
Annotation-based deduction in temporal logic



Annotation-Based Deduction in Temporal Logic‡

Hugh McGuire*, Zohar Manna*, and Richard Waldinger**

* Computer Science Department, Stanford University, Stanford, California 94305, U.S.A.; [email protected], [email protected].
** Artificial Intelligence Center, SRI International, Menlo Park, California 94025, U.S.A.; [email protected].

Abstract. This paper presents a deductive system for predicate temporal logic with induction.

Representing temporal operators by first-order expressions enables temporal deduction to use the already developed techniques of first-order deduction. But when translation from temporal logic to first-order logic is done indiscriminately, the ensuing quantifications and comparisons of time expressions encumber formulas and hinder deduction. So in the deductive system presented here, translation occurs more carefully, via reification rules. These rules paraphrase selected temporal formulas as nontemporal first-order formulas with time annotations. This time-reification process suppresses quantifications (the process is analogous to quantifier skolemization) and uses addition instead of complicated combinations of comparisons. Some ordering conditions on arithmetic expressions can arise, but these are handled automatically by a special-purpose unification algorithm plus a decision procedure for Presburger arithmetic.

This deductive system is relatively complete.

Contents
1 Introduction
2 The Language: Annotated Temporal Logic
3 Deduction I: Fundamentals
4 Deduction II: Time Reification
5 Deduction III: Nonclausal Resolution
6 Deduction IV: Induction
7 Examples
8 Properties of this deductive system
9 Conclusion

‡ This research was supported in part by the National Science Foundation under grant CCR-92-23226, by the Advanced Research Projects Agency under contract NAG2-703 and grant NAG2-892, and by the United States Air Force Office of Scientific Research under contract F49620-93-1-0139.

1 Introduction

Temporal logic has been found valuable for the specification of concurrent and reactive software and hardware systems (see, e.g., [MP91]). To use such specifications, however, it is necessary to have techniques for reasoning about temporal-logic formulas.

For example, model-checking or model-exploring (`semantic tableau') systems such as [CES86, P86, KM93] are effective for temporal formulas which are essentially propositional. But so far, they have been inapplicable to general predicate temporal formulas. The deductive system of [AM90] extends nonclausal resolution for predicate logic [MW80] to handle temporal operators directly, but that system requires a cut rule which gratuitously introduces new formulas into proofs, and it imposes possibly distracting restrictions on its rules.

An alternative to reasoning directly with temporal operators is to translate temporal formulas into nontemporal first-order predicate logic, using quantifications and comparisons of explicit time parameters to express the temporal operators. Then one can apply the accumulated technology for reasoning in first-order logic. Such an approach is used in [W89] and [O88] for modal logics other than temporal logic. But performing this translation indiscriminately may confuse otherwise simple modal-logic proofs, in which the modal operators are intuitively meaningful; proofs requiring induction are particularly susceptible to this disservice. (See also [O93] regarding efficiency.)

This paper presents a deductive system which employs such translation, but with some finesse. Temporal operators are translated gradually and selectively, and the resulting expressions representing time are simple: time is identified with the natural numbers, so temporal operators can be represented by addition (and subtraction).
Then, reasoning about terms which represent time is done automatically by unification (as with "t" in the following simple example) plus a decision procedure for Presburger arithmetic derived from [S79].

An example of such a proof, of the formula (□p → p), is:

      Assertions / Goals                 Explanations
  1   Goal:       [0 ∷ (□p → p)]         Given
  2   Assertion:  [0 ∷ □p]⁻              1, split "→"
  3   Goal:       [0 ∷ p]⁺               1, split "→"
  4   Assertion:  [t ∷ p]⁻               2, reify □⁻
  5   Goal:       true                   3&4, resolution, unifier {t ← 0}

This structure formalizes the goal-directed style of proofs that humans prefer to construct and find easiest to understand.

The deductive system here also provides induction for temporal operators, and rules such as rewriting, for convenience. This system subsumes the prior one of [AM90]; i.e., any valid formula which can be proven in that system can also be proven here.

2 The Language: Annotated Temporal Logic (ATL)

The basic language here is the Linear Temporal Logic of [MP91]; the complete language of ATL adds time annotations to formulas. For example, in the ATL formula [3 ∷ □p], the numeral "3" is the time annotation. This formula is satisfied if its basic subformula □p is satisfied at time 3.

2.1 Syntax

The basic language has function symbols, variable symbols, predicate symbols, the equality symbol "=", the six boolean operators "true", "false", "¬", "∧", "∨", and "→", the quantification operators "∀" and "∃", and temporal operators. The temporal operators (which apply to formulas) comprise "□", "◇", "○", and "U" (named "henceforth", "eventually", "next", and "until", respectively) as well as their `mirror' operators which refer to the past: "⊟", "⟐", "⊖", and "S" (named "heretofore", "once", "previously", and "since", respectively). The operators "U" and "S" are binary; the other temporal operators are unary. An additional temporal operator is "⊕" (named "next-value"), which applies to terms (and is unary). Lastly, regarding basic symbols, some zero-arity function symbols and all zero-arity predicate symbols (i.e., propositions) are dynamic, i.e., `flexible'. (The significance of dynamic symbols is semantic; see below.)

In addition to the preceding basic symbols, the complete language of ATL requires time symbols: the natural numerals ("0", "1", etc.), the addition function symbol "+", the predecessor function symbol "pred", other uninterpreted function symbols (e.g., "h1", "h2"), variable symbols (e.g., "t1", "t2", "δ1", "δ2"), and comparison symbols "<" and "≤" (in addition to "=").
Time symbols are not dynamic.

Terms and incomplete (unannotated) formulas are constructed from basic symbols and time symbols as is customary, applying function symbols, predicate symbols, and operators to appropriate arguments. A time term is either a time numeral, a time variable, or the application of a time function symbol to arguments which do not contain "⊕" or any dynamic symbols.

An elementary complete annotated formula of ATL has the form "[τ ∷ φ]", where τ is a time term (in this context called a time annotation) and φ is an incomplete formula. An elementary complete time formula is an unannotated comparison of two time terms. Further complete formulas are constructed from these elementary ones using nontemporal boolean operators and quantifiers as is customary (except that quantifiers are not allowed to bind variables in time annotations).

2.2 Semantics

A model is a structure with a domain (a nonempty set of objects) and a sequence of states indexed by the natural numbers ℕ. For an index n ∈ ℕ, state n of model M is denoted by the expression "⟨M, n⟩". A model assigns concrete objects, functions, and relations (over the domain) to the language's nondynamic variable symbols, function symbols, and predicate symbols, respectively; a state does the same for the dynamic symbols. A model interprets the time numerals ("0" etc.) as the natural numbers ℕ, "+" as addition, "pred" as predecessor,¹ and so on (for the time symbols). For example, a time function symbol (e.g., "h") is interpreted as a function whose range is ℕ.

Interpretation of terms and unannotated formulas is as customary, with functions, operators, quantifiers, etc. An expression which contains no temporal operators or dynamic symbols is interpreted via the global assignments of a model; otherwise, it is interpreted by a state. Some examples for temporal operators are:

  ⟨M, n⟩ ⊨ ○φ       iff  ⟨M, n + 1⟩ ⊨ φ.
  ⟨M, n⟩ ⊨ ⊖φ       iff  0 < n and ⟨M, n − 1⟩ ⊨ φ.
  ⟨M, n⟩ ⊨ (φ U ψ)  iff  there exists a k ≥ n such that ⟨M, k⟩ ⊨ ψ,
                         and, for every i such that n ≤ i < k, ⟨M, i⟩ ⊨ φ.
  ⟨M, n⟩ ⊨ (φ S ψ)  iff  there exists a k ≤ n such that ⟨M, k⟩ ⊨ ψ,
                         and, for every i such that k < i ≤ n, ⟨M, i⟩ ⊨ φ.
  The value of the term ⊕θ in the nth state of model M is the value of the term θ in the (n + 1)st state of M.

A model M interprets an annotated formula [τ ∷ φ] as follows: Let n ∈ ℕ be M's interpretation of the time annotation τ. Then M ⊨ [τ ∷ φ] iff ⟨M, n⟩ ⊨ φ. Interpretation of further complete formulas is then as customary.

A formula is valid if it is satisfied by all models.

A theory is specified by a set A of formulas which are called the axioms of the theory.
A formula φ is valid within the theory specified by the set A if for every model M that satisfies all the axioms A, M ⊨ φ.

3 Deduction I: Fundamentals

Our deductive framework, using deductive tableaux, is that of [MW93].

3.1 Notation: Deductive Tableaux

A deductive tableau is a table with four columns and any positive number of rows. The leftmost column simply contains row numbers; the middle two columns, titled "Assertions" and "Goals", contain complete ATL formulas (only one per row); and the rightmost column, titled "Explanations", contains texts

¹ A model's interpretation of "pred(0)" is arbitrary.

which explain how rows were derived. Each assertion or goal formula may have one (or more) of its subformulas highlighted with a box (boxes). For an example of a deductive tableau, see the Introduction.

The intuitive interpretation of a deductive tableau² is that the column of goals contains a formula being proved valid, followed by reductions of it to more tractable goals, and the column of assertions contains formulas which can be assumed true, to be used in the proof. A box highlights a subformula in a row when the subformula is particularly significant to a deduction rule which is applied to that row in the proof; this subformula is called a target of the rule.

Associated with every subformula in a deductive tableau is a characteristic called polarity, which is determined by the parity of the number of negations (whether explicit, or implicit via "→") within whose scope the subformula lies; one additional negation is implicit for assertions, reflecting their status of `implying' the goals. Even parity of these negations occasions positive polarity, and odd parity occasions negative polarity. A superscript of either "+" or "−" on a formula indicates the formula's polarity.

3.2 Outline of the Deductive Scheme

An ATL proof that a basic formula φ is valid begins with the following deductive tableau:

      Assertions / Goals        Explanations
  1   Goal:  [0 ∷ φ]            Given

Then rows are added via rules. The proof succeeds when true is derived as a reduced goal formula.

Quasi-deductive primitive operations, acting within rows instead of adding new ones, include renaming variables and automatically simplifying expressions, for example changing ¬¬φ to φ and 0 + τ to τ.

If the validity being proved is relative to a theory, then any axiom of the theory can be added to the deductive tableau as an assertion.
Previously proved lemmas can be added similarly. Such axioms and lemmas for the natural numbers can be used for time.

3.3 The Rewriting Rule

This rule generates a new row from a prior one by replacing a target subformula with an equivalent (sub)formula. Examples of rewriting schemas are:

  ¬(φ1 ∧ φ2) ⇔ (¬φ1 ∨ ¬φ2)   and   (∀x1)(∀x2)φ ⇔ (∀x2)(∀x1)φ.

Nontemporal rewritings are listed in [MW93]. Temporal ones are as follows. First:

  □φ ⇔ φ ∧ ○□φ
  ◇φ ⇔ φ ∨ ○◇φ
  (φ1 U φ2) ⇔ φ2 ∨ (φ1 ∧ ○(φ1 U φ2))

² [MW93] gives formal semantics for deductive tableaux.

When used from left to right, these rewritings are called expansions.

Next, there are rewritings which specify that the temporal operator "○" distributes over or commutes with nontemporal boolean operators ("¬", "∧", "∨", and "→") and quantifiers. For example: ○(φ1 ∧ φ2) ⇔ (○φ1 ∧ ○φ2).

There are some similar rewritings involving the other temporal operators:

  □(φ1 ∧ φ2) ⇔ □φ1 ∧ □φ2        (φ1 ∧ φ2) U φ3 ⇔ (φ1 U φ3) ∧ (φ2 U φ3)
  ◇(φ1 ∨ φ2) ⇔ ◇φ1 ∨ ◇φ2        φ1 U (φ2 ∨ φ3) ⇔ (φ1 U φ2) ∨ (φ1 U φ3)
  □(∀x)φ ⇔ (∀x)□φ               ((∀x)φ⟨x⟩) U ψ ⇔ (∀x)(φ⟨x⟩ U ψ)
  ◇(∃x)φ ⇔ (∃x)◇φ               ψ U ((∃x)φ⟨x⟩) ⇔ (∃x)(ψ U φ⟨x⟩)

(In each of the quantification cases for U, the formula ψ must not contain any free occurrence of the variable x.)

There are similar rewritings for the operators "⊟", "⟐", "⊖", and "S".

3.4 The Time Distribution Rule

Time annotations distribute over or commute with nontemporal boolean operators ("¬", "∧", "∨", and "→") and quantifiers. For example, the formula [3 ∷ (□p → p)] is equivalent to the formula ([3 ∷ □p] → [3 ∷ p]). The following rewritings provide this time distribution:

  [τ ∷ (¬φ)] ⇒ ¬[τ ∷ φ]                     [τ ∷ (φ1 → φ2)] ⇒ [τ ∷ φ1] → [τ ∷ φ2]
  [τ ∷ (φ1 ∧ φ2)] ⇒ [τ ∷ φ1] ∧ [τ ∷ φ2]     [τ ∷ (∀x)φ] ⇒ (∀x)[τ ∷ φ]
  [τ ∷ (φ1 ∨ φ2)] ⇒ [τ ∷ φ1] ∨ [τ ∷ φ2]     [τ ∷ (∃x)φ] ⇒ (∃x)[τ ∷ φ]

(In each of the quantification cases, the time annotation τ must not contain x.)

Time distribution can be (automatically) combined with the normal operations of other deduction rules, as desired. (For clear examples of such combination, see applications of the splitting rule, e.g., in the sample deductive tableau in the Introduction.)

3.5 The Duality Rule

Applied to a negated or simply false formula which is in one column (Assertions or Goals), this rule adds the formula's inverse to the other column.

3.6 The Splitting Rule

This rule disassembles a formula, easing further processing of its components.

  Goal:       φ1 → φ2   yields   Assertion: φ1   and   Goal: φ2
  Goal:       φ1 ∨ φ2   yields   Goal: φ1        and   Goal: φ2
  Assertion:  φ1 ∧ φ2   yields   Assertion: φ1   and   Assertion: φ2
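The following Python evaluator is an added illustration, not code from the paper or its authors. It implements the satisfaction clauses of Section 2.2 for the future fragment of the language (the boolean operators, ○, □, ◇ and U) over models whose states assign truth values to propositions only, and uses it to confirm on sample models that the expansion rewritings of Section 3.3 are semantic equivalences and that the formulas proved in the Introduction and in Section 7.1 hold at time 0. Infinite state sequences are represented as lassos (a finite prefix followed by a cycle repeated forever); for future-only formulas the truth value at a time depends only on the suffix from that time, so evaluation over the finitely many distinct suffixes is exact. The tuple encoding of formulas, the class and function names, and the two sample models are this example's own constructions; past operators and dynamic terms are not covered.

```python
"""Semantics of the future fragment of ATL (Section 2.2) over ultimately
periodic models, with semantic checks of the expansion rewritings of
Section 3.3.  Added example; not code from the paper.  A model is a lasso:
a finite prefix of states followed by a cycle repeated forever, which
encodes a state sequence indexed by the natural numbers exactly."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Formulas are nested tuples; the constructors hide the tags.
def P(name): return ('prop', name)
def Not(f): return ('not', f)
def And(f, g): return ('and', f, g)
def Or(f, g): return ('or', f, g)
def Imp(f, g): return ('imp', f, g)
def Next(f): return ('next', f)          # O f
def Always(f): return ('always', f)      # [] f
def Event(f): return ('event', f)        # <> f
def Until(f, g): return ('until', f, g)  # f U g


@dataclass(frozen=True)
class Lasso:
    """State n is prefix[n] for n < len(prefix), else cycle[(n - len(prefix)) % len(cycle)]."""
    prefix: Tuple[FrozenSet[str], ...]
    cycle: Tuple[FrozenSet[str], ...]

    def __post_init__(self):
        if not self.cycle:
            raise ValueError("cycle must be non-empty")

    def canon(self, n):
        """Canonical position of time n; the suffixes from n and from canon(n) coincide."""
        p = len(self.prefix)
        return n if n < p else p + (n - p) % len(self.cycle)

    def state(self, n):
        i, p = self.canon(n), len(self.prefix)
        return self.prefix[i] if i < p else self.cycle[i - p]

    def walk(self, n):
        """Distinct canonical positions reachable from time n, in temporal order.
        Every time k >= n shares its suffix with exactly one of them."""
        order, i = [], self.canon(n)
        while i not in order:
            order.append(i)
            i = self.canon(i + 1)
        return order

    def positions(self):
        return range(len(self.prefix) + len(self.cycle))


def holds(m, n, f):
    """<M, n> |= f, following the satisfaction clauses of Section 2.2."""
    op = f[0]
    if op == 'prop':   return f[1] in m.state(n)
    if op == 'not':    return not holds(m, n, f[1])
    if op == 'and':    return holds(m, n, f[1]) and holds(m, n, f[2])
    if op == 'or':     return holds(m, n, f[1]) or holds(m, n, f[2])
    if op == 'imp':    return (not holds(m, n, f[1])) or holds(m, n, f[2])
    if op == 'next':   return holds(m, n + 1, f[1])
    if op == 'always': return all(holds(m, k, f[1]) for k in m.walk(n))
    if op == 'event':  return any(holds(m, k, f[1]) for k in m.walk(n))
    if op == 'until':
        # First reachable position where g holds, with f at every earlier one.
        for k in m.walk(n):
            if holds(m, k, f[2]):
                return True
            if not holds(m, k, f[1]):
                return False
        return False
    raise ValueError(f"unknown operator {op!r}")


def satisfies_annotated(m, tau, f):
    """M |= [tau :: f]  iff  <M, tau> |= f, for a numeral annotation tau."""
    return holds(m, tau, f)


def valid_in(m, f):
    """f holds at every time of M (checking the canonical positions suffices)."""
    return all(holds(m, n, f) for n in m.positions())


def equivalent_in(m, f, g):
    """f <=> g holds at every time of M; used to check rewriting schemas."""
    return all(holds(m, n, f) == holds(m, n, g) for n in m.positions())


# Constructed sample models (not from the paper).
p, q = P('p'), P('q')
S = frozenset
M1 = Lasso(prefix=(S({'p'}), S()), cycle=(S({'q'}), S({'p', 'q'}), S()))
M2 = Lasso(prefix=(S({'p'}),), cycle=(S(),))   # p at time 0, then never again
MODELS = (M1, M2)

# The expansion rewritings of Section 3.3 as (left, right) pairs.
EXPANSIONS = (
    (Always(p), And(p, Next(Always(p)))),
    (Event(p), Or(p, Next(Event(p)))),
    (Until(p, q), Or(q, And(p, Next(Until(p, q))))),
)

INTRO = Imp(Always(p), p)                                             # Introduction
SEC71 = Imp(And(p, Always(Imp(p, Next(Event(p))))), Always(Event(p)))  # Section 7.1
SEC71_NO_NEXT = Imp(And(p, Always(Imp(p, Event(p)))), Always(Event(p)))  # same, O dropped


def check_all():
    """True iff INTRO is valid and SEC71 holds at time 0 on every sample model,
    and every expansion rewriting is a semantic equivalence on every sample model."""
    return (all(valid_in(m, INTRO) for m in MODELS)
            and all(satisfies_annotated(m, 0, SEC71) for m in MODELS)
            and all(equivalent_in(m, l, r) for m in MODELS for l, r in EXPANSIONS))


if __name__ == '__main__':
    print("checks pass:", check_all())
    print("Section 7.1 formula without the O, at time 0 of M2:",
          satisfies_annotated(M2, 0, SEC71_NO_NEXT))
```

Running the block reports that the checks pass and that the Section 7.1 formula fails on M2 once the "○" is dropped from the premise: at time 0 the premise p ∧ □(p → ◇p) holds because p itself witnesses ◇p, yet □◇p is false since p never recurs. That is a quick way to confirm, before attempting a tableau proof, that the formula as stated is actually valid.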

4 Deduction II: Time Reification

Quantifier elimination is presented here in some detail because it is crucial to time reification.

4.1 The Quantifier-Elimination Rule (Skolemization)³

A quantifier (Qx) has universal force if either its quantification operator Q is "∀" and its polarity is positive, or its quantification operator is "∃" and its polarity is negative; otherwise, (Qx) has existential force.

The schema of the quantifier-elimination rule is: [τ ∷ (Qx)φ] ⇒ [τ ∷ φ̃],⁴ where formula φ̃ is constructed from formula φ as follows:

If the quantifier (Qx) being eliminated has universal force, then a function symbol "f_new", new to the deductive tableau, is introduced. Additionally, let Δ be a list of the following variables of the entire row formula to which this rule is being applied: all the free variables, plus all the variables bound by quantifiers of existential force within whose scope the target subformula [τ ∷ (Qx)φ] lies. Then the new subformula φ̃ is constructed from the original subformula φ by substituting the term "f_new(Δ)" for each occurrence of variable x which was bound by the target quantifier (Qx).

If the quantifier (Qx) being eliminated has existential force (and does not lie within the scope of any quantifier of universal force, in which case elimination of (Qx) would be disallowed), then the `new' subformula φ̃ is simply identical to the original subformula φ; thus, (Qx) is simply removed.

(When eliminating (Qx) might change the quantifier binding of any variable via `quantifier capturing', such a variable must be renamed.)

4.2 Introduction of the Time Reification Rule

Time reification removes a temporal operator from a formula via a process which, actually, is equivalent to the three-step operation of (1) translating the formula into nontemporal first-order predicate logic, (2) eliminating quantifiers introduced by step (1), and (3) translating back into temporal logic.

[AM90] gives a typical scheme for translating basic temporal formulas to semantically equivalent
nontemporal formulas. An illustrative example is:

  ○○○□p ↦ (∀t)((t ≥ 3) → p(t)).

Reification, applied to the equivalent ATL formula, translates analogously for the "○"-operators (yielding "3") but differently for the operator "□":

  [0 ∷ ○○○□p] ↦(1) (∀δ) p(3 + δ).

³ Skolemization in other systems has somewhat reversed operations since the goal there is refutation while the goal here is validation.
⁴ Or, for unannotated time formulas, simply: (Qx)φ ⇒ φ̃.

(The choice of "δ" versus "t" indicates a time increment instead of an absolute time.) Assuming negative polarity, reification would continue as follows:

  (∀δ) p(3 + δ) ↦(2) p(3 + δ) ↦(3) [3 + δ ∷ p].

Another example of ATL translation is:

  [0 ∷ ○○○(p U q)] ↦(1) (∃δ1)(q(3 + δ1) ∧ (∀δ2)((δ2 < δ1) → p(3 + δ2))).

Reification of ○

As an illustrative example, translating the formula [t ∷ ○p] of ATL into nontemporal predicate logic yields p(t + 1). Translating back yields [t + 1 ∷ p]. Generalizing (facilely), the schema for reification of the operator "○" is:

  [τ ∷ ○φ] ⇒ [τ + 1 ∷ φ].

Reification of □ and ◇

An example for the operator "□" is given above; the operator "◇" is treated analogously, with "∃" instead of "∀". The reification schemas are:

  [τ ∷ (□φ)⁺] ⇒ [τ + h_new(Δ) ∷ φ]      [τ ∷ (□φ)⁻] ⇒ [τ + δ_new ∷ φ]
  [τ ∷ (◇φ)⁻] ⇒ [τ + h_new(Δ) ∷ φ]      [τ ∷ (◇φ)⁺] ⇒ [τ + δ_new ∷ φ]

Since reification of these operators implicitly involves quantifiers, the details of the quantifier-elimination rule apply: In the two cases on the left, for "□⁺" and "◇⁻", the meta-symbol "Δ" denotes a list of variables as in skolemization; and in the other two cases, for "□⁻" and "◇⁺", this rule is disallowed for any formula [τ ∷ (□φ)⁻] or [τ ∷ (◇φ)⁺] that occurs within the scope of any quantifier of universal force. An example for "□⁺" is:

      Assertions / Goals                                          Explanations
      Goal:  [t ∷ ¬(d = f(x))] ∧ (∃y)[c ∷ □(d = y)]⁺
      Goal:  [t ∷ ¬(d = f(x))] ∧ (∃y)[c + h(t, x, y) ∷ d = y]     reify □⁺; "h" is new

Reification of ⊕

An example of a formula containing the operator "⊕" is [t ∷ ⊕d = a]. The symbol d here should be dynamic; otherwise, the term ⊕d would be equivalent to d, so simplification would delete the operator "⊕" in the formula. Assume that the symbol a is not dynamic. Then translating this formula into nontemporal logic yields d(t + 1) = a. Translating back yields [t + 1 ∷ d = a].

But if the symbol a were dynamic, that result would not be equivalent to the original formula. To see this, note that with a dynamic, translation of the formula [t ∷ ⊕d = a] into nontemporal logic would yield d(t + 1) = a(t), while translation of [t + 1 ∷ d = a] would yield d(t + 1) = a(t + 1).

Considering these cases, the reification schema for the operator "⊕" is:

  [τ ∷ φ⟨⊕θ1, …, ⊕θn⟩] ⇒ [τ + 1 ∷ φ⟨θ1, …, θn⟩],

where (1) the target subformula φ⟨…⟩ must not contain any dynamic symbol outside of the specified terms ⊕θi, and (2) none of the specified terms ⊕θi may occur within the scope of any other temporal operator.

Reification of ⊖, ⊟, and ⟐

  [τ ∷ ⊖φ] ⇒ (0 < τ) ∧ [pred(τ) ∷ φ].

  [τ ∷ (⊟φ)⁺] ⇒ (h_new(Δ) ≤ τ) → [h_new(Δ) ∷ φ]      [τ ∷ (⊟φ)⁻] ⇒ (t_new ≤ τ) → [t_new ∷ φ]
  [τ ∷ (⟐φ)⁻] ⇒ (h_new(Δ) ≤ τ) ∧ [h_new(Δ) ∷ φ]      [τ ∷ (⟐φ)⁺] ⇒ (t_new ≤ τ) ∧ [t_new ∷ φ]

Unlike the future operators, whose bound k ≥ τ is absorbed into the annotation by addition, the past bound k ≤ τ must be kept as an explicit time formula: as a hypothesis for the universal operator "⊟" (which stands for "for every k ≤ τ") and as a conjunct for the existential operator "⟐" (which stands for "for some k ≤ τ"). The details for ⊟ and ⟐ (the list Δ, and the restriction on the cases that introduce a new variable) are the same as for the operators □ and ◇.

Reification of U and S (Here, the subscript "n" specifies newness.)

  [τ ∷ (φ U ψ)⁻] ⇒ [τ + h_n(Δ) ∷ ψ] ∧ ((δ_n < h_n(Δ)) → [τ + δ_n ∷ φ])
  [τ ∷ (φ U ψ)⁺] ⇒ [τ + δ_n ∷ ψ] ∧ ((h_n(Δ, δ_n) < δ_n) → [τ + h_n(Δ, δ_n) ∷ φ])
  [τ ∷ (φ S ψ)⁻] ⇒ (h_n(Δ) ≤ τ) ∧ [h_n(Δ) ∷ ψ] ∧ (((h_n(Δ) < t_n) ∧ (t_n ≤ τ)) → [t_n ∷ φ])
  [τ ∷ (φ S ψ)⁺] ⇒ (t_n ≤ τ) ∧ [t_n ∷ ψ] ∧ (((t_n < h_n(Δ, t_n)) ∧ (h_n(Δ, t_n) ≤ τ)) → [h_n(Δ, t_n) ∷ φ])

5 Deduction III: Nonclausal Resolution

The schemas for nonclausal resolution are:⁵

  Assertion:  φ⟨[τ ∷ ψ⁺]⟩   and   Assertion:  χ⟨[τ̃ ∷ ψ̃⁻]⟩   yield   Assertion:  (φ⟨true⟩ ∨ χ⟨false⟩)σ
  Goal:       φ⟨[τ ∷ ψ⁺]⟩   and   Goal:       χ⟨[τ̃ ∷ ψ̃⁻]⟩   yield   Goal:       (φ⟨true⟩ ∧ χ⟨false⟩)σ

⁵ As with the quantifier-elimination rule, target subformulas for the resolution rule can be unannotated time formulas.

  Assertion:  φ⟨[τ ∷ ψ⁺]⟩   and   Goal:       χ⟨[τ̃ ∷ ψ̃⁻]⟩   yield   Goal:  (¬φ⟨true⟩ ∧ χ⟨false⟩)σ
  Goal:       φ⟨[τ ∷ ψ⁺]⟩   and   Assertion:  χ⟨[τ̃ ∷ ψ̃⁻]⟩   yield   Goal:  (φ⟨true⟩ ∧ ¬χ⟨false⟩)σ

In each case: (1) the formulas φ and χ must not share any free variables; (2) neither target subformula [τ ∷ ψ] or [τ̃ ∷ ψ̃] may contain any occurrence of any variable that is bound by a quantifier outside of the target; and (3) these target subformulas must unify via a most general unifier σ.

Additional restrictions apply if the unifier σ involves a replacement x ← θ with term θ containing a dynamic symbol. For then:

1. No free occurrence of variable x in the formulas φ and χ may lie within the scope of any temporal operator or inside any time annotation or time formula.
2. All the time annotations within whose scope(s) replaceable occurrences of x lie must be unified (by σ).

These two restrictions ensure consistency of the time at which a dynamic symbol may be interpreted. Otherwise, such a symbol, contained in term θ and placed in various contexts by the replacement x ← θ, could refer to different objects, violating soundness.

When resolution fails only because the target time annotations τ and τ̃ fail to unify, an option is that the equation τ = τ̃ can be conjoined with the desired result of resolution as something additional that needs to be proven. A Presburger-like decision procedure can handle time formulas such as this equation. For an example of this situation, see Section 7.2.

The Equality Rule

This rule involves resolution-based reasoning. Hence, like the resolution rule itself, this rule comprises four schemas because of the alternatives for columns. Only one such schema need be shown:

  Goal:  φ⟨[τ ∷ β⟨θ⟩]⟩   and   Assertion:  χ⟨[τ̃ ∷ (θ' = θ̃)⁻]⟩   yield   Goal:  (φ⟨[τ ∷ β⟨θ'⟩]⟩ ∧ ¬χ⟨false⟩)σ

Here, σ must unify term θ with term θ̃ as well as time annotation τ with time annotation τ̃. Further details are as for resolution.

6 Deduction IV: Induction

The logic may refer to a domain, such as the natural numbers or lists, for which principles of induction hold. Then, rules which implement these principles are available. An example, for the natural numbers, is:

  Goal:  [τ ∷ (∀x)φ⟨x⟩]   yields   Goal:  [τ ∷ (φ⟨0⟩ ∧ (φ⟨m⟩ → φ⟨m + 1⟩))]

where the initial row must not contain free variables and m must be new. Thus, a goal can be reduced to a base case plus an inductive step.

Induction also applies to temporal operators. For example:

  Goal:  [τ ∷ □φ]   yields   Goal:  [τ ∷ φ] ∧ ([τ + c_new ∷ φ] → [τ + c_new + 1 ∷ φ])

where the initial row must not contain free variables and c_new must be new.

There are additional temporal induction schemas, e.g., for assertions of the form [τ ∷ ◇φ] (see the extended version of this paper).

7 Examples

7.1 Validity of the Formula ((p ∧ □(p → ○◇p)) → □◇p)

This example, which requires temporal induction, is used in [AM90].

      Assertions / Goals                                          Explanations
  1   Goal:       [0 ∷ ((p ∧ □(p → ○◇p)) → □◇p)]                  Given
  2   Assertion:  [0 ∷ p]⁻                                        1, split
  3   Assertion:  [0 ∷ □(p → ○◇p)]⁻                               1, split
  4   Goal:       [0 ∷ □◇p]                                       1, split
  5   Goal:       [0 ∷ ◇p]⁺ ∧ ([c1 ∷ ◇p] → [c1 + 1 ∷ ◇p])         4, temporal induction (of □)

  6   Goal:       [t2 ∷ p]⁺ ∧ (… → …)                             5, reify ◇⁺
  7   Goal:       [c1 ∷ ◇p] → [c1 + 1 ∷ ◇p]                       6&2, resolution, unifier {t2 ← 0}
  8   Assertion:  [c1 ∷ ◇p]                                       7, split
  9   Goal:       [c1 + 1 ∷ ◇p]⁺                                  7, split
 10   Assertion:  [t3 ∷ (p → ○◇p)]                                3, reify □⁻
 11   Assertion:  [t3 ∷ p] → [t3 ∷ ○◇p]                           10, distribution
 12   Assertion:  [t3 ∷ p] → [t3 + 1 ∷ ◇p]⁻                       11, reify ○
 13   Goal:       [c1 ∷ p]⁺                                       12&9, resolution, unifier {t3 ← c1}
 14   Assertion:  [c1 ∷ (p ∨ ○◇p)]                                8, expand ◇
 15   Assertion:  [c1 ∷ p]⁻ ∨ [c1 ∷ ○◇p]                          14, distribution
 16   Assertion:  [c1 ∷ ○◇p]                                      15&13, resolution; duality
 17   Assertion:  [c1 + 1 ∷ ◇p]⁻                                  16, reify ○
 18   Goal:       true                                            17&9, resolution

Highlights of this proof are:

First, the splitting rule conveniently demarcates the given formula's premises and desired conclusion (goal #4). Time distribution is used implicitly.

One rationalization of the decision to apply temporal induction to goal #4 is that when one attempts the simpler operation, namely reification (of the operator "□"), one gets stuck later in the proof.

Goal #5, being the result of the induction rule, comprises two conjuncts: the base case and the inductive step. In this proof, the base case (the left conjunct) is proven first.

Goal #7 is split for convenience.

Assertion #8 is the inductive hypothesis, and goal #9 is the desired inductive conclusion. Experience with induction proofs leads one to attempt to reduce the latter to the former. Assertion #3 is used for this reduction.

When goal #13 arises, assertion #8 can be used.

The last two deduction steps handle a case due to the disjunctive nature (consider assertion #14) of the inductive hypothesis.
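As a second added example (again not the paper's code), the following Python code carries out two of the mechanical steps that the tableaux of the Introduction and of Sections 7.1 and 7.2 rely on: the reification schemas for "□", "◇" and "○" of Section 4.2 under a given polarity, including the Δ argument list for a new Skolem function and the side condition that forbids existential-force reification under a universal-force quantifier, and the unification of time annotations used by the resolution rule. The unifier cancels terms shared by both annotations and solves for one remaining variable; when the solution would be negative it returns the substitution together with an ordering condition, and when the remainder is not of that shape it returns the equation τ = τ̃ as a residual goal, which is the fallback Section 5 describes. No Presburger decision procedure is implemented; residual conditions are returned as strings. The class and function names, the textual tags "[]", "<>" and "O", and the naming of new symbols by a counter are this example's own assumptions.

```python
"""Time reification of [], <> and O (Section 4.2) and unification of time
annotations (Sections 1 and 5).  Added example; not the paper's code.
A time term is a sum of atoms (time variables or Skolem applications) plus
a numeral; this covers every annotation in the paper's tableaux."""
from dataclasses import dataclass
from itertools import count
from typing import Tuple


@dataclass(frozen=True)
class Atom:
    name: str
    args: Tuple[str, ...] = ()   # argument list of a Skolem application
    is_var: bool = False         # time variable (t1, delta4, ...)

    def __str__(self):
        if self.is_var or not self.args:
            return self.name
        return f"{self.name}({', '.join(self.args)})"


@dataclass(frozen=True)
class Time:
    """atoms + offset; a negative offset appears only inside a substitution
    that is accompanied by an ordering condition."""
    atoms: Tuple[Atom, ...] = ()
    offset: int = 0

    def __str__(self):
        parts = [str(a) for a in sorted(self.atoms, key=str)]
        if self.offset < 0:
            return " + ".join(parts) + f" - {-self.offset}"
        if self.offset > 0 or not parts:
            parts.append(str(self.offset))
        return " + ".join(parts)


def var(name):
    return Atom(name, is_var=True)


def skolem(name, *args):
    return Atom(name, tuple(args))


def T(*atoms, k=0):
    return Time(tuple(atoms), k)


_fresh = count(1)   # hypothetical naming scheme for h_new / delta_new


def existential_force(op, polarity):
    """[] with polarity '-' and <> with '+' stand for quantifiers of existential
    force; [] with '+' and <> with '-' for universal force (Section 4.2)."""
    return (op == '[]') == (polarity == '-')


def reify(tau, op, polarity, delta, under_universal=False):
    """Reify the outermost operator op of [tau :: op phi]; returns the new
    annotation (the body of the new row is phi).  O adds 1.  Universal force
    adds a new Skolem application h_new(Delta); existential force adds a new
    variable and is disallowed under a quantifier of universal force."""
    if op == 'O':
        return Time(tau.atoms, tau.offset + 1)
    if op not in ('[]', '<>'):
        raise ValueError(f"unknown operator {op!r}")
    n = next(_fresh)
    if existential_force(op, polarity):
        if under_universal:
            raise ValueError("existential-force reification under a universal-force quantifier")
        new = var(f"delta{n}")
    else:
        new = skolem(f"h{n}", *delta)
    return Time(tau.atoms + (new,), tau.offset)   # "0 + x" is already just "x" here


def unify(a, b):
    """Unify two time terms.  None on definite failure; otherwise (substitution,
    condition) where condition is None, an ordering condition on a Skolem
    term, or the residual equation a = b (left as an extra goal, Section 5)."""
    ra, rb = list(a.atoms), list(b.atoms)
    for x in list(ra):                 # cancel atoms shared by both sides
        if x in rb:
            ra.remove(x)
            rb.remove(x)
    if not ra and not rb:
        return ({}, None) if a.offset == b.offset else None
    for left, right, kl, kr in ((ra, rb, a.offset, b.offset), (rb, ra, b.offset, a.offset)):
        # one remaining variable x, not occurring inside the other side (occurs check)
        if len(left) == 1 and left[0].is_var and not any(left[0].name in y.args for y in right):
            x, diff = left[0], kr - kl           # x + kl = right + kr
            if diff >= 0:
                return ({x: Time(tuple(right), diff)}, None)
            if not right:
                return None                      # x would be a negative numeral
            return ({x: Time(tuple(right), diff)}, f"{-diff} <= {Time(tuple(right))}")
    return ({}, f"{a} = {b}")


def intro_proof_steps():
    """Rows 2-5 of the Introduction's tableau for [0 :: ([]p -> p)]: reify [] in
    the assertion [0 :: []p]^- and unify the result with the goal [0 :: p]^+."""
    zero = T()
    row4 = reify(zero, '[]', '-', delta=())
    subst, cond = unify(row4, zero)
    return row4, subst, cond


def sec71_step13():
    """Unifier for goal 9, [c1 + 1 :: <>p]^+, against assertion 12, [t3 + 1 :: <>p]^-."""
    subst, cond = unify(T(skolem('c1'), k=1), T(var('t3'), k=1))
    return {str(x): str(t) for x, t in subst.items()}, cond


if __name__ == '__main__':
    row4, subst, cond = intro_proof_steps()
    print(f"[{row4} :: p]", {str(x): str(t) for x, t in subst.items()}, cond)
    print(sec71_step13())
    print(unify(T(var('t'), k=2), T(skolem('c'))))                       # ordering condition
    print(unify(T(skolem('c3'), var('delta4')), T(skolem('h5', 't1'))))  # residual equation
```

The last two calls show the two outcomes the paper delegates to arithmetic: unifying t + 2 with a Skolem constant c yields t ← c − 2 only under the condition 2 ≤ c, and the annotations c3 + δ4 and h5(t1) of goal #5 and assertion #7 in Section 7.2 do not unify syntactically, so the equation between them is handed back as the extra goal that Section 7.2 passes to the Presburger-like procedure.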

7.2 Validity of the Formula (□◇((¬p) S q) → □(p → ◇q))

      Assertions / Goals                                                 Explanations
  1   Goal:       [0 ∷ (□⁻◇⁻((¬p) S q) → □⁺(p → ◇q))]                    Given
  2   Assertion:  [t1 + h2(t1) ∷ (¬p) S q]⁻                              1, split; reify □⁻ & ◇⁻
  3   Goal:       [c3 ∷ p → ◇⁺q]                                         1, split; reify □⁺
  4   Assertion:  [c3 ∷ p]⁻                                              3, split
  5   Goal:       [c3 + δ4 ∷ q]⁺                                         3, split; reify ◇⁺
  6   Assertion:  h5(t1) ≤ t1 + h2(t1)                                   2, reify S⁻; split
  7   Assertion:  [h5(t1) ∷ q]⁻                                          2, reify S⁻; split
  8   Assertion:  ((h5(t1) < t6) ∧ (t6 ≤ t1 + h2(t1))) → [t6 ∷ ¬p⁺]      2, reify S⁻; split
  9   Goal:       ((h5(t1) < c3) ∧ (c3 ≤ t1 + h2(t1)))⁺                  8&4, resolution, {t6 ← c3}; and duality

At this point in the proof, one could resolve goal #5, containing q⁺, with assertion #7, containing q⁻; the system would automatically generate the goal (h5(t1) = c3 + δ4) and pass this new formula plus the deductive tableau's other time formulas (assertion #6 and goal #9) to a Presburger-like decision procedure, altogether in the form `⟨assertions⟩ → ⟨goals⟩':

  (∀t1)(h5(t1) ≤ t1 + h2(t1))
    → ( (∃t1)((h5(t1) < c3) ∧ (c3 ≤ t1 + h2(t1)))
        ∨ (∃t1, δ4)(h5(t1) = c3 + δ4) )

This formula is indeed valid (for the natural numbers), so these operations would satisfactorily finish the proof.

Alternatively, one may continue the proof `manually' as follows:

 10   Assertion:  (x ≤ x + y)⁻                                           axiom for natural numbers
 11   Goal:       (h5(c3) < c3)⁺                                         10&9, resolution, {t1 ← c3, x ← c3, y ← h2(c3)}

 12   Assertion:  (x < y)⁻ ∨ (∃z)(x = y + z)                             property of naturals
 13   Assertion:  ((∃z)(h5(c3) = c3 + z))⁻                               12&11, resolution, {x ← h5(c3), y ← c3}; duality
 14   Assertion:  (h5(c3) = c3 + c7)⁻                                    13, eliminate ∃⁻
 15   Goal:       [h5(c3) ∷ q]⁺                                          14&5, equality, {δ4 ← c7}
 16   Goal:       true                                                   15&7, resolution, {t1 ← c3}

7.3 Verification of List-processing

An assumption of list-processing code is that for any list l and at any time, if some dynamic symbol d is set equal to the list, and then (as time passes) d gets repeatedly truncated (while doing so is possible), then eventually d will equal the empty list NIL. Such a statement may be formalized as follows:

  (∀l)□( ((d = l) ∧ □(¬(d = NIL) → (⊕d = tail(d)))) → ◇(d = NIL) ).

This formula can be proven in ATL, using induction for lists, in thirty-three steps.

8 Properties of the ATL Deductive System

(Proofs of these properties are given in the extended version of this paper.)

8.1 Soundness

When all ATL formulas and operations are translated into nontemporal predicate logic, the soundness established in [MW93] applies; i.e., any formula which can be proven in ATL is indeed valid.

8.2 Relative Completeness

The ATL system can perform all the operations of the deductive system of [AM90]. Hence, as [AM90] identified a class of `arithmetical' formulas (of predicate temporal logic) for which their deductive system is complete, the ATL system is also complete for that class.

8.3 Decision Procedure for Propositional Temporal Logic

The ATL deductive system can be used for a decision procedure for formulas of propositional temporal logic by mimicking more standard `semantic' decision algorithms such as the graph-based one of [KM93]. (This decision procedure using ATL also resembles the construction in [AM90]'s proof of completeness of their deductive system for propositional temporal formulas.)

9 Conclusion

The deductive system described here allows established techniques for reasoning in predicate logic with induction to be extended to temporal logic. This system has several features which enable it to avoid complications of removal of temporal operators, and it invokes special unification and decision procedures to reduce the burden on the user. It enables proofs of temporal formulas to be constructed with more formality, ease, and clarity than was previously possible.

References

[AM90] Abadi, M., and Manna, Z.: "Nonclausal Deduction in First-Order Temporal Logic," Journal of the Association for Computing Machinery (JACM), Volume 37 (1990), Number 2 (April), pp. 279–317.
[CES86] Clarke, E., Emerson, E., and Sistla, A.: "Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications," ACM Transactions on Programming Languages and Systems, Volume 8 (1986), Number 2 (April), pp. 244–263.
[KM93] Kesten, Y., Manna, Z., McGuire, H., and Pnueli, A.: "A Decision Algorithm for Full Propositional Temporal Logic," in Courcoubetis, C. (editor): Computer Aided Verification (5th International Conference, CAV '93) (LNCS #697), pp. 97–109. Springer-Verlag, Berlin, 1993.
[MP91] Manna, Z., and Pnueli, A.: The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer-Verlag, New York, 1991.
[MW80] Manna, Z., and Waldinger, R.: "A Deductive Approach to Program Synthesis," ACM Transactions on Programming Languages and Systems, Volume 2 (1980), pp. 90–121.
[MW93] Manna, Z., and Waldinger, R.: The Deductive Foundations of Computer Programming. Addison-Wesley, Reading, Massachusetts, 1993.
[O88] Ohlbach, H.: "A Resolution Calculus for Modal Logics," in Lusk, E., and Overbeek, R. (editors): 9th International Conference on Automated Deduction (Proceedings) (LNCS #310), pp. 500–516.
Springer-Verlag, Berlin, 1988.
[O93] Ohlbach, H.: "Translation Methods for Non-Classical Logics: An Overview," in Automated Deduction in Nonstandard Logics (Technical Report #FS-93-01), pp. 113–125. AAAI Press, Menlo Park, California, 1993.
[P86] Plaisted, D.: "A Decision Procedure for Combinations of Propositional Temporal Logic and Other Specialized Theories," Journal of Automated Reasoning, Volume 2 (1986), pp. 171–190.
[S79] Shostak, R.: "A practical decision procedure for arithmetic with function symbols," JACM, Volume 26 (1979), Number 2 (April), pp. 351–360.
[W89] Wallen, L.: Automated Proof Search in Nonclassical Logics. The MIT Press, Cambridge, Massachusetts, 1989.

This article was processed using the LaTeX macro package with LLNCS style.