See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/220693544

Logic in computer science - modelling and reasoning about systems (2. ed.).
Book · January 2004
Source: DBLP

2 authors: Michael Huth (Imperial College London), Mark Ryan (University of Birmingham)

All content following this page was uploaded by Michael Huth on 13 October 2014.


Logic in Computer Science:
Modelling and Reasoning about Systems
MICHAEL HUTH
Department of Computing and Information Sciences
Kansas State University, USA.
MARK RYAN
School of Computer Science
University of Birmingham, UK.
Contents

Preface  1
Acknowledgments  8

1 Propositional Logic  9
  1.1 Declarative sentences  10
  1.2 Natural deduction  14
    1.2.1 Rules for natural deduction  15
    1.2.2 Derived rules  36
    1.2.3 Natural deduction in summary  38
    1.2.4 Provable equivalence  41
    1.2.5 An aside: proof by contradiction  42
  1.3 Propositional logic as a formal language  46
  1.4 Semantics of propositional logic  55
    1.4.1 The meaning of logical connectives  55
    1.4.2 Mathematical induction  60
    1.4.3 Soundness of propositional logic  65
    1.4.4 Completeness of propositional logic  70
  1.5 Normal forms  78
    1.5.1 Semantic equivalence, satisfiability, and validity  78
    1.5.2 Conjunctive normal forms and validity  85
    1.5.3 Horn clauses and satisfiability  94
  1.6 Bibliographic notes  98

2 Predicate Logic  100
  2.1 The need for a richer language  100
  2.2 Predicate logic as a formal language  106
    2.2.1 Terms  106
    2.2.2 Formulas  108
    2.2.3 Free and bound variables  113
    2.2.4 Substitution  115
  2.3 Proof theory of predicate logic  119
    2.3.1 Natural deduction rules  119
    2.3.2 Quantifier equivalences  131
  2.4 Semantics of predicate logic  139
    2.4.1 Models  140
    2.4.2 Semantic entailment  147
    2.4.3 The semantics of equality  149
  2.5 Undecidability of predicate logic  152
  2.6 Bibliographic notes  158

3 Verification by Model Checking  160
  3.1 Motivation for verification  160
  3.2 Syntax of computation tree logic  164
  3.3 Semantics of computation tree logic  168
    3.3.1 Practical patterns of specifications  177
    3.3.2 Important equivalences between CTL formulas  178
  3.4 Example: mutual exclusion  181
    3.4.1 First modelling attempt  182
    3.4.2 Second modelling attempt  183
  3.5 A model checking algorithm  184
    3.5.1 The labelling algorithm  185
    3.5.2 Pseudo-code of the model checking algorithm  189
    3.5.3 The 'state explosion' problem  190
  3.6 The SMV system  193
    3.6.1 Modules in SMV  195
    3.6.2 Synchronous and asynchronous composition  196
    3.6.3 Mutual exclusion revisited  197
    3.6.4 The Alternating Bit protocol  201
  3.7 Model checking with fairness  205
  3.8 Alternatives and extensions of CTL  207
    3.8.1 Linear-time temporal logic  207
    3.8.2 CTL*  210
    3.8.3 The expressive power of CTL  213
  3.9 The fixed-point characterization of CTL  215
    3.9.1 Monotone functions  218
    3.9.2 The correctness of SAT_EG  220
    3.9.3 The correctness of SAT_EU  222
  3.10 Bibliographic notes  226

4 Program Verification  228
  4.1 Why should we specify and verify code?  229
  4.2 A framework for software verification  230
    4.2.1 A core programming language  232
    4.2.2 Hoare triples  235
    4.2.3 Partial and total correctness  238
    4.2.4 Program variables and logical variables  241
  4.3 Proof calculus for partial correctness  242
    4.3.1 Proof rules  242
    4.3.2 Proof tableaux  246
    4.3.3 A case study: minimal-sum section  264
  4.4 Proof calculus for total correctness  270
  4.5 Bibliographic notes  273

5 Modal Logics and Agents  274
  5.1 Modes of truth  274
  5.2 Basic modal logic  275
    5.2.1 Syntax  275
    5.2.2 Semantics  276
  5.3 Logic engineering  286
    5.3.1 The stock of valid formulas  287
    5.3.2 Important properties of the accessibility relation  291
    5.3.3 Correspondence theory  293
    5.3.4 Some modal logics  297
    5.3.5 Semantic entailment  301
  5.4 Natural deduction  302
  5.5 Reasoning about knowledge in a multi-agent system  306
    5.5.1 Some examples  306
    5.5.2 The modal logic KT45n  309
    5.5.3 Natural deduction for KT45n  315
    5.5.4 Formalising the examples  317
  5.6 Bibliographic notes  328

6 Binary Decision Diagrams  330
  6.1 Representing boolean functions  330
    6.1.1 Propositional formulas and truth tables  331
    6.1.2 Binary decision diagrams  333
    6.1.3 Ordered BDDs  340
  6.2 Algorithms for reduced OBDDs  348
    6.2.1 The algorithm reduce  348
    6.2.2 The algorithm apply  350
    6.2.3 The algorithm restrict  357
    6.2.4 The algorithm exists  359
    6.2.5 Assessment of OBDDs  361
  6.3 Symbolic model checking  365
    6.3.1 Representing subsets of the set of states  365
    6.3.2 Representing the transition relation  369
    6.3.3 Implementing the functions pre∃ and pre∀  370
    6.3.4 Synthesising OBDDs  372
  6.4 The relational mu-calculus  375
    6.4.1 Syntax and semantics  376
    6.4.2 Coding CTL models and specifications  380
  6.5 Bibliographic notes  388

Index  389
Bibliography  399
Preface

Our motivation for writing this book

Recent years have brought about the development of powerful tools for verifying specifications of hardware and software systems. By now, the IT industry has realized the impact and importance of such tools in their own design and implementation processes. Major companies, such as Intel, Siemens, BT, AT&T, and IBM, are now actively investigating this technology and its incorporation into their planning and production departments. This necessitates the availability of a basic formal training which allows undergraduate students as well as working programmers and beginning graduate students to gain sufficient proficiency in using and reasoning with such frameworks. The recent shift of information technologies toward internet-based data access and processing means that there is also an increased demand for qualified individuals who can reason about sophisticated autonomous agent-based software which is able to interact with other agents and gather desired information on large networks.

This book addresses these needs by providing a sound basis in logic, followed by an introduction to the logical frameworks which are used in modelling and reasoning about computer systems. It provides a simple and clear presentation of the material. A carefully chosen core of essential terminology is introduced; further technicalities are introduced only where they are required by the applications.

We believe that our proposed course material makes a vital contribution to preparing undergraduate students for today's fast-paced and changeable professional environments. This confidence stems not only from the topicality of our proposed applications, but also from the conviction that a solid background in logical structures and formalisms can very well serve as a buoy in the rough waters of future software and hardware developments.

There is an abundance of books on mathematical logic or logic in computer science on the market. However, we are not aware of any book that suits the contemporary and applications-driven courses that we teach and that are beginning to be taught in most computer science curricula. Existing books tend to be written for logicians rather than computer science students and are thus too "heavy", and overloaded with technical terminology. The ties to computer science are merely of a foundational nature, such as the Curry-Howard isomorphism, or cut-elimination in sequent calculi. There is an evident need for a book which introduces the contemporary applications of logic which are beginning to be taken up by industry; the book should be accessible to students who do not want to learn logic for its own sake.

It is important to say what the book does not provide: we completely omitted applications like the design and use of theorem-provers, the exposure to constructive type theories (such as the Calculus of Constructions and the Logical Framework) as a mathematical foundation for program synthesis, and the design, analysis and implementation of programming languages. This decision is by no means meant to represent a judgment of such topics. Indeed, we hope and anticipate that others will address these important issues in a text that is suitable for undergraduates.

Reasons for adopting this book

Our book zooms in on concepts at the heart of logic and presents them in a contemporary fashion. In that way, and by discussing the implementation of such principles, our material creates stimulating overlaps with other standard courses such as Formal Language Theory or an Introduction to Data Types and Programming.

It differs from existing books on that subject in the following ways:

- New technical concepts are introduced as they are needed, and never for their own sake. The emphasis is always on applications rather than on mathematical technicalities. Yet, technicalities are always treated with the necessary rigour.
- We introduce, at an accessible level, a framework for program verification (symbolic model checking) which is currently available only in research papers. This is at present a hot topic in industry, and graduates fluent in this material are highly sought.
- Our text is supplemented by a world-wide web site (www.cs.bham.ac.uk/research/lics/) which offers additional material useful for classroom presentations, such as postscript files of figures for online, or overhead projector, presentations, and html files of all the SMV code featured in the book.
- All sections of the book have several exercises marked with an * as in

  Exercises 0.1
  * 1. ...
    2. ...
  * 3. ...
    4. ...

  for which we have provided sample solutions in LaTeX. Bona fide teachers and instructors may obtain the postscript files directly from Cambridge University Press. Exercises end with a short bar, as shown, in order that the reader knows where to pick up the text.

Outline of the book

One of the leitmotifs of our book is the observation that most logics used in the design, specification, and verification of computer systems fundamentally deal with a satisfaction relation

    M ⊨ φ

where M is some sort of situation or model, like the snapshot of a system, and φ is a specification, a formula of that logic, expressing what should be true in situation M. For example, M could model a communications protocol and φ the property that the protocol be fair. At the heart of this setup is that ⊨ is actually computable in a compositional way. Fixing the situation M, we determine whether M ⊨ φ holds by recursively determining this for all subformulas of φ. We expand this view for a particular logic (CTL), where this computation and the modelling of a situation may be done purely symbolically using boolean formulas. Tools which support this reasoning make the approach applicable to quite a few realistic systems and designs.
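The compositional computation of M ⊨ φ just described can be made concrete in a few dozen lines. What follows is an added example, not code from the book or from its companion web site: an explicit-state CTL checker in the style of the labelling algorithm, run on a constructed two-process mutual exclusion model (each process cycles through non-critical, trying and critical; one process moves per step; entry into the critical section is blocked while the other process holds it). The model, the tuple encoding of formulas and every name used (build_mutex_model, sat, holds and the connective helpers) are this example's own assumptions and do not reproduce the book's models or SMV code. Only the adequate connectives true, ¬, ∧, EX, EU and AF are computed directly; AG, EF, EG and AX are rewritten into them. On this model the safety property AG ¬(c1 ∧ c2) holds, while the liveness property AG(t1 → AF c1) fails, because the model admits a path on which process 1 stays in its trying state forever.

```python
"""Added example (not from the book): an explicit-state CTL model checker.

sat(model, phi) returns the set of states of the model satisfying phi and
is defined by recursion over the subformulas of phi, which is exactly the
compositional reading of M |= phi.  Names, encodings and the sample model
are this example's own assumptions.
"""


def build_mutex_model():
    """Constructed two-process mutual exclusion model (one process moves per step).

    Each process is in status n (non-critical), t (trying) or c (critical).
    A process may enter c only while the other process is not in c.
    Returns (states, succ, labels): the reachable states, the successor map
    and the atomic propositions true in each state, e.g. {"t1", "c2"}.
    """
    def moves(own, other):
        if own == "n":
            return ["t"]
        if own == "t":
            return ["c"] if other != "c" else []  # entry guarded by the other process
        return ["n"]                              # leave the critical section

    init = ("n", "n")
    states, succ, frontier = set(), {}, [init]
    while frontier:
        s = frontier.pop()
        if s in states:
            continue
        states.add(s)
        p1, p2 = s
        succ[s] = {(a, p2) for a in moves(p1, p2)} | {(p1, b) for b in moves(p2, p1)}
        frontier.extend(succ[s])
    # CTL semantics assumes every state has at least one successor.
    assert all(succ[s] for s in states), "model must have no deadlocked state"
    labels = {(p1, p2): {p1 + "1", p2 + "2"} for (p1, p2) in states}
    return states, succ, labels


# Formulas are nested tuples; the first element names the connective.
TRUE = ("true",)
def atom(p): return ("atom", p)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def imp(f, g): return ("or", neg(f), g)       # f -> g  as  not f or g
def EX(f): return ("EX", f)
def EU(f, g): return ("EU", f, g)
def AF(f): return ("AF", f)
def EF(f): return EU(TRUE, f)                 # EF f  =  E[true U f]
def AG(f): return neg(EF(neg(f)))             # AG f  =  not EF not f
def EG(f): return neg(AF(neg(f)))             # EG f  =  not AF not f
def AX(f): return neg(EX(neg(f)))             # AX f  =  not EX not f


def sat(model, f):
    """Set of states satisfying f, computed bottom-up over the subformulas of f."""
    states, succ, labels = model
    kind = f[0]
    if kind == "true":
        return set(states)
    if kind == "atom":
        return {s for s in states if f[1] in labels[s]}
    if kind == "not":
        return states - sat(model, f[1])
    if kind == "and":
        return sat(model, f[1]) & sat(model, f[2])
    if kind == "or":
        return sat(model, f[1]) | sat(model, f[2])
    if kind == "EX":
        target = sat(model, f[1])
        return {s for s in states if succ[s] & target}
    if kind == "EU":
        # Least fixed point: start from the states satisfying g, then repeatedly
        # add states satisfying f that have a successor already in the set.
        keep, x = sat(model, f[1]), sat(model, f[2])
        while True:
            grown = x | {s for s in keep if succ[s] & x}
            if grown == x:
                return x
            x = grown
    if kind == "AF":
        # Least fixed point: add states all of whose successors are already in.
        x = sat(model, f[1])
        while True:
            grown = x | {s for s in states if succ[s] <= x}
            if grown == x:
                return x
            x = grown
    raise ValueError(f"unknown connective {kind!r}")


def holds(model, state, f):
    """M, state |= f"""
    return state in sat(model, f)


if __name__ == "__main__":
    m = build_mutex_model()
    init = ("n", "n")
    safety = AG(neg(conj(atom("c1"), atom("c2"))))      # never both critical
    liveness = AG(imp(atom("t1"), AF(atom("c1"))))      # trying leads to critical
    print("states:", len(m[0]))
    print("safety holds:", holds(m, init, safety))
    print("liveness holds:", holds(m, init, liveness))
    # States that are trying but not guaranteed to enter: the liveness witnesses.
    print(sorted(sat(m, conj(atom("t1"), neg(AF(atom("c1")))))))
```

The failing liveness check is the same kind of finding the book's first mutual exclusion model produces: the state in which both processes are trying can loop through process 2 entering and leaving the critical section without process 1 ever being scheduled in. Fixing this requires refining the model (for instance, remembering which process arrived first), not the checker.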
Here is a brief synopsis of what the book covers:

Chapter 1, on propositional logic, should be the common starting point and backbone for any course based on this book; it might also be used as a reference text for courses that presuppose a knowledge of propositional logic. Its sections provide
- a complete presentation of a natural deduction style proof system for propositional logic with a discussion of the intuitionistic fragment;
- a section on propositional logic as a formal language;
- the semantics of propositional logic, where:
  - we constructively prove soundness and completeness of the proof system with respect to the usual truth table semantics;
  - we discuss the notions of equivalence, satisfiability, and validity;
  - we cover the principle of mathematical induction, which is needed for soundness, is often employed in our book, and is one of the central reasoning tools in computer science; and
  - we feature a section on conjunctive normal forms and Horn formulas; our presentation highlights the development of algorithms computing such normal forms as well as discussing their correctness.

Chapter 2 addresses predicate logic. In this chapter we
- first motivate the need for richer logics via symbolic representations of natural language sentences;
- define and study predicate logic as a formal language with the standard notions of static scoping (free and bound variables) and substitution;
- familiarize students with its semantics;
- introduce a natural deduction style proof system for predicate logic by "enriching" the proof system of Chapter 1 with the introduction and elimination rules for quantifiers; we use this system to prove the standard quantifier equivalences; and
- present Church's result on the undecidability of validity in predicate logic (via a reduction from the Post correspondence problem).

Chapter 3 introduces students to model checking, a state-of-the-art technique in verifying concurrent systems. We
- focus on the syntax and semantics of CTL (Computation Tree Logic), and derive the standard algorithm for model checking CTL formulas;
- let students practice the synthesis and interpretation of practically relevant, and frequently occurring, specifications in CTL;
- present two case studies in great detail: a mutual exclusion protocol and an alternating bit protocol; both protocols are developed as labelled transition systems;
- introduce the symbolic model verifier SMV, provide SMV code for our case studies and discuss the relevant CTL specifications;
- explain how CTL and SMV manage to incorporate fairness constraints;
- discuss the logics LTL and CTL* and compare their expressive power to that of CTL;
- give a fixed-point characterization of those CTL operators which express invariant behaviour; and
- conclude by pointing out that practical specifications often obey common patterns and offer pointers to web sites where such patterns are developed, surveyed, and documented.
Chapter 4 covers program verification by discussing deductive reasoning about imperative programs; it presents a Floyd-Hoare style program logic for a sequential imperative core programming language, reminiscent of a fragment of the C programming language. The emphasis will be on correctness proofs (partial and total correctness) for fairly simple programs. The main objective is to challenge students to systematically develop small programs meeting required input/output behaviour. In particular, they need to develop the ability to come up with characterizing invariants of while-loops.

Chapter 5 discusses modal logics and agents. Modal logics are motivated through a desire to have possible world semantics.
- We discuss general syntax, semantics, and an extension of the propositional logic deduction calculus for basic modal logic. The theme of the first part of this chapter is that of "logic engineering": e.g. if □φ means that an agent knows φ, then what axioms and inference rules for □ should we engineer? We carry out such a task for various meanings of □.
- The second part of this chapter is devoted to the study of a modal logic modelling general reasoning about knowledge in a Multi-Agent System (KT45n). It carefully explains how some epistemological puzzles can be solved using this modal logic.

Chapter 6 introduces binary decision diagrams, which are a data structure for boolean functions.
- We describe ordered binary decision diagrams (OBDDs) and their accompanying algorithms;
- We discuss extensions and variations of OBDDs as well as their limitations;
- We explain how CTL models can be coded as boolean formulas;
- We present the syntax and semantics of the relational mu-calculus within which we code CTL models and their specification in the presence of simple fairness constraints.

That chapter should create stimulating links to courses on algorithms and data structures, courses on circuit design, and can also be used as a foundation for implementation projects which develop tools supporting reasoning with the concepts developed in other chapters.

At the end of each chapter, we provide pointers to the literature and to sites where free software may be downloaded, if applicable. A detailed index should allow for the quick discovery of cross-connections between most of these chapters.
Dependency of chapters and prerequisites. The book requires that students know the basics of elementary arithmetic and naive set theoretic concepts and notation. The core material of Chapter 1 (everything except Sections 1.4.3 to 1.5.3) is essential for all of the chapters that follow. Other than that, only Chapter 6 depends on Chapter 3 and on a basic understanding of the static scoping rules covered in Chapter 2, although one may easily cover Sections 6.1 and 6.2 without having done Chapter 3 at all. The dependency graph of chapters is as follows:

[Dependency graph: Chapter 1 at the root; Chapters 2, 3, 4 and 5 each depend on Chapter 1; Chapter 6 depends on Chapter 3.]

Suggested course outlines

We suggest at least three different ways of teaching with this text (based on a 12-15 week course).

- A course based on Chapters 1, 2, and 5 would be suitable for students specialising in database and information systems or artificial intelligence; this choice of material should prepare them for more advanced topics in database programming and automated deduction.
- A course based on Chapters 1, 3, and 6 would focus on the complete development of a verification framework for concurrent systems down to the implementation level.
- A course based on Chapters 1, 3, and 4 would provide a broader presentation of the logical foundations of programming.

Suitable courses based on the book. This book can be used as the main text book in a course on the introduction to logic in computer science, and the specification and verification of computer systems and programs. It may be quite useful as an additional text in courses on algorithms and data structures, the introduction to logic in artificial intelligence, sequential circuit and chip design and validation, discrete mathematics for computer scientists, formal language theory, as well as courses in networks and operating systems.

WWW page

This book is supported by a WWW page, which contains a list of errata, the SMV source code for examples in Chapter 3, some further exercises, and details of how to obtain the solutions to exercises in this book which are marked with a *. There are also links to other relevant pages. The URL for the book's page is

www.cs.bham.ac.uk/research/lics/
Acknowledgments

Many people have, directly or indirectly, assisted us in writing this book. David Schmidt kindly provided several exercises for Chapter 4. Krysia Broda has pointed out some typographical errors, and she and the other authors of [BEKV94] have allowed us to use some exercises from that book (notably Exercises 1.6(1(b)), 2.2(5), 2.5(4, 9, 10)). We also borrowed exercises or examples from [Hod77] and [FHMV95]. Zena Matilde Ariola, Josh Hodas, Jan Komorowski, Sergey Kotov, Scott A. Smolka and Steve Vickers have corresponded with us about this text; their comments are appreciated. Matt Dwyer and John Hatcliff made useful comments on drafts of Chapter 3. A number of people read and provided useful comments on several chapters, including: Graham Clark, Christian Haack, Anthony Hook, Achim Jung, Kevin Lucas, Roberto Segala, Alan Sexton, and Allen Stoughton. Numerous students at Kansas State University and the University of Birmingham have given us feedback of various kinds, which has influenced our choice and presentation of the topics. We acknowledge Paul Taylor's LaTeX package for proof boxes. About half a dozen anonymous referees made critical, but constructive comments which helped to improve this text in various ways. In spite of these contributions, there may still be errors in the book, and we alone must take responsibility for those.
Index

ABP, 201
  acknowledgment channel, 201
  alternating the control bit, 201
  fairness, 201
  main SMV program, 204
absorption laws, 84
abstract data type
  sets, 190
abstraction, 163, 192, 205
  and non-determinism, 194
accessibility relation, 277, 291, 311
adequate set of connectives
  for CTL, 179, 180, 185, 207, 210, 385
  for propositional logic, 80, 99
agent, 275, 289, 298
algebraic specification, 158
algorithm
  deterministic, 85
algorithm apply, 350
  complexity, 361
  control structure, 351
  recursive descent, 352
algorithm CNF, 85
algorithm reduce, 348
  complexity, 361
algorithm restrict, 357
  complexity, 361
algorithm reduce
  example execution, 350
alternating bit protocol, 201
always in the future, 289
and-elimination, 15, 316
and-introduction, 15, 316
application domain, 161, 228
approach
  model-based, 161
  proof-based, 161
approximants
  μ_m Z.f, 378
  ν_m Z.f, 378
arity, 106, 107
array, 235
  bounds, 264
  field, 264
  of integers, 264
  section, 264
artificial intelligence, 274
artificial language, 100
assignment, 193
  initial, 268
  non-deterministic, 202, 206
  program notation, 233
  statement, 163, 233
associativity laws, 81, 84
assumption
  discharging, 40, 302
  stack of assumptions, 67
  temporary, 21, 136
asynchronous
  circuit, 330
  interleaving, 182
atom
  marking, 95
atomic formula, 309
  of modal logic, 275
  of predicate logic
    meaning, 141
axiom
  5, 304, 305
  T, 318
  4, 299, 304, 315
  5, 304, 315
  T, 299, 304, 315, 320
  for assignment, 243
  for equality, 120
  for modal logic, 297
  instance, 244
  schemes, 301
Backus Naur form (BNF), 48
backwards breadth-first search, 188, 207
base case, 60, 61, 65
basic modal logic, 275
BDD, 338
  hi(n), 349
  lo(n), 349
  as boolean function, 338
  complement, 340
  consistent path, 339
  edge, 333
  examples, 338
  has an ordering, 341
  layer of variables, 333
  line
    dashed, 334, 338
    solid, 334, 338
  ordered, 341
  read-1, 357
  reduced, 338
  removal of duplicate non-terminals, 337
  removal of duplicate terminals, 337
  removal of redundant tests, 337
  satisfiable, 339
  subBDD, 336
  which is not a read-1-BDD, 358
  which is not an OBDD, 342
  with duplicated subBDDs, 336
belief, 289
binary decision diagram, 338
binary decision tree, 333
  redundancies in, 335
binding priorities, 165
  for basic modal logic, 275
  for integer expressions, 232
  for KT45n, 310
  for predicate logic, 109
  for propositional logic, 13
  for relational mu-calculus, 376
bit, 154
  control, 201
  least significant, 363
  most significant, 363
  one-bit channel, 202
  two-bit channel, 202
blocks of code, 233
Boole, G., 98, 351
boolean algebra, 29
boolean connective, 166, 278
boolean existential quantification, 359
boolean expression, 233, 245
boolean forall quantification, 361
boolean formula
  independent of a variable, 352
  semantically equivalent, 351
  truth table, 331
boolean function
  'don't care' conditions, 355
  as a binary decision tree, 333
  symbolic representation, 330
boolean guard, 258
boolean variable, 330
bottom, 32
bottom-elimination, 33
bottom-introduction (see "not-elimination"), 33
box-elimination, 303
box-introduction, 303
branching-time logic, 162
case
  overlap, 88
case analysis, 87, 89, 126
case-statement, 28, 194
characteristic function, 366
Church, A., 153
circuit
  2-bit comparator, 374
  asynchronous, 197, 373
  sequential, 331
  synchronous, 197, 330, 373, 385
circular definition, 180
Clarke, E., 163, 227
classical logic, 42, 300
client, 231
clock tick, 184
closure under propositional logic, 297
CNF, 81
code
  specification, 229
  verification, 229
coding
  AF, 382
  EF, 381
  EG, 382
  EU, 382
  EX, 381
  examples of symbolic evaluation, 382
  fair EG, 386
  fair EU, 386
  fair EX, 386
  set of fair states, 385
command, 233
  atomic, 233
  compound, 233
common knowledge, 306, 310
  as invariant, 375
communicating processes, 228
communication protocol, 197
completeness
  of natural deduction for predicate logic, 103
  of natural deduction for propositional logic, 78
complexity
  exponential, 190
  of apply, 356
  of brute force minimal-sum section algorithm, 265
  of fairness, 386
  of labelling algorithm, 187, 188
  of labelling EG_C, 207
composition
  sequential, 252
  synchronous, 196
compositional semantics, 57
compositionality
  in model checking, 193
computability, 152
computation
  intractable, 70
computation path, 171
  fair, 207
computation trace, 260
computation tree logic, 163, 274, 289
computational behaviour, 274
computer program, 114
concatenation, 142, 153
conclusion, 12, 246, 257
concurrency, 229
conjunct, 82
conjunction, 12, 267
  infinite, 310
connective
  adequate set, 190
  unary, 165
consistency, 151, 276, 287
constant symbol, 111
contradiction, 31, 132, 289, 296
control structure, 233, 234
controlling value, 356
copy rule, 30, 303
core programming language, 232, 264
correspondence theory, 297
counter example, 140, 149, 287, 305
counter trace, 162
critical section, 181
CTL, 163, 227, 274, 289
  as a subset of CTL*, 211
  expressive power, 213
  modalities, 274
  model checker, 193
  with boolean combinations of path formulas, 213, 214
CTL connectives
  fair, 385
CTL formula
  square brackets, 166
CTL*, 210, 227
dag, 338
dashed box
  flavour, 315
data structure, 141
de Morgan laws, 83, 179, 215
  for modalities, 282
deadlock, 168, 177, 212
debugging systems, 185, 229
decision problem, 152
  of validity in predicate logic, 153
decision procedure, 79
declarative explanation, 38
declarative sentence, 10, 100
  truth value, 55
default case, 194
definition
  inductive, 48
description
  informal, 230, 236, 265
  language, 160, 162
Dijkstra, E., 259
directed graph, 168, 337
  acyclic, 338
  cycle, 337
disjunction, 12
  of literals, 81, 83
distributivity laws
  of box modality, 282
  of F connective, 209
  of propositional logic, 29, 84, 87
dividend, 263
don't care links, 369
double negation-elimination, 301
double negation-introduction, 301
elimination rule, 15, 120
Emerson, E. A., 163, 227
encoding, 146
entailment
  in program logics, 251
environment
  and non-determinism, 194
  for concurrent programs, 161
  for predicate logic formulas, 144
equality, 235
  intentional, 120
  program notation, 233
  symbol, 119
equivalence relation, 292, 298, 314
equivalent formulas
  of basic modal logic, 283
  of CTL, 178-180
  of KT4, 299
  of KT45, 298
  of LTL, 209
  of predicate logic, 132
  of propositional logic, 26, 179
  of relational mu-calculus, 380
exclusive-or, 333, 364
existential quantifier, 179
exists-elimination, 126
exists-introduction, 126
factorial
  of a natural number, 234
  program, 234, 260
fairness
  nested fixed points, 386
  symbolic model checking, 385
fairness constraint, 184, 197
  simple, 205, 206
FAIRNESS running, 202
Fibonacci numbers, 76
field index, 264
finite automata, 358
finite data structure, 185
first order logic, 100
fixed point, 218
  greatest, 218, 219
  least, 218, 219
  semantics for CTL, 180, 215
flow of control, 234
Floyd, R., 242
for-loop, 235
forall-elimination, 122
forall-introduction, 123
formal
  path, 211
formula
  height, 63, 77
  Horn, 94
  immediate subformula, 186
  of basic modal logic, 282
  of CTL, 164
    atomic, 164
    ill-formed, 165
    well-formed, 165
  of LTL
    valid, 215
  of predicate logic, 109, 250
  of propositional logic, 48, 71, 178
    well-formed, 47, 48, 63
  of relational mu-calculus, 376
  positive, 300, 319, 325
  scheme, 179, 280, 288
    K, 283
    in propositional logic, 280
    instance, 280
  subformula, 50
frame, 293
free for x in φ, 117, 122
Frege, G., 158
function
  in predicate logic, 142
  monotone, 218
    a non-example, 218
  recursive, 181
  SAT, 189, 191
    termination, 226
  SAT_AF, 192, 216
  SAT_AG, 226
  SAT_EG, 193
  SAT_EU, 192
  SAT_EX, 191
  symbol, 104, 105, 111
    binary, 106
  translate, 181
function pre∃(X), 368
function pre∀(X), 368
function SAT
  correctness, 218
future
  excludes the present, 176, 301
  includes the present, 174, 176, 301
  whether it includes the present, 289
  world, 162
G-reachable, 312
  in k steps, 312
Gödel, K., 103
Gentzen, G., 98
grammar, 48
  clause, 242
Halpern, J., 227
Hoare triple, 236
Hoare, C.A.R., 236, 242
Hodges, W., 158
Horn clause, 94
hybrid rule, 320
if-statement, 255
implication, 12
  logical, 251
implies-elimination, 18
implies-introduction, 21
in-order representation, 51
inconsistency, 231
index, 153
induction
  course-of-values, 63
  hypothesis, 60, 61
  in model checking, 192
  mathematical, 60
inductive step, 60
infix notation, 142, 166
information
  negative, 320
information content, 32
input parameter, 87
integer
  expression, 232
integer label, 348
integer multiplication, 363
interface between logics, 250
interleaving
  formulas with code, 248
  transitions, 182, 197
introduction rules, 15, 120
introspection
  negative, 290, 298
  positive, 290, 298
intuitionistic logic, 42, 134, 299
invariants, 246
  discovering, 258
iterative squaring, 388
Jape, 158
justification, 249, 250, 303
Knaster-Tarski Theorem, 219
knowledge
  common, 307
  distributed, 310
  false, 292
  formula
    positive, 320
  idealised, 290, 298
  in a multi-agent system, 275
  modality, 309
  of agent, 275, 290
Kozen, D., 388
Kripke model, 277
  as a counter example, 305
  for KT45n, 311
Kripke, S., 277, 283

label
  adding, 186
  deleting, 187
labelling
  AF, 186
  EG, 187
  EGC, 207
  EU, 186
  EX, 186
labelling algorithm, 185
labelling function
  coding subsets, 366
  for CTL model, 168
  for Kripke model, 277
  frame does not have one, 294
language construct, 235
law of excluded middle, 38
laws of arithmetic, 250
LEM
  instance, 300
linear-time logic, 162
linear-time temporal logic, 208
literal, 81, 89
liveness, 183, 197
  property, 181, 183, 204, 206
logic engineering, 275, 286
logic programming, 70, 158
logical level, 251
look-up table, 144
  up-dated, 144
LTL, 208, 227

machine state, 235
Manna, Z., 227
McMillan, K., 227
memoisation
  of computed OBDDs, 352
midcondition, 249
minimal-sum section, 264
minimal-sum section problem, 273
modal connective
  CG, 310
  Ki, 309
modal logic, 274
  K, 298
  KT4, 299
  KT45, 298
  normal, 297
  S4, 299
  S5, 298
modality, 162, 276
  diamond, 276
  path, 213
model
  of KT45n, 311
  of basic modal logic, 277, 296
  of CTL, 168, 278
    pictorial representation, 168, 176, 177
  of intuitionistic propositional logic, 300
  of KT45, 311
  of KT45n, 312
  of predicate logic, 103, 142
  of propositional logic, 57
model checker, 162
model checking, 161, 163, 228
  algorithm, 180, 189, 206, 289
  debugging, 381
  example, 175
  with fairness constraints, 206
model of CTL, 168
model-based verification, 160, 162
module, 237
modulo 8 counter, 375
modus ponens, 18
modus tollens, 19, 300
muddy children puzzle, 317, 320
Mutex model
  pictorial representation, 182
mutual exclusion, 181

natural deduction
  extension to predicate logic, 103
  for modal logic, 306
  for temporal logic, 162
  inventor, 98
natural deduction rules
  for basic modal logic, 303
  for KT45n, 316, 327
  for predicate logic, 120
  for propositional logic, 39
necessity
  logical, 162, 276, 288
  physical, 288
negation, 12
negation-elimination (see "bottom-elimination"), 33
negation-introduction, 33
nested boolean quantification, 381
network
  architecture, 163
  synchronous, 162
no strict sequencing, 182, 183
node
  initial, 338
  leaf, 114
  non-terminal, 333
  terminal, 334, 338
non-blocking protocol, 181, 183
non-determinism, 162, 183
non-termination, 234
normal form, 78, 80
  conjunctive, 81, 332
  disjunctive, 332
  negation, 86
    CTL*, 211
    LTL, 210
  product-of-sums, 363
  sum-of-products, 356
not-elimination, 33
not-introduction, 33
OBDD, 341
  absence of redundant variables, 346
  canonical form, 343
  complementation, 368
  definition, 341
  extensions, 364
  for pre∃(X), 370
  for pre∀(X), 370
  integer multiplication, 363
  intersection, 368
  limitations, 363
  memoisation, 352
  nested boolean quantification, 362
  of an even parity function, 344
  of the odd parity function, 344
  of transition relation, 369
  optimal ordering, 364
  reduced, 342
    unique representation, 342
  reduced one for logical "iff", 344
  representing subsets, 365
  running-time of algorithms
    upper bounds, 362
  sensitivity of size, 346
  synthesis of boolean formula, 362
  test
    for implication, 347
    for satisfiability, 347
    for semantic equivalence, 346
    for validity, 347
  union, 368
  variations, 364
odd parity function, 344
omniscience
  logical, 289, 290
or-elimination, 27
or-introduction, 27
overloading, 148
  of proof rules, 120

parity function
  even, 343
    as OBDD, 344
parity OBDD, 364
parse tree
  for a predicate logic formula, 114
  of a term, 108
  of a basic modal logic formula, 275
  of a CTL formula, 166
  of propositional logic formula, 49
  root, 50
  subtree, 50
  underspecified, 280
partial correctness, 238
partial order reduction, 192
pattern
  checkEU(f, g), 386
  checkEX(f), 386
pattern matching, 15, 125, 253
place holder, 101
Pnueli, A., 227
possibility, 286
  logical, 162, 276
possible world
  semantics, 283
Post correspondence problem, 153
postcondition
  in program logic, 236
Prawitz, D., 98
precondition
  in program logic, 236
  weakest, 249
    of algorithm, 90
predicate, 100
  binary, 102
  number of arguments, 102
  symbols, 108
  unary, 102
predicate logic, 100
  extension, 250
prefix, 142
  notation, 166
  ordering, 142
premise, 12, 243
preprocessing, 190
Prior, A., 227
problem
  instance, 153
  reduction, 152
procedural interpretation, 40
process
  concurrent, 181
  instantiation, 204
processor, 229
program
  behaviour, 237
  bug, 229
  code, 249
  construct, 233
  correctness, 90, 96, 189
    derived, 235
  diverging, 238
  documentation, 229
  environment, 230
  finite-state, 330
  fragment, 235
  logic, 248
  methodology, 231
  procedures, 235
  sequential, 228
  termination, 96, 97, 219, 238
  variable, 190, 241
  verification, 243
    formal, 232
program execution, 286, 290
programming language
  imperative, 232
proof
  box
    for →i, 21
    for forall-introduction, 123
    for modal logic, 302
    opening, 40
    side by side, 33
  by contradiction, 37
  calculus, 228, 232
  construction, 242
  constructive, 134
  dashed box, 303, 317
  fragment, 252
  indirect, 42
  of correctness, 216
  of termination, 238
  partial, 255
  partial correctness, 242, 254
  search, 70
  solid box, 303
  strategy, 129, 237
  subproof, 245
  tableaux, 242
  theory, 100, 139, 162
  total correctness, 270
proof rules, 14
  for implication, 246
  for assignment, 242
  for conjunction, 15
  for disjunction, 26
  for double negation, 17
  for equality, 120
  for existential quantification, 126
  for if-statements, 245, 255
    modified, 256
  for implication, 21, 250
  for KT45n, 316
  for negation, 31
  for quantifiers, 125
  for sequential composition, 242, 248
  for universal quantification, 122
  for while-statements, 246, 258, 264
  schema, 125
  subformula property, 127
proof tableaux
  complete, 268
proof-based verification, 160, 228
proposition, 10
propositional logic, 100
protocol, 181, 182
provability
  undecidability of predicate logic, 157

quantifier, 279, 282
  equivalences, 209
  in predicate logic, 102
    binding priorities, 109
    equivalences, 148
    meaning, 141
Quielle, J., 227

reasoning
  about knowledge, 298, 306
  constructive, 42
  in an arbitrary related world, 303
  informal, 319
  quantitative, 231
  unsound, 254
record
  field, 196
recursion
  mutual, 211
recursive call, 255
reductio ad absurdum, 37, 133, 152
reduction to absurdity, 37
regular language, 358
relation
  binary, 163, 168
  Euclidean, 292, 298
  functional, 292
  linear, 292
  reflexive, 292
    as formula, 121
  serial, 292, 302
  symmetric, 292, 301
    as formula, 121
  total, 292, 301
  transition, 168
  transitive, 292, 295
    as formula, 121
relational mu-calculus
  explicit substitution, 376
  fixed-point operators, 378
restriction, 351
root of a parse tree, 155
rule
  derived, 36
  hybrid, 19

safety property, 181, 183, 204
satisfaction
  in a frame, 294
  in a frame for KT45n, 312
satisfaction relation
  for relational mu-calculus, 376
  for basic modal logic, 278
  for CTL, 169
  for KT45, 311
  for LTL, 209
  for partial correctness, 238
  for predicate logic, 145
  for relational mu-calculus, 377
  for total correctness, 238
satisfiability, 332
  3SAT, 363
  deciding, 94
  of a predicate logic formula, 148
  of a propositional logic formula, 59
  undecidability of predicate logic, 156
SCC
  fair, 207
scheduler
  fair, 199
scope
  of a dummy variable, 131
  of a variable, 114, 115, 127
  of an assumption, 40, 127, 302
search space, 127, 153
semantic entailment
  for basic modal logic, 281
  for KT45, 300
  for normal modal logics, 301
  for predicate logic, 103
  for propositional logic, 66
  for relational mu-calculus, 380
semantic equivalence, 56
semantics
  of Z:f, 378
  of Z:f, 378
  of basic modal logic, 278
  of boolean quantification, 377
  of CTL, 168
  of EG, 217
  of equality, 150
  of predicate logic, 139
  of propositional logic, 57
  of relational mu-calculus, 377
  of Until, 174
sentence
  atomic, 12
  components, 100
  declarative, 100
  in predicate logic, 145
sequent, 14
  invalid, 76
  unsound, 130
Shannon expansion, 351
side condition, 120, 123
Sifakis, J., 227
SMV, 166, 227
  main program for ABP, 204
  module, 195
    receiver, 203
    sender, 202
    for channel, 203
    instantiation, 195
  process, 373
  program
    example, 194
    for Mutex, 197
  specification, 194
soundness
  of forall-elimination, 122
  of natural deduction
    basic modal logic, 306
    predicate logic, 103, 139
    propositional logic, 65
  of program logics, 240
  of proof rule for while-statements, 258
  of the substitution principle, 121
SPEC, 194, 202
specification
  as CTL formula, 193
  for ABP, 204
  formal, 231
  informal, 231
  language, 160
  of a predicate, 111
  patterns, 227
  practical pattern, 177
  symmetric, 183
  truth table, 83
Spin, 227
state
  critical, 182
  explosion, 190, 191
  explosion problem, 227
  fair, 386
  formula, 211
  global, 182
  graph, 171
  initial, 183, 184, 193, 205, 236
  non-critical, 182
  of a system, 242
  reachable, 205
  resulting, 235, 236
  space, 191
  splitting states, 183
  transition, 163
  trying, 182
storage
  location, 265
  state, 233
string, 167, 275
  binary, 142, 153
  empty, 142
strongly connected component, 188
structural induction, 63, 72
substitution
  in predicate logic, 116
  instance, 294
  instance of tautology, 283
  principle, 120
symbolic model checking, 365
symbolic model verifier, 193
syntactic
  category, 85, 98
  domain, 232, 233
syntax
  of basic modal logic, 275
  of boolean expressions, 233
  of boolean formulas, 333
  of CTL, 164
  of CTL*, 211
  of Horn formulas, 98
  of KT45n, 310
  of literals, 85
  of LTL, 208
  of predicate logic, 109
  of propositional logic, 48
  of relational mu-calculus, 376
  of terms, 107
system
  asynchronous, 227
    interleaving model, 374
    simultaneous model, 374
  axiomatic, 99
  commercial-critical, 160, 229
  component, 204
  concurrent, 161
  debugging, 162
  description, 195
  design, 162
  development, 161
  elevator, 177, 214
  finite-state, 228
  hybrid, 250
  infinite-state, 228
  mission-critical, 160
  multi-agent, 306
  physical, 163
  reactive, 161, 229, 330
  safety-critical, 160, 229
  transition, 162
  verification, 228

tautology, 71
temporal connective
  AF, 170
  AG, 170
  AU, 170
  AX, 169
  EF, 170
  EG, 170
  EU, 170
  EX, 170
temporal connectives, 164
temporal logic, 162, 274
term, 106
  interpretation, 145
term-rewriting system, 158
termination
  proof, 238
tertium non datur, 37
theorem, 23
  prover, 118, 157
  proving, 158
time
  continuous, 162
  discrete, 162
top, 32
total correctness, 238
transition relation, 168
  for SMV programs, 372
transition system, 162
  of ABP program, 205
  of Mutex code, 200
  of SMV program, 194
  unwinding, 171, 185
translation
  English into predicate logic, 102, 109
tree, 242
  infinite, 171
truth
  dynamic, 162
  mode, 274, 276
  of knowledge, 298
  static, 162
  value
    for predicate logic, 144
    for propositional logic, 11
truth table
  for conjunction, 55
truth tables, 57
type, 21, 299
  checking, 22
  theory, 158

unary connective, 275
undecidability
  of provability, 157
  of satisfiability, 156
  of validity in predicate logic, 153
universal quantification, 241
universal quantifier, 179
universe of concrete values, 142
unsound sequent, 158
Until, 174
  in natural language, 174
  negating, 209
  weak, 213
updated valuation, 377

validity
  in basic modal logic, 282
  in KT45n, 313
  in propositional logic, 59
  undecidability in predicate logic, 153
valuation
  in predicate logic, 140
  in propositional logic, 57
  in relational mu-calculus, 376
value
  initial, 204, 241, 242
variable, 101, 163, 232
  boolean, 190, 205, 330
  bound, 114
  capture, 117
  dummy, 123
  free, 114
  local, 235
  logical, 241, 267
variable ordering
  compatible, 342
  list, 341
variant, 270
verification
  full, 161
  method, 160
  of communication protocols, 163
  of hardware, 163
  of software, 163
  of systems, 228
  post-development, 161, 229
  pre-development, 161, 229
  process, 244
  program, 243
  property, 161
  property-oriented, 228
  semi-automatic, 228
  techniques, 160
weak Until, 213
  in CTL, 214
  in CTL*, 214
  in LTL, 214
weakest precondition, 249
while-statement, 233, 234
  body, 246, 258, 261
  non-termination, 270
wise men puzzle, 317
word
  empty, 142
world
  possible, 277, 311
  related, 277

year 2000 problem, 230