~ & T ~ 1 L a ~ a ~ e ,
We show that the class of properties of programs expressible in propositional temporal logic can be substantially extended if we assume the programs to be data-independent. Basically, a program is data-independent if its behavior does not depend on the specific data it operates upon. Our results significantly extend the applicability of the verification and synthesis methods
1. Introduction
Following the initial contributions of Floyd [Fl67] and Hoare [Ho69], the emphasis in logics of programs was for a long time on first-order logic. Indeed, when reasoning about a program, one usually talks about the variables appearing in the program, and a first-order formalism seems the most natural one in which to do this. It was only after logics of programs were formalized in terms of modal logic, e.g. dynamic logic [Pr76, Ha79] and temporal logic [Pn81], that interest in propositional logics of programs appeared, starting with the work of Fischer and Ladner on propositional dynamic logic
© 1985 ACM~-89791d75-X-1/86~184 $00.75
[FL79]. In the last few years, there has been a fairly large body of work on a number of propositional logics of programs. To mention just a few: dynamic logic [FL79], probabilistic dynamic logic [Ko83, Fe83], logic of knowledge [HM84, Le84], temporal logic [CE81, Wo83, WVS83, VW84].
that they ~ov-kle a %~ae h:me," ~i&m of the f~mali~m
which i~ ~fi~ pmptwtie~J~ can he aud~d ~n~o~d~
by the ~rmpI~gdty mh~'~t to Kr~t~.ord~ k~i~,. It trams
~ut that they a~ huer~a~ti~g fcrtagLiyt~m, ~th ~k, pco~-
des for )J~gt~c~, w~,~y o¢ them ae dee~ab)e. A~o~
~ d ~ n g vhe propoafio~a~ ven i~ of the ~agic~ giver
~dgh~ mm ~ formati,m and ~o~, ehalhmg~h~g probt¢~
In the case of temporal logic, the study of the propositional case was motivated not only by theoretical interest, but also by possible applications. The first such application was the synthesis of synchronization skeletons from propositional temporal logic (PTL) specifications. This is based on the fact that, given a propositional temporal logic formula, one can build a finite structure satisfying the formula. Another application is model checking: given a formula, one checks whether a finite-state program, viewed as a structure over which the formula is interpreted, satisfies it [EL85, LP85]. It has also been extended to the verification of probabilistic finite-state programs [Va85, PZ85, VW85]. An implementation of the model-checking procedure and its application to practical problems are described in [CES83, CM83].
While these applications of propositional temporal logic, especially model checking, are quite promising, there are limitations inherent to propositional temporal logic. Given that it is a propositional formalism, it can only deal with a finite number of values. Moreover, it can only describe finite-state structures [WVS83]. It has been argued that this does not preclude the usefulness of propositional temporal logic, as there are a large number of non-trivial programs that are "in essence finite-state". Let us examine this claim. Usually, an "in essence finite-state" program consists of a control part that has a finite number of states and some data registers that cannot reasonably be viewed as finite-state. Consider the example of a data transfer protocol: its control part is finite-state (e.g. the alternating bit protocol) and the data are simply read and passed along. A general correctness property for such a protocol is that if it receives an infinite sequence of distinct messages, it outputs the same infinite sequence. Unfortunately, such a property involves the data being manipulated and cannot be verified at the finite-state level. Also, it cannot be stated in PTL, as it is not possible to talk about an infinite number of distinct messages in a purely propositional framework.
In some ways, the remarks we have just made run against our intuition. The fact that we have to deal with an infinite number of different messages seems irrelevant, as the protocol handles all messages in an identical way. It is this intuition that we formalize in this paper. We show that under a data-independence assumption, one can still use propositional temporal logic to specify and verify the correctness of a program operating on an infinite number of different data values. Our main result is that, given the data-independence assumption, a property over an infinite number of data values is equivalent to a property over a finite number of data values. This requires an infinitary version of propositional temporal logic, i.e., a version of PTL including an infinite set of propositions and infinite conjunctions and disjunctions.
This result has interesting consequences. First, it implies that the methods of synthesis by building finite structures and of model checking can be extended to more interesting properties of the program. For instance, using these techniques one can now state in propositional temporal logic the functional correctness of a protocol, e.g. the alternating bit protocol, and verify it using model checking. Note that in previous attempts to verify the alternating bit protocol [CES83, Vo82], the functional correctness of the protocol was never stated. One only stated and verified desirable but not sufficient properties (e.g. absence of deadlock). Second, we believe our notion of data-independence helps to make more precise the notion of programs being "in essence finite-state".
we are dealing with. Then, we define PTL and its infinitary extension and show how it can be used for specification. Next we define the data-independence assumption. We follow with our results on the verification of data-independent programs. Finally, we compare our results
Figure 2.1
We ~ u m e ~at tim ~ v ~ o n w ~ t m~ke~ ~ i~Wm~,
m ~ q ~ of da~l o b ~ ~vMhble to ~ p~ogz~m at ~
where ~ c h L~de, j~10 i~ takem ~ m ~
tL~ of that ~eq~, We d.efi~ lhe dazg do~ /~ ~
p~grmm to b , D ~ d the ~r~ZaMe dam set of tba Imro~mm
At e~ch c~D~t ~ono the dam ~b~ wr~m ~re
~m]kea from the ~ t Do Th~,~ ~ ~ e q u e ~ of dram ~b~a~s
eba~vier ~ ~ D~::~geam ea~ ~ ~ vk-wed
mm i~f~ ~ e=¢ie~ea ' " • where ~ h @ l~
gxam~¢ 2 J :
~ @ a m ~ ~hm if ~ infinite * * q ~ of dim/mint d ~
~ m q ~ i~ ~:ie~n m the output ~x~t. L~ other ~a~rds0
~y ~m ~ g ~ m will lm am m~fle~vb~ of
e~#~z:,euL*/na2 .... ~ 'the o ~ p m ~ m . m
temporal logic (PTL) [GPSS80, Wo83] to specify the behavior of simple reactive programs. PTL formulas are built from propositions and the boolean connectives, the unary temporal operators X (next), F (eventually), G (always) and the binary temporal operator U (until). A complete definition is given in the appendix.
To specify a sequence of input/output events using propositional temporal logic, we associate a proposition with each possible event and write a formula involving these propositions, under the assumption that only one proposition is true at each time (see the appendix for details). This, of course, works only if the set of all different events is finite, which, in our framework, is equivalent to saying that the data domain of the program is finite. What can we do if the data domain is (countably) infinite (as in Example 2.1)? We could simply ignore the
M ~.itaMe to ~tate p i n e s ~ "~m~ v~t~ e ~ t ~ i i y
w~m~ ~ ~ u a i data mmttmm, fro" m~mm, ~ t ~ g
~ d m ~ PTL ~ i e ~ t i ~ s ~ i~ {CC~Sg3]
W ~ ]. Another solution would be to use an infinitary version of PTL. Infinitary propositional temporal logic (IPTL) is like PTL except that we consider formulas built from a countable set of propositions and that we allow countable conjunctions and disjunctions. A complete definition is given in the appendix.
Example 3.1: Let us specify in IPTL the program that reads a stream of values at its input port and writes the same stream at its output port, as in Example 2.1. The data domain of the program is the countable set $\{d_1, d_2, \ldots\}$. Thus, the set of propositions our IPTL formula is built from is the countable set $\{\mathit{in}?d_1, \mathit{out}!d_1, \mathit{in}?d_2, \mathit{out}!d_2, \ldots\}$. The specification is the following:

$$\begin{aligned}
\bigwedge_{i,j}\Big\{\;&\big[\,F\,\mathit{in}?d_i \wedge G(\mathit{in}?d_i \supset XG\neg\mathit{in}?d_i) \wedge F\,\mathit{in}?d_j \wedge G(\mathit{in}?d_j \supset XG\neg\mathit{in}?d_j) \wedge (\neg\mathit{in}?d_i\;U\;\mathit{in}?d_j)\big] \supset \\
&\big[\,F\,\mathit{out}!d_i \wedge G(\mathit{out}!d_i \supset XG\neg\mathit{out}!d_i) \wedge F\,\mathit{out}!d_j \wedge G(\mathit{out}!d_j \supset XG\neg\mathit{out}!d_j) \wedge (\neg\mathit{out}!d_i\;U\;\mathit{out}!d_j)\big]\Big\} \qquad (3.1)
\end{aligned}$$

Basically, it states that for all $i, j$, if $d_i$ and $d_j$ are read exactly once and if $d_j$ is read before $d_i$, then $d_i$ and $d_j$ are written exactly once and $d_j$ is written before $d_i$ (remember that we interpret this formula under the assumption that only one proposition is true at each point). We also need to specify that the program keeps reading some data object. This can be done by:

$$GF\Big(\bigvee_i \mathit{in}?d_i\Big) \qquad (3.2)$$
Clearly, IPTL lets us specify the type of properties we are interested in. Of course, the problem is the
lac~ ~ u ~ u l l ~ t ~ z t i ~ of F rL that make m~tt~d, It~
mt~de|~king l~b~o W, view it ~ me~|y ~ a
~ g ~ we ~ e ~ y i n g b e h a ~ in a dam-indwel le r
way, we can ~ ~PTL sped~ation~ ~imilar m
4. Data-independence
We want to give a precise definition of the fact that a program behaves in a data-independent way. Intuitively, what we want to say is that if we change the input data of our program, the behavior of the program is unchanged, except for the corresponding values of the output data. Consider a simple reactive program $P$, and consider a data domain $D$. Consider now a function $f$ from the data domain $D$ to another (finite or infinite) data domain $D'$. This function can be extended to an available data set $\Sigma = \{\mathit{in}_1, \mathit{in}_2, \ldots\}$ over $D$ by defining $f(\Sigma) = \{f(\mathit{in}_1), f(\mathit{in}_2), \ldots\}$, $f$ being applied elementwise to each sequence $\mathit{in}_k$. As we mentioned in Section 2, the behavior of a program $P$, given an available data set $\Sigma$, is an infinite sequence of input and output events $e_i$. A behavior of the program $P$ over the available data set $f(\Sigma)$ will thus be an infinite sequence $e'_1 e'_2 e'_3 \ldots$ of events. For a behavior $\sigma$ of $P$ over the available data set $\Sigma$, let us denote by $f(\sigma)$ the infinite sequence $f(e_1) f(e_2) f(e_3) \ldots$ where, if $e_i$ is $\mathit{in}?d$, $f(e_i)$ is $\mathit{in}?f(d)$, and if $e_i$ is $\mathit{out}!d$, $f(e_i)$ is $\mathit{out}!f(d)$. We can now state our definition of data-independence.
Definition 4.1: A simple reactive program $P$ is data-independent when the following holds for all data domains $D$, available data sets $\Sigma$ over $D$, and functions $f: D \to D'$: $\sigma$ is a possible behavior of $P$ for the available data set $\Sigma$ iff $f(\sigma)$ is a possible behavior of $P$ for the available data set $f(\Sigma)$.
A natural question to ask is how one can tell that a program is data-independent. In general, determining if a program is data-independent can be quite hard. In fact, it is easy to show that it is undecidable. However, in
will then ~aly de~ .~d on the ¢~mt~i ~ t of tM~ ~tate. L~t
dam u~d for the ~a~ part of the ~ug~m. Th¢~, tt~ ~ -
d a ~ q n d ~ d e ~ , :
~ m ~ ~ ~ d i a g a v~d~e i~w a v~iabie of ~
(2) besides input/output operations, variables of type data only appear in instructions of the form var1 := var2 where both var1 and var2 are of type data.
Condition (2) is easy to check syntactically. Condition (1) is easy to check except for the fact that it requires a variable to have a value before being written. This can be hard, and is in general undecidable, but can be checked on most programs and is decidable on finite-state programs.
To prove formally that conditions (1) and (2) are sufficient, one would need to be more specific about the programming language used. Informally, one can easily be convinced by observing that if the program is run with the available data set $f(\Sigma)$ rather than $\Sigma$, at each point in the execution the variables of type data will have value $f(v)$ rather than $v$. Also, because variables of type data are only used in a restricted way, the possible state transitions of the program will be identical in both cases.
It is reasonable to believe that a property of a data-independent program can be verified on different data domains. For instance, it might be possible to replace a property specified over an infinite data domain by a property specified over a finite data domain. In this section we show that this can be done for a significant class of properties. The properties we consider are IPTL (or PTL) formulas over propositions corresponding to the input/output events of $P$. We will denote such
~l ~ ~md by the progr~ P if i~ ~ ~a~ied by 6fl
p a n ~ w.
domain $D$ to another data domain $D'$. Let us denote by $\pi(P, f(D))$ the property $\pi(P, D)$ where each proposition of the form $\mathit{in}?d$ is replaced by $\mathit{in}?f(d)$ and each proposition of the form $\mathit{out}!d$ is replaced by $\mathit{out}!f(d)$. We are interested in the relation between $\pi(P, D)$ and $\pi(P, f(D))$. A first result about this relation can be obtained as follows. Consider a surjective (onto) function $f: D \to D'$ and define $f^{-1}: D' \to 2^D$ such that $d \in f^{-1}(d')$ iff $f(d) = d'$. Given a property $\pi(P, D')$ of a program $P$ over a data domain $D'$, we denote by $\pi(P, f^{-1}(D'))$ the property $\pi(P, D')$ where each proposition of the form $\mathit{in}?d'$ is replaced by the (possibly infinite) disjunction $\bigvee_{d \in f^{-1}(d')} \mathit{in}?d$ and each proposition of the form $\mathit{out}!d'$ is replaced by $\bigvee_{d \in f^{-1}(d')} \mathit{out}!d$. We now have the following:

Proposition 5.1: Given a data-independent program $P$, and a surjective function $f: D \to D'$ from a data domain $D$ to a data domain $D'$, then $P$ satisfies the property $\pi(P, D')$ over the data domain $D'$ iff it satisfies the property $\pi(P, f^{-1}(D'))$ over the data domain $D$.
Sketch of Proof: We need to prove that all behaviors of $P$ over $D'$ satisfy $\pi(P, D')$ iff all behaviors of $P$ over $D$ satisfy $\pi(P, f^{-1}(D'))$. Since $P$ is data-independent, if it has a behavior $\sigma$ over $D$, it has a behavior $f(\sigma)$ over $D'$ and, given that $f$ is surjective, if $P$ has a behavior $\sigma'$ over $D'$, then there is some behavior $\sigma$ of $P$ over $D$ such that $\sigma' = f(\sigma)$. It is thus sufficient to prove that a behavior $\sigma$ satisfies $\pi(P, f^{-1}(D'))$ iff $f(\sigma)$ satisfies $\pi(P, D')$.
fx~ ~ ~ ~ivm ~i ~ uuu~ ~,nemm i~
What makes Proposition 5.1 interesting is that it gives us a way to replace a property over a large data domain by a property over a smaller data domain. Let us illustrate this by an example.

Example 5.1: Consider property (3.2) we stated in Example 3.1:

$$GF\Big(\bigvee_i \mathit{in}?d_i\Big) \qquad (5.1)$$

This is an IPTL statement about a program operating over an infinite data domain $D$. Now consider the data domain $D' = \{d\}$ containing only one element and the function $f$ mapping every element of $D$ into that single element. Proposition 5.1 states that

$$GF\,\mathit{in}?d \qquad (5.2)$$

holds for a data-independent program over the data domain $D'$ iff (5.1) holds over the data domain $D$. Therefore, to prove (5.1), we can consider the program operating over a single data element and prove (5.2), thus replacing an IPTL statement by a simple PTL statement. □
Proposition 5.1 is interesting but not satisfying. We can establish another result. Consider a statement $\pi(P, D)$ of $P$ over a data domain $D$ such that the only propositions appearing in it are of the form $\mathit{in}?d$ or $\mathit{out}!d$ with $d$ in a finite subset $D_0$ of $D$; we denote such a statement by $\pi(P, D_0 \subseteq D)$. Note that this would be the case for any PTL statement that is not infinitary. Consider a function $f$ from $D$ to a domain $D'$ such that the mapping $f$ between $D_0$ and its image $D'_0$ is one-to-one and the image of $D - D_0$ is $D' - D'_0$. Let us call such a mapping one-to-one over $D_0$.

Proposition 5.2: Given a data-independent program $P$, a property $\pi(P, D_0 \subseteq D)$ of $P$ over a finite subset $D_0$ of the data domain $D$, and a mapping $f$ from $D$ to a domain $D'$ that is one-to-one over $D_0$, then $\pi(P, D_0 \subseteq D)$ holds iff $\pi(P, f(D_0 \subseteq D))$ holds.
Sketch of Proof: As for Proposition 5.1, it is sufficient to prove that $\pi(P, D_0 \subseteq D)$ holds for a behavior $\sigma$ over $D$ iff
iud~ai~ ~ ~ ~ ~ ibr~ulaao ~f v i~ a~ au~ni~
~uDa~t m p~(O). ~ holda iff ~r~w(P~D~CD).
The rest of the induction is then straightforward. □
Proposition 5.2 has a number of interesting consequences. If we consider a function $f$ from the data domain $D$ to itself, we can establish the following:

Corollary 5.3: Given a data-independent program $P$, if a property $\pi(P, D_0 \subseteq D)$ holds on a finite subset $D_0$ of the data domain, then for every subset $D'_0 \subseteq D$ that can be put in one-to-one correspondence with $D_0$ by a function $f$ (i.e. of the same cardinality), $\pi(P, f(D_0 \subseteq D))$ holds.

Corollary 5.3 basically states that to show that a property holds for all finite subsets of a given size of the data domain, it is sufficient to show that it holds for one such subset.
Example 5.2: Consider the property (3.1) we stated in Example 3.1. It is an infinite conjunction in which each of the conjuncts involves only two elements of the data domain. Moreover, all the conjuncts are identical except for the subset of the data domain to which they apply. What Corollary 5.3 tells us is that to show that all these conjuncts hold, it is sufficient to show that one of them holds. This is very interesting, as it permits the replacement of an infinitary conjunction by one of its conjuncts. □
Proposition 5.2 also enables us to replace a statement over an infinite data domain by a statement over a finite data domain. Indeed, if the statement is over a finite subset $D_0$ of the data domain, we can replace it by a statement over a data domain containing $|D_0| + 1$ elements, as nothing prevents us from mapping all elements of $D - D_0$ into a single element $d \in D'$. Moreover, by Corollary 5.3, showing that a property holds on some subset of a domain in one-to-one correspondence with $D_0$ suffices to establish it on all such subsets. We thus have the following:

Theorem 5.4: Given a data-independent program $P$, a property $\pi(P, D_0 \subseteq D)$ holds over every finite subset $D'_0$ of a data domain $D'$ in one-to-one correspondence with $D_0$ (that is, over all subsets of a given size of the data domain) iff it holds over a data domain containing $|D_0| + 1$ elements, $D_0$ being mapped one-to-one and $D - D_0$ onto the remaining element.

Thus, by Theorem 5.4, to prove that (3.1) holds, it is sufficient to show that formula (5.3) holds over a data domain $D'$ containing three elements ($D' = \{d_1, d_2, d_3\}$):

$$\begin{aligned}
&\big[\,F\,\mathit{in}?d_1 \wedge G(\mathit{in}?d_1 \supset XG\neg\mathit{in}?d_1) \wedge F\,\mathit{in}?d_2 \wedge G(\mathit{in}?d_2 \supset XG\neg\mathit{in}?d_2) \wedge (\neg\mathit{in}?d_1\;U\;\mathit{in}?d_2)\big] \supset \\
&\big[\,F\,\mathit{out}!d_1 \wedge G(\mathit{out}!d_1 \supset XG\neg\mathit{out}!d_1) \wedge F\,\mathit{out}!d_2 \wedge G(\mathit{out}!d_2 \supset XG\neg\mathit{out}!d_2) \wedge (\neg\mathit{out}!d_1\;U\;\mathit{out}!d_2)\big] \qquad (5.3)
\end{aligned}$$
So, we have replaced an infinitary statement over an infinite data domain by a simple PTL statement over a data domain containing only three elements. As a final remark, also note that, because of the data-independence assumption, establishing correctness of the program over an infinite domain implies its correctness for any other domain, finite or countably infinite. In other words, if we mean by correctness that the sequence of data items written at the output port is identical to the sequence of data items read at the input port, then, if a data-independent program satisfies (3.1) and (3.2) over an infinite data domain, it will be correct over any finite or countably infinite data domain. □
6. Conclusions and Comparison with Other Work

We have shown that under an assumption of data-independence, properties of programs that are defined in terms of data objects could in fact be expressed in propositional temporal logic. We gave as an example a PTL specification of a program that reads
m Nfin+ ~ream of m~m ~ mNe~ ~ + a m m im
~ g h ~ v ~m>~ mz, ~ r m ~ R y za~hmP ~m+
# + m ~ + + m tmmn++ trod+, ~ m~mm+
~ i f i c a t ~ by ~ e ] ~ g ~ atb~e~ ~ t ~ + Vhm
of PTL specifications. For instance, they make it possible to use model checking to verify the functional correctness of protocols (i.e., for a data transfer protocol, that the sequence of messages read at the sending side is the same as the sequence of messages written at the receiving side). In [SWL85], the functional correctness of the alternating bit protocol [BSW69] is verified automatically, using a method based on the ideas developed here. Note that earlier automatic verifications of the alternating bit protocol only established some desirable properties of the protocol rather than proving its functional correctness. The only previously existing proofs of functional correctness
One way in which our results are surprising is that they seem to be in contradiction with some known impossibility results. Of course, the contradiction is only apparent. One such result is the fact proven in [SCFG82] that it is impossible to specify unbounded buffers in propositional temporal logic (compare to the example we give). The difference is that we do not give a PTL formula that characterizes unbounded buffers, but give a statement that is sufficient to establish that a program behaves like a buffer, if it is data-independent. Another such result is the proof appearing in [AK85] that it is impossible to extend automatic program verification to parameterized programs. In some sense, it might appear that this is exactly what we do, as the parameter would be the size of the data domain. The difference is that the result in [AK85] shows the impossibility for general parameterized programs. Here, we deal with a very special class of parameterized programs.
& & ~ w i ~ e m +
I am gratvM to M+ BaudiaeL C+ Councou~,~, F. SaUiio
M+ Men'itL L M&cheR and Me V~rdl ~ ~.m4d~ ~+
meata ~m d~Y~ of ~ paper.
[AK85] K. R. Apt, D. Kozen, "Limits for Automatic Program Verification", IBM Research Report RC 11095, 1985.
[BSW69] K. A. Bartlett, R. A. Scantlebury, P. T. Wilkinson, "A Note on Reliable Full-Duplex Transmission over Half-Duplex Links", Communications of the ACM, Vol. 12, No. 5, May 1969, pp. 260-261.
[CE81] E. M. Clarke, E. A. Emerson, "Design and Synthesis of Synchronization Skeletons using Branching Time Temporal Logic", Proc. of the 1981 Workshop on Logics of Programs, Lecture Notes in Computer Science Vol. 131, Springer-Verlag, New York, pp. 52-71.
[CES83] E. M. Clarke, E. A. Emerson, A. P. Sistla, "Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications: A Practical Approach", Proc. of the 10th ACM Symposium on Principles of Programming Languages, Austin, January 1983, pp. 117-126.
[CM83] E. M. Clarke, B. Mishra, "Automatic Verification of Asynchronous Circuits", Logics of Programs Proc., Lecture Notes in Computer Science vol. 164, Springer-Verlag, Berlin, 1983, pp. 101-115.
[EH83] E. A. Emerson, J. Y. Halpern, ""Sometimes" and "Not Never" Revisited: On Branching vs. Linear Time", Proc. 10th ACM Symp. on Principles of Programming Languages, 1983.
[EL85] E. A. Emerson, Chin-Laung Lei, "Modalities for Model Checking: Branching Time Strikes Back", Proc. 12th ACM Symposium on Principles of Programming Languages, New Orleans, January 1985, pp. 84-96.
[Fe83] Y. A. Feldman, "A Decidable Propositional Probabilistic Dynamic Logic", Proc. 15th ACM Symp. on Theory of Computing, Boston, 1983, pp. 298-309.
[FL79] M. J. Fischer, R. E. Ladner, "Propositional Dynamic Logic of Regular Programs", Journal of Computer and System Sciences, 18(2), 1979, pp. 194-211.
[GPSS80] D. Gabbay, A. Pnueli, S. Shelah and J. Stavi, "The Temporal Analysis of Fairness", Proc. 7th ACM Symp. on Principles of Programming Languages, Las Vegas, 1980, pp. 163-173.
[Ha79] D. Harel, "First Order Dynamic Logic", Lecture Notes in Computer Science, vol. 68, Springer-Verlag, Berlin, 1979.
[HKP82] D. Harel, D. Kozen, R. Parikh, "Process Logic: Expressiveness, Decidability, Completeness", Journal of Computer and System Sciences 25, 2 (1982), pp. 144-170.
[HM84] J. Y. Halpern, Y. Moses, "Knowledge and Common Knowledge in a Distributed Environment", Proc. 3rd Symp. on Principles of Distributed Computing, Vancouver, 1984, pp. 50-61.
[Ho69] C. A. R. Hoare, "An Axiomatic Basis for Computer Programming", Communications of the ACM, 12 (10), 1969, pp. 576-580.
[Ho78] C. A. R. Hoare, "Communicating Sequential Processes", Communications of the ACM, Vol. 21, No 8 (August 1978), pp. 666-677.
[HO83] B. T. Hailpern and S. S. Owicki, "Modular Verification of Computer Communication Protocols", IEEE Trans. on Comm., Vol. COM-31, No. 1, January 1983, pp. 56-68.
[Ko83] D. Kozen, "A Probabilistic PDL", Proc. 15th ACM Symp. on Theory of Computing, Boston, 1983, pp. 291-297.
Mere: °, Sevem~ ACM S ~ i ~ r m on ~@~e~
af ~ @ ~ n g Lang~agea, L~ V~g*** ~.~Vo
Ke~d~edge a~d Reh~d ~e~z~', ~mc. 3~d
Syrup. on ~ @ ~ e a of ~ r i b ~ Co~wm~g,
V~cou~r, 198~, ~ . 30~6L
[LP85] O. Lichtenstein, A. Pnueli, "Checking that Finite State Concurrent Programs Satisfy their Linear Specification", Proc. 12th ACM Symposium on Principles of Programming Languages, New Orleans, January 1985, pp. 97-107.
[MW84] Z. Manna, P. Wolper, "Synthesis of Communicating Processes from Temporal Logic Specifications", ACM Transactions on Programming Languages and Systems, Vol. 6, No. 1, January 1984, pp. 68-93.
[Pn81] A. Pnueli, "The Temporal Logic of Concurrent Programs", Theoretical Computer Science 13 (1981), pp. 45-60.
:~rec, 72a~ ~mo Co~l W. on Auwm~, La~g~agea
and Programming, L~ctur~ Nc~:~ m Compvmr
~ e ~ o voL 194, ~izgeroVefL~, ~er~,
DgS, ~p. 15-32.
[Pr76] V. R. Pratt, "Semantical Considerations on Floyd-Hoare Logic", Proc. 17th IEEE Symp. on Foundations of Computer Science, Houston, Oct. 1976, pp. 109-121.
[Pr80] V. R. Pratt, "A Near-Optimal Method for Reasoning about Action", Journal of Computer and System Sciences 20(2), 1980, pp. 231-254.
$.~o Q~IM, $. ~fMd~, **Faz:r~e~a ez~d ,Relaged
~ , i~ Fmmt~n Sy~ma "°, R¢:aa~rc~
Yo~o gf ~&e ACM~ v~d. 32° ~ . 3o July ~9950 g~t~
733~749.
[SCFG82] A. P. Sistla, E. M. Clarke, N. Francez, Y. Gurevich, "Are Message Buffers Characterizable in Linear Temporal Logic?", Proc. ACM Symposium on Principles of Distributed Computing, Ottawa, 1982.
[St82] R. S. Streett, "Propositional Dynamic Logic of Looping and Converse", Information and Control 54 (1982), pp. 121-141.
[ ~ 5 ] g. ~a~ani0 P. WNpe~o A. L ~ n e , "A~ Mg~o
rflhmJ¢ Technique for Protc~ Vez/ficafi~n'o
to ~ppear.
[Va85] M. Y. Vardi, "Automatic Verification of Probabilistic Concurrent Finite-State Programs", Proc. 26th Symp. on Foundations of Computer Science, Portland, to appear.
F. H. VogL '~ve~t-Based Tem~M L~#o
~ee~ecol Specification, Te~etn$ and Veeficatio~,
Nor~h-Ho~and ~bL~hhig, 19~.
[VW83] M. Y. Vardi, P. Wolper, "Yet Another Process Logic", Logics of Programs, Springer-Verlag, Berlin, 1983, pp. 501-512.
[VW84] M. Y. Vardi, P. Wolper, "Automata-Theoretic Techniques for Modal Logics of Programs", Proc. 16th ACM Symp. on Theory of Computing, Washington, 1984, pp. 446-456.
[VW85] M. Y. Vardi, P. Wolper, "An Automata-Theoretic Approach to Automatic Program Verification", to appear.
from Tem~gaeai L ~ ~ p ~ i e ~ * %
Wws~
lw~2]
[Wo83] P. Wolper, "Temporal Logic Can Be More Expressive", Information and Control 56, No. 1-2, 1983, pp. 72-99.
[WVS83] P. Wolper, M. Y. Vardi, A. P. Sistla, "Reasoning about Infinite Computation Paths", Proc. 24th IEEE Symposium on Foundations of Computer Science, Tucson, 1983, pp. 185-194.
Appendix: Propositional Temporal Logic

Formulas of PTL are built from a set of atomic propositions $\mathit{Prop}$ and are closed under boolean connectives, the application of the unary temporal connective $X$ and of the binary temporal connective $U$ (until). A PTL formula is interpreted over an infinite sequence of truth assignments, i.e. a function $\sigma: \mathbb{N} \to 2^{\mathit{Prop}}$. For such a sequence $\sigma$, we denote by $\sigma_i$ its suffix starting at position $i$, i.e., $\sigma_i(k) = \sigma(k+i)$. We have that:
- $\sigma \models p$ for $p \in \mathit{Prop}$ iff $p \in \sigma(0)$
- $\sigma \models Xf$ iff $\sigma_1 \models f$
- $\sigma \models f\,U\,g$ iff for some $i \geq 0$, $\sigma_i \models g$ and for all $0 \leq j < i$, $\sigma_j \models f$
We use $Ff$ (eventually $f$) as an abbreviation for $\mathit{true}\,U\,f$, $Gf$ (always $f$) as an abbreviation for $\neg F \neg f$, and the usual boolean abbreviations.

Where one event happens at each time instant, we will use one proposition in $\mathit{Prop}$ for each event and interpret the formulas over sequences $\sigma: \mathbb{N} \to \mathit{Prop}$ rather than $\sigma: \mathbb{N} \to 2^{\mathit{Prop}}$, i.e. at each time instant one and only one proposition in $\mathit{Prop}$ holds.

We consider the extension of PTL where the set of propositions $\mathit{Prop}$ can be countable and where countable conjunctions and disjunctions are allowed. Semantically, we have: