Annals of Pure and Applied Logic 63 (1993) 201-225
North-Holland

Peano arithmetic as axiomatization of the time frame in logics of programs and in dynamic logics

Balázs Biró and Ildikó Sain
Mathematical Institute of the Hungarian Academy of Sciences, Budapest, Pf. 127, H-1364, Hungary

Communicated by D. van Dalen
Received 6 December 1985
Revised 2 January 1993
Abstract

Biró, B. and I. Sain, Peano arithmetic as axiomatization of the time frame in logics of programs and in dynamic logics, Annals of Pure and Applied Logic 63 (1993) 201-225.

We show that one can prove the partial correctness of more programs using Peano's axioms for the time frames of three-sorted time models than using only Presburger's axioms, that is, it is useful to allow multiplication of time points at program verification and in dynamic and temporal logics. We organized the paper as follows: 1. Preliminaries, 2. The main result, 3. Peano arithmetic with bounded multiplication, 4. Connections with temporal logics and dynamic logics, Acknowledgements, References.
In the present paper we solve a problem raised in e.g. [18] and [3], common in the fields of comparative study of program verification methods, lattice of logics of programs, dynamic logics, nonstandard dynamic logic (NDL), temporal logics of programs etc. Roughly speaking, the problem is as follows. When reasoning about programs, is it useful to postulate the full set $Tpa$ of axioms of Peano Arithmetic on the time scale (with addition and multiplication of the time points)? In other words, does there exist a partial correctness assertion not provable from the set $Tpres$ of Presburger's axioms plus $Ind$, the set of so called computational induction axioms, but provable from $Tpa$ plus $Ind$? (In the formalism of [18, 23-27], etc. the problem reads as follows: Is $Tpres + Ind <_o Tpa + Ind$ true?) We shall prove that the answer is in the affirmative (Corollary 2.2): there exists a data theory $DT$, a program $p$ and a formula $\psi$ in the language of $DT$ such that $DT + Tpres + Ind$ does not prove the partial correctness of $p$ w.r.t. $\psi$ but $DT + Tpa + Ind$ does. Moreover, it is enough to use a distinguished proper subset $Ind_{qf}$ of the set $Ind$ (cf. Theorem 2.1). In the last section (Section 4) we will show the connections with dynamic and temporal logics. The present paper is self-contained, but our notational framework is described in more detail (and more formally) e.g. in [18, 23-25, 27].

Correspondence to: I. Sain, Mathematical Institute of the Hungarian Academy of Sciences, Budapest, Pf. 127, H-1364, Hungary. Email: [email protected]. Research supported by Hungarian National Foundation for Scientific Research grant No 1911. The final version of this paper was prepared in Prague, November 1-5 1992, at the Institute of Computer Science of the Czechoslovak Academy of Sciences.
0168-0072/93/$06.00 © 1993 - Elsevier Science Publishers B.V. All rights reserved
1. Preliminaries
1.1. Concerning classical logic, we shall usually use the concepts and notation of [8] or [17]. Throughout the paper, $d$ denotes an arbitrary (one-sorted) similarity type (or signature or language). For a set $X = \{x_i : i \in \omega\}$ of variables, $Trm_d^X$ and $F_d^X$ denote, respectively, the set of all terms and the set of all first-order formulas of similarity type $d$ containing variables from $X$ only. For sets $\Gamma$, $\Delta$ of formulas, we often write $\Gamma + \Delta$ instead of $\Gamma \cup \Delta$. If $\le$ is a binary relation symbol of $d$, $\bar{Q} = (Q_0, \ldots, Q_{k-1})$ is a sequence of quantifiers ($\forall$ or $\exists$), $\bar{x} = (x_0, \ldots, x_{k-1}) \in {}^kX$ is a sequence of variables (with length of that of $\bar{Q}$), $\varphi \in F_d^X$ and $\sigma \in Trm_d^X$, then $(\bar{Q}\bar{x} \le \sigma)\,\varphi$ abbreviates

$\exists\bar{x}\,\varphi$ and $\forall\bar{x}\,\varphi$ abbreviate, respectively, $\exists x_0 \exists x_1 \ldots \exists x_{k-1}\,\varphi$ and $\forall x_0 \forall x_1 \ldots \forall x_{k-1}\,\varphi$.
If $\varphi$ is a formula, $x$ is a variable symbol and $\tau$ is a term, then the formula $\varphi(x/\tau)$ is obtained by replacing every free occurrence of $x$ in $\varphi$ by $\tau$. One-sorted models are denoted by boldface capital letters, like $\mathbf{T}$ and $\mathbf{D}$, and their universes are denoted by the corresponding italic capitals. Many-sorted models are denoted by calligraphic letters, like $\mathcal{M}$. The words 'extension', 'expansion' and 'reduct' are used in the sense of [8] and [17]. If $\mathbf{A}$ is a model with universe $A$ and $a \in A$ then $(\mathbf{A}, a)$ denotes the expansion of $\mathbf{A}$ with $a$ as a constant. Throughout, $t$ denotes the similarity type of arithmetic, that is, it consists of the function and relation symbols $0, S, \le, +, \cdot$ with their usual arities.

1.2. For any (one-sorted) similarity type $d$, we define $td$ to be a three-sorted similarity type, expanding $d$, as follows. The set of sorts is $\{t, d, i\}$; $t$, $d$ and $i$ are called time, data and intensions sorts, respectively. $td$ consists of the following three parts:
• symbols of $d$ purely of sort $d$, but otherwise with the same arities as in $d$;
• symbols of $t$ ($0, S, \le, +, \cdot$) purely of sort $t$, but otherwise with the same arities as in $t$;
• a binary function symbol $ext$, called extension, the first argument of which is of sort $i$, the second one is of sort $t$, and its value is of sort $d$.

Intuitively, intensions are functions mapping the time universe into the data universe (universe of individuals). It is the operation $ext$ that implements this intuition, assigning data values to intensions at every time instant. Because of this intuition, we will often write $s(\tau) = \sigma$ instead of $ext(s, \tau) = \sigma$ (where $s$ is an intension variable and $\tau$, $\sigma$ are terms of sorts $t$ and $d$ respectively). Let $X = \{x_i : i \in \omega\}$, $Y = \{y_i : i \in \omega\}$, $Z = \{z_i : i \in \omega\}$ be three pairwise disjoint countable sets, otherwise arbitrary but fixed throughout the paper. When writing up terms and formulas of similarity type $td$, we use $X$, $Y$ and $Z$ for variables of sorts $d$, $i$ and $t$ respectively. For brevity, we will often write $x, y, z$ for $x_0, y_0, z_0$ respectively. We define $F_{td} \stackrel{\mathrm{def}}{=} F_{td}^{(X \cup Y \cup Z)}$. We note that $F_t^Z \subseteq F_{td}$ and $F_d^X \subseteq F_{td}$, but there are formulas of $F_{td}$ not in $F_t^Z \cup F_d^X$ (the ones containing $ext$). Models of similarity type $td$, called time models, are three-sorted models

$\mathcal{M} = (\mathbf{T}, \mathbf{D}, I, ext)$,

where $\mathbf{T}$, called time structure or time frame, is a model of similarity type $t$; $\mathbf{D}$, called data structure, is a model of similarity type $d$; $I$, called the intensions universe, is just a set; and $ext \in {}^{I \times T}D$ is called the extension function (or value-of function).

1.3. Throughout, by a program we mean a deterministic block-diagram program in the usual sense. More precisely, the program commands (of similarity type $d$) are the elements of the following set:

$\{(i: x \leftarrow \tau),\ (i: \mathrm{IF}\ \chi\ \mathrm{GOTO}\ k),\ (i: \mathrm{HALT}) \;:\; i, k \in Label,\ x \in X,\ \tau \in Trm_d^X,\ \chi \in F_d^X$ is a quantifier free formula$\}$,
where the set $Label$ is the set of all ground terms (terms not containing variables) of similarity type $d$.¹ By a program of similarity type $d$ we understand a finite sequence $p$ of program commands of similarity type $d$ in which no two members have the same label and there is exactly one HALT command, the last command of $p$; further, if $(i: \mathrm{IF}\ \chi\ \mathrm{GOTO}\ k)$ occurs in $p$ then there is a command in $p$ having label $k$. The variables of a program are interpreted in the data structure of time models.

¹ $Label$ was chosen this way for technical reasons only. If someone does not want to use data values as labels, s/he can define time models in a slightly different way. For example, we could have defined time models as 5-sorted structures $(\mathbf{T}, \mathbf{D}, \mathbf{L}, I_D, I_L)$, where $\mathbf{L} = (L, 0_L, S_L, \le_L)$ satisfies the usual finite axiomatization of $(\omega, 0, S, \le)$. Further, $D \cap L = \emptyset$, $I_D \subseteq {}^TD$, and $I_L \subseteq {}^TL$. Then the labels are the ground terms of the language of $\mathbf{L}$. However, since the same results can be achieved by our approach as in the 5-sorted formalism, for the sake of simplicity here we use the former one. See [27, Appendix 1] for details concerning this problem.
If a 'state' of a variable is represented by one data value then an intension represents the 'sequence of states' of a variable during an 'execution' of the program, that is, a trace of the variable. In our formalism an execution sequence or a trace of a program $p$ in a time model $\mathcal{M}$ is always a finite sequence $\bar{s} = (s_0, \ldots, s_{c-1}, s_c)$ of intensions, where $c \in \omega$ is the number of variables occurring in $p$. Intuitively, each intension $s_j$, $0 \le j \le c-1$, assigns a data value to the $j$th program variable in every time instant, and the intension $s_c$ assigns a label to the control variable (which is defined to be the variable $x_c$, not occurring in $p$) in every time instant, according to the consecutive program commands (for detailed definitions see [18, Definition 7; 7, 28]).

1.4. If $p$ is a program and $\psi \in F_d^X$ then the new formula $[p]\psi$ expresses the partial correctness of $p$ w.r.t. the output condition $\psi$, that is $[p]\psi$ says that "whenever $p$ terminates, $\psi$ will hold" or "every output of $p$ satisfies $\psi$" (cf. e.g. [18, Definition 9]). It is known (and easy to show) that for every program $p$ and formula $\psi \in F_d^X$, $[p]\psi$ can be expressed by a first-order formula of $F_{td}$ (see e.g. [6, Definition 11; 18, Definition 18; 27, Appendix 1]). Intuitively, the $F_{td}$ formula expressing $[p]\psi$ says the following, in any time model $\mathcal{M} = (\mathbf{T}, \mathbf{D}, I, ext)$.

$(\forall y_0, \ldots, y_c \in I)\big([\bar{y} = (y_0, \ldots, y_c)$ is an execution sequence of $p$ in $\mathcal{M}] \to (\forall z \in T)[(\bar{y}$ terminates at time point $z$, i.e., $ext(y_c, z) =$ 'the code of label HALT'$) \to \psi(x_0/y_0(z), \ldots, x_{c-1}/y_{c-1}(z))]\big)$.
We shall often call such a formula $[p]\psi$ a partial correctness assertion (pca). So, at this point, we know when a pca $[p]\psi$ is valid in a model $\mathcal{M}$ of $F_{td}$. We denote this as $\mathcal{M} \models [p]\psi$. Let $Ax \subseteq F_{td}$. Then

$(\dagger)$ $Ax \models [p]\psi$ is defined to hold iff for every model $\mathcal{M}$ of $F_{td}$, whenever $\mathcal{M} \models Ax$, we also have $\mathcal{M} \models [p]\psi$.

Let $Ax_0, Ax_1 \subseteq F_{td}$ be arbitrary. $Ax_0 \le_o Ax_1$ abbreviates that for every program $p$ of similarity type $d$, every $DT \subseteq F_d^X$ and every $\psi \in F_d^X$, $Ax_0 + DT \models [p]\psi$ implies $Ax_1 + DT \models [p]\psi$. $Ax_0 <_o Ax_1$ abbreviates that $Ax_0 \le_o Ax_1$ but $Ax_1 \not\le_o Ax_0$.
1.5. Finally, we select some distinguished elements and subsets of the set $F_{td}$ of formulas. Recall the usual arithmetical hierarchy of formulas from e.g. [21]. According to this, a formula from $F_t^Z$ is a $\Sigma_1$ formula if it is of shape $\exists\bar{z}\,\varphi$, where $\varphi$ is a $\Delta_0$ formula, that is a formula containing bounded quantifiers only (thus a $\Delta_0$ formula is not necessarily quantifier free). A $\Pi_1$ formula is of shape $\forall\bar{z}\,\varphi$, where $\varphi$ is a $\Delta_0$ formula. If $z \in Z$, $\varphi \in F_{td}$, then $ind(\varphi, z)$ denotes the formula stating induction for the formula $\varphi$ w.r.t. variable $z$, that is $ind(\varphi, z)$ is the formula

$(\varphi(z/0) \land \forall z\,[\varphi \to \varphi(z/S(z))]) \to \forall z\,\varphi$.

We select sets $Ind$, $Ind_{qf}$, $I\Sigma_n$ ($n \in \omega$) of induction formulas as follows:

$Ind \stackrel{\mathrm{def}}{=} \{ind(\varphi, z) : \varphi \in F_{td}$ and $z \in Z\}$,
$Ind_{qf} \stackrel{\mathrm{def}}{=} \{ind(\varphi, z) : z \in Z$ and $\varphi \in F_{td}$ is a quantifier free formula$\}$.²
$I\Sigma_n \stackrel{\mathrm{def}}{=} \{ind(\varphi, z) : z \in Z,\ \varphi \in F_t^Z$ and $\varphi$ is a $\Sigma_n$ formula$\}$.

Next we define the following two sets of formulas of similarity type $t$: $Tpa$ is the set of Peano axioms written up using $Z$ as set of variables, and $Tpres$ is the set of axioms of Presburger's Arithmetic (using $Z$), that is

$Tpres \stackrel{\mathrm{def}}{=} \{\varphi \in Tpa :$ the symbol $\cdot$ does not occur in $\varphi\}$.
Warning. Throughout this paper, the language (i.e., similarity type) of the time frames is fixed to be that of Peano arithmetic (that is, $\{0, S, \le, +, \cdot\}$ with their usual arities). Sometimes we assume only $Tpres$ about the time frames instead of assuming the whole set $Tpa$ of Peano axioms. In such cases we do not mean switching to the reduced language $\{0, S, \le, +\}$ (although $Tpres$ contains no axioms concerning multiplication; in particular, we do not assume $z \cdot 0 = 0$ and $(z \cdot z_1) + z = z \cdot Sz_1$). For any formula $\varphi \in F_{td}$, $Tpres \models \varphi$ is meaningful, even if $\varphi$ contains multiplication. ($Tpres \models \varphi$ holds, by $(\dagger)$, if for every model $\mathcal{M}$ of $F_{td}$, $\mathcal{M} \models Tpres$ implies $\mathcal{M} \models \varphi$.)

In a sense, we look at the above selected axiom systems $Ind, \ldots, Tpa, Tpres$ as potential logical axioms for various dynamic logics or logics of programs. (The formulas of dynamic logic are built up from the atomic formulas of $F_d^X$ by applying $[p]$ as a unary connective for each program $p$, and the usual connectives $\land$, $\lnot$, $\exists x_i$ of $F_d^X$. Notice that no explicit references to sorts $t$ or $i$ are permitted in dynamic logic. These sorts are used indirectly, via the unary connective $[p]$.) This means the following. Let $DT \subseteq F_d^X$ be a data theory and $[p]\psi$ be a partial correctness assertion. (Then $DT \cup \{[p]\psi\}$ consists of formulas of dynamic logic.) Then

$[p]\psi$ is said to be a semantical consequence of $DT$ in the dynamic logic specified by $Ind$ iff $DT + Ind \models [p]\psi$ in the sense of $(\dagger)$ above.

More generally, let $Ax$ be any combination (like $Tpa + Ind$) of the above selected axiom systems. Then

$[p]\psi$ is said to be a semantical consequence of $DT$ in the dynamic logic specified by $Ax$ iff $DT + Ax \models [p]\psi$ in the sense of $(\dagger)$ above.

² We note that in many papers relevant to this one, like [6, 18, 24, 27], $Ind_{qf}$ stands for the set of such induction formulas where $\varphi$ does not contain quantifiers of sort $t$, but it may contain quantifiers of the other sorts. Here we can use 'true' quantifier free induction.

The consequence relation of the dynamic logic specified by $Ax$ is denoted as $\models_{Ax}$, that is,

$DT \models_{Ax} [p]\psi$ iff $DT + Ax \models [p]\psi$.

The dynamic logics '$\models_{Ax}$' and their uses were elaborated and explained in greater detail in the above quoted papers as well as in [24]. We do not need that theory here, but our results apply directly to that theory. We will give some more details about this in Section 4. Instead of dynamic logic, we can apply the results of this paper to Temporal Logics as explained in [4], and as it was done e.g. in [1, 7, 13, 28, 2]. When evaluating a temporal formula in a model $\mathcal{M} = (\mathbf{T}, \ldots)$ of $F_{td}$ then only the reduct $(T, 0, S, \le)$ of the time frame $\mathbf{T}$ of $\mathcal{M}$ is used. (One may ask the question, why are then $+$ and '$\cdot$' for $\mathbf{T}$ included into the models of temporal logic in the above quoted works, but as it is explained in [4, 1, 7], these operations on the time frame are useful for temporal logic in an indirect but quite essential way.)
2. The main result

Theorem 2.1 below states that, for proving partial correctness of programs, Presburger's axioms $Tpres$ for the time scale plus full three-sorted induction $Ind$ are not stronger than Peano's axioms $Tpa$, even if we require induction only for quantifier free many-sorted formulas ($Ind_{qf}$) in the latter case. (For the exact definitions of $Tpres$, $Tpa$, $Ind$, $Ind_{qf}$ see Section 1.)

Theorem 2.1. $Tpres + Ind \not\ge_o Tpa + Ind_{qf}$.

This theorem gives a solution to our original problem:

Corollary 2.2. $Tpres + Ind <_o Tpa + Ind$. □

Remark. $Tpres + Ind$ may seem puzzling, since we add, among others, all induction axioms of Peano arithmetic (in the time sort). But do not overlook that we do not add the axioms recursively defining multiplication, namely

(*) $z \cdot 0 = 0$, $z \cdot Sz_1 = (z \cdot z_1) + z$.

Call $Tpa$ without the axioms (*) $PA^-$ for a moment.

Claim. $PA^-$ extends Presburger's arithmetic conservatively.

Proof. Let $\mathbf{A} = (A, 0, S, \le, +)$ be a model of Presburger's arithmetic. We define $\cdot : A \times A \to A$ by $\forall x \forall y\,(x \cdot y = 0)$. Now $(\mathbf{A}, \cdot) \models PA^-$. Another possible proof is based on the fact that Presburger's arithmetic is complete. □
The above claim justifies our decision to compare $Tpa + Ind$ with $Tpres + Ind$ (both theories having the same language and the same induction axioms) instead of comparing $Tpa + Ind$ with Presburger arithmetic (formulated in the language without multiplication) extended by the induction axioms of $F_{td}$ not containing multiplication. □

Proof of Theorem 2.1. Throughout this proof, let the similarity type $d$ be a disjoint copy of $t$ (the similarity type of arithmetic). Recall from Section 1 that the function and relation symbols of $t$ are $0, S, \le, +, \cdot$. For simplicity, we will use these symbols for referring to the function and relation symbols of $d$ as well. This will not cause confusion, since context will always help, for example, when writing up terms and formulas of similarity type $d$, we use variables from $X$, while we use variables from $Z$ in terms and formulas of similarity type $t$. We will give a set $DT \subseteq F_d^X$ (data theory) and a pca $[p]\psi$ ($\psi \in F_d^X$ and $p$ is a program of similarity type $d$), such that

$DT + Tpa + Ind_{qf} \models [p]\psi$ but $DT + Tpres + Ind \not\models [p]\psi$.
As it will be mentioned later, the present choices of $DT$ and $[p]\psi$ were already used by the second author, in various ways, for calibrating the proof-theoretic powers of temporal logics for proving pca's. Let $P_0$ be the following finite fragment of Peano arithmetic (of similarity type $d$): $P_0 \stackrel{\mathrm{def}}{=} \{x \cdot 0 = 0,\ x + 0 = x,\ x + S(x_1) = S(x + x_1),\ x \cdot S(x_1)$
Let Dot be the following axiomatization with top element: 1
Dot%f{xcx
x sx1
l/x16x,
0s.x
G&9(x),
=x . XI +x}.
of discrete
linear ordering
(possibly)
cx*, =x*,
0 =x v 3x1 (x = S(x,)), x
x = S(x)+x,
dx},
and let

$LabelAx \stackrel{\mathrm{def}}{=} \{0 \ne S(0) \ne S(S(0)) \ne S(S(S(0)))\}$,

$DT \stackrel{\mathrm{def}}{=} P_0 + Dot + LabelAx$.
(The set LabelAx is needed to ensure the existence of enough different labels for the program below.) Clearly DT E FT. Let p be the program indicated in Fig. 1,
Fig. 1.
that is $p$ puts the variable $x_0$ equal to $0$ (of $d$), and then replaces $x_0$ by its successor until $x_0$ and $S(x_0)$ become equal. Let $P^- \subseteq F_t^Z$ be the set of Peano's axioms without the induction schema. (Then $P^-$ is $P_0$ plus an axiomatization of discrete linear ordering without top element but with bottom element $0$ and successor $S$, see e.g. in [18, Definition 16].) By [19, Corollary 40], there exists a $\Pi_1$ formula $\gamma$ of the similarity type of arithmetic such that

$Tpa \models \gamma$ but $P^- + I\Sigma_1 \not\models \gamma$ (1)

(moreover, $P^- + I\Sigma_2 \models \gamma$). This $\gamma$ is $Con(P^- + I\Sigma_1)$ stating the consistency of $P^- + I\Sigma_1$. (We note that [19, Corollary 40] guarantees more than this, namely that for each $n > 0$ there is a $\Pi_1$ formula $\gamma_n$ with $P^- + I\Sigma_n \not\models \gamma_n$ and $P^- + I\Sigma_{n+1} \models \gamma_n$. Thus, (1) remains true if we substitute $P^- + I\Sigma_{n+1}$ and $P^- + I\Sigma_n$ for $Tpa$ and $P^- + I\Sigma_1$ respectively.) Since $\gamma$ is a $\Pi_1$ formula, its negation is $\Sigma_1$, and by a generalization of Matijasevič's theorem, given in [9, Theorem 3.15], one can find terms $\sigma(\bar{x})$, $\tau(\bar{x})$ such that

$P^- + I\Sigma_1 \models [\lnot\gamma \leftrightarrow \exists\bar{x}\,(\tau(\bar{x}) = \sigma(\bar{x}))]$,

here $\bar{x} = (x_0, \ldots, x_{m-1})$ for some $m \in \omega$. Hence

$P^- + I\Sigma_1 \models [\gamma \leftrightarrow \forall\bar{x}\,(\tau(\bar{x}) \ne \sigma(\bar{x}))]$

which, together with (1), implies that

$Tpa \models \tau(\bar{x}) \ne \sigma(\bar{x})$ but $P^- + I\Sigma_1 \not\models \tau(\bar{x}) \ne \sigma(\bar{x})$. (2)

Since $d$ is a copy of the similarity type of arithmetic, we may assume that the members of $\bar{x}$ really belong to the set $X$ of variables, and the terms $\tau(\bar{x})$ and $\sigma(\bar{x})$ above are elements of $Trm_d^X$. Let $\psi(x_0) \in F_d^X$ be the formula

$\forall\bar{x}\,[\tau(\bar{x}) + \sigma(\bar{x}) < x_0 \to \tau(\bar{x}) \ne \sigma(\bar{x})]$. (3)
[Fig. 2: figure not reproduced; its labels are T, s0 and D.]
We note that the only free variable of $\psi$ is $x_0 \in X$. Claim 2.3 below was used by the second author around the end of 1982 for proving that $Tpa + Ind$ proves strictly more pca's than any of the known temporal logics, cf. e.g. [22]. The result is extended to all possible (in a certain sense) temporal logics in [24].³

Claim 2.3. $DT + Tpa + Ind_{qf} \models [p]\psi$.

Proof of Claim 2.3. Let $\mathcal{M} = (\mathbf{T}, \mathbf{D}, I, ext)$ be a time model such that $\mathcal{M} \models DT + Tpa + Ind_{qf}$. Let $\bar{s} = (s_0, s_1)$ be a terminating trace of $p$ in $\mathcal{M}$ (where $s_0$ is the trace of the program variable $x_0$ and $s_1$ is the trace of the control variable). Then clearly $\forall z\,(s_0(S(z)) = S(s_0(z)))$ and there exists a $b \in D$ such that $\mathbf{D} \models (S(b) = b \land \forall x\,(x \le b))$. Let $a \in T$ be such that $\mathcal{M} \models (s_0(a) = b \land s_1(a) = 2)$ (see Fig. 1 and Fig. 2). We prove that there is a least element $a$ of $T$ with the above property:

Claim 2.4. $\mathcal{M} \models \exists a\,[s_0(a) = b \land \forall z\,(s_0(z) = b \to z \ge a)]$.

Proof. First we show that there exists an $e \in T$ with

(**) $s_0(e) \ne b$ but $s_0(S(e)) = b$,

using $Ind_{qf}$. Let $\chi(z)$ be the formula $s_0(z) \ne b$. Then $\chi(0)$ holds, since $s_0(0) = 0 \ne b$ by $\mathcal{M} \models LabelAx$. If $\forall z\,(\chi(z) \to \chi(S(z)))$ would hold, then by $ind(\chi, z) \in Ind_{qf}$, $\forall z\,(s_0(z) \ne b)$ would hold, contradicting $s_0(c) = b$ for some $c \in T$ (since $p$ terminates). This proves (**).

³ This result motivated Martin Abadi for designing a temporal logic as strong as $Tpa + Ind$ in [1]. As it turns out in [28], Abadi's temporal logic remains still weaker than $Tpa + Ind$, so it remains an open problem to find a natural temporal logic as strong as $Tpa + Ind$.

Let $e \in T$ be a time point satisfying (**), and let $a \stackrel{\mathrm{def}}{=} S(e)$. We will prove that $a$ is the time point desired by Claim 2.4. To see this, it is enough to show that

$\mathcal{M} \models \forall z\,[s_0(z) = b \to (\forall z_1 \ge z)(s_0(z_1) = b)]$, (4)

because of the following. Assume, by contradiction, that $s_0(z) = b$ and $z \not\ge a$. Then $a > z$ by $P^-$. Hence $e \ge z$, which, by (4), yields $s_0(e) = b$, a contradiction. To prove (4), let $z \in Z$ be fixed, and assume $s_0(z) = b$. Then $z \ne 0$ by $s_0(0) \ne b$. Let $\varphi(z, z_1)$ be the formula $z_1 \ge z \to s_0(z_1) = b$. Then $\varphi(z, 0)$ holds by $z \ne 0$. Now assume $S(z_1) \ge z$. If $S(z_1) = z$ then $s_0(S(z_1)) = s_0(z) = b$. If $S(z_1) > z$ then $z_1 \ge z$ and thus $s_0(S(z_1)) = S(s_0(z_1)) = S(b) = b$. Thus $\forall z_1\,[\varphi(z, z_1) \to \varphi(z, S(z_1))]$ holds, and the application of $ind(\varphi, z_1) \in Ind_{qf}$ completes the proof of Claim 2.4. □

Now let $a \in T$ be the least time instant with the property $\mathcal{M} \models s_0(a) = b \land s_1(a) = 2$. Let $(T \restriction a) \stackrel{\mathrm{def}}{=} \{z \in T : \mathbf{T} \models z \le a\}$.
Claim 2.5. (i) $s_0 : \mathbf{T} \to \mathbf{D}$ is a homomorphism. (ii) $(s_0 \restriction (T \restriction a)) : (T \restriction a) \to D$ is a bijection.

Proof of (i). It is immediate from its definition that $s_0(0) = 0$ and $s_0$ is an $S$-homomorphism, that is $s_0(S(z)) = S(s_0(z))$. The fact that $s_0$ is a $\le$-homomorphism can be seen, e.g., as follows. Let $z_1 \in Z$ be fixed, and let $\psi(z_1, z)$ be $z_1 \le z \to s_0(z_1) \le s_0(z)$. $\psi(z_1, 0)$ holds because $z_1 \le 0$ implies $z_1 = 0$ by $P^-$, and then $s_0(z_1) = s_0(0) = 0 \le s_0(z)$. Assume
q(zl, z) holds, and assume z1 s S(z).
We want to prove s”(tJ s
S”(S(Z)). If z1 = S(z) then s”(zi) = s”(S(z)) = S(s”(z)), thus s”(zl) s s”(S(z)). If z1 < S(z) then either z1 =zz or z1 > z. If z1 G z then s”(zl)
z, then S(z)< zi s S(z,) by P-, further S(z,) s S(z) by assumption and P-, thus S(z) = S(z,). Thus s”(zJ c S(S”(Z,)) = S”(S(Z1)) = S”(S(Z)). Thus we proved I@(z,, z)+ v(zl, S(z)) for arbitrary z E T. Thus, $J(z,, 0) and ind( q, z) E Ind,, together prove that VZ(I@(Z,, z)) for arbitrary z, E T, which proves that S” is a S-homomorphism. To prove that S” is a +-homomorphism, let z, E Z be fixed, and for some z E Z let (~(2, q) be the formula S”(Z + z,) = S”(Z) + S”(G), and apply ind( o, z) E Znd,, . (The successor step will work because J%F PC’.)
One can similarly prove that $s_0$ is a $\cdot$-homomorphism, by applying $ind(\rho, z) \in Ind_{qf}$, where $\rho$ is $s_0(z \cdot z_1) = s_0(z) \cdot s_0(z_1)$.
Proof of (ii). Assume that so is not onto on (T r a), that is let x E D \Rng(s”)
and let 6(z) be the formula s”(z) O+ s”(z) # O)].
b #O-+
(5)
Indeed, if z > 0 then z = S(z,) for some zi, and thus
S”(Z)= S”(~(Zl))= Q”(Zl)) + 0. Next we prove that Ju k (X =SX] +x
(6)
+ S”(Z) =SX1+ S”(Z)).
Fix any X, x1 E D with x
Now assume $a \ge z_1 > z_2$. Then $s_0(z_2) \le S(s_0(z_2))$ by $Dot$, and $s_0(z_2) \ne S(s_0(z_2))$ by Claim 2.4. Thus

$s_0(z_2) < S(s_0(z_2))$. (7)

On the other hand, since $z_1 > z_2$, we have $z_1 = z_2 + z$ for some $z > 0$. Hence $s_0(z_1) = s_0(z_2) + s_0(z)$. By (5), $s_0(z) \ge S(0)$, and then by (6)

$s_0(z_2) + s_0(z) \ge s_0(z_2) + S(0) = S(s_0(z_2))$.

From this, using (7), we get

$s_0(z_1) = s_0(z_2) + s_0(z) \ge S(s_0(z_2)) > s_0(z_2)$

which was required.

We have proved Claim 2.5. □

Now it can easily be seen that the first part of (2) and Claim 2.5 together prove Claim 2.3 ($\psi$ was defined in item (3)). □

Claim 2.6. $DT + Tpres + Ind \not\models [p]\psi$.
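Proof. Recall from (2) that $P^- + I\Sigma_1 \not\models \tau(\bar{x}) \ne \sigma(\bar{x})$. Hence there exists a model $\mathbf{A}$ of the similarity type of arithmetic such that

$\mathbf{A} \models P^- + I\Sigma_1$ and $\mathbf{A} \models \tau(\bar{e}) = \sigma(\bar{e})$ (8)

for some $\bar{e} = (e_0, \ldots, e_{m-1}) \in {}^mA$. (We note that in the following proof everything remains true if $I\Sigma_1$ is replaced with $I\Sigma_n$, for any $n \in \omega$, but this $n$ has to be fixed throughout the proof.) Let $b \stackrel{\mathrm{def}}{=} \tau(\bar{e}) + \sigma(\bar{e}) + 4$. Then $\mathbf{A} \models b > \tau(\bar{e}) + \sigma(\bar{e})$ by $P^-$. Let

$Q \stackrel{\mathrm{def}}{=} (Id \restriction A) \cup {}^2\{a \in A : b \le a\}$,

and let $\mathbf{A}^*$ be the reduct of $\mathbf{A}$ obtained by omitting $\le$. Then $Q$ is obviously a congruence of $\mathbf{A}^*$. Let

$\mathbf{B} \stackrel{\mathrm{def}}{=} (\mathbf{A}^*/Q, \le)$, (9)

where $\le$ is defined in $\mathbf{B}$ by

$k_1/Q \le k_2/Q$ iff $\mathbf{A} \models \min(k_1/Q) \le \min(k_2/Q)$.

It is easy to check that $\le$ is well-defined, $\mathbf{B} \models Dot$, and $\mathbf{B}$ is a homomorphic image of $\mathbf{A}$. Since $P_0$ consists of equations only and they are preserved under homomorphisms, $\mathbf{B} \models P_0$. Since $b > 3$, $\mathbf{B} \models LabelAx$. Thus

$\mathbf{B} \models DT$. (10)

Let $s_0 : A \to B$ be the natural homomorphism of $\mathbf{A}$ onto $\mathbf{B}$, that is, $s_0(a) = a/Q$ for each $a \in A$. Since for each $a/Q \in B$ we have $a/Q \le b/Q$, there is a function $s_1 : A \to B$ such that $\bar{s} \stackrel{\mathrm{def}}{=} (s_0, s_1)$ is a trace of $p$ in $(\mathbf{A}, \mathbf{B}, \{s_0, s_1\}, \text{value-of})$. Let this $\bar{s}$ be fixed. If $\mathbf{A} = (A, 0, S, \le, +, \cdot)$ then we define a new time frame $\mathbf{A}^+ = (A, 0, S, \le, +, +)$. In more detail, let $\mathbf{A}^-$ be the additive reduct of $\mathbf{A}$, that is $\mathbf{A}^-$ is the reduct of $\mathbf{A}$ which is obtained by omitting multiplication. Let $\mathbf{A}^+ \stackrel{\mathrm{def}}{=} (\mathbf{A}^-, +^{\mathbf{A}})$ that is in $\mathbf{A}^+$ we have a new multiplication which is simply a copy of the old addition from $\mathbf{A}$. So $\mathbf{A}^+ \models \forall z, z_1\,(z \cdot z_1 = z + z_1)$. Let

$\mathcal{M}^+ \stackrel{\mathrm{def}}{=} (\mathbf{A}^+, \mathbf{B}, \{s_0, s_1\}, \text{value-of})$.

Then $\bar{s}$ is a trace of $p$ in $\mathcal{M}^+$ too, with output $b/Q$ (in fact, $s_0(b) = b/Q$ and $s_1(b) = 3$, see Fig. 1). By the definition of $b$ and by (8) and (9), we have

$\mathbf{B} \not\models \tau(\bar{e}/Q) + \sigma(\bar{e}/Q) < b/Q \to \tau(\bar{e}/Q) \ne \sigma(\bar{e}/Q)$,

where $\bar{e}/Q = (e_0/Q, \ldots, e_{m-1}/Q)$. Therefore

$\mathcal{M}^+ \not\models [p]\psi$. (11)

Let $Tpres^-$ be $Tpres$ without the induction schema. Then by (8) and (10)

$\mathcal{M}^+ \models (Tpres^-) + DT$.

We turn to showing $\mathcal{M}^+ \models Ind$. Here we give only the main line of the proof. The technical details are in Section 3. We start with constructing new models from an arbitrary model $\mathbf{A}$ of $P^-$ in the following definition.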
Definition 2.7. Let $\mathbf{A} = (A, 0, S, \le, +, \cdot)$ be a model of $P^-$ and fix an arbitrary $0 \ne b \in A$. We define a new structure $\mathbf{E}(\mathbf{A}, b)$, or briefly $\mathbf{E}$, as follows. The universe of $\mathbf{E}$ is $A$. Except for the multiplication, all the operations and relations are the same in $\mathbf{E}$ as in $\mathbf{A}$, and for $x, y \in A$ let
Now recall that $\mathbf{A} \models P^- + I\Sigma_1$ ($\mathbf{A}$ is as in (8)). Let $b \in A$, and consider the model $\mathbf{E}(\mathbf{A}, b)$ as defined in Definition 2.7 above. It can be seen that

for any $\chi \in F_{td}$ with parameters in $\mathcal{M}^+$ but no free variables other than $z \in Z$ there is a unary formula $\varphi \in F_t^Z$ with parameters in $\mathbf{E}(\mathbf{A}, b)$ but no free variables other than $z \in Z$ such that for all $q \in A$

$\mathcal{M}^+ \models \chi[q]$ iff $\mathbf{E}(\mathbf{A}, b) \models \varphi[q]$. (12)

Corollary 3.10 in Section 3 states that for any $\varphi \in F_t^Z$ and $z \in Z$, $\mathbf{E}(\mathbf{A}, b) \models ind(\varphi, z)$. Thus by (12), for any $\chi \in F_{td}$ and $z \in Z$

$\mathcal{M}^+ \models ind(\chi, z)$, that is, $\mathcal{M}^+ \models Ind$.

Therefore, $\mathbf{A}^+ \models Tpres$, and thus by (11),

$DT + Tpres + Ind \not\models [p]\psi$.

Thus Claim 2.6 has been proved. □
Claim 2.3 and Claim 2.6 together prove Theorem 2.1. □
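The counter-model mechanics of the proof of Claim 2.6 (the quotient B = A*/Q, the program p, the output condition (3)), as an added example that is not part of the paper. Assumptions: the standard naturals stand in for the model A, and tau, sigma are constructed sample terms with the standard solution e = 2; in the paper tau = sigma is solvable only in a nonstandard model of P^- + IΣ_1, so the code shows how the quotient behaves, not the independence result itself.

```python
# Added illustration, not code from the paper: the quotient B = A*/Q and the
# program p from the proof of Claim 2.6.
# Assumptions (constructed for this example): the standard naturals stand in
# for the model A, and tau, sigma are the sample terms x*x and x + S(S(0)).
from itertools import product

class Standard:
    """Stand-in for A: the standard model (N, 0, S, <=, +, *)."""
    S = staticmethod(lambda x: x + 1)
    add = staticmethod(lambda x, y: x + y)
    mul = staticmethod(lambda x, y: x * y)

class Quotient:
    """B = (A*/Q, <=): Q identifies every a >= b; a class is named by its minimum."""
    def __init__(self, b):
        if b <= 3:
            raise ValueError("b > 3 is needed for B to satisfy LabelAx")
        self.b = b
        self.universe = range(b + 1)

    def s0(self, a):
        """Natural homomorphism a -> a/Q; in the proof this is the trace of x0."""
        return min(a, self.b)

    def S(self, x):
        return self.s0(x + 1)

    def add(self, x, y):
        return self.s0(x + y)

    def mul(self, x, y):
        return self.s0(x * y)

    def leq(self, x, y):
        """k1/Q <= k2/Q iff min(k1/Q) <= min(k2/Q)."""
        return x <= y

def is_homomorphic_image(B, sample):
    """s0 commutes with S, + and * on the sampled elements of A."""
    return all(
        B.s0(x + 1) == B.S(B.s0(x))
        and B.s0(x + y) == B.add(B.s0(x), B.s0(y))
        and B.s0(x * y) == B.mul(B.s0(x), B.s0(y))
        for x, y in product(sample, repeat=2))

def satisfies_data_theory(B):
    """Check P0, LabelAx and the legible Dot axioms by exhaustion over B."""
    U = B.universe
    p0 = all(
        B.mul(x, 0) == 0 and B.add(x, 0) == x
        and B.add(x, B.S(y)) == B.S(B.add(x, y))
        and B.mul(x, B.S(y)) == B.add(B.mul(x, y), x)
        for x, y in product(U, repeat=2))
    labels = [0, B.S(0), B.S(B.S(0)), B.S(B.S(B.S(0)))]
    label_ax = all(labels[i] != labels[i + 1] for i in range(3))
    dot = all(
        B.leq(0, x) and B.leq(x, B.S(x))
        and (x == 0 or any(x == B.S(y) for y in U))
        and (x != B.S(x) or all(B.leq(y, x) for y in U))
        for x in U)
    return p0 and label_ax and dot

def run_p(successor, max_steps):
    """Program p: x0 := 0, then x0 := S(x0) until x0 = S(x0).
    Returns (output, steps), or None if p is still running after max_steps."""
    x0, steps = 0, 0
    while x0 != successor(x0):
        if steps == max_steps:
            return None
        x0, steps = successor(x0), steps + 1
    return x0, steps

def tau(M, xs):    # constructed sample term x * x
    return M.mul(xs[0], xs[0])

def sigma(M, xs):  # constructed sample term x + S(S(0))
    return M.add(xs[0], M.S(M.S(0)))

def psi(B, x0, arity=1):
    """Output condition (3): for all xs, tau + sigma < x0 implies tau != sigma."""
    for xs in product(B.universe, repeat=arity):
        t, s = tau(B, xs), sigma(B, xs)
        total = B.add(t, s)
        if B.leq(total, x0) and total != x0 and t == s:
            return False
    return True

E_BAR = (2,)  # constructed: tau(2) = sigma(2) = 4 in the stand-in for A
B_BOUND = tau(Standard, E_BAR) + sigma(Standard, E_BAR) + 4  # b = tau(e) + sigma(e) + 4

if __name__ == "__main__":
    B = Quotient(B_BOUND)
    print("B satisfies DT:", satisfies_data_theory(B))
    print("p in B:", run_p(B.S, 10 * B_BOUND), " p in N:", run_p(Standard.S, 10 * B_BOUND))
    print("psi at the output b/Q:", psi(B, B.s0(B_BOUND)))
```

In the quotient p halts with output b/Q, where the output condition fails, while over the unmodified successor it never reaches a fixed point within the step budget.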
For stating some corollaries, we need to define a kind of arithmetical hierarchy of (three-sorted) & formulas. We call an fid formula A0 if the only quantifiers possibly occurring in it are bounded quantifiers of the time sort. Based on this, one can define a &, & hierarchy, using quantifiers of sort time only. For example, an & formula is called 2, if it is of the form 32 I,Qfor some A0 formula 3; here Z = (zO, . . . , zk) for some k E w, and z,, . . . , zk are variables of sort time. (Giving a formal recursive definition is left to the reader.) For each 122 0, we let lndZn dzf{ind( cp, 2): z E 2, Q,E 2, Q,E & and cp is a Z,, formula}. Corollary 2.8. (i) Tpres + Znd & (P- + LX,) + Znd,. (ii) (P- + ZZ,) + ZndLY,-Co (P- + ZZ;) + Znd,, Proof. The
proof of Theorem 2.1 proves Tpres + Znd & (P- + L&) + Zndqf (which is sharper than Theorem 2.1). The only place where ZZ; was needed was when we proved the existence of a n, formula y such that P- + I& k y but
(T’res + P-) + Znd, l#y. The proof of this was started with item (1). In the proof of Corollary 2.9 below, we will show that this y can be improved such that P- + I2, b y but (Tpres + P-) + Ind, # y. By using the techniques of the proof of Corollary 2.9, this proves (i). In passing we note that the Z,.?$part of (i) can in principle be improved by taking a system S weaker than IZ:, and finding a 11r formula y such that P- + S L y but (Tpres + P-) + Ind, ‘f y. Via slightly modifying the proof of Theorem 2.1, we can get a proof for (ii), as follows. In the proof everything goes through in its original form, the only difference is in the proof of Claim 2.6: when defining At/II+ from A and from b E A, we do not take the additive reduct A+ but we take A itself as a time frame. So we let J%%~(A, B, { sn, s,}, value-of). Now we can reformulate item (12) as follows. For any x E l$, with parameters in A but no free variables other than z E 2 there is a unary formula ‘p E F, with parameters in A but no free variables other than z E 2 such that for all 4 E A Further, if x is a ;5, formula then so is q.
w+
Therefore, for any 2, formula x E fid we have A k ind(cp, z) since A 112, was assumed (here Q,is the above translation of x). Thus by (12)+ above & k ind(~, z) for any x E Z&, proving JU kIndZ, and thus finishing the proof of (ii). El Moreover,
the following infinite hierarchy also holds.
Corollary 2.9. (i) (Vn a O)(Vk < n)(P- + Z_ZJ + Ind& Co (P- + 12”+1) + hd&. (ii) (Vn 3 O)(P- + I&) + IndE,,
(p- + Gz) StYn and (P- + I&+,) k yn, if n > 0. Now, we use this y,, in place of y in our proof to form the pea [p]~~. In case of n = 0 we must do two things: (1) Observing4 that it is known that there is a fll formula y0 such that (P- + I&) f y.
but
(P- + Z-Z,) h yo
(here 1& is the same thing as IA,,). 4This was pointed out to us by Petr HBjek.
(2) Avoiding use of Matijasevic’s theorem, and achieving the same affect by a more cumbersome output condition ~JJ~, as follows. Recall that y. is of the form Vx pO(x) where p0 contains only bounded quantifiers. We let the new output condition qo(x) be
(Vxr
can compute the truth value of po(x,)
by using only numbers smaller than x” 3
po(xl)).
This formula is easily formalizable since there are only ‘finitely’ many terms (and / subterms) in pO. Now one can modify the proof of Claim 2.3 for proving Claim 2.3+. DT + (P- + Is&+,) + Zndqf L [/I]&.
The proof needs only straightforward modifications. The subclaims in the proof (Claims 2.4, 2.5) remain unchanged both in formulation and in proof. Now we note that statement (12)’ remains true if we assume only A k (P- + Z&) and one can also prove that if x is JY,,then so is QI. Therefore the above modified proof works for proving the following: Claim 2.6+. DT + (P- + En) + Znd& I/ [p]qn.
Claims 2.3+ and 2.6+ complete the proof of (i). (ii) is a consequence of (i) in the following way. Zz,, is contained in Znd&, hence (P- + Z&) + ZndE, = (P- + Z&) + ZndX,. By choosing k = n in (i), we have (P- + I&) + Znd& $, (P- + Z&) + Znd&
So (i) =$ (ii) is proved.
+ Znd_&
so (P- + Zz;,,,)
+ Znd&+,,.
□

3. Peano arithmetic with bounded multiplication
In the proof of Claim 2.6 we constructed a new model $\mathbf{E}$ from an arbitrary model $\mathbf{A}$ of $P^-$ and $b \in A$ (Definition 2.7). We shall prove that in such a new model the induction axiom is satisfied for each formula $\varphi \in F_t^Z$ (Corollary 3.10). This proof will be based on Corollary 3.3, Theorem 3.4, and Lemma 3.6 below.

Notation 3.1. For $r \in \omega$, the term $z + \cdots + z$ ($r$ times) of $t$ is abbreviated as $rz$ and $r$ is written instead of $r(S(0))$. For any terms $\tau, \sigma \in Trm_t^Z$ and any $r \in \omega$, $\tau \equiv_r \sigma$ abbreviates the formula $\exists z\,(\tau + rz = \sigma \lor \sigma + rz = \tau)$ (the difference of $\tau$ and $\sigma$ is divisible by $r$). For any valuation $q \in {}^ZA$ of the variables, for any $u \in A$ and for any $z \in Z$, let the valuation $q^z_u \in {}^ZA$ be defined as follows:

We let $tb$ denote the expansion of the similarity type $t$ with the constant symbol $b$. □
From now on, $A$ denotes an arbitrary but fixed model of $P^- + I\Sigma_1$, and $b \in A$ is arbitrary but fixed. Recall the definition of the model $E(A, b)$ of similarity type $t_b$ from Section 2 (Definition 2.7). From now on, $(E, b)$ denotes the model $E(A, b)$ associated to $A$ and $b$ in the previous sentence. Let $\varphi \in F_{t_b}$ be a $\Sigma_n$ ($\Pi_n$) formula, let $q \in {}^Z A$, and let $z \in Z$ be a variable not occurring in $\varphi$. Then there is a $\Sigma_n$ ($\Pi_n$) formula $\varphi' \in F_t$ such that

(\$) $(E, b) \models \varphi[q]$ iff $A \models \varphi'[q^b_z]$.

This is easy to see, using the definition of $\cdot^E$ (see Definition 2.7).

Lemma 3.2. Let $A$ and $(E, b)$ be as above, let $\varphi \in F_{t_b}$ and $z \in Z$. If $\varphi$ is $\Sigma_1$ or $\Pi_1$, then $(E, b) \models ind(\varphi, z)$.

Proof. Assume $\varphi \in F_{t_b}$ is $\Sigma_1$. Assume $(E, b) \models (\varphi(0) \land \forall z\,(\varphi(z) \to \varphi(Sz)))[q]$ for some $q \in {}^Z A$. Then, by (\$) above, there is a $\Sigma_1$ formula $\varphi' \in F_t$ with $A \models (\varphi'(0) \land \forall z\,(\varphi'(z) \to \varphi'(Sz)))[q']$ for the appropriate modification $q'$ of $q$. Then $A \models \forall z\,\varphi'(z)[q']$ by $A \models I\Sigma_1$. But by (\$) again, then $(E, b) \models \forall z\,\varphi(z)[q]$, proving $(E, b) \models ind(\varphi, z)$.

For the $\Pi_1$ case we use a lemma from [20], by which $P^- + I\Sigma_n \models I\Pi_n$ for any $n \in \omega$ (cf. [20, Theorem A, p. 200 and Proposition 2, p. 201]). The idea of the proof of this lemma is the following. By definition, let $z \ominus z_1 = z_2$ iff $z_2 \le z \land [(z_1 \ge z \land z_2 = 0) \lor z_1 + z_2 = z]$. From $P^- + I\Sigma_n$ it is easy to prove that $\ominus$ is a function, $z < z_1 \to S(z_1 \ominus S(z)) = z_1 \ominus z$ and $z \ominus z = 0$. Let $\varphi \in F_t$ be $\Pi_n$, and assume that

(*) $\varphi(0) \land \forall z\,(\varphi(z) \to \varphi(S(z)))$

holds. By contradiction, assume that $\forall z\,\varphi$ does not hold. Then $\neg\varphi(a)$ for some $a$. Let $\psi(z)$ denote $\neg\varphi(a \ominus z)$. Then, using (*) and the simple facts concerning $\ominus$ above, one can easily prove that $\psi(0)$ and $\forall z\,(\psi(z) \to \psi(S(z)))$ hold. Since $\ominus$ is a function, $\psi$ is $\Sigma_n$ (this is immediate by 'pure logic'). By $I\Sigma_n$ we can conclude $\forall z\,\psi(z)$. Then, in particular, $\psi(a)$ holds, hence $\neg\varphi(0)$, contradicting $\varphi(0)$ in (*). This proves $\forall z\,\varphi$, completing the proof idea of the Paris-Kirby lemma. (Actually, by symmetry, this proves $P^- \models (I\Sigma_n \leftrightarrow I\Pi_n)$ but we do not need this here.)

Now, let $A$, $(E, b)$ be as above, $\varphi \in F_{t_b}$ a $\Pi_1$ formula. Then $A \models P^- + I\Sigma_1$. By the just proved lemma then $A \models I\Pi_1$. But then the argument given in the $\Sigma_1$ case, with the obvious changes, completes the proof. □

Corollary 3.3. Let $A$ and $(E, b)$ be as above, in particular $A \models P^- + I\Sigma_1$. Let $\varphi(z) \in F_{t_b}$ be a $\Sigma_1$ formula, and assume $(E, b) \models \exists z\,\varphi(z)$. Then there is a minimal value of $z$ satisfying $\varphi$, that is, $(E, b) \models \exists z\,[\varphi(z) \land (\forall z_1 < z)(\neg\varphi(z_1))]$.

Proof. Let $\psi(z)$ be $(\forall z_1 \le z)\neg\varphi(z_1)$. Then $\psi$ is $\Pi_1$, and thus, by Lemma 3.2, $\psi(0) \land \forall z\,(\psi(z) \to \psi(S(z)))$ would imply $\forall z\,\psi(z)$. But the latter contradicts $\exists z\,\varphi(z)$, therefore either $\neg\psi(0)$ or $\exists z\,(\neg(\psi(z) \to \psi(S(z))))$. In both cases the statement of this corollary holds. □
Theorem 3.4. Let $A$ and $(E, b)$ be as above, recall that $A \models P^- + I\Sigma_1$. Then for every $\varphi \in F_{t_b}$ there is a $\varphi^+ \in F_{t_b}$ of the form (QT ~b)[x
>I
(TX’ qj S zij v pv’ Oij“r(i,j) zi,j j=q
(13)
where
• $Q$ is a sequence of quantifiers ($\forall$ or $\exists$),
• $\bar z$ is a sequence of variable symbols of the same length,
• $l \in \omega$, and
• for every $0 \le i < l$
mi,piEo,
o;j,t;jETrm,h
(Ocj
(r(i, j)Eu
(mi
$(E, b) \models \varphi \leftrightarrow \varphi^+$.
Proof. Let $A$ be an arbitrary but fixed model of $P^- + I\Sigma_1$ and let $b \in A$. For simplicity of the proof, we expand the similarity types $t$ and $t_b$ with the symbol $-$ (the symbol of subtraction). The expanded similarity types are $t^-$ and $t_b^-$. Let $A'$ be a disjoint copy of $A$, $C \overset{\mathrm{def}}{=} A \cup A'$, let $- : A \to A'$ be a bijection, and let $0 - a \overset{\mathrm{def}}{=} -a$ for every $a \in A$. Let $C = (C, 0, S, \le, +, -, \cdot)$ be the structure of similarity type $t^-$ defined from $C$ in the natural way (i.e., $0 = 0^A$, for every $a \in A$, $S(a) = S^A(a)$ and $S(-a) = -(a - 1)$ etc.).
Let $\varphi \in F_{t_b}$. We prove the theorem by induction on the complexity of $\varphi$. If $\varphi$ is an atomic formula then it is evidently equivalent to a formula of form (13) above, since

$(E, b) \models (z_0 = z_1) \leftrightarrow (z_0 \le z_1 \land z_1 \le z_0)$.

The conjunction of two formulas of form (13) is trivially equivalent to a formula of the desired form. The negation of a formula of form (13) is also equivalent to a formula of form (13) since

$(E, b) \models (\neg\, z_0 \le z_1) \leftrightarrow (z_1 + 1 \le z_0)$
and
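It remains to prove only the following. If $\varphi \in F_{t_b}$ is of form (13) then $\exists z\,\varphi$ is also equivalent to a formula of form (13). We shall prove this fact using a number of new notations and lemmas. Fix any $\bar z \in {}^k Z$. We will define for every $\tau \in Trm_{t_b}$ the terms $lb_{\bar z}(\tau)$ and $ub_{\bar z}(\tau)$, called the lower and upper bound of $\tau$, respectively, by recursion on the complexity of $\tau$. If there is no danger of confusion we shall omit the subscript $\bar z$.

Definition 3.5. Let $\bar z \in {}^k Z$ be arbitrary but fixed.

$lb(0) = ub(0) \overset{\mathrm{def}}{=} 0$, $lb(b) = ub(b) \overset{\mathrm{def}}{=} b$.

If $z \in Z$ then

$lb(z) \overset{\mathrm{def}}{=} z$ if $z \notin \{\bar z(0), \ldots, \bar z(k-1)\}$, i.e. $z \notin Rng\,\bar z$, and $lb(z) \overset{\mathrm{def}}{=} 0$ otherwise;

$ub(z) \overset{\mathrm{def}}{=} z$ if $z \notin Rng\,\bar z$, and $ub(z) \overset{\mathrm{def}}{=} b$ otherwise.

Assuming that $lb$ and $ub$ are already defined for $\sigma$ and $\tau$, let

$lb(S(\tau)) \overset{\mathrm{def}}{=} lb(\tau)$, $ub(S(\tau)) \overset{\mathrm{def}}{=} ub(\tau) + b$,

$lb(\sigma + \tau) \overset{\mathrm{def}}{=} lb(\sigma) + lb(\tau)$, $ub(\sigma + \tau) \overset{\mathrm{def}}{=} ub(\sigma) + ub(\tau)$,

$lb(\sigma - \tau) \overset{\mathrm{def}}{=} lb(\sigma) - ub(\tau)$, $ub(\sigma - \tau) \overset{\mathrm{def}}{=} ub(\sigma) - lb(\tau)$,

$lb(\sigma \cdot \tau) \overset{\mathrm{def}}{=} -b$, $ub(\sigma \cdot \tau) \overset{\mathrm{def}}{=} b$. □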
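The recursion of Definition 3.5 as an executable sketch, added here as an illustration and not part of the paper: bounds are kept as linear forms, the multiple of $b$ separating them is read off as in (15), and the property (14) is brute-forced for a product-free term. The term encoding, the function names, the values 0 and $b$ for the variables of $\bar z$, the restriction to $A = N$ (so that $C$ is the integers) and $b \ge 1$ are assumptions of this sketch.

```python
from itertools import product
# Terms (constructed encoding): ("0",) ("b",) ("var", name) ("S", t) ("+", s, t)
# ("-", s, t) ("*", s, t). Bounds are linear forms {symbol: coefficient} over free variables and b.

def add(f, g, sign=1):
    """Return f + sign*g for linear forms, dropping zero coefficients."""
    out = dict(f)
    for sym, c in g.items():
        out[sym] = out.get(sym, 0) + sign * c
    return {s: c for s, c in out.items() if c}

def bounds(term, zbar):
    """(lb, ub) of Definition 3.5 for the bounded variables zbar."""
    op = term[0]
    if op in ("0", "b"):
        return ({}, {}) if op == "0" else ({"b": 1}, {"b": 1})
    if op == "var":  # assumed values 0 and b for the variables listed in zbar
        return ({}, {"b": 1}) if term[1] in zbar else ({term[1]: 1}, {term[1]: 1})
    if op == "S":
        lo, hi = bounds(term[1], zbar)
        return lo, add(hi, {"b": 1})
    if op == "*":
        return {"b": -1}, {"b": 1}
    (lo1, hi1), (lo2, hi2) = bounds(term[1], zbar), bounds(term[2], zbar)
    if op == "+":
        return add(lo1, lo2), add(hi1, hi2)
    return add(lo1, hi2, -1), add(hi1, lo2, -1)  # op == "-"

def gap(term, zbar):
    """The n with ub - lb = n*b as in (15); None if the difference has another form."""
    lo, hi = bounds(term, zbar)
    diff = add(hi, lo, -1)
    return diff.get("b", 0) if set(diff) <= {"b"} else None

def value(term, env):
    """Value of a product-free term in the integers (the case A = N, where C is Z)."""
    op = term[0]
    if op in ("0", "b"):
        return 0 if op == "0" else env["b"]
    if op == "var":
        return env[term[1]]
    if op == "S":
        return value(term[1], env) + 1
    if op not in ("+", "-"):
        raise ValueError("products are not evaluated in this sketch")
    left, right = value(term[1], env), value(term[2], env)
    return left + right if op == "+" else left - right

def check_14(term, zbar, free_env, b):
    """Brute-force (14): lb <= term <= ub whenever every variable of zbar lies in [0, b]."""
    lo, hi = bounds(term, zbar)
    ev = lambda form, env: sum(c * env[s] for s, c in form.items())
    for vals in product(range(b + 1), repeat=len(zbar)):
        env = dict(free_env, b=b, **dict(zip(zbar, vals)))
        if not ev(lo, env) <= value(term, env) <= ev(hi, env):
            return False
    return True

# Constructed sample: tau = S(z0 + x) - (z1 + b), zbar = (z0, z1), x free.
TAU = ("-", ("S", ("+", ("var", "z0"), ("var", "x"))), ("+", ("var", "z1"), ("b",)))
```

For the sample term the bounds come out as $x - 2b$ and $x + b$, so the gap is $3b$.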
It is easy to check that for each $\tau \in Trm_{t_b}$,

$(C, b) \models \Big(\bigwedge_{j<k} 0 \le \bar z(j) \le b\Big) \to \big(lb(\tau) \le \tau \le ub(\tau)\big)$, (14)

and for some $n \in \omega$,

$(C, b) \models ub(\tau) - lb(\tau) = nb$. (15)

(Here $n$ depends on the form of $\tau$ only.) We also have the following lemma:

Lemma 3.6. Let $\varphi \in F_{t_b}$ be a formula of the form (13). Assume that the variable symbol $z \in Z$ does not occur in a product in $\varphi$ (that is, there is no subterm $\xi$ of $\varphi$ with some $\rho, \sigma \in Trm_{t_b}$ such that $(E, b) \models \xi = \sigma \cdot \rho$ and $z$ occurs either in $\sigma$ or in $\rho$). Then there exists a formula $\varphi' \in F_{t_b}$ of the form (13) such that $(E, b) \models (\exists z\,\varphi) \leftrightarrow \varphi'$.

Proof of Lemma 3.6. A similar quantifier elimination transformation can be found e.g. in [17, Lemma 13.8]. Let $\varphi$, $z$ be as in the formulation of the lemma. Let us separate all the occurrences of $z$ in $\varphi$. Since $z$ does not occur in a product in $\varphi$, at most constant factors stand before $z$. The typical subformulas of $\varphi$ containing $z$ are:

$c_1 z \le \tau_1$, $\tau_2 \le c_2 z$, $c_3 z \equiv_s \tau_3$,

where $c_1, c_2, c_3$ are constant factors, $\tau_1, \tau_2, \tau_3$ are terms. Let $r$ be the least common multiple of these factors, and let $z' = rz$. Using $z'$, the above formulas become:
Combining these ideas, we get the following claim:

Claim 3.7. There is a formula
Q E F,h of the form ??I,-1 ji oil S
where r is the least common l
Z V
j=m, )I PC-l V
Z ‘s(i,j)
th V Xi
,
multiple of the constant factors standing with $z$ in the original form (13) of $\varphi$; $Q$, $l$, $\bar z$, $m_i$, $p_i$ (for $0 \le i < l$) are the same as in (13); $z$ does not occur in $\chi_i$ ($0 \le i < l$); each term which occurs in $\Phi$ is the difference of two terms from $Trm_{t_b}$; further we have that for any $q \in {}^Z A$,
Suppose $(E, b) \models \exists z\,\varphi[q]$ for a valuation $q \in {}^Z A$. Since $\varphi$ is of the form of (13), $\varphi$ is $\Sigma_1$, hence Corollary 3.3 is applicable to $\varphi$. Then, by Corollary 3.3, there exists a minimal value of $z$ in $A$ satisfying $\varphi$. Denote this value by $d' \in A$ and let $d = rd'$. Then $(E, b) \models \varphi[q^{d'}_z]$. Let $r'$ be the least common multiple of the numbers $r(i, j)$ in (13) and the numbers $s(i, j)$ in (16) ($0 \le i$
(17)
Case 2: d > I’. Then (E, 6) ‘Fcpp[qs], but (E, b) klq[q&],
thus
(C b) k @‘[&I
(18)
(C, b) kl@,[s;-r,].
(19)
and
A close examination of the formula (16) shows that by (18) and (19) there is an $i < l$ such that
(C, b) I(32 c b)(T&’
O;j> Z)[qi-,,].
Thus by (18) (C, b) k (32 G b)(yg’
Z -
r’ <
Oij S Z)[q;]
(20)
and by (14) (C, b) k (32 < b)(yv’
,=n,
Ib(U,) ~ z G ub(oij + r’))[qi].
(21)
By (15), for some natural number $h_j$, $(C, b) \models ub(\sigma_{ij}) = h_j b + lb(\sigma_{ij})$.
Let h E o denote the maximum of the numbers h,. Now fix any j with 12;
c b)( Ivi Tg’ @(zllb(aij)
+
(22)
w)[ql,
where $w \in Z$ is a new variable. Denote the formula occurring in (22) by $\varphi_1$, and let
[Fig. 3: the positions of $lb(\sigma_{ij})$, $d$, $ub(\sigma_{ij} + r')$ and $r' + hb + lb(\sigma_{ij})$.]
q2 denote the following formula: I& v 32 (O
A @).
(23)
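the two cases $d \le r'$ and $d > r'$. (17) and (22) imply

$(C, b) \models \varphi_2[q]$.

On the other hand, $(C, b) \models (\varphi_2 \to (\exists z \ge 0)\,\Phi)[q]$ trivially holds, thus

$(C, b) \models (\varphi_2 \leftrightarrow (\exists z \ge 0)\,\Phi)[q]$.

Therefore we have proved that

$(E, b) \models \exists z\,\varphi[q]$ iff $(C, b) \models \varphi_2[q]$.

One can easily obtain a formula $\varphi' \in F_{t_b}$ of form (13) such that for any valuation $q \in {}^Z A$

$(C, b) \models \varphi_2[q]$ iff $(E, b) \models \varphi'[q]$.

We have proved Lemma 3.6. □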
Now let $\varphi \in F_{t_b}$ be a formula of form (13), and let $z \in Z$ be an arbitrary variable symbol. Then

$(E, b) \models (\exists z\,\varphi) \leftrightarrow [(\exists z \le b)\,\varphi \lor \exists z\,(z > b \land \hat\varphi)]$,

where $\hat\varphi$ is obtained from $\varphi$ by substituting 0 for every product that contains $z$. The first member of the disjunction on the right hand side of the equivalence is clearly a formula of form (13). In the second member, variable $z$ does not occur in a product, so by Lemma 3.6 it is equivalent to a formula of the desired form. This proves Theorem 3.4. □

Corollary 3.8. For every formula $\varphi \in F_{t_b}$ there is a $\Sigma_1$ formula $\varphi^+ \in F_{t_b}$ such that $(E, b) \models \varphi \leftrightarrow \varphi^+$. □
Since b can be defined in E by a A,, formula of similarity type t we get: Corollary
3.9. For every formula $\varphi \in F_t$ there is a $\Sigma_1$ formula $\varphi^+ \in F_t$ such that $E \models \varphi \leftrightarrow \varphi^+$. □
Now Lemma 3.2 and Corollaries 3.8 and 3.9 together give

Corollary 3.10. $E \models ind(\varphi, z)$ for every formula $\varphi \in F_t$ and any $z \in Z$. □

4. Connections with temporal logics and dynamic logics
Let $d$ be any fixed similarity type. Let $Mod_d$ be the class of all models of $F_d$. The set $DF_d$ of dynamic formulas of similarity type $d$ is the smallest set satisfying (i), (ii) below.
(i) $F_d \subseteq DF_d$.
(ii) For any $\varphi, \psi \in DF_d$, program $p$ of similarity type $d$ and $i \in \omega$, we have $([p]\psi), (\varphi \land \psi), (\neg\varphi), (\exists x_i\,\varphi) \in DF_d$.

The validity relation $\models\ \subseteq Mod_d \times DF_d$ is defined along the lines of the definition of $\mathfrak{M} \models [p]\psi$ (see Subsection 1.4). The definition for the case when $\psi \in DF_d$ is arbitrary is the same as given there. Let $Ax$ be any combination of our distinguished axiom systems $Ind, \ldots, Tpa, \ldots, I\Sigma_n$, investigated in this paper. Then $Mod_d(Ax) \subseteq Mod_d$ is defined the usual way. Now,

is one of the many possible dynamic logics. (The hierarchy of dynamic logics is analogous to the hierarchy of modal logics including S4, S4.1, ..., S4.3, S5 etc., cf. e.g. in [4].) These dynamic logics were compared from the point of view of their program verifying powers in many of the papers quoted so far. The present paper shows that even if we restrict our attention to provability of partial correctness only, we have an infinite hierarchy in Corollary 2.9. Also, adding multiplication to the time frame increases pca-proving power (Theorem 2.1).

Temporal logic with discrete time (TL from now on) as used in a substantial part of computer science literature (see e.g. [1, 3, 4, 5, 10, 13, 22, 26, 28]) is a logic with three basic modalities $\bigcirc$, $\langle F \rangle$, $\langle P \rangle$ meaning next-time, sometime in the future and sometime in the past respectively. (Sometimes binary modalities like 'until' are included too, but that is not important now.) The set $TF_d$ of temporal formulas of similarity type $d$ is the smallest set satisfying (a) and (b) below.
(a) Every atomic formula from $F_d$ is in $TF_d$.
(b) For any $\varphi, \psi \in TF_d$ and $i \in \omega$,
Note that $y_i$ may occur in $TF_d$, but it cannot be quantified over. In TL, $y_i$ is called a flexible constant symbol. (So it is no more regarded as a variable, but instead as a constant which may change its value in time.) The class of models for $TF_d$ is $Mod_d$. That is, the so-called Kripke models of temporal logic are exactly the classical models of $F_d$ we have been studying in this paper. Instead of defining the validity relation $\models_t\ \subseteq Mod_d \times TF_d$ directly, we define it by defining a translation function $tr : TF_d \to F_d$. First we define an auxiliary function $tr^* : TF_d \times Z \to F_d$ as follows. Intuitively, $tr^*(\varphi, z)$ means that $\varphi$ is true at time $z$. For every $z \in Z$, $i, j \in \omega$ and $\varphi, \psi \in TF_d$,

(1) $tr^*(y_i = x_j, z) \overset{\mathrm{def}}{=} (y_i(z) = x_j)$ (recall that $y_i(z) = ext(y_i, z)$),
(2) $tr^*(\varphi, z) \overset{\mathrm{def}}{=} \varphi$ whenever $\varphi$ is atomic and no $y \in Y$ occurs in $\varphi$,
(3) $tr^*$ preserves classical connectives and quantifiers (e.g. $tr^*(\exists x_i\,\varphi, z) \overset{\mathrm{def}}{=} \exists x_i\, tr^*(\varphi, z)$),
(4) $tr^*(\bigcirc\varphi, z) \overset{\mathrm{def}}{=} \exists z_j\,(z_j = S(z) \land tr^*(\varphi, z_j))$,
(5) $tr^*(\langle F \rangle\varphi, z) \overset{\mathrm{def}}{=} (\exists z_j \ge z)\, tr^*(\varphi, z_j)$,
(6) $tr^*(\langle P \rangle\varphi, z) \overset{\mathrm{def}}{=} (\exists z_j \le z)\, tr^*(\varphi, z_j)$.

Since we may assume that every flexible constant $y_i$ occurs only in the form $y_i = x_j$, the definition of $tr^*$ is completed. For $\varphi \in TF_d$, $tr(\varphi) \overset{\mathrm{def}}{=} tr^*(\varphi, z_0)$, further for any $\mathfrak{M} \in Mod_d$ we let $\mathfrak{M} \models_t \varphi$ iff $\mathfrak{M} \models tr(\varphi)$.
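Clauses (1)-(6) of the translation written out as a small translator, as an added example that is not code from the paper. The tuple encoding of temporal formulas, the ASCII connective names and the way fresh time variables z1, z2, ... are chosen are assumptions of this sketch.

```python
from itertools import count

# Temporal formulas as tuples (constructed encoding, not the paper's):
#   ("flex_eq", i, j)  y_i = x_j        ("atom", text)   atomic, no flexible constant
#   ("not", f)  ("and", f, g)  ("exists", i, f)           classical part
#   ("next", f)  ("F", f)  ("P", f)                       the three modalities

def tr_star(phi, z, fresh=None):
    """Return tr*(phi, z) as a string: the classical formula saying phi holds at time z."""
    if fresh is None:
        fresh = count(1)                      # supplies new time variables z1, z2, ...
    op = phi[0]
    if op == "flex_eq":                       # clause (1)
        return f"y{phi[1]}({z}) = x{phi[2]}"
    if op == "atom":                          # clause (2)
        return phi[1]
    if op == "not":                           # clause (3)
        return f"not {tr_star(phi[1], z, fresh)}"
    if op == "and":
        return f"({tr_star(phi[1], z, fresh)} and {tr_star(phi[2], z, fresh)})"
    if op == "exists":
        return f"exists x{phi[1]} {tr_star(phi[2], z, fresh)}"
    if op in ("next", "F", "P"):
        zj = f"z{next(fresh)}"                # time variable not used so far
        body = tr_star(phi[1], zj, fresh)
        if op == "next":                      # clause (4)
            return f"exists {zj} ({zj} = S({z}) and {body})"
        rel = ">=" if op == "F" else "<="     # clauses (5) and (6)
        return f"(exists {zj} {rel} {z}) {body}"
    raise ValueError(f"unknown constructor: {op!r}")

# Constructed samples.
EVENTUALLY_NEXT = ("F", ("next", ("flex_eq", 0, 1)))
MIXED = ("and", ("P", ("atom", "x0 = x1")), ("next", ("flex_eq", 2, 0)))
```

Each modality introduces exactly one new time variable, so nested modalities turn into nested quantifiers over the time sort.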
The basic (or weakest) temporal logic is

A complete Hilbert-style inference system for $TL_0$ can be found e.g. in [4]. Similarly to the case of dynamic logics, $TL_0$ itself is not very useful as a temporal logic, it is only a starting point. Let $Md_\omega = \{\mathfrak{M} \in Mod_d : \mathbf{T} = \langle N, \ldots \rangle\}$ where $N$ is the standard model of arithmetic. Let

$TL_\omega = \langle TF_d, Md_\omega, \models_t \rangle$.

It was proved in [5] that it is completely impossible to give a complete inference system for even the weakest fragments of $TL_\omega$, even if we take completeness in the weakest bearable sense. (So the situation is much worse than just saying that the validities of $TL_\omega$ are not recursively enumerable. Of course, they are not, but we could still hope to be able to prove some very basic temporal formulas about programs, say restricting our ambitions to those programs which terminate etc. Such 'hopes' are disproved in [5].) So then it is natural to take 'logical' axiom systems $Ax \subseteq F_d$ as we did here, and study the temporal logics

$TL_{Ax} = \langle TF_d, Mod_d(Ax), \models_t \rangle$.

This approach was taken in all the temporal logic papers quoted from the present work. [12] announced a completeness theorem for $TL_{Ax}$. Completeness results, at least for provability of temporal statements about programs, were proved for $TL_{(Tpres+Ind)}$ beginning with [22]. From the results of the present paper it follows that $TL_{(Tpa+Ind)}$ is closer (from the purely temporal point of view) to the desirable but 'unreachable' $TL_\omega$ than $TL_{(Tpres+Ind)}$. (By Corollary 2.9, there is an infinite hierarchy of temporal logics in between.) An early, preprint version of this paper motivated [1] to try to find a Hilbert style completeness theorem for $TL_{(Tpa+Ind)}$. And it was with the methods of the present paper that [28] showed that the problem remains still open. These developments led to the present situation when the theory of temporal logic heavily uses weak systems of Peano's arithmetic, cf. e.g. [4].
Acknowledgements
We thank Petr Hájek, Ágnes Kurucz and István Németi for their precious help. Thanks are due to R. Verbrugge for careful reading of the manuscript and for very helpful comments. We also thank L. Csirmaz, C. Dimitracopoulos, S. Feferman, J. Krajíček and J. Paris for their advice concerning Peano Arithmetic.
References

[1] M. Abadi, The power of temporal proofs, Theoret. Comput. Sci. 64 (1989) 35-84.
[2] M. Abadi, Errata for "The power of temporal proofs", Theoret. Comput. Sci. 70 (1990) 275.
[3] H. Andréka, Sharpening the characterization of the power of Floyd method, in: A. Salwicki, ed., Logics of Programs and their applications (Proc. Conf. Poznan 1980), Lecture Notes in Computer Science 148 (Springer, Berlin, 1983) 1-26.
[4] H. Andréka, V. Goranko, Sz. Mikulás, I. Németi and I. Sain, Effective first order temporal logics, in: A. Szalas, ed., Volume on Logics of Programs (Springer, Berlin, to appear). Also available as: Preprint, Math. Inst. Hungar. Acad. Sci. (1991) 69 pp.
[5] H. Andréka, I. Németi and I. Sain, Completeness problems in verification of programs and program schemes, in: J. Bečvář, ed., Mathematical Foundations of Computer Science '79 (Proc. Conf. Olomouc, Czechoslovakia 1979), Lecture Notes in Computer Science 74 (Springer, Berlin, 1979) 208-218.
[6] H. Andréka, I. Németi and I. Sain, A complete logic for reasoning about programs via non-standard model theory, Theoret. Comput. Sci. 17 (1982) 193-212 and 259-278.
[7] H. Andréka, I. Németi and I. Sain, On the strength of temporal proofs, Theoret. Comput. Sci. 80 (1991) 125-151.
[8] C.C. Chang and H.J. Keisler, Model Theory (North-Holland, Amsterdam, 1973).
[9] C. Dimitracopoulos, Matijasevič's Theorem and Fragments of Arithmetic, Thesis presented to the Univ. of Manchester (UK) for the degree of Doctor of Philosophy in the Faculty of Science (1980).
[10] D.M. Gabbay, Tense logics with discrete moments of time I, J. Philos. Logic 1.
[11] D.M. Gabbay, I.M. Hodkinson and M.A. Reynolds, Temporal Logic, Vol. I (Oxford Univ. Press, Oxford, 1993).
[12] T. Gergely and T. Ury, First-order Programming Theories, in: W. Brauer, G. Rozenberg and A. Salomaa, eds., EATCS Monographs on Theoretical Computer Science 24 (Springer, Berlin, 1991) 351 pp.
[13] R. Goldblatt, Logics of Time and Computation (second edition, revised and expanded), CSLI (Center for the Study of Language and Information) Lecture Notes 7, viii + 180 pp.
[14] P. Hájek, Some conservativeness results for nonstandard dynamic logic, in: J. Demetrovics, G. Katona and A. Salomaa, eds., Algebra, Combinatorics and Logic (Proc. Conf. Győr, Hungary, 1983) Colloq. Math. Soc. J. Bolyai 42 (North-Holland, Amsterdam, 1981) 443-449.
[15] P. Hájek, A simple dynamic predicate logic, Theoret. Comput. Sci. 46 (1986) 239-259.
[16] Z. Manna, Mathematical Theory of Computation (McGraw-Hill, New York, 1974).
[17] J.D. Monk, Mathematical Logic (Springer, Berlin, 1976).
[18] I. Németi, Nonstandard dynamic logic, in: D. Kozen, ed., Logics of Programs (Proc. Conf. New York), Lecture Notes in Computer Science 131 (Springer, Berlin, 1982) 311-348.
[19] J. Paris, A hierarchy of cuts in models of arithmetic, in: Model Theory of Algebra and Arithmetic (Proc. Conf. Karpacz, Poland, 1979), Lecture Notes in Math. 834 (Springer, Berlin, 1980) 312-337.
[20] J.B. Paris and L.A.S. Kirby, $\Sigma_n$-collection schemas in arithmetic, in: A. Macintyre, L. Pacholski and J. Paris, eds., Logic Colloquium '77 (North-Holland, Amsterdam, 1978) 199-209.
[21] H. Rogers, Jr., Theory of Recursive Functions and Effective Computability (McGraw-Hill, New York, 1967).
[22] I. Sain, Sharpening the characterization of Pnueli's program verification method, Parts I-II, Preprint, Math. Inst. Hungar. Acad. Sci., Budapest (June 1983), 66 pp.
[23] I. Sain, Structured nonstandard dynamic logic, Z. Math. Logik Grundlag. Math. 30 (3) (1984) 481-497.
[24] I. Sain, Dynamic Logic with Nonstandard Model Theory, Dissertation, Hungar. Acad. Sci., Budapest, 1986 (in Hungarian), ix + 180 pp.
[25] I. Sain, Total correctness in nonstandard dynamic logic, Theoret. Comput. Sci. 50 (1987) 285-321.
[26] I. Sain, Is "some other time" sometimes better than "sometime" in proving partial correctness of programs?, in: M.M. Richter and M.E. Szabo, eds., Nonstandard Methods in Mathematics - Special Volume of Studia Logica 47 (1988) 279-301.
[27] I. Sain, Comparing and characterizing the powers of established program verification methods, in: J.V. Tucker and K. Meinke, eds., Many sorted Logic and its Applications (Proc. Conf. Leeds, UK, 1988) (Wiley, New York, 1993) 215-314.
[28] I. Sain, Temporal logics need their clocks, Theoret. Comput. Sci. 95 (1992) 75-95.