Johan van Benthem,Denis Bonnay

DOI: https://doi.org/10.3166/jancl.18.153-173

2008-01-01

Abstract:Consider any logical system, what is its natural repertoire of logical operations? This question has been raised in particular for first-order logic and its extensions with generalized quantifiers, and various characterizations in terms of semantic invariance have been proposed. In this paper, our main concern is with modal and dynamic logics. Drawing on previous work on invariance for first-order operations, we find an abstract connection between the kind of logical operations a system uses and the kind of invariance conditions the system respects. This analysis yields (a) a characterization of invariance and safety under bisimulation as natural conditions for logical operations in modal and dynamic logics, and (b) some new transfer results between first-order logic and modal logic.

Venema,J. Benthem,A. Baltag,S. Smets

2013-01-01

Abstract:One of van Benthem’s seminal results is the Bisimulation Theorem characterizing modal logic as the bisimulation-invariant fragment of first-order logic. Janin and Walukiewicz extended this theorem to include fixpoint operators, showing that the modal μ-calculus μML is the bisimulation-invariant fragment of monadic second-order logic MSO. Their proof uses parity automata that operate on Kripke models, and feature a transition map defined in terms of certain fragments of monadic first-order logic. In this paper we decompose their proof in three parts: (1) two automata-theoretic characterizations, of MSO and μML respectively, (2) a simple model-theoretic characterization of the identity-free fragment of monadic first-order logic, and (3) an automata-theoretic result, stating that (a strong version of) the second result somehow propagates to the level of full fixpoint logics. Our main contribution shows that the third result is an instance of a more general phenomenon that is essentially coalgebraic in nature. We prove that if one set Λ of predicate liftings (or modalities) for a certain set functor T uniformly corresponds to the T -natural fragment of another such set Λ ′, then the fixpoint logic associated with Λ is the bisimulation-invariant logic of the fixpoint logic associated with Λ ′.

Johan van Benthem

1988-01-01

Abstract:Modal logic becomes action logic by adding programs as in propositional dynamic logic or the μ– calculus. Modal languages can be s en as decidable fragments of first-order logic that admit a natural bisimulation, and hence enjoy a good model theory. Recently, much stronger 'guarded fragments' of first order logic have been identified that enjoy the same pleasant features. The latter can serve as richer action languages as well. We will develop the logic of guarded fragments as a form of process theory. ln particular, moving from sequential to parallel process operations correlates with moving to first-order fragments that are close to, or perhaps just over the decidable–undecidable fence. 1 The modal dynamics of actions We will start by reviewing the basics. Standard poly modal logic is a decidable fragment of the first-order logic of process graphs (labeled transition systems, Kripke models). It can be characterized semantically as consisting, up to logical equivalence, of those first order formulas which are invariant for bisimulation. Propositional dynamic logic turns this into an explicit action language by treating propositions and programs on a par, adding a syntactic component of regular programs, including tests for all propositions. Again, this system is decidable, its propositions are invariant for bisimulation, while its programs are what may be called 'safe for bisimulation'. (Roughly speaking, transition relations for all programs enjoy automatic zig-zag over any existing bisimulation). To obtain the full power of fixed-point operations over all syntactically positive predicate transformers, however, one must move to the modal μ-calculus. Again, the latter system is decidable, and it consists of all bisimulation-invariant statements in a first-order logic with fixed-point operators over process graphs. (This convenient paraphrase of a recent semantic characterization is equivalent to the version involving monadic second-order logic.) This line of logics runs into clear limitations, as it does not handle joint or parallel action. But read on. 2 From modal to guarded logics Modal logic behaves much like a miniature of first order logic in its main system properties (effective axiomatizability, interpolation, preservation results). The mechanism that drives this strong similarity is essentially the following meta-equation: ML : FOL = bisimulation : potential isomorphism We will unpack this terse, but meaning-laden tatement somewhat in the tutorial. Of course, modal

William Blum,C. -H. Luke Ong

DOI: https://doi.org/10.2168/lmcs-5(1:3)2009

2009-02-19

Logical Methods in Computer Science

Abstract:Safety is a syntactic condition of higher-order grammars that constrains occurrences of variables in the production rules according to their type-theoretic order. In this paper, we introduce the safe lambda calculus, which is obtained by transposing (and generalizing) the safety condition to the setting of the simply-typed lambda calculus. In contrast to the original definition of safety, our calculus does not constrain types (to be homogeneous). We show that in the safe lambda calculus, there is no need to rename bound variables when performing substitution, as variable capture is guaranteed not to happen. We also propose an adequate notion of beta-reduction that preserves safety. In the same vein as Schwichtenberg's 1976 characterization of the simply-typed lambda calculus, we show that the numeric functions representable in the safe lambda calculus are exactly the multivariate polynomials; thus conditional is not definable. We also give a characterization of representable word functions. We then study the complexity of deciding beta-eta equality of two safe simply-typed terms and show that this problem is PSPACE-hard. Finally we give a game-semantic analysis of safety: We show that safe terms are denoted by `P-incrementally justified strategies'. Consequently pointers in the game semantics of safe lambda-terms are only necessary from order 4 onwards.

computer science, theory & methods,logic

Mikkel Birkegaard Andersen,Thomas Bolander,Hans van Ditmarsch,Martin Holm Jensen

DOI: https://doi.org/10.1007/s11229-016-1060-x

2016-02-26

Abstract:Plausibility models are Kripke models that agents use to reason about knowledge and belief, both of themselves and of each other. Such models are used to interpret the notions of conditional belief, degrees of belief, and safe belief. The logic of conditional belief contains that modality and also the knowledge modality, and similarly for the logic of degrees of belief and the logic of safe belief. With respect to these logics, plausibility models may contain too much information. A proper notion of bisimulation is required that characterises them. We define that notion of bisimulation and prove the required characterisations: on the class of image-finite and preimage-finite models (with respect to the plausibility relation), two pointed Kripke models are modally equivalent in either of the three logics, if and only if they are bisimilar. As a result, the information content of such a model can be similarly expressed in the logic of conditional belief, or the logic of degrees of belief, or that of safe belief. This, we found a surprising result. Still, that does not mean that the logics are equally expressive: the logics of conditional and degrees of belief are incomparable, the logics of degrees of belief and safe belief are incomparable, while the logic of safe belief is more expressive than the logic of conditional belief. In view of the result on bisimulation characterisation, this is an equally surprising result. We hope our insights may contribute to the growing community of formal epistemology and on the relation between qualitative and quantitative modelling.

Artificial Intelligence,Logic in Computer Science

Johan van Benthem,van benthem

1997-01-01

Abstract:Modal logic becomes action logic by adding programs as in propositional dynamic logic or the μ– calculus. Modal languages can be s en as decidable fragments of first-order logic that admit a natural bisimulation, and hence enjoy a good model theory. Recently, much stronger 'guarded fragments' of first order logic have been identified that enjoy the same pleasant features. The latter can serve as richer action languages as well. We will develop the logic of guarded fragments as a form of process theory. ln particular, moving from sequential to parallel process operations correlates with moving to first-order fragments that are close to, or perhaps just over the decidable–undecidable fence. 1 The modal dynamics of actions We will start by reviewing the basics. Standard poly modal logic is a decidable fragment of the first-order logic of process graphs (labeled transition systems, Kripke models). It can be characterized semantically as consisting, up to logical equivalence, of those first order formulas which are invariant for bisimulation. Propositional dynamic logic turns this into an explicit action language by treating propositions and programs on a par, adding a syntactic component of regular programs, including tests for all propositions. Again, this system is decidable, its propositions are invariant for bisimulation, while its programs are what may be called 'safe for bisimulation'. (Roughly speaking, transition relations for all programs enjoy automatic zig-zag over any existing bisimulation). To obtain the full power of fixed-point operations over all syntactically positive predicate transformers, however, one must move to the modal μ-calculus. Again, the latter system is decidable, and it consists of all bisimulation-invariant statements in a first-order logic with fixed-point operators over process graphs. (This convenient paraphrase of a recent semantic characterization is equivalent to the version involving monadic second-order logic.) This line of logics runs into clear limitations, as it does not handle joint or parallel action. But read on. 2 From modal to guarded logics Modal logic behaves much like a miniature of first order logic in its main system properties (effective axiomatizability, interpolation, preservation results). The mechanism that drives this strong similarity is essentially the following meta-equation: ML : FOL = bisimulation : potential isomorphism We will unpack this terse, but meaning-laden tatement somewhat in the tutorial. Of course, modal

Johan van Benthem

DOI: https://doi.org/10.1007/bf00370508

1984-01-01

Studia Logica

Abstract:Providing a possible worlds semantics for a logic involves choosing a class of possible worlds models, and setting up a truth definition connecting formulas of the logic with statements about these models. This scheme is so flexible that a danger arises: perhaps, any (reasonable) logic whatsoever can be modelled in this way. Thus, the enterprise would lose its essential ‘tension’. Fortunately, it may be shown that the so-called ‘incompleteness-examples’ from modal logic resist possible worlds modelling, even in the above wider sense. More systematically, we investigate the interplay of truth definitions and model conditions, proving a preservation theorem characterizing those types of truth definition which generate the minimal modal logic.

J Van Benthem

DOI: https://doi.org/10.1109/LICS.1998.705661

1998-01-01

Abstract:Modal logic becomes action logic by adding programs as in propositional dynamic logic or the mu-calculus. Modal languages can be seen as decidable fragments of first-order logic that admit a natural bisimulation, and hence enjoy a goon model theory. Recently, much stronger 'guarded fragments' of first-order logic have been identified that enjoy the same pleasant features. The latter can serve as richer action languages as well. We will develop the logic of guarded fragments as a form of process theory. In particular, moving from sequential to parallel process operations correlates with moving to first-order fragments that are close to, or perhaps just over the decidable-undecidable fence.

Yu-Fang Chen,Chih-Duo Hong,Anthony W. Lin,Philipp Ruemmer

DOI: https://doi.org/10.48550/arXiv.1709.07139

2017-10-03

Abstract:We revisit the classic problem of proving safety over parameterised concurrent systems, i.e., an infinite family of finite-state concurrent systems that are represented by some finite (symbolic) means. An example of such an infinite family is a dining philosopher protocol with any number n of processes (n being the parameter that defines the infinite family). Regular model checking is a well-known generic framework for modelling parameterised concurrent systems, where an infinite set of configurations (resp. transitions) is represented by a regular set (resp. regular transducer). Although verifying safety properties in the regular model checking framework is undecidable in general, many sophisticated semi-algorithms have been developed in the past fifteen years that can successfully prove safety in many practical instances. In this paper, we propose a simple solution to synthesise regular inductive invariants that makes use of Angluin's classic L* algorithm (and its variants). We provide a termination guarantee when the set of configurations reachable from a given set of initial configurations is regular. We have tested L* algorithm on standard (as well as new) examples in regular model checking including the dining philosopher protocol, the dining cryptographer protocol, and several mutual exclusion protocols (e.g. Bakery, Burns, Szymanski, and German). Our experiments show that, despite the simplicity of our solution, it can perform at least as well as existing semi-algorithms.

Logic in Computer Science,Formal Languages and Automata Theory,Programming Languages

Marius Bozga,Radu Iosif,Joseph Sifakis

DOI: https://doi.org/10.48550/arXiv.1902.02696

2019-02-07

Abstract:We consider concurrent systems consisting of a finite but unknown number of components, that are replicated instances of a given set of finite state automata. The components communicate by executing interactions which are simultaneous atomic state changes of a set of components. We specify both the type of interactions (e.g.\ rendez-vous, broadcast) and the topology (i.e.\ architecture) of the system (e.g.\ pipeline, ring) via a decidable interaction logic, which is embedded in the classical weak sequential calculus of one successor (WS1S). Proving correctness of such system for safety properties, such as deadlock freedom or mutual exclusion, requires the inference of an inductive invariant that subsumes the set of reachable states and avoids the unsafe states. Our method synthesizes such invariants directly from the formula describing the interactions, without costly fixed point iterations. We applied our technique to the verification of several textbook examples, such as dining philosophers, mutual exclusion protocols and concurrent systems with preemption and priorities.

Formal Languages and Automata Theory

Johan van Benthem,Jan van Eijck,Vera Stebletsova

DOI: https://doi.org/10.1093/logcom/4.5.811

1994-01-01

Journal of Logic and Computation

Abstract:Transition systems can be viewed either as process diagrams or as Kripke structures. The first perspective is that of process theory, the second that of modal logic. This paper shows how various formalisms of modal logic can be brought to bear on processes. Notions of bisimulation can not only be motivated by operations on transition systems but can also be suggested by investigations of modal formalisms. To show that the equational view of processes from process algebra is closely related to modal logic, we consider various ways of looking at the relation between the calculus of basic process algebra and propositional dynamic logic. More concretely, the paper contains preservation results for various bisimulation notions, a result on the expressive power of propositional dynamic logic, and a definition of bisimulation which is the proper notion of invariance for concurrent propositional dynamic logic.

Marc Brockschmidt,Daniel Larraz,Albert Oliveras,Enric Rodriguez-Carbonell,Albert Rubio

DOI: https://doi.org/10.48550/arXiv.1507.03851

2015-08-04

Abstract:We present an automated compositional program verification technique for safety properties based on conditional inductive invariants. For a given program part (e.g., a single loop) and a postcondition $\varphi$, we show how to, using a Max-SMT solver, an inductive invariant together with a precondition can be synthesized so that the precondition ensures the validity of the invariant and that the invariant implies $\varphi$. From this, we build a bottom-up program verification framework that propagates preconditions of small program parts as postconditions for preceding program parts. The method recovers from failures to prove the validity of a precondition, using the obtained intermediate results to restrict the search space for further proof attempts. As only small program parts need to be handled at a time, our method is scalable and distributable. The derived conditions can be viewed as implicit contracts between different parts of the program, and thus enable an incremental program analysis.

Logic in Computer Science

Thomas Bolander,Alessandro Burigana

2024-05-01

Abstract:Bisimulations are standard in modal logic and, more generally, in the theory of state-transition systems. The quotient structure of a Kripke model with respect to the bisimulation relation is called a bisimulation contraction. The bisimulation contraction is a minimal model bisimilar to the original model, and hence, for (image-)finite models, a minimal model modally equivalent to the original. Similar definitions exist for bounded bisimulations ($k$-bisimulations) and bounded bisimulation contractions. Two finite models are $k$-bisimilar if and only if they are modally equivalent up to modal depth $k$. However, the quotient structure with respect to the $k$-bisimulation relation does not guarantee a minimal model preserving modal equivalence to depth $k$. In this paper, we remedy this asymmetry to standard bisimulations and provide a novel definition of bounded contractions called rooted $k$-contractions. We prove that rooted $k$-contractions preserve $k$-bisimilarity and are minimal with this property. Finally, we show that rooted $k$-contractions can be exponentially more succinct than standard $k$-contractions.

Logic in Computer Science

Raz Lotan,Eden Frenkel,Sharon Shoham

2024-08-20

Abstract:First-order logic has been established as an important tool for modeling and verifying intricate systems such as distributed protocols and concurrent systems. These systems are parametric in the number of nodes in the network or the number of threads, which is finite in any system instance, but unbounded. One disadvantage of first-order logic is that it cannot distinguish between finite and infinite structures, leading to spurious counterexamples. To mitigate this, we offer a verification approach that captures only finite system instances. Our approach is an adaptation of the cutoff method to systems modeled in first-order logic. The idea is to show that any safety violation in a system instance of size larger than some bound can be simulated by a safety violation in a system of a smaller size. The simulation provides an inductive argument for correctness in finite instances, reducing the problem to showing safety of instances with bounded size. To this end, we develop a framework to (i) encode such simulation relations in first-order logic and to (ii) validate the simulation relation by a set of verification conditions given to an SMT solver. We apply our approach to verify safety of a set of examples, some of which cannot be proven by a first-order inductive invariant.

Logic in Computer Science,Programming Languages

Michael Lambert

DOI: https://doi.org/10.48550/arXiv.2111.07461

2021-11-15

Abstract:This paper presents a reformulation in topos logic of a safety result arising in an abstract presentation of blockchain consensus protocols. That is, in a high-level template for "correct-by-construction" consensus protocols, it is shown that a proposition and its negation cannot both be safe in protocol states that have executions to some common state. This is in fact true for any inconsistent propositions and the proof requires only intuitionistic reasoning. This opens the door for work on consensus protocols in the internal language of a topos. As a first pass on such a program, the main contribution of this paper is the formulation of estimate safety in abstract correct-by-construction protocols as a forcing statement in the internal logic of a given topos. This is illustrated first in the setting of copresheaf toposes. It is also seen there that safety can be viewed as a modal statement. For these interpretations, some extensions and adaptations of results in the literature on modal operators in toposes are presented. The final reformulation of estimate safety is a completely elementary version in the language of an arbitrary topos where it is seen that estimate safety is equivalent to a certain forcing statement.

Category Theory

Patrik Simons

DOI: https://doi.org/10.48550/arXiv.cs/0005010

2000-05-09

Abstract:An algorithm for computing the stable model semantics of logic programs is developed. It is shown that one can extend the semantics and the algorithm to handle new and more expressive types of rules. Emphasis is placed on the use of efficient implementation techniques. In particular, an implementation of lookahead that safely avoids testing every literal for failure and that makes the use of lookahead feasible is presented. In addition, a good heuristic is derived from the principle that the search space should be minimized. Due to the lack of competitive algorithms and implementations for the computation of stable models, the system is compared with three satisfiability solvers. This shows that the heuristic can be improved by breaking ties, but leaves open the question of how to break them. It also demonstrates that the more expressive rules of the stable model semantics make the semantics clearly preferable over propositional logic when a problem has a more compact logic program representation. Conjunctive normal form representations are never more compact than logic program ones.

Logic in Computer Science,Artificial Intelligence

J van Benthem

DOI: https://doi.org/10.1016/s0168-0072(98)00029-3

IF: 5.414

1998-01-01

Machine Learning

Abstract:Rohit Parikh has been one of the pioneers at the interface of modal and dynamic logic. Bringing dynamic, process-oriented concerns into modal logic has been a major move, whose repercussions are still being felt today. In this contribution, I consider the bridge concept of bisimulation, which links modal logic with computational process theories. The main results show how its model-theoretic invariance properties, first established within first-order model theory, may be lifted to infinitary logic, a natural generalized habitat for theories of programs and processes. The techniques used for this purpose also suggest some further proof-theoretic uses, going beyond purely modal languages.

Yuxin Deng,Yuan Feng

DOI: https://doi.org/10.1109/TASE.2017.8285625

2017-01-01

Abstract:We investigate a notion of probabilistic program equivalence under linear contexts. We show that both a statebased and a distribution-based bisimilarity are sound coinductive proof techniques for reasoning about higher-order probabilistic programs, but only the distribution-based one is complete for linear contextual equivalence. The completeness proof is novel and directly constructs linear contexts from transitions, rather than the traditional approach of characterizing bisimilarities as testing equivalences.

Jinwoo Kim,Shaan Nagy,Thomas Reps,Loris D'Antoni

2024-10-21

Abstract:Applications like program synthesis sometimes require proving that a property holds for all of the infinitely many programs described by a grammar - i.e., an inductively defined set of programs. Current verification frameworks overapproximate programs' behavior when sets of programs contain loops, including two Hoare-style logics that fail to be relatively complete when loops are allowed. In this work, we prove that compositionally verifying simple properties for infinite sets of programs requires tracking distinct program behaviors over unboundedly many executions. Tracking this information is both necessary and sufficient for verification. We prove this fact in a general, reusable theory of denotational semantics that can model the expressivity and compositionality of verification techniques over infinite sets of programs. We construct the minimal compositional semantics that captures simple properties of sets of programs and use it to derive the first sound and relatively complete Hoare-style logic for infinite sets of programs. Thus, our methods can be used to design minimally complex, compositional verification techniques for sets of programs.

Programming Languages

P. Dicpinigaitis,Yvonne E. Gayle

DOI: https://doi.org/10.1046/J.1365-2125.2003.01902.X

2003-11-01

British Journal of Clinical Pharmacology

Abstract:AIMS Current guidelines recommend the use of first-generation antihistamines for the treatment of cough due to rhinitis/postnasal drip syndrome. The antitussive activity of the second-generation antihistamine, fexofenadine, has not been investigated. Therefore, we evaluated the effect of fexofenadine on capsaicin-induced cough in healthy volunteers and in subjects with acute viral upper respiratory tract infection (URI). METHODS Twelve healthy volunteers and 12 subjects with URI underwent pulmonary function testing and capsaicin cough challenge on two separate days, 2 h after ingesting 180 mg fexofenadine or matched placebo. Subjects inhaled single, vital-capacity breaths of capsaicin aerosol, administered in incremental doubling concentrations, until the concentration inducing five or more coughs (C5) was determined. RESULTS In both subject groups, C5 was not significantly different after fexofenadine compared to placebo. In subjects with URI, pulmonary function studies were also similar. In healthy volunteers, however, FEV1 and FEF(25-75), pulmonary function parameters reflecting the degree of airway dilatation, were significantly increased after fexofenadine. Mean (95% CI) values for FEV1(L) after fexofenadine and placebo were 3.16 (2.77, 3.55) and 3.08 (2.69, 3.47), respectively (P = 0.017). Mean values for FEF(25-75)(L/s) were 3.49 (3.10, 3.88) and 3.26 (2.79, 3.72), respectively (P = 0.029). CONCLUSIONS Fexofenadine demonstrated no antitussive activity against capsaicin-induced cough in healthy volunteers and subjects with URI. The ineffectiveness of fexofenadine in suppressing cough probably reflects the lack of anticholinergic activity and central nervous system penetrance that is characteristic of first-generation antihistamines. The mild bronchodilation induced by fexofenadine in healthy volunteers is of unclear clinical significance and requires further investigation.