
Università degli Studi di Pisa
Dipartimento di Informatica

Dottorato di Ricerca in Informatica

Ph.D. Thesis

Natural Deduction Systems for Temporal Logics

Davide Marchignoli

Supervisor
A. Masini

ADDR: Corso Italia 40, 56125 Pisa, Italy.
TEL: +39-50-887268.
FAX: +39-50-887226.
E-MAIL: marchign@di.unipi.it.

Abstract. In this thesis we study natural deduction proof systems for discrete time linear temporal logics.
We start by defining a proof system for a simple logic for which no induction rule is needed. The resulting proof system is simple and its rules for the modal operators are close to the quantifier rules of predicate logic.
We prove that the standard proof-theoretic properties of predicate logic also hold for this system. In particular we prove that the system enjoys the normalization property and that its intuitionistic fragment enjoys the disjunction property and the existential property.
Then we extend the previous system to cope with linear temporal logic and we consider several different modal operators. The new system requires an induction rule and is not normalizing.
We recover the normalization property by defining a new proof system with an infinitary rule. We show that this new system is equivalent to the system based on the induction rule as long as we consider finite sets of formulas.
Starting from our first proof system, we devise a term calculus that gives a computational reading to the temporal operators of intuitionistic temporal logic. We argue for its application to staged evaluation by defining a basic language with constructs for boxed code and delayed evaluation.
Finally we briefly show how the proof systems defined in this thesis can be faithfully encoded in logical frameworks.


Contents

1 Introduction
2 Basic Notions and Notations . . . . . 7
  2.1 Natural Deduction . . . . . 7
    2.1.1 Computational interpretation . . . . . 12
  2.2 Modal and Temporal Logics . . . . . 15
    2.2.1 Hilbert systems . . . . . 17
    2.2.2 Temporal Logics . . . . . 19
    2.2.3 ND Systems for modal logics . . . . . 21
3 Small Temporal Logic . . . . . 25
  3.1 Language and Semantics . . . . . 25
  3.2 Axiomatization . . . . . 27
  3.3 Labelled formulas . . . . . 28
  3.4 Natural deduction system NKSTL . . . . . 29
    3.4.1 Relational Entailment . . . . . 32
  3.5 Soundness and Completeness . . . . . 36
  3.6 A natural deduction system without equality for STL . . . . . 38
4 Small temporal logic Normalization . . . . . 41
  4.1 Reduction Rules . . . . . 41
    4.1.1 Relational Reductions . . . . . 41
    4.1.2 Logical Reductions . . . . . 42
  4.2 NKSTL Normalization . . . . . 45
  4.3 NJSTL Normalization . . . . . 48
5 Temporal Logics . . . . . 53
  5.1 Language and Semantics . . . . . 53
  5.2 Proof Systems . . . . . 54
    5.2.1 Until Temporal Logic . . . . . 56
    5.2.2 Past Tense operators . . . . . 57
    5.2.3 Branching Time logics . . . . . 59
  5.3 A partial result of normalization . . . . . 60
  5.4 Failure of normalization . . . . . 62
6 Omega temporal logic . . . . . 65
  6.1 The system LTL . . . . . 65
  6.2 Normalization . . . . . 71
    6.2.1 Reduction Rules . . . . . 72
    6.2.2 Preliminaries . . . . . 72
    6.2.3 NKLTL Normalization . . . . . 75
    6.2.4 Consequences of normalization in NKLTL . . . . . 78
    6.2.5 NJLTL Normalization . . . . . 79
    6.2.6 Consequences of normalization in NJLTL . . . . . 81
  6.3 Elimination of (ω) . . . . . 85
7 Temporal calculus . . . . . 87
  7.1 Temporal λ-calculus . . . . . 87
    7.1.1 Strong Normalization . . . . . 90
    7.1.2 Confluency . . . . . 93
  7.2 Multi stage Interpretation . . . . . 95
    7.2.1 Interpretation of modal types . . . . . 96
    7.2.2 Reduction Semantics . . . . . 97
    7.2.3 Correctness criteria . . . . . 101
  7.3 Comparison with multi staged calculi . . . . . 104
    7.3.1 Encoding # . . . . . 104
    7.3.2 Encoding □ . . . . . 106
  7.4 Mini-MLT . . . . . 111
8 Temporal Logics in Logical Framework . . . . . 117
  8.1 Dependently Typed λ-calculus . . . . . 117
  8.2 Encoding in Dependently Typed λ-calculus . . . . . 120
    8.2.1 Encoding Formulas . . . . . 121
    8.2.2 Encoding Judgments . . . . . 123
    8.2.3 Encoding Provability . . . . . 125
Bibliography . . . . . 133

Chapter 1
Introduction
In this thesis we are mainly concerned with temporal logics [GHR94] and systems of natural deduction [Pra65]. The temporal logics considered here range from a simple bimodal logic to past tense temporal logic with until. For each of these a proof system in natural deduction style is introduced and investigated.
Starting from the seminal paper of Pnueli [Pnu77], in which temporal logic is presented as a tool for the specification and verification of the behaviour of reactive systems, temporal logic has found its way into many different areas of Computer Science. Nowadays temporal logic is a main ingredient in the study of temporal databases, in the specification, verification and synthesis of concurrent systems [CES86, Lam94], in linguistics and in many other areas (for a detailed list of applications see also [GHR94]).
The term temporal logic is often used to denote the broad class of logical systems aimed at the representation of temporal information. Several different approaches have been developed in this direction; among these we will focus on the approaches based on modal logics (see [Che90]).
Temporal Logic (or Tense Logic) arises from the seminal studies made by Arthur Prior around 1960 (for a survey see [Pri68]). The basic linguistic constructs of temporal modal logics are called modal operators (or quantifiers). In his original works Prior introduced two modal operators with intended meaning "It will at some time be the case that" and "It will always be the case that" (usually denoted by □ and ◇).
The work of Prior opened a wide spectrum of possibilities for the modeling of time in logical systems.
From the semantic point of view, the flow of time is described as a relation among events; when described in mathematical structures the events take the name of worlds and the relation takes the name of accessibility relation. According to the context in which temporal logic is applied, several different choices are available for the formalization of the accessibility relation.
In applications of temporal logic to computer science, the accessibility relation is usually discrete (for each event there exists a set of successors of that event)


since it describes the evolution of systems that compute in steps. Another possibility is that of having a dense relation (for each pair of ordered events there always exists a third event that follows the former and precedes the latter).
Again, in computer science it is usually the case that we are interested in the description of a system starting from a given event, say the boot time of the system. Conversely we could also consider a relation in which for each event there exists another event that precedes it in time.
In the former case we consider a time structure that extends infinitely into the future (it is usually unnecessary to consider an end point in time); in the latter we obtain a time structure that extends infinitely both into the past and into the future.
Another common property of discrete accessibility relations is linearity: in linear temporal logic it is assumed that each event has exactly one successor in time. Conversely, in branching time temporal logic each event may have one or more successors in time.
Also from the syntactic point of view there are a number of different systems that are generally referred to by the generic name of temporal logic. Beyond the basic modal operators denoting possibility and necessity in the future, several other modal operators have been introduced and investigated.
Notably, in discrete time temporal logic a modal operator has been introduced with the meaning "in the next time it will be the case that". Moreover, modal operators for quantification over the past and for bounded quantification have been studied.
Most of these studies follow the same methodology that has been developed for the study of modal logics. In particular most of the works present axiomatic systems, and no great investigation has been made toward other approaches.
A particularly successful logical formalism in computer science is natural deduction. Natural deduction systems were introduced in 1935 by Gerhard Gentzen [Gen69] and, starting with the study of Dag Prawitz in [Pra65], have become the object of deep investigation in logic and in computer science.
The first motivation leading to the definition of natural deduction systems is that of mirroring human reasoning in the process of developing proofs.
Instead of being defined by a set of truths assumed axiomatically, a natural deduction system is defined by a set of inference rules. Each logical constant is completely described in the system by a set of introduction and elimination rules. A formula with a given logical constant may only be introduced starting from a set of assumptions described by the introduction rules for that logical constant. Symmetrically, the only formulas that can be deduced assuming a formula with a given logical constant are specified by the elimination rules for that logical constant.
The reasons for the success of natural deduction systems in computer science are manifold.
First, with respect to Hilbert style proofs, natural deduction proofs are more easily managed by humans. This is particularly relevant in the context of logical frameworks ([Pfe96] provides an index for the subject), in which a computer program assists

the user in the development of formal proofs.
Second, natural deduction proofs have a rich syntactic structure that can be exploited to obtain (syntactically) interesting meta-theoretical results. For instance the well known normalization property of the natural deduction system for predicate logic can be used to prove the consistency of predicate logic.
Also, by means of the Curry-Howard isomorphism [How80], a deep connection has been drawn between (a class of) natural deduction systems and (a class of) calculi. Moreover the type disciplines of many calculi can be seen as an application of the Curry-Howard isomorphism to a given natural deduction system. Conversely, in many cases, calculi can be seen as (computational) interpretations of logical systems defined by a natural deduction system.
In the area of temporal logic (and more generally in modal logic) natural deduction systems have been mostly neglected. The first attempt to devise a natural deduction system for modal logic was made by Prawitz in [Pra65].
In his work Prawitz introduced three natural deduction systems for the modal logics S4 and S5 (for the sake of discussion we will refer here only to the first). S4 is a modal logic with a reflexive, transitive accessibility relation and with modal operators □ for necessity and ◇ for possibility.
The peculiar rules of his systems are the introduction rules for □; these are translations of the axiomatic inference rule of necessitation (if a formula is a theorem, so is the formula obtained by prefixing it with □). Unfortunately, the necessitation rule interacts poorly with the notion of assumption in natural deduction systems.
In the first formulation, the □ introduction rule requires: (i) a proof of the formula to be boxed; (ii) that each formula assumed in that proof has □ as its main connective. This is an almost direct translation of the necessitation rule; unfortunately the resulting system is non normalizing. In order to recover the normalization property Prawitz devised a new □ introduction rule (the third version).
In the third formulation the □ introduction rule is a complicated elaboration of the first formulation: condition (ii) is relaxed so as to require that a formula with □ as main connective is present on each path of the proof leading from the assumptions to the conclusion.
This rule is clearly non-local (it requires conditions on the structure of the whole proof, rather than on the immediate premises of the rule). Non-local rules are in general difficult to handle, and the proof techniques (rewriting) used to prove properties of natural deduction systems usually fail with non-local rules.
More importantly, the resulting system lies quite far from the intentions of natural deduction. The inference rules of the system hardly constitute the meaning of the modal operators, and the process of proving modal formulas remains quite unnatural.
Other works after that of Prawitz addressed the problem of formulating natural deduction systems for modal logic (to the best of our knowledge there are no works dealing with natural deduction systems for temporal logic).
In [Mas96] A. Masini proposes natural deduction systems for positive fragments of several modal logics (K, KT, K4, S4). His systems introduce the notion of level of


formulas so as to accommodate a more flexible treatment of assumptions. In the resulting formalisms the modal rules mimic quite closely the quantifier rules of predicate logic.
In [PW95] Pfenning and Wong present a proof system for (the intuitionistic fragment of) modal logic S4. The theoretical properties of the resulting calculus are investigated and some hints at applications of the calculus are given (notably for staged computation and binding time analysis).
In [Sim94], A. Simpson introduces a family of labelled natural deduction systems for a broad class of (intuitionistic) modal logics. The main aim of Simpson's work is the study of intuitionistic modal logic; no great attention is paid in his work to classical modal logic.
In [Vig97] and subsequently in [BMV97a] D. Basin, S. Matthews and L. Viganò study the application of Labelled Deductive Systems [Gab97] to modal logics. They study a methodology to obtain natural deduction systems for a broad class of modal logics. They also show a modular proof of correctness for the whole class of systems they introduce.
The systems of Simpson and Basin will be described in some detail in 2.2.3.
In this thesis, starting from ideas found in the works quoted above, we aim at the definition of systems of natural deduction (or better, natural systems) for temporal logics. In particular, we exploit the idea of labelled systems to obtain inference rules for temporal operators that are close to the standard rules for quantifiers in predicate logic.
We advocate the validity of the approach by considering a number of different temporal logics and establishing basic proof theoretical results for the proposed systems. In particular, following the methodology of Prawitz, we will study the normalization property and its several consequences.
We advocate the significance of the approach by considering applications of the developed proof systems. Starting from one of the investigated proof systems, we devise a term calculus with applications to the area of staged evaluation. We also show how the proposed logical systems can be encoded in a logical framework in order to obtain proof checkers for temporal logics.
The thesis, then, is roughly divided into two parts.
In Chapter 2 we give a brief and rigorous introduction to the main topics we will touch on in the thesis, namely natural deduction and temporal logics.
In Chapter 3 we start by considering a simple variant of temporal logic, which we call here Small Temporal Logic. With respect to other temporal logics, small temporal logic has the peculiarity of not needing an induction rule; this turns out to give a rather simple proof system. We give a proof system in natural deduction style and discuss the various choices leading to such a system.
In Chapter 4 we study the properties of the proof system for Small Temporal Logic. Two different versions are considered, an intuitionistic version and a classical version. Normalization is proved both for the intuitionistic version and the classical version; moreover several properties of intuitionistic predicate logic are also proved

for Small Temporal Logic, remarkably the disjunction property and the existential property.
In Chapter 5 we show how the proof system for Small Temporal Logic can be extended in order to obtain a proof system for linear temporal logic; some other variants of linear temporal logic are also considered. For each of these logics the introduction of an induction rule in the proof system will be required. We will show that such an addition spoils the normalization property of the proof system.
In order to recover some of the properties of normalizing systems for the proof systems for temporal logics, in Chapter 6 we define a new class of proof systems based on a rule with infinitely many premises (the ω-rule). We study the properties of these proof systems and how they relate to the systems based on the induction rule. A consequence of the properties of the system based on the ω-rule will be the consistency of the systems based on the induction rule.
In Chapter 7 we study an application of intuitionistic Small Temporal Logic to staged evaluation. First we define the temporal λ-calculus (an extension of the simply typed λ-calculus whose type system is based on Small Temporal Logic) and study its properties. Then we define a reduction strategy that is shown to be meaningful with respect to staged evaluation and establish correctness properties for this reduction strategy. Finally we introduce a simple programming language based on the temporal λ-calculus.
In Chapter 8 we briefly cover the aspect of proving temporal formulas. In particular we show how the proof systems defined in this thesis can be faithfully encoded in logical frameworks. We consider the dependently typed λ-calculus and show how, using standard methodologies, we can define isomorphisms between the set of temporal proofs and given subsets of λ-terms.


Chapter 2
Basic Notions and Notations
In this chapter we briefly review some basic notions that we will repeatedly use in
the sequel. This in no way makes this work self-contained but should anyway be
sufficient for the acquainted reader to fix notations. The quoted bibliography will
provide further information for each single discussed topic.

2.1 Natural Deduction

In this section we quickly recall the most important notions for natural deduction systems. For simplicity we consider natural deduction systems for propositional logic; as is common in this context, we will take "formula" as a shorthand for . For more information on the subject consult [Pra65, Gir87, Tak87, TS96].
Systems of natural deduction have been proposed by Gentzen as a natural formalization of the process carried out by a mathematician when writing rigorous proofs.
A key property of systems of natural deduction is the possibility to work under assumptions: in order to prove an implication one can assume the truth of its antecedent and prove (under such an assumption) the truth of its consequent. While the consequent is being proved the assumption is active (or open) and can be used in the deduction process. Once the deduction of the consequent is concluded, the assumption may be discharged so as to obtain a deduction of the implication that does not depend on the truth of the antecedent. Once the implication has been proved and the assumption has been discharged, the assumption becomes a closed assumption and cannot be used again in the deduction process.
Assumptions and formula occurrences. When dealing with natural deduction we must be careful to distinguish between formulas and assumptions occurring in deductions. Assumptions used in deductions are formula occurrences, so that different assumptions in a deduction can have the same shape (i.e. the same formula) but they are nevertheless distinct objects.


A rigorous formalization would require labelling each assumption in order to distinguish it from other assumptions of the same shape. For our purposes in this section we prefer to avoid such labelling and rely on the position in which the assumption occurs within deductions to distinguish among different occurrences of formulas of the same shape.
Deductions. A deduction of a formula under a set of assumption occurrences (or simply a deduction of the formula from that set) is a tree-like structure whose leaves are the open assumptions of the deduction and whose root is the conclusion of the deduction.
The set of deductions of a natural deduction system is inductively defined by means of a set of logical rules. Instead of describing a general format for logical rules, we prefer to consider a concrete example.
Definition 2.1.1 (ND system for classical propositional logic)
[Rule table not recoverable from the extracted text. It lists the axiom rule (Ax), the rule (EC), and an introduction rule (I) and an elimination rule (E) for each of the three connectives (some with variants indexed by i), written in tree style with discharged assumptions in square brackets; the connective symbols themselves are lost.]
The axiom rule (Ax) is the only rule without premises. It states that for each formula, the single node labelled with that formula is a deduction, namely the trivial deduction. This deduction has the formula as conclusion and the singleton containing that formula as its set of open assumptions.
A rule with n premises and a conclusion permits the formation of a deduction with that conclusion starting from deductions of the n premises. For instance, given two deductions concluding with the two conjuncts of a conjunction, by the conjunction introduction rule (I) we also have a deduction whose conclusion is the conjunction and whose open assumptions are the union of the open assumptions of the two given deductions.


For most rules, the set of open assumptions is the union of the sets of open assumptions of the premises. Some rules instead permit discharging a subset of the assumptions of their premises; this is depicted using square brackets on the premise of the rule. For instance consider a deduction of a formula with a given set of open assumptions, and a (possibly empty) subset of those assumptions all of the same shape. Then, using the implication introduction rule (I), we can build a new derivation whose conclusion is the implication from that shape to the formula, and whose open assumptions are the original ones minus the chosen subset. The chosen subset is the set of assumptions discharged by rule (I). Such a discharge operation is usually depicted by bracketing the discharged assumptions and labelling both the brackets and the rule occurrence with the same number.
Numbers labelling rule occurrences and assumptions (as in the previous example) are sometimes used to record the binding between closed assumptions and the rules that discharged them.
Given a set of formulas and a formula, a system of natural deduction S is said to prove that the formula is a consequence of the set if there exists a deduction in S that concludes with the formula and whose open assumptions have shapes in the set. In this case one says that the deduction is a deduction in S of the formula from the set, or, if the set is empty, that it is a proof of the formula. The natural deduction system S thus defines a consequence relation over the set of formulas, holding between a set of formulas and a formula whenever there exists in S a deduction of the formula from a subset of that set. The subscript S on the relation symbol is omitted when the system is clear from the context.
Obviously the consequence relation resulting from the proof system should coincide with the semantic entailment relation of the logic. A proof system is said to be sound when derivability of a formula from a set implies that the formula is a logical consequence of the set. Conversely it is said to be complete if the formula is derivable from the set whenever it is a logical consequence of it.
A sequent presentation. It is possible to give another presentation of natural deduction systems that makes more explicit the set of open assumptions of a deduction. In this alternative presentation, each deduction concludes with a pair whose first component is a set of formulas representing (a superset of) the open assumptions of the deduction and whose second component is a formula representing the conclusion of the deduction. The whole pair is called a sequent and is usually written with the set on the left and the formula on the right. We will rely on the context to distinguish between the sequent as a pair and the assertion that in some fixed system the formula is a consequence of the set. Finally, commas appearing in sequents are interpreted as unions, so that a set followed by a comma and a formula on the left of a sequent stands for the union of the set with the singleton of that formula.
It is easy to convince oneself that starting from the system in Definition 2.1.1 and making explicit the set of open assumptions in each rule we can mechanically derive the rules in Definition 2.1.2.


Definition 2.1.2 (Sequent style ND system for propositional logic)
[Rule table not recoverable from the extracted text. It contains the same rules as Definition 2.1.1, namely (Ax), (EC) and the (I)/(E) pairs for each connective, with every premise and conclusion now written as a sequent carrying its set of open assumptions; the connective symbols are lost.]
Some observations about logical rules. In natural deduction systems, each logical rule, except the axiom rule, is related to a logical connective and can be classified either as an introduction rule or as an elimination rule.
A generic rule with n premises and a conclusion is an introduction rule for a connective if the conclusion is obtained from the premises using that connective as main connective. The premises can be seen as minimal conditions necessary to conclude the conclusion.
Conversely, a generic rule having among its premises a formula whose main connective is the given connective, and concluding with a formula obtained from it, is an elimination rule for that connective. The conclusions of elimination rules can be seen as the maximal information that can be recovered from the premises. The premise of the rule containing the eliminated connective is called the main premise of the rule.
Since proofs in natural deduction systems have a single conclusion, each elimination rule must conclude with exactly one formula. When a connective naturally eliminates into a set of formulas (this is for instance the case of disjunction), elimination rules take a slightly different form. Instead of allowing one to conclude with formulas derived from the main premise, they discharge such formulas from the assumptions of other premises of the deduction (see for instance the disjunction elimination rule (E)); such rules are called improper rules.
In a natural deduction system each connective has one or more introduction rules and one or more elimination rules. If the system is well behaved (in a sense that will be made clear later) each elimination rule is dual to the corresponding introduction rule. This duality is manifest in the observation that each introduction/elimination pair does not change the content of the deduction. For instance the deductions 1 and 2 below can be considered essentially equal in that they conclude with the same formula starting from the same set of formulas (i.e. they prove the same sequent).
[The two deductions are not recoverable from the extracted text: deduction 1 introduces a connective with its rule (I) and immediately eliminates it with the matching rule (E); deduction 2 reaches the same conclusion from the same assumptions without that pair of steps.]
Rule pairs for which such a duality holds are said to satisfy the inversion principle.


Normal Deductions. If one is interested in the logical content of deductions, 1 and 2 above can be safely considered equivalent. In the same way such an equivalence can be extended to the whole set of deductions of propositional logic by means of equations of which 1 = 2 is an instance.
For example, in the same spirit we would like to equate a deduction that introduces an implication with (I) and immediately eliminates it with (E) against a deduction of the antecedent, with the deduction obtained by substituting the deduction of the antecedent for the assumptions discharged by (I); and likewise a deduction that introduces a disjunction with (I) from its i-th disjunct and immediately eliminates it with (E), with the i-th minor deduction of that elimination in which the deduction of the disjunct is substituted for the discharged assumptions.
[The two equations are not recoverable from the extracted text beyond the rule names (I), (E) and the index i.]
Leaving out the complex details, all we need to know is that the set of deductions can be endowed with an equivalence relation that equates any deductions differing only in the presence of introduction/elimination pairs.
It is then natural to seek a canonical form for the whole set of equivalent deductions. Going back to 1 and 2, considering that they conclude with the same formula, the former contains a useless detour. A good candidate to represent the whole class of deductions equivalent to 1 is the deduction that does not contain detours. Such a deduction is said to be a normal deduction.
Several interesting properties can usually be established for normal deductions. For instance normal deductions in the system of natural deduction for propositional logic enjoy the following.
Proposition 2.1.3 (Subformula property) If a deduction is a normal proof of a formula, then each formula occurring in the deduction is a subformula of that formula.
In virtue of the previous considerations, it is interesting to know whether each deduction in a given natural deduction system is equivalent to some normal deduction. In this case we would have, for instance, that each provable formula admits a proof (the normal proof) made up only of subformulas of the formula itself. A system in which each deduction is equivalent to a normal deduction is said to be (weakly) normalizing. A natural deduction system is said to be strongly normalizing if there exists an effective procedure that, given any deduction, computes an equivalent normal deduction.
Proposition 2.1.4 The system of propositional logic is normalizing.
The normalization procedure for a strongly normalizing natural deduction system is usually given as a set of rewrite rules over deductions. Proving strong normalization is then tantamount to proving that the reduction relation induced by the rewrite rules admits no infinitely increasing chains (for details about normalization in classical logic see [Pra65, Stå91]).
In propositional logic we have, for instance, the following reduction rule.
[The rule is not recoverable from the extracted text beyond its labels: an implication introduction (I) whose conclusion is the main premise of an implication elimination (E) is rewritten to the deduction of the consequent with the deduction of the minor premise substituted for the discharged assumptions.]
Theorem 2.1.5 (Strong normalization for the ND system Prop) The system of natural deduction for propositional calculus is strongly normalizing, i.e. for each deduction there does not exist an infinite reduction sequence starting from it.
Once strong normalization has been proved, the reduction process becomes interesting in itself as a computational process.
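As an added illustration of the notions above (this is not code from the thesis), the following Python model implements the implication fragment of Definition 2.1.1 using the numeric labels the text mentions: an assumption carries the label of the (⊃I) occurrence that discharges it, `open_assumptions` returns open occurrences as a multiset of shapes, and `normalize` applies the (⊃I)/(⊃E) detour reduction until a normal deduction is reached. The names `Assumption`, `ImpIntro`, `ImpElim`, `plug`, `step` and `has_subformula_property` are mine, as is the choice of checking the subformula property against the conclusion together with the open assumptions (Proposition 2.1.3 states it for proofs, which have none).

```python
"""Natural deduction for the implication fragment, as trees of rule applications.

Added illustration, not code from the thesis. An assumption carries the label of the
(⊃I) occurrence that discharges it (the numbering the text mentions); unlabelled means
open. Labels are assumed unique per (⊃I), which keeps the detour reduction capture-free.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Atom:
    name: str

@dataclass(frozen=True)
class Imp:                       # ante ⊃ cons
    ante: "Formula"
    cons: "Formula"

@dataclass(frozen=True)
class Assumption:                # (Ax): one formula occurrence, the trivial deduction
    shape: "Formula"
    label: int = None            # bound by the (⊃I) with this label; None = open

@dataclass(frozen=True)
class ImpIntro:                  # (⊃I): discharges the occurrences (ante, label) in body
    ante: "Formula"
    label: int
    body: "Deduction"

@dataclass(frozen=True)
class ImpElim:                   # (⊃E): main premise A ⊃ B, minor premise A
    main: "Deduction"
    minor: "Deduction"

def conclusion(d):
    """Root formula of the deduction; an ill-formed (⊃E) raises."""
    if isinstance(d, Assumption):
        return d.shape
    if isinstance(d, ImpIntro):
        return Imp(d.ante, conclusion(d.body))
    main = conclusion(d.main)
    if not isinstance(main, Imp) or main.ante != conclusion(d.minor):
        raise ValueError("(⊃E): minor premise does not match the antecedent")
    return main.cons

def open_assumptions(d, bound=frozenset()):
    """Shapes of the open leaves, one entry per occurrence (a multiset, not a set)."""
    if isinstance(d, Assumption):
        return [] if (d.shape, d.label) in bound else [d.shape]
    if isinstance(d, ImpIntro):
        return open_assumptions(d.body, bound | {(d.ante, d.label)})
    return open_assumptions(d.main, bound) + open_assumptions(d.minor, bound)

def plug(d, shape, label, repl):
    """Put a copy of `repl` in place of every occurrence discharged by (shape, label)."""
    if isinstance(d, Assumption):
        return repl if (d.shape, d.label) == (shape, label) else d
    if isinstance(d, ImpIntro):
        return ImpIntro(d.ante, d.label, plug(d.body, shape, label, repl))
    return ImpElim(plug(d.main, shape, label, repl), plug(d.minor, shape, label, repl))

def step(d):
    """One detour reduction, outermost and main premise first: (deduction, changed)."""
    if isinstance(d, ImpElim) and isinstance(d.main, ImpIntro):   # (⊃I) feeding (⊃E)
        return plug(d.main.body, d.main.ante, d.main.label, d.minor), True
    if isinstance(d, ImpIntro):
        body, changed = step(d.body)
        return ImpIntro(d.ante, d.label, body), changed
    if isinstance(d, ImpElim):
        main, changed = step(d.main)
        if changed:
            return ImpElim(main, d.minor), True
        minor, changed = step(d.minor)
        return ImpElim(d.main, minor), changed
    return d, False

def normalize(d):
    """Reduce until no detour is left; terminates by strong normalization (Theorem 2.1.5)."""
    changed = True
    while changed:
        d, changed = step(d)
    return d

def formulas(d):
    """Every formula occurring in d: the conclusions of all its subdeductions."""
    subs = [getattr(d, a) for a in ("body", "main", "minor") if hasattr(d, a)]
    return {conclusion(d)}.union(*(formulas(s) for s in subs))

def is_subformula(f, g):
    return f == g or (isinstance(g, Imp) and (is_subformula(f, g.ante) or is_subformula(f, g.cons)))

def has_subformula_property(d):
    """Proposition 2.1.3, with open assumptions allowed as subformula sources too."""
    targets = [conclusion(d)] + open_assumptions(d)
    return all(any(is_subformula(f, g) for g in targets) for f in formulas(d))

# Constructed example: K, a closed normal proof of A ⊃ (B ⊃ A), then two detours around it.
A, B = Atom("A"), Atom("B")
K = ImpIntro(A, 1, ImpIntro(B, 2, Assumption(A, 1)))
DETOUR = ImpElim(ImpElim(K, Assumption(A)), Assumption(B))   # concludes A from A and B
```

`normalize(DETOUR)` contracts both detours and leaves the trivial deduction of A, whose only open assumption is A (the assumption B disappears with the vacuous discharge, as the reduction rule in the text prescribes). `has_subformula_property` is false for `DETOUR`, which contains A ⊃ (B ⊃ A), and true for its normal form, which is the point of Proposition 2.1.3.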

2.1.1 Computational interpretation.

In order to talk about computation we need to introduce a formalism in which computations can be described, the intention being that of relating such a formalism to natural deduction. We will now introduce the λ-calculus (see [Bar91]), a formalism particularly convenient for the description of computations.
Definition 2.1.6 (Untyped λ-calculus) Given a set of variables V, the abstract syntax of the terms of the calculus (briefly λ-terms) is defined by the following grammar:
t ::= x | (λx.t) | (t t)
where we use x to range over V and t to range over the set of λ-terms.
Given a term t, the set FV(t) of free variables of t is defined inductively by the following equations:
FV(x) = {x}
FV(λx.t) = FV(t) \ {x}
FV(t1 t2) = FV(t1) ∪ FV(t2)
Variables occurring in terms that are not free are said to be bound variables; a term without free variables is said to be closed. Two terms differing only in the choice of bound variables are said to be α-equivalent. α-equivalent terms are considered equal (to be precise, terms are defined as equivalence classes with respect to α-equivalence).
Given terms t, u and a variable x, the substitution of u for x in t is defined by induction on t as
x{u/x} = u
y{u/x} = y
(λx.t){u/x} = λx.t
(λy.t){u/x} = λy.t{u/x}
(t1 t2){u/x} = t1{u/x} t2{u/x}
where x, y ∈ V and x ≠ y.

13

2.1. NATURAL DEDUCTION

Computations in the $\lambda$-calculus are represented as a process of rewriting by substitution. Roughly, if we interpret $\lambda x.t$ as the function mapping the variable
$x$ to the term $t$, and $(\lambda x.t)u$ as the application of that function to the term $u$, it is natural to see
$t\{u/x\}$ as the result of the application. Such a process of rewriting is formalized
by a reduction relation on terms, whereas the notion of result is formalized by
normal forms.
Definition 2.1.7 ($\beta$-reduction) $\beta$-reduction (here denoted by $\to_\beta$) is the minimal
relation over the set of $\lambda$-terms containing
$$(\lambda x.t)u \to_\beta t\{u/x\}$$
and closed with respect to the following compatibility conditions:
$$\frac{t \to_\beta u}{\lambda x.t \to_\beta \lambda x.u} \qquad \frac{t_1 \to_\beta t_1'}{t_1 t_2 \to_\beta t_1' t_2} \qquad \frac{t_2 \to_\beta t_2'}{t_1 t_2 \to_\beta t_1 t_2'}$$
We denote with $\twoheadrightarrow_\beta$ the reflexive and transitive closure of $\to_\beta$. A $\lambda$-term $t$ is in
normal form if there is no $\lambda$-term $u$ such that $t \to_\beta u$. A $\lambda$-term $t$ is said to
have a normal form if there exists $u$ in normal form such that $t \twoheadrightarrow_\beta u$.
One of the important properties that a computational system should guarantee
is that the evaluation of a given term does not give rise to different results. In
particular, since $\beta$-reduction is non-deterministic (there is no prescribed order on
reductions), one needs to prove that no two different normal forms can be obtained
from the same term.
The following well-known property is sufficient to show that each $\lambda$-term has at most
one normal form.
Proposition 2.1.8 (Church-Rosser Property) Given $\lambda$-terms $t$, $t_1$ and $t_2$,
if $t \twoheadrightarrow_\beta t_1$ and $t \twoheadrightarrow_\beta t_2$ then there exists $u$ such that $t_1 \twoheadrightarrow_\beta u$ and $t_2 \twoheadrightarrow_\beta u$.
Within the $\lambda$-calculus we can then define a class of terms to represent natural numbers and functions. Functions that admit a representation within the $\lambda$-calculus are said to be
$\lambda$-definable. Finally, the following theorem gives the expressive power of the $\lambda$-calculus.
Theorem 2.1.9 All general recursive functions are $\lambda$-definable.
We come back now to natural deduction systems, but, instead of considering
classical logic, we take a weaker logic (the reason for this choice will be made clear
later). We consider the fragment of intuitionistic propositional logic without .
The most rewarding (at least from this perspective) semantic definition we can
give of intuitionistic logic is due to Heyting (a discussion of Heyting semantics can
be found in [Gir89]). Heyting's idea is that the semantics of an intuitionistic
propositional formula is nothing but the set of its proofs, where a proof of:


an atomic formula is a process that is assumed to be given;
a conjunction $\alpha \wedge \beta$ is a pair of proofs, one for $\alpha$ and one for $\beta$;
a disjunction $\alpha \vee \beta$ is either a proof of $\alpha$ together with the information that $\alpha$ is the proved
sentence, or a proof of $\beta$ together with the information that $\beta$ is the proved sentence;
an implication $\alpha \to \beta$ is a function that maps each proof of $\alpha$ to a proof of $\beta$.
It is now easy to notice that the definition of deduction in Definition 2.1.1 fulfills Heyting's definition of proof. The only mismatch is in the rule for $\bot$: we
easily obtain a natural deduction proof system for intuitionistic propositional logic
by replacing rule $(\bot E_C)$ with the following:
$$\frac{\bot}{\alpha}\ (\bot E)$$
From the provability point of view it is clear that intuitionistic logic is strictly
weaker than classical logic. Consider for instance the excluded middle principle
$(\alpha \vee \neg\alpha)$. According to Heyting's semantics, a proof of $\alpha \vee \neg\alpha$ requires either a
proof of $\alpha$ or a proof of $\neg\alpha$, which is not available in general; hence, in intuitionistic logic,
the excluded middle principle is no longer valid.
On the other side, from a computational point of view, the natural deduction
system for classical logic does not enjoy the Church-Rosser property, so that the
same proof can be reduced to different normal forms.
By a change of perspective, we read Heyting's definition again as the specification of a typed calculus. The semantics of a type $\sigma$ is the set of terms inhabiting
$\sigma$, where a term whose type is:
an atomic type is some datum from a set associated to that type;
the product $\sigma \times \tau$ is a pair of terms, one of type $\sigma$ and one of type $\tau$;
the disjoint sum $\sigma + \tau$ is either a term of type $\sigma$ tagged with 0, or a term of type $\tau$
tagged with 1;
the function type $\sigma \to \tau$ is a term that, when applied to a term of type $\sigma$, results in
a term of type $\tau$.
It is now a matter of choosing a concrete syntax and formalizing the clauses above
as term formation rules to obtain the definition of a typed language. For simplicity
we will consider here only the calculus arising from the implicative fragment of the
logic (for a more general presentation see [Gir89, Hin97, TS96]).

15

2.2. MODAL AND TEMPORAL LOGICS

Definition 2.1.10 (Simply typed $\lambda$-calculus ($\lambda_\to$)) Given a set of basic types
$T_0$, the set of types $T$ of the simply typed $\lambda$-calculus is described by the following
abstract syntax:
$$T ::= \alpha \mid \sigma \to \tau$$
where $\alpha$ ranges over $T_0$ and $\sigma, \tau$ range over $T$.
Let $V$ be a given set of variables.
A variable declaration is a pair $x{:}\sigma$ with $x \in V$ and $\sigma \in T$. A typing environment (or typing context) $\Gamma$ is a set of variable declarations.
A $\lambda$-term $t$ has type $\sigma$ under typing context $\Gamma$ if there exists a derivation of $\Gamma \vdash t{:}\sigma$
built with the following rules:
$$\frac{}{\Gamma, x{:}\sigma \vdash x{:}\sigma} \qquad \frac{\Gamma, x{:}\sigma \vdash t{:}\tau}{\Gamma \vdash \lambda x.t : \sigma \to \tau} \qquad \frac{\Gamma \vdash t : \sigma \to \tau \quad \Gamma \vdash u{:}\sigma}{\Gamma \vdash tu : \tau}$$
A $\lambda$-term $t$ for which there exist a context $\Gamma$ and a type $\sigma$ such that $\Gamma \vdash t{:}\sigma$ is said to
admit type $\sigma$ in $\Gamma$. The set of $\lambda_\to$-terms is defined as the set of $\lambda$-terms that admit
a type in some context.
The following property makes it possible to inherit $\beta$-reduction within $\lambda_\to$.
Proposition 2.1.11 (Subject Reduction) For all $\lambda$-terms $t$ and $u$,
$$\Gamma \vdash t{:}\sigma \ \text{ and }\ t \to_\beta u \ \Longrightarrow\ \Gamma \vdash u{:}\sigma$$
Comparing the natural deduction system for intuitionistic propositional logic
and the definition of the simply typed $\lambda$-calculus, a strong correspondence between the two is immediately seen.
Such a correspondence can be made mathematically quite precise. It can be shown
that it is an isomorphism (the Curry-Howard isomorphism) between intuitionistic logic and the simply typed $\lambda$-calculus, matching
formulas with types,
deductions with terms,
normalization with computation.
For a description of the Curry-Howard isomorphism see also [Gir89, Bar92].
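As an added example, not code from the thesis, the definitions of this section implemented in Python: the term syntax and $\mathrm{FV}$ of Definition 2.1.6, capture-avoiding substitution, the reduction relation of Definition 2.1.7 driven in leftmost-outermost order, and the typing rules of Definition 2.1.10 in Church style (each abstraction carries the type of its bound variable, which the Curry-style presentation above leaves implicit). The tuple encoding, the names `step`, `normalize`, `typeof` and the Church-numeral helpers are this example's own choices. It exhibits both halves of the computational reading: Church-numeral addition reduces to a numeral, the self-applying term $\Omega$ reduces to itself forever, and a typed redex keeps its type across a step, as Proposition 2.1.11 states.

```python
# Added example, not code from the thesis: the untyped lambda-calculus of
# Definitions 2.1.6-2.1.7 and the simply typed calculus of Definition 2.1.10.
# Encoding (this example's own choice): ('var', x); ('lam', x, body, ann) where
# ann is the type of x or None for an untyped term; ('app', t, u).
# A type is a basic type name (a string) or ('->', sigma, tau).
import itertools

_fresh = itertools.count()

def var(x): return ('var', x)
def lam(x, body, ann=None): return ('lam', x, body, ann)
def app(t, u): return ('app', t, u)

def fv(t):
    """FV(t), the three equations of Definition 2.1.6."""
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'lam':
        return fv(t[2]) - {t[1]}
    return fv(t[1]) | fv(t[2])

def subst(t, x, u):
    """t{u/x}. A binder occurring free in u is renamed first (alpha-conversion),
    so the clause (lam y.t){u/x} = lam y.(t{u/x}) never captures variables of u."""
    if t[0] == 'var':
        return u if t[1] == x else t
    if t[0] == 'app':
        return app(subst(t[1], x, u), subst(t[2], x, u))
    _, y, body, ann = t
    if y == x:                       # x bound here: no free occurrence left
        return t
    if y in fv(u):                   # rename y to a fresh variable
        z = f"{y}_{next(_fresh)}"
        body, y = subst(body, y, var(z)), z
    return lam(y, subst(body, x, u), ann)

def step(t):
    """One beta-step at the leftmost-outermost redex; None if t is in normal
    form. Normal order reaches a normal form whenever the term has one."""
    if t[0] == 'app':
        f, a = t[1], t[2]
        if f[0] == 'lam':
            return subst(f[2], f[1], a)          # (lam x.t) u  ->  t{u/x}
        r = step(f)
        if r is not None:
            return app(r, a)
        r = step(a)
        return None if r is None else app(f, r)
    if t[0] == 'lam':
        r = step(t[2])
        return None if r is None else lam(t[1], r, t[3])
    return None

def normalize(t, fuel=10_000):
    """Reduce to normal form; fuel bounds the loop, the untyped calculus being
    non-normalizing (omega below reduces to itself forever)."""
    for _ in range(fuel):
        r = step(t)
        if r is None:
            return t
        t = r
    raise RuntimeError("no normal form reached within fuel")

def typeof(ctx, t):
    """Type of t in context ctx (dict variable -> type) by the typing rules of
    Definition 2.1.10, Church style; TypeError when no rule applies."""
    if t[0] == 'var':
        if t[1] not in ctx:
            raise TypeError(f"unbound variable {t[1]}")
        return ctx[t[1]]
    if t[0] == 'lam':
        _, x, body, ann = t
        if ann is None:
            raise TypeError("abstraction without type annotation")
        return ('->', ann, typeof({**ctx, x: ann}, body))
    ft, ut = typeof(ctx, t[1]), typeof(ctx, t[2])
    if not (isinstance(ft, tuple) and ft[0] == '->' and ft[1] == ut):
        raise TypeError(f"cannot apply {ft} to {ut}")
    return ft[2]

def church(n):
    """Church numeral: lam f. lam x. f (f (... (f x))) with n occurrences of f."""
    body = var('x')
    for _ in range(n):
        body = app(var('f'), body)
    return lam('f', lam('x', body))

def to_int(t):
    """Read a numeral in normal form back as an integer by counting the f's."""
    _, f, (_, x, body, _), _ = t
    n = 0
    while body != var(x):
        assert body[0] == 'app' and body[1] == var(f), "not a Church numeral"
        body, n = body[2], n + 1
    return n

plus = lam('m', lam('n', lam('f', lam('x',
           app(app(var('m'), var('f')), app(app(var('n'), var('f')), var('x')))))))
omega = app(lam('x', app(var('x'), var('x'))), lam('x', app(var('x'), var('x'))))
ctx = {'y': 'A'}                                    # subject reduction witness:
redex = app(lam('x', var('x'), 'A'), var('y'))      # (lam x:A. x) y  ->  y, both of type A
```

`normalize(app(app(plus, church(2)), church(3)))` reaches the numeral 5 in a handful of steps, while `normalize(omega)` exhausts its fuel because `step(omega)` returns `omega` itself; `typeof(ctx, redex)` and `typeof(ctx, step(redex))` both yield `'A'`. Typing a self-application fails, since the application rule needs an arrow type on the function side, which is why the typed fragment singled out by the Curry-Howard reading is the one in which computation is well behaved.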

2.2 Modal and Temporal Logics
Modal and temporal logics appear in many different contexts of computer science
(for a list of applications see [GHR94]). The distinctive trait of modal logics is the
notion of possibility and necessity. The true/false approach used in classical logic
is here supplemented by the notions of possibly true and necessarily true. Such notions
are expressed within the logic by means of modal operators (or quantifiers). For a
comprehensive discussion of modal logics see [Che90, HC84].


Definition 2.2.1 (The language of modal logics) Given a set $L$ of atomic formulas, the abstract syntax of modal formulas is defined as follows:
$$\mathrm{Form} ::= \alpha \mid \bot \mid (\varphi \wedge \psi) \mid (\varphi \vee \psi) \mid (\varphi \to \psi) \mid (\Box\varphi) \mid (\Diamond\varphi)$$
where $\alpha$ ranges over $L$ and $\varphi, \psi$ range over modal formulas. $\Box$ and $\Diamond$ are called the
necessity and possibility modal operators respectively.
Modal logics are interpreted within rich mathematical structures, known as
Kripke structures, where the truth value of a formula depends on the world in which
the formula is evaluated. Necessity and possibility become quantifiers over the set of
worlds: a formula is necessarily true at a world $w$ if it is true in each world deemed
possible from $w$; conversely, a formula is possibly true at a world $w$ if there exists a world
deemed possible from $w$ in which the formula evaluates to true. The notion of possible world (or reachable world) is formalized by means of a reachability relation
on this set of worlds.
Definition 2.2.2 (Kripke Frames and Structures) A Kripke frame (or modal
frame, or simply frame) is a pair $(\mathcal{W}, \mathcal{R})$ where:
$\mathcal{W}$ is a non-empty set;
$\mathcal{R}$ is a binary relation on $\mathcal{W}$;
when $\mathcal{F}$ refers to a modal frame we will also write $\mathcal{F}_\mathcal{W}$ and $\mathcal{F}_\mathcal{R}$ for its first and
second component respectively.
Given a set $L$ of atomic formulas, a Kripke structure (or modal structure) on $L$
is a triple $(\mathcal{W}, \mathcal{R}, \pi)$ where:
$(\mathcal{W}, \mathcal{R})$ is a Kripke frame;
$\pi$ is a function from $\mathcal{W}$ to the power-set of $L$, $\pi : \mathcal{W} \to 2^L$.
If $\mathcal{M}$ is a modal structure, we will write $\mathcal{M}_\mathcal{W}$, $\mathcal{M}_\mathcal{R}$ and $\mathcal{M}_\pi$ to denote its components.
One usually refers to the elements of $\mathcal{W}$ as the worlds of the structure; $\mathcal{R}$ is called
the reachability relation (or accessibility relation) and $\pi$ is called the truth assignment.
The evaluation of modal formulas is defined with respect to a Kripke structure
and a world of the structure. The interpretation of the propositional connectives
coincides with their interpretation in propositional logic; the interpretation of the modal
quantifiers depends on the reachability relation of the structure.


Definition 2.2.3 Given a modal formula $\varphi$, a modal structure $\mathcal{M} = (\mathcal{W}, \mathcal{R}, \pi)$ and a
world $w \in \mathcal{W}$, define the satisfaction relation $\models$ by induction on $\varphi$ as follows:
$$\begin{array}{lcl}
\mathcal{M}, w \models \alpha & \text{iff} & \alpha \in \pi(w), \text{ for each } \alpha \in L \\
\mathcal{M}, w \models \bot & & \text{never} \\
\mathcal{M}, w \models \varphi \wedge \psi & \text{iff} & \mathcal{M}, w \models \varphi \text{ and } \mathcal{M}, w \models \psi \\
\mathcal{M}, w \models \varphi \vee \psi & \text{iff} & \mathcal{M}, w \models \varphi \text{ or } \mathcal{M}, w \models \psi \\
\mathcal{M}, w \models \varphi \to \psi & \text{iff} & \mathcal{M}, w \not\models \varphi \text{ or } \mathcal{M}, w \models \psi \\
\mathcal{M}, w \models \Box\varphi & \text{iff} & \forall w' \in \mathcal{W}, \text{ if } w \mathcal{R} w' \text{ then } \mathcal{M}, w' \models \varphi \\
\mathcal{M}, w \models \Diamond\varphi & \text{iff} & \exists w' \in \mathcal{W} \text{ such that } w \mathcal{R} w' \text{ and } \mathcal{M}, w' \models \varphi
\end{array} \qquad (2.2.1)$$
The relation $\models$ is then extended to structures and frames as follows:
$$\mathcal{M} \models \varphi \quad\text{iff}\quad \mathcal{M}, w \models \varphi \text{ for each world } w \in \mathcal{M}_\mathcal{W}$$
$$\mathcal{F} \models \varphi \quad\text{iff}\quad \mathcal{F}, \pi \models \varphi \text{ for each truth assignment } \pi : \mathcal{F}_\mathcal{W} \to 2^L$$
where $\mathcal{F}, \pi$ denotes the structure obtained by adding the truth assignment $\pi$ to the frame $\mathcal{F}$.
In case $\mathcal{M} \models \varphi$ ($\mathcal{F} \models \varphi$) one says that $\mathcal{M}$ ($\mathcal{F}$) is a model of $\varphi$.
Finally, a modal formula $\varphi$ is said to be valid if $\mathcal{F} \models \varphi$ for each modal frame $\mathcal{F}$.
Observe that the two modal operators $\Box$ and $\Diamond$ are dual to each other: for every structure $\mathcal{M}$ and world $w$,
$\mathcal{M}, w \models \Diamond\varphi$ if and only if $\mathcal{M}, w \models \neg\Box\neg\varphi$.
Since the definition of satisfaction is parametric both in a structure and in a
world, one can define two different consequence relations, considering truth for whole
structures or truth at each world of the structure.
Definition 2.2.4 (Consequence Relations) The global consequence relation $\models_g$ is a
relation between sets of modal formulas and modal formulas defined by:
$$\Gamma \models_g \varphi \quad\text{iff}\quad \forall \mathcal{M}\ \big( (\forall x \in \mathcal{M}_\mathcal{W},\ \mathcal{M}, x \models \Gamma) \Longrightarrow (\forall x \in \mathcal{M}_\mathcal{W},\ \mathcal{M}, x \models \varphi) \big)$$
The local consequence relation $\models$ is defined by
$$\Gamma \models \varphi \quad\text{iff}\quad \forall \mathcal{M}\ \forall x \in \mathcal{M}_\mathcal{W}\ (\mathcal{M}, x \models \Gamma \Longrightarrow \mathcal{M}, x \models \varphi)$$
where $\mathcal{M}, x \models \Gamma$ means $\mathcal{M}, x \models \gamma$ for each $\gamma \in \Gamma$.
Other notions of validity result from considering restricted classes of frames.

2.2.1 Hilbert systems.
Traditionally, proof systems for modal logics are formulated as Hilbert systems; we
will start here by considering the normal modal logic K.
Definition 2.2.5 (Modal Logic K) Modal logic K is the logic defined by the following axiom schemata:
P0) any instance of a propositional tautology;
Axiom K) $\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$


and by the modus ponens and necessitation inference rules:
MP) if $\vdash \varphi$ and $\vdash \varphi \to \psi$ then $\vdash \psi$;
NEC) if $\vdash \varphi$ then $\vdash \Box\varphi$.
As usual we will use the notation $\vdash \varphi$ to indicate that the formula $\varphi$ is provable in
the system.
A definition of the modal entailment relation is beyond the purposes of this
introduction; for a complete exposition see [vB83].
The Hilbert system for modal logic K fully characterizes modal validity as defined
in Definition 2.2.3, i.e. $\models \varphi$ if and only if $\vdash \varphi$.
The name modal logics gives a broad classification distinguishing between classical
logics and logics of modalities; many different modal logics result by restricting the
class of frames of interest. Many interesting classes of frames can be characterized by
properties of the accessibility relation, and the semantic definition restricted to
such classes of frames gives rise to different modal logics. An interesting topic is raised by
the study of those reachability relation properties that have a characterization at the syntactic
level. For instance it is well known that, if we add the formula $\Box\varphi \to \varphi$ to the set of
axioms of K, we obtain a logic containing all and only the formulas valid in frames
with a reflexive reachability relation.
Definition 2.2.6 Consider a formula $P$ of the first-order language with binary
symbols $R$ and $=$. Then we say that a modal formula $\varphi$ defines property $P$ if
$$\{\mathcal{F} \mid \mathcal{F} \models \varphi\} = \{\mathcal{F} \mid \mathcal{F} \models P\}$$
where in the second set $\mathcal{F}$ is seen as a first-order structure and $\models$ is the first-order truth
relation.
For a thorough introduction to correspondence theory (the study of frame properties definable in modal logic) see [van84].
Modal logics obtained by the addition of axioms to the Hilbert system for K are
usually named by their Lemmon code. The Lemmon code is a string of the form
$KC_1 \ldots C_n$; the letters $C_1 \ldots C_n$ come from a set of standard letters, each one denoting a
different axiom. The most widely used letters, together with the first-order property
they define, are summarized in Table 2.1. For instance the modal logic whose frames
have a reflexive and transitive accessibility relation has Lemmon code KT4.
Some logics also have a historical name; notably we recall S4, which stands for
KT4, and S5, which stands for KT5.


Code | Name         | Axiom                                     | Frame property
B    | Symmetry     | $\varphi \to \Box\Diamond\varphi$         | $\forall w, w'.\ w \mathcal{R} w'$ implies $w' \mathcal{R} w$
D    | Seriality    | $\Box\varphi \to \Diamond\varphi$         | $\forall w\, \exists w'.\ w \mathcal{R} w'$
T    | Reflexivity  | $\Box\varphi \to \varphi$                 | $\forall w.\ w \mathcal{R} w$
4    | Transitivity | $\Box\varphi \to \Box\Box\varphi$         | $\forall w, w', w''.\ w \mathcal{R} w'$ and $w' \mathcal{R} w''$ implies $w \mathcal{R} w''$
5    | Euclidean    | $\Diamond\varphi \to \Box\Diamond\varphi$ | $\forall w, w', w''.\ w \mathcal{R} w'$ and $w \mathcal{R} w''$ implies $w' \mathcal{R} w''$

Table 2.1: Lemmon codes and frame properties

2.2.2 Temporal Logics.
Temporal logics naturally arise from modal logics when the accessibility relation is
used to model the flow of time (as observed in the seminal work [Pnu77]). Temporal
logics have applications in several fields of computer science (see for instance [Pnu77,
Pnu97, Eme90, Sti92]); in particular they are used in the specification of systems
whose behavior can be described by a sequence of events. Properties of interest
in these systems are notions like "always happens", "happens at the next time" and
"eventually happens".
Like modal logics, temporal logics are interpreted on Kripke frames. Several
temporal logics have been defined in the literature (for a comprehensive account see
[GHR94]), differing both in the choice of modalities and in the choice of the properties
satisfied by frames. Here we are interested in particular in a discrete time linear
temporal logic.
Definition 2.2.7 (The language of temporal logics.)
Given a set $L$ of atomic formulas, the abstract syntax of discrete time linear temporal
logic formulas (or linear temporal logic, for short) is defined as follows:
$$\mathrm{Form} ::= \alpha \mid \bot \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \varphi \to \psi \mid \#\varphi \mid \Box\varphi \mid \Diamond\varphi$$
where $\alpha$ ranges over $L$ and $\varphi, \psi$ range over the set of formulas. Formulas $\#\varphi$, $\Box\varphi$
and $\Diamond\varphi$ are usually read "next $\varphi$", "always $\varphi$" and "eventually $\varphi$".
The modal operators $\#$ and $\Box$ are used to express respectively the immediate future
(the next time instant relative to the current one) and the remote future (any time from the current one on).
The two modal operators are described at the semantic level by using two different
accessibility relations: one for $\#$ and its reflexive transitive closure for $\Box$.
Definition 2.2.8 (Semantics.) A Kripke frame $(\mathcal{W}, \mathcal{R})$ is a linear temporal frame
(or simply a temporal frame) if $\mathcal{R}$ is a linear total relation on $\mathcal{W}$, i.e.
for each $w \in \mathcal{W}$ there exists a unique $w' \in \mathcal{W}$ such that $w \mathcal{R} w'$.


A linear temporal structure (or simply temporal structure) is a triple $(\mathcal{W}, \mathcal{R}, \pi)$
such that:
$(\mathcal{W}, \mathcal{R})$ is a linear temporal frame;
$\pi$ is a truth assignment.
Given a formula $\varphi$, a temporal structure $\mathcal{M} = (\mathcal{W}, \mathcal{R}, \pi)$ and a world $w \in \mathcal{W}$, we
define the satisfaction relation by extending equation (2.2.1) with the following clauses:
$$\begin{array}{lcl}
\mathcal{M}, w \models \#\varphi & \text{iff} & \forall w' \in \mathcal{W}, \text{ if } w \mathcal{R} w' \text{ then } \mathcal{M}, w' \models \varphi \\
\mathcal{M}, w \models \Box\varphi & \text{iff} & \forall w' \in \mathcal{W}, \text{ if } w \mathcal{R}^* w' \text{ then } \mathcal{M}, w' \models \varphi \\
\mathcal{M}, w \models \Diamond\varphi & \text{iff} & \exists w' \in \mathcal{W} \text{ such that } w \mathcal{R}^* w' \text{ and } \mathcal{M}, w' \models \varphi
\end{array} \qquad (2.2.2)$$
where $\mathcal{R}^*$ is the reflexive, transitive closure of $\mathcal{R}$.
The operators $\Box$ and $\Diamond$ are again dual to each other, i.e. $\mathcal{M} \models \Diamond\varphi$
if and only if $\mathcal{M} \models \neg\Box\neg\varphi$. By definition of $\mathcal{R}^*$, the accessibility relation for $\Box$ is
reflexive and transitive, so that $\Box$ satisfies axioms T and 4, i.e. for each structure
$\mathcal{M}$, $\mathcal{M} \models \Box\varphi \to \varphi$ and $\mathcal{M} \models \Box\varphi \to \Box\Box\varphi$. Summarizing, this fragment of the logic
behaves as S4.
The next time operator $\#$, instead, is self-dual, i.e. $\mathcal{M} \models \neg\#\varphi$ if and only if
$\mathcal{M} \models \#\neg\varphi$. Moreover, by the assumption that $\mathcal{R}$ is total, we also have that $\#$
satisfies axiom D, i.e. for each $\mathcal{M}$, $\mathcal{M} \models \#\varphi \to \neg\#\neg\varphi$.
Moreover the two pairs of modal quantifiers are related by the fact that the
accessibility relation for $\#$ is contained in the accessibility relation for $\Box$: for each
structure $\mathcal{M}$, we have $\mathcal{M} \models \Box\varphi \to \#\varphi$.
It is more common to define linear temporal structures as sequences of subsets
of $L$ (see for instance [Sti92]); it is however easy to see that the two formulations are
equivalent. We chose this formulation in order to keep the definitions of the semantics
of modal and temporal logics as close as possible.
Axiomatization. Here we briefly define linear temporal logic via a Hilbert axiomatization.
Definition 2.2.9 Linear temporal logic is defined by the following axiom schemata:
P0) any instance of a propositional tautology;
T1) $\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$;
T2) $\#(\varphi \to \psi) \to (\#\varphi \to \#\psi)$;
T3) $(\#\neg\varphi \to \neg\#\varphi) \wedge (\neg\#\varphi \to \#\neg\varphi)$;
T4) $\Box\varphi \to \varphi \wedge \#\Box\varphi$;


T5) $\Box(\varphi \to \#\varphi) \to (\varphi \to \Box\varphi)$;
and the following inference rules:
MP) if $\vdash \varphi$ and $\vdash \varphi \to \psi$ then $\vdash \psi$;
NEC$_\#$) if $\vdash \varphi$ then $\vdash \#\varphi$;
NEC$_\Box$) if $\vdash \varphi$ then $\vdash \Box\varphi$.
As usual we will use the notation $\vdash \varphi$ to indicate that the formula $\varphi$ is provable in
the system.
Observe that axiom T1 corresponds to axiom K on the $\Box$ fragment of the logic,
and axiom T2 corresponds to axiom K on the $\#$ fragment of the logic. Axiom
T3 is used to impose linearity on the structure (each world has exactly one successor). Axiom T5 is also known as the
induction axiom and is used to capture the fact that the accessibility relation for the
modal operator $\Box$ is contained in the reflexive, transitive closure of the accessibility
relation for $\#$. Conversely, axiom T4 imposes the reflexivity and transitivity of the
modal operator $\Box$.

2.2.3 ND Systems for modal logics
Here we briefly sketch two approaches that have been undertaken in the representation
of modal logics within natural deduction systems. Both approaches are related to
Labelled Deductive Systems (see [Gab97]) and give rise to similar systems for modal
logic K.
Simpson's approach. The system we are going to describe is due to A. Simpson
and is presented in [Sim94].
The main focus of Simpson's work is on intuitionism within modal logics, and
the natural deduction system he proposes is aimed at studying the proof theory of
intuitionistic modal logics. The aim is foundational; quoting from [Sim94]: "we
want to provide a natural deduction system for intuitionistic modal logic in which the
standard possible world meanings of modalities can be read off from their inference
rules". Nevertheless, the technique developed for this purpose can also be used to
develop natural deduction systems for classical modal logics.
The basic idea is that if the possible world meaning has to be made explicit in the
logical rules, the worlds themselves should explicitly appear in the rules. A logical judgment of
his system takes the form $p{:}\varphi$ and is interpreted as "formula $\varphi$ holds at world $p$". Here
$p$ is a world variable (simply a symbol used in the proof system), not to be confused
with the points of Kripke structures; world variables are interpreted as generic worlds of
generic structures.
We start by considering the semantic definition of modal logic K. Once we fix
a world, the semantics of the propositional connectives coincides with the semantics of
We start by considering the semantics definition of modal logic K. Once we fix
a world, the semantics of propositional connectives coincide with the semantics of


propositional logic, and we can use the rules of Definition 2.1.1 simply by relativizing
formulas to world variables; for instance the rules for conjunction become
$$\frac{p{:}\varphi_1 \quad p{:}\varphi_2}{p{:}\varphi_1 \wedge \varphi_2}\ (\wedge I) \qquad \frac{p{:}\varphi_1 \wedge \varphi_2}{p{:}\varphi_i}\ (\wedge E)$$
From the clause for the modal connective $\Box$, we have that the truth of $\Box\varphi$ can be
established at a generic world $p$ if the truth of $\varphi$ can be established at any other
world $q$ reachable from $p$. Conversely, if $\Box\varphi$ is proved true at world $p$, and $q$
is any world reachable from $p$, then we also have that $\varphi$ is true at world $q$.
From this informal description it is clear that we need another judgment to
express the fact that the world denoted by some variable, say $q$, is accessible from
the world denoted by some other variable, say $p$. Using the notation $p\,R\,q$ to express
accessibility of $q$ from $p$, the equations for the modal operators in Definition 2.2.3 can
be syntactically rephrased in the form of natural deduction rules as follows:
$$\frac{\begin{array}{c}[p\,R\,q]\\ \vdots\\ q{:}\varphi\end{array}}{p{:}\Box\varphi}\ (\Box I)\ E(q) \qquad \frac{p\,R\,q \quad p{:}\Box\varphi}{q{:}\varphi}\ (\Box E)$$
The fact that we need to prove $q{:}\varphi$ at any possible world $q$ reachable from $p$ in order
to conclude $p{:}\Box\varphi$ is expressed in $(\Box I)$ by the eigenvariable
condition on $q$. We write $E(q)$ to denote that $q$ must be a fresh variable occurring
neither in the conclusion (i.e. such that $q \neq p$) nor in the open assumptions.
Similar considerations lead to the formulation of the rules for the introduction
and the elimination of $\Diamond$.
Definition 2.2.10 (Natural deduction system for intuitionistic K)
$$\frac{}{p{:}\varphi}\ (Ax) \qquad \frac{q{:}\bot}{p{:}\varphi}\ (\bot E)$$
$$\frac{p{:}\varphi_i}{p{:}\varphi_1 \vee \varphi_2}\ (\vee I) \qquad \frac{p{:}\varphi_1 \vee \varphi_2 \quad \begin{array}{c}[p{:}\varphi_1]\\ \vdots\\ p_0{:}\psi\end{array} \quad \begin{array}{c}[p{:}\varphi_2]\\ \vdots\\ p_0{:}\psi\end{array}}{p_0{:}\psi}\ (\vee E)$$
$$\frac{\begin{array}{c}[p{:}\varphi]\\ \vdots\\ p{:}\psi\end{array}}{p{:}\varphi \to \psi}\ (\to I) \qquad \frac{p{:}\varphi \to \psi \quad p{:}\varphi}{p{:}\psi}\ (\to E)$$
$$\frac{p{:}\varphi_1 \quad p{:}\varphi_2}{p{:}\varphi_1 \wedge \varphi_2}\ (\wedge I) \qquad \frac{p{:}\varphi_1 \wedge \varphi_2}{p{:}\varphi_i}\ (\wedge E)$$
$$\frac{\begin{array}{c}[p\,R\,q]\\ \vdots\\ q{:}\varphi\end{array}}{p{:}\Box\varphi}\ (\Box I)\ E(q) \qquad \frac{p\,R\,q \quad p{:}\Box\varphi}{q{:}\varphi}\ (\Box E)$$
$$\frac{p\,R\,q \quad q{:}\varphi}{p{:}\Diamond\varphi}\ (\Diamond I) \qquad \frac{p{:}\Diamond\varphi \quad \begin{array}{c}[p\,R\,q]\ [q{:}\varphi]\\ \vdots\\ p_0{:}\psi\end{array}}{p_0{:}\psi}\ (\Diamond E)\ E(q)$$

Other modal logics can be obtained by enriching the previous system with rules to
deal with relational judgments. Simpson studies the class of modal logics that are
first-order definable by means of a geometric theory; moreover he gives a method
to derive rules from a (logical) description of a geometric theory. For the sake of exemplification we only show here some representative rules.
$$\frac{\begin{array}{c}[p\,R\,q]\\ \vdots\\ p_0{:}\psi\end{array}}{p_0{:}\psi}\ (R_D)\ E(q) \qquad \frac{\begin{array}{c}[p\,R\,p]\\ \vdots\\ p_0{:}\psi\end{array}}{p_0{:}\psi}\ (R_T) \qquad \frac{p\,R\,q \quad q\,R\,r \quad \begin{array}{c}[p\,R\,r]\\ \vdots\\ p_0{:}\psi\end{array}}{p_0{:}\psi}\ (R_4)$$
The rules shown above are the natural deduction equivalents of axioms D, T
and 4 respectively. Some observations are in order about the choice of the format of
relational rules.
Like logical rules, relational rules may also introduce fresh variables; this is the
case, for instance, of $(R_D)$. Each relational rule is given as an indirect rule with exactly one logical judgment as main premise and some number of relational judgments
as minor premises. The conclusion of a relational rule is always a logical judgment.
Finally, each relational rule discharges one or more relational assumptions.
In this way Simpson relegates relational judgments to the role of side conditions for the applicability of rules; since relational judgments are not part of the
logic, one would indeed expect that no rule of the system concludes with a relational
judgment. Moreover, in this way, there is never the need to define a logic of relational judgments: since no relational judgment appears as the conclusion of a deduction,
there is no need to define what results from the application of a logical rule to a
relational judgment.
In the following, judgments of the form $p\,R\,q$ will also be called relational formulas
and judgments of the form $p{:}\varphi$ will also be called labelled formulas or logical formulas
when we want to distinguish them from relational formulas.
Basin-Viganò approach. The system described here is due to Basin and
Viganò and has been studied in [BMV98b, BMV98a, BMV97a, BMV97b, Vig97,
BMV96b, BMV96a].
Their work exploits labelled deductive systems so as to obtain a modular natural
deduction system representing a large class of modal logics. In the setting they define,
a natural deduction system for a given logic is obtained by plugging a (specific)
proof system for a relational theory (here called the relational proof system) into
a (parametric) natural deduction system for modal logics (here called the logical proof
system). The interface between the two proof systems is described by means of a
labelling algebra. The relational proof system deals with relational judgments of the
form $t\,R\,t'$ where $t$ and $t'$ are terms of the labelling algebra. The logical proof system
deals with judgments of the form $t{:}\varphi$ where the label $t$ is a term of the labelling
algebra and $\varphi$ is a logical formula. Relational judgments also appear as premises of
the rules of the logical proof system.


Following [BMV97a] we describe a (parametric) natural deduction system composed of a base system for modal logic K and a class of systems for Horn theories
defining different modal logics.
The base system for logic K is composed of the same rules as the system of
Simpson except for $(\bot E)$. The logics defined by these systems are classical, hence the
rule for $\bot$-elimination is the following:
$$\frac{\begin{array}{c}[p{:}\neg\varphi]\\ \vdots\\ q{:}\bot\end{array}}{p{:}\varphi}\ (\bot E_C)$$
The other important difference between the two sets of rules is in the nature of the
labels. In Simpson's work labels are simply variables, whereas in this system labels
are terms of some algebra that is specific to the relational theory considered.
The proof system for the relational theory is obtained from a Horn theory by
translating each Horn formula into a rule of the proof system. The translation is quite
straightforward and we will not describe it in detail. What matters for our purposes
is that the resulting rules take the form
$$\frac{t_1\,R\,t_1' \quad \cdots \quad t_n\,R\,t_n'}{t_0\,R\,t_0'}$$
where $t_0, \ldots, t_n$ and $t_0', \ldots, t_n'$ are terms (with variables) of the labelling algebra.
For instance the rules below correspond to axioms T, 4 and D respectively.
$$\frac{}{x\,R\,x}\ (R_T) \qquad \frac{x\,R\,y \quad y\,R\,z}{x\,R\,z}\ (R_4) \qquad \frac{}{x\,R\,f(x)}\ (R_D)$$
The rule corresponding to axiom D clearly explains the need for considering terms
and not simply variables. To assert that a generic world is reachable from a world
variable $x$, we need to conclude with a judgment of the form $x\,R\,t$ for some term $t$.
Now if we chose a variable for $t$, since relational deductions and logical deductions
are separate objects, we could not impose any global condition on such a variable. In
particular we could not impose that such a variable does not appear in some assumption
of the deduction.

Chapter 3
Small Temporal Logic
In this chapter we will introduce small temporal logic (or, for short, STL), a logic
with two modal connectives obtained by a semantic simplification of linear temporal
logic.
Two different reasons lead us to consider STL. First, the intuitionistic fragment
of STL gives rise to an interesting calculus related to staged evaluation, whose properties
will be exploited in Chapter 7. Second, the proof system for this logic will constitute
the basis of the proof system that will be developed for linear temporal logic.

3.1 Language and Semantics
Definition 3.1.1 (Language of Small Temporal Logic (STL))
Given a set $L$ of propositional variables, the language of small temporal logic is
defined by:
$$\mathrm{Form} ::= \alpha \mid \bot \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \varphi \to \psi \mid \#\varphi \mid \Diamond\varphi \mid \Box\varphi$$
where $\alpha$ ranges over $L$ and $\varphi, \psi$ range over formulas.
We will also use $\neg\varphi$ as a shorthand for $\varphi \to \bot$ and $\varphi \leftrightarrow \psi$ as a shorthand for
$(\varphi \to \psi) \wedge (\psi \to \varphi)$.
The language of small temporal logic is the same as that of linear temporal logic; the
difference is purely semantic and is introduced in order to simplify the proof system. More precisely, what we want to leave out is the induction axiom. In order to
do this we interpret formulas over frames with two distinct relations, one used as
accessibility relation for $\Box$ and one used as accessibility relation for $\#$.
Definition 3.1.2 (Birelational Frames and Structures)
A birelational frame $\mathcal{M}$ is a triple $(\mathcal{W}, \mathcal{R}, \mathcal{R}')$ where:
$(\mathcal{W}, \mathcal{R})$ and $(\mathcal{W}, \mathcal{R}')$ are Kripke frames;

26

CHAPTER 3. SMALL TEMPORAL LOGIC

$\mathcal{R}$ is a linear total relation on $\mathcal{W}$;
$\mathcal{R}'$ is reflexive and transitive;
the reflexive and transitive closure of $\mathcal{R}$ is included in $\mathcal{R}'$.
Given a set $L$ of propositional variables, a birelational structure over $L$ is a
quadruple $(\mathcal{W}, \mathcal{R}, \mathcal{R}', \pi)$ such that $(\mathcal{W}, \mathcal{R}, \mathcal{R}')$ is a birelational frame and $\pi : \mathcal{W} \to 2^L$
is a truth assignment.
Definition 3.1.3 Given a small temporal logic formula $\varphi$, a birelational structure
$\mathcal{M} = (\mathcal{W}, \mathcal{R}, \mathcal{R}', \pi)$ and an element $w$ of $\mathcal{W}$, define the satisfaction relation ($\models$)
inductively on $\varphi$ as follows:
$$\begin{array}{lcl}
\mathcal{M}, w \models \alpha & \text{iff} & \alpha \in \pi(w), \text{ for each atomic formula } \alpha \\
\mathcal{M}, w \models \bot & & \text{never} \\
\mathcal{M}, w \models \varphi \wedge \psi & \text{iff} & \mathcal{M}, w \models \varphi \text{ and } \mathcal{M}, w \models \psi \\
\mathcal{M}, w \models \varphi \vee \psi & \text{iff} & \mathcal{M}, w \models \varphi \text{ or } \mathcal{M}, w \models \psi \\
\mathcal{M}, w \models \varphi \to \psi & \text{iff} & \mathcal{M}, w \not\models \varphi \text{ or } \mathcal{M}, w \models \psi \\
\mathcal{M}, w \models \#\varphi & \text{iff} & \forall w' \in \mathcal{W}, \text{ if } w \mathcal{R} w' \text{ then } \mathcal{M}, w' \models \varphi \\
\mathcal{M}, w \models \Box\varphi & \text{iff} & \forall w' \in \mathcal{W}, \text{ if } w \mathcal{R}' w' \text{ then } \mathcal{M}, w' \models \varphi \\
\mathcal{M}, w \models \Diamond\varphi & \text{iff} & \exists w' \in \mathcal{W} \text{ such that } w \mathcal{R}' w' \text{ and } \mathcal{M}, w' \models \varphi
\end{array} \qquad (3.1.1)$$
We say that the structure $\mathcal{M}$ is a model of $\varphi$ ($\mathcal{M} \models \varphi$) if $\mathcal{M}, w \models \varphi$ holds for each $w \in \mathcal{W}$.
The usual definitions of satisfiable and valid formula follow accordingly.
A truth assignment can also be seen as a function $\pi : L \to 2^\mathcal{W}$; we will indifferently
use one or the other representation when this leads to a simpler exposition.
Observation 3.1.4 Temporal frames can be identified with the subset of birelational
frames for which the accessibility relation $\mathcal{R}'$ is the reflexive and transitive closure
of the accessibility relation $\mathcal{R}$.
For each temporal frame $\mathcal{F} = (\mathcal{W}, \mathcal{R})$ there exists a birelational frame $\mathcal{F}'$ such that for
each temporal formula $\varphi$, $\mathcal{F} \models \varphi$ if and only if $\mathcal{F}' \models \varphi$.
Indeed, denote with $\mathcal{R}^*$ the reflexive transitive closure of the relation $\mathcal{R}$ and take $\mathcal{F}' =
(\mathcal{W}, \mathcal{R}, \mathcal{R}^*)$; by definition of $\models$ for temporal and birelational frames, we immediately
have the statement.
As a corollary we have that formulas that are valid in small temporal logic are
also valid in temporal logic.
To see that small temporal logic validity and temporal logic validity do not
coincide, consider the formula $\varphi = \Box(\alpha \to \#\alpha) \to (\alpha \to \Box\alpha)$, with $\alpha$ atomic. We have that $\varphi$ is valid
in temporal logic, since it is an instance of the induction axiom schema, but it is
not valid in small temporal logic. To see this consider the birelational structure
$\mathcal{M} = (\mathcal{W}, \mathcal{R}, \mathcal{R}', \pi)$ with
$$\mathcal{W} = \{0, 1, \ldots, \omega, \omega + 1, \ldots\} \text{ (the ordinals below } \omega + \omega)$$
$$\mathcal{R} = \{(i, i + 1) \mid 0 \le i < \omega + \omega\}$$

27

3.2. AXIOMATIZATION

$$\mathcal{R}' = \{(i, j) \mid 0 \le i \le j < \omega + \omega\}$$
$$\alpha \in \pi(i) \quad\text{iff}\quad i < \omega$$
It is easily seen that $\mathcal{M}$ is a counter-model for $\varphi$: the formula $\alpha \to \#\alpha$ holds at every world (at each $i < \omega$ because $\alpha$ holds at $i + 1$, and trivially at each $i \ge \omega$ where $\alpha$ is false), so $\Box(\alpha \to \#\alpha)$ and $\alpha$ both hold at 0, whereas $\Box\alpha$ fails at 0 because $0 \mathcal{R}' \omega$ and $\alpha$ is false at $\omega$. Note that $\omega$ is $\mathcal{R}'$-reachable from 0 without being $\mathcal{R}^*$-reachable from it, which is exactly the freedom birelational frames add.
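The following is an added example, not part of the thesis: a Python model checker for finite birelational structures that implements the satisfaction clauses (3.1.1), of which the modal clauses of (2.2.1) and the temporal clauses of (2.2.2) are the special case $\mathcal{R}' = \mathcal{R}^*$, together with the frame conditions of Definition 3.1.2 and the identification of Observation 3.1.4. The tuple encoding of formulas and structures is this example's own. The counter-model it builds is constructed here and is a finite variant of the $\omega + \omega$ structure above: three worlds with $0 \to 1 \to 2 \to 2$ under $\mathcal{R}$, $\mathcal{R}'$ the total relation, and $\alpha$ true only at 1 and 2. The induction instance fails at world 1 because 0 is $\mathcal{R}'$-reachable from 1 without being $\mathcal{R}^*$-reachable, while every instance of T3, T4 and T5 holds; replacing $\mathcal{R}'$ by $\mathcal{R}^*$ restores the induction axiom.

```python
# Added example, not code from the thesis: a model checker for finite
# birelational structures (Definition 3.1.2) implementing the satisfaction
# clauses (3.1.1); the clauses (2.2.1)/(2.2.2) are the special case R' = R*.
# Encoding (this example's own choice):
#   formulas: ('atom', a), ('bot',), ('and', f, g), ('or', f, g), ('imp', f, g),
#             ('next', f), ('box', f), ('dia', f)
#   structure: (W, succ, Rp, pi) with W a list of worlds, succ a dict giving the
#             unique R-successor, Rp the set of pairs of R', pi: world -> set of atoms

def rtc(W, succ):
    """R*: reflexive transitive closure of R = {(w, succ[w]) | w in W}."""
    closure = set()
    for w in W:
        x = w
        while (w, x) not in closure:      # a finite total R eventually loops
            closure.add((w, x))
            x = succ[x]
    return closure

def is_birelational(M):
    """The three frame conditions of Definition 3.1.2."""
    W, succ, Rp, _ = M
    total = all(w in succ and succ[w] in W for w in W)
    reflexive = all((w, w) in Rp for w in W)
    transitive = all((x, z) in Rp for (x, y) in Rp for (y2, z) in Rp if y == y2)
    return total and reflexive and transitive and rtc(W, succ) <= Rp

def sat(M, w, phi):
    """M, w |= phi, by induction on phi (equation 3.1.1)."""
    W, succ, Rp, pi = M
    op = phi[0]
    if op == 'atom': return phi[1] in pi[w]
    if op == 'bot':  return False
    if op == 'and':  return sat(M, w, phi[1]) and sat(M, w, phi[2])
    if op == 'or':   return sat(M, w, phi[1]) or sat(M, w, phi[2])
    if op == 'imp':  return (not sat(M, w, phi[1])) or sat(M, w, phi[2])
    if op == 'next': return sat(M, succ[w], phi[1])       # the unique R-successor
    if op == 'box':  return all(sat(M, v, phi[1]) for (u, v) in Rp if u == w)
    if op == 'dia':  return any(sat(M, v, phi[1]) for (u, v) in Rp if u == w)
    raise ValueError(f"unknown connective {op}")

def neg(phi):
    """The shorthand of Definition 3.1.1: not phi = phi -> bot."""
    return ('imp', phi, ('bot',))

def holds(M, phi):
    """M |= phi: phi true at every world of M."""
    return all(sat(M, w, phi) for w in M[0])

def temporal_structure(W, succ, pi):
    """The birelational structure with R' = R*, i.e. a linear temporal
    structure as identified in Observation 3.1.4."""
    return (W, succ, rtc(W, succ), pi)

# Instances of the STL axioms T3, T4, T5 and of the induction axiom, over atom a.
a = ('atom', 'a')
T3 = ('and', ('imp', ('next', neg(a)), neg(('next', a))),
             ('imp', neg(('next', a)), ('next', neg(a))))
T4 = ('imp', ('box', a), ('and', a, ('box', ('box', a))))
T5 = ('imp', ('box', a), ('next', ('box', a)))
IND = ('imp', ('box', ('imp', a, ('next', a))), ('imp', a, ('box', a)))

# Constructed counter-model: R is 0 -> 1 -> 2 -> 2, R' the total relation
# (which contains R*), a true at 1 and 2 only.
W = [0, 1, 2]
succ = {0: 1, 1: 2, 2: 2}
pi = {0: set(), 1: {'a'}, 2: {'a'}}
counter = (W, succ, {(u, v) for u in W for v in W}, pi)
linear = temporal_structure(W, succ, pi)      # same R and pi, but R' = R*

if __name__ == '__main__':
    print(is_birelational(counter), holds(counter, T3), holds(counter, T4), holds(counter, T5))
    print(holds(counter, IND), holds(linear, IND))
```

`holds(counter, IND)` is false (the failure is at world 1, where $\Box(\alpha \to \#\alpha)$ and $\alpha$ hold but $\Box\alpha$ fails because of world 0), while `holds(linear, IND)` is true; both structures pass `is_birelational` and satisfy the T3, T4 and T5 instances, which is the semantic content of Proposition 3.2.2 on these two models.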

3.2 Axiomatization
A complete axiomatization for STL can easily be obtained by combining the axioms
that define the properties of the two accessibility relations.
Definition 3.2.1 (Small temporal logic axiomatization)
Small temporal logic is axiomatized by the following axiom schemata:
P0) any instance of a propositional tautology;
T1) $\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$;
T2) $\#(\varphi \to \psi) \to (\#\varphi \to \#\psi)$;
T3) $(\#\neg\varphi \to \neg\#\varphi) \wedge (\neg\#\varphi \to \#\neg\varphi)$;
T4) $\Box\varphi \to \varphi \wedge \Box\Box\varphi$;
T5) $\Box\varphi \to \#\Box\varphi$;
and the following inference rules:
MP) if $\vdash \varphi$ and $\vdash \varphi \to \psi$ then $\vdash \psi$;
NEC$_\Box$) if $\vdash \varphi$ then $\vdash \Box\varphi$;
NEC$_\#$) if $\vdash \varphi$ then $\vdash \#\varphi$.
Observe that this set of axioms is obtained from the axiomatization of linear
temporal logic by dropping the induction axiom. Indeed axioms T4 and T5 are
derivable in the axiomatization of linear temporal logic, but the induction axiom
is not derivable in the axiomatization of STL.
Proposition 3.2.2 (Soundness) If $\varphi$ is provable in the Hilbert system of Definition 3.2.1 then $\models \varphi$.
Proof. Simply observe that each axiom is valid and that the rules MP and NEC preserve validity. $\blacksquare$
The completeness of the axiomatization follows from a general result of correspondence theory based on [Lem77]. Here we will briefly sketch the argument; for
more details see [Sti92, van84].


Proposition 3.2.3 (Completeness) If $\varphi$ is a valid small temporal logic formula,
there exists a proof of $\varphi$ in the Hilbert system of Definition 3.2.1.
Proof. The proof follows a standard Henkin argument (see [HC84] for details).
Instead of proving $\models \varphi \Longrightarrow \vdash \varphi$ we prove $\nvdash \varphi \Longrightarrow \nvDash \varphi$, i.e. that for each
consistent formula $\psi$ there exist $\mathcal{M}$ and $w$ such that $\mathcal{M}, w \models \psi$ (the statement then follows by taking $\psi = \neg\varphi$, which is consistent whenever $\varphi$ is not provable).
Given such a formula $\psi$, by a standard construction, we can obtain a tuple
$\mathcal{M} = (\mathcal{W}, \mathcal{R}, \mathcal{R}', \pi)$ (called the canonical model of STL) such that:
$(\mathcal{W}, \mathcal{R}, \pi)$ is a Kripke structure;
$(\mathcal{W}, \mathcal{R}', \pi)$ is a Kripke structure;
$\mathcal{M}, w \models \psi$, for some $w \in \mathcal{W}$;
$\mathcal{M}$ satisfies every instance of axioms T3, T4 and T5.
Finally, by correspondence theory, we have
$\mathcal{M} \models$ T3 implies $\mathcal{R}$ is linear and total;
$\mathcal{M} \models$ T4 implies $\mathcal{R}'$ is reflexive and transitive;
$\mathcal{M} \models$ T5 implies $\mathcal{R} \subseteq \mathcal{R}'$, hence $\mathcal{R}^* \subseteq \mathcal{R}'$ by the previous item;
i.e. $\mathcal{M}$ is a birelational model of $\psi$. $\blacksquare$

3.3 Labelled formulas
In the following we will use judgments in the style of Simpson's and Viganò's systems.
Given a set $V$ of world variables, we have two different kinds of judgments: logical
judgments and relational judgments.
We will call logical judgments (or labelled formulas) pairs composed of a world
variable and a formula; such judgments will be written as $p{:}\varphi$. When it is
clear from the context that $\Gamma$ is a set of formulas, we will denote with $p{:}\Gamma$ the set
of labelled formulas $\{p{:}\varphi \mid \varphi \in \Gamma\}$.
We will call relational judgments, or relational formulas, triples composed of two
world variables and a relational symbol among $R$, $R'$ and $=$. Relational judgments
will be written using infix notation for the relational symbol. We will use the term
judgment to denote either relational or logical judgments.
Be careful not to confuse relational symbols with the accessibility relations of
structures. To avoid confusion we will reserve the calligraphic letters $\mathcal{R}$ and $\mathcal{R}'$ for
accessibility relations and will use the roman letters $R$, $R'$ for relational symbols.
Intuitively, labelled formulas express the truth of formulas when interpreted with respect to a given point of the structure. Relational judgments express relations among the
worlds to which world variables refer. To make these notions precise, we now define
an evaluation relation for logical and relational judgments.

29

3.4. NATURAL DEDUCTION SYSTEM NKSTL

Definition 3.3.1 Assume given a set of world variables V and a birelational frame
M = (W, R, R′, ). We define a modal environment as a function : V → W.
Given a modal environment , the evaluation relation extends to labelled formulas
as follows:
M, ⊨ p:   iff   M, (p) ⊨ 
In the same way, we extend the evaluation relation to relational judgments:
M, ⊨ p R q   iff   (p) R (q)
M, ⊨ p R′ q   iff   (p) R′ (q)
M, ⊨ p = q   iff   (p) = (q)

Finally, we extend the definition of the consequence relation to judgments as follows:
given a set G of judgments and a labelled formula p: , we take
G ⊨ p:   iff   for every M and , M, ⊨ G implies M, ⊨ p: .
We will write [p ↦ w] for the modal environment that agrees with on V \ {p}
and maps p to w.
Observation 3.3.2 From the definition it is immediately seen that the evaluation
of labelled formulas gives rise to the same notion of validity defined for unlabelled
formulas.
More formally, given a labelled formula p: and a birelational structure M =
(W, R, R′, ),
(for all w ∈ W, M, w ⊨ )   iff   (for all , M, ⊨ p: ).
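The evaluation relation of Definition 3.3.1 and the consequence relation over modal environments, run on a small finite birelational model, as an added example that is not part of the thesis; the model (three instants, R total and linear, R′ its reflexive transitive closure), the tuple encoding of formulas and all names are constructed here.

```python
"""Evaluation of labelled and relational judgments (Definition 3.3.1) on a
finite birelational model, and the consequence relation over modal
environments.  Added example, not the thesis' own code: the finite model,
the tuple encoding of formulas and all names below are constructed here."""
from itertools import product


class BirelationalModel:
    """Worlds 0 .. n-1; R is the linear and total 'next' step (the last
    world loops to itself so that every world has a successor), R' is the
    reflexive transitive closure of R, and V gives the atoms true at each
    world."""

    def __init__(self, n, valuation):
        self.worlds = list(range(n))
        self.R = {(w, min(w + 1, n - 1)) for w in self.worlds}
        self.Rprime = {(w, v) for w in self.worlds for v in self.worlds if v >= w}
        self.V = valuation

    def holds(self, w, phi):
        """M, w |= phi, by recursion on the formula.  Formulas are tuples:
        ("bot",), ("atom", a), ("not", f), ("and", f, g), ("imp", f, g),
        ("next", f) for #f, ("box", f) for box f, ("dia", f) for diamond f."""
        k = phi[0]
        if k == "bot":
            return False
        if k == "atom":
            return phi[1] in self.V.get(w, set())
        if k == "not":
            return not self.holds(w, phi[1])
        if k == "and":
            return self.holds(w, phi[1]) and self.holds(w, phi[2])
        if k == "imp":
            return (not self.holds(w, phi[1])) or self.holds(w, phi[2])
        if k == "next":  # universal reading of #: phi at every R-successor
            return all(self.holds(v, phi[1]) for (u, v) in self.R if u == w)
        if k == "box":  # phi at every R'-successor
            return all(self.holds(v, phi[1]) for (u, v) in self.Rprime if u == w)
        if k == "dia":  # phi at some R'-successor
            return any(self.holds(v, phi[1]) for (u, v) in self.Rprime if u == w)
        raise ValueError("unknown connective %r" % (k,))


def satisfies(M, rho, J):
    """M, rho |= J for a modal environment rho (world variable -> world).
    A labelled formula is ("lab", p, phi); a relational judgment is
    ("rel", p, sym, q) with sym one of "R", "R'" and "="."""
    if J[0] == "lab":
        return M.holds(rho[J[1]], J[2])
    _, p, sym, q = J
    a, b = rho[p], rho[q]
    if sym == "R":
        return (a, b) in M.R
    if sym == "R'":
        return (a, b) in M.Rprime
    return a == b


def _variables(J):
    """World variables mentioned by a judgment."""
    return {J[1], J[3]} if J[0] == "rel" else {J[1]}


def consequence(M, G, gamma, conclusion):
    """G; gamma |= conclusion on M: every modal environment (over the
    variables mentioned, ranging over the finite set of worlds) that
    satisfies all of G and gamma also satisfies the conclusion."""
    judgments = list(G) + list(gamma) + [conclusion]
    variables = sorted(set().union(*map(_variables, judgments)))
    for image in product(M.worlds, repeat=len(variables)):
        rho = dict(zip(variables, image))
        if all(satisfies(M, rho, J) for J in judgments[:-1]):
            if not satisfies(M, rho, conclusion):
                return False
    return True


def next_is_autodual(M, phi):
    """On a linear R, #phi and (not # not phi) agree at every world, which is
    why # can be read both universally and existentially (Section 3.4)."""
    universal = ("next", phi)
    existential = ("not", ("next", ("not", phi)))
    return all(M.holds(w, universal) == M.holds(w, existential) for w in M.worlds)


# Constructed sample model: three instants; a holds at 0 and 2, b at 1 and 2.
M_SAMPLE = BirelationalModel(3, {0: {"a"}, 1: {"b"}, 2: {"a", "b"}})

if __name__ == "__main__":
    b = ("atom", "b")
    # From p R q and p: #b we may conclude q: b ...
    print(consequence(M_SAMPLE, [("rel", "p", "R", "q")], [("lab", "p", ("next", b))], ("lab", "q", b)))
    # ... but not from the weaker p R' q, since q may then be p itself.
    print(consequence(M_SAMPLE, [("rel", "p", "R'", "q")], [("lab", "p", ("next", b))], ("lab", "q", b)))
```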
In the following we will need sequents of judgments. We will write G; p: for
the sequent with set of relational premises G, set of logical premises and conclusion
p: .
We will use J to range over relational and logical judgments. We will sometimes
need to replace occurrences of world variables within judgments. If J is a judgment
and p, q are world variables, we will denote by J{q/p} the judgment obtained by
substituting in J each occurrence of p with q.

3.4 Natural deduction system NKSTL

We now give a proof system in natural deduction style for the simple logic above.
We choose to follow Simpson's approach since we want to keep the system as
simple as possible, and thus we prefer to avoid introducing an algebra of
terms.
For the sake of completeness we also list the propositional rules, even though they coincide
with those of the Simpson (except for the elimination rule) and Viganò systems.

30

CHAPTER 3. SMALL TEMPORAL LOGIC

Propositional Rules. [Proof-tree figure: the introduction and elimination rule schemata for the propositional connectives, including the classical rule (EC).]
Modal Rules. [Proof-tree figure: (#I) concludes p: # from a deduction of q: discharging [p R q], with side condition E(q); (#E) concludes q: from p: # and p R q; (◇I) concludes p: ◇ from p R′ q and q: ; (◇E) concludes p0: from p: ◇ and a deduction of p0: discharging [p R′ q] and [q: ], with side condition E(q); (□I) concludes p: □ from a deduction of q: discharging [p R′ q], with side condition E(q); (□E) concludes q: from p R′ q and p: □ .]
Recall that we use the superscript E(q) on rule names to denote the fact that q must
be a fresh variable for the rule to be applicable. So in rules (#E ), (◇E) and (□I)
the world variable q can occur neither in the conclusion nor in any open assumption
of the premises.
Observe that, assuming linearity of R, the connective # becomes autodual, i.e.
# coincides with its own dual, and so # behaves both as a universal quantifier and as an existential
quantifier. Hence the following formulation would also do:
[Proof-tree figure: (#I′) concludes p: # from q: and p R q; (#E′) concludes r: from p: # and a deduction of r: discharging [p R q] and [q: ], with side condition E(q).]

Relational Rules. The system defined up to now is essentially modal logic K in
which we have two pairs of dual modalities. In order to obtain a complete axiomatization with respect to birelational frames we have to add rules encoding the properties
of the accessibility relations.


[Proof-tree figure: the equality rules (=): reflexivity (a deduction of q: discharging [p = p] yields q: ); transitivity (from p1 = p2, p3 = p2 and a deduction of q: discharging [p1 = p3], conclude q: ); substitution (from p1 = p2 and p1: conclude p2: ); congruence (from p1 = p2 and a deduction of r: discharging [J{p1/p2}], conclude r: ). Rule (RL): from q R p1, q R p2 and a deduction of p: discharging [p1 = p2], conclude p: . Rule (RD): from a deduction of p0: discharging [p R q], with side condition E(q), conclude p0: . Rule (RT): from a deduction of p0: discharging [p R′ p], conclude p0: . Rule (RI): from p R q and a deduction of p0: discharging [p R′ q], conclude p0: . Rule (R4): from p R′ q, q R′ r and a deduction of p0: discharging [p R′ r], conclude p0: .]
Some observations about the relational rules are in order. Rules (=) are used
to characterize the equality relation as an equivalence relation that behaves as a
congruence with respect to judgments. Rule (RL) characterizes linearity and permits
us to conclude q1 = q2 from the assumptions p R q1 and p R q2. Rule (RD) is the analogue
of axiom D for the accessibility relation R, whereas rules (RT) and (R4) correspond to
axioms T and 4 respectively. Finally, rule (RI) is used to characterize the relationship
between the accessibility relations R and R′.
It is interesting to note that the relational rules are mutually orthogonal. In particular, dropping rules (RL) and (=) we obtain a system for frames with a branching
structure. The resulting system remains distant from branching temporal logics,
since it lacks a notion of path. It can nevertheless be interesting as a starting point
for a simple logic with branching semantics.
Remark 3.4.1 As observed before, the modal operator # behaves both as an existential and as a universal quantifier. Even though we chose the universal formulation, the
system also yields the existential one, i.e. rules (#I′) and (#E′) are derivable in the
system, as shown by the following deductions:

[q = q ] q :
(=)
q:
[p R q] p R q
(R
)
L
q:
E(q)
p: # (#I )

[p R q]

[p R q] p: #
(#E )
q:

r:
(RD )E(q)
r:

Conversely, rules (#I) and (#E) can be derived in a system with (#I′) and (#E′)
using the following derivations:


[Proof-tree figure: derivation of (#I) by (#I′) on q: and [p R q], followed by (RD) with side condition E(q); derivation of (#E) by (=) and (RL) on [p R r], p R q, [q = r] and [r: ], followed by (#E′) on p: # with side condition E(r).]
Intuitionistic small temporal logic. In the following we will also consider the
proof system obtained from NKSTL by substituting rule (EC) with rule (E). This
new system will be called NJSTL, and we will refer to the logic generated by
NJSTL as the intuitionistic small temporal logic.
There is not yet agreement on what intuitionistic modal logics should be in
general, and in our work we will not be concerned with intuitionistic semantics.
Some evidence that NJSTL makes sense as the intuitionistic counterpart of NKSTL is given by the fact that NJSTL satisfies the following properties
(see [Sim94]):
- NJSTL is conservative over intuitionistic propositional logic;
- the addition of excluded middle yields NKSTL;
- the disjunction property holds for NJSTL (see 4.3.7);
- modal quantifiers are independent in NJSTL (see 4.3.11).
There are other reasons that lead us to consider this proof system. First, NJSTL
deductions are a relevant subset of NKSTL deductions, and for this restricted subset
there are some properties that do not hold in general. Second, NJSTL may be of
some interest when trying to recover a computational content from small temporal
logic.

3.4.1 Relational Entailment

Following Simpson's approach we avoided rules that do not conclude with a logical
formula. In particular, the relational rules that one would expect to have the shape
of introduction rules (for instance (RT)) have a rather peculiar form and discharge
assumptions instead of introducing new formulas. If we formulated the system using
sequents we would see that relational rules are always left introductions and we have
no right introductions.
This asymmetry slightly complicates matters when we come to reason about
the relational part of a deduction. If we consider the relational rules that do not
involve fresh variables (i.e. all but rule (RD)) we can give an equivalent formulation
using an approach à la Viganò. This means defining an entailment relation among
logical judgments and a proof system characterizing such a relation.


Definition 3.4.2 The relational proof system is given by the following rules (written here as "from premises infer conclusion"):
- (reflexivity rule) infer p R′ p;
- (linearity rule) from p R q and p R r infer q = r;
- (R′ introduction rule) from p R q infer p R′ q;
- (equality rule) from p = q and J infer J{q/p};
- (transitivity rule) from p R′ q and q R′ r infer p R′ r;
- (reflexivity of =) infer p = p;
- from p = q and r = q infer q = r.
Given a set of relational judgments G and a relational judgment J, we will write
G ⊢ J if there exists a deduction of J with assumptions in G.
Trivially each of the rules above corresponds to a relational rule of our proof
system and, conversely, each rule of our proof system corresponds to one of the rules
above (except for rule (RD)). Moreover, the logical rules of the NKSTL system together
with the rules above immediately define a natural deduction system à la Viganò.
With some work one could show that such a system corresponds exactly to the (RD)-free fragment of NKSTL.
We are not interested here in this alternative formulation of NKSTL. Instead,
we find it convenient to describe the relational parts of NKSTL deductions in terms of
relational entailment.
Definition 3.4.3 Let an NKSTL deduction be given and let J, J′ be occurrences of relational judgments in it.
We say that J immediately depends on J′ if J is discharged by a rule that has J′
among its premises.
We say that J depends on J′ if there exists a sequence J0, ..., Jn such that J0 =
J, Jn = J′ and for each i, Ji immediately depends on Ji+1.
Observe that the dependency relation among formula occurrences in deductions
is well founded, so it can be used as a measure in inductive arguments. Indeed, if J
depends on J′, then J′ must be used as a premise of some rule appearing below J, hence
it cannot also appear above some rule that has J as a premise.
Proposition 3.4.4 Let G and J be relational formulas such that G ⊢ J. Then for
each logical context and labelled formula p: , if there exists an NKSTL (NJSTL) deduction of G, J; p: there
exists also an NKSTL (NJSTL) deduction of G; p: .
Proof. Consider the deduction of G, J; p: and the deduction of J from G.
Proceeding by induction on the latter we build a deduction of G; p: as follows.
If the deduction of J is trivial, then J ∈ G and the former is also a deduction of G; p: .
Otherwise the deduction of J concludes with some relational rule whose premises are deductions of G ⊢ J1 and G ⊢ J2
respectively. Applying to the deduction of G, J; p: the relational rule of NKSTL corresponding to that rule we immediately
obtain a new deduction of G, J1, J2; p: . The inductive hypothesis for the deductions of J1
and J2 then yields a deduction of G; p: .
2


Proposition 3.4.5 Let a deduction of G; p: be given, and let J be a relational judgment occurring (possibly not open) in it. Moreover, let G′ be the set of relational
assumptions discharged by rules (◇E), (□I), (#I) and (RD) that occur in the deduction below J.
Then G, G′ ⊢ J.
Proof. Proceed by induction using as measure the size of the set of judgments J
depends on.
- If J is open, J ∈ G; if J is discharged by a logical rule or by rule (RD), then
J ∈ G′. In any case trivially G, G′ ⊢ J.
- If J is discharged by a relational rule with premises J1, ..., Jn, by the induction hypothesis we have G, G′ ⊢ J1, ..., G, G′ ⊢ Jn.
Now observe that the relational proof system has a rule corresponding to that relational rule,
from which J1, ..., Jn ⊢ J, so that we can conclude G, G′ ⊢ J.
2
Having defined a proof system for relational judgments allows us to state some
simple facts about the structure of such proofs. The case in which the conclusion of the proof has
the shape p R′ q is particularly interesting: in this case we can
rebuild the sequence of world variables witnessing p R′ q.
Proposition 3.4.6 Let G be a set of relational judgments and p, q world variables.
If G ⊢ p R q or G ⊢ p R′ q, there exist two sequences s0, ..., sn and e0, ..., en of
world variables such that:
- G ⊢ e0 = p and G ⊢ sn = q;
- for each i ≤ n, G ⊢ si = ei;
- for each i < n, either si R ei+1 ∈ G or si R′ ei+1 ∈ G.
Proof. We proceed by induction on a deduction of G ⊢ J:
- if J is obtained by an application of the reflexivity rule we take n = 0 and the
trivial sequences p and q;
- if J is obtained by an application of the R′ introduction rule with premise
p R q, we apply the induction hypothesis to obtain the sequences;
- if J is obtained by an application of the equality rule with premise J′ =
J{p′/p} (J′ = J{q′/q}), we apply the induction hypothesis to J′ to obtain a new pair of
sequences s0, ..., sn and e0, ..., en. Since one of the premises of the equality
rule must be p = p′ (q = q′), by transitivity of equality the sequences
s0, ..., sn and e0, ..., en satisfy the requirements;


- if J = p R′ q is obtained by an application of the transitivity rule with premises
p R′ r and r R′ q, the induction hypothesis gives us two pairs of sequences:
s0, ..., sh = r and p = e0, ..., eh (for p R′ r);
s′0, ..., s′k = q and r = e′0, ..., e′k (for r R′ q).
Now, since by transitivity of equality s′0 = eh, the new pair of sequences
s0, ..., sh−1, s′0, ..., s′k and e0, ..., eh, s′1, ..., s′k satisfies the requirements.
2
Now, transposing the previous fact to NKSTL and NJSTL, we have:
Corollary 3.4.7 Let a deduction of G; p0: be given and let J be a relational judgment
of shape p R′ q occurring not open in it. Moreover, let G′ be the set of relational
assumptions discharged by rules (◇E), (□I), (#I) and (RD) that occur in the deduction below J.
Then there exist two sequences of world variables s0, ..., sn and e0, ..., en satisfying the following:
- G, G′ ⊢ e0 = p and G, G′ ⊢ sn = q;
- for each i ≤ n, G, G′ ⊢ si = ei;
- for each i < n, one of the two judgments si R ei+1 and si R′ si+1 belongs to
G ∪ G′.
Proof. By Proposition 3.4.5 there exists a deduction of G, G′ ⊢ p R′ q, and applying
Proposition 3.4.6 we immediately have the result.
2
Definition 3.4.8 Let the deduction, G, G′ and p R′ q be as in the corollary above and let s0, ..., sn,
e0, ..., en be the two sequences whose existence it states. We will
say that p R′ q is of finite length if for each i < n, si R ei+1 ∈ G. In this case we
will also say that the judgment p R′ q is of length n.
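The relational proof system of Definition 3.4.2 computed as a closure over a finite set of relational judgments, together with the witness sequences of Proposition 3.4.6 and the length of Definition 3.4.8, as an added example that is not part of the thesis; the triple encoding of judgments, the rule names and the sample set G are constructed here.

```python
"""Relational entailment (Definition 3.4.2) as a closure over a finite set
of relational judgments, with the witness sequences of Proposition 3.4.6
and the length of Definition 3.4.8.  Added example, not the thesis' own
code: the encoding of a judgment as a triple (p, sym, q) with sym in
{"R", "R'", "="} and the sample set G_SAMPLE are constructed here."""
from collections import deque


def _subst(x, p, q):
    """The variable x with p replaced by q (the {q/p} substitution)."""
    return q if x == p else x


def close(G):
    """Smallest set containing G and closed under the rules of
    Definition 3.4.2: reflexivity of R' and =, R' introduction, linearity,
    transitivity of R', the last equality rule (p = q, r = q |- q = r) and
    the substitution rule (p = q, J |- J{q/p})."""
    variables = {v for (p, _, q) in G for v in (p, q)}
    S = set(G) | {(v, "R'", v) for v in variables} | {(v, "=", v) for v in variables}
    while True:
        new = set()
        for (p, s1, q) in S:
            if s1 == "R":
                new.add((p, "R'", q))                         # R' introduction
            for (p2, s2, r) in S:
                if s1 == "R" and s2 == "R" and p == p2:
                    new.add((q, "=", r))                       # linearity
                if s1 == "R'" and s2 == "R'" and q == p2:
                    new.add((p, "R'", r))                      # transitivity
                if s1 == "=" and s2 == "=" and q == r:
                    new.add((q, "=", p2))                      # p = q, r = q |- q = r
                if s1 == "=":
                    new.add((_subst(p2, p, q), s2, _subst(r, p, q)))  # J{q/p}
        if new <= S:
            return S
        S |= new


def entails(G, J):
    """G |- J: J has a deduction with assumptions in G."""
    return J in close(G)


def witness(G, p, q):
    """For G |- p R' q, the pairs (s_0, e_0), ..., (s_n, e_n) of
    Proposition 3.4.6: e_0 = p and s_n = q (modulo G-provable equality),
    s_i = e_i for every i, and each step s_i R e_{i+1} or s_i R' e_{i+1}
    is a judgment of G itself.  Found by breadth-first search over the R
    and R' judgments of G, moving between provably equal variables for free.
    Returns None when G does not entail p R' q."""
    S = close(G)
    if (p, "R'", q) not in S:
        return None
    eq = lambda a, b: (a, "=", b) in S
    edges = sorted((s, e) for (s, sym, e) in G if sym in ("R", "R'"))
    queue, seen = deque([(p, [])]), {p}
    while queue:
        e, pairs = queue.popleft()   # e is the current e_i; pairs are (s_j, e_j), j < i
        if eq(q, e):
            return pairs + [(q, e)]
        for (s, e2) in edges:
            if eq(s, e) and e2 not in seen:
                seen.add(e2)
                queue.append((e2, pairs + [(s, e)]))
    return None


def is_witness(G, p, q, pairs):
    """Check the three conditions of Proposition 3.4.6 on a candidate list."""
    S = close(G)
    eq = lambda a, b: (a, "=", b) in S
    s, e = [x for x, _ in pairs], [y for _, y in pairs]
    ends = eq(e[0], p) and eq(s[-1], q) and all(eq(a, b) for a, b in pairs)
    steps = all((s[i], "R", e[i + 1]) in G or (s[i], "R'", e[i + 1]) in G
                for i in range(len(pairs) - 1))
    return ends and steps


def length(G, p, q):
    """Definition 3.4.8: n when p R' q is of finite length (every step of
    the witness is an R judgment of G), otherwise None."""
    pairs = witness(G, p, q)
    if pairs is None:
        return None
    s, e = [x for x, _ in pairs], [y for _, y in pairs]
    if all((s[i], "R", e[i + 1]) in G for i in range(len(pairs) - 1)):
        return len(pairs) - 1
    return None


# Constructed sample: p has the two R-successors a and b, so linearity forces
# a = b, and the R' step b R' c carries over to a by the substitution rule.
G_SAMPLE = {("p", "R", "a"), ("p", "R", "b"), ("b", "R'", "c"), ("c", "R", "d")}

if __name__ == "__main__":
    print(sorted(close(G_SAMPLE)))
    print(witness(G_SAMPLE, "p", "d"))  # [('p','p'), ('b','a'), ('c','c'), ('d','d')]
    print(length(G_SAMPLE, "p", "d"))   # None: the step b R' c is not an R judgment
```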
Finally we consider how the renaming of world variables affects NKSTL (NJSTL)
deductions.
Given any function f: V → V, trivially we can extend f to labelled formulas and
relational formulas as follows:
f(p R q) = f(p) R f(q),   f(p R′ q) = f(p) R′ f(q),   f(p = q) = (f(p) = f(q)),   f(p: ) = f(p): .
Consequently f naturally extends also to logical and relational contexts, via ∪:
f(p: , ) = {f(p: )} ∪ f(),   f({J} ∪ G) = {f(J)} ∪ f(G).
The following statement permits us to extend f also to NKSTL (NJSTL) deductions.


Proposition 3.4.9 Let f be a function on the set of world variables V; then
G; p:   implies   f(G); f() f(p): .
Moreover, the deduction of f(G); f() f(p): is obtained by renaming the world
variables occurring in the deduction of G; p: .
Proof. Proceeding by induction on a derivation of G; p: , build a derivation
of f(G); f() f(p): . Here we consider only the case in which the derivation ends with an application of (#I) with side condition E(q), discharging [p R q] from a deduction of G, p R q; q: and concluding p: # .
Let r be a world variable different from f(p) and occurring neither in f(G) nor in
f(), and let g = f[q ↦ r] be the function that agrees with f on V \ {q} and maps q to
r. By the inductive hypothesis there exists a deduction of g(G), g(p R q); g() g(q: ),
and, by the choice of r, applying rule (#I) to it we also obtain a deduction of
g(G); g() g(p: # ). Again, by the choice of r and g, this is also a deduction of
f(G); f() f(p): # .
2
Corollary 3.4.10 If G; p: and p occurs neither in G nor in , then
G; q: for any world variable q.
Proof. Simply apply Proposition 3.4.9 using the function f: V → V such that f(p) = q
and f(x) = x for any other x ∈ V.
2
Observe that, if f is not injective, the sets of assumptions f() and f(G) can
be smaller than and G; consider for instance = {p: , q: } and f such that
f(p) = f(q) = p.

3.5 Soundness and Completeness

In this section we will prove the soundness and completeness of NKSTL. First we
recall the standard notion of sound rule and adapt it to our system.
Definition 3.5.1 Let () be a natural deduction rule that, given deductions of G1; 1
p1: 1, ..., Gn; n pn: n, builds a deduction of G; p: . Rule () is said to be sound
if, for each birelational structure M, from
M, ⊨ G1 and M, ⊨ 1 implies M, ⊨ p1: 1
...
M, ⊨ Gn and M, ⊨ n implies M, ⊨ pn: n
it follows that
M, ⊨ G and M, ⊨ implies M, ⊨ p: .

Proposition 3.5.2 (Soundness) If p: is derivable from , then p: is a semantic consequence of ,
for each set of labelled formulas and for each labelled formula p: .
Proof. It is sufficient to show that each rule in NKSTL is sound. We prove as an
example that rule (□I) is sound.
So we consider a birelational frame M = (W, R, R′, ) and a modal environment
such that M, ⊨ . We now have to prove that, assuming
M, ⊨ p R′ q and M, ⊨ implies M, ⊨ q: ,
we also have M, ⊨ p: □ .
Let w and w′ be elements of W such that (p) = w and w R′ w′, and take
′ = [q ↦ w′]. Clearly M, ′ ⊨ p R′ q and, from the side condition on q, also
M, ′ ⊨ . Hence, applying the hypothesis, M, ′ ⊨ q: .
Summarizing, for each w′ such that (p) R′ w′ we have M, w′ ⊨ , but this
means M, ⊨ p: □ .
2
The proof of completeness can be given by deriving each axiom of the Hilbert system
and showing that each inference rule is eliminable.
Lemma 3.5.3 If p: is derivable then so are p: # and p: □ .
Proof. Given a proof of p: and a world variable q not occurring in it, by
Corollary 3.4.10 the renaming {q/p} of that proof is a proof of q: ; applying (#I) and (□I)
to it yields proofs of p: # and p: □ respectively.
2
Lemma 3.5.4 Each axiom of the Hilbert system is derivable in NKSTL.
Proof. We only give as an example a derivation of axiom K:
[Proof-tree figure: from [p R q] and [p: #( )] by (#E), and from [p R q] and [p: # ] by (#E), obtain q: and q: ; by (E) obtain q: ; by (#I) (discharging p R q) obtain p: # ; by two applications of (I) obtain p: #( ) # # .]
2


Proposition 3.5.5 (Completeness) If p: is a semantic consequence of , then p: is derivable from ,
for each set of labelled formulas and for each labelled formula p: .
Proof. Follows immediately from the completeness of the Hilbert system and from
Lemmata 3.5.3 and 3.5.4.
2

3.6 A natural deduction system without equality for STL

In this section we want to describe a variant of the natural deduction system for
small temporal logic that does not use judgments for equality.
Consider the following introduction/elimination rules for #:
[Proof-tree figure: (#I′) concludes p: # from p R q and q: ; (#E) concludes q: from p R q and p: # .]
Using rule (#I′) together with (RD) we can derive the linearity axiom:
[Proof-tree figure: derivation of the linearity axiom using (#I′) on [p R q] and [q: ], (E) against [p: # ], (I), (#I′), (RD) and (I).]
Whereas using rule (#E ) and again rule (RD ) we obtain a proof of axiom D:
[Proof-tree figure: derivation of axiom D using (#E) twice on [p R q], [p: # ] and [p: # ], (E), (I), (RD) and (I).]
Clearly, axioms T2 and T4 can also be proved using rules (#I′) and (#E) with
deductions that do not contain equality judgments. This suggests a simplification of
the system defined above.
Definition 3.6.1 The system NKSTLI is obtained from the system NKSTL by removing rules (=) and (RL) and substituting rule (#I) with (#I′).
The resulting system is easily seen to be sound and complete with respect to
birelational temporal frames.


Proposition 3.6.2 (Soundness) If p: is derivable from in NKSTLI, then p: is a semantic consequence of ,
for each set of labelled formulas and for each labelled formula p: .
Proof. Follows easily from the soundness of NKSTL and from the fact that (#I′) is
derivable in NKSTL.
2
Proposition 3.6.3 (Completeness) If p: is a semantic consequence of , then p: is derivable from in NKSTLI,
for each set of labelled formulas and for each labelled formula p: .
Proof. Follows easily from the completeness of NKSTL and from the fact that (#I) can be derived
from (#I′) and (RD).
2
Even though NKSTLI also gives rise to a complete system, we immediately face a
problem when trying to normalize, for instance, a proof of p R p1, p R p2, p1:
p2: . Indeed it is easily seen that such a deduction would require the introduction
of # .
The problem arises from relational contexts in which two distinct world variables (here p1 and p2) are successors of the same relational variable (here p).
With the following definition we want to make precise the set of deductions
giving rise to the problem sketched above. Then we show that we can avoid such
complications by imposing a mild restriction on the set of relational contexts.
Definition 3.6.4 A set of relational assumptions G will be said to be linear if
- G does not contain the equality symbol;
- there are no world variables p, q1 and q2 such that p R q1 and p R q2 both belong to G.
Consider a deduction of G; p: concluding with an application of (RD). Such
an application of rule (RD) will be said to be linear if the assumption discharged by the
rule, say q R q′, is such that q R q″ ∉ G for every q″.
A deduction of G; p: will be said to be linear if G is linear and each application
of (RD) within it is linear.
Clearly, given a linear deduction, each subdeduction of it has a linear set
of open assumptions.
Proposition 3.6.5 Given a linear G, if G; p: is derivable there exists a linear deduction
of G; p: .


Proof. By induction on the deduction of G; p: , removing each non-linear
occurrence of (RD).
The only non-trivial case to consider is the one in which the deduction concludes with
a non-linear application of (RD). Then we have a deduction of G, q R q′; p:
with q R q″ ∈ G. Consider now the function f on V that is the identity on V \ {q′}
and maps q′ to q″.
By Proposition 3.4.9 we also have a deduction of f(G), f(q R q′); f()
f(p): , but, from the side conditions on (RD), this is a deduction of G; p: .
Now, this deduction has the same size as the original one, so the statement follows by the inductive hypothesis.
2
As a consequence of the previous proposition we obtain a complete proof system
also if we restrict (RD ) to linear applications only. It could be shown that the
resulting system is normalizing.

Chapter 4 Small temporal logic normalization
In this chapter we study the properties related to normalization within the systems
NKSTL and NJSTL. The emphasis is on weak normalization and properties of
normal deductions.

4.1 Reduction Rules
4.1.1 Relational Reductions

The relational rules will not play a fundamental part in reduction; we can consider
them as indirect rules that do not discharge logical judgments. We can easily see
that each relational rule commutes with the other rules following the schema
[Proof-tree figure: a relational rule (R) applied to J1 ... Jm and to a deduction of p: discharging [J], whose conclusion p: is the main premise of an elimination rule (r) with further premises J′1 ... J′n and conclusion q: , reduces to the deduction in which (r) is applied first, above (R), and (R) is applied to J1 ... Jm and to the deduction of q: discharging [J].]
where (R) is a relational rule, (r) is an elimination rule with main premise p:
and J is the judgment discharged by the relational rule. To see that the reduction
given above makes sense it is sufficient to observe that no elimination rule discharges
assumptions on its main premise, so in this case J1 ... Jm cannot be discharged by
(r).
The only exception to the pattern above is given by the equality rules, for which
we have the following permutative reductions:
[Proof-tree figure: the permutative reductions for the substitution rule (=) followed by an elimination rule. For (E): (=) on p1 = p2 and p1: followed by (E) reduces to (E) applied first, then (=). For (#E): (=) on p1 = p2 and p1: # followed by (#E) on p2 R q reduces to (#E) on p1: # and p1 R q, the latter obtained by (=) from p1 = p2 and p2 R q. For (◇E): (=) on p1 = p2 and p1: ◇ followed by (◇E) discharging [p2 R′ r] and [r: ] reduces to (◇E) on p1: ◇ discharging [p1 R′ r], with [p2 R′ r] recovered by (=). For (□E): (=) on p1 = p2 and p1: □ followed by (□E) on p2 R′ q reduces to (□E) on p1: □ and p1 R′ q, the latter obtained by (=).]
4.1.2 Logical Reductions

The proper reduction rules are given by the proper reduction rules of propositional
logic plus the following:
[Proof-tree figure: the proper reductions for #, ◇ and □. An application of (#I) with side condition E(r), discharging [p R r] from a deduction of r: , immediately followed by (#E) on p R q reduces to that deduction with r renamed to q ({q/r}). An application of (◇I) on p R′ q and q: followed by (◇E) with side condition E(r), discharging [p R′ r] and [r: ] from a deduction of p0: , reduces to that deduction with r renamed to q, placed over the deductions of p R′ q and q: . An application of (□I) with side condition E(r), discharging [p R′ r] from a deduction of r: , followed by (□E) on p R′ q reduces to that deduction with r renamed to q.]
where, in the resulting deductions, some further renaming of the variables bound by
(#I), (#E), (◇E) and (RD) may be needed (see [TvD88] for a detailed explanation).
Finally we have the permutative reductions for ∨ and ◇:
[Proof-tree figure: the permutative reductions. An elimination rule () with premises J1 ... Jn applied to the conclusion q: of (◇E) (which discharges [p R′ r] and [r: ] with side condition E(r)) is moved above (◇E), into the minor deduction, so that (◇E) now concludes q0: 0. Likewise, () applied to the conclusion q: of (∨E) on p: 1 ∨ 2 (which discharges [p: 1] in one branch and [p: 2] in the other) is moved into both branches, so that (∨E) now concludes q0: 0.]
where () is any elimination rule.


We now amend the standard definitions of path, segment and thread to deal with
this augmented set of rules. For the original definitions see [Pra65].
Definition 4.1.1 Given a deduction, a sequence J1, ..., Jn of logical judgment
occurrences in it is a thread if J1 is a leaf, Ji stands above Ji+1 for each i and
Jn is the conclusion of the deduction.
Given a thread J1, ..., Jn, a subsequence Ji, ..., Ji+k is a segment if:
- Ji is not the consequence of an indirect rule;
- Ji+j is the minor premise of an indirect logical rule or a premise of a relational
rule, for each j < k;
- Ji+k is neither the minor premise of an indirect logical rule nor a premise of a relational rule.
A segment J1, ..., Jn is a maximum segment when J1 is the conclusion of an introduction rule and Jn is the major premise of an elimination rule.
Observe that the judgments Ji, ..., Ji+k in a segment have shape pi: , ..., pi+k: ,
where for some h, k it may be that ph ≠ pk; this happens when (=) occurs in
the segment.
Definition 4.1.2 Given a deduction, a sequence J1, ..., Jn of logical judgment
occurrences in it is a path if
- J1 is a leaf that is not discharged by the application of an indirect rule;
- for each i < n, Ji is:
  - either a premise of a relational or an introduction rule, and Ji+1 is the
conclusion of such a rule;
  - or the major premise of an indirect rule discharging Ji+1;
  - or a premise of a direct elimination rule concluding with Ji+1;
- Jn is either the minor premise of an (E), or the major premise of an indirect
rule that does not discharge any assumption, or the conclusion of the deduction.
Observe that each judgment occurring in some deduction occurs in some path
of that deduction.
Finally we define a notion of rank on deductions to be used as an inductive measure
in the normalization proofs.
Definition 4.1.3 The size of a formula (written | |) is the number of connectives
occurring in it. Accordingly, the size of a judgment is defined as the size of its
formula and the size of a segment as the size of any of its judgments (recall that
judgments occurring in the same segment always have the same shape).
The length of a segment (written lh( )) is the number of judgments occurring
in it.
The cut rank of a deduction (written cr( )) is defined as a pair (n, ) where:
n = max { | | : is a maximum segment in the deduction }
= Σ { lh( ) : is a maximum segment in the deduction with | | = n }
where the maximum and the sum over the empty set are taken to be 0.
Ranks will be ordered lexicographically, so that (n1, 1) <
(n2, 2) when n1 < n2, or n1 = n2 and 1 < 2. The bottom of this ordering, (0, 0),
will also be written 0.
A deduction is said to be normal if cr( ) = 0, i.e. if it has no maximum segments.
The following lemmata will be used in the normalization proofs both for the
classical case and for the intuitionistic case.
Lemma 4.1.4 Let a deduction be given that concludes with an elimination rule whose main
premise is the conclusion of a maximum segment. Assume moreover that every other
maximum segment in the deduction has size smaller than that segment. Then the reduct obtained by
reducing the deduction has a smaller cut rank.
Proof. Assume the deduction has the shape described and let a maximum segment occur
in the reduct but not in the original deduction.
If the reduct is obtained by a relational reduction or a permutative reduction, then the new segment must
be a proper subsegment of the reduced one.
If the reduct is obtained by a logical reduction, then the new segment must consist of a
subformula of the formula of the reduced segment.
Hence the cut rank of the reduct is (| |, lh( ) − 1) in the former case, and (| ′|, ′), for some
subformula ′ of the reduced formula and some ′, in the latter case.
2


Lemma 4.1.5 Let two deductions be given that share the same lower part, concluding p0: , and differ only in the subdeduction of p: placed above it (call them the first and the second deduction, with the first and the second subdeduction respectively). Assume that the cut rank of the first deduction and that of the first subdeduction both have first component n, and that | | < n. Then, if the second subdeduction has a smaller cut rank than the first subdeduction, the second deduction also has a smaller cut rank than the first deduction.
Proof. Let the cut rank of the second subdeduction be (n′, ′). If n′ = n, its second component must be smaller than that of the first subdeduction and, since | | < n, the judgment p: cannot belong to a maximum segment of size n, so the maximum segments of size n of each deduction are exactly those of its subdeduction together with those of the common lower part. Summing their lengths, the second component of the cut rank of the second deduction is strictly smaller than that of the first.
If n′ < n, either some segment of the common lower part has size n, and then the cut rank of the second deduction is (n, ·) with a second component smaller than that of the first deduction, or every segment of the common lower part has size smaller than n. In the latter case, since also each segment of the second subdeduction has size smaller than n and | | < n, we again have that the second deduction has a smaller cut rank. 2

4.2 NKSTL Normalization

Following [Pra65], in virtue of the equivalence expressing ◇ as the dual of □, we will consider the
fragment of the logic with connectives , , , #, □, so as to minimize the disturbing effect of (EC).
Observe that in the natural deduction system for classical propositional logic
the only non-trivial segments span through (E), so in the fragment without that connective we
never have segments of length greater than 1. Conversely, due to the relational rules, in
NKSTL#□ deductions we can have segments of any length.
We start by showing that, without loss of generality, we can restrict (EC) so
that it concludes with atomic formulas different from .
Proposition 4.2.1 If G; p: is derivable, there is a deduction of p: from G; in which
the consequence of every application of (EC) is a propositional variable.
Proof. Consider a deduction of G; p: , and assume that some non-atomic
formula occurs in the deduction as the conclusion of (EC). Then q: will be the
conclusion of some subdeduction with shape
[Proof-tree figure: an application of (EC) concluding q: from a deduction discharging [q: ].]


Now if = # ′ or = □ ′ we can rewrite the subdeduction as follows:
[Proof-tree figure: in the case # ′, the assumptions [q: # ′] and [q R r] give r: ′ by (#E); with [r: ′] and (E), (I) this yields q: # ′ and hence, by the original subdeduction, a conclusion to which (EC) is applied for the fresh variable r, giving r: ′; finally (#I) gives q: # ′. The case □ ′ is identical with (□E), [q R′ r] and (□I) in place of (#E), [q R r] and (#I).]
In a similar way, in case is or a formula with main connective or , we can
rewrite the subdeduction as described in [Pra65].
In any case the size of the formulas occurring as conclusions of (EC) is decreased.
Then, to obtain a deduction as in the statement, we can repeatedly apply the procedure described above.
2
Proposition 4.2.2 If G; p: is derivable in the fragment , , , #, □, there
exists a normal deduction of G; p: .
Proof. The proof proceeds along the lines of Prawitz's proof for classical
predicate logic. Let 0 be a deduction of G; p: ; in virtue of Proposition 4.2.1, we
can assume without loss of generality that each occurrence of (EC) in 0 concludes
with a propositional variable. Now we define a sequence 0, 1, ... of deductions
where i+1 is obtained from i as described below.
If we assume cr(i) = (n, ) > 0, the set of maximum segments in i is not empty.
In this case we can choose a subdeduction of i that concludes with an
elimination rule () having a maximum segment of size n as major premise,
and such that every other maximum segment occurring in this subdeduction has size smaller than n.
Let J be the last judgment of that segment. Since we assumed that each application of (EC) has an atomic conclusion, J cannot be introduced via (EC), so the
only possibility is that J is the conclusion of an indirect rule, of a relational rule
or of an introduction rule. In any case, apply to the chosen subdeduction one of the reductions defined in
Section 4.1 to obtain its reduct. Observe that again in the reduct each occurrence
of (EC) concludes with a propositional variable. Finally take i+1 as the deduction
obtained by replacing the chosen subdeduction with its reduct in i.
Obviously each i is a deduction of p: ; moreover from Lemma 4.1.4 we
know that the reduct has a smaller cut rank than the chosen subdeduction, and from Lemma 4.1.5 we also know cr(i+1) < cr(i). Hence
the sequence must terminate with a deduction n of rank 0.
2
The importance of normal proofs rests on the fact that normal deductions have
a rigid structure. Properties of normal deductions are obtained by exploiting their
structure. The following lemma establishes the structure of normal deductions.
Lemma 4.2.3 Let a normal deduction be given and let = 1, ..., n be a path in it.
Then there is a segment i (the minimum segment in ) such that:
- each j with j < i is the major premise of an elimination rule and the formula in
j+1 is a subformula of the formula occurring in j;
- either i = n, or i is a premise of an introduction rule, or i is a premise of (EC);
- each j with i < j < n is a premise of an introduction rule and the formula
occurring in j is a subformula of the formula occurring in j+1.
Proof. Since the deduction is normal, no j is a maximum segment, so each elimination rule
must precede each introduction rule along . Observe moreover that the only place
in which (EC) may occur is below the minimum formula, as otherwise we would have an
application of (EC) that does not conclude with a propositional variable.
2
In normal deductions we can assign a natural number to each path of the derivation, called its order.
Definition 4.2.4 Given a normal deduction and a path in it, we will say that
the order of the path is
- 0, if the last judgment of the path is the conclusion of the deduction;
- n + 1, if the last judgment of the path is the minor premise of an (E) rule whose
major premise belongs to a path of order n.
A path of order 0 will also be called a main path.
Observe that in normal deductions no path concludes on the major premise of
an indirect elimination rule, hence orders are defined for each path.
The following are standard consequences of normalization.
Corollary 4.2.5 (Consistency) The system NKSTL is consistent, i.e. it cannot
prove .
Proof. Assuming by contradiction the existence of a proof of , from Proposition 4.2.2 we also have a normal proof of it. Consider the main path of this proof: since
there is no introduction rule for , the introduction part of the path must be empty, but
can neither be the conclusion of an elimination rule, since we have no assumptions
to eliminate.
2
Corollary 4.2.6 (Subformula property) Given a normal deduction of G;
p: , each formula occurring in it is either a subformula of some formula in ∪ { }
or a subformula of a formula discharged by an application of (EC).
Proof. This is an immediate consequence of Lemma 4.2.3 for paths of order 0. Assuming the statement true for each formula occurring in paths of order n, we have in
particular the statement for the formulas that are conclusions of paths of order
n + 1 (since they are subformulas of some formula in a path of order n). Applying again
Lemma 4.2.3, we obtain the statement for each formula belonging to paths of order
n + 1.
2
CHAPTER 4. SMALL TEMPORAL LOGIC NORMALIZATION
Corollary 4.2.7 (Separation Theorem) The only rules applied in a normal deduction of p: are relational rules and logical rules for connectives occurring in
formulas of and .
Proof. Follows immediately from Corollary 4.2.6.
4.3 NJSTL Normalization
We now study the normalization for the intuitionistic system NJSTL.
Proposition 4.3.1 If G; p: there exists a normal deduction of G; p: .
Proof. As in the proof of normalization for NKSTL, we start with a deduction 0
and build a sequence of deductions 0 , 1 , . . . where each i+1 is obtained from i
by means of reductions (in this case we will also need reductions for , and 3).
Applying Lemma 4.1.4 and Lemma 4.1.5 we have cr(i ) > cr(i+1 ), hence
the sequence must end with a normal deduction.
2
Lemma 4.3.2 Let be a normal deduction and let = 1 , . . . , n be a path in .
Then there is a segment i (the minimum segment in ) such that:
each j with j < i is major premise of an elimination rule and the formula in
j+1 is a subformula of the formula occurring in j ;
either i = n or i is premise of an introduction rule or i is premise of (E );
each j with n > j > i is premise of an introduction rule and the formula
occurring in j is a subformula of the formula occurring in j+1 .
Proof. Immediate, since does not contain maximum segments.
Corollary 4.3.3 (Subformula property) Every formula occurring in a normal deduction of G; p: is a subformula of some formula occurring in G; {p: }.
Proof. Proceed by induction on the order of paths, applying Lemma 4.3.2.
Corollary 4.3.4 (Separation Theorem) The only rules applied in a normal deduction of G; p: are relational rules and logical rules for connectives occurring
in formulas of and .
Proof. Consequence of the subformula property.
The properties in the rest of this section are specific to the intuitionistic version of
the system (they have no counterpart in NKSTL). In order to state them precisely
we will need the following definition.
4.3. NJSTL NORMALIZATION
Definition 4.3.5 Strictly positive contexts are defined by the following abstract
syntax:
P ::= | + | + | + | + | + | # + | 3 + | 2 +
where and + range over formulas and strictly positive contexts respectively.
Given a strictly positive context + and a formula we denote with + [] the
result of substituting for within + .
We say that is a strictly positive subformula of when there exists a strictly positive
context + such that + [] = .
Lemma 4.3.6 Let be a normal deduction of G; p: and a main path in .
Then, each formula occurring in the E-part of is a strictly positive subformula of
some formula in .
Proof. First observe that each leaf of on a main path that is not discharged by
an indirect elimination rule must belong to .
Then, for each on a main path, we have:
if is the conclusion of a relational rule, then is also the logical premise of
such rule;
if is the conclusion of a direct elimination rule that has as main premise ,
then is a strictly positive subformula of ;
if is discharged by an indirect elimination rule that has as main premise ,
then is a strictly positive subformula of .
2
Corollary 4.3.7 (Disjunction Property) Let be such that no formula in
contains a strictly positive subformula with as principal sign.
Then, if G; p: 1 2 , there exists i {1, 2} such that G; p: i .
Proof. Consider a normal deduction of G; p: 1 2 . By the assumption on
the shape of formulas in we know that no (E ) may occur in and so there is
exactly one main path in .
Consider the last segment of this path. By Lemma 4.3.2, must be either:
the conclusion of an elimination rule. But in this case, by Lemma 4.3.6, we
also have that is a strictly positive subformula of a formula in , against the
assumptions;
the conclusion of (E ). In this case we immediately also have a deduction of
G; and hence also a deduction of G; p: i ;
the conclusion of a (I ) with premise p: i for some i.
In this last case is of shape

q: i
q: 1 2 (I )
p: 1 2 ()
with () some set of relational rules. Applying the rules () to the deduction , we
obtain a deduction of i :

q: i
p: i ()
2
The following two lemmata state the analogue of the existential property in
intuitionistic small temporal logic. Informally they say that if p: 3 is provable
under a set of assumptions G; , there exists a witness world q in which can be
proved.
Corollary 4.3.8 Given G; such that:
no in contains a strictly positive subformula with 3 or as principal sign;
no relational formula in G contains R .
Then
G; p: 3 = G; p: #n for some n.
Proof. Consider a normal deduction of p: 3 . By Lemma 4.3.6 and the
assumption on the formulas occurring in , no (E ) may occur in a main path of .
Hence contains a single main path . Moreover, again by the assumption on
and by Lemma 4.3.6, the last segment in must be the conclusion of a (3I ). So will be
of the following form

[q R r] r:
(3 I )
q: 3
()
p: 3
where () is some set of relational rules discharging the assumption [q R r].
Now, apply Proposition 3.4.6 to find a pair of sequences q0 , . . . , qn , q0 , . . . , qn and
proceed by induction on n.
For n = 0, q and r are equal, so that we can prove p: ;
from qn1 R qn and qn equal to r we immediately have a proof of qn1 : #
and, applying the induction hypothesis, we also have a proof of q: #n .
2
We can relax the hypothesis on the assumptions of the deduction to obtain a
generalization of the previous statement.
Corollary 4.3.9 (Existential property) Given G; such that:
no in contains a strictly positive subformula with 3 as principal sign;
no relational formula in G contains R .
Then, if G; p: 3 , there exists a set of indexes {i1 , . . . , in } such that
G; p: #i1 p: #in .
Proof. We proceed by induction on the size of deductions of p: 3 .
Consider a normal deduction of G; p: 3 , and a main path of the
deduction (we can have more than one path if there is some occurrence of (E ) in
).
Assume first that the last segment in is not a premise of a (E ) rule. By Lemma 4.3.6,
must conclude with a (3I ) or a rule (E ). In either case the argument used to prove
Corollary 4.3.8 carries over unchanged.
Assume now that the last segment of is a premise of a (E ) rule; then must
have the following structure:
1
r: 1 2

[r: 1 ] [r: 2 ]
2
3
q: 3 q: 3
(E )
q: 3
()
p: 3

where () denotes a set of relational rules. Now, by adjoining rules R below 1 , 2
and 3 we obtain deductions
1 of G; r: 1 2 ,
2 of G; , r: 1 q: 3 and
3 of , r: 2 q: 3 .
Moreover, each one of these deductions is of size strictly smaller than the size
of , and neither 1 nor 2 contains a positive subformula with 3 as principal sign.
So we can apply the induction hypothesis to 2 and 3 to obtain G; , 1
p: #i1 #ih and G; , 2 p: #j1 #jk . Hence, by or-elimination
using 3 , we have p: #j1 #jk #i1 #ih .
2
In the classical version of the system we can build a simple deduction showing
3 2 so that each of 3 and 2 is expressible in terms of its dual. In the
intuitionistic fragment, instead, neither 3 nor 2 can be expressed in terms of the other
connectives.
Definition 4.3.10 A binary (unary) connective is said to be definable if, for all
propositional variables 1 , 2 () there exists a formula in which the connective does not
occur, such that 1 2 ( ).
Conversely, is said to be independent if no such exists.
Proposition 4.3.11 Each connective and temporal quantifier is independent in the
intuitionistic version of STL.
Proof. We will treat only the cases of 3 and 2; for the propositional connectives
we refer to [Pra65].
Assume by contradiction that there exists a formula in which the connective 3 does not
occur and such that 3 . Then there exists a proof of p: p: 3 , and
by Corollary 4.3.9, we also have p: p: #i1 p: #in .
Now, from p: 3 and p: p: #i1 p: #in , we have immediately
p: 3 p: #i1 p: #in and applying Proposition 4.3.7, p: 3 p: #k for
some k. Moreover, since p R q; q: p: 3 and p R p1 , . . . , pk1 R pk ; p: #k
pk : , we should also have a normal deduction for
p R q, p R p1 , . . . , pk1 R pk , q: pk :
which is impossible since we have no rule to apply, except for relational rules, and we
cannot prove p R q, p R p2 , . . . , pk1 R pk pk = q.
Assume by contradiction that there exists a formula not containing 2 such that
2 . Then there must be a normal proof of p R q; p: q: and by
Corollary 4.3.4 such a proof does not contain the rules (2I ) and (2E ).
Consider now a main path 1 , . . . , n in and let q1 : 1 , . . . , qn : n be the conclusions of 1 , . . . , n respectively. By Lemma 4.3.2 n can only be either the conclusion
of a (E ) or the conclusion of an elimination rule. In the first case we also have
p: , contradicting 2 . Hence we know that each i is the conclusion
of an elimination rule.
We now show that for each j, qj+1 and qj must be the same world variable. First
observe that we only derive q = r if r is equal to q (the same variable), so that the labelled
formulas in segment j are labelled with qj and in particular the first formula of j
has label qj .
Now let us consider the possible rules deriving j+1 from j . In case j+1 is the
conclusion of a propositional rule, clearly qj+1 = qj . The case that j+1 is the conclusion
of (#E ) can be excluded since we cannot derive the premise p R q. The only
remaining case is that j+1 is discharged by an application of (3E ) having as premise
j , but this too is impossible due to the side condition in (3E ). So we know that
the first formula of 1 is labelled with the world variable q. But this contradicts the fact
that the only open assumption of is p: .
2
Chapter 5
Temporal Logics
We now study a proof system obtained from NKSTL by the addition of an induction
rule on worlds. We prove the soundness and completeness of the proof system with respect
to linear temporal logic; then we show how proof systems for other temporal logics can
be obtained by changing the relational rules.
Finally we study some properties of deductions in this system and show that the
use of the induction rule leads to a failure of normalization.
5.1 Language and Semantics
To keep the presentation of linear temporal logic semantics close to small temporal
logic semantics we will use the following definition of linear temporal frames.
Definition 5.1.1 A linear frame M is a triple (W, R, R ) where:
W is a set of worlds;
R is a linear, total relation over W;
R is the reflexive and transitive closure of R.
Structures and the satisfaction relation are defined from linear frames in the
same way as for small temporal logic.
We have the following connection between small temporal logic and linear temporal
logic structures and frames.
Fact 5.1.2
Each linear temporal logic frame is also a simple temporal logic frame.
Each linear temporal logic structure is also a simple temporal structure.
The following connection between the two satisfaction relations follows immediately.
Corollary 5.1.3 For each , STL  implies LTL  .
Proof. Follows immediately from Fact 5.1.2.
5.2 Proof Systems
We will again use labelled formulas and relational judgments within our proof system; we will use the relational judgment p R q for the modalities 3 and 2 instead
of p R q.
Definition 5.2.1 (NKLTL) The proof system for Linear Temporal Logic is obtained from NKSTL by the addition of the following induction rule:
[p R p ][p R p ][p : ]
p R q

p:
p :

(RE )E(p ,p )
q:
This proof system will be denoted with NKLTL. In the same way NJLTL will
denote the proof system obtained from NJSTL by the addition of (RE ).
This is the rule that permits inductive arguments: the two premises of the rule
correspond to the base case and the inductive case respectively. In order to show,
by induction, that a formula holds in some world q reachable from p, we show that
holds in p and that each time it holds in some world p reachable from p it also holds
in the next world p .
Example 5.2.2 The induction axiom 2( # ) 2 is an example of a
formula whose proof requires the (RE ) rule.
[p R p ] p: 2( # )
(2E )
[p : ]
p : #
(E )
[p R p ]
p : #
(#E )
[p R q] p:
p :

(RE )
q:
E(q)
(2I )
p: 2
2
Proposition 5.2.3 (Soundness) NKLTL is sound with respect to LTL, i.e.
p: =  p:
for each set of formulas and for each formula .
Proof. Since NKSTL is sound with respect to STL and since each LTL structure
is also an STL structure, we only need to prove the soundness of (RE ).
So assume M = (W, R, R , ) is an LTL structure and an environment such
that M,  p R q, M,  p: and, if M,  p R p , p R p , p : , then
M,  p : .
Since R is the transitive and reflexive closure of R there exists (a possibly
empty) sequence w0 , . . . , wn W such that w0 = (p), wn = (q) and wi R wi+1 for
each i. We proceed by induction on n.
If n = 0, since w0 = (p) = (q), we immediately have M, w0  .
Assuming M, wn1  , consider = [p 7 wn1][p 7 wn ] where p and p
are fresh world variables; we then have M,  p R p , p R p , p : . Now, by the
assumption on M and , we can conclude M,  p : , and so also M,  q: .
2
Proposition 5.2.4 (Completeness)
 p: = p:
where contains only a finite set of formulas.
Proof. Since in NKSTL we derive each axiom of the STL axiomatization, it is
sufficient to give a proof of the induction schema (see Example 5.2.2) to obtain a
complete axiomatization for LTL.
2
Remark 5.2.5 Observe the proviso on the finiteness of the set of assumptions in
Proposition 5.2.4. A logic for which the implication of Proposition 5.2.4 holds only
under such a condition is usually said to be weakly complete; conversely, a logic for
which the implication holds also for infinite sets of assumptions is said to be strongly
complete.
The necessity of considering only finite sets of assumptions is related to induction.
Since we require that the relation R is the minimal reflexive and transitive relation
including R, we can enumerate all the points reachable from some starting point w
via R . On the other hand, we insist on having finite proofs, so that we cannot make use
of an infinite set of assumptions.
The standard counterexample to the strong completeness of LTL is given by the
sequent  p: 2 where = {p: #n | n < }. Obviously, since the proof system
is sound, we cannot prove p: 2 without using each of the assumptions, and this is
impossible in a finite proof.
In the following we will consider proof systems obtained from NKSTL that
capture other temporal logics.
5.2.1 Until Temporal Logic
The system we considered up to now is not the full linear time logic: what
is normally called Linear Time Logic also includes a binary modality until (written
U) with the following semantics:
M, w  U w0 R R wn such that
(5.2.1)
w = w0 and M, wn  and i < n.M, wi 
Even if this fits poorly in the setting we have set up, we can also give rules for this connective:
p: 1 p: #(1 U 2 )
p: 2
(UI )
(UI )
p: 1 U 2
p: 1 U 2
[p R p ][p : 2 ] [p R p ][p R p ][p : 1 ][p : ]
p: 1 U 2

p :
p:

p :

(UE )E(p ,p )
The system obtained from NKLTL by the addition of the rules above will be
called NKUTL.
Even if the name is improper, we will write LTL when referring to the logic with
modal operators #, 2 and 3, and UTL when referring to the logic that
also contains the modal operator U.
Proposition 5.2.6 (Soundness)
p: =  p:
for each set of UTL formulas and for each UTL formula .
Proof. By Proposition 5.2.3 it is sufficient to show the soundness of the rules for the connective Until. The two introduction rules are immediately seen to be
sound.
To show the soundness of the elimination rule consider a structure M and an environment satisfying the premises of (UE ). From M,  p: 1 U 2 and from (5.2.1)
we have worlds w0 , . . . , wn such that (p) = w0 , M, wn  2 and for all i < n
M, wi  1 . We now prove by induction on i that i n = M, wni  .
For i = 0 this amounts to proving M, wn  : consider an environment =
[p 7 wn ] for a fresh variable p . Clearly we have M,  p R p
and M,  p : 2 . Hence, applying the second premise of the rule, we also have
M,  p : , i.e. M, wn  .
Assuming M, wni  , consider an environment = [p 7 wni1 ][p 7
wni] for fresh variables p and p . By the inductive hypothesis we have M,  p : .
Hence, by applying the third premise of the rule, we obtain M,  p : , i.e.
M, wni1  .
To conclude, observe that M,  p: follows immediately from M, w0  . 2
Proposition 5.2.7 (Completeness)
 p: = p:
for each finite set of UTL formulas and for each UTL formula .
Proof. Again the proof can be given by a reduction to a well known complete axiom
system. The addition of the axioms
1 U 2 2 (1 #(1 U 2 ))
1 U 2 3 2
to an axiomatization of LTL is known to give a complete axiomatization of the logic.
As an example we consider the second axiom above:

p: 1 U 2

[p R q] [q: 2 ]
(3 I )
p : 3 2
[p R p ][p : 2 ]
()
(3 I )
[p : 3 2 ]
p : 3 2
p : 3 2

(RT )
(3 E )
p : 3 2
p : 3 2
(UE )
p: 3 2

where () are relational rules used to discharge the judgment p R q from the assumptions
p R p and p R q.
2
5.2.2 Past Tense operators
A common extension of LTL is obtained by adding modalities quantifying over the past.
Essentially two choices are possible: one is that of adding a distinguished initial point
to the structures, the other is that of having structures extending infinitely in both
directions. We will briefly discuss the system arising from the latter (simpler) choice.
For each modality of LTL we can add its mirror image, obtained by changing the direction of the quantification; so from #, 3 and 2 we obtain the modalities #- , 3- and 2- respectively, with the following semantic definition:
M, w  #-    M, w  for all w W such that w R w
M, w  2-    M, w  for all w W such that w R w
M, w  3-    M, w  for some w W such that w R w
The resulting logic will be called PLTL.
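As an added illustration, not part of the thesis, the satisfaction clauses of Section 5.1 (#, 2, 3), the until clause (5.2.1) and the past-tense clauses above are evaluated over a constructed finite structure in Python, and the axioms this chapter derives (the induction axiom of Example 5.2.2, the two until axioms of Proposition 5.2.7, and the past axioms P0 and P1 of Proposition 5.2.10) are checked on it; the operator names, the structure, and the readings of P0 as f implying # #- f and of P1 as f implying 2 3- f are this example's assumptions.

```python
"""Evaluator for the satisfaction clauses of Sections 5.1, 5.2.1 and 5.2.2 over a
finite structure (W, R, R*): next (#), box (2), diamond (3), their past mirrors
(#-, 2-, 3-) and until (U) as in (5.2.1).  Added example, not thesis code."""

# Formulas are nested tuples.  Operator names are this example's own:
# 'next' = #, 'box' = 2, 'dia' = 3, 'pnext' = #-, 'pbox' = 2-, 'pdia' = 3-.
def p(x): return ('p', x)
def neg(f): return ('not', f)
def conj(f, g): return ('and', f, g)
def disj(f, g): return ('or', f, g)
def imp(f, g): return ('imp', f, g)
def iff(f, g): return conj(imp(f, g), imp(g, f))
def next_(f): return ('next', f)
def box(f): return ('box', f)
def dia(f): return ('dia', f)
def pnext(f): return ('pnext', f)
def pdia(f): return ('pdia', f)
def until(f, g): return ('until', f, g)

def closure(worlds, R):
    """Reflexive and transitive closure R* of R (Definition 5.1.1), by Warshall."""
    star = {(w, w) for w in worlds} | set(R)
    for k in worlds:
        for i in worlds:
            for j in worlds:
                if (i, k) in star and (k, j) in star:
                    star.add((i, j))
    return star

class Structure:
    """(W, R, R*, val): R total, R* the closure of R, val maps each world to
    the set of propositional variables true there."""

    def __init__(self, worlds, R, val):
        self.W, self.R, self.val = list(worlds), set(R), val
        self.Rs = closure(self.W, self.R)
        if not all(any(a == w for a, _ in self.R) for w in self.W):
            raise ValueError("R must be total: every world needs a successor")

    def succ(self, w): return [b for a, b in self.R if a == w]      # w R v
    def pred(self, w): return [a for a, b in self.R if b == w]      # v R w
    def reach(self, w): return [b for a, b in self.Rs if a == w]    # w R* v
    def coreach(self, w): return [a for a, b in self.Rs if b == w]  # v R* w

    def sat(self, w, f):
        """M, w |= f, one clause per operator."""
        op, s = f[0], self.sat
        if op == 'p':     return f[1] in self.val[w]
        if op == 'not':   return not s(w, f[1])
        if op == 'and':   return s(w, f[1]) and s(w, f[2])
        if op == 'or':    return s(w, f[1]) or s(w, f[2])
        if op == 'imp':   return (not s(w, f[1])) or s(w, f[2])
        if op == 'next':  return all(s(v, f[1]) for v in self.succ(w))
        if op == 'box':   return all(s(v, f[1]) for v in self.reach(w))
        if op == 'dia':   return any(s(v, f[1]) for v in self.reach(w))
        if op == 'pnext': return all(s(v, f[1]) for v in self.pred(w))
        if op == 'pbox':  return all(s(v, f[1]) for v in self.coreach(w))
        if op == 'pdia':  return any(s(v, f[1]) for v in self.coreach(w))
        if op == 'until': return self.until(w, f[1], f[2])
        raise ValueError("unknown operator %r" % (op,))

    def until(self, w, phi, psi):
        """(5.2.1): some R-path w = w0 R ... R wn with psi at wn and phi at
        every wi, i < n.  Depth-first search over R-paths; a world already on
        the current path is not expanded again (a loop only repeats phi-worlds)."""
        stack = [(w, frozenset())]
        while stack:
            u, on_path = stack.pop()
            if self.sat(u, psi):
                return True
            if u in on_path or not self.sat(u, phi):
                continue
            stack.extend((v, on_path | {u}) for v in self.succ(u))
        return False

    def counterexamples(self, f):
        """Worlds at which f fails; empty exactly when f is valid in M."""
        return [w for w in self.W if not self.sat(w, f)]

# Constructed finite structure: the lasso 0 -> 1 -> 2 -> 3 -> 3.  R is total and
# every world has one successor, but world 3 has two predecessors (2 and 3).
M = Structure([0, 1, 2, 3], {(0, 1), (1, 2), (2, 3), (3, 3)},
              {0: {'a'}, 1: set(), 2: {'b'}, 3: set()})
A, B = p('a'), p('b')

# Induction axiom of Example 5.2.2, read here as 2(f -> #f) -> (f -> 2f).
def induction_axiom(f): return imp(box(imp(f, next_(f))), imp(f, box(f)))
# The two until axioms listed in the proof of Proposition 5.2.7.
def until_unfold(f, g): return iff(until(f, g), disj(g, conj(f, next_(until(f, g)))))
def until_dia(f, g): return imp(until(f, g), dia(g))
# P0 and P1 as read off the derivations in Proposition 5.2.10 (assumed reading):
# P0 = f -> # #- f,  P1 = f -> 2 3- f.
def p0(f): return imp(f, next_(pnext(f)))
def p1(f): return imp(f, box(pdia(f)))

if __name__ == "__main__":
    for ax in (induction_axiom(A), until_unfold(A, B), until_dia(A, B), p1(A), p0(neg(B))):
        print(ax, "fails at", M.counterexamples(ax))  # P0(not b) fails at world 3
```

On the lasso, P0 fails at the loop world because that world has two predecessors, which is exactly the uniqueness of the predecessor that the (=) step in the derivation of P0 relies on.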


In order to exploit the symmetry between future tense modalities and past tense
modalities we start by defining an involutive function [] on PLTL modal operators
that associates to each future time modal operator its past time analogue:
[#] = #-
[#- ] = #
[3] = 3-
[3- ] = 3
[2] = 2-
[2- ] = 2
Then we extend [] to formulas taking [] = , [ ] = [] [] for each
modal operator and [ ] = [] [] for each propositional connective .
Finally an axiomatization of PLTL (see [Sti92]) can be obtained by adding to the
axiomatization of LTL the axioms:
P0) # #- ;
P1) 2 3- ;
and the following inference rule:
R ) if then [] .
The axioms establish the relation between past time operators and future time
operators, while the inference rule states the symmetry between past and future.
We obtain the rules for past time modal operators by simply reversing the relational
judgments in the rules of the corresponding future time modal operator.
[q R p]
q:
(#- I )E(q)
p: #-

p: #- q R p
q R p q:
(3 - I )
(#E )
q:
p: 3-

[q R p][q: ]

[q R p]

p: 3-
p0 :
(3- E )E(q)
p0 :

q:
(2- I )E(q)
p: 2-

q R p p: 2-
(2- E )
q:
We will also need to add the following relational rules:

p0 :
E(p)
p0 : (RD )

[p R p ][p R p][p : ]

[p1 = p2 ]

[p R q]
{pi R q}i{1,2}
p0 :

p0 :

(RL )

q R p p:
q:

p :

(RE )E(p ,p )
The proof system obtained by the addition of the previous rules to NKLTL will be
denoted with NKPLTL.
Proposition 5.2.8 (Soundness)
p: =  p:
for each set of PLTL formulas and for each formula .
Proof. It is sufficient to show the soundness of the rules related to past modalities.
The proof proceeds along the lines of the proof of Proposition 5.2.3.
2
In order to prove the completeness of NKPLTL we show that rule R is eliminable in the system. First we extend the function [] to judgments as follows:
[p: ] = p: []
[p R q] = q R p
[p R q] = q R p
Lemma 5.2.9
G; p: = [G] ; [] [p: ]
for each set of PLTL formulas and for each PLTL formula .
Proof. The proof proceeds by induction on a deduction of G; p: .
As an example consider the case that concludes with a (#I )E(q) . Then the
premise of is a deduction of G, p R q; q: and its conclusion is p: # . By the
induction hypothesis we know that there exists a deduction of [G] , q R p; [] q: []
and, applying (#- I ), we immediately also have a deduction of [G] ; [] p: #- [] .
2
Proposition 5.2.10 (Completeness)
 p: = p:
for each finite set of PLTL formulas and for each formula .
Proof. Again we can derive the axioms and rules of a complete axiomatization.
The fact that rule R is derivable follows immediately from Lemma 5.2.9. Hence
it is sufficient to show that NKPLTL proves axioms P0 and P1, and this is shown
by the following two derivations:

[p R q] [p: ]
(3 - I )
q: 3-
(2I )E(q)
p: 2 3-
(I )
p: 2 3-

[p = r] [p: ]
(=)
[p R q] [r R q]
r:
(=)
r:
(#- I )
q: #-
(#I )
p: # #-
(I )
p: # #-
2
5.2.3 Branching Time logics
Another interesting logic arises by dropping the requirement of linearity for the accessibility relation. Temporal logics in which the accessibility relation is not required to
be linear are called branching time logics, as opposed to linear time logics.
Definition 5.2.11 (Branching time frames and structures) A branching time
frame M is a triple (W, R, R ) where:
(W, R) and (W, R ) are Kripke frames;
R is a total relation on W;
R is reflexive and transitive;
the reflexive and transitive closure of R is included in R .
Given a set of propositional variables L, a branching time structure over L is a
quadruple (W, R, R , ) such that (W, R, R ) is a branching time frame and : W
2L is a truth assignment.
Usually branching time logics provide modal operators to quantify over paths of
structures. In the following we will not consider such operators and limit the discussion to the logic induced by the interpretation of LTL connectives over branching
time structures. We will call such a logic Branching Time Logic (or BTL for short).
An axiomatization for branching time logic can be obtained from the axiomatization of LTL (see Definition 2.2.9) by simply replacing axiom T3 with axiom D.
Having equality explicit in the system NKLTL makes it easy to drop the linearity assumption. So, in order to obtain the proof system NKBTL for branching
time logic, we simply remove from NKLTL the rules (RL ) and (=).
Proposition 5.2.12 (Soundness)
p: =  p:
for each set of BTL formulas and for each formula .
Proof. Each rule of NKBTL is sound.
Proposition 5.2.13 (Completeness)
 p: = p:
for each set of BTL formulas and for each formula .
Proof. Derive each axiom of BTL.
5.3 A partial result of normalization
The definitions and facts stated in Section 3.4.1 can be easily extended to the system
of LTL; the only difference is that a relational judgment occurrence J can
depend on a relational judgment occurrence J also by means of an (RE ).
Lemma 5.3.1 Given a deduction of p: , there exists an equivalent deduction
such that:
no (RE ) with relational premise of finite length (cf. Definition 3.4.3) occurs in ;
any logical rule and any induction rule occurring in also occurs in .
Proof. We proceed by induction on the number of (RE ) with premise of finite length
occurring in . In the case that there is no (RE ) in with premise of finite length,
we immediately have the result taking = .
Otherwise consider an innermost occurrence of (RE ) in with premise p R q of
finite length:
[p R p ][p R p ][p : ]

p R q p:
p :

0 =
(RE )E(p ,p )
q:
i.e. one such that each (RE ) occurring in or (possibly none) has a relational
premise of infinite length.
Applying Proposition 3.4.6 we obtain two sequences s0 , . . . sn and e0 , . . . , en . Now,
proceeding by induction on n, we define a deduction 0 equivalent to 0 that
does not contain occurrences of (RE ).
If n = 0 take
[p = q] p:
(=)
q:

0 =
q: ()
where () are relational rules discharging p = q.
By the induction hypothesis there exists 1 equivalent to the deduction
p R sn1

[p R p ][p R p ][p : ]

p:
p :
(RE )
sn1 :

so take as 0 the deduction
1
[p R sn1 ] sn1 R en sn1 :
{sn1 /p , en /p }
[q = en ]
en :
(=)
q:
q: ()
where () are relational rules discharging the assumptions p R sn1 and q = en ; the
renaming of p and p in is sound since these variables must be fresh in 1 .
The outer inductive hypothesis concludes the proof.
2
The lemma also states that each deduction that does not contain occurrences of
(RE ) with premises of infinite length is also an STL deduction.
Proposition 5.3.2 For each LTL deduction that does not contain occurrences of
(RE ) with relational premise of infinite length there exists an equivalent normal deduction.
Proof. Follows immediately from the previous lemma and from the normalization result for
STL.
2
5.4 Failure of normalization
It is well known that inductive proofs, intuitionistic or not, may require inductive
arguments stronger than the conclusion of the proof. In this section we try to
formalize this fact within our proof system.
A negative consequence of this statement will be the failure of cut elimination
for NKLTL.
In the following we will consider the set of judgments
G = {pi R pi+1 , pi R pj | 0 i j},
= {p0 : , p0: # , p0 : 2( # # )}
with an atomic formula. We will also need the set
= {pi : , pi: | is a subformula of some , 0 i}.
Lemma 5.4.1 For each {, # , # # , , # , # # } and for each i <
G; 6STL pi : 2 and G; 6STL pi : 2( # )
Proof. We simply build a countermodel for the two formulas.
Take M = (W, R, R , ) as follows:
W = {0, 1, . . . , , + 1, . . .}
R = {(i, j) | 0 i j < + }
R = {(i, i + 1) | 0 i < + }
(i) i < i = + 2k
and such that (pi ) = i.
It is easily seen that M,  G and M,  but M, satisfies neither p0 : 2
nor p0 : 2( # ).
2
Lemma 5.4.2 Let be a set of logical judgments, G a set of relational judgments and a formula in {, # , # # , , # , # # }. Then
G, G ; , STL pi : 2( # ) = G, G ; , STL
Proof. First observe that for any subformula of some formula in and for any i
we have G; STL pi : and so, by soundness of NKSTL, also G, G ; , STL pi : .
Assume by contradiction that G, G ; , is satisfiable and the antecedent of the
implication is verified.
Consider now any judgment pi : in . By the assumptions on , must be
either a subformula of some formula in , or the negation of a subformula of some
formula in . In the former case we have G;  pi : , in the latter case we have
G; , pi :  . Hence from our assumption on the satisfiability of G, G ; , we must
conclude G;  J for each J , i.e. G;  .
But now, from G;  and from G; ,  2( # ) we must conclude
G;  2( # ), contradicting Lemma 5.4.1.
2
Lemma 5.4.3 If there exists an NKLTL deduction of G, p0 R q; q: satisfying the
subformula property, there also exists an equivalent NKSTL deduction.
Proof. Let be an NKLTL deduction of G; p0 R q; q: . We proceed in
two steps: first we rewrite so that no (RE ) occurrence in has a main premise
depending on a relational judgment discharged by a (2I ) occurrence; then we
rewrite the resulting deduction so as to remove each occurrence of (RE ).
Start by observing that, by the subformula property, each occurrence of the connective 2 within is in the formula 2( # # ).
Consider now an outermost deduction in concluding with p: 2( # # ).
Here by outermost we mean that does not occur in the premise of some deduction
of that concludes with (2I ).
We can replace within with the deduction
[p0 R r] p0 : 2( # # )
(2E )
p0 R p [p R r]
r: # #

(R4 )
r: # #
E(r)
(2I )
p: 2( # # )
()
p: 2( # # )
where () are relational rules used to discharge p0 R p. Observe indeed that each
world variable appearing in is such that p0 R p.
Repeating this procedure we obtain a deduction in which no rule (2I ) stands
below an occurrence of (RE ).
Now consider an innermost deduction in concluding with (RE ) and with
relational premise of infinite length. Here by innermost we mean that no (RE )
rule occurs in a premise of .
Since no (2I ) may occur below and since this occurrence of (RE ) has a relational
premise of infinite length, this premise must depend on p0 R q. Without loss of
generality we will assume that the relational premise is p0 R q.
The inductive premise of will be an NKSTL deduction of
G, G , p0 R p , p R p ; , , p : p :
with {, # , # # , , # , # # }, and p , p world variables not
occurring in G, G , , .
But, applying (#I ), (I ) and (2I ) we immediately also have a deduction of
G , G; , p0 : 2( # ). Now, from Lemma 5.4.2 and from the completeness of
NKSTL, we also have an NKSTL deduction of G, G ; , . So we can build an
(RE )-free deduction equivalent to as follows:

( )
E
s:
Repeating this procedure for each occurrence of (RE ) in results in a new
deduction containing only induction rules with premises of finite length. We can
conclude the proof by application of Proposition 5.3.2.
2
Proposition 5.4.4 No proof of G; , p0 R q q: enjoys the subformula property.
Proof. By Lemma 5.4.3 the assumption would imply also G; , p0 R q STL q: ,
and so immediately, by soundness of NKSTL, also G; STL p: 2 . But this
contradicts Lemma 5.4.1.
2
Chapter 6
Omega temporal logic
6.1 The system LTL
In this chapter we augment the deductive machinery of the proof system for linear
temporal logic introduced in Chapter 5 by adding a rule with an infinite set of premises.
The reason to consider such a powerful rule is the same that led to the definition
of the omega rule in the system of arithmetic, i.e. it gives a normalization result and
its standard consequences. In general, infinitary systems are also used to establish
results about their finitary counterparts (for example see [Min00]). Soundness results
are a typical application of this technique; in this case too, the consistency of LTL
can be seen as a corollary of the consistency of LTL .
First we define the system and relate it to the semantics of linear temporal logic.
A result of soundness and completeness with respect to such a logic is proven.
Then we study the proof theoretical aspects of the system both in a classical
and in an intuitionistic version. A result of normalization is shown and the standard
consequences of normalization are recovered.
In the case of the intuitionistic fragment we also obtain a novel form of
existential property relative to the modal connective 3.
Finally we give sufficient conditions under which the omega rule can be eliminated.
Definition 6.1.1 The system NKLTL is obtained from NKSTL by adding the
following rule:
[p0 = q]
p0 R q

r:

[p0 R p1 ] [pn R pn+1 ][pn+1 = q]

r:

r:

()E(p1,p2 ,...)

where the variables p1 , p2 , . . . are fresh and the nth premise of the rule discharges the assumptions {pi R pi+1 , pn = q | 0 i < n}.
As usual we denote with E(p1 , p2 , . . .) the restriction that the eigenvariables
p1 , p2 , . . . cannot occur free in any assumption of the premises.
In the same way, NJLTL is obtained from NJSTL by the addition of rule ().
Remark 6.1.2 Another possible, and probably more intuitive, formulation could
be the following:
[p0 R p1 ] [pn R pn+1 ]
p0 R q

p0 :

q:

pn+1 :

( )E(p1 ,p2 ,...)

It is easy to see that nothing is lost in choosing the first one. Indeed, assume we
have a deduction of G, p0 R q; q: obtained by an application of rule ( ) to the
premises 1 , 2 , . . ..
Now each i is a deduction of
G, p0 R q, p0 R p1 , . . . , pi1 R pi ; pi :
so, applying rule (=) to i we can build deductions 0 , 1 , . . . with i proving
G, p0 R q, p0 R p1 , . . . , pi1 R pi , pi = q; q:
and an application of rule () to p0 R q, 0 , . . . gives a deduction equivalent to .
In other words rule ( ) is derivable in NKLTL .
Moreover the two rules are equivalent, more precisely consider a new system

NKLTL in which rule () is replaced by rule ( ), then we can show that () is

eliminable in NKLTL (the proof will be given later).


Anyway we choose to keep rule () because it shows nicer properties when dealing
with normalization.
Since we are now working with infinite objects we try to be more precise in
defining the nature of such objects and their basic properties.
Definition 6.1.3 Deductions in NKLTL^ω are defined by (transfinite) induction by
the following clauses:
- a single logical judgment is an NKLTL^ω deduction (the trivial deduction);
- if Π_1, ..., Π_n are NKLTL^ω deductions, so are also the deductions obtained by
  the application of an NKSTL rule to premises Π_1, ..., Π_n;
- if Π_1, Π_2, ... are NKLTL^ω deductions, so are also the deductions obtained by the
  application of an (ω) rule to premises Π_1, Π_2, ....

6.1. THE SYSTEM LTL

Observe that we are banning the case that Π contains an infinite branch, exactly as
happens with proof systems that do not contain infinitary rules. So NKLTL^ω
deductions never contain infinite branches.
Given an NKLTL^ω deduction Π and an ordinal number o, we say that Π is of
size smaller than o (and write |Π| ≤ o) if
- Π is a trivial proof, or
- Π concludes with an NKSTL rule with premises Π_1, ..., Π_n such that for all i
  |Π_i| ≤ o_i < o, or
- Π concludes with an (ω) rule with premises Π_1, Π_2, ... such that for all i
  |Π_i| ≤ o_i < o.
We will say that Π is of size o, and write |Π| = o, if o = min{o' : |Π| ≤ o'}.
Observe that this notion of size does not agree with the notion of size defined on
finite deductions.
Proposition 6.1.4 (Soundness) NKLTL^ω is sound with respect to the semantics of
linear temporal logic.
Proof. By soundness of NKSTL it is sufficient to show the soundness of (ω).
So consider an instance of (ω) with premises p_0 R* q, Π_1, Π_2, ... where
Π_i is a deduction of G, p_0 R p_1, ..., p_{i-1} R p_i, p_i = q; ∆ ⊢ r:φ.
Let M and σ be a structure and an environment satisfying each of the premises,
i.e.
    (a)  M, σ ⊨ G, p_0 R* q, ∆
    (b)  M, σ ⊨ p_0 R p_1, ..., p_{i-1} R p_i, p_i = q  ⟹  M, σ ⊨ r:φ    for each i
From (a) we can find a sequence w_0, ..., w_n of points of M such that
σ(p_0) = w_0 R ... R w_n = σ(q).
Take σ' = σ[p_0 ↦ w_0] ... [p_n ↦ w_n]; now, from the side condition on the
eigenvariables p_0, ..., p_n, and from (b) we have
    M, σ' ⊨ p_0 R p_1, ..., p_{n-1} R p_n, p_n = q  ⟹  M, σ' ⊨ r:φ
but, by the choice of w_0, ..., w_n, the premise of the implication is immediately
satisfied and so we obtain M, σ' ⊨ r:φ. Finally from σ'(r) = σ(r) we can conclude
M, σ ⊨ r:φ.
∎
Proposition 6.1.5 Rule (R*E) is derivable in NKLTL^ω.
More precisely, assume Π and Π' are NKLTL^ω deductions respectively of
    G, p_0 R* q; ∆ ⊢ p_0:φ    and    G, p_0 R* q, p_0 R* p, p R p'; ∆, p:φ ⊢ p':φ
with p and p' different from p_0 and q and not occurring in G, ∆.
Then there exists also an NKLTL^ω deduction of G, p_0 R* q; ∆ ⊢ q:φ.

Proof. Consider an infinite sequence of fresh variables p_1, p_2, ... and inductively
define a sequence of NKLTL^ω deductions as follows:

    Π_0 = Π;

                                   Π_i
                 p_0 R* p_i   p_i R p_{i+1}   p_i:φ
    Π_{i+1} =    ---------------------------------- Π'{p_i/p, p_{i+1}/p'}
                              p_{i+1}:φ

Then Π_i is a deduction of G, G_i, G'_i, p_0 R* q; ∆ ⊢ p_i:φ where
    G_i = {p_j R p_{j+1} | 0 ≤ j < i},
    G'_i = {p_0 R* p_j | 0 ≤ j ≤ i}.
Applying i times rule (R*I) to deduction Π_i we obtain a new deduction Π'_i of
G, G_i, p_0 R* q; ∆ ⊢ p_i:φ and finally applying rule (ω') to Π'_0, Π'_1, ... we obtain an
NKLTL^ω deduction of G, p_0 R* q; ∆ ⊢ q:φ.
∎
Proposition 6.1.6 For each set of assumptions G; ∆ and for each formula p:φ
    G; ∆ ⊢_NKLTL p:φ  ⟹  G; ∆ ⊢_{NKLTL^ω} p:φ
    G; ∆ ⊢_NJLTL p:φ  ⟹  G; ∆ ⊢_{NJLTL^ω} p:φ.
Proof. The proof is given by defining a type preserving map |·|_ω from NKLTL
(NJLTL) deductions to NKLTL^ω (NJLTL^ω) deductions, i.e. such that if Π is an
NKLTL (NJLTL) deduction of G; ∆ ⊢ p:φ then |Π|_ω is an NKLTL^ω (NJLTL^ω)
deduction of G; ∆ ⊢ p:φ.
Define |Π|_ω inductively on Π as follows:
- if Π is the trivial proof, |Π|_ω = Π;
- if Π is a proof concluding with an NKSTL rule (ρ) with premises Π_1, ..., Π_n,
  |Π|_ω is obtained by application of (ρ) to premises |Π_1|_ω, ..., |Π_n|_ω;
- if Π is a proof concluding with an occurrence of (R*E) with premises Π_1 and Π_2,
  |Π|_ω is obtained by application of Proposition 6.1.5 to the proof obtained by
  application of (R*E) to premises |Π_1|_ω and |Π_2|_ω.
The fact that |·|_ω is type preserving is easily proved using Proposition 6.1.5.
Finally observe that (⊥E_C) occurs in |Π|_ω if and only if (⊥E_C) occurs in Π, hence
NJLTL deductions are mapped to NJLTL^ω deductions.
∎
This allows us to embed the NKLTL proof system in NKLTL^ω, so that we
immediately have the following result.
Corollary 6.1.7 (Weak Completeness) For any finite set of labelled formulas ∆
and any labelled formula p:φ, we have
    ∆ ⊨ p:φ  ⟹  ∆ ⊢_{NKLTL^ω} p:φ
Proof. By NKLTL completeness ∆ ⊨ p:φ ⟹ ∆ ⊢_NKLTL p:φ, and by Proposition 6.1.6
∆ ⊢_NKLTL p:φ ⟹ ∆ ⊢_{NKLTL^ω} p:φ.
∎
Obviously the result also extends to the intuitionistic fragment as long as the
non-infinitary proof system is complete with respect to the considered semantics.
Hence we have two deductive systems with the same expressive power when
dealing with finite sets of formulas.
Proposition 6.1.8 For each finite set of labelled formulas ∆, for each set of
relational formulas G and for any labelled formula p:φ
    G; ∆ ⊢_NKLTL p:φ  ⟺  G; ∆ ⊢_{NKLTL^ω} p:φ
Proof. The (⟹) part is given in Proposition 6.1.6; the (⟸) part is an easy
consequence of soundness of NKLTL^ω and weak completeness of NKLTL.
∎
On the other side we can see that NKLTL^ω is strictly more powerful than NKLTL
when dealing with infinite sets of formulas, and this is due to the fact that LTL is
not compact.
Consider for instance the infinite set of assumptions G = {p_i R p_{i+1} | 0 ≤ i},
∆ = {p_i:φ | 0 ≤ i} and the finite sets G_n = {p_0 R p_1} ∪ {p_i R p_{i+1} | 1 ≤ i < n}.
It is immediate to see that, for each n, G, G_n ⊢ p_n = p_n and so we can build a
sequence of NKLTL deductions Π_0, Π_1, Π_2, ... such that Π_i proves G, G_i; ∆ ⊢ p_i:φ.
Applying the (ω') rule to the deductions Π_0, Π_1, ... we obtain the following:

                                [p_0 R p_1]     [p_0 R p_1] [p_1 R p_2]
                    Π_0             Π_1                  Π_2
    [p_0 R* q]      p_0:φ           p_1:φ                p_2:φ               ...
    ---------------------------------------------------------------------------- (ω')
                                          q:φ
    ---------------------------------------------------------------------------- (□I)
                                         p_0:□φ

On the other side consider any finite subset ∆_fin of ∆; clearly G; ∆_fin ⊬ p_0:□φ.
And, since any NKLTL deduction must have a finite number of non discharged
assumptions, we have ∆ ⊬_NKLTL p_0:□φ.
Proposition 6.1.9 (Strong Completeness) Given a (possibly infinite) set ∆ of
LTL formulas
    ∆ ⊨_LTL φ  ⟹  p_0:∆ ⊢_{NKLTL^ω} p_0:φ
where we wrote p_0:∆ for the set {p_0:φ | φ ∈ ∆}.
The proof follows a standard Henkin style argument: we prove the contrapositive by
building a model for ∆. The simplicity of the proof is also due to the
powerful (ω) rule, which allows us to get rid of the typical complication arising from
the fulfillment of eventualities.

In the rest of the proof we will write ∆ instead of p_0:∆ and we will consider a set
of variables S = {p_i | 0 ≤ i < ω} and a set of relational formulas G = {p_i R p_{i+1} |
0 ≤ i}.
First we build the maximal consistent set ∆' extending ∆ and G via application of
the Lindenbaum technique ([Sho67]).
Proposition 6.1.10 Each consistent set of LTL labelled formulas can be extended
to a maximal consistent set ∆'.
The following lemma states some basic properties of ∆'.
Lemma 6.1.11 For any maximal consistent set ∆' extending G, for any LTL
formulas φ, ψ and for any world variable p_i ∈ S
    p_i:¬φ ∈ ∆'       ⟺   p_i:φ ∉ ∆'
    p_i:φ ∧ ψ ∈ ∆'    ⟺   p_i:φ ∈ ∆' and p_i:ψ ∈ ∆'
    p_i:φ ∨ ψ ∈ ∆'    ⟺   p_i:φ ∈ ∆' or p_i:ψ ∈ ∆'
    p_i:φ ⊃ ψ ∈ ∆'    ⟺   p_i:φ ∈ ∆' implies p_i:ψ ∈ ∆'
    p_i:○φ ∈ ∆'       ⟺   p_{i+1}:φ ∈ ∆'
    p_i:◇φ ∈ ∆'       ⟺   ∃k ≥ 0. p_{i+k}:φ ∈ ∆'
    p_i:□φ ∈ ∆'       ⟺   ∀k ≥ 0. p_{i+k}:φ ∈ ∆'
Proof. Each equivalence follows trivially from the definition of maximal consistent
set and from simple deductions in NKLTL^ω. As an example we consider the case
p_i:□φ.
(⟹) If p_i:□φ ∈ ∆', we have for each k, G ⊢ p_i R* p_{i+k} and so also G; ∆' ⊢ p_{i+k}:φ,
hence p_{i+k}:φ ∈ ∆'.
(⟸) If for each k p_{i+k}:φ ∈ ∆', applying (ω') we obtain G; ∆', p_i R* q ⊢ q:φ for a
generic q not occurring in G. An application of (□I) gives us G; ∆' ⊢ p_i:□φ
and so p_i:□φ ∈ ∆'.
∎
Proof (Strong Completeness). We start by defining a linear temporal structure
M = (S, R, R*, V) taking:
- S as the set defined above;
- R = {(p, q) | p R q ∈ G};
- R* as the transitive and reflexive closure of R;
- V as the function mapping p to {α | p:α ∈ ∆'} (recall that V takes values over
  the set of atomic formulas).
We now prove that for any φ and for any p_i ∈ S
    M, p_i ⊨ φ  ⟺  p_i:φ ∈ ∆'
Proceed by induction on φ:
- if φ is atomic the thesis follows by definition of V;
- if φ has main connective in ¬, ∧, ∨, ⊃, ○ the thesis follows by definition of ⊨,
  by inductive hypothesis and by application of Lemma 6.1.11;
- if φ = ◇ψ the direction (⟸) follows by the inductive hypothesis and
  Lemma 6.1.11.
  Conversely assume by contradiction ◇ψ ∉ ∆'; then in virtue of Lemma 6.1.11,
  ¬∃k. p_{i+k}:ψ ∈ ∆' and again by Lemma 6.1.11, ∀k. p_{i+k}:¬ψ ∈ ∆'. And applying
  the last time Lemma 6.1.11 we have p_i:□¬ψ ∈ ∆', from which p_i:¬◇ψ ∈ ∆',
  contradicting the consistency of ∆';
- if φ = □ψ the direction (⟸) follows by the inductive hypothesis and
  Lemma 6.1.11.
  Conversely assume by contradiction M, p_i ⊭ □ψ; then ∃k. M, p_{i+k} ⊭ ψ and by
  induction hypothesis and property of ∆', p_{i+k}:¬ψ ∈ ∆'. Another application of
  Lemma 6.1.11 gives p_i:◇¬ψ ∈ ∆', contradicting the consistency of ∆'.
We complete the proof observing that, by construction, ∆ ⊆ ∆' and we proved
M ⊨ ∆' so also M ⊨ ∆.
∎
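Lemma 6.1.11 and the structure M = (S, R, R*, V) built in the completeness proof read the temporal connectives off the successor chain p_0 R p_1 R p_2 ...: ○ moves to the next point, ◇ asks for some later point and □ for all later points. The following Python block is an added example, not code from the thesis: it evaluates formulas over exactly that chain, restricted to ultimately periodic valuations (a finite prefix followed by a loop) so that the quantifiers over k ≥ 0 become finite checks, and it replays the non-compactness example of Proposition 6.1.8, where every finite subset of {p_i:a | i ≥ 0} has a countermodel for p_0:□a while the whole set forces it. The tuple encoding of formulas, the class LassoModel and the function names are assumptions of the example.

```python
# Added example (not the thesis's own code): semantics of the LTL connectives
# over the linear structure p_0 R p_1 R p_2 ..., with the valuation given as a
# finite prefix followed by a loop so that every check terminates.

# Formulas are nested tuples; these constructors are assumptions of the example.
def atom(a):      return ('atom', a)
def neg(f):       return ('not', f)
def conj(f, g):   return ('and', f, g)
def disj(f, g):   return ('or', f, g)
def imp(f, g):    return ('imp', f, g)
def iff(f, g):    return conj(imp(f, g), imp(g, f))
def nxt(f):       return ('next', f)   # the next-time connective (○)
def ev(f):        return ('ev', f)     # the eventuality (◇)
def alw(f):       return ('alw', f)    # the universal modality (□)


class LassoModel:
    """Linear temporal structure M = (S, R, R*, V) with S = {p_0, p_1, ...},
    R the successor relation and V(p_i) an ultimately periodic set of atoms."""

    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("the loop must contain at least one point")
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]

    def val(self, i):
        """V(p_i): the atoms true at point p_i."""
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def horizon(self, i):
        """Points p_i .. p_{horizon-1} visit every valuation reachable from p_i;
        beyond the prefix the truth of any formula repeats with the loop length,
        so the quantifiers over k >= 0 of Lemma 6.1.11 are decided on this window."""
        return max(i + len(self.loop), len(self.prefix) + len(self.loop))

    def sat(self, i, f):
        """M, p_i |= f, following the clauses of Lemma 6.1.11."""
        op = f[0]
        if op == 'atom':
            return f[1] in self.val(i)
        if op == 'not':
            return not self.sat(i, f[1])
        if op == 'and':
            return self.sat(i, f[1]) and self.sat(i, f[2])
        if op == 'or':
            return self.sat(i, f[1]) or self.sat(i, f[2])
        if op == 'imp':
            return (not self.sat(i, f[1])) or self.sat(i, f[2])
        if op == 'next':                      # p_i : ○f   iff  p_{i+1} : f
            return self.sat(i + 1, f[1])
        if op == 'ev':                        # exists k >= 0 with p_{i+k} : f
            return any(self.sat(j, f[1]) for j in range(i, self.horizon(i)))
        if op == 'alw':                       # for all k >= 0, p_{i+k} : f
            return all(self.sat(j, f[1]) for j in range(i, self.horizon(i)))
        raise ValueError("unknown connective %r" % (op,))

    def valid(self, f):
        """f holds at every point p_i (finitely many points suffice)."""
        return all(self.sat(i, f) for i in range(self.horizon(0)))


def unfolding_laws_hold(model, f):
    """Semantic counterparts of the □ and ◇ clauses of Lemma 6.1.11:
    □f <-> f ∧ ○□f  and  ◇f <-> f ∨ ○◇f, checked at every point of the model."""
    box_law = iff(alw(f), conj(f, nxt(alw(f))))
    dia_law = iff(ev(f), disj(f, nxt(ev(f))))
    return model.valid(box_law) and model.valid(dia_law)


def finite_subset_countermodel(n, a='a'):
    """Non-compactness (Proposition 6.1.8): the finite set {p_i : a | i <= n}
    is satisfied by a model in which p_0 : □a nevertheless fails."""
    m = LassoModel(prefix=[{a}] * (n + 1), loop=[set()])
    finite_part_ok = all(m.sat(i, atom(a)) for i in range(n + 1))
    return finite_part_ok and not m.sat(0, alw(atom(a)))


def whole_set_forces_box(a='a'):
    """With a true at every point the infinite set {p_i : a | i >= 0} holds,
    and so does p_0 : □a, as the (ω') deduction in the text derives."""
    m = LassoModel(prefix=[], loop=[{a}])
    return m.valid(atom(a)) and m.sat(0, alw(atom(a)))


if __name__ == "__main__":
    # constructed sample valuation: p_0 = {a}, p_1 = {}, then b, ab, b, ab, ...
    m = LassoModel(prefix=[{'a'}, set()], loop=[{'b'}, {'a', 'b'}])
    print(m.sat(0, ev(atom('a'))), m.sat(0, alw(atom('a'))))
    print(unfolding_laws_hold(m, disj(atom('a'), nxt(atom('b')))))
    print(finite_subset_countermodel(5), whole_set_forces_box())
```

The horizon trick is what makes the ∀k/∃k clauses decidable here: past the prefix the valuation is periodic, so a formula's truth value at p_j and at p_{j + period} coincide (by induction on the formula), and one full period starting at p_i already witnesses every later point. Only ultimately periodic models are covered, which is enough for the finite countermodels of the non-compactness example but not a decision procedure for the logic.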

Corollary 6.1.12 Rule (ω) is eliminable in the system NKLTL^ω' obtained from
NKLTL^ω by replacing rule (ω) with rule (ω').
Proof. In the proof of completeness (Proposition 6.1.9) we used rule (ω'), so that
NKLTL^ω and NKLTL^ω' result sound and complete for the same semantics. Said
in symbols, we have ∆ ⊨ φ implies ⊢_{NKLTL^ω'} by Proposition 6.1.9, and this
implies ⊢_{NKLTL^ω} by Remark 6.1.2.
∎

6.2 Normalization

In this section we study the reductions for the system of linear temporal logic with
omega rule. The main result of this section will be a normalization result.

6.2.1 Reduction Rules

First we complete the set of reductions by adding commutative conversions involving
the (ω) rule. Each of these reductions follows the pattern shown below, in which (ρ)
is any elimination rule that has as main premise the omega branch.

               [p_0 = p]   [p_0 R p_1][p_1 = p]
                  Π_0              Π_1
    p_0 R* p      q:φ              q:φ         ...           Σ_1           Σ_n
    --------------------------------------------- (ω)      q_1:φ_1  ...  q_n:φ_n
                         q:φ
    --------------------------------------------------------------------------- (ρ)
                                        r:ψ

reduces to

               [p_0 = p]                        [p_0 R p_1][p_1 = p]
                  Π_0     Σ_1         Σ_n            Π_1     Σ_1         Σ_n
                  q:φ   q_1:φ_1 ... q_n:φ_n          q:φ   q_1:φ_1 ... q_n:φ_n
    p_0 R* p      ------------------------- (ρ)      ------------------------- (ρ)    ...
                            r:ψ                                r:ψ
    ------------------------------------------------------------------------------ (ω)
                                          r:ψ

Observe that the resulting deduction is well formed since no elimination rule
discharges relational assumptions on its main premise, and so the relational premise
of rule (ω) cannot be discharged by rule (ρ).

6.2.2 Preliminaries

In this section we give some basic definitions and properties needed later to prove the
normalization result. Most of these are completely standard and can be found for
instance in [TS96] and [Sch77].
Definition 6.2.1 The definition of dependency among relational judgments carries
forward to LTL^ω deductions, adding the clause that a relational formula discharged
by an application of (ω) immediately depends on the relational premise of that rule.
The facts stated in Section 3.4 about relational formula occurrences remain valid
also for LTL^ω deductions; the only difference is that a formula occurrence may also
have been discharged by an (ω) rule.
We can also generalize the notions of thread, path and segment.
Definition 6.2.2 In the following we will regard (ω) as a relational rule and the
definitions of thread, path and segment follow accordingly.
The definition of cut rank (cf. Definition 4.1.3) extends immediately to ω deductions
replacing Σ with sup.

Definition 6.2.3 Given a deduction Π define the rank of Π (cr(Π)) as a pair (n, λ)
where:
    n = sup{|σ| : σ is a maximum segment in Π}
    λ = sup{lh(σ) : σ is a maximum segment in Π with |σ| = n}
We will consider as usual the lexicographic order on the set of pairs in (ℕ ∪ {ω}) ×
(ℕ ∪ {ω}).
Notice that for ω deductions cr(Π) takes values on (ℕ ∪ {ω}) × (ℕ ∪ {ω}) since
a proof can contain sequences of segments of unbounded length and sequences of
segments of formulas of unbounded size.
To make things simpler we normalize deductions in two steps: first we use commutative
conversions to move indirect rules into a convenient position, then we perform
proper reductions.
Observation 6.2.4 Since in this logic we have infinite deductions, infinite reduction
sequences will arise naturally. Consider for instance a proof Π obtained by (ω)
from proofs Π_1, Π_2, ... and sequences of reductions ρ_1, ρ_2, ... for Π_1, Π_2, ...
respectively. In this case we could also consider the infinite sequence of reductions for Π
obtained interleaving the sequences ρ_1, ρ_2, .... We will not be too formal on this point
since we will not explicitly talk about reduction sequences.
Observation 6.2.5 Observe that commutative conversions and relational reductions
preserve segments; more precisely if Π' is obtained from Π by a commutative
conversion, there is a bijection among segments in Π and segments in Π'.
In particular if σ is a segment occurring in Π and σ' is the corresponding segment
in Π', we have that σ is the main premise of a proper logical reduction (ρ) if and
only if so is also σ'.
Lemma 6.2.6 (Substitution Lemma) Let Π be a deduction of G; ∆, q:ψ ⊢ p:φ
and Π' a deduction of G'; ∆' ⊢ q:ψ. Then the deduction Π{Π'/q:ψ} obtained by
replacing the occurrence of assumption q:ψ with Π' in Π is a deduction of G, G'; ∆, ∆' ⊢
p:φ such that
    cr(Π{Π'/q:ψ}) ≤ max{cr(Π), cr(Π'), (|ψ|, ω)}
Proof. By induction on |Π|.

Lemma 6.2.7 Given an omega deduction Π there exists an equivalent deduction Π̂ such
that cr(Π̂) ≤ cr(Π) and each maximum segment in Π̂ is of length 1.
Proof. Proceed by induction on |Π|.
If Π is the trivial deduction we can take Π̂ = Π and we have finished. So assume
that Π is of shape

           Π_0       Π_1
    Π =  p_0:φ_0   p_1:φ_1   ...
         ---------------------- (ρ)
                  p:φ

Now, if (ρ) is a relational or an introduction rule, we can build the new deduction

           Π̂_0       Π̂_1
    Π̂ =  p_0:φ_0   p_1:φ_1   ...
         ---------------------- (ρ)
                  p:φ

where Π̂_i is obtained by application of the inductive hypothesis to Π_i. Clearly each
maximum segment in Π̂ belongs to some Π̂_i and so it must be of length 1.
Consider now the case that (ρ) is an elimination rule and assume p_0:φ_0 is the
main premise of (ρ). If p_0:φ_0 stands on a maximum segment of length 1 or p_0:φ_0
does not stand on a maximum segment, the same procedure described above applies.
So assume that p_0:φ_0 stands on a maximum segment of length greater than 1; in
this case it will be the conclusion of an indirect rule (ρ'). Now we can apply
a commutative conversion to obtain a deduction concluding with (ρ') and with
premises of size strictly smaller than |Π|. Finally using the same procedure described
above we obtain the thesis.
To make things more clear we spell out in detail the case that (ρ') is (ω). We
will have

                      Σ_0       Σ_1
                    p_0:φ_0   p_0:φ_0   ...
          p R* q    ---------------------- (ω)     Π_1          Π_n
                           p_0:φ_0              p_1:φ_1  ...  p_n:φ_n
    Π =   ------------------------------------------------------------ (ρ)
                                    p:φ

which the commutative conversion turns into

                     Σ_0      Π_1         Π_n            Σ_1      Π_1         Π_n
                   p_0:φ_0  p_1:φ_1 ... p_n:φ_n        p_0:φ_0  p_1:φ_1 ... p_n:φ_n
          p R* q   ---------------------------- (ρ)    ---------------------------- (ρ)   ...
                               p:φ                                 p:φ
          ---------------------------------------------------------------------------- (ω)
                                               p:φ

Let Π' be the resulting deduction and let Π'_0, Π'_1, ... be defined as follows:

                Σ_i
    Π'_i =   p_0:φ_0   p_1:φ_1  ...  p_n:φ_n
             ------------------------------- (ρ)
                           p:φ

Clearly the i-th premise of the (ω) rule in Π' can be obtained by substituting Π_1, ..., Π_n
for p_1:φ_1, ..., p_n:φ_n within Π'_i.
Now observe that we have for all i:
    |Π| = 1 + sup{|Π_1|, ..., |Π_n|, 1 + sup{|Σ_0|, |Σ_1|, ...}} > |Π'_i|, |Π_i|
so that we can apply the inductive hypothesis to each Π'_i and Π_i, obtaining deductions
Π̂'_i and Π̂_i.
Then indicate with Π''_i the result of the substitution in Π̂'_i of Π̂_1, ..., Π̂_n for
p_1:φ_1, ..., p_n:φ_n.
We have that the segments in Π''_i on which the p_j:φ_j stand are not main premises of
elimination rules. Hence we also know that the only maximum segments in Π''_i are
those appearing either in Π̂'_i or in Π̂_1, ..., Π̂_n.
Finally we have shown that the only segments appearing in the deduction

               Π''_0    Π''_1
    p R* q     p:φ      p:φ     ...
    ------------------------------- (ω)
                 p:φ

also appear either in Π̂'_i or Π̂_i and, by inductive hypothesis, contain no segments
of length greater than 1.
∎

6.2.3 NKLTL^ω Normalization

Again, in order to tackle normalization in the classical case, we consider the fragment
of well behaved connectives (conjunction and universal modal operators)
and remove from deductions each occurrence of (⊥E_C) with non atomic conclusion.
The proof will proceed by steps: first we will show how to normalize deductions
with finite cut ranks, then we will use the result to prove a general normalization
theorem.
Proposition 6.2.8 Let Π be a deduction of p:φ from G; ∆ in the ∧, ⊃, ○, □ fragment;
then there exists a deduction Π' of G; ∆ ⊢ p:φ satisfying

    each application of (⊥E_C) in Π' has atomic conclusion                     (6.2.1)
Proof. The argument is similar to that used in Proposition 4.2.1 but we have to
change the inductive measure since, in principle, the size of formulas occurring in Π
as conclusion of (⊥E_C) could be unbounded.
So proceed by (transfinite) induction on |Π|:
- if Π is a trivial deduction we have nothing to prove;
- if Π is obtained from Π_1, Π_2, ... via a rule (ρ) different from (⊥E_C), the inductive
  hypothesis gives us deductions Π'_1, Π'_2, ... each without occurrences of (⊥E_C)
  with non atomic conclusion. Applying (ρ) to Π'_1, Π'_2, ... results in the desired
  deduction;
- if Π is of shape

        [p:¬φ]
          Π_1
          p:⊥
        -------- (⊥E_C)
          p:φ

  we have by induction hypothesis a new proof Π'_1 equivalent to Π_1 in which no
  (⊥E_C) occurrence concludes with a non atomic formula. Now we can proceed
  by induction on |φ| as in Proposition 4.2.1 to show the existence of Π'.
∎
Proposition 6.2.9 Let Π be an NKLTL^ω deduction on the ⊥, ∧, ⊃, ○, □ fragment.
Assume also cr(Π) = (n, 1) for some 0 < n < ω, and Π satisfies (6.2.1). Then there
exists an omega deduction Π̂ equivalent to Π with cr(Π̂) < cr(Π).

Proof. We proceed by induction on |Π|.
By the assumption on cr(Π), Π cannot be the trivial proof, so the base case is
vacuously verified.
Let (ρ) be the last rule in Π and Π_0, Π_1, ... the premises of (ρ). We now have the
following cases:
- The main premise of (ρ) is not on a maximum segment.
  First take Π̂_i as Π_i if cr(Π_i) = 0, and as the deduction obtained by application
  of the inductive hypothesis to Π_i otherwise.
  Then define Π̂ as the deduction concluding with (ρ) and with premises Π̂_i.
  We will have cr(Π̂) = sup{cr(Π̂_i)} and either cr(Π̂_i) = cr(Π_i) = 0 or cr(Π̂_i) <
  cr(Π_i). Then, since by assumption cr(Π) = sup{cr(Π_i)} < (ω, 1), we obtain
  cr(Π̂) < cr(Π).
- (ρ) is an elimination rule whose main premise stands on a maximum segment.
  By hypothesis on Π (length of the maximum segments and (6.2.1)) such premise
  must be the conclusion of an introduction rule (say (ρ')). So we have to
  consider the possible introduction elimination pairs (ρ')/(ρ).
  Assuming Π_0, ..., Π_n are the premises of the introduction rule (ρ'), take Π̂_i
  as Π_i if cr(Π_i) = 0, and as the deduction obtained by application of the inductive
  hypothesis on Π_i otherwise. Obviously we will have either cr(Π̂_i) = cr(Π_i) = 0
  or cr(Π̂_i) < cr(Π_i). Proceed now by case analysis.
(⊃E) This is the most significant case; we have

               [p:φ]
                Π_0
                p:ψ                                               Π̂_1
          ------------- (⊃I)    Π_1                              [p:φ]
    Π =     p:φ ⊃ ψ             p:φ                  Π̂ =         Π̂_0
          ------------------------- (⊃E)                          p:ψ
                    p:ψ

By Lemma 6.2.6 we have
    cr(Π̂) = cr(Π̂_0{Π̂_1/p:φ})
          ≤ max{cr(Π̂_0), cr(Π̂_1), (|φ|, ω)}
          < max{cr(Π_0), cr(Π_1), (|φ ⊃ ψ|, 1)} = cr(Π)

(∧E) in this case (and the symmetrical one) we have

            Π_0    Π_1
            p:φ    p:ψ
    Π =   ------------ (∧I)                 Π̂_0
            p:φ ∧ ψ                  Π̂ =    p:φ
          ------------ (∧E)
               p:φ

and either cr(Π̂) = cr(Π̂_0) = 0 < cr(Π), or
    cr(Π̂) = cr(Π̂_0) < cr(Π_0) ≤ max{cr(Π_0), cr(Π_1), (|φ ∧ ψ|, 1)} = cr(Π).

(○E) in this case we have

                     [p R r]
                       Π_0
                       r:φ                                 p R q
          p R q     -------- (○I)                         Π̂_0{q/r}
    Π =               p:○φ                       Π̂ =        q:φ
          ---------------------- (○E)
                     q:φ

and again, either cr(Π̂) = cr(Π̂_0) = cr(Π_0) = 0 < cr(Π), or
    cr(Π̂) = cr(Π̂_0) < cr(Π_0) ≤ max{cr(Π_0), (|○φ|, 1)} = cr(Π).

(□E) the argument is the same used for the previous case.

Observation 6.2.10 Reductions do not create new occurrences of (⊥E_C), so if Π
satisfies (6.2.1) and Π' is a reduct of Π, Π' also satisfies (6.2.1).
In particular both Lemma 6.2.7 and Proposition 6.2.9 preserve (6.2.1).
Corollary 6.2.11 Let Π be an NKLTL^ω deduction on the ⊥, ∧, ⊃, ○, □ fragment.
Assume also cr(Π) ≤ (n, ω) for some 0 < n < ω, and Π satisfies (6.2.1). Then there
exists a normal deduction Π̂ equivalent to Π.
Proof. The proof easily follows by induction on cr(Π) using Proposition 6.2.9,
Lemma 6.2.7 and Observation 6.2.10.
∎
Proposition 6.2.12 (Normalization)
For each omega deduction Π on the ⊥, ∧, ⊃, ○, □ fragment, there exists an equivalent
normal deduction.
Proof. We can assume that Π satisfies (6.2.1); if not so we can apply Proposition 6.2.8.
We now proceed by induction on Π showing the existence of a normal proof Π̂
equivalent to Π and satisfying (6.2.1).
If Π is the trivial deduction we have nothing to prove; otherwise let (ρ) be the
last rule in Π and let Π_0, Π_1, ... be the premises of (ρ), concluding respectively with
p_0:φ_0, p_1:φ_1, .... By inductive hypothesis we also have normal deductions Π̂_0,
Π̂_1, ... equivalent to Π_0, Π_1, ... respectively. Then we can build a new deduction

            Π̂_0       Π̂_1
    Π' =  p_0:φ_0   p_1:φ_1   ...
          ---------------------- (ρ)
                   p:φ

If no premise of (ρ) in Π' stands on a maximal segment, Π' is a normal deduction,
since maximal segments in Π' must occur in some Π̂_i, and this is impossible since each
Π̂_i is normal by induction hypothesis. Moreover Π' satisfies (6.2.1) since Π, Π̂_0, Π̂_1, ...
do.
So, the only other cases to consider are those in which (ρ) is an elimination
rule. In these cases we have only a finite number of premises, say Π̂_0, ..., Π̂_n,
and each maximal segment occurring in Π' must end on some of the premises of
(ρ). Hence, we immediately have cr(Π') < (max{|φ_0|, ..., |φ_n|}, ω); moreover, by
induction hypothesis, by the fact that Π satisfies (6.2.1) and by Observation 6.2.10
we also have that Π' satisfies (6.2.1). Hence we can apply Corollary 6.2.11 to Π' in order
to obtain a normal deduction.
∎
Hereafter, in virtue of Proposition 6.2.8, we will assume that normal proofs satisfy
(6.2.1).
Observe that in this setting it makes no sense to talk about strong normalization.
Indeed we can consider any deduction containing an infinite number of independent
redexes, and we cannot hope to achieve a normal form for such a deduction with a finite
set of reductions. In the proof shown above an infinite number of reductions is hidden
in the induction, where we apply inductive arguments to the (possibly infinite) set
of premises of a rule.

6.2.4 Consequences of normalization in NKLTL^ω

In this section we will prove some corollaries following from the normalization
theorems. Most of them are the analogues of the standard results for classical systems
of predicate logic.
Lemma 6.2.13 (Structure of normal proofs in NKLTL^ω)
Consider a normal deduction Π on the ⊥, ∧, ⊃, ○, □ fragment of NKLTL^ω. Let
σ_0, σ_1, ..., σ_n be a sequence of segments forming a path in Π; moreover let φ_j be the
shape of segment σ_j. Then there exists i ∈ [0..n] such that σ_i is the minimum segment,
i.e.
- each σ_j in the E part of the path (i.e. such that j < i) is the major premise
  of an elimination rule and φ_{j+1} is a subformula of φ_j;
- either i = n or σ_i is premise of an introduction rule or a (⊥E_C) rule;
- each σ_j in the I part of the path (i.e. such that i < j) is the conclusion of an
  introduction rule and φ_{j-1} is a subformula of φ_j.
Proof. The thesis follows by the observation that Π does not contain maximum
segments.
∎
In this result we have to deal with segments instead of formulas even if we
excluded the case of ∨ and ◇. The reason is the presence of relational
rules that may occur among logical rules. It can be easily seen however that such
relational rules could be commuted below logical rules.

Theorem 6.2.14 (Consistency) The system NKLTL^ω is consistent.
Proof. As usual assume by contradiction to have a normal proof Π of p:⊥, and
consider a main path in Π.
From Lemma 6.2.13 we know that such path will be composed of an introduction
part and an elimination part. Since we have no introduction rule for ⊥, the I part
of the path will be empty. But so will be also the E part of the path since we have
no assumption to discharge.
∎
This immediately gives also the consistency of NKLTL.
Corollary 6.2.15 The system NKLTL is consistent.
Proof. Immediate from consistency of NKLTL^ω and from Proposition 6.1.6.

Corollary 6.2.16 (Subformula property) Given a normal deduction Π of G; ∆ ⊢
p:φ, each formula occurring in Π is either a subformula of some formula in ∆ ∪ {φ}
or a subformula of a formula discharged by an application of (⊥E_C).
Proof. The statement is proved by induction on the order of the path on which the
formula occurs.
For a main path (order 0) this is an easy consequence of Lemma 6.2.13. Consider
a path π of order n + 1; by definition of order, π concludes on a path π' of order n.
It is now sufficient to use Lemma 6.2.13 and apply the inductive hypothesis on π'
to obtain the thesis.
∎
Corollary 6.2.17 (Separation Theorem) The only rules applied in a normal
deduction of G; ∆ ⊢ p:φ are relational rules and logical rules for connectives occurring
in formulas of ∆ and φ.
Proof. Follows immediately from Corollary 6.2.16.

6.2.5 NJLTL^ω Normalization

In this section we examine normalization for the intuitionistic version of the
system; we will consider the full set of connectives.
The arguments will follow the same pattern as the classical case, but we will
obtain different and more interesting consequences.
Proposition 6.2.18 Given an NJLTL^ω deduction Π with cr(Π) = (n, 1) for some
0 < n < ω, there exists an equivalent deduction Π̂ with cr(Π̂) < cr(Π).
Proof. The proof proceeds along the same lines as the proof of Proposition 6.2.9;
the only difference is in the inductive case, where we can also have reductions for
⊥, ◇ and ∨.

If Π concludes with a rule (⊥E) whose main premise stands on a maximum
segment, Π must be of shape

                Σ
               p:⊥
             -------- (⊥E)      Σ_1           Σ_n
    Π =        p_0:φ         p_1:φ_1  ...  p_n:φ_n
             ------------------------------------- (ρ)
                             p_0:ψ

where (ρ) is an elimination rule.
Then take

               Σ̂
              p:⊥
    Π̂ =    -------- (⊥E)
             p_0:ψ

where Σ̂ is Σ if cr(Σ) = 0, and the deduction obtained by the inductive hypothesis
applied to Σ otherwise.
Clearly cr(Π̂) = cr(Σ̂) < cr(Π).
If Π concludes with a rule (∨E) whose main premise stands on a maximum
segment, Π must be of shape

                 Σ
               p:φ_i                 [p:φ_1]       [p:φ_2]
           -------------- (∨I)         Σ_1           Σ_2
    Π =     p:φ_1 ∨ φ_2               p_0:ψ         p_0:ψ
           ---------------------------------------------- (∨E)
                               p_0:ψ

Then take Σ̂ as Σ if cr(Σ) = 0, and as the deduction obtained by application of the
inductive hypothesis to Σ otherwise. In the same way define Σ̂_i.
Finally take

               Σ̂
             p:φ_i
    Π̂ =      Σ̂_i
             p_0:ψ

and by Lemma 6.2.6 we have
    cr(Π̂) = cr(Σ̂_i{Σ̂/p:φ_i})
          ≤ max{cr(Σ̂), cr(Σ̂_i), (|φ_i|, ω)}
          < max{cr(Σ), cr(Σ_i), (|φ_1 ∨ φ_2|, 1)} = cr(Π).
If Π concludes with a rule (◇E) whose main premise stands on a maximum
segment, by hypothesis on cr(Π), such premise must be the conclusion of a (◇I).
Hence Π has the following shape:

                         Σ
              p R* q    q:φ              [p R* r][r:φ]
             -------------- (◇I)               Σ'
    Π =          p:◇φ                        p_0:ψ
             ------------------------------------- (◇E)
                             p_0:ψ

Now define Σ̂ as Σ if cr(Σ) = 0, and as the deduction obtained by application of the
inductive hypothesis to Σ otherwise. In an analogous way define also Σ̂'.
Now we can take

                        Σ̂
              p R* q   q:φ
    Π̂ =        Σ̂'{q/r}
                p_0:ψ

and by Lemma 6.2.6 we have
    cr(Π̂) = cr(Σ̂'{Σ̂/q:φ})
          ≤ max{cr(Σ̂'), cr(Σ̂), (|φ|, ω)}
          < max{cr(Σ'), cr(Σ), (|◇φ|, 1)} = cr(Π).
∎
Corollary 6.2.19 For any NJLTL^ω deduction Π with cr(Π) < (n, ω) for some
n < ω there exists a normal deduction Π̂ equivalent to Π.
Proof. The proof easily follows by induction on cr(Π) using Proposition 6.2.18 and
Lemma 6.2.7.
∎
Proposition 6.2.20 (Normalization) For each ILTL deduction there exists an
equivalent normal deduction.
Proof. As in Proposition 6.2.12 using Corollary 6.2.19 instead of Corollary 6.2.11.
∎

6.2.6 Consequences of normalization in NJLTL^ω

Lemma 6.2.21 (Structure of normal proofs in NJLTL^ω)
Let Π be a normal NJLTL^ω deduction and σ_0, σ_1, ..., σ_n a path in Π where the
formula in each σ_j is φ_j. Then there exists i ∈ 0..n such that σ_i is the minimum segment
of the path, i.e.
- each σ_j in the I part of the path (i.e. such that j < i) is the major premise of
  an elimination rule and φ_{j+1} is a subformula of φ_j;
- either i = n or p_i:φ_i is premise of an introduction rule or a (⊥E) rule;
- each p_j:φ_j in the E part (i.e. such that i < j) of the path is the conclusion of
  an introduction rule and φ_{j+1} is a subformula of φ_j.
Proof. Follows easily from the observation that in a normal deduction we do not
have maximum segments.
∎

The only slight difference with respect to the standard result is that in this case
segments span also through relational rules.
Lemma 6.2.22 Consider a normal NJLTL^ω deduction Π of G; ∆ ⊢ p:φ and a path
σ_1, ..., σ_n in Π. Let σ_k be the minimum segment of the path and φ_1, ..., φ_n the
formulas associated to σ_1, ..., σ_n respectively. Then
- either k = 1 and φ_1 is discharged by an application of (∨E), or for each j < k
  φ_j is in the assumption part of (∆, φ);
- φ_k is in the assumption part of (∆, φ) and either φ_k = ⊥ or φ_k is also in the
  conclusion part of (∆, φ);
- for each j > k, φ_j is in the conclusion part of (∆, φ).
Proof. The proof proceeds by induction on the order of the path.

Corollary 6.2.23 (Subformula property) Every formula occurring in a normal
deduction of G; ∆ ⊢ p:φ is a subformula of some formula occurring in ∆ ∪ {p:φ}.
Proof. Proceed by induction on the order of paths applying Lemma 6.2.21.

Corollary 6.2.24 (Separation Theorem) The only rules applied in a normal
deduction of G; ∆ ⊢ p:φ are relational rules and logical rules for connectives occurring
in formulas of ∆ and φ.
Proof. Consequence of the subformula property.

Theorem 6.2.25 (Consistency) The system NJLTL^ω is consistent.
Proof. Follows immediately from ⊢_{NJLTL^ω} p:φ ⟹ ⊨_LTL p:φ and from the
consistency of NKLTL^ω.
∎
Corollary 6.2.26 The system NJLTL is consistent.
Proof. Immediate from consistency of NJLTL^ω and from Proposition 6.1.6.
To establish constructive properties in the intuitionistic case we have to get rid
of useless applications of (ω).
Lemma 6.2.27 For any normal NKLTL^ω deduction Π there exists an equivalent normal
deduction Π' in which each occurrence of (ω) has a relational premise of infinite length.
Moreover if Π is an intuitionistic deduction, so is also Π'.

Proof. We inductively build a new proof replacing occurrences of (ω) whose relational
premise is of finite length n with their n-th logical premise. More precisely,
consider a subdeduction Σ of Π

                 [p = q]    [p R p_1][p_1 = q]
                   Π_0              Π_1
      p R* q       r:φ              r:φ          ...
    Σ = --------------------------------------------- (ω)
                            r:φ

with relational premise (p R* q) of finite length. Let G' be the set of relational
formulas discharged by some rule occurring in Π below Σ.
By Proposition 3.4.6 we can find two sequences s_0, ..., s_n and e_0, ..., e_n such
that G, G' ⊢ s_0 = p, e_n = q, s_i = e_i, s_j R e_{j+1} for all 0 ≤ i ≤ n and for all 0 ≤ j < n.
Now we can build a deduction Σ' equivalent to Σ as follows:

           [p R s_1] ... [s_{n-1} R s_n][s_n = q]
               Π_n{s_1/p_1, ..., s_n/p_n}
    Σ' =                 r:φ
                     ----------- (ρ)
                         r:φ

where (ρ) are relational rules discharging the assumptions p R s_1, s_1 R s_2, ...,
s_{n-1} R s_n, s_n = q.
∎
Remark 6.2.28 The analogue of the propositional disjunction property in temporal
logics does not hold directly; we have to strengthen the assumptions to consider
only proof contexts in which the connective ◇ does not appear.
This is due to the fact that we can prove intuitionistically ◇φ ⊃ φ ∨ ○◇φ, as
testified by the following deduction (only the first two premises of (ω) are shown):

                                            [q R* q]  [q:φ]
                                            --------------- (◇I)
                  [q = p]  [q:φ]             [p R q]   q:◇φ
                  -------------- (=)         ---------------- (○I)
                       p:φ                        p:○◇φ
                  ------------- (∨I)         ------------- (∨I)
     [p R* q]      p:φ ∨ ○◇φ                  p:φ ∨ ○◇φ            ...
     ------------------------------------------------------------------ (ω)
    p:◇φ                          p:φ ∨ ○◇φ
    ---------------------------------------------------------- (◇E)
                           p:φ ∨ ○◇φ
Corollary 6.2.29 (Disjunction Property) Let ∆ be such that no φ in ∆ contains
a strictly positive subformula with ∨ or ◇ as principal sign and let G be a set of
relational assumptions that does not contain the R* symbol.
If G; ∆ ⊢ p:φ_1 ∨ φ_2 then G; ∆ ⊢ p:φ_i, for some i ∈ {1, 2}.
Proof. Consider a normal deduction Π of G; ∆ ⊢ p:φ_1 ∨ φ_2; using Lemma 6.2.27
we can assume without loss of generality that the only occurrences of (ω) in Π have
a relational premise of infinite length.
By the property of normal deductions, the last segment of each main path must
be
- either a formula in ∆, but this is impossible since no formula in ∆ contains a
  strictly positive subformula with ∨ as principal sign;
- or the conclusion of an elimination rule, but also this is impossible since, by
  Lemma 6.2.22, this would imply that φ_1 ∨ φ_2 is in the conclusion part of ∆;
- or the conclusion of a (⊥E), but in this case we would have a deduction of
  G; ∆ ⊢ p:⊥ and trivially also a deduction for G; ∆ ⊢ p:φ_i;
- or the conclusion of an (∨I) rule.
So it is sufficient to consider the last case.
Now the only rules that may occur below such occurrence of (∨I) are indirect
rules, hence either a relational rule or (◇E) or (∨E). Applying Lemma 6.2.22 we
know that if (◇E) (respectively (∨E)) appears below (∨I), then ◇ψ (respectively
ψ_1 ∨ ψ_2) appears in the assumption part of (∆, φ_1 ∨ φ_2). Clearly, the main premise
of such indirect rules cannot be discharged by a rule below (∨I) (there are no
introduction rules below (∨I)), hence such premise (either ◇ψ or ψ_1 ∨ ψ_2) must be in
the conclusion part of ∆, contradicting the assumption.
So the only rules that may occur below (∨I) are relational rules; moreover these
must be different from (ω), since the only (ω) in Π have premises of infinite length
and no rule below (∨I) may discharge a premise of infinite length.
Summarizing, Π will be of shape

          Σ
        q:φ_i
    ------------ (∨I)
    q:φ_1 ∨ φ_2
    ------------ (ρ)
    p:φ_1 ∨ φ_2

where (ρ) are relational rules different from (ω).
Finally, proceeding by case analysis on the possible rules in (ρ), we immediately
build a new deduction

        Σ
      q:φ_i
    -------- (ρ)
      p:φ_i

proving G; ∆ ⊢ p:φ_i.
∎
Corollary 6.2.30 Let be such that no in contains a positive subformula with or 3 as principal sign, and let G be a set of relational assumptions that does not contain the R symbol. If G; p: 3 then G; p: #n , for some n.

Proof. Proceeding as in the first part of the proof of Corollary 6.2.29 we can conclude that the deduction is of shape

    [q R r]   r: 
    ------------- (3I)
        q: 3
    ------------- (∗)
        p: 3


where (∗) are relational rules different from (ω) and discharging the assumption q R r.
Now, apply Proposition 3.4.6 to find a pair of sequences q0, ..., qn, q0', ..., qn' and proceed by induction on n:
- for n = 0 we have that q and r are equal, so that we can prove q: ;
- from q_{n-1} R qn and qn equal to r we immediately have a proof of q_{n-1}: # and, applying the induction hypothesis, also a proof of q: #n .
Finally, using the relational rules (∗), from q: #n we obtain p: #n .

Corollary 6.2.31 (Existential property) Let be such that no in contains a positive subformula with 3 as principal sign, and let G be a set of relational assumptions that does not contain the R symbol. If p: 3 then p: #i1 p: #in , for some set of indices i1, ..., in.
Proof. The proof is similar to the proof of Corollary 4.3.9, using Corollary 6.2.30 instead of Corollary 4.3.8.
2

6.3

Elimination of ()

We now show that, under some conditions on the shape of the judgment G; p: , we can obtain a normal NKLTL deduction starting from a normal NKLTL deduction. The same fact can be proved both in the classical and in the intuitionistic case.
Proposition 6.3.1 Let G; p: be a provable judgment in the , , #, 2 fragment of NKLTL . Assume that 2 does not occur in the conclusion part of p: and that no assumption of shape p R p occurs in G. Then there exists a normal deduction of G; p: such that no occurrence of (ω) in it has a premise of infinite length.
Proof. By Proposition 6.2.12 there exists a normal proof of G; p: . By the assumptions on the connectives occurring in p: and by Lemma 6.2.22, we know that no (2I) may occur in it. This fact plus the assumption on G immediately gives that each relational formula in the proof is of finite length.
2
Corollary 6.3.2 Let G; p: be a provable judgment in the , , #, 2 fragment of NKLTL . Assume that 2 does not occur in the conclusion part of p: and that no assumption of shape p R p occurs in G. Then there exists a normal NKLTL deduction of p: .
Proof. Follows immediately from Proposition 6.3.1 and Lemma 6.2.27.


Proposition 6.3.3 Let G; p: be a provable judgment in NJLTL . Assume that 2 does not occur in the conclusion part of p: , that 3 does not occur in the assumption part of p: and that no assumption of shape p R p occurs in G. Then there exists a normal proof of G; p: such that no occurrence of (ω) in it has a premise of infinite length.
Proof. By Proposition 6.2.12 there exists a normal proof of G; p: . By the assumptions on the connectives occurring in G; p: and by Lemma 6.2.22, we know that no (2I) or (3E) may occur in it. This fact plus the assumption on G immediately gives that each relational formula in the proof is of finite length.
2
Corollary 6.3.4 Let G; p: be a provable judgment in NJLTL . Assume that 2 does not occur in the conclusion part of p: , that 3 does not occur in the assumption part of p: and that no assumption of shape p R p occurs in G. Then there exists a normal NJLTL deduction of G; p: .
Proof. Follows immediately from Proposition 6.3.3 and Lemma 6.2.27.

Chapter 7
Temporal calculus
Following ideas presented in [DP96] and in [Dav96], in this chapter we introduce a computational interpretation of the two modal operators of intuitionistic Small Temporal Logic. The resulting calculus is a proper extension of the simply typed lambda calculus, augmented with operators to deal with # and 2 types. Standard properties such as normalization and Church-Rosser are established for this new calculus.
We introduce a reduction semantics based on a staged reduction strategy. This strategy is then shown to be meaningful with respect to staged evaluation and code generation. Several correctness criteria for the strategy are investigated.
We add some basic types and recursion to our calculus, obtaining a core programming language with constructs for code generation and staged evaluation. Some examples are given to show the practical relevance of such a language.
Finally we compare the resulting language with other calculi implementing similar features.

7.1

Temporal λ-calculus

Starting from the natural deduction system NJSTLI , we introduce a term calculus
for the , #, 2 fragment of intuitionistic STL.
Definition 7.1.1 (Temporal λ-calculus) The sets of types and terms are inductively defined by the following clauses:

    σ ::= α | σ → σ | #σ | 2σ
    t ::= x | (λx.t) | t1 t2 | next(t) | prev(t) | box(t) | unbox(t)

where we use α to range over type variables, σ to range over types and x, t to range over variables and terms respectively.
We will tacitly rename bound variables, thus considering, instead of terms, equivalence classes of terms with respect to α-conversion (here denoted with ≡). We will denote with t{u/x} the standard substitution of term u for variable x in term t.


A variable declaration is a triple x: σ: p where x is a variable, σ a type and p a world variable.
A typing context is a pair G; Γ where G is a linear set of relational formulas (cf. Definition 3.6.4) and Γ is a set of variable declarations.
Type judgments are of the form G; Γ ⊢ t: σ: p where G; Γ is a typing context and t: σ: p is a typed term.
The formation rules for well typed terms are the following:

    G; Γ, x: σ: p ⊢ x: σ: p

    G, q R q'; Γ ⊢ t: σ: p
    ----------------------- (RD) E(q')
    G; Γ ⊢ t: σ: p

    G, q R q'; Γ ⊢ t: σ: p
    ----------------------- (R)
    G; Γ ⊢ t: σ: p

    G; Γ, x: σ: p ⊢ t: τ: p
    ----------------------- (→I)
    G; Γ ⊢ λx.t: σ → τ: p

    G; Γ ⊢ t: σ → τ: p     G; Γ ⊢ u: σ: p
    ------------------------------------- (→E)
    G; Γ ⊢ tu: τ: p

    G, p R q; Γ ⊢ t: σ: q
    ----------------------- (#I)
    G; Γ ⊢ next(t): #σ: p

    G, p R q; Γ ⊢ t: #σ: p
    ----------------------------- (#E)
    G, p R q; Γ ⊢ prev(t): σ: q

    G, p R q; Γ ⊢ t: σ: q
    ----------------------- (2I) E(q)
    G; Γ ⊢ box(t): 2σ: p

    G, p R q; Γ ⊢ t: 2σ: p
    ----------------------------- (2E)
    G, p R q; Γ ⊢ unbox(t): σ: q

where E(q) marks the eigenvariable condition on q, rule (RD) requires that for no q'' the formula q R q'' is in G, and rule (R) requires that either q R q' is in G, or q = q', or there exists q'' such that both q R q'' and q'' R q' are in G.
We will denote with T the set of terms that admit type derivation in some typing
context.
Definition 7.1.2 >β, ># and >2 are the minimal relations on T terms such that for each t, u:

    (λx.t)u >β t{u/x}
    prev(next(t)) ># t
    unbox(box(t)) >2 t

The reduction relations →β, →# and →2 on T terms are the smallest relations compatible with the operators of the temporal λ-calculus and containing respectively >β, ># and >2.
Finally take → as the union of →β, →# and →2. We will use ↠β, ↠#, ↠2 and ↠ to denote the reflexive transitive closure of →β, →#, →2 and → respectively. We will also use →+ to denote the transitive closure of →.
Observe that we are indeed defining terms as an encoding of NJSTLI deductions; for the sake of simplicity, however, we decided to erase some information of minor importance for the calculus. More precisely we can observe the following differences between a deduction and the corresponding term t:


- abstractions in t are not labelled with the types of the abstracted variables, i.e. the temporal λ-calculus is formulated à la Curry;
- t abstracts from the relational rules in the deduction, and this is made explicit in rules (RD) and (R), where the term in the conclusion is equal to the term in the premise. For the sake of conciseness we also choose to summarize rules (RI), (RT) and (R4) in the single rule (R);
- the world at which # elimination occurs is not present in the term. Such information is only apparently lost, since we are using a discrete linear order for R;
- the world at which 2 elimination occurs is not present in the term. We assume that unbox() always eliminates at a world determined by the surrounding context. For instance, if unbox(t) is of type σ at world p we know that the box resulting from t is eliminated at world p. It can easily be shown that, by using next() and prev(), we can recover the expressiveness of the logic.
Up to the differences shown above, the reductions in the temporal λ-calculus closely correspond to reductions in STL.
Lemma 7.1.3 (Generation Lemma)
Consider a relational context G = {p0 R p1, p1 R p2, ...}, a context Γ, a type σ and a world variable pk. Then for some τ, σ1, σ2 we have:

    G; Γ ⊢ x: σ: pk        ⟹  x: σ: pk ∈ Γ
    G; Γ ⊢ λx.t: σ: pk     ⟹  σ = σ1 → σ2 and G; Γ, x: σ1: pk ⊢ t: σ2: pk
    G; Γ ⊢ tu: σ: pk       ⟹  G; Γ ⊢ t: τ → σ: pk and G; Γ ⊢ u: τ: pk
    G; Γ ⊢ next(t): σ: pk  ⟹  σ = #τ and G; Γ ⊢ t: τ: pk+1
    G; Γ ⊢ prev(t): σ: pk  ⟹  k > 0 and G; Γ ⊢ t: #σ: pk-1
    G; Γ ⊢ box(t): σ: pk   ⟹  σ = 2τ and G, pk R q; Γ ⊢ t: τ: q
    G; Γ ⊢ unbox(t): σ: pk ⟹  G; Γ ⊢ t: 2σ: pk

Proof. Each statement can be proved by induction on the derivations. Here we consider the most interesting case.
Consider a derivation of G; Γ ⊢ next(t): σ: pk. We have two cases: either the last rule of the derivation is (#I) or the last rule is a relational rule. In the former case, the premise of the rule is a deduction of G; Γ ⊢ t: τ: pk+1 with σ = #τ. In the latter case we have a derivation of G', G; Γ ⊢ next(t): σ: pk and, by inductive hypothesis, also a derivation of G', G; Γ ⊢ t: τ: pk+1 where σ = #τ. Applying the same relational rule to the latter we immediately obtain G; Γ ⊢ t: τ: pk+1.
2
2


In order to further simplify the exposition, in the following we will assume a fixed relational context G = p0 R p1, p1 R p2, .... So instead of writing G; Γ ⊢ t: σ: p we will write only Γ ⊢ t: σ: p.
Proposition 7.1.4 (Subject Reduction) The temporal λ-calculus enjoys subject reduction, i.e.

    G; Γ ⊢ t: σ: p and t → u  ⟹  G; Γ ⊢ u: σ: p

Proof. Proceeding by induction on t, verify that for each t and u

    G; Γ ⊢ (λx.t)u: σ: p        ⟹  G; Γ ⊢ t{u/x}: σ: p
    G; Γ ⊢ prev(next(t)): σ: p  ⟹  G; Γ ⊢ t: σ: p
    G; Γ ⊢ unbox(box(t)): σ: p  ⟹  G; Γ ⊢ t: σ: p.

The statement then follows by induction on the derivation of t → u.

7.1.1

Strong Normalization

We now define a map from temporal λ-calculus terms to simply typed λ-calculus terms that we will use in the following to prove some properties of the calculus, in particular strong normalization.
Let T# and T2 be type variables not in the set of types of the temporal λ-calculus and x# and x2 variables not in the set of variables of the temporal λ-calculus. Define a map ⌜·⌝ that takes T types to simply typed λ-calculus types and temporal λ-calculus terms to simply typed λ-calculus terms:

    ⌜α⌝      = α
    ⌜σ → τ⌝  = ⌜σ⌝ → ⌜τ⌝
    ⌜#σ⌝     = T# → ⌜σ⌝
    ⌜2σ⌝     = T2 → ⌜σ⌝

    ⌜x⌝         = x
    ⌜λx.t⌝      = λx.⌜t⌝
    ⌜tu⌝        = ⌜t⌝⌜u⌝
    ⌜next(t)⌝   = λx#.⌜t⌝
    ⌜prev(t)⌝   = ⌜t⌝x#
    ⌜box(t)⌝    = λx2.⌜t⌝
    ⌜unbox(t)⌝  = ⌜t⌝x2

⌜·⌝ trivially extends to contexts via ⌜Γ⌝ = {x: ⌜σ⌝ | x: σ: p ∈ Γ}.
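The following Python program is an added example and is not part of the thesis: it encodes the terms of Definition 7.1.1 as tagged tuples, implements the three contractions of Definition 7.1.2 together with their compatible closure, computes full normal forms (the loop terminates by Theorem 7.1.9), and implements the map ⌜·⌝ defined above, so that Lemma 7.1.6 and Lemma 7.1.7 can be checked on concrete terms. The tuple encoding and every function name (subst, step, normalize, translate, alpha_eq) are our own choices; the reserved variables x# and x2 of the map are spelled "x#" and "x2".

```python
"""Added example (not from the thesis): terms, reductions and the map into the simply typed lambda-calculus."""
import itertools

_counter = itertools.count()

def fresh(base):
    """A variable name not used before (renaming for alpha-conversion)."""
    return f"{base}_{next(_counter)}"

# Term encoding (ours): ("var", x) | ("lam", x, t) | ("app", t, u)
# | ("next", t) | ("prev", t) | ("box", t) | ("unbox", t)
def var(x): return ("var", x)
def lam(x, t): return ("lam", x, t)
def app(t, u): return ("app", t, u)
def nxt(t): return ("next", t)
def prev(t): return ("prev", t)
def box(t): return ("box", t)
def unbox(t): return ("unbox", t)

def free_vars(t):
    if t[0] == "var": return {t[1]}
    if t[0] == "lam": return free_vars(t[2]) - {t[1]}
    if t[0] == "app": return free_vars(t[1]) | free_vars(t[2])
    return free_vars(t[1])

def subst(t, x, u):
    """Capture-avoiding t{u/x}: a binder clashing with fv(u) is renamed first."""
    if t[0] == "var": return u if t[1] == x else t
    if t[0] == "app": return app(subst(t[1], x, u), subst(t[2], x, u))
    if t[0] == "lam":
        y, body = t[1], t[2]
        if y == x: return t
        if y in free_vars(u):                # rename y so that u is not captured
            z = fresh(y); y, body = z, subst(body, y, var(z))
        return lam(y, subst(body, x, u))
    return (t[0], subst(t[1], x, u))

def contract(t):
    """A contraction of Definition 7.1.2 at the root: (reduct, kind) or None."""
    if t[0] == "app" and t[1][0] == "lam":
        return subst(t[1][2], t[1][1], t[2]), "beta"
    if t[0] == "prev" and t[1][0] == "next":
        return t[1][1], "next"
    if t[0] == "unbox" and t[1][0] == "box":
        return t[1][1], "box"
    return None

def step(t):
    """One step of the compatible closure, leftmost-outermost; None if t is normal."""
    r = contract(t)
    if r is not None or t[0] == "var": return r
    if t[0] == "lam":
        r = step(t[2]); return (lam(t[1], r[0]), r[1]) if r else None
    if t[0] == "app":
        r = step(t[1])
        if r: return app(r[0], t[2]), r[1]
        r = step(t[2]); return (app(t[1], r[0]), r[1]) if r else None
    r = step(t[1]); return ((t[0], r[0]), r[1]) if r else None

def normalize(t):
    """Normal form and the kinds of contraction used. Terminates by strong
    normalization (Theorem 7.1.9); the result is unique by Theorem 7.1.16."""
    kinds = []
    while (r := step(t)) is not None:
        t, kind = r
        kinds.append(kind)
    return t, kinds

X_NEXT, X_BOX = "x#", "x2"   # the two reserved variables of the map

def translate(t):
    """The map into the simply typed lambda-calculus: next/box become
    abstractions over x#/x2, prev/unbox become applications to them."""
    tag = t[0]
    if tag == "var": return t
    if tag == "lam": return lam(t[1], translate(t[2]))
    if tag == "app": return app(translate(t[1]), translate(t[2]))
    if tag == "next": return lam(X_NEXT, translate(t[1]))
    if tag == "prev": return app(translate(t[1]), var(X_NEXT))
    if tag == "box": return lam(X_BOX, translate(t[1]))
    return app(translate(t[1]), var(X_BOX))

def alpha_eq(t, u, env=()):
    """Syntactic equality up to renaming of bound variables."""
    if t[0] != u[0]: return False
    if t[0] == "var":
        for a, b in env:                     # innermost binder first
            if t[1] == a or u[1] == b: return t[1] == a and u[1] == b
        return t[1] == u[1]
    if t[0] == "lam": return alpha_eq(t[2], u[2], ((t[1], u[1]),) + env)
    if t[0] == "app": return alpha_eq(t[1], u[1], env) and alpha_eq(t[2], u[2], env)
    return alpha_eq(t[1], u[1], env)
```

Running normalize on (λx.unbox(x)) box(λv.v) performs a β contraction followed by a 2 contraction and returns λv.v; applying translate first and normalizing in the simply typed calculus performs two β contractions and reaches the translation of the same normal form, which is the content of Lemma 7.1.7 on this term.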


Lemma 7.1.5 The map ⌜·⌝ preserves types; more precisely

    G; Γ ⊢ t: σ: p  ⟹  ⌜Γ⌝, x#: T#, x2: T2 ⊢ ⌜t⌝: ⌜σ⌝

where ⊢ at the right of the implication denotes the typing relation of the simply typed lambda calculus.
Proof. We build a derivation of ⌜Γ⌝, x#: T#, x2: T2 ⊢ ⌜t⌝: ⌜σ⌝ proceeding by induction on the size of the derivation of G; Γ ⊢ t: σ: p.
- If the derivation of t: σ: p concludes with an axiom, then t = x and x: σ: p ∈ Γ, so, immediately applying the axiom rule of the simply typed λ-calculus, ⌜Γ⌝ ⊢ x: ⌜σ⌝.
- If the derivation of t: σ: p concludes with (Rel), we have as premise a derivation of G, G'; Γ ⊢ t: σ: p, hence, by induction hypothesis, also a derivation of ⌜Γ⌝ ⊢ ⌜t⌝: ⌜σ⌝.
- If the derivation of t: σ concludes with (#I), we have σ = #τ, t = next(u) and as premise a derivation of G, p R q; Γ ⊢ u: τ: q. By inductive hypothesis ⌜u⌝: ⌜τ⌝ and, using (→I), also ⌜t⌝: ⌜σ⌝.
The remaining cases are similar.
2
Lemma 7.1.6 For any T terms t and u

    ⌜t{u/x}⌝ ≡ ⌜t⌝{⌜u⌝/x}

Proof. By induction on t.
- if t = x we have ⌜t{u/x}⌝ = ⌜u⌝ = ⌜t⌝{⌜u⌝/x};
- if t = y with x ≠ y then ⌜t{u/x}⌝ = ⌜t⌝ = ⌜t⌝{⌜u⌝/x};
- if t = λx.t0, we have
    ⌜t{u/x}⌝ = ⌜t⌝ = λx.⌜t0⌝ = (λx.⌜t0⌝){⌜u⌝/x} = ⌜t⌝{⌜u⌝/x}
- if t = λy.t0, we choose a variable z not occurring in t or u and obtain
    ⌜t{u/x}⌝ = ⌜(λz.t0{z/y}){u/x}⌝ = ⌜λz.t0{z/y}{u/x}⌝
             = λz.⌜t0{z/y}{u/x}⌝ ≡ λz.⌜t0{z/y}⌝{⌜u⌝/x}
             = ⌜λz.t0{z/y}⌝{⌜u⌝/x} ≡ ⌜t⌝{⌜u⌝/x}
  where the fourth equality is given by the inductive hypothesis;
- the remaining cases follow similarly.

Lemma 7.1.7 The map ⌜·⌝ preserves reductions; more precisely, given T terms t and u,

    t → u  ⟹  ⌜t⌝ → ⌜u⌝

where → on the right of the implication denotes reduction in the simply typed λ-calculus.


Proof. We build a derivation of ⌜t⌝ → ⌜u⌝ proceeding by induction on the derivation of t → u.
For the base cases we have three possibilities:
- if t >β u, it must be t = (λx.t0)t1 and so, by Lemma 7.1.6,
    ⌜t⌝ = (λx.⌜t0⌝)⌜t1⌝ >β ⌜t0⌝{⌜t1⌝/x} = ⌜t0{t1/x}⌝ = ⌜u⌝
- if t ># u, it must be t = prev(next(t0)) and so
    ⌜t⌝ = (λx#.⌜t0⌝)x# >β ⌜t0⌝ = ⌜u⌝
- if t >2 u, it must be t = unbox(box(t0)) and so
    ⌜t⌝ = (λx2.⌜t0⌝)x2 >β ⌜t0⌝ = ⌜u⌝
If t is not itself a redex we still have several cases according to the outermost operator in t. Consider for instance the case t = λx.t0, u = λx.u0 and t0 → u0. By induction hypothesis ⌜t0⌝ → ⌜u0⌝ and so also
    ⌜t⌝ = (λx.⌜t0⌝) → (λx.⌜u0⌝) = ⌜u⌝
The remaining cases are similar.

For the sake of completeness we also prove the converse.

Lemma 7.1.8 Given a well typed T term t and terms M, N with ⌜t⌝ = M,

    M → N  ⟹  there exists u such that ⌜u⌝ = N and t → u

where → on the left of the implication denotes reduction in the simply typed λ-calculus.
Proof. We define u and a derivation of t → u proceeding inductively on the derivation of M → N.
The basic case is given by M >β N; then M = (λx.M1)M2, N = M1{M2/x}, and we can have the following cases:
- t = (λx.t1)t2 with ⌜t1⌝ = M1 and ⌜t2⌝ = M2; then we can take u = t1{t2/x} and obviously t >β u;
- t = prev(next(t1)) with ⌜t1⌝ = M1 and M2 = x#; then we can take u = t1 and we have t ># u;
- t = unbox(box(t1)) with ⌜t1⌝ = M1 and M2 = x2; then we can take u = t1 and we have t >2 u.


If M is not itself a redex, proceed by cases on the structure of t.

Theorem 7.1.9 (Strong Normalization) The temporal λ-calculus is strongly normalizing.

Proof. Assume by contradiction that there exists an infinite sequence of terms t0, t1, ... in T such that t0 → t1 → ···; then by Lemma 7.1.7 we also have ⌜t0⌝ → ⌜t1⌝ → ···, contradicting the strong normalization of the simply typed lambda calculus.
2

7.1.2

Confluence

In the following we sketch the proof of the Church-Rosser property. Since the technique is completely standard we will skip most details.
Lemma 7.1.10 →β, →# and →2 are substitutive, i.e. for all t, t', u:

    t →β t'  ⟹  t{u/x} →β t'{u/x}
    t →# t'  ⟹  t{u/x} →# t'{u/x}
    t →2 t'  ⟹  t{u/x} →2 t'{u/x}

Proof. The proof for →β can be found in [TS96]; the proofs for →# and →2 are essentially equal. Here we sketch the # case.
Proceed by induction on the size of the derivation of t →# t'. If t ># t', then t = prev(next(t')) and clearly t{u/x} = prev(next(t'{u/x})) ># t'{u/x}.
If t is not itself a redex proceed by case analysis on t. For instance if t = box(t0), t' = box(t0') with t0 →# t0', by inductive hypothesis t0{u/x} →# t0'{u/x} and immediately t{u/x} = box(t0){u/x} →# box(t0'){u/x} = t'{u/x}.
2
Lemma 7.1.11 → is weakly Church-Rosser, i.e. for all t, t', t''

    t → t' and t → t''  ⟹  there exists u such that t' ↠ u and t'' ↠ u

Proof. A proof can be obtained by a trivial extension of the standard proof for the simply typed λ-calculus (see [TS96]).
2
Lemma 7.1.12 →# and →2 are weakly Church-Rosser, i.e. for all t, t', t''

    t →# t' and t →# t''  ⟹  there exists u such that t' ↠# u and t'' ↠# u
    t →2 t' and t →2 t''  ⟹  there exists u such that t' ↠2 u and t'' ↠2 u

Proof. The proof of the second statement is equal to the proof of the first statement up to renaming of prev(next()) redexes into unbox(box()) redexes. So we consider only the first statement.
The case in which the redexes are disjoint is trivial; in the other case we can assume without loss of generality t = prev(next(t')) (the remaining cases are easily handled by induction on t). Then we have either t'' = t', and so we can take u = t' = t'', or t'' = prev(next(s)) with t' →# s, and so we can take u = s.
2


Lemma 7.1.13 →β, →# and →2 commute with each other, i.e. for all t, t', t''

    t ↠β t' and t ↠# t''  ⟹  there exists u such that t' ↠# u and t'' ↠β u
    t ↠β t' and t ↠2 t''  ⟹  there exists u such that t' ↠2 u and t'' ↠β u
    t ↠2 t' and t ↠# t''  ⟹  there exists u such that t' ↠# u and t'' ↠2 u

Proof. To prove each of the statements it is sufficient to prove the weaker

    t →1 t' and t →2 t''  ⟹  there exists u such that t' ↠2 u and t'' ↠1 u

for each pair (1, 2) of reduction relations; since every reduction is strongly normalizing, the usual Newman-style induction lifts this local commutation to the statements above. The local statement can be easily proved using the substitutivity of →β, →# and →2. The three statements can be proved in similar ways; here we prove explicitly only the first one.
As usual, if t' and t'' are obtained by contraction of disjoint redexes we can obtain u by contracting both redexes. Let us consider the remaining cases:
- if t = (λx.t0)t1, t' = t0{t1/x} and t'' = (λx.t0')t1, we can take u = t0'{t1/x}; indeed, by substitutivity of →#, from t0 →# t0' we also have t0{t1/x} →# t0'{t1/x};
- if t = (λx.t0)t1, t' = t0{t1/x} and t'' = (λx.t0)t1', we can take u = t0{t1'/x}; indeed, it is easily seen by induction on t0 that t0{t1/x} ↠# t0{t1'/x};
- if t = prev(next(t')) and t'' = prev(next(s)) with t' →β s, simply take u = s;
- in the remaining cases we can proceed by induction on t.

Lemma 7.1.14 (Hindley-Rosen) Let R1 and R2 be two relations on a set X. If R1 commutes with itself, R2 commutes with itself and R1 commutes with R2, then R1 ∪ R2 is Church-Rosser.
Proof. See [Bar91].

Lemma 7.1.15 (Newman) If R is strongly normalizing and weakly Church-Rosser then R is Church-Rosser.
Proof. See [Bar91].

Theorem 7.1.16 (Church-Rosser) → enjoys the Church-Rosser property.

Proof. By weak confluence of →β, →# and →2 and by strong normalization, an application of Newman's lemma yields confluence of →β, →# and →2. From Lemma 7.1.13 and the confluence of →β, →# and →2 we obtain the thesis using the Hindley-Rosen lemma.
2

7.2

Multi stage Interpretation


In recent years several works ([Dav96, DP96, Dan96, DP99, GJ97, MTES99, TS00, WLPD98]) have addressed the problems related to multi-staged evaluation and code generation.
The motivations leading to such paradigms are mainly applicative: several computing activities are naturally organized in stages, and computing in such stages often requires the execution of code generated in previous stages.
Typical examples are the following:
- compilation may be seen as a process carried out in two stages. In the first stage a grammar is given as input to a compiler generator. The output of the first computation is code for a compiler that, in a second stage, is evaluated with a source language input. Finally evaluation of the target code is performed in a third stage.
- partial evaluation is another activity involving more than one evaluation stage. Suppose we are given a program P computing a function f: X × Y → Z; it can be the case that P will be evaluated many times with a first input x: X known a priori. We can then specialize P on the first input to a more efficient program Px computing f(x). Also in this case the computation takes place in two stages and the first one involves code generation.
- macros in programming languages can also be seen as a computation performed during compilation. Among the languages in which macros are most extensively used we have LISP (see [Sus82]) and Scheme (see [ADH+98]). In these two untyped languages the distinction between code and data is blurred and it is possible to build at runtime expressions whose evaluation will be delayed. In particular in Scheme a pair of operators can be used to prevent evaluation of expressions (quoting) and to substitute expression values within quoted expressions (unquoting).
  These mechanisms are expressive enough to tackle most issues arising from staged evaluation. Nevertheless the lack of a type system leaves the whole responsibility for the well-formedness of expressions on the programmer, making the construction of multi-staged programs particularly difficult. Other problems with these languages arise from the fact that quoted expressions do not behave correctly with respect to equivalence, i.e. within quoted expressions the so-called hygienic substitution is not implemented. For a thorough introduction to Scheme as a staged language see [].
From such scenarios comes quite naturally the need for a language in which the whole computation can be formally described with a uniform, clean methodology. The system underlying this programming language should provide means to specify


the order in which evaluation of program fragments takes place and moreover provide means to describe code generation and evaluation.
Such a language can be seen both as a programming language in which the programmer specifies the computation steps with the aid of the type system, and as an intermediate low-level language used for instance by binding time analyzers. In the following we will focus on the first application.

7.2.1

Interpretation of modal types

We now discuss a computational interpretation of the two modalities of the temporal λ-calculus. From the theoretical point of view this extends the Curry-Howard isomorphism to a significant fragment of temporal logic; from the practical point of view this gives directions for the design of programming languages for multi-staged computation.
We consider the type 2σ as the type of code that evaluates to values of type σ. The axiomatization of S4 fits perfectly in this setting, since we have:
- Necessitation: from σ we can derive 2σ; this can be interpreted as the possibility of building code from a closed expression. Obviously this is not possible for an open expression, and this guarantees that code does not depend on the context in which it is built.
- Axiom K: 2(σ → τ) → 2σ → 2τ gives us the possibility of composing code, i.e. given code for a function and code for its argument we can compose the two to obtain code for the result.
- Reflexivity: 2σ → σ gives the possibility of evaluating code of type 2σ to obtain values of type σ.
- Transitivity: 2σ → 22σ gives the possibility of building code whose evaluation results in code.
We interpret the type #σ as a specification of the time at which a value of type σ will be available. Assuming that the computation proceeds in stages and that these stages are linearly ordered, the world variables in type judgments give a convenient way to refer to such stages. Again, the axioms for # in STL fit well in this interpretation:
- Axiom K: #(σ → τ) → #σ → #τ, interpreted as: terms living in the same stage can be freely composed.
- Linearity: (#σ → #τ) → #(σ → τ), interpreted as the possibility to delay computation pertaining to later stages.
Finally the interplay between the modalities reflects the execution model we are describing; indeed, from 2σ → #^n 2σ, we have that code can be used at any stage.

7.2.2

Reduction Semantics

We now give a call by value reduction semantics in which a term t is reduced to a value v that can be either a value for this stage or a term whose evaluation should continue in the next stage. In the latter case the value v will be of the form next(t') and t' will be the continuation for the next stage.
From the considerations above, it follows that the definition of values has to be given with respect to the stage in which the term lives. It is clear that a λ-redex must be reduced if it occurs at the initial stage but not if it occurs in a later stage. So we divide values according to the level at which they live.
Definition 7.2.1 (Values) The set of values V is the subset of well typed terms given by the union of Vi, i ∈ N, where the sets Vi are defined by induction as follows:

    V0    ::= λx.t | next(v1) | box(t)
    V1    ::= x | λx.t | v1 v1 | next(v2) | box(t) | unbox(v1)
    Vn+1  ::= x | λx.t | vn+1 vn+1 | next(vn+2) | box(t) | unbox(vn+1) | prev(vn)

where n > 0, vi ranges over Vi and t ranges over T. Variables are values at every stage greater than 0, as required by the variable rule of Definition 7.2.5 below.


In principle the substitution of code for variables is a different action from the substitution of other values for variables. A machine implementing code emission should probably perform several specific actions related to code management when pasting code within other code and within evaluation constructs. In particular box and unbox statements occurring in terms to specify code boundaries should be eliminated as soon as they are not needed any more.
To deal with this aspect of evaluation we explicitly define a notion of substitution for code.
Definition 7.2.2 (Code Substitution) The substitution of code u within t in place of x is denoted t[u/x] and is defined as

    t[u/x] = t{y/unbox(x)}{u/x}{u'/y}   if u = box(u')
    t[u/x] = t{u/x}                     otherwise

where y is a variable occurring free neither in t nor in u and, with abuse of notation, we write t{y/unbox(x)} for the natural extension of the operation t{y/x} to the replacement of the subterm unbox(x).
In words, if u = box(u') for some u', t[u/x] is obtained by replacing each occurrence of unbox(x) with u' and each other occurrence of x with box(u').
In the previous definition, in order to keep things simple, we also considered the case in which x occurs free in u; nevertheless in the following we will never need to consider such a case.


Observation 7.2.3 Given T terms t and u, we have either

    t[u/x] = t{u/x}   or   t{u/x} ↠2 t[u/x]

This can be proved easily from the definition of code substitution.
Lemma 7.2.4 (Substitution Lemma) Assuming Γ ⊢ u: σ: p and Γ, x: σ: p ⊢ t: τ: q we have

    Γ ⊢ t[u/x]: τ: q

Proof. Follows immediately from the substitution lemma for the standard substitution, from Observation 7.2.3 and from Proposition 7.1.4.
2
Finally we are ready to define the reduction semantics. We will use a natural semantics (for more details see [Gun92]).
Definition 7.2.5 (Staged Reductions) The family of reduction relations {⇓n | n ∈ N} is inductively defined by the following rules:

Stage 0:

    λx.t ⇓0 λx.t          box(t) ⇓0 box(t)

    t ⇓0 λx.t'    u ⇓0 u'    t'[u'/x] ⇓0 s
    --------------------------------------
                  tu ⇓0 s

    t ⇓0 box(u)    u ⇓0 u'
    -----------------------
        unbox(t) ⇓0 u'

          t ⇓1 u
    --------------------
    next(t) ⇓0 next(u)

Stage n + 1:

    x ⇓n+1 x          box(t) ⇓n+1 box(t)

         t ⇓n+1 u
    -------------------
    λx.t ⇓n+1 λx.u

    t ⇓n+1 t'    u ⇓n+1 u'
    ----------------------
        tu ⇓n+1 t'u'

           t ⇓n+2 u
    ----------------------
    next(t) ⇓n+1 next(u)

      t ⇓0 next(u)
    -----------------
      prev(t) ⇓1 u

           t ⇓n+1 u
    ----------------------
    prev(t) ⇓n+2 prev(u)

            t ⇓n+1 u
    ------------------------
    unbox(t) ⇓n+1 unbox(u)

Some observations about the rules are in order. First we can divide the evaluation rules according to the stage they pertain to. As a first approximation, at stage 0 we deal with unquoted terms (not within next()), whereas at stages greater than 0 we deal with quoted terms (within some number of next()).
We can easily see that β reductions occur only at stage 0, # reductions occur only at stage 1, whereas 2 reductions may occur at level 0 or at any other level if triggered by a β reduction.
We briefly discuss the two groups of rules.

Stage 0: the λ fragment of the calculus is treated as in the standard reduction semantics for the call by value λ-calculus. The only difference is due to code substitution, which permits the reduction of unbox(box()) redexes resulting from the evaluation of an application. Observe that if unbox(box(u)) is already a subterm of either t or t', it is not reduced by the evaluation of tt'. As usual we do not have a rule for the evaluation of variables.
Moreover we have rules for the evaluation of 2 redexes but no rules for the evaluation of # redexes; indeed in a well typed term we cannot have a prev(next()) redex at level 0.

Stage n + 1: the rules for λ and for application evaluate their subterms and rebuild a term from the results of the evaluations. This is needed since occurrences of prev() in the term could lower the level to 0 and require in this way the evaluation of subterms.
The same approach is taken to deal with the unbox() operator, whereas terms quoted by a box() operator are left unevaluated.
Observe that we now need a rule for variables, since at stages greater than 0 we evaluate under lambdas; consider for instance the evaluation of the term next(λx.x).
Finally we deal with next() (prev()) either raising (lowering) the evaluation index, or reducing a # redex when at stage 1.
In the following we will also use the more standard notation t ⇓ u instead of t ⇓0 u.
0

Example 7.2.6 By the previous description it is clear that the temporal reduction strategy permits the evaluation of terms under abstractions by two different mechanisms:
- using the construct prev() when the λ is quoted by a next() construct. For instance, assuming t is a term such that t ⇓ next(u), then the redexes in t are reduced when evaluating next(λx.prev(t)):

                 t ⇓0 next(u)
              ------------------
                prev(t) ⇓1 u
          --------------------------
           λx.prev(t) ⇓1 λx.u
      ------------------------------------
       next(λx.prev(t)) ⇓0 next(λx.u)

  In this case we have a reduction for the prev(next(t)) redex plus any reduction resulting from the evaluation of t at stage 0.


- using code substitution when a β reduction involves a code object. For instance

    (λx.λy.unbox(x)) ⇓ (λx.λy.unbox(x))    box(t) ⇓ box(t)    (λy.unbox(x))[box(t)/x] ⇓ λy.t
    ------------------------------------------------------------------------------------------
                                  (λx.λy.unbox(x)) box(t) ⇓ λy.t

  since (λy.unbox(x))[box(t)/x] = λy.t.
  In this case we have only the reduction of the temporal redexes resulting from code being substituted in place of a variable within an unbox construct.
2
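The following Python program is an added example and is not part of the thesis: it implements code substitution as in Definition 7.2.2, membership in the value sets of Definition 7.2.1, and the staged reduction relation ⇓n of Definition 7.2.5 as a recursive evaluator; it then reproduces both cases of Example 7.2.6 and shows the reading of axioms K and T from Section 7.2.1 (composing two pieces of code without running them, then running the result). The tuple encoding, the Stuck exception and all function names are our own; plain substitution assumes that bound variables are distinct from the free variables of the substituted term, which the thesis' tacit renaming of bound variables guarantees; the particular terms used in the examples are chosen by us.

```python
"""Added example (not from the thesis): code substitution, values and staged reduction."""

# Term encoding (ours): ("var", x) | ("lam", x, t) | ("app", t, u)
# | ("next", t) | ("prev", t) | ("box", t) | ("unbox", t)

def subst(t, x, u):
    """Plain t{u/x}. Assumes bound variables of t are distinct from fv(u)
    (the thesis renames bound variables tacitly), so no capture can occur."""
    if t[0] == "var": return u if t[1] == x else t
    if t[0] == "lam": return t if t[1] == x else ("lam", t[1], subst(t[2], x, u))
    if t[0] == "app": return ("app", subst(t[1], x, u), subst(t[2], x, u))
    return (t[0], subst(t[1], x, u))

def code_subst(t, x, u):
    """t[u/x] of Definition 7.2.2: when u = box(u'), every unbox(x) receives u'
    directly and every other occurrence of x receives box(u'); otherwise t{u/x}."""
    if u[0] != "box":
        return subst(t, x, u)
    body = u[1]
    def go(s):
        if s[0] == "unbox" and s[1] == ("var", x): return body
        if s[0] == "var": return u if s[1] == x else s
        if s[0] == "lam": return s if s[1] == x else ("lam", s[1], go(s[2]))
        if s[0] == "app": return ("app", go(s[1]), go(s[2]))
        return (s[0], go(s[1]))
    return go(t)

def is_value(t, k):
    """Membership in V_k (Definition 7.2.1); variables count as values for k > 0,
    matching the variable rule of stage n+1."""
    tag = t[0]
    if tag in ("lam", "box"): return True
    if tag == "var": return k > 0
    if tag == "next": return is_value(t[1], k + 1)
    if k == 0: return False                        # no application, unbox or prev in V_0
    if tag == "app": return is_value(t[1], k) and is_value(t[2], k)
    if tag == "unbox": return is_value(t[1], k)
    return k >= 2 and is_value(t[1], k - 1)        # prev(v_n) belongs to V_{n+1} for n > 0

class Stuck(Exception):
    """No rule of Definition 7.2.5 applies (impossible for closed well typed terms)."""

def evaluate(t, k=0):
    """Return u with t ⇓k u, following the rules of Definition 7.2.5."""
    tag = t[0]
    if k == 0:
        if tag in ("lam", "box"): return t
        if tag == "app":
            f, arg = evaluate(t[1], 0), evaluate(t[2], 0)
            if f[0] != "lam": raise Stuck(t)
            return evaluate(code_subst(f[2], f[1], arg), 0)   # code substitution here
        if tag == "unbox":
            c = evaluate(t[1], 0)
            if c[0] != "box": raise Stuck(t)
            return evaluate(c[1], 0)                           # run the code
        if tag == "next": return ("next", evaluate(t[1], 1))  # raise the stage
        raise Stuck(t)                                          # variables, prev() at stage 0
    if tag in ("var", "box"): return t
    if tag == "lam": return ("lam", t[1], evaluate(t[2], k))  # evaluate under the binder
    if tag == "app": return ("app", evaluate(t[1], k), evaluate(t[2], k))
    if tag == "next": return ("next", evaluate(t[1], k + 1))
    if tag == "unbox": return ("unbox", evaluate(t[1], k))
    if k == 1:                                                  # prev(next(u)) contracts at stage 1
        v = evaluate(t[1], 0)
        if v[0] != "next": raise Stuck(t)
        return v[1]
    return ("prev", evaluate(t[1], k - 1))                      # otherwise lower the stage

def gets_stuck(t, k=0):
    """True when no rule applies to t at stage k."""
    try:
        evaluate(t, k)
        return False
    except Stuck:
        return True

def example_7_2_6():
    """Both cases of Example 7.2.6 with t = (λz.z) next(x), so that t ⇓0 next(x)."""
    t = ("app", ("lam", "z", ("var", "z")), ("next", ("var", "x")))
    first = evaluate(("next", ("lam", "x", ("prev", t))))
    code = ("box", ("lam", "v", ("var", "v")))
    second = evaluate(("app", ("lam", "x", ("lam", "y", ("unbox", ("var", "x")))), code))
    return first, second

def axiom_k_example():
    """Axiom K as the term λf.λa.box(unbox(f) unbox(a)): composes two pieces of code
    without running them; unbox (axiom T) then runs the composed code."""
    k = ("lam", "f", ("lam", "a", ("box", ("app", ("unbox", ("var", "f")), ("unbox", ("var", "a"))))))
    f_code = ("box", ("lam", "v", ("var", "v")))
    a_code = ("box", ("lam", "w", ("var", "w")))
    composed = evaluate(("app", ("app", k, f_code), a_code))
    return composed, evaluate(("unbox", composed))
```

The first case of Example 7.2.6 yields next(λx.x): the β redex inside prev is reduced at stage 0 even though it sits under a λ. The second yields λy.λv.v, obtained purely by code substitution, whereas plain substitution would leave the unbox(box(λv.v)) redex in place. In axiom_k_example the composed code is box((λv.v)(λw.w)), a value whose body is not evaluated until it is unboxed.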
Proposition 7.2.7 Each relation ⇓n is a reduction strategy, i.e. for each t and u

    t ⇓n u  ⟹  t ↠ u

Proof. We proceed by induction on the depth of the derivation of t ⇓n u.
In the base case the derivation consists of a single rule; then t = u and obviously t ↠ u.
For the inductive case proceed by inspection of the last rule of the derivation:
- if the last rule is the application rule at level 0 we have t = t1 t2 and
    t1 ⇓ λx.t1'    t2 ⇓ t2'    t1'[t2'/x] ⇓ u
  By inductive hypothesis we also have
    t1 ↠ λx.t1'    t2 ↠ t2'    t1'[t2'/x] ↠ u
  Hence by Observation 7.2.3
    t = t1 t2 ↠ (λx.t1')t2' →β t1'{t2'/x} ↠2 t1'[t2'/x] ↠ u
- if the last rule is the prev() rule at level 1 we have t ⇓0 next(u) and, by inductive hypothesis, also t ↠ next(u); therefore
    prev(t) ↠ prev(next(u)) →# u
- if the last rule is the unbox() rule at level 0 we have t ⇓0 box(u), u ⇓0 u' and, by inductive hypothesis, also t ↠ box(u), u ↠ u'. Hence
    unbox(t) ↠ unbox(box(u)) →2 u ↠ u'
- the proof for the remaining rules follows the same pattern used in the previous cases, simply using the inductive hypothesis.
2
The converse does not hold. Consider t = λx.((λy.y)x) and u = λx.x; since both t and u are values, we have t ⇓ t and u ⇓ u, whereas t → u. This mismatch is essentially due to the fact that → is defined as a compatible relation with respect to the operators of the temporal λ-calculus, so we can reduce under each context.


7.2.3

Correctness criteria

Here we investigate some properties of the staged reduction semantics. These will give some insight into the relevance of the staged reduction strategy for staged evaluation.
Corollary 7.2.8 (Subject Reduction) Given a T term t and a context Γ such that Γ ⊢ t: σ: p,

    t ⇓n u  ⟹  Γ ⊢ u: σ: p

Proof. Follows easily from Observation 7.2.3 and from the fact that → enjoys subject reduction.
2
The next lemma shows that the definition of value at stage k agrees with the reduction relation ⇓k.

Lemma 7.2.9 (Value Lemma) For each t, u ∈ T, t ⇓k u ⟹ u ∈ Vk.

Proof. We proceed by induction on the derivation of t ⇓k u.
If the derivation of t ⇓k u consists of a single rule, then u must be either x or λx.u' or box(u'), and we have immediately u ∈ Vk.
For the other cases we have the following possibilities:
- if t = t0 u0 and k = 0, we also have derivations of t0 ⇓0 λx.t0', u0 ⇓0 u0' and t0'[u0'/x] ⇓0 u. By inductive hypothesis, the last derivation gives us u ∈ V0;
- if t = next(t0) and k = 0, we also have a derivation of t0 ⇓1 u0 and by inductive hypothesis we have u0 ∈ V1. By definition of V0, immediately u = next(u0) ∈ V0;
- if t = unbox(t0) and k = 0, we also have derivations for t0 ⇓0 box(u0) and for u0 ⇓0 u. By inductive hypothesis on the second premise, u ∈ V0;
- if t = prev(t0) and k = 1, we also have a derivation of t0 ⇓0 next(u), so by inductive hypothesis next(u) ∈ V0 and by definition of V0, u ∈ V1;
- the remaining cases follow immediately by inductive hypothesis and by definition of values.
2
Remember that we work in the fixed relational context G = {p0 R p1, p1 R p2, ...}. The following proposition relates the static semantics with the dynamic semantics. It shows that, given a term t, if its evaluation involves the evaluation of a subterm u at stage k, then u is typed at world pk. This also justifies our abuse of the word stage when referring to world variables.


Proposition 7.2.10 Consider a T term t and a context Γ with Γ ⊢ t: σ: pk. Consider also a derivation of t ⇓k u; then for each t' ⇓h u' occurring in the derivation there exists a context Γ' such that Γ, Γ' ⊢ t': σ': ph. Moreover Γ' does not contain variables at p0.
Proof. We proceed by induction on the derivation.
If the derivation is the trivial one there is nothing to prove.
Consider now the case in which the derivation is not trivial; we show that for each premise t' ⇓h u' of its last rule there exists Γ' such that Γ, Γ' ⊢ t': σ': ph for some σ'. Moreover such a Γ' does not contain variable declarations at p0.
So let us consider the possible last rules:
- if t = t0 u0 and k = 0, then we have the premises t0 ⇓0 t0', u0 ⇓0 u0' and t0'[u0'/x] ⇓0 u. By Lemma 7.1.3, there exists τ such that Γ ⊢ t0: τ → σ: p0 and Γ ⊢ u0: τ: p0. For the last premise, we have by Proposition 7.1.4 and by Lemma 7.2.4, Γ ⊢ t0'[u0'/x]: σ: pk;
- if t = λx.t0 and k > 0, we have the premise t0 ⇓k u0. By Lemma 7.1.3 there exist σ1, σ2 such that σ = σ1 → σ2 and Γ, x: σ1: pk ⊢ t0: σ2: pk;
- if t = unbox(t0) and k = 0, we have the premises t0 ⇓0 box(u0) and u0 ⇓0 u. By Lemma 7.1.3, Γ ⊢ t0: 2σ: pk and, applying Proposition 7.1.4 and Proposition 7.2.7, we have Γ ⊢ u0: σ: pk;
- if t = next(t0), we have the premise t0 ⇓k+1 u0 with u = next(u0). By Lemma 7.1.3 there exists τ with σ = #τ and Γ ⊢ t0: τ: pk+1;
- if t = prev(t0) and k = 1, we have the premise t0 ⇓0 next(u). By Lemma 7.1.3, Γ ⊢ t0: #σ: p0;
- the remaining cases follow the same pattern.
An application of the inductive hypothesis concludes the proof.

Proposition 7.2.11 (Determinacy) If t u and t u at the same stage k, then the two results coincide (u = u ).
Proof. The statement follows easily from the observation that given any term t and any number k there exists at most one rule concluding with t u at stage k for some term u. 2
Now we show that the reduction strategy is well defined from the point of view of termination: each evaluation eventually yields some value.
Proposition 7.2.12 (Definiteness of reduction) For each closed T term t there exists a T term u such that t u.

7.2. MULTI STAGE INTERPRETATION

Proof. Consider a T term t and a context such that t: : pk and assume that does not contain variables at p0 .
We start by proving that if t does not evaluate at stage k (i.e. there does not exist a term u such that t u at stage k) then there exists a term t such that t + t and t does not evaluate at stage k.
Proceed by induction on t:
if t = x, the statement is vacuously true since either k = 0 and x: : pk is in , or k > 0 and t t at stage k;
if t = x.t0 we have two cases. If k = 0 the statement is vacuously true since t t at stage 0. If k > 0, it must be that t0 does not evaluate at stage k, so we can apply the inductive hypothesis to obtain a term t0 and immediately we have t = x.t0 ;
if t = t0 t1 , we have two cases according to k. If k > 0 either t0 or t1 does not evaluate at stage k. Assume without loss of generality the former case; then by induction hypothesis we obtain t0 such that t0 + t0 and we can take t = t0 t1 .
If k = 0 we can have several cases. If t0 or t1 does not evaluate at stage 0 we proceed as for k > 0. Now, by Lemma 7.2.9 and by Corollary 7.2.8, if t0 u at stage 0, u must be in the form x.u0 , so the only remaining case is that t0 x.u0 and t1 u1 at stage 0 and u0 [u1 /x] does not evaluate at stage k. In this case, by Observation 7.2.3, we can take t = u0 [u1 /x];
the remaining cases can be shown in the same way.
So we proved that if t does not evaluate at stage k there exists t such that t + t , and t does not evaluate at stage k. Hence if we assume the existence of a term t for which the evaluation is not defined, by iterating the previous argument we can build an infinite chain t = t0 + t1 + . This contradicts Theorem 7.1.9.
2
Finally we show that the kind of value resulting from the computation of a term t is determined by the type of t.
Corollary 7.2.13 (Binding time correctness) Let t be a closed T term; then, for some u,
t: # : p0 ⇒ t next(u) V0
t: 2 : p0 ⇒ t box(u) V0
t: : p0 ⇒ t x.u V0
Proof. The proof follows immediately from Lemma 7.2.9, Corollary 7.2.8 and Proposition 7.2.12.
2
This corollary, together with the observation that next(u): # : p0 implies
u: : p0 , justifies the idea of continuing the evaluation of a term of type # at the
next stage evaluating its residue u.

7.3 Comparison with multi staged calculi

In this section we consider other calculi extending calculus to cope with staged
evaluation. Among the several alternatives we choose to compare the temporal
-calculus with calculi # and 2 , since they are, in our opinion, the most representative and since they provided the basis of our development. We will show that
the temporal -calculus fully integrates the features of both.

7.3.1 Encoding #

In [Dav96] Davies defines the # calculus, an extension of the -calculus whose type system is based on modal logic with a linear accessibility relation. Davies shows the relevance of # for staged evaluation by encoding in his system a fragment of the language used in [GJ97] for binding time analysis.
In this section we briefly introduce # and then we show that it precisely corresponds to the 2-free fragment of the temporal -calculus.
Definition 7.3.1 (# terms and types) The sets of types and terms of # are inductively defined by the following clauses:
(types)   ::= | | #
(terms)  t ::= x | (x.t) | t1 t2 | next(t) | prev(t)

where we used to range over type variables, to range over types and x, t to range
over variables and terms respectively.
A variable declaration is a pair xn : where x is a variable, a type and n a
natural number.
A typing context is a set of variable declarations.
Type judgments are of the form n t: where is a typing context, t is a
term, is a type and n is a natural number.
The sets of terms and types of # coincide with the sets of terms and types of the 2-free fragment of the temporal -calculus; we use the same notation for both and rely on the context to distinguish between the two systems.
The difference between our presentation and the one used by Davies lies in the choice of how world information is recorded in judgments. We use world variables, since these provide a more general tool for the description of different modal and temporal logics; he uses natural numbers since this gives a simpler system when dealing with a single linear modality.

7.3. COMPARISON WITH MULTI STAGED CALCULI

Definition 7.3.2 (# typing rules)


, xn : n x:
, xn : n t: : p
n x.t: : p

n t: : p n u: : p
n tu: : p

n+1 t: : q
n next(t): # : p

n t: # : p
n+1 prev(t): : p

Now we define a map to amend the minor syntactic differences between # judgments and temporal -calculus judgments.
Remember that we are restricting our attention to judgments with the fixed relational context p0 R p1 , p1 R p2 , . . ..
Definition 7.3.3 pq is a function that associates temporal -calculus contexts to # contexts and # judgments to temporal -calculus judgments, defined as follows:
pq = {x: : pk | xk : }
p n t: q = pq t: : pn
As long as we consider the fixed relational context p0 R p1 , p1 R p2 , . . ., pq is clearly a bijective function on type judgments. We now prove that it is also an isomorphism with respect to typability in the two systems.
Proposition 7.3.4 For each # context , for each # term t and for each natural
number n :
n t: p n t: q
Proof. The proof is by induction on t. Clearly for the base case we have, by definition of pq, xn : if and only if x: : pn pq.
For non-trivial deductions we treat the two implications separately.
(⇒) If t = next(u) for some u, the deduction of n t: concludes with the next() rule, so we also have a deduction of n+1 u: for a such that = # . By inductive hypothesis we can build a deduction of pq u: : pn+1. The desired proof can be obtained by applying (#I ) and (Rel) to .
If t = prev(u) for some u, the deduction of n t: concludes with the prev() rule and we also have a deduction of m u: # where n = m + 1. By inductive hypothesis we also obtain a deduction of pq u: # : pm and applying (#E ) to such deduction we obtain a deduction of pq prev(u): : pn .
In any other case the last rule applied is a propositional rule; then, use the inductive hypothesis and the corresponding rule in the temporal -calculus to obtain a deduction of p t: : pn q.

(⇐) If t = next(u) for some u, by Lemma 7.1.3, we have = # for some and pq u: : pn+1. Applying the inductive hypothesis we obtain n+1 u: . Then, using the rule for next(), n next(u): # .
If t = prev(u) for some u, by Lemma 7.1.3, we have pq u: # : pm where n = m + 1 and, by inductive hypothesis, we also have a deduction of m u: # . Using the rule for prev() we can immediately build a derivation of n prev(u): .
The remaining cases can be proved in a similar way using the generation lemma and the typing rules of # .
2
The semantics of # is defined by a transition system with the same rules used in the 2-free fragment of the temporal -calculus. Therefore we immediately have the following.
Proposition 7.3.5 For all # terms t, u: t u in # if and only if t u in T at stage k.
This justifies the statement that the 2-free fragment of the temporal -calculus and # are isomorphic.

7.3.2 Encoding 2

In [DPar] Davies and Pfenning introduce a calculus based on intuitionistic logic S4


with operators for management of closed code. In their calculus the S4 modality
(2) corresponds to the type of closed code, accordingly, the 2 introduction rule
gives the constructor for code blocks and the elimination rule gives the evaluator
for code blocks. They give two formulations of the calculus differing in the form of the type system: a first, explicit calculus in which the elimination rule for 2 takes the form of a let construct, and an implicit calculus, whose type system is motivated by [Mas96, PW95], in which the elimination rule for box takes the form of an indexed unbox construct.
In the rest of the section we will briefly present the explicit formulation of the
calculus of Davies and Pfenning and then describe an encoding of this system in
temporal -calculus.
Definition 7.3.6 (2 terms and types) The sets of types and terms are inductively defined as follows:
(types)   ::= | | 2
(terms)  t ::= x | (x.t) | t1 t2 | u | box(t) | let box(u) = t1 in t2

where we used as usual for type variables, for types, x for variables and t for terms. The metavariable u is used for modal variables (as we will see later, those occurring in modal contexts).
An (ordinary) variable declaration is a pair x: where x is an (ordinary) variable and a type. A modal variable declaration is a pair u: where u is a modal variable and a type.
A typing context is a pair ; where is a set of ordinary variable declarations and is a set of modal variable declarations. Hence, a type judgment takes the form ; t: .

; , x: x:
; , x: t:
; x.t:
; t:
; box(t): 2

, u: ; u:

; t0 : ; t1 :
; t0 t1 :
; t1 : 2 , u: ; t2 :
; let box u = t1 in t2 :

A first difference we can observe between 2 and the temporal -calculus is in the management of modal contexts. In 2 a set of modal variables disjoint from the ordinary variables, and two distinct contexts, are used to track the world in which a term lives. In a temporal -calculus type derivation, each term is explicitly tagged with the world at which it lives.
We now show that as long as we deal with a single modality the two approaches are equally expressive. In order to do this we define a map from 2 terms to T terms preserving type derivations.
First we need some additional notation. We will write Gn to denote the set
of relational assumptions p0 R p1 , . . . , pn1 R pn . Given a set of 2 declarations = {x1 : 1 , . . . , xn : n } we will denote with : p the set of T declarations
{x1 : 1 : p, . . . , xn : n : p} and with 2 : p the set {x1 : 2 1 : p, . . . , xn : : p}.
Definition 7.3.7 Let pq be a map from 2 terms to T defined as follows:
pxq = x
px.tq = x.ptq
pt1 t2 q = pt1 qpt2 q
puq = unbox(u)
pbox(t)q = box(ptq)
plet box(u) = t1 in t2 q = (u.pt2 q)pt1 q


Proposition 7.3.8 Given a 2 term t, if


; t:
then, for each n 0 and for each partition 0 , . . . , n of
Gn ; 2 0 : p0 , . . . , 2 n : pn , : pn ptq: : pn
Proof. We proceed by induction on the derivation of ; t: .
if the last rule of the derivation is for ordinary variables, we have t = x and
x: and the statement follows trivially;
if the derivation concludes with
; , x: 1 t1 : 2
; x.t1 : 1 2
by inductive hypothesis we have a derivation of
Gn ; 2 0 : p0 , . . . , 2 n : pn , : pn , x: 1 : pn pt1 q: 2 : pn
and applying (I ) we obtain a derivation of
Gn ; 2 0 : p0 , . . . , 2 n : pn , : pn x.pt1 q: 1 2 : pn
if the derivation concludes with
; t1 : ; t2 :
; t1 t2 :
by inductive hypothesis we also have derivations for
Gn ; 2 0 : p0 , . . . , 2 n : pn , : pn pt1 q: : pn , and
Gn ; 2 0 : p0 , . . . , 2 n : pn , : pn pt2 q: : pn
and applying (E ) we immediately have a derivation for
Gn ; 2 0 : p0 , . . . , 2 n : pn , : pn pt1 qpt2 q: : pn
if the derivation concludes with
, u: , u:
applying (2E ) and either transitivity or reflexivity of R , we immediately obtain a derivation of
Gn ; 2 0 : p0 , . . . , 2 n : pn , u: 2 : pi , : pn unbox(u): : pn
where i is any natural number in 0, . . . , n;

if the derivation concludes with


; t1 :
; box(t1 ): 2
by inductive hypothesis, we also have a derivation of
Gn+1 ; 2 0 : p0 , . . . , 2 n : pn pt1 q: : pn+1
and applying (2I ) and weakening we obtain a derivation of
Gn ; 2 0 : p0 , . . . , 2 n : pn , : pn box(pt1 q): 2 : pn
if the derivation concludes with
; t1 : 2 , u: ; t2 :
; let box u = t1 in t2 :
by inductive hypothesis we also have derivations for
Gn ; 2 0 : p0 , . . . , 2 n : pn , : pn pt1 q: 2 : pn , and
Gn ; 2 0 : p0 , . . . , 2 n : pn , u: 2 : pn , : pn pt2 q: : pn
Using (I ) and (E ) we can now build a derivation of
Gn ; 2 0 : p0 , . . . , 2 n : pn , : pn (u.pt2 q)pt1 q: : pn
2
Corollary 7.3.9 For each 2 term t and for each world variable p
t: = ptq: : p
The mapping pq shows the greater simplicity of 2 derivations with respect to temporal -calculus derivations: most information about worlds in 2 derivations is implicitly kept in the structure of the derivation.
Observe that some T terms never arise as the image of a 2 term, i.e. pq is not surjective. For instance it can easily be seen that for each t 2 there does not exist t 2 such that ptq = unbox(box(pt q)).
We now briefly define the reduction semantics of 2 and show that it agrees with the reduction semantics of the temporal -calculus except for minor differences.
Definition 7.3.10 The evaluation relation 2 is inductively defined on 2 terms by the following clauses:

x.t 2 x.t            box(t) 2 box(t)

t1 2 x.t1    t2 2 t2    t1 {t2 /x} 2 s
------------------------------------------
               t1 t2 2 s

t1 2 box(t1 )    t2 {t1 /u} 2 s
-----------------------------------
   let box(u) = t1 in t2 2 s


Lemma 7.3.11 For each 2 terms t1 , t2 , for each ordinary variable x and for each
modal variable u we have
pt1 q[pt2 q/x] = pt1 q{pt2 q/x}

pt1 q[pbox(t2 )q/u] = pt1 {t2 /u}q.

Proof. The first equality follows immediately from the observation that the term unbox(x) cannot appear within pt1 q, since unbox() is used only in the translation of modal variables.
The second equality follows from the observation that each occurrence of u in pt1 q appears as the argument of an unbox() construct, and from the definition of code substitution.
2
Proposition 7.3.12 For each 2 terms t, s
t 2 s ptq psq
Proof. By induction on the derivations of t 2 s and ptq psq.
the case in which t is a variable is trivial;
if t = x.t , we have px.t q = x.pt q and clearly both t 2 t and ptq ptq;
if t = t1 t2 , by induction hypothesis, t2 2 t2 if and only if pt2 q pt2 q and t1 2
x.t1 if and only if pt1 q x.pt1 q. Moreover x cannot be a modal variable,
since t is a well typed 2 term and the rule for abstraction allows only
abstraction on ordinary variables. Hence, by Lemma 7.3.11, pt1 q[pt2 q/x] =
pt1 q{pt2 q/x} and applying a last time the inductive hypothesis t 2 s if and
only if ptq psq;
if t = box(t1 ) we immediately have t 2 s if and only if ptq psq since
box(t1 ) box(t1 ) and box(pt1 q) box(pt1 q);
if t = let box(u) = t1 in t2 consider separately the two implications. If t 2 s, by
definition, t1 2 box(t1 ) and t2 {t1 /u} 2 s. Applying the inductive hypothesis
we have pt1 q box(pt1 q). By Lemma 7.3.11, pt2 q[box(pt1 q)/u] = pt2 {t1 /u}q
so applying induction hypothesis pt2 q[box(pt1 q)/u] s, finally, by evaluation
rule for application, (u.pt2 q)pt1 q s.
Conversely, assume (u.pt2 q)pt1 q s ; then, by Corollary 7.2.13 and
Proposition 7.3.8, pt1 q box(pt1 q) so that, by inductive hypothesis, also t1 2
box(t1 ). Finally, since by Lemma 7.3.11 pt2 q[box(pt1 q)/u] = pt2 {t1 /u}q, and
since pt2 q[box(pt1 q)/u] s , by inductive hypothesis s = psq and pt2 {t1 /u}q
s.
2

7.4 Mini-MLT

We are interested in potential applications of this term calculus to staged programming languages; in order to study such applications we extend the temporal -calculus to a core calculus for a programming language.
First we start with the addition to the temporal -calculus of concrete types for natural numbers, pattern matching on numbers and a construct for recursion.
(types)   ::= nat | | # | 2
(terms)  t ::= x | (x.t) | t1 t2 | rec x.t | z | s(t) | case(t, t1 , t2 ) | next(t) | prev(t) | box(t) | unbox(t)

To improve the readability of terms we add some syntactic sugar: we write case t of z t1 | s(x) t2 for case(t, t1 , x.t2 ) and let x = t1 in t2 for (x.t2 )t1 .
We also extend the type system with the following rules:
G; t: nat: p
G; s(t): nat: p

G; z: nat: p

G; , x: : p t: : p
G; rec x.t:

G; t: nat: p G; t1 : : q G; t2 : nat : q
G; case(t, t1 , t2 ): : q
Then we need to augment the set of values with terms for natural numbers and recursion. In order to do this the equations in Definition 7.2.1 become
v0 ::= x.t | z | s(v0 ) | next(v1 ) | box(t)
v1 ::= x.t | z | s(v1 ) | v1 v1 | case(v1 , v1 , v2 ) | rec x.v1 | next(v2 ) | box(t) | unbox(v1 )
vn+1 ::= x.t | z | s(vn+1 ) | vn+1 vn+1 | case(v1 , v1 , v2 ) | rec x.v1 | next(vn+2 ) | box(t) | unbox(vn+1 ) | prev(vn )
where k 0 and vi , vi , vi are terms in Vi .


Finally we extend the definition of staged evaluation with the following clauses:
Stage 0 (all judgments at stage 0):

                  t u
z z          -----------
             s(t) s(u)

t{t/x} u
-----------
rec x.t u

s z    t1 u                  s s(s )    t2 s u
------------------------     ------------------------
case(s, t1 , t2 ) u          case(s, t1 , t2 ) u


Stage n + 1 (all judgments at stage n + 1):

                  t u                  t u
z z          -----------        --------------------
             s(t) s(u)          rec x.t rec x.u

s s     t1 t1     t2 t2
-----------------------------------
case(s, t1 , t2 ) case(s, t1 , t2 )
Obviously, stepping from the temporal -calculus to Mini-MLT some properties of the typing are lost; for example the term rec x.x can easily be shown to have any type. This is the price we have to pay for a Turing complete calculus.
Now we will briefly consider the most important properties that can be carried over to Mini-MLT.
Proposition 7.4.1 (Subject Reduction) Mini-MLT enjoys subject reduction: if G; t: : p and t u at stage n, then G; u: : p.
Proof. Simply check that each additional clause in the definition of the evaluation relation satisfies this property. 2
Lemma 7.4.2 (Value Lemma) For all Mini-MLT terms t and u, if t u at stage k then u Vk .
Proof. Proceed by induction on the derivation of t u at stage k, as in Lemma 7.2.9.

Proposition 7.4.3 (Determinacy) If t u and t u at the same stage k, then the two results coincide (u = u ).
Proof. The statement follows easily from the observation that given any term t and any number k there exists at most one rule concluding with t u at stage k for some term u. 2
Obviously we cannot prove the analogue of Proposition 7.2.12; indeed, in a big step reduction semantics, definiteness of reduction for a term t implies termination of the evaluation of t, and clearly we have diverging terms in Mini-MLT. Nevertheless it would be interesting to show that each non diverging term is evaluated by our semantics; this would provide a sort of correctness for the presentation of the reduction relation.
To prove this last statement we proceed as follows: we introduce in Mini-MLT a new term stuck to denote an error during evaluation, then we add a new meta rule to our transition semantics

if no proper rule is applicable for t at stage k
--------------------------------------------------  (stuck)
            t stuck at stage k


where we say that a rule () is applicable for t if there exist terms t , t1 , . . . , tn and t1 , . . . , tn not containing stuck such that

t1 t1 at stage k1    . . .    tn tn at stage kn
--------------------------------------------------  ()
                     t t

is an instance of ().
The reduction relation remains well defined since the premise of the rule (stuck) can be effectively computed: we simply have to check a finite number of rules for applicability to the term t.
In this way we are sure that for each term we can always apply a reduction rule. Moreover any term giving rise to an evaluation error is evaluated to stuck; indeed the only rule defined for the term stuck is (stuck), and this evaluates again to stuck.
Observe that in this new setting, the evaluation process of a term t at stage k may have three distinct outcomes: t v with v ≠ stuck, t stuck, and no result at all, i.e. the evaluation of t diverges.
Finally we prove that no well-typed Mini-MLT term is evaluated to stuck.
Proposition 7.4.4 Given a Mini-MLT term t with G; t: : p, if t v at stage k then v ≠ stuck.
Proof. Once one observes that stuck has no type, and so t ≠ stuck, the proof proceeds along the same lines as the one used for Proposition 7.2.12.
2
Once we have precisely defined diverging terms we can prove the following.
Proposition 7.4.5 (Binding time correctness) Let t be a closed non diverging Mini-MLT term; then, for some u and some k,
t: nat: p0 ⇒ t sk (z) V0
t: # : p0 ⇒ t next(u) V0
t: 2 : p0 ⇒ t box(u) V0
t: : p0 ⇒ t x.u V0
Proof. Follows immediately from the value lemma, subject reduction and the assumption that t is non diverging.
2
Another interesting property that carries over to Mini-MLT guarantees that terms are evaluated in a meaningful reduction order with respect to their typing.
Proposition 7.4.6 Consider an MLT term t and a context with t: : pk . Consider also a derivation of t u at stage k; then for each t u at stage h occurring in there exists a context such that , t : : ph . Moreover does not contain variables at p0 .


Proof. Proceed by induction on as in Proposition 7.2.10, using a trivial extension of Lemma 7.1.3.
2
Now we examine some ways in which the power function can be staged. First take a non-staged definition of power.
let power: nat nat nat =
rec p. n.x. case n
of z 1
| s(m) x (p m x )
We are here assuming the existence of a function of type nat nat nat that multiplies its arguments.
One sees immediately that it may be interesting to stage this function so as to have power n x x · · · x (x repeated n times). We have at least two ways to proceed.

Example 7.4.7
Using the box() construct we can write a function powerc of type nat 2(nat
nat) that given n generates code to compute x.power x.
let powerc: nat 2(nat nat) =
rec p. n. case n
of z box(x. s(z))
| s(m) let q = unbox(p m) in box(x.x (q x))

We can easily see by induction on the derivation of powerc n tn that tn =


box(un ) where un is
u0 = x. s(z)
un+1 = x.x (un x)
so that tn contains n trivial redexes that are not reduced in the evaluation. One can also see that, given the type constraint, there is no way to avoid the formation of such unwanted redexes. Indeed any recursive invocation of powerc will return code for a lambda abstraction that cannot be reduced, since it appears in the context of a box constructor (recall that code substitution reduces only 2 redexes).
2
Example 7.4.8 Rather than a staging specification, we prefer to consider powerc as a function producing closed code. If we are interested in a two stage version of power it may be convenient to specify the staging using the # type. We will then be free to manipulate open code and will probably be able to produce a more efficient residual.


let powers: nat #(nat nat) =


n. next(x. prev((rec p.m.
case m of
z
next(s(z))
| s(m ) x (p m ))
n))

Here we use the next() construct to quote the abstraction over x, then we use the prev() construct to unquote the application of n to the subterm (rec p. . . .). We know by Corollary 7.2.13 that powers n next(tn ) for some tn V1 . Moreover, by definition of value of level 1, we also know that the subterm of powers unquoted by prev will be evaluated and will not appear in tn .
2
One can easily prove that powers n next(x. x · · · x s(z)) with x repeated n times.
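The staged evaluation rules of this section and the powers term of Example 7.4.8, as an added reference evaluator that is not the thesis's own code: terms are Python tuples, evaluate(t, k) is the relation "t evaluates to u at stage k", is_value is membership in Vk, and a constructed mul primitive stands in for the assumed multiplication. The recursive branch of powers is written here as next(x × prev(p m')), which is this example's reading of the page's term, whose symbols the extraction lost.

```python
# Terms are tuples: ('var', x) ('lam', x, t) ('app', f, a) ('rec', x, t) ('z',)
# ('s', t) ('case', s, t1, t2) ('next', t) ('prev', t) ('box', t) ('unbox', t),
# plus the constructed primitive ('mul', a, b) for the assumed multiplication.

class Stuck(Exception):
    """No proper rule applies: the (stuck) outcome of Section 7.4."""

def subst(t, x, s):
    # t{s/x}; no binder in the terms below captures a free name of s, so no
    # alpha-renaming is performed (a simplification of this example)
    tag = t[0]
    if tag == 'var':
        return s if t[1] == x else t
    if tag in ('lam', 'rec'):
        return t if t[1] == x else (tag, t[1], subst(t[2], x, s))
    return (tag,) + tuple(subst(a, x, s) for a in t[1:])

def numeral(n):
    return ('z',) if n == 0 else ('s', numeral(n - 1))

def to_int(t):
    n = 0
    while t[0] == 's':
        t, n = t[1], n + 1
    if t[0] != 'z':
        raise Stuck(t)
    return n

def evaluate(t, k):
    """Big-step 't evaluates to u at stage k'; raises Stuck when no rule fits."""
    tag = t[0]
    if k == 0:                                   # stage 0: real computation
        if tag in ('lam', 'box', 'z'):           # stage-0 values
            return t
        if tag == 's':
            return ('s', evaluate(t[1], 0))
        if tag == 'app':                         # beta reduction at stage 0
            f = evaluate(t[1], 0)
            if f[0] != 'lam':
                raise Stuck(t)
            return evaluate(subst(f[2], f[1], evaluate(t[2], 0)), 0)
        if tag == 'rec':                         # unfold rec x.t once
            return evaluate(subst(t[2], t[1], t), 0)
        if tag == 'case':
            s = evaluate(t[1], 0)
            if s[0] == 'z':
                return evaluate(t[2], 0)
            if s[0] == 's':
                return evaluate(('app', t[3], s[1]), 0)
            raise Stuck(t)
        if tag == 'next':                        # quote: body runs one stage up
            return ('next', evaluate(t[1], 1))
        if tag == 'unbox':                       # run closed code here
            b = evaluate(t[1], 0)
            if b[0] != 'box':
                raise Stuck(t)
            return evaluate(b[1], 0)
        if tag == 'mul':
            return numeral(to_int(evaluate(t[1], 0)) * to_int(evaluate(t[2], 0)))
        raise Stuck(t)                           # free variable or prev at stage 0
    if tag == 'prev' and k == 1:                 # unquote: splice a stage-0 result
        q = evaluate(t[1], 0)
        if q[0] != 'next':
            raise Stuck(t)
        return q[1]
    if tag in ('var', 'z', 'box'):               # stage k >= 1: rebuild structurally
        return t
    if tag in ('lam', 'rec'):
        return (tag, t[1], evaluate(t[2], k))
    if tag == 'next':
        return ('next', evaluate(t[1], k + 1))
    if tag == 'prev':
        return ('prev', evaluate(t[1], k - 1))
    return (tag,) + tuple(evaluate(a, k) for a in t[1:])

def is_value(u, k):
    """Membership in V_k (Definition 7.2.1 as extended in Section 7.4)."""
    tag = u[0]
    if tag == 'box':
        return True
    if k == 0:
        return tag in ('lam', 'z') or (tag == 's' and is_value(u[1], 0)) \
            or (tag == 'next' and is_value(u[1], 1))
    if tag == 'prev':                            # prev is spliced away at level 1
        return k >= 2 and is_value(u[1], k - 1)
    if tag == 'next':
        return is_value(u[1], k + 1)
    if tag in ('lam', 'rec'):
        return is_value(u[2], k)
    return tag == 'var' or all(is_value(a, k) for a in u[1:])

def power_staged(n):
    # powers n of Example 7.4.8: stage 0 unrolls the recursion on n while the
    # multiplications by the stage-1 variable x are quoted into the residual
    x, m1, p = ('var', 'x'), ('var', 'm1'), ('var', 'p')
    loop = ('rec', 'p', ('lam', 'm', ('case', ('var', 'm'),
            ('next', ('s', ('z',))),
            ('lam', 'm1', ('next', ('mul', x, ('prev', ('app', p, m1))))))))
    powers = ('lam', 'n', ('next', ('lam', 'x', ('prev', ('app', loop, ('var', 'n'))))))
    return evaluate(('app', powers, numeral(n)), 0)
```

The residue u of the resulting next(u) can then be run at the following stage by evaluating ('app', u, numeral(k)) at stage 0, as Corollary 7.2.13 licenses.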

Example 7.4.9 Consider now the case in which we want to stage the function pwpw = n.m.power (power n m) so as to have the computation depending on n performed in a first stage and the computation depending on m performed in a second stage.
As for the power example we can follow two different approaches, we could
define either a term pwpwc: nat 2(nat 2(nat nat)) or a term pwpws: nat
#(nat #(nat nat)).
For pwpwc we would have the trivial redexes we had also in powerc whereas
pwpws would give more efficient residues for pwpws n and pwpw n m. But there is
also another important difference.
Whereas we can define pwpwc simply in terms of powerc
let pwpwc: nat 2(nat 2(nat nat)) =
n.m. unbox(powerc) (powerc n m)
the same is not possible for pwpws, since powers is bound to the stage in which it is defined and cannot be used in a different stage, whereas in this case we would need to invoke powers in both the first and the second stage of evaluation.
A different solution comes from the mixing of the two constructs, take
let powersc: 2(nat #(nat nat)) = box(powers)
let pwpwsc: nat #(nat #(nat nat)) =
n. next(m. unbox(powersc) (prev(unbox(powersc) n) m))
powersc is now code for a staged version of the power function and can be used
at any time after its definition (i.e. it is cross stage persistent). The definition of
pwpwsc is essentially the standard definition enriched with information regarding
the evaluation of code and the staging of the evaluated code.


It is easy to see that
pwpwsc n next(m. unbox(powersc) ((x. x · · · x s(z)) m))   (x repeated n times)
and
(m. unbox(powersc) ((x. x · · · x s(z)) m)) m x. x · · · x   (x repeated n times on the left and m^n times on the right)

Chapter 8 Temporal Logics in Logical Framework
In this chapter we will consider some of the possible implementations of the logical systems described in Chapter 3 and in Chapter 5 within logical frameworks. The emphasis will be on using the logical systems rather than proving properties about them, so, using the terminology introduced in [BC93], we will consider logical frameworks rather than metalogical frameworks.
We will start by briefly describing the dependently typed -calculus; this will be the system in which the object logics will be encoded. The paradigm of the encoding is judgments-as-types: judgments of the object logic will correspond to types of the underlying logic (see [HHP93]).

8.1 Dependently Typed -calculus

In our presentation we will follow [Pfe99]. This presentation differs from more
standard formulations (see for instance [Bar92]) mainly in two aspects.
First, equality is rather than ; this complicates the theory of P but simplifies the formulation of the encoding (the complications in the metatheory arise from the fact that reductions do not preserve type).
Second, abstraction is not present at the level of families; this has no significant impact on the system, it only simplifies the presentation.
The abstract syntax of P pseudo-terms is defined as follows:
Terms ::= x | type | x: U.V | x: U.V | UV
where x ranges over a set V of variables and U, V range over the set of pseudo-terms.
In order to improve readability we will use the following syntactic conventions:
when x does not occur in V , we will write U V for the term x: U.V ;
the term x1 , , xn : U.V will be used as a shorthand for x1 : U. xn : U.V .

CHAPTER 8. TEMPORAL LOGICS IN LOGICAL FRAMEWORK

P terms are a subset of pseudo-terms defined by means of typing rules. Terms


can be seen as living on three distinct levels: kinds, families and objects. To make the
separation more clear we split the set V of variables in three disjoint sets CF , CO , VO
whose elements will be called family constants, object constants and object variables
respectively.
As usual the term formation rules are given with respect to an assignment of types to variables (or basis in Barendregt's terminology). Since type declarations will have different intended meanings (some will be used to encode the object logic and some will be used to encode objects living within the object logic) we will record such declarations in two distinct lists: signatures and contexts.
A signature is an ordered sequence x1 : U1 , . . . , xn : Un where xi CF CO and Ui is a pseudo-term. A context is an ordered sequence x1 : U1 , . . . xn : Un where each xi VO and each Ui is a pseudo-term.
Finally, the term formation rules are given with respect to a valid type assignment ; where is a signature and is a context. Valid signatures and contexts are inductively defined by means of formation rules; we will write ; valid to denote type assignments that can be built by such formation rules.
To avoid cluttering the rules with side conditions, we use different metavariables for terms, variables and constants of different levels:
Level      terms          constants      variables
kinds      K, K , . . .
families   A, B, . . .    a, b, . . .
objects    M, N, . . .    c, c , . . .   x, y, . . .
Kinds
; valid
; type: kind

; A: type    ; , x: A K: kind
; x: A.K: kind

Families
; K: kind a: K
; a: K
; A: type ; , x: A B: type
; x: A.B: type

; A: x: B.K ; M: B
; AM: K{M/x}

Objects
x: A ; valid
; x: A
c: A ; valid
; c: A

; M: x: A.B ; N: A
; MN: B{N/x}
; A: type ; , x: A M: B
; x: A.M: x: A.B


Equality

; U: V ; V V : W
; U: V

where judgment ; V V : W denotes -equality for typed terms V and V of


type W . The introduction of the type of the terms in the equality judgment is needed in order to cope with the fact that equality does not preserve type; the standard example is given by the term x: A.(y: B.y)x.
For more information on equality in Pure Type Systems see [Geu92, Pfe99].
Valid Signatures and Contexts
; valid

; valid ; A: type x 6
; , x: A valid

; valid ; K: kind a 6
, a: K; valid

; valid ; A: type c 6
, c: A; valid

Standard properties of Pure Type Systems (see [Ber90]) can be proved also for
this formulation of dependently typed -calculus.
Proposition 8.1.1 P enjoys the following properties:
Exchange
If 1 , x: U1 , y: U2, 2 ; V : W and 1 , y: U2; valid
then 1 , y: U2, x: U1 , 2 ; V : W ;
If ; 1 , x: U1 , y: U2, 2 V : W and ; 1 , y: U2, 2 valid
then ; 1 , y: U2 , x: U1 , 2 V : W .
Weakening
If ; U: V and ; , W : W valid then ; , W : W U: V .
Substitution
If ; 1 U: V and ; 1 , x: V, 2 W : W
then ; 1 , 2 {U/x} W {U/x}: W {U/x}.
Moreover also the following holds.
Proposition 8.1.2 (Decidability of typing) The typing relations of P are decidable.
The last property is of paramount importance for the design of logical frameworks. Indeed, since in these frameworks the encoding of logical systems follows the paradigm of proof checking as type checking, decidability of type checking at the level of the meta logic corresponds to decidability of proof checking at the level of the object logic.


The main obstacle to decidability is given by the equality rule in which it is


required to check if two terms are equal up to conversion. This is solved by
reducing each term to its canonical form ( reduced expanded form) and checking
equality over canonical terms.
Canonical terms play an important role in the system for another reason as well. As we will see more precisely in the following, the P terms resulting from the encoding of the object logic entities will be exactly the canonical terms inhabiting some specific type.
In order to be able to reason about the result of such encodings, we give an inductive definition of canonical term. Before giving the formation rules for canonical terms we need an additional notion.
Given a valid typing environment ; and terms A, K such that ; A: K,
we say that A is a basic family if A is of the form aM1 . . . Mn for some a of arity n.
The rules for the construction of canonical terms make use of the following
judgments:
; A basic,   denoting that A is a basic family
; U V ,   denoting that U is a canonical term of type V
; U V ,   denoting that U is atomic of type V

Canonical Objects
; A type ; , x: A M B
; x: A.M x: A.B
Atomic Objects

; M A A basic
; M A

c: A
x: A
; c A ; x A
; M x: A.B ; N A
; MN B{N/x}

Canonical Families
; A type ; , x: A B: type ; A type A basic
; x: A.B type
; A type
Atomic Families
a: K
; a K

; A x: B.K    ; M B
; AM K{M/x}

8.2 Encoding in Dependently Typed -calculus

In this section we will define a P signature F to encode LTL formulas, judgments and deductions. A similar approach for modal logics has been followed in [BMV98b, Mic97].


8.2.1 Encoding Formulas

In this section we define the set of P terms used to represent formulas of LTL. This set is described by means of a signature specifying a P type for formulas and a set of constructors for logical connectives.
First we need a family for formulas, for which we introduce a constant o; then we need a constructor for each connective of LTL. The resulting declarations will be recorded in a signature F .
Let F be the signature containing the following declarations:
o: type

bot: o
imp: o o o
or: o o o
and: o o o

next: o o
box: o o
dia: o o

In order to complete the definition of the set of P terms representing LTL


formulas, we need a representation for propositional variables. Following standard
practice, we choose to encode propositional variables with P variables of type o.
Assume given a map from the set of propositional variables L to the set of object
variables (VO ) that associates to each propositional variable a distinct P variable
x .
Then we can define the map pq from the language of LTL formulas over L to
P pseudo-terms as follow:
pq = x
pq = bot
p q = andpqpq
p q = orpqpq
p q = imppqpq
p# q = nextpq
p2 q = boxpq
p3 q = diapq
In order to establish the correctness of the map, we need a reprentation of the
set of free variables of a formula, first we introduce a bit of notation.
Given a set of propositional variables X = {1 , . . . , n }, we will write X for the
P environment {x1 : o, . . . , xn : o}.
The following proposition states that the map pq is well defined over the set of
canonical P terms.
Proposition 8.2.1 Let be an LTL formula with propositional variables in X,
then
F ; X pq o

122

CHAPTER 8. TEMPORAL LOGICS IN LOGICAL FRAMEWORK

i.e. the encoding of is a P canonical term in the typing environment F ; X .


Proof. Follows easily by induction on .
If is a propositional variable , then clearly F ; x : o x o.
Consider now the case = 1 2 , then, by induction hypothesis,
F ; X p1 q o,

F ; X p2 q o.

Then, by definition of canonical term, F ; X andp1 qp2 q o, and since o is an


atomic family, we also have F ; X andp1 qp2 q o.
The other cases can be proved in the same way.
2
The following theorem establish a stronger property for pq, namely its faithfulness over the set of canonical terms of type o.
Proposition 8.2.2 Let X be a set of propositional variables, then pq is a bijection
among LTL formulas with propositional variables in X and canonical P terms of
type o in F ; X .
Proof. This amount to prove that pq is injective and that for each P term M, if
F ; X M o, there exists an LTL formula with propositional variables in X
such that M = pq.
The fact that pq is injective follows immediately from its definition.
In order to show that it is surjective on the set of canonical terms, we build its
inverse proceeding by induction on the construction of ; X M o.
The only possibility is to have ; X M o and we have three cases:
M = x for some x X and then M = pq for some X;
M = c for some c such that ; X c: o so that it must be M = bot =
pq;
M = N1 N2 with ; X N1 x: A.o and ; X N2 A. Now, since the
only family in ; is o, A must be o and by induction hypothesis N2 = p2 q
for some 2 with propositional variables in X.
For N1 we have two possibilities, either N1 is a constant (and then it can only
be one of next, box and dia) or it is P0 P1 with ; X P0 x: A.o o
and ; X P1 A. In the former case, trivially either M = p# 2 q or
M = p2 2 q or M = p3 2 q.
In the latter, again it must be A = o and by inductive hypothesis P1 = p1 q
for some 1 with propositional variables in X. Now P0 can only be one of
the constants in of type o o o so that M will one of the following
p1 2 q, p1 2 q, p1 2 q.
2
Finally, with the following proposition, we have that pq is a compositional bijection among LTL formulas and canonical P terms of type o.

123

8.2. ENCODING IN DEPENDENTLY TYPED -CALCULUS

Proposition 8.2.3 The map pq is compositional. More formally, consider ,


LTL formulas with propositional variables among X and a propositional variable
in X, then
p{/}q = pq{pq/x}
Proof. By induction on .
If = , p{/}q = pq = x {pq/x } = pq{pq/x }.
Consider the case = 1 2 , then, using the induction hypothesis for 1 and
2 , we have:
p(1 2 ){/}q = p1 {/} 2 {/}q =
= andp1 {/}qp2{/}q =
= andp1 q{pq/x }p2 q{pq/x } =
= (andp1 qp2 q){pq/x } = p1 2 q{pq/x }
The other cases are similar.

Even if rather obvious, the compositionality of pq is an important property. If it


would fail we hardly could represent generic proof rules and generic proofs. Assume
indeed we have an object M represting some formula with propositional variable
. We would expect to be able to represent the formula {/}, compositionality
says precisely that such formula is represented by the P object M{pNq/x }.
The syntax poses no difficulties (in particular we do not have to deal with higher
order operators), following the same approach pq can be extended also to formulas
of temporal logics described in Chapter 5.
With abuse of notation in the following we will also write px yq when x and
y are P terms of type o with the obvious meaning. The same convention will also
be used for the other syntactic objects for which we will define an encoding later.

8.2.2 Encoding Judgments

In order to encode judgments we extend the signature Σ_F with the family of world variables, the family of judgments and with constructors for the four kinds of judgments used in the natural deduction systems for temporal logics:

    w: type
    j: type

    R: w → w → j
    F: w → o → j

    S: w → w → j
    E: w → w → j

Assume given a function from the set of world variables to V_O that takes a world variable p to the λP variable y_p. Then we can define a map between LTL judgments and terms of type j as follows:

    ⌜p R q⌝ = R y_p y_q
    ⌜p R* q⌝ = S y_p y_q
    ⌜p = q⌝ = E y_p y_q
    ⌜p: φ⌝ = F y_p ⌜φ⌝

Given a set of world variables Y = {p1, p2, ..., pn}, we will denote with Γ_Y the λP environment {y_p1: w, y_p2: w, ..., y_pn: w}.
Again ⌜·⌝ is a compositional bijection between canonical λP terms of type j and LTL judgments, as stated by the two following propositions.

Proposition 8.2.4 Let X be a set of propositional variables and Y a set of world variables. Then we have the following.
If J is a judgment with propositional variables in X and world variables in Y, then Σ_F; Γ_X, Γ_Y ⊢ ⌜J⌝ ⇑ j.
Conversely, if Σ_F; Γ_X, Γ_Y ⊢ M ⇑ j, there exists an LTL judgment J with propositional variables in X and world variables in Y such that ⌜J⌝ = M.

Proof. We prove first that ⌜J⌝ ⇑ j. There are different cases according to the shape of J.
If J = p R q, or J = p R* q, or J = (p = q), clearly we have Σ_F; Γ_Y ⊢ ⌜J⌝ ⇑ j;
if J = p: φ, by Proposition 8.2.1 we have Σ_F; Γ_X ⊢ ⌜φ⌝ ⇑ o, and by definition of canonical term also Σ_F; Γ_X, Γ_Y ⊢ F y_p ⌜φ⌝ ⇑ j.
Conversely, proceed by induction on the derivation of Σ_F; Γ_Y, Γ_X ⊢ M ⇑ j. Since the only constructors for j are R, S, E and F, we have only one of the following cases:
M = R N1 N2 with Σ_F; Γ_X, Γ_Y ⊢ N1 ⇑ w and Σ_F; Γ_X, Γ_Y ⊢ N2 ⇑ w. Clearly both N1 and N2 must belong to Γ_Y, so that M = ⌜p R q⌝ for some p and q such that N1 = ⌜p⌝ and N2 = ⌜q⌝;
M = S N1 N2: as above, it must be M = ⌜p R* q⌝ for some p and q such that N1 = ⌜p⌝ and N2 = ⌜q⌝;
M = E N1 N2: as above, it must be M = ⌜p = q⌝ for some p and q such that N1 = ⌜p⌝ and N2 = ⌜q⌝;
M = F N1 N2 with Σ_F; Γ_X, Γ_Y ⊢ N1 ⇑ w and Σ_F; Γ_X, Γ_Y ⊢ N2 ⇑ o. Using Proposition 8.2.2 we immediately have N2 = ⌜φ⌝ for some φ, and M = ⌜p: φ⌝ for some p such that ⌜p⌝ = N1. □

Proposition 8.2.5 ⌜·⌝ is compositional with respect to both propositional variables and world variables.
More precisely, if X, Y are sets of propositional variables and world variables respectively, J is a judgment on X, Y, ψ is a formula on X, p, q are world variables and α a propositional variable, we have

    ⌜J{ψ/α}⌝ = ⌜J⌝{⌜ψ⌝/x_α}

    ⌜J{q/p}⌝ = ⌜J⌝{⌜q⌝/y_p}

Proof. For the first identity, in case J is relational there is nothing to prove, so assume J = p: φ. Then, using Proposition 8.2.3, we immediately have:

    ⌜J{ψ/α}⌝ = ⌜p: φ{ψ/α}⌝ = F y_p ⌜φ⌝{⌜ψ⌝/x_α} = ⌜J⌝{⌜ψ⌝/x_α}

For the second identity assume that J is of the form p0 R q0. Then we have

    ⌜(p0 R q0){q/p}⌝ = R ⌜p0{q/p}⌝ ⌜q0{q/p}⌝ = R (y_p0{⌜q⌝/y_p}) (y_q0{⌜q⌝/y_p}) = ⌜p0 R q0⌝{⌜q⌝/y_p}.

The remaining cases are similar. □

World variables resemble term variables in first order logic since they have their own sort and occur in judgments as term variables occur in formulas. There is, however, an important difference that makes the syntax of judgments much simpler to treat: there are no binders (at the level of judgments) for world variables.
With abuse of notation we will sometimes mix (within ⌜·⌝) λP variables representing world variables with world variables, and λP variables representing propositional variables with propositional variables.
This will permit us to gain in readability, writing for instance

    Πp: w. ΠA, B: o. T⌜p: A⌝ → T⌜p: B⌝ → T⌜p: A ∧ B⌝

instead of

    Πp: w. ΠA, B: o. T⌜p: A⌝ → T⌜p: B⌝ → T (F p (and A B))
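The maps of Sections 8.2.1 and 8.2.2, the inverses built in the proofs of Propositions 8.2.2 and 8.2.4, and the compositionality identities of Propositions 8.2.3 and 8.2.5, as an added Python illustration that is not part of the thesis. λP terms are represented first-order as tagged tuples (variables, constants and application spines), which is all the encoding of formulas and judgments needs; the variable names x_α and y_p follow the text, while the tuple representation, the class names, the arity tables and the sample formulas are assumptions of this example.

```python
"""Encoding LTL formulas and labelled judgments as lambda-P spines (Sections 8.2.1, 8.2.2).

Added example, not code from the thesis. Framework terms are first-order tuples:
('var', x), ('const', c) and ('app', head, [N1, ..., Nn]) for a spine c N1 ... Nn.
Variable names x_<alpha> and y_<p> follow the text; the class names, the arity
tables and the sample formulas below are assumptions of this example.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Var:            # propositional variable alpha
    name: str
@dataclass(frozen=True)
class Bot:            # bottom
    pass
@dataclass(frozen=True)
class Bin:            # op in {'and', 'or', 'imp'}
    op: str
    left: object
    right: object
@dataclass(frozen=True)
class Mod:            # op in {'next', 'box', 'dia'}
    op: str
    arg: object
@dataclass(frozen=True)
class Holds:          # labelled formula p: phi
    world: str
    formula: object
@dataclass(frozen=True)
class Rel:            # relational judgment; kind is the constructor R, S or E
    kind: str
    p: str
    q: str

SIG_O = {'bot': 0, 'and': 2, 'or': 2, 'imp': 2, 'next': 1, 'box': 1, 'dia': 1}  # constants ending in o
SIG_J = {'R': 2, 'S': 2, 'E': 2, 'F': 2}                                         # constants ending in j

def var(x): return ('var', x)
def const(c): return ('const', c)
def app(head, *args): return ('app', head, list(args)) if args else head

def encode(phi):
    """The map <.> on formulas."""
    if isinstance(phi, Var): return var('x_' + phi.name)
    if isinstance(phi, Bot): return const('bot')
    if isinstance(phi, Bin): return app(const(phi.op), encode(phi.left), encode(phi.right))
    return app(const(phi.op), encode(phi.arg))

def encode_j(J):
    """The map <.> on judgments: F y_p <phi>, R y_p y_q, S y_p y_q, E y_p y_q."""
    if isinstance(J, Holds): return app(const('F'), var('y_' + J.world), encode(J.formula))
    return app(const(J.kind), var('y_' + J.p), var('y_' + J.q))

def decode(t, X):
    """Inverse of encode on canonical terms of type o in Sigma_F; Gamma_X (Prop. 8.2.2).
    Raises ValueError when t is not such a term: wrong variable, wrong head, wrong arity."""
    if t[0] == 'var':
        if t[1].startswith('x_') and t[1][2:] in X: return Var(t[1][2:])
        raise ValueError('not a propositional variable of X: %r' % (t,))
    head, args = (t, []) if t[0] == 'const' else (t[1], t[2])
    if head[0] != 'const' or SIG_O.get(head[1]) != len(args):
        raise ValueError('not a canonical term of type o: %r' % (t,))
    c = head[1]
    if c == 'bot': return Bot()
    if SIG_O[c] == 1: return Mod(c, decode(args[0], X))
    return Bin(c, decode(args[0], X), decode(args[1], X))

def _world(t, Y):
    if t[0] == 'var' and t[1].startswith('y_') and t[1][2:] in Y: return t[1][2:]
    raise ValueError('not a world variable of Y: %r' % (t,))

def decode_j(t, X, Y):
    """Inverse of encode_j on canonical terms of type j (Prop. 8.2.4)."""
    if t[0] != 'app' or t[1][0] != 'const' or SIG_J.get(t[1][1]) != len(t[2]):
        raise ValueError('not a canonical term of type j: %r' % (t,))
    c, args = t[1][1], t[2]
    if c == 'F': return Holds(_world(args[0], Y), decode(args[1], X))
    return Rel(c, _world(args[0], Y), _world(args[1], Y))

def subst(t, x, N):
    """t{N/x} on binder-free framework terms."""
    if t[0] == 'var': return N if t[1] == x else t
    if t[0] == 'const': return t
    return ('app', subst(t[1], x, N), [subst(a, x, N) for a in t[2]])

def subst_formula(phi, alpha, psi):
    """phi{psi/alpha} on LTL formulas."""
    if isinstance(phi, Var): return psi if phi.name == alpha else phi
    if isinstance(phi, Bot): return phi
    if isinstance(phi, Bin):
        return Bin(phi.op, subst_formula(phi.left, alpha, psi), subst_formula(phi.right, alpha, psi))
    return Mod(phi.op, subst_formula(phi.arg, alpha, psi))

def compositional(phi, alpha, psi):
    """Proposition 8.2.3: <phi{psi/alpha}> equals <phi>{<psi>/x_alpha}."""
    return encode(subst_formula(phi, alpha, psi)) == subst(encode(phi), 'x_' + alpha, encode(psi))

def compositional_world(J, p, q):
    """Proposition 8.2.5, second identity: <J{q/p}> equals <J>{y_q/y_p}."""
    renamed = Holds(q if J.world == p else J.world, J.formula) if isinstance(J, Holds) \
        else Rel(J.kind, q if J.p == p else J.p, q if J.q == p else J.q)
    return encode_j(renamed) == subst(encode_j(J), 'y_' + p, var('y_' + q))

# Constructed sample inputs: box(a imp next b), (c and bottom), and the judgment p: box(...).
PHI = Mod('box', Bin('imp', Var('a'), Mod('next', Var('b'))))
PSI = Bin('and', Var('c'), Bot())
J = Holds('p', PHI)
```

decode is exactly the case analysis of the proof of Proposition 8.2.2: a canonical term of type o is either a variable x_α with α ∈ X or a spine whose head is a constant of Σ_F ending in o, applied to as many canonical arguments as its arity; anything else (a constant of type j at the head, a partial application, a variable outside Γ_X) is rejected rather than decoded.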

8.2.3 Encoding Provability

In order to encode deductions we extend the signature Σ_F with a dependent type family and with terms corresponding to the rules of the proof system.

Families for deductions

    T: j → type

Inhabitants of T⌜p: φ⌝ will be deductions of p: φ. Before defining how deductions are encoded we have to decide how to keep track of the set of open assumptions.
We assume that each judgment that is open in the deduction is labelled by a different symbol; we depict such a labelling using a superscript.
Let Γ = {J1^z1, ..., Jn^zn} be a set of assumptions (labelled with z1, ..., zn) with propositional variables in X and world variables in Y. We define ⌜Γ⌝ as the sequence {z1: T⌜J1⌝, ..., zn: T⌜Jn⌝}, where the elements of the sequence are arranged in a fixed arbitrary order (we can assume that the set of symbols labelling assumptions is endowed with such an order).
Clearly, in virtue of the exchange property of λP, the chosen order does not matter from the point of view of provability, and moreover, disregarding the chosen order, we have the following proposition.

Proposition 8.2.6 Given a set of assumptions Γ with propositional variables in X and world variables in Y, Σ_F; Γ_X, Γ_Y, ⌜Γ⌝ is a valid λP context.

Proof. Since Σ_F; Γ_X, Γ_Y is a valid context, it is sufficient to show that Σ_F; Γ_X, Γ_Y ⊢ T⌜J⌝: type for each J in Γ. This follows easily from Σ_F ⊢ T: j → type and Proposition 8.2.4. □

Deductions in NKLTL of G; Γ ⊢ p: φ will be encoded as λP objects of type T⌜p: φ⌝ under the context Σ_F; Γ_X, Γ_Y, ⌜G; Γ⌝, where X and Y are the sets of propositional variables and world variables, respectively, occurring in G; Γ ⊢ p: φ.
The axiom rule for NKLTL deductions is represented by means of the λP axiom rule, so that the trivial deduction (p: φ)^z is encoded as

    Σ_F; Γ_X, Γ_Y, z: T⌜p: φ⌝ ⊢ z: T⌜p: φ⌝.

In order to represent the other formation rules for NKLTL we extend the signature Σ_F with the objects listed in the following paragraphs.

Objects for propositional rules

    andI : Πp: w. ΠA, B: o. T⌜p: A⌝ → T⌜p: B⌝ → T⌜p: A ∧ B⌝
    andEl : Πp: w. ΠA, B: o. T⌜p: A ∧ B⌝ → T⌜p: A⌝
    andEr : Πp: w. ΠA, B: o. T⌜p: A ∧ B⌝ → T⌜p: B⌝
    orIl : Πp: w. ΠA, B: o. T⌜p: A⌝ → T⌜p: A ∨ B⌝
    orIr : Πp: w. ΠA, B: o. T⌜p: B⌝ → T⌜p: A ∨ B⌝
    orE : Πp: w. ΠA, B, C: o. T⌜p: A ∨ B⌝ → (T⌜p: A⌝ → T⌜p: C⌝) → (T⌜p: B⌝ → T⌜p: C⌝) → T⌜p: C⌝
    impI : Πp: w. ΠA, B: o. (T⌜p: A⌝ → T⌜p: B⌝) → T⌜p: A ⊃ B⌝
    impE : Πp: w. ΠA, B: o. T⌜p: A ⊃ B⌝ → T⌜p: A⌝ → T⌜p: B⌝
    botE : Πp, q: w. ΠA: o. (T⌜p: ¬A⌝ → T⌜q: bot⌝) → T⌜p: A⌝

The key idea here is that of viewing inference rules as proofs of higher order judgments (see [HHP93]). More precisely, two kinds of higher order judgments are used: hypothetical judgments, to represent premises of rules that discharge assumptions, and schematic judgments, to represent the genericity of proof rules.
These are the same objects that one obtains encoding ND-PROP; the only difference is given by the quantification over the world variable, which is necessary here since we deal with labelled formulas and not formulas.

Objects for modal rules

    nextI : Πp: w. ΠA: o. (Πq: w. T⌜p R q⌝ → T⌜q: A⌝) → T⌜p: ○A⌝
    nextE : Πp, q: w. ΠA: o. T⌜p: ○A⌝ → T⌜p R q⌝ → T⌜q: A⌝
    boxI : Πp: w. ΠA: o. (Πq: w. T⌜p R q⌝ → T⌜q: A⌝) → T⌜p: □A⌝
    boxE : Πp, q: w. ΠA: o. T⌜p: □A⌝ → T⌜p R q⌝ → T⌜q: A⌝
    diaI : Πp, q: w. ΠA: o. T⌜q: A⌝ → T⌜p R q⌝ → T⌜p: ◇A⌝
    diaE : Πp, q: w. ΠA, B: o. T⌜p: ◇A⌝ → (Πr: w. T⌜r: A⌝ → T⌜p R r⌝ → T⌜q: B⌝) → T⌜q: B⌝

Here the parallel between world variables and variables of predicate logic is quite clear. If one forgets about the relational part, the types of these objects are the same as the types of the terms representing quantifiers of ND-PRED. More precisely, nextI, boxI, nextE, boxE closely correspond to the terms encoding the universal quantifier of ND-PRED, and diaI, diaE closely correspond to the terms encoding the existential quantifier of ND-PRED.
It is worth noticing that there is another way to obtain (almost) the same rules. One could consider the first order translation of LTL and encode in λP the terms resulting from such a translation.
There is, however, an important difference between our approach and the approach sketched above. In the former we have a sort for LTL formulas and there is no way to exit from the syntax of LTL. In the latter we would only have first order formulas (some of which would be the encoding of an LTL formula) and we would need some external machinery in order to guarantee that the manipulated objects always represent LTL formulas.

Objects for relational rules

    relD : ΠA: o. Πp, q: w. (Πr: w. T⌜q R r⌝ → T⌜p: A⌝) → T⌜p: A⌝
    relT : ΠA: o. Πp, q: w. (T⌜q R q⌝ → T⌜p: A⌝) → T⌜p: A⌝
    rel4 : ΠA: o. Πp, q1, q2, q3: w. T⌜q1 R q2⌝ → T⌜q2 R q3⌝ → (T⌜q1 R q3⌝ → T⌜p: A⌝) → T⌜p: A⌝
    relI : ΠA: o. Πp, q, r: w. T⌜q R r⌝ → (T⌜q R r⌝ → T⌜p: A⌝) → T⌜p: A⌝
    relInd : ΠA: o. Πp, q: w. T⌜p R q⌝ → T⌜p: A⌝ → (Πr, s: w. T⌜p R r⌝ → T⌜r R s⌝ → T⌜r: A⌝ → T⌜s: A⌝) → T⌜q: A⌝
    relL : ΠA: o. Πq, p1, p2, p: w. T⌜q R p1⌝ → T⌜q R p2⌝ → (T⌜p1 R p2⌝ → T⌜p: A⌝) → T⌜p: A⌝
    relE1 : ΠA: o. Πp, q: w. (T⌜p = p⌝ → T⌜q: A⌝) → T⌜q: A⌝
    relE2 : ΠA: o. Πp1, p2, p3, q: w. T⌜p1 = p2⌝ → T⌜p3 = p2⌝ → (T⌜p1 = p3⌝ → T⌜q: A⌝) → T⌜q: A⌝

And finally, for each kind of judgment we have rules stating the substitutivity of equal world variables, for instance

    subst1 : ΠA: o. Πp, q: w. T⌜p = q⌝ → T⌜p: A⌝ → T⌜q: A⌝
    subst2 : ΠA: o. Πp1, p2, q, r: w. T⌜p1 = p2⌝ → T⌜p1 R q⌝ → (T⌜p2 R q⌝ → T⌜r: A⌝) → T⌜r: A⌝

The set of objects above immediately gives us an inductive encoding ⌜·⌝ from NKLTL deductions to λP terms. We spell out in detail some of the inductive clauses:

    if Δ is the trivial deduction (p: φ)^z, then ⌜Δ⌝ = z;

    if Δ ends with ∧I applied to Δ1, a deduction of p: φ, and Δ2, a deduction of p: ψ, then
        ⌜Δ⌝ = andI y_p ⌜φ⌝ ⌜ψ⌝ ⌜Δ1⌝ ⌜Δ2⌝;

    if Δ ends with ⊃I applied to a deduction Δ' of p: ψ, discharging the assumption (p: φ)^z, then
        ⌜Δ⌝ = impI y_p ⌜φ⌝ ⌜ψ⌝ (λz: T⌜p: φ⌝. ⌜Δ'⌝);

    if Δ ends with ○I applied to a deduction Δ' of q: φ, discharging the assumption (p R q)^z, then
        ⌜Δ⌝ = nextI y_p ⌜φ⌝ (λy_q: w. λz: T⌜p R q⌝. ⌜Δ'⌝);

    if Δ ends with ○E applied to a deduction Δ' of p: ○φ and to the assumption (p R q)^z, concluding q: φ, then
        ⌜Δ⌝ = nextE y_p y_q ⌜φ⌝ ⌜Δ'⌝ z;

    if Δ ends with ◇E applied to Δ1, a deduction of p: ◇φ, and to Δ2, a deduction of p0: ψ discharging the assumptions (q: φ)^z1 and (p R q)^z2, then
        ⌜Δ⌝ = diaE y_p y_p0 ⌜φ⌝ ⌜ψ⌝ ⌜Δ1⌝ (λy_q: w. λz1: T⌜q: φ⌝. λz2: T⌜p R q⌝. ⌜Δ2⌝);

    if Δ ends with the induction rule applied to the assumption (p R q)^z, to Δ1, a deduction of p: φ, and to Δ2, a deduction of p2: φ discharging the assumptions (p R p1)^z1, (p1 R p2)^z2 and (p1: φ)^z3, concluding q: φ, then
        ⌜Δ⌝ = relInd ⌜φ⌝ y_p y_q z ⌜Δ1⌝ (λy_p1, y_p2: w. λz1: T⌜p R p1⌝. λz2: T⌜p1 R p2⌝. λz3: T⌜p1: φ⌝. ⌜Δ2⌝).

Finally it can be seen that the proposed encoding is faithful.

Proposition 8.2.7 Let Δ be an NKLTL deduction of p: φ with open assumptions {J1^z1, ..., Jn^zn}. Let X be the set of propositional variables occurring in Δ and Y the set of world variables in Δ. Then we have

    Σ_F; Γ_X, Γ_Y, z1: T⌜J1⌝, ..., zn: T⌜Jn⌝ ⊢ ⌜Δ⌝ ⇑ T⌜p: φ⌝

Conversely, assume that for some λP term M we have

    Σ_F; Γ_X, Γ_Y, z1: T⌜J1⌝, ..., zk: T⌜Jk⌝ ⊢ M ⇑ T⌜p: φ⌝

for some p and φ. Then there exists an NKLTL deduction Δ of J1, ..., Jk ⊢ p: φ such that ⌜Δ⌝ = M.

Proof. Due to the number of objects in Σ_F the proof is quite lengthy and tedious, so we only sketch it and do not consider each possible rule occurring in Δ.
(⇒) To prove the first statement we proceed by induction on the definition of ⌜Δ⌝.
First observe that T⌜p: φ⌝ is an atomic type, so it is sufficient to prove

    Σ_F; Γ_X, Γ_Y, z1: T⌜J1⌝, ..., zn: T⌜Jn⌝ ⊢ ⌜Δ⌝ ⇓ T⌜p: φ⌝.

The base case is given by the trivial deduction, and we immediately have

    Σ_F; Γ_X, Γ_Y, z: T⌜p: φ⌝ ⊢ z ⇓ T⌜p: φ⌝,

since z is an atomic object of basic type.
In the remaining cases ⌜Δ⌝ will be of the form c N1 ... Nh, with c some object in Σ_F of arity h representing a proof rule and N1, ..., Nh, of types A1, ..., Ah respectively, the arguments of c.
Now, for any possible c, c is an atomic object of the type declared for it in Σ_F, so that by the rule for applications we have

    Σ_F; Γ_X, Γ_Y, z1: T⌜J1⌝, ..., zn: T⌜Jn⌝ ⊢ c N1 ... Nh ⇓ T⌜p: φ⌝

as soon as we show

    Σ_F; Γ_X, Γ_Y, z1: T⌜J1⌝, ..., zn: T⌜Jn⌝ ⊢ Ni ⇑ Ai

for each i ∈ [1 ... h].
By inspection of the objects in Σ_F we know that the only possibilities for Ni are the following:
Ni = ⌜Δ'⌝ for some subdeduction Δ' of Δ, and, applying the inductive hypothesis, we know that Ni is a canonical object;
Ni is the encoding of a world variable; then it must be a variable of atomic type w, hence a canonical object;
Ni is the encoding of an LTL formula; then, by 8.2.1, Ni is a canonical object of type o;
Ni is obtained by abstracting the encoding of a deduction over variables of atomic family (either w or o or T⌜J⌝ for some J). Again, by induction hypothesis, we can conclude that Ni is canonical.
(⇐) In order to prove the second statement we need to strengthen the assertion slightly: we prove that whenever

    Σ_F; Γ_X, Γ_Y, z1: T⌜J1⌝, ..., zk: T⌜Jk⌝ ⊢ M ⇑ T N

we have one of the following:
N = ⌜p: φ⌝ for some p and φ, and M = ⌜Δ⌝ for some deduction Δ of p: φ;
N = ⌜p R q⌝ for some p and q, and M = zi for some i;
N = ⌜p R* q⌝ for some p and q, and M = zi for some i;
N = ⌜p = q⌝ for some p and q, and M = zi for some i.
First, since T N is not of the form Πx: A.P, we must have

    Σ_F; Γ_X, Γ_Y, z1: T⌜J1⌝, ..., zk: T⌜Jk⌝ ⊢ M ⇓ T N.

Then the base case is given by M = z; in this case we must have z = zi for some i ∈ [1 ... k], and clearly M is either the encoding of a trivial deduction (p: φ)^z or the encoding of a relational assumption z: J.
If M is not a variable, since the only constants in Σ_F whose type ends with T⌜p: φ⌝ are those representing proof rules, it must be M = c N1 ... Nh with c some constant in Σ_F of arity h and

    Σ_F; Γ_X, Γ_Y, z1: T⌜J1⌝, ..., zk: T⌜Jk⌝ ⊢ Ni ⇑ Ai

for each i ∈ [1 ... h].
Now, by inspection of the types of the possible constants c, we know that Ai can only be one of the following:
o, and, by 8.2.2, Ni = ⌜ψ⌝ for some formula ψ;
w, and, since the only terms of type w are variables, Ni is the encoding of a world variable;
T⌜q: ψ⌝ for some q and ψ; in this case, by induction hypothesis, Ni = ⌜Δi⌝ for some deduction Δi of q: ψ;
T⌜J⌝ for some relational judgment J, and since the only terms of this type are variables, Ni = zl for some l ∈ [1 ... k];
Πz1: B1. ... Πzl: Bl. T B, where each Bi is a canonical family, so that Ni = λz1: B1. ... λzl: Bl. N'i with N'i ⇑ T B. Again by induction hypothesis, B = ⌜q: ψ⌝ for some q and ψ, and N'i is the encoding of a deduction of q: ψ.
Finally we obtain the deduction by applying the rule encoded by the constant c to the deductions encoded by its arguments. □

Observe that we have a bijection between NKLTL deductions of p: φ and canonical terms of type T⌜p: φ⌝. Instead, it is not true in general that each canonical term of type T J (with J: j) is the encoding of an NKLTL deduction. Indeed we have canonical objects of type T (R y_p y_q), but these do not encode any deduction.
Finally we show that the map ⌜·⌝ is compositional with respect to deductions, formulas and world variables.

Proposition 8.2.8 Let Δ be an NKLTL deduction of G; Γ ⊢ p: φ. Then we have the following:
for each pair of world variables r, s,

    ⌜Δ{s/r}⌝ = ⌜Δ⌝{y_s/y_r};

for each propositional variable α and for each LTL formula ψ,

    ⌜Δ{ψ/α}⌝ = ⌜Δ⌝{⌜ψ⌝/x_α};

for each assumption (q: ψ)^z in Γ and for each deduction Δ0 of q: ψ,

    ⌜Δ{Δ0/z}⌝ = ⌜Δ⌝{⌜Δ0⌝/z}.

Proof. The proof is simple but quite long, due to the great number of proof rules. For the sake of conciseness we consider only the last statement and sketch briefly the possible cases.
We proceed by induction on the deduction Δ.
The base case is given by the trivial deduction; in this case ⌜Δ⌝ = z' and we have two possibilities. Either z' = z and ⌜Δ{Δ0/z}⌝ = ⌜Δ0⌝, or z' ≠ z and clearly ⌜Δ{Δ0/z}⌝ = z'. In either case the statement follows easily.
Assume Δ is obtained by the application of rule (ρ) to deductions Δ1, ..., Δk. Then Δ{Δ0/z} is obtained by applying rule (ρ) to deductions Δ1{Δ0/z}, ..., Δk{Δ0/z}.
By definition of ⌜·⌝ we have ⌜Δ{Δ0/z}⌝ = c N1 ... Nh and ⌜Δ⌝ = c M1 ... Mh, where each Ml and Nl is either the encoding of a formula, or the encoding of a world variable, or the encoding of some deductions Δi and Δi{Δ0/z} respectively.
Now, if Nl = ⌜Δi{Δ0/z}⌝, applying the inductive hypothesis we immediately have Nl = ⌜Δi⌝{⌜Δ0⌝/z} = Ml{⌜Δ0⌝/z}.
In any other case, since no proof variable may occur in the terms encoding formulas and world variables, we have Nl = Ml = Ml{⌜Δ0⌝/z}.
Concluding,

    ⌜Δ{Δ0/z}⌝ = c N1 ... Nh = c M1{⌜Δ0⌝/z} ... Mh{⌜Δ0⌝/z} = (c M1 ... Mh){⌜Δ0⌝/z} = ⌜Δ⌝{⌜Δ0⌝/z}. □
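A checker for the canonical and atomic object judgments given at the start of this chapter, run on encoded deductions built from the rule objects of Section 8.2.3, as an added Python illustration that is not part of the thesis or of any logical-framework implementation. It exercises the first half of Proposition 8.2.7 on two concrete deductions (one propositional, discharging an assumption through impI; one temporal, abstracting a fresh world and a discharged relational assumption through nextI) and shows the framework's type checker rejecting a deduction whose ○E step is applied at the wrong world, which is the proof-checking-as-type-checking point of the chapter. The tuple syntax, the helper names, the Barendregt convention on bound names and the fact that the signature's kinds are trusted rather than re-checked are assumptions of this example; the signature covers only the constants the samples use.

```python
"""Checking encoded NKLTL deductions with the canonical/atomic rules of lambda-P.

Added example, not code from the thesis. One tuple syntax serves objects, families and kinds:
    ('type',)  ('const', c)  ('var', x)  ('app', M, N)  ('lam', x, A, M)  ('pi', x, A, B)
Assumptions: bound names never clash with free names (so subst needs no renaming),
the kinds recorded in SIG are trusted rather than re-checked, and SIG lists only the
constants used by the sample deductions.
"""

def V(x): return ('var', x)
def C(c): return ('const', c)
def pi(x, A, B): return ('pi', x, A, B)
def arr(A, B): return pi('_', A, B)            # A -> B as a vacuous Pi
def lam(x, A, M): return ('lam', x, A, M)
def ap(h, *args):                               # spine h N1 ... Nn, left nested
    for a in args:
        h = ('app', h, a)
    return h

TYPE, o, w, j = ('type',), C('o'), C('w'), C('j')
def T(J): return ap(C('T'), J)                  # T <J>
def F(p, A): return ap(C('F'), p, A)            # <p: A>
def R(p, q): return ap(C('R'), p, q)            # <p R q>
def AND(A, B): return ap(C('and'), A, B)
p, q, A, B = V('p'), V('q'), V('A'), V('B')     # schematic variables of the rule objects

SIG = {
    'o': TYPE, 'w': TYPE, 'j': TYPE, 'T': arr(j, TYPE),
    'bot': o, 'and': arr(o, arr(o, o)), 'imp': arr(o, arr(o, o)), 'next': arr(o, o),
    'F': arr(w, arr(o, j)), 'R': arr(w, arr(w, j)),
    'andI':  pi('p', w, pi('A', o, pi('B', o, arr(T(F(p, A)), arr(T(F(p, B)), T(F(p, AND(A, B)))))))),
    'andEl': pi('p', w, pi('A', o, pi('B', o, arr(T(F(p, AND(A, B))), T(F(p, A)))))),
    'andEr': pi('p', w, pi('A', o, pi('B', o, arr(T(F(p, AND(A, B))), T(F(p, B)))))),
    'impI':  pi('p', w, pi('A', o, pi('B', o, arr(arr(T(F(p, A)), T(F(p, B))), T(F(p, ap(C('imp'), A, B))))))),
    'nextI': pi('p', w, pi('A', o, arr(pi('q', w, arr(T(R(p, q)), T(F(q, A)))), T(F(p, ap(C('next'), A)))))),
    'nextE': pi('p', w, pi('q', w, pi('A', o, arr(T(F(p, ap(C('next'), A))), arr(T(R(p, q)), T(F(q, A))))))),
}

def subst(t, x, N):
    """t{N/x}, relying on the distinct-bound-names assumption."""
    if t[0] == 'var':
        return N if t[1] == x else t
    if t[0] == 'app':
        return ('app', subst(t[1], x, N), subst(t[2], x, N))
    if t[0] in ('lam', 'pi') and t[1] != x:
        return (t[0], t[1], subst(t[2], x, N), subst(t[3], x, N))
    return t

def alpha_eq(a, b):
    """Equality of canonical terms up to renaming of bound variables."""
    if a[0] != b[0]:
        return False
    if a[0] == 'app':
        return alpha_eq(a[1], b[1]) and alpha_eq(a[2], b[2])
    if a[0] in ('lam', 'pi'):
        return alpha_eq(a[2], b[2]) and alpha_eq(a[3], subst(b[3], b[1], V(a[1])))
    return a == b

def infer(ctx, M):
    """Atomic objects: variables, constants and applications (M atomic of the returned type)."""
    if M[0] == 'var':
        return ctx[M[1]]                        # KeyError for an unbound variable
    if M[0] == 'const':
        return SIG[M[1]]
    if M[0] == 'app':
        fty = infer(ctx, M[1])
        if fty[0] != 'pi':
            raise TypeError('head of application is not of Pi type')
        check(ctx, M[2], fty[2])                # the argument is canonical of the domain
        return subst(fty[3], fty[1], M[2])      # B{N/x}
    raise TypeError('a lambda is not an atomic object')

def check(ctx, M, A):
    """Canonical objects: lambdas against Pi types, atomic objects at basic types."""
    if M[0] == 'lam':
        if A[0] != 'pi' or not alpha_eq(M[2], A[2]):
            raise TypeError('lambda abstraction against a non-matching type')
        check({**ctx, M[1]: M[2]}, M[3], subst(A[3], A[1], V(M[1])))
        return
    if A[0] == 'pi':
        raise TypeError('a canonical object of Pi type must be a lambda')
    got = infer(ctx, M)
    if not alpha_eq(got, A):
        raise TypeError('expected %r, found %r' % (A, got))

def checks(ctx, M, A):
    """True when M is a canonical object of type A in context ctx."""
    try:
        check(ctx, M, A)
        return True
    except (TypeError, KeyError):
        return False

# Constructed sample context: propositional variables a, b and a world p (Gamma_X, Gamma_Y).
CTX = {'x_a': o, 'x_b': o, 'y_p': w}
a, b, yp, yq = V('x_a'), V('x_b'), V('y_p'), V('y_q')
AB = AND(a, b)

# <Delta1>: deduction of p: (a and b) imp (b and a), discharging (p: a and b)^h through impI.
DELTA1 = ap(C('impI'), yp, AB, AND(b, a),
            lam('h', T(F(yp, AB)),
                ap(C('andI'), yp, b, a,
                   ap(C('andEr'), yp, a, b, V('h')),
                   ap(C('andEl'), yp, a, b, V('h')))))
GOAL1 = T(F(yp, ap(C('imp'), AB, AND(b, a))))

# <Delta2>: from the open assumption h of p: next(a and b), derive p: next a.
# The nextI premise abstracts the fresh world q and the discharged (p R q)^z.
CTX2 = {**CTX, 'h': T(F(yp, ap(C('next'), AB)))}
DELTA2 = ap(C('nextI'), yp, a,
            lam('y_q', w, lam('z', T(R(yp, yq)),
                ap(C('andEl'), yq, a, b,
                   ap(C('nextE'), yp, yq, AB, V('h'), V('z'))))))
GOAL2 = T(F(yp, ap(C('next'), a)))

# Malformed: nextE instantiated at p twice, so z: T<p R q> does not fit the expected T<p R p>.
BAD = ap(C('nextI'), yp, a,
         lam('y_q', w, lam('z', T(R(yp, yq)),
             ap(C('andEl'), yp, a, b,
                ap(C('nextE'), yp, yp, AB, V('h'), V('z'))))))
```

Because the arguments of a rule object are instantiated by substitution into its Π-type, the world labels of the conclusion are forced by those of the premises: the checker does not need to know anything about LTL, and an ill-labelled step fails in exactly the way a wrongly applied rule would fail in NKLTL.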

Bibliography

[ADH+98] H. Abelson, R. K. Dybvig, C. T. Haynes, G. J. Rozas, N. I. Adams IV, D. P. Friedman, E. Kohlbecker, G. L. Steele Jr., D. H. Bartley, R. Halstead, D. Oxley, G. J. Sussman, G. Brooks, C. Hanson, K. M. Pitman, and M. Wand. Revised⁵ report on the algorithmic language Scheme. Higher-Order and Symbolic Computation, 11(1):7–105, 1998.

[Bar91] H. P. Barendregt. The Lambda Calculus. Number 103 in Studies in Logic and the Foundations of Mathematics. North-Holland, Amsterdam, 1991.

[Bar92] Henk P. Barendregt. Lambda calculi with types. In S. Abramsky, D. Gabbay, and T. S. E. Maibaum, editors, Handbook of Logic in Computer Science, volume 2, chapter 2, pages 117–309. Oxford University Press, 1992.

[BC93] D. A. Basin and R. Constable. Metalogical frameworks. In G. Huet and G. Plotkin, editors, Logical Environments, pages 1–29. Cambridge University Press, 1993.

[Ber90] S. Berardi. Type Dependence and Constructive Mathematics. PhD thesis, Dipartimento di Matematica, Università di Torino, Italy, 1990.

[BMV96a] David Basin, Sean Matthews, and Luca Viganò. Implementing modal and relevance logics in a logical framework. In L. C. Aiello, J. Doyle, and S. C. Shapiro, editors, Proceedings of the Fifth International Conference on Knowledge Representation and Reasoning (KR'96), pages 386–397. Morgan Kaufmann Publishers, 1996.

[BMV96b] David Basin, Sean Matthews, and Luca Viganò. A topography of labelled modal logics. In F. Baader and K. U. Schulz, editors, Proceedings of the First International Workshop on Frontiers of Combining Systems (FroCoS'96), pages 75–92. Kluwer Academic Publishers, 1996.

[BMV97a] David Basin, Sean Matthews, and Luca Viganò. Labelled propositional modal logics: Theory and practice. Journal of Logic and Computation, 7(6):685–717, 1997.

[BMV97b] David Basin, Sean Matthews, and Luca Viganò. Labelled quantified modal logics. In G. Brewka, C. Habel, and B. Nebel, editors, Proceedings of the 21st German Annual Conference on Artificial Intelligence (KI'97), pages 171–182. Springer-Verlag LNAI 1303, 1997.

[BMV98a] David Basin, Sean Matthews, and Luca Viganò. Labelled modal logic: Quantifiers. Journal of Logic, Language, and Information, 7(3):237–263, 1998.

[BMV98b] David Basin, Sean Matthews, and Luca Viganò. A modular presentation of modal logics in a logical framework. In The Tbilisi Symposium on Language, Logic and Computation: Selected Papers. CSLI Publications, 1998.

[CES86] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263, 1986.

[Che90] B. F. Chellas. Modal Logic: An Introduction. Cambridge University Press, 1990.

[Dan96] Olivier Danvy. Type-directed partial evaluation. In Conference Record of POPL'96: 23rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 242–257, St. Petersburg Beach, Florida, 1996.

[Dav96] Rowan Davies. A temporal-logic approach to binding-time analysis. In Proceedings, 11th Annual IEEE Symposium on Logic in Computer Science, pages 184–195, New Brunswick, New Jersey, 1996. IEEE Computer Society Press.

[DP96] Rowan Davies and Frank Pfenning. A modal analysis of staged computation. In Conference Record of POPL'96: The 23rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, St. Petersburg Beach, Florida, 1996.

[DP99] Rowan Davies and Frank Pfenning. A modal analysis of staged computation. Technical Report CMU-CS-99-153, Computer Science Department, Carnegie Mellon University, 1999.

[DPar] Rowan Davies and Frank Pfenning. A modal analysis of staged computation. Journal of the ACM, to appear.

[Eme90] E. Allen Emerson. Temporal and modal logic. In Jan van Leeuwen, editor, Handbook of Theoretical Computer Science, Volume B: Formal Models and Semantics, pages 995–1072. Elsevier Science Publishers, Amsterdam, The Netherlands, 1990.

[Gab97] Dov M. Gabbay. Labelled Deductive Systems. Number 33 in Oxford Logic Guides. Oxford University Press, 1997.

[Gen69] Gerhard Gentzen. Investigations into logical deduction (1935). In M. E. Szabo, editor, The Collected Papers of Gerhard Gentzen, pages 68–131. North-Holland Publishing Co., Amsterdam, 1969.

[Geu92] Herman Geuvers. The Church-Rosser property for βη-reduction in typed λ-calculi. In A. Scedrov, editor, Seventh Annual IEEE Symposium on Logic in Computer Science, pages 453–460, Santa Cruz, California, 1992.

[GHR94] Dov M. Gabbay, Ian Hodkinson, and Mark Reynolds. Temporal Logic, Vol. 1. The Clarendon Press, Oxford University Press, New York, 1994.

[Gir87] Jean-Yves Girard. Proof Theory and Logical Complexity. Bibliopolis, Napoli, 1987.

[Gir89] Jean-Yves Girard. Proofs and Types, volume 7 of Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1989.

[GJ97] Robert Glück and Jesper Jørgensen. An automatic program generator for multi-level specialization. Lisp and Symbolic Computation, 10(2):113–158, 1997.

[Gun92] Carl A. Gunter. Semantics of Programming Languages: Structures and Techniques. Foundations of Computing. MIT Press, 1992.

[HC84] G. E. Hughes and M. J. Cresswell. A Companion to Modal Logic. Methuen & Co. Ltd., London, 1984.

[HHP93] Robert Harper, Furio Honsell, and Gordon Plotkin. A framework for defining logics. Journal of the Association for Computing Machinery, 40(1):143–184, 1993.

[Hin97] J. Roger Hindley. Basic Simple Type Theory, volume 42 of Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, Cambridge, UK, 1997.

[How80] William A. Howard. The formulae-as-types notion of construction. In Jonathan P. Seldin and J. Roger Hindley, editors, To H. B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, pages 479–490. Academic Press, London, 1980.

[Lam94] L. Lamport. The temporal logic of actions. ACM Transactions on Programming Languages and Systems, 16(3):872–923, 1994.

[Lem77] E. J. Lemmon. The "Lemmon Notes": An Introduction to Modal Logic. Basil Blackwell, Oxford, 1977.

[Mas96] Andrea Masini. A computational interpretation of modal proofs. In P. Odifreddi, editor, Proof Theory of Modal Logic, pages 213–241. Kluwer Academic Publishers, Netherlands, 1996.

[Mic97] M. Miculan. Encoding Logical Theories of Programs. PhD thesis, Dipartimento di Informatica, Università di Pisa, Pisa, Italia, 1997.

[Min00] Gregory Mints. Reduction of finite and infinite derivations. In Proceedings of the Workshop on Proof Theory and Complexity (PTAC'98), volume 13 of Annals of Pure and Applied Logic, pages 167–188. Elsevier Science, 2000.

[MTES99] E. Moggi, W. Taha, Z. El-Abidine Benaissa, and T. Sheard. An idealized MetaML: Simpler, and more expressive. Volume 1576 of Lecture Notes in Computer Science, pages 193–207. Springer-Verlag, 1999.

[Pfe96] Frank Pfenning. The practice of logical frameworks. In Hélène Kirchner, editor, Proceedings of the Colloquium on Trees in Algebra and Programming, pages 119–134, Linköping, Sweden, 1996. Springer-Verlag LNCS 1059.

[Pfe99] Frank Pfenning. Logical frameworks. In Alan Robinson and Andrei Voronkov, editors, Handbook of Automated Reasoning. Elsevier Science Publishers, 1999. In preparation.

[Pnu77] Amir Pnueli. The temporal logic of programs. In 18th Annual Symposium on Foundations of Computer Science, pages 46–57. IEEE Computer Society, Long Beach, California, 1977.

[Pnu97] Amir Pnueli. The temporal logic of programs. Technical Report CS97-14, Weizmann Institute of Science, Faculty of Mathematics and Computer Science, 1997.

[Pra65] Dag Prawitz. Natural Deduction. Almqvist & Wiksell, Stockholm, 1965.

[Pri68] Arthur N. Prior. Papers on Time and Tense. Oxford University Press, Oxford, 1968.

[PW95] Frank Pfenning and Hao-Chi Wong. On a modal λ-calculus for S4. In S. Brookes and M. Main, editors, Proceedings of the Eleventh Conference on Mathematical Foundations of Programming Semantics, volume 1 of Electronic Notes in Theoretical Computer Science, New Orleans, Louisiana, 1995.

[Sch77] Helmut Schwichtenberg. Proof theory: Some applications of cut-elimination. In J. Barwise, editor, Handbook of Mathematical Logic, volume 90 of Studies in Logic and the Foundations of Mathematics, chapter D.2, pages 867–895. North-Holland, Amsterdam, 1977.

[Sho67] Joseph R. Shoenfield. Mathematical Logic. Addison-Wesley Series in Logic. Addison-Wesley, 1967.

[Sim94] Alex K. Simpson. The Proof Theory and Semantics of Intuitionistic Modal Logic. PhD thesis CST-114-94, Laboratory for Foundations of Computer Science, Dept. of Computer Science, Univ. of Edinburgh, 1994.

[Stå91] Gunnar Stålmarck. Normalization theorems for full first order classical natural deduction. The Journal of Symbolic Logic, 56(1):129–149, 1991.

[Sti92] Colin Stirling. Modal and temporal logics. In S. Abramsky, Dov M. Gabbay, and T. S. E. Maibaum, editors, Handbook of Logic in Computer Science, Volume 2: Background: Computational Structures, pages 477–563. Oxford University Press, 1992.

[Sus82] Gerald Jay Sussman. LISP, Programming and Implementation. Cambridge University Press, London, 1982.

[Tak87] Gaisi Takeuti. Proof Theory. North-Holland Publishing Co., Amsterdam, second edition, 1987.

[TS96] Anne S. Troelstra and Helmut Schwichtenberg. Basic Proof Theory. Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1996.

[TS00] Walid Taha and Tim Sheard. MetaML and multi-stage programming with explicit annotations. Theoretical Computer Science, 248(1–2):211–242, 2000.

[TvD88] A. S. Troelstra and D. van Dalen. Constructivism in Mathematics, volume 2 of Studies in Logic and the Foundations of Mathematics. North-Holland, Amsterdam, 1988.

[van84] Johan van Benthem. Correspondence theory. In D. Gabbay and F. Guenthner, editors, Handbook of Philosophical Logic, Volume II: Extensions of Classical Logic, volume 165 of Synthese Library, chapter II.4, pages 167–247. D. Reidel Publishing Co., Dordrecht, 1984.

[vB83] J. van Benthem. Modal Logic and Classical Logic, volume 3 of Monographs in Philosophical Logic and Formal Linguistics. Bibliopolis, Naples, 1983.

[Vig97] Luca Viganò. A Framework for Non-Classical Logics. PhD thesis, Universität des Saarlandes, 1997.

[WLPD98] Philip Wickline, Peter Lee, Frank Pfenning, and Rowan Davies. Modal types as staging specifications for run-time code generation. ACM Computing Surveys, 30(3es), 1998.
