Clausal Resolution for CTL*


Alexander Bolotov, Clare Dixon and Michael Fisher

Department of Computing and Mathematics, Manchester Metropolitan University, Manchester M1 5GD, U.K. {A.Bolotov,C.Dixon,M.Fisher}@doc.mmu.ac.uk

Abstract. In this paper we consider proof techniques for branching-time temporal logics. While a considerable amount of research has been carried out regarding the relationship between finite automata and such logics, practical proof techniques for such logics have received relatively little attention. Recently, however, several applications requiring refined proof methods for branching-time temporal logics have appeared, most notably the specification and verification of multi-agent systems. Thus, here we extend our clausal resolution method for linear-time temporal logics to a branching-time framework, in particular to the powerful CTL* logic. The key elements of the resolution method, namely the normal form, the concept of step resolution and a novel temporal resolution rule, are introduced, justified, and applied.

1 Introduction

A proof method based upon clausal resolution has been developed for linear discrete temporal logics [10] and has been shown to be particularly amenable to efficient implementation [6]. It is based upon a normal form that can potentially represent a range of temporal logics, utilising a variety of model structures [11]. For example, in [4] we extended the resolution method to the (comparatively simple) branching time temporal logic CTL [5].

We here consider the extension of this approach to the more powerful branching-time logic CTL* that is now being applied, for example, within the specification and verification of multi-agent systems [15]. The key elements of the method, namely the normal form, the concept of step resolution and the form of the temporal resolution rule, are introduced and justified with respect to CTL*.

Our approach follows the observation that, as the branching structures characterised by CTL* consist of a set of linear paths, we can use our linear-time temporal resolution along a given path, while using an additional mechanism in order to cope with resolution between paths. This is achieved by extending the normal form so that each temporal formula is labelled with an index identifying the path on which it is relevant. Thus, resolution can only be carried out between two formulae if their indices ‘match’.

The structure of this paper is as follows. In §2 we briefly outline the syntax and semantics of CTL*. In §3 we define a normal form used for CTL* formulae, introducing the notion of indices and providing the context over which the linear-time operators range. In §3.1 the interpretation of such indexed formulae is given. Then in §3.2 we describe the algorithm to transform arbitrary CTL* formulae into the normal form, and

in §§3.3-3.6 we present the range of transformation rules. An example of the transformation of a CTL* formula to its normal form is given in §3.7. In §4 we introduce a resolution method and the range of resolution rules. In §4.5 we give an example of the resolution refutation. Correctness arguments are outlined in §5. Finally, in §6, we provide concluding remarks and discuss future work.

2 Full Computation Tree Logic — CTL*

The syntax of CTL* distinguishes state (S) and path (P) formulae. These are defined inductively as follows.

$$S ::= C \mid \mathbf{true} \mid \mathbf{false} \mid S \wedge S \mid S \vee S \mid S \Rightarrow S \mid \neg S \mid \mathsf{A}P \mid \mathsf{E}P$$

$$P ::= S \mid P \wedge P \mid P \vee P \mid P \Rightarrow P \mid \neg P \mid \Box P \mid \Diamond P \mid \bigcirc P \mid P\,\mathcal{U}\,P \mid P\,\mathcal{W}\,P$$

Here, $C$ is any well-formed formula of propositional logic, $\mathbf{true}$ and $\mathbf{false}$ are constants, $\mathsf{A}$ (‘on all future paths starting here’) and $\mathsf{E}$ (‘on some future path starting here’) are branching-time path operators, and $\Box$ (‘always in the future’), $\Diamond$ (‘at some time in the future’), $\bigcirc$ (‘at the next moment in time’), $\mathcal{U}$ (‘until’), and $\mathcal{W}$ (‘unless’) are linear-time temporal operators. Thus, the very expressive language of CTL* allows us to represent such complex properties as $\mathsf{A}\Diamond(\bigcirc B \wedge \mathsf{E}\bigcirc\neg B)$.

Following [8], we interpret a well-formed formula of CTL* in a tree-like model structure $M = \langle S, R, L\rangle$, where $S$ is a set of states, $R \subseteq S \times S$ is a binary relation over $S$ such that there is a state $s_0$ which is the root of the structure’s tree (i.e. $\forall j.\ \langle s_j, s_0\rangle \notin R$) and every state has at least one successor (i.e. $\forall i.\ \exists j.\ \langle s_i, s_j\rangle \in R$), and $L$ is an interpretation function mapping atomic propositional symbols to truth values at each state.

Before continuing with the semantics of CTL* we first introduce some notation. A path, $\chi_{s_i}$, over $R$, is a sequence of states $s_i, s_{i+1}, s_{i+2}, \ldots, s_{i+n}, \ldots$ such that $\forall j \geq i.\ (s_j, s_{j+1}) \in R$. A path $\chi_{s_0}$ is called a fullpath. Given a path $\chi_{s_i}$ and a state $s_j \in \chi_{s_i}$, $i < j$, we term an infinite sub-sequence $s_j, s_{j+1}, s_{j+2}, \ldots$ ($s_{j+k} \in \chi_{s_i}$, for $k = 0, 1, \ldots$) a suffix of the path $\chi_{s_i}$, abbreviating it with $\mathit{Suf}(\chi_{s_i}, s_j)$. We can now give, in Figure 1, the definition of the satisfaction relation ‘$\models$’.

Definition 1 (Satisfiability). A well-formed formula, $B$, is satisfiable if, and only if, there exists a model structure $M$ such that $\langle M, s_0\rangle \models B$.

Definition 2 (Validity). A well-formed formula, $B$, is valid if, and only if, $B$ is satisfied in every possible model, i.e. for each model structure $M$, $\langle M, s_0\rangle \models B$.

Note that the CTL* semantics above requires that, when interpreting atomic formulae on some path $\chi_{s_i}$, we are referring to the behaviour in the first state $s_i$ of this path. This causes the failure of the substitution principle for proposition symbols and hence induces some restrictions on the renaming procedure which plays a significant role in our resolution method. Further, note that in [9] it was shown that any CTL* formula $G$ can be transformed to a particular form $G'$ where the nesting of path quantifiers is at most 2 and where $\models G'$ iff $\models G$. This is achieved by repeatedly renaming the state subformulae of $G$. We later utilize this property in transforming formulae (§3.2).

$\langle M, s_i\rangle \models p$ iff $p \in L(s_i)$, for atomic $p$
$\langle M, s_i\rangle \models \neg A$ iff $\langle M, s_i\rangle \not\models A$
$\langle M, s_i\rangle \models A \wedge B$ iff $\langle M, s_i\rangle \models A$ and $\langle M, s_i\rangle \models B$
$\langle M, s_i\rangle \models A \vee B$ iff $\langle M, s_i\rangle \models A$ or $\langle M, s_i\rangle \models B$
$\langle M, s_i\rangle \models A \Rightarrow B$ iff $\langle M, s_i\rangle \not\models A$ or $\langle M, s_i\rangle \models B$
$\langle M, s_i\rangle \models \mathsf{A}B$ iff for each $\chi_{s_i}$, $\langle M, \chi_{s_i}\rangle \models B$
$\langle M, s_i\rangle \models \mathsf{E}B$ iff there exists $\chi_{s_i}$ such that $\langle M, \chi_{s_i}\rangle \models B$
$\langle M, \chi_{s_i}\rangle \models A$ iff $\langle M, s_i\rangle \models A$, for state formula $A$
$\langle M, \chi_{s_i}\rangle \models \neg A$ iff $\langle M, \chi_{s_i}\rangle \not\models A$
$\langle M, \chi_{s_i}\rangle \models A \wedge B$ iff $\langle M, \chi_{s_i}\rangle \models A$ and $\langle M, \chi_{s_i}\rangle \models B$
$\langle M, \chi_{s_i}\rangle \models A \vee B$ iff $\langle M, \chi_{s_i}\rangle \models A$ or $\langle M, \chi_{s_i}\rangle \models B$
$\langle M, \chi_{s_i}\rangle \models A \Rightarrow B$ iff $\langle M, \chi_{s_i}\rangle \not\models A$ or $\langle M, \chi_{s_i}\rangle \models B$
$\langle M, \chi_{s_i}\rangle \models \Box B$ iff for each $s_j \in \chi_{s_i}$, if $i \leq j$ then $\langle M, \mathit{Suf}(\chi_{s_i}, s_j)\rangle \models B$
$\langle M, \chi_{s_i}\rangle \models \Diamond B$ iff there exists $s_j \in \chi_{s_i}$ such that $i \leq j$ and $\langle M, \mathit{Suf}(\chi_{s_i}, s_j)\rangle \models B$
$\langle M, \chi_{s_i}\rangle \models \bigcirc B$ iff $\langle M, \mathit{Suf}(\chi_{s_i}, s_{i+1})\rangle \models B$
$\langle M, \chi_{s_i}\rangle \models A\,\mathcal{U}\,B$ iff there exists $s_j \in \chi_{s_i}$ such that $i \leq j$ and $\langle M, \mathit{Suf}(\chi_{s_i}, s_j)\rangle \models B$ and for each $s_k \in \chi_{s_i}$, if $i \leq k < j$ then $\langle M, \mathit{Suf}(\chi_{s_i}, s_k)\rangle \models A$
$\langle M, \chi_{s_i}\rangle \models A\,\mathcal{W}\,B$ iff $\langle M, \chi_{s_i}\rangle \models \Box A$ or $\langle M, \chi_{s_i}\rangle \models A\,\mathcal{U}\,B$

Fig. 1. CTL* semantics

3 Normal Form for CTL*

The normal form we use for CTL* is called $\mathrm{SNF}_{\mathrm{CTL}^*}$. To define $\mathrm{SNF}_{\mathrm{CTL}^*}$, we must extend the CTL* language slightly. Firstly, we introduce a new constant $\mathbf{start}$: $\langle M, s_i\rangle \models \mathbf{start}$ iff $i = 0$. Secondly, we introduce indices in order to express the path context of a temporal formula. In general, the index of a formula will tell us whether we can reason about this formula in the context of all paths (any arbitrary path) or in the context of some specific path. Indices are based on the two sets $\mathrm{VAR} = \{\alpha, \beta, \gamma, \ldots\}$ representing “path variables” and $\mathrm{FUN} = \{f, g, h, \ldots\}$ representing unary path functions. The set of path expressions, $\mathrm{IND}$, is made up from members of $\mathrm{VAR}$ and expressions of the form $f(\alpha)$, where $f \in \mathrm{FUN}$ and $\alpha \in \mathrm{VAR}$. Note that indices of the form $f(g(\alpha))$ can not be obtained as part of our transformation procedure (see §3.8). We will also see later (§3.4) that path expressions of the type $f(\alpha)$ appear due to the removal of the $\mathsf{E}$ quantifier and play a similar role to the Skolem functions in predicate logic. A formula in $\mathrm{SNF}_{\mathrm{CTL}^*}$ is of the form

$$\mathsf{A}\Box\bigwedge_{i=1}^{n}(P_i \Rightarrow F_i)$$

where each “$P_i \Rightarrow F_i$” (called a rule) is further restricted to be one of the following:

$\mathbf{start} \Rightarrow \bigvee_{k=1}^{l} q_k$ (an initial rule)

$\bigwedge_{j=1}^{m} p_j\langle\mathit{var}\rangle \Rightarrow \bigcirc\bigvee_{k=1}^{l} q_k\langle\mathit{ind}\rangle$ (a step rule)

$\bigwedge_{j=1}^{m} p_j\langle\mathit{var}\rangle \Rightarrow \Diamond l\langle\mathit{ind}\rangle$ (a sometime rule)

Note that $p_j$, $q_k$ and $l$ are literals, $\langle\mathit{var}\rangle$ and $\langle\mathit{ind}\rangle$ are indices providing the path context for the rules, $\langle\mathit{var}\rangle \in \mathrm{VAR}$, and $\langle\mathit{ind}\rangle \in \mathrm{IND}$. Note also that, in an indexed formula such as $C\langle\mathit{ind}_1\rangle$, the index $\langle\mathit{ind}_1\rangle$ relates to the whole formula $C$.

3.1 Interpreting Indexed Formulae

Any $\mathrm{SNF}_{\mathrm{CTL}^*}$ rule can be interpreted as a constraint upon the branching structure (remembering that $\mathrm{SNF}_{\mathrm{CTL}^*}$ rules are in the scope of an implicit ‘$\mathsf{A}\Box$’). As a simple example, consider the set of rules $\{\mathbf{start} \Rightarrow x,\ x\langle\alpha\rangle \Rightarrow \Diamond z\langle f(\alpha)\rangle,\ \mathbf{true}\langle\alpha\rangle \Rightarrow \bigcirc\neg z\langle\alpha\rangle\}$. Indexed formulae of this set are interpreted in relation to some model $M$ as follows:

– The initial rule $\mathbf{start} \Rightarrow x$ is understood as “$x$ is satisfied at the initial state of $M$”.
– The ‘sometime’ rule $x\langle\alpha\rangle \Rightarrow \Diamond z\langle f(\alpha)\rangle$ can be interpreted as “for any fullpath $\alpha$ and any state $s_i \in \alpha$ (indicated by index $\langle\alpha\rangle \in \mathrm{VAR}$), if $x$ is satisfied at a state $s_i$ then $\Diamond z$ must be satisfied along some path $\chi_{s_i}$ (indicated by index $\langle f(\alpha)\rangle$)”.
– The step rule $\mathbf{true}\langle\alpha\rangle \Rightarrow \bigcirc\neg z\langle\alpha\rangle$ can be interpreted as “for any fullpath $\alpha$ and any state $s_i \in \alpha$, if $\mathbf{true}$ is satisfied at a state $s_i$ then $\bigcirc\neg z$ must be satisfied along any path $\chi_{s_i}$”.

3.2 Algorithm for Transforming CTL* Formulae to $\mathrm{SNF}_{\mathrm{CTL}^*}$

We now consider how an arbitrary CTL* formula can be transformed into $\mathrm{SNF}_{\mathrm{CTL}^*}$. Preserving or changing a path index introduced at some stage of the transformation procedure is important in formulating the transformation rules.

To check the validity of some CTL* formula, $F$, we first negate it and push the negations into $F$ until they are applied to propositions. This is based on negations of classical logic operators in addition to the following equivalences.

$$\neg\mathsf{A}P \equiv \mathsf{E}\neg P \qquad \neg\mathsf{E}P \equiv \mathsf{A}\neg P \qquad \neg\bigcirc P \equiv \bigcirc\neg P$$

$$\neg(P\,\mathcal{U}\,Q) \equiv \neg Q\,\mathcal{W}\,(\neg P \wedge \neg Q) \qquad \neg\Diamond F \equiv \Box\neg F$$

$$\neg(P\,\mathcal{W}\,Q) \equiv \neg Q\,\mathcal{U}\,(\neg P \wedge \neg Q) \qquad \neg\Box P \equiv \Diamond\neg P$$

This gives us a formula $G$ such that $\langle M, s_0\rangle \models F$ iff $\langle M, s_0\rangle \models G$. Then the transformation procedure, $\tau$, is applied to $G$, giving $\tau[G] = \tau_2[\tau_1[G]]$ where $\tau_1$ and $\tau_2$ are described by the steps 1-3 and 4-8 below, respectively.
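The negation step just described, as an added example (ours, not the paper's code): a routine that negates a CTL* formula and pushes the negation inward using the classical dualities together with the equivalences listed above. Formulas are nested tuples and the operator names ('A', 'E', 'box', 'dia', 'next', 'U', 'W', 'imp') are our own encoding.

```python
# Added example (ours, not the paper's code): push negations inward in a
# CTL* formula with the classical dualities and the equivalences of Section 3.2.
from typing import Tuple, Union

Formula = Union[str, Tuple]   # 'p', 'true', 'false', or (operator, operand, ...)

# Operators swapped by negation: De Morgan, A/E duality, box/diamond, U/W.
DUAL = {'and': 'or', 'or': 'and', 'A': 'E', 'E': 'A',
        'box': 'dia', 'dia': 'box', 'U': 'W', 'W': 'U'}


def nnf(f: Formula) -> Formula:
    """Return f with every negation applied directly to a proposition."""
    if isinstance(f, str):
        return f
    op, *args = f
    if op == 'imp':                       # P => Q  becomes  ~P v Q
        return ('or', nnf(('not', args[0])), nnf(args[1]))
    if op != 'not':                       # positive operator: recurse only
        return (op, *[nnf(a) for a in args])
    g = args[0]                           # f is ~g: push the negation into g
    if isinstance(g, str):
        return {'true': 'false', 'false': 'true'}.get(g, ('not', g))
    gop, *gargs = g
    if gop == 'not':                      # ~~P  becomes  P
        return nnf(gargs[0])
    if gop == 'imp':                      # ~(P => Q)  becomes  P ^ ~Q
        return ('and', nnf(gargs[0]), nnf(('not', gargs[1])))
    if gop in ('and', 'or'):              # De Morgan
        return (DUAL[gop], nnf(('not', gargs[0])), nnf(('not', gargs[1])))
    if gop == 'next':                     # ~oP  ==  o~P
        return ('next', nnf(('not', gargs[0])))
    if gop in ('A', 'E', 'box', 'dia'):   # ~AP == E~P, ~EP == A~P, ~[]P == <>~P, ~<>P == []~P
        return (DUAL[gop], nnf(('not', gargs[0])))
    # ~(P U Q) == ~Q W (~P ^ ~Q)   and   ~(P W Q) == ~Q U (~P ^ ~Q)
    p, q = gargs
    return (DUAL[gop], nnf(('not', q)), ('and', nnf(('not', p)), nnf(('not', q))))


def negate_for_validity_check(f: Formula) -> Formula:
    """First step of Section 3.2: negate the candidate formula and push negations."""
    return nnf(('not', f))


# The paper's running example A<>(op ^ E o~p), in our tuple encoding.
EXAMPLE = ('A', ('dia', ('and', ('next', 'p'), ('E', ('next', ('not', 'p'))))))
```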

1. Anchor $G$ to $\mathbf{start}$, obtaining $\mathbf{start} \Rightarrow G$.

2. Apply the initial renaming rule obtaining $\mathsf{A}\Box(\mathbf{start} \Rightarrow x_0) \wedge \mathsf{A}\Box(x_0\langle\mathit{var}\rangle \Rightarrow G\langle\mathit{var}\rangle)$, where $x_0$ is a new proposition.

3. Reduce the nesting of path quantifiers in $G$ gradually renaming the deepest embedded state subformulae (see §3.3). This reduction of the nesting of state formulae in $G$ is based on the method defined in [9]. Once this has been carried out, we obtain a set of constraints of the form $\mathsf{A}\Box(B\langle\mathit{var}\rangle \Rightarrow \mathsf{P}C\langle\mathit{var}\rangle)$ or $\mathsf{A}\Box(B\langle\mathit{var}\rangle \Rightarrow C\langle\mathit{var}\rangle)$ where $\mathsf{P}$ is either of the path operators and $C$ a formula without path operators.

4. Remove path quantifiers (see §3.4); this provides a context for the renaming of path formulae in the next step.

5. Rename path formulae (see §3.3), preserving the path context, in order to reduce the nesting of temporal operators to exactly 1 and so that every temporal operator applies only to literals.

6. Remove temporal operators (see §3.5).

7. Introduce a temporal context (see §3.6), where necessary, use classical equivalences to rewrite rules into their correct form.

8. Rename path variables apart, again if necessary, to ensure that no path variable occurs in two different rules.

3.3 Renaming rule

We extract subformulae from within a complex formula as follows.

$$P\langle\mathit{ind}_1\rangle \Rightarrow Q(R)\langle\mathit{ind}_2\rangle \ \longrightarrow\ \{P\langle\mathit{ind}_1\rangle \Rightarrow Q(R/x)\langle\mathit{ind}_2\rangle,\ x\langle\mathit{ind}_3\rangle \Rightarrow R\langle\mathit{ind}_2\rangle\}$$

Here, $Q(R)$ means “$R$ is a subformula of $Q$”, $Q(R/x)$ means the result of replacing $R$ by a new proposition symbol $x$ in $Q$, and $\langle\mathit{ind}_3\rangle = \langle\mathit{ind}_2\rangle$ if $\langle\mathit{ind}_2\rangle \in \mathrm{VAR}$, but if $\langle\mathit{ind}_2\rangle = \langle f(\alpha)\rangle$ then $\langle\mathit{ind}_3\rangle = \langle\alpha\rangle$.

3.4 Removal of Path Quantifiers

These rules introduce new indices representing a path context of the appropriate type.

Removal of $\mathsf{A}$:

$$\frac{P\langle\mathit{ind}_1\rangle \Rightarrow \mathsf{A}F\langle\mathit{ind}_2\rangle}{P\langle\mathit{ind}_1\rangle \Rightarrow F\langle\mathit{ind}_3\rangle}\quad(\mathit{ind}_3 \in \mathrm{VAR})$$

Removal of $\mathsf{E}$:

$$\frac{P\langle\mathit{ind}_1\rangle \Rightarrow \mathsf{E}F\langle\mathit{ind}_2\rangle}{P\langle\mathit{ind}_1\rangle \Rightarrow F\langle f(\mathit{ind}_2)\rangle}\quad(f \in \mathrm{FUN})$$

3.5 Removal of Temporal Operators

Here we must correctly maintain a path context while reducing temporal operators using their fixed point definitions. In the formulation of the removal rules below ‘$x$’ is a new proposition symbol, $\langle\mathit{ind}_3\rangle \in \mathrm{VAR}$, and $\langle\mathit{ind}_3\rangle = \langle\mathit{ind}_2\rangle$ if $\langle\mathit{ind}_2\rangle \in \mathrm{VAR}$ but if $\langle\mathit{ind}_2\rangle = \langle f(\alpha)\rangle$ then $\langle\mathit{ind}_3\rangle = \langle\alpha\rangle$.

Removal of ‘always’:

$$\frac{P\langle\mathit{ind}_1\rangle \Rightarrow \Box F\langle\mathit{ind}_2\rangle}{P\langle\mathit{ind}_1\rangle \Rightarrow (F \wedge x)\langle\mathit{ind}_1\rangle \qquad x\langle\mathit{ind}_3\rangle \Rightarrow \bigcirc(F \wedge x)\langle\mathit{ind}_2\rangle}$$

Removal of ‘unless’:

$$\frac{P\langle\mathit{ind}_1\rangle \Rightarrow (F\,\mathcal{W}\,G)\langle\mathit{ind}_2\rangle}{P\langle\mathit{ind}_1\rangle \Rightarrow (G \vee (F \wedge x))\langle\mathit{ind}_1\rangle \qquad x\langle\mathit{ind}_3\rangle \Rightarrow \bigcirc(G \vee (F \wedge x))\langle\mathit{ind}_2\rangle}$$

Removal of ‘until’:

$$\frac{P\langle\mathit{ind}_1\rangle \Rightarrow (F\,\mathcal{U}\,G)\langle\mathit{ind}_2\rangle}{P\langle\mathit{ind}_1\rangle \Rightarrow (G \vee (F \wedge x))\langle\mathit{ind}_1\rangle \qquad x\langle\mathit{ind}_3\rangle \Rightarrow \bigcirc(G \vee (F \wedge x))\langle\mathit{ind}_2\rangle \qquad P\langle\mathit{ind}_1\rangle \Rightarrow \Diamond G\langle\mathit{ind}_2\rangle}$$

3.6 Introducing a Temporal Context and Simplifying

Since, for a purely classical formula, ‘$F$’, it is the state, rather than the current path, that is important in establishing satisfiability, we can apply the following rules (where $F$ is classical and ‘$\mathsf{P}$’ is either of the path quantifiers).

Temporising:

$$\frac{Q\langle\mathit{ind}_1\rangle \Rightarrow F\langle\mathit{ind}_2\rangle}{\mathbf{start} \Rightarrow (\neg Q \vee F) \qquad \mathbf{true}\langle\mathit{ind}_1\rangle \Rightarrow \bigcirc(\neg Q \vee F)\langle\mathit{ind}_1\rangle}$$

Further, we use a number of transformations that correspond to the following equivalences of CTL*: $\bigcirc(P \wedge Q) \equiv \bigcirc P \wedge \bigcirc Q$, $\mathsf{E}\mathsf{A}F \equiv \mathsf{A}F$, $\mathsf{A}\mathsf{E}F \equiv \mathsf{E}F$, $\mathsf{A}\mathsf{A}F \equiv \mathsf{A}F$, $\mathsf{E}\mathsf{E}F \equiv \mathsf{E}F$, and obvious simplifications $\mathsf{T}\,\mathbf{false} \equiv \mathbf{false}$, $\mathsf{P}\mathsf{T}\,\mathbf{false} \equiv \mathbf{false}$, where ‘$\mathsf{P}$’ is either of the path quantifiers and ‘$\mathsf{T}$’ is any unary temporal operator. Finally, we utilize transformations applied to obtain normal form in classical logic; we term this set of additional simplifications SIMP and apply them wherever required.

3.7 Example Transformation

Let us consider the steps required to transform the formula $\mathsf{A}\Diamond(\bigcirc p \wedge \mathsf{E}\bigcirc\neg p)$ (whose unsatisfiability is not immediately obvious) into $\mathrm{SNF}_{\mathrm{CTL}^*}$.

Recall that, following the transformation algorithm, we first apply the initial renaming rule (steps 2 and 3 below) and then rename the deepest embedded state subformula (steps 4 and 5).

1: $\mathbf{start} \Rightarrow \mathsf{A}\Diamond(\bigcirc p \wedge \mathsf{E}\bigcirc\neg p)$ (Given)
2: $\mathbf{start} \Rightarrow x$ (1, Initial Renaming)
3: $x\langle\alpha\rangle \Rightarrow \mathsf{A}\Diamond(\bigcirc p \wedge \mathsf{E}\bigcirc\neg p)\langle\alpha\rangle$ (1, Initial Renaming)
4: $x\langle\alpha\rangle \Rightarrow \mathsf{A}\Diamond(\bigcirc p \wedge y)\langle\alpha\rangle$ (3, Renaming)
5: $y\langle\alpha\rangle \Rightarrow \mathsf{E}\bigcirc\neg p\langle\alpha\rangle$ (3, Renaming)

As the nesting of path quantifiers is now of depth 1 (in rules 4 and 5), we remove these quantifiers (steps 6 and 7) thus generating a certain path context for purely path formulae.

6: $x\langle\alpha\rangle \Rightarrow \Diamond(\bigcirc p \wedge y)\langle\alpha\rangle$ (4, $\mathsf{A}$ Removal)
7: $y\langle\alpha\rangle \Rightarrow \bigcirc\neg p\langle f(\alpha)\rangle$ (5, $\mathsf{E}$ Removal)

Now we can rename a purely path formula $(\bigcirc p \wedge y)$ which occurs in the context $\Diamond(\bigcirc p \wedge y)\langle\alpha\rangle$ (steps 8 and 9) and then apply simplification and temporising rules.

8: $x\langle\alpha\rangle \Rightarrow \Diamond z\langle\alpha\rangle$ (6, Renaming)
9: $z\langle\alpha\rangle \Rightarrow (\bigcirc p \wedge y)\langle\alpha\rangle$ (6, Renaming)
10: $z\langle\alpha\rangle \Rightarrow \bigcirc p\langle\alpha\rangle$ (9, SIMP)
11: $z\langle\alpha\rangle \Rightarrow y\langle\alpha\rangle$ (9, SIMP)
12: $\mathbf{start} \Rightarrow (\neg z \vee y)$ (11, Temporising)
13: $\mathbf{true}\langle\alpha\rangle \Rightarrow \bigcirc(\neg z \vee y)\langle\alpha\rangle$ (11, Temporising)

Finally, taking 2, 7, 8, 10, 12 and 13 above and renaming path variables (in 7, 10 and 13) apart we obtain the desired set of $\mathrm{SNF}_{\mathrm{CTL}^*}$ rules. (In §4.5 we present a resolution proof for this set of rules, repeating it as a part of such proof.)

3.8 Features of $\mathrm{SNF}_{\mathrm{CTL}^*}$

Here we summarize some important features of the transformation procedure that can be proved straightforwardly from the transformation algorithm given above.

1. Labels of the type $\langle f(\mathit{ind})\rangle$ can appear only on the right hand side of a rule and therefore any index on the left hand side is always a path variable.

2. If the index of the right hand side formula is $\langle f(\mathit{ind})\rangle$ then the left hand side is always labeled by $\langle\mathit{ind}\rangle$, which ensures the link between left and right hand side indices.

3. We can not obtain indices where an argument of a function is itself a function, i.e. of the type $\langle f(g(\alpha))\rangle$. Note however, that use of the indices of the type $\langle f(\mathit{ind})\rangle$ is crucial as a function symbol $f$ is a syntactical indication of a certain path context (see §3.1).

4. On the left hand side of formulae that appear during the transformation procedure we can only have an expression which is either of the following types: $\mathbf{start}$, $\mathbf{true}$, a literal or a conjunction of literals.

3.9 Correctness of the transformation

The following theorem (see [3] for details) characterizes the correctness of the transformation procedure $\tau$.

Theorem 1. A well-formed CTL* formula, $G$, is satisfiable if, and only if, $\tau(G)$ is.

4 Resolution procedure for CTL*

Once the original formula has been transformed into $\mathrm{SNF}_{\mathrm{CTL}^*}$, there are two possible situations in which resolution rules can be applied. The first type of resolution rule, which we call step resolution (see §4.1), is applied when literals $l$ and $\neg l$ occur at the same moment of time on the same branch. The second type of resolution rule, called temporal resolution (see §4.2), can be applied when some proposition $l$ can occur at all future moments on a path (a situation known as a loop), while $l$ can be also constrained to be false at some point in the future of the same path.

In both cases, the use of indices is crucial as they express the required path contexts. As we will see below, we must be able to unify indices in order to carry out resolution. Unification between indices is the same as the unification of terms in classical logic.

4.1 Step Resolution

With $l$ as a literal and $\sigma(\langle\mathit{ind}_a\rangle, \langle\mathit{ind}_b\rangle)$ as an abbreviation for the unification of two indices, we have the following step resolution rules.

SRES1:

$$\frac{P\langle\mathit{ind}_1\rangle \Rightarrow \bigcirc(C \vee l)\langle\mathit{ind}_2\rangle \qquad Q\langle\mathit{ind}_3\rangle \Rightarrow \bigcirc(D \vee \neg l)\langle\mathit{ind}_4\rangle}{(P \wedge Q)\langle\mathit{ind}_5\rangle \Rightarrow \bigcirc(C \vee D)\langle\mathit{ind}_6\rangle}$$

SRES2:

$$\frac{\mathbf{start} \Rightarrow (C \vee l) \qquad \mathbf{start} \Rightarrow (D \vee \neg l)}{\mathbf{start} \Rightarrow (C \vee D)}$$

where $\langle\mathit{ind}_6\rangle = \sigma(\langle\mathit{ind}_2\rangle, \langle\mathit{ind}_4\rangle)$ and, if $\langle\mathit{ind}_6\rangle \in \mathrm{VAR}$ then $\langle\mathit{ind}_5\rangle = \langle\mathit{ind}_6\rangle$ but if $\langle\mathit{ind}_6\rangle$ is of the form $\langle f(\alpha)\rangle$ then $\langle\mathit{ind}_5\rangle = \langle\alpha\rangle$.

4.2 Temporal Resolution

To apply the temporal resolution rule (defined below) we must first consider a loop. A loop is a situation when a literal, say $l$, occurs at all future moments on some or all paths. In the linear-time case an algorithm for identifying loops in sets of merged rules has been developed [6] and we expect to extend this technique to the case of CTL*. Merged rules are generated from step rules as follows.

$$\frac{R\langle\mathit{ind}_1\rangle \Rightarrow \bigcirc C\langle\mathit{ind}_2\rangle \qquad Q\langle\mathit{ind}_3\rangle \Rightarrow \bigcirc D\langle\mathit{ind}_4\rangle}{(R \wedge Q)\langle\mathit{ind}_5\rangle \Rightarrow \bigcirc(C \wedge D)\langle\mathit{ind}_6\rangle}$$

where $\langle\mathit{ind}_6\rangle = \sigma(\langle\mathit{ind}_2\rangle, \langle\mathit{ind}_4\rangle)$ and if $\langle\mathit{ind}_6\rangle \in \mathrm{VAR}$ then $\langle\mathit{ind}_5\rangle = \langle\mathit{ind}_6\rangle$ else if $\langle\mathit{ind}_6\rangle$ is of the form $f(\alpha)$ then $\langle\mathit{ind}_5\rangle = \langle\alpha\rangle$.

Definition 3 (Loop in CTL*). A loop in $l$ is a set of merged rules

$$\left\{\begin{array}{l} P_0\langle\mathit{ind}_{01}\rangle \Rightarrow \bigcirc Q_0\langle\mathit{ind}_{02}\rangle \\ \ldots \\ P_n\langle\mathit{ind}_{n1}\rangle \Rightarrow \bigcirc Q_n\langle\mathit{ind}_{n2}\rangle \end{array}\right\}$$

such that for all $0 \leq i \leq n$, both $\models Q_i \Rightarrow l$ and $\models Q_i \Rightarrow \bigvee_{j=0}^{n} P_j$.

We will abbreviate such a loop by $(P_0 \vee \ldots \vee P_n)\langle\mathit{ind}_1\rangle \Rightarrow \bigcirc l\langle\mathit{ind}_2\rangle$ where, if for all $i$, $\langle\mathit{ind}_{i2}\rangle \in \mathrm{VAR}$ then $\langle\mathit{ind}_1\rangle = \langle\mathit{ind}_2\rangle = \langle\alpha\rangle$ where $\langle\alpha\rangle$ is a new index in $\mathrm{VAR}$, but if for all $i$ $\langle\mathit{ind}_{i2}\rangle$ only involves one function symbol, say $f$, then $\langle\mathit{ind}_2\rangle = \langle f(\alpha)\rangle$ and $\langle\mathit{ind}_1\rangle = \langle\alpha\rangle$ where $\langle\alpha\rangle$ is a new index in $\mathrm{VAR}$, else $\langle\mathit{ind}_2\rangle = \langle h(\alpha)\rangle$ and $\langle\mathit{ind}_1\rangle = \langle\alpha\rangle$ where $\langle\alpha\rangle$ is a new index in $\mathrm{VAR}$ and $h$ is a new function symbol in $\mathrm{FUN}$.

For this set of merged rules, each right hand side implies one or more left hand sides from the side condition on loops. As indices on the right hand sides are either functions or variables, and indices on the left hand sides are always variables, right hand side indices will always unify with the relevant left hand side indices. Each right hand side implies $l$. Hence, once one of the left hand sides is satisfied a literal $l$ holds at all future moments on some or all paths (dependent on the type of the index).

Now, once we have detected $(P_0 \vee \ldots \vee P_n)\langle\mathit{ind}_1\rangle \Rightarrow \bigcirc l\langle\mathit{ind}_2\rangle$ indicating a loop in $l$ we can resolve it with a sometime rule $Q\langle\mathit{ind}_3\rangle \Rightarrow \Diamond\neg l\langle\mathit{ind}_4\rangle$ provided the indices $\langle\mathit{ind}_2\rangle$ and $\langle\mathit{ind}_4\rangle$ can be unified.

TRES:

$$\frac{P\langle\mathit{ind}_1\rangle \Rightarrow \bigcirc l\langle\mathit{ind}_2\rangle \qquad Q\langle\mathit{ind}_3\rangle \Rightarrow \Diamond\neg l\langle\mathit{ind}_4\rangle}{Q\langle\mathit{ind}_5\rangle \Rightarrow (\neg P\,\mathcal{W}\,\neg l)\langle\mathit{ind}_4\rangle}$$

where $\sigma(\langle\mathit{ind}_2\rangle, \langle\mathit{ind}_4\rangle) \neq \emptyset$ and $\langle\mathit{ind}_5\rangle = \langle\mathit{ind}_4\rangle$ if $\langle\mathit{ind}_4\rangle \in \mathrm{VAR}$, else if $\langle\mathit{ind}_4\rangle$ is of the form $f(\alpha)$ then $\langle\mathit{ind}_5\rangle = \langle\alpha\rangle$.

Note that in the special case of TRES, when $\Diamond\neg l$ is labeled by $\langle\mathit{ind}_4\rangle \in \mathrm{VAR}$, we preserve this label for the conclusion even when $\langle\mathit{ind}_2\rangle$ is $\langle f(\alpha)\rangle$. This is related to the limit closure property of CTL* ([8]) and is required for completeness ([3]).

Observe also that the conclusion of TRES should be further translated into $\mathrm{SNF}_{\mathrm{CTL}^*}$.

4.3 Transferring Constraints

If at any point we derive a formula such as $(P \wedge \ldots \wedge Q)\langle\mathit{ind}_1\rangle \Rightarrow \bigcirc\mathbf{false}\langle\mathit{ind}_2\rangle$ then we must ensure that $P \wedge \ldots \wedge Q$ never occurs anywhere by applying the following rule.

Transferral rule:

$$\frac{(P \wedge \ldots \wedge Q)\langle\mathit{ind}_1\rangle \Rightarrow \bigcirc\mathbf{false}\langle\mathit{ind}_2\rangle}{\mathbf{start} \Rightarrow (\neg P \vee \ldots \vee \neg Q) \qquad \mathbf{true}\langle\mathit{ind}_1\rangle \Rightarrow \bigcirc(\neg P \vee \ldots \vee \neg Q)\langle\mathit{ind}_1\rangle}$$

4.4 Termination

The step and temporal resolution rules are repeatedly applied. If we reach a stage where no new resolvents are generated, then the procedure terminates. If either $\mathbf{start} \Rightarrow \mathbf{false}$ or $\mathbf{true}\langle\mathit{ind}_1\rangle \Rightarrow \bigcirc\mathbf{false}\langle\mathit{ind}_2\rangle$ is generated during the temporal resolution procedure, it terminates and the original set of rules is unsatisfiable (see §5).
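As an added example that is not the authors' own code, the following Python models $\mathrm{SNF}_{\mathrm{CTL}^*}$ rules as data, unifies indices as §4.1 requires, and applies SRES1, SRES2, the transferral rule of §4.3 and TRES for the single-rule loop that the refutation of §4.5 relies on; `refute` run on the six rules of §4.5 derives $\mathbf{start} \Rightarrow \mathbf{false}$. The general loop-search procedure of [6] is not implemented, and every name below is an assumption of ours.

```python
# Added example (ours, not the authors' implementation): SNF_CTL* rules as data,
# index unification, SRES1, SRES2, the transferral rule, and TRES for the one-rule
# loop `true<v> => next l<ind>` used in Section 4.5; all names below are our own.
from collections import namedtuple

# Literals are 'p' / '~p'; an index is a variable 'a' or a term ('f', 'a').
# An empty lhs frozenset stands for `true`, an empty rhs frozenset for `false`.
Initial = namedtuple('Initial', 'rhs')                # start => q1 v .. v ql
Step = namedtuple('Step', 'lhs var rhs ind')          # lhs<var> => next rhs<ind>
Sometime = namedtuple('Sometime', 'lhs var lit ind')  # lhs<var> => eventually lit<ind>

def unify(i1, i2):
    """Unifier of two path expressions, as for first-order terms, or None."""
    if isinstance(i1, str):
        return i2                          # a variable binds to anything
    if isinstance(i2, str):
        return i1
    return i1 if i1[0] == i2[0] else None  # f(a) ~ f(b) succeeds, f(a) vs g(b) fails

def lhs_var(ind):
    """<ind5> from <ind6>: the index itself if a variable, else its argument."""
    return ind if isinstance(ind, str) else ind[1]

def neg(lit):
    return lit[1:] if lit.startswith('~') else '~' + lit

def sres1(r1, r2):
    """SRES1: clash on l / ~l in next-time clauses whose indices unify."""
    ind6 = unify(r1.ind, r2.ind)
    if ind6 is not None:
        for l in r1.rhs:
            if neg(l) in r2.rhs:
                yield Step(r1.lhs | r2.lhs, lhs_var(ind6),
                           (r1.rhs - {l}) | (r2.rhs - {neg(l)}), ind6)

def sres2(r1, r2):
    """SRES2: 

ordinary resolution between two initial rules."""
    for l in r1.rhs:
        if neg(l) in r2.rhs:
            yield Initial((r1.rhs - {l}) | (r2.rhs - {neg(l)}))

def transfer(r):
    """Transferral (Section 4.3): P ^..^ Q <ind1> => next false <ind2>."""
    if not r.rhs:
        negated = frozenset(neg(p) for p in r.lhs)
        yield Initial(negated)
        yield Step(frozenset(), r.var, negated, r.var)

def tres_simple(loop, ev):
    """TRES for loop `true<v> => next l<ind>` and Q<w> => eventually ~l: the
    resolvent Q => (~true W ~l) is Q => ~l after SIMP, then temporised."""
    if loop.lhs or len(loop.rhs) != 1:
        return                             # only the one-rule loop is handled
    (l,) = loop.rhs
    if neg(l) == ev.lit and unify(loop.ind, ev.ind) is not None:
        clause = frozenset(neg(q) for q in ev.lhs) | {neg(l)}
        yield Initial(clause)
        yield Step(frozenset(), ev.var, clause, ev.var)

def refute(rules):
    """Saturate the rule set; True iff `start => false` is derived (Section 4.4)."""
    rules = set(rules)
    while True:
        steps = [r for r in rules if isinstance(r, Step)]
        inits = [r for r in rules if isinstance(r, Initial)]
        evs = [r for r in rules if isinstance(r, Sometime)]
        new = set()
        for a in steps:
            new.update(transfer(a))
            for b in steps:
                new.update(sres1(a, b))
            for e in evs:
                new.update(tres_simple(a, e))
        for a in inits:
            for b in inits:
                new.update(sres2(a, b))
        if Initial(frozenset()) in new:
            return True
        if new <= rules:
            return False                   # no new resolvents: terminate
        rules |= new

def paper_example():
    """Rules 1-6 of Section 4.5, the SNF_CTL* form of A<>(op ^ E o~p)."""
    f = frozenset
    return [Initial(f({'x'})),                              # 1
            Initial(f({'~z', 'y'})),                        # 2
            Step(f(), 'g', f({'~z', 'y'}), 'g'),            # 3
            Step(f({'y'}), 'b', f({'~p'}), ('f', 'b')),     # 4
            Step(f({'z'}), 'phi', f({'p'}), 'phi'),         # 5
            Sometime(f({'x'}), 'a', 'z', 'a')]              # 6
```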

4.5 Resolution Example

Now we consider a resolution refutation for $\mathsf{A}\Diamond(\bigcirc p \wedge \mathsf{E}\bigcirc\neg p)$ given as a set of $\mathrm{SNF}_{\mathrm{CTL}^*}$ rules obtained in §3.7. We begin the proof repeating this set of rules.

1: $\mathbf{start} \Rightarrow x$ ($\mathrm{SNF}_{\mathrm{CTL}^*}$)
2: $\mathbf{start} \Rightarrow \neg z \vee y$ ($\mathrm{SNF}_{\mathrm{CTL}^*}$)
3: $\mathbf{true}\langle\gamma\rangle \Rightarrow \bigcirc(\neg z \vee y)\langle\gamma\rangle$ ($\mathrm{SNF}_{\mathrm{CTL}^*}$)
4: $y\langle\beta\rangle \Rightarrow \bigcirc\neg p\langle f(\beta)\rangle$ ($\mathrm{SNF}_{\mathrm{CTL}^*}$)
5: $z\langle\varphi\rangle \Rightarrow \bigcirc p\langle\varphi\rangle$ ($\mathrm{SNF}_{\mathrm{CTL}^*}$)
6: $x\langle\alpha\rangle \Rightarrow \Diamond z\langle\alpha\rangle$ ($\mathrm{SNF}_{\mathrm{CTL}^*}$)
7: $(y \wedge z)\langle\beta\rangle \Rightarrow \bigcirc\mathbf{false}\langle f(\beta)\rangle$ (4, 5, SRES1)
8: $\mathbf{start} \Rightarrow \neg y \vee \neg z$ (7, Transferral)
9: $\mathbf{true}\langle\beta\rangle \Rightarrow \bigcirc(\neg y \vee \neg z)\langle\beta\rangle$ (7, Transferral)
10: $\mathbf{true}\langle\gamma\rangle \Rightarrow \bigcirc\neg z\langle\gamma\rangle$ (3, 9, SRES1)
11: $x\langle\alpha\rangle \Rightarrow (\mathbf{false}\,\mathcal{W}\,z)\langle\alpha\rangle$ (6, 10, TRES)
12: $x\langle\alpha\rangle \Rightarrow (z \vee (\mathbf{false} \wedge r))\langle\alpha\rangle$ (11, Removal of $\mathcal{W}$)
13: $x\langle\alpha\rangle \Rightarrow z\langle\alpha\rangle$ (12, SIMP)
14: $\mathbf{start} \Rightarrow \neg x \vee z$ (13, Temporising)
15: $\mathbf{start} \Rightarrow \mathbf{false}$ (1, 14, 2, 8, SRES2)

5 Correctness of the resolution procedure

Our correctness argument is given by a number of theorems stating fundamental properties of the above resolution procedure.

Theorem 2 (Termination). Given any set $R$ of $\mathrm{SNF}_{\mathrm{CTL}^*}$ rules the resolution procedure applied to $R$ terminates.

Theorem 3 (Soundness of the resolution procedure). Given a set $R$ of $\mathrm{SNF}_{\mathrm{CTL}^*}$ rules, if there is a resolution refutation for $R$ (see §4.4) then $R$ is unsatisfiable.

Theorem 4 (Completeness of the resolution procedure). If a set $R$ of $\mathrm{SNF}_{\mathrm{CTL}^*}$ rules is unsatisfiable then there exists a resolution refutation for $R$.

While the proof of Theorem 2, based on the finiteness of $R$, is relatively simple and the reader is referred to [3], the proofs of Theorems 3 and 4 are more complex, requiring a number of technical definitions from graph and automata theory. Due to the lack of space we sketch outlines of these proofs, again referring to [3] for full details.

First of all note that, within the proofs of Theorems 3 and 4, we utilise ideas from the alternating automata approach to temporal logic [13, 14, 2, 17] and essentially use the finite tree model property of CTL*.

The following observation is important for the proofs. The structure of a set of $\mathrm{SNF}_{\mathrm{CTL}^*}$ rules (see §3) can be related to that of a transition system. The initial rules provide the starting conditions while the step and eventuality rules can be considered as “global” transition rules. Thus, for a set $R$ of $\mathrm{SNF}_{\mathrm{CTL}^*}$ rules obtained for some CTL* formula $G$ we define an infinite alternating computation tree which is a type of labeled AND-OR tree. Subformulae of $R$ are used as the labels for the states of such a tree. Transitions in the AND-OR tree are hyper-transitions allowing for a state $t_i$ to have a set of successors $t_j \ldots t_k$ called AND-successors of $t_i$, indicating the application of several rules simultaneously. Hyper-transitions are determined by a transition function defined similarly to the one for the hesitant alternating tree automaton ([17]) and using the set of the global rules of $R$.

Then we show that due to the finite model property of CTL* an infinite computation tree collapses into a finite graph. This graph corresponds to a set of possible runs of a non-deterministic Büchi Tree Automaton [9].

A set of the standard deletion rules is applied to the graph: nodes with outstanding eventualities and nodes without successors must be deleted (as paths through these nodes cannot form part of any model of $R$). This pruning procedure terminates, resulting in a Büchi Tree Automaton, $B_R$, that accepts exactly those trees that satisfy the set $R$. This proves that a set $R$ of $\mathrm{SNF}_{\mathrm{CTL}^*}$ rules is unsatisfiable if and only if the automaton $B_R$ is empty.

Finally, we show that the deletions in the graph of $B_R$ correspond to the resolution rules we have developed, thus proving the fact that a set $R$ of $\mathrm{SNF}_{\mathrm{CTL}^*}$ rules is unsatisfiable if and only if there exists a resolution refutation for $R$.

Therefore, taking into account Theorem 1, we conclude that given a CTL* formula $G$, if there exists a resolution refutation for the set of $\mathrm{SNF}_{\mathrm{CTL}^*}$ rules $R$ generated from $G$ then $R$ (and hence $G$) is unsatisfiable. If the resolution for $R$ terminates not finding a refutation it is possible to extract a model for $R$ and thus $R$ (and hence $G$) is satisfiable.

6 Conclusions

We have extended the clausal resolution method developed for linear-time temporal logics to a branching-time framework. This will form the basis of future work into both the efficient implementation of this approach, where we expect to utilise techniques developed for implementing linear-time temporal resolution, and a detailed complexity analysis. In addition, we will also further examine the relationship between the different types of branching-time temporal logics by studying their translation into our normal form.

The authors would like to thank the anonymous referees for useful comments. This work was supported by EPSRC under research grant GR/L87491.

References

1. O. Bernholtz and O. Grumberg. Branching-Time Temporal Logic and Amorphous Tree Automata. In Proc. of 4th Conference on Concurrency Theory, Springer-Verlag (LNCS 715), 1993.

2. O. Bernholtz, M. Vardi and P. Wolper. An Automata-Theoretic Approach to Branching-Time Model Checking. In Proc. Conf. on Computer-Aided Verification (CAV’94), June 1994, Springer-Verlag (LNCS 818), pp. 142–155.

3. A. Bolotov. Clausal Resolution for Branching-Time Temporal Logic. PhD Thesis. In preparation.

4. A. Bolotov and M. Fisher. A Clausal Resolution Method for CTL Branching Time Temporal Logic. Journal of Experimental and Theoretical Artificial Intelligence, Taylor & Francis, 11, 1999, pp. 77–93.

5. E. M. Clarke and E. A. Emerson. Design and Synthesis of Synchronisation Skeletons Using Branching Time Temporal Logic. Springer-Verlag (LNCS 131), 1981.

6. C. Dixon. Search Strategies for Resolution in Temporal Logics. In Proceedings of the Thirteenth International Conference on Automated Deduction (CADE), Springer-Verlag, August 1996.

7. E. A. Emerson. Alternative Semantics for Temporal Logics. Theoretical Computer Science, 26, 1983, pp. 120–130.

8. E. A. Emerson. Temporal and Modal Logic. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, pp. 996–1072. Elsevier, 1990.

9. E. A. Emerson. Automated Reasoning about Reactive Systems. In Logics for Concurrency: Structures Versus Automata, Springer-Verlag (LNCS 1043), 1996.

10. M. Fisher. A Resolution Method for Temporal Logic. In Proc. Twelfth International Joint Conference on Artificial Intelligence (IJCAI), Sydney, Australia, 1991. Morgan Kaufmann.

11. M. Fisher. A Normal Form for Temporal Logic and its Application in Theorem-Proving and Execution. Journal of Logic and Computation, 7(4), August 1997.

12. R. Kaivola. Axiomatizing Extended Computation Tree Logic. In Proceedings of 21st International Colloquium on Trees in Algebra and Programming – CAAP’96, volume 1059 of Lecture Notes in Computer Science, pp. 87–101. Springer-Verlag, 1996.

13. D. E. Muller and P. E. Schupp. Alternating Automata on Infinite Trees. Theoretical Computer Science, vol. 54, 1987, pp. 267–276.

14. D. E. Muller and P. E. Schupp. Simulating Alternating Tree Automata by Nondeterministic Automata: New Results and New Proofs of Theorems of Rabin, McNaughton. Theoretical Computer Science, vol. 141, 1995, pp. 69–107.

15. A. S. Rao. Decision Procedures for Propositional Linear-Time Belief-Desire-Intention Logics. In Intelligent Agents II (LNAI 1037). Springer-Verlag: Heidelberg, Germany, 1996.

16. C. Stirling. Modal and Temporal Logics. In Handbook of Logic in Computer Science. Oxford University Press, 1992.

17. M. Y. Vardi. An Automata-Theoretic Approach to Linear Temporal Logic. In Logics for Concurrency: Structures Versus Automata, Springer-Verlag (LNCS 1043), 1996.