Basic Propositional Linear Temporal Logic

2.5 Decidability

At the beginning of this section we argued that the non-derivability of F A→2B

forF ={A→ eⁱB |i ∈N}(eⁱ denotes the sequence e. . . eofi subsequently applied e-operators) shows that there is no sound formal system which is complete in the full sense. Another view of this situation together with the proven weak com- pleteness is given by the fact that full completeness could be achieved by weakening the concept of formal systems: a semi-formal system is like a formal system but may containω-rules, i.e., rules of the form

A1,A2,A3, . . .B

with an infinite sequenceA1,A2,A3, . . .of premises.

We conclude this section with the remark that the semi-formal system which results fromΣLTLby replacing the induction rule (ind) by theω-rule

(ω-ind) A→ eⁱB, i∈N A→2B

is indeed (sound and) complete in the full sense that FA ⇒ F A

then holds for arbitraryFandA.

Of course, a derivation in a semi-formal system is no longer a purely “mechan- ical” process. In order to apply an ω-rule the derivation of their infinitely many premises needs some argument “outside” the system, typically an inductive one. For example, a derivation of (ind) with (ω-ind) is given as follows:

(1) A→B assumption

(2) A→ eA assumption

(3) A→ eⁱB for alli∈N from (1) and (2) by induction oni

(4) A→2B (ω-ind),(3)

Line (3) is achieved by the fact that fori= 0it is just the assumption (1) and with

(3a) A→ eⁱB induction hypothesis

(3b) e(A→ eⁱB) (nex),(3a)

(3c) eA→ eⁱ⁺¹B (mp),(ltl2),(3b)

(3d) A→ eⁱ⁺¹B (prop),(2),(3c)

we obtain the necessary induction step.

We will now show that the validity of LTL formulas is even decidable. In fact, we will present a method to decide the satisfiability problem, i.e., whether a formula is satisfiable or not. Applying Theorem 2.1.9, validity of formula F (the validity problem) can then be decided by determining whether¬Fis unsatisfiable.

The decision procedure for satisfiability is based on the same ideas as the proof of the Weak Completeness Theorem 2.4.10; recall that its essence was to construct a satisfying temporal structure for any finite and consistent set of formulas. In fact, the definitions of theτandσoperations were carefully chosen to ensure that the tree of PNPs contained only finitely many different nodes. The information contained in the infinite tree can therefore be more succinctly represented in a finite graph if identical nodes are identified. The resulting graph encodes all temporal structures that satisfy the initially given consistent set of formulas. On the other hand, if the given set of formulas is inconsistent, we will see that the construction fails for one of two possible reasons: first, false∈pos(P)orpos(P)∩neg(P)=∅may hold for all leaf nodesP, implying that they are immediately contradictory. Second, the resulting graph may contain no “appropriate” path because for some nodePand some formula 2A∈neg(P)there is no nodeQreachable fromP such thatA∈neg(Q); cf. the proof of Lemma 2.4.8.

Let us make these ideas more formal. Given a PNPP, we define a tableau for Pto be any rooted directed graphT of pairwise distinct PNPs whose root isP and such that for every nodeQ= (F⁺,F⁻)ofT, one of the following conditions hold:

(⊥) false∈ F⁺orF⁺∩ F⁻=∅, andQhas no successor node.

(→⁺) A→B ∈ F⁺ for some formulasA,B, andQhas precisely two successor nodes: the left-hand successor(F⁺\ {A →B},F⁻∪ {A})and the right- hand successor((F⁺\ {A→B})∪ {B},F⁻).

(→⁻) A →B ∈ F⁻ for some formulasA,B, andQhas precisely the successor node(F⁺∪ {A},(F⁻\ {A→B})∪ {B}).

(2⁺) 2A ∈ F⁺ for some formula A, and Q has precisely the successor node ((F⁺\ {2A})∪ {A, e2A},F⁻).

(2⁻) 2A∈ F⁻for some formulaA, andQhas precisely two successor nodes: the left-hand successor(F⁺,(F⁻\ {2A})∪ {A})and the right-hand successor (F⁺,(F⁻\ {2A})∪ {e2A}).

(e) All formulas inFQare of the form false,v (wherev ∈V), or eAfor some formulaA, nodeQdoes not satisfy(⊥), andQhas precisely the successor node(σ1(Q), σ3(Q)).

(σ1 andσ3 are the functions defined in Sect. 2.4.) The “rules”(→⁺)through (e) propagate information to the successor nodes. In fact, they construct completions in the sense of Sect. 2.4 in a systematic way. The nodes of the tableau that satisfy condition(e)are called tableau states. Paths inT are defined like paths in the tree K_P in Sect. 2.4.

As in that tree construction (cf. Lemma 2.4.6) it follows that the construction of a tableauT according to the above rules can give rise to only finitely many different nodes, so any tableau for a given PNP is finite. Moreover, the rules(→⁺)through (2⁻)decompose complex operators and can therefore hold only finitely often until

9

10

6

7

8

4

5

2

3

1

? ?

?

? ?

@@R

@@R

{v,d_2v},{d₂d_v} {v,d_2v},{d_v}

{2v},{d₂d_v} {2v},{d_v}

{v,d_2v},{v}

{2v},{v} {2v},{2d_v} {d_2v},{d₂d_v} {d_2v},{d_v}

{d_2v},{2d_v}

(a) Tableau for({d_2v},{2d_v})

6

7

8

4

5

2

3

1

-

? ?

@@R

@@R

∅,∅ ∅,{2v} ∅,{d_2v}

∅,{v} ∅,{v,d_2v}

∅,{v,2v} {2v},{2v} {v→2v},{2v}

(b) Tableau for({v →2v},{2v}) Fig. 2.1. Example tableaux

either(⊥)or(e)must be applied. In particular, any infinite path in the tableau must contain infinitely many tableau states.

Finally, observe that propositional constants and formulas of the form false or eAthat appear in some nodeQthat is not a tableau state are copied to all succes- sor nodes ofQ. Therefore, ifQ1, . . . ,Qk is a path in a tableau such that none of Q1, . . . ,Qk−1is a tableau state thenQkcontains all of the formulas of these forms thatQ1contains.

Figures 2.1(a) and 2.1(b) illustrate the tableau construction at the hand of the PNPs({e2v},{2ev})and({v →2v},{2v})wherev∈V. The nodes (denoting

PNPs without surrounding parentheses) are marked by numbers for easy reference.

Those marked 2, 3, 9, and 10 in Fig. 2.1(a) and 4, 5, 6, and 8 in Fig. 2.1(b) are tableau states. In the other nodes, the formula to which a decomposing rule is applied is shown underlined.

It remains to define the unsatisfiable nodes or subgraphs of a tableau. Given a tableauT, the set of closed nodes ofT is inductively defined as follows:

(C1) All nodesQofT that satisfy condition(⊥)are closed.

(C2) Every nodeQofT all of whose successors are closed is closed.

(C3) IfQis a node andAis a formula such that2A∈neg(Q)and every path from Qto nodesQwithA∈neg(Q)contains some closed node thenQis closed.

A tableau is called unsuccessful if its root is closed; otherwise it is called successful.

Let us apply these rules to the tableau shown in Fig. 2.1(a): the node 6 is closed by condition(C1); therefore node 4, whose only successor node is node 6, is closed by condition(C2), and nodes 2, 9, and 7 are closed applying(C2) two times more.

Now consider node 5: the formula2evis contained negatively and the only nodes in paths from node 5 that contain evnegatively are nodes 7 and 9 which are closed.

Therefore, node 5 is also closed by condition(C3), implying by(C2)that node 3 is closed and finally, again by(C2), node 1 (the root of the tableau) is closed, so the tableau is unsuccessful. In fact, the PNP({ e2v},{2ev})represents the unsatisfi- able formula e2v∧ ¬2 ev.

In the tableau of Fig. 2.1(b) the node 3 is closed by condition(C1), but no other node is found closed. For example, node 2 is not closed since nodes 4 and 6 are not closed. So, the root of the tableau is also not closed and the tableau is successful;

observe that the PNP({v → 2v},{2v})corresponds to the satisfiable formula (v →2v)∧ ¬2v.

We now set out to prove in a series of lemmas that a tableau for a given PNPP is successful if and only ifPis satisfiable.

Lemma 2.5.1. LetT be a tableau andQsome node ofT. For all temporal structures Kand alli ∈N:

a) IfQis not a tableau state of T thenKi(Q) = ttif and only if Ki(Q) =ttfor some successor nodeQofQinT.

b) IfQ is a tableau state of T thenK_i(Q) = ttimplies thatK_i+1(Q) = ttfor the unique successor nodeQofQinT. Moreover,Q is satisfiable only ifQis satisfiable.

Proof. a) It suffices to distinguish the possible conditions(⊥)to(2⁻)that tableau nodes which are not tableau states must satisfy. We only give two illustrative cases;

the other ones are equally obvious.

1. Qis a node satisfying(⊥). Then false ∈ pos(Q)or pos(Q)∩neg(Q) = ∅;

henceKi(Q) = ttfor noKandi, andQhas no successor node.

2. Qis a node according to(2⁺). Then2A∈pos(Q)for some formulaA. Now, K_i(2A) =ttif and only if bothK_i(A) =ttandK_i(e2A) =ttby (T28), which implies the assertion.

b) Suppose thatQis a tableau state ofT, i.e., it satisfies( e), and thatK_i(Q) =tt.

In particular,K_i(eA) = ttfor every eA ∈ pos(Q)andK_i(eA) = fffor every eA∈neg(Q)and thereforeK_i+1(A) =ttfor everyA∈pos(Q)andK_i+1(A) =ff for everyA∈neg(Q). It follows thatK_i+1(Q) =tt.

Furthermore, suppose thatQ is satisfiable, and chooseK = (η₀, η₁, . . .)and i ∈ Nsuch that Ki(Q) = tt. For Kⁱ = (ηi, ηi+1, . . .)we have Kⁱ₀(Q) = tt by Lemma 2.1.5. Now letK = (η, ηi, ηi+1, . . .)whereηis defined byη(v) =ttif and only ifv ∈pos(Q). Again by Lemma 2.1.5 it follows thatK₁(Q) = tt. Moreover, becausepos(Q)∩neg(Q) =∅we haveK₀(A) = ttfor allA∈ pos(Q)∩Vand K₀(A) =fffor allA∈neg(Q)∩V. Since all formulas inQare either false,v∈V or of the form eAand because false∈/ pos(Q)it follows, together with the definition ofQ, thatK₀(Q) =tt; henceQis satisfiable.

Intuitively, a successful tableau represents all temporal structures that satisfy the root PNP. Consecutive nodes not of type (e)in tableau paths gather information about formulas to be satisfied at the same state of the temporal structure. Formally, given an infinite pathQ0,Q1, . . .in a tableau we define the functioncnt : N→N by letting

cnt(i) = |{j <i| Qj is a tableau state}|

which mapsito the number of nodes of type(e)in the prefixQ0, . . . ,Qiof the path.

The functioncntis clearly monotonic; it is also surjective because any infinite path must contain infinitely many tableau states. We may therefore define the following

“inverse” functionst :N→Nby st(k) = max{i ∈N|cnt(i) =k}

which is again monotonic and determines the index of thekth tableau state (count- ing from0) along the path Q0,Q1, . . .. Observe that these definitions ensure that st(cnt(i))≥i, thatcnt(st(k)) =k, and thatcnt(st(k) + 1) =cnt(k) + 1.

Given some temporal structureKand some nodeQin a tableau we inductively define the (finite or infinite) pathπ^K_Q=Q0,Q1, . . .as follows:

• Q0=Q.

• IfQihas no successor node in the tableau thenπ^K_Qends in nodeQi.

• IfQihas precisely one successor nodeQthenQi+1=Q.

• IfQihas a left-hand successor nodeQand a right-hand successor nodeQthen Qi+1=QifK_cnt(i)(Q) =tt, elseQi+1 =Q.

Note that this definition of π_Q^K is such that for any formula 2A ∈ neg(Qi)the successorQ containingA ∈ neg(Q)is “preferred” in the sense that this node is chosen to continue the path “if possible”.

Lemma 2.5.2. LetQbe a node in a tableau andKa temporal structure such that K0(Q) = tt. Then π_Q^K = Q0,Q1, . . . is infinite and does not contain any closed tableau node. Moreover,K_cnt(i)(Qi) =ttfor alli∈N.

Proof. a) We first prove by induction on the definition ofπ^K_QthatK_cnt(i)(Qi) =tt for all nodesQi ofπ_Q^K.

1. Withcnt(0) = 0we haveKcnt(0)(Q0) =K0(Q0) =ttfrom the assumption.

2. Consider the nodeQi+1. By induction hypothesis we haveK_cnt(i)(Qi) =tt. If Qiis not a tableau state thencnt(i+ 1) =cnt(i). According to the definition of π^K_Qwe then getK_cnt(i+1)(Qi+1) =K_cnt(i)(Qi+1) = ttwith Lemma 2.5.1 a).

IfQi is a tableau state thencnt(i+ 1) = cnt(i) + 1andQi+1is the unique successor ofQi inT. So we obtainK_cnt(i+1)(Qi+1) =K_cnt(i)+1(Qi+1) =tt with Lemma 2.5.1 b).

This observation also implies thatπ^K_Qmust be infinite for otherwise condition (⊥)would have to hold for the final nodeQk, contradictingK_cnt(k)(Qk) =tt.

b) It remains to prove that no nodeQiis closed, which is shown by induction on the definition of the set of closed nodes (simultaneously for alli∈N):

1. We have already observed above that condition(⊥)can hold for no nodeQi, so noQiis closed because of(C1).

2. Assume that nodeQi was closed according to(C2), i.e., because all its succes- sor nodes had already been established as being closed. This implies thatQi+1

is also closed, which is impossible according to the induction hypothesis.

3. Assume that nodeQiwas closed because of a formula2A∈neg(Qi)such that all paths fromQi to nodesQof the tableau withA∈neg(Q)contain a node that had already been found to be closed. Because of K_cnt(i)(Qi) = tt there is some smallestj ≥cnt(i)such thatKj(A) = ff. Now consider the subpath Qi,Qi+1, . . . ,Qst(j)fromQiup to (and including) thejth tableau state of the path. Observe thatst(j)is well defined because the path is known to be infinite;

moreover,st(j)≥st(cnt(i))≥i.

We prove that for allk such that i ≤ k ≤ st(j), either 2A ∈ neg(Qk)or e2A ∈ neg(Qk): fork = i, we know by assumption that 2A ∈ neg(Qk).

Following any edge other than according to(e)or(2⁻), applied to2A, pre- serves the assertion. IfQk satisfies condition(2⁻), applied to2A, it has two successor nodesQandQsuch thatA∈neg(Q)and e2A∈neg(Q). Now, by assumption we know thatQis closed; thereforeQk+1must beQ, and thus we have e2A∈ neg(Qk+1). Finally, ifQk satisfies condition(e), we cannot have2A∈ Qk, so we have e2A∈ Qkand thus2A∈ Qk+1.

Now let l denote the least index such that i ≤ l ≤ st(j)and cnt(l) = j; observe that eitherl =iorQl is the successor of a tableau state, and therefore we must have2A∈neg(Ql). It follows from the definition of a tableau that at some nodeQm wherel ≤m ≤st(j), and thuscnt(m) = j, rule(2⁻)must be applied to2A. Moreover, Kj(Qm) = ttandKj(A) = ff, soQm+1 is the left-hand successor of nodeQm, andA ∈ neg(Qm+1). We have thus found a pathQi, . . . ,Qm+1 fromQi to a node whereA ∈ neg(Qm+1) such that no node along the path has already been found to be closed, and a contradiction is reached. Therefore,Qicannot be closed because of(C3).

Lemma 2.5.3. IfT is a tableau for a PNPPandPis satisfiable thenT is success- ful.

Proof. Assume thatPis satisfiable and letK= (η0, η1, . . .)be a temporal structure andi ∈Nsuch thatKi(P) = tt. ForKⁱ = (ηi, ηi+1, . . .)Lemma 2.1.5 implies that Kⁱ₀(P) = tt. By Lemma 2.5.2 the pathπ_P^Ki throughT does not contain any closed tableau node. In particular, the rootP is not closed, i.e., the tableau is successful.

We will now prove that, conversely, any successful tableau T for P contains some path that represents a temporal structure satisfyingP. As in Sect. 2.4 we say that an infinite pathQ0,Q1, . . .inT is complete ifQ0 =P, if it does not contain any closed node, and if for all formulasAand alli ∈Nsuch that2A∈ neg(Qi) there exists somej ≥isuch thatA∈neg(Qj).

Lemma 2.5.4. Every successful tableau for a PNPP contains some complete path.

Proof. The proof is similar to that of Lemma 2.4.8: Assume thatT is a successful tableau for a PNPP. SinceT is a finite graph of PNPs there are only finitely many formulasAsuch that2A∈neg(Q)for some nodeQofT. Choose some fixed enu- merationA0, . . . ,Am−1of all such formulasA. We define a successionπ0, π1, . . . of finite, non-empty paths inT that do not contain any closed nodes and such thatπi

is a proper prefix ofπi+1as follows:

• Letπ₀=P be the path that contains only the root ofT. SinceT is successful, Pis not closed.

• Inductively, assume thatπi =Q0, . . . ,Qk has already been defined. We distin- guish two cases: if2Aimodm∈/ neg(Qk)orAimodm ∈neg(Qk)thenπi+1is obtained fromπiby appending some non-closed successor node ofQk. (Observe that Qk has some such successor since otherwise it were closed by condition (C2).) If, on the other hand,2Aimodm ∈neg(Qk)andAimodm ∈/ neg(Qk) then condition(C3)ensures that there exists some pathπfromQto some node QwithAimodm ∈neg(Q)such thatπdoes not contain any closed node (and obviously,πmust be non-empty). Letπi+1be the concatenation ofπiandπ. The succession π0, π1, . . . uniquely determines an infinite pathπ in T, which is

complete by construction.

Lemma 2.5.5. If T is a successful tableau for a PNP PthenPis satisfiable.

Proof. Assume thatT is successful, and choose some complete path Q0,Q1, . . . inT, which is possible by Lemma 2.5.4. Now letK= (η0, η1, . . .)be any temporal structure such that, for allv ∈Vandi∈N,

v ∈pos(Qst(i)) ⇒ ηi(v) =tt, v ∈neg(Qst(i)) ⇒ ηi(v) =ff.

Such structures exist because no nodeQj is closed, and in particular one cannot have v ∈pos(Qst(i))∩neg(Qst(i))for anyv andi. For example, one can defineKby stipulating thatη_i(v) =ttif and only ifv ∈pos(Qst(i)), for allvandi.

We will prove that the above condition ensures

(∗) A∈pos(Qi) ⇒ K_cnt(i)(A) =tt, A∈neg(Qi) ⇒ K_cnt(i)(A) =ff

for all formulasAand alli∈N. In particular,(∗)impliesK_cnt(0)(Q0) =tt, that is, K₀(P) =ttsinceQ0=P andcnt(0) = 0, proving the lemma.

Assertion(∗)is proven by structural induction onA.

1. A≡v ∈V: Ifv ∈pos(Qi)thenv∈pos(Qst(cnt(i)))by the tableau construc- tion and thusK_cnt(i)(v) =Kcnt(st(cnt(i)))(v) =tt.

Ifv ∈ neg(Qi)then again we have v ∈ neg(Qst(cnt(i))), and the assertion K_cnt(i)(v) =fffollows as above from the assumption onK.

2. A ≡ false: SinceQi is not closed, we know that false ∈/ pos(Qi); moreover, Kcnt(i)(false) =ff. This suffices.

3. A ≡ B → C: Assume that B → C ∈ pos(Qi) and consider the path Qi, . . . ,Qst(cnt(i)). By the tableau construction there exists some j where i≤j <st(cnt(i))such that rule(→⁺)is applied toAat nodeQj; observe that cnt(j) = cnt(i). It follows thatB ∈neg(Qj+1)orC ∈pos(Qj+1), and thus by induction hypothesisK_cnt(j)(B) =fforK_cnt(j)(C) =tt. In either case, we obtainK_cnt(i)(B→C) =tt.

IfB → C ∈ neg(Qi)the argument is analogous withB ∈ pos(Qj+1)and C ∈neg(Qj+1)because of rule(→⁻).

4. A ≡ eB: If eB ∈ pos(Qi) then eB ∈ pos(Qst(cnt(i))) by the tableau construction and B ∈ pos(Qst(cnt(i))+1) since rule (e) is applied at node Qst(cnt(i)). Applying the induction hypothesis it follows that

Kcnt(i)( eB) =Kcnt(i)+1(B) =Kcnt(st(cnt(i))+1)(B) =tt.

The case eB ∈ neg(Qi)is argued analogously withB ∈ neg(Qst(cnt(i))+1) because of rule(e).

5. A ≡2B: Assume2B ∈pos(Qi), and consider the pathQi, . . . ,Qst(cnt(i)): by the tableau construction there exists somej wherei ≤j <st(cnt(i))such that rule (2⁺)is applied to formula 2B at nodeQj, and therefore we have {B, e2B} ⊆pos(Qj+1). Moreover, it follows that e2B ∈ pos(Qst(cnt(i)));

thus2B ∈pos(Qst(cnt(i))+1). Continuing inductively, for allk ≥cnt(i)we find somej such thatcnt(j) =k andB ∈pos(Qj). The induction hypothesis implies thatKk(B) =ttholds for allk ≥cnt(i), that is,K_cnt(i)(2B) =tt.

Now suppose that2B ∈ neg(Qi). The definition of a complete path ensures thatB ∈ neg(Qj)for somej ≥i. By the induction hypothesis it follows that Kcnt(j)(B) =ff, and the monotonicity ofcntimpliesKcnt(i)(2B) =ff.

The previous results provide now the desired algorithmic decision procedure for satisfiability. Given a PNPP, a tableauT for P can be constructed by expansion steps according to the rules(→⁺)through (e)and terminating according to rule (⊥). Rules(C1)–(C3)can be used to remove unsatisfiable nodes or subgraphs inT (pruning steps) providing the decision whetherT is successful or unsuccessful, i.e., by the Lemmas 2.5.3 and 2.5.5, whetherPis satisfiable or not. We summarize this investigation in the following theorem.

Theorem 2.5.6 (Decidability Theorem for LTL). The satisfiability and validity problems forLLTLare decidable.

Proof. In order to decide the satisfiability problem for a given formulaFofLLTL, the decision procedure is applied to the PNP({F},∅). SinceFis valid if and only if¬F is unsatisfiable, the validity problem forF can be decided with the PNP(∅,{F}).

The given tableau definitions refer to the basic logical operators of LTL. Of course, for practical use one could add also “direct” rules for the derived operators, e.g., conditions

(∨⁺) A∨B ∈ F⁺ for some formulasA,B, andQ has precisely two successor nodes: the left-hand successor((F⁺\ {A∨B})∪ {A},F⁻)and the right- hand successor((F⁺\ {A∨B})∪ {B},F⁻),

(∨⁻) A∨B ∈ F⁻ for some formulas A,B, andQ has precisely the successor node(F⁺,(F⁻\ {A∨B})∪ {A,B})

for tableau nodesQ= (F⁺,F⁻), providing expansion steps with respect to∨, or (C4) IfQis a node andAis a formula such that3A∈pos(Q)and every path from

Qto some nodeQ withA∈ pos(Q)contains some closed node thenQis itself closed

as another rule for pruning steps.

Moreover, the description of the decision procedure above seems to suggest that pruning steps are applied only after all nodes have been fully expanded. However, actual implementations would be likely to interleave expansion and pruning steps in order to avoid unnecessary expansions. So, the closure conditions(C1)and(C2) can be implemented at the time of construction ofT. Condition(C3)can be checked by inspecting the strongly connected components (SCC) of the tableau: an SCC is said to promiseAif2A∈neg(Q)holds for some nodeQof the SCC. It is said to fulfillAifA∈neg(Q)holds for some nodeQof the SCC. Finally, we call an SCC honest if it fulfills all formulasAthat it promises. A tableauT is successful if and only if it contains some honest SCC that is reachable on a path from the root ofT. The existence of honest SCCs can be decided, for example using Tarjan’s algorithm, in time linear in the size ofT.

Formulas that occur in nodes of a tableauT for a PNPPare either subformulas of formulas inFPor formulas of the form eAwhereAis a subformula of some formula inFP. Because the number of subformulas of a formula is linear in the length of the formula (measured as the number of symbols), it follows that the number of nodes ofT is at most exponential in the size ofP, measured as the sum of the lengths of the formulas inP. Altogether we find that the tableau method can be implemented in time exponential in the size ofP.