First-Order Linear Temporal Logic

5.3 Incompleteness

Propositional linear temporal logic LTL and classical propositional logic PL are both decidable. PL can be completely axiomatized and for LTL this is possible at least in the weak form described in Sect. 2.4. Comparing linear temporal and classical logics in their first-order versions, FOL is undecidable and hence FOLTL is undecidable as well. The main difference appears with respect to axiomatizations. In contrast to FOL, FOLTL can not be completely axiomatized, not even in the weak form. More precisely: FOLTL is incomplete in the sense defined in Sect. 1.4. We may show this following the pattern given there by proving that, roughly speaking, the standard model of natural numbers can be “characterized” in FOLTL.

To make this argument precise, letSIG_Natbe the natural number signature with the function symbols0,SUCC,+,∗andTSIG_Nat= (SIG_Nat,{num},∅)with the flexible individual constantnum(of sortNAT). We consider the following formulas ofLFOLTL(TSIGNat):

P1 ≡ SUCC(x)= 0,

P2 ≡ SUCC(x) =SUCC(y)→x =y, P3 ≡ x+ 0 =x,

P4 ≡ x+SUCC(y) =SUCC(x+y), P5 ≡ x∗0 = 0,

P₆ ≡ x∗SUCC(y) = (x∗y) +x, P₇ ≡ 3(num=x),

P₈ ≡ num=x → e(num= 0∨num=SUCC(x)).

Note thatP₁–P₆are axioms of the first-order theoryNatconsidered in Sect. 1.3 and are (as classical FOL formulas) valid in the standard modelNof natural numbers.

Furthermore, leti_j = j(j + 1)/2 for everyj ∈ NandP = (N,W_Nat)be the temporal structure forTSIG_NatwithW_Nat = (η₀, η₁, η₂, . . .)such that

ηij(num) = 0 for everyj,

ηij+k(num) =k forij <ij+k <ij+1.

More intuitively,i0= 0,i1= 1,i2= 3,i3= 6,. . ., soWNatmay be depicted by η₀η₁η₂η₃ η₄η₅η₆η₇η₈η₉η₁₀. . .

num 0 0 1 0 1 2 0 1 2 3 0 . . . Lemma 5.3.1. The formulasP₁–P₈are valid inP.

Proof. P1–P6are rigid and non-temporal, valid inNand hence inPby Lemma 5.1.1.

The validity ofP7andP8inPfollows from the definition ofWNat: ifξ(x) =nthen ηin+1+n(num) =n and ifηi(num) =n andηi+1(num)= 0theni =ij +nfor somej andi + 1 = ij +n+ 1 = ij+1; henceηi+1(num) = n + 1. So we get P^(ξ)_i (P₇) =ttandP^(ξ)_i (P₈) =ttfor everyiandξ.

The temporal structurePhasNas its data component. Let nowK= (S,W)be any temporal structure forTSIGNat. We define the mappingχ:|N| → |S|by

χ(0) = 0^S,

χ(n+ 1) =SUCC^S(χ(n)).

Lemma 5.3.2. If the formulasP7andP8are valid inKthen there isk ∈Nsuch that a)η_k(num) = 0^S,

b) for everyi≥k,η_i(num) =χ(n) for somen ∈N.

Proof. LetP7 andP8be valid in K. Then K^ξ₀(P7) = tt forξwithξ(x) = 0and this impliesηk(num) = 0^Sfor somek ∈N. So thisk has the property a), and b) is shown by induction oni.

1. Fori =k we haveηi(num) =ηk(num) = 0^S=χ(0)from a).

2. For i > k we have ηi−1(num) = χ(m)for some m ∈ Nby the induction hypothesis. Since_KP8, we haveK^ξ_i−1(P8) = ttfor ξwithξ(x) = χ(m); so η_i(num) = 0^S=χ(0)orη_i(num) =SUCC^S(χ(m)) =χ(m+ 1).

Lemma 5.3.3. If the formulasP1,P2,P7, andP8are valid inKthen:

a)m=n ⇒ χ(m)=χ(n) for everym,n ∈N. b) For everyd∈ |S|there is anm ∈Nwithχ(m) =d.

Proof. a) Letn =m. We showχ(n)=χ(m)by induction onn+m.

1. Ifn = 0,m= 0, andP₁is valid inKthenχ(n) = 0^S=SUCC^S(χ(m−1)) = χ(m). The casem = 0,n = 0is symmetrical.

2. Ifn = 0andm = 0thenχ(n−1)=χ(m−1)by the induction hypothesis and if P₂is valid inKthen we getχ(n) =SUCC^S(χ(n−1))=SUCC^S(χ(m−1)) = χ(m).

b) Assume that there is somed ∈ |S|such thatχ(m) = d for everym ∈ N. IfP7andP8 are valid inKthen by Lemma 5.3.2 b) there are k,n ∈ Nsuch that ηi(num) = η(n)fori ≥k. This means thatηi(num) =d fori ≥k. Moreover, because ofP7,K^(ξ)_k (3(num =x)) =ttforξwithξ(x) =d; henceηi(num) = d

for somei≥kand this is a contradiction.

Lemma 5.3.3 says thatχis a bijective mapping and by the next lemma it is, in the terminology of classical logic, even an “isomorphism” (ifKsatisfies the respective formulas).

Lemma 5.3.4. If the formulasP₃–P₆are valid inKthen for everym,n∈N:

a)χ(m+n) =χ(m) +^Sχ(n).

b)χ(m∗n) =χ(m)∗^Sχ(n).

Proof. a) The assertion is proved by induction onn.

1. IfP3is valid inKthen we haved+^S0^S =d for arbitraryd ∈ |S|; so we get χ(m+ 0) =χ(m) =χ(m) +^S0^S=χ(m) +^Sχ(n).

2. Utilizing the validity ofP₄and the induction hypothesis we get χ(m+ (n+ 1)) = χ((m+n) + 1)

= SUCC^S(χ(m+n))

= SUCC^S(χ(m) +^Sχ(n))

= χ(m) +^SSUCC^S(χ(m))

= χ(m) +^Sχ(m+ 1).

b) The proof of this part runs analogously, using the validity ofP₅andP₆. In isomorphic structures the same (closed) formulas are valid (in the FOL sense).

We transfer this property to the present situation.

Lemma 5.3.5. LetK = (S,W)be a temporal structure forTSIGNat in which the formulasP1–P8are valid andAa closed formula ofLFOL(SIGNat). Then

_NA ⇔ _SA.

Proof. For any variable valuationξwith respect toNletχ◦ξbe the variable valuation χ◦ξ(x) =χ(ξ(x))with respect toS. (Note that all notations in the assertion of the lemma and in the following proof are from classical first-order logic.)

a) We first show by induction ontthat χ(N^(ξ)(t)) =S^(χ◦ξ)(t)

holds for every term ofLFOL(SIG_Nat)and for everyξ.

1. Iftis a variablex thenχ(N^(ξ)(t)) =χ(ξ(x)) =S^(χ◦ξ)(t).

2. t ≡0:χ(N^(ξ)(t)) =χ(0) = 0^S=S^(χ◦ξ)(t)by definition ofχ.

3. t ≡SUCC(t1): Then by definition ofχand the induction hypothesis we have χ(N^(ξ)(t)) = χ(N^(ξ)(t1) + 1)

= SUCC^S(χ(N^(ξ)(t1)))

= SUCC^S(S^(χ◦ξ)(t1))

= S^(χ◦ξ)(t).

4. t ≡t₁+t₂ort≡t₁∗t₂: Then, in the first case, χ(N^(ξ)(t)) = χ(N^(ξ)(t₁) +N^(ξ)(t₂))

= χ(N^(ξ)(t₁)) +^Sχ(N^(ξ)(t₂))

= S^(χ◦ξ)(t₁) +^SS^(χ◦ξ)(t₂)

= S^(χ◦ξ)(t)

with Lemma 5.3.4 a) and the induction hypothesis. The second case runs analo- gously with Lemma 5.3.4 b).

b) Let nowAbe a formula ofLFOL(SIGNat). We show by induction onAthat N^(ξ)(A) =S^(χ◦ξ)(A)

holds for everyξ.

1. A ≡ t₁=t₂: Then with Lemma 5.3.3 a) and a) we have N^(ξ)(A) =tt ⇔ N^(ξ)(t1) =N^(ξ)(t2)

⇔ χ(N^(ξ)(t1)) =χ(N^(ξ)(t2))

⇔ S^(χ◦ξ)(t1) =S^(χ◦ξ)(t2)

⇔ S^(χ◦ξ)(A) =tt.

2. A≡false:N^(ξ)(A) =ff=S^(χ◦ξ)(A).

3. A≡B→C: Then with the induction hypothesis we have N^(ξ)(A) =tt ⇔ N^(ξ)(B) =ff or N^(ξ)(C) =tt

⇔ S^(χ◦ξ)(B) =ff or S^(χ◦ξ)(C) =tt

⇔ S^(χ◦ξ)(A) =tt.

4. A≡ ∃xB: Ifξ∼x ξthenχ◦ξ(y) =χ(ξ(y)) =χ(ξ(y)) =χ◦ξ(y)for every variabley other thanx; soχ◦ξ ∼x χ◦ξ. On the other hand, for any variable valuationξwith respect toS, letξ be the variable valuation with respect toN withχ(ξ(y)) =ξ(y)for everyy, i.e.,ξ =χ◦ξ.ξis well defined because of Lemma 5.3.3 b). Then, for χ◦ξ ∼x ξ and y different from x, we have

χ(ξ(x)) = χ(ξ(y))which implies ξ(y) = ξ(y)by Lemma 5.3.3 a); hence ξ∼x ξ. Altogether we get with the induction hypothesis

N^(ξ)(A) =tt ⇔ there is aξwithξ∼x ξandN^(ξ)(B) =tt

⇔ there is aξwithξ∼x ξandS^(χ◦ξ)(B) =tt

⇔ there is aξwithχ◦ξ∼x ξandS^(ξ)(B) =tt

⇔ S^(χ◦ξ)(A) =tt.

c) With b) we finally get the assertion of the lemma: ifAis closed thenN^(ξ)(A) andS^(χ◦ξ)(A)do not depend onξandχ◦ξ, respectively; so we have

_NA ⇔ N^(ξ)(A) =tt for everyξ

⇔ S^(χ◦ξ)(A) =tt for everyξ

⇔ _SA.

Recalling the discussion in Sect. 1.3, Lemma 5.3.5 informally says that the for- mulasP₁–P₈“characterize” the standard modelNof natural numbers (up to isomor- phism). This provides the key argument to the desired incompleteness result which can now easily be formalized.

Theorem 5.3.6 (Incompleteness Theorem for FOLTL). The logic FOLTL is in- complete.

Proof. The result follows from the G¨odel Incompleteness Principle pointed out in Sect. 1.4 if we can find a (decidable) setFof formulas ofLFOLTL(TSIGNat)such that

FA ⇔ _NA

holds for every closed formulaAofLFOL(SIGNat). In fact this works withFbeing the set of formulasP₁–P₈:Ais a rigid and non-temporal formula of the language LFOLTL(TSIG_NAT); so if F Athen _PAby Lemma 5.3.1 which implies _NAby Lemma 5.1.1. If, on the other hand,_NAandK= (S,W)is a temporal structure for TSIG_Natwhich satisfies the formulas ofFthen_SAby Lemma 5.3.5; hence_KAby

Lemma 5.1.1, and this meansFA.

The preceding discussion shows that FOLTL is a bit comparable with classical second-order logic. We remark, however, that FOLTL is still “weaker” than SOL:

there are properties of structures which can be characterized in SOL but not in FOLTL.

A proof-theoretical indication of the difference between FOLTL and SOL is the following observation. In Sect. 2.4 we remarked that weakening the concept of for- mal systems to semi-formal ones may bridge the gap between weak and full com- pleteness in LTL. In fact, the “much bigger” step from incompleteness to (full) com- pleteness in FOLTL (but not in SOL) can be achieved in the same way. Interestingly, it is even the sameω-rule

(ω-ind) A→ eⁱB, i∈N A→2B

(appropriate in the LTL case) which works here. Replacing (ind) by (ω-ind) in Σ_FOLTLprovides a (sound) semi-formal system which is complete in the sense that

F A ⇒ F A

then holds for arbitraryFandA.

Second Reading

Besides the consideration of semi-formal systems, there is another concept of weakening completeness called relative completeness. Originally introduced for Hoare logic, this mod- ification can also be defined in the present context.

Focusing on weak completeness, the question of whether some formal system Σ is weakly complete can be reduced to the question of whether any valid formulaAis derivable inΣ(cf. the proof of Theorem 2.4.10). The basic idea of relative completeness is induced by the observation that in applications one often does not want to derive universally valid formulas, but formulas which hold in the context of concrete data types. For example, if Ais a formula expressing some property of temporal structures with the natural numbers as underlying data, i.e., a formula of some languageLFOLTL(TSIGNat), then the relative completeness question forΣis as follows:

• ProvidedAis valid in every temporal structure forTSIGNat which has the standard modelNof natural numbers as its data component, isAderivable inΣif every non- temporal formula of this kind may be taken as assumption?

In other (informal) words: can we derive any formula which holds for arbitrary state se- quences and data fromNif we need not care about how to derive classical first-order for- mulas valid inN, but may use these just as assumptions in the derivation?

In general, and using the terminology introduced in Sect. 5.1, letTSIG= (SIG,X,V) be a temporal signature andCbe a class of structures forSIG. ForS∈ Cwe denote the set of all non-temporalS-valid formulas ofLFOLTL(TSIG)byTh(S). Then a formal systemΣ for FOLTL is called relatively complete with respect toCif

Th(S) _ΣA

holds for everyS-valid formulaAand everyS∈ C.

In Hoare logic it turns out that (an analogously defined) relative completeness can be achieved – apart from other trivial cases – for the class of arithmetical structures. Such a structure presupposes that the signatureSIGcontains the sortNATand the usual symbols 0,SUCC,+,∗ofSIGNat, andSrestricted to this part ofSIG is the standard modelN.

For FOLTL we call a formal system arithmetically complete if it is relatively complete with respect to the class of arithmetical structures.

In fact it is possible to give a sound and arithmetically complete axiomatization for FOLTL. Informally this means that an axiomatization with the property

AisS-valid ⇒ Th(S)A

is possible if the temporal logic language is rich enough to contain formulas which express statements about natural numbers and the interpretation of these formulas bySis the “stan- dard” one.

As in the case of a semi-formal axiomatization briefly mentioned in the main text above, the induction rule (ind) of temporal logic plays the crucial role in an approach to an arith- metically complete formal system. One essential part of the modification ofΣFOLTLcould be to replace (ind) by the rule

(ar-ind) Ay(0)→B,Ay(SUCC(y))→ c_{A ∀yA→2B}

in whichyis a variable fromXNatandBdoes not containy. This rule describes just an- other inductive argumentation (“over the natural numbers”) which is easy to understand informally. It obviously corresponds to the basic semantical fact that the states in a state sequenceW= (η0, η1, η2, . . .)are indexed by the natural numbers. (Examining the con- siderations of this section, it is easy to see that this fact is, on the other hand, essentially responsible for the incompleteness of FOLTL.) Interestingly, we will encounter a similar line of argumentation (for another purpose) in Sect. 5.5.

Observe finally that the rule (ind) is just a trivial case of (ar-ind): ifAdoes not contain the variableythen (ar-ind) reduces to

A→B,A→ c_{A A→2B} which is in fact (ind).