Basic Propositional Linear Temporal Logic

2.6 Initial Validity Semantics

Theorem 2.5.6 (Decidability Theorem for LTL). The satisfiability and validity problems forLLTLare decidable.

Proof. In order to decide the satisfiability problem for a given formulaFofLLTL, the decision procedure is applied to the PNP({F},∅). SinceFis valid if and only if¬F is unsatisfiable, the validity problem forF can be decided with the PNP(∅,{F}).

The given tableau definitions refer to the basic logical operators of LTL. Of course, for practical use one could add also “direct” rules for the derived operators, e.g., conditions

(∨⁺) A∨B ∈ F⁺ for some formulasA,B, andQ has precisely two successor nodes: the left-hand successor((F⁺\ {A∨B})∪ {A},F⁻)and the right- hand successor((F⁺\ {A∨B})∪ {B},F⁻),

(∨⁻) A∨B ∈ F⁻ for some formulas A,B, andQ has precisely the successor node(F⁺,(F⁻\ {A∨B})∪ {A,B})

for tableau nodesQ= (F⁺,F⁻), providing expansion steps with respect to∨, or (C4) IfQis a node andAis a formula such that3A∈pos(Q)and every path from

Qto some nodeQ withA∈ pos(Q)contains some closed node thenQis itself closed

as another rule for pruning steps.

Moreover, the description of the decision procedure above seems to suggest that pruning steps are applied only after all nodes have been fully expanded. However, actual implementations would be likely to interleave expansion and pruning steps in order to avoid unnecessary expansions. So, the closure conditions(C1)and(C2) can be implemented at the time of construction ofT. Condition(C3)can be checked by inspecting the strongly connected components (SCC) of the tableau: an SCC is said to promiseAif2A∈neg(Q)holds for some nodeQof the SCC. It is said to fulfillAifA∈neg(Q)holds for some nodeQof the SCC. Finally, we call an SCC honest if it fulfills all formulasAthat it promises. A tableauT is successful if and only if it contains some honest SCC that is reachable on a path from the root ofT. The existence of honest SCCs can be decided, for example using Tarjan’s algorithm, in time linear in the size ofT.

Formulas that occur in nodes of a tableauT for a PNPPare either subformulas of formulas inFPor formulas of the form eAwhereAis a subformula of some formula inFP. Because the number of subformulas of a formula is linear in the length of the formula (measured as the number of symbols), it follows that the number of nodes ofT is at most exponential in the size ofP, measured as the sum of the lengths of the formulas inP. Altogether we find that the tableau method can be implemented in time exponential in the size ofP.

a temporal structure and the evaluation of formulas remain unchanged, validity and consequence are defined as follows.

Definition. A formulaAofLLTL(V)is called initially valid in the temporal struc- tureKforV, denoted by ⁰_KA, ifK0(A) =tt.Ais called an initial consequence of a setFof formulas (F ⁰A) if ⁰_KAholds for everyKsuch that⁰_KBfor allB ∈ F. Ais called (universally) initially valid (A) if⁰ ∅⁰A.

We denote LTL equipped with this initial validity semantics by LTL₀. This se- mantics and LTL₀are also called anchored semantics and anchored LTL. (In some presentations of LTL₀the notion of initial validity is defined in a technically some- what different way. We will come back to this in another context in Sect. 10.2.)

Temporal logic can be used to “specify” temporal structures, as we will see in Chap. 6, similar to the description of first-order structures by theories in Sect. 1.3.

For such applications, it is often desirable to express that some formulaAholds in the initial state of some temporal structure. This is clearly possible in the framework of LTL0, just by assertingA, whereas the same effect cannot be achieved in LTL whereAwould then have to hold in all states of the structure (we will come back to this issue, however, in Sects. 3.4 and 3.5). In LTL0the latter condition can obviously be expressed by asserting2A.

More technically, the connections between LTL and LTL0 are rendered by the following lemma.

Lemma 2.6.1. LetAbe a formula, and letKbe a temporal structure.

a) If _KAthen⁰_KA.

b)_KAif and only if ⁰_K2A.

Proof. _KAmeansKi(A) =ttfor everyi ∈N, and this impliesK0(A) =tt; hence 0_KAwhich proves a), and it is, moreover, equivalent toK₀(2A) =tt, i.e.,⁰_K2A, thus

proving also b).

With the help of this lemma we are now able to state the precise connections on the level of the different consequence relations.

Theorem 2.6.2. LetAbe a formula,Fbe a set of formulas, and let 2F denote the set{2B|B∈ F}.

a) IfF ⁰AthenFA.

b)FAif and only if 2F⁰A.

Proof. a) Assume thatF ⁰A, letKbe a temporal structure such that _KB for all B ∈ F, and leti ∈ N. For Kⁱ = (η_i, η_i+1, η_i+2, . . .)we have, by Lemma 2.1.5, Kⁱ₀(B) = K_i(B) = tt, i.e.,_K⁰ⁱB for allB ∈ F. Because of the assumption that F ⁰A, this implies_K⁰iA; hence again by Lemma 2.1.5,Ki(A) =Kⁱ₀(A) = tt, and shows thatF A.

b) Assume thatF Aand letKbe a temporal structure such that⁰_K2Bfor all B∈ F. Then_KBfor allB ∈ F by Lemma 2.6.1 b); hence_KA, and therefore ⁰_KA by Lemma 2.6.1 a). This means that 2F ⁰A. Conversely, assume that2F ⁰A, let Kbe a temporal structure such that_KBfor allB ∈ F, and leti ∈N. Then, for all B ∈ F,Kj(B) = ttfor everyj ∈N. This implies, forKⁱ as in a) and again for all B∈ F,Kⁱ_j(B) =Ki+j(B) =ttfor everyj ∈Nby Lemma 2.1.5; hence _KiB, and therefore _K⁰i2B by Lemma 2.6.1 b). From this we get _K⁰iA, which shows as in a)

thatFA.

The converse of part a) of Theorem 2.6.2 does not hold in general. For example, we haveA eA, but eAis not an initial consequence ofA. This is easy to see by takingAto be somev ∈VandK= (η₀, η₁, η₂, . . .)withη₀(v) =ttandη₁(v) =ff.

Then ⁰_Kv but not ⁰_K ev. From Theorem 2.6.2 b) we only learn that 2A ⁰ eA holds.

The relationship between implication and initial consequence also has to be re- considered. The characteristic (if part of the) equivalence

F ∪ {A} B ⇔ F 2A→B

of LTL (cf. Theorem 2.1.6) does not hold in general for LTL₀. For example (with F=∅),⁰2A→ eAsinceK0(2A) =tt ⇒ K1(A) =K0(eA) =tt, butA⁰ eA does not hold as we just saw. Instead, we get back the relationship of classical logic for LTL0:

Theorem 2.6.3.F ∪ {A}⁰B if and only if F ⁰A→B.

Proof. Assume thatF ∪{A}⁰Band letKbe a temporal structure such that⁰_KCfor allC ∈ F. To see that⁰_KA→B, assume thatK₀(A) =tt. Then_K⁰Aand therefore 0_KB, i.e.,K0(B) =tt. This shows thatF ⁰A→B. If, conversely, the latter holds andKis a temporal structure with⁰_KCfor allC ∈ F ∪{A}then we haveK₀(A) =tt andK₀(A→B) =tt, and by Lemma 2.1.1 we obtainK₀(B) =ttwhich shows that

F ∪ {A}⁰B.

Despite all these differences between LTL and LTL0it is remarkable, however, that the two (universal) validity concepts still coincide:

Theorem 2.6.4. Aif and only if ⁰A.

Proof. The assertion follows directly from Theorem 2.6.2 b), choosingF=∅which,

of course, implies2F=∅.

This observation generalizes to another connection: a consequence relationship of LTL likeA eAcan be “weakened” to

0A ⇒ ⁰ eA

in LTL0. In general, we have:

Theorem 2.6.5. If FAand ⁰Bfor allB∈ Fthen ⁰A.

Proof. From ⁰Bwe get Bfor allB ∈ Fwith Theorem 2.6.4. UsingF Aand Theorem 2.1.8, we obtainA; hence⁰Aagain with Theorem 2.6.4.

To sum up, we realize that LTL and LTL0coincide with respect to (universal) validity, but differ in their consequence relations. In particular, all laws (T1), (T2), etc. (expressed by formulas) also hold in LTL0. Any consequence relationship

FA

of LTL is changed to 2F ⁰A

and can also be “rewritten” as 0Bfor allB∈ F ⇒ ⁰A in LTL0.

These semantical observations carry over to axiomatizations of LTL₀. If we are interested only in deriving valid formulas (without any assumptions) thenΣ_LTL would obviously be an adequate formal system for LTL₀, too. Rules ofΣ_LTL (and derived rules) have then to be understood in a new way, semantically indicated by Theorem 2.6.5. For example, the rule

A eA

should be read as asserting

“ifAis derivable then eAis derivable”

whereas in LTL it reads

“for anyF, ifAis derivable fromFthen eAis derivable fromF”.

If we want, however, to axiomatize LTL0 such that the relationF Amirrors the relationF ⁰Aof initial consequence then Σ_LTL is no longer appropriate. For example, the ruleA eAwould not be sound any more with respect to this reading.

One possible formal systemΣ_LTL0for LTL₀in this sense is given as follows:

Axioms

(taut₀) 2Afor all tautologically valid formulas, (ltl1₀) 2(¬ eA ↔ e¬A),

(ltl20) 2(e(A→B) → (eA→ eB)), (ltl30) 2(2A → A∧ e2A).

Rules

(mp) A,A→B B, (mp0) 2A,2(A→B) 2B, (refl0) 2A A,

(nex0) 2A 2eA,

(ind0) 2(A→B),2(A→ eA) 2(A→2B).

The axioms (taut0), (ltl10), (ltl20), and (ltl30) are obvious transcriptions from the axioms ofΣLTL. Modus ponens occurs in the usual form (mp) and in a transcribed version (mp0). The rules (nex0) and (ind0) are adjustments of (nex) and (ind) of ΣLTL. The additional rule (refl0) reminds us of the reflexivity law (T4).

Theorem 2.6.6 (Soundness Theorem forΣLTL0). LetAbe a formula andFa set of formulas. IfF _ΣLTL

0

AthenF ⁰A. In particular: if _ΣLTL

0

Athen ⁰A.

Proof. The proof runs by induction on the assumed derivation ofAfromF. 1. All axioms ofΣLTL0are of the form2AwhereAis an axiom ofΣLTL. Together

with rule (alw) we get _ΣLTL2A, which implies 2A by Theorem 2.3.1, and hence⁰2A by Theorem 2.6.4. This impliesF ⁰ 2Afor all axioms 2Aof ΣLTL0.

2. IfA∈ FthenF⁰Aholds trivially.

3. IfA is concluded by a rule of ΣLTL0 then, by induction hypothesis, we have F ⁰C for the premisesC of that rule. So, for a temporal structureKwith⁰_KB for allB ∈ F we have⁰_KC, i.e.,K₀(C) = ttfor theseC. It remains to show that, for each rule, this impliesK₀(A) =tt. For the rule (mp) the claim follows directly using Lemma 2.1.1. For (mp₀),K₀(2B) =K₀(2(B→A)) =ttmeans K_i(B) = K_i(B → A) = ttfor everyi ∈ Nand yieldsK_i(A) = ttfor every i ∈ N by Lemma 2.1.1, and therefore we obtain K₀(2A) = tt. For (refl₀), K0(2A) = ttclearly impliesK0(A) = tt. IfA ≡ 2 eB is the conclusion of (nex0), the premiseCis of the form2B, andK0(2B) =ttimpliesKi(B) =tt for everyi ≥ 1, which meansK0(2 eB) = tt. Finally, in the case of (ind0), K0(2(D →E)) =ttandK0(2(D → eD)) =ttimplyKi(D →E) =ttand Ki(D → eD) = ttfor everyi ∈N. Letj ∈ Nand assume thatKj(D) = tt.

As in the proof of Theorem 2.3.1 we obtainKk(E) =ttfor everyk ≥j, hence Kj(D →2E) =tt. Sincejis arbitrary this impliesK0(2(D →2E)) =tt.

The (weak) completeness ofΣ_LTL0 can be reduced to that of Σ_LTL proved in Sect. 2.4. (In fact, we have statedΣ_LTL0 in just such a form that this reduction is directly possible.) The crucial step is the following proof-theoretical counterpart of (the “only if” part of) Theorem 2.6.4:

Lemma 2.6.7. LetAbe a formula. If _ΣLTLA then _ΣLTL

0A.

Proof. Assume that_ΣLTLA. We show_ΣLTL

02Aby induction on the presumed deriva- tion ofAinΣ_LTLfrom which the assertion of the lemma follows immediately with an application of the rule (refl0).

IfAis an axiom ofΣ_LTLthen2Ais an axiom ofΣ_LTL0 and therefore derivable in the latter. IfAis concluded from premisesBandB →Aby (mp) then we have _ΣLTL

02Band _ΣLTL

02(B→A)by induction hypothesis and therefore _ΣLTL

02Awith (mp0). IfA≡ eBis concluded fromBwith (nex) then, by induction hypothesis,2B is derivable inΣLTL0and so is2 eB, i.e.,2Awith (nex0). Finally, ifA≡B →2C is the conclusion of applying (ind) toB →C andB → eB then2(B →C)and 2(B → eB)are derivable inΣLTL0 by induction hypothesis, and2(B → 2C)is

obtained by (ind0).

With this lemma we are able to establish the weak completeness ofΣ_LTL0: Theorem 2.6.8 (Weak Completeness Theorem forΣLTL₀).ΣLTL0 is weakly com- plete, i.e., for every finite setFof formulas and formulaA, ifF⁰AthenF _ΣLTL

0A.

In particular: if ⁰Athen _ΣLTL

0A.

Proof. LetF={A₁, . . . ,A_n}wheren ≥0. We then have F⁰A ⇒ ⁰A₁→(A₂→. . .→(A_n →A). . .)

(by Theorem 2.6.3, appliedntimes)

⇒ A1→(A2→. . .→(An →A). . .) (by Theorem 2.6.4)

⇒ _ΣLTLA1→(A2→. . .→(An →A). . .) (by Theorem 2.4.10)

⇒ _ΣLTL

0A1→(A2→. . .→(An→A). . .) (by Lemma 2.6.7)

⇒ F _ΣLTL

0A (by (mp), appliedntimes).

We do not want to develop the proof theory of LTL₀ in further detail. We only remark that the Deduction Theorem (and its converse) forΣ_LTL0holds in the classical form

F ∪ {A} _Σ

LTL0B ⇔ F _Σ

LTL0A→B

which obviously corresponds to the semantical considerations above.

Bibliographical Notes

As mentioned in the Second Reading paragraph in Sect. 2.3, temporal logic is a branch of modal logic, a detailed presentation of which can be found, e.g., in [21, 66].

The “possible worlds” semantics (here adapted to the notion of temporal structures) was introduced by Kripke [76]. Prior [125] was the first to suggest a “temporal”

interpretation of the modal operators 2 and3 as “always” and “sometime”. An overview of different subsequent developments can be found in [130].

In the framework of a discrete and linearly ordered time structure, v. Wright [156]

developed a logic with the operators “always” and “next” which was axiomatized by Prior [126] who also suggested using the logical formalism for proofs of the “work- ing of digital computers”. Prior attributes the axiomatization to Lemmon. Proba- bly it should appear in [90] but Lemmon died before finishing this book. Other similar formal systems were given by Scott (reported in [126]), Clifford [36], and Segerberg [136].

A first concrete mention of how the modal operators “always” and “sometime”

could be used in program verification was given by Burstall [25]. This idea was elab- orated by Pnueli [120]. Kr¨oger [77, 78] developed logics with “next” and used the operators “next”, “always”, and “sometime” in the field of verification of (sequen- tial) programs in [79]. Pnueli [121] introduced the (normal) semantical apparatus for this logic as described in this book and applied it to concurrent programs.

From that time on, a large number of investigations arose. We will cite extracts from the relevant literature in the following chapters. Here we only add some remarks with respect to the contents of Sects. 2.4–2.6. The completeness proof presented in Sect. 2.4 is based on proofs given in [79] and [132]. The tableau method is a very general approach to show the decidability of logics. A survey of its application in the area of temporal logics is given in [160]. Initial validity semantics was introduced in [100], some other semantical aspects are discussed in [44].

3