State Systems

6.2 State Transition Systems

In Sects. 5.3 and 5.6 we have indicated by means of the natural numbers that temporal logic could be used for such data type specifications as well (possibly achieving results which cannot be obtained by classical logic specifications). In fact, the considerations car- ried out there precisely fit into the concept of FOLTL-theories. For example, the setAN

consisting of the formulasP1–P8given in Sect. 5.3 constitute, together with an appropri- ate languageLFOLTL, an FOLTL-theoryThN= (LFOLTL,AN). According to the results of Sect. 5.3,ThNspecifies the standard modelNof natural numbers in the sense that there exists a model(N,W)ofThN, and even more: for any model(S,W)ofThN,SandNare

“isomorphic”.

So, while the FOLTL-specification of state systems mainly intends to describe the com- ponentsWof modelsK= (S,W), temporal logic specifications of data types would allow us also to address the data componentS. For example, in the “even and odd number” system in the above main text the axioms forNcould be given just by the formulasP1–P8.

The general notions for this approach are easy to define in the framework of this section.

LetTSIG= (SIG,X,V)be a temporal signature,Sbe a structure forSIG, andThbe an FOLTL-theory.Sis called a model structure ofThif there exists a model ofThwhich has Sas its data component. (Observe that this definition includes the classical specifications of Sect. 1.3 since the non-logical axioms ofThcould be only non-temporal formulas.)

Let us illustrate this method by a further example. In Sect. 1.3 we have specified stacks within classical FOL by the axioms

PUSH(x,y)=EMPTY, POP(PUSH(x,y)) =x, TOP(PUSH(x,y)) =y

formulated in a languageLFOL(SIGst)whereSIGstcontains the sortsOBJandSTACK. As with natural numbers, this specification has “non-standard” models. Using temporal logic, it is possible to specify stacks uniquely (up to isomorphism). Actually, there are several approaches to achieve this. One simple way is to choose the temporal signature TSIGst(SIGst,∅,∅)and a languageL^qFOLTL(TSIGst)of the logic FOLTL+q with flexible quantification. Let thenThst be the FOLTL-theory with the three axioms above and the additional axiom

∃z(z=EMPTY ∧3(z=x)∧(z=x → ∃y(z=PUSH(z,y))))

(wherez ∈ XSTACK^fl ,x ∈ XSTACK,y ∈ XOBJ and the priming notation of Sect. 5.4 is extended to flexible variables in an obvious way). The “standard model”Sof stacks (where elements of|S|STACK are finite sequences of elements of|S|OBJ) is a model structure of Thst and, in fact, all other model structures ofThst are isomorphic to it. The idea of the additional axiom is quite simple: it says that every stackx is “generated” by subsequently

“pushing” some finitely many elements from|S|OBJto the “empty stack”.

is helpful to represent state systems – besides the “descriptive” definitions through specifications (and other possible formal representations like the circuit example in the previous section) – also in a separate uniform formal way.

A very general and powerful concept for formally representing state systems is that of a (state) transition system which, roughly speaking, is a “generating mech- anism” for the runs of a state system. Transition systems are used widely and in various different versions. We adjust the definition here in a way such that their rela- tionship to temporal logic specifications becomes very close.

Definition. LetSIG = (S,F,P)be a signature andSa structure forSIG. A first- order (state) transition system (briefly: STS)Γ = (X,V,W,T)overSIGandSis given by

• X =

s∈SXswith setsXsfor everys∈S,

• a setV,

• a setW of (system) states η :X ∪V → |S| ∪ {ff,tt}

withη(a)∈ |S|sfora∈Xs,s∈Sandη(v)∈ {ff,tt}forv ∈V,

• a total binary relationT ⊆W ×W, called transition relation.

(A binary relationRover some setDis called total if for everyd1∈Dthere is ad2∈ Dwith(d₁,d₂)∈R.) Elements ofX andV are called (individual or propositional, respectively) system (or state) variables. An execution sequence ofΓ is an infinite sequenceW= (η₀, η₁, η₂, . . .)of system states such that(η_i, η_i+1)∈T for every i∈N. For any(η, η)∈T,ηis called a successor state ofη.

To indicate the basis of an STSΓ we will also writeΓ(SIG,S). Furthermore, we will often writeSIGΓ,SΓ,FΓ,PΓ,SΓ,XΓ,VΓ,WΓ,TΓ,WΓ for the single con- stituents of a givenΓ(SIG,S)and depict an execution sequence(η0, η1, η2, . . .)by

η₀ -η₁ -η₂ -. . . .

Basing Γ on a signature and a structure informally means that Γ uses a fixed underlying data type. Notice, however, that in the definition of an STSΓ the setsF_Γ andP_Γ ofSIG_Γ and the interpretations of their elements inS_Γ are not (yet) rele- vant. They will come into play subsequently and are included already here in order to provide a common framework. One first trivial outcome can be noted immediately:

following patterns given in Sect. 5.1, the signatureSIGΓ induces a (classical) first- order languageLFOL(SIG⁺)whereSIG⁺results fromSIGΓ by adding the elements ofX andV to the individual and propositional constants, respectively. In order to meet our general assumption about countable languages in this definition we will assume throughout that the setsX andV are at most denumerable. (Actually, in ap- plicationsX andV will usually even be finite, but we leave it with the more general assumption in order to maintain the close correspondence to the logical framework.

This will particularly be used in the subsequent Theorem 6.2.1.)

We callLFOL(SIG⁺)a first-order language of Γ and denote it byLΓ. Formulas ofLΓ are called state formulas (ofΓ). Given a variable valuationξfor the variables ofLΓ, the structureS_Γ together withξand any stateη ∈ W_Γ defines a mapping S^(ξ,η)_Γ which associates a truth valueS^(ξ,η)_Γ (A)∈ {ff,tt}with every atomic formula AofLΓ as in Sect. 5.1. As usual (cf. Sect. 1.2),S^(ξ,η)_Γ can be extended to all state formulas ofLΓ. IfAis a closed formula thenS^(ξ,η)_Γ (A)does not depend onξand we will sometimes writeS^(η)_Γ (A)instead.

An STS is called first-order in our definition because of the setX of individ- ual system variables ranging over arbitrary sorts. IfX = ∅then the STS is called propositional. In this case, of course,SIG andSare completely irrelevant and can be omitted from the definition. We will also writeΓ(V)for a propositional STSΓto indicate the underlying setV of state variables. ForΓ(V)the languageLΓ reduces to a languageLPL(V)of (classical) propositional logic in an obvious way.

An STSΓ represents a state system in a formal way, the execution sequences ofΓ are the runs of the state system. As a first simple example consider a natural number counter which can be switched on and off. As long as it is on its value increases by 1 in each step. Switching it off “freezes” the value which then remains unchanged until it is switched on again in which case the value is reset to 0. This informal description is formalized by the STSΓ_count(SIG_Nat,N)consisting of

X =X_NAT ={c}, V ={on},

W ={η:X ∪V →N∪ {ff,tt} |η(c)∈N, η(on)∈ {ff,tt}},

T ={([tt,n],[tt,n+ 1]),([tt,n],[ff,n]),([ff,n],[ff,n]),([ff,n],[tt,0])|n∈N}

where we represent inT a stateη by the pair[η(on), η(c)]so that, e.g.,[tt,n]de- notes the stateη withη(on) = ttandη(c) = n.W comprises all possible values ofc andon, and the four kinds of pairs of states (for everyn ∈ N) listed inT de- scribe all possible transitions (one-step changes) of the system variableson andc:

counting, switching off, pausing, and switching on, respectively. A possible execu- tion sequence ofΓcount is

[ff,7] -[tt,0] -[tt,1] -[tt,2] -[tt,3] -[ff,3] -[ff,3] -. . . expressing that the counter starts switched off and with value 7, is switched on, counts up to 3, is switched off, remains off, and so on.

By definition, execution sequences of STSs are infinite (and for generating them, transition relations are total). In fact, many real systems, often called reactive sys- tems, are intended for “running forever” (“reacting” with the environment). Other systems (usually calculating some input-output relation and called transformational systems) like the Towers of Hanoi, for which we indicated this discussion already in Sect. 6.1, are intended to terminate. They provide finite runs and seem, at a first glance, not to be covered by our formalization. However, such systems may be “en- coded” very easily in the given framework: a finite run terminating with some state

ηis represented by the infinite one which is obtained by repeatingηforever when it is reached.

Consider, as a simple example, a modified counter Γ_tcount which terminates whenever it reaches some value, say, 100. (If it never reaches this value it still runs forever.) Reasonably, the statesη are then restricted to those withη(c) ≤ 100. A finite run could (informally) look like, e.g.,

[ff,32] -[tt,0] -[tt,1] -. . . -[tt,99] -[tt,100]

where the counter, after being switched on, counts from 0 to 100 and then terminates.

Such runs are generated by the (non-total) transition relation T={([tt,n],[tt,n+ 1]),([tt,n],[ff,n]),

([ff,n],[ff,n]),([ff,n],[tt,0])|n ∈N,n ≤99}.

In order to cause infinite repetitions of the state in which the counter value100 is reached,Thas to be enriched by the pair([tt,100],[tt,100]), and in order to make T total,([ff,100],[ff,100]) has to be added as well. For subsequent, more general use we define the total closuretot(R)of a binary relationRover a setDby

tot(R) =R∪ {(d,d)∈D×D|there is nod∈Dsuch that(d,d)∈R}.

Then

WΓtcount ={η∈WΓcount |η(c)≤100}, T_Γtcount =tot(T)

(withX andV as inΓ_count) obviously defineΓ_tcount in the desired way. The above sample run is formally represented by the execution sequence

[ff,32] -[tt,0] -[tt,1] -. . . -

[tt,99] -[tt,100] -[tt,100] -[tt,100] -. . . generated byT_Γtcount.

It should be clear that the examples of Sect. 6.1 can also be formulated as STSs.

While the Towers of Hanoi and the system with the even and odd number sequences have additional properties which will be addressed in the next section, the oscillator circuit can be reasonably represented in the uniform STS framework and according to the present definitions by a propositional STSΓosc(V),V ={b0,b1,b2}, with

W ={η:V → {ff,tt}}

and

T ={(η, η)∈W ×W | η(b0) =η(b0),

η(b₁) =tt ⇔ η(b₀)=η(b₁),

η(b₂) =tt ⇔ η(b₂) =tt if and only if η(b₀) =η(b₁) =ff}.

A possible execution sequence ofΓ_oscis

011 -101 -011 -101 -011 -. . .

where, with regard to the concrete background, we represent states by binary num- bers: e.g., the entry 011 forη₀meansη₀(b₀) =tt,η₀(b₁) =tt,η₀(b₂) =ff.

In preceding sections we have stressed several times a certain contrast between state systems and mathematical systems which are just data types in a functional setting. However, data types in computer science can be viewed and handled both in a functional and in an imperative way. In fact, the counters above are simple data types which could also be viewed (and algebraically specified) in a functional framework. The other way round, consider, e.g., the algebraic stack specification in Sect. 1.3 given by the (classical) first-order theoryStackwith the characteristic sig- natureSIG_st. Taking this data type in an imperative view as a “pushdown storing device” the “contents” of which may “change in time” by executing the typical stack operations we obtain a state system.

An STSΓ_st describing a stack in such a way is based on the signatureSIG_stand some structure forSIG_st. To make it concrete here, let this structureUbe given by

|U|OBJ =N,

|U|STACK =N^∗, EMPTY^U=ε, PUSH^U=push, POP^U=pop, TOP^U=top,

whereε∈N^∗is the empty sequence of natural numbers andpush,pop,topare the usual stack operations onN^∗. Then we letΓ_st(SIG_st,U)consist of

X =X_STACK ={pd}, V =∅,

W ={η:X →N^∗},

T ={(η, η)∈W ×W |η(pd) =push(η(pd),m),m ∈N} ∪ {(η, η)∈W ×W |η(pd)=εandη(pd) =pop(η(pd))}.

The system variablepdrepresents the pushdown store which carries stacks of natural numbers as its value. The states ofW map all such values topd.T comprises all possible transitions: in a single step, some natural numbermcan be “pushed” onpd, orpdcan be “popped”.

An example of an execution sequence ofΓ_st is

(7,13) -(7,13,5) -(7,13,5,21) -(7,13,5) -. . .

where states are represented by their values ofpd. In the initial statepdcontains the numbers 7 and 13, then 5 and after that 21 are pushed topd, thenpdis popped, and so on.

As indicated already, the definition of STSs perfectly fits the temporal logic notions. Let Γ = (X,V,W,T) be an STS over someSIG andS. A language LTL(TSIG_Γ)whereTSIG_Γ = (SIG,X,V)andLTLdenotes a language as intro- duced in Sect. 6.1 is called language of linear temporal logic of Γ and denoted by LTLΓ. Thus,LTLΓ takes over the signatureSIG fromΓ and identifies the flexible individual and propositional constants with the individual and propositional system variables fromX andV, respectively. Clearly, the state formulas ofΓ are just the non-temporal formulas ofLTLΓ.

It is obvious that, for every execution sequenceWΓ ofΓ,K = (SΓ,WΓ)is a temporal structure forTSIGΓ:SΓ is a structure for the underlying SIG andWΓ

is just an infinite sequence of states in the sense of the semantical definitions in Sect. 5.1. The class

CΓ ={K= (SΓ,WΓ)|WΓ is an execution sequence ofΓ}

then represents “all possible runs” of the state system formalized byΓ. Note that in CΓ, as inΓ itself,S_Γ is fixed.

As mentioned already, any state formulaAofΓ can be evaluated byS_Γ, a vari- able valuationξ, andη∈WΓ (denoted byS^(ξ,η)_Γ (A)). So, ifK∈ CΓ, this evaluation is possible for a stateηiofWΓ and obviously coincides with evaluating “inK”, i.e.,

K^(ξ)_i (A) =S^(ξ,η_Γ ⁱ⁾(A)

holds for everyξ.

Definition. LetΓ be an STS. A formulaAofLTLΓ is calledΓ-valid (denoted by _ΓA) ifAis valid in everyK∈ CΓ.

Of course, all these notions can be transferred to the case thatΓ is propositional.

ThenLTLΓ reduces to someLLTL(V)taking the system variables ofΓas the proposi- tional constants of the language,LΓ is the “sublanguage” ofLTLΓ without temporal operators, everyW_Γ is a temporal structure forV, andCΓ is just the class of all such W_Γ.

ACΓ-FOLTL-theory (orCΓ-LTL-theory in the case of a propositionalΓ) will be briefly called aΓ-theory and denoted byTh(Γ) = (LTLΓ,AΓ). As mentioned already, it can be understood as a temporal logic specification of (the state system represented by)Γ.

If we want to specify a state system given by an STSΓ in this sense we have to find an adequate language version LTLΓ and, more essential, appropriate non- logical axioms. We remark again (cf. Sect. 1.3) that aΓ-theory does not necessarily

“characterize”Γ. The only requirement forAΓ is that its formulas areΓ-valid, so evenAΓ = ∅would be a sound choice. It is clear, however, that we should try to makeAΓ as “powerful” and “close to distinguish” the systemΓ as possible.

Looking for appropriate axioms, a first observation is thatAΓ should contain axioms for the data involved inΓthrough the structureS_Γ (providedΓ is not propo- sitional). Since the specification of (functional) data types is not the subject of this

book and we therefore do not care (except for some remarks already made) about how this is possible, we help ourselves by simply taking every state formula ofΓ which isS_Γ-valid as an axiom ofAΓ without any regard to how this formula could really be derived. So, anyAΓ will contain the axioms

(dataΓ) AllSΓ-valid state formulas ofΓ

and we will freely use these axioms without explicitly justifying them. For example, ifS_Γ =Nas in the counters above then (data_Γ) contains formulas like

x1+x2=x2+x1,

x1∗(x2+x3) =x1∗x2+x1∗x3, etc.

Clearly, in the case of a propositional STS there is no need of such axioms.

The axioms in the proper focus of our investigations are those which specify the execution sequencesWΓ ofΓ. We call them temporal axioms (ofΓ), and they should reflect the setsWΓ andTΓ of states and transitions ofΓ. We illustrate this for the four examples introduced in this section.

For the counterΓcount the two obviouslyΓcount-valid formulas on→(on∧c=c+ 1)∨(¬on∧c =c),

¬on→(¬on∧c=c)∨(on∧c= 0)

could be taken as temporal axioms. They reflect the possible counting and switch- ing off transitions if the counter is on and the possible pausing and switching on transitions if it is off.

For the terminating counter Γ_tcount these axioms can be easily modified and extended to

c≤100,

on∧c<100→(on∧c=c+ 1)∨(¬on∧c=c),

¬on∧c<100→(¬on∧c=c)∨(on∧c = 0), c= 100→(on ↔on)∧c=c.

Note that the first axiom reflects the restriction of the state setW_Γtcount.

Appropriate temporal axioms for the oscillatorΓosccould be just the three for- mulas

b₀ ↔b0,

b₁ ↔ ¬(b0↔b₁), b₂ ↔ ¬(b0∨b1↔b2)

already shown in Sect. 6.1. TheirΓ_osc-validity is clear.

For the stackΓ_sta reasonable specification could be given by the singleΓ_st-valid axiom

∃y(pd=PUSH(pd,y))∨(pd=EMPTY ∧pd =POP(pd))