2 PLTL Let P be a set of propositional variables. The set of formulae of propositional linear time logic PLTL (over P) is inductively dened as follows

Transcription

1 Translating PLTL into WSS: Application Description B. Hirsch and U. Hustadt Department of Computer Science, University of Liverpool Liverpool L69 7ZF, United Kingdom, Abstract This paper introduces a technique for translating propositional linear time logic PLTL into the weak second-order logic of one successor WSS. Using the Mona tool, a decision procedure for WSS, we obtain a decision procedure for PLTL. We demonstrate the viability of this approach by an empirical comparison with STeP, SMV, and the Logics Workbench on a class of semi-randomly generated PLTL-formulae. Introduction Temporal logics have long been recognised as being appropriate languages for specifying a wide variety of important computational properties in computer science and articial intelligence [3]. Hence, key techniques for utilising temporal logic specications have been investigated, including verication via proof [3, 4], verication via model-checking [2], direct execution, and combinations of some of these techniques [9]. In particular, verication via model-checking has seen sustained eort in converting theoretical approaches into reasonably ecient methods and providing tool support for practical applications. Although there is also an extensive body of work on verication via proof, most of it is only of theoretical nature and only a small number of maintained tools exists, in particular, if we look for fully automated decision procedures for logics like PLTL or computation tree logic CTL*. In this paper we describe a translation from PLTL into the weak second-order logic of one successor WSS, which will allow us to utilise the Mona tool as a decision procedure for the satisability problem in PLTL. The Mona tool [6] provides decision procedures for WSS and WS2S by translating WSS and WS2S formulae into minimum deterministic nite automata and guided tree automata, respectively. Although the satisability problem of WSS and WS2S is non-elementary, Mona has been successfully applied in a number of applications []. Furthermore, since the translation we propose is computable in polynomial time and also the translation back into PLTL can be computed in polynomial time, we are considering a fragment of WSS whose satisability problem is PSPACE-complete. Thus, considerations of the computational complexity of the satisability problem alone provide no a priori insight into the practicality of the approach. Consequently, it is important to evaluate this approach by further theoretical and empirical analysis. Concerning the latter we can build upon of the preliminary investigations by Hustadt and Schmidt [7] who have performed empirical comparisons of various decision procedures for PLTL on a class of semi-randomly generated PLTL-formulae. We will use the same class to compare our approach with STeP, SMV, and the Logics Workbench. This work is based on ideas investigated by the rst author while working on his MSc project under the supervision of U. Hustadt and M. de Rijke.

2 2 PLTL Let P be a set of propositional variables. The set of formulae of propositional linear time logic PLTL (over P) is inductively dened as follows: (i) every propositional variable in P is a formula of PLTL, (ii) if ' and are formulae of PLTL, then :', (' _ ), ', ', ', ' U, and ' W are formulae of PLTL. Other boolean connectives including >,?, ^,!, and $ are dened using :, and _. A formula of the form ' is a -formula. Analogously, for the remaining temporal operators. We also use > and? to denote the empty conjunction and disjunction, respectively. A literal is either p or :p where p is a propositional variable. By j'j we denote the length of a formula ' which is the number of symbols in ', and SF(') is the set of subformulae of ' or their negations (after eliminating double negations). PLTL-formulae are interpreted over ordered pairs I = hs; i where (i) S is an innite sequence of states (s i ) i2n and (ii) is a function assigning to each state a subset of P. We dene a semantic relation j= between pairs consisting of a PLTL-interpretation I = hs; i and a state s i 2 S, and PLTL-formulae (omitting U- and W-formulae) as follows. I; s i j= p i p 2 (s i ) I; s i j= :' i I; s i 6j= ' I; s i j= ' _ i I; s i j= ' or I; s i j= I; s i j= ' i I; s i+ j= ' I; s i j= ' i for all j 2 N, j i implies I; s j j= ' I; s i j= ' i there exists j 2 N such that j i and I; s j j= ' If I; s i j= ' then we say ' is true or holds at s i in I. If s i is a state in I, then let [s i ] I;' = f 2 SF(') j I; s i j= g. An interpretation I satises a formula ' i ' holds at s 0 in I and it satises a set N of formulae i for every formula 2 N, I satises. In this case, I is a model for ' and N, respectively, and we say ' and N are (PLTL-)satisable. The satisability problem of PLTL is PSPACE-complete [2]. Arbitrary PLTL-formulae can be transformed into a separated normal form (SNF) in a satisability equivalence preserving way using a renaming technique replacing non-atomic subformulae by new propositions and removing all occurrences of the U and W operator [5]. The result is a set of SNF clauses of the following form (which diers slightly from [5]). W n i= L i (initial clause) (( W m j= K j) _ ( W n i= L i)) (global clause) (( W m j= K j) _ L) (sometime clause) Here, K j, L i, and L (with j m, 0 m, and i n, 0 n) denote literals. Thus, in the following we consider without loss of generality only PLTL-formulae without occurrences of the temporal connectives U and W. 3 WSS WSS is the weak second-order logic of successor function which is interpreted over the natural numbers. Formally, let V = fx; x ; x 2 ; : : : g and V 2 = fx; X ; X 2 ; : : : g be sets of rst-order and second-order variables, respectively, and s be a successor function. Then the ordered tuple = hv ; V 2 ; si is a WSS-signature. The set of terms T() over a WSS-signature is inductively dened as follows: (i) 0 2 T(), (ii) every variable x 2 V is in T(), and (iii) if t 2 T() then s(t) 2 T(). The set of well-formed formulae L() over a WSS-signature is inductively dened as follows: (i) if 2

3 X 2 V 2 and t 2 T() then X(t) 2 L(), (ii) if t, t 2 2 T() then t < t 2, t = t 2 2 L(), (iii) if x 2 V, X 2 V 2, ', ' 2 2 L() then :', ' _ ' 2 2 L(), 9x(') 2 L(), and 9X(') 2 L(). Again, additional boolean connectives can be dened using the ones included in L(). Other connectives which can be dened in terms of L() include 8x(') := :9x(:'), 8X(') := :9X(:'), X X 2 := 8x(:X (x) _ X 2 (x)), x y := (x = y) _ (x < y), and x + := s(x). A WSS-interpretation M ; over a signature is an ordered tuple ht; s; <; ; i, where (i) T is the set of natural numbers, elements of T are called states, (ii) s is a successor function such that s(n) = n + for every n 2 T, (iii) < denotes the `less than' relation on the natural numbers, (iv) : V 7! T is a valuation function for rst-order variables, and (v) : V 2 7! Fin(2 T ) is a valuation function for second-order variables, where Fin(2 T ) denotes the set of all nite subsets of T. We omit the indices and whenever possible. Let [x := n] and [X := N] denote assignment functions identical to and, respectively, except [x := n] assigns n to x and [X := N] assigns N to X, respectively. The function mapping rst-order variables to T is lifted to a function ^ mapping terms in T() to elements of T as follows: ^(x) = (x), ^(0) = 0, and ^(s(t)) = s(^(t)) = ^(t) +. Let be a WSS-signature. We inductively dene a relation j= between WSS-interpretations M = ht; s; <; ; i over and WSS-formulae as follows. M ; j= X(t) i ^(t) 2 (X) M ; j= t = t 2 i ^(t ) = ^(t 2 ) M ; j= t < t 2 i ^(t ) < ^(t 2 ) M ; j= :' i M ; 6j= ' M ; j= ' _ i M ; j= ' or M ; j= M ; j= 9x(') i there exists a n 2 T such that M [x:=n]; j= ' M ; j= 9X(') i there exists an N 2 Fin(2 T ) such that M ; [X:=N ] j= ' For readability we will drop the super- and subscripts whenever possible. If M ; j= ' then we say ' is true in M ; and that M ; satises '. Similarly, if X 2 V 2, M ; is a WSnS-interpretation with n 2 T, then X is true at n i n 2 (X). If ' is a WSSformula over such that there is an interpretation M ; over such that ' is true in M ;, then ' is satisable and M ; is a WSS-model for '. The complexity of the satisability problem of WSS is non-elementary [0]. 4 Coping with Innity Given that the domain underlying both the interpretation of PLTL and WSS is isomorphic to the natural numbers and that the language of WSS allows us to quantify over elements of this domain and at the same time provides us with a successor function s and a binary relation < interpreted as the successor function and `less than' relation on the natural number, respectively, the translation of PLTL to WSS seems to be straightforward. Given a set P of propositional variables, we uniquely associate with each element p 2 P a second-order variable X p. Then part of a translation of PLTL to WSS could be given by $(p; x) = X p (x) $('; x) = $('; s(x)) $('; x) = 8y(x y! $('; y)) Extending $ to cover the remaining connectives of PLTL is straightforward. The translation (') of a PLTL-formula ' over P can then be given by $('; 0). However, we only need to look at a very simple example to see that this translation to WSS is not satisability equivalence preserving. Consider p and its translation (p) = 8y(0 y! X p (y)). If we try to construct a model for 8y(0 y! X p (y)), the valuation 3

4 function has to map X p to T, since for all elements n of T, 0 n is true. However, T is an innite set while only nite subsets of T can be in the codomain of. Thus, (p) is unsatisable. Of course, p is satisable, any interpretation hs; i with p 2 (s i ) for every s i 2 S is a model for p. Our solution to this problem is based on a result by Sistla and Clarke [2]. They have shown that if a PLTL-formula is satisable, then it is satisable in a so-called ultimately periodic interpretation. Formally, a PLTL-interpretation I = hs; i is ultimately periodic with starting index b and period p i for every j b, (s j ) = (s j+p ). Let be a formula of the form such that I; s i j=. We say that is fullled before s j i i j and there is an l, i l j, such that I; s l j=. Then a PLTL-formula ' is satisable i it is satisable in an ultimately periodic interpretation I = hs; i with starting index b 2 j'j, period p j'j2 j'j, and for every j b, [s j ] I;' = [s j+p ] I;' and every -formula in [s j ] I;' is fullled before s j+p. An ultimately periodic interpretation I = hs; i with starting index b and period p can be nitely represented by the tuple hs <b+p ; j S<b+p ; s b i where S <b+p = (s i ) i<b+p. For our purposes a slightly dierent representation which includes the state s b+p as well as s b and is given by I n = hs e ; j Se ; s b ; s e i, where e = b + p and S e = (s i ) ie, turns out to be more convenient. It is then possible to dene the semantics of PLTL-formulae with respect to these nite representations of ultimately periodic PLTL-interpretations instead of the interpretations themselves. To this end, we can rst dene a function N on S e which determines for each state s i 2 S e the `next state' in the ultimately periodic interpretation represented by I n : si+ ; if i < e N(s i ) = s b+ ; if i = e By N we denote the reexive, transitive closure of N. Finally, we dene a semantic relation j= between a PLTL-formula ' and a pair I n and a state s i : I n ; s i j= p i p 2 j Se (s i ) I n ; s i j= ' i I n ; N(s i ) j= ' I n ; s i j= ' i for all s j 2 S e, (s i ; s j ) 2 N implies I n ; s j j= ' I n ; s i j= ' i there exists s j 2 S e, (s i ; s j ) 2 N such that I n ; s j j= ' The denition of the semantics of the boolean connectives remains unchanged. This reformulation of the semantics of PLTL forms a suitable basis for a translation to WSS as we will see in the following section. 5 The Translation The translation we propose is a semantics-based translation. However, it is not based on the standard semantics presented in Section 2, but on the semantics presented in Section 4 where the semantic structures are nite representations of ultimately periodic PLTL-interpretations. We uniquely associate with every propositional variable p a second-order variable X p. In addition we use rst-order variables x b and x e. These will be mapped by the valuation function of a WSS-interpretation to states of the interpretation which correspond to the states s b and s e of a ultimately periodic PLTL-interpretation as described in the previous section. Formally, the translation morphism tr is dened as follows: tr x (p) = X p (x) tr x (:') = :tr x (') tr x (' _ ) = tr x (') _ tr x ( ) tr x (') = 9y(tr xy ^ tr y (')) tr x (') = 8y(tr xy! tr y(')) tr x (') = 9y(tr xy ^ tr y(')) 4

5 where tr xy = ((x < x e ) ^ (y = s(x))) _ ((x = x e ) ^ (y = s(x b ))) tr xy = 9X(X(x) ^ X(y) ^ 8y ; z ((X(y ) ^ tr y z )! X(z )) ^ 8Y ((Y (x) ^ 8y 2 ; z 2 ((Y (y 2 ) ^ tr y2 z 2 )! Y (z 2 )))! X Y )) and we dene the translation of a PLTL-formula ' to WSS by (') = tr 0 ('): Theorem 5.. Let ' be PLTL-formula. Then ' is satisable if and only if (') is satisable. Proof. First, let M = ht; s; <; ; i be a model of ('). We show how to construct a PLTL-interpretation I = hs; i that satises '. (') contains free rst-order variables x b and x e, and for each propositional variable p occurring in ' it contains a corresponding second-order variable X p. Let b and e be (x b ) and (x e ), respectively, and let p = e b. We obtain I by unravelling the subset T e = fi 2 N j i eg. We dene each state s i in S by s i = i and we dene a function r : S 7! T as follows: r(s i ) = i, for i e, and r(s i ) = ((i (b + )) mod p) + (b + ), for i > e. Finally, the valuation function is dened by (s i ) = fp 2 P j r(s i ) 2 (X p )g. We show by induction on the structure of ' that for any subformula # of ' and any state s i, I; s i j= # i M 0 ; j= tr x(#) where 0 = [x := r(s i )]. Assume that # is a propositional variable p occurring in '. By denition, tr x = X p (x) and M 0 ; j= X p(x) i 0 (x) = r(s i ) 2 (X p ). By denition of, p 2 (s i ) i r(s i ) 2 (X p ). Finally, I; s i j= p i p 2 (s i ). Thus, I; s i j= p i M [x:=r(si )]; j= tr x(p). The cases for the boolean connectives are straightforward. For # = we have to show that for any s i, I; s i j= i M 0 ; j= tr x ( ). By denition, I; s i j= i I; s i+ j= and by induction hypothesis I; s i+ j= i M j= 0 [y:=r(s i+ )]; tr y( ). Let 00 = 0 [y := r(s i+ )]. Note that 00 (x b ) = 0 (x b ) = (x b ) and 00 (x e ) = 0 (x e ) = (x e ). By denition of r, r(s i+ ) = r(s i ) + and r(s i ) < e, or r(s i+ ) = b+ and r(s i ) = e. So, 00 (y) = 00 (x)+ and 00 (x) < 00 (x e ), or 00 (y) = 00 (x b )+ and 00 (x) = 00 (x e ). In both cases we have M 00 ; j= tr xy. So, I; s i+ j= i M 00 ; j= tr xy and M 00 ; j= tr y( ) i M 0 ; j= 9y(tr xy ^ tr y ( )) i M 0 ; j= tr x( ). For # =, we have to show that for any s i, I; s i j= i M 0 ; j= tr x( ). If I; s i j=, then for all j 2 N, if j i then I; s j j=. We have to show that M 0 ; j= 8y(tr xy! tr y ( )). Let n be an element of T such that M 0 [y:=n]; j= tr xy. We can show by induction that M 0 [y:=n]; j= tr xy implies that there is a sequence n 0 ; : : : ; n k of elements of T such that n 0 = r(s i ), n k = n, and for every l, 0 l < k, M [x:=nl ;y:=n l+ ]; j= tr xy. By denition of tr xy, for every l, 0 l < k, either n l+ = n l + and n l < e, or n l+ = b + and n l = e. Again, by induction we can show that for every l, 0 l k, r(s i+l ) = n l. So, in particular, r(s i+k ) = n k = n, that is, there is a j i such that r(s j ) = n. By induction hypothesis, for any s l, I; s l j= i M 0 [y:=r(s l )] j= tr y ( ). Since I; s j j= we infer that M 0 [y:=r(s j )] j= tr y( ). Thus, for an arbitrary element n of T, M 0 [y:=n] j= tr xy! tr y( ), and consequently M 0 ; j= 8y(tr xy! tr y( )). Conversely, assume M 0 ; j= tr x( ). So, M 0 ; j= 8y(tr xy! tr y( )). We show by induction that that for every j 2 N, if j i then M 0 [y:=r(s j )]; j= tr xy and I; s j j=. For j < i this is trivially true. For j = i we have to show that M 0 [y:=r(s i )]; j= tr xy and I; s i j=. Both are straightforward to check. In the induction step, we consider j + > i and we can assume that M 0 [y:=r(s l )]; j= tr xy for every l, i l j. This, together with the observation that M 0 [x:=r(s j );y:=r(s j+ )]; j= tr xy holds, implies M 0 [y:=r(s j+ )]; j= tr xy. Then we again use 5

6 M 0 ; j= tr x( ) to show that M 0 [y:=r(s j+ )]; j= tr y( ), from which we infer I; s j+ j=. Thus, I; s i j=. Since and are duals, we are done. Second, let I = hs; i be an ultimately periodic PLTL-model for a satisable PLTL-formula ' with starting index b and period p. We show how to construct a a WSS-interpretation M = ht; s; <; ; i that satises ('). Let T be the set of natural numbers, s the successor function +, and < the `less than' relation. Let be an arbitrary mapping from V to T such that (x b ) = b and (x e ) = b + p. Let be an arbitrary mapping from V 2 to Fin(2 T ) such that for every propositional letter p in ', (X p ) = fi 2 N j I; s i j= p and i b + pg. We dene a mapping r : S 7! T as follows: r(s i ) = i for every i e, and r(s i ) = ((i (b + )) mod p) + (b + ) for every i > e. Along the lines of the rst case, we can then show by induction on the structure of ' that for every subformula # of ' and every state s i 2 S, I; s i j= # i M [x:=r(si )]; j= tr x(#). Since I; s 0 j= ', M [x:=r(s0 )]; j= tr x(') holds. By denition, r(s 0 ) = 0, which implies M j= tr 0 ('). Thus, I satises ('). 6 Experiments In [7] Hustadt and Schmidt consider a class of semi-randomly generated PLTL-formulae in separated normal form which is intended to highlight dierences between tableaux-based or automata-based decision procedures for PLTL and temporal resolution [4, 5]. It turns out that this class is also suitable to exemplify dierences between various tableaux-based and automata-based decision procedures. The random generator we have used in our experiments takes as input the number of propositional variables n, the number of clauses l, the number of literals per step clause k, and a probability p. A semi-randomly generated formula ' is a conjunction of global and sometime clauses of the following form (L _ : : : _ L k ) ^ : : : ^ (Ll _ : : : _ Ll k ) ^ (:p _ p 2 ) ^ (:p 2 _ p 3 ) ^ : : : ^ (:p n _ p ) where for each global clause, the literals L i, : : :, Li k are generated by choosing k distinct variables randomly from the set fp ; : : : ; p n g of n propositional variables and by determining the polarity of each literal with probability p. The sometime clauses included in ' only depend on the parameter n. In the following we call the formulae generated in this way semi-random SNF formulae. In all our experiments the parameters k and p have been xed to 3 and 0:5, respectively. The absence of initial clauses and the restricted form of global clauses in semi-random SNF formulae indicates that they form a strict subclass of the class of sets (or conjunctions) of SNF clauses. Thus, not every PLTL-formula is equivalent to some semi-random SNF formula. Concerning the satisability of semi-random SNF formulae we observe that similar to random ksat formulae, a semi-random SNF formula is likely to be satisable if the number l of global clauses is small and it is likely to be unsatisable if the number l of clauses is large. Figure shows the percentage of satisable semi-random SNF formulae for two values of the parameter n, namely, n = 5 and n = 2. For each value of n and particular values of l we have generated semi-random SNF formulae which were tested for satisability. For ratios l=n between 2 and 4 we note a phase transition in the satisability of semi-random SNF formula which becomes more abrupt with greater values of n. 6

7 In our experiments we have compared four systems: (i) the Logics Workbench (LWB).0 which contains an implementation of Schwendimann's one-pass tableau calculus for PLTL [] (written in C++), (ii) a system written by Klaus Schneider at the University of Karlsruhe which combines a PLTL-to-SMV translator (written in Java) and the SMV model checker (written in C) which we will call TLSMV in the following, (iii) the Stanford Temporal Prover STeP which includes a tableaux-based decision procedure for PLTL developed by McGuire [8], and (iv) the combination of the translation described in Section 5 (written in Prolog) and the Mona tool (written in C). The Prolog program for the translation can be downloaded from the second author's homepage. The experiments have been performed on a PC with a 0MHz Pentium III processor, 256MB main memory, and 52MB virtual memory running RedHat Linux 6.2. For each individual satisability test a time-limit of 0 CPU seconds was used. Figures 3 to 5 show the CPU time percentile graphs of the four systems on random SNF formulae for n = 5 and n = 2. It is obvious that the combination of translation to WSS and Mona shows a better performance than any of the other three systems on almost all formulae considered in the experiments described in this paper. It is certainly premature to make the same claim for other classes of formulae and there will be classes where our approach is inferior to others (in particular, temporal resolution shows the same good performance on C ran as can be seen in [7]), but it can be said that the experiments support our view that the combination of translation and automata-based techniques can provide viable decision procedures for PLTL. References [] A. Ayari, D. A. Basin, and A. Podelski. LISA: A specication language based on WS2S. In Proc. CSL'97, LNCS 44, pp. 8{34. Springer, 998. [2] E. Clarke, O. Grumberg, and D. A. Peled. Model Checking. MIT Press, [3] E. A. Emerson. Temporal and modal logic. In Handbook of Theoretical Computer Science, pp. 997{072. Elsevier, 990. [4] M. Fisher. A resolution method for temporal logic. In Proc. IJCAI'9, pp. 99{04. Morgan Kaufman, 99. [5] M. Fisher, C. Dixon, and M. Peim. Clausal Temporal Resolution. ACM Transactions on Computational Logic, 2():2{56, 200. [6] J. G. Henriksen et al. Mona: Monadic second-order logic in practice. In Proc. TACAS'95, LNCS 09, pp. 89{9. Springer, 996. [7] U. Hustadt and R. A. Schmidt. Formulae which highlight dierences between temporal logic and dynamic logic provers. In Issues in the Design and Experimental Evaluation of Systems for Modal and Temporal Logics, Technical Report DII 4/0, pp. 68{76. Unversita degli Studi di Siena, 200. [8] Y. Kesten, Z. Manna, H. McGuire, and A. Pnueli. A decision algorithm for full propositional temporal logic. In Proc. CAV'93, LNCS 697, pp. 97{09. Springer, 993. [9] Z. Manna and the STeP group. STeP: The Stanford Temporal Prover. Technical report STAN-CS-TR-94-58, Stanford University, 994. [0] A. R. Meyer. Weak monadic second order theory of successor is not elementary recursive. In Proc. Logic Colloquium, LNCS 453, pp. 32{54. Springer, 975. [] S. Schwendimann. Aspects of Computational Logic. PhD thesis, Universitat Bern, Switzerland,

8 [2] A. P. Sistla and E. M. Clarke. The complexity of propositional linear temporal logic. Journal of the ACM, 32(3):733{749, 985. [3] M. Vardi and P. Wolper. Reasoning about innite computations. Inform. and Computat., 5:{37, 994. [4] P. Wolper. The tableau method for temporal logic: An overview. Logique et Analyse, 28:9{36, Ratio of number of global clauses over prop. variables Ratio of number of global clauses over prop. variables Figure : Satisability of random PLTL-formulae for n = 5 (left) and n = 2 (right) Figure 2: CPU time percentiles of the LWB.0 for n = 5 (left) and n = 2 (right) Figure 3: CPU time percentiles of TLSMV for n = 5 (left) and n = 2 (right) Figure 4: CPU time percentiles of STeP for n = 5 (left) and n = 2 (right) Figure 5: CPU time percentiles of Mona for n = 5 (left) and n = 2 (right). 8