for Propositional Temporal Logic with Since and Until Y. S. Ramakrishna, L. E. Moser, L. K. Dillon, P. M. Melliar-Smith, G. Kutty

Similar documents
of acceptance conditions (nite, looping and repeating) for the automata. It turns out,

Diagram-based Formalisms for the Verication of. Reactive Systems. Anca Browne, Luca de Alfaro, Zohar Manna, Henny B. Sipma and Tomas E.

2 PLTL Let P be a set of propositional variables. The set of formulae of propositional linear time logic PLTL (over P) is inductively dened as follows

Temporal Logic with Past is Exponentially More Succinct

Extending temporal logic with!-automata Thesis for the M.Sc. Degree by Nir Piterman Under the Supervision of Prof. Amir Pnueli Department of Computer

Socratic Proofs for Some Temporal Logics RESEARCH REPORT

Wojciech Penczek. Polish Academy of Sciences, Warsaw, Poland. and. Institute of Informatics, Siedlce, Poland.

Non-elementary Lower Bound for Propositional Duration. Calculus. A. Rabinovich. Department of Computer Science. Tel Aviv University

2 Real-Time Systems Real-time systems will be modeled by timed transition systems [7, 15]. A timed transition system S = hv; ; ; T ; L; Ui consists of

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

of concurrent and reactive systems is now well developed [2] as well as a deductive methodology for proving their properties [3]. Part of the reason f

Alan Bundy. Automated Reasoning LTL Model Checking

The State Explosion Problem

Real-Time Logics: Fictitious Clock as an Abstraction of Dense Time Jean-Francois Raskin and Pierre-Yves Schobbens Computer

PSPACE-completeness of LTL/CTL model checking

Modular Model Checking? URL: orna

Logic Model Checking

Contents 1 Introduction A historical note : : : : : : : : : : : : : : : : : : : : : : : : : Modal logic : : : : : : : : : : : : : : : : :

7. F.Balarin and A.Sangiovanni-Vincentelli, A Verication Strategy for Timing-

On some Metatheorems about FOL

Introduction. Büchi Automata and Model Checking. Outline. Büchi Automata. The simplest computation model for infinite behaviors is the

3 Propositional Logic

In a second part, we concentrate on interval models similar to the traditional ITL models presented in [, 5]. By making various assumptions about time

From Liveness to Promptness

Linear Temporal Logic and Büchi Automata

Computability and Complexity

What You Must Remember When Processing Data Words

{},{a},{a,c} {},{c} {c,d}

Exercises 1 - Solutions

On Controllability and Normality of Discrete Event. Dynamical Systems. Ratnesh Kumar Vijay Garg Steven I. Marcus

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

Local knowledge assertions in a changing world. (Extended abstract) R. Ramanujam. C.I.T. Campus. Madras India.

Weak ω-automata. Shaked Flur

Computing the acceptability semantics. London SW7 2BZ, UK, Nicosia P.O. Box 537, Cyprus,

A Foundation for Metareasoning. Part

Tableau Calculus for Local Cubic Modal Logic and it's Implementation MAARTEN MARX, Department of Articial Intelligence, Faculty of Sciences, Vrije Uni

Tableau-based decision procedures for the logics of subinterval structures over dense orderings

Splitting a Default Theory. Hudson Turner. University of Texas at Austin.

Partially Ordered Two-way Büchi Automata

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Introduction to Kleene Algebra Lecture 14 CS786 Spring 2004 March 15, 2004

In this paper, we take a new approach to explaining Shostak's algorithm. We rst present a subset of the original algorithm, in particular, the subset

An optimal tableau-based decision algorithm for Propositional Neighborhood Logic

Electronic Notes in Theoretical Computer Science 18 (1998) URL: 8 pages Towards characterizing bisim

Linear Algebra (part 1) : Vector Spaces (by Evan Dummit, 2017, v. 1.07) 1.1 The Formal Denition of a Vector Space

An Alternative To The Iteration Operator Of. Propositional Dynamic Logic. Marcos Alexandre Castilho 1. IRIT - Universite Paul Sabatier and

arxiv:cs/ v2 [cs.lo] 24 Apr 2005

University of California. Berkeley, CA fzhangjun johans lygeros Abstract

A shrinking lemma for random forbidding context languages

Optimal Tableaux for Right Propositional Neighborhood Logic over Linear Orders

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication

Watson-Crick ω-automata. Elena Petre. Turku Centre for Computer Science. TUCS Technical Reports

Pairing Transitive Closure and Reduction to Efficiently Reason about Partially Ordered Events

Alternating Time Temporal Logics*

Automata-based Verification - III

Finite Automata. Mahesh Viswanathan

The Underlying Semantics of Transition Systems

A version of for which ZFC can not predict a single bit Robert M. Solovay May 16, Introduction In [2], Chaitin introd

Asynchronous cellular automata for pomsets. 2, place Jussieu. F Paris Cedex 05. Abstract

On Reducing Linearizability to State Reachability 1

Opleiding Informatica

An Axiomatization of. Lamport's Temporal Logic of Actions. Martn Abadi. October 12, revised March 4, 1993

How to Pop a Deep PDA Matters

KRIPKE S THEORY OF TRUTH 1. INTRODUCTION

An Independence Relation for Sets of Secrets

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

On Stateless Multicounter Machines

Canonical Calculi: Invertibility, Axiom expansion and (Non)-determinism

Introduction to Metalogic

A Context Dependent Equivalence Relation Between Kripke Structures (Extended abstract)

Computer-Aided Program Design

UNIT-VI PUSHDOWN AUTOMATA

INDEPENDENCE OF THE CONTINUUM HYPOTHESIS

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Finite information logic

Adding a temporal dimension to a logic. Abstract. We introduce a methodology whereby an arbitrary logic system L can be enriched

Our decision procedure has been implemented as part of the Stanford Temporal Prover, STeP [2], a system which supports the computer-aided verication o

Pairing Transitive Closure and Reduction to Efficiently Reason about Partially Ordered Events

Halpern situations incomparable as far as normality or likelihood goes. For example, one situation may be better in one dimension but worse in another

and combine the results of the searches. We consider parallel search with subdivision, although most notions can be generalized to using dierent searc

Moshe Y. Vardi y. IBM Almaden Research Center. Abstract. We present an automata-theoretic framework to the verication of concurrent

distinct models, still insists on a function always returning a particular value, given a particular list of arguments. In the case of nondeterministi

PSL Model Checking and Run-time Verification via Testers

Model Checking Real-Time Properties. of Symmetric Systems? E. Allen Emerson and Richard J. Treer. Computer Sciences Department and

Equational Logic. Chapter Syntax Terms and Term Algebras

Temporal Logic Model Checking

Sampled Semantics of Timed Automata

Mathematical Logic Propositional Logic - Tableaux*

Automata-Theoretic LTL Model-Checking

Behavioural theories and the proof of. LIENS, C.N.R.S. U.R.A & Ecole Normale Superieure, 45 Rue d'ulm, F{75230 Paris Cedex 05, France

A Lower Bound of 2 n Conditional Jumps for Boolean Satisfiability on A Random Access Machine

STGs may contain redundant states, i.e. states whose. State minimization is the transformation of a given

Linear-time Temporal Logic

a cell is represented by a triple of non-negative integers). The next state of a cell is determined by the present states of the right part of the lef

Automata-based Verification - III

Finite-Delay Strategies In Infinite Games

From Constructibility and Absoluteness to Computability and Domain Independence

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

A Compositional Approach to Bisimulation of Arenas of Finite State Machines

5-valued Non-deterministic Semantics for The Basic Paraconsistent Logic mci

Transcription:

An Automata-Theoretic Decision Procedure for Propositional Temporal Logic with Since and Until Y. S. Ramakrishna, L. E. Moser, L. K. Dillon, P. M. Melliar-Smith, G. Kutty Department of Electrical and Computer Engineering Department of Computer Science University of California, Santa Barbara Abstract We present an automata-theoretic decision procedure for Since/Until Temporal Logic (SUTL), a linear-time propositional temporal logic with strong non-strict since and until operators. The logic, which is intended for specifying and reasoning about computer systems, employs neither next nor previous operators. Such operators obstruct the use of hierarchical abstraction and renement and make reasoning about concurrency dicult. A proof of the soundness and completeness of the decision procedure is given, and its complexity is analyzed. AMS Subject Classication: 03B25, 03B35, 03B45, 68Q40, 68Q68, 68T15 1 Introduction Since/Until Temporal Logic (SUTL) is a linear-time temporal logic based on propositional calculus and the temporal operators until U and since S. The U operator is a strong non-strict until in that f U g requires g to be true either now or at some future point; furthermore, from now up to the point at which g is true f must be true. Likewise, the S operator is a strong non-strict since in that f S g requires g to be true either now or at some point in the past; furthermore, from now back to the point at which g is true f must be true. The eventually operator can be expressed in SUTL as 3f true U f and the henceforth operator as 2f :3:f. The weak until U can be expressed in terms of the strong until U as f U g f U g _ 2f. Unlike the strong until, the weak until does not require g ever to be true. There is no loss (or gain) in expressiveness in considering a logic with a strong, rather than a weak, until operator. The weak since, past henceforth and past eventually operators are similarly dened. There is neither a next nor a previous operator in SUTL, as in the logics of [7, 10, 12, 15, 16]. It is widely recognized by computer scientists [1, 2, 3, 6, 8, 9] that the next operator is not necessary and, moreover, is not conducive to good specications. Although a This work was partially supported by NSF grant CCR-9014382 with cooperation from DARPA.

next operator is potentially useful when describing a single sequential program at the statement level, it is less useful for describing concurrent computer systems. In the design of a concurrent system, we must reason separately about the behavior of each process and its interactions with other processes. Specications containing the next operator are at risk of prescribing an order of execution on unsynchronized processes, an order that may overspecify the system by excluding other equally acceptable orders and that may be dicult or impossible to implement. Another drawback of the next operator is that it obstructs the use of hierarchical abstraction and renement in temporal reasoning. A computation may be viewed at dierent levels of abstraction with dierent granularities of time. The next for one level of abstraction may be quite dierent from the next for another level of abstraction. While it is possible to envisage a mapping between levels for the next operator, as is provided for state predicates, the problems of specifying such a mapping are substantial. In [5] Burgess provided an axiomatization for a since/until temporal logic. logic diers from SUTL in that his until operator is a strict until; its eventuality requirement cannot be satised in the current state and must be satised in a future state. In eect, his logic distinguishes the present from the future, whereas SUTL does not. The increased expressiveness of the logic of Burgess appears attractive, but for reasoning about concurrent systems that expressiveness is counterproductive. In reasoning about one process in the system, it is not possible to know whether the transition into the future is the result of an action by this process or some other. Indeed, in the view of one process, the most likely \rst state of the future" is one in which some other process has acted and in which the state of this process has remained unchanged. Consequently, we are most likely to reason correctly about concurrency in a system if the present merges seamlessly into the future without any dividing line. Burgess has provided a version of his logic that is based on a discrete time line. The combination of a discrete time line and a strict until operator yields a next operator that can be expressed as next(f) false U f. For the reasons given above, SUTL does not provide a next (or previous) operator, and uses non-strict versions of the since and until operators. Although SUTL involves the since operator S that refers to the past, the automaton for our decision procedure always proceeds forward on its input. The automaton carries forward enough information in its (local) state to decide if a given formula involving the since operator should be accepted at any point in its run. Crucial to this approach for logics involving a past operator is the careful denition of the subformula closure set and the transition conditions on the automata. This is particularly true of the local automaton. The eventuality automaton is less aected by the presence of the since operator (except through its interaction with the local automaton) because it is responsible for progress properties that involve the sux of a computation. The decision procedure presented in this paper is the rst automata-theoretic decision procedure known to us for a logic with since and until operators but without next and previous operators. The rest of this paper is organized as follows. In Section 2 we present the syntax, models and semantics for SUTL. Section 3 contains the denitions of the subformula closure set and the size of a well-formed formula. Section 4 introduces the concept of worlds and describes the decision procedure in terms of Buchi automata operating on His

!-sequences of worlds. In Section 5 we outline a proof of the completeness and soundness of the decision procedure, and in Section 6 we characterize its complexity. Finally, in Section 7 we use the decision procedure to show that, for the class of!-sequences, the logic is transparent to nite stuttering, thereby demonstrating that the next (or previous) operator cannot be fabricated within the logic. Section 8 contains concluding remarks. 2 Syntax, Models and Semantics 2.1 Syntax The syntax of SUTL is dened relative to a nite set P of primitive propositions in terms of its well-formed formulas (w) as follows :? true and false are w? if p 2 P then p is a w? if f is a w then so is :f? if f and g are w then so are f ^ g; f U g; f S g? nothing is a w except if obtained by nite application of these rules As is customary, we use f _ g as an abbreviation for :(:f ^ :g). 2.2 Models The structures on which w of SUTL are interpreted are the usual!-sequences of states, where a state is an element in 2 P. Such an!-sequence is a satisfying model for a SUTL formula if the formula is satised at the initial state of the sequence under the semantic interpretation outlined below. We shall represent a model for SUTL as a mapping M :!! 2 P. For technical reasons we shall extend M to a mapping from! to the power set of a larger set of w of SUTL in some parts of the sequel and, where required, this will be done as usual by means of the semantics of w. 2.3 Semantics The semantics for SUTL formul are dened at a state M(i) in an!-sequence M as follows :? hm; ii j= true and hm; ii 6j= false? hm; ii j= p for p 2 P i p 2 M(i)? hm; ii j= :f i hm; ii 6j= f? hm; ii j= f ^ g i hm; ii j= f and hm; ii j= g? hm; ii j= f U g i there exists k i such that hm; ki j= g and for all j, i j < k; hm; ji j= f? hm; ii j= f S g i there exists k i such that hm; ki j= g and for all j, k < j i; hm; ji j= f

A formula f is satisable i there exists a model M 2 (2 P )! such that hm; 0i j= f. We then say that M is a satisfying model for f. A formula f is valid i every model in (2 P )! is a satisfying model for f. 1 3 Preliminary Denitions 3.1 Subformula Closure As is usually done for automata-theoretic decision procedures, we now dene the subformula closure for a given SUTL formula f, whose satisability we intend to check. The subformula closure scl(f) captures the idea that in deciding the satisability of a formula f, one need only consider formul in the set scl(f). Denition 3.1 The subformula closure scl(f) of a formula f is the smallest set such that 2? f 2 scl(f)? true 2 scl(f) and false 2 scl(f)? f 1 2 scl(f) i :f 1 2 scl(f)? if f 1 ^ f 2 2 scl(f) then f 1 2 scl(f) and f 2 2 scl(f)? if f 1 U f 2 2 scl(f) then f 1 2 scl(f) and f 2 2 scl(f)? if f 1 S f 2 2 scl(f) then f 1 2 scl(f) and f 2 2 scl(f) To characterize the complexity of the decision procedure and to facilitate the inductions used in the proofs of correctness, we shall use the notion of the size of a well-formed formula in our language. The size of a formula is the number of primitive propositions and logical connectives in the formula, as dened below. Denition 3.2 The size of a formula is dened by? size(true) = 1 and size(false) = 1? size(p) = 1 for p 2 P? size(:f) = 1 + size(f)? size(f ^ g) = 1 + size(f) + size(g)? size(f U g) = 1 + size(f) + size(g)? size(f S g) = 1 + size(f) + size(g) We use card to denote the cardinality of a set. Lemma 3.3 For a formula f of size n, card(scl(f)) = O(n). Proof. The proof is by induction on the size n of the formula f and a case analysis of the subformula closure rules. 1 This is the \anchored version" [11] of the logic. In the alternative unanchored version, f is satisable i there exists a model M 2 (2 P )! and i 2! such that hm; ii j= f. This denition is, however, subsumed by the anchored version by noting that f is satisable in the unanchored version i true U f is satisable in the anchored version. 2 As usual we identify ::f1 with f1, true with :false and false with :true.

4 Automata on World Models The automata-theoretic approach to the satisability problem is to construct a Buchi automaton for a formula f. This automaton takes models of the logic as input. A model is accepted by the automaton if and only if it satises f. The decision procedure consists of checking if there is any model that is accepted by the automaton for f. To describe the construction of the automata, and subsequently to prove the correctness of the decision procedure, we shall use the following concepts of worlds and world models. 4.1 Worlds and World Models Denition 4.1 A world with respect to a formula f is any subset of scl(f). Denition 4.2 A world model M f respect to f. :!! 2 scl(f) is an!-sequence of worlds with Denition 4.3 A world s with respect to f is complete if for every f 1 2 scl(f) either f 1 2 s or :f 1 2 s. Denition 4.4 A C(f)-world is a world s with respect to f that satises the following conditions :? true 2 s and false 62 s? for all f 1 2 scl(f); f 1 2 s i :f 1 62 s? for all f 1 ^ f 2 2 scl(f); f 1 ^ f 2 2 s i f 1 2 s and f 2 2 s? for all f 1 U f 2 2 scl(f); if f 2 2 s then f 1 U f 2 2 s? for all f 1 U f 2 2 scl(f); if f 1 U f 2 2 s then f 1 2 s or f 2 2 s? for all f 1 S f 2 2 scl(f); if f 2 2 s then f 1 S f 2 2 s? for all f 1 S f 2 2 scl(f); if f 1 S f 2 2 s then f 1 2 s or f 2 2 s Intuitively, a C(f)-world is closed under semantic consequence up to the elements in scl(f) and contains no propositional inconsistencies. Clearly, a C(f)-world is a complete world. We shall refer to the set of all C(f)-worlds by C(f). Denition 4.5 An initial world s is a C(f)-world such that for all f 1 S f 2 2 s it is the case that f 2 2 s. Informally, a world is initial if it does not contain any \unsatised past eventualities." Denition 4.6 A C(f)-world model M f :!! C(f) is an!-sequence of C(f)-worlds such that M f (0) is initial. Denition 4.7 The label F(s) for any world s is the conjunction V f 1 2s f 1.

Lemma 4.8 If a complete world s with respect to f is not a C(f)-world, then F(s) is unsatisable. Proof. We use a case analysis of the condition in Denition 4.4 which was violated, and the semantics of the formul involved. Consider for instance the last condition. Assume that f 1 S f 2 2 s but that f 1 62 s and f 2 62 s. Since s is complete, :f 1 2 s and :f 2 2 s, whence the semantics yield an immediate contradiction. The remaining cases are similar and are therefore omitted. Denition 4.9 (Extension) Given a model M and a formula f, the extension of M with respect to f is the world model M f :!! 2 scl(f) satisfying M f (i) = ff 1 j f 1 2 scl(f) and hm; ii j= f 1 g: Lemma 4.10 For any model M and any formula f, the extension of M with respect to f is a C(f)-world model. Proof. For any f 1 2 scl(f) either hm; ii j= f 1 or hm; ii j= :f 1 so M f (i) is a complete world. Initiality of M f (0) follows from the semantics of the S operator. The remainder of the proof follows from the denition of extension and Lemma 4.8. Note, however, that not every C(f)-world model is the extension of a model. This is the case since the temporal formul in C(f)-worlds may impose restrictions on their sequencing. Of course, if a world model M f is the extension of a model M, then M is simply the restriction of each world in M f to P. 4.2 Automata for the Decision Procedure All the automata used in this paper are Buchi Sequential Automata, rst used by Buchi [4] to give a decision method for S1S, generalized by Rabin in the classic paper [13] for his decision procedure for S2S, and used with variations subsequently by many other researchers (see [16] for a comprehensive survey). The following denition of a Buchi Automaton is the standard one recast in our notation and terminology. Denition 4.11 (Buchi Sequential Automaton) A Buchi Automaton is a tuple h; S; ; S I ; S F i where? is a nite input alphabet? S is a nite set of states? : S! 2 S denes a transition function specifying for each state and input symbol the set of possible next states? S I S is the set of initial states? S F S is the set of accepting states. A run of the automaton on an!-string 2! is an!-string 2 S! such that (0) 2 S I and for all i 2!; (i + 1) 2 ((i); (i)). The run is accepting i the set fi 2! j (i) 2 S F g is innite. An automaton in state s 2 S consumes an input symbol t 2 i (s; t) 6= ;. We shall say that an automaton consumes a string if it has a run (not necessarily accepting) on that string.

We are now ready to dene the construction of the automata that will be used in our decision procedure. For any formula f, the local automaton A L (f) will be responsible for ensuring that local consistency conditions are not violated. These will essentially guarantee that, starting in a \legal" initial state, the automaton can only enter states that are consistent with its previous state. The eventuality automaton A E (f) will be responsible for ensuring that eventualities are met. For instance, if the formula f 1 U f 2 is to be satised in a run, the semantics require that there exists a state in the future that satises f 2. Where it is clear from context, we shall often omit the parameterization of the automata. 4.3 Local Automaton The local automaton checks the consistency of local transition conditions. We represent the local automaton by A L (f) = h2 scl(f) ; C(f); L ; N(f); C(f)i, where? L : C(f) 2 scl(f)! 2 C(f) is the non-deterministic transition function such that t 2 L (s; i) i the following conditions are satised? i = s? if f 1 U f 2 2 s and :f 2 2 s, then f 1 U f 2 2 t? if :(f 1 U f 2 ) 2 s and f 1 2 s, then :(f 1 U f 2 ) 2 t? if f 1 S f 2 2 s and f 1 2 t, then f 1 S f 2 2 t? if :(f 1 S f 2 ) 2 s and :f 2 2 t, then :(f 1 S f 2 ) 2 t? N(f) = fs j s 2 C(f); s is initial and f 2 sg is the set of initial states. Observation 4.12 1. A L is non-deterministic and, in a sense, \drives" the model-generation procedure by making choices, wherever they are available, without violating local consistency conditions. 2. In any state, A L accepts a unique symbol from its alphabet corresponding to that state. In particular, no world that is not a C(f)-world is ever consumed by A L. 3. For all s 2 C(f); s 2 L (s; s); i.e. each state of A L has a self-loop. 4.4 Eventuality Automaton The eventuality automaton is required for checking whether eventuality requirements for formul containing the U operator are fullled. We represent the eventuality automaton by A E (f) = h2 scl(f) ; 2 U(f) ; E ; f;g; f;gi, where? U(f) is the subset of scl(f) that contains all formul of the form f 1 U f 2? E : 2 U(f) 2 scl(f)! 2 U(f) is the deterministic transition function such that t = E (s; i) i? if s = ; then for all f 1 U f 2 2 U(f), f 1 U f 2 2 t i f 1 U f 2 2 i and f 2 62 i? if s 6= ; then for all f 1 U f 2 2 U(f), f 1 U f 2 2 t i f 1 U f 2 2 s and f 2 62 i

Observation 4.13 1. A E is fully deterministic. In particular, in any state s 2 2 U(f), there is a transition specied for any i 2 C(f). A E ensures that unsatised eventualities continue to be remembered. 2. If s 6= ; and E (s; i) = t, then t s. 3. For all s 2 2 U(f) and i 2 2 scl(f), if E (s; i) = t then either s = t or E (t; i) = t, i.e. for any state on any input, either there is a self-loop on that input or the state that is reached on that input has a self-loop for that input. In the terminology of fundamental-mode asynchronous automata, A E does not cycle. 4.5 Model-Checking Automaton The model-checking automaton A M (f) is the product A L (f) A E (f) of the local and eventuality automata : A M (f) = h2 scl(f) ; C(f) 2 U(f) ; L E ; N(f) f;g; C(f) f;gi where L E : (C(f) 2 U(f) ) 2 scl(f)! 2 C(f) 2 U(f) is dened by L E (hs L ; s E i; i) = L (s L ; i) E (s E ; i): The decision procedure now follows by checking for the existence of an innite accepting path in the product automaton's state graph. The formula f is satisable i such a path exists. A satisfying model is then simply the!-sequence of worlds corresponding to the input labels on such a path. This sequence is actually a world model, but as we show in the next section, the restriction of such a world model to P gives us the required satisfying model. Theorem 4.14 (Decision Procedure) A SUTL formula f is satisable i the language of the model-checking automaton A M (f) is non-empty. Whether the language of A M (f) is non-empty can be checked in time polynomial in the number of states of the automaton. Proof. The rst part follows from Theorem 5.3 (Completeness) and Theorem 5.5 (Soundness) which we prove in the next section. The second part is a well-known result [16] for Buchi automata.

5 Proof of Correctness of the Decision Procedure 5.1 Completeness Our strategy for the completeness proof is to show that the extension with respect to f of any satisfying model for f will be accepted by A M. In Lemmas 5.1 and 5.2, M f denotes the extension with respect to f of a satisfying model M for f. A L and A E represent the local and eventuality automata for f as described earlier. Lemma 5.1 A L accepts M f. Proof. We need only show that there is an innite run of A L that consumes M f, since all states of A L are accepting states. By Lemma 4.10, any world in M f is a state of A L and, by Observation 4.12.2, A L can consume the input symbol M f (n) i it is in the state M f (n). Thus, if there is an innite run consuming M f, then it must be unique. That there is an innite run can be demonstrated as follows: Initial Consumption : Since hm; 0i j= f, we have that f 2 M f (0) by the denition of an extension. That M f (0) is an initial C(f)-world is straightforward from the semantics. Thus, M f (0) is an initial state of A L. Continuing Consumption : We need to show that M f (n + 1) 2 L (M f (n); M f (n)). Assume not. Then M f (n + 1) violates one of the four transition conditions for A L. It is then easy, using the semantics of the logic and the denition of an extension, to exhibit a contradiction. For example, consider the last condition. Suppose that :(f 1 S f 2 ) 2 M f (n), :f 2 2 M f (n+1) but that :(f 1 S f 2 ) 62 M f (n+1). By the completeness of M f (n + 1), f 1 S f 2 2 M f (n + 1) and, by the denition of an extension, hm; n + 1i j= f 1 S f 2. Thus, by the SUTL semantics, there exists k n + 1 such that hm; ki j= f 2 and for all j, k < j n + 1, hm; ji j= f 1. But k 6= n + 1 since :f 2 2 M f (n + 1) and, thus, hm; n + 1i 6j= f 2. Therefore, there exists k n such that hm; ki j= f 2 and for all j, k < j n, hm; ji j= f 1. Consequently, by the SUTL semantics, hm; ni j= f 1 S f 2. However, :(f 1 S f 2 ) 2 M f (n) and, thus, by the denition of an extension hm; ni j= :(f 1 S f 2 ), which is a contradiction. The proofs for the other conditions are similar. Lemma 5.2 A E accepts M f. Proof. By Observation 4.13.1 there is a unique innite run of A E that consumes M f, call it. If is not accepting, then there is a largest i such that (i) = ;. By Observation 4.13.2 and because the states of are nite, there is some formula f 1 U f 2 2 scl(f) such that for all j > i; f 1 U f 2 2 (j). By the denition of E, f 1 U f 2 2 M f (i) and f 2 62 M f (j) for all j i. However, since M f (j) is complete, :f 2 2 M f (j) for all j i whence the denition of an extension and the semantics yield hm; ii j= :(f 1 U f 2 ). Thus f 1 U f 2 62 M f (i), which is a contradiction. Theorem 5.3 (Completeness) For any formula f, if f is satisable, then the language accepted by A M is nonempty. Proof. The statement follows immediately from Lemmas 5.1 and 5.2 and the denition of A M.

5.2 Soundness Lemma 5.4 Let M f be a C(f)-world model accepted by A M and let M be its restriction to P. Then, for any i 2! and f 1 2 scl(f), f 1 2 M f (i) i hm; ii j= f 1. Proof. The proof is by induction on the size of f 1 for all i. The base case is obvious since if p 2 P then p 2 M f (i) i hm; ii j= p. The inductive step makes use of the presence of certain subformul in scl(f), as well as the denitions of A L and A E. For example, if f 1 U f 2 2 M f (i) then, by the transition conditions of A L and the transition and acceptance conditions of A E, there exists j i such that f 2 2 M f (j). Consider the least such j. Then, f 2 62 M f (k) for all k, i k < j, and the transition conditions of A L and the denition of C(f)-world imply that f 1 2 M f (k). Thus, by the inductive assumption, hm; ji j= f 2 and for all k, i k < j, hm; ki j= f 1. Hence, by the semantics, hm; ii j= f 1 U f 2. The proof that hm; ii j= f 1 U f 2 implies f 1 U f 2 2 M f (i) is similar, as are the proofs for the other cases. Theorem 5.5 (Soundness) For any formula f, if the language accepted by A M is nonempty, then f is satisable. Proof. The statement follows immediately from Lemma 5.4 and the fact that f 2 M f (0). 6 Complexity Let f be a SUTL formula of size n. By Lemma 3.3, card(scl(f)) = O(n). Therefore, the number of states in each of A L and A E is at most 2 O(n) and, therefore, so is the number of states in their product A M. Thus, the construction of the state transition tables for the automata may be done in 2 O(n) time, since the construction of a transition table requires checking each state against every other and each state has O(n) formul, each of size at most n. Since checking for emptiness of the language of a Buchi automaton is polynomial in the number of states of the automaton, the complexity of the decision procedure is 2 O(n). This is also the best one can do, unless P = PSPACE, since it is known that the decision problem for UTL, which is subsumed by SUTL, is PSPACEhard [14]. It is easy to rene the given automata-based method into a tableau-based method which has a better average-case complexity. That method essentially consists of incrementally building the states of the automaton beginning with the initial states, while exploiting the \don't care" conditions on states to search all possible futures from a set of states at once. The intuitive complexity of such an algorithm is usually much lower than a direct implementation of the automata method, which has a complexity of (2 n ). 7 Small Stuttering Models The above decision procedure for SUTL can now be used to prove the properties of existence of small models and invariance under nite stuttering. Both properties are readily proved from the properties of the model-checking automaton.

The rst property follows trivially from the fact that the model-checking automaton for a formula f of size n is a nite automaton with 2 O(n) states and therefore has an exponential (small) representation. Thus, any satisable formula has a set of models that have a small representation (by the corresponding model-checking automaton). For the second property, we shall show that if A M accepts an!-string M, then it also accepts any string M 0 obtained by nitely stuttering any set of states in the string. This result follows directly from our earlier observations. By Observation 4.12.3, each state of A L has a reexive arc and is accepting. The language accepted by A L is thus closed under (nite or innite) stuttering. By Observation 4.13.3, A E does not cycle. Thus, in any state for a given input, A E has either a self arc or a transition to a new state with a self arc on that input. Thus, all stuttering strings are consumed, establishing that if a formula is satisable in a model it is satised in any model isomorphic to it up to nite stuttering. However, arbitrary innite stuttering is ruled out since not all states of A E are accepting. For instance, the model = (:p) k p(:p)! satises 3p, but = (:p)! obtained by innite stuttering of does not. 8 Conclusion We have presented a decision procedure for Since/Until Temporal Logic, a linear-time propositional logic with strong non-strict since and until operators. An important feature of this logic is the absence of next and previous operators or the ability to manufacture such operators from the existing machinery in the logic. This makes the logic transparent to nite stuttering and is a desirable feature of a logic that is intended for specifying and reasoning about computer systems, both because it supports the use of hierarchical abstraction and renement and because it facilitates reasoning about concurrency in such systems. References [1] H. Barringer, R. Kuiper and A. Pnueli, Now You May Compose Temporal Logic Specications, in: Proc. 16th ACM Symp. on Theory of Computing, Washington, DC (April 1984), pp. 51-63. [2] H. Barringer, R. Kuiper and A. Pnueli, A Really Abstract Concurrent Model and Its Temporal Logic, in: Proc. 18th ACM Symp. on Principles of Programming Languages, St. Petersburg Beach, FL (January 1986), pp. 173-183. [3] M. C. Browne, E. M. Clarke and O. Grumberg, Reasoning about Networks with Many Identical Finite State Processes, Information and Computation 81 (1) (1989), pp. 13-31. [4] J. R. Buchi, On a Decision Method in Restricted Second Order Arithmetic, in: Proc. 1960 Congress on Logic, Methodology and Philosophy of Science, Stanford University Press, Stanford, pp. 1-11.

[5] J. P. Burgess, Axioms for Tense Logic I. `Since' and `Until,' Notre Dame Journal of Formal Logic 23 (4) (October 1982), pp. 367-374. [6] E. M. Clarke and O. Grumberg, Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms, in: Proc. 6th ACM Symp. on Principles of Distributed Computing, Vancouver, BC (August 1987), pp. 294-303. [7] D. Gabbay, A. Pnueli, S. Shelah and J. Stavi, On the Temporal Analysis of Fairness, in: Conf. Record Seventh Annual ACM Symp. Principles of Programming Languages, Las Vegas, NV (January 1980), pp. 163-173. [8] L. Lamport, What Good is Temporal Logic, in: Proc. International Federation of Information Processing Congress, Paris, FR (1983), pp. 657-668. [9] L. Lamport, Specifying Concurrent Program Modules, ACM Trans. Programming Languages and Systems 5 (2) (1983), pp. 190-222. [10] O. Lichtenstein, A. Pnueli and L. Zuck, The Glory of the Past, in: Proc. Conf. on Logics of Programs, LNCS 193, Springer-Verlag (1985), pp. 196-218. [11] Z. Manna and A. Pnueli, The Anchored Version of the Temporal Framework, in: Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, eds: J. de Bakker, W. P. de Roever and G. Rozenberg, LNCS 354, Springer-Verlag (1989), pp. 201-284. [12] A. Pnueli, The Temporal Semantics of Concurrent Programs, Theoretical Computer Science 13 (1981), pp. 45-60. [13] M. O. Rabin, Decidability of Second Order Theories and Automata on Innite Trees, Trans. AMS 141 (1969), pp. 1-35. [14] A. P. Sistla and E. Clarke, The Complexity of Propositional Linear Temporal Logics, J. ACM 32 (3) (1985), pp. 733-749. [15] P. Wolper, Temporal Logic Can Be More Expressive, Information and Control 56 (1983), pp. 72-99. [16] P. Wolper, On the Relation of Programs and Computations to Models of Temporal Logic, in: Proc. Conf. on Temporal Logic in Specication, Altrincham, England, LNCS 398, Springer-Verlag (1987), pp. 75-123.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback