Temporal Logic
Lecture, October 2019
What I will present today
Semantics of CTL
More examples of CTL algorithm (mutual exclusion)
A better algorithm for computing [[EGψ]]
A similar algorithm with fairness
Connection with fixpoint results on posets
Deciding $\models \psi$ in LTL
This corresponds to Chapters 2.6 and 2.7 in the book
Semantics of CTL
$s \models AX\psi$ if $s' \models \psi$ for all $s' \in N(s)$
$s \models EX\psi$ if $s' \models \psi$ for some $s' \in N(s)$
Semantics of CTL
$s \models EG\psi$ if there exists a path $\sigma$ starting from $s$ such that $\sigma(k) \models \psi$ for all $k$
$s \models EF\psi$ if there exists a path $\sigma$ starting from $s$ with $\sigma(k) \models \psi$ for some $k$
$s \models AF\psi$ if for all paths $\sigma$ starting from $s$ there exists $k$ such that $\sigma(k) \models \psi$
$s \models AG\psi$ if for all paths $\sigma$ starting from $s$ we have $\sigma(k) \models \psi$ for all $k$
Fixpoint characterisation of CTL
$s \models EG\psi$ means that there exists a path $\sigma$ starting from $s$ such that $\sigma(k) \models \psi$ for all $k$
Alternatively, using $EG\psi = \psi \wedge EX(EG\psi)$, we have seen that $[[EG\psi]]$ is the greatest set $Z$ such that
$Z = [[\psi]] \cap p_\exists(Z)$ where $p_\exists(Y) = \{ s \in S \mid N(s) \cap Y \neq \emptyset \}$
Fixpoint characterisation of CTL
We compute $[[EG\psi]]$ by the approximation algorithm
$Z_0 = [[\psi]]$, $Z_{n+1} = Z_n \cap p_\exists(Z_n)$
Fixpoint characterisation of CTL
$s \models AF\psi$ means that for all paths $\sigma$ starting from $s$ we have $\sigma(k) \models \psi$ for some $k$
Alternatively, using $AF\psi = \psi \vee AX(AF\psi)$, we have seen that $[[AF\psi]]$ is the least set $Z$ such that
$Z = [[\psi]] \cup p_\forall(Z)$ where $p_\forall(Y) = \{ s \in S \mid N(s) \subseteq Y \}$
Fixpoint characterisation of CTL
We compute $[[AF\psi]]$ by the approximation/labelling algorithm
$Z_0 = [[\psi]]$, $Z_{n+1} = Z_n \cup p_\forall(Z_n)$
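As an added example (mine, not the lecture's), here are the two approximation algorithms above run in Python on a small constructed mutual-exclusion model of the kind the outline refers to; the model, the state encoding and the function names are my assumptions.

```python
from itertools import product

# Constructed model (an assumption, not the lecture's): two processes, each in
# n (non-critical), t (trying) or c (critical). A process in t may enter c only
# when the other is not in c; the steps of the two processes interleave.
STEP = {'n': 't', 't': 'c', 'c': 'n'}

def successors(state):
    l1, l2 = state
    out = set()
    if not (l1 == 't' and l2 == 'c'):
        out.add((STEP[l1], l2))      # process 1 moves
    if not (l2 == 't' and l1 == 'c'):
        out.add((l1, STEP[l2]))      # process 2 moves
    return out

S = {s for s in product('ntc', repeat=2) if s != ('c', 'c')}   # (c, c) is unreachable
N = {s: successors(s) for s in S}                               # N(s): successor states

def p_exists(Y):
    """p_exists(Y) = { s in S | N(s) meets Y }"""
    return {s for s in S if N[s] & Y}

def p_forall(Y):
    """p_forall(Y) = { s in S | N(s) is a subset of Y }"""
    return {s for s in S if N[s] <= Y}

def EG(psi):
    """[[EG psi]] by the approximation Z0 = [[psi]], Z_{n+1} = Z_n ∩ p_exists(Z_n)."""
    Z = {s for s in S if psi(s)}
    while True:
        Z_next = Z & p_exists(Z)
        if Z_next == Z:
            return Z
        Z = Z_next

def AF(psi):
    """[[AF psi]] by the labelling Z0 = [[psi]], Z_{n+1} = Z_n ∪ p_forall(Z_n)."""
    Z = {s for s in S if psi(s)}
    while True:
        Z_next = Z | p_forall(Z)
        if Z_next == Z:
            return Z
        Z = Z_next

crit1 = lambda s: s[0] == 'c'
# Without any fairness assumption process 1 may starve: EG(not c1) holds in every
# non-c1 state, and AF c1 holds only in the states where c1 already holds.
print(sorted(EG(lambda s: not crit1(s))), sorted(AF(crit1)))
```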
Alternative algorithm for $EG\psi$
Here is another clever algorithm for computing $EG\psi$
It uses the notion of strongly connected component
By duality ($AF\psi = \neg EG\neg\psi$) we get an alternative algorithm for computing $AF\psi$
Directed Graphs
In a directed graph G=(V,E), two nodes u and v are strongly connected if and only if there is a path from u to v and a path from v to u.
The strongly connected relation is an equivalence relation. Its equivalence classes are the strongly connected components.
Every node is in precisely one strongly connected component, since the equivalence classes partition the set of nodes.
Component Graph
Take a directed graph $G = (V, E)$ and let $\equiv$ be the strongly connected relation. Then we can define a graph $G^{scc} = (V/{\equiv}, E_\equiv)$, where the nodes are the strongly connected components of $G$ and there is an edge from component $C$ to component $D$ iff there is an edge in $G$ from a vertex in $C$ to a vertex in $D$.
Strongly Connected Components
$R$ is a relation on a set $S$, so $R \subseteq S \times S$
We can consider the reflexive transitive closure $R^*$ of $R$
$R^*(a, b)$ means that $a = b$ or that there exists a path going from $a$ to $b$
$(S, R^*)$ is a preorder
We may not have $R^*(a, b) \wedge R^*(b, a) \to a = b$ (so $R^*$ is not necessarily antisymmetric)
Strongly Connected Components
The relation $a \equiv b$ defined by $R^*(a, b) \wedge R^*(b, a)$ is a reflexive, symmetric and transitive relation
This is an equivalence relation
A strongly connected component (SCC) of the graph $(S, R)$ is an equivalence class for the relation $a \equiv b$
Condensation graph
If we have two different equivalence classes $X$ and $Y$ we define a new relation $R(X, Y)$ to mean $R(a, b)$ for all $a \in X$ and $b \in Y$
This is equivalent to $R(a, b)$ for some $a \in X$ and $b \in Y$
This new relation $R$ is a strict poset relation
The associated graph is a directed acyclic graph
This is the condensation graph of the initial graph
Strongly Connected Components
Linear time algorithms to compute the strongly connected components:
-Kosaraju
-Tarjan
-Dijkstra
An SCC is non trivial if it contains at least one arrow
Note that it may have only one point (a single node with an arrow to itself)
Alternative algorithm
We compute the SCCs of the graph restricted to $[[\psi]]$
The “good” states are the ones from which a non trivial SCC can be reached (by a path staying inside $[[\psi]]$)
Non trivial means that there is at least one arrow in this component
Example of this algorithm for mutual exclusion
Alternative algorithm with fairness
One interesting feature of this algorithm is that we can refine it by adding some fairness constraints
A fairness constraint $C = \psi_1, \ldots, \psi_n$ is given by formulae
$s \models EG_C\psi$ means that there exists a path $\sigma$ starting from $s$ such that $\sigma(k) \models \psi$ for all $k$ and $\sigma$ is fair for $C$, which means that $\sigma(k) \models \psi_i$ for infinitely many $k$, for each $i = 1, \ldots, n$
Alternative algorithm with fairness
The only modification in the previous algorithm is to look for a non trivial SCC $B$ such that
$B \cap [[\psi_1]] \neq \emptyset, \ldots, B \cap [[\psi_n]] \neq \emptyset$, i.e. $B$ meets each $[[\psi_i]]$ for $i = 1, \ldots, n$
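An added Python example (mine, not the lecture's) of the SCC-based algorithm for $EG\psi$ together with its fairness refinement, run on a small constructed mutual-exclusion model; the model, the encoding of states and all function names are my assumptions.

```python
# Constructed mutual-exclusion model (an assumption): two processes, each in n (non-critical),
# t (trying) or c (critical); a trying process enters c only when the other is not in c.
N = {('n', 'n'): {('t', 'n'), ('n', 't')}, ('n', 't'): {('t', 't'), ('n', 'c')},
     ('n', 'c'): {('t', 'c'), ('n', 'n')}, ('t', 'n'): {('c', 'n'), ('t', 't')},
     ('t', 't'): {('c', 't'), ('t', 'c')}, ('t', 'c'): {('t', 'n')},
     ('c', 'n'): {('n', 'n'), ('c', 't')}, ('c', 't'): {('n', 't')}}
S = set(N)

def sccs(nodes, edges):
    """Tarjan's algorithm: returns the strongly connected components as a list of sets."""
    index, low, stack, on_stack, comps = {}, {}, [], set(), []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in edges[v]:
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:              # v is the root of a component: pop it
            comp = set()
            while True:
                w = stack.pop(); on_stack.discard(w); comp.add(w)
                if w == v: break
            comps.append(comp)
    for v in nodes:
        if v not in index: visit(v)
    return comps

def EG_fair(psi, fairness=()):
    """[[EG_C psi]]: states from which a psi-path reaches a non trivial SCC of the graph
    restricted to [[psi]] that meets every [[psi_i]] of the fairness constraint C."""
    P = {s for s in S if psi(s)}
    edges = {s: N[s] & P for s in P}                      # graph restricted to [[psi]]
    good = set()
    for comp in sccs(P, edges):
        non_trivial = any(edges[s] & comp for s in comp)  # at least one arrow inside comp
        if non_trivial and all(any(f(s) for s in comp) for f in fairness):
            good |= comp
    while True:                                           # backward closure inside [[psi]]
        more = {s for s in P if edges[s] & good} - good
        if not more:
            return good
        good |= more

not_c1 = lambda s: s[0] != 'c'
print(sorted(EG_fair(not_c1)))                            # all 6 non-c1 states: process 1 may starve
print(sorted(EG_fair(not_c1, [lambda s: s[0] != 't'])))   # only the 3 states with process 1 in n
```

With the constraint "infinitely often not trying", a trying process can no longer stay outside its critical section forever, which is the starvation-freedom argument the fairness refinement is for.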
Fixpoint characterisation of CTL
Fixpoint characterisation of CTL
Note that $F : Z \mapsto [[\psi]] \cap p_\exists(Z)$ is a monotone function
We have seen the following result
Theorem: if $F : Pow(S) \to Pow(S)$ is a monotone function then it has a greatest fixed point, which is computed by the approximation algorithm $Y_0 = S$, $Y_{n+1} = F(Y_n)$ until we have $Y_{n+1} = Y_n$
Fixpoint characterisation of CTL
So the algorithm for computing the greatest fixpoint is
(1) $Y_0 = S$, $Y_{n+1} = [[\psi]] \cap p_\exists(Y_n)$
On the other hand, the approximation/labelling algorithm we have used is given by
(2) $Z_0 = [[\psi]]$, $Z_{n+1} = Z_n \cap p_\exists(Z_n)$
This is not the same!!
How to connect the two algorithms?
Discussion
The algorithm (2) is more efficient than (1)
(1) follows from a general method of computing fixpoints
The method we use to prove the correctness of (2) is to prove that (1) and (2) are equivalent: instead of proving the correctness of (2) directly, we rely on the correctness of (1)
This is a usual pattern: to prove the correctness of an algorithm w.r.t. a specification it is sometimes easier to prove that this algorithm is equivalent to a less efficient but clearly correct algorithm
Fixpoint
We have
(1) $Y_0 = S$, $Y_{n+1} = [[\psi]] \cap p_\exists(Y_n)$
(2) $Z_0 = [[\psi]]$, $Z_{n+1} = Z_n \cap p_\exists(Z_n)$
Theorem: We have $Y_{n+1} = Z_n$ for all $n$
Fixpoint
To simplify the notation we write $A = [[\psi]]$ and $p = p_\exists$
(1) $Y_0 = S$, $Y_{n+1} = A \cap p(Y_n)$
(2) $Z_0 = A$, $Z_{n+1} = Z_n \cap p(Z_n)$
Lemma: We have $A \cap p(Z_n) \subseteq Z_n$ for all $n$
We prove this by induction on $n$
Fixpoint
(1) $Y_0 = S$, $Y_{n+1} = A \cap p(Y_n)$
(2) $Z_0 = A$, $Z_{n+1} = Z_n \cap p(Z_n)$
Lemma: We have $A \cap p(Z_n) \subseteq Z_n$ for all $n$
Theorem: We have $Z_n = Y_{n+1}$ for all $n$
So the labelling algorithm is justified by the fixpoint algorithm!
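An added Python check (mine, not the lecture's) of the theorem $Y_{n+1} = Z_n$ and of the lemma $A \cap p(Z_n) \subseteq Z_n$ on a small constructed transition relation; the states, the relation and the function names are assumptions, and every state is given a successor, as in a Kripke structure.

```python
# Constructed transition relation on S = {0, ..., 5} (an assumption). Every state has
# a successor, as in a Kripke structure; that is what makes Y_1 = A ∩ p(S) = A = Z_0.
N = {0: {1}, 1: {2, 3}, 2: {2}, 3: {4}, 4: {5}, 5: {5}}
S = set(N)
A = {0, 1, 2, 3, 4}          # A = [[psi]]: psi holds everywhere except in state 5

def p(Y):
    """p_exists(Y): states with at least one successor in Y."""
    return {s for s in S if N[s] & Y}

def fixpoint_sequence():
    """(1) Y_0 = S, Y_{n+1} = A ∩ p(Y_n), iterated until Y_{n+1} = Y_n."""
    Y = [S]
    while True:
        nxt = A & p(Y[-1])
        if nxt == Y[-1]:
            return Y
        Y.append(nxt)

def labelling_sequence():
    """(2) Z_0 = A, Z_{n+1} = Z_n ∩ p(Z_n), iterated until Z_{n+1} = Z_n."""
    Z = [A]
    while True:
        nxt = Z[-1] & p(Z[-1])
        if nxt == Z[-1]:
            return Z
        Z.append(nxt)

def theorem_holds():
    """Y_{n+1} = Z_n for every n, and the lemma A ∩ p(Z_n) ⊆ Z_n along the way."""
    Y, Z = fixpoint_sequence(), labelling_sequence()
    same = len(Y) == len(Z) + 1 and all(Y[n + 1] == Z[n] for n in range(len(Z)))
    lemma = all(A & p(Zn) <= Zn for Zn in Z)
    return same and lemma

# (1) needs one more iteration than (2), since it starts from S instead of A.
print(fixpoint_sequence(), labelling_sequence(), theorem_holds())
```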
Deciding an LTL formula
Theorem: The problem $\models \psi$ is decidable
This is a non trivial result
I sketch a possible proof since it uses a very interesting method
The Tableau Method
Tableau method
We can consider the following syntax
$\psi, \varphi ::= p \mid \neg p \mid \psi \vee \psi \mid \psi \wedge \psi \mid X\psi \mid F\psi \mid G\psi$
since using de Morgan laws we can always assume that negation appears only in front of atomic formulae
Also $\psi_0 \to \psi_1$ can be replaced by $\neg\psi_0 \vee \psi_1$
We give an algorithm to decide if a finite set of formulae $\Gamma$ can be satisfied
Tableau method
For instance $\neg(G(p \to Xp) \wedge p \to Gp)$ can be written $G(p \to Xp) \wedge p \wedge \neg(Gp)$ and then
$G(\neg p \vee Xp) \wedge p \wedge F(\neg p)$
Good sets
A literal is a formula of the form $p$ or $\neg p$
A finite set $\Delta$ is good if it contains only literals or formulae of the form $X\psi$
It should not contain both $p$ and $\neg p$
We write $X^{-1}\Delta$ for the set of $\psi$ such that $X\psi \in \Delta$
We write $\Delta, \Delta', \ldots$ for good sets
Note that the empty set is a good set
Tableau method
The first step is to compute a list $K(\Gamma)$ of good sets $\Delta_1, \ldots, \Delta_n$ such that
$\sigma \models \Gamma$ if and only if $\sigma \models \Delta_i$ for some $i$
Tableau method
In propositional logic this is like computing a disjunctive normal form
$K((p \vee q) \wedge (r \vee s))$ has for elements $\{p, r\}$, $\{p, s\}$, $\{q, r\}$ and $\{q, s\}$
$K((p \vee q) \wedge (\neg p \vee s))$ has for elements $\{p, s\}$, $\{q, \neg p\}$ and $\{q, s\}$
In LTL we use $G\psi \equiv \psi \wedge XG\psi$ and $F\psi \equiv \psi \vee XF\psi$
Synthesis of Boolean programs
Specification of a Boolean program: If the boss is in, I need to work unless the telephone rings. If the boss is not in, I go drink tea.
$b$ = boss is in, $r$ = telephone rings, $w$ = I work, $w'$ = I drink tea
$\varphi(b, r, w) = (br' \to w)(b' \to w') = w'(br')' + wb = w'(b' + r) + wb$
Goal: given any $b$ and $r$, compute $w$ such that $\varphi(b, r, w) = 1$. One solution is just $\varphi(b, r, w = 1)$:
$w = \varphi(b, r, 1) = 0 \cdot (b' + r) + 1 \cdot b = b$
I work if and only if the boss is in
(Other solutions exist, e.g. $w = br'$)
Sergei Winitzki (Versal Group Inc.), Temporal Logic and FRP, April 25, 2014, 7 / 23
LTL: temporal specification
Whenever the boss comes by my office, I will start working. Once I start working, I will keep working until the telephone rings.
$G((b \to Fw)(w \to wUr)) = G((b' + Fw)(w' + wUr))$
Whenever the button is pressed, the dialog will appear. The dialog will disappear after 1 minute of user inactivity.
$G((b \to Fd)(d \to Ft)(d \to dUtd'))$
The timer $t$ is an external event and is not specified here
Difficult to say “$x$ stays true until further notice”
Sergei Winitzki (Versal Group Inc.), Temporal Logic and FRP, April 25, 2014, 11 / 23
Tableau method
$K(Fp)$ has two elements: $\{p\}$ and $\{XFp\}$
$K(Gp)$ has one element: $\{p, XGp\}$
$K(\Gamma)$ where $\Gamma = Fp, F(\neg p)$ has three elements: $\{p, XF(\neg p)\}$, $\{\neg p, XFp\}$ and $\{XFp, XF(\neg p)\}$
$K(Gp, G(\neg p))$ is empty
Tableau method
$K(\Gamma)$ where $\Gamma = F(p \vee q), G(\neg p), G(\neg q)$ has only one element
$\{XF(p \vee q), XG(\neg p), XG(\neg q), \neg p, \neg q\}$
$K(\Gamma)$ where $\Gamma = Fp, Fq, G(\neg p \vee \neg q)$ has for elements
$\{p, \neg q, XFq, XG(\neg p \vee \neg q)\}$
$\{\neg p, q, XFp, XG(\neg p \vee \neg q)\}$
$\{\neg p, XFp, XFq, XG(\neg p \vee \neg q)\}$
$\{\neg q, XFp, XFq, XG(\neg p \vee \neg q)\}$
Tableau method
We define a finite transition system starting from $\Gamma$
The first elements are all elements in $K(\Gamma)$
If $\Delta$ is in, we add all elements in $K(X^{-1}\Delta)$ where $X^{-1}\Delta = \{\psi \mid X\psi \in \Delta\}$
We have $\Delta \to \Delta'$ if $\Delta' \in K(X^{-1}\Delta)$
$L(\Delta)$ is the set of atoms $p$ such that $p \in \Delta$
Tableau method
We define “$\Delta$ validates $\psi$” by induction on $\psi$
$\psi = p$: it means $p \in \Delta$
$\psi = \neg p$: it means $\neg p \in \Delta$
$\psi = \psi_0 \wedge \psi_1$: it means $\Delta$ validates $\psi_0$ and $\psi_1$
$\psi = \psi_0 \vee \psi_1$: it means $\Delta$ validates $\psi_0$ or $\psi_1$
$\psi = F\varphi$: it means $XF\varphi \in \Delta$ or $\Delta$ validates $\varphi$
$\psi = G\varphi$: it means $XG\varphi \in \Delta$ and $\Delta$ validates $\varphi$
Tableau method
A path $\Delta_0 \to \Delta_1 \to \ldots$ in this transition system is good if whenever $F\psi \in \Delta_i$ there exists $j > i$ such that $\psi \in \Delta_j$
Theorem: If $\sigma$ is a good path then $\sigma \models \Gamma$
Theorem: $\Gamma$ is satisfiable if and only if there exists a good path
Theorem: There exists a good path if and only if there exists a non trivial SCC having the property that $XF\psi \in \Delta$ for $\Delta$ in this SCC implies $\Delta'$ validates $\psi$ for some $\Delta'$ in the same SCC
Tableau method
In this way we can check for instance $G(p \to Xp) \wedge p \to Gp$
We start from $\Gamma = G(\neg p \vee Xp), p, F(\neg p)$ and we compute $K(\Gamma)$, which has only one element $\Delta = \{p, Xp, XF(\neg p), XG(\neg p \vee Xp)\}$
We have $\Delta \to \Delta$
This does not define a good path: $XF(\neg p) \in \Delta$ but $\Delta$ does not validate $\neg p$
So $\Gamma$ is not satisfiable and $\models G(p \to Xp) \wedge p \to Gp$
Tableau method
Similarly we can check $F(p \vee q) \to (Fp \vee Fq)$
We find automatically a counter-example to $(Fp \wedge Fq) \to F(p \wedge q)$
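As an added Python example (mine, not the lecture's), here is the whole tableau procedure of the slides above: $K(\Gamma)$, the transition system built from $K(X^{-1}\Delta)$, “validates”, and the SCC test of the last theorem, applied to the formulae just checked; the formula encoding and the treatment of $X\varphi$ inside “validates” are my assumptions.

```python
# Formulas (an assumed encoding): 'p' for an atom, ('not', 'p'), ('and', a, b), ('or', a, b),
# ('X', a), ('F', a), ('G', a); negation only in front of atoms, as on the slides.
def is_good(f): return isinstance(f, str) or f[0] in ('not', 'X')   # literal or X-formula

def K(gamma):
    """Good sets D_1..D_n with: sigma |= gamma iff sigma |= D_i for some i (set of frozensets)."""
    pending = [f for f in gamma if not is_good(f)]
    if not pending:
        delta = frozenset(gamma)
        if any(('not', a) in delta for a in delta if isinstance(a, str)):
            return set()                          # contains both p and not p: not a good set
        return {delta}
    f = pending[0]
    rest = [g for g in gamma if g != f]
    if f[0] == 'and': return K(rest + [f[1], f[2]])
    if f[0] == 'or':  return K(rest + [f[1]]) | K(rest + [f[2]])
    if f[0] == 'G':   return K(rest + [f[1], ('X', f)])              # G a == a and X G a
    return K(rest + [f[1]]) | K(rest + [('X', f)])                    # F a == a or X F a

def validates(delta, f):
    if is_good(f): return f in delta              # the X case is my assumption, not on the slides
    if f[0] == 'and': return validates(delta, f[1]) and validates(delta, f[2])
    if f[0] == 'or':  return validates(delta, f[1]) or validates(delta, f[2])
    if f[0] == 'F':   return ('X', f) in delta or validates(delta, f[1])
    return ('X', f) in delta and validates(delta, f[1])               # G

def x_inverse(delta): return [g[1] for g in delta if not isinstance(g, str) and g[0] == 'X']

def transition_system(gamma):                     # nodes: K(Gamma), then K(X^-1 delta) for each delta
    succ, todo = {}, list(K(gamma))
    while todo:
        d = todo.pop()
        if d not in succ:
            succ[d] = K(x_inverse(d)); todo.extend(succ[d])
    return succ

def satisfiable(gamma):
    """Gamma is satisfiable iff some non trivial SCC validates every XF psi it contains."""
    succ = transition_system(gamma)
    reach = {d: set(succ[d]) for d in succ}       # states reachable in at least one step
    for _ in range(len(succ)):                    # transitive closure: n rounds suffice
        for d in succ:
            reach[d] |= set().union(*(reach[e] for e in reach[d]))
    for d in succ:
        if d not in reach[d]: continue            # trivial SCC: no cycle through d
        scc = {e for e in reach[d] if d in reach[e]}
        xf = [f for e in scc for f in x_inverse(e) if not isinstance(f, str) and f[0] == 'F']
        if all(any(validates(e, f[1]) for e in scc) for f in xf): return True
    return False
```

A formula is valid when the negation (brought to the syntax of the slides) is unsatisfiable, so `satisfiable` applied to $G(\neg p \vee Xp), p, F(\neg p)$ returns False while the negation of $(Fp \wedge Fq) \to F(p \wedge q)$ is found satisfiable.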