Model Checking
Edmund M. Clarke
Bernd-Holger Schlingloff
Second readers: Nikolaj Bjorner and Perdita Stevens.
Contents
1 Introduction  1637
2 Logical Languages, Expressiveness  1641
2.1 Propositional and First Order Logic  1642
2.2 Multimodal and Temporal Logic  1644
2.3 Expressive Completeness of Temporal Logic  1648
3 Second Order Languages  1654
3.1 Linear and Branching Time Logics  1654
3.2 Propositionally Quantified Logics  1656
3.3 ω-automata and ω-languages  1665
3.4 Automata and Logics  1668
4 Model Transformations and Properties  1670
4.1 Models, Automata and Transition Systems  1671
4.2 Safety and Liveness Properties  1673
4.3 Simulation Relations  1676
5 Equivalence reductions  1681
5.1 Bisimulations (p-morphisms)  1682
5.2 Distinguishing Power and Ehrenfeucht-Fraïssé Games  1685
5.3 Auto-bisimulations and the Paige/Tarjan Algorithm  1687
6 Completeness  1689
6.1 Deductions in Multimodal Logic  1691
6.2 Transitive Closure Operators  1695
7 Decision Procedures  1700
7.1 Deciding Branching Time Logics  1700
7.2 Satisfiability Algorithms for Natural Models  1704
8 Basic Model Checking Algorithms  1711
8.1 Global Branching Time Model Checking  1712
8.2 Local Linear Time Model Checking  1716
8.3 Model Checking for Propositional μ-Calculus  1720
9 Modelling of Reactive Systems  1724
9.1 Parallel Programming Paradigms  1724
9.2 Some Concrete Formalisms for Finite State Systems  1726
10.2 Symbolic Model Checking for CTL  1744
10.3 Relational μ-Calculus  1746
11 Partial Order Techniques  1751
11.1 Stuttering Invariance  1752
11.2 Partial Order Analysis of Elementary Nets  1754
12 Bounded Model Checking  1755
12.1 An Example  1756
12.2 Translation into Propositional Logic  1757
13 Abstractions  1759
13.1 Abstraction functions  1759
13.2 Symmetry Reductions  1762
13.3 Parameterized Systems  1763
14 Compositionality and Modular Verification  1764
14.1 Model Checking and Theorem Proving  1765
14.2 Compositional Assume-Guarantee Reasoning  1766
15 Further Topics  1767
15.1 Combination of Heuristics  1768
15.2 Real Time Systems  1769
15.3 Probabilistic Model Checking  1770
15.4 Model Checking for Security Protocols  1771
Bibliography  1774
Index  1788

Handbook of Automated Reasoning, edited by Alan Robinson and Andrei Voronkov
1. Introduction

Model checking is an automatic technique for verifying correctness properties of safety-critical reactive systems. This method has been successfully applied to find subtle errors in complex industrial designs such as sequential circuits, communication protocols and digital controllers [Browne, Clarke and Dill 1985, Clarke, Emerson and Sistla 1986, Clarke, Long and McMillan 1991, Burch, Clarke, Dill, Long and McMillan 1994]. It is expected that besides classical quality assurance measures such as static analysis and testing, model checking will become a standard procedure in the design of reactive systems.

A reactive system [Harel and Pnueli 1985, Manna and Pnueli 1992, Manna and Pnueli 1995] consists of several components which are designed to interact with one another and with the system's environment. In contrast to functional (or transformational) systems, in which the semantics is given as a function from input to output values, a reactive system is specified by its temporal properties. A (temporal) property is a set of desired behaviors in time; the system satisfies the property if each execution of the system belongs to this set. From a logical viewpoint, the system is described by a semantical (Kripke-)model, and a property is described by a logical formula. Arguing about system correctness, therefore, amounts to determining the truth of formulas in models.

In order to be able to perform such a verification, one needs a modelling language in which the system can be described, a specification language for the formulation of properties, and a deductive calculus or algorithm for the verification process. Usually, the system to be verified is modeled as a (finite) state transition graph, and the properties are formulated in an appropriate propositional temporal logic. An efficient search procedure is then used to determine whether or not the state transition graph satisfies the temporal formulas. When model checking was first developed in 1981 [Clarke and Emerson 1981, Emerson and Clarke 1982, Quielle and Sifakis 1981], it was only possible to handle concurrent systems with a few thousand states. In the last few years, however, the size of the concurrent systems that can be handled has increased dramatically. By using sophisticated data structures and heuristic search procedures, it is now possible to check systems many orders of magnitude larger [Burch, Clarke, McMillan, Dill and Hwang 1992].

Much of the success of model checking is due to the fact that it is a fully automatic verification method. Interactive methods are more general but harder to use; automatic methods have a limited range but are more likely to be accepted. In interactive verification, the user provides the overall proof strategy; the machine augments this by
- checking the correctness of each step,
- maintaining a list of assumptions and subgoals,
- applying the rules and substitutions which the user indicates, and by
- searching for applicable transformation rules and assumptions.
Sophisticated tools are also able to prove certain lemmas automatically. Even with the support of theorem provers, term rewriting systems and proof checkers, however, these techniques are time consuming and often require a great deal of manual intervention. Moreover, since most interactive provers are designed for undecidable languages (e.g., first or higher order logic), the proof process can never be completely automatic. User interaction is required, e.g., to find loop invariants or inductive hypotheses, and only an experienced user can perform a nontrivial proof.

On the other hand, with model checking all the user has to provide is a model of the system and a formulation of the property to be proven. The verification tool will either terminate with an answer indicating that the model satisfies the formula or show why the formula fails to hold in the model. These counterexamples are particularly helpful in locating errors in the model or system.

With the completely automatic approach it may be necessary for the model checking algorithm to traverse all reachable states of the system. This is only possible if the state space is finite. Whereas other automated deduction methods may be able to handle some infinite-state problems, model checking usually is constrained to a finite abstraction. In fact, model checking algorithms can be regarded as decision procedures for temporal properties of finite-state reactive systems. However, many interesting systems like sequential circuits or network protocols are finite state. Moreover, in the design of safety critical systems it is often possible to separate the (finite state) control structure from the (infinite state) data structure of a given module. Finally, in many cases it is possible to abstract an infinite domain into an appropriate finite one, such that "interesting" properties are preserved. In an 'a posteriori' verification, some efforts may be necessary to construct such an abstraction from a given program. In a structured software development process, however, the abstract system often arises naturally during an early design phase.

A main impediment of the fully automatic approach is the state explosion: if any state of the system is uniquely described by $n$ state bits, then there are $2^n$ possible states the system can be in. At the present time, the number of states that can be represented explicitly (e.g., by lists or hash tables) is approximately $10^6$. In [Burch, Clarke, McMillan, Dill and Hwang 1992, McMillan 1993], binary decision diagrams (BDDs) were used to represent state spaces symbolically. With this technique, models with several hundred state bits and more than $10^{100}$ reachable states can be checked. Because of this and other technical advances in the available tools it is now possible to verify reactive systems of realistic industrial complexity, and a number of major companies including Intel, Motorola, AT&T, Fujitsu and Siemens have started using symbolic model checkers to verify actual designs.
We now describe a concrete example of a nontrivial application, where model checking has been used to improve a proposed international standard. Consider the cache coherence protocol described in the draft IEEE Futurebus+ standard [IEEE 1994]. This protocol is required to ensure coherence: consistency of data in hierarchical systems composed of many processors and caches interconnected by multiple bus segments. Such protocols are notoriously complex and, therefore, quite difficult to debug. The Futurebus+ protocol maintains coherence by having the in- [...] protocol allows transactions to be split. That is, the completion of a transaction may be delayed and the bus freed. Then, it is possible to service local requests while the remote request is being processed. At some later time, an explicit response is issued to complete the transaction. Consider a sample configuration with two processors $P_1$ and $P_2$ accessing data from a common memory via a single bus (see Fig. 1 on page 1640). Initially, neither processor has a copy of the data in its cache; they are said to be in the invalid state. Processor $P_1$ issues a read_shared request to obtain a readable copy of the data from memory. $P_2$ may observe this transaction and also obtain a readable copy, such that at the end of the transaction, both caches contain a shared_unmodified copy of the data. Next, if $P_1$ decides to modify the data, the copy held by $P_2$ must be eliminated in order to maintain coherence. Therefore, $P_1$ issues an invalidate transaction on the bus. When $P_2$ notices this transaction, it purges the data from its cache. After executing the invalidate transaction, $P_1$ now has an exclusive copy of the data.

The standard specifies the possible states of the cache data within each processor and how this state is updated during each possible transaction. It consists of roughly 300 so-called attributes, which are essentially boolean variables together with some rules for setting and clearing them. In the automated verification of the Futurebus+ protocol described in [Clarke, Grumberg, Hiraishi, Jha, Long, McMillan and Ness 1993], these attributes were transformed into the input language of the SMV model checker [McMillan 1993]. For example, the following SMV code fragment indicates how the cache state is updated when the cache issues a read_shared transaction:
    next(state) :=
      case CMD = read_shared :
        case state = invalid :
          case !SR & !TF : exclusive_unmodified;  -- not split, no other cache takes the data
               !SR       : shared_unmodified;     -- not split, another cache also reads it
               1         : invalid;               -- transaction split: no data supplied yet
          esac;
        ...
        esac;
      ...
      esac;
If the transaction is not split (!SR), then the data will be supplied to the cache. Either no other caches will read the data (!TF), in which case the cache obtains an exclusive_unmodified copy, or some other cache also obtains the data, and everyone obtains shared_unmodified copies. If the transaction is split, the cache data remains in the invalid state.

The model for the cache coherence protocol consists of approximately 2300 lines of SMV code (not counting comments). The model is highly nondeterministic, both to reduce the complexity of verification by hiding details, and to cover allowed design choices. This model is compiled into an internal BDD representation by the SMV program. Correctness properties are formulated in the temporal logic CTL. [...] copies of a cache line, then they agree on the data in that line:

    AG (P1.readable & P2.readable -> P1.data = P2.data)

This formula is evaluated automatically on the BDD representation of the model. SMV finds that it is not valid and exhibits a scenario which could lead to the error: initially, both caches are invalid. Processor $P_1$ obtains an exclusive_unmodified copy of the data (say, data1) as described above and the data of $P_2$ is invalid (see Fig. 1). Then, $P_2$ issues a read_modified, which $P_1$ splits for invalidation. That is, the memory supplies a copy of the data to $P_2$, and $P_1$ postpones the invalidation of cache data until local actions are completed. Still having an exclusive_unmodified copy of data1, $P_1$ now modifies the data (say, into data2) and transitions to exclusive_modified. At this point, $P_1$ and $P_2$ are inconsistent. This bug can be fixed by requiring $P_1$ to go to the shared_unmodified state when it splits the read_modified transaction for invalidation.
Figure 1: Error scenario in the Futurebus+ protocol. (The figure is not reproduced in this text; it shows $P_1$, $P_2$ and the BUS, the cache states invalid, shared_unmod and exclusive, and the data values data1 and data2 after the transactions read_shared, invalidate and read_modified.)
Given a formal model of a system to be verified, and a formulation of the properties the system should satisfy, there are three possible results which an automated model checker can produce:
1. either it finds a proof for the formula in the model and outputs "verified", or
2. it constructs a refutation, i.e., an execution of the (model of the) system which dissatisfies the (formulation of the) property, or
3. the complexity of the verification procedure exceeds the given memory limit or time bound.
If there is not sufficient space or time, in some cases it is possible to use bigger and faster machines for verification. Alternatively, one can use a coarser abstraction of the system and its properties. The third possibility is to employ heuristics which improve the performance of the verifier. Some of these heuristics are discussed in Sections 10 and 11.
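To make the three outcomes and the Futurebus+ scenario concrete, here is an added example, written for this text; it is not the 2300-line SMV model of Clarke et al. and not part of the original chapter. It is a small explicit-state model checker over a constructed two-processor, single-cache-line abstraction of the protocol. The cache states, the transaction names and the invariant follow the text; the `pending` flag, the abstraction of data values to {1, 2} and the `fixed` switch (which selects the repair proposed above, dropping the splitting cache to shared_unmodified) are assumptions of this example.

```python
from collections import deque

# Constructed abstraction of the two-processor Futurebus+ scenario (an example for
# this text, not the SMV model of the paper). State names follow the text.
INVALID, SHARED, EXCL_UNMOD, EXCL_MOD = (
    "invalid", "shared_unmodified", "exclusive_unmodified", "exclusive_modified")

# A state is (cache_states, cache_data, memory_data, pending): `pending` is the index
# (0 or 1) of a processor whose read_modified waits for the other cache to complete a
# split invalidation, or None. Data values are abstracted to {1, 2} (assumption).
INIT = ((INVALID, INVALID), (1, 1), 1, None)


def readable(s):
    return s != INVALID


def coherent(state):
    """The invariant AG (P1.readable & P2.readable -> P1.data = P2.data)."""
    (s1, s2), (d1, d2), _, _ = state
    return not (readable(s1) and readable(s2)) or d1 == d2


def successors(state, fixed):
    """Enumerate (transaction label, next state). With fixed=False the cache that
    splits an invalidation keeps its exclusive copy (the bug); with fixed=True it
    drops to shared_unmodified, as the repair in the text requires."""
    s, d, mem, pending = state
    for i in (0, 1):
        j, name = 1 - i, f"P{i + 1}"

        def build(si, di, sj, dj, m, p):
            ns, nd = list(s), list(d)
            ns[i], nd[i], ns[j], dj_ = si, di, sj, dj
            nd[j] = dj_
            return (tuple(ns), tuple(nd), m, p)

        if s[i] == INVALID and pending is None:
            m = d[j] if s[j] == EXCL_MOD else mem      # modified line is written back first
            if s[j] == INVALID:                         # nobody else holds the line
                yield f"{name}.read_shared", build(EXCL_UNMOD, mem, s[j], d[j], mem, None)
                yield f"{name}.read_modified", build(EXCL_UNMOD, mem, s[j], d[j], mem, None)
            else:                                       # the other cache also ends up shared
                yield f"{name}.read_shared", build(SHARED, m, SHARED, d[j], m, None)
                # read_modified is split: the data is supplied now, the other cache's
                # invalidation is postponed until its local actions are completed.
                sj_after = SHARED if fixed else s[j]
                yield f"{name}.read_modified(split)", build(SHARED, m, sj_after, d[j], m, i)
        if pending == i:                                # the postponed invalidation completes
            yield f"{name}.complete_invalidation", build(EXCL_UNMOD, d[i], INVALID, d[j], mem, None)
        if s[i] == SHARED and pending is None:
            yield f"{name}.invalidate", build(EXCL_UNMOD, d[i], INVALID, d[j], mem, None)
        if s[i] in (EXCL_UNMOD, EXCL_MOD):              # only an exclusive holder may write
            yield f"{name}.modify", build(EXCL_MOD, 3 - d[i], s[j], d[j], mem, pending)


def check_invariant(init, fixed, max_states=10_000):
    """Explicit-state breadth-first model checking of the invariant. Returns one of the
    three outcomes: ("verified", None, n), ("refuted", trace, n) where trace is a shortest
    counterexample as a list of (label, state), or ("limit", None, n) when more than
    max_states states were generated (the resource-bound case)."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        st = queue.popleft()
        if not coherent(st):
            trace = []
            while parent[st] is not None:
                label, prev = parent[st]
                trace.append((label, st))
                st = prev
            return "refuted", trace[::-1], len(parent)
        for label, nxt in successors(st, fixed):
            if nxt not in parent:
                parent[nxt] = (label, st)
                queue.append(nxt)
                if len(parent) > max_states:
                    return "limit", None, len(parent)
    return "verified", None, len(parent)


if __name__ == "__main__":
    for fixed in (False, True):
        verdict, trace, n = check_invariant(INIT, fixed)
        print(f"fixed={fixed}: {verdict} after {n} states")
        for label, st in trace or []:
            print("  ", label, "->", st)
```

Run as a script, the unrepaired model is refuted with the three-step trace read_shared, read_modified (split), modify that matches Figure 1, and the repaired model is verified after exploring a few dozen states. Breadth-first search guarantees that the counterexample is a shortest one, which is what makes it useful for locating the error; the `max_states` bound stands in for the memory limit of the third outcome.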
In some sense it is more interesting to get a refutation than to get a proof. With a refutation, one can decide whether it is due to the modelling and formulation, or whether this undesired sequence of events could indeed happen in reality. In the former case, the unrealistic behavior can be eliminated by additional assumptions on the model or formula. In the latter case, one has found a bug, and the system [...] automatic approach is that there is almost no additional overhead for the new verification of the changed system.

If the model checker is able to prove all specified formulas for the given model, then the verification is successfully completed. However, there can never be any guarantee that a system which has been verified by a computer tool will function correctly in reality. Even if we could assume that the verifier's hard- and software is correct (which we cannot), there is a fundamental source of inaccuracy involved. Verification proves theorems about models of systems and formulations of properties, not about physical systems and desired behavior; we can never know to what extent our models and formulations reflect physical reality and intuitions. It is not possible to guarantee that a physical system will behave correctly in unexpected (i.e., unmodeled) situations. It would be unreasonable, however, to reject formal methods because they cannot offer such guarantees. Civil engineering can never prove that a certain building will not collapse. Nevertheless it uses mathematical models to calculate loads and wall thicknesses and so on. Similarly, we can never prove that our model adequately represents the reality. Therefore we can never prove that a system will function as planned. Nevertheless, compared to current practice, the use of formal methods can significantly decrease the amount of errors in complex software systems. A temporal logic specification adds redundancy to the design by restating an intended property in a (different) concise formalism. Computer aided verification can help to locate errors and to increase reliability of these systems. In the future, formal verification by model checking will augment classical software design tools such as structured analysis, code review and testing.

In this survey, we give a tutorial on the theoretical foundations and techniques used in model checking. Starting with elementary material on propositional temporal logics and automata we derive basic model checking algorithms from completeness results and tableau decision procedures. Then we discuss applications and techniques for efficient implementation of these algorithms. We extend the results to more expressive logics and models. Finally, we discuss some open problems and future research directions in the area. At the end of this chapter, the reader can find a list of all symbols and notations and an index of topics.
2. Logical Languages, Expressiveness

One of the major concerns of philosophical logic is to find an appropriate language for the formalization of natural language reasoning. The first and probably most successful of these languages is first order logic. Almost all mathematical statements and proofs can be formulated in this language. However, certain concepts important for computer science like well-foundedness and transitive closure require more expressive languages.

Temporal logic was invented to formalize natural language sentences about events in time, which use temporal adverbs like "eventually" and "constantly". Temporal logics have proved to be useful for specifying concurrent systems, because they can [...] many variants of temporal logic proposed in the literature. Temporal logics can be classified as
- state- or transition- (interval-) based, depending on whether the formulated properties involve one or more reference points,
- linear or branching time, depending on the intuition of time as a sequence or as a tree of events,
- star-free or regular, depending on the formal languages which can be defined by formulas of the logic, and
- propositional or first-order, depending on the cardinality of the nontemporal domains.
In principle, these classifications are orthogonal; in practice, however, only certain combinations are widely used. In this survey, we concentrate on propositional modal logic, linear temporal logic, computation tree logic, and fixpoint calculus. Restrictions and extensions of these logics are introduced whenever appropriate.
2.1. Propositional and First Order Logic

We assume a set $P = \{p, q, p_1, \ldots\}$ of (atomic) propositions which can be either true or false.¹ For example, the proposition stack_is_empty denotes the fact that "the stack is empty". The propositional logic PL is built from $P$ with the following syntax:

$\mathrm{PL} ::= P \mid \bot \mid (\mathrm{PL} \to \mathrm{PL})$

That is,
- every $p \in P$ is a well-formed formula of propositional logic,
- $\bot$ is a well-formed formula ("the falsum"),
- if $\varphi$ and $\psi$ are well-formed formulae, then so is $(\varphi \to \psi)$, and
- nothing else is a formula.
$P$ is a parameter of the logic; the special case $P = \{\}$ is allowed. Other connectives can be defined as usual: $\neg\varphi \triangleq (\varphi \to \bot)$, $\top \triangleq \neg\bot$, $(\varphi \vee \psi) \triangleq (\neg\varphi \to \psi)$, $(\varphi \wedge \psi) \triangleq \neg(\neg\varphi \vee \neg\psi)$, and $(\varphi \leftrightarrow \psi) \triangleq ((\varphi \to \psi) \wedge (\psi \to \varphi))$. The precedence of these operators is fixed by $(\neg, \wedge, \vee, \to, \leftrightarrow)$, and parentheses are omitted in formulas whenever appropriate. Atomic propositions and negated propositions are called literals.

An interpretation $I$ for the propositions is a function assigning a truth value from $\{\mathit{true}, \mathit{false}\}$ to every proposition. (For example, the proposition stack_is_empty is interpreted differently on a farm, in a library, or in front of a computer terminal.) A propositional model $M \triangleq (U, I)$ consists of the fixed binary domain $U \triangleq \{\mathit{true}, \mathit{false}\}$ and an interpretation for $P$. The most basic semantical notion is the validation relation $\models$ between a model $M$ and a formula $\varphi$. It is defined by the following clauses.
- $M \models p$ iff $I(p) = \mathit{true}$,
- $M \not\models \bot$, and
- $M \models (\varphi \to \psi)$ iff $M \models \varphi$ implies $M \models \psi$.
That is, $M \models (\varphi \to \psi)$ iff $M \not\models \varphi$ or $M \models \psi$. If $M \models \varphi$, then we say that $M$ validates $\varphi$, or, equivalently, $\varphi$ is valid in $M$.

¹ Later on, we will consider logics over arbitrary nonbinary domains.

Propositional logic is not well-suited to formalize statements about events in time. Even though the interpretation of a statement can be fixed, its truth value may vary in time. This cannot be expressed directly in PL.
To express such temporal dependencies, first order logic can be used. The set $P$ is redefined to be a set of monadic predicates. That is, each $p \in P$ is augmented with an additional parameter denoting time, for example, stack_is_empty($t$).

For sake of simplicity, we do not include function symbols (or constants) in the first-order language. Assume in addition to the set $P$ of unary predicates a fixed set $\mathcal{R} \triangleq \{R, a, b, \ldots\}$ of accessibility relations, and let $\mathcal{R}^+ \triangleq \mathcal{R} \cup \{\longrightarrow, <, =\}$. Furthermore, let $T$ be a set of first-order variables $T \triangleq \{t, t_0, \ldots\}$ for points in time (which is assumed to be infinite unless stated otherwise).

$\mathrm{FOL} ::= P(T) \mid \bot \mid (\mathrm{FOL} \to \mathrm{FOL}) \mid \mathcal{R}^+(T, T) \mid \exists T\, \mathrm{FOL}$

When writing formulas, we often use infix notation for relational terms: $t_1\, R\, t_2 \triangleq R(t_1, t_2)$. The notation $\forall t\, \varphi$ is an abbreviation for $\neg\exists t\, \neg\varphi$, the string $x > y$ stands for $y < x$, and $x \leq y$ for $(x < y \vee x = y)$, etc.

To assign a truth value to a formula containing (free) variables, we assume that we are given a nonempty universe $U$ of points in time, and that the interpretation $I$ assigns to every proposition $p \in P$ a subset of points $I(p) \subseteq U$, and to every relation symbol $R \in \mathcal{R}$ a binary relation $I(R) \subseteq U \times U$. For the special relation signs $=$, $\longrightarrow$, and $<$ we require that $I(=) \triangleq \{(w, w) \mid w \in U\}$ is the equality relation, $I(\longrightarrow) \triangleq \bigcup \{I(R) \mid R \in \mathcal{R}\}$ is the transition relation, and $I(<)$ is the transitive closure of $I(\longrightarrow)$, the reachability relation. A variable valuation $v$ assigns to any variable $t \in T$ a point $w \in U$. A first-order model $M \triangleq (U, I, v)$ consists of a universe $U$, an interpretation $I$, and a variable valuation $v$. As in the propositional case, we define when a formula holds in a model:
- $M \models p(t)$ iff $v(t) \in I(p)$;
- $M \not\models \bot$, and
- $M \models (\varphi \to \psi)$ iff $M \models \varphi$ implies $M \models \psi$;
- $M \models R(t_0, t_1)$ iff $(v(t_0), v(t_1)) \in I(R)$;
- $M \models \exists t\, \varphi$ iff $(U, I, v') \models \varphi$ for some $v'$ which differs from $v$ at most in $t$.

This language is rather expressive: consider the following example formulas.
(1) $(\mathit{stack\_is\_empty}(t_0) \to \exists t_1\, (\mathit{put}(t_0, t_1) \wedge \neg\mathit{stack\_is\_empty}(t_1)))$
If stack_is_empty, then it is possible to perform a put such that not stack_is_empty holds.
(2) $\forall t_1\, ((t_0 \leq t_1 \wedge \mathit{req}(t_1)) \to \exists t_2\, (t_1 < t_2 \wedge \mathit{ack}(t_2)))$
Every request is eventually acknowledged.
(3) $\forall t_1\, ((t_0 \leq t_1 \wedge \mathit{req}(t_1)) \to \exists t_2\, ((t_1 < t_2 \wedge \mathit{ack}(t_2)) \wedge \forall t_3\, ((t_1 < t_3 \wedge t_3 < t_2) \to \mathit{req}(t_3))))$
No request is withdrawn before it is acknowledged.
2.2. Multimodal and Temporal Logic

First order logic has been criticized by theoretical linguists for not being intuitive. Except for text in mathematical books, one can hardly find English sentences which explicitly use variables to refer to objects. Natural language statements use modal adverbs like "possibly" and "necessarily" to refer to an alternative state of affairs. Temporal phrases in natural language use the adverbs "eventually" and "constantly" (or "sometime" and "always") to refer to future points in time. Modal logic was invented to formalize these modal and temporal adverbs [Lewis 1912, Prior 1957, Prior 1967]. The idea is to suppress first-order variables $t \in T$; propositions $p \in P$ are nullary again. In modal logics, the meaning of a proposition like stack_is_empty is intended to be "the stack is empty now". Thus, in a temporal interpretation, every formula describes a certain state of affairs at a given point.

To be able to describe properties depending on the relations between points, in multimodal logic for every $R \in \mathcal{R}$ a new operator $\langle R \rangle \varphi$ is introduced. The meaning of $\langle R \rangle \varphi$ is "possibly $\varphi$", i.e., "there exists some $t$ accessible via $R$ such that $\varphi$ holds at $t$". Dually, $[R]\varphi \triangleq \neg\langle R \rangle \neg\varphi$ means "necessarily $\varphi$"; "for all $t$ accessible via $R$, it is the case that $\varphi$ holds at $t$".

$\mathrm{ML} ::= P \mid \bot \mid (\mathrm{ML} \to \mathrm{ML}) \mid \langle \mathcal{R} \rangle \mathrm{ML}$

Intuitively, the above example (1) could be written
$(\mathit{stack\_is\_empty} \to \langle \mathit{put} \rangle \neg\mathit{stack\_is\_empty})$.

Assume again that $U$ is a nonempty set of points in time (or "possible worlds"). An interpretation $I$ for multimodal logic assigns to every $p \in P$ and $R \in \mathcal{R}$ a subset $I(p) \subseteq U$ and a relation $I(R) \subseteq U \times U$, respectively. The tuple $F \triangleq (U, I)$ is called a frame for $P$ and $\mathcal{R}$. A (Kripke-)model (introduced in [Kripke 1963, Kripke 1975]) $M \triangleq (U, I, w_0)$ for multimodal logic consists of a frame $(U, I)$ and a current point $w_0 \in U$. If $M = (U, I, w_0)$, we say that $M$ is based on the frame $F = (U, I)$. Thus, a Kripke model for multimodal logic is similar to a first order model, where the variable valuation $v$ is replaced by a single designated point $w_0$.

Note that our notion of frame and model is somewhat different from the tradi- [...] and a model is the triple $(U, \{I(R) \mid R \in \mathcal{R}\}, \{I(p) \mid p \in P\})$. Historically, atomic propositions have been regarded as being "variable" in a formula, thus $\{I(p) \mid p \in P\}$ is a separate valuation for these variables. In this paper, a proposition denotes a fixed predicate, hence its meaning is given by the interpretation. In a later section we introduce a separate syntactic category of proposition variables, which can be evaluated differently in each context.
Validity of a modal formula in a Kripke model $M \triangleq (U, I, w_0)$ is defined as follows.
- $M \models p$ iff $w_0 \in I(p)$;
- $M \not\models \bot$, and
- $M \models (\varphi \to \psi)$ iff $M \models \varphi$ implies $M \models \psi$;
- $M \models \langle R \rangle \varphi$ iff there exists $w_1 \in U$ with $(w_0, w_1) \in I(R)$ and $(U, I, w_1) \models \varphi$.
We write $w \models \varphi$ instead of $(U, I, w) \models \varphi$ whenever the frame $(U, I)$ is given. A formula $\varphi$ is universally valid (or frame-valid) in $(U, I)$, if for all $w \in U$ it holds that $w \models \varphi$.

As defined above, $\longrightarrow$ is interpreted as the transition relation, i.e., the union of all accessibility relations, $<$ is interpreted as the transitive closure of $\longrightarrow$, and $\leq$ as the reflexive transitive closure (the reachability relation). For these special relations $\circ \in \{\longrightarrow, <, =, \leq\}$, we henceforth simply write $v \circ w$ instead of $(v, w) \in I(\circ)$. We introduce the special operators $X$, $F^+$ and $F^*$:
- $w_0 \models X\varphi$ iff there exists $w_1 \in U$ such that $w_0 \longrightarrow w_1$ and $w_1 \models \varphi$,
- $w_0 \models F^+\varphi$ iff there exists $w_1 \in U$ such that $w_0 < w_1$ and $w_1 \models \varphi$, and
- $w_0 \models F^*\varphi$ iff there exists $w_1 \in U$ such that $w_0 \leq w_1$ and $w_1 \models \varphi$.
For the dual operators, we use the symbols $\bar{X}\varphi \triangleq \neg X\neg\varphi$, $G^+\varphi \triangleq \neg F^+\neg\varphi$, and $G^*\varphi \triangleq \neg F^*\neg\varphi$. Traditionally, $X$, $F$, and $G$ have been used to indicate neXt time, Future and Global operators². Alternatively, $F^+$ and $G^+$ are called sometime- and always-operators. $\bar{X}$ is referred to as weak next-operator.
Here are some historical remarks on the use of these operators. In the 1950's and 1960's, proof theory and model theory of modal logic was developed ([Rescher and Urquhart 1971, Hughes and Cresswell 1977] are historical, and [Blackburn, de Rijke and Venema 2000] is a modern textbook on this topic). Its applicability to computer science was discovered in the 1970's: [Burstall 1974] suggested a modal logic built upon $F^+$ and $G^+$ to describe program properties. [Kröger 1978] suggested to use both $X$ and $F^+$ for program verification. [Pnueli 1977] used a similar system for parallel programs. [Gabbay, Pnueli, Shelah and Stavi 1980] extended temporal logic for program specification by the binary connective until (explained below). The framework was further elaborated in [Pnueli 1981, Manna and Pnueli 1981, Manna and Pnueli 1982b, Manna and Pnueli 1982a, Pnueli 1984, Harel and Pnueli 1985, Manna and Pnueli 1987, Manna and Pnueli 1989]. The combination of $\langle R \rangle$- and $F$-operators originates from dynamic logic [Salwicki 1970, Pratt 1976] (for an overview on dynamic logics, see [Harel 1984, Kozen and Tiuryn 1990]).

² A note on notation: with the above convention, the $X$, $\bar{X}$, $F^+$, $F^*$, $G^+$ and $G^*$ operators could be written as $\langle \longrightarrow \rangle$, $[\longrightarrow]$, $\langle < \rangle$, $\langle \leq \rangle$, $[<]$ and $[\leq]$, respectively. In the literature, some authors use the [...]
Intuitively, $X\varphi$ indicates that $\varphi$ holds at some point accessible via a single transition, $F^+\varphi$ specifies that $\varphi$ must hold in some point which can be reached by a nonempty sequence of transitions, and $F^*\varphi$ means that $\varphi$ holds at some reachable point (possibly now). Dually, $\bar{X}\varphi$ holds if all successors satisfy $\varphi$, and $G^*\varphi$ and $G^+\varphi$ determine that all reachable points (except maybe the current point) must validate $\varphi$. With these operators, example (2) could be written
$G^*(\mathit{req} \to F^+\mathit{ack})$.

From the definition, $w_0 \models \bar{X}\varphi$ iff $w_1 \models \varphi$ for all $w_1 \in U$ such that $w_0 \longrightarrow w_1$. Similarly, $w_0 \models G^+\varphi$ iff $w_1 \models \varphi$ for all $w_1 \in U$ such that $w_0 < w_1$. A point $w \in U$ is called terminal, if $\{w' \mid w \longrightarrow w'\} = \{\}$. A terminal point represents a final state of a terminating computation. Terminal points satisfy all $\bar{X}$- and $G^+$-formulas vacuously: if $w_0$ has no accessible successors, then $w_0 \models \bar{X}\varphi$ and $w_0 \models G^+\varphi$ for any formula $\varphi$.

The difference between $F^+$ and $F^*$ is that in the latter "the future includes the present". Using the $X$ operator, $F^+$ and $F^*$ can be mutually defined: clearly, the formula $(F^*\varphi \leftrightarrow \varphi \vee F^+\varphi)$ is valid. Therefore, the $F^*$-operator can be expressed by $F^+$. Using the equivalence $(F^+\varphi \leftrightarrow XF^*\varphi)$, each occurrence of the operator $F^+$ in a formula can be replaced by $F^*$ and $X$, with only a linear increase in formula length. It is not possible to define the $F^+$-operator by $F^*$ alone (without $X$):

2.1. Lemma. Without $X$, the operator $F^+$ is strictly more expressive than $F^*$.
Proof: Consider two models $M_1$ and $M_2$, where $U_1 \triangleq U_2 \triangleq \{w\}$, $I_1(\longrightarrow) \triangleq \{\}$, $I_2(\longrightarrow) \triangleq \{(w, w)\}$ and $I_1(p) = I_2(p)$ for all $p \in P$. Then $M_1 \not\models F^+\top$ and $M_2 \models F^+\top$. However, $w \models F^*\varphi$ iff $w \models \varphi$ in both $M_1$ and $M_2$. Therefore, for all formulas $\varphi$ which involve only propositions, boolean operators and $F^*$ it holds that $M_1 \models \varphi$ iff $M_2 \models \varphi$. (The formal proof of this statement is omitted; it is a straightforward induction on the construction of such formulas.) Hence, there is no formula $\varphi$ consisting only of propositions, boolean operators and $F^*$ such that for all models $M$ it holds that $M \models \varphi$ iff $M \models F^+\top$. In other words, $F^+\top$ is not expressible in this language. □
A similar proof shows that modal operators cannot express statements about intervals. For example, there is no formula equivalent to example (3) of the above. To remedy this lack of expressiveness, [Kamp 1968] introduced a binary operator $(\varphi\, U^+\, \psi)$ meaning "$\varphi$ holds until $\psi$ holds". We use the term temporal logic to refer to any modal logic which contains some sort of until-operator. In computer science, this operator was first used by [Gabbay et al. 1980] to classify important properties of concurrent programs. The semantics of $U^+$ is defined as follows:
- $w_0 \models (\varphi\, U^+\, \psi)$ iff there exists $w_1 \in U$ with $w_0 < w_1$ and $w_1 \models \psi$, and for all $w_2 \in U$ with $w_0 < w_2$ and $w_2 < w_1$, we have $w_2 \models \varphi$.
This situation is illustrated by the following picture.
(Picture: a chain of points $w_0 \longrightarrow \cdots \longrightarrow w_1$; $\varphi$ holds at every point strictly between $w_0$ and $w_1$, and $\psi$ holds at $w_1$.)
As an example, the above formula (3) can be expressed with an until-operator as
$G^*(\mathit{req} \to (\mathit{req}\, U^+\, \mathit{ack}))$.
Various other operators can be defined via $U^+$. Sometime-operator and nexttime operators (for discrete time) are obtained as follows:
- $X\varphi \leftrightarrow (\bot\, U^+\, \varphi)$
- $F^+\varphi \leftrightarrow (\top\, U^+\, \varphi)$
The proof of these equivalences is immediate from the definition: $w_0 \models (\bot\, U^+\, \varphi)$ iff there exists $w_1 \in U$ with $w_0 < w_1$ and $w_1 \models \varphi$, and for all $w_2 \in U$ with $w_0 < w_2 < w_1$ it holds that $w_2 \models \bot$, which is impossible. In other words, $w_0 < w_1$, but there is no $w_2$ that satisfies $w_0 < w_2$ and $w_2 < w_1$. Therefore $w_1$ must be an immediate successor of $w_0$, i.e., $w_0 \longrightarrow w_1$. Consequently, $w_0 \models X\varphi$. The second equivalence is obtained in a similar way.

The reflexive until-operator is defined as $(\varphi\, U^*\, \psi) \triangleq (\psi \vee \varphi \wedge (\varphi\, U^+\, \psi))$.
(Picture: as above, but $\varphi$ now also holds at $w_0$ itself.)
As above, $F^*\varphi \leftrightarrow (\top\, U^*\, \varphi)$ and $(\varphi\, U^+\, \psi) \leftrightarrow X(\varphi\, U^*\, \psi)$. Without $X$ it is not possible to define $U^+$ or $F^+$ from $U^*$. Hence, $X$ cannot be defined by $U^*$.
The unless or weak until-operator is defined as
$(\varphi\, W^+\, \psi) \triangleq \neg(\neg\psi\, U^+\, \neg(\varphi \vee \psi))$.
Whereas $(\varphi\, U^+\, \psi)$ requires that eventually $\psi$ holds, $(\varphi\, W^+\, \psi)$ is also true if $\psi$ is never and $\varphi$ always true. Intuitively, $(\varphi\, W^+\, \psi)$ says that $\varphi$ holds at least up to the next point where $\psi$ holds. This can be seen as follows: assume that $w_0 \models \neg(\neg\psi\, U^+\, \neg(\varphi \vee \psi))$. By definition, it is not the case that for some $w_1 > w_0$ both $w_1 \models \neg(\varphi \vee \psi)$ and $w_2 \models \neg\psi$ for all $w_0 < w_2 < w_1$. Thus, for all $w_1 > w_0$ it holds that $w_1 \models (\varphi \vee \psi)$, or $w_2 \models \psi$ for some $w_0 < w_2 < w_1$. In other words, if $w_1 > w_0$ then either $w_1 \models \varphi$ or there is some $w_0 < w_2 \leq w_1$ such that $w_2 \models \psi$. Therefore, if $w_2 \not\models \psi$ for all $w_0 < w_2 \leq w_1$, i.e. if $w_1$ is before the next point where $\psi$ holds, then $w_1 \models \varphi$.

Note that by definition $(\varphi\, W^+\, \bot) = \neg(\top\, U^+\, \neg\varphi) = G^+\varphi$. Some texts define the unless operator by $((\varphi\, U^+\, \psi) \vee G^+\varphi)$. In natural models, which consist of a sequence of points, these two definitions are equivalent:
2.2. Lemma. For natural models, $(\varphi\, W^+\, \psi) \leftrightarrow ((\varphi\, U^+\, \psi) \vee G^+\varphi)$.

Proof: We must show that for all models $M$ which are sequences, the following three implications hold: (i) $M \models ((\varphi\, W^+\, \psi) \to ((\varphi\, U^+\, \psi) \vee G^+\varphi))$, (ii) $M \models (G^+\varphi \to (\varphi\, W^+\, \psi))$, and (iii) $M \models ((\varphi\, U^+\, \psi) \to (\varphi\, W^+\, \psi))$. For (i), assume that $w_0 \models (\varphi\, W^+\, \psi)$ and $w_0 \not\models G^+\varphi$. Then $w_1 \not\models \varphi$ for some $w_1 > w_0$. According to the above, there is some $w_0 < w_2 \leq w_1$ such that $w_2 \models \psi$. Since the model is assumed to be a sequence, it is well-founded. Therefore there must be a smallest $w_2$ with this property; i.e. $w_0 < w_2 \leq w_1$, $w_2 \models \psi$, and $w_3 \not\models \psi$ for all $w_0 < w_3 < w_2$. Again, according to the above, if $w_0 < w_3 < w_2$ then $w_3 \models \varphi$. Therefore $w_0 \models (\varphi\, U^+\, \psi)$. Formula (ii) follows immediately from the definition: if $w_0 \models G^+\varphi$, then $w_1 \models \varphi$ for all $w_1 > w_0$. Therefore, it is not the case that some $w_1 > w_0$ exists which satisfies $w_1 \models \neg(\varphi \vee \psi)$. This implies $w_0 \not\models (\neg\psi\, U^+\, \neg(\varphi \vee \psi))$, i.e., $w_0 \models (\varphi\, W^+\, \psi)$. For implication (iii), we need the property that the model is linear: if $w_0 \models (\varphi\, U^+\, \psi)$, then there exists $w_1 > w_0$ such that $w_1 \models \psi$ and $w_2 \models \varphi$ for all $w_0 < w_2 < w_1$. Assume any point $w > w_0$. Then $w < w_1$ or $w \geq w_1$. In the first case, $w \models \varphi$. In the second case, there exists $w' = w_1$ such that $w' \models \psi$. Thus, for all $w > w_0$ it holds that $w \models \varphi$, or there exists $w_0 < w' \leq w$ such that $w' \models \psi$. This shows that $w_0 \models (\varphi\, W^+\, \psi)$. □
This equivalence does not hold for dense time: for example, if $(U, \leq)$ is isomorphic to the rationals and $I(\psi) \triangleq \{1/n \mid n \in \mathbb{N}\}$, then $\forall t_1 > 0\, \exists t_2 > 0\, (t_2 < t_1 \wedge \psi(t_2))$, hence $0 \models (\bot\, W^+\, \psi)$. Moreover, $0 \not\models X\top$ and $0 \models F^+\top$, hence $0 \not\models ((\bot\, U^+\, \psi) \vee G^+\bot)$. For more information on other models of time, see [van Benthem 1991, Gabbay, Hodkinson and Reynolds 1994]. An immediate consequence of Lemma 2.2 is that in natural models the operator $U^+$ is definable by $W^+$ and $F^+$:
$(\varphi\, U^+\, \psi) \leftrightarrow ((\varphi\, W^+\, \psi) \wedge F^+\psi)$.
With first order logic, it is possible to use reverse relations: $x > y$ iff $y < x$. In [Lichtenstein, Pnueli and Zuck 1985], the authors argue that the ability to refer to the past can facilitate program specifications. The temporal past or since-operator $U^-$ is defined with the following semantics:
- $w_0 \models (\varphi\, U^-\, \psi)$ iff there exists $w_1 \in U$ with $w_1 < w_0$ and $w_1 \models \psi$, and for all $w_2 \in U$ with $w_1 < w_2$ and $w_2 < w_0$, we have $w_2 \models \varphi$.
The syntax of linear temporal logic (LTL) is defined as follows:

$\mathrm{LTL} ::= P \mid \bot \mid (\mathrm{LTL} \to \mathrm{LTL}) \mid (\mathrm{LTL}\, U^+\, \mathrm{LTL}) \mid (\mathrm{LTL}\, U^-\, \mathrm{LTL})$.

We write $F^-\varphi$ and $G^-\varphi$ for $(\top\, U^-\, \varphi)$ and $\neg F^-\neg\varphi$, respectively. Intuitively, these operators refer to "sometime in the past" and "always in the past". Moreover, $F\varphi$ and $G\varphi$ (sometime and always, in either direction) are abbreviations for $(F^-\varphi \vee \varphi \vee F^+\varphi)$ and $\neg F\neg\varphi$, respectively.
2.3. Expressive Completeness of Temporal Logic

How can first order and temporal logic be compared? Temporal logic can be regarded as a certain fragment of first order logic; this is explained more formally
reference points (free variables). To be able to compare the expressiveness of both types of logics, we restrict FOL to formulas with at most one free variable.

The above semantics induces a translation "FOL" from modal or temporal to first order logic, where $\mathrm{FOL}(\varphi)$ has exactly one free variable $t_0$.
$\mathrm{FOL}(p) \triangleq p(t_0)$
$\mathrm{FOL}(\bot) \triangleq (t_0 \ne t_0)$
$\mathrm{FOL}((\varphi \to \psi)) \triangleq (\mathrm{FOL}(\varphi) \to \mathrm{FOL}(\psi))$
$\mathrm{FOL}(\langle R \rangle\varphi) \triangleq \exists t'\,(t_0\,R\,t' \wedge \mathrm{FOL}(\varphi)\{t_0 := t'\})$
$\mathrm{FOL}(\mathbf{X}\varphi) \triangleq \exists t'\,(t_0 \prec t' \wedge \mathrm{FOL}(\varphi)\{t_0 := t'\})$
$\mathrm{FOL}(\mathbf{F}^+\varphi) \triangleq \exists t'\,(t_0 < t' \wedge \mathrm{FOL}(\varphi)\{t_0 := t'\})$
$\mathrm{FOL}(\mathbf{F}^-\varphi) \triangleq \exists t'\,(t' < t_0 \wedge \mathrm{FOL}(\varphi)\{t_0 := t'\})$
$\mathrm{FOL}((\varphi\,\mathbf{U}^+\,\psi)) \triangleq \exists t'\,(t_0 < t' \wedge \mathrm{FOL}(\psi)\{t_0 := t'\} \wedge \forall t''\,(t_0 < t'' < t' \to \mathrm{FOL}(\varphi)\{t_0 := t''\}))$
$\mathrm{FOL}((\varphi\,\mathbf{U}^-\,\psi)) \triangleq \exists t'\,(t' < t_0 \wedge \mathrm{FOL}(\psi)\{t_0 := t'\} \wedge \forall t''\,(t' < t'' < t_0 \to \mathrm{FOL}(\varphi)\{t_0 := t''\}))$
This translation is sometimes called the standard translation [Blackburn et al. 2000]. In the translation of $\langle R \rangle\varphi$, ..., $(\varphi\,\mathbf{U}^+\,\psi)$, the symbols $t'$ and $t''$ denote arbitrary variables which do not occur in $\mathrm{FOL}(\varphi)$ or $\mathrm{FOL}(\psi)$. The formula $\mathrm{FOL}(\psi)\{t_0 := t'\}$ denotes the formula $\mathrm{FOL}(\psi)$, where every (free) occurrence of the variable $t_0$ is replaced by the variable which is denoted by $t'$. The following example demonstrates the standard translation.
$\mathrm{FOL}(((\neg ack\,\mathbf{U}^-\,req)\,\mathbf{U}^+\,ack))$
$= \exists t_1\,(t_0 < t_1 \wedge ack(t_1) \wedge \forall t_2\,(t_0 < t_2 < t_1 \to \mathrm{FOL}((\neg ack\,\mathbf{U}^-\,req))\{t_0 := t_2\}))$
$= \exists t_1\,(t_0 < t_1 \wedge ack(t_1) \wedge \forall t_2\,(t_0 < t_2 < t_1 \to \exists t_3\,(t_3 < t_2 \wedge req(t_3) \wedge \forall t_4\,(t_3 < t_4 < t_2 \to \neg ack(t_4)))))$.
The standard translation of a modal or temporal formula is a first-order formula with exactly one free variable $t_0$. Correctness of the standard translation can formally be stated as follows:

2.3. Fact. For every $\varphi \in$ ML or LTL there exists a first order formula $\mathrm{FOL}(\varphi)$ such that for every frame $(U, \mathcal{I})$, point $w_0 \in U$ and valuation $v$ for which $v(t_0) = w_0$ it holds that $(U, \mathcal{I}, w_0) \models \varphi$ iff $(U, \mathcal{I}, v) \models \mathrm{FOL}(\varphi)$.

Hence, FOL is at least as expressive as LTL. A logic is called expressively complete (or definitionally complete), if there exists also a translation in the other direction: given any first-order formula with exactly one free variable, does an equivalent temporal formula exist?
For the translation of any given temporal formula into first order logic only three variables (say, $t_0$, $t_1$ and $t_2$) are really needed. Other variables can be reused; for example, the above $\mathrm{FOL}(((\neg ack\,\mathbf{U}^-\,req)\,\mathbf{U}^+\,ack))$ is equivalent to

$\exists t_1\,(t_0 < t_1 \wedge ack(t_1) \wedge \forall t_2\,(t_0 < t_2 < t_1 \to \exists t_0\,(t_0 < t_2 \wedge req(t_0) \wedge \forall t_1\,(t_0 < t_1 < t_2 \to \neg ack(t_1)))))$.
Similarly, modal logic can be translated into the two-variable fragment of first-order logic (and, in fact, into the so-called guarded fragment). In the first-order clause for $(\varphi\,\mathbf{U}^+\,\psi)$ three variables are needed. This is the reason why the until-operator is not definable in modal logic. Likewise, LTL cannot express any property which "inherently" uses four variables. For example, the statement "there are three different connected points reachable from the current point" is not expressible in temporal logic:

$$\exists t_1, t_2, t_3\,(t_0 < t_1 \wedge t_0 < t_2 \wedge t_0 < t_3 \wedge t_1 < t_2 \wedge t_1 < t_3 \wedge t_2 < t_3)$$
If $<$ is irreflexive, then a minimal model satisfying this formula is e.g. the following:

[Figure: the four points $t_0, t_1, t_2, t_3$ drawn in a row, with an edge for each of the six relations $t_i < t_j$ required by the formula.]
In case that $<$ is a linear order (antisymmetric and total) this is equivalent to

$$\exists t_1\,(t_0 < t_1 \wedge \exists t_2\,(t_1 < t_2 \wedge \exists t_3\,(t_2 < t_3)))$$

in which we can rename $t_3$ by $t_0$ to get the equivalent

$$\exists t_1\,(t_0 < t_1 \wedge \exists t_2\,(t_1 < t_2 \wedge \exists t_0\,(t_2 < t_0)))$$

which in turn can be expressed temporally as $\mathbf{F}^+\mathbf{F}^+\mathbf{F}^+\top$.
Therefore, attention is restricted to certain classes of structures, like complete linear orders, or finitely-branching trees, etc. A natural model consists of a finite or infinite sequence of points. Formally, a natural model $\mathcal{M} \triangleq (U, \mathcal{I}, w_0)$ is a Kripke-model with only one accessibility relation, such that $(U, \prec)$ is isomorphic to the natural numbers or an initial segment of the natural numbers³, where $\prec$ is the usual successor relation.

2.4. Theorem (Kamp, Gabbay). Temporal logic is expressively complete for natural models.

The original proof of this theorem in [Kamp 1968, pp. 39–94] is extremely complicated. The proof given below follows [Gabbay 1989] and uses a certain property called separation. Call a temporal formula
- pure future, if it is of form $(\varphi\,\mathbf{U}^+\,\psi)$, where in both $\varphi$ and $\psi$ no $\mathbf{U}^-$-operator occurs, and
- pure past, if it is of form $(\varphi\,\mathbf{U}^-\,\psi)$, where in both $\varphi$ and $\psi$ no $\mathbf{U}^+$-operator occurs, and
- pure present, if it contains no $\mathbf{U}^+$ or $\mathbf{U}^-$-operators.

A future formula is a boolean combination of pure future and pure present formulas, i.e., one which does not contain any $\mathbf{U}^-$-operators. Similarly, a past formula does not contain any $\mathbf{U}^+$. A formula is separated if it is a boolean combination of future and past formulas. A logic has the separation property (for a given class of models), if for every formula there exists a separated formula which is equivalent for all models under consideration.

³ Some textbooks restrict attention to infinite models. Terminating computations are then mod-
2.5. Lemma. The separation property implies expressive completeness.

Proof: This lemma is proven by induction on the structure of FOL-formulas. For the proof, we assume that LTL has the separation property for natural models. That is, for each linear temporal formula there exists an equivalent formula which is separated. We show that any first order formula $\varphi(t_0)$ which has exactly one free variable $t_0$ can be translated into a temporal formula $\mathrm{LTL}(\varphi)$. It suffices to consider first order logic where $\mathcal{R}^+ \triangleq \{<, =\}$: in natural models, there is a single accessibility relation, and every atomic subformula $t \prec t'$ can be equivalently replaced by $(t < t' \wedge \neg\exists t''\,(t < t'' \wedge t'' < t'))$. Furthermore, the scope of quantification can be minimized such that no sub-formula $\varphi \triangleq \exists t\,\psi$ contains a proposition $p(t')$ where $t'$ is free in $\varphi$. For example, $\exists t_1\,(t_1 > t_0 \wedge p(t_0) \wedge p(t_1))$ can be rewritten as $p(t_0) \wedge \exists t_1\,(t_1 > t_0 \wedge p(t_1))$.

The translation of $p(t_0)$ is $p$. It is not necessary to give a translation for formulas $p(t_1)$ or $t_0 < t_1$, since they involve other free variables than $t_0$. The translation of a boolean connective of sub-formulas is the boolean connective of the translation of the sub-formulas. The only remaining case are formulas $\varphi \triangleq \exists t_1\,\psi(t_0, t_1)$. Since the scope of the quantifier $\exists t_1$ is minimal, $\varphi$ does not contain any proposition $p(t_0)$. That is, $\psi(t_0, t_1)$ is a boolean combination of formulas $p(t_1)$, atomic formulas relating $t_0$ and $t_1$ such as $t_0 < t_1$, and $\varphi' \triangleq \exists t_2\,\psi'(t_0, t_1, t_2)$. Replace every sub-formula $t_0 < t$ by a new unary proposition $\mathit{future}(t)$, replace every sub-formula $t_0 = t$ by a new unary $\mathit{present}(t)$, and replace every $t < t_0$ by $\mathit{past}(t)$. That is, $\psi$ now does not contain any $t_0$, and thus each $\varphi'$ is a formula with exactly one free variable $t_1$. Since the nesting depth of existential quantifiers in each $\varphi'$ is smaller than that of $\varphi$, we can apply the induction hypothesis to get temporal formulae $\mathrm{LTL}(\varphi')$. Reinserting these into $\psi$ and replacing $p(t_1)$ in $\psi$ by $p$, and $q(t_1)$ by $q$ for $q \in \{\mathit{future}, \mathit{present}, \mathit{past}\}$ gives the temporal formula $\mathrm{LTL}(\psi)$. To translate $\varphi \triangleq \exists t_1\,\psi$ we separate the temporal formula $(\mathbf{F}^-\mathrm{LTL}(\psi) \vee \mathrm{LTL}(\psi) \vee \mathbf{F}^+\mathrm{LTL}(\psi))$. The resulting formula is a boolean combination of pure future, pure past and pure present formulas. Replace in this formula every $\mathit{future}$ inside a pure future formula by $\top$, every other $\mathit{future}$ by $\bot$. Similarly, replace every $\mathit{past}$ inside a pure past formula by $\top$, and every other $\mathit{past}$ by $\bot$. Finally, replace every $\mathit{present}$ inside a pure present formula by $\top$, every other $\mathit{present}$ by $\bot$. The resulting formula is the required translation $\mathrm{LTL}(\varphi)$.

Given any natural model $\mathcal{M} \triangleq (U, \mathcal{I}, w_0)$ for $\varphi$, define $\mathcal{I}(\mathit{future}) \triangleq \{w \mid w > w_0\}$, $\mathcal{I}(\mathit{present}) \triangleq \{w_0\}$ and $\mathcal{I}(\mathit{past}) \triangleq \{w \mid w < w_0\}$. Then every step in the above translation preserves validity in $\mathcal{M}$. Therefore, $\mathcal{M} \models \varphi$ iff $\mathcal{M} \models \mathrm{LTL}(\varphi)$. $\Box$
To illustrate this construction, let us find the temporal equivalent of $\varphi \triangleq \exists t_1\,(t_0 < t_1 \wedge p(t_1) \wedge \forall t_2\,(t_0 < t_2 < t_1 \to q(t_2)))$. (We already know that the outcome should be $(q\,\mathbf{U}^+\,p)$.) The first replacement results in $\exists t_1\,\psi$, where $\psi \triangleq (\mathit{future}(t_1) \wedge p(t_1) \wedge \neg\exists t_2\,(\mathit{future}(t_2) \wedge t_2 < t_1 \wedge \neg q(t_2)))$. The formula $\varphi'(t_1) = \exists t_2\,(t_2 < t_1 \wedge \mathit{future}(t_2) \wedge \neg q(t_2))$ inductively translates to $\mathrm{LTL}(\varphi') = \mathbf{F}^-(\mathit{future} \wedge \neg q) = \neg\mathbf{G}^-(\mathit{future} \to q)$. Thus $\mathrm{LTL}(\psi) = (\mathit{future} \wedge p \wedge \mathbf{G}^-(\mathit{future} \to q))$. To obtain $\mathrm{LTL}(\exists t_1\,\psi)$ we have to separate $\mathbf{F}\,\mathrm{LTL}(\psi) = \mathbf{F}^+\mathrm{LTL}(\psi) \vee \mathrm{LTL}(\psi) \vee \mathbf{F}^-\mathrm{LTL}(\psi)$. Separating $\mathbf{F}^+\mathrm{LTL}(\psi) = \mathbf{F}^+(\mathit{future} \wedge p \wedge \mathbf{G}^-(\mathit{future} \to q))$ gives $\mathbf{G}^-(\mathit{future} \to q) \wedge (\mathit{future} \to q) \wedge ((\mathit{future} \to q)\,\mathbf{U}^+\,(\mathit{future} \wedge p))$ (see below). The disjuncts $\mathbf{F}^-\mathrm{LTL}(\psi) = \mathbf{F}^-(\mathit{future} \wedge p \wedge \mathbf{G}^-(\mathit{future} \to q))$ and $\mathrm{LTL}(\psi) = (\mathit{future} \wedge p \wedge \mathbf{G}^-(\mathit{future} \to q))$ are already separated. To obtain $\mathrm{LTL}(\varphi)$, we now replace every $\mathit{future}$ inside a pure past or pure present formula by $\bot$ and every $\mathit{future}$ inside a pure future formula by $\top$. Then $\mathbf{G}^-(\mathit{future} \to q) \wedge (\mathit{future} \to q)$ reduces to $\top$, and $((\mathit{future} \to q)\,\mathbf{U}^+\,(\mathit{future} \wedge p))$ reduces to $(q\,\mathbf{U}^+\,p)$. The disjuncts $\mathbf{F}^-\mathrm{LTL}(\psi)$ and $\mathrm{LTL}(\psi)$ reduce to $\bot$. Therefore, $\mathbf{F}\,\mathrm{LTL}(\psi)$ reduces to $(q\,\mathbf{U}^+\,p)$, which is the expected result for $\mathrm{LTL}(\varphi)$.
In the above, we used the following equivalence to separate a nested occurrence of future- and past-operators:

$$\models \mathbf{F}^+(\varphi \wedge \mathbf{G}^-\psi) \leftrightarrow \mathbf{G}^-\psi \wedge \psi \wedge (\psi\,\mathbf{U}^+\,\varphi)$$

Proof: The left side of this formula states that sometimes in the future, $\varphi$ and always in the past $\psi$ holds. In other words, there is some $w_1 > w_0$ such that $\varphi$ holds at $w_1$, and for all $w_2 < w_1$, the formula $\psi$ holds at $w_2$. In a natural model, each such $w_2$ must be in the past ($w_2 < w_0$), present ($w_2 = w_0$) or future ($w_0 < w_2 < w_1$) of the current point $w_0$. Therefore, for each $w_2 < w_0$, the formula $\psi$ holds, and $\psi$ holds at $w_0$, and there is some $w_1 > w_0$ such that $\varphi$ holds at $w_1$, and for all $w_0 < w_2 < w_1$, the formula $\psi$ holds at $w_2$. This is stated by the right side of the formula. Conversely, the three conjuncts of the right side together state exactly that $\psi$ holds at every point below some $w_1 > w_0$ at which $\varphi$ holds, which is the left side. $\Box$
A more convenient way to show the correctness of such formulas than by semantical reasoning is by an automated proof procedure. In Section 7, we will show that LTL is decidable. There are several automated provers freely available. In fact, the above formula is checked by the STeP system within milliseconds.
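The following is an added example (not code from the chapter, and not the STeP system mentioned above). It gives the finite-trace semantics of LTL with past, as defined for $\mathbf{U}^+$ and $\mathbf{U}^-$ in Section 2.2, implements the standard translation of Section 2.3 together with a small first-order evaluator, and then checks, by exhausting all natural models up to a fixed length, the equivalence $(\varphi\,\mathbf{U}^+\,\psi) \leftrightarrow ((\varphi\,\mathbf{W}^+\,\psi) \wedge \mathbf{F}^+\psi)$ of Lemma 2.2, the separation equivalence just proved, and Fact 2.3 for the request/acknowledge formula of the standard-translation example. A bounded check of this kind is not a proof (the proofs are above); it is the kind of sanity check a practitioner runs before trusting a hand-derived equivalence. The trace format, the tuple encoding of formulas and the sample trace are choices of this example.

```python
"""LTL with past on finite traces, its standard translation into FOL, and
bounded exhaustive checks of the equivalences in the text (example code)."""
from itertools import product

# A natural model of length n: trace[i] is the set of propositions true at w_i.
# LTL formulas: ('p', name) | ('bot',) | ('->', a, b) | ('U+', a, b) | ('U-', a, b)
def sat(trace, i, f):
    """w_i |= f.  U+ is the strict future until, U- the strict past 'since'."""
    op = f[0]
    if op == 'p':
        return f[1] in trace[i]
    if op == 'bot':
        return False
    if op == '->':
        return (not sat(trace, i, f[1])) or sat(trace, i, f[2])
    if op == 'U+':   # some w_j > w_i with f[2], and f[1] at every w_k, i < k < j
        return any(sat(trace, j, f[2]) and all(sat(trace, k, f[1]) for k in range(i + 1, j))
                   for j in range(i + 1, len(trace)))
    if op == 'U-':   # some w_j < w_i with f[2], and f[1] at every w_k, j < k < i
        return any(sat(trace, j, f[2]) and all(sat(trace, k, f[1]) for k in range(j + 1, i))
                   for j in range(i))
    raise ValueError(op)

# Derived operators, exactly the abbreviations used in the text.
def neg(a): return ('->', a, ('bot',))
TOP = neg(('bot',))
def disj(a, b): return ('->', neg(a), b)
def conj(a, b): return neg(('->', a, neg(b)))
def iff(a, b): return conj(('->', a, b), ('->', b, a))
def F_plus(a): return ('U+', TOP, a)
def G_plus(a): return neg(F_plus(neg(a)))
def F_minus(a): return ('U-', TOP, a)
def G_minus(a): return neg(F_minus(neg(a)))
def W_plus(a, b): return neg(('U+', neg(b), neg(disj(a, b))))   # unless

# Standard translation FOL(f) with free variable t (t0 by default).
# FOL formulas: ('P', name, var) | ('<', v, v') | ('!=', v, v') | ('->', g, h)
#               | ('and', g, h) | ('E', var, g) | ('A', var, g)
def to_fol(f, t='t0'):
    counter = [0]
    def fresh():                      # variables never reused (no clash with t0)
        counter[0] += 1
        return 't%d' % counter[0]
    def tr(f, t):
        op = f[0]
        if op == 'p':
            return ('P', f[1], t)
        if op == 'bot':
            return ('!=', t, t)
        if op == '->':
            return ('->', tr(f[1], t), tr(f[2], t))
        if op in ('U+', 'U-'):
            t1, t2 = fresh(), fresh()
            lo, hi = (t, t1) if op == 'U+' else (t1, t)      # t < t1 resp. t1 < t
            between = ('->', ('<', lo, t2), ('->', ('<', t2, hi), tr(f[1], t2)))
            return ('E', t1, ('and', ('<', lo, hi), ('and', tr(f[2], t1), ('A', t2, between))))
        raise ValueError(op)
    return tr(f, t)

def fol_sat(trace, env, g):
    """(trace, env) |= g, with quantifiers ranging over the positions of the trace."""
    op = g[0]
    if op == 'P':   return g[1] in trace[env[g[2]]]
    if op == '<':   return env[g[1]] < env[g[2]]
    if op == '!=':  return env[g[1]] != env[g[2]]
    if op == '->':  return (not fol_sat(trace, env, g[1])) or fol_sat(trace, env, g[2])
    if op == 'and': return fol_sat(trace, env, g[1]) and fol_sat(trace, env, g[2])
    pts = range(len(trace))
    if op == 'E':   return any(fol_sat(trace, {**env, g[1]: w}, g[2]) for w in pts)
    if op == 'A':   return all(fol_sat(trace, {**env, g[1]: w}, g[2]) for w in pts)
    raise ValueError(op)

def all_traces(props, n):
    """Every natural model of length n over the given propositions."""
    cells = [frozenset(p for p, on in zip(props, bits) if on)
             for bits in product([0, 1], repeat=len(props))]
    return [list(tr) for tr in product(cells, repeat=n)]

def valid_up_to(f, props, max_len):
    """Bounded validity: f holds at every point of every trace of length <= max_len."""
    return all(sat(tr, i, f) for n in range(1, max_len + 1)
               for tr in all_traces(props, n) for i in range(n))

def translation_agrees(f, props, max_len):
    """Fact 2.3 on bounded traces: LTL and FOL semantics give the same answer."""
    g = to_fol(f)
    return all(sat(tr, i, f) == fol_sat(tr, {'t0': i}, g)
               for n in range(1, max_len + 1) for tr in all_traces(props, n) for i in range(n))

p, q, req, ack = ('p', 'p'), ('p', 'q'), ('p', 'req'), ('p', 'ack')
LEMMA_2_2 = iff(('U+', p, q), conj(W_plus(p, q), F_plus(q)))          # U+ via W+ and F+
SEPARATION = iff(F_plus(conj(p, G_minus(q))), conj(conj(G_minus(q), q), ('U+', q, p)))
REQ_ACK = ('U+', ('U-', neg(ack), req), ack)                            # standard-translation example
TRACE = [set(), {'req'}, set(), {'ack'}]      # constructed: w_0 = {}, w_1 = {req}, w_2 = {}, w_3 = {ack}

if __name__ == '__main__':
    print('Lemma 2.2 consequence, traces <= 5:', valid_up_to(LEMMA_2_2, ['p', 'q'], 5))
    print('separation equivalence, traces <= 5:', valid_up_to(SEPARATION, ['p', 'q'], 5))
    print('standard translation agrees, traces <= 4:', translation_agrees(REQ_ACK, ['req', 'ack'], 4))
    print('w_0 |= REQ_ACK:', sat(TRACE, 0, REQ_ACK), ' w_1 |= REQ_ACK:', sat(TRACE, 1, REQ_ACK))
```

On the constructed trace the formula $((\neg ack\,\mathbf{U}^-\,req)\,\mathbf{U}^+\,ack)$ holds at $w_1$ but not at $w_0$: from $w_1$ the acknowledgement at $w_3$ is preceded only by $w_2$, which has the request $w_1$ in its past with no acknowledgement since; from $w_0$ the intermediate point $w_1$ has no request in its past at all. The bounds (length 5 for the pure LTL checks, 4 for the translation check with its four nested quantifiers) keep the run to well under a second.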
To show expressive completeness, it remains to prove the following:

2.6. Lemma. LTL has the separation property for natural models.

Proof: Consider the case of a non-separated formula $\varphi \triangleq (\varphi_1\,\mathbf{U}^+\,\varphi_2)$, which contains a direct subformula $\psi \triangleq (\psi_1\,\mathbf{U}^-\,\psi_2)$ (i.e., $\psi$ is a boolean component of $\varphi_1$ and/or $\varphi_2$, and does not occur elsewhere in $\varphi_1$ or $\varphi_2$). We write $\varphi_i^\top$ and $\varphi_i^\bot$ for $\varphi_i\{\psi := \top\}$ and $\varphi_i\{\psi := \bot\}$, respectively. By propositional reasoning, $\varphi_1 \leftrightarrow ((\psi \vee \varphi_1^\bot) \wedge (\neg\psi \vee \varphi_1^\top))$ and $\varphi_2 \leftrightarrow ((\psi \wedge \varphi_2^\top) \vee (\neg\psi \wedge \varphi_2^\bot))$. Therefore, $\varphi$ is equivalent to

$$(((\psi \vee \varphi_1^\bot) \wedge (\neg\psi \vee \varphi_1^\top))\,\mathbf{U}^+\,((\psi \wedge \varphi_2^\top) \vee (\neg\psi \wedge \varphi_2^\bot))).$$

By temporal reasoning, this in turn is equivalent to

$$(((\psi \vee \varphi_1^\bot)\,\mathbf{U}^+\,(\psi \wedge \varphi_2^\top)) \vee ((\psi \vee \varphi_1^\bot)\,\mathbf{U}^+\,(\neg\psi \wedge \varphi_2^\bot))) \wedge (((\neg\psi \vee \varphi_1^\top)\,\mathbf{U}^+\,(\psi \wedge \varphi_2^\top)) \vee ((\neg\psi \vee \varphi_1^\top)\,\mathbf{U}^+\,(\neg\psi \wedge \varphi_2^\bot))).$$

For each of the four boolean components of this formula, an equivalent separated formula is given in Fig. 2. Though these formulas are hard to read and difficult to prove manually, their validity can be easily checked by an automated theorem prover. Intuitively, they are generalizations of the example given above. With the separating clauses, $\varphi$ can be rewritten such that $\psi$ is not in the scope of any $\mathbf{U}^+$. Since the formulas of Fig. 2 still hold if $\mathbf{U}^+$ and $\mathbf{U}^-$ are interchanged, each $(\varphi_1\,\mathbf{U}^-\,\varphi_2)$ containing a direct subformula $\psi \triangleq (\psi_1\,\mathbf{U}^+\,\psi_2)$ can be rewritten such that $\psi$ does not occur in the scope of a $\mathbf{U}^-$. The general case of several different past time-subformulas nested within future-subformulas and vice versa can be handled by repeated application of these transformations. Formally, the claim follows by induction on the nesting depth and number of $\mathbf{U}^-$ sub-formulas within $\mathbf{U}^+$ and vice versa. $\Box$

Since in the separation step of this construction subformulas may be duplicated, the resulting LTL formula can be nonelementary larger than the original FOL formula.
(i) $(\langle(\psi_1\,\mathbf{U}^-\,\psi_2) \vee \varphi_1\rangle\;\mathbf{U}^+\;\langle(\psi_1\,\mathbf{U}^-\,\psi_2) \wedge \varphi_2\rangle) \leftrightarrow$
$\quad (\psi_1\,\mathbf{U}^+\,\varphi_2) \wedge \langle\psi_2 \vee \psi_1 \wedge (\psi_1\,\mathbf{U}^-\,\psi_2)\rangle \;\vee$
$\quad (\langle\psi_1 \vee \psi_2 \vee \neg(\neg\psi_2\,\mathbf{U}^+\,\neg\varphi_1)\rangle\;\mathbf{U}^+\;\langle\psi_2 \wedge (\psi_1\,\mathbf{U}^+\,\varphi_2)\rangle) \;\wedge$
$\quad (\neg(\neg\psi_2\,\mathbf{U}^+\,\neg\varphi_1) \vee \langle\psi_2 \vee \psi_1 \wedge (\psi_1\,\mathbf{U}^-\,\psi_2)\rangle)$

(ii) $(\langle(\psi_1\,\mathbf{U}^-\,\psi_2) \vee \varphi_1\rangle\;\mathbf{U}^+\;\langle\neg(\psi_1\,\mathbf{U}^-\,\psi_2) \wedge \varphi_2\rangle) \leftrightarrow$
$\quad (\langle\varphi_1 \wedge \neg\psi_2\rangle\;\mathbf{U}^+\;\varphi_2) \wedge \langle(\neg\psi_2 \wedge (\neg\psi_1 \vee \neg(\psi_1\,\mathbf{U}^-\,\psi_2)))\rangle \;\vee$
$\quad (\langle\psi_1 \vee \psi_2 \vee (\varphi_1\,\mathbf{U}^+\,\langle\varphi_2 \vee \varphi_1 \wedge \psi_2\rangle)\rangle\;\mathbf{U}^+\;\langle\neg\psi_1 \wedge \neg\psi_2 \wedge (\langle\varphi_1 \wedge \neg\psi_2\rangle\;\mathbf{U}^+\;\varphi_2)\rangle) \;\wedge$
$\quad (\varphi_1\,\mathbf{U}^+\,\langle\varphi_1 \wedge \psi_2\rangle) \vee \langle\psi_2 \vee \psi_1 \wedge (\psi_1\,\mathbf{U}^-\,\psi_2)\rangle$

(iii) $(\langle\neg(\psi_1\,\mathbf{U}^-\,\psi_2) \vee \varphi_1\rangle\;\mathbf{U}^+\;\langle(\psi_1\,\mathbf{U}^-\,\psi_2) \wedge \varphi_2\rangle) \leftrightarrow$
$\quad (\langle\varphi_1 \wedge \psi_1\rangle\;\mathbf{U}^+\;\varphi_2) \wedge \langle\psi_2 \vee \psi_1 \wedge (\psi_1\,\mathbf{U}^-\,\psi_2)\rangle \;\vee$
$\quad (\langle\neg\psi_2 \vee (\varphi_1\,\mathbf{U}^+\,\langle\varphi_2 \vee \varphi_1 \wedge \neg\psi_1 \wedge \neg\psi_2\rangle)\rangle\;\mathbf{U}^+\;\langle\psi_2 \wedge (\langle\varphi_1 \wedge \psi_1\rangle\;\mathbf{U}^+\;\varphi_2)\rangle) \;\wedge$
$\quad ([\varphi_1\,\mathbf{U}^+\,\langle\varphi_1 \wedge \neg\psi_1 \wedge \neg\psi_2\rangle] \vee [\neg\psi_2 \wedge \langle\neg\psi_1 \vee \neg(\psi_1\,\mathbf{U}^-\,\psi_2)\rangle])$

(iv) $(\langle\neg(\psi_1\,\mathbf{U}^-\,\psi_2) \vee \varphi_1\rangle\;\mathbf{U}^+\;\langle\neg(\psi_1\,\mathbf{U}^-\,\psi_2) \wedge \varphi_2\rangle) \leftrightarrow$
$\quad (\neg(\psi_1\,\mathbf{U}^+\,\neg\varphi_1) \vee \langle\neg\psi_2 \wedge (\neg\psi_1 \vee \neg(\psi_1\,\mathbf{U}^-\,\psi_2))\rangle) \;\wedge$
$\quad (\neg(\langle\psi_1 \vee \psi_2 \vee \neg(\neg\psi_2\,\mathbf{U}^+\,\varphi_2)\rangle\;\mathbf{U}^+\;\langle\psi_2 \wedge (\psi_1\,\mathbf{U}^+\,\neg\varphi_1)\rangle) \;\vee$
$\quad\quad ((\neg\psi_2\,\mathbf{U}^+\,\varphi_2) \wedge \langle\neg\psi_2 \wedge (\neg\psi_1 \vee \neg(\psi_1\,\mathbf{U}^-\,\psi_2))\rangle)) \;\wedge$
$\quad (\mathbf{F}^+[\neg\psi_1 \wedge \neg\psi_2 \wedge (\neg\psi_2\,\mathbf{U}^+\,\varphi_2)] \vee [(\neg\psi_2\,\mathbf{U}^+\,\varphi_2) \wedge (\neg\psi_2 \wedge \langle\neg\psi_1 \vee \neg(\psi_1\,\mathbf{U}^-\,\psi_2)\rangle)])$

Figure 2: Separation clauses for LTL
3. Second Order Languages

3.1. Linear and Branching Time Logics

As we have seen, linear temporal logic is expressively complete for natural models. The same result (with minor modifications) can be proved for finitely branching trees [Schlingloff 1992a, Schlingloff 1992b], and for certain partially ordered structures [Thiagarajan and Walukiewicz 1997]. In computer science, the possible executions of a program can be modelled as a set of execution sequences. Alternatively, it can be modelled as a unique execution tree, where branches denote nondeterministic decisions. This view is adopted in branching time temporal logic [Lamport 1980, Ben-Ari, Manna and Pnueli 1983, Emerson and Halpern 1986]. Statements about correctness of programs can involve assertions about all maximal paths in a tree. A path in a model is a (finite or infinite) nonempty sequence of points $\sigma = (w_0, w_1, \ldots)$, where for each $i$ with $0 \le i$ and $i + 1 < |\sigma|$ there exists an $R_i \in \mathcal{R}$ such that $(w_i, w_{i+1}) \in \mathcal{I}(R_i)$. A path is maximal, if each of its points which has a successor in the model also has a successor in the path. In other words, a maximal path is either infinite, or its final point $w_n$ is terminal (there is no $w$ such that $w_n \prec w$). Computation tree logic (CTL) [Clarke and Emerson 1981, Emerson and Clarke 1982] has the following syntax:

$$\mathrm{CTL} ::= \mathcal{P} \mid \bot \mid (\mathrm{CTL} \to \mathrm{CTL}) \mid \mathbf{E}(\mathrm{CTL}\;\mathbf{U}^+\;\mathrm{CTL}) \mid \mathbf{A}(\mathrm{CTL}\;\mathbf{U}^+\;\mathrm{CTL}).$$
CTL is interpreted on tree models. A tree is defined as usual: it has a single root $w_0$, and every node $w_n$ can be reached from $w_0$ by exactly one finite path. The transitive closure "$<$" of the successor relation "$\prec$" then denotes the usual tree-order: $(w_1, w_2) \in \mathcal{I}(<)$ iff $w_1$ is on the (unique) path from the root $w_0$ up to $w_2$.

$w_0 \models \mathbf{E}(\varphi\,\mathbf{U}^+\,\psi)$ iff there exists $w_1 > w_0$ such that $w_1 \models \psi$, and for all $w_2 \in U$, if $w_0 < w_2 < w_1$ then $w_2 \models \varphi$.

$w_0 \models \mathbf{A}(\varphi\,\mathbf{U}^+\,\psi)$ iff for all maximal paths $p$ from $w_0$ there exists $w_1 > w_0$ on path $p$ such that $w_1 \models \psi$, and for all $w_0 < w_2 < w_1$, $w_2 \models \varphi$.
Thus, the $\mathbf{E}\mathbf{U}^+$-operator is defined similar to the LTL until-operator. However, the intended models for CTL are trees, whereas LTL usually is interpreted on natural models. In CTL weak and derived operators can also be defined as abbreviations. However, in branching time, there are two variants of each derived operator; the variant defined directly via $\mathbf{U}^+$ is marked with a tilde here.

$\mathbf{E}\tilde{\mathbf{X}}\psi \triangleq \mathbf{E}(\bot\,\mathbf{U}^+\,\psi)$, $\quad \mathbf{A}\tilde{\mathbf{X}}\psi \triangleq \mathbf{A}(\bot\,\mathbf{U}^+\,\psi)$,
$\mathbf{EX}\psi \triangleq \neg\mathbf{A}\tilde{\mathbf{X}}\neg\psi$, $\quad \mathbf{AX}\psi \triangleq \neg\mathbf{E}\tilde{\mathbf{X}}\neg\psi$,
$\mathbf{EF}^+\psi \triangleq \mathbf{E}(\top\,\mathbf{U}^+\,\psi)$, $\quad \mathbf{AF}^+\psi \triangleq \mathbf{A}(\top\,\mathbf{U}^+\,\psi)$,
$\mathbf{EG}^+\psi \triangleq \neg\mathbf{AF}^+\neg\psi$, $\quad \mathbf{AG}^+\psi \triangleq \neg\mathbf{EF}^+\neg\psi$,
$\mathbf{E}(\varphi\,\mathbf{U}^*\,\psi) \triangleq (\psi \vee \varphi \wedge \mathbf{E}(\varphi\,\mathbf{U}^+\,\psi))$, $\quad \mathbf{A}(\varphi\,\mathbf{U}^*\,\psi) \triangleq (\psi \vee \varphi \wedge \mathbf{A}(\varphi\,\mathbf{U}^+\,\psi))$,
$\mathbf{EF}^*\psi \triangleq (\psi \vee \mathbf{EF}^+\psi)$, $\quad \mathbf{AF}^*\psi \triangleq (\psi \vee \mathbf{AF}^+\psi)$,
$\mathbf{E}(\varphi\,\mathbf{W}^+\,\psi) \triangleq \neg\mathbf{A}(\neg\psi\,\mathbf{U}^+\,\neg(\varphi \vee \psi))$, $\quad \mathbf{A}(\varphi\,\mathbf{W}^+\,\psi) \triangleq \neg\mathbf{E}(\neg\psi\,\mathbf{U}^+\,\neg(\varphi \vee \psi))$.

Informally, $\mathbf{E}\tilde{\mathbf{X}}\psi$ means that some successor node satisfies $\psi$, and $\mathbf{AX}\psi$ holds if all successors satisfy $\psi$. In a terminal point, $\mathbf{AX}\bot$ is valid, but $\mathbf{A}\tilde{\mathbf{X}}\bot$ is not: if $w_0$ has no successors, then the only maximal path $p$ from $w_0$ is the one-element sequence $\sigma = (w_0)$. On this unique path there is no $w_1 > w_0$, therefore each formula $\mathbf{A}(\varphi\,\mathbf{U}^+\,\psi)$ and $\mathbf{E}(\varphi\,\mathbf{U}^+\,\psi)$ must be invalid. As a special case, in such a point $\mathbf{E}\tilde{\mathbf{X}}\top$ is not valid, but $\mathbf{EX}\top$ and $\mathbf{EX}\bot$ are valid. In a nonterminal point, $(\mathbf{E}\tilde{\mathbf{X}}\varphi \leftrightarrow \mathbf{EX}\varphi)$ and $(\mathbf{A}\tilde{\mathbf{X}}\varphi \leftrightarrow \mathbf{AX}\varphi)$. Thus, if we restrict attention to models without terminal points, these operators coincide. The operators $\mathbf{A}\tilde{\mathbf{X}}$ and $\mathbf{EX}$ can be expressed by $\mathbf{E}\tilde{\mathbf{X}}$ and $\mathbf{AX}$ (with at most linear increase of formula length) via $(\mathbf{A}\tilde{\mathbf{X}}\varphi \leftrightarrow \mathbf{AX}\varphi \wedge \mathbf{E}\tilde{\mathbf{X}}\top)$ and $(\mathbf{EX}\varphi \leftrightarrow \mathbf{E}\tilde{\mathbf{X}}\varphi \vee \mathbf{AX}\bot)$, that is, $(\mathbf{EX}\varphi \leftrightarrow (\mathbf{E}\tilde{\mathbf{X}}\top \to \mathbf{E}\tilde{\mathbf{X}}\varphi))$. Thus, all CTL nexttime-operators can be expressed in terms of $\mathbf{E}\tilde{\mathbf{X}}$.
The formula $\mathbf{EF}^*\psi$ means that some node in the computation tree satisfies $\psi$, and $\mathbf{AF}^*\psi$ specifies that $\psi$ must hold somewhere along every maximal computation path. Dually, $\mathbf{AG}^*\psi$ means that every node in the (sub-)tree satisfies $\psi$, whereas $\mathbf{EG}^*\psi$ indicates that $\psi$ is globally valid along some path.

[Figure: four computation trees illustrating $\mathbf{E}(\varphi\,\mathbf{U}^+\,\psi)$, $\mathbf{A}(\varphi\,\mathbf{U}^+\,\psi)$, $\mathbf{E}\tilde{\mathbf{X}}\psi$ and $\mathbf{AX}\psi$. Nodes satisfying $\varphi$ are shown solid (or as a shaded area), whereas $\psi$ nodes are indicated by a circle.]
The operator $\mathbf{A}\mathbf{U}^+$ can be expressed by $\mathbf{E}\mathbf{U}^+$ and $\mathbf{AF}^+$. This characterization is similar to the definition of the unless-operator in linear temporal logic, cf. page 1648:

$$\mathbf{A}(\varphi\,\mathbf{U}^+\,\psi) \leftrightarrow (\mathbf{A}(\varphi\,\mathbf{W}^+\,\psi) \wedge \mathbf{AF}^+\psi) = (\neg\mathbf{E}(\neg\psi\,\mathbf{U}^+\,\neg(\varphi \vee \psi)) \wedge \mathbf{AF}^+\psi).$$

Therefore, it is sufficient to consider only the two basic operators $\mathbf{E}\mathbf{U}^+$ and $\mathbf{AF}^+$ in formal proofs and algorithms. Similarly, the formula $\mathbf{E}(\varphi\,\mathbf{W}^+\,\psi)$ can be replaced by $(\mathbf{E}(\varphi\,\mathbf{U}^+\,\psi) \vee \mathbf{EG}^+\varphi)$. However, there is no negation-free "dual" characterization of $\mathbf{A}\mathbf{W}^+$ and $\mathbf{E}\mathbf{U}^+$.
We now give some examples of CTL formulas. The following properties are typical correctness requirements that might arise in the verification of a finite state concurrent program.
- $\mathbf{EF}^+(\mathit{started} \wedge \neg\mathit{ready})$: it is possible to get to a state where $\mathit{started}$ holds but $\mathit{ready}$ does not hold.
- $\mathbf{AG}^*(\mathit{req} \to \mathbf{AF}^+\mathit{ack})$: if a request occurs, then it will be eventually acknowledged.
- $\mathbf{AG}^*\mathbf{AF}^*\mathit{stackisempty}$: the proposition $\mathit{stackisempty}$ holds infinitely often on every computation path.
- $\mathbf{AG}^*\mathbf{EF}^*\mathit{restart}$: from any state it is possible to get to a restart state.

For many CTL formulas it is possible to formulate similar correctness properties in LTL. Possibility properties like the last one mentioned above cannot be formulated in LTL. On the other hand, certain fairness properties cannot be formulated in CTL.
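As an added example (not code from the chapter), the following realises the CTL semantics above on a finite Kripke structure with terminal states and evaluates the correctness requirements just listed on a small constructed request/acknowledge server. Only $\mathbf{E}\mathbf{U}^+$ and $\mathbf{A}\mathbf{U}^+$ are computed, each as a least fixpoint over the strong next-time operator $\mathbf{E}\tilde{\mathbf{X}}$ resp. $\mathbf{A}\tilde{\mathbf{X}}$; every other operator is the abbreviation given in the text, so the example also exhibits the terminal-point behaviour of $\mathbf{AX}$ versus $\mathbf{A}\tilde{\mathbf{X}}$ and checks the identity $\mathbf{A}(\varphi\,\mathbf{U}^+\,\psi) \leftrightarrow (\mathbf{A}(\varphi\,\mathbf{W}^+\,\psi) \wedge \mathbf{AF}^+\psi)$ on the model. Fixpoint algorithms are the subject of Section 8; here they only serve to evaluate the semantics. The model, its state names and the tuple encoding of formulas are choices of this example.

```python
"""Explicit-state CTL on a finite Kripke structure with terminal states.
EU+ and AU+ are least fixpoints over the strong next-time operators; all
other operators are abbreviations as in the text.  Example code, not from
the chapter; the server model is constructed for this example."""

# Kripke structure: {'succ': state -> list of successors (empty = terminal),
#                    'label': state -> set of atomic propositions}
# Formulas: ('p', name) | ('bot',) | ('->', a, b) | ('EU+', a, b) | ('AU+', a, b)

def ex_strong(K, Z):
    """E X~ Z: some successor lies in Z (never true at a terminal state)."""
    return {s for s, nxt in K['succ'].items() if any(t in Z for t in nxt)}

def ax_strong(K, Z):
    """A X~ Z: the state is nonterminal and all successors lie in Z."""
    return {s for s, nxt in K['succ'].items() if nxt and all(t in Z for t in nxt)}

def sat_set(K, f):
    """The set of states of K satisfying f."""
    S = set(K['succ'])
    op = f[0]
    if op == 'p':
        return {s for s in S if f[1] in K['label'][s]}
    if op == 'bot':
        return set()
    if op == '->':
        return (S - sat_set(K, f[1])) | sat_set(K, f[2])
    if op in ('EU+', 'AU+'):
        a, b = sat_set(K, f[1]), sat_set(K, f[2])
        step = ex_strong if op == 'EU+' else ax_strong
        # reflexive until Q(a U* b) = least fixpoint of Z = b | (a & Q X~ Z)
        Z = set()
        while True:
            Z_next = b | (a & step(K, Z))
            if Z_next == Z:
                break
            Z = Z_next
        return step(K, Z)   # strict until Q(a U+ b) = Q X~ Q(a U* b)
    raise ValueError(op)

# abbreviations from the text (X~ is the variant defined directly via U+)
def neg(a): return ('->', a, ('bot',))
TOP = neg(('bot',))
def conj(a, b): return neg(('->', a, neg(b)))
def disj(a, b): return ('->', neg(a), b)
def EX_strong(a): return ('EU+', ('bot',), a)
def AX_strong(a): return ('AU+', ('bot',), a)
def EX(a): return neg(AX_strong(neg(a)))       # weak: true at terminal states
def AX(a): return neg(EX_strong(neg(a)))       # weak: true at terminal states
def EF_plus(a): return ('EU+', TOP, a)
def AF_plus(a): return ('AU+', TOP, a)
def EF_star(a): return disj(a, EF_plus(a))
def AG_star(a): return neg(EF_star(neg(a)))
def AW_plus(a, b): return neg(('EU+', neg(b), neg(disj(a, b))))

# constructed model: a request/acknowledge server that may restart or halt
SERVER = {
    'succ': {'idle': ['req', 'idle'], 'req': ['ack'],
             'ack': ['idle', 'restart', 'halt'], 'restart': ['idle'], 'halt': []},
    'label': {'idle': set(), 'req': {'req'}, 'ack': {'ack'},
              'restart': {'restart'}, 'halt': {'halt'}},
}
REQ, ACK, RESTART, BOT = ('p', 'req'), ('p', 'ack'), ('p', 'restart'), ('bot',)

def holds(K, f, s='idle'):
    """s |= f, i.e. tree-validity of f in the tree unfolded from s."""
    return s in sat_set(K, f)

def au_identity_holds(K, a, b):
    """A(a U+ b) <-> (A(a W+ b) & AF+ b), compared on every state of K."""
    return sat_set(K, ('AU+', a, b)) == sat_set(K, conj(AW_plus(a, b), AF_plus(b)))

if __name__ == '__main__':
    print('AG*(req -> AF+ ack):', holds(SERVER, AG_star(('->', REQ, AF_plus(ACK)))))
    print('AG* EF* restart:    ', holds(SERVER, AG_star(EF_star(RESTART))))
    print('halt |= AX bot:', holds(SERVER, AX(BOT), 'halt'),
          ' halt |= A X~ bot:', holds(SERVER, AX_strong(BOT), 'halt'))
```

On this model every request is acknowledged, but the possibility property $\mathbf{AG}^*\mathbf{EF}^*\mathit{restart}$ fails, because the terminal state $\mathit{halt}$ is reachable and has no path to a restart; a deadlocked state of this kind is exactly where the weak $\mathbf{AX}\bot$ holds vacuously while $\mathbf{A}\tilde{\mathbf{X}}\bot$ does not, as discussed above.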
How can we compare the expressivity of CTL with (the future fragment of) LTL? Direct comparison is difficult, since models are different: on natural models, which are special tree models with branching degree one, $\mathbf{A}\mathbf{U}^+$ and $\mathbf{E}\mathbf{U}^+$-operators coincide. On tree models with higher branching degree, LTL obviously cannot express $\mathbf{A}(\varphi\,\mathbf{U}^+\,\psi)$.

Therefore, one considers LTL and CTL on (nonlinear, non-tree) Kripke-models $(U, \mathcal{I}, w_0)$. In contrast to natural or tree models, Kripke-models can contain reflexive points, loops or even dense relations. We call an LTL future formula sequence-valid in a Kripke-model $\mathcal{M}$, if it is valid in all natural models $((w_0, w_1, \ldots), \mathcal{I}, w_0)$ which are generated from $\mathcal{M}$, that is, for all maximal paths $(w_0, w_1, \ldots)$ in $U$ starting from $w_0$. (A formal definition of this notion will be given in Section 4.) Similarly, a CTL-formula is called tree-valid in a Kripke-model, if it is valid in the root of the unique maximal tree generated from it.

With this definition, the expressivity of LTL and CTL can be compared. It turns out that on Kripke models, neither of both is strictly more expressive than the other one. For example, the LTL formula $\varphi \triangleq \mathbf{F}^+\mathbf{G}^+p$ is not expressible in CTL (it is not the same property as $\mathbf{AF}^+\mathbf{AG}^+p$). That is, there is no CTL-formula $\psi$ such that $\psi$ is tree-valid in exactly the same Kripke-models in which $\varphi$ is sequence-valid. Similarly, $\mathbf{AG}^+\mathbf{EF}^+p$ is not expressible in LTL (it is not the same as $\mathbf{G}^+\mathbf{F}^+p$). For more information on the expressiveness of linear versus branching time see [Emerson and Lei 1985, Emerson and Halpern 1986, Clarke and Draghicescu 1988, Emerson 1990].

On Kripke-models, the logic CTL* (see [Emerson and Lei 1985, Emerson and Halpern 1986]) subsumes CTL and LTL by separating path quantification ($\mathbf{E}$) from temporal quantification ($\mathbf{U}^+$). Thus it is possible to write e.g. $\mathbf{E}\mathbf{G}^*\mathbf{F}^*p$. The logic CTL* is strictly more expressive than both CTL and LTL. On binary trees, the expressiveness of CTL* can be compared to first order logic with additional (second order) quantification on paths. For more information on the expressiveness and complexity of various sublogics of CTL*, see [Emerson 1990].
3.2. Propositionally Quantified Logics

Quantification over maximal paths is not a first-order notion. It is clear that for natural models, which consist of exactly one maximal path, this quantifier is not very useful. However, even for natural models, there might be other types of second-order quantification which could be interesting. Wolper remarked that "temporal
order logic, it is not possible to specify that a certain proposition $p$ holds on every second point of an execution sequence, without constraining the values of $p$ in intermediate points. Formally, for a natural model where $U = (w_0, w_1, \ldots)$, define the new operator $\mathbf{G}^{2n}$ by

$$w_i \models \mathbf{G}^{2n}\varphi \quad\text{iff}\quad w_{i+2n} \models \varphi \text{ for all } n \ge 0.$$

We will show that this operator cannot be expressed in LTL or FOL. First, note that the following operators are not equivalent to $\mathbf{G}^{2n}\varphi$.

$\mathbf{G}^{2n}_{\mathrm{LTL}}\varphi \triangleq \varphi \wedge \mathbf{G}^*(\varphi \to \mathbf{X}\mathbf{X}\varphi)$
$(\mathbf{G}^{2n}_{\mathrm{FOL}}\varphi)(t_0) \triangleq \varphi(t_0) \wedge \forall t \ge t_0\,(\varphi(t) \to \forall t_1, t_2\,(t \prec t_1 \prec t_2 \to \varphi(t_2)))$

These formulas define a stronger property than required: they imply that if $\varphi$ holds in two adjacent states, it must hold always. Therefore, $\models (\mathbf{G}^{2n}_{\mathrm{LTL}}\varphi \to \mathbf{G}^{2n}\varphi)$. The reverse implication does not hold: there are models satisfying $\mathbf{G}^{2n}\varphi$ but not $\mathbf{G}^{2n}_{\mathrm{LTL}}\varphi$ or $\mathbf{G}^{2n}_{\mathrm{FOL}}\varphi(t_0)$, respectively.
3.1. Theorem (Wolper). Let $p$ be any atomic proposition. There is no LTL-formula $\varphi$ such that $\models \varphi \leftrightarrow \mathbf{G}^{2n}p$.

Proof: Consider the following sequence $(\mathcal{M}_0, \mathcal{M}_1, \mathcal{M}_2, \ldots)$ of models. For each $i \ge 0$, define $\mathcal{M}_i \triangleq (U_i, \mathcal{I}_i, w^i_0)$, where $(U_i, \prec)$ is isomorphic to the integers: $U_i \triangleq (\ldots, w^i_{-2}, w^i_{-1}, w^i_0, w^i_1, w^i_2, \ldots)$. Furthermore, define $\mathcal{I}_i(q) \triangleq U_i \setminus \{w^i_i\}$ for all $q \in \mathcal{P}$. That is, $w^i_n \models q$ iff $i \ne n$ for all atomic propositions $q$. Since $(U_i, \mathcal{I}_i, w^i_0)$ is isomorphic to $(U_{i+1}, \mathcal{I}_{i+1}, w^{i+1}_1)$, we have $w^i_0 \models \varphi$ iff $w^{i+1}_1 \models \varphi$ for all formulas $\varphi$. As a consequence, $w^i_0 \models \varphi$ iff $w^{i+1}_0 \models \mathbf{X}\varphi$.

In the next step, we prove that any LTL formula will almost always be true or almost always be false in the sequence $(\mathcal{M}_i)$: for any $\varphi \in$ LTL there exists an $i$ such that for all $j \ge i$ it holds that $\mathcal{M}_i \models \varphi$ iff $\mathcal{M}_j \models \varphi$. This is proved by induction on the structure of LTL formulas. The only interesting case is given by the until-connectives. We prove the case of $(\varphi\,\mathbf{U}^*\,\psi)$. For this case, the induction hypothesis guarantees that there is an $i$ such that for all $j \ge i$, both $w^j_0 \models \varphi$ iff $w^{j+1}_0 \models \varphi$ (*) and $w^j_0 \models \psi$ iff $w^{j+1}_0 \models \psi$ (**). We have to show that $w^j_0 \models (\varphi\,\mathbf{U}^*\,\psi)$ iff $w^{j+1}_0 \models (\varphi\,\mathbf{U}^*\,\psi)$. From the above consequence, $w^j_0 \models (\varphi\,\mathbf{U}^*\,\psi)$ iff $w^{j+1}_0 \models \mathbf{X}(\varphi\,\mathbf{U}^*\,\psi)$ (***). The following recursive characterization is valid: $\models (\varphi\,\mathbf{U}^*\,\psi) \leftrightarrow (\psi \vee \varphi \wedge \mathbf{X}(\varphi\,\mathbf{U}^*\,\psi))$. In particular, this implies $\models (\psi \to (\varphi\,\mathbf{U}^*\,\psi))$ (†), $\models (\neg\psi \to ((\varphi\,\mathbf{U}^*\,\psi) \leftrightarrow (\varphi \wedge \mathbf{X}(\varphi\,\mathbf{U}^*\,\psi))))$ (††), and $\models (\neg\psi \to ((\varphi\,\mathbf{U}^*\,\psi) \to \varphi))$ (†††).

If $w^j_0 \models \psi$, then $w^j_0 \models (\varphi\,\mathbf{U}^*\,\psi)$ by (†). In this case, by (**), $w^{j+1}_0 \models \psi$, hence also $w^{j+1}_0 \models (\varphi\,\mathbf{U}^*\,\psi)$ by (†). Therefore, if $w^j_0 \models \psi$, then $w^j_0 \models (\varphi\,\mathbf{U}^*\,\psi)$ iff $w^{j+1}_0 \models (\varphi\,\mathbf{U}^*\,\psi)$. Now we consider the case that $w^j_0 \not\models \psi$. By (†††), $w^j_0 \models (\varphi\,\mathbf{U}^*\,\psi)$ iff $w^j_0 \models \varphi$ and $w^j_0 \models (\varphi\,\mathbf{U}^*\,\psi)$. By (*) and (***), this in turn holds iff $w^{j+1}_0 \models \varphi$ and $w^{j+1}_0 \models \mathbf{X}(\varphi\,\mathbf{U}^*\,\psi)$. By (††), this is the case iff $w^{j+1}_0 \models (\varphi\,\mathbf{U}^*\,\psi)$.

To complete the proof, we now show that this eventual stability property does not hold for formulas which include the $\mathbf{G}^{2n}$ operator. It is not hard to see that $\mathcal{M}_i \models \mathbf{G}^{2n}p$ iff $i$ is odd: recall that $w^i_i \not\models p$. Thus, if $i$ is even, then for $n \triangleq i/2$ we have $w^i_{0+2n} \not\models p$, which means $w^i_0 \not\models \mathbf{G}^{2n}p$. If $i$ is odd, however, then for all $n \ge 0$, $w^i_{0+2n} \models p$, and thus $w^i_0 \models \mathbf{G}^{2n}p$. Hence, we have shown that for every LTL formula $\varphi$ there is a model $\mathcal{M}_i$ such that $\mathcal{M}_i \not\models (\varphi \leftrightarrow \mathbf{G}^{2n}p)$. $\Box$
The above proof shows that the $\mathbf{G}^{2n}$ operator cannot be defined in the basic temporal or first order language. However, it can be defined if additional propositions are allowed. To assert that $\mathbf{G}^{2n}\varphi$ holds, it suffices to provide a "new" proposition $q$ (not occurring in $\varphi$) such that $\mathbf{G}^{2n}_{\mathrm{LTL}}q$ holds, and that $\varphi$ is valid wherever $q$ is valid. This puts an additional constraint on the "auxiliary variable" $q$, which can be considered as an "implementation detail" in the context of $\varphi$. If we disregard the value of $q$, then the models satisfying $(\mathbf{G}^{2n}_{\mathrm{LTL}}q \wedge \mathbf{G}^*(q \to \varphi))$ are exactly those satisfying $\mathbf{G}^{2n}\varphi$. That is, for any model $\mathcal{M}$ such that $\mathcal{M} \models (\mathbf{G}^{2n}_{\mathrm{LTL}}q \wedge \mathbf{G}^*(q \to \varphi))$ it holds that $\mathcal{M} \models \mathbf{G}^{2n}\varphi$, and for every model $\mathcal{M}$ such that $\mathcal{M} \models \mathbf{G}^{2n}\varphi$ it holds that $\mathcal{M}' \models (\mathbf{G}^{2n}_{\mathrm{LTL}}q \wedge \mathbf{G}^*(q \to \varphi))$, where $\mathcal{M}'$ differs from $\mathcal{M}$ only in the fact that $\mathcal{I}(q) = \{w_0, w_2, w_4, \ldots\}$. Logically, this projection operation amounts to existential quantification on temporal propositions or sets of points:

$\mathbf{G}^{2n}\varphi \leftrightarrow \exists q\,(\mathbf{G}^{2n}_{\mathrm{LTL}}q \wedge \mathbf{G}^*(q \to \varphi))$
$(\mathbf{G}^{2n}\varphi)(t_0) \leftrightarrow \exists q\,((\mathbf{G}^{2n}_{\mathrm{FOL}}q)(t_0) \wedge \forall t \ge t_0\,(q(t) \to \varphi(t)))$

The language used in the first of these formulas is called quantified temporal logic qTL [Sistla 1983], the language of the second item is monadic second order logic MSOL.

$$\mathrm{qTL} ::= \mathcal{P} \mid \mathcal{Q} \mid \bot \mid (\mathrm{qTL} \to \mathrm{qTL}) \mid (\mathrm{qTL}\;\mathbf{U}^+\;\mathrm{qTL}) \mid (\mathrm{qTL}\;\mathbf{U}^-\;\mathrm{qTL}) \mid \exists\mathcal{Q}\,\mathrm{qTL}.$$
$$\mathrm{MSOL} ::= \mathcal{P}(\mathcal{T}) \mid \mathcal{Q}(\mathcal{T}) \mid \bot \mid (\mathrm{MSOL} \to \mathrm{MSOL}) \mid \mathcal{R}^+(\mathcal{T}, \mathcal{T}) \mid \exists\mathcal{T}\,\mathrm{MSOL} \mid \exists\mathcal{Q}\,\mathrm{MSOL}.$$

To define this syntax, we used another syntactic category $\mathcal{Q} = \{q, q', \ldots\}$ of proposition variables. Any valuation $v$ in a model assigns a set $v(q) \subseteq U$ to each of these (second order) variables. The formula $\exists q\,\varphi$ is valid in a model $\mathcal{M} = (U, \mathcal{I}, v)$ if it is valid in some model $\mathcal{M}' = (U, \mathcal{I}, v')$ which differs from $\mathcal{M}$ at most in the valuation of the proposition variable $q \in \mathcal{Q}$.
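The projection described above, as an added example that is not part of the chapter: on finite traces, $\exists q$ is realised by enumerating all $2^n$ valuations of the auxiliary proposition $q$, and the result is compared with the direct definition of $\mathbf{G}^{2n}\varphi$; the example also finds the shortest trace on which $\mathbf{G}^{2n}\varphi$ holds but the stronger $\mathbf{G}^{2n}_{\mathrm{LTL}}\varphi$ does not, and checks that the witness valuation $\mathcal{I}(q) = \{w_0, w_2, w_4, \ldots\}$ from the text works there. Traces are finite prefixes and $\mathbf{X}$ is read as the weak next-time operator (true at the last point), in the sense of the weak $\mathbf{EX}$ of Section 3.1; this, the boolean-list encoding of a trace and the function names are assumptions of this example.

```python
"""Wolper's G^{2n} on finite traces, its stronger LTL approximation G^{2n}_LTL,
and the second-order definition  G^{2n} phi <-> exists q (G^{2n}_LTL q & G(q -> phi))
realised by enumerating all valuations of q.  Example code, not from the
chapter.  A trace is a list of booleans, the value of phi at w_0, w_1, ...;
X is taken as the weak next (true at the last point) so that finite prefixes
make sense, an assumption of this example."""
from itertools import product

def g2n(phi):
    """w_0 |= G^{2n} phi: phi holds at every even position of the trace."""
    return all(phi[i] for i in range(0, len(phi), 2))

def g2n_ltl(phi):
    """phi & G*(phi -> XX phi), with XX phi true at the last two points (weak X)."""
    n = len(phi)
    return phi[0] and all((not phi[i]) or i + 2 >= n or phi[i + 2] for i in range(n))

def g_implies(q, phi):
    """G*(q -> phi) on the trace."""
    return all((not q[i]) or phi[i] for i in range(len(q)))

def g2n_by_projection(phi):
    """exists q (G^{2n}_LTL q & G(q -> phi)): try all 2^n valuations of q."""
    return any(g2n_ltl(q) and g_implies(q, phi)
               for q in product([False, True], repeat=len(phi)))

def even_positions(n):
    """The witness valuation I(q) = {w_0, w_2, w_4, ...} used in the text."""
    return [i % 2 == 0 for i in range(n)]

def first_trace_separating(max_len):
    """Shortest trace with G^{2n} phi but not G^{2n}_LTL phi, or None."""
    for n in range(1, max_len + 1):
        for phi in product([False, True], repeat=n):
            if g2n(phi) and not g2n_ltl(phi):
                return list(phi)
    return None

def projection_agrees(max_len):
    """G^{2n} phi and its second-order definition coincide on all short traces."""
    return all(g2n(phi) == g2n_by_projection(phi)
               for n in range(1, max_len + 1)
               for phi in product([False, True], repeat=n))

if __name__ == '__main__':
    t = first_trace_separating(6)
    q = even_positions(len(t))
    print('G2n but not G2n_LTL:', t)
    print('witness q = even positions works:', g2n_ltl(q) and g_implies(q, t))
    print('projection agrees on traces up to length 8:', projection_agrees(8))
```

The separating trace has $\varphi$ true at two adjacent points, which $\mathbf{G}^{2n}_{\mathrm{LTL}}$ forbids unless $\varphi$ then holds everywhere, exactly the "stronger property" noted above; the enumeration of $q$ is exponential in the trace length, which is why in practice the quantifier is eliminated by automata constructions (Section 3.3) rather than by brute force.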
It is easy to lift the expressive completeness theorem 2.4 to second order.

3.2. Lemma. On natural models, qTL has the same expressiveness as MSOL.

Proof: In the proof of Theorem 2.4, it was shown how to construct the translation $\mathrm{LTL}(\varphi)$ of a first order formula $\varphi$. For any MSOL formula there is an equivalent prenex formula of the form $\mathsf{Q}_1 q_1\,\mathsf{Q}_2 q_2 \cdots \mathsf{Q}_n q_n\,\psi$, where $\psi$ is a first order formula and each $\mathsf{Q}_i \in \{\exists, \forall\}$ is a second order quantifier. Thus, defining $\mathrm{qTL}(\mathsf{Q}_1 q_1\,\mathsf{Q}_2 q_2 \cdots \mathsf{Q}_n q_n\,\psi)$ by $\mathsf{Q}_1 q_1\,\mathsf{Q}_2 q_2 \cdots \mathsf{Q}_n q_n\,\mathrm{LTL}(\psi)$ gives a translation from MSOL into qTL. $\Box$