Tableau-based decision method for testing satisfiability of the - - PowerPoint PPT Presentation

V Goranko

Tableau-based decision method for testing satisfiability of the linear temporal logic LTL

Valentin Goranko DTU Informatics November 2010

V Goranko

Tableau for LTL: introduction

The tableau method for LTL searches systematically for a linear model satisfying the input formula. We will consider LTL over a minimal language with one transition relation, containing ⊤, ¬, and ∧ as Boolean connectives, and X, G, and U as temporal operators. The other Boolean constants and connectives ⊤, ⊥, ∨, →, as well as the operators F and R will be assumed definable. We will present an optimized version of the first construction of tableau for LTL developed by Wolper in 1983-85. It takes exponential time and space in the length of the formula, but can be optimized to work in PSpace.

V Goranko

Types of formulae

We distinguish 4 types of formulae:

• 1. α-formulae, of conjunctive type.

Every α-formula θ is associated with its α-components, and is equivalent to their conjunction. E.g., the α-components of ϕ ∧ ψ are θ1 = ϕ and θ2 = ψ, and the only α-component of ¬¬ϕ is θ1 = ϕ.

• 2. β-formulae, of disjunctive type.

Every β-formula θ is associated with its β-components, and is equivalent to their disjunction. E.g., the β-components of ϕ ∨ ψ are θ1 = ϕ and θ2 = ψ.

• 3. Nexttime formulae in LTL are those of the type Xϕ.

The nexttime component of Xϕ is ϕ.

• 4. literals: ⊤, ¬⊤, atomic propositions and their negations.

The literals and the nexttime formulae are primitive formulae.

V Goranko

α- and β-formulae in LTL

The α- and β-formulae in LTL and their components: α α1 α2 ¬¬ϕ ϕ ϕ ¬Xϕ X¬ϕ X¬ϕ ϕ ∧ ψ ϕ ψ Gϕ ϕ XGϕ ¬(ϕUψ) ¬ψ ¬ϕ ∨ ¬X(ϕUψ) β β1 β2 ¬(ϕ ∧ ψ) ¬ϕ ¬ψ ¬Gϕ ¬ϕ X¬Gϕ ϕUψ ψ ϕ ∧ X(ϕUψ)

Lemma

• I. For every α-formula ϕ: ϕ ≡ α1(ϕ) ∧ α2(ϕ).
• II. For every β-formula ϕ: ϕ ≡ β1(ϕ) ∨ β2(ϕ).

V Goranko

Closure of an LTL- formula

The closure cl(η) of an LTL-formula η is the least set of formulae such that:

• 1. ⊤, ϕ ∈ cl(η);
• 2. cl(η) is closed under taking all components of α-formulae,

β-formulae, and nexttime-formulae. NB: closure under subformulae and negation is not required. For any set of formulae Φ we define cl(Φ) := { cl(ϕ) | ϕ ∈ Φ }. A set of formulae Φ is closed if Φ = cl(Φ). The closure of a formula (and, of any finite set of formulae) is always a finite set, of cardinality linear in the length of the formula.

V Goranko

Closure of LTL formulae: example

Running example 1: η = (pUq) ∧ Gr cl(η) = {η, pUq, Gr, p ∧ X(pUq), q, r, XGr, p, X(pUq)} Running example 2: η = (pUq) ∧ (p → ¬Xq) cl(η) = {η, pUq, p → ¬Xq, p∧X(pUq), q, p, X(pUq), ¬p, ¬Xq, X¬q} Exercise: Define explicitly closure of LTL-formulae. Exercise: Show that cl(ϕ) is finite for every ϕ ∈ LTL.

V Goranko

Consistent and fully expanded subsets of a closure

A set of formulae is patently inconsistent if it contains ⊥, or ¬⊤,

• r a contradictory pair of formulae ¬ϕ and ϕ.

Definition (Fully expanded set)

A set of formulae Φ is fully expanded iff:

• 1. it is not patently inconsistent;
• 2. for every α-formula in Φ, all of its α-components are in Φ;
• 3. for every β-formula in Φ, at least one of its β-components is

in Φ. Exercise: Give explicitly the closure conditions for fully expanded sets of LTL-formulae.

V Goranko

Full expansions of a set of LTL formulae

Just like in ML, a fully expanded set ∆ of LTL formulae is a full expansion of a set of LTL formulae Γ, if ∆ can be obtained from Γ by repeated application of the following rules:

• 1. for every α-formula in the current set, add all of its

α-components.

• 2. for every β-formula in the current set, at one of its

β-components. Computing the full expansions of Γ corresponds to saturating a local tableau for LTL with input set Γ and collecting the sets of formulae on every open branch. Thus, a set Γ may have several, possibly none, full expansions. Like in ML, not every fully expanded set is satisfiable. The purpose of the tableau for LTL is to determine whether at least one full expansion of the input formula set is satisfiable.

V Goranko

Local tableau for LTL

The local tableau for LTL is defined by extending the the unlabeled tableau for classical propositional logic with the following rules: Non-branching rules (α-rules) Branching rules (β-rules) (¬X) ¬Xϕ ↓ X¬ϕ (G) Gϕ ↓ ϕ, XGϕ (¬G) ¬Gϕ ւ ց ¬ϕ X¬Gϕ (¬U) ¬(ϕUψ) ↓ ¬ψ, ¬ϕ ∨ ¬X(ϕUψ) (U) ϕUψ ւ ց ψ ϕ ∧ X(ϕUψ) The rest is just like the local tableau for ML.

V Goranko

Computing full expansions of sets of LTL-formulae by encapsulating the local tableau

The procedure FullExpansion for computing the family FE(Γ)

• f full expansions of a given set of formulae Γ uses the following

set replacement operations applied to a set of formulae Φ in a family of sets of formulae F: (α): If ϕ ∈ Φ for some α-formula ϕ with α-components ϕ1 and ϕ2, replace Φ by Φ ∪ {ϕ1, ϕ2}. (β): If ϕ ∈ Φ for some β-formula ϕ with β-components ϕ1 and ϕ2, replace Φ by Φ ∪ {ϕ1} and Φ ∪ {ϕ2}. An expansion step:

• 1. choose a set Φ from the current family of sets F;
• 2. choose an α- or β- formula ϕ ∈ Φ;
• 3. apply the respective set replacement operation for ϕ to Φ.

Proviso: if a patently inconsistent set is added to F as a result of such application, it is removed immediately after the replacement.

V Goranko

Exercise: Give explicitly the set-replacement operations of the procedure FullExpansion for the LTL-formulae ¬Xϕ, ϕUψ, ¬(ϕUψ), and Gϕ. Given a finite set of formulae Γ, the procedure FullExpansion starts with the singleton family {Γ} and checks if it is patently inconsistent. If so, it returns FE(Γ) = ∅. Otherwise, it applies repeatedly expansion steps to the current family F until saturation, i.e. until no application of a set replacement operation can change F. The stage of saturation is guaranteed to occur. At that stage, the family FE(Γ) of sets of formulae is produced and returned.

V Goranko

Full expansions: Example 1

Let η := (pUq) ∧ Gr. The full expansions of {η}: Φ1 = {η, pUq, Gr, q, r, XGr} Φ2 = {η, pUq, Gr, p ∧ X(pUq), p, X(pUq), r, XGr}

V Goranko

Full expansions: Example 2

Let η := (pUq) ∧ (p → ¬Xq). The full expansions of {(pUq) ∧ (p → ¬Xq)}: Φ1 = {η, pUq, q, p → ¬Xq, ¬p} Φ2 = {η, pUq, q, p → ¬Xq, ¬Xq, X¬q} Φ3 = {η, pUq, p ∧ X(pUq), p, X(pUq), (p → ¬Xq), ¬p} This set is patently inconsistent and is eliminated immediately. Φ4 = {η, pUq, p ∧ X(pUq), p, X(pUq), (p → ¬Xq), ¬Xq, X¬q}

V Goranko

Eventualities in LTL

Eventualities are formulae stating that something will happen eventually in the future, but without specifying exactly when. In particular, the eventualities in LTL are the formulae of the type ϕUψ and ¬Gϕ.

V Goranko

Hintikka structures for LTL: Hintikka traces

Hintikka trace is the linear version of Hintikka structure.

Definition (Hintikka trace)

Given a set of formulae Φ, a Hintikka trace (HT) for Φ is a mapping H : N → P(Φ) satisfying the following conditions for every n ∈ N: H1 H(n) is fully expanded; H2 If Xϕ ∈ H(n), then ϕ ∈ H(n + 1) H3 If ϕUψ ∈ H(n), then there exists i ≥ 0 such that ψ ∈ H(n + i) and ϕ ∈ H(n + j) for every j such that 0 ≤ j < i.

Definition

A formula θ ∈ LTL is satisfiable in a Hintikka trace H if θ ∈ H(n) for some n ∈ N.

V Goranko

Proposition

In every Hintikka trace H:

• 1. If ¬(ϕUψ) ∈ H(n), then for every i ∈ N if ¬ψ ∈ H(n + i)

then ϕ ∈ H(n + j) for some j such that 0 ≤ j < i.

• 2. If Gϕ ∈ H(n), then ϕ ∈ H(n + i) for every i ∈ N.

Lemma

For any set of formulae Φ, every linear ITS M = (N, L) generates a Hintikka trace H : N → P(Φ) for Φ, where H(n) = {ϕ ∈ LTL | M, n | = ϕ} for every n ∈ N. Proof: Straightforward verification of H1-H3. Exercise. Usually, we will be interested in Hintikka traces for sets cl(η), where η is a formula for which we want to find a model.

V Goranko

Satisfiability and Hintikka traces

Theorem

A formula η ∈ LTL is satisfiable iff it is satisfiable in a Hintikka trace for cl(η). Proof: One direction follows by the Lemma above for Φ = cl(η). For the converse, suppose η ∈ H(m) for some Hintikka trace H : N → P(cl(η)) and m ∈ N. We can assume that m = 0. We define the following state description L in N: L(n) := PROP ∩ H(n). Let M = (N, succ, L), where succ is the successor relation in N. We show by induction on θ ∈ LTL that for every n ∈ N: (i) if θ ∈ H(n) then M, n | = θ; (ii) if ¬θ ∈ H(n) then M, n | = ¬θ. Exercise: Complete the details of the proof above.

V Goranko

Tableaux construction for testing satisfiability in LTL

The tableau procedure for a given input formula η attempts to construct a non-empty graph T η, called a tableau, representing in a way sufficiently many possible Hintikka traces for η. The procedure consists of three major phases:

• 1. Pretableau construction phase
• 2. Prestate elimination phase
• 3. State elimination phase

Since no different prestates or states with the same labels will be created, we will identify prestates or states with their labels.

V Goranko

Pretableau construction phase

That phase produces a finite digraph with labeled vertices Pη – the pretableau for η – following prescribed construction rules. The set of nodes of the pretableau properly contains the set of nodes of the tableau T η that is to be ultimately built. The pretableau has two types of nodes: states and prestates. The states are labeled with fully expanded subsets of cl(η) and represent states of a Hintikka structure, while the prestates can be labeled with any subsets of cl(η) and play only a temporary role.

V Goranko

State construction rule PrExpLTL

The rule PrExpLTL produces all offspring states of a prestate. Rule PrExpLTL: Given a prestate Γ to which the rule has not yet been applied, do the following:

• 1. Compute the family FE(Γ) = {∆1, . . . ∆n} of all full

expansions of Γ and add these as (labels of) new states in the pretableau, called the offspring states of Γ.

• 2. For each newly introduced state ∆, create an edge Γ =

⇒ ∆.

• 3. If, however, the pretableau already contains a state with label

∆ then do not create a new state with that label, but create an edge Γ = ⇒ ∆ to that state. We denote the set { ∆ | Γ = ⇒ ∆ } of offspring states of Γ by states(Γ).

V Goranko

Prestate construction rule NextLTL

The rule NextLTL produces the successor prestate of a state (recall that we are looking for a linear model). Rule NextLTL: Given a state with label ∆, to which the rule has not yet been applied, do the following:

• 1. Add a successor prestate Γ of ∆ with label { ψ | Xψ ∈ ∆ }.
• 2. If the label of ∆ does not contain any formula of the type Xψ

then add a successor prestate Γ of ∆ with label {⊤}.

• 3. Create an edge ∆ −

→ Γ.

• 4. If, however, the pretableau already contains a prestate with

label Γ then do not create a new prestate with that label, but extend an arrow ∆ − → Γ to that prestate.

V Goranko

Pretableau construction phase completion

The pretableau construction phase for an input formula η begins with creating a single prestate {η}, followed by alternating applications of the rules PrExp and Next, respectively to the prestates and the states created earlier in the construction. The construction phase ends when none of these rules can add any new states or prestates to the current graph. The resulting graph is the pretableau Pη.

V Goranko

Pretableau examples: notation

In what follows: The mark * means that an expansion step has been applied to the formula. Superscript ‘s’ means that the set is a state. Superscript ‘p’ means that the set is a prestate.

V Goranko

Pretableau: example 1

(pUq) ∧ Gr 1.

• (pUq) ∧ Gr

P

• ✠

❅ ❅ ❅ ❘

2.

S

   (pUq) ∧ Gr∗ pUq∗, Gr∗ q, r, XGr   

❄

4.

P

• Gr
• ❄

✒

5.

S

• Gr∗

r, XGr

• 3.

S

   (pUq) ∧ Gr∗ pUq∗, p, X(pUq) Gr∗, r, XGr   

❄

6.

P

• pUq, Gr
• ✠

❅ ❅ ❘

7.

S

• pUq∗, q

Gr∗, r, XGr

• ❅

❅ ❅ ❅ ■

8.

S

pUq∗, p, X(pUq) Gr∗, r, XGr

• ✛

V Goranko

Pretableau: example 2

(pUq) ∧ (p → ¬Xq) 1.

• (pUq)∧

(p → ¬Xq) P

• ✠

❄ ❅ ❅ ❅ ❘ ❄

2.

S

           (pUq)∧ (p → ¬Xq)∗, pUq∗, q, p → ¬Xq∗, ¬p           

❄

3.

S

           (pUq)∧ (p → ¬Xq)∗, pUq∗, q, p → ¬Xq∗, ¬Xq∗, X¬q           

❄

4.

S

               (pUq)∧ (p → ¬Xq)∗ pUq∗, p, X(pUq), (p → ¬Xq)∗, ¬p                removed 5.

S

               (pUq)∧ (p → ¬Xq)∗ pUq∗, p, X(pUq), (p → ¬Xq)∗, ¬Xq∗, X¬q               

• ✠

6.

P

• ⊤
• ❄

■

7.

S

• ⊤
• 8.

P

• ¬q
• ❄

9.

S

• ¬q
• ✛

10.

P

• pUq, ¬q
• ✠

❅ ❅ ❅ ❘

11.

S

pUq∗, ¬q p, X(pUq)

• ❄

12.

S

• pUq∗, ¬q, q
• removed

13.

P

• pUq
• ✠

❅ ❅ ❘

14.

S

• pUq∗, q
• ■

15.

S

pUq∗, p, X(pUq)

• ✛

V Goranko

Pretableau: example 2

(pUq) ∧ (p → ¬Xq) 1.

• (pUq)∧

(p → ¬Xq) P

• ✠

❄ ❄

2.

S

           (pUq)∧ (p → ¬Xq)∗, pUq∗, q, p → ¬Xq∗, ¬p           

❄

3.

S

           (pUq)∧ (p → ¬Xq)∗, pUq∗, q, p → ¬Xq∗, ¬Xq∗, X¬q           

❄

5.

S

               (pUq)∧ (p → ¬Xq)∗ pUq∗, p, X(pUq), (p → ¬Xq)∗, ¬Xq∗, X¬q               

• ✠

6.

P

• ⊤
• ❄

■

7.

S

• ⊤
• 8.

P

• ¬q
• ❄

9.

S

• ¬q
• ✛

10.

P

• pUq, ¬q
• ✠

11.

S

pUq∗, ¬q p, X(pUq)

• ❄

13.

P

• pUq
• ✠

❅ ❅ ❘

14.

S

• pUq∗, q
• ■

15.

S

pUq∗, p, X(pUq)

• ✛

V Goranko

Pretableau: example 3

(pUq) ∧ G¬q 1. (pUq) ∧ G¬q P

• ✠

❅ ❅ ❅ ❘

2.

S

   (pUq) ∧ G¬q∗ pUq∗, G¬q∗ q, ¬q, XG¬q    removed 3.

S

   (pUq) ∧ G¬q∗ pUq∗, p, X(pUq), G¬q∗, ¬q, XG¬q   

❄

4.

P

• pUq, G¬q
• ✠

❅ ❅ ❘

5.

S

• pUq∗, q

G¬q∗, ¬q, XG¬q

• removed

6. pUq∗, p, X(pUq) G¬q∗, ¬q, XG¬q

• ✛

V Goranko

Pretableau: example 3

(pUq) ∧ G¬q 1. (pUq) ∧ G¬q P

❅ ❅ ❅ ❘

3.

S

   (pUq) ∧ G¬q∗ pUq∗, p, X(pUq), G¬q∗, ¬q, XG¬q   

❄

4.

P

• pUq, G¬q
• ❅

❅ ❘

6. pUq∗, p, X(pUq) G¬q∗, ¬q, XG¬q

• ✛

V Goranko

Prestate elimination phase for LTL

In this phase, all prestates are removed from Pη, together with their incoming and outgoing arrows, by applying the following prestate elimination rule: Rule PrElimLTL: For every prestate Γ in Pη, do the following:

• 1. Remove Γ from Pη;
• 2. If there is a state ∆ in Pη with ∆ −

→ Γ, then for every state ∆′ ∈ states(Γ), create an edge ∆ − → ∆′. The resulting graph T η

0 is called the initial tableau for η.

The offspring states of the input prestate {η} are called input states of T η

0 .

V Goranko

Prestate elimination and initial tableau: example 1

(pUq) ∧ Gr 2. ⋆          (pUq) ∧ Gr∗ pUq∗, Gr∗ q, r, XGr         

• ✠

3. ⋆          (pUq) ∧ Gr∗ pUq∗, p, X(pUq), Gr∗, r, XGr         

• ✠

❅ ❅ ❘

5.

• Gr∗, ⊤

r, XGr

• ❘

7.

• pUq∗, ⊤, q,

Gr∗, r, XGr

• ✛

8.

• pUq∗, p, X(pUq)

⊤, Gr∗, r, XGr

• ✠

The initial states of the tableau are marked with ⋆.

V Goranko

Prestate elimination and initial tableau: example 2

(pUq) ∧ (p → ¬Xq) 2. ⋆            (pUq)∧ (p → ¬Xq)∗, pUq∗, q, p → ¬Xq∗, ¬p           

❄

3. ⋆            (pUq)∧ (p → ¬Xq)∗, pUq∗, q, p → ¬Xq∗, ¬Xq∗, X¬q           

❄

5. ⋆                (pUq)∧ (p → ¬Xq)∗ pUq∗, p, X(pUq), (p → ¬Xq)∗, ¬Xq∗, X¬q               

• ✠

7.

• ⊤
• ✻

9.

• ¬q, ⊤
• ✛

11. pUq∗, ¬q, ⊤ p, X(pUq)

• ✠

❅ ❅ ❘

14.

• pUq∗, q, ⊤
• ■

15. pUq∗, ⊤, p, X(pUq) ✛

V Goranko

Prestate elimination and initial tableau: example 3

(pUq) ∧ G¬q 3. ⋆    (pUq) ∧ G¬q∗ pUq∗, p, X(pUq), G¬q∗, ¬q, XG¬q   

❅ ❅ ❘

6. ⊤, pUq∗, p, X(pUq) G¬q∗, ¬q, XG¬q

• ✠

V Goranko

State elimination phase for LTL

The purpose of the state elimination phase is to remove from the tableau all ‘bad’ states, the labels of which are not satisfiable in any Hintikka trace, and hence in any linear model for LTL. That will be done using the state elimination rules StElim1LTL and StElim2LTL.

V Goranko

State elimination rule StElim1LTL

One possible reason for existence of a ‘bad state’ in a current tableau is that it may lack a successor state. Such states can arise because some prestates may have no full expansions, and hence may yield no offspring states. Once such bad states are removed, some of their predecessor states may be left without successors, so they must be removed, too, etc., until stabilization. Formally, the elimination of states with no successors is done by applying the following rule. Rule StElim1LTL: If a state ∆ has no successor states in the current tableau, then remove ∆ from the tableau.

V Goranko

Realization of eventualities in LTL

A state is ‘bad’ if it contains an eventuality that is not ‘realized’ in any reachable state. Such states are removed by another state elimination rule, using the notion of eventuality realization. Path in T η

n : path of successor states ∆0 −

→ ∆1 − → . . . in T η

n .

Definition (Realization of eventualities in LTL)

An eventuality ξ = ϕUψ is realized at the state ∆ in T η

n if there

exists a finite path ∆ = ∆0, ∆1, . . . , ∆min T η

n , such that

ξ, ψ ∈ ∆m and ξ, ϕ ∈ ∆i for every i = 0, . . . , m − 1. We say that ξ is realized on the path ∆0, ∆1, . . . , ∆m. The shortest length of such a path is the rank of the state with respect to the eventuality ξ. If ψ ∈ ∆, then ξ is immediately realized at the state ∆. Realization of eventualities ¬Gϕ is defined likewise. Efficient algorithms for testing the realization of the eventualities in tableau states use global approach, where that testing is done for all eventualities at all states simultaneously.

V Goranko

State elimination rule StElim2LTL

Rule StElim2LTL: If an eventuality ξ ∈ ∆ is not realized on any path starting from a state ∆, then remove ∆ from the current tableau.

V Goranko

The state elimination phase in LTL

The state elimination phase is carried out in a sequence of stages:

• starting at stage 0 with the initial tableau T η

0 ,

• eliminating at every stage n at most one state for the current

tableau T η

n , by applying one of the state elimination rules,

• thus producing the new current tableau T η

n+1.

The rules StElim1LTL and StElim2LTL are applied alternatively, in any order, which may be determined by a specific strategy. This procedure continues until reaching a stage when no further elimination of states by an application of any of the rules is possible.

V Goranko

The final tableau for LTL

When the state elimination phase reaches a stabilization stage the current tableau at that stage is the final tableau for η, denoted by T η, with a set of states denoted by Sη.

Definition

The final tableau T η is open if η ∈ ∆ for some ∆ ∈ Sη; otherwise, T η is closed. The procedure returns not satisfiable if the final tableau is closed. Otherwise, it returns satisfiable. Moreover, an open tableau provides sufficient information for producing a finite Hintikka trace satisfying η.

V Goranko

State elimination and final tableau: example 1

(pUq) ∧ Gr 2. ⋆    (pUq) ∧ Gr∗ pUq∗, Gr∗ q, r, XGr   

• ✠

3. ⋆

1

   (pUq) ∧ Gr∗ pUq∗, p, X(pUq), Gr∗, r, XGr   

• ✠

❅ ❅ ❘

5. Gr∗, ⊤ r, XGr

• ∞

❘

7. ⊤, pUq∗, q, Gr∗, r, XGr

• ✛

8. pUq∗, p, X(pUq) ⊤, Gr∗, r, XGr

• ∞

✠

No state gets eliminated due to patent inconsistency. There is only one eventuality, pUq. The ranks are shown as subscripts. State 8 gets eliminated due to Rule StElim2LTL. The final tableau is open; it gives two possible Hintikka traces for the formula.

V Goranko

State elimination and final tableau: example 2

(pUq) ∧ (p → ¬Xq) 2. ⋆            (pUq)∧ (p → ¬Xq)∗, pUq∗, q, p → ¬Xq∗, ¬p           

❄

3. ⋆            (pUq)∧ (p → ¬Xq)∗, pUq∗, q, p → ¬Xq∗, ¬Xq∗, X¬q           

❄

5. ⋆

2

               (pUq)∧ (p → ¬Xq)∗ pUq∗, p, X(pUq), (p → ¬Xq)∗, ¬Xq∗, X¬q               

• ✠

7.

• ⊤
• ∞

✻

9.

• ¬q, ⊤
• ✛

∞ 11.

pUq∗, ¬q, ⊤ p, X(pUq)

• 1
• ✠

❅ ❅ ❘

14.

• pUq∗, q, ⊤
• ■

0 15.

pUq∗, ⊤, p, X(pUq)

• ✛

∞

There is only one eventuality, pUq. The rank of each state is shown next to its bottom-right corner. State 15 is eliminated due to Rule StElim2LTL. The final tableau contains three initial states: 2, 3, and 5. Hence, it is open. The final tableau represents three Hintikka traces satisfying the formula.

V Goranko

State elimination and final tableau: example 3

(pUq) ∧ G¬q 3. ⋆

∞

   (pUq) ∧ G¬q∗ pUq∗, p, X(pUq), G¬q∗, ¬q, XG¬q   

❅ ❅ ❘

6. ⊤, pUq∗, p, X(pUq) G¬q∗, ¬q, XG¬q

• ∞

✠

There is only one eventuality, pUq. States 3 and 6 get eliminated due to Rule StElim2LTL. The final tableau is empty, therefore closed. The attempt to build a Hintikka trace for the formula (pUq) ∧ G¬q has failed, hence it is not satisfiable.

V Goranko

Soundness of the tableau for LTL

Soundness of the tableau procedure means that if the input formula η is satisfiable, then the tableau T η is open. It suffices to prove that every state elimination rule is ‘sound’, meaning that it never eliminates a state with a satisfiable label.

Theorem (Soundness of the tableau for LTL)

If η ∈ LTL is satisfiable then T η is open.

V Goranko

Completeness of the tableaux for LTL: the problem

Completeness of the tableau procedure means that if the input formula η is not satisfiable, then the final tableau T η is closed, so the tableau procedure is guaranteed to establish the unsatisfiability. For completeness of the tableaux it suffices to show how from open final tableau T η one can construct a Hintikka trace satisfying η. One can try to extract such a Hintikka trace from T η, by starting with any state ∆ containing η and building up a path of successor states through T η, while ensuring that all eventualities appearing along that path eventually get realized on that path. However, not every path in T η satisfies that requirement, because different eventualities may be realized along different paths.

V Goranko

Building Hintikka traces from open tableaux

So, we have to guide the process of building a Hintikka trace. The idea: build the Hintikka trace H(η) in a sequence of steps, each producing a finite partial Hintikka trace appending to the previous one a finite path realizing one pending eventuality, while possibly adding more pending eventualities at the end. Thus, an infinite path is produced in the limit, as a union of all partial Hintikka traces, in which there are no unrealized eventualities – and that is the required Hintikka trace. That construction is possible because the realization of any eventuality can be deferred indefinitely.

V Goranko

Completeness of the tableaux for LTL

Theorem (Completeness of the tableau for LTL)

For any formula η ∈ LTL, if the final tableau T η is open, then the formula is satisfiable.

Corollary

The logic LTL has the small model property.

Proof.

The construction of H(η) above can be made finite by propagating the list of pending eventualities to every next state in the partial Hintikka traces produced as above and looping back whenever a state is to be created for which a state with the same label and same set of pending eventualities (even possibly listed in different

• rder) appears earlier in the current trace.

That construction produces an ultimately periodic Hintikka trace with a number of states bounded exponentially by the size of the formula.

V Goranko

On the complexity and optimality of the tableau for LTL

The tableau procedure for LTL, as described above, shows that it takes exponential time in the size of the input formula η. On the other hand, it is known [Sistla&Clarke’85] that the problem

• f testing satisfiability of an LTL formula is PSpace-complete, so

the tableau presented here uses more space resources than necessary. It can be optimized to work in (non-deterministic) PSpace by first guessing a satisfying ‘Hintikka trace’ already in the pretableau, i.e.,

• rganizing a depth-first expansion of the pretableau, and then

testing for its suitability with a more judicial memory use, namely

• nly keeping in the memory the current position and the set of

eventualities currently waiting to be satisfied.

V Goranko

Online implementation of the tableau for LTL

The tableau procedure for LTL described above has been implemented (in Python) by Angelo Kyrilov, and is available online: http://msit.wits.ac.za/ltltableau More optimized tableau procedure for LTL, implemented in Ocaml, can be downloaded and installed from http://users.cecs.anu.edu.au/~rpg/PLTLProvers

V Goranko

Exercises on tableau for LTL

Using the tableau method check the following LTL formulae for satisfiability:

• 1. Gp ∧ Fq → pUq
• 2. Gp ∧ Gq → G(p ∧ q)
• 3. Gp ∨ Gq → G(p ∨ q)
• 4. p ∧ G(p → Xp) → Gp
• 5. pU(q ∧ r) → (pUq ∧ pUr)
• 6. (pUq ∧ pUr) → pU(q ∧ r)
• 7. pU(q ∨ r) → (pUq ∨ pUr)
• 8. (pUq ∨ pUr) → pU(q ∨ r)
• 9. p ∧ G(p → Fp) → GFp
• 10. p ∧ G(p → XFp) → GFp