Correctness

In this section we argue that LS4 is correct, meaning that the algorithm only returns UNSAT when the given TST T does not have a model, and that the algorithm only returns an ultimately periodic interpretation _{V when this interpretation is indeed a} model of _{T . Together with a termination proof, which we provide in the next section,} this will show that LS4 is a decision procedure for TSTs and thus for LTL.

Our strategy to proving the correctness is the following. First, we analyze layer rep- etitions of LS4 and define infinitely repeating layers, a semantic version of derivation replaying argument from LPSup. We then use this concept in two places: 1) to prove soundness of the Leap inference and 2) to justify the case of “conditional” empty clauses in the main theorem.

All the line numbers below refer to the pseudocode of the main loop (Algorithm 3.2). Layer repetitions

When LS4 detects a repetition of layers (line 26) we know there is a block b _{∈ B and} indexes 0 < i < j_{≤ s}b such that Lbi = Lbj. We define the following sequence of (marked)

clauses Lk, called the infinitely repeating layers derived from the repetition Lbi = Lbj in

block b, by setting Lk= ( Lb k for 0≤ k < i, Lb

i+(k−i) mod (j−i) for k≥ i.

It is straightforward to check that the infinitely repeating layers Lk satisfy the initial

and progress layer properties (3.3) and (3.4), and, therefore, the following analogy of Invariant 3.2 item 4 holds for the infinitely repeating layers.

Lemma 3.1. Let W = (Wl)l∈N be any model of the input TST T and let Lk be the

infinitely repeating layers derived from a repetition. Then for every k, l_{∈ N} if Wk+l|= G then Wl |= Lk.

Soundness of Leap

Although LS4 does not explicitly attempt to construct a (K, L)-model (see Defini- tion 2.6), it relies on the (K, L)-model semantics to justify soundness of Leap. The Leap inference may remove some standard models from consideration, but guarantees to preserve the existence of at least one (K, L)-model.

Lemma 3.2. Let _{T = (Σ, I, T, G) be the input TST of LS4. Assume the algorithm has} just detected a layer repetition Lb

i = Lbj for a block b ∈ B and indexes 0 < i < j ≤

sb. Let o = i and p = (j− i) be the offset and period passed to the Leap procedure.

Furthermore, let r = p_{· do/pe be the only multiple of p such that o ≤ r < o + p and let} G+ _{= {C | C}{ } _{∈ G} and H = {C | C}{b} _{∈ L}b

r}. If the TST T+ = (Σ, I, T, G+) is

satisfiable then so is the TST_T++_{= (Σ, I, T, G}+_{∪ H).}

Proof. Let us assume that the TST _T+ _{is satisfiable. By Lemma 2.1 (page 23) it must}

have a (K, L)-model _{W = (W}k)k∈N for some K ∈ N and L ∈ N+. In such a model

WK+l·L|= G+ (3.12)

for every l ∈ N. We will prove the lemma by showing that at the indexes of the form K + l_{· L the model W, in fact, also satisfies the formula H.}

Let K + l_{· L for l ∈ N be such an index. We consider the following linear Diophantine} equation

l0_{· L = r + k}0_{· p,} (3.13)

which must have a solution pair l0, k0 ∈ N, because r is a multiple of p. It follows from (3.12) that WK+(l+l0_)·L |= G+ or, equivalently, W_(K+l·L)+l0_·L |= G. By Lemma 3.1, we

obtain

WK+l·L|= Ll0_·L,

where Lk is the sequence of the infinitely repeating layers derived from our repetition.

Now Ll0_·L = L_r+k0_·p by (3.13) and L_r+k0_·p = L_r = Lb_r by the definition of the infinitely

repeating layers. Therefore, WK+l·L |= H, since the sets Lbr and H contain the same

clauses up to the markers. Correctness theorem

Below we prove the main theorem of this section. When justifying correctness in the unsatisfiable case, the presented contradictions depend on the values of U and G at the moment when they are detected. We implicitly rely on the soundness of learning univer- sal clauses (Invariant 3.2 item 3) and the soundness of the Leap inference (Lemma 3.2) to relate these contradictions back to the original input TST _{T .}

Theorem 3.1. LS4 only returns UNSAT when the input TST_{T does not have a model,} and it only returns an ultimately periodic interpretation _{W when W is a model of T .} Proof. Let us first consider the case when LS4 returns an ultimately periodic interpre- tation. This happens when the model repetition check (line 6) succeeds and there is an index i and a block b _{∈ B such that i ≤ i}b < |V| and Vi = V . Recall that V is the

just extracted valuation to be added to _{V after a successful extension. The ultimately} periodic interpretationW = (Wj)j∈N to be returned is defined (see also line 7) by

Wj =

(

Vj for 0≤ j < i,

It follows from Invariant 3.1 that _{W is indeed a model of T . In particular, the goal} clauses G are satisfied at every index of the form ib+ j· (|V| − i) for j ∈ N.

When LS4 returns UNSAT on line 16, it means it has just derived an empty clause ⊥m_{from an unsuccessful extension. Depending on the set of markers m and on the kind}

of the extension query, which could have been either the initial query (3.5) or the proper extension query (3.6), there are the following entailments to consider:

• U |= ⊥∅ _{or T∧ (U)}0 _{|= ⊥}∅_, • I ∧ U |= ⊥{◦}_{, or} • U ∧ Lb i |= ⊥ {b} _{or T} ∧ (U ∧ Lb i) 0

|= ⊥{b} for some i_{∈ N and b ∈ B.}

The first two options imply contradiction in the set of universal clauses, the third op- tion the same between the initial and universal clauses, and with the last two options the contradiction arises i (or i + 1) steps before the goal clauses can be satisfied (see Invariant 3.2 item 4). We can see that the input TST _{T cannot have a model in any of} the listed cases.

When LS4 returns UNSAT on line 28, it has just detected a repetition in the first block (line 27), which means that_{B = {b} and L}b

i = Lbj for some indexes 0 < i < j≤ sb.

Previously, there must have been (sb − 1) moments during the run of the algorithm

when the block b was extended. Because b is the first block, the extensions happened as a result of deriving the empty explaining clause_⊥{◦,b} _{from an unsuccessful extension,}

which means that the conjunction

I∧ U ∧ Lbl, (3.14)

was (and remained thanks to monotonicity) unsatisfiable for every 0_{≤ l < s}b.

Let us now recall the sequence Lk of infinitely repeating layers derived from our repe-

tition. It is easy to see that every Lk for k∈ N is equal to some Lb_l for 0≤ l < sb. This

implies there cannot be a model of the input TST _{T . Indeed, suppose otherwise. Let} W = (Wl)l∈N be such a model and let k∈ N be the first index at which the goal clauses

G are satisfied in W:

Wk|= G.

It follows by Lemma 3.1 that W0|= Lkin that model and so W0 |= Lbl for some 0≤ l < sb.

But this in not possible, because (3.14) is unsatisfiable. A contradiction.