
Modal logics (of sorts) can also be used to reason about time. In the simplest setting the operator $\Box$ can be used to represent “at the next state”, where the accessibility relation represents the flow of time through a system.

In this section, we present two temporal logics: linear temporal logic (LTL) and computational tree logic (CTL). The difference between these logics is that LTL considers time as a linear flow, where the next state is uniquely defined given a run of the system, while CTL uses a branching model of time where each state may have many possible successors.

We begin by introducing the notion of a transition system.

3.2.1 Transition Systems

A transition system is an extension of a Kripke structure, as follows. A transition system is a tuple $T = \langle W, R, W_0, V \rangle$, where:

• $W$ is a set of states

• $R \subseteq W \times W$ is a transition relation

• $W_0 \subseteq W$ is a set of initial states

• $V : W \to 2^{AP}$ is a valuation function mapping each state to the set of propositions that state satisfies

To reason about logics related to the flow of time, it is desirable to speak about the unwinding of a transition system into a set of paths. Given a transition system T , we wish to speak about the set of paths or runs that T induces. In what follows, we assume that R is serial, that is:

$\forall w \in W,\ \exists w' \in W,\ w\,R\,w'$

Informally: there exists at least one successor for each state in W .

By way of notation, for a finite set $X$ and an infinite string $x \in X^\omega$, we denote by $x(i) \in X$ the $i$-th element of $x$.

Definition 3.5. Path

A path $\pi \in W^\omega$ is an infinite sequence of states in $W$ such that $\pi(0) \in W_0$ and, for all $i \ge 0$, $(\pi(i), \pi(i+1)) \in R$. As $R$ is serial, each run of $T$ must be infinite (i.e., there are no “dead end” states without successors).

3.2 Temporal Logics 51

3.2.2 Linear Temporal Logic

We now introduce Linear Temporal Logic (LTL) [Pnueli, 1977; Clarke et al., 1999; Baier and Katoen, 2008], a temporal logic which is interpreted over runs of the transition system.

3.2.2.1 LTL Syntax

The syntax of an LTL formula ϕ is given inductively as follows:

$\varphi ::= p \mid \neg\varphi \mid \varphi \vee \varphi \mid X\varphi \mid \varphi\,U\,\varphi$

where p ∈ AP.

The formula $X\varphi$ is read “at the next state $\varphi$”, and $\psi\,U\,\varphi$ is read “$\psi$ until $\varphi$”.

Given a path π in $T$ such that $\pi(0) \in W_0$, we denote by $\pi^i$ the infinite suffix of π starting at the state $\pi(i) \in W$.

3.2.3 LTL Semantics and Abbreviations

The satisfaction (|=) of an LTL formula ϕ, with respect to an infinite run π in a transition system T , is defined as follows:

$\pi \models p$ iff $p \in V(\pi(0))$

$\pi \models \neg\varphi$ iff it is not the case that $\pi \models \varphi$

$\pi \models \varphi \vee \psi$ iff $\pi \models \varphi$ or $\pi \models \psi$

$\pi \models X\varphi$ iff $\pi^1 \models \varphi$

$\pi \models \varphi\,U\,\psi$ iff $\exists i \ge 0$ s.t. $\pi^i \models \psi$ and $\forall j < i,\ \pi^j \models \varphi$

Intuitively, a run π satisfies the LTL formula $\psi\,U\,\varphi$ iff $\psi$ holds at every state up until some state at which $\varphi$ holds. Similarly, a run π satisfies $X\varphi$ iff the suffix of the path starting at the next state satisfies $\varphi$.

3.2.3.1 LTL Abbreviations

The temporal operators G (“always”, globally) and F (“eventually”, future) can be further defined as:

$F\varphi \equiv \mathit{true}\,U\,\varphi$

The definition of $F\varphi$ is naturally expressed as an until formula, since an until formula requires its right-hand argument to hold at some point on the run; as $\mathit{true}$ holds at every state, the definition of F is intuitive.

3.2.3.2 Closure of an LTL formula

The closure $cl(\varphi)$ of an LTL formula is the set of all subformulae of the formula, including the formula itself. For example, the closure of $\varphi = Xp\,U\,Xq$ is:

$cl(\varphi) = \{\,Xp\,U\,Xq,\ Xp,\ Xq,\ p,\ q\,\}$
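The LTL semantics, the F abbreviation and the closure above, worked in code. This is an added example and not part of the thesis: it decides satisfaction of a formula over an ultimately periodic path (a constructed prefix plus cycle standing in for an infinite run), where the infinite quantifier in the until clause becomes a finite search, and computes cl(ϕ) for the page's example formula. The tuple encoding of formulas, the sample path and the G ≡ ¬F¬ definition are assumptions.

```python
# Added example (not from the thesis): LTL satisfaction over an ultimately periodic
# path (finite prefix + cycle), a finite representation of an infinite run in W^omega.
# Positions carry V(state); formulas are nested tuples:
#   ('p', name), ('not', f), ('or', f, g), ('X', f), ('U', f, g), ('true',)
def F(f):                      # F phi == true U phi (Section 3.2.3.1)
    return ('U', ('true',), f)

def G(f):                      # G phi == not F not phi (standard dual; assumed, not from the page)
    return ('not', F(('not', f)))

def state(path, k):            # V(pi(k)): fold position k into the prefix or the cycle
    prefix, cycle = path
    return prefix[k] if k < len(prefix) else cycle[(k - len(prefix)) % len(cycle)]

def sat(f, path, k=0):
    """Decide pi^k |= f using the semantic clauses of Section 3.2.3."""
    prefix, cycle = path
    op = f[0]
    if op == 'true':
        return True
    if op == 'p':
        return f[1] in state(path, k)
    if op == 'not':
        return not sat(f[1], path, k)
    if op == 'or':
        return sat(f[1], path, k) or sat(f[2], path, k)
    if op == 'X':
        return sat(f[1], path, k + 1)
    if op == 'U':
        # Suffixes beyond max(k, P) + C - 1 repeat one inside this window, so a finite search suffices.
        for i in range(k, max(k, len(prefix)) + len(cycle)):
            if sat(f[2], path, i):          # psi holds here: witness found
                return True
            if not sat(f[1], path, i):      # phi broken before any witness
                return False
        return False
    raise ValueError(f"unknown operator {op}")

def closure(f):                # cl(f): the formula itself and all of its subformulae (Section 3.2.3.2)
    out = {f}
    for sub in f[1:]:
        if isinstance(sub, tuple):
            out |= closure(sub)
    return out

# Constructed run: a, a, then (b, a) forever.
PATH = ([{'a'}, {'a'}], [{'b'}, {'a'}])
A, B, C = ('p', 'a'), ('p', 'b'), ('p', 'c')
PHI = ('U', ('X', A), ('X', B))           # the page's closure example, X p U X q
```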

3.2.4 Computational Tree Logic

Computational Tree Logic (CTL) [Clarke et al., 1986; Clarke et al., 1999; Baier and Katoen, 2008] is a branching-time logic and is able to express the existence of, and properties of, runs of a system.

3.2.4.1 CTL Syntax

The inductive syntax of CTL is as follows:

$\varphi ::= p \mid \neg\varphi \mid \varphi \vee \varphi \mid EX\varphi \mid EG\varphi \mid E[\varphi\,U\,\varphi]$

The readings are as follows:

• $EX\varphi$ – “there exists a next state that satisfies ϕ”

• $EG\varphi$ – “there exists a path along which ϕ holds globally”

• $E[\psi\,U\,\varphi]$ – “there exists a path where ψ holds until ϕ”.

3.2.5 CTL Semantics and Abbreviations

Unlike LTL, the satisfaction of a CTL formula is given with respect to a state s ∈ W :

$s \models p$ iff $p \in V(s)$

$s \models \neg\varphi$ iff it is not the case that $s \models \varphi$

$s \models \varphi \vee \psi$ iff $s \models \varphi$ or $s \models \psi$

$s \models \varphi \wedge \psi$ iff $s \models \varphi$ and $s \models \psi$

$s \models EG\varphi$ iff $\exists \pi$ s.t. $\pi(0) = s$ and $\forall m \ge 0,\ \pi(m) \models \varphi$

$s \models E[\varphi\,U\,\psi]$ iff $\exists \pi$ with $\pi(0) = s$ s.t. $\exists m \ge 0,\ \pi(m) \models \psi$ and $\forall\, 0 \le j < m,\ \pi(j) \models \varphi$

3.2.5.1 CTL Abbreviations

Given the syntax of CTL, we define the further temporal operators:

$AX\varphi \equiv \neg EX(\neg\varphi)$

$EF\varphi \equiv E[\mathit{true}\,U\,\varphi]$

$AG\varphi \equiv \neg EF(\neg\varphi)$

$A[\varphi\,U\,\psi] \equiv \neg E[\neg\psi\,U\,(\neg\varphi \wedge \neg\psi)] \wedge \neg EG\neg\psi$

$AF\varphi \equiv A[\mathit{true}\,U\,\varphi]$

In contrast to their existential counterparts, an “A” formula is read as “for all paths”. This can easily be seen in the case of $AX\varphi$: if there is no successor satisfying $\neg\varphi$, then all successors must satisfy $\varphi$.
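The CTL semantics and the “A” abbreviations above, as an added example that is not part of the thesis: a small explicit-state model checker that computes the set of states satisfying a formula on a constructed transition system, with EG and E[U] computed as fixpoints and AX, EF, AG, AF and A[U] rewritten exactly as defined in Section 3.2.5.1. The tuple encoding of formulas and the request/acknowledge system are assumptions.

```python
# Added example (not from the thesis): explicit-state CTL model checking on a finite
# transition system T = <W, R, W0, V>.  EX, EG and E[U] follow the semantic clauses of
# Section 3.2.5 as fixpoint computations; AX, EF, AG, AF and A[U] are rewritten
# exactly as the abbreviations of Section 3.2.5.1.  Formulas are nested tuples.
W = {0, 1, 2, 3}                                   # constructed system
R = {(0, 1), (0, 2), (1, 1), (2, 3), (3, 0)}       # serial: every state has a successor
W0 = {0}
V = {0: {'req'}, 1: set(), 2: {'req'}, 3: {'ack'}}
def serial(W, R):
    return all(any((w, u) in R for u in W) for w in W)
def pre_exists(R, S):            # states with at least one successor in S
    return {w for (w, u) in R if u in S}
def sat(f, W, R, V):
    """Return the set {s in W | s |= f}."""
    sub = lambda g: sat(g, W, R, V)
    op = f[0]
    if op == 'true': return set(W)
    if op == 'p': return {s for s in W if f[1] in V[s]}
    if op == 'not': return W - sub(f[1])
    if op == 'or': return sub(f[1]) | sub(f[2])
    if op == 'and': return sub(f[1]) & sub(f[2])
    if op == 'EX': return pre_exists(R, sub(f[1]))
    if op == 'EG':                # greatest fixpoint: states that can stay inside [[f]] forever
        S, Z = sub(f[1]), set(W)
        while True:
            Z2 = S & pre_exists(R, Z)
            if Z2 == Z: return Z
            Z = Z2
    if op == 'EU':                # least fixpoint: [[g]] plus states reaching it through [[f]]
        S1, S2, Z = sub(f[1]), sub(f[2]), set()
        while True:
            Z2 = S2 | (S1 & pre_exists(R, Z))
            if Z2 == Z: return Z
            Z = Z2
    if op == 'AX': return sub(('not', ('EX', ('not', f[1]))))
    if op == 'EF': return sub(('EU', ('true',), f[1]))
    if op == 'AG': return sub(('not', ('EF', ('not', f[1]))))
    if op == 'AF': return sub(('AU', ('true',), f[1]))
    if op == 'AU':                # A[g U h] == not E[not h U (not g and not h)] and not EG not h
        g, h = f[1], f[2]
        return sub(('and', ('not', ('EU', ('not', h), ('and', ('not', g), ('not', h)))),
                           ('not', ('EG', ('not', h)))))
    raise ValueError(f"unknown operator {op}")
def holds(f):                    # does every initial state satisfy f?
    return W0 <= sat(f, W, R, V)
# "every request is eventually acknowledged" fails here: the self-loop at state 1 never acks
SPEC = ('AG', ('or', ('not', ('p', 'req')), ('AF', ('p', 'ack'))))
```

The states returned by sat for the negated inner formula name exactly the states from which the self-loop at 1 is reachable without an acknowledgement, which is the information a counterexample trace is built from.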

3.2.5.2 Closure of a CTL formula

As for LTL, we define the closure of a CTL formula to be the formula itself and all of its constituent subformulae.

For example, the closure of $\varphi = A[AXp\,U\,EXq]$ is:

$cl(\varphi) = \{\,A[AXp\,U\,EXq],\ AXp,\ EXq,\ p,\ q\,\}$

3.2.6 Further Logics

For completeness, and for use later in the thesis, we now introduce three further logics: CTL∗, ACTL and ECTL.

3.2.6.1 CTL∗

The logic CTL∗ is the branching-time logic that subsumes both CTL and LTL [Emerson and Halpern, 1986]. It consists of both path and state formulae, where path formulae come from LTL and state formulae come from CTL.

The two types of formulae are defined as follows.

• State formulae: $\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid A(\psi) \mid E(\psi)$, where $p$ is an atomic proposition and $\psi$ is a path formula.

• Path formulae: $\psi ::= \varphi \mid \neg\psi \mid \psi \wedge \psi \mid \psi\,U\,\psi \mid G\psi \mid F\psi \mid X\psi$, where $\varphi$ is a state formula.

We refer the reader to [Emerson and Halpern, 1986] for the exact semantics of CTL∗. It is clear from the above definition that CTL∗ subsumes both CTL and LTL.

3.2.6.2 ACTL and ECTL

The two logics ACTL and ECTL are fragments of the logic CTL: ACTL is called the universal fragment of CTL and ECTL the existential fragment.

The fragments have the following syntax.

• Universal fragment: $\varphi ::= p \mid \neg p \mid AX\varphi \mid A[\varphi\,U\,\varphi] \mid A\,\varphi\,U\,\varphi \mid AG\varphi \mid AF\varphi$

• Existential fragment: $\varphi ::= p \mid \neg p \mid EX\varphi \mid E[\varphi\,U\,\varphi] \mid E\,\varphi\,U\,\varphi \mid EG\varphi \mid EF\varphi$

It is important to note that in ACTL and ECTL negation can only be applied to propositional atoms. As such, ACTL can only be used to specify properties that hold over all runs, while ECTL can only be used to express the existence of runs.