Revisiting Separation: Algorithms and Complexity

(1)

Revisiting Separation: Algorithms and Complexity

Daniel Oliveira

¹

and Jo˜ ao Rasga

^1,2

1Dep. Matem´atica, Instituto Superior T´ecnico, U Lisboa, Portugal

2Centro de Matemática, Aplica¸cões Fundamentais e Investiga¸cão Operacional, U Lisboa, Portugal

December 2019

Abstract

Linear temporal logic with Since and Until modalities is expressively equivalent, over the class of complete linear orders, to a fragment of first-order logic known as FOMLO. It turns out that linear temporal logic, under some basic assumptions, is expressively complete if and only if it has the property, called separation, that every formula is equivalent to a Boolean combination of formulas that each refer only to the past, present or future. Herein we present simple algorithms and their implementations to perform separation of the linear temporal logic with Since and Until, over discrete and complete linear orders, and translation from FOMLO formulas into equivalent temporal logic formulas. We additionally show that the separation of a certain fragment of linear temporal logic results in at most a double exponential size growth.

1 Introduction

In 1957 in [1], Arthur Prior introduced Tense Logic, by extending propositional logic with two operators P and F , with the intended semantics that P ϕ is true if ϕ was true at some time in the past, and F meaning the same but in the future direction.

A few years later, Amir Pnueli proposed the use of this logic in the analysis of properties of computer programs ([2]), and although Prior’s Tense Logic is strong enough to express many useful properties, there are still properties that are not expressible. Examples of properties of practical interest that cannot be expressed can be found in [3].

The question of how expressive these logics are naturally arose. A way to measure the expressiveness follows by considering a fragment of first-order logic which seems to appropriately describe everything that we ought to be able to say, and then check if all these properties can also be expressed in temporal logic. Or, more precisely, a temporal logic is expressively complete if for every first-order formula in this fragment, there is a temporal logic formula that has exactly the same models (and vice-versa from temporal logic to the first-order fragment).

In 1968 in [4], Hans Kamp introduced two temporal operators Since and Until, with the intended meaning that A Until B holds if in the future B will be true and until then A is always true, and similarly for Since but in the past direction. He also defined a fragment of first-order logic now known as FOMLO (First-Order Monadic Logic of Order) which appears appropriate in the sense described above, and showed that if we consider a Dedekind-complete linear model of time, then a temporal logic with just these two operators is expressively complete. A shorter proof of this result can be found in [5].

Still in [3], it is shown that a logic with only the temporal operator Until is expressively complete over the natural numbers, when considering satisfaction at the initial point of time. Or alternatively over complete and discrete linear orders when considering a fragment of FOMLO that restricts quantifiers such that they can only do bounded quantification and never into the past. This result also implies that, at the initial point, having the additional Since operator does not add expressive power. Although it does not add expressive power, it still gives us something, namely succinctness. In [6] it is shown that there are formulas in the language with both operators such that an equivalent formula using only Until is necessarily at least exponentially larger. Even so, nowadays, this language only with Until is quite popular and has found many practical applications, for example in the analysis of the correctness of computer programs and systems with concurrent processes. This language is now known as LTL (Linear Temporal Logic).

Dov Gabbay showed that the logic with both Since and Until has the property, called separation, that for every formula there is an equivalent formula consisting of a Boolean combination of formulas that each talk only about the past, present or future. This is mentioned already in [3]

(2)

and a proof of this over the integers can be found in [7]. A proof over Dedekind-complete linear time was later developed in [8]. This property not only leads to a proof of Kamp’s theorem, but it turns out that, over any class of linear orders, a temporal logic has the separation property if and only if it is expressively complete, provided that the temporal logic can at least express Prior’s P and F operators. This is shown in [8] and [9].

In this paper we provide simple algorithms that perform separation and translation. We show that they are sound and complete; that is, given any formula of the temporal language with Since and Until, the separation algorithm constructs a separated formula equivalent to the first over complete and discrete linear time, and given any FOMLO formula, the translation algorithm constructs an equivalent temporal logic formula. In particular we show that these algorithms always terminate and that separation of a certain fragment of temporal logic results in at most doubly exponential size growth.

The translation algorithm is a simplified version of the algorithm that can be extracted from Theorem 2.3 in [7]. The same translation algorithm can in fact be used to translate from FOMLO to any expressively complete temporal logic, when provided with a separation algorithm for the logic. We also give an algorithm to translate FOMLO to LTL, which only requires a small addition to the main translation algorithm.

The algorithm that can be extracted from Gabbay’s proof of separation over integer time is of a different nature. It works by using a family of algorithms that can separate a restricted class of formulas, with the last one being able to perform separation on every formula. Each algorithm considers the whole formula, identifying the most “unseparated” subformulas and substituing certain subformulas with atoms so that the formula as a whole is of a form that can be processed with the previous algorithm. Then it substitutes the previously introduced atoms back with the subformulas they had replaced, and continues recursively. We instead opt for a simple unified recursive algorithm to perform separation. We also simplify some of the basic steps in the separation process and provide detailed proofs after introducing some concepts and notation that make it easier to do so.

All of the algorithms we describe have been implemented in the Haskell programming language (https://github.com/drdo/logic-translation).

1.1 Outline

Section 2 is an introduction to temporal logic and FOMLO. We define their syntax and semantics and some notation we will be using.

In section 3 we concern ourselves with separation of temporal logic. It begins by proving some results about temporal logic, then in section 3.1 the algorithm is fully defined, with section 3.2 being devoted to proving its correctness. Section 3.3 shows a double exponential upper bound on the size blowup of separation for a certain fragment of temporal logic.

In section 4 we turn to the problem of translating from FOMLO to temporal logic. We define the algorithm in section 4.1 and prove its correctness in section 4.2. Section 4.3 shows how to use the algorithm to perform the translation for other temporal logics.

2 Temporal Logic and FOMLO

In this section we introduce the logics, some notation, and show how to translate from temporal logic to FOMLO. For the remainder of this text, unless explicitly mentioned, when we say

“temporal logic” or “TL”, we mean the temporal logic defined in this section.

2.1 Syntax

Fix a countable set Pred that will serve as both the propositional variables in temporal logic and monadic predicates in FOMLO.

Definition 1. The language of temporal logic LTLis defined inductively by:

• ⊥ ∈ LTL

• > ∈ LTL

• ¬A ∈ LTL (A ∈ LTL)

• A ∨ B ∈ LTL (A, B ∈ LTL)

• A ∧ B ∈ LTL (A, B ∈ LTL)

• p ∈ LTL (p ∈ Pred)

• ASB ∈ LTL (A, B ∈ LTL)

• A U B ∈ LTL (A, B ∈ LTL)

(3)

The connectives are ordered by binding strength as follows: ¬ > S, U > ∨, ∧.

Definition 2. The set L_LTL of LTL formulas is defined just like the one of TL, but omitting the S case.

Definition 3. Some additional temporal operators:

• A := ⊥SA (Previous)

• A := >SA (Eventually in the past)

• A := ¬¬A (Forever in the past)

• A := ⊥ U A (Next)

• ♦A := > UA (Eventually)

• A := ¬♦¬A (Forever)

Definition 4. We say a formula A is simple if it has no outer Boolean structure, that is, if it is of the form p, BSC, or B U C (for some p ∈ Pred and B, C ∈ L_TL).

Definition 5. A formula is called non-future if it has no occurrences of U and non-past if it has no occurrences of S.

A pure past formula is then a Boolean combination of formulas of the form ASB where both A and B are non-future and similarly a formula is pure future if it is a Boolean combination of formulas of the form A U B with A and B non-past.

A formula is pure present if it is a Boolean combination of variables, ⊥ and >.

Definition 6. A formula is separated if it is a Boolean combination of pure formulas.

For FOMLO, we also need a set of variables, we call it Var and assume it is countable and infinite.

Definition 7. The set L_FOMLO of FOMLO formulas is defined inductively by:

• ⊥ ∈ LFOMLO

• > ∈ LFOMLO

• ¬α ∈ LFOMLO (α ∈ LFOMLO)

• α ∨ β ∈ LFOMLO (α, β ∈ L_FOMLO)

• α ∧ β ∈ L_FOMLO (α, β ∈ L_FOMLO)

• P (x) ∈ LFOMLO (P ∈ Pred, x ∈ Var)

• x = y ∈ LFOMLO (x, y ∈ Var)

• x < y ∈ LFOMLO (x, y ∈ Var)

• ∃_xα ∈ L_FOMLO (x ∈ Var, α ∈ L_FOMLO)

• ∀xα ∈ LFOMLO (x ∈ Var, α ∈ LFOMLO)

In both TL and FOMLO, we additionally define ϕ → ψ as an abbreviation for ¬ϕ ∨ ψ.

We use lower case letters from the latin alphabet to refer to elements of Pred in the context of temporal logic, and upper case latin letters to refer to these same elements in the context of FOMLO. Additionally, each letter refers to the same predicate symbol in both the lower case and upper case versions, for example p and P refer to the same predicate symbol.

We write Subs(A) to denote the set of subformulas of A.

2.2 Semantics

We will consider interpretation structures over a signature with a binary predicate < and countable unary predicates P ∈ Pred, with the interpretation of < a complete and discrete linear order. Where complete means that every non-empty bounded above subset has a supremum and every non-empty bounded below subset has an infimum, and discrete means that every non- maximal element has an immediate successor and every non-minimal element has an immediate predecessor. These conditions also imply that every infimum is in fact a minimum element of the subset, as if the infimum was not a minimum element, then its immediate successor would be a larger lower bound for the subset. A similar reasoning also allows us to conclude that every non-empty bounded above subset has a greatest element.

Definition 8. An interpretation structure I is a tuple I =D

D, <^I,P^I

P ∈Pred

E where D is a non-empty set called the domain of I, <^I is a complete and discrete linear order over D, and each P^I ⊆ D.

We write Domain(I) to refer to this D.

In temporal logic, we use the notation I, (t, s) A to mean that all the points in the interval (t, s) satisfy A. That is, for all r^>t_<s: I, r A. And similarly for [t, s), (t, s] and [t, s], which mean r^≥t_<s, r^>t_≤s and r_≤s^≥t, respectively. When we use 6 with this interval notation, we mean that no

(4)

point in the interval satisfies the formula, it does not mean that some point in the interval fails to satisfy.

This use of < should in fact have been <^I. We will continue to write < to refer to <^I when there is no risk of confusion. We might also write t ∈ I to mean t ∈ Domain(I).

Definition 9. Let I be an interpretation structure and t ∈ I. Then we define satisfaction of a temporal logic formula by the structure I at the point t by:

• I, t 6 T L⊥

• I, t T L>

• I, t T Lp if and only if t ∈ P^I

• I, t T L¬A if and only if I, t 6 T LA

• I, t T LA ∨ B if and only if I, t T LA or I, t T LB

• I, t T LA ∧ B if and only if I, t T LA and I, t T LB

• I, t T LASB if and only if there is an s <^I t such that: I, s T LB

I, r T LA for all r ∈ (s, t)

• I, t T LA U B if and only if there is an s >^I t such that: I, s ^{T L}B

I, r ^{T L}A for all r ∈ (t, s) Naturally, in the last two cases, s and r are over the domain of I.

We call the s in the definition of S (U ) satisfaction a witness for ASB (A U B) at t.

Satisfaction for FOMLO is defined in the usual way.

Definition 10. An assignment ρ into an interpretation structure I is a function ρ : Var → Domain(I).

We use the notation [x 7→ x₀, y 7→ y₀] to denote an assignment ρ such that ρ(x) = x₀ and ρ(y) = y₀. And the notation ρ[x 7→ x₀, y 7→ y₀] for an assignment identical to ρ except possibly at x and y, to which it assigns x₀ and y₀, respectively.

Definition 11. Let I be an interpretation structure and ρ an assignment into I, then:

• I, ρ 6 F OM LO ⊥

• I, ρ F OM LO >

• I, ρ F OM LO P (x) if and only if ρ(x) ∈ P^I

• I, ρ F OM LO (x = y) if and only if ρ(x) = ρ(y)

• I, ρ F OM LO (x < y) if and only if ρ(x) <^I ρ(y)

• I, ρ F OM LO ¬α if and only if I, ρ 6 F OM LOα

• I, ρ F OM LO α ∨ β if and only if I, ρ F OM LOα or I, ρ F OM LO β

• I, ρ F OM LO α ∧ β if and only if I, ρ ^{F OM LO}α and I, ρ ^{F OM LO} β

• I, ρ F OM LO ∃xα iff there is an assignment ρ⁰ identical to ρ except possibly at x such that I, ρ⁰ ^{F OM LO}α

• I, ρ F OM LO ∀xα iff for all assignments ρ⁰identical to ρ except possibly at x: I, ρ⁰ ^{F OM LO} α

Definition 12. In both TL and FOMLO, we may simply write when it is clear which logic we mean. And in TL we may write t A instead of I, t A when it is clear from the context which interpretation we are considering.

We use ≡ to denote semantic equivalence of formulas. That is, in the case of temporal logic:

A ≡ B means that for all interpretations I and points t of I: I, t A if and only if I, t B. And in the case of FOMLO, ϕ ≡ ψ means that for all interpretations I and assignments ρ: I, ρ ϕ if and only if I, ρ ψ.

(5)

3 Separation

In this section we define and prove the correctness of an algorithm that separates a temporal logic formula. But before we show the algorithm, we prove some crucial properties of temporal logic.

Definition 13. The dual of a formula is a formula obtained by replacing every S with an U , and vice-versa, in the given formula. We write Dual(A) for the dual of A.

We now show that this Dual has some expected properties, which allows us to only worry about U inside S and get the cases where S is inside U “for free”.

Definition 14. Given an interpretation structure I, I^op is called the opposite structure. It is defined just like I except that the interpretation of < is precisely the opposite order of the one of I. That is:

Domain(Iôp) = Domain(I) PÎôp= PÎ (for every P ∈ Pred)

<Îôp=hy, xi | hx, yi ∈ <Î Proposition 15. For every formula A: Dual(Dual(A)) = A.

Proof. It’s clear that swapping S and U twice results in the same formula.

Proposition 16. Let I be an interpretation structure, t a point of I, and A a formula. Then I, t A if and only if I^op, t Dual(A)

Proof. Straightforward induction on the structure of A.

Proposition 17. For all A, B ∈ LTL: A ≡ B if and only if Dual(A) ≡ Dual(B) Proof. We first show that A ≡ B implies Dual(A) ≡ Dual(B):

I, t Dual(A)

iff I^op, t Dual(Dual(A)) = A (Propositions 16 and 15)

iff I^op, t B (by assumption)

iff (I^op)^op= I, t Dual(B) (Proposition 16) For the other direction, using the result just above and proposition 15:

Dual(A) ≡ Dual(B) =⇒ Dual(Dual(A)) ≡ Dual(Dual(B)) ⇐⇒ A ≡ B

Thus far we have seen that dual formulas really are dual in the expected sense.

We now prove two important distribution results, namely that S distributes over ∧ on the right and over ∨ on the left. Naturally, by duality, U also distributes over ∧ on the right and ∨ on the left.

Proposition 18. For all A, B, C ∈ L_TL: (A ∧ B)SC ≡ ASC ∧ BSC Proof.

(⇒) Let t (A ∧ B)SC.

Then there is a tC < t such that tC C, (t^C, t) A and (t^C, t) B.

This same tC is also a witness for both ASC and BSC at t.

(⇐) Let t ASC ∧ BSC

Then there are tC, sC< t that satisfy C and (tC, t) A and (s^C, t) B.

Let r be the greatest of tC and sC.

Then r C. And (r, t) ⊆ (tC, t) ∩ (s_C, t), since t_C, s_C≤ r, so (r, t) A ∧ B.

This means that r is a witness for (A ∧ B)SC at t.

Corollary 19 (S right-distributes over ∧). For all A₁, . . . , A_n, B ∈ L_TL:

n

^

i=1

A_i

! SB ≡

n

^

i=1

(A_iSB)

Proof. Induction on n using proposition 18.

(6)

Corollary 20 (U right-distributes over ∧). For all A₁, . . . , A_n, B ∈ L_TL:

n

^

i=1

Ai

! U B ≡

n

^

i=1

(AiU B)

Proof. Duality, replace A and B with variables, use Proposition 17 with Corollary 19 and replace back A and B.

Proposition 21. For all A, B, C ∈ L_TL: AS(B ∨ C) ≡ ASB ∨ ASC Proof.

(⇒) Let t AS(B ∨ C).

Then there is a t_T < t such that t_T B ∨ C and (tT, t) A.

If t_T satisfies B then t ASB, similarly if tT satisfies C then t ASC.

(⇐) Let t ASB ∨ ASC.

There’s either a tBsuch that tB B and (t^B, t) A, or a t^Csuch that tC C and (t^C, t) A.

Either way, both tB and tC satisfy B ∨ C as well and are witnesses for AS(B ∨ C) at t.

Corollary 22 (S left-distributes over ∨). For all A, B1, . . . , Bn ∈ LTL:

AS

n

_

i=1

B_i

!

≡

n

_

i=1

(ASB_i)

Proof. Induction on n using Proposition 21.

Corollary 23 (U left-distributes over ∨). For all A, B1, . . . , Bn∈ LTL:

A U

n

_

i=1

B_i

!

≡

n

_

i=1

(A U B_i)

Proof. Duality with Corollary 22.

3.1 Algorithm

The algorithm works by recursively separating the immediate subformulas, which is all that is required for a Boolean operator. Instead of worrying about both S and U , the U case is handled by duality and the bulk of the algorithm is on how to separate a S.

When trying to separate a S, the distribution results we proved earlier help in the following way: Consider a formula ASB where A and B are already separated. A and B can be arbitrary Boolean combinations of simple pure formulas. If we convert the outer Boolean structure of A to conjunctive normal form and the one of B to disjunctive normal form, we can then use distribution to “split” ASB into a Boolean combination of formulas of the form CSD, where the outer Boolean structures are much simpler, namely C is a disjunctive clause of simple pure formulas and D is a conjunctive clause of simple pure formulas. We then only have to worry about “pulling” the simple pure U s from inside the S in this narrower case where the left side is a disjunctive clause and the right side is a conjunctive clause. We then eliminate one U from inside the S, removing it from both sides at once. There are eight possibilities for each, it can occur only on the left, or only on the right, or in both, and it can appear negated or not. Having pulled out one of the U s, we continue separating the result recursively.

Before we show the algorithm, we introduce the concept of path and paths of a formula. This is necessary later for the proof of correctness, but also allows us to define the algorithm a bit more conveniently, so we introduce it now.

Definition 24. A path is a finite sequence over {S, U }. We use hi to denote the empty path.

To avoid confusion, we call a path (in the usual sense of graph theory) on the syntax tree of a formula, a syntax path. And we call the path corresponding to a syntax path the sequence obtained by considering the labels on the syntax path and then deleting the labels outside of {S, U }.

For example, take A = pSq ∧ > U (⊥Sr). It has the following syntax tree:

(7)

∧

U

S

⊥ r

>

S

q p

Figure 1: Syntax tree of A

In this example, the path corresponding to the syntax path that starts from the root and goes left twice is S, and the one from the root to the right twice and then left is U S.

This leads to the definition of the paths of a formula.

Definition 25. Given a formula A, Paths(A) is the set of paths corresponding with the syntax paths from the root of the syntax tree of A to a leaf, except for the empty path.

The following definition, used in the algorithm, is why we needed to define Paths beforehand.

Definition 26. The temporal depth of a formula A is the maximum length of a path of A.

We can finally present the algorithm. The eight transformations (T1, T2, etc) are defined afterwards.

When we write (¬?) in the algorithm, we mean to allow the possibility of a negation occurring there.

Definition 27. We assume the following regarding normal forms and normal form conversions in the context of the Sep algorithm:

• Non-future formulas and simple pure future formulas are considered atoms.

• Each clause in a normal form has no repeated literals and no complementary literals.

• Normal form conversion is done in the conventional way, by first converting to negation normal form and then distributing ∨ over ∧ or vice-versa.

procedure Sep(X)

0if X is separated then return X

1else if X = ¬A then return ¬Sep(A)

2else if X = A ∨ B then return Sep(A) ∨ Sep(B)

3else if X = A ∧ B then return Sep(A) ∧ Sep(B)

4else if X = ASB with A a separated disjunctive clause, and B a separated conjunctive clause

let

m

W

i=1

(¬?)A_i:= A let

n

V

j=1

(¬?)Bj:= B

let C := {(¬?)Ai| Ai is a pure future formula, i ∈ [1, m]}

let A := {(¬?)Ai| i ∈ [1, m]} − C

let D := {(¬?)Bj | Bj is a pure future formula, j ∈ [1, n]}

let B := {(¬?)Bj | j ∈ [1, n]} − D (X ≡ (W A ∨ W C)S(V B ∧ V D)) let (¬?)(F U G) ∈ C ∪ D with maximal temporal depth in C ∪ D

let A⁰:=W ((A ∪ C) − {F U G, ¬ (F U G)}) let B⁰:=V ((B ∪ D) − {F U G, ¬ (F U G)})

4.1if F U G ∈ C and F U G, ¬ (F U G) 6∈ D (X ≡ (A⁰ ∨ F U G)SB⁰) return Sep(T₁(A⁰, B⁰, F, G))

4.2else if F U G, ¬ (F U G) 6∈ C and F U G ∈ D (X ≡ A⁰S(B⁰ ∧ F U G)) return Sep(T₂(A⁰, B⁰, F, G, ))

4.3else if F U G ∈ C and F U G ∈ D (X ≡ (A⁰ ∨ F U G)S(B⁰ ∧ F U G)) return Sep(T3(A⁰, B⁰, F, G))

4.4else if ¬ (F U G) ∈ C and F U G, ¬ (F U G) 6∈ D (X ≡ (A⁰ ∨ ¬ (F U G))SB⁰) return Sep(T4(A⁰, B⁰, F, G))

4.5else if F U G, ¬ (F U G) 6∈ C and ¬ (F U G) ∈ D (X ≡ A⁰S(B⁰ ∧ ¬ (F U G))) return Sep(T5(A⁰, B⁰, F, G, ))

4.6else if F U G ∈ C and ¬ (F U G) ∈ D (X ≡ (A⁰ ∨ F U G)S(B⁰ ∧ ¬ (F U G)))

(8)

return Sep(T₆(A⁰, B⁰, F, G, ))

4.7else if ¬ (F U G) ∈ C and ¬ (F U G) ∈ D (X ≡ (A⁰ ∨ ¬ (F U G))S(B⁰ ∧ ¬ (F U G))) return Sep(T₇(A⁰, B⁰, F, G, ))

4.8else if ¬ (F U G) ∈ C and F U G ∈ D (X ≡ (A⁰ ∨ ¬ (F U G))S(B⁰ ∧ F U G)) return Sep(T8(A⁰, B⁰, F, G, ))

5else if X = ASB let

m

V

i=1

Ai be a CNF of Sep(A) let

n

W

j=1

Bj be a DNF of Sep(B)

if m = 0 then set m to 1 and A1 to >

if n = 0 then set n to 1 and B1 to ⊥ return

n

W

j=1 m

V

i=1

Sep(AiSBj)

6else if X = A U B then return Dual(Sep(Dual(X)))

In case 4 what we are doing is essentially picking one of the “hardest” cases and choosing to eliminate that one first.

3.1.1 Transformations

To make things easier to follow, we will be using diagrams such as the following:

s

B A ∨ F U G

t

C

Figure 2: Example diagram

Where , and represent points in the domain of the interpretation. With referring to a specific point, to the existence of a point and to a point that may or may not exist.

The order of the points in the diagram, from left to right, reflects the intended relationship between them in the interpretation’s order. And if a point is next to another, it means there is no other point between them. To represent an arbitrary number of points, we use .

Diagram 2 would mean that there is a point s < t, s satisfies B, (s, t) satisfies A ∨ F U G and all points greater than s satisfy C.

Proposition 28. Let A, B ∈ L_TL, t a point and t ASB.

Then there is a witness t_B for ASB at t such that (t_B, t) ¬B, and we call such a tB the nearest witness.

Proof. Let W = {s < t | s B and (s, t) A} be the set of witnesses.

W is non-empty because t ASB, and is bounded above by t.

So let t_B be the greatest element of W .

If any s⁰ ∈ (t_B, t) satisfied B, then s⁰ would be a witness for ASB at t greater than t_B, but this contradicts the fact that tB is the greatest element of W , so (tB, t) ¬B.

Definition 29. Given a point t in a discrete order, Suc(t) is the immediate successor of t and Pred(t) is the immediate predecessor of t.

We are indeed overloading the use Pred for the immediate predecessor as well as the set of propositions, but we will do so as confusion is unlikely.

Proposition 30. For all A, B ∈ LTL: A U B ≡ (B ∨ (A ∧ A U B)) Proof. (⇒) Let t A UB with t^B as witness.

If tB = Suc(t) then Suc(t) B which is equivalent to t B.

Otherwise Suc(t) ∈ (t, tB), and so Suc(t) A and also Suc(t) A UB (with t^B as witness).

(⇐) If Suc(t) B then Suc(t) is a witness for t A UB.

If Suc(t) A and Suc(t) A UB with t^B as witness, then tB is also a witness for A U B at t, as (t, tB) = [Suc(t), tB) A.

(9)

Proposition 31. Let T₁(A, B, F, G) := P ∧ P⁰SB where

N := (¬G ∧ ¬B)S(¬A ∧ ¬B) P⁰:= N → G ∨ F P := N → G ∨ (F ∧ F U G) Then (A ∨ F U G)SB ≡ T1(A, B, F, G)

In this case, if t0 satisfies (A ∨ F U G)SB, then there is some tB < t0 with tB B and (tB, t0) A ∨ F UG. The difficulty here is finding a way to ensure all the points in (t^B, t0) satisfy F U G if they don’t happen to satisfy A, but without explicitly using U .

For some point to satisfy F U G, there needs to be an uninterrupted chain of F s followed by a G. When a point s ∈ (tB, t0) satisfies N = (¬G ∧ ¬B)S(¬A ∧ ¬B), this intuitively means that there is some point in (tB, s) that did not satisfy A and so needs to satisfy F U G, but there has been no witness so far since ¬G has been true.

Our point s then needs to ensure that this happens by either being a witness itself or continuing the chain of F s, this what P⁰ = N → G ∨ F means. Finally at t₀, if there is still no witness, t₀ itself must either be a witness or ensure that one exists in the future, this is done with P = N → G ∨ (F ∧ F U G).

Proof. (⇒) Let t0satisfy (A ∨ F U G)SB with a witness tB. We show that t0 P and (t^B, t0) P⁰, which implies that tB is a witness for P⁰SB at t0.

To do this, we first notice that P → P⁰, and prove the stronger result (tB, t0] P . So, for this purpose, let s ∈ (tB, t0] with s N = (¬G ∧ ¬B)S(¬A ∧ ¬B), and let s¬Abe a witness for this fact. s_¬Acannot be before tB, as that would imply that tB∈ (s_¬A, s) and so would have to satisfy ¬B, which is a contradiction. And it cannot be equal to tB, for the same reason. Hence s¬A occurs between tB and s. This means that s¬A must satisfy F U G as it does not satisfy A.

A diagram illustrating the situation:

t_B

B A ∨ F U G

s¬A

¬A F U G

¬G

s

Figure 3: s N with s^¬A as witness

Since s_¬A satisfies F U G, there must be a witness w > s_¬A of this fact, and w ≥ s since no point between s_¬A and s satisfies G. If w = s then s G. If w > s then s is between s¬A and w and so satisfies F , and w is also a witness for F U G at s.

(⇐) Let t₀ P ∧ P⁰SB with t_B the nearest witness for P⁰SB. If we show that (t_B, t₀) A ∨ F U G then tB is also a witness for (A ∨ F U G)SB at t0.

We now show that P is satisfied in the whole of (tB, t0] by induction on the order t0 → Pred(t0) → Pred²(t0) → · · · . The base case is trivial, we already know t0 P . For the inductive step, let Pred(s) ∈ (tB, t0) and assume Pred(s) N = (¬G ∧ ¬B)S(¬A ∧ ¬B) with r as witness. Remember that we have s P by the induction hypothesis. Diagram:

(10)

r

¬A

¬B

¬G

¬B

Pred(s)

P⁰

s

P

Figure 4: Pred(s) N with r as witness If Pred(s) G then also Pred(s) G ∨ (F ∧ F UG) and we are done.

If Pred(s) ¬G, then we have Pred(s) F via P⁰, and remember that Pred(s) ∈ (t_B, t₀), which means that Pred(s) ¬B since tB is the nearest witness for P⁰SB at t₀. This gives us Pred(s) ¬G ∧ ¬B and so r is also a witness for N at s, which gives us s G ∨ (F ∧ F UG) via P . Given this, by proposition 30, Pred(s) F UG as well.

We have thus showed that (tB, t0] P .

Now consider s¬A∈ (tB, t0) such that s¬A ¬A. Again because t^B is the nearest witness, s¬A ¬A ∧ ¬B and so s^¬A is a witness for N at Suc(s¬A) ∈ (tB, t0]. Therefore Suc(s¬A) G ∨ (F ∧ F U G) via P , and s_¬A F UG by proposition 30.

Proposition 32. Let T2(A, B, F, G) := H< ∨ H= ∨ H>

where

H<:= AS(G ∧ A ∧ (A ∧ F )SB) H₌:= (A ∧ F )SB ∧ G H_>:= (A ∧ F )SB ∧ F ∧ F U G Then AS(B ∧ F U G) ≡ T₂(A, B, F, G)

Proof. The satisfaction of AS(B ∧ F U G) at t₀is equivalent to the existence of a witness t_B< t₀ for AS(B ∧ F U G) at t₀ and a witness t_G> t_B for F U G at t_B.

Since we are working over linear orders, we can split this into a disjunction of three cases, depending on whether t_G< t₀, t_G= t₀ or t_G> t₀.

For the first case, we have the following diagram:

t_B

B A

F

t_G

G

t₀

Figure 5: t0 AS(B ∧ F UG) with t^G< t0

Adjusting this diagram slightly by “splitting” the A, we obtain:

t_B

B A

F

t_G

A

G

A

t₀

Figure 6: t0 AS(B ∧ F UG) with t^G< t0, simplified

(11)

It is then clear that this diagram is equivalent to t_B being a witness for (A ∧ F )SB at t_G, and t_G a witness for AS(G ∧ A ∧ (A ∧ F )SB) = H_< at t₀.

The second case (tG= t0) is equivalent to the diagram:

tB

B A

F

t0, tG

G

Figure 7: t₀ AS(B ∧ F UG) with tG= t₀ Which is equivalent to (A ∧ F )SB ∧ G = H₌ at t₀.

The third case (tG > t0):

tB

B A

F

t0 tG

G

Figure 8: t₀ AS(B ∧ F UG) with tG> t₀ By splitting the F we get:

t_B

B A

F

t₀

F F

t_G

G

Figure 9: t0 AS(B ∧ F UG) with t^G> t0, simplified And so diagram 9 is equivalent to (A ∧ F )SB ∧ F ∧ F U G = H> at t0. Proposition 33. Let T3(A, B, F, G) := H< ∨ H≥

where

N := ¬GS¬A P⁰:= N → G ∨ F P := N → G ∨ (F ∧ F U G)

H< := P ∧ P⁰S(G ∧ F SB) H_≥:= F SB ∧ (G ∨ (F ∧ F U G)) Then (A ∨ F U G)S(B ∧ F U G) ≡ T₃(A, B, F, G)

Proof. Let t0 be a point. Then t0 satisfies (A ∨ F U G)S(B ∧ F U G) if and only if there is a tB < t0such that tB B ∧ F UG and (t^B, t0) A ∨ F UG. The satisfaction of F UG at t^B is equivalent to the existence of a witness tG > tB. We can split this into two cases, tG∈ (tB, t0) or tG≥ t0. We show that these cases are equivalent to H< and H_≥, respectively.

(12)

The first case, where t_G occurs between t_B and t₀ is equivalent to the following diagram:

t_B

B A ∨ F U G

F

t_G

G

t₀

Figure 10: t0 (A ∨ F UG)S(B ∧ F UG) with t^G < t0

Notice that in this case F U G is also satisfied in (t_B, t_G) with t_G as witness and so we can simplify the diagram to:

tB

B

F

tG

A ∨ F U G

G

t0

Figure 11: t₀ (A ∨ F UG)S(B ∧ F UG) with tG< t₀, simplified

We also have tG G ∧ F SB, this last one with t^B as witness. Given that P → P⁰, we will show that P is satisfied in (tG, t0] to obtain the left to right implication, with tGas a witness for P⁰S(G ∧ F SB) at t0.

Given a point s ∈ (tG, t0], assume s N = ¬GS¬A, we have to show that s satisfies either G or F ∧ F U G. This means there is a witness s¬A < s, which cannot occur before tG, as that would contradict the fact that tG G, and therefore occurs at t^G or between tG and s, which means that s_¬A F UG. In a (partial) diagram:

s¬A

A ∨ F U G

¬A F U G

¬G

s

Figure 12: Consequences of s N

To satisfy F U G at s_¬A there must be a witness at s or after s, since no point between s_¬A and s can be a witness. If s G then we are done. If there is some witness after s, then s must satisfy F and the same witness provides s F UG.

Now, still in the first case, we worry about the other direction. Assume t0 H^< = P ∧ P⁰S(G ∧ F SB), with tG a witness for P⁰S(G ∧ F SB) at t0 and tB a witness for F SB at tG. Diagram:

(13)

tB

B F

tG

G P⁰

t0

P

Figure 13: t0 H^<

We will show that [t_G, t₀) A ∨ F UG, which gives us the situation in diagram 11.

Similarly to the (⇐) case of T1, we first show (tG, t0] P by induction on the order t⁰ → Pred(t0) → Pred²(t0) → · · · .

The base case is again trivial since we have t0 P . So let Pred(s) ∈ (t^G, t0) and assume Pred(s) N = ¬GS¬A with r as witness. Diagram:

r

¬A

¬G

Pred(s)

P⁰

s

P

Figure 14: Pred(s) N with r as witness If Pred(s) G then Pred(s) G ∨ (F ∧ F UG).

If Pred(s) ¬G then Pred(s) F via P⁰, and r is also a witness for N at s which gives us s G ∨ (F ∧ F UG) via P and then Pred(s) F UG by proposition 30.

Given this, any s¬A ∈ [tG, t0) that satisfies ¬A is a witness for N at Suc(s¬A) ∈ (tG, t0], which gives us Suc(s¬A) G ∨ (F ∧ F UG) via P and s^¬A F UG by proposition 30.

This concludes the first case.

For the second case, where tG ≥ t0, we have the following diagrams for the cases where tG = t0and tG> t0, respectively:

t_B

B A ∨ F U G

F

t₀, t_G

G

Figure 15: t0 (A ∨ F UG)S(B ∧ F UG) with t^G = t0

t_B

B A ∨ F U G

F

t₀ t_G

G

Figure 16: t0 (A ∨ F UG)S(B ∧ F UG) with t^G > t0

(14)

In either case, t_G is a witness for F U G everywhere in (t_B, t₀), and so the diagrams without A ∨ F U G in (t_B, t₀) are equivalent.

The first diagram is then equivalent to t₀ F SB ∧ G and the second to t0 F SB ∧ F ∧ F U G, which combined by distribution give us F SB ∧ (G ∨ (F ∧ F U G)) = H_≥.

Proposition 34. For all A ∈ LTL, ¬¬A ≡ A.

Proof. Recall that A is defined as ¬¬A, then: ¬¬A = ¬¬¬¬A ≡ A.

Proposition 35. For all A, B ∈ LTL: ¬ (ASB) ≡ ¬BS(¬A ∧ ¬B) ∨ ¬B Proof. (⇒) Let t ¬ (ASB) and consider the set S = {x < t | x B}.

If S is empty then all points before t satisfy ¬B and so t ¬B.

Otherwise, let s be the greatest point in S. There must be a point in (s, t) that does not satisfy A, as otherwise we would have t ASB, call such point r. We are now in the situation described by the following diagram:

s

B ¬B

r

¬A

t

Figure 17: s is the greatest point before t that satisfies B Which means that r is a witness for ¬BS(¬A ∧ ¬B) at t.

(⇐) If t ¬B then immediately t ¬ (ASB).

If t ¬BS(¬A ∧ ¬B) then let r be a witness. For every point s before t that satisfies B we must have s < r since [r, t) ¬B, but in that case there is at least one point in (s, t) that does not satisfy A, namely r.

Corollary 36. For all A, B ∈ LTL: ¬ (A U B) ≡ ¬B U (¬A ∧ ¬B) ∨ ¬B Proof. Duality with proposition 35.

Proposition 37. Let T4(A, B, F, G) := ¬T2(¬B, ¬A ∧ ¬B, F, G) ∧ B Then (A ∨ ¬ (F U G))SB ≡ T4(A, B, F, G)

Proof. We have (A ∨ ¬ (F U G))SB ≡ ¬¬ ((A ∨ ¬ (F U G))SB). By using proposition 35 with the inner negation and the S we obtain

¬h

¬BS(¬ (A ∨ ¬ (F U G)) ∧ ¬B) ∨ ¬Bi

Applying a De Morgan law to ¬ (A ∨ ¬ (F U G)) and then again on the outer negation and disjunction:

¬ (¬BS(¬A ∧ F U G ∧ ¬B)) ∧ ¬¬B Rearranging the right side of the S and using proposition 34 on ¬¬B:

¬ (¬BS(¬A ∧ ¬B ∧ F U G)) ∧ B

The left conjunct is now in the form of T2(proposition 32), which gives us the final result

¬T2(¬B, ¬A ∧ ¬B, F, G) ∧ B

Lemma 38. AS(B ∧ G) ≡ (A ∧ G)SB ∧ G ∧ G

(15)

Proof. The left side of the equivalence is equivalent to the existence of the diagram:

t_B

B

G A

t₀

Figure 18: t₀ AS(B ∧ G) with t^B as witness By splitting the G we see that it’s also equivalent to the right side.

Proposition 39. Let T5(A, B, F, G) := AS(¬F ∧ ¬G ∧ A ∧ (A ∧ ¬G)SB)

∨ (A ∧ ¬G)SB ∧ ¬G ∧ (¬F ∨ ¬ (F U G)) Then AS(B ∧ ¬ (F U G)) ≡ T5(A, B, F, G)

Proof. We start with AS(B ∧ ¬ (F U G)). By corollary 36, we can split the ¬ (F U G) to get AS(B ∧ (¬G U (¬F ∧ ¬G) ∨ ¬G))

Performing distribution with the newly introduced disjunction, this is equivalent to the disjunction of the following two formulas

AS(B ∧ ¬G U (¬F ∧ ¬G)) AS(B ∧ ¬G)

The first one is in the form of T2(proposition 32), and we use lemma 38 on the second, obtaining T2(A, B, ¬G, ¬F ∧ ¬G)

(A ∧ ¬G)SB ∧ ¬G ∧ ¬G Expanding T2 in the first line:

AS(¬F ∧ ¬G ∧ A ∧ (A ∧ ¬G)SB)

(A ∧ ¬G)SB ∧ ((¬F ∧ ¬G) ∨ (¬G ∧ ¬G U (¬F ∧ ¬G))) (A ∧ ¬G)SB ∧ ¬G ∧ ¬G

Distribution on the second formula with ¬G:

AS(¬F ∧ ¬G ∧ A ∧ (A ∧ ¬G)SB) (A ∧ ¬G)SB ∧ ¬G ∧ (¬F ∨ ¬G U (¬F ∧ ¬G))

(A ∧ ¬G)SB ∧ ¬G ∧ ¬G

Distribution again, the second and third formulas have a common prefix AS(¬F ∧ ¬G ∧ A ∧ (A ∧ ¬G)SB)

(A ∧ ¬G)SB ∧ ¬G ∧ (¬F ∨ ¬G U (¬F ∧ ¬G) ∨ ¬G) Finally, using corollary 36 again, we can get back the ¬ (F U G)

AS(¬F ∧ ¬G ∧ A ∧ (A ∧ ¬G)SB) (A ∧ ¬G)SB ∧ ¬G ∧ (¬F ∨ ¬ (F U G))

Proposition 40. Let T6(A, B, F, G) := T1(A, (A ∧ ¬G)SB ∧ ¬G ∧ ¬F ∧ A, F, G)

∨ T3(A, (A ∧ ¬G)SB ∧ ¬G ∧ ¬F, F, G)

∨ (A ∧ ¬G)SB ∧ ¬G ∧ (¬F ∨ ¬ (F U G)) Then (A ∨ F U G)S(B ∧ ¬ (F U G)) ≡ T6(A, B, F, G)

(16)

Proof. By corollary 36, (A ∨ F U G)S(B ∧ ¬ (F U G)) is equivalent to

A ∨ F U G S

B ∧ (¬G U (¬F ∧ ¬G) ∨ ¬G) Using distribution, this can split this into the disjunction of

(A ∨ F U G)S(B ∧ ¬G U (¬F ∧ ¬G)) (1)

(A ∨ F U G)S(B ∧ ¬G) (2)

Looking at (1) first, we can split this into a disjunction of three cases depending on where the witness for ¬G U (¬F ∧ ¬G) occurs, before t0, at t0, or after t0. Call this witness tT.

The first case leads to the diagram

t_B

B

¬G

A ∨ F U G

t_T

¬G

¬F

t₀

Figure 19: t0satisfies (1) with tT < t0

Notice that ¬G U (¬F ∧ ¬G) is true in (t_B, t_T), which implies ¬ (F U G) by corollary 36, and so this is equivalent to A being true in (t_B, t_T). Updated diagram:

tB

B

¬G A

tT

¬G

¬F

A ∨ F U G A ∨ F U G

t0

Figure 20: t₀ satisfies (1) with t_T < t₀, updated This last diagram is then equivalent to

(A ∨ F U G)S((A ∧ ¬G)SB ∧ ¬G ∧ ¬F ∧ (A ∨ F U G)) (1.<) Again, using distribution on (A ∨ F U G), in the right side of the outer S, we get a disjunction of

(A ∨ F U G)S((A ∧ ¬G)SB ∧ ¬G ∧ ¬F ∧ A) (1.<.1) (A ∨ F U G)S((A ∧ ¬G)SB ∧ ¬G ∧ ¬F ∧ F U G) (1.<.2) By proposition 31, (1.<.1) is equivalent to T₁(A, (A ∧ ¬G)SB ∧ ¬G ∧ ¬F ∧ A, F, G). And by proposition 33, (1.<.2) is equivalent to T₃(A, (A ∧ ¬G)SB ∧ ¬G ∧ ¬F, F, G).

We have now obtained the first and second disjuncts of the definition of T₆, we will see that the disjunction of the two remaining cases and (2) is equivalent to the third disjunct.

Continuing with the other cases of (1). The tT = t0case leads to the following diagram:

(17)

tB

B

¬G A ∨ F U G

t0, tT

¬G

¬F

Figure 21: t₀satisfies (1) with t_T = t₀

For the same reason as previously, this is equivalent to having the stronger A instead of A ∨ F U G in (tB, t0), and the diagram is equivalent to the formula

(A ∧ ¬G)SB ∧ ¬G ∧ ¬F (1.=)

We continue by looking at the final case of (1), where tT > t0, before coming back to (1.=).

Diagram:

t_B

B

¬G A ∨ F U G

t₀ t_T

¬G

¬F

Figure 22: t0satisfies (1) with tT > t0

Similarly, A ∨ F U G can be replaced with A and we get the formula

(A ∧ ¬G)SB ∧ ¬G ∧ ¬G U (¬F ∧ ¬G) (1.>)

We still have the formulas (1.=) and (1.>) to deal with, but we explore (2) before we do so.

A diagram equivalent to (2) is as follows:

t_B

B

¬G A ∨ F U G

t₀

Figure 23: t0satisfies (2)

Again by corollary 36, ¬ (F U G) is satisfied in (tB, t0) and so A ∨ F U G in (tB, t0) is equivalent to A in (tB, t0). Which means (2) is equivalent to AS(B ∧ ¬G). Using lemma 38, we get

(A ∧ ¬G)SB ∧ ¬G ∧ ¬G (2⁰)

We now combine (1.>) and (2⁰) by distribution (notice the common prefix) to get

(A ∧ ¬G)SB ∧ ¬G ∧ (¬G U (¬F ∧ ¬G) ∨ ¬G) (3)

which, by corollary 36, is equivalent to

(A ∧ ¬G)SB ∧ ¬G ∧ ¬ (F U G) (3⁰)

Combining (1.=) and (3⁰) by distribution we obtain the third disjunct.

(18)

Proposition 41. Let T₇(A, B, F, G) := ¬ (T₃(¬B, ¬A, F, G)) ∧ T₅(>, B, F, G) Then (A ∨ ¬ (F U G))S(B ∧ ¬ (F U G)) ≡ T₇(A, B, F, G)

Proof. For clarity, let X = A ∨ ¬ (F U G) and Y = B ∧ ¬ (F U G) and perform these substitutions in the original formula.

This first part is quite similar to the one of proposition 37. We have XSY ≡ ¬¬ (XSY ).

Using proposition 35 we get

¬h

¬Y S(¬X ∧ ¬Y ) ∨ ¬Yi

Rewriting using a De Morgan law with the outer negation and disjunction, and then using proposition 34 on the right conjunct:

¬ (¬Y S(¬X ∧ ¬Y )) ∧ Y Consider Y first. By substituting back Y we get

(B ∧ ¬ (F UG)) = >S(B ∧ ¬ (F UG)) ≡ T⁵(>, B, F, G) Now consider ¬Y S(¬X ∧ ¬Y ), by substituting back X and Y we get

¬ (B ∧ ¬ (F U G)) S(¬ (A ∨ ¬ (F U G)) ∧ ¬ (B ∧ ¬ (F U G))) Using De Morgan laws on ¬ (A ∨ ¬ (F U G)) and ¬ (B ∧ ¬ (F U G)):

(¬B ∨ F U G)S(¬A ∧ F U G ∧ (¬B ∨ F U G)) And then using absorption on the right side of the S:

(¬B ∨ F U G)S(¬A ∧ F U G) ≡ T3(¬B, ¬A, F, G)

The original formula is then equivalent to ¬ (T3(¬B, ¬A, F, G)) ∧ T5(>, B, F, G) Proposition 42. Let T₈(A, B, F, G) := T₄(A, (A ∧ F )SB ∧ G ∧ A, F, G)

∨ T7(A, (A ∧ F )SB ∧ G, F, G)

∨ (A ∧ F )SB ∧ (G ∨ (F ∧ F U G)) Then (A ∨ ¬ (F U G))S(B ∧ F U G) ≡ T₈(A, B, F, G)

Proof. This proof follows fairly similarly to the proof of proposition 40.

We begin by considering the three cases depending on where the witness for F U G in the right side of S (tG) occurs, which give rise to the following three diagrams:

t_B

B

F

A ∨ ¬ (F U G)

t_G

G

t₀

Figure 24: t0 (A ∨ ¬ (F UG))S(B ∧ F UG) with t^G < t0

t_B

B

F A ∨ ¬ (F U G)

t₀, t_G

G

Figure 25: t0 (A ∨ ¬ (F UG))S(B ∧ F UG) with t^G = t0

(19)

tB

B

F A ∨ ¬ (F U G)

t0 tG

G

Figure 26: t0 (A ∨ ¬ (F UG))S(B ∧ F UG) with t^G > t0

In all three diagrams, tG is a witness for F U G in the region (tB, tG), which means that (tB, tG) A ∨ ¬ (F UG) is equivalent to (t^B, tG) A. This then gives us the formulas (respectively):

(A ∨ ¬ (F U G))S((A ∧ F )SB ∧ G ∧ (A ∨ ¬ (F U G))) (1)

(A ∧ F )SB ∧ G (2)

(A ∧ F )SB ∧ F ∧ F U G (3)

We can further split (1) by the (A ∨ ¬ (F U G)) on right side into

(A ∨ ¬ (F U G))S((A ∧ F )SB ∧ G ∧ A) (1.1)

(A ∨ ¬ (F U G))S((A ∧ F )SB ∧ G ∧ ¬ (F U G)) (1.2)

(1.1) and (1.2) are equivalent to T4(A, (A ∧ F )SB ∧ G ∧ A, F, G) and T7(A, (A ∧ F )SB ∧ G, F, G), by propositions 37 and 41, respectively.

(2) and (3) combine into the third disjunct of the definition of T8.

The algorithm is now completely defined, and the next section is devoted to showing that it is correct.

3.2 Algorithm Correctness

We have now seen that the transformations produce equivalent formulas. But we still have to show that the algorithm constructs an equivalent separated formula. In particular we have to show that the algorithm does in fact terminate. We do so by induction on a well-founded partial order on formulas.

This order is obtained by combining several relations, each necessary for some cases of the algorithm.

We start by defining some functions on paths that measure how “unseparated” they are.

Definition 43. Given a path π, the degree of π, D(π), is the number of adjacent pairs in π with both S and U . Or, perhaps more intuitively, it is the number of transitions from S to U and vice-versa.

Definition 44. Let π be a path. We define L1(π) to be the length of the last homogeneous segment, except in the case where the segment is the whole path, in which case we take L1(π) to be zero. That is:

L1(π) :=

(n + 1 if π = λSUⁿ⁺¹or π = λU Sⁿ⁺¹ 0 otherwise

For convenience, we combine these into one.

Definition 45. Let π be a path. Then:

Score1(π) := hD(π) , L1(π)i

So far these have been over paths, we now extend the definitions to formulas.

Whenever we have a Cartesian product of orders, the intended order on it is the usual lexicographic order. That is, if hx, yi , hx⁰, y⁰i ∈ X × Y with <X an order over X and <Y an order over Y , hx, yi < hx⁰, y⁰i if and only if x <X x⁰or (x = x⁰and y <Y y⁰). If all such orders are well-founded then so is the lexicographic order, and if they are total then so is the lexicographic order.

(20)

Definition 46. Let A ∈ L_TL. Then:

Score₁(A) :=

(h0, 0i if Paths(A) = ∅

max Score1[Paths(A)] otherwise

To obtain something that is reduced by every transformation, we need an additional thing, which we call leader count, and whose definition requires the idea of contexted formula.

Definition 47. A contexted formula is a pair hπ, Ai where π is a path and A is a formula.

Definition 48. Let A be a formula. Then C(A) is a set of contexted formulas, consisting of the subformulas of A together with their context (the path corresponding to the syntax path that goes from the root of A to the root of the subformula’s tree).

As an example of a contexted subformula, consider the following formula A = (q U (> U p) ∨ p U q)S(pS(r U (> U p))) The formula A has the following syntax tree:

S

U

> p r p

∨

U

q p U

U

> p q

Figure 27: Syntax tree of A

The circled subformula is > U p. The syntax path that goes from the root of A to the root of this subformula is dashed, and is associated with the path SU . This then represents the contexted subformula hSU , > U pi of A.

For the purposes of our algorithm, it suffices to look at the subset of these contexted subformulas where the subformula is simple and pure, which leads to the following definition.

Definition 49. Let A ∈ LTL.

SPC(A) := {hπ, Bi ∈ C(A) | B is simple and pure}

We now extend the definition of Paths and Score1 to contexted formulas in a natural way.

Definition 50. Let hπ, Ai be a contexted formula. Then:

Paths(hπ, Ai) := {πλ | λ ∈ Paths(A)}

Score1(hπ, Ai) :=

(h0, 0i if Paths(hπ, Ai) = ∅

max Score1[Paths(hπ, Ai)] otherwise With this, we can define the concepts of leader and leader count.

Definition 51. Let A ∈ L_TL and hπ, Bi ∈ SPC(A).

Then we say hπ, Bi is a leader of A if it has maximal Score1in SPC(A) and call Leaders(A) the set of leaders of A.

Notice that both SPC and Leaders can be empty, for example the formula > ∧ ⊥ has no simple pure subformulas and as such SPC(> ∧ ⊥) = ∅ and consequently Leaders(> ∧ ⊥) = ∅.

Definition 52. Given a formula A, N (A) is the number of leaders of A with distinct formulas, that is:

N (A) := # {B | hπ, Bi ∈ Leaders(A)}

(21)

Coming back to the previous example, here we have the syntax tree of A with the pure simple formulas circled:

S

U

> p r p

∨

U

q p U

U

> p q

Figure 28: Syntax tree of A with SPC circled

Now consider only the ones with maximal Score₁, these are the leaders of A, circled in following tree diagram:

S

U

> p r p

∨

U

q p U

U

> p q

Figure 29: Syntax tree of A with leaders circled

We have N (A) = 4 and not 6, as the subformulas > U p and p are repeated in the leaders, even though they appear with different contexts.

So far we have defined Score₁ and N on formulas, and indeed these together are enough to obtain something that is reduced by every transformation when used in the conditions of the algorithm. The idea is that when a transformation “pulls out” one of the F U G from inside the S, it either reduces N or it pulled out the last leader and Score1 decreases.

We now define another pair of functions, quite similar to L1and Score1, which are necessary for case 6 of the algorithm.

Definition 53. Let π be a path. Then L0(π) is the length of the first homogeneous segment, with the exception of a fully homogeneous path. Score0 is analogous to Score1.

L0(π) :=

(n + 1 if π = Sⁿ⁺¹U λ or π = Uⁿ⁺¹Sλ 0 otherwise

Score₀(π) := hD(π) , L₀(π)i

This leads to a definition of Score₀ on formulas analogous to the definition of Score₁. Definition 54. Let A be a formula, then:

Score0(A) :=

(h0, 0i if Paths(A) = ∅

max Score0[Paths(A)] otherwise

We now define three functions measuring how complex a formula is. These are useful when we do the normal form convertions and S distribution.

Definition 55. Let A ∈ LTL. Then:

(22)

• H(A) is the number of vertices under a negation in the syntax tree of A.

• J (A) is the maximum number of transitions from ∧ to ∨ and vice-versa. Analogous to D.

• V(A) is the number of vertices in A’s syntax tree.

And finally something to handle the case where we convert an U to its Dual.

Definition 56. Let A ∈ LTL.

P(A) :=











0 if A has no paths

1 if all paths of A start with S 2 if all paths of A start with U 3 otherwise

For convenience we bundle the previously defined functions in a function called weight.

Definition 57. Given a formula A:

W(A) := hScore₁(A), N (A) , Score₀(A), H(A), J (A), V(A), P(A)i The final relation is then defined by W.

Definition 58. The binary relation < ⊆ LTL× LTLis defined as A < B if and only if W(A) <

W(B).

This < is well-founded by the result below.

Proposition 59. Let R be a well-founded binary relation on A, S a binary relation on X and f : X → A a function such that

xSy =⇒ f (x)Rf (y) Then S is well-founded.

Proof. Let Y ⊆ X be non-empty and let f (m) ∈ f [Y ] ⊆ A be R-minimal in f [Y ]. Then for any x ∈ Y , xSm implies f (x)Rf (m), which is a contradiction. Hence m is S-minimal in Y .

The relation < is in fact also a partial order but we shall not show this.

We now prove some properties related to Score₁ and Leaders.

Proposition 60. For any paths π,λ,µ and formulas A,B we have:

(i) D(πµ) ≤ D(πλµ)

(ii) Score1(πµ) ≤ Score1(πλµ)

(iii) Score1(Sⁿπ) ≤ Score1(Sπ) Score1(Uⁿπ) ≤ Score1(U π)

(iv) Score₁(hπµ, Ai) ≤ Score₁(hπλµ, Ai) (v) Score₁(hSⁿπ, Ai) ≤ Score₁(hSπ, Ai)

(vi) If B is a subformula of A then Score₁(hπ, Bi) ≤ Score₁(hπ, Ai) Proof.

(i) We first consider the case where λ = S.

Inserting a single S at the start of a path either increases the number of transitions, if the initial symbol is U , or does not change it, if the initial symbol is S or if the path is empty.

Similarly, inserting a S at the end also cannot decrease the number of transitions.

If a S is inserted in between two symbols, the number of transitions increases if both symbols are U , and remains the same in the other three cases.

The case where λ = U is very similar to the case above.

The general case can then be obtained by induction on the length of λ.

(23)

(ii) By (ii) we have D(πµ) ≤ D(πλµ).

Assume that D(πµ) = D(πλµ), L₁(πµ) > L₁(πλµ) and λ 6= hi, we show that this is a contradiction.

By assumption, L₁(πµ) > 0 as 0 is a minimum. So let us assume that πµ = τ Uⁿ⁺¹, with Uⁿ⁺¹the final homogeneous segment. The proof for the other case being obtained by swapping S with U .

If λ is inserted before the final homogeneous segment, then it cannot reduce the length of such segment, hence we can assume that λ was inserted inside the final segment.

If λ = U^m+1 (for some m), then the insertion inside the final segment only increases its length, this implies that λ must have at least one S. But this means that D has increased, a contradiction.

(iii) We show only the S case.

If n = 0 we can use (ii) directly. Assume then that n > 0.

There are no transitions in Sⁿ⁻¹, or between Sⁿ⁻¹and S, so deleting Sⁿ⁻¹does not affect degree.

If the final homogeneous segment is the whole of Sⁿπ, then L₁(Sⁿπ) = L₁(Sπ) = 0.

Otherwise, the deletion of the Sⁿ⁻¹prefix does not affect the final homogeneous segment, and so L1(Sⁿπ) = L1(Sπ) again.

(iv)

Score1(hπµ, Ai) = max {Score1(πµτ ) | τ ∈ Paths(A)} (by definition of Score1)

≤ max {Score₁(πλµτ ) | τ ∈ Paths(A)} (item (ii))

= Score1(hπλµ, Ai) (by definition of Score1) (v)

Score₁(hSⁿπ, Ai) = max {Score₁(Sⁿπλ) | λ ∈ Paths(A)} (by definition of Score₁)

≤ max {Score1(Sπλ) | λ ∈ Paths(A)} (item (iii))

= Score₁(hSπ, Ai) (by definition of Score₁) (vi) Given any path λ ∈ Paths(hπ, Bi), we have λ = πλ⁰ for some λ⁰∈ Paths(B).

Since B is a subformula of A, there is a syntax path from the root of A to the root of B, call the corresponding path µ. Then µλ⁰∈ Paths(A), which means πµλ⁰∈ Paths(hπ, Ai).

By item (ii), Score1(πλ⁰) ≤ Score1(πµλ⁰).

Item (iii) of the previous proposition is the reason why we defined L1 to be zero in case the path has degree zero. This is technically not required for our proof of correctness, but it makes things easier. In the case of L0, we do so purely for symmetry with L1.

Proposition 61. Let A ∈ L_TL and x ∈ C(A). Then Paths(x) ⊆ Paths(A).

Proof. Let x = hπ, Bi and let λ ∈ Paths(x). We then have λ = πλ⁰ where λ⁰ is a path of B.

The syntax tree of B is a subtree of the one of A, and there’s a syntax path from the root of A to the root of B, corresponding to π. And another syntax path from the root of B to a leaf, corresponding to λ⁰.

The concatenation of these syntax paths is a syntax path of A and corresponds to πλ⁰ = λ.

Proposition 62. Let A ∈ LTL and x ∈ C(A). Then Score1(x) ≤ Score1(A).

Proof. If x has no paths then it has minimal Score1and we are done. Otherwise, by proposition 61, any path of x is also one of A, in particular a maximal Score1 one, hence Score1(x) ≤ Score1(A).

The next proposition shows that the Score1 of a formula is precisely the Score1of its leaders.

Proposition 63. Let A ∈ L_TL and x ∈ SPC(A). Then:

Score₁(x) = Score₁(A) ⇐⇒ x ∈ Leaders(A)