In: Proceedings of the 3rd International Symposium on Logical Foundations of Computer Science (LFCS), St. Petersburg, Russia, 1994. Springer LNCS 813.
Propositional Linear Temporal Logic and Language Homomorphisms

Ulrich Nitsche
German National Research Centre for Computer Science GMD, Rheinstrasse 75, D-64295 Darmstadt, Germany

1 Introduction

When verifying specifications of reactive systems, which are at least nonterminating computer programs, the complexity of the verification algorithm is a major problem of practical relevance. Specifications of practical interest are usually too large to be verified by standard verification methods in an acceptable amount of time. So what can we do? We can try to get rid of information in the specification that is of no use for the properties that are to be verified. Such an abstraction of a system's specification, based on homomorphic mappings on $\omega$-languages (footnote 1), can lead to much smaller descriptions of the system's interesting behaviour. We can then verify properties of the small specification and use these properties to calculate properties of the large specification. In this paper we develop a mapping $R$ from formulae of Propositional Linear Temporal Logic (abbreviated PLTL) to PLTL-formulae in such a way that if $L$ is a finitary language describing a reactive system, $h$ is an alphabetic language homomorphism that maps sequences of system states to some other state sequences and $\varphi$ is a PLTL-formula, then $\lim(L) \models R(\varphi)$ holds whenever $\lim(h(L)) \models \varphi$ holds; i.e. it suffices to verify that $\varphi$ holds for $\lim(h(L))$ to know that $R(\varphi)$ holds for $\lim(L)$. The relation "$\models$" is to be read as "satisfies".

Footnote 1: An $\omega$-language is a set of sequences of infinite length over a finite set called the language's alphabet.

2 PLTL (Propositional Linear Temporal Logic)

PLTL-formulae [Eme90] are defined with respect to a set $P$ of atomic propositions. First of all, any atomic proposition is a PLTL-formula. If $\varphi$ and $\psi$ are PLTL-formulae, so are $(\neg\varphi)$, $(\varphi \wedge \psi)$, $(X\varphi)$ and $(\varphi\,U\,\psi)$. Only formulae that are constructible as presented are PLTL-formulae. Some other operators exist as abbreviations of particular operator combinations:
$\varphi \vee \psi = \neg((\neg\varphi) \wedge (\neg\psi))$, $\varphi \Rightarrow \psi = (\neg\varphi) \vee \psi$, $\varphi \Leftrightarrow \psi = (\varphi \Rightarrow \psi) \wedge (\psi \Rightarrow \varphi)$, $F\varphi = \mathit{true}\,U\,\varphi$, $G\varphi = \neg(F(\neg\varphi))$, $\varphi\,B\,\psi = \neg((\neg\varphi)\,U\,\psi)$.

Erasing the outermost pair of parentheses in formulae constructed as above results in what we call fully parenthesized resp. completely parenthesized PLTL-formulae. Not completely parenthesized formulae result from adding parentheses (if $\varphi$ is a PLTL-formula then $(\varphi)$ is a PLTL-formula) or from erasing them pairwise with respect to operator priorities: the temporal operators $U$, $B$, $F$, $G$ and $X$ have the highest priority, followed by $\neg$, followed by $\wedge$, followed by $\vee$, followed by $\Rightarrow$, followed by $\Leftrightarrow$. Ambiguities are resolved from right to left; e.g. $GF(\varphi) = G(F(\varphi))$.

The semantics, i.e. the meaning, of PLTL-formulae is defined with respect to what is called a linear structure, or more briefly a structure. A structure $M = (\Sigma, \lambda, x)$ consists of a set of states $\Sigma$, a labelling function $\lambda : \Sigma \to 2^P$ that maps states to sets of atomic propositions, and an infinite sequence $x = x_1 x_2 x_3 \ldots$ over the state set, $x_1, x_2, x_3, \ldots \in \Sigma$. For each state $s$ in $\Sigma$ the labelling $\lambda(s)$ is the set of all atomic propositions that are defined to be satisfied in state $s$. We denote the fact that a PLTL-formula $\varphi$ is satisfied by a structure $M = (\Sigma, \lambda, x)$ under state sequence $x$ by $M, x \models \varphi$. If it is clear which structure is meant, we write more briefly $x \models \varphi$. By $x^{i\ldots}$ for some $i \in \mathbb{N}$ we denote the infinite sequence $x_i x_{i+1} x_{i+2} \ldots$. The satisfaction relation $\models$ is defined as follows:

If $\varphi$ is an atomic proposition then $x \models \varphi$ iff (footnote 2) $\varphi \in \lambda(x_1)$. If $\varphi = \neg\psi$ then $x \models \varphi$ iff it is not the case that $x \models \psi$. If $\varphi = \psi_1 \wedge \psi_2$ then $x \models \varphi$ iff $x \models \psi_1$ and $x \models \psi_2$. If $\varphi = X\psi$ then $x \models \varphi$ iff $x^{2\ldots} \models \psi$. If $\varphi = \psi_1\,U\,\psi_2$ then $x \models \varphi$ iff there exists an $i \in \mathbb{N}$ such that $x^{i\ldots} \models \psi_2$ and, for all $j < i$, $x^{j\ldots} \models \psi_1$ holds.

If for a given state set $\Sigma$ and a state labelling function $\lambda$ we look at a set $L_\omega$ of infinite sequences over $\Sigma$ (such a set we call an $\omega$-language over $\Sigma$), we say that $L_\omega$ satisfies a PLTL-formula $\varphi$, which we denote by $L_\omega \models \varphi$, iff, for all $\omega$-words (footnote 3) $x \in L_\omega$, $x \models \varphi$ holds.
3 Language Homomorphisms

Our definitions are due to [HU79]. Let $\Sigma$ and $\Sigma'$ be two finite sets of symbols. The symbols we call letters, the sets we call alphabets. By $\Sigma^*$ we denote the set of all finitely long sequences of letters of $\Sigma$, including the empty sequence $\varepsilon$. $\Sigma'^*$ is defined in the same way. Elements of $\Sigma^*$ (resp. $\Sigma'^*$) are called words over $\Sigma$ (resp. $\Sigma'$). E.g. the sequence containing no letter at all is the empty word $\varepsilon$. The concatenation of two words $v, w$ in $\Sigma^*$ is written by juxtaposition: $vw$ is the concatenation of $v$ and $w$. The concatenation's neutral element is the empty word: $\forall w \in \Sigma^*: \varepsilon w = w\varepsilon = w$. Each subset $L$ of $\Sigma^*$ is called a language over $\Sigma$. A mapping $h : \Sigma^* \to \Sigma'^*$ is called a language homomorphism iff

$\forall v, w \in \Sigma^*: h(vw) = h(v)h(w)$.

Footnote 2: By "iff" we abbreviate "if and only if".
Footnote 3: An $\omega$-word is a sequence of infinite length that contains elements from a finite set.

If we identify words of length 1 (footnote 4) with the letter they contain, we say that a language homomorphism is alphabetic iff it maps letters to letters or to the empty word ($\forall a \in \Sigma: |h(a)| \le 1$). In the following we consider only alphabetic language homomorphisms and may call them just homomorphisms. To operate on $\omega$-languages we need something like the notion of language homomorphisms on $\omega$-words. For this purpose we define what we call an $\omega$-homomorphism $h_\omega : \Sigma^\omega \to \Sigma'^\omega$ induced by some alphabetic language homomorphism $h : \Sigma^* \to \Sigma'^*$. $\omega$-homomorphisms are defined letterwise, i.e. if $x = x_1 x_2 x_3 \ldots \in \Sigma^\omega$ then we define $h_\omega(x) = h(x_1)h(x_2)h(x_3)\ldots$, provided there is no $i \in \mathbb{N}$ such that, for all $j > i$, $h(x_j) = \varepsilon$. Otherwise $h_\omega(x)$ is undefined. Thus $h_\omega(x)$ is only defined if $x$ has an image of infinite length. In the following we do not distinguish between mappings on finitely and infinitely long words and call $h_\omega$ just $h$. If we say that $h$ is an $\omega$-homomorphism we mean that $h$ is the $\omega$-homomorphism induced by some alphabetic language homomorphism $h$.
4 $\omega$-languages

For each alphabet $\Sigma$ we denote by $\Sigma^\omega$ the set of all sequences over $\Sigma$ of infinite length; such sequences we call $\omega$-words. Each subset of $\Sigma^\omega$ is called an $\omega$-language [Tho90]. Recall that $x_k$ denotes the $k$th letter of an $\omega$-word $x$ and $x^{k\ldots}$ denotes the suffix of $x$ starting with the $k$th letter. A finite prefix of an $\omega$-word $x = x_1 x_2 x_3 \ldots$ is a sequence $x_1 x_2 x_3 \ldots x_n$ of $x$'s first $n$ letters for some $n \in \mathbb{N}$. We consider the empty word $\varepsilon$ to be a finite prefix of every $\omega$-word. With the notion of finite prefixes we are able to define $\omega$-languages as limits of languages of finite word length. Let $L$ be a language over $\Sigma$ of finite word length. Then we define the limit of $L$ as

$\lim(L) = \{x \in \Sigma^\omega \mid \text{there are infinitely many different finite prefixes of } x \text{ in } L\}$.

Footnote 4: The length $|w|$ of a word $w$ is the number of letters it consists of. (Multiple occurrences of the same letter are counted multiply.) The empty word $\varepsilon$ has length $|\varepsilon| = 0$.
5 Translation of PLTL-formulae

In this section we consider a PLTL-formula $\varphi$ that is satisfied in $\lim(h(L))$ for some (e.g. regular) language $L$ and some alphabetic language homomorphism $h : \Sigma^* \to \Sigma'^*$; i.e.

$\lim(h(L)) \models \varphi$.

We will present a mapping $R$ on PLTL-formulae such that $\lim(L) \models R(\varphi)$ holds if $\lim(h(L)) \models \varphi$ holds. For this purpose we restrict ourselves to PLTL-formulae that have the following set $P'$ of atomic propositions:

$P' = \Sigma' \cup \{\tilde a \mid a \in \Sigma'\}$.

Herein we suppose that no letter in $\Sigma'$ carries a tilde "~" on top. The $\tilde a$'s in $P'$ are defined in such a way that for each $\omega$-word $x$ in $\Sigma'^\omega$ it holds that $x \models \tilde a$ iff $x \models \neg a$ (footnote 6). Because the letters in $\Sigma'$ are also the states in our logic model, we define for each $a$ in $\Sigma'$ the set $\lambda'(a)$ of atomic propositions satisfied in $a$ as

$\lambda'(a) = \{a\} \cup \{\tilde b \mid b \in (\Sigma' \setminus \{a\})\}$.

As the set $P$ of atomic propositions in $R(\varphi)$ we define

$P = P' \cup \{\varepsilon\} = \Sigma' \cup \{\tilde a \mid a \in \Sigma'\} \cup \{\varepsilon\}$.

For all letters $c$ in $\Sigma$ (these are the states in the model for $R(\varphi)$) we define the set $\lambda(c)$ of atomic propositions satisfied in $c$ as (footnote 7)

$\lambda(c) = \{b \in \Sigma' \cup \{\varepsilon\} \mid c \in h^{-1}(b)\} \cup \{\tilde b \in \{\tilde a \mid a \in \Sigma'\} \mid c \notin h^{-1}(b) \text{ and } c \notin h^{-1}(\varepsilon)\}$.

Thus the meaning of the atomic propositions in $R(\varphi)$ is: the atomic proposition $b \in \Sigma'$ is satisfied in a state $c \in \Sigma$ iff $h(c) = b$; the atomic proposition $\varepsilon$ is satisfied in a state $c \in \Sigma$ iff $c$ is erased (mapped onto $\varepsilon$) by $h$; and the atomic proposition $\tilde b \in \{\tilde a \mid a \in \Sigma'\}$ is satisfied in a state $c \in \Sigma$ iff $c$ is mapped by $h$ onto some $a \in \Sigma'$ not equal to $b$ ($h(c) \in \Sigma'$ and $h(c) \neq b$). In the following we keep in mind that $P'$ and $\lambda'$ refer to properties of subsets of $\Sigma'^\omega$ and that $P$ and $\lambda$ refer to properties of subsets of $\Sigma^\omega$. This is no real restriction, because our aim is to describe a class of $\omega$-languages by a particular PLTL-formula. Being able to express that at some position in an $\omega$-word we see the letter $a$ or do not see the letter $a$ (the latter is expressed by $\tilde a$) is sufficient to express any linear property we like referring to an $\omega$-language. By the way: it is not difficult to extend our approach to any other PLTL-formula that uses a different set of atomic propositions and a different mapping of states to sets of atomic propositions.

Footnote 6: $\tilde a$ is the atomic proposition that is the negation of the atomic proposition $a$. We introduce the $\tilde a$'s to get rid of explicit negations "$\neg$" in our formulae. This is done for technical reasons only.
Footnote 7: The first set in this definition is just $\{h(c)\}$. We have used this different presentation because of the symmetry of the two set definitions.
We now suppose that $\varphi$ does not contain negations explicitly. If $\varphi$ contains negations we have to transform it into the right form by replacing logical operators by their duals and, where necessary, replacing atomic propositions by their duals (footnote 8). Now we can start with a stepwise development of the mapping $R$. We do this by proving some lemmas and bringing their results together. All variables representing numbers in our proofs range over the natural numbers $\mathbb{N}$. Thus e.g. a proposition like "for all $i < 1$ it holds false" is meaningful and satisfied (footnote 9). First we prove
Lemma 1. Let $L_\omega \subseteq \Sigma'^\omega$ be an $\omega$-language, $h : \Sigma^\omega \to \Sigma'^\omega$ an $\omega$-homomorphism and $\beta$ a boolean formula (footnote 10) that does not contain any negation and has $P'$ as defined above as its set of atomic propositions. (We interpret $\beta$ as a PLTL-formula without temporal operators.) Then with respect to the above definitions of $P$, $\lambda$ and $\lambda'$ it holds that

$L_\omega \models \beta$ iff $h^{-1}(L_\omega) \models \varepsilon\,U\,(\beta)$.

Proof of Lemma 1. Let $x \in L_\omega$ and $z \in h^{-1}(x)$. That means there exists some $i \in \mathbb{N}$ such that $h(z_i) = x_1$ and, for all $j < i$, $h(z_j) = \varepsilon$. Thus with respect to the definitions of $P$, $\lambda$, $P'$ and $\lambda'$ it holds for each atomic proposition $\alpha$ that $x \models \alpha$ iff $z^{i\ldots} \models \alpha$. Because the truth value of each atomic proposition in $\beta$ is exactly the same under $x$ and under $z^{i\ldots}$, it must hold that $x \models \beta$ iff $z^{i\ldots} \models \beta$. Since, for all $j < i$, $h(z_j) = \varepsilon$, we have, for all $j < i$, $z^{j\ldots} \models \varepsilon$. So we get $x \models \beta$ iff $z \models \varepsilon\,U\,(\beta)$.
□

Now we define a mapping $T$ from PLTL-formulae without negations to PLTL-formulae. Let $\varphi$ be a PLTL-formula with $P'$ as defined above as its set of atomic propositions. $\varphi$ may not contain any negations and should be completely parenthesized. Then we define recursively (footnotes 11, 12)

$T(\varphi) = \begin{cases} \varphi, & \text{if } \varphi \in P', \\ (T(\psi_1))\,\wedge_b\,(T(\psi_2)), & \text{if } \varphi = (\psi_1)\,\wedge_b\,(\psi_2), \\ (\varepsilon \vee (T(\psi_1)))\,U\,(T(\psi_2)), & \text{if } \varphi = (\psi_1)\,U\,(\psi_2), \\ (T(\psi_1))\,B\,(T(\psi_2)), & \text{if } \varphi = (\psi_1)\,B\,(\psi_2), \\ F(T(\psi)), & \text{if } \varphi = F(\psi), \\ G(\varepsilon \vee (T(\psi))) \wedge GF(T(\psi)), & \text{if } \varphi = G(\psi), \\ \varepsilon\,U\,(\neg\varepsilon \wedge X(\varepsilon\,U\,(T(\psi)))), & \text{if } \varphi = X(\psi). \end{cases}$

Footnote 8: $\tilde a$ is the dual of $a$ and vice versa.
Footnote 9: "There exists an $i < 1$ such that it holds true" would not be satisfied.
Footnote 10: By boolean formula we mean a formula of propositional logic.
Footnote 11: $\wedge_b$ may be any boolean operator; i.e. $\wedge_b \in \{\wedge, \vee, \Rightarrow, \Leftrightarrow\}$.
Footnote 12: Applying $T$ to a completely parenthesized negation-free PLTL-formula results in a PLTL-formula $T(\varphi)$ that is in general neither negation-free nor completely parenthesized.
Before proving the main lemma for the mapping $T$ we have to define the notion of a boolean connection. We say that a PLTL-formula $\varphi$ is a boolean connection iff there is a fully parenthesized boolean formula $\beta$ containing at least one boolean operator such that we obtain $\varphi$ by substituting all atomic propositions in $\beta$ by fully parenthesized subformulae of $\varphi$ with an additional pair of parentheses around them. We call $\beta$ the basic boolean structure underlying $\varphi$, and we call each subformula of $\varphi$ that is used to substitute some atomic proposition in $\beta$ a subformula in the boolean connection. E.g. $(a\,U\,b) \wedge (a \vee (Xc))$ is a boolean connection with $x \wedge y$ or $x \wedge (y \vee z)$ as its underlying basic boolean structure. In the first case we substitute $(a\,U\,b)$ for $x$ and $(a \vee (Xc))$ for $y$; in the second we substitute $(a\,U\,b)$ for $x$, $a$ for $y$ and $(Xc)$ for $z$. In our example not all atomic propositions are in the scope of a temporal operator (the $a$ before the $\vee$-operator is not). $a\,U\,(b \wedge c)$, for example, is not a boolean connection.
Lemma 2. Let $L_\omega \subseteq \Sigma'^\omega$ be an $\omega$-language, $h : \Sigma^\omega \to \Sigma'^\omega$ an $\omega$-homomorphism and $\varphi$ a PLTL-formula with the following properties:
i. $\varphi$ is fully parenthesized.
ii. $\varphi$ does not contain any negations.
iii. $P'$ as defined above is $\varphi$'s set of atomic propositions.
iv. Each atomic proposition in $\varphi$ is in the scope of some temporal operator.
v. $\varphi$ is not a boolean connection.
Then with respect to the definitions of $P$, $\lambda$ and $\lambda'$ the following condition holds:

$L_\omega \models \varphi$ iff $h^{-1}(L_\omega) \models T(\varphi)$.

Proof of Lemma 2. The proof is by induction on the structure of $\varphi$. Let $x \in L_\omega$ and $z \in h^{-1}(x)$. All atomic propositions that appear in the proof are in $P$ resp. $P'$ and are interpreted under $\lambda$ resp. $\lambda'$ as defined above.
As the basis of our induction we have to investigate the case that $\varphi$ contains exactly one temporal operator and all atomic propositions in $\varphi$ are in the scope of that temporal operator; i.e. $\varphi = (\beta_1)\,\hat t\,(\beta_2)$ for some temporal operator $\hat t$ and some formulae $\beta_1$ and $\beta_2$ of propositional logic (footnote 13). We now look at each temporal operator separately. (We use that $T(\beta) = \beta$ for any formula $\beta$ of propositional logic.)

Footnote 13: If $\beta_1$ or $\beta_2$ is an atomic proposition then there are no parentheses around it. E.g. if $\beta_1$ is an atomic proposition and $\beta_2$ is not, then $\varphi$ is in fact $\beta_1\,\hat t\,(\beta_2)$ and not $(\beta_1)\,\hat t\,(\beta_2)$. But for simplicity we will always write $\varphi = (\beta_1)\,\hat t\,(\beta_2)$.

$\varphi = (\beta_1)\,U\,(\beta_2)$: If $x \models \varphi$ then there exists an $i \in \mathbb{N}$ such that $x^{i\ldots} \models \beta_2$ and, for all $j < i$, $x^{j\ldots} \models \beta_1$. Let $k \in \mathbb{N}$ be such that $h(z^{k\ldots}) = x^{i\ldots}$ and $h(z_k) \neq \varepsilon$. Using the previous lemma we get $z^{k\ldots} \models \varepsilon\,U\,(\beta_2)$, which implies, because $h(z_k) \neq \varepsilon$, $z^{k\ldots} \models \beta_2$. For all $l < k$ with $h(z_l) \neq \varepsilon$ we know that $h(z^{l\ldots}) = x^{j\ldots}$ for some $j < i$. Thus by the same arguments as for $k$ we find $z^{l\ldots} \models \beta_1$, and so, for all $l < k$, $z^{l\ldots} \models (\varepsilon \vee (\beta_1))$. Altogether we have $z \models (\varepsilon \vee (\beta_1))\,U\,(\beta_2)$, which is equal to $z \models T(\varphi)$. If $z \models T(\varphi)$ then there is an $i \in \mathbb{N}$ such that $z^{i\ldots} \models \beta_2$ and, for all $j < i$, $z^{j\ldots} \models (\varepsilon \vee (\beta_1))$. Thus there is a $k < i$ such that, for all $l < k$, $z^{l\ldots} \models \varepsilon\,U\,(\beta_1)$ and, for all $l$ with $k \le l < i$, $h(z_l) = \varepsilon$. Then there is an $m \in \mathbb{N}$ with $h(z^{i\ldots}) = x^{m\ldots}$ and, for all $n < m$, there is an $l < k$ such that $h(z^{l\ldots}) = x^{n\ldots}$. Using the previous lemma we find $x^{m\ldots} \models \beta_2$ and, for all $n < m$, $x^{n\ldots} \models \beta_1$, and so $x \models (\beta_1)\,U\,(\beta_2)$, which is equal to $x \models \varphi$.

$\varphi = (\beta_1)\,B\,(\beta_2)$: If $x \models \varphi$ then either there does not exist an $i$ such that $x^{i\ldots} \models \beta_2$, or there exists an $i \in \mathbb{N}$ such that $x^{i\ldots} \models \beta_2$ and, for all $j < i$, $x^{j\ldots} \not\models \beta_2$, and there is a $j' < i$ with $x^{j'\ldots} \models \beta_1$. In the first case there cannot be a $k \in \mathbb{N}$ with $z^{k\ldots} \models \beta_2$, or we could find, using the previous lemma, an $i \in \mathbb{N}$ such that $x^{i\ldots} \models \beta_2$, which is a contradiction. In the second case we look at the smallest $k \in \mathbb{N}$ such that $h(z^{k\ldots}) = x^{i\ldots}$ and $h(z_k) \neq \varepsilon$. Using the previous lemma we conclude $z^{k\ldots} \models \beta_2$. We choose the $l' < k$ with $h(z^{l'\ldots}) = x^{j'\ldots}$ and $h(z_{l'}) \neq \varepsilon$, which gives us $z^{l'\ldots} \models \beta_1$. For all $l < k$ it cannot be the case that $z^{l\ldots} \models \beta_2$, or we could find, using the previous lemma, some $j < i$ such that $x^{j\ldots} \models \beta_2$, which would be a contradiction. So in both cases we find $z \models (\beta_1)\,B\,(\beta_2)$, which is equal to $z \models T(\varphi)$. If $z \models T(\varphi)$ then either there is no $i \in \mathbb{N}$ such that $z^{i\ldots} \models \beta_2$, or there is an $i \in \mathbb{N}$ with $z^{i\ldots} \models \beta_2$ such that, for all $j < i$, $z^{j\ldots} \not\models \beta_2$, and such that there is a $j' < i$ with $z^{j'\ldots} \models \beta_1$. In the first case there cannot be a $k \in \mathbb{N}$ with $x^{k\ldots} \models \beta_2$, or we could find an $i \in \mathbb{N}$ such that $z^{i\ldots} \models \beta_2$, which leads to the contradiction. In the second case we look at the smallest $k \in \mathbb{N}$ with $h(z^{i\ldots}) = x^{k\ldots}$ and at the $l' < k$ with $h(z^{j'\ldots}) = x^{l'\ldots}$. Using the previous lemma we find $x^{k\ldots} \models \beta_2$ and $x^{l'\ldots} \models \beta_1$. Also using the above lemma we know that there cannot be an $l < k$ such that $x^{l\ldots} \models \beta_2$, or we would get the contradiction that there is a $j < i$ such that $z^{j\ldots} \models \beta_2$. Thus in both cases we have $x \models (\beta_1)\,B\,(\beta_2)$, which is equal to $x \models \varphi$.

$\varphi = F(\beta)$: If $x \models \varphi$ then there must be an $i \in \mathbb{N}$ such that $x^{i\ldots} \models \beta$. Let $k \in \mathbb{N}$ be such that $h(z^{k\ldots}) = x^{i\ldots}$ and $h(z_k) \neq \varepsilon$. Using the previous lemma we get $z^{k\ldots} \models \beta$, which means $z \models F(\beta)$, which is equal to $z \models T(\varphi)$. If $z \models T(\varphi)$ then there is an $i \in \mathbb{N}$ such that $z^{i\ldots} \models \beta$. Let $k \in \mathbb{N}$ with $h(z^{i\ldots}) = x^{k\ldots}$. Using the previous lemma we find $x^{k\ldots} \models \beta$. Thus $x \models F(\beta)$, which is equal to $x \models \varphi$.

$\varphi = G(\beta)$: If $x \models \varphi$ then, for all $i \in \mathbb{N}$, $x^{i\ldots} \models \beta$. So for all $k \in \mathbb{N}$ with $h(z_k) \neq \varepsilon$ we get, using the previous lemma, $z^{k\ldots} \models \beta$, which means that $z \models G(\varepsilon \vee (\beta))$. And because there must be infinitely many different $k \in \mathbb{N}$ with $h(z_k) \neq \varepsilon$, we also find $z^{k\ldots} \models \beta$ for infinitely many different $k \in \mathbb{N}$. So it also holds that $z \models GF(\beta)$. Bringing these two formulae together we have $z \models G(\varepsilon \vee (\beta)) \wedge GF(\beta)$, which is equal to $z \models T(\varphi)$. If $z \models T(\varphi)$ then there are infinitely many $i \in \mathbb{N}$ such that $z^{i\ldots} \models \beta$ and, for all $j \in \mathbb{N}$ with $z^{j\ldots} \not\models \beta$, we have $h(z_j) = \varepsilon$. So for all $k \in \mathbb{N}$ there must be an $i \in \mathbb{N}$ with $h(z^{i\ldots}) = x^{k\ldots}$. Using the previous lemma we find that, for all $k \in \mathbb{N}$, $x^{k\ldots} \models \beta$ holds. Thus $x \models G(\beta)$, which is equal to $x \models \varphi$.

$\varphi = X(\beta)$: If $x \models \varphi$ then $x^{2\ldots} \models \beta$. So for some $k \in \mathbb{N}$ with $h(z^{k\ldots}) = x^{2\ldots}$ we have, using the previous lemma, $z^{k\ldots} \models \varepsilon\,U\,(\beta)$. We can choose $k$ in such a way that $h(z_{k-1}) = x_1$ and $h(z_l) = \varepsilon$ for all $l < (k-1)$. Because we do not know anything about $x_1$, we just know that $z^{(k-1)\ldots} \models \neg\varepsilon$. So together with $z^{k\ldots} \models \varepsilon\,U\,(\beta)$ we have $z^{(k-1)\ldots} \models \neg\varepsilon \wedge X(\varepsilon\,U\,(\beta))$. And because, for all $l < (k-1)$, $h(z_l) = \varepsilon$, we have $z \models \varepsilon\,U\,(\neg\varepsilon \wedge X(\varepsilon\,U\,(\beta)))$, which is equal to $z \models T(\varphi)$. If $z \models T(\varphi)$ then there is an $i \in \mathbb{N}$ such that $z^{i\ldots} \models \beta$ and such that there is just one $j < i$ with $h(z_j) \neq \varepsilon$. So $h(z^{i\ldots})$ must be $x^{2\ldots}$, and we know by the previous lemma that $x^{2\ldots} \models \beta$, which is equal to $x \models X(\beta)$, which is equal to $x \models \varphi$.
So we have finished the proof of the induction's basis. Now suppose as the induction hypothesis that for all proper subformulae (footnote 14) $\psi$ of $\varphi$ such that the lemma's preconditions are satisfied (footnote 15) it holds that $x \models \psi$ iff $z \models T(\psi)$. We will now conclude a little more from the induction hypothesis, which will allow us to slightly weaken the preconditions of the hypothesis.

Footnote 14: Proper means that we look at subformulae that are neither the formula itself nor the empty formula.
Footnote 15: For all subformulae we look at we assume complete parenthesization.

If $\psi$ is a proper subformula of $\varphi$ such that the lemma's preconditions are satisfied except that $\psi$ is a boolean connection, then $\psi$ can be represented as a boolean connection such that all the boolean connection's subformulae satisfy the lemma's preconditions. Then by definition of boolean connection there is some boolean formula $\beta$, and we get $\psi$ by substituting each atomic proposition $\alpha$ in $\beta$ by some $\psi_\alpha$. By induction it holds that $x \models \psi_\alpha$ iff $z \models T(\psi_\alpha)$. Because the basic boolean structure underlying $\psi$ and $T(\psi)$ is the same (namely $\beta$) and the $\psi_\alpha$'s resp. $T(\psi_\alpha)$'s are the subformulae substituted into this basic boolean structure to form $\psi$ resp. $T(\psi)$, we find that $x \models \psi$ iff $z \models T(\psi)$. So for each proper subformula $\psi$ of $\varphi$ such that all atomic propositions are in the scope of some temporal operator it holds that $x \models \psi$ iff $z \models T(\psi)$.

Now let $\psi$ be a proper subformula of $\varphi$ such that $\psi$ is a boolean connection and not all of its atomic propositions are in the scope of a temporal operator. Because all subformulae of $\psi$ are proper subformulae of $\varphi$, we have for all subformulae $\psi'$ of $\psi$ such that all atomic propositions in $\psi'$ are in the scope of some temporal operator that $x \models \psi'$ iff $z \models T(\psi')$. For all subformulae $\beta$ of $\psi$ that are formulae of propositional logic it holds with respect to the previous lemma that $x \models \beta$ iff $z \models \varepsilon\,U\,(\beta)$. So if we assume that $h(z_1) \neq \varepsilon$ we get $x \models \beta$ iff $z \models \beta$. Regarding that $T(\beta) = \beta$ we have $x \models \beta$ iff $z \models T(\beta)$. We now partition $\psi$ into pure temporal (footnote 16) formulae and formulae of propositional logic such that $\psi$ is the boolean connection of the formulae in the partition. Because for each formula $\psi'$ in the partition it holds, presumed $h(z_1) \neq \varepsilon$, that $x \models \psi'$ iff $z \models T(\psi')$, we conclude that, if $\mathit{subst}_T(\psi)$ denotes the formula we get by replacing each formula $\psi'$ of $\psi$'s partition by $T(\psi')$, $h(z_1) \neq \varepsilon$ implies $x \models \psi$ iff $z \models \mathit{subst}_T(\psi)$, which implies, regarding that $\mathit{subst}_T(\psi) = T(\psi)$, $x \models \psi$ iff $z \models T(\psi)$. Thus we have that $h(z_1) \neq \varepsilon$ implies that for each proper subformula $\psi$ of $\varphi$ it holds that $x \models \psi$ iff $z \models T(\psi)$. We can also conclude a bit more if we realize that each proper subformula $\psi$ of $\varphi$ contains atomic propositions that are not in the scope of a temporal operator iff $T(\psi)$ contains atomic propositions not in the scope of a temporal operator. The condition $h(z_1) \neq \varepsilon$ above is only needed to handle the boolean parts in $\psi$. So if $\psi$ does not contain atomic propositions that are not in the scope of some temporal operator then, as we have already derived, $z \models T(\psi) \Rightarrow x \models \psi$ must hold, and if $\psi$ contains atomic propositions that are not in the scope of some temporal operator, $z \models T(\psi)$ can only be satisfied if $h(z_1) \neq \varepsilon$. Thus also in this second case we have $z \models T(\psi) \Rightarrow x \models \psi$, which means that $z \models T(\psi) \Rightarrow x \models \psi$ is always true. Bringing our implications from the induction hypothesis together, we can formulate as the hypothesis that we will use in the inductive step that, for all proper subformulae $\psi$ of $\varphi$, it holds that

$z \models T(\psi) \Rightarrow x \models \psi$ and $h(z_1) \neq \varepsilon \Rightarrow (x \models \psi \Leftrightarrow z \models T(\psi))$.

To prove the inductive step we have to look at each possible logical operator separately. Because of condition v. of the lemma we do not have to investigate the case where the logical operator is a boolean operator.

$\varphi = (\psi_1)\,U\,(\psi_2)$: If $x \models \varphi$ then there exists an $i \in \mathbb{N}$ such that $x^{i\ldots} \models \psi_2$ and, for all $j < i$, $x^{j\ldots} \models \psi_1$. Let $k \in \mathbb{N}$ be such that $h(z^{k\ldots}) = x^{i\ldots}$ and $h(z_k) \neq \varepsilon$. With respect to the induction hypothesis we get $z^{k\ldots} \models T(\psi_2)$. For all $l < k$ with $h(z_l) \neq \varepsilon$ we know that

Footnote 16: We call formulae where all atomic propositions are in the scope of some temporal operator pure temporal.
$h(z^{l\ldots}) = x^{j\ldots}$ for some $j < i$, and thus $z^{l\ldots} \models T(\psi_1)$. Because for all other $l < k$ it holds $z^{l\ldots} \models \varepsilon$, we have $z \models (\varepsilon \vee (T(\psi_1)))\,U\,(T(\psi_2))$, which is equal to $z \models T(\varphi)$. If $z \models T(\varphi)$ then there is an $i \in \mathbb{N}$ such that $z^{i\ldots} \models T(\psi_2)$ and, for all $j < i$, $z^{j\ldots} \models (\varepsilon \vee (T(\psi_1)))$. Then there is a $k \in \mathbb{N}$ with $h(z^{i\ldots}) = x^{k\ldots}$, and for all $l < k$ there is a $j < i$ such that $h(z^{j\ldots}) = x^{l\ldots}$ and $z^{j\ldots} \models T(\psi_1)$. With respect to the induction hypothesis we find $x^{k\ldots} \models \psi_2$ and, for all $l < k$, $x^{l\ldots} \models \psi_1$, and so $x \models (\psi_1)\,U\,(\psi_2)$, which is equal to $x \models \varphi$.

$\varphi = (\psi_1)\,B\,(\psi_2)$: If $x \models \varphi$ then either there does not exist an $i$ such that $x^{i\ldots} \models \psi_2$, or there exists an $i \in \mathbb{N}$ such that $x^{i\ldots} \models \psi_2$ and, for all $j < i$, $x^{j\ldots} \not\models \psi_2$, and there is a $j' < i$ with $x^{j'\ldots} \models \psi_1$. In the first case there cannot be a $k \in \mathbb{N}$ with $z^{k\ldots} \models T(\psi_2)$, or we could find, using the induction hypothesis, an $i \in \mathbb{N}$ such that $x^{i\ldots} \models \psi_2$, which is a contradiction. In the second case we look at the smallest $k \in \mathbb{N}$ such that $h(z^{k\ldots}) = x^{i\ldots}$ and $h(z_k) \neq \varepsilon$. So by induction $z^{k\ldots} \models T(\psi_2)$. Also we choose the $l' < k$ with $h(z^{l'\ldots}) = x^{j'\ldots}$ and $h(z_{l'}) \neq \varepsilon$, which gives us $z^{l'\ldots} \models T(\psi_1)$. There cannot be an $l < k$ such that $z^{l\ldots} \models T(\psi_2)$, or we could infer by induction that there must be a $j < i$ with $x^{j\ldots} \models \psi_2$, which would be a contradiction. So in both cases we find $z \models (T(\psi_1))\,B\,(T(\psi_2))$, which is equal to $z \models T(\varphi)$. If $z \models T(\varphi)$ then either there is no $i \in \mathbb{N}$ such that $z^{i\ldots} \models T(\psi_2)$, or there is an $i \in \mathbb{N}$ with $z^{i\ldots} \models T(\psi_2)$ such that, for all $j < i$, $z^{j\ldots} \not\models T(\psi_2)$, and such that there is a $j' < i$ with $z^{j'\ldots} \models T(\psi_1)$. In the first case there cannot be a $k \in \mathbb{N}$ with $x^{k\ldots} \models \psi_2$, or we could find an $i \in \mathbb{N}$ such that $z^{i\ldots} \models T(\psi_2)$, which leads to a contradiction. In the second case we look at the smallest $k \in \mathbb{N}$ with $h(z^{i\ldots}) = x^{k\ldots}$ and at the $l' < k$ with $h(z^{j'\ldots}) = x^{l'\ldots}$. By induction we conclude $x^{k\ldots} \models \psi_2$ and $x^{l'\ldots} \models \psi_1$. Also there cannot be an $l < k$ with $x^{l\ldots} \models \psi_2$, because otherwise we could, using the induction hypothesis, infer the contradiction that there is a $j < i$ with $z^{j\ldots} \models T(\psi_2)$. Thus in both cases we have $x \models (\psi_1)\,B\,(\psi_2)$, which is equal to $x \models \varphi$.

$\varphi = F(\psi)$: If $x \models \varphi$ then there must be an $i \in \mathbb{N}$ such that $x^{i\ldots} \models \psi$. Let $k \in \mathbb{N}$ be such that $h(z^{k\ldots}) = x^{i\ldots}$ and $h(z_k) \neq \varepsilon$. By induction we get $z^{k\ldots} \models T(\psi)$, which means $z \models F(T(\psi))$, which is equal to $z \models T(\varphi)$. If $z \models T(\varphi)$ then there is an $i \in \mathbb{N}$ such that $z^{i\ldots} \models T(\psi)$. Let $k \in \mathbb{N}$ with $h(z^{i\ldots}) = x^{k\ldots}$. With respect to the induction hypothesis we find $x^{k\ldots} \models \psi$. Thus $x \models F(\psi)$, which is equal to $x \models \varphi$.

$\varphi = G(\psi)$: If $x \models \varphi$ then, for all $i \in \mathbb{N}$, $x^{i\ldots} \models \psi$. So for all $k \in \mathbb{N}$ with $h(z_k) \neq \varepsilon$ we get, using the induction hypothesis, $z^{k\ldots} \models T(\psi)$, which means that $z \models G(\varepsilon \vee (T(\psi)))$. And because there must be infinitely many different $k \in \mathbb{N}$ with $h(z_k) \neq \varepsilon$, we also find $z^{k\ldots} \models T(\psi)$ for infinitely many different $k \in \mathbb{N}$. So it also holds that $z \models GF(T(\psi))$. Bringing these two formulae together we have $z \models G(\varepsilon \vee (T(\psi))) \wedge GF(T(\psi))$, which is equal to $z \models T(\varphi)$. If $z \models T(\varphi)$ then there are infinitely many $i \in \mathbb{N}$ such that $z^{i\ldots} \models T(\psi)$ and, for all $j \in \mathbb{N}$ with $z^{j\ldots} \not\models T(\psi)$, we have $h(z_j) = \varepsilon$. So for all $k \in \mathbb{N}$ there must be an $i \in \mathbb{N}$
with $h(z^{i\ldots}) = x^{k\ldots}$ and $z^{i\ldots} \models T(\psi)$. By induction we find that, for all $k \in \mathbb{N}$, $x^{k\ldots} \models \psi$ holds. Thus $x \models G(\psi)$, which is equal to $x \models \varphi$.

$\varphi = X(\psi)$: If $x \models \varphi$ then $x^{2\ldots} \models \psi$. So for the $k \in \mathbb{N}$ with $h(z^{k\ldots}) = x^{2\ldots}$ and $h(z_k) \neq \varepsilon$ we have, with respect to the induction hypothesis, $z^{k\ldots} \models T(\psi)$. There must also be an $m < k$ with $h(z_m) = x_1$ and $h(z_m) \neq \varepsilon$. Because we do not know anything about $x$'s first letter, we can just conclude $z^{m\ldots} \models \neg\varepsilon$. And because for all $l$ between $m$ and $k$ or less than $m$ it must hold that $h(z_l) = \varepsilon$, we can derive $z \models \varepsilon\,U\,(\neg\varepsilon \wedge X(\varepsilon\,U\,(T(\psi))))$, which is equal to $z \models T(\varphi)$. If $z \models T(\varphi)$ then there is an $i \in \mathbb{N}$ such that $z^{i\ldots} \models T(\psi)$ and there is just one $j < i$ with $h(z_j) \neq \varepsilon$. So $h(z^{i\ldots})$ must be $x^{2\ldots}$. So we know by induction that $x^{2\ldots} \models \psi$, which is equal to $x \models X(\psi)$, which is equal to $x \models \varphi$.

□

In the preceding proof we derived (after presenting the induction hypothesis) that for each $x \in L_\omega$ and each $z \in h^{-1}(x)$ it holds that $x \models \psi \Leftrightarrow z \models T(\psi)$ iff $\psi$ is a boolean connection such that the boolean connection's subformulae $\psi'$ all satisfy the above lemma's preconditions and it holds for them all that $x \models \psi'$ iff $z \models T(\psi')$. Applying this step to the above lemma we get rid of the precondition that $\varphi$ is not a boolean connection. We find (footnote 17)
Corollary 1. Let $L_\omega \subseteq \Sigma'^\omega$ be an $\omega$-language, $h : \Sigma^\omega \to \Sigma'^\omega$ an $\omega$-homomorphism and $\varphi$ a PLTL-formula with the following properties:
i. $\varphi$ is fully parenthesized.
ii. $\varphi$ does not contain any negations.
iii. $P'$ as defined above is $\varphi$'s set of atomic propositions.
iv. Each atomic proposition in $\varphi$ is in the scope of some temporal operator.
Then with respect to the definitions of $P$, $\lambda$ and $\lambda'$ the following condition holds:

$L_\omega \models \varphi$ iff $h^{-1}(L_\omega) \models T(\varphi)$.

We now use the mapping $T$ to define a mapping $R$ on completely parenthesized negation-free PLTL-formulae. Let $\varphi$ be such a formula. If all atomic propositions in $\varphi$ are in the scope of some temporal operator (footnote 18) then we define $R(\varphi) = T(\varphi)$. Otherwise $\varphi$ is a boolean connection or an atomic proposition. If $\varphi$ is an atomic proposition we define $R(\varphi) = \varepsilon\,U\,\varphi$. Thus in the two cases where $\varphi$ is pure temporal or an atomic proposition it holds, using the preceding corollary resp. the first lemma, for any $\omega$-language $L_\omega \subseteq \Sigma'^\omega$ and any $\omega$-homomorphism $h : \Sigma^\omega \to \Sigma'^\omega$, that

$L_\omega \models \varphi$ iff $h^{-1}(L_\omega) \models R(\varphi)$.

Footnote 17: We should realize that the succeeding corollary gives us a complete characterization of $T$ in the sense that it describes, in addition to the preceding lemma, the part of $T$'s definition where the logical operator is a boolean operator.
Footnote 18: All atomic propositions are in some temporal operator's scope.

We now suppose that $\varphi$ is a boolean connection. We partition $\varphi$ into pure temporal subformulae $t$ and boolean subformulae $b$ of $\varphi$ (footnote 19) such that all these subformulae of $\varphi$ are subformulae of a boolean connection that is $\varphi$. Now we substitute each pure temporal subformula $t$ in the boolean connection by $T(t)$ and each propositional subformula $b$ in the boolean connection by $\varepsilon\,U\,(b)$. We define $R(\varphi)$ to be the resulting formula. Let $\beta$ be the basic boolean structure underlying the boolean connection we investigate. By our definition $R(\varphi)$ is also a boolean connection, and $\beta$ is a basic boolean structure for a boolean connection that is $R(\varphi)$. Also by our definition we know that if an atomic proposition in $\beta$ is substituted by a pure temporal formula $t$ to obtain $\varphi$ then it is substituted by $T(t)$ to obtain $R(\varphi)$, and if an atomic proposition in $\beta$ is substituted by a propositional formula $b$ to obtain $\varphi$ then it is substituted by $\varepsilon\,U\,(b)$ to obtain $R(\varphi)$. For all $t$ and $b$ we know, because of the preceding corollary resp. the first lemma, that for any $\omega$-language $L_\omega \subseteq \Sigma'^\omega$ and any $\omega$-homomorphism $h : \Sigma^\omega \to \Sigma'^\omega$ it holds

$L_\omega \models t$ iff $h^{-1}(L_\omega) \models T(t)$ and $L_\omega \models b$ iff $h^{-1}(L_\omega) \models \varepsilon\,U\,(b)$.

Because the underlying boolean structure is the same for $\varphi$ and $R(\varphi)$, and the $t$ and $b$ (resp. $T(t)$ and $\varepsilon\,U\,(b)$) are the subformulae of $\varphi$'s (resp. $R(\varphi)$'s) boolean connection, we conclude that for any $\omega$-language $L_\omega \subseteq \Sigma'^\omega$ and any $\omega$-homomorphism $h : \Sigma^\omega \to \Sigma'^\omega$ it holds

$L_\omega \models \varphi$ iff $h^{-1}(L_\omega) \models R(\varphi)$.

So we have found that the above condition holds for all possible structures $\varphi$ might have. We state this in the following corollary.

Corollary 2. Let $L_\omega \subseteq \Sigma'^\omega$ be an $\omega$-language, $h : \Sigma^\omega \to \Sigma'^\omega$ an $\omega$-homomorphism and $\varphi$ a completely parenthesized negation-free PLTL-formula. Then with respect to the definitions of $P$, $P'$, $\lambda$ and $\lambda'$ the following condition holds:

$L_\omega \models \varphi$ iff $h^{-1}(L_\omega) \models R(\varphi)$.
We now consider a nitary language L and an alphabetic language homomorphism h : ! 0 . We will investigate the relation of properties of lim(h(L)) to properties of lim(L). Be a negation-free fully parenthized PLTL-formula with P 0 as de ned above as its set of atomic propositions. Using the previous corollary we know that lim(h(L)) j= i h; (lim(h(L))) j= R(). We now will look at the relation between lim(L) and h; (lim(h(L))). Firstly lim(L) may contain !-words x for those h(x) is unde ned. h(x) is herein the !-homomorphism induced 1
1
19 20
In general there need not exist pure temporal subformulae of in the investigated case. Herein h;1 is the inverse of the !-homomorphism induced by h.
20
by h applied to x. These are the !-words x that would have|if it would be de ned| nitely long images under h. So these words are not in h; (lim(h(L))). Thus we can separate lim(L) into two sets|lim(L) = defh [ undefh|containing the !words x in lim(L) for that h(x) is de ned or unde ned respectively. So we have h(lim(L)) = h(defh) because, for all x 2 undefh, h(x) is unde ned. For all x 2 defh it holds that there exist in nitely many dierent words in L that are nite pre xes of x (because defh lim(L)) and in nitely many of these words must have dierent images under h (otherwise h(x) couldn't be de ned which would be a contradiction to x 2 defh). So the in nitely many dierent homomorphic images of words in L generate h(x) as their limit which means that h(x) must be in lim(h(L)) for all x 2 defh . Thus defh is a subset of h; (lim(h(L))). Using the previous corollary we know that if is negation-free and fully parenthized it holds lim(h(L)) j= ) defh j= R(): 1
1
For the $\omega$-words in $\mathit{undef}_h$ we know that they would have, if defined, a finitely long image under $h$. We want to express this by satisfaction of the proposition $\mathit{finite}_h$. This does not lead us out of the scope of PLTL because we can express $\mathit{finite}_h$ by the PLTL-formula $F(G\,\varepsilon)$. So we have $\mathit{undef}_h \models \mathit{finite}_h$. We define $\tilde{R}(\varphi) = \mathit{finite}_h \vee (R\ (\varphi))$ and have for any negation-free fully parenthesized PLTL-formula $\varphi$ (because $\lim(L) = \mathit{def}_h \cup \mathit{undef}_h$) $\lim(h(L)) \models \varphi \Rightarrow \lim(L) \models \tilde{R}(\varphi)$. Let $N$ be a mapping on PLTL-formulae that constructs for each PLTL-formula an equivalent completely parenthesized negation-free PLTL-formula. This is done by replacing some operators and atomic propositions by their duals and by erasing and adding some parentheses. Now we define $R(\varphi) = \tilde{R}(N(\varphi))$ for any PLTL-formula $\varphi$ and get as a final result
Corollary 3. Let $L$ be a finitary language, $h : \Sigma^* \to \Sigma'^*$ be an alphabetic language homomorphism and $\varphi$ be an arbitrary PLTL-formula. Then it holds
$\lim(h(L)) \models \varphi \Rightarrow \lim(L) \models R(\varphi)$.
6 A Short Example
Let $\Sigma = \{a, b, c, d, e, f\}$ be the set of elementary actions in the representation of a reactive system's full behaviour. We present the system by a regular language $L$ describing all finitely long sequences of possible behaviour of the system. We define
$L = c\,d^* \cup a\,b^*\,c\,d^* \cup e\,f^*\,\Sigma^*$.
For an abstraction of the system's behaviour we define $\Sigma' = \{A, B, C\}$ as the set of elementary abstracted actions and define the abstraction's homomorphism $h : \Sigma^* \to \Sigma'^*$ by $h(a) = h(b) = A$, $h(c) = B$, $h(d) = h(f) = C$ and $h(e) = \varepsilon$. So we have $h(L) = B\,C^* \cup A\,A^*\,B\,C^* \cup \varepsilon\,C^*\,\Sigma'^* = A^+ B\,C^* \cup C^*\,\Sigma'^*$ and thus
$\lim(h(L)) = A^+ B\,C^\omega \cup C^*\,\Sigma'^\omega$.
We will investigate the PLTL-formula $\varphi = (\neg A) \vee ((A\,U\,B) \wedge (G\,(B \Rightarrow (X\,(G\,C)))))$. It holds $\lim(h(L)) \models \varphi$. To go on we have to make $\varphi$ negation-free. We set $\varphi' = \tilde{A} \vee ((A\,U\,B) \wedge (G\,(B \Rightarrow (X\,(G\,C)))))$, which is equivalent to $\varphi$. $\varphi'$ is a boolean connection with $s \vee t$ as its basic boolean structure. We have to substitute $s$ by $\tilde{A}$ and $t$ by $((A\,U\,B) \wedge (G\,(B \Rightarrow (X\,(G\,C)))))$ to get $\varphi'$. So $s$ is substituted by a boolean formula and $t$ by a pure temporal formula. Thus we have a boolean connection of the right form to calculate $R\ (\varphi')$. This is done by substituting $(\varepsilon\,U\,\tilde{A})$ for $s$ and $T((A\,U\,B) \wedge (G\,(B \Rightarrow (X\,(G\,C)))))$ for $t$ in the basic boolean structure. We get
$R\ (\varphi') = (\varepsilon\,U\,\tilde{A}) \vee \big( ((\varepsilon \vee A)\,U\,B) \wedge ( G\,(\varepsilon \vee (B \Rightarrow (\varepsilon\,U\,(\neg\varepsilon \wedge X\,(\varepsilon\,U\,(G\,(\varepsilon \vee C) \wedge G\,F\,C)))))) \wedge G\,F\,(B \Rightarrow (\varepsilon\,U\,(\neg\varepsilon \wedge X\,(\varepsilon\,U\,(G\,(\varepsilon \vee C) \wedge G\,F\,C))))) ) \big)$.
Next we set $\tilde{R}(\varphi') = \mathit{finite}_h \vee R\ (\varphi')$ and, because $\varphi'$ is negation-free and completely parenthesized and equivalent to $\varphi$, we have $R(\varphi) = \tilde{R}(\varphi')$. Regarding the fact that $\lim(L) = c\,d^\omega \cup a\,b^*\,c\,d^\omega \cup e\,f^*\,\Sigma^\omega$ we get $\mathit{undef}_h = e\,f^*\,e^\omega$ and by definition $\mathit{def}_h = \lim(L) - \mathit{undef}_h = c\,d^\omega \cup a\,b^*\,c\,d^\omega \cup e\,f^*\,(\Sigma - \{e\})^\omega$. As we already know by the preceding lemmas and corollaries it holds $\mathit{def}_h \models R\ (\varphi')$ and thus $\lim(L) \models R(\varphi)$.
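As an added example that is not part of the paper, the following Python code implements the abstraction homomorphism $h$ of this section and its induced $\omega$-homomorphism on ultimately periodic $\omega$-words $u\,v^\omega$, deciding for each such word whether it lies in $\mathit{def}_h$ or in $\mathit{undef}_h$; the representation of $\omega$-words as pairs $(u, v)$ and the sample words are constructed for this example.

```python
# Added example, not part of the paper: the homomorphism h of Section 6 and the
# induced omega-homomorphism on ultimately periodic words u v^omega, which are
# represented as pairs (u, v) (a representation assumed for this example).

# h(a) = h(b) = A, h(c) = B, h(d) = h(f) = C, h(e) = epsilon (the paper's h).
H = {"a": "A", "b": "A", "c": "B", "d": "C", "e": "", "f": "C"}


def h_word(w, h=H):
    """Image of a finite word under the alphabetic homomorphism h."""
    return "".join(h[x] for x in w)


def h_omega(u, v, h=H):
    """Image of u v^omega under the induced omega-homomorphism, returned as
    (h(u), h(v)) and standing for h(u) h(v)^omega.

    The image is defined only if infinitely many finite prefixes of u v^omega
    have pairwise different images. Every prefix is u v^n w with w a prefix of
    v, so this holds exactly when h(v) is non-empty; otherwise all prefix
    images collapse to h(u), the word lies in undef_h and None is returned."""
    hv = h_word(v, h)
    if hv == "":
        return None
    return (h_word(u, h), hv)


def finite_image(u, v, h=H):
    """For x = u v^omega in undef_h: the finitely long image x would have."""
    return h_word(u, h) if h_omega(u, v, h) is None else None


def split_def_undef(words, h=H):
    """Partition a sample of omega-words (u, v) into (def_h, undef_h)."""
    defined, undefined = [], []
    for u, v in words:
        (defined if h_omega(u, v, h) is not None else undefined).append((u, v))
    return defined, undefined


# Constructed sample of ultimately periodic words over {a, ..., f}.
SAMPLE = [("c", "d"), ("abbc", "d"), ("e", "f"), ("ef", "e"), ("effe", "e")]

if __name__ == "__main__":
    defined, undefined = split_def_undef(SAMPLE)
    for u, v in defined:
        print(f"{u}({v})^w is in def_h,   image {h_omega(u, v)}")
    for u, v in undefined:
        print(f"{u}({v})^w is in undef_h, finite image {finite_image(u, v)!r}")
```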
7 Interpretation of the Result
If we are given a formal specification of a reactive system and calculate the system's full behaviour by a complete analysis of the specification, which gives us as a result a finite description of the $\omega$-language representing the system's behaviour, we normally cannot verify system properties directly. This is because of the usually large size of the system's description and the complexity of the verification algorithms. Since in our case $\omega$-languages are usually described by deterministic automata, the system's full behaviour can be described by $\lim(L)$ for some regular language $L$. With our result we can now reduce the size of the system description by a homomorphism $h$ that preserves only the information about the system that is necessary with respect to the properties we want to verify. We then have to show that some property expressed by a PLTL-formula $\varphi$ holds for $\lim(h(L))$, using a model checker or a proof system. This can now be done effectively if the finite description of $\lim(h(L))$, the finite automaton, is small enough. From this verification step we directly know that the corresponding property $R(\varphi)$ holds for $\lim(L)$.
(Footnote 21) We are thinking of a complete reachability analysis.
At GMD's Institute for Telecooperation Technology we specify systems by Product Nets, which are high-level Petri Nets [BOP89]. There we can calculate for an alphabetic language homomorphism $h$ the language $h(L)$, where $L$ is the Product Net's firing sequence language, without calculating $L$ completely. This is done via what is called a reduced reachability analysis. So, together with our results, we can calculate properties of the often very large $\omega$-language $\lim(L)$ without having to compute this $\omega$-language at all.
The method presented in this paper suffers in one point: all $\omega$-words in $\lim(L)$ that have a finitely long homomorphic image fall out of the scope of $R(\varphi)$, and only its part $R\ (\varphi)$ contains real information about the system. That is really a problem, since there is no reason why errors in a reactive system's specification should not be apparent only in these $\omega$-words. So there is some future work to be done: we could define extensions of homomorphisms in such a way that no words of finite length are in the resulting mapping's image. We can think of other temporal logics that are able to handle finite and infinite state sequences. Since some interesting properties cannot be expressed in PLTL, it would also be interesting to extend our method to some branching time logics [Eme90]. This is one part of the current basic work. The other part is to cope with liveness properties. Special liveness properties are preserved under a particular type of homomorphisms, the simple homomorphisms [Och92]. It should be investigated whether we get some improvements in the retranslation of properties from the image to the original model by taking only simple homomorphisms into account for our abstractions.
Last but really not least I want to thank my colleagues Peter Ochsenschläger, Wolfgang Orth and Jürgen Repp for lots of interesting discussions on the topics of this paper.
(Footnote 22) A regular language representing the specified system's full behaviour.
(Footnote 23) The reduced reachability analysis is carried out by a software tool called the Product Net Machine [Och91].
References
[BOP89] Heinz Jürgen Burkhardt, Peter Ochsenschläger, and Rainer Prinoth. Product nets: a formal description technique for cooperating systems. GMD-Studien 165, Gesellschaft für Mathematik und Datenverarbeitung (GMD), Darmstadt, September 1989.
[Eme90] E. Allen Emerson. Temporal and modal logic. In van Leeuwen [vL90], pages 995–1072.
[HU79] John E. Hopcroft and Jeffrey D. Ullman. Introduction to Automata Theory, Languages and Computation. Addison-Wesley, Reading, Mass., first edition, 1979.
[Och91] Peter Ochsenschläger. Die Produktnetzmaschine. Petri Net Newsletter, 39:11–31, August 1991. Also appeared as GMD Arbeitspapier Nr. 505, 1991.
[Och92] Peter Ochsenschläger. Verifikation kooperierender Systeme mittels schlichter Homomorphismen. Arbeitspapiere der GMD 688, Gesellschaft für Mathematik und Datenverarbeitung (GMD), Darmstadt, Oktober 1992.
[Tho90] Wolfgang Thomas. Automata on infinite objects. In van Leeuwen [vL90], pages 133–191.
[vL90] Jan van Leeuwen, editor. Formal Models and Semantics, volume B of Handbook of Theoretical Computer Science. Elsevier, 1990.