on the relationship between -automata and temporal logic ...uros.m/logcom/hdb/volume_12/... ·...

On the Relationship between �-automataand Temporal Logic Normal Forms

ALEXANDER BOLOTOV, Harrow School of Computer Science, Universityof Westminster, Harrow HA1 3TP, UK.E-mail: [email protected]

MICHAEL FISHER and CLARE DIXON, Department of ComputerScience, University of Liverpool, Liverpool L69 7ZF, UK.E-mail: �M.Fisher,C.Dixon�@csc.liv.ac.uk

AbstractWe consider the relationship between �-automata and a specific logical formulation based on a normal form fortemporal logic formulae. While this normal form was developed for use with execution and clausal resolution intemporal logics, we here show how it can represent, syntactically, �-automata in a high-level way. Technical proofsof the correctness of this representation are given.

Keywords: Temporal logics, normal forms, automata, theorem-proving, clausal resolution.

1 Introduction

Automata over infinite objects, termed �-automata, were originally introduced as a tool forinvestigating the decidability of restricted classical first-order and second-order logics [3], buthave also been extensively used in recent developments within wider areas of computer sci-ence. In particular, the success of the model-checking approach [6, 12, 15, 20], when appliedto the analysis of infinite computations, is primarily due to the incorporation of automata-related methods.

On the other hand, in line with their original aim, �-automata have been used to estab-lish theoretical properties of a variety of logics used within computer science. In particu-lar, automata-theoretic techniques give elegant and efficient methods for proving decidabil-ity of varieties of temporal logic [6]. Note that, in some cases, for example in the caseof the branching-time logic CTL�, where the tableau construction is not directly applicable,automata-based methods are essential for proving decidability of such expressive systems [6].In decidability results for temporal logic, Buchi automata [3] over infinite words and infinitetrees are especially important. It is known [5] that Buchi word automata, which are as ex-pressive as propositional linear-time �-calculus [16], are themselves strictly more expressivethan propositional linear-time temporal logic, PLTL [22]. A well-known example exhibitingthis is the characterization of the property ‘� holds at every even moment of (a linear, dis-crete sequence of) time’ (i.e.‘��’), which is expressible using Buchi automata, but notPLTL [22].

In this paper we consider the relationship between �-automata on infinite words and aspecific logical formalism based on a normal form for temporal logic formulae, calledSNF�� [8]. While this normal form was developed for use with clausal resolution in

J. Logic Computat., Vol. 12 No. 4, pp. 561–581 2002 c� Oxford University Press

562 On the Relationship between �-automata and Temporal Logic Normal Forms

temporal logics [7, 10] and execution [8], we here show how it can represent, syntactically,�-automata in a high-level way.

The general problem structure that we are trying to solve is given in Figure 1. Here we areattempting to analyse a system specification (S) and provide some (formal) verification of itsproperties (V).

Verification

Specification

Automaton Normal Form(A)

(S)

(V)

(N)

FIGURE 1. Specification-verification problem

If the specification (S) is given in a high-level language, for example a logic, then we caneither translate (S) to an automaton (A) and then carry out as verification (V) an automatonemptiness check, or we can carry out the translation from (S) to a normal form (N) and thenuse as verification (V) some form of efficient deduction, for example clausal resolution. Thecomplexity of the translation from (S) to an automaton (A) is usually exponential [21]. Forexample, a PLTL formula � can be translated into a Buchi automaton with �� states[21]. In contrast, checking non-emptiness for a Buchi automaton is decidable in linear time[6, 21]. Note, however, that the situation is different when we carry out the translation ofa PLTL formula � into alternating automata [21, 1], where the translation (S)�(A) resultsin an automaton of the size ��, while checking non-emptiness involves an exponentialblow-up.1

On the other hand, the complexity of the translation from (S) to (N) is polynomial or oftenlinear [10]. In contrast, verification of formulae in the normal form ((N) � (V)) is usuallyexponential since it involves some form of proof (in our case, clausal resolution).2

Our particular concern here is what is the relationship between the normal form (N) givenas the normal form for PLTL (SNF��) and the automaton (A) in the diagram above. Wewill show that SNF��, which was originally developed as a normal form for the formulaeof PLTL, can represent Buchi automata. The essential reason for this is that, in translating aproblem specification into our normal form, we actually derive clauses within a fragment ofquantified propositional linear-time temporal logic (QPLTL) [18, 14]. In particular, formulaewithin SNF�� are existentially quantified. In order to utilize the normal form as part of aproof, we effectively skolemize the normal form producing temporal formulae without anyquantification (i.e.PLTL).

1No direct methods of checking non-emptiness of alternating automata are known. Usually an alternating au-tomaton is simulated by a standard non-deterministic automaton and the known emptiness check is applied to thelatter [1, 21].

2However, we are often able to use either improved proof strategies [9] or restricted forms of the normal form [4]in order to improve the practical efficiency of such a proof.

On the Relationship between �-automata and Temporal Logic Normal Forms 563

Having established this relationship between SNF�� and Buchi automata, we will beable to represent a problem specification directly as a set of formulae in the normal form andapply a resolution-based verification technique to the latter. Also, taking into account thatnon-deterministic Buchi automata on infinite words recognize the same class of -languagesas non-deterministic Rabin or Streett word automata [20], we believe that by varying theformulation of acceptance conditions in our syntactic representation of Buchi automata, ourapproach allows us to specify other types of �-automata such as Rabin or Streett automata.

The remainder of the paper is organized as follows. In Section 2 we overview SNF��outlining its syntax in Section 2.1 and its semantics, in Section 2.2, together with an example,Section 2.3. In Section 3 we describe the representation of Buchi automata in QPLTL, defin-ing this type of automata in Section 3.1, overviewing the logic QPLTL in Section 3.2, and therepresentation of Buchi automata in QPLTL in Section 3.3 following [14], which inspired thework presented in this paper. Consequently, in Section 4, we show how to obtain similar re-sults using SNF�� language. In Section 4.1 we describe the translation of Buchi automatainto SNF�� and in Section 4.2 the reverse translation from SNF�� into Buchi automata.In Section 4.3 we establish the correctness of these translations, while in Section 4.4 we applySNF�� as a specification language to express the property ‘��’. Finally, in Section5, we provide concluding remarks.

2 Normal form in clausal resolution for PLTL

The clausal resolution method for propositional linear-time temporal logic, PLTL, describedin [7, 10], is divided into two main procedures. First, a PLTL formula � is translated into itsnormal form, called Separated normal form, and abbreviated SNF�� . Then a resolu-tion procedure is applied to SNF�� .

The basic idea behind the normal form is to present information contained in the originalPLTL formula, �, generating formulae that are either relevant to the first state in a model, orconstrain future behaviour of �. The transformation procedure uses fixpoint unwinding [2]and sub-formula renaming [17] in order to obtain an SNF�� representation for an arbitraryPLTL formula.

2.1 Language ofSNF��We define the language of SNF�� based on the following symbols:

- atomic propositions � � � � � � �� ;- classical operators � � � �;- classically defined constants �� , �� ;- temporal operators

‘at the initial moment of time’ �� ;‘always in the future’ ;‘sometime in the future’ �;‘at the next moment in time’ �.

DEFINITION 2.1 (Separated normal form)Separated normal form is a formula

��

��


where each of the ‘��’ is known as a ‘clause’ and must be one of the following (see Fig-ure 2) with each particular ��, �� , ��, Æ� and � representing literals, i.e.propositions or theirnegations.

��

�� (an initial clause)��

��

�� (a stepclause)

��

Æ� � �� (a sometimeclause)

FIGURE 2. Varieties of SNF�� clauses

The intuition behind this formulation is that the initial clauses provide the initial conditionswhile each step or sometime clause represents a constraint upon the future behaviour of theformula, given the current conjunction of literals. Thus, the step clauses constrain successorstates and the sometime clauses constrain sequences of states over a longer period.

The semantics of SNF�� is given in the next section. However, to illustrate Definition2.1 we exhibit a simple example of SNF�� clauses explaining its intuitive interpretation.Consider the following SNF�� expression:

�� (2.1)

Formula (2.1) expresses the following properties of the linear-time model:

- � is satisfied in the initial state (given by the first conjunct);

- once � is satisfied, � must occur eventually (given by the second conjunct); and

- �� occurs everywhere apart from possibly in the initial state in a model (given by thethird conjunct).

Note that although the language of PLTL includes ‘� ’ and ‘� ’ operators as well as theoperators used in SNF��, in the latter language we use only ‘ ’, ‘�’, and ‘ �’ operators.This is possible since in the transformation procedure the ‘ ’3, ‘� ’ and ‘� ’ operators arereplaced by their fixpoint definitions. We will provide the corresponding rules in Section 2.3,together with other main transformation rules.

2.2 Interpretation ofSNF��Models of a set of SNF�� clauses are tuples � � � �� where

3In the language of SNF�� the operator is used only as an operator which surrounds the conjunction ofclauses which is needed for the correctness of the translation. In the translation of a PLTL formula � into SNF��,we remove any occurrence of the ‘ ’ operator in � substituting it by a corresponding fixpoint definition. This isbased on the fact that this operator can be understood as an infinite sequence of the ‘ �’ operations and, thus, can berepresented in SNF�� by a set of the step clauses (see [10] for details).


�� iff ��

�� iff ��

�� iff ��

�� iff ��

�� iff ��

�� iff � � � �� iff ��

�� iff ��

��

�� iff ��

FIGURE 3. Semantics of SNF��

� � is a discrete, linear sequence of states, isomorphic to Natural Numbers,� ;

� � is a binary relation over� ; and

� � is an interpretation function mapping atomic propositional symbols to truth values ateach state, i.e. � � � � �� !�"��.

In Figure 3 we define a relation ‘��’, which evaluates an SNF�� clause at a state �� in amodel.

DEFINITION 2.2 (Satisfiability)An SNF�� clause, #, is satisfiable if, and only if, there exists a model such that �� #.

DEFINITION 2.3 (Validity)An SNF�� clause, #, is valid if, and only if, it is satisfiable in every possible model, i.e.for each , �� #.

2.3 Example transformation

We precede our example of transformation into SNF�� by describing the main stages ofthis procedure referring the interested reader to [10] for further details. Recall that SNF��is used as a normal form for PLTL formulae to which resolution rules could be applied inorder to test their validity [8, 10]. Thus, assuming that our aim is to check if a PLTL formula� is valid, we first negate it, and then push negations inward until they are applied only topropositional variables. This gives $$� ��, the Negation normal formof �. Then we an-chor the latter to �� , obtaining �� $$� �� and, following the algorithm in[8, 10], gradually apply transformation rules in order to obtain the desired form of SNF��clauses. Abbreviating the corresponding transformation procedure by % , we next describe itsmain stages.

First, we reduce the nesting of the temporal operators providing renaming of the complexsubformulae, arguments of these operators, by new propositions. As a result, any temporaloperator applies to literals.


Second, we remove unwanted temporal operators, , � , and � . The correspondingrules are based upon fixpoint definitions of these modalities [2]. In the formulation of theserules below, & abbreviates a classical formula,� and � are literals, and � is a new proposition.

Removal of

% � �&� ��

�% � �&� � � �� % � ��

�

Removal of �

% � �&� ��

��

% � �&� �� % � �&� �� % � ��

�

Removal of �

% � �&� ��

�% � �&� �� % � ��

�

Having removed unwanted temporal operators, we apply the transformation procedure %

obtaining the desired form of SNF�� clauses. Many of the rules used here are classicaltransformations. (In the example below we refer to these rules as ��.) Other rules [10]invoke temporal reasoning. One of these rules called ‘��’, applies to � � �, where� and � are purely classical formulae, introducing a temporal context. Since this techniquewill be used in the example below, here we formulate the corresponding rule:

��

% � ��

�% � �� % � ��

�

As an example, let us consider the translation into SNF�� of the PLTL inductionprinci-ple:

�� (2.2)

To check that (2.2) is valid we negate it, obtaining �� andthen derive the Negation normal formof (2.2):

�� (2.3)

In carrying out the translation of (2.3) into SNF��, below we omit the outer ‘ ’ connec-tive that surrounds the conjunction of clauses and, for convenience, consider a set of clausesrather than the conjunction.

Thus, we first anchor (2.3) to �� , and rename a complex subformula on the right-handside of the generated formula by a new proposition, � (steps 2 and 3). Then we simplify theformula in step 3 by splitting conjunctions on its right-hand side (steps 4–6).

� ��

��

� � � ��

��

��

� � � ��

At this stage we reduce the nesting of temporal operators (in 4) by renaming the embeddedsubformula �� by a new proposition, '.


�� ' � � ��

�� ' � ��

Now, since the ‘ ’ operator applies to a literal (in 7), we remove it deriving formulae 9and 10 below, and introducing a new variable, �.

�� ' � � � � ��

�� ' � ��

Further steps of the translation give us the desired SNF�� clauses. First, we transform 8 toobtain the following:

� ' � � � ��

Then we simplify formulae 9 and 10 splitting the conjunction in 9 (steps 12 and 13) anddistributing �over the conjunction in 10 (steps 14 and 15).

�� ' � ��

� � � � � ��

�� ' � ��

��

Finally, note that steps 5, 12 and 13 are purely classical expressions. Here we introduce atemporal context incorporating the rule ‘��’:

� ��

��

�� ' � ��

�� '� � ��

��

��

The normal form of the given PLTL formula is represented by the set of formulae 2, 6, 11,14–21. However, the following reasoning can be applied to this set of clauses, producing asemantically equivalent, but simpler, set.

First, note that the initial clause 2 and the initial clauses 16, 18 and 20, following thesemantics of SNF��, can be satisfied together in a model, only if the initial state of satisfies � ' and �. Thus, without loss of generality we can consider clauses �� ,�� ' and �� instead of the clauses 16, 18 and 20.

This reasoning is simulated in the clausal resolution technique by a stepresolution opera-tion [8], which, for example, being applied to �� and �� , results in�� (see [8, 10] for details of the clausal resolution method).

Also, as follows from the temporal resolution algorithm [10], clauses 17, 19 and 21 cannoteffectively participate in the subsequent refutation, hence, they are redundant. Therefore, wecan omit these clauses without loss of generality.

As a result we obtain a simplified set of the SNF�� clauses for (2.3). We present this setin Figure 4 such that we first give initial clauses, then step clauses and, finally, any sometimeclauses.

Note that, in this set of clauses, all propositions except � are new — they have been intro-duced during the translation of (2.3) either via renaming or via removing unwanted temporaloperators. The truth values of these new propositions are associated, for example, in the case


� ��

��

� �� '

��

�� ' � � � ��

� � � �'

��

��

FIGURE 4. Normal form for the negation of PLTL induction

of renaming, with the truth values of the renamed formulae [8, 17].It is easy to establish that the set of clauses in Figure 4 is unsatisfiable. Indeed, consider

an arbitrary model . Clauses 1–4 indicate that � � ' � are satisfied at the initial moment� of a model . Further, if ' � �, which occur on the left-hand side of clauses 5–7, aresatisfied at some moment �� , then � must occur at every moment �� , where � ( �.Therefore, since ' � and � are satisfied at �, and since � also satisfies �, we conclude that� must be satisfied at every state of . However, since � is satisfied at the initial moment�, and clause 8 requires that once � is satisfied, �� must eventually occur, there must be amoment �� )� which satisfies ��. Thus, �� must satisfy both � and �� — hence, acontradiction.

A resolution method defined in [7], if applied to the set of clauses in Figure 4, producesa refutation, thus, indicating that (2.3), a negation normal form of induction, is unsatisfiable,hence, that (2.2), the induction principle itself, is valid.

3 Representation of Buchi automata in QPLTL

The main stages of our translation of Buchi automaton into normal form are similar to thoseused in [14], where the authors describe the encoding of Buchi automata in terms of quantifiedpropositional temporal logic (QPLTL). Thus, we precede the presentation of our result byintroducing Buchi automata, the logic QPLTL and the translation of Buchi automata intoQPLTL.

3.1 Non-deterministic Buchi automata

Automata over infinite words were introduced by Buchi as a tool for investigating the de-cidability of restricted classical second-order logics [3], monadic second-order logic of onesuccessor (S1S).

DEFINITION 3.1A Buchi word automaton,� (or a Buchi automaton over a structure) is a tuple � * � Æ �� where:

� � is an alphabet;


� * � " "� � � � "� is a finite set of states;

� � � * is a set of initial states;

� Æ � * �� is a non-deterministic transition function;

� � � * is a set of accepting states.

Visiting a state "� �� )� and reading +� �� ,�, a component of an infinite word� � ++�+ � � �, the automaton makes a moveto one of the states, members of *, say, to "� ,according to the non-deterministic transition function Æ.

A run, %�, of a Buchi automaton� over the word � is an infinite sequence of states wherethe first state is one of the initial states, elements of �, and every other state is reached fromits immediate predecessor by a move.

A run, %�, is successfulif there is a state " � � such that " appears in %� infinitely often.4

An automaton � accepts the infinite word � (in other terms, the language recognized by �is not empty) if it has a successful run %�.

3.2 Quantified propositional temporal logic (QPLTL)

Quantified propositional temporal logic, QPLTL, introduced in [18]5 extends linear-time tem-poral logic by allowing propositional quantification (see also [19, 14] for details). Note that,while in [19] the logic QPLTL is formulated using only future-time operators, in [14], the au-thors presented a complete axiomatization for QPLTL formulated with both past and future-time operators. As is known for linear-time temporal logic [11], given the underlying tem-poral structures have the initial moment of time, the introduction of the past-time operatorsdoes not increase the expressiveness of the logic and is usually provided only for conve-nience. Since in our representation of Buchi automata in SNF, we essentially use the ideas ofrepresentation of Buchi automata in QPLTL [14], below we present the syntax and semanticsof QPLTL incorporating both linear and future-time operators, following closely [14].

3.2.1 QPLTL syntax

We define the language of QPLTL based on the following symbols:- atomic propositions � � � � � � �� ;- classical operators � � � �;- temporal operators

FUTURE:‘always in the future’ ,‘at sometime in the future’ �,‘until’ � ,‘at the next moment in time’ �,

PAST:‘always in the past’ ,‘at sometime in the past’ �� ,‘since’ � ,‘weak previous’ �,

4Note that by varying the acceptance condition we induce different types of �-automata [20].5Usually this logic is known as QPTL. We adopt here the abbreviation ‘QPLTL’ to emphasize that the propo-

sitional quantification is introduced here in the framework of linear-time (but not, for example branching-time)temporal logic.


- (propositional) quantifiers‘universal quantifier’ �,‘existential quantifier’ �.

Well-formed QPLTL formulae are defined as follows:

� Every atomic proposition is a formula.

� If � and � are formulae then so are��

� ��

� �� .

� If � is an atomic proposition and � is a formula then �� and �� are formulae.

3.2.2 QPLTL semantics

Similar to SNF�� clauses, we interpret formulae of QPLTL over linear, discrete structures � � � �� which satisfy the conditions mentioned in Section 2.2.

Below we define a relation ‘��’, which evaluates QPLTL formulae at a state �� in a model. For clarity, we present the semantics separately for the temporal operators (Figure 5) andpropositional quantification (Figure 6), omitting the cases of the Boolean connectives whichare similar to those given in the semantics for SNF�� in Section 2.2.

�� iff �� iff ��

�� iff �� iff ��

�� ) �� ) ( � �� iff �� iff ��

�� iff � � � �� ( � �� iff ��

�� ) �� ( ) � � ��

FIGURE 5. Semantics of QPLTL for temporal operators

DEFINITION 3.2 (Satisfiability)A QPLTL formula,&, is satisfiable if, and only if, there exists a model such that �� &.

DEFINITION 3.3 (Validity)A QPLTL formula, &, is valid if, and only if, it is satisfiable in every possible model, i.e. foreach, �� &.


�� iff for every model � which differs from at mostin the evaluation of �, � �� ;

�� iff there exists a model� such that it differs from at most in the evaluation of �and � �� .

FIGURE 6. Semantics of QPLTL for propositional quantification

3.3 Representation of Buchi automata in QPLTL

In [14] a complete axiom system for QPLTL formulated with both future and past-time oper-ators is presented. In the proof of completeness of this axiom system, which is based on thefact that QPLTL is expressively equivalent to Buchi automata, the construction of the QPLTLformula characterizing a Buchi automaton is essential. Thus, in [14] the authors represent aBuchi automaton as a QPLTL expression whose construction is defined in stages as below.

Given a Buchi automaton � � � * � Æ ��, let * � " � � � "�. Let "� � � � "� �� ! � , � )� be the initial states, i.e. members of �, let "� � � � "� �� )� bethe accepting states, i.e. members of �, and let a set of variables & � � � � � �� consistof new propositions of QPLTL language such that �� )� encodes the state "� ofthe automaton. Let & � & abbreviate a subset of & which encodes the initial states, i.e.members of �, and & � & abbreviate a subset of & which encodes the accepting states,i.e.members of �.

Further, let � and ' be new propositions of QPLTL such that � � ' � ��, for any � � � � ).Finally, let �� be defined as �� .6

Now, the following QPLTL formula defines a marker, �, which is determined to be true inthe current state of the automaton and false elsewhere.

*�� (3.1)

Next, a concept of a successful run is represented as

!--��'� � ��'� � ��'� � !-- ��'�� (3.2)

The ‘��’ component, defined below, determines a proposition ' to be true at one of theinitial states.

��'� ��

��

�' � �� (3.3)

6As we mentioned, the introduction of the past-time operators in QPLTL does not increase its expressiveness,being provided only for convenience. This, for example, allows the authors of [14] to define the constant �� interms of other operators. Similarly, SNF�� can be defined either with past-time operators or only with future-time operators. We gave the preference to the latter case, as this formulation of SNF�� is more convenient fordefining our resolution technique. As a consequence, we must introduce the constant, �� , as one of the initialsymbols of the language.


Considering .�"� "�� as a propositional assertion which is true if Æ�"� +�� "� , for someelement, +�, of an infinite word, the ‘��’ component is given by

��'� ��

��

��' � �� ' � �� .�"� "�� (3.4)

The latter requires that a proposition ' is true at the state "� and at the next moment in time,"� , when the automaton is moving from a state "� to a state "� , according to the transitionfunction Æ.

The ‘!-- ��'�’ component represents the Buchi acceptance condition:

!-- ��'� � ��

��

�' � �� (3.5)

Thus, (3.5) requires that ' is true infinitely often in one of the accepting states.Now, having defined (3.2), the last component, !��'�, needed for representation of

Buchi automaton, is composed as

!��'� � �� !--��'�� (3.6)

Finally, the desired QPLTL formula /�, a characteristic formula for a Buchi automaton,�, is given as

/� � ��'�*�� !��'�� (3.7)

where � is a marker which indicates the current state of the automaton and ' is a propositionwhich encodes its accepting run.

Given a successful run, % , of a Buchi automaton, � � � * � Æ ��, over an in-finite word � � ++�+ � � �, we can build a linear-time model � � � ��, such that �� + �� +� � � � �� +� � � �.

Now, as follows from [14], we can define a new model, �, which is the same as except for the interpretation of the new propositions � � � � �� and ' which were used inthe construction of the characteristic formula /�, following the construction of (3.7), suchthat � �� /�. (This is a reformulation of Claim 15 in [14], which states that every Buchiautomaton, �, is congruent to its characteristic formula /�. The relevant terminology andcorresponding definitions can be found in [14].)

As we mentioned, the above construction was essential to the authors of [14] in provingthe completeness of the axiom system for QPLTL. We will utilize similar ideas in our repre-sentation of Buchi automata in terms of SNF��, which is described in the next section.

4 Buchi automata and SNF��In this section we will present the main result of the paper — translation of Buchi automatainto SNF�� (Section 4.1) and from SNF�� into Buchi automata (Section 4.2). We es-tablish the correctness of these translations in Section 4.3.

4.1 Translation of Buchi automata intoSNF��Here, given a Buchi automaton �, we construct its characteristic formula, *$��, as a setof SNF�� clauses. The main stages of the construction of *$��, encoding of the set of


initial states, representing the run of the automaton and the acceptance condition are similarto those in [14]. However, due to the specifics of the SNF�� notation, where we use onlyfuture-time temporal operators, we do not invoke the backward recursion.Let � � � * � Æ ��, be a Buchi automaton such that

� � � �� is an alphabet;

� * � " � � � "� is a finite set of states;– "� � � � "� �� ! � , � )� are the initial states, members of �,– "� � � � "� �� )� are the accepting states, members of �.

Also, we assume that the states of a Buchi automaton are labelled as follows. For everyproposition � � ��, given Æ�"� +� � "� , if � � + then � � 0�"�� else if � � + then�� 0�"��. In our translation we will explicitly encode this labelling. Now, in order todescribe the construction of the characteristic clause set *$�� (expression (4.5) below) weintroduce formulae (4.1)–(4.4), which represent the set of initial states, the transition function,the labelling and the acceptance condition of a Buchi automaton. Note that each of theseformulae is thought of as a conjunction of formulae in the scope of the outer operator. Let� � � � �� be new propositions of our SNF�� language such that �� )� encodesthe state "� of the automaton.

The set � is specified by the following SNF�� expression.

*$� �� (4.1)

Further, we introduce the following set of clauses to represent the transition function of theautomaton. Note that some of the expressions below should be further translated (by simplemanipulations) into the required form of SNF�� clauses. For every � �� )� and forany � �� ,

*$� �� Æ��

��

��

� ��

��

��

��

�

(4.2)

where Æ�� encodes the disjunction of states which the automaton may move to when it visits"� according to the transition function Æ, or Æ�� is �� if "� does not have successor states.Formulae 2 and 3 above encode the fact that for any �, if �� is true at some state "� then everyproposition �� , different from ��, is false there, i.e. the automaton can be at only one state atany particular time.

Next, we represent the labelling of the states of the automaton by the following set ofclauses, constructed for every �� and every �� 0�"��.

*$� ��

� ��

��

��

��

��

��

(4.3)


The Buchi acceptance condition is given by the following set of SNF�� clauses.

*$� ��

�

� �� '

�� ' � ��

� � � ��

��

��

(4.4)

where �� encode the accepting states of the automaton and ' � and � are new proposi-tions.

Finally, let *$� ��

*$� ��

*$� ��

and *$� ��

�

be obtained from*$� �� *$� �� *$� �� and *$� ��

�, respectively, by translating their com-

ponents into the required form of SNF�� clauses and dropping the outer operators.Now, a Buchi automaton� is characterized by the following SNF�� expression known

as a characteristic clause setand abbreviated by *$��:

*$�� *$� ��

� *$� ��

� *$� ��

� *$� ��

�

�� (4.5)

4.2 Translation ofSNF�� into Buchi automata

In this section we will present the reverse translation of SNF�� into Buchi automata. Thus,we will show that given a set, #, of SNF�� clauses, we can construct a Buchi automaton� �#� such that # is satisfiable, if and only if, � �#� has an accepting run.

Assume that we are given a satisfiable set, #, of SNF�� clauses. Following [10], we use# to construct a behaviour graph, � � $ ��, where $ is a (finite) set of states and� is a setof transitions, i.e.a structure from which models that satisfy # can be extracted. (Constructionof behaviour graphs has been used in [10] as a part of the completeness proof for the temporalresolution method for PLTL.) Members of $ are pairs �� , where � is an evaluation of allthe propositions in # and � is a subset of eventualities in #. Transitions in � are constructedas follows. From a state �� we draw edges to any state �� according to the followingcriteria. Let # � be a set of step clauses from the original set clause # such that the left-handside of clauses in # � is satisfied by � . Then � � must satisfy the right-hand side of clausesin # � (having deleted the �operator). � � keeps track of unfulfilled eventualities. Thus,� � contains those eventualities from � that were not satisfied in �� , and, additionally � �

contains any new eventuality triggered by � � (i.e. those eventualities that appear on the right-hand side of any eventuality clause from # whose left-hand side is satisfied by � �). Havingconstructed a finite graph as above we delete those paths which cannot give us models for theset of clauses. Thus, we first delete every state without successors. Also if a state �� satisfiesthe eventuality�� but there is no path from this state to a state which satisfies � itself then wedelete �� and all its successors. According to [10], a reduced behaviour graph �� $ � ��(i.e. the one obtained after deletions of states in the behaviour graph �) is not empty if, andonly if, the given set of SNF�� clauses, #, is satisfiable. Therefore, from this reducedbehaviour graph �� constructed for the set of clauses # we can obtain a model [10].

Now, based on the properties of the reduced behaviour graph �� $ � ��, we can definea Buchi automaton� � � * � Æ �� as follows.

� � � �� , where �� is a set of propositions of the clause set #;


� * is a finite set, $ �, of states of ��;

� � is a set of those states that satisfy all the initial clauses occurring within the clause set#;

� � � * � $ � is a set of all states in the reduced behaviour graph;

� Æ is a transition function such that for any "� "� � $ �, �"��. �� "�� Æ if "� "��

and . is the valuation in "� .

Given that a set of SNF�� clauses, #, has � propositions and � eventualities, the worstcase size of the automaton� �#� obtained from the reduced behaviour graph for# is ��

states [10].

4.3 Correctness of the translationTHEOREM 4.1Given a Buchi word automaton � , we can construct a characteristic clause set, *$��,such that � has an accepting run, %� (over an infinite word �), if and only if, *$�� issatisfiable.

PROOF. Recall that, given an automaton, � � � * � Æ ��, where * � " "�

" � � � "�, and its run, %� over an infinite word � � ++�+ � � �, each state, "� � %�, islabelled by 0�� , a member of �. Now, let %� be an infinite sequence of states "� "

�� "

� � � �

such that "� "� "� � * �� ! 1 - � )� and the upper index, �, of the state "�� (where� � ! 1 - � � � and � � �) indicates that "� is the �th state visited by the automaton on run %�.Let be a function such that for every such �, �� "� if, and only if, "� is the �th statevisited by the automaton on run %. Thus, we can unwind the run %� of the automaton intoan infinite sequence of states � � � �� and build an intermediate model structure � � � ��, such that �� is identified with the label of the �th state of the run%�. Therefore, for every �� 0�"��, �� .

Now we first show that if %� is an accepting run of the automaton� over an infinite word� � ++�+ � � �, we can construct a model � which satisfies a characteristic formula (4.5)built in accordance with our translation. Then we will show that, if the automaton� has noaccepting run, we cannot construct a model which satisfies a characteristic formula (4.5).

Let a model � � � � � � �� be the same as except for the interpretation of the newpropositions � � � � �� ' � and � which satisfy the following conditions:

(i) for every proposition �� )� and every state �� , � �� "� ;

(ii) � �� ' and for every �� , � �� ';

(iii) � is satisfied exactly at those states that satisfy some �� (for � � � � )) and false else-where;

(iv) � is satisfied by every state �� ,� such that �� satisfies �.

Thus, by the construction of �, (4.1) is satisfied in it. Also, from (i), for any �� ,and any � �� )�, if � �� then � �� 0�"��. Hence, (4.3) is satisfied in��.

Further, from the definition of the run and from (i), for any ��, if the left-hand side ofthe condition 1 of (4.2) is satisfied at some state �� , then, by construction of �,


� �� Æ�� . Also, by definition of �, conditions 2 and 3 are satisfied, therefore,(4.2) is satisfied in �.Finally, consider the *$� ��

�component of (4.5). Since % is the accepting run, it hits at

least one of the accepting states, say "� �"� � "� � � � "��, infinitely often. The condition 1of (4.4) is satisfied by (ii). Also, since "� is visited by the automaton (at least once), then,by (ii) and (iii), the condition 2 of (4.4) is satisfied. Further, if "� is also one of the initialstates of the automaton then �� must be true at �. Alternatively, if "� � � then, by (iii), �does not satisfy �, i.e. � �� , hence, condition 5 is satisfied. Further, for every state�� , either � �� or � �� in which case, by (iii), �� , hence�� . Therefore, condition 6 of (4.4) is satisfied in �. Finally, since "� is visited bythe automaton infinitely often, due to (iii) and (iv), conditions 3 and 4 of (4.4) are satisfied.Therefore, all conditions required by (4.4) have been shown satisfiable in �. Hence, �

satisfies formulae (4.1)–(4.4), and, by the semantics of the operator, it satisfies (4.5) asrequired.

Now, assuming that a Buchi word automaton� � � * � Æ ��, has no acceptingrun, we will show that we cannot construct a model which satisfies the characteristic clauseset, *$��, built as (4.5). Since � does not have an accepting run, the Buchi acceptancecondition is violated, i.e. for any run %� of � , there is no state "� � � which occurs in%� infinitely often. According to the construction of the intermediate model structure �� , �� is identified with the label of the �th state of the run %� and for every�� 0�"��, �� . Now we will show that any model � � � � � � �� whichagrees with everywhere except for the interpretation of the new propositions appearedin the characteristic formula (4.5), does not satisfy the latter. Indeed, since �� arelabels of the accepting states, and none of the accepting states is visited infinitely often, forevery �� , for any � we must have � �� , and hence,� �� . Thus, � must have a state, say �� such thatfor any ��

�� .At the same time to satisfy clauses 1-4 of the *$� ��

�component (formula (4.4)) of the

characteristic formula (4.5), we must have � �� . The latter, together with thesatisfiability conditions for clause 6 of the (4.4), would require �� to be satisfied in� infinitely often, and therefore, at some state �� - contradiction.

Now we will establish the correctness of the reverse translation from SNF�� to Buchiautomata. Let # be a set of SNF�� clauses and � � � * � Æ �� be a Buchiautomaton constructed for # as described in Section 4.2.

THEOREM 4.2Given a set, #, of SNF�� clauses, we can construct a Buchi word automaton� �#� suchthat # is satisfiable, if and only if, � �#� has an accepting run, %�.

PROOF. Recall that our construction of the automaton � for a set of SNF�� clauses# described in Section 4.2 is based upon the properties of the behaviour graph � � $ ��obtained for #. As follows from [10], having created such a graph and carrying out deletions,we obtain the reduced behaviour graph, �� $ � ��, such that a model can be constructedfrom �� if, and only if, the set # of SNF�� clauses is satisfiable.

Now let # be a satisfiable set of SNF�� clauses. Every (infinite) path through the re-duced behaviour graph would give us a model which satisfies the set #. By construction of


the automaton � , since we have defined the set, �, of accepting states as � � $ �, weare, therefore, assured that there is a run %� of the automaton� which hits (at least) one ofthe accepting states, members of �, infinitely often. Thus, the run %� is an accepting run ofthe automaton� .

Finally, if # is an unsatisfiable set of SNF�� clauses then, according to [10], the reducedbehaviour graph �� constructed for # is empty, and therefore, the automaton � whoseconstruction is based upon the properties of ��, as described in Section 4.2, cannot have anaccepting run.

4.4 Expressing ‘even(p)’ inSNF��As mentioned in the introduction, a famous example which shows that Buchi automata arestrictly more expressive than PLTL [22], is the property ‘p occurs at every even moment oftime’ (of some computation). Specifications of this property can be found, in particular, interms of Buchi automata [22], QPLTL [16, 13]. In Figure 7 we give a Buchi automaton whichexpresses this property, then construct a characteristic clause set as described in the previoussection. Further, we give a simpler, direct, specification of ‘even(p)’ directly in terms ofSNF�� and show that the latter is satisfiable if, and only if, the characteristic clause set isalso satisfiable.

��

��

FIGURE 7. Buchi automaton for ‘even(p)’

The state structure of this Buchi automaton, ��, is very simple, it consists of only twostates " and "�, such that " is at the same time the initial and the accepting state. A runwhich this automaton accepts is an infinite sequence of states, where every even state satis-fies �.

To construct a characteristic clause set, we first introduce a set of new propositions � ��which encode the states " and "�, respectively. Now, the (singleton) set of accepting statesof�� is specified by the following formula:

*$� �� (4.6)

Next, the transition function of the automaton�� is given by the following set of SNF��


clauses:

*$� ��

� � � ��

(4.7)

The labelling of the states of the automaton is represented by the following set of clauses:

*$� ��

� ��

(4.8)

Next, to express the Buchi acceptance condition for �� we introduce new propositions' � and � and proceed as follows:

*$� ��

�

� �� '

�� ' � ��

� � � ��

��

��

(4.9)

Now, a Buchi automaton �� is characterized by the set of clauses (4.6)–(4.9). Note,however, that this merging makes some of the clauses redundant as they do not affect thesatisfiability of the whole set, while other clauses can be simplified. For example, clause 5 of(4.9) is subsumed by clause (4.6) and thus, can be omitted. Also, clause 3 of (4.7) and clause1 of (4.8) can be satisfied together with clause (4.6) only if �� and ��

are valid. Thus, we present the simplified characteristic set of clauses for �� in Figure 8such that we first give initial clauses, then step clauses and, finally, any sometime clauses.

Now we show how the property ‘even(p)’ can be directly represented as a much simplerset of SNF�� clauses, avoiding the construction of the automaton.

��

� ��

(4.10)

First, note that it is easy to establish that the set of clauses (4.10) indeed defines the desiredproperty. Also, we can see that the set (4.10) is simply a subset of the set of clauses givenin Figure 8. On the other hand, given a model for (4.10), it is straightforward that we canaugment it by the new propositions ' � and � such that the set of clauses in Figure 8 becomessatisfiable. Therefore, the characteristic clause set for �� is satisfiable if, and only if, theset of clauses (4.10) is satisfiable.


� ��

�� '

��

�� ' � ��

��

FIGURE 8. Characteristic set for the automaton ‘even(p)’

5 Discussion

We have shown that normal form used for clausal resolution method for PLTL is expressiveenough to give the succinct high-level syntactic representation of one of the types of �-automata, Buchi automata.

Thus, we can redraw Figure 1 producing a new diagram given in Figure 9. Here, werepresent the expressiveness results established in this paper by showing the possibility of thetranslation of an automaton (A) into the normal form (N) and vice versa.

Verification

Specification

Automaton Normal Form(A)

(S)

(V)

(N)

FIGURE 9. Specification-verification problem reviewed

Although the main stages of our translation of a Buchi automaton into normal form are similarto the encoding of the latter in terms of QPLTL [14], we believe that our representation ofBuchi automata in terms of SNF�� is more practical. To the best of our knowledge, theonly known deductive system for the logic QPLTL is the axiom systemdeveloped in [14],


while a well-developed clausal resolution technique can be applied to a set of SNF��clauses [10].

However, we consider the contribution of this work not only in that it answers a particularquestion on the expressiveness of the temporal logic normal form, but represents a step to-wards solving the general problem structure described in the introduction. As mentioned inthe introduction, in using an automata-based approach to analyse a system specification, themost expensive step is the translation of the latter into the corresponding automaton. Basedon the expressiveness equivalence of automata and normal form, we can directly translatea problem specification into the normal form and apply the temporal resolution techniqueas a verification method. We believe that application of SNF�� is useful when a systemspecification given in a high-level language, such as temporal logic, is required to representcomplex temporal properties. In this case, generating an automaton can be especially costly,while the translation into normal form will involve only a linear blow-up mostly due to theintroduction of new propositions [10]. Therefore, we consider a detailed analysis of the casesthat are ‘easy’ for automata/normal form representation as an important direction of futurework.

Also, in the future we will investigate the representation of other types of �-automataacceptance conditions in SNF��, which will enable us to give an SNF�� specificationfor Rabin and Streett automata. Noting also the similarity between SNF�� clauses andalternating automata, we believe that SNF�� can be used as a syntactic representation ofthe latter. This, in turn, will enable us to apply temporal resolution as a non-emptiness checkfor alternating automata.

Finally, taking into account the equivalence between Buchi automata and linear-time fix-point calculus [16, 2], the result established in this work enables us to investigate an interest-ing problem of the translation from linear-time fixpoint calculus into SNF��, and thus, topotentially apply the clausal resolution method to temporal fixpoint logic.

Acknowledgements

The authors would like to thank Damian Niwinsky, Igor Walukiewicz and Giacomo Lenzi foruseful discussions, and anonymous referees for useful comments and suggestions.

This work was partially supported by funding from EPSRC, under research grantGR/L87491.

References[1] O. Bernholtz, M. Y. Vardi, and P. Wolper. An automata-theoretic approach to branching-time model checking.

In Computer Aided Verification, Proceedings of the 6th International Workshop, volume 818 of Lecture Notesin Computer Science, pp. 142–155. Springer-Verlag, Stanford, CA, 1994.

[2] J. Bradffield and C. Stirling. Modal logics and mu-calculi. In Handbook of Process Algebra, J. Bergstra,A. Ponse, and S. Smolka, eds, pp. 293–330. Elsevier, North-Holland, 2001.

[3] J. R. Buchi. On a decision method in restricted second-order arithmetics. In Proceedings of InternationalCongress of Logic, Methodology and Philosophy of Science, pp. 1–12. Stanford University Press, 1962.

[4] C. Dixon, M. Fisher, and M. Reynolds. Execution and proof in Horn-clause temporal logic.In Advances in Temporal Logic, Volume 16 of Applied Logic Series, H. Barringer, M. Fisher, D. Gabbay, andG. Gough, eds, pp. 413–433. Kluwer, 2000. Proceedings of the Second International Conference on TemporalLogic (ICTL).

[5] E. A. Emerson. Temporal and modal logic. In Handbook of Theoretical Computer Science: Volume B, FormalModels and Semantics, J. van Leeuwen, ed., pp. 996–1072. Elsevier, 1990.


[6] E. A. Emerson. Automated reasoning about reactive systems. In Logics for Concurrency: Structures VersusAutomata, Proceedings of International Workshop, volume 1043 of Lecture Notes in Computer Science, pp.41–101. Springer-Verlag, 1996.

[7] M. Fisher. A resolution method for temporal logic. In Proceedings of the XII International Joint Conferenceon Artificial Intelligence (IJCAI), pp. 99–104, 1991.

[8] M. Fisher. A normal form for temporal logic and its application in theorem-proving and execution. Journal ofLogic and Computation, 7, 429–456, 1997.

[9] M. Fisher and C. Dixon. Guiding clausal temporal resolution. In Advances in Temporal Logic, Volume 16 ofApplied Logic Series, H. Barringer, M. Fisher, D. Gabbay, and G. Gough, eds, pp. 167–184. Kluwer, 2000.Proceedings the Second International Conference on Temporal Logic (ICTL).

[10] M. Fisher, C. Dixon, and M. Peim. Clausal temporal resolution. ACM Transactions on Computational Logic(TOCL), 1, 12–56, 2001.

[11] D. Gabbay, A. Phueli, S. Shelah, and J. Stavi. On the temporal analysis of fairness. In Proceedings of 7th ACMSymposium on Principles of Programming Languages, pp. 163–173. Las Vegas, Nevada, 1980.

[12] J. Y. Halpern and M. Y. Vardi. Model checking vs. theorem proving - a manifesto. In Artificial Intelligence andMathematical Theory of Computation, V. Lifschitz, ed., pp. 151–176. Academic Press, 1991.

[13] R. Kaivola. Using Automata to Characterise Fixed Point Temporal Logics. PhD thesis, University of Edinburgh,1997.

[14] Y. Kesten and A. Pnueli. A complete deductive system for QPTL. In Proceedings of the 10th Annual IEEESymposium of Logic in Computer Science, pp. 2–12, 1995.

[15] O. Kupferman and M. Y. Vardi. Model checking of safety properties. In Computer Aided Verification (CAV’ 99),Proceedings of Interntational Conference, volume 1633 of Lecture Notes in Computer Science, pp. 172–183.Springer-Verlag, 1999.

[16] O. Lichtenstein. Decidability, Completeness, and Extensions of Linear-Time Temporal Logic.PhD thesis, TheWeizmann Institute, Rehovot, Israel, 1991.

[17] D. A. Plaisted and S. A. Greenbaum. A structure-preserving clause form translation. Journal of SymbolicComputation, 2, 293–304, 1986.

[18] A. Sistla. Theoretical Issues in the Design and Verification of Distributed Systems.PhD thesis, HarvardUniversity, 1983.

[19] A. Sistla, M. Y. Vardi, and P. Wolper. The complementation problem for Buchi automata with application totemporal logic. Theoretical Computer Science, 49, 217–237, 1987.

[20] W. Thomas. Languages, automata, and logic. In Handbook of Formal Language Theory, G. Rozenberg andA. Salomaa, eds, pp. 389–455. Springer-Verlag, 1997.

[21] M. Y. Vardi. An automata-theoretic approach to linear temporal logic. In Logics for Concurrency: StructuresVersus Automata, Proceedings of International Workshop, volume 1043 of Lecture Notes in Computer Science,pp. 238–266. Springer-Verlag, 1996.

[22] P. Wolper. Temporal logic can be more expressive. Information and Control, 56, 72–99, 1983.

Received 9 January 2001

on the relationship between -automata and temporal logic ...uros.m/logcom/hdb/volume_12/... ·...

Documents