on the expressiveness of tptl and mtl - lsv · on the expressiveness of tptl and mtl patricia...

On the Expressiveness of TPTL and MTL

Patricia Bouyer, Fabrice Chevalier, and Nicolas Markey

Lab. Specification et Verification,ENS Cachan & CNRS, France

February 16, 2006

Model checking

Does a system satisfy some property?

Modelling

E.g. with temporal logics [Pnu77]:

Always(problem ⇒ Eventually alarm)

Specification

Linear-time Temporal Logic: LTL

LTL allows to express properties over one single path:

running ∧ X problem

problem U alarm

F problem (≡ true U problem)

G running (≡ ¬ F ¬ running)




problem U alarm

LTL




problem U alarm

LTL

Past-time modalities have symmetric meanings:

G (reboot ⇒ X−1 alarm)

G (alarm ⇒ (alarm S problem))




problem U alarm

LTL




LTL+Past




problem U alarm

LTL




LTL+Past

Theorem ([Kam68, GPSS80])

LTL and LTL+Past are equally expressive.

Adding real-time constraints

Timed automata: Finite automata + real-valuedclocks [AD90]

Timed LTL: 2 standard extensions:

MTL [Koy90]: adding subscripts to modalities:

G (problem ⇒ problem U≤5 alarm)

TPTL [AH89]: adding clocks in formulas:

G (problem ⇒ x .[problem U (alarm ∧ x ≤ 5)])

G (problem ⇒ x .F [alarm ∧ F (reboot ∧ x ≤ 5)])

Conjecture ([AH90])

TPTL is strictly more expressive than MTL.

Outline of the talk

1 Introduction

2 DefinitionsTwo frameworks: pointwise and continuousSemantics of TPTL and MTL

3 Expressiveness of TPTL and MTL

Alur and Henzinger’s conjectureThe formula can be expressed......but the conjecture holds!

4 What if we only allow the F modality?TPTLF and MTLF are equally expressiveAn interesting corollary

Two possible semantics for a timed path

pointwise semantics: discrete view of a continuous system:

timed word: ((wi )i∈N, (ti)i∈N)

word in (2AP)N sequence of dates in (Q+)N

interval-based: continuous view of the system:

timed state sequence: ((wi )i∈N, (Ii)i∈N)




ε, 0 problem, 1.7 alarm, 3.9 reboot, 5.7









word in (2AP)N sequence of intervals of R+







running running

problem

running

problem

alarm

reboot

0 1.1 2.7 4.4

TPTL and MTL in the pointwise semantics

Syntax of MTL:

MTL ∋ φ ::= p | ¬φ | φ ∨ φ | φ UI φ

where p ranges over AP and I is an interval with boundsin Q+ ∪ {+∞}.

Pointwise semantics of MTL: over π = ((wi )i , (ti)i ):

π, i |= φ UI ψ iff there exists some j > 0 s.t.

– π, i + j |= ψ,

– π, i + k |= φ for all 0 < k < j ,

– ti+j − ti ∈ I .

Examples:


Syntax of TPTL:

TPTL ∋ φ ::= p | ¬φ | φ ∨ φ | φ U φ | x ∼ c | x . φ

where p ranges over AP, x ranges over a set of formulaclocks, c ∈ Q+ and ∼ ∈ {<,≤,=,≥, >}.

Pointwise semantics of TPTL: over π = ((wi)i , (ti)i ):π, i , τ |= x ∼ c iff τ (x) ∼ c

π, i , τ |= x . φ iff π, i , τ [x←0] |= φ

π, i , τ |= φ U ψ iff there exists some j > 0 s.t.– π, i + j , τ + ti+j − ti |= ψ,

– π, i + k , τ + ti+k − ti |= φ for all 0 < k < j .

Examples:


Syntax of TPTL:




π, i , τ |= x . φ iff π, i , τ [x←0] |= φ



Examples:

x . (problem U (alarm ∧ x ≤ 5))problem

4.5

alarm

8.5

reboot

11.5


Syntax of TPTL:




π, i , τ |= x . φ iff π, i , τ [x←0] |= φ



Examples:

x . (problem U (alarm ∧ x ≤ 5))problem

4.5

alarm

8.5

reboot

11.5✔


Syntax of TPTL:




π, i , τ |= x . φ iff π, i , τ [x←0] |= φ



Examples:

x . (problem U (alarm ∧ x ≤ 5))

≡ problem U≤5 alarmproblem

4.5

alarm

8.5

reboot

11.5✔


Syntax of TPTL:




π, i , τ |= x . φ iff π, i , τ [x←0] |= φ



Examples:

x . F (alarm ∧ F (reboot ∧ x ≤ 8))problem

4.5

alarm

8.5

reboot

11.5


Syntax of TPTL:




π, i , τ |= x . φ iff π, i , τ [x←0] |= φ



Examples:

x . F (alarm ∧ F (reboot ∧ x ≤ 8))problem

4.5

alarm

8.5

reboot

11.5✔


Syntax of TPTL:



π, t, τ |= x ∼ c iff τ (x) ∼ c

π, t, τ |= x . φ iff π, t, τ [x←0] |= φ


– π, t + u, τ + u − t |= ψ,


Examples:

x . G (x ≤ 5 ⇒ ¬ problem)running

3.7

problem

11.5


Syntax of TPTL:



π, t, τ |= x ∼ c iff τ (x) ∼ c

π, t, τ |= x . φ iff π, t, τ [x←0] |= φ


– π, t + u, τ + u − t |= ψ,


Examples:

x . G (x ≤ 5 ⇒ ¬ problem)running

3.7

problem

11.5

✔

Outline of the talk

1 Introduction





Alur and Henzinger’s conjecture

Clearly, MTL can be translated into TPTL:

φ UI ψ ≡ x . φ U (ψ ∧ x ∈ I ).

Conjecture ([AH90])

TPTL is strictly more expressive than MTL,

the TPTL formula

G (a ⇒ x . F (b ∧ F (c ∧ x ≤ 2))

cannot be expressed in MTL.

The formula can be expressed...

It turns out that the formula can be expressed in MTL:

G (a ⇒ x . F (b ∧ F (c ∧ x ≤ 2))

a

0 1 2

G a ⇒

F≤1 b ∧ F[1,2] c

∨

F≤1 (b ∧ F≤1 c)∨

F≤1 (F≤1 b ∧ F=1 c)



G (a ⇒ x . F (b ∧ F (c ∧ x ≤ 2))

a b c

0 1 2

G a ⇒

F≤1 b ∧ F[1,2] c

∨

F≤1 (b ∧ F≤1 c)∨

F≤1 (F≤1 b ∧ F=1 c)



G (a ⇒ x . F (b ∧ F (c ∧ x ≤ 2))

a b c

F=1 c

0 1 2

G a ⇒

F≤1 b ∧ F[1,2] c

∨

F≤1 (b ∧ F≤1 c)∨

F≤1 (F≤1 b ∧ F=1 c)


x . F (b ∧ F (c ∧ x ≤ 2)) ≡

F≤1 b ∧ F=1 F≤1 c

∨

F≤1 (b ∧ F≤1 c)∨

F≤1 (F≤1 b ∧ F=1 c)

Several remarks:

of course, it does not mean that TPTL ≡ MTL.

the formulas are equivalent only for the continuous semantics.

... but the result still holds!

We prove the following results:

Theorem

TPTL is strictly more expressive than MTL for both

semantics,

the TPTL formula

G (a ⇒ x . F (b ∧ F (c ∧ x ≤ 2))

cannot be expressed in MTL under the pointwise semantics,

the TPTL formula

x . F (a ∧ x ≤ 1 ∧ (¬ b) U (a ∧ x ≥ 1))

cannot be expressed in MTL under both semantics.

How to prove expressiveness results?

How to prove that a TPTL formula φ can’t be expressed in MTL?

Find two models A and B such that

A |= φ and B 6|= φ,

any MTL formula is either true on both or false on both

Problem: if A and B differ at some point t, the modality F=t

permits to distinguish them... (distinguishing power)

Find two families of models (Ai )i and (Bi )i s.t.

Ai |= φ and Bi 6|= φ, for any i ,

for any MTL formula ψ, there exists an index i s.t. ψ is eithertrue on both Ai and Bi , or false on both Ai and Bi .

Alur and Henzinger’s formula in the pointwise semantics

Let φ = x . F (b ∧ F (c ∧ x ≤ 2)

Let ψ be an MTL formula.

n = temporal height of ψ = maximum number of nestedmodalities in ψ,p = granularity of ψ = inverse of the least commondenominator of the constants appearing in ψ.

→ we assume that the constants of ψ are multiples of p.

We build the following two families of models:

c c c c c c c cb b b b b

22−p

c c c c c c c cb b b b

22−p

p/n p/4n

An,p

Bn,p


Let φ = x . F (b ∧ F (c ∧ x ≤ 2)



22−p


22−p

p/n p/4n

An,p

Bn,p

Lemma

An,p, 0 |= φ and Bn,p, 0 6|= φ

For any formula ψ of MTL with temporal height n andgranularity p,

An+3,p, 0 |= ψ ⇔ Bn+3,p, 0 |= ψ


Let φ =(

((

((

((

((

((

(

x . F (b ∧ F (c ∧ x ≤ 2) F≤2 (c ∧ F−1 b)



22−p


22−p

p/n p/4n

An,p

Bn,p

Lemma

An,p, 0 |= φ and Bn,p, 0 6|= φ


An+3,p, 0 |= ψ ⇔ Bn+3,p, 0 |= ψ

Results for the pointwise semantics

Theorem

Under the pointwise semantics:


MTL+Past is strictly more expressive than MTL,

MITL+Past is strictly more expressive than MITL.

Nota: MITL is the fragment of MTL where punctuality is notallowed, i.e., where timing constraints cannot be singular.

A new formula for the continuous semantics

Let φ = x . F (a ∧ x ≤ 1 ∧ G (x ≤ 1 ⇒ ¬ b))


b b b

p/2 1−p/2 1

b b b

p/2n p/12n

A′n,p

B ′n,p

︸︷︷︸

n times a


Let φ = x . F (a ∧ x ≤ 1 ∧ G (x ≤ 1 ⇒ ¬ b))


b b b

p/2 1−p/2 1

b b b

p/2n p/12n

A′n,p

B ′n,p

︸︷︷︸

n times a

1

b

b


Let φ = x . F (a ∧ x ≤ 1 ∧ G (x ≤ 1 ⇒ ¬ b))


b b b

p/2 1−p/2 1

b b b

p/2n p/12n

A′n,p

B ′n,p

︸︷︷︸

n times a

1

b

b

Lemma

A′n,p, 0 |= φ and B ′

n,p, 0 6|= φ


A′n+3,p, 0 |= ψ ⇔ B ′

n+3,p, 0 |= ψ

Our results

Theorem

Under both semantics:


MTL+Past is strictly more expressive than MTL,

MITL+Past is strictly more expressive than MITL.

Outline of the talk

1 Introduction





Existential fragment of TPTL

TPTLF ∋ φ ::= p | ¬ p | x ∼ c | φ ∨ φ | φ ∧ φ | F φ | x . φ

For instance:

x .F ( a ∧ x ≥ 1 ∧ F ( b ∧ x ≤ 3 ) ∧ y .F ( ¬a ∧ x ≤ 3 ∧ y > 1 ) )



For instance:

x .F ( a ∧ x ≥ 1 ∧ F ( b ∧ x ≤ 3 ) ∧ y .F ( ¬a ∧ x ≤ 3 ∧ y > 1 ) )

z0

z0 = 0



For instance:

x .F ( a ∧ x ≥ 1 ∧ F ( b ∧ x ≤ 3 ) ∧ y .F ( ¬a ∧ x ≤ 3 ∧ y > 1 ) )

z1

z0 = 0

z1 − z0 > 0z1 − z0 ≥ 1π, z1 |= a



For instance:

x .F ( a ∧ x ≥ 1 ∧ F ( b ∧ x ≤ 3 ) ∧ y .F ( ¬a ∧ x ≤ 3 ∧ y > 1 ) )

z2

z0 = 0

z1 − z0 > 0z1 − z0 ≥ 1π, z1 |= a

z2 − z1 > 0z2 − z0 ≤ 3π, z2 |= b



For instance:

x .F ( a ∧ x ≥ 1 ∧ F ( b ∧ x ≤ 3 ) ∧ y .F ( ¬a ∧ x ≤ 3 ∧ y > 1 ) )

z3

z0 = 0

z1 − z0 > 0z1 − z0 ≥ 1π, z1 |= a

z2 − z1 > 0z2 − z0 ≤ 3π, z2 |= b

z3 − z1 > 0z3 − z0 ≤ 3z3 − z1 > 1π, z3 |= ¬a



For instance:

x .F ( a ∧ x ≥ 1 ∧ F ( b ∧ x ≤ 3 ) ∧ y .F ( ¬a ∧ x ≤ 3 ∧ y > 1 ) )

π, z1 |= a

π, z2 |= b

π, z3 |= ¬aDBM:

z0 z1 z2 z3

z0 = 0 ≤ 3 ≤ 3z1 ≤ −1 = 0z2 < 0 = 0

z3 < −1 = 0



For instance:

x .F ( a ∧ x ≥ 1 ∧ F ( b ∧ x ≤ 3 ) ∧ y .F ( ¬a ∧ x ≤ 3 ∧ y > 1 ) )

π, z1 |= a

π, z2 |= b

π, z3 |= ¬aDBM:

z0 z1 z2 z3

z0 = 0 < 3 ≤ 3 ≤ 3z1 ≤ −1 = 0 ≤ 2 ≤ 2z2 < −1 < 0 = 0 < 2

z3 < −2 < −1 < 1 = 0



For instance:

x .F ( a ∧ x ≥ 1 ∧ F ( b ∧ x ≤ 3 ) ∧ y .F ( ¬a ∧ x ≤ 3 ∧ y > 1 ) )

π, z1 |= a

π, z2 |= b

π, z3 |= ¬aDBM:

z0 z1 z2 z3

z0 = 0 < 3 ≤ 3 ≤ 3z1 ≤ −1 = 0 ≤ 2 ≤ 2z2 < −1 < 0 = 0 < 2

z3 < −2 < −1 < 1 = 0

z3 ≤ z2 or z2 ≤ z3?



For instance:

x .F ( a ∧ x ≥ 1 ∧ F ( b ∧ x ≤ 3 ) ∧ y .F ( ¬a ∧ x ≤ 3 ∧ y > 1 ) )

π, z1 |= a

π, z2 |= b

π, z3 |= ¬aDBM:

z0 z1 z2 z3

z0 = 0 < 3 ≤ 3 ≤ 3z1 ≤ −1 = 0 ≤ 2 ≤ 2z2 < −1 < 0 = 0 ≤ 0

z3 < −2 < −1 < 1 = 0

z3 ≤ z2 or z2 ≤ z3?



For instance:

x .F ( a ∧ x ≥ 1 ∧ F ( b ∧ x ≤ 3 ) ∧ y .F ( ¬a ∧ x ≤ 3 ∧ y > 1 ) )

π, z1 |= a

π, z2 |= b

π, z3 |= ¬aDBM:

z0 z1 z2 z3

z0 = 0 < 3 ≤ 3 ≤ 3z1 ≤ −1 = 0 ≤ 2 ≤ 2z2 < −1 < 0 = 0 < 2

z3 < −2 < −1 ≤ 0 = 0

z3 ≤ z2 or z2 ≤ z3?


π, z1 |= a

π, z2 |= b

π, z3 |= ¬a

z0 z1 z2 z3

z0 = 0 < 3 ≤ 3 ≤ 3z1 ≤ −1 = 0 ≤ 2 ≤ 2z2 < −1 < 0 = 0 < 2z3 < −2 < −1 ≤ 0 = 0


π, z1 |= a

π, z2 |= b

π, z3 |= ¬a

z0 z1 z2 z3

z0 = 0 < 3 ≤ 3 ≤ 3z1 ≤ −1 = 0 ≤ 2 ≤ 2z2 < −1 < 0 = 0 < 2z3 < −2 < −1 ≤ 0 = 0

Region decomposition


π, z1 |= a

π, z2 |= b

π, z3 |= ¬a

z0 z1 z2 z3

z0 = 0 < 3 ≤ 3 ≤ 3z1 ≤ −1 = 0 ≤ 2 ≤ 2z2 < −1 < 0 = 0 < 2z3 < −2 < −1 ≤ 0 = 0

Region decomposition

π, z1 |= a

π, z2 |= b

π, z3 |= ¬a

z0 z1 z2 z3

z0 = 0 < 2 < 3 < 3z1 < −1 = 0 = 1 < 2z2 < −2 = −1 = 0 < 1z3 < −2 < −1 < 0 = 0


π, z1 |= a

π, z2 |= b

π, z3 |= ¬a

z0 z1 z2 z3

z0 = 0 < 2 < 3 < 3z1 < −1 = 0 = 1 < 2z2 < −2 = −1 = 0 < 1z3 < −2 < −1 < 0 = 0


π, z1 |= a

π, z2 |= b

π, z3 |= ¬a

z0 z1 z2 z3

z0 = 0 < 2 < 3 < 3z1 < −1 = 0 = 1 < 2z2 < −2 = −1 = 0 < 1z3 < −2 < −1 < 0 = 0

Time shift


π, z1 |= a

π, z2 |= b

π, z3 |= ¬a

z0 z1 z2 z3

z0 = 0 < 2 < 3 < 3z1 < −1 = 0 = 1 < 2z2 < −2 = −1 = 0 < 1z3 < −2 < −1 < 0 = 0

Time shift

π, z ′1 |= F=1 a

π, z ′2 |= F=2 b

π, z ′3 |= F=2 ¬a

z′0 z′1 z′2 z′3

z′0 = 0 < 1 < 1 < 1z′1 < 0 = 0 = 0 < 1z′2 < 0 = 0 = 0 < 1z′3 < 0 < 0 < 0 = 0


π, z1 |= a

π, z2 |= b

π, z3 |= ¬a

z0 z1 z2 z3

z0 = 0 < 2 < 3 < 3z1 < −1 = 0 = 1 < 2z2 < −2 = −1 = 0 < 1z3 < −2 < −1 < 0 = 0

Time shift

π, z ′1 |= F=1 a

π, z ′2 |= F=2 b

π, z ′3 |= F=2 ¬a

z′0 z′1 z′2 z′3

z′0 = 0 < 1 < 1 < 1z′1 < 0 = 0 = 0 < 1z′2 < 0 = 0 = 0 < 1z′3 < 0 < 0 < 0 = 0

eq. to 0 = z ′0 < z ′1 = z ′2 < z ′3 < 1


π, zi |= φi 0 < zh < zh+1 < · · · < zh+k < r (1)

We inductively (on k) build an MTL formula Ψ[h..h+k,r ] s.t.

(1) ⇔ π |= Ψ[h..h+k,r ].


π, z1 |= F=1 a ∧ F=2 b 0 < z1 < z2 < r

π, z2 |= F=2 ¬ a


π, z1 |= F=1 a ∧ F=2 b 0 < z1 < z2 < r

π, z2 |= F=2 ¬ a

– Ψ[1..1,r ] = F<r (F=1 a ∧ F=2 b).

– Ψ[2..2,r ] = F<r (F=2 ¬ a).


π, z1 |= F=1 a ∧ F=2 b 0 < z1 < z2 < r

π, z2 |= F=2 ¬ a

– Ψ[1..2,r ] is the conjunction of the following possibilities:


π, z1 |= F=1 a ∧ F=2 b 0 < z1 < z2 < r

π, z2 |= F=2 ¬ a


0 r/p r

z1 z2


π, z1 |= F=1 a ∧ F=2 b 0 < z1 < z2 < r

π, z2 |= F=2 ¬ a


0 r/p r

z1 z2

• Ψ1[1..2,r ] = F[0, r

p)

(

F= rpφ2 ∧ Ψ[1..1, r

p]

)

.

• Ψ2[1..2,r ] = F[0, r

p)

(

F= r2(F=2 ¬ a) ∧ F< r

2(F=1 a ∧ F=2 b)

)


π, z1 |= F=1 a ∧ F=2 b 0 < z1 < z2 < r

π, z2 |= F=2 ¬ a


0 r/p r

z1 z2


π, z1 |= F=1 a ∧ F=2 b 0 < z1 < z2 < r

π, z2 |= F=2 ¬ a


0 r/p r

z1 z2

• Ψ2[1..2,r ] = Ψ[1..1], r

p∧ F= r

pΨ[2..2,r− r

p]

• Ψ2[1..2,r ] = F< r

2(F=1 a ∧ F=2 b) ∧ F= r

2F< r

2(F=2 ¬ a)


π, z1 |= F=1 a ∧ F=2 b 0 < z1 < z2 < r

π, z2 |= F=2 ¬ a


0 r/p r

z1z2

• Ψ3[1..2,r ] = F< r

2(F=1 a ∧ F=2 b) ∧ F= r

2(F< r

2(F=2 ¬ a))


π, z1 |= F=1 a ∧ F=2 b 0 < z1 < z2 < r

π, z2 |= F=2 ¬ a


0 r/p r

z1 z2


π, z1 |= F=1 a ∧ F=2 b 0 < z1 < z2 < r

π, z2 |= F=2 ¬ a


0 r/p r

z1 z2

• Ψ4[1..2,r ] = F< r

p

(

φ1 ∧ F< rpφ2

)

• Ψ4[1..2,r ] = F< r

2

(

F=1 a ∧ F=2 b ∧ F< r2

(F=2 ¬ a))


π, z1 |= F=1 a ∧ F=2 b 0 < z1 < z2 < r

π, z2 |= F=2 ¬ a


0 r/p r

z1 z2

• Ψ4[1..2,r ] = F< r

p

(

φ1 ∧ F< rpφ2

)

• Ψ4[1..2,r ] = F< r

2

(

F=1 a ∧ F=2 b ∧ F< r2

(F=2 ¬ a))

Theorem

The resulting MTL formula is equivalent to the original TPTLF

one, and has size exponential.

An interesting corollary

This transformation also yields the following result:

Theorem

Under both the interval-based and the pointwise semantics,satisfiability of a TPTLF formula is decidable, and is NP-complete.

Conclusion

Many new expressiveness results:

TPTL is more expressive than MTL,(this result extends to the branching-time case)Past-time modalities do add expressive power to timed logics,The expressive power depends on the underlying semantics,

Decidability of TPTLF , and translation into MTL.

Recent result: the formula

G (a ⇒ x . F (b ∧ F (c ∧ x ≤ 2))

cannot be expressed in MITL, while it does not express a“punctual” property.

References

Rajeev Alur and Thomas A. Henzinger.

A really temporal logic.In Proceedings of the 30th Annual Symposium on Foundations of Computer Science (FOCS’89), pages164–169. IEEE Comp. Soc. Press, October 1989.

Rajeev Alur and Thomas A. Henzinger.

Real-time logics: Complexity and expressiveness.In Proceedings of the 5th Annual Symposium on Logic in Computer Science (LICS’90), pages 390–401.IEEE Comp. Soc. Press, 1990.

Dov M. Gabbay, Amir Pnueli, Saharon Shelah, and Jonathan Stavi.

On the temporal analysis of fairness.In Conference Record of the 7th ACM Symposium on Principles of Programming Languages (POPL’80),pages 163–173. ACM Press, January 1980.

Hans W. Kamp.

Tense Logic and the Theory of Linear Order.PhD thesis, UCLA, Los Angeles, California, USA, 1968.

Ron Koymans.

Specifying real-time properties with metric temporal logic.Real-Time Systems, 2(4):255–299, 1990.

Amir Pnueli.

The temporal logic of programs.In Proceedings of the 18th Annual Symposium on Foundations of Computer Science (FOCS’77), pages46–57. IEEE Comp. Soc. Press, October-November 1977.

on the expressiveness of tptl and mtl - lsv · on the expressiveness of tptl and mtl patricia...

Documents