A History of Until
Andrea Masini, Luca Viganò, Marco Volpe
Department of Computer Science, University of Verona, Italy
{andrea.masini | luca.vigano | marco.volpe}@univr.it

Abstract. Until is a notoriously difficult temporal operator as it is both existential and universal at the same time: A U B holds at the current time instant w iff either B holds at w or there exists a time instant w′ in the future at which B holds and such that A holds in all the time instants between the current one and w′. This "ambivalent" nature poses a significant challenge when attempting to give deduction rules for until. In this paper, in contrast, we make explicit this duality of until by introducing a new temporal operator ∇ that allows us to formalize the "history" of until, i.e., the "internal" universal quantification over the time instants between the current one and w′. This approach provides the basis for formalizing deduction systems for temporal logics endowed with the until operator. For concreteness, we give here a labeled natural deduction system for a linear-time logic endowed with the new history operator and show that, via a proper translation, such a system is also sound and complete with respect to the linear temporal logic LTL with until.
1 Introduction

Until is a notoriously difficult temporal operator. This is because of its "ambivalent" nature of being an operator that is both existential and universal at the same time: A U B holds at the current time instant (sometimes "world" or "state" is used in place of "time instant") w iff either B holds at w or there exists a time instant w′ in the future at which B holds and such that A holds in all the time instants between the current one and w′. The words in emphasis highlight the dual existential and universal nature of U, which poses a significant challenge when attempting to give deduction rules for until, so that deduction systems for temporal logics either deliberately exclude until from the set of operators considered or devise clever ways to formalize reasoning about until. And even if one manages to give rules, these often come at the price of additional difficulties for, or even the impossibility of, proving useful metatheoretic properties, such as normalization or the subformula property. (This is even more so in the case of Hilbert-style axiomatizations, which provide axioms for until, but are not easily usable for proof construction.) See, for instance, [1,2,7,12,13,20], where techniques for formalizing suitable inference rules include introducing additional information (such as the use of a Skolem function f(A U B) to name the time instant where B begins to hold), or exploiting the standard recursive unfolding of until

    A U B ≡ B ∨ (A ∧ X(A U B))    (1)

which says that A U B holds iff either B holds or A holds and in the successor time instant (as expressed by the next operator X) we have again A U B.

In this paper, in contrast, we make explicit the duality of until by introducing a new temporal operator ∇ that allows us to formalize the "history" of until, i.e., the fact that when we have A U B the formula A holds in all the time instants between the current one and the one where B holds. We express this "historic" universal quantification by means of ∇ with respect to the following intuitive translation:

    A U B ≡ B ∨ F(X B ∧ ∇A)    (2)

That is: A U B holds iff either B holds or there exists a time instant w′ in the future (as expressed by the sometime in the future operator F) such that
  – B holds in the successor time instant, and
  – A holds in all the time instants between the current one and w′ (included).
The latter conjunct is precisely what the history operator ∇ expresses. This is better seen when introducing labeling: since ∇ actually quantifies over the time instants in an interval (delimited by the current instant and the one where the B of the until holds), we adopt a labeling discipline that is slightly different from the more customary one of labeled deduction.

The framework of labeled deduction has been successfully employed for several non-classical, and in particular modal and temporal, logics, e.g., [8,21,22], since labeling provides a clean and effective way of dealing with modalities and gives rise to deduction systems with good proof-theoretical properties. The basic idea is that labels allow one to explicitly encode additional information, of a semantic or proof-theoretical nature, that is otherwise implicit in the logic one wants to capture. So, for instance, instead of a formula A, one can consider the labeled formula b : A, which intuitively means that A holds at the time instant denoted by b within the underlying Kripke semantics. One can also use labels to specify how time instants are related, e.g., the relational formula bRc states that the time instant c is accessible from b.

Considering labels that consist of a single time instant is not enough for ∇, as the operator is explicitly designed to speak about a sequence of time instants (namely, the ones constituting the history of the corresponding until, if indeed ∇ results from the translation of an U). We thus consider labels that are built out of a sequence of time instants, so that we can write αb_0b_1 : ∇A to express, intuitively, that A holds in the interval between time instants b_0 and b_1, which together with the sub-sequence α constitute a sequence of time instants αb_0b_1. This is in contrast to the unfolding (1). The decoupling of U that we achieve with ∇ is precisely what allows us to give well-behaved (in a sense made clearer below) natural deduction rules, such as the elimination rule

    αb_0b_1 : ∇A    b_0 ≤ b_2    b_2 ≤ b_1
    ─────────────────────────────────────── ∇E
                  αb_0b_2 : A

that says that if ∇A holds at time instant b_1 at the end of the sequence αb_0b_1 and if b_2 is in between b_0 and b_1, as expressed by the relational formulas with the accessibility relation ≤, then we can conclude that A holds at b_2. Dually, we can introduce ∇A at time instant b_1 at the end of the sequence αb_0b_1 whenever from the assumptions b_0 ≤ b_2 and b_2 ≤ b_1 for a fresh b_2 we can infer αb_0b_2 : A, i.e.:

    [b_0 ≤ b_2]    [b_2 ≤ b_1]
               ⋮
           αb_0b_2 : A
    ──────────────────────────── ∇I
           αb_0b_1 : ∇A

(The side condition that b_2 is fresh means that b_2 is different from b_0 and b_1, and does not occur in any assumption on which αb_0b_2 : A depends other than the discarded assumptions b_0 ≤ b_2 and b_2 ≤ b_1.)

The adoption of time instant sequences for labels has thus allowed us to give rules for ∇ that are well-behaved in the spirit of natural deduction [17]: there is precisely one introduction and one elimination rule for ∇, as well as for the other connectives and temporal operators (⊃, G, and X). This paves the way to a proof-theoretical analysis of the resulting natural deduction systems, e.g., to show proof normalization and other useful meta-theoretical properties, which we are tackling in current work.

Moreover, the rules ∇I and ∇E provide a clean-cut way of reasoning about until, according to the translation (2), provided that we also give rules for F and X. These operators have a local nature, in the sense that they speak not about sequences of time instants but about single time instants. Still, we can easily give natural deduction rules for them by generalizing the more standard "single-time instant" rules (e.g., [1,2,12,16,21,22,23]) using our labeling with sequences of time instants. As we will discuss in more detail below, if we collapse the sequences of time instants to consider only the final time instant in the sequence (or, equivalently, if we simply ignore all the instants in a sequence but the last), then these rules reduce to the standard ones. For instance, for the always in the future operator G (the dual of F) and X, with the corresponding successor relation ⊳, we can give the elimination rules

    αb_0 : G A    b_0 ≤ b_1
    ──────────────────────── GE
          αb_0b_1 : A

    αb_0 : X A    b_0 ⊳ b_1
    ──────────────────────── XE
          αb_0b_1 : A

The rule GE says that if G A holds at time instant b_0, which is the last in the sequence αb_0, and b_1 is ≤-accessible from b_0 (i.e., b_0 ≤ b_1), then we can conclude that A holds for the sequence αb_0b_1. The rule XE is justified similarly (via ⊳). The corresponding introduction rules are given in Section 4, together with rules for ⊥ and the connective ⊃, as well as a rule for induction on the underlying linear ordering. As we will see, we also need rules expressing the properties of the relations ≤ and ⊳. Moreover, the fact that we consider sequences of time instants as labels requires us to consider some structural rules to express properties of such sequences (with respect to formulas).

This approach thus provides the basis for formalizing deduction systems for temporal logics endowed with the until operator. For concreteness, we give here a labeled natural deduction system for a linear-time logic endowed with the new history operator ∇ and show that, via a proper translation, such a system is also sound and complete with respect to the linear temporal logic LTL with until. (We do not consider past explicitly here, but adding operators and rules for it should be unproblematic, e.g., as in [23].)

We proceed as follows. In Section 2, we briefly recall the syntax and semantics of LTL, and an axiomatization for it. In Section 3, we define LTL∇, the logic that is obtained from LTL by replacing U with the history ∇, and give a validity-preserving translation, based on (2), from LTL into LTL∇. In Section 4, we give a labeled natural deduction system N(LTL∇) that is sound with respect to the semantics of LTL∇. By focusing only on those derivations whose conclusion and open assumptions correspond to the translation of LTL-formulas, we show that N(LTL∇) can be used to capture reasoning in LTL and that it is in fact sound and complete with respect to the semantics of LTL. In Section 5, we draw conclusions and illustrate directions of current and future work. Full proofs are given in the appendix.
2 LTL

We recall the syntax and semantics of LTL and an axiomatization for it.

Definition 1. Given a set P of propositional symbols, the set of (well-formed) LTL-formulas is defined by the grammar

    A ::= p | ⊥ | A ⊃ A | G A | X A | A U A

where p ∈ P. The set of LTL-atomic formulas is P ∪ {⊥}. The complexity of an LTL-formula is the number of occurrences of the connective ⊃ and of the temporal operators G, X, and U.

The intuitive meaning of G, X, and U is the standard one: G A states that A holds always in the future, X A states that A holds in the next time instant, and A U B states that B holds at the current time instant or there is a time instant w in the future such that B holds in w and A holds in all the time instants between the current one and w. As usual, we can introduce abbreviations and use, e.g., ¬, ∨ and ∧ for negation, disjunction, and conjunction, respectively: ¬A ≡ A ⊃ ⊥, A ∨ B ≡ ¬A ⊃ B, and A ∧ B ≡ ¬(¬A ∨ ¬B). We can also define other temporal operators, e.g., F A ≡ ¬G¬A to express that A holds sometime in the future. We write Λ to denote a set of LTL-formulas.

Definition 2. Let N = ⟨ℕ, s : ℕ → ℕ, ≤⟩ be the standard structure of natural numbers, where s and ≤ are respectively the successor function and the total (reflexive) order relation. An LTL-model is a pair M = ⟨N, V⟩ where V : ℕ → P. Truth for an LTL-formula at a point n ∈ ℕ in an LTL-model M = ⟨N, V⟩ is the smallest relation ⊨_LTL satisfying:

    M, n ⊨_LTL p        iff  p ∈ V(n)
    M, n ⊨_LTL A ⊃ B    iff  M, n ⊨_LTL A implies M, n ⊨_LTL B
    M, n ⊨_LTL G A      iff  M, m ⊨_LTL A for all m ≥ n
    M, n ⊨_LTL X A      iff  M, n + 1 ⊨_LTL A
    M, n ⊨_LTL A U B    iff  there exists n′ ≥ n such that M, n′ ⊨_LTL B and M, m ⊨_LTL A for all n ≤ m < n′

Note that M, n ⊭_LTL ⊥ for every M and n. By extension, we write:

    M ⊨_LTL A    iff  M, n ⊨_LTL A for every natural number n
    M ⊨_LTL Λ    iff  M ⊨_LTL A for all A ∈ Λ
    Λ ⊨_LTL A    iff  M ⊨_LTL Λ implies M ⊨_LTL A, for every LTL-model M

We now present a sound and complete Hilbert-style axiomatization, which we call H(LTL), for LTL (see, e.g., [10]). H(LTL) consists of the axioms

    (A1) Any tautology instance
    (A2) G(A ⊃ B) ⊃ (G A ⊃ G B)
    (A3) (X¬A ↔ ¬X A)
    (A4) X(A ⊃ B) ⊃ (X A ⊃ X B)
    (A5) G A ⊃ A ∧ X G A
    (A6) G(A ⊃ X A) ⊃ (A ⊃ G A)
    (A7) A U B ↔ (B ∨ (A ∧ X(A U B)))
    (A8) A U B ⊃ F B

where we denote with ↔ the double implication, and of the rules of inference

    (MP)    If A and A ⊃ B then B
    (NecX)  If A then X A
    (NecG)  If A then G A

The set of theorems of H(LTL) is the smallest set containing these axioms and closed with respect to these rules of inference.

3 LTL∇: LTL with history
In this section, we give the linear temporal logic LTL∇, which is obtained from LTL by replacing the operator U with a new unary temporal operator ∇, called history. The definition of the semantics of LTL∇ requires a notion of truth given with respect to sequences of time instants rather than just to time instants. We will then provide a translation from the language of LTL into the language of LTL∇ and show some properties of such a translation.

3.1 Syntax and semantics

Definition 3. Given a set P of propositional symbols, the set of (well-formed) LTL∇-formulas is defined by the grammar

    A ::= p | ⊥ | A ⊃ A | G A | X A | ∇A

where p ∈ P. The set of LTL∇-atomic formulas is P ∪ {⊥}. The complexity of an LTL∇-formula is the number of occurrences of the connective ⊃ and of the temporal operators X, G, and ∇.

The intuitive meaning of the operators G and X is the same as for LTL, while ∇A intuitively states that A holds at any instant of a particular time interval (but here we see that we need sequences of time instants to formalize the semantics of the history operator, as we anticipated in the introduction). Again, we can define other connectives and operators as abbreviations, e.g., ¬, ∨, ∧, F and so on. We write Γ to denote a set of LTL∇-formulas.

To define a labeled deduction system for the logic LTL∇, we extend the language with a set of labels and finite sequences of labels, and introduce the notions of labeled formula and relational formula.

Definition 4. Let L be a set of labels. A finite non-empty sequence of labels (namely, an element of L⁺) is called a sequence. If A is an LTL∇-formula and α is a sequence, then α : A is a labeled (well-formed) formula (lwff for short). The set of relational (well-formed) formulas (rwffs for short) is the set of expressions of the form b ≤ c or b ⊳ c, where b and c are labels.

In the rest of the paper, we will assume given a fixed denumerable set L of labels and we will use b, c, d, … to denote labels, α, β, γ to denote finite sequences of labels (e.g., bcd… or just b in the case of a sequence consisting of only one time instant), ϕ to denote a generic formula (either labeled or relational) and Φ to denote a set of generic formulas. (With a slight abuse of notation, we will also use α, β, γ to denote possibly empty subsequences and thus write αb_1…b_k (for k ≥ 1) to denote a sequence where α may be empty.)

Definition 5. An observation sequence is a non-empty sequence σ = [n_0, …, n_k] of natural numbers. Truth for an LTL∇-formula at an observation sequence σ in an LTL-model M = ⟨N, V⟩ is the smallest relation ⊨_∇ satisfying:

    M, [n_0, …, n_k] ⊨_∇ p              iff  p ∈ V(n_k)
    M, [n_0, …, n_k] ⊨_∇ A ⊃ B          iff  M, [n_0, …, n_k] ⊨_∇ A implies M, [n_0, …, n_k] ⊨_∇ B
    M, [n_0, …, n_k] ⊨_∇ G A            iff  M, [n_0, …, n_k, m] ⊨_∇ A for all m ≥ n_k
    M, [n_0, …, n_k] ⊨_∇ X A            iff  M, [n_0, …, n_k, n_k + 1] ⊨_∇ A
    M, [n_0, …, n_{k−1}, n_k] ⊨_∇ ∇A    iff  M, [n_0, …, n_{k−1}, m] ⊨_∇ A for all n_{k−1} ≤ m ≤ n_k   (if 0 < k)
    M, [n_0] ⊨_∇ ∇A                     iff  M, [n_0] ⊨_∇ A

By extension, we write:

    M ⊨_∇ A    iff  M, σ ⊨_∇ A for every observation sequence σ
    M ⊨_∇ Γ    iff  M ⊨_∇ A for all A ∈ Γ
    Γ ⊨_∇ A    iff  M ⊨_∇ Γ implies M ⊨_∇ A, for every LTL-model M

Given an LTL-model M, a structure is a pair S = ⟨M, I⟩ where I : L → ℕ. Let Σ be the set of observation sequences and I⁺ : L⁺ → Σ the extension of I to sequences, i.e., I⁺(b_0…b_n) = [I(b_0), …, I(b_n)]. Truth for a generic formula ϕ in a structure S = ⟨M, I⟩ is the smallest relation ⊨_∇ satisfying:

    M, I ⊨_∇ a ≤ b    iff  I(a) ≤ I(b)
    M, I ⊨_∇ a ⊳ b    iff  I(b) = I(a) + 1
    M, I ⊨_∇ α : A    iff  M, I⁺(α) ⊨_∇ A

Note that M, σ ⊭_∇ ⊥ and M, I ⊭_∇ α : ⊥ for every M, σ and I. Given a set Φ of generic formulas and a generic formula ϕ:

    M, I ⊨_∇ Φ    iff  M, I ⊨_∇ ϕ for all ϕ ∈ Φ
    Φ ⊨_∇ ϕ       iff  M, I ⊨_∇ Φ implies M, I ⊨_∇ ϕ, for all M and I

3.2 LTL into LTL∇

LTL and LTL∇ are, obviously, related logics. In fact, below we will define a validity-preserving translation (·)* from LTL into LTL∇. Then, in Lemma 1, we will show that if an LTL∇-formula corresponds to the translation of some LTL-formula, then it can be interpreted "locally", i.e., its truth value with respect to an observation sequence depends only on the last element of the sequence. Finally, in Lemma 2 and Theorem 1, we will use this result to prove that the translation preserves the validity of formulas. This property allows us to use the deduction system for LTL∇, which will be presented in Section 4, for reasoning on LTL too, as we will show in Section 4.2, when discussing soundness and completeness of the system.
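As an added example, not part of the paper, the following Python encodes the truth relations of Definition 2 (⊨_LTL over time instants) and Definition 5 (⊨_∇ over observation sequences) together with the translation (·)* built from (2), and checks Lemma 2 and Corollary 1 on a constructed model. The tuple encoding of formulas, the representation of V as a finite prefix followed by a repeating loop, and the finite cut-off used for each "for all m ≥ n" are my assumptions; the cut-off is exact for LTL-formulas and for translated formulas, whose truth at an instant depends only on the model from that instant on, which repeats from the end of the prefix.

```python
# Added example (not from the paper): a checker for the semantics of LTL (Definition 2),
# of LTL∇ on observation sequences (Definition 5) and for the translation (.)* (Definition 6).
# Assumptions: formulas are nested tuples ('p', name), ('bot',), ('imp', A, B), ('G', A),
# ('X', A), ('U', A, B) and, for LTL∇, ('nabla', A); the valuation V is ultimately periodic
# (finite prefix + repeating loop), which makes every "for all m >= n" decidable by a cut-off.

def neg(a):      return ('imp', a, ('bot',))                 # ¬A ≡ A ⊃ ⊥
def disj(a, b):  return ('imp', neg(a), b)                   # A ∨ B ≡ ¬A ⊃ B
def conj(a, b):  return neg(disj(neg(a), neg(b)))            # A ∧ B ≡ ¬(¬A ∨ ¬B)
def F(a):        return neg(('G', neg(a)))                   # F A ≡ ¬G¬A


class LassoModel:
    """V : N -> P(P) given by a finite prefix and a non-empty loop of valuations."""
    def __init__(self, prefix, loop):
        self.prefix = [set(s) for s in prefix]
        self.loop = [set(s) for s in loop]

    def V(self, n):
        if n < len(self.prefix):
            return self.prefix[n]
        return self.loop[(n - len(self.prefix)) % len(self.loop)]

    def bound(self, n):
        # The suffix of the model from any instant >= len(prefix) repeats with period
        # len(loop), so a witness or counterexample at or above this bound can be shifted
        # down below it; quantifying over range(n, bound(n)) is therefore exact.
        return max(n, len(self.prefix)) + len(self.loop)


def sat_ltl(M, n, A):
    """Definition 2: M, n |=_LTL A."""
    k = A[0]
    if k == 'p':   return A[1] in M.V(n)
    if k == 'bot': return False
    if k == 'imp': return (not sat_ltl(M, n, A[1])) or sat_ltl(M, n, A[2])
    if k == 'G':   return all(sat_ltl(M, m, A[1]) for m in range(n, M.bound(n)))
    if k == 'X':   return sat_ltl(M, n + 1, A[1])
    if k == 'U':   # some n' >= n with B at n' and A at every n <= m < n'
        return any(sat_ltl(M, n2, A[2]) and all(sat_ltl(M, m, A[1]) for m in range(n, n2))
                   for n2 in range(n, M.bound(n)))
    raise ValueError(A)


def sat_nabla(M, seq, A):
    """Definition 5: M, [n_0, ..., n_k] |=_∇ A; the last element n_k is the current instant."""
    k, last = A[0], seq[-1]
    if k == 'p':   return A[1] in M.V(last)
    if k == 'bot': return False
    if k == 'imp': return (not sat_nabla(M, seq, A[1])) or sat_nabla(M, seq, A[2])
    if k == 'G':   return all(sat_nabla(M, seq + [m], A[1]) for m in range(last, M.bound(last)))
    if k == 'X':   return sat_nabla(M, seq + [last + 1], A[1])
    if k == 'nabla':
        if len(seq) == 1:          # [n_0] |=_∇ ∇A iff [n_0] |=_∇ A
            return sat_nabla(M, seq, A[1])
        prev = seq[-2]             # A must hold at [.., n_{k-1}, m] for all n_{k-1} <= m <= n_k
        return all(sat_nabla(M, seq[:-1] + [m], A[1]) for m in range(prev, last + 1))
    raise ValueError(A)


def translate(A):
    """Definition 6: (A)*, with (A U B)* = B* ∨ F(X B* ∧ ∇A*)."""
    k = A[0]
    if k in ('p', 'bot'): return A
    if k == 'imp':        return ('imp', translate(A[1]), translate(A[2]))
    if k in ('G', 'X'):   return (k, translate(A[1]))
    if k == 'U':
        a, b = translate(A[1]), translate(A[2])
        return disj(b, F(conj(('X', b), ('nabla', a))))
    raise ValueError(A)


def lemma2_holds(M, A, positions):
    """Lemma 2 at the given instants: M, n |=_LTL A iff M, [n] |=_∇ A*."""
    return all(sat_ltl(M, n, A) == sat_nabla(M, [n], translate(A)) for n in positions)


def corollary1_holds(M, A, seq):
    """Corollary 1: a translated formula only depends on the last element of the sequence."""
    return sat_nabla(M, seq, translate(A)) == sat_nabla(M, [seq[-1]], translate(A))


# Constructed sample model: a at instants 0 and 1, b at instant 2, only c from 3 onwards.
SAMPLE_MODEL = LassoModel(prefix=[{'a'}, {'a'}, {'b'}], loop=[{'c'}])
A_, B_, C_ = ('p', 'a'), ('p', 'b'), ('p', 'c')

def demo():
    """(formula, n, LTL truth, truth of the translation at [n]) for some until-formulas."""
    formulas = [('U', A_, B_), ('U', A_, C_), ('U', disj(A_, B_), C_), ('G', ('U', A_, C_)), F(B_)]
    return [(f, n, sat_ltl(SAMPLE_MODEL, n, f), sat_nabla(SAMPLE_MODEL, [n], translate(f)))
            for f in formulas for n in range(5)]

if __name__ == '__main__':
    for rec in demo():
        print(rec)
```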
Definition 6. We define the translation (·)* from the language of LTL into the language of LTL∇ inductively as follows:

    (p)* = p, for p atomic
    (⊥)* = ⊥
    (A ⊃ B)* = (A)* ⊃ (B)*
    (G A)* = G (A)*
    (X A)* = X (A)*
    (A U B)* = (B)* ∨ (F(X (B)* ∧ ∇(A)*))

We extend (·)* to sets of formulas in the obvious way: Λ* = {B* | B ∈ Λ}.

Lemma 1. Let M be an LTL-model, [n_0, …, n_k] an observation sequence, and A an LTL-formula. Then M, [n_0, …, n_k] ⊨_∇ A* iff M, [m_0, …, m_r, n_k] ⊨_∇ A* for every sequence m_0, …, m_r.

Corollary 1. Let M be an LTL-model, [n_0, …, n_k] an observation sequence, and A an LTL-formula. Then M, [n_0, …, n_k] ⊨_∇ A* iff M, [n_k] ⊨_∇ A*.

Lemma 2. Let M be an LTL-model, n a natural number, and A an LTL-formula. Then M, n ⊨_LTL A iff M, [n] ⊨_∇ A*.

Theorem 1. Let Λ be a set of LTL-formulas, A an LTL-formula and Λ* = {B* | B ∈ Λ}. Then Λ ⊨_LTL A iff Λ* ⊨_∇ A*.

Proof. By Definition 2, Λ ⊨_LTL A
  iff ∀M. M ⊨_LTL Λ implies M ⊨_LTL A
  iff ∀M. (∀B ∈ Λ. ∀n. M, n ⊨_LTL B implies ∀n. M, n ⊨_LTL A)
  iff (by Lemma 2) ∀M. (∀B ∈ Λ. ∀n. M, [n] ⊨_∇ B* implies ∀n. M, [n] ⊨_∇ A*)
  iff (by Lemma 1) ∀M. (∀B ∈ Λ. ∀σ. M, σ ⊨_∇ B* implies ∀σ. M, σ ⊨_∇ A*)
  iff (by Definition 5) ∀M. (∀B ∈ Λ. M ⊨_∇ B* implies M ⊨_∇ A*)
  iff ∀M. (M ⊨_∇ Λ* implies M ⊨_∇ A*)
  iff Λ* ⊨_∇ A*.

4 N(LTL∇): a labeled natural deduction system for LTL∇

In this section, we will first define a labeled natural deduction system N(LTL∇) that is sound with respect to the semantics of LTL∇. Then, by considering a restriction of the set of N(LTL∇)-derivations and by using the translation (·)* and the related results, we will show that N(LTL∇) can be also used for reasoning on LTL: we will prove soundness with respect to the semantics of
LTL and we will give a proof of weak completeness with respect to LTL, by exploiting the Hilbert-style axiomatization H(LTL).

4.1 N(LTL∇)

The rules of N(LTL∇) are given in Figure 1. In N(LTL∇) we do not make use of a proper relational labeling algebra (as, e.g., in [22]) that contains rules that derive rwffs from other rwffs or even lwffs. Since we are mainly interested in the derivation of logical formulas, we rather follow an approach that aims at simplifying the system: we use rwffs only as assumptions for the derivation of lwffs (as in Simpson's system for intuitionistic modal logic [21]). Thus, in N(LTL∇) there are no rules whose conclusion is an rwff.

Fig. 1. The rules of N(LTL∇). Each rule is written as "premises ⟹ conclusion"; discharged assumptions are in brackets and "…" stands for the subderivation starting from them.

    ⊥E     [α′ : A ⊃ ⊥] … α : ⊥                                          ⟹ α′ : A
    ⊃I     [α : A] … α : B                                               ⟹ α : A ⊃ B
    ⊃E     α : A ⊃ B,  α : A                                             ⟹ α : B
    GI     [b_0 ≤ b_1] … αb_0b_1 : A                                     ⟹ αb_0 : G A
    GE     αb_0 : G A,  b_0 ≤ b_1                                        ⟹ αb_0b_1 : A
    XI     [b_0 ⊳ b_1] … αb_0b_1 : A                                     ⟹ αb_0 : X A
    XE     αb_0 : X A,  b_0 ⊳ b_1                                        ⟹ αb_0b_1 : A
    ser⊳   [b_0 ⊳ b_1] … α : A                                           ⟹ α : A
    lin⊳   b_0 ⊳ b_1,  b_0 ⊳ b_2,  ϕ,  [ϕ[b_1/b_2]] … α : A              ⟹ α : A
    refl   [b ≤ b] … α : A                                               ⟹ α : A
    trans  b_0 ≤ b_1,  b_1 ≤ b_2,  [b_0 ≤ b_2] … α : A                   ⟹ α : A
    ∇I     [b_0 ≤ b_2], [b_2 ≤ b_1] … αb_0b_2 : A                        ⟹ αb_0b_1 : ∇A
    ∇E     αb_0b_1 : ∇A,  b_0 ≤ b_2,  b_2 ≤ b_1                          ⟹ αb_0b_2 : A
    last   βb : A^l                                                      ⟹ αb : A^l
    eq     b_0 ≤ b_1,  b_1 ≤ b_0,  αb_0 : A                              ⟹ αb_1 : A
    split  b_0 ≤ b_1,  ϕ,  [ϕ[b_0/b_1]] … α : A,  [b_0 ⊳ b′], [b′ ≤ b_1] … α : A   ⟹ α : A
    base   b_0 ⊳ b_1,  [b_0 ≤ b_1] … α : A                               ⟹ α : A
    ind    αb_0 : A,  b_0 ≤ b_1,  [b_0 ≤ b_i], [b_i ⊳ b_j], [αb_i : A] … αb_j : A   ⟹ αb_1 : A

The rules have the following side conditions:
  – In XI (GI), b_1 is fresh, i.e., it is different from b_0 and does not occur in any assumption on which αb_0b_1 : A depends other than the discarded assumption b_0 ⊳ b_1 (b_0 ≤ b_1).
  – In ∇I, b_2 is fresh, i.e., it is different from b_0 and b_1, and does not occur in any assumption on which αb_0b_2 : A depends other than the discarded assumptions b_0 ≤ b_2 and b_2 ≤ b_1.
  – In last, the formula must be of the form A^l, as defined in (3).
  – In ser⊳, b_1 is fresh, i.e., it is different from b_0 and does not occur in any assumption on which α : A depends other than the discarded assumption b_0 ⊳ b_1.
  – In split, b′ is fresh, i.e., it is different from b_0 and b_1 and does not occur in any assumption on which α : A depends other than the discarded assumptions b_0 ⊳ b′ and b′ ≤ b_1.
  – In ind, b_i and b_j are fresh, i.e., they are different from each other and from b_0 and b_1, and do not occur in any assumption on which αb_j : A depends other than the discarded assumptions of the rule.

The rules ⊃I and ⊃E are just the labeled version of the standard [17] natural deduction rules for implication introduction and elimination, where the notion of discharged/open assumption is also standard; e.g., [α : A] means that the formula is discharged in ⊃I. The rule ⊥E is a labeled version of reductio ad absurdum, where we do not constrain the time instant sequence (α) in which we derive a contradiction to be the same (α′) as in the assumption.

The rules for the introduction and the elimination of G and X share the same structure since they both have a "universal" formulation. Consider, for instance, G and the corresponding relation ≤. The idea underlying the introduction rule GI is that the meaning of αb_0 : G A is given by the metalevel implication b_0 ≤ b_1 ⟹ αb_0b_1 : A for an arbitrary b_1 ≤-accessible from b_0 (where the arbitrariness of b_1 is ensured by the side-condition on the rule). As we remarked above, the operators G and X have a local nature, in that when we write αb_0 : G A (and similarly for αb_0 : X A) we are stating that G A holds at time instant b_0, which is the last in the sequence αb_0. Hence, the elimination rule GE says that if b_1 is ≤-accessible from b_0 (i.e., b_0 ≤ b_1), then we can conclude that A holds for the sequence αb_0b_1. Similar observations hold for X and the corresponding relation ⊳.

The rule ser⊳ models the fact that every time instant has an immediate successor, while the rule lin⊳ specifies that such a successor must be unique. ser⊳ tells us that if assuming b_0 ⊳ b_1 we can derive α : A, then we can discharge the assumption and conclude that indeed α : A. lin⊳ is slightly more complex: assume that b_0 had two different immediate successors b_1 and b_2 (which we know cannot be) and assume that the generic formula ϕ holds; if by substituting b_1 for b_2 in ϕ we obtain α : A, then we can discharge the assumption and conclude that indeed α : A.

Similarly, the rules refl and trans state the reflexivity and transitivity of ≤, while eq captures substitution of equals. The rule split states that if b_0 ≤ b_1, then either b_0 = b_1 or b_0 < b_1.
The rule thus works in the style of a disjunction elimination: if by assuming either of the two cases we can derive a formula α : A, then we can discharge the assumptions and conclude α : A. Since we do not use = and < explicitly in our syntax, we express such relations in an indirect way: the equality of b_0 and b_1 is expressed by replacing one with the other in a generic formula ϕ, and < by the composition of ⊳ and ≤.

The rule base expresses the fact that ≤ contains ⊳, while the rule ind models the induction principle underlying the relation between ⊳ and ≤. If (base case) A holds in αb_0 and if (inductive step) by assuming that A holds in αb_i for an arbitrary b_i ≤-accessible from b_0, we can derive that A holds also in αb_j, where b_j is the immediate successor of b_i, then we can conclude that A holds in every αb_1 such that b_1 is ≤-accessible from b_0.

Finally, we have three rules that speak about the history and the label sequences: the rules ∇I and ∇E, which we already described in the introduction, and last.

(Recall that in this paper we use rwffs only as assumptions for the derivation of lwffs, so we do not need a more general rule that concludes ϕ[b_1/b_0] from ϕ, b_0 ≤ b_1 and b_1 ≤ b_0. The rule is given only in terms of relations between labels, since we restrict the treatment of operators in the system to the specific rules for their introduction and elimination.)

The rule last expresses what we also anticipated in the introduction: the standard operators (and connectives) of LTL speak not about sequences of time instants but about single time instants, and thus if a formula A whose outermost operator is not ∇ holds at βb, then we can safely replace β by any other sequence α and conclude that A holds at αb. To formalize this, we define the set of (well-formed) LTL^l-formulas (denoted by A^l) by means of the grammar

    A^l  ::= p | ⊥ | (A^l) ⊃ (A^l) | G(A^{l∇}) | X(A^{l∇})                (3)
    A^{l∇} ::= A^l | (A^{l∇}) ⊃ (A^{l∇}) | ∇(A^{l∇})

where p is a propositional symbol. Hence, in a formula A^l, the history operator ∇ can only appear in the scope of a temporal operator G (and thus of F as in the translation (2)) or X. The rule last applies to these formulas only; in fact, the "l" in A^l stands for "last", but it also conveniently evokes both "local" and "LTL". For formulas ∇A whose outermost operator is the history operator ∇, such a rule does not make sense (and in fact is not sound) as it would mean changing the interval over which A holds.

Such considerations are formalized in the following lemma, where we prove, for LTL^l-formulas, a result that is the analogue of the one given in Lemma 1 with respect to the translation of LTL-formulas. At the same time, we also prove that if A is a formula belonging to the syntactic category A^{l∇} of the grammar (3) (we will call such formulas LTL^{l∇}-formulas), then the truth value of A depends on at most the last two elements of an observation sequence.

Lemma 3. Let M be an LTL-model, [n_0, …, n_k] an observation sequence, A^l an LTL^l-formula and A^{l∇} an LTL^{l∇}-formula. Then: (i) M, [n_0, …, n_k] ⊨_∇ A^l iff M, [m_0, …, m_r, n_k] ⊨_∇ A^l for every sequence m_0, …, m_r, and (ii) M, [n_0, …, n_{k−1}, n_k] ⊨_∇ A^{l∇} iff M, [m_0, …, m_r, n_{k−1}, n_k] ⊨_∇ A^{l∇} for every sequence m_0, …, m_r.

Given the rules in Fig. 1, the notions of derivation, assumption (open or discharged, as we remarked) and conclusion are the standard ones for natural deduction systems [17]. We write Φ ⊢_∇ α : A to say that there exists a derivation of α : A in the system N(LTL∇) whose open assumptions are all contained in the set of formulas Φ. A derivation of α : A in N(LTL∇) where all the assumptions are discharged is a proof of α : A in N(LTL∇) and we then say that α : A is a theorem of N(LTL∇) and write ⊢_∇ α : A. To denote that Π is a derivation of α : A whose set of assumptions may contain the formulas ϕ_1, …, ϕ_n, we write

    ϕ_1 … ϕ_n
        Π
      α : A

If we are interested in LTL-reasoning, then we can restrict our attention to a subset of the N(LTL∇)-derivations, namely, to the derivations where the conclusion and all the open assumptions correspond to the translations of LTL-formulas. In fact, Lemma 1 is a direct consequence of Lemma 3 and of Lemma 4 below.

Definition 7. Let Π be a derivation in N(LTL∇) and Φ the set containing the conclusion and the open assumptions of Π. We say that Π is an LTL-derivation iff there exists a label b such that for every ϕ in Φ there exists an LTL-formula A such that ϕ = b : A*. We write Λ ⊢_LTL A to denote that in N(LTL∇) there exists an LTL-derivation of b : A* from open assumptions in a set Φ, where Λ = {B | b : B* ∈ Φ}.

In Definition 7, we require all the open assumptions and the conclusion of an LTL-derivation to be lwffs labeled by the same single label b. Note that, as a consequence of Corollary 1, we would obtain the same notion of LTL-derivation by requiring instead that such formulas were labeled by the same sequence α.

In Section 4.2, we will show that N(LTL∇) is sound with respect to the semantics of LTL∇ and, by considering the notion of LTL-derivability ⊢_LTL, that it is sound and weakly complete with respect to LTL. An investigation of completeness with respect to LTL∇ is left for future work, together with the formalization of an axiomatization of LTL∇.

Related to this, it is important to understand what exactly is the relationship of the class of LTL^l-formulas and the class of LTL-formulas, in particular with respect to the translation (·)*. It is not difficult to see that the co-domain of the translation is included in LTL^l by construction of (·)*, i.e., by induction on the formula complexity it follows that:

Lemma 4. If A is an LTL-formula, then A* is an LTL^l-formula.

The other direction is trickier, as it basically amounts to defining an inverse translation. To solve this problem, we have been considering normal forms of LTL^l-formulas and we conjecture that the following fact indeed holds.

Conjecture 1. If A is an LTL^l-formula, then there exists an LTL-formula B such that B* is semantically equivalent to A.

4.2 Soundness and completeness

Theorem 2. For every set Φ of labeled and relational formulas and every labeled formula α : A, if Φ ⊢_∇ α : A, then Φ ⊨_∇ α : A.

Proof. The proof proceeds by induction on the structure of the derivation of α : A. The base case is when α : A ∈ Φ and is trivial. There is one step case for every rule and we show here only the two representative cases

    [b_0 ≤ b_2]  [b_2 ≤ b_1]
              Π
         βb_0b_2 : B
    ─────────────────────── ∇I
         βb_0b_1 : ∇B

and

        Π
    β′b : A
    ─────── last
     βb : A

Some more cases are in Appendix A.3. First, consider the case in which the last rule application is a ∇I, where α = βb_0b_1, A = ∇B, and Π is a proof of βb_0b_2 : B from hypotheses in Φ′, with b_2 fresh and with Φ′ = Φ ∪ {b_0 ≤ b_2} ∪ {b_2 ≤ b_1}. By the induction hypothesis, for every interpretation I, if M, I ⊨_∇ Φ′, then M, I ⊨_∇ βb_0b_2 : B. We let I be any interpretation such that M, I ⊨_∇ Φ, and show that M, I ⊨_∇ βb_0b_1 : ∇B. Let I(b_0) = n, I(b_1) = m and I⁺(β) = [n_0, …, n_k]. Since b_2 is fresh, we can extend I to an interpretation (still called I for simplicity) such that I(b_2) = n + i for an arbitrary 0 ≤ i ≤ m. The induction hypothesis yields M, I ⊨_∇ βb_0b_2 : B, i.e., M, [n_0, …, n_k, n, n + i] ⊨_∇ B, and thus, since i is an arbitrary point between 0 and m, we obtain M, [n_0, …, n_k, n, n + m] ⊨_∇ ∇B. It follows M, I ⊨_∇ βb_0b_1 : ∇B.

Now consider the case in which the last rule applied is last and α = βb, where Π is a proof of β′b : A from hypotheses in Φ. By applying the induction hypothesis on Π, we have Φ ⊨_∇ β′b : A. We proceed by considering a generic LTL-model M and a generic interpretation I on it such that M, I ⊨_∇ Φ and showing that this entails M, I ⊨_∇ βb : A. By the induction hypothesis, M, I ⊨_∇ β′b : A, i.e., M, I⁺(β′b) ⊨_∇ A by Definition 5.
Since A is an LTL l -formula by the side condition of the rule and the two observation sequences I + ( β ′ b ) and I + ( βb ) share the same last element I ( b ), we can apply Lemma 3and obtain M , I + ( βb ) | = ∇ A , i.e., M , I | = ∇ βb : A by Definition 5.By exploiting the translation of Section 3.2 and the notion of LTL -derivationof Definition 7, we also prove a result of soundness with respect to
LTL . Theorem 3.
For every set $\Lambda$ of LTL-formulas and every LTL-formula $A$, if $\Lambda \vdash_{LTL} A$, then $\Lambda \models_{LTL} A$.

Proof. By definition of $\vdash_{LTL}$, for a given label $b$, there exists a derivation in N(LTL∇) of $b : A^*$ from open assumptions in $\Phi = \{ b : B^* \mid B \in \Lambda \}$. By Theorem 2, $\Phi \vdash_\nabla b : A^*$ implies $\Phi \models_\nabla b : A^*$. Since $b$ is generic, we have that for every LTL-model $M$ and every interpretation $I$, $M, I \models_\nabla \Phi$ implies $M, I \models_\nabla b : A^*$ iff for every natural number $n$, $M, [n] \models_\nabla \Lambda^*$ implies $M, [n] \models_\nabla A^*$, where $\Lambda^* = \{ B^* \mid B \in \Lambda \}$. By Lemma 1, we infer that for every observation sequence $\sigma$, $M, \sigma \models_\nabla \Lambda^*$ implies $M, \sigma \models_\nabla A^*$. By Definition 5, $\Lambda^* \models_\nabla A^*$ and thus, by Theorem 1, we conclude $\Lambda \models_{LTL} A$.

As we anticipated, an analysis of the completeness of N(LTL∇) with respect to LTL∇ is left for future work. Here we discuss completeness with respect to LTL. The proposed natural deduction system consists of only finitary rules; consequently, it cannot be strongly complete for LTL. (This is not a problem of our formulation: all the finitary deduction systems for temporal logics equipped with at least the operators X and G have such a defect; see, e.g., [15, Ch. 6].) Nevertheless, by using the axiomatization H(LTL) and the translation (·)*, we can give a proof of weak completeness for it; namely:

Theorem 4. For every LTL-formula $A$, if $\models_{LTL} A$, then $\vdash_{LTL} A$.

Proof. We can prove the theorem by showing that N(LTL∇) is complete with respect to the axiomatization H(LTL) given in Section 2, which is sound and complete for LTL. That is, we need to prove that: (i) the translation, via (·)*, of every axiom of H(LTL) is provable in N(LTL∇) by means of an LTL-derivation, and (ii) the notion of $\vdash_{LTL}$ is closed under the (labeled equivalent of the) rules of inference of H(LTL). Showing (ii) is straightforward and we omit it here. As an example for (i), we give here a derivation of the translation of (A , whose conclusion is b : G(A ⊃ XA) ⊃ (A ⊃ GA):

[ b : A ] [ b c ] [ b : G ( A ⊃ X A )] [ b b i ] bb i : A ⊃ X A G E [ b i : A ] bb i : A last bb i : X A ⊃ E [ b i ⊳ b j ] bb i b j : A X Eb j : A last c : A ind bc : A last b : G A ⊃ b : A ⊃ G A ⊃ I b : G ( A ⊃ X A ) ⊃ ( A ⊃ G A ) ⊃ I

The introduction of the operator ∇ has allowed us to formalize the "history" of until and thus, via a proper translation, to give a labeled natural deduction system for a linear time logic endowed with ∇ that is also sound and complete with respect to LTL with until. As we remarked above, we see this work as spawning several different directions for future research. First, the "recipe" for dealing with until that we gave here is abstract and general, and thus provides the basis for formalizing deduction systems for temporal logics endowed with U, both linear and branching time.
We are currently considering CTL* and its sublogics as in [16,18] and are also working at a formal characterization of the class of logics that can be captured with our approach.

Second, the well-behaved nature of our approach, where each connective and operator has one introduction and one elimination rule, paves the way to a proof-theoretical analysis of the resulting natural deduction systems, e.g., to show proof normalization and other useful meta-theoretical properties, which we are tackling in current work. Moreover, we are also considering different optimizations of the rules. In particular, along the lines of the discussion about the rule last (and Corollary 1 and Definition 7), we are investigating to what extent we can use sequences as labels only when they are really needed, which would also simplify the proofs of normalization and other meta-properties. (As an interesting side-track, we believe that the restriction we imposed on formulas for the rule last, i.e., considering $A_l$ and $A_{l\nabla}$, is closely related, at least in spirit, to the focus on persistent formulas when combining intuitionistic and classical logic so as to avoid the collapse of the two logics into one, see [6] but also [4,9]. We are, after all, considering here formulas stemming from two classes (if not two logics altogether), and it makes thus sense that they require different labeling (single instants and sequences).)

LTL$_l$-formulas and that of LTL-formulas, which in turn will allow us to reason about the completeness of N(LTL∇) with respect to the semantics of LTL∇ and also to provide an axiomatization of LTL∇ (thus treating it as a full-fledged logic as opposed to as a "service" logic for LTL as we did here).

Finally, it is worth observing that several works have considered interval temporal logics, e.g., [3,5,11,14,19]. While these works consider intervals explicitly, we have used them somehow implicitly here, as a means to formalize the dual nature of until via the history ∇, and this is another reason why it is interesting to reduce the use of label sequences as much as possible. A more detailed comparison of our approach with these works is left for future work.

Acknowledgments
This work was partially supported by the PRIN projects“CONCERTO” and “SOFT”.
References

1. Basin, D., C. Caleiro, J. Ramos and L. Viganò, Labeled Tableaux for Distributed Temporal Logic, J. Logic and Computation (2009, doi: ).
2. Bolotov, A., O. Grigoriev and V. Shangin, Automated natural deduction for propositional linear-time temporal logic, in: Proc. TIME'07 (2007), pp. 47–58.
3. Bowman, H. and S. Thompson, A decision procedure and complete axiomatization of finite interval temporal logic with projection, J. Logic and Computation (2003).
4. Caleiro, C. and J. Ramos, Combining classical and intuitionistic implications, in: Proc. FroCoS'07, LNCS 4720, 2007, pp. 118–132.
5. Cerrito, S. and M. Cialdea Mayer, Labelled Tableaux for Linear Time Temporal Logic over Finite Time Frames, in: Labelled Deduction, Kluwer, 2000, pp. 130–144.
6. Fariñas Del Cerro, L. and A. Herzig, Combining classical and intuitionistic logic, in: Proc. FroCoS'96, 1996, pp. 93–102.
7. Fisher, M., D. M. Gabbay and L. Vila, editors, "Handbook of Temporal Reasoning in Artificial Intelligence I," Elsevier, 2005.
8. Gabbay, D. M., "Labelled Deductive Systems," Clarendon Press, 1996.
9. Gabbay, D. M., An overview of fibred semantics and the combination of logics, in: Proc. FroCoS'07, LNCS 4720, 2007, pp. 1–56.
10. Goldblatt, R. I., "Logics of Time and Computation," CSLI Lecture Notes, 1987.
11. Goranko, V., A. Montanari, P. Sala and G. Sciavicco, A general tableau method for propositional interval temporal logics: Theory and implementation, J. Applied Logic (2006), pp. 305–330.
12. Gore, R., Tableau methods for modal and temporal logics, in: Handbook of Tableau Methods, Kluwer, 1999.
13. Gough, G. D., Decision procedures for temporal logic, Technical Report UMCS-89-10-1, Department of Computer Science, University of Manchester (1984).
14. Halpern, J. and Y. Shoham, A propositional modal logic of time intervals, JACM (1991), pp. 935–962.
15. Kröger, F., "Temporal logic of programs," Springer-Verlag, 1987.
16. Masini, A., L. Viganò and M. Volpe, A labeled natural deduction system for a fragment of CTL*, in: Proc. LFCS'09, LNCS 5407 (2009), pp. 338–353.
17. Prawitz, D., "Natural Deduction," Almqvist and Wiksell, 1965.
18. Reynolds, M., A tableau for bundled CTL*, J. Logic and Computation (2007).
19. Schmitt, P. H. and J. Goubault-Larrecq, A Tableau System for Linear-Time Temporal Logic, in: Proc. TACAS'97, LNCS 1217 (1997), pp. 130–144. See also the unpublished manuscript A Tableau System for Full Linear Temporal Logic.
20. Schwendimann, S., A New One-Pass Tableau Calculus for PLTL, in: Proc. Tableaux'98, LNAI 1397 (1998), pp. 277–291.
21. Simpson, A., "The Proof Theory and Semantics of Intuitionistic Modal Logic," Ph.D. thesis, School of Informatics, University of Edinburgh (1994).
22. Viganò, L., "Labelled Non-Classical Logics," Kluwer, 2000.
23. Viganò, L. and M. Volpe, Labeled Natural Deduction Systems for a Family of Tense Logics, in: Proc. TIME'08 (2008), pp. 118–126.

A Proofs
A.1 Properties of the translation (·)*

Proof of Lemma 1

By induction on the complexity of $A$. The base case is when $A = p$ or $A = \bot$ and is trivial. There is one inductive step case for each connective and temporal operator.

$A = B \supset C$. Then the translation of $A$ is $A^* = B^* \supset C^*$. By Definition 5, we obtain $M, [n_1, \dots, n_k] \models_\nabla B^* \supset C^*$ iff $M, [n_1, \dots, n_k] \models_\nabla B^*$ implies $M, [n_1, \dots, n_k] \models_\nabla C^*$. By the induction hypothesis, we see that this holds iff $M, [m_1, \dots, m_r, n_k] \models_\nabla B^*$ implies $M, [m_1, \dots, m_r, n_k] \models_\nabla C^*$ for every sequence $m_1, \dots, m_r$ and thus, by Definition 5, iff for every sequence $m_1, \dots, m_r$, $M, [m_1, \dots, m_r, n_k] \models_\nabla B^* \supset C^*$.

$A = GB$. Then $A^* = GB^*$. By Definition 5, $M, [n_1, \dots, n_k] \models_\nabla GB^*$ iff $\forall m \ge n_k.\ M, [n_1, \dots, n_k, m] \models_\nabla B^*$ iff (by the induction hypothesis) $\forall m \ge n_k.\ M, [m_1, \dots, m_r, n_k, m] \models_\nabla B^*$ for every sequence $m_1, \dots, m_r$ iff (by Definition 5) $M, [m_1, \dots, m_r, n_k] \models_\nabla GB^*$, for every sequence $m_1, \dots, m_r$.

$A = XB$. This case is very similar to the previous one and we omit it.

$A = B\,U\,C$. Then $A^* = C^* \vee (F(XC^* \wedge \nabla B^*))$. By Definition 5, we have $M, [n_1, \dots, n_k] \models_\nabla A^*$ iff ($M, [n_1, \dots, n_k] \models_\nabla C^*$ or $M, [n_1, \dots, n_k] \models_\nabla F(XC^* \wedge \nabla B^*)$) iff ($M, [n_1, \dots, n_k] \models_\nabla C^*$ or $\exists m \ge n_k.\ (M, [n_1, \dots, n_k, m] \models_\nabla XC^* \wedge \nabla B^*)$) iff ($M, [n_1, \dots, n_k] \models_\nabla C^*$ or $\exists m \ge n_k.\ (M, [n_1, \dots, n_k, m] \models_\nabla XC^*$ and $M, [n_1, \dots, n_k, m] \models_\nabla \nabla B^*)$) iff ($M, [n_1, \dots, n_k] \models_\nabla C^*$ or $\exists m \ge n_k.\ (M, [n_1, \dots, n_k, m, m+1] \models_\nabla C^*$ and $\forall l.\ n_k \le l \le m$ implies $M, [n_1, \dots, n_k, l] \models_\nabla B^*)$) iff (by the induction hypothesis) for every sequence $m_1, \dots, m_r$, we have ($M, [m_1, \dots, m_r, n_k] \models_\nabla C^*$ or $\exists m \ge n_k.\ (M, [m_1, \dots, m_r, n_k, m, m+1] \models_\nabla C^*$ and $\forall l.\ n_k \le l \le m$ implies $M, [m_1, \dots, m_r, n_k, m, l] \models_\nabla B^*)$) iff (by Definition 5) $M, [m_1, \dots, m_r, n_k] \models_\nabla C^* \vee (F(XC^* \wedge \nabla B^*))$ for every sequence $m_1, \dots, m_r$. ⊓⊔

Proof of Corollary 1

Immediate, by Lemma 1. ⊓⊔

Proof of Lemma 2

By induction on the complexity of $A$. The base case is when $A = p$ or $A = \bot$ and is trivial. As inductive step, we have a case for each connective and temporal operator.

$A = B \supset C$. Then $A^* = B^* \supset C^*$. We have $M, n \models_{LTL} B \supset C$ iff (by Definition 2) $M, n \models_{LTL} B$ implies $M, n \models_{LTL} C$ iff (by the induction hypothesis) $M, [n] \models_\nabla B^*$ implies $M, [n] \models_\nabla C^*$ iff (by Definition 5) $M, [n] \models_\nabla B^* \supset C^*$.

$A = GB$. Then $A^* = GB^*$. We have $M, n \models_{LTL} GB$ iff (by Definition 2) $\forall m \ge n.\ M, m \models_{LTL} B$ iff (by the induction hypothesis) $\forall m \ge n.\ M, [m] \models_\nabla B^*$ iff (by Lemma 1) $\forall m \ge n.\ M, [n, m] \models_\nabla B^*$ iff (by Definition 5) $M, [n] \models_\nabla GB^*$.

$A = XB$. This case is very similar to the previous one and we omit it.

$A = B\,U\,C$. Then $A^* = C^* \vee (F(XC^* \wedge \nabla B^*))$. We have $M, n \models_{LTL} A$ iff (by Definition 2) $\exists m \ge n.\ M, m \models_{LTL} C$ and $\forall n'.\ n \le n' < m$ implies $M, n' \models_{LTL} B$ iff $M, n \models_{LTL} C$ or ($\exists m > n.\ M, m \models_{LTL} C$ and $\forall n'.\ n \le n' < m$ implies $M, n' \models_{LTL} B$) iff (by the induction hypothesis) $M, [n] \models_\nabla C^*$ or ($\exists m > n.\ M, [m] \models_\nabla C^*$ and $\forall n'.\ n \le n' < m$ implies $M, [n'] \models_\nabla B^*$) iff (by Lemma 1) $M, [n] \models_\nabla C^*$ or ($\exists m > n.\ M, [n, m] \models_\nabla C^*$ and $\forall n'.\ n \le n' < m$ implies $M, [n, n'] \models_\nabla B^*$) iff $M, [n] \models_\nabla C^*$ or ($\exists l \ge n.\ M, [n, l, l+1] \models_\nabla C^*$ and $\forall n'.\ n \le n' \le l$ implies $M, [n, n'] \models_\nabla B^*$) iff (by Definition 5) $M, [n] \models_\nabla C^*$ or ($\exists l \ge n.\ M, [n, l] \models_\nabla XC^* \wedge \nabla B^*$) iff (by Definition 5) $M, [n] \models_\nabla C^* \vee F(XC^* \wedge \nabla B^*)$. ⊓⊔

A.2 The system N(LTL∇)

Proof of Lemma 3
The proofs of the statements (i) and (ii) proceed in parallel and are by induction on the formula complexity. The base case is when $A_l = p$ or $A_l = \bot$ and is trivial. There is one inductive step case for each other formation case coming from the recursive definition of the grammar (3). Along the proof, $A_l, B_l, C_l, \dots$ denote LTL$_l$-formulas while $A_{l\nabla}, B_{l\nabla}, C_{l\nabla}, \dots$ denote LTL$_{l\nabla}$-formulas.

$A_l = B_l \supset C_l$. By Definition 5, we have $M, [n_1, \dots, n_k] \models_\nabla B_l \supset C_l$ iff $M, [n_1, \dots, n_k] \models_\nabla B_l$ implies $M, [n_1, \dots, n_k] \models_\nabla C_l$. By the induction hypothesis, we see that this holds iff $M, [m_1, \dots, m_r, n_k] \models_\nabla B_l$ implies $M, [m_1, \dots, m_r, n_k] \models_\nabla C_l$ for every sequence $m_1, \dots, m_r$ and thus, by Definition 5, iff for every sequence $m_1, \dots, m_r$, $M, [m_1, \dots, m_r, n_k] \models_\nabla B_l \supset C_l$.

$A_l = G B_{l\nabla}$. $M, [n_1, \dots, n_k] \models_\nabla G B_{l\nabla}$ iff (by Definition 5) $\forall m \ge n_k.\ M, [n_1, \dots, n_k, m] \models_\nabla B_{l\nabla}$ iff (by the induction hypothesis) $\forall m \ge n_k.\ M, [m_1, \dots, m_r, n_k, m] \models_\nabla B_{l\nabla}$ for every sequence $m_1, \dots, m_r$ iff (by Definition 5) $M, [m_1, \dots, m_r, n_k] \models_\nabla G B_{l\nabla}$ for every sequence $m_1, \dots, m_r$.

$A_l = X B_{l\nabla}$. This case is very similar to the previous one and we omit it.

$A_{l\nabla} = B_l$. $M, [n_1, \dots, n_k] \models_\nabla B_l$ iff (by the induction hypothesis) $M, [i_1, \dots, i_s, n_k] \models_\nabla B_l$ for every sequence $i_1, \dots, i_s$ and thus also $M, [m_1, \dots, m_r, n_{k-1}, n_k] \models_\nabla B_l$ for every sequence $m_1, \dots, m_r$.

$A_{l\nabla} = B_{l\nabla} \supset C_{l\nabla}$. $M, [n_1, \dots, n_k] \models_\nabla B_{l\nabla} \supset C_{l\nabla}$ iff (by Definition 5) $M, [n_1, \dots, n_k] \models_\nabla B_{l\nabla}$ implies $M, [n_1, \dots, n_k] \models_\nabla C_{l\nabla}$. By the induction hypothesis, this holds iff $M, [m_1, \dots, m_r, n_{k-1}, n_k] \models_\nabla B_{l\nabla}$ implies $M, [m_1, \dots, m_r, n_{k-1}, n_k] \models_\nabla C_{l\nabla}$ for every sequence $m_1, \dots, m_r$ and thus, by Definition 5, iff for every sequence $m_1, \dots, m_r$, $M, [m_1, \dots, m_r, n_{k-1}, n_k] \models_\nabla B_{l\nabla} \supset C_{l\nabla}$.

$A_{l\nabla} = \nabla B_{l\nabla}$. $M, [n_1, \dots, n_k] \models_\nabla \nabla B_{l\nabla}$ iff (by Definition 5) $\forall n.\ n_{k-1} \le n \le n_k$ implies $M, [n_1, \dots, n_{k-1}, n] \models_\nabla B_{l\nabla}$ iff (by the induction hypothesis) $\forall n.\ n_{k-1} \le n \le n_k$ implies $M, [m_1, \dots, m_r, n_{k-1}, n] \models_\nabla B_{l\nabla}$ for every sequence $m_1, \dots, m_r$ iff (by Definition 5) $M, [m_1, \dots, m_r, n_{k-1}, n_k] \models_\nabla \nabla B_{l\nabla}$ for every sequence $m_1, \dots, m_r$. ⊓⊔

A.3 Soundness

Proof of Theorem 2
We present here some more cases related to the proof of Theorem 2, which states the soundness of the system N(LTL∇) with respect to the semantics of LTL∇.

Consider the case in which the last rule application is a $GI$, where α = βb and A = GB; the rule has as premise a derivation Π concluding βb b : B under the discharged relational assumption [b b], and as conclusion βb : GB, where Π is a proof of βb : GB from hypotheses in Φ′, with b fresh and with Φ′ = Φ ∪ {b b}. By the induction hypothesis, for all interpretations $I$, if $M, I \models_\nabla \Phi'$, then $M, I \models_\nabla$ βb b : B. We let $I$ be any interpretation such that $M, I \models_\nabla \Phi$, and show that $M, I \models_\nabla$ βb : GB. Let $I(b) = n$ and $I^+(\beta) = [n_1, \dots, n_k]$. Since b is fresh, we can extend $I$ to an interpretation (still called $I$ for simplicity) such that $I(b) = n + m$ for an arbitrary $m > 0$. The induction hypothesis yields $M, I \models_\nabla$ βb b : B, i.e., $M, [n_1, \dots, n_k, n, n+m] \models_\nabla B$, and thus, since $m$ is arbitrary, we obtain $M, [n_1, \dots, n_k, n] \models_\nabla GB$. It follows $M, I \models_\nabla$ βb : GB.

Now consider the case in which the last rule applied is $GE$ and α = βb b; the rule has as premises a derivation Π concluding βb : GA and the relational formula b b, and as conclusion βb b : A, where Π is a proof of βb : GA from hypotheses in Φ, with Φ = Φ ∪ {b b} for some set Φ of formulas. By applying the induction hypothesis on Π, we have $\Phi \models_\nabla$ βb : GA. We proceed by considering a generic LTL-model $M$ and a generic interpretation $I$ on it such that $M, I \models_\nabla \Phi$ and showing that this entails $M, I \models_\nabla$ βb b : A. Since Φ ⊂ Φ, we deduce $M, I \models_\nabla \Phi$ and, from the induction hypothesis, $M, I \models_\nabla$ βb : GA. Furthermore $M, I \models_\nabla \Phi$ entails $M, I \models_\nabla$ b b. Then, by Definition 5, we obtain $M, I \models_\nabla$ βb b : A.

Now consider the case in which the last rule applied is $\nabla E$ and α = βb b; the rule has as premises a derivation Π concluding βb b : ∇A and the relational formulas b b and b b, and as conclusion βb b : A, where Π is a proof of βb b : ∇A from hypotheses in Φ, with Φ = Φ ∪ {b b} ∪ {b b} for some set Φ of formulas. By applying the induction hypothesis on Π, we have $\Phi \models_\nabla$ βb b : ∇A.
We proceed by considering a generic LTL-model $M$ and a generic interpretation $I$ on it such that $M, I \models_\nabla \Phi$ and showing that this entails $M, I \models_\nabla$ βb b : A. Since Φ ⊂ Φ, we deduce $M, I \models_\nabla \Phi$ and, from the induction hypothesis, $M, I \models_\nabla$ βb b : ∇A. Furthermore $M, I \models_\nabla \Phi$ entails $M, I \models_\nabla$ b b and $M, I \models_\nabla$ b b. Then, by Definition 5, we obtain $M, I \models_\nabla$ βb b : A.

Finally, consider the case in which the last rule applied is ind and α = βb; the rule has as premises a derivation Π′ concluding βb : A, the relational formula b b, and a derivation Π concluding $\beta b_j : A$ under the discharged assumptions [b $b_i$], [$b_i \triangleright b_j$] and [$\beta b_i : A$], and as conclusion βb : A, where Π is a proof of $\beta b_j : A$ from hypotheses in Φ and Π′ is a proof of βb : A from hypotheses in Φ, with Φ = Φ ∪ {b b} and Φ = Φ ∪ {b $b_i$} ∪ {$b_i \triangleright b_j$} ∪ {$\beta b_i : A$} for some set Φ of formulas. The side-condition on ind ensures that $b_i$ and $b_j$ are fresh in Π. Hence, by applying the induction hypothesis on Π and Π′, we have $\Phi \models_\nabla \beta b_j : A$ and $\Phi \models_\nabla$ βb : A. We proceed by considering a generic LTL-model $M$ and a generic interpretation $I$ on it such that $M, I \models_\nabla \Phi$ and showing that this entails $M, I \models_\nabla$ βb : A. First, we note that Φ ⊂ Φ and therefore $M, I \models_\nabla \Phi$ implies $M, I \models_\nabla \Phi$ and, by the induction hypothesis on Π′, $M, I \models_\nabla$ βb : A. Now let $I(b) = n$ for some natural number $n$. From $M, I \models_\nabla \Phi$, we deduce $M, I \models_\nabla$ b b and thus $I(b) = n + k$ for some $k \in \mathbb{N}$. We show by induction on $k$ that $M, I \models_\nabla$ βb : A. As a base case, we have $k = 0$; it follows that $I(b) = I(b)$ and thus trivially that $M, I \models_\nabla$ βb : A entails $M, I \models_\nabla$ βb : A. Let us consider now the induction step. Given a label $b_{k-1}$ such that $I(b_{k-1}) = n + k - 1$, we show that the induction hypothesis $M, I \models_\nabla \beta b_{k-1} : A$ entails the thesis $M, I \models_\nabla$ βb : A. We can build an interpretation $I'$ that differs from $I$ only in the points assigned to $b_i$ and $b_j$, namely $I'$ assigns $n + k - 1$ to $b_i$ and $n + k$ to $b_j$. It is easy to verify that the interpretation $I'$ is such that the following three conditions hold:
(i) $M, I' \models_\nabla \beta b_i : A$;
(ii) $M, I' \models_\nabla$ b $b_i$;
(iii) $M, I' \models_\nabla b_i \triangleright b_j$.
Furthermore, the side-condition on the rule ind ensures that $I$ and $I'$ agree on all the labels occurring in Φ, from which we can infer $M, I' \models_\nabla \Phi$. It follows $M, I' \models_\nabla \Phi$ and thus, by the induction hypothesis on Π, $M, I' \models_\nabla \beta b_j : A$. We conclude $M, I' \models_\nabla$ βb : A by observing that $I'(b_j) = I(b)$. ⊓⊔

A.4 Completeness

Proof of Theorem 4
We present here the N(LTL∇)-derivations of the remaining axioms of H(LTL). Note that, for simplicity, we use also some rules (i.e., FI, FE, ∨I, ∨E, ∧I and ∧E) concerning derived operators. They can be easily derived from the set of rules in Figure 1.

(A2)
[ b : G ( A ⊃ B )] [ b c ] bc : A ⊃ B G E [ b : G A ] [ b c ] bc : A G Ebc : B ⊃ Eb : G B G I b : G A ⊃ G B ⊃ I b : G ( A ⊃ B ) ⊃ ( G A ⊃ G B ) ⊃ I

(A3) (X¬A ↔ ¬XA)
[ b : X ¬ A ] [ b ⊳ c ] bc : ¬ A X E [ b : X A ] [ b ⊳ c ] bc : A X Ebc : ⊥ ⊃ Eb : ¬ X A ⊥ E b : ¬ X A ser ⊳ b : X ¬ A ⊃ ¬ X A ⊃ I [ b : ¬ X A ] [ b ⊳ c ] [ b ⊳ d ] [ bc : A ] bd : A lin ⊳ b : X A X I b : ⊥ ⊃ Ebc : ¬ A ⊃ b : X ¬ A X I b : ¬ X A ⊃ X ¬ A ⊃ I

(A4) This proof is similar to the one for (A2) and we thus omit it.

(A5)
[ b : G A ] [ b b ] bb : A G Eb : A last b : A refl [ b ⊳ c ] [ b c ] [ c d ] [ b : G A ] [ b d ] bd : A G Ebd : A trans bd : A base bcd : A last bc : G A G I b : XG A X I b : A ∧ XG A ∧ Ib : G A ⊃ ( A ∧ XG A ) ⊃ I

(A7) Note that, for brevity, we give here a derivation of a, clearly equivalent, simplified version of the translation of (A7).
Namely, we consider F(XB ∧ ∇A) ⊃ (A ∧ X(B ∨ F(XB ∧ ∇A))) instead of B ∨ F(XB ∧ ∇A) ⊃ B ∨ (A ∧ X(B ∨ F(XB ∧ ∇A))).

Left-to-right direction:
[ b : F ( X B ∧ ∇ A )] [ bc : X B ∧ ∇ A ] bc : ∇ A ∧ E [ b b ] [ b c ] bb : A ∇ Ebb : A refl b : A last Π b : X ( B ∨ F ( X B ∧ ∇ A )) b : A ∧ X ( B ∨ F ( X B ∧ ∇ A )) ∧ Ib : A ∧ X ( B ∨ F ( X B ∧ ∇ A )) F E b : F ( X B ∧ ∇ A ) ⊃ ( A ∧ X ( B ∨ F ( X B ∧ ∇ A ))) ⊃ I

where Π is the following derivation:
[ b c ] [ b ⊳ b ′ ] [ bc : X B ∧ ∇ A ] bc : X B ∧ E [ c b ′ ] bcb ′ : B X Ebb ′ : B last bb ′ : B ∨ F ( X B ∧ ∇ A ) ∨ I b ⊳ b ′ b ⊳ b ′′ Π bb ′′ : B ∨ F ( X B ∧ ∇ A ) [ bb ′ : B ∨ F ( X B ∧ ∇ A )] bb ′ : B ∨ F ( X B ∧ ∇ A ) lin ⊳ bb ′ : B ∨ F ( X B ∧ ∇ A ) split b : X ( B ∨ F ( X B ∧ ∇ A )) X I

and Π is the following derivation:
[ bc : X B ∧ ∇ A ] bc : X B ∧ E [ c ⊳ c ′ ] bcc ′ : B X Ebb ′′ cc ′ : B last bb ′′ c : X B X I [ b ⊳ b ′′ ] [ b b ′′ ] [ b ′′ d ] [ bc : X B ∧ ∇ A ] bc : ∇ A ∧ E [ b d ] [ d c ] bd : A ∇ Ebd : A trans bd : A base bb ′′ d : A last bb ′′ c : ∇ A ∇ I bb ′′ c : X B ∧ ∇ A ∧ I [ b ′′ c ] bb ′′ : F ( X B ∧ ∇ A ) F Ibb ′′ : B ∨ F ( X B ∧ ∇ A ) ∨ I

Right-to-left direction: in the following derivations, we denote with ϕ the formula b : A ∧ X(B ∨ F(XB ∧ ∇A)).
[ ϕ ] b : X ( B ∨ F ( X B ∧ ∇ A )) ∧ E [ b ⊳ e ] be : B ∨ F ( X B ∧ ∇ A ) X E [ be : B ] Π b : F ( X B ∧ ∇ A ) [ be : F ( X B ∧ ∇ A )] Π b : F ( X B ∧ ∇ A ) b : F ( X B ∧ ∇ A ) ∨ E b : F ( X B ∧ ∇ A ) ser ⊳ b : ( A ∧ X ( B ∨ F ( X B ∧ ∇ A ))) ⊃ F ( X B ∧ ∇ A ) ⊃ I

where Π is the following derivation:
[ b ⊳ e ] [ b ⊳ f ] [ be : B ] [ bf : B ] bf : B lin ⊳ bbf : B last bb : X B X I [ b b ′ ] [ b ′ b ] [ ϕ ] b : A ∧ Eb ′ : A eq bb ′ : A last bb : ∇ A ∇ I bb : X B ∧ ∇ A ∧ I [ b b ] b : F ( X B ∧ ∇ A ) F Ib : F ( X B ∧ ∇ A ) refl

Π is the following derivation:
[ be : F ( X B ∧ ∇ A )] [ b ⊳ e ] [ b e ] [ e c ] [ bec : X B ∧ ∇ A ] bec : B ∧ E [ c ⊳ f ] becf : B X Ebcf : B last bc : X B X I Π bc : ∇ Abc : X B ∧ ∇ A ∧ I [ b c ] b : F ( X B ∧ ∇ A ) F Ib : F ( X B ∧ ∇ A ) trans b : F ( X B ∧ ∇ A ) base b : F ( X B ∧ ∇ A ) F E

and Π is the following derivation:
[ b d ] [ ϕ ] b : A ∧ E [ d : A ] bd : A last [ b ⊳ f ] [ b ⊳ e ] [ f d ] [ bec : X B ∧ ∇ A ] bec : ∇ A ∧ E [ e d ] [ d c ] bed : A ∇ Ebed : A lin ⊳ bd : A last bd : A split bc : ∇ A ∇ I

Proof of the axiom (A8)
[ b : B ∨ ( F ( X B ∧ ∇ A ))] [ b : B ] bb : B last [ b b ] b : F B F Ib : F B refl [ b : F ( X B ∧ ∇ A )] [ c ⊳ d ] [ b c ] [ c d ] [ bc : X B ∧ ∇ A ] bc : X B ∧ E [ c ⊳ d ] bcd : B X Ebd : B last [ b d ] b : F B F Ib : F B trans b : F B base b : F B ser ⊳ b : F B F E b : F B ∨ E b : B ∨ ( F ( X B ∧ ∇ A )) ⊃ F B ⊃ I
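As an added worked example, written for this page and not part of the paper, the two satisfaction relations compared in the proof of Lemma 2 and the translation (·)* of Section 3.2 are spelled out as executable Python: Definition 2 (truth of an LTL-formula at a single time instant), Definition 5 (truth over an observation sequence, with ∇ ranging over the instants between the last two observed ones) and the until clause (B U C)* = C* ∨ F(XC* ∧ ∇B*). The model, the sample formulas and the helper names (Model, ltl_sat, nabla_sat, translate, lemma2_holds) are constructed here and are assumptions, not notation from the paper. Models are taken to be ultimately periodic (a finite prefix followed by a loop), so the unbounded quantifiers of G, F and U can be cut off at a finite horizon; for translated formulas this is justified by periodicity together with Lemma 1, which says their truth depends only on the last element of the sequence.

```python
from typing import List, Tuple

# Constructed model (not from the paper): an ultimately periodic LTL-model,
# i.e. a finite prefix of states followed by a loop repeated forever. Each
# state is the set of atomic propositions true at that time instant.
class Model:
    def __init__(self, prefix: List[set], loop: List[set]) -> None:
        if not loop:
            raise ValueError("the loop must contain at least one state")
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]

    def state(self, n: int) -> frozenset:
        if n < len(self.prefix):
            return self.prefix[n]
        return self.loop[(n - len(self.prefix)) % len(self.loop)]

    def horizon(self, n: int) -> int:
        # Every instant m >= n repeats the state (and, by periodicity and
        # Lemma 1, the truth of any translated formula) of some instant in
        # [n, horizon(n)), so "for all / exists m >= n" can stop here.
        return max(n, len(self.prefix)) + len(self.loop)


# Formulas are nested tuples. LTL: ('p', name), ('bot',), ('imp', A, B),
# ('G', A), ('X', A), ('U', A, B). LTL_nabla adds ('nabla', A) and the
# derived operators ('F', A), ('or', A, B), ('and', A, B).
Formula = Tuple


def ltl_sat(M: Model, n: int, A: Formula) -> bool:
    """Definition 2: M, n |=_LTL A, truth at the single time instant n."""
    op = A[0]
    if op == 'p':
        return A[1] in M.state(n)
    if op == 'bot':
        return False
    if op == 'imp':
        return (not ltl_sat(M, n, A[1])) or ltl_sat(M, n, A[2])
    if op == 'G':
        return all(ltl_sat(M, m, A[1]) for m in range(n, M.horizon(n)))
    if op == 'X':
        return ltl_sat(M, n + 1, A[1])
    if op == 'U':
        # existential on the instant m where C holds, universal on A in between
        return any(ltl_sat(M, m, A[2])
                   and all(ltl_sat(M, k, A[1]) for k in range(n, m))
                   for m in range(n, M.horizon(n)))
    raise ValueError(f"not an LTL operator: {op}")


def nabla_sat(M: Model, seq: List[int], A: Formula) -> bool:
    """Definition 5: M, [n_1, ..., n_k] |=_nabla A over an observation sequence."""
    op, nk = A[0], seq[-1]
    if op == 'p':
        return A[1] in M.state(nk)
    if op == 'bot':
        return False
    if op == 'imp':
        return (not nabla_sat(M, seq, A[1])) or nabla_sat(M, seq, A[2])
    if op == 'or':
        return nabla_sat(M, seq, A[1]) or nabla_sat(M, seq, A[2])
    if op == 'and':
        return nabla_sat(M, seq, A[1]) and nabla_sat(M, seq, A[2])
    if op == 'G':
        return all(nabla_sat(M, seq + [m], A[1]) for m in range(nk, M.horizon(nk)))
    if op == 'F':
        return any(nabla_sat(M, seq + [m], A[1]) for m in range(nk, M.horizon(nk)))
    if op == 'X':
        return nabla_sat(M, seq + [nk + 1], A[1])
    if op == 'nabla':
        # The history: A holds at every instant l with n_{k-1} <= l <= n_k,
        # each observed with l in place of n_k as the last element.
        if len(seq) < 2:
            raise ValueError("nabla needs an observation sequence of length >= 2")
        return all(nabla_sat(M, seq[:-1] + [l], A[1]) for l in range(seq[-2], nk + 1))
    raise ValueError(f"not an LTL_nabla operator: {op}")


def translate(A: Formula) -> Formula:
    """The translation (.)*: until becomes C* v F(X C* ^ nabla B*)."""
    op = A[0]
    if op in ('p', 'bot'):
        return A
    if op == 'imp':
        return ('imp', translate(A[1]), translate(A[2]))
    if op in ('G', 'X'):
        return (op, translate(A[1]))
    if op == 'U':
        B, C = translate(A[1]), translate(A[2])
        return ('or', C, ('F', ('and', ('X', C), ('nabla', B))))
    raise ValueError(f"not an LTL operator: {op}")


def lemma2_holds(M: Model, A: Formula, up_to: int) -> bool:
    """Lemma 2 checked on instants 0..up_to-1: M,n |=_LTL A iff M,[n] |=_nabla A*."""
    A_star = translate(A)
    return all(ltl_sat(M, n, A) == nabla_sat(M, [n], A_star) for n in range(up_to))


# Constructed sample: a holds at instants 0 and 1, b at 2, then c forever.
a, b, c = ('p', 'a'), ('p', 'b'), ('p', 'c')
SAMPLE = Model(prefix=[{'a'}, {'a'}, {'b'}], loop=[{'c'}])
A_UNTIL_B = ('U', a, b)
A_UNTIL_C = ('U', a, c)                 # fails: a is broken at instant 2
C_STAYS = ('G', ('imp', c, ('X', c)))

if __name__ == '__main__':
    for n in range(4):
        print(n, ltl_sat(SAMPLE, n, A_UNTIL_B), nabla_sat(SAMPLE, [n], translate(A_UNTIL_B)))
    print(all(lemma2_holds(SAMPLE, A, 6) for A in (A_UNTIL_B, A_UNTIL_C, C_STAYS)))
```

Running the block prints, for the constructed model, that a U b holds at instants 0, 1 and 2 and fails from 3 on under both semantics, and that the two relations agree on the sample formulas at every checked instant; the nabla case shows directly why A_UNTIL_C fails, since ∇a over [0, 2] demands a at instant 2, where only b holds.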