Being correct is not enough: efficient verification using robust linear temporal logic
Tzanis Anevlavis, Matthew Philippe, Daniel Neider, Paulo Tabuada
aa r X i v : . [ c s . L O ] F e b BEING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USINGROBUST LINEAR TEMPORAL LOGIC
TZANIS ANEVLAVIS, MATTHEW PHILIPPE, DANIEL NEIDER, AND PAULO TABUADA
Abstract.
While most approaches in formal methods address system correctness, ensuring robustness hasremained a challenge. In this paper we introduce the logic rLTL which provides a means to formally reasonabout both correctness and robustness in system design. Furthermore, we identify a large fragment of rLTL forwhich the verification problem can be efficiently solved, i.e., verification can be done by using an automaton,recognizing the behaviors described by the rLTL formula ϕ , of size at most O ( ∣ ϕ ∣ ) , where ∣ ϕ ∣ is the length of ϕ . This result improves upon the previously known bound of O ( ∣ ϕ ∣ ) for rLTL verification and is closer to theLTL bound of O ( ∣ ϕ ∣ ) . The usefulness of this fragment is demonstrated by a number of case studies showingits practical significance in terms of expressiveness, the ability to describe robustness, and the fine-grainedinformation that rLTL brings to the process of system verification. Moreover, these advantages come at a lowcomputational overhead with respect to LTL verification. Introduction
As Cyber-Physical Systems (CPS) inevitably become increasingly complex, the ability to completely guaranteecorrectness of their design and implementation via exhaustive testing fades. Moreover, almost every aspect ofcontemporary life is becoming intertwined with CPSs, such smart grids, smart cities, mobility on demand andautonomous vehicles, and even medical devices. Consequently, in an attempt to reduce design errors, formalmethods have been investigated to support modeling and verification of CPSs.Most work in formal methods has focused on system correctness, i.e., in ensuring that systems are guaranteedto meet their design specifications. We argue that correctness is necessary, but not sufficient for a gooddesign. To illustrate this point, just consider the correctness specifications for open reactive systems, whichare typically written in the form of an implication:(1.1) ϕ ⇒ ψ, where ϕ is an environment assumption and ψ is a system guarantee. In Linear Temporal Logic (LTL) theimplication in (1.1) is equivalent to ¬ ϕ ∨ ψ , and, ergo, whenever the assumption ϕ is violated the abovespecification yields no information on the guarantee. In other words, the system can behave arbitrarily.Thus, in addition to correctness, systems should also be designed to be robust, i.e., small deviations from theassumptions made at design time should lead to, at most, small violations of the design specifications. While itis hard to dispute that design time assumptions may not hold in the environments where systems will actuallybe deployed, since these may not be completely known at design time or may be evolving over time, how toformally describe robustness is a question that has not received enough attention despite the recent effortsdescribed in Section 1.1. In this paper, we address this problem by introducing a new logic, termed robustLinear-time Temporal Logic and abbreviated as rLTL, that allows to specify robustness. Its syntax closelymirrors that of LTL to lower the barriers to its adoption. Its semantics, however, is different in many regards.In particular, it is a many-valued logic so that one can reason about the different ways in which assumptionsand guarantees can be violated. This work was partially supported by the NSF grant 1645824 and by the CONIX Research Center, one of six centers in JUMP,a Semiconductor Research Corporation (SRC) program sponsored by DARPA.
To shed more light into the mechanics of rLTL, consider the LTL formula □ p with p an atomic proposition.There is only one way in which this formula is satisfied, namely when p holds at every time step. In contrast,there are several ways in which this formula can be violated over an infinite trace: (1) the worst possibleviolation occurs when p fails to hold at every time step; (2) a slightly better scenario is where p holds for atmost finitely many time instants; (3) better yet would be that p holds at infinitely many instants, while stillfailing to hold at infinitely many instants; (4) finally, among all the possible ways in which □ p can be violated,the most preferable case would be the one where p fails to hold for at most finitely many time instants. Thesemantics of rLTL is exactly designed to distinguish between these different ways.In preliminary work [TN16], we introduced a fragment of rLTL that only contained the always, eventually,and next operators. We showed, in that restricted context, that we can decide if a system satisfies an rLTLformula ϕ by using an automaton with size O ( ∣ ϕ ∣ ) , where ∣ ϕ ∣ denotes the length of ϕ . The correspondingautomaton for LTL has size O ( ∣ ϕ ∣ ) and the change in the base of the exponential follows from the fact thatLTL is a 2-valued logic, whereas rLTL is 5-valued. In this paper we offer a fragment of rLTL, including alsothe until and release operators, for which the verification problem can be solved more efficiently, i.e., by usingan automaton of size O ( ∣ ϕ ∣ − κ ( ϕ ) κ ( ϕ ) ) , where κ ( ϕ ) measures the number of unique subformulae of ϕ thatcontain always and release operators. In particular, this provides the upper bound O ( ∣ ϕ ∣ ) on the size of thisautomaton which is closer to the LTL bound.To illustrate the usefulness of rLTL and the proposed fragment, we offer several case studies that demonstrate:(1) how rLTL can identify a non-robust system, whereas LTL cannot, as it does not provide information aboutthe guarantee of an implication when the environment deviates from the modeling assumptions; (2) how theproposed fragment contains the most important reactivity patterns [DAC99]; and (3) how the five truth valuesprovide insightful information when a specification is violated, which can be useful for a designer seeking toimprove the designed system and/or the specification. Moreover, the computational overhead associated withrLTL model-checking is relatively low with respect to LTL model-checking as shown by our experiments.1.1. In a labyrinth of robustness.
A number of efforts has been made in order to express the “correct”notion of robustness with regards to cyber-physical systems in formal methods. In this section, we presentan extensive, but not exhaustive, review of various formalizations of robustness. We begin by a series ofapproaches, which require the designer to provide information in addition to the desired specification.In [BCG + k ∈ N (k-robustness). Counting is achieved through error functionsprovided by the designer. The second concept, robustness for liveness, considers specifications of the form ∧ i ∈ I ◇ □ p i ⇒ ∧ j ∈ J ◇ □ q j , where p i , q j are atomic propositions, and then compares the number of violatedassumptions to the number of violated guarantees. The rLTL semantics, even though being able to distinguishbetween the different ways in which a specification can be violated, does not distinguish between the violationof one assumption from the violation of multiple assumptions. Hence, the second approach cannot be comparedto the one proposed here. Furthermore, we make no distinctions between safety and liveness properties.Moreover, in [BCES19], a different framework for robust synthesis is proposed, that does not encompass theone above. Different notions of robustness are considered, e.g., a robust system satisfies a guarantee, eventhough a finite number, or even all, of the inputs are hidden/misread, or even though the assumption is violatedfinitely/infinitely often. Many of the considered notions are incorporated in rLTL, and in fact our definition ofrobustness allows systems to satisfy weaker guarantees, whenever the assumptions are also weakened, whichis more general. Nonetheless, we cannot compare with the notions of robustness in [BCES19] that count thenumber of violations, since the rLTL semantics distinguishes only between zero, finite, and infinite violationsof a specification. EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 3
In the intriguing work of [RBNG16], a link between both MTL/LTL, and Linear Time-Invariant (LTI) filteringis established. More specifically, it is shown that LTI filtering corresponds to MTL if addition and multiplica-tion are interpreted as max and min, and if true and false are interpreted as one and zero. By using differentfiltering kernels, one expresses weaker or stronger interpretations of the same formula. However, this burdensthe designer both with the choice of kernels and the use multiple semantics to reason about how weakeningthe assumptions leads to weakening the guarantees.Contrary to all the approaches described so far, which require robustness metrics to be provided by thedesigner, when working with rLTL the designer only needs to provide the desired specification and no otherinformation. Hence, we ease the designers effort since it is not always clear which quantitative metric leads tothe desired qualitative behavior.Another interpretation of robustness is provided in [TUS +
17] by utilizing a mean-payoff objective. Givenan LTL specification of the form □ ϕ ⇒ □ ψ , the environment may violate the assumption, and it is thenplausible that a robust system produces a small difference between the number of steps violating □ ψ and thenumber of steps violating □ ϕ , which is interpreted as a mean-payoff objective. Again, such approaches are notcomparable to ours since rLTL distinguishes only between zero, finite, and infinite violations of a specification.In the domain of software systems, [ZGK20] defines robustness as the largest set of deviating environmentalbehaviors under which the system still guarantees a desired property. Therefore, robustness is defined, withrespect to a property, as the set of all deviations under which a system continues to satisfy that property.Although this work focuses on computing robustness, rather than characterizing it, it is possible that certaintemporal deviations could be expressed in rLTL. Additional noteworthy works, although incomparable with themethods described here, are [CGL10] and [MS09], which consider continuity properties of software expressed bythe requirement that a deviation in a program’s input causes a proportional deviation in its output. Althoughnatural, these notions of robustness only apply to the Turing model of computation and not to the reactivemodel of computation employed in this paper.A plethora of works exists regarding robustness of specifications when reasoning over real-valued, continuous-time signals, with the most prominent being [FP09], [DM10]. In these works, no discussion of the specificchoices made when crafting the many-valued semantics is provided. It is interesting, though, that the notionof “time robustness” in [DM10] is close to the one of rLTL in the sense that it measures the time needed for thetruth value of a formula to change. Nevertheless, in this line of work robustness is derived from the real-valuednature of the signals, whereas in rLTL, we reason over the more classical setting of discrete-time and Booleanvalued signals, with robustness derived from the temporal evolution of these signals. Consequently, the worksof [FP09], [DM10], and their extensions can be considered of orthogonal and complementary nature to ours.Another relevant approach of multi-valued extensions of LTL is found in [ABK16]. This work introduces twoquantitative extensions of LTL, one by propositional quality operators termed LTL [ F ] , parameterized by aset F of functions over [ , ] , and one by discounting operators termed LTL disc [ D ] , parameterized by a set D of discounting functions. Both logics employ a many-valued variant of LTL to reason about quality, and thesatisfaction value of a specification is a number in [ , ] , which describes the quality of the satisfaction. Theuse of a many-valued semantics in the context of quality is as natural as in the context of robustness. In fact,it was shown in [TN16] that by dualizing the semantics of rLTL in a specific sense we obtain a logic that isadequate to reason about quality. Nevertheless, there are strong conceptual differences between the approachtaken in this paper and the approach in [ABK16]. First, our notion of robustness or quality is intrinsic to thelogic, while the approach in [ABK16] requires the designer to provide their own interpretation in the form ofthe sets F or D of functions that parameterize the logic. Second, there are several choices to define the logicalconnectives on the interval [ , ] . As an illustration for the latter, note that there are three commonly usedconjunctions: Lukasiewicz’s conjunction a ∧ b = max { , a + b − } , G¨odel’s conjunction a ∧ b = min { a, b } , andthe product of real numbers a ∧ b = a ⋅ b also known as Goguen’s conjunction. Moreover, each such choice leadsto a different notion of implication via residuation. Whether G¨odel’s conjunction, used in [ABK16], is the ANEVLAVIS, ET AL. most adequate to formalize quality is a question not addressed in [ABK16]. In contrast, we carefully discussand motivate all the choices made when defining the semantics of rLTL with robustness considerations.The last body of work related to the contents of this paper is [KL07, AK14] on lattice automata and latticeLTL. The syntax of lattice LTL is similar to the syntax of LTL except that atomic propositions assume valueson a finite lattice (which has to satisfy further restrictions such as being distributive). Although both latticeLTL as well as rLTL are many-valued logics, lattice LTL derives its many-valued character from the atomicpropositions. In contrast, atomic propositions in rLTL are interpreted classically (i.e., they only assume twotruth values). Therefore, the many-valued character of rLTL arises from the temporal evolution of the atomicpropositions and not from the nature of the atomic propositions or their interpretation. In fact, if we only allowtwo truth values for the atomic propositions in lattice LTL, as is the case for rLTL, lattice LTL degeneratesinto LTL. Hence, these two logics capture orthogonal considerations, and results on lattice LTL and latticeautomata do not shed light on how to address similar problems for rLTL.1.2.
Outline of the paper.
The outline of the paper is as follows: in Section 2, the basic definitions ofLTL and results on the LTL model-checking problem are reviewed. Following up in Section 3, the syntax ofrLTL is presented, its semantics are thoroughly derived, and the necessity of the 5 truth values is justified.Subsequently, Section 4 discusses the relationship between rLTL and LTL and provides translations betweenthe two. Section 5 defines the rLTL model-checking problem and settles its decidability. After that, thefragment for efficient rLTL model-checking is identified in Section 6, and refined complexity bounds for therLTL model-checking are derived. A comprehensive case study on rLTL model-checking is conducted in Section7. Finally, concluding remarks are found in Section 8.2.
Preliminaries
Notation.
Let N = { , , . . . } be the set of natural numbers and B = { , } the set of Boolean values with0 interpreted as false and 1 interpreted as true . For a set A , let 2 A be the powerset of A , i.e., the set of allsubsets of A , let A ω be the set of all infinite sequences of elements of A , and let card ( A ) denote the cardinalityof A . An alphabet Σ is a finite, nonempty set whose elements are called symbols . An infinite word σ is aninfinite sequence σ = a a ⋅ ⋅ ⋅ ∈ Σ ω of symbols with a i ∈ Σ, i ∈ N . For an infinite word σ = σ σ ⋅ ⋅ ⋅ ∈ Σ ω and i ∈ N , let σ ( i ) = σ i denote the i -th symbol of σ and σ i.. the (infinite) suffix of σ starting at position i ,i.e., σ i.. = σ i σ i + . . . ∈ Σ ω . Notice that σ .. = σ .2.2. Review of Linear Temporal Logic (LTL) and LTL model-checking.
In this section, we describethe syntax and semantics of
Linear Temporal Logic (LTL) and recall the model-checking problem. This willform the backdrop against which rLTL will be introduced in the next section. The syntax of LTL is definedas follows.
Definition 1 (LTL syntax) . Let P be a nonempty, finite set of atomic propositions. The set of all LTLformulae on P , written LTL ( P ) , is the smallest set satisfying: • each p ∈ P is an LTL formula; and • if ϕ and ψ are LTL formulae, then so are ¬ ϕ , ϕ ∧ ψ , ϕ ∨ ψ , ϕ ⇒ ψ , ◯ ϕ , ◇ ϕ , □ ϕ , ϕ U ψ , and ϕ R ψ .The closure of ϕ , denoted by cl ( ϕ ) , is the set of its distinct subformulae, defined as: • cl ( p ) = { p } , if p is an atomic proposition, i.e., p ∈ P ; • cl ( op ( ϕ )) = { op ( ϕ )} ∪ cl ( ϕ ) , if op is a unary LTL operator, i.e., op ∈ { ¬ , ◯ , ◇ , □ } ; and • cl ( op ( ϕ, ψ )) = { op ( ϕ, ψ )} ∪ cl ( ϕ ) ∪ cl ( ψ ) , if op is a binary LTL operator, i.e., op ∈ { ∧ , ∨ , ⇒ , U , R } .The length of a formula ϕ ∈ LTL ( P ) , defined as ∣ ϕ ∣ = card ( cl ( ϕ )) , is the number of distinct subformulae itcontains. EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 5
For notational convenience, we have added syntactic sugar in the above definition by including the operators ∧ , ⇒ , □ , ◇ , R with their usual meaning as part of the syntax, although they can be defined using the ¬ , ∨ ,and U operators.Usually, the semantics of LTL are defined in terms of a satisfiability relation between an LTL formula overthe set of atomic propositions P and an infinite word over Σ = P . Having in mind the rLTL version of thesenotions, we provide a mathematically equivalent definition of the semantics as a mapping W assigning aninfinite word σ ∈ Σ ω and an LTL formula ϕ to the element W ( σ, ϕ ) ∈ B . Definition 2 (LTL Semantics) . The
LTL semantics is a mapping W ∶ ( P ) ω × LTL ( P ) → { , } , inductivelydefined as follows for p ∈ P and ϕ, ψ ∈ LTL ( P ) : • For atomic propositions: W ( σ, p ) = { , if p ∉ σ ( ) , , if p ∈ σ ( ) . • For logical connectives: W ( σ, ¬ ϕ ) = − W ( σ, ϕ ) , W ( σ, ϕ ∧ ψ ) = min { W ( σ, ϕ ) , W ( σ, ψ )} ,W ( σ, ϕ ∨ ψ ) = max { W ( σ, ϕ ) , W ( σ, ψ )} , W ( σ, ϕ ⇒ ψ ) = max { W ( σ, ¬ ϕ ) , W ( σ, ψ )} . • For temporal operators: W ( σ, ◯ ϕ ) = W ( σ .. , ϕ ) , W ( σ, ◇ ϕ ) = sup i ≥ W ( σ i.. , ϕ ) , W ( σ, □ ϕ ) = inf i ≥ W ( σ i.. , ϕ ) ,W ( σ, ϕ U ψ ) = sup j ≥ min { W ( σ j.. , ψ ) , inf ≤ i < j W ( σ i.. , ϕ )} , W ( σ, ϕ R ψ ) = inf j ≥ max { W ( σ j.. , ψ ) , sup ≤ i < j W ( σ i.. , ϕ )} . The evaluation of the mapping W on the LTL formula ϕ and the infinite word σ , W ( σ, ϕ ) , is the valuation of ϕ over σ . Having introduced the semantics of LTL, we now recall the problem of
LTL model-checking [CGP99, CHVB18,KPR98, LP85, PZ08, Sch02, VW86], which is essential in formal in verification. Given a model of a system, thequestion is to decide whether or not all possible executions of the model satisfy a specification. Traditionally,these models are described by
Kripke structures [CHVB18, Section 2.2], and the specifications are describedby LTL formulae.
Definition 3 (Kripke structures) . A Kripke structure over a set P of atomic propositions is a quadruple K = ( Q, Q , R, ℓ ) , where Q is a finite set of states, Q ⊆ Q is a set of initial states, R ⊆ Q × Q is a set oftransitions, and ℓ ∶ Q → P is the labeling function that associates each state with a set of atomic propositions.A path in K is an infinite sequence of states q q ⋅ ⋅ ⋅ ∈ Q ω such that q ∈ Q and ( q i , q i + ) ∈ R for all i ∈ N .Any path induces a corresponding computation ℓ ( q ) ℓ ( q ) ⋅ ⋅ ⋅ ∈ ( P ) ω . In addition to Kripke structures, B¨uchi automata are another ingredient in the solution of the LTL model-checking problem. LTL formulae can be translated to
B¨uchi Automata (BA) [BKL08, Section 4.3], [CHVB18,Section 4.2] and the set of words they recognize.
Definition 4 (B¨uchi Automaton) . A (non-deterministic) B¨uchi Automaton (BA) is a quintuple A = ( Q, Σ , Q , ∆ , F ) consisting of a nonempty, finite set Q of states, a (finite) input alphabet Σ , a set ofinitial states Q ⊆ Q , a (nondeterministic) transition relation ∆ ⊆ Q × Σ × Q , and a set F ⊆ Q defining theacceptance conditions.The run of a BA on a word σ ∈ Σ ω (also called input ) is an infinite sequence of states q q . . . ∈ Q ω satisfying q ∈ Q and ( q i , σ ( i ) , q i + ) ∈ ∆ for all i ∈ N . A run ρ is called accepting if at least one of its infinitely oftenoccurring states is in F . The language of a BA A , denoted by L ( A ) , is the set of all infinite words σ ∈ Σ ω for which an accepting run of A exists. ANEVLAVIS, ET AL.
The translation of an LTL formula ϕ to a BA A ϕ is done in two steps: 1) the LTL formula ϕ is translated toa Generalized B¨uchi Automaton (GBA); and 2) the GBA is translated to a BA.
Definition 5 (Generalized B¨uchi Automaton) . A (non-deterministic) Generalized B¨uchi Automaton (GBA)is a quintuple G = ( Q, Σ , Q , ∆ , F ) consisting of a nonempty, finite set Q of states, a (finite) input alphabet Σ , a set of initial states Q ⊆ Q , a (nondeterministic) transition relation ∆ ⊆ Q × Σ × Q , and a set F ⊆ Q denoting the acceptance conditions.The run of a GBA is defined analogously to the run of a BA. The difference is that a run is accepting if itsset of infinitely often occurring states contains at least one state from each accepting set in F . Note that theremay be no accepting sets, in which case any infinite run trivially satisfies this property. Proposition 2.1 (Section 5.2, [BKL08]) . Any LTL formula ϕ can be translated to a GBA G ϕ with at most ∣ ϕ ∣ states and at most ∣ ϕ ∣ accepting conditions. Moreover, the GBA G ϕ can be translated to a BA A ϕ withat most ∣ ϕ ∣ ⋅ ∣ ϕ ∣ states. Therefore, the time complexity of translating an LTL formula ϕ to a GBA A ϕ is O ( ∣ ϕ ∣ ) , and that oftranslating an LTL formula ϕ to a BA A ϕ is O (∣ ϕ ∣ ⋅ ∣ ϕ ∣ ) . Problem 1 (LTL model-checking) . Given a set of atomic propositions P , a Kripke structure K and an LTLformula ϕ , do all the computations of K satisfy ϕ ? The classical approach to solving Problem 1 has running time depending linearly on the size of the Kripkestructure and exponentially on the length of the LTL formula.
Corollary 2.2 (LTL model-checking) . The standard procedure for model-checking an LTL formula ϕ on aKripke structure K is as follows [BKL08, Section 5.2] , [CHVB18, Section 4] :1) Construct a BA A K such that A K accepts a computation π ∈ ( P ) ω if and only if π is a computation of K . The size of A K is linear in the size of K , i.e., in its number of states denoted by ∣ K ∣ .2) Construct a BA A ¬ ϕ recognizing the words satisfying the negation of ϕ , i.e., ¬ ϕ . The size of A ¬ ϕ isexponential in ∣ ϕ ∣ , specifically O (∣ ϕ ∣ ⋅ ∣ ϕ ∣ ) by Proposition 2.1.3) Compose A K with A ¬ ϕ to obtain A K , ¬ ϕ , which recognizes all the words of L ( A K ) that do not satisfy ϕ ,i.e., L ( A K , ¬ ϕ ) = L ( A K ) ∩ L ( A ¬ ϕ ) . The size of A K , ¬ ϕ is O (∣ K ∣ ⋅ ∣ ϕ ∣ ⋅ ∣ ϕ ∣ ) .4) Check the emptiness of L ( A K , ¬ ϕ ) : if A K , ¬ ϕ only recognizes the empty language, then L ( A K ) satisfies ϕ .The time complexity of Step 4 in terms of the size of K and the length of the LTL formula ϕ is: (2.1) O (∣ K ∣ ⋅ ∣ ϕ ∣ ⋅ ∣ ϕ ∣ ) . The above represents the classical, and tight, upper bound for the time complexity of LTL model-checking.
In this work, we are concerned with solutions to the model-checking problem that employ a translation offormulae to GBAs as we described in the previous paragraph. For this reason, when discussing the complexityof the model-checking problem induced by different temporal logics, we focus on the size of the correspondingGBA. For example, for an LTL formula ϕ the corresponding GBA has size O ( ∣ ϕ ∣ ) , and in Sections 5 and 6we will derive similar upper bounds for rLTL and an rLTL fragment respectively.3. The Syntax and Semantics of Robust Linear Temporal Logic
The main goal of robust Linear Temporal Logic (rLTL) is to embed a notion of robustness into LTL. With thisin mind, we crafted the syntax of rLTL so as to closely resemble that of LTL by using robust versions of LTLoperators. In addition to defining the rLTL syntax, we also define the rLTL semantics in this section and justifythe necessity of the many-valued semantics, i.e., the five rLTL truth values. We do so by first considering
EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 7 the rLTL ⊡ , ⟐ ( P ) fragment, i.e., the fragment of rLTL formulae that only allows the “robust always” ⊡ and“robust eventually” ⟐ temporal operators. This fragment was first introduced in [TN16], and in this sectionwe extend those results from the fragment rLTL ⊡ , ⟐ ( P ) to full rLTL.3.1. rLTL Syntax. We begin by presenting the rLTL syntax.
Definition 6 (rLTL syntax) . Let P be a nonempty, finite set of atomic propositions. The set of all rLTLformulae on P , written rLTL ( P ) , is the smallest set satisfying: • each p ∈ P is an rLTL formula; and • if ϕ and ψ are rLTL formulae, then so are ¬ ϕ , ϕ ∨ ψ , ϕ ∧ ψ , ϕ ⇛ ψ , ⊙ ϕ , ⟐ ϕ , ⊡ ϕ , ϕ U ⋅ ψ , and ϕ R ⋅ ψ .The length of a formula ϕ ∈ rLTL ( P ) , denoted by ∣ ϕ ∣ , is the number of distinct subformulae it contains. Notice that in LTL, the conjunction and implication operators can be derived from negation and disjunction.This is no longer the case in rLTL since it has a many-valued semantics. On these grounds, we directlyincluded conjunction and robust implication as part of the rLTL syntax in Definition 6. The same reasonjustifies the presence of the robust release operator R ⋅ , which, in the case of LTL, can be derived from theuntil and negation operators as ϕ R ψ = ¬ ( ¬ ϕ U ψ ) .3.2. The rLTL ⊡ , ⟐ ( P ) fragment. Consider, as a running example, the LTL formula □ p with p an atomicproposition. There is only one way in which this formula can be satisfied, namely when p holds at everytime step. In contrast, there are several ways in which this formula can be violated. Our goal is to find asemantics that distinguishes between these different ways. We aim for such distinction to be limited by whatcan be expressed in LTL so that we can easily leverage the wealth of existing results on LTL verification andsynthesis.By intuitively investigating the different ways in which □ p is violated over an infinite trace, we are able todistinguish the following four cases: (1) the worst possible violation occurs when p fails to hold at every timestep; (2) a slightly better scenario, which still violates □ p , is where p holds for at most finitely many timeinstants; (3) better yet would be that p holds at infinitely many instants, while still failing to hold at infinitelymany instants; (4) finally, among all the possible ways in which □ p can be violated, the most preferable casewould be the one where p fails to hold for at most finitely many time instants. Consequently, our robustsemantics is designed to distinguish between satisfaction and these four possible different ways to violate □ p .However, as convincing as this argument might be, a question persists: in which sense can we regard thesefive alternatives as canonical?3.2.1. Why truth values? We answer this question by interpreting satisfaction of □ p as a counting problem,and showing that there exists a partition of the infinite strings B ω = { , } ω , which is induced by the LTL □ , ◇ formulae. The semantics of the LTL □ operator is given by: W ( σ, □ ϕ ) = inf i ∈ N W ( σ i.. , ϕ ) . (3.1)We make the following observation: the truth value of the LTL formula □ ϕ on the infinite word σ ∈ Σ ω isinvariant under permutations of W ω ( σ, ϕ ) = W ( σ .. , ϕ ) W ( σ .. , ϕ ) ⋯ . To make this observation precise, let f ∶ N → N be a permutation of N , i.e., a bijection. Then, we have:inf i ∈ N W ( σ i.. , ϕ ) = inf i ∈ N W ( σ f ( i ) .. , ϕ ) . (3.2)The above property shows that the □ operator counts the number of zeros in the infinite string W ω ( σ,ϕ ) ∈ { , } ω .When this number is 0, W ( σ, □ ϕ ) is one ( true ), and otherwise zero ( false ). The position where zeros occuris not relevant, only their presence or their absence is. Towards characterizing how to count in LTL □ , ◇ , wefirst note that by successively applying permutations that swap position i with position i + N unaltered, we can transform any string ρ ∈ { , } ω into one of the following forms ANEVLAVIS, ET AL. ω , k ω , ( ) ω , k ω , ω , where k ∈ N . Moreover, since LTL □ , ◇ is stutter-free [PW97], it follows that theprevious cases degenerate into the following five:1 ω , ω , ( ) ω , ω , and 0 ω . (3.3)We interpret these as the ability to count if the number of zeros and ones is zero , finite , or infinite . If wedenote by ( z, o ) the number of zeros and ones, with z, o ∈ { zer , fin , inf } , then we have: • ω corresponds to ( zer , inf ) . • ω corresponds to ( fin , inf ) . • ( ) ω corresponds to ( inf, inf ) . • ω corresponds to ( inf , fin ) . • ω corresponds to ( inf , zer ) .We can thus conclude the need for 5 truth values to describe the 5 different ways of counting zeros and ones.Concretizing this discussion, in particular (3.3), on the running example of the formula □ p , we obtain thefollowing canonical forms that can be distinguished:(3.4) { p } ω , ({ ¬ p }{ p }) + { p } ω , ({ ¬ p }{ p }) ω , ({ ¬ p }{ p }) + { ¬ p } ω , and { ¬ p } ω . It is no surprise that these are exactly the five cases discussed in the beginning of this subsection.The considerations in this section suggest the need for a semantics that is 5-valued rather than 2-valued so thatwe can distinguish between the aforementioned five cases. Therefore, we need to replace Boolean algebras by adifferent type of algebraic structure that can accommodate a 5-valued semantics.
Da Costa algebras , reviewedin the next section, are an example of such algebraic structures.3.2.2. da Costa Algebras.
According to our running example □ p , the desired semantics should have one truthvalue corresponding to true and four truth values corresponding to different shades of false . It is instructiveto think of truth values as the elements of B , i.e., the four-fold Cartesian product of B , that arise as thepossible values of the 4-tuple of LTL formulae:(3.5) ( □ p, ◇ □ p, □ ◇ p, ◇ p ) . To ease notation, we denote such values interchangeably by b = b b b b and b = ( b , b , b , b ) with b i ∈ B for i ∈ { , , , } . The value 1111 then corresponds to true since □ p is satisfied. The most preferred violationof □ p ( p fails to hold at only finitely many time instants) corresponds to 0111, followed by 0011 ( p holds atinfinitely many instants and also fails to hold at infinitely many instants), 0001 ( p holds at most at finitelymany instants), and 0000 ( p fails to hold at every time instant). Such preferences can be encoded in the linearorder:(3.6) 0000 ≺ ≺ ≺ ≺ , that renders the set: B = { , , , , } , (3.7)a (bounded) distributive lattice with top element ⊤ = ⊥ = B isthe subset of B consisting of the 4-tuples ( b , b , b , b ) ∈ B satisfying the monotonicity property: i ≤ N j implies b i ≤ B b j , (3.8)where i, j ∈ { , . . . , } , ≤ N is the natural order on the natural numbers and ≤ B is the natural order on theBoolean algebra B . In B , the meet ⊓ can be interpreted as minimum and the join ⊔ as maximum with respectto the order in (3.6). We use ⊓ and ⊔ when discussing lattices in general and use min and max for the specificlattice B or the Boolean algebra B .The first choice to be made in using the lattice ( B , min , max ) to define the semantics of rLTL ⊡ , ⟐ ( P ) is thechoice of an operation on B modeling conjunction. It is well know that all the desirable properties of a many-valued conjunction are summarized by the notion of triangular-norm, see [H´98, NPM99]. One can compare EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 9 two triangular-norms s and t using the partial order defined by declaring s ≤ t when s ( a, b ) ≤ t ( a, b ) for all a, b ∈ B . According to this order, the triangular-norm min is maximal among all triangular-norms (i.e., wehave t ( a, b ) ≤ min { a, b } for every a, b ∈ B and every triangular-norm t ). This shows that if we choose anytriangular-norm t different from min, there exist elements a, b ∈ B for which we have t ( a, b ) < min { a, b } .Hence, any choice different from min would result in situations where the value of a conjunction is smaller than the value of the conjuncts, which is not reasonable when interpreting the value of the conjuncts asdifferent shades of false . To illustrate this point, consider the formula □ p ∧ □ q and the word σ = ∅ { p, q } ω .As introduced above, the value of □ p on σ corresponds to 0111 and the value of □ q on σ corresponds to 0111since on both cases we have the most preferred violation of the formulae. Therefore, the value of □ p ∧ □ q on σ should also be 0111 since the formula □ p ∧ □ q is only violated a finite number of times. It thus seemsnatural to model conjunction in B by min and, for similar reasons, to model disjunction in B by max.As in intuitionistic logic, our implication is defined as the residue of ⊓ . In other words, we define theimplication a → b by requiring that c ⪯ a → b if and only if c ⊓ a ⪯ b for every c ∈ B . This leads to: a → b = { a ⪯ b ; and b otherwise.However, we now diverge from intuitionistic logic (and most many-valued logics) where negation of a is definedby a → B , except for1111, represent (different shades of) false and thus their negation should have the truth value 1111. To makethis point clear, we present in Table 1 the intuitionistic negation in B and the desired negation compatiblewith the interpretation of the truth values in B . Table 1.
Desired negation vs. intuitionistic negation in B .Value Desired negation Intuitionistic negation1111 0000 00000111 1111 00000011 1111 00000001 1111 00000000 1111 1111What is then the algebraic structure on B that supports the desired negation, dual to the intuitionisticnegation? This very same problem was investigated in [Pri09], and the answer is da Costa algebras. Definition 7 (da Costa algebra) . A da Costa algebra is a sextuple ( A, ⊓ , ⊔ , ⪯ , → , ⋅ ) where: • ( A, ⊓ , ⊔ , ⪯ ) is a distributive lattice where ⪯ is the ordering relation derived from ⊓ and ⊔ , • → is the residual of ⊓ (i.e., a ⪯ b → c if and only if a ⊓ b ⪯ c for every a, b, c ∈ A ), • a ⪯ b ⊔ b for every a, b ∈ A , and • a ⪯ b whenever c ⊔ c ⪯ a ⊔ b for every a, b, c ∈ A . Note that there are situations where it is convenient to model conjunction differently. In the work of Bloem et al. [BCG + ∧ i ∈ I ϕ i . This cannot be accomplished if conjunction is modeled by min, and a different triangular-norm would haveto be used for this purpose. Note that both Lukasiewicz’s conjunction as well as Goguen’s conjunction have the property thattheir value decreases as the number of conjuncts that are true decreases. This is also done in context of residuated lattices that is more general than the Heyting algebras used in intuitionistic logic.Recall that a residuated lattice is a lattice ( A, ⊓ , ⊔ ) , satisfying the same additional conditions, and equipped with a commutativemonoid ( A, ⊗ , ) satisfying additional compatibility conditions. Since we chose the lattice meet ⊓ to represent conjunction, wehave a residuated lattice where ⊗ = ⊓ and = ⊤ . In a da Costa algebra, one can define the top element ⊤ to be ⊤ = a ⊔ a for an arbitrary a ∈ A ; note that ⊤ is unique and independent of the choice of a . Hence, the third requirement in Definition 7 amounts to thedefinition of top element, while the fourth requirement can be simplified to a ⪯ b whenever ⊤ ⪯ a ⊔ b . We caneasily verify that B is a da Costa algebra if we use the desired negation defined in Table 1.It should be mentioned that working with a 5-valued semantics has its price. The law of non-contradictionfails in B (i.e., a ⊓ a may not equal ⊥ = a = a ⊓ a ≺ a ⊓ a is to be interpreted as a shade of false but not necessarilyas the least preferred way of violating a ⊓ a , which corresponds to ⊥ . Contrary to intuitionistic logic, the lawof excluded middle is valid (i.e., a ⊔ a = ⊤ = a = a ≠ a , although it is stilltrue that a → a . Interestingly, we can think of the double negation: a = { , if a = , otherwise,as quantization in the sense that true is mapped to true and all the shades of false are mapped to false . Hence,double negation quantizes the five different truth values into two truth values ( true and false ) in a mannerthat is compatible with our interpretation of truth values.3.2.3. Semantics of rLTL ⊡ , ⟐ ( P ) on da Costa Algebras. The semantics of rLTL ⊡ , ⟐ ( P ) is given by a mapping V , called valuation as in the case of LTL, that maps an infinite word σ ∈ Σ ω and an rLTL ⊡ , ⟐ ( P ) formula ϕ to an element of B . In defining V , we judiciously use the algebraic operations of the da Costa algebra B togive meaning to the logical connectives in the syntax of rLTL ⊡ , ⟐ ( P ) . In the following, let Σ = P , where P isa finite set of atomic propositions.The semantics of rLTL is a mapping V ∶ ( P ) ω × rLTL ( P ) → B . On atomic propositions p ∈ P , V is definedby: V ( σ, p ) = { , if p ∉ σ ( ) ; and1111 , if p ∈ σ ( ) .(3.9)Hence, atomic propositions are interpreted classically, i.e., only two truth values are used. Since we are usinga 5-valued semantics, we provide a separate definition for all the four logical connectives: V ( σ, ¬ ϕ ) = V ( σ, ϕ ) , (3.10) V ( σ, ϕ ∧ ψ ) = V ( σ, ϕ ) ⊓ V ( σ, ψ ) , (3.11) V ( σ, ϕ ∨ ψ ) = V ( σ, ϕ ) ⊔ V ( σ, ψ ) , (3.12) V ( σ, ϕ ⇛ ψ ) = V ( σ, ϕ ) → V ( σ, ψ ) . (3.13)Note how the semantics mirrors the algebraic structure of da Costa algebras. This is no accident sincevaluations are typically algebra homomorphisms.Unfortunately, da Costa algebras are not equipped with operations corresponding to ⊡ and ⟐ , the robustversions of □ and ◇ , respectively. Therefore, we resort to the counting interpretation in Section 3.2.1 tomotivate the semantics of ⊡ . Formally, the semantics of ⊡ is given by: V ( σ, ⊡ ϕ ) = ( inf i ≥ V ( σ i.. , ϕ ) , sup j ≥ inf i ≥ j V ( σ i.. , ϕ ) , inf j ≥ sup i ≥ j V ( σ i.. , ϕ ) , sup i ≥ V ( σ i.. , ϕ )) , (3.14)where V k ( σ, ϕ ) = π k ◦ V ( σ, ϕ ) for k ∈ { , , , } and π k ∶ B → B are the projections on the k -th element of atruth value defined by:(3.15) π k ( a , a , a , a ) = a k . One could consider developing a notion of da Costa algebras with operators in the spirit of Boolean algebras with operators[JT51]. We leave such investigation for future work.
EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 11
To illustrate the semantics of ⊡ , let us consider the simple case where ϕ is just an atomic proposition p . Thismeans that one can express V ( σ, ⊡ p ) in terms of the LTL valuation W by: V ( σ, ⊡ p ) = ( W ( σ, □ p ) , W ( σ, ◇ □ p ) , W ( σ, □ ◇ p ) , W ( σ, ◇ p )) . (3.16)In other words, V ( σ, ⊡ p ) corresponds to the LTL truth value of □ p , V ( σ, ⊡ p ) corresponds to the LTL truthvalue of ◇ □ p , V ( σ, ⊡ p ) corresponds to the LTL truth value of □ ◇ p , and V ( σ, ⊡ p ) corresponds to the LTLtruth value of ◇ p . Equation (3.16) connects the semantics of ⊡ to the counting problems described in Section3.2.1 and to the 4-tuple of LTL formulae in (3.5).The last operator is ⟐ , whose semantics is given by: V ( σ, ⟐ ϕ ) = ( sup i ≥ V ( σ i.. , ϕ ) , sup i ≥ V ( σ i.. , ϕ ) , sup i ≥ V ( σ i.. , ϕ ) , sup i ≥ V ( σ i.. , ϕ )) . (3.17)According to the counting problems used in Section 3.2.1 to motivate the proposed semantics, there is onlyone way in which the LTL formula ◇ p , for an atomic proposition p , can be violated. Hence, V ( σ, ⟐ p ) is oneof only two possible truth values: 1111 or 0000. We further note that ⟐ is not dual to ⊡ , as expected in amany-valued logic where the law of double negation fails.Having defined the semantics of rLTL ⊡ , ⟐ ( P ) , let us now see if the formula ⊡ p ⇛ ⊡ q , where ⊡ p is an environ-ment assumption and ⊡ q is a system guarantee with p, q ∈ P , lives to the expectations set in the introductionand to the intuition provided in Section 3.2.1.1) According to (3.16), if □ p holds, then ⊡ p evaluates to 1111 and the implication ⊡ p ⇛ ⊡ q is true , i.e., thevalue of ⊡ p ⇛ ⊡ q is 1111, if ⊡ q evaluates to 1111, that is, if □ q holds. Therefore, the desired behavior of □ p ⇒ □ q , when the environment assumptions hold, is retained.2) Consider now the case where □ p fails but the weaker assumption ◇ □ p holds. In this case ⊡ p evaluatesto 0111 and the implication ⊡ p ⇛ ⊡ q is true if ⊡ p evaluates to 0111 or higher. This means that ◇ □ q needsto hold.3) A similar argument shows that we can also conclude the following consequences whenever ⊡ p ⇛ ⊡ q evalu-ates to 1111: □◇ q follows whenever the environment satisfies □◇ p and ◇ q follows whenever the environmentsatisfies ◇ p . We thus conclude that the semantics of ⊡ p ⇛ ⊡ q captures the desired robustness property bywhich a weakening of the assumption ⊡ p leads to a weakening of the guarantee ⊡ q .3.3. Full rLTL ( P ) . In this section, we present the semantics of full rLTL ( P ) by providing the semantics forthree additional operators: the “robust release”, denoted by R ⋅ , the “robust until”, denoted by U ⋅ , and the“next”, denoted by ⊙ , operators.3.3.1. Why truth values? We revisit this question to better motivate the full rLTL semantics. According tothe safety-progress classification of temporal properties, eloquently put forward in [CMP93, MP87], □ p definesa safety property. It can be expressed as A ( L ) with L being the regular language Σ ∗ { p } and A the operatorgenerating all the infinite words in ( P ) ω with the property that all its finite prefixes belong to L . In additionto A , we can find in [CMP93, MP87] the operators E , R , and P defining guarantee, response, and persistenceproperties, respectively. The language E ( L ) consists of all the infinite words that contain at least one prefixin L , the language R ( L ) consists of all the infinite words that contain infinitely many prefixes in L , and thelanguage P ( L ) consists of all the infinite words such that all but finitely many prefixes belong to L . Usingthese operators we can reformulate the semantics of ⊡ p from (3.14) as:(3.18) V ( σ, ⊡ p ) = ⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩ σ ∈ A ( L ) ;0111 if σ ∈ P ( L ) \ A ( L ) ;0011 if σ ∈ R ( L ) \ ( A ( L ) ∪ P ( L )) ;0001 if σ ∈ E ( L ) \ ( A ( L ) ∪ P ( L ) ∪ R ( L )) ; and0000 if σ ∉ E ( L ) . We thus obtain a different justification for the five different truth values used in rLTL and why the five differentcases in (3.4) can be seen as canonical. Moreover, we can build on this perspective to define the semantics ofthe robust release and the robust until.3.3.2.
Semantics of full rLTL ( P ) . We are now ready to define the semantics for the “robust release” R ⋅ , and“robust until” U ⋅ operators. Equality (3.18) suggests how we can define the 5-valued semantics for the releaseoperator. Recall that the LTL formula p R q , for atomic propositions p and q , defines a safety property, andthat its semantics is given by:(3.19) W ( σ, p R q ) = inf j ≥ max { V ( σ j.. , q ) , sup ≤ i < j V ( σ i.. , p )} . We can interpret: max { V ( σ j.. , q ) , sup ≤ i < j V ( σ i.. , p )} , as the definition of the regular language L = Σ ∗ { q } + Σ ∗ { p } Σ + and inf j ≥ as the requirement that everyprefix of a string satisfying p R q belongs to L , i.e., as the definition of the operator A . Therefore, the 5-valued semantics can be obtained by successively enlarging the language A ( L ) through the replacement of theoperator A , formalized by inf in Equation (3.19), by the operators P formalized by sup inf, R formalized byinf sup, and E for formalized by sup. This observation leads to the semantics: V ( σ, ϕ R ⋅ ψ ) = ( V ( σ, ϕ R ⋅ ψ ) , V ( σ, ϕ R ⋅ ψ ) , V ( σ, ϕ R ⋅ ψ ) , V ( σ, ϕ R ⋅ ψ )) , (3.20)where: V ( σ, ϕ R ⋅ ψ ) = inf j ≥ max { V ( σ j.. , ψ ) , sup ≤ i < j V ( σ i.. , ϕ )} , V ( σ, ϕ R ⋅ ψ ) = sup k ≥ inf j ≥ k max { V ( σ j.. , ψ ) , sup ≤ i < j V ( σ i.. , ϕ )} ,V ( σ, ϕ R ⋅ ψ ) = inf k ≥ sup j ≥ k max { V ( σ j.. , ψ ) , sup ≤ i < j V ( σ i.. , ϕ )} , V ( σ, ϕ R ⋅ ψ ) = sup j ≥ max { V ( σ j.. , ψ ) , sup ≤ i < j V ( σ i.. , ϕ )} . We note that, as in the case of LTL, ⊡ ψ = false R ⋅ ψ holds, thereby showing that the semantics for the R ⋅ operator is compatible with the semantics of the ⊡ operator. We can glean further intuition behind thedefinition of R ⋅ by considering the special case where ϕ is given by p and ψ is given by q , for two atomicpropositions p, q ∈ P . Expressing V ( σ, p R ⋅ q ) in terms of an LTL valuation W , we obtain: V ( σ, p R ⋅ q ) = ( W ( σ, p R q ) , W ( σ, ◇ □ q ∨ ◇ p ) , W ( σ, □ ◇ q ∨ ◇ p ) , W ( σ, ◇ q ∨ ◇ p )) . We see that, as long as p occurs, the value of p R ⋅ q is at least 0111. It could be argued that the semanticsof p R ⋅ q should also count the number of occurrences of q preceding the first occurrence of p . As we detail inSection 3.5, such property can be expressed in rLTL by making use of the proposed semantics.In LTL, the U operator is dual to the R operator, but such relationship does not extend to rLTL in virtue ofhow negation was defined. Hence, the semantics of the U ⋅ operator has to be introduced independently of the R ⋅ operator. We follow the same approach as above by interpreting the LTL semantics of p U ⋅ q , given by:(3.21) W ( σ, p U q ) = sup j ≥ min { V ( σ j.. , q ) , inf ≤ i < j V ( σ i.. , p )} , as defining the language E ({ p } ∗ { q }) . In the hierarchy of the operators E , R , P , and A , defined by theinclusions A ( L ) ⊂ P ( L ) ⊂ R ( L ) ⊂ E ( L ) for any regular language L , the language E ({ p } ∗ { q }) cannot be EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 13 enlarged as it sits at the top of the hierarchy. Therefore, the semantics of the U ⋅ operator is given by: V ( σ, ϕ U ⋅ ψ ) = ( V ( σ, ϕ U ⋅ ψ ) , V ( σ, ϕ U ⋅ ψ ) , V ( σ, ϕ U ⋅ ψ ) , V ( σ, ϕ U ⋅ ψ )) , (3.22)where: V k ( σ, ϕ U ⋅ ψ ) = sup j ≥ min { V k ( σ j.. , ψ ) , inf ≤ i < j V k ( σ i.. , ϕ )} , for each k ∈ { , , , } . We obtain, by definition, that the semantics of the U ⋅ operator is compatible with the semantics of the ⟐ operator in the sense that ⟐ ψ = true U ⋅ ψ .Finally, we define the robust semantics of next as a direct generalization of the LTL semantics from B to B : V ( σ, ⊙ ϕ ) = V ( σ .. , ϕ ) . (3.23)3.4. Review of rLTL semantics.
To recap the discussion of the previous two subsections, we compactlypresent the formal rLTL semantics below.
Definition 8 (rLTL Semantics) . The rLTL semantics is a mapping V ∶ ( P ) ω × rLTL ( P ) → B , inductivelydefined as follows for p ∈ P and ϕ, ψ ∈ rLTL ( P ) : • For atomic propositions: V ( σ, p ) = { , if p ∉ σ ( ) , , if p ∈ σ ( ) . • For logical connectives: V ( σ, ¬ ϕ ) = V ( σ, ϕ ) , V ( σ, ϕ ∧ ψ ) = V ( σ, ϕ ) ⊓ V ( σ, ψ ) ,V ( σ, ϕ ∨ ψ ) = V ( σ, ϕ ) ⊔ V ( σ, ψ ) , V ( σ, ϕ ⇛ ψ ) = V ( σ, ϕ ) → V ( σ, ψ ) . • For temporal operators: V ( σ, ⊙ ϕ ) = V ( σ .. , ϕ ) ,V ( σ, ⟐ ϕ ) = ( sup i ≥ V ( σ i.. , ϕ ) , sup i ≥ V ( σ i.. , ϕ ) , sup i ≥ V ( σ i.. , ϕ ) , sup i ≥ V ( σ i.. , ϕ )) ,V ( σ, ⊡ ϕ ) = ( inf i ≥ V ( σ i.. , ϕ ) , sup j ≥ inf i ≥ j V ( σ i.. , ϕ ) , inf j ≥ sup i ≥ j V ( σ i.. , ϕ ) , sup i ≥ V ( σ i.. , ϕ )) ,V ( σ, ϕ U ⋅ ψ ) = ( V ( σ, ϕ U ⋅ ψ ) , V ( σ, ϕ U ⋅ ψ ) , V ( σ, ϕ U ⋅ ψ ) , V ( σ, ϕ U ⋅ ψ )) , where: V k ( σ, ϕ U ⋅ ψ ) = sup j ≥ min { V k ( σ j.. , ψ ) , inf ≤ i < j V k ( σ i.. , ϕ )} , for each k ∈ { , , , } .V ( σ, ϕ R ⋅ ψ ) = ( V ( σ, ϕ R ⋅ ψ ) , V ( σ, ϕ R ⋅ ψ ) , V ( σ, ϕ R ⋅ ψ ) , V ( σ, ϕ R ⋅ ψ )) , where: V ( σ, ϕ R ⋅ ψ ) = inf j ≥ max { V ( σ j.. , ψ ) , sup ≤ i < j V ( σ i.. , ϕ )} , V ( σ, ϕ R ⋅ ψ ) = sup k ≥ inf j ≥ k max { V ( σ j.. , ψ ) , sup ≤ i < j V ( σ i.. , ϕ )} ,V ( σ, ϕ R ⋅ ψ ) = inf k ≥ sup j ≥ k max { V ( σ j.. , ψ ) , sup ≤ i < j V ( σ i.. , ϕ )} , V ( σ, ϕ R ⋅ ψ ) = sup j ≥ max { V ( σ j.. , ψ ) , sup ≤ i < j V ( σ i.. , ϕ )} . Examples.
In this section, we showcase the applicability of the proposed semantics with a number ofexamples.3.5.1.
The usefulness of implications that are not true . We argued in the previous section that rLTL capturesthe intended robustness properties for the specification ⊡ p ⇛ ⊡ q whenever this formula evaluates to 1111.But does the formula ⊡ p ⇛ ⊡ q still provide useful information when its value is lower than 1111? It followsfrom the semantics of implication that V ( σ, ⊡ p ⇛ ⊡ q ) = b , for b ≺ V ( σ, ⊡ q ) = b , i.e.,whenever a value of b can be guaranteed despite b being smaller than V ( σ, ⊡ p ) . The value V ( σ, ⊡ p ⇛ ⊡ q ) thus describes which weakened guarantee follows from the environment assumption whenever the intendedsystem guarantee does not. This can be seen as another measure of robustness: despite ⊡ q not following from ⊡ p , the behavior of the system is not arbitrary, a value of b is still guaranteed. A case study on the usefulnessthat the different shades of false provide will be discussed in Section 7 in the context of a concrete case study.3.5.2. GR(1) in rLTL.
The GR(1) fragment of LTL is becoming increasingly popular for striking an interestingbalance between its expressiveness and the complexity of the corresponding synthesis problem [BJP + ( □ , ◇ ) formula of the form:(3.24) ⋀ i ∈ I □ ◇ p i ⇒ ⋀ j ∈ J □ ◇ q j , where p i and q j are atomic propositions and I, J are finite sets. We obtain the rLTL version of (3.24) simplyby dotting the boxes and the diamonds:(3.25) ⋀ i ∈ I ⊡ ⟐ p i ⇛ ⋀ j ∈ J ⊡ ⟐ q j . Any valuation V for ⊡ ⟐ p i can be expressed in terms of a valuation W for LTL as: V ( σ, ⊡ ⟐ p i ) = ( W ( σ, □ ◇ p i ) , W ( σ, □ ◇ p i ) , W ( σ, □ ◇ p i ) , W ( σ, ◇ p i )) . Therefore, V ( σ, ⊡ ⟐ p i ) can only assume three different values: 1111 when □ ◇ p i holds, 0001 when □ ◇ p i fails to hold but ◇ p i does hold, and 0000 when ◇ p i fails to hold. Based on this observation, and assumingthat (3.25) evaluates to 1111, we conclude that ⋀ j ∈ J □ ◇ q j holds whenever ⋀ i ∈ I □ ◇ p i does, as requiredby (3.24). In contrast to (3.24), however, the weakened system guarantee ⋀ j ∈ J ◇ q j holds whenever the weakerenvironment assumption ⋀ i ∈ I ◇ p i does.3.5.3. Non-counting formulae.
All the preceding examples were counting formulae. We now consider thesimple non-counting formula □ ( p ⇒ ◇ q ) , which requires each occurrence of p to be followed by an occurrenceof q . The word σ = { p }{ q } ∅ ω clearly satisfies this formula although its permutation σ = { q }{ p } ∅ ω doesnot. In addition to being a non-counting formula, □ ( p ⇒ ◇ q ) is one of the most popular examples of an LTLformula used in the literature known as the “request-response” property, and, for this reason, constitutes alitmus test to rLTL. Actually, such formula is part of the reactive specification patterns identified in [DAC99],which are part of our case studies in Section 7. The semantics of the dotted version of □ ( p ⇒ ◇ q ) can beexpressed using an LTL valuation W as: V ( σ, ⊡ ( p ⇛ ⟐ q )) = ( W ( σ, □ ( p ⇒ ◇ q )) , W ( σ, □ ◇ p ⇒ □ ◇ q ) , W ( σ, ◇ □ p ⇒ □ ◇ q ) , W ( σ, □ p ⇒ ◇ q )) . It is interesting to observe how the semantics of ϕ = ⊡ ( p ⇛ ⟐ q ) recovers: strong fairness, also known ascompassion, when the value of ϕ is 0111; weak fairness, also known as justice, when the value of ϕ is 0011;and the even weaker notion of fairness represented by the LTL formula □ p ⇒ ◇ q , when the value of ϕ is 0001.The fact that all these different and well known notions of fairness naturally appear in the proposed semanticsis another strong indication of rLTL’s naturalness and usefulness. EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 15
Counting with “robust release”.
As we discussed before, the semantics of ϕ R ⋅ ψ does not count howmany times ψ holds before the first occurrence of ϕ . This property, however, is captured by the rLTL formula(3.26) ( ϕ R ⋅ ψ ) ∧ ( ¬ ϕ U ⋅ ψ ) . To see why, we assume ϕ = p and ψ = q for atomic propositions p and q . Then, express the semantics of therLTL formula (3.26) in terms of an LTL valuation W as: V ( σ, ( p R ⋅ q ) ∧ ( ¬ p U ⋅ q )) = ( W ( σ, p R q ) , W ( ¬ p U q ) , W ( ¬ p U q ) , W ( ¬ p U q )) . Note how we can now distinguish between three cases: (1) p R q holds, corresponding to value 1111; (2) q holds at least once before being released by p , corresponding to value 0111; and (3) q does not hold beforebeing released by p , corresponding to value 0000.3.5.5. Non-decomposition of “robust until”.
The previous example showed how the LTL equivalence between ϕ R ψ and ( ϕ R ψ ) ∧ ( ¬ ϕ U ψ ) is not valid in rLTL. Another LTL equivalence that is not valid in rLTL is thedecomposition of the until operator into its liveness and safety parts, that is the equivalence between ϕ U ψ and ◇ ψ ∧ ( ψ R ( ψ ∨ ϕ )) . The rLTL formula ⟐ ψ ∧ ( ψ R ⋅ ( ψ ∨ ϕ )) expresses a weaker requirement than ϕ U ⋅ ψ that is also useful to express robustness. When ϕ and ψ are the atomic propositions p and q , respectively, thesemantics of ⟐ ψ ∧ ( ψ R ⋅ ( ψ ∨ ϕ )) can be expressed in terms of an LTL valuation W as: V ( σ, ◇ q ∧ ( q R ( q ∨ p ))) = ( W ( σ, p U q ) , W ( σ, ◇ q ) , W ( σ, ◇ q ) , W ( σ, ◇ q )) . Whereas ϕ U ⋅ ψ only assumes two values, ⟐ ψ ∧ ( ψ R ⋅ ( ψ ∨ ϕ )) assumes three possible values allowing toseparate the words that violate ϕ U ψ into those that satisfy ◇ q and those that do not.4. Relating LTL and r LTL
In this section we discuss, at the technical level, the relationships between rLTL ( P ) and LTL ( P ) . Recall themappings π j ∶ B → B introduced in (3.15), defined by π j ( a , a , a , a ) = a j , j ∈ { , , , } . Composing π j with the rLTL valuation V we obtain the function V j = π j ◦ V that transforms an infinite word σ ∈ Σ ω andan rLTL ( P ) formula ϕ into the element V j ( σ, ϕ ) ∈ B . Each truth value in B can be viewed as a sequence of4 bits. Consequently, we show how to translate an rLTL ( P ) formula ϕ into four LTL ( P ) formulae ϕ , . . . , ϕ such that: π j ( V ( σ, ϕ )) = V j ( σ, ϕ ) = W ( σ, ϕ j ) , (4.1)for all σ ∈ Σ ω and j ∈ { , . . . , } . The key idea is to emulate the semantics of each operator occurring in ϕ component-wise by means of dedicated LTL formulae. To make this clear and straightforward, we define theoperator:(4.2) ltl ∶ { , . . . , } × rLTL ( P ) → LTL ( P ) , as in Table 2. Then, each ϕ j formula is constructed as: ϕ j ≔ ltl ( j, ϕ ) . (4.3)It is not hard to verify that the formulae ϕ j have indeed the desired meaning. Moreover, notice that due tothe ordering of the rLTL truth values in B , see (3.6), it follows that: W ( σ, ϕ j ) ≥ W ( σ, ϕ i ) , for j ≥ i. (4.4)Although the above construction only incurs a linear blowup in the number of subformulae of ϕ j , the resultingLTL formula itself might be exponentially larger when explicitly constructed due to the recursive substitution.Next, we show that the LTL ( P ) semantics can be recovered from the first bit of the rLTL ( P ) semantics. Morespecifically, for any φ ∈ LTL ( P ) , there exists a ϕ ∈ rLTL ( P ) , such that V ( σ, ϕ ) = W ( σ, φ ) for every σ ∈ Σ ω .The construction of a suitable ϕ ∈ rLTL ( P ) , given any φ ∈ LTL ( P ) , is straightforward given Table 2. First,every implication ψ ⇒ ψ in φ ∈ LTL ( P ) is replaced by the equivalent in LTL formula ¬ ψ ∨ ψ . Second, Table 2.
The rLTL semantics via the ltl operator.
Operator Symbol Semantics, for p ∈ P , ϕ, ψ ∈ rLTL ( P ) .Atomic Proposition ∀ ≤ i ≤ ∶ ltl ( i, p ) = p .Negation ¬ ∀ ≤ i ≤ ∶ ltl ( i, ¬ ϕ ) = ¬ ltl ( , ϕ ) .Conjunction ∧ ∀ ≤ i ≤ ∶ ltl ( i, ϕ ∧ ψ ) = ltl ( i, ϕ ) ∧ ltl ( i, ψ ) .Disjunction ∨ ∀ ≤ i ≤ ∶ ltl ( i, ϕ ∨ ψ ) = ltl ( i, ϕ ) ∨ ltl ( i, ψ ) .Robust Implication ⇛ ∀ ≤ i ≤ ∶ ltl ( i, ϕ ⇛ ψ ) = ( ltl ( i, ϕ ) ⇒ ltl ( i, ψ )) ∧ ltl ( i + , ϕ ⇛ ψ ) , ltl ( , ϕ ⇛ ψ ) = ( ltl ( , ϕ ) ⇒ ltl ( , ψ )) . Next ⊙ ∀ ≤ i ≤ ∶ ltl ( i, ⊙ ϕ ) = ◯ ltl ( i, ϕ ) .Robust Eventually ⟐ ∀ ≤ i ≤ ∶ ltl ( i, ⟐ ϕ ) = ◇ ltl ( i, ϕ ) .Robust Always ⊡ ltl ( , ⊡ ϕ ) = □ ltl ( , ϕ ) , ltl ( , ⊡ ϕ ) = ◇ □ ltl ( , ϕ ) , ltl ( , ⊡ ϕ ) = □ ◇ ltl ( , ϕ ) , ltl ( , ⊡ ϕ ) = ◇ ltl ( , ϕ ) . Robust Until U ⋅ ∀ ≤ i ≤ ∶ ltl ( i, ϕ U ⋅ ψ ) = ltl ( i, ϕ ) U ltl ( i, ψ ) .Robust Release R ⋅ ltl ( , ϕ R ⋅ ψ ) = ltl ( , ϕ ) R ltl ( , ψ ) , ltl ( , ϕ R ⋅ ψ ) = ◇ ltl ( , ϕ ) ∨ ◇ □ ltl ( , ψ ) , ltl ( , ϕ R ⋅ ψ ) = ◇ ltl ( , ϕ ) ∨ □ ◇ ltl ( , ψ ) , ltl ( , ϕ R ⋅ ψ ) = ◇ ltl ( , ϕ ) ∨ ◇ ltl ( , ψ ) . φ is brought into negation normal form. Finally, by taking the robust version of the latter LTL formula, i.e.,replacing the LTL temporal operators with their corresponding rLTL temporal operators, one obtains thedesired ϕ ∈ rLTL ( P ) . Remark 1.
In the construction above, we replace every implication in φ ∈ LTL ( P ) by its LTL-equivalentnegation form. To justify this decision, note that the semantics of implication in rLTL and LTL is related bythe inequality: V ( σ, ϕ ⇛ ψ ) ≤ V ( σ, ¬ ϕ ∨ ψ ) = W ( σ, ¬ ϕ ∨ ψ ) = W ( σ, ϕ ⇒ ψ ) , (4.5) which follows from the LTL and rLTL semantics. Furthermore, we can construct simple examples for which theinequality in (4.5) is strict, i.e., it fails to be an equality. For instance, consider the LTL formula □ p ⇒ □ q ,its corresponding rLTL formula ⊡ p ⇛ ⊡ q , and the word σ = ∅ { p } ω . Then, V ( σ, ⊡ p ⇛ ⊡ q ) = , however V ( σ, ¬ ⊡ p ∨ ⊡ q ) = = W ( σ, □ p ⇒ □ q ) . The preceding discussion leads to the following result.
Proposition 4.1.
Since the translations from
LTL ( P ) to rLTL ( P ) and vice versa are effective, it immediatelyfollows that any problem for rLTL ( P ) , whose corresponding problem for LTL ( P ) is decidable, is also decidable.Moreover, due to their effective translations to each other, LTL ( P ) and rLTL ( P ) are equally expressive. The r LTL model checking problem
Similarly to LTL, rLTL gives rise to various decision problems. One of the most important problems is the model-checking problem. In this section we first formalize this problem in the context of rLTL. Then, throughthe translation from rLTL to LTL provided in Section 4, the decidability of the rLTL model-checking problemis immediately settled. However, the treatment provided by the translation results in the construction of
EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 17 relatively large automata, which is inefficient for the purposes of model-checking. Therefore, we review thetighter known complexity bounds for the reader’s convenience. Although the proof of such results is outside ofthe scope of this paper (the interested reader is referred to [TN15, TN16] for more details), they provide thesetting in which we can appreciate the results in Section 6 on an rLTL fragment for which the model checkingproblem can be solved with lower complexity.5.1. rLTL model-checking: definitions and background.
As discussed in Section 2, given a model ofa system that is represented as a GBA, the LTL model-checking problem essentially asks whether or notall possible computations of the model satisfy an LTL specification. The LTL model-checking problem isfundamental [CGP99, CHVB18, KPR98, LP85, PZ08, Sch02, VW86] in verification.In a similar manner, the rLTL model-checking problem is intuitively understood as the question of “to whatdegree does a model satisfy a specification?”. The specification in this section is represented by an rLTLformula. For simplicity, we consider the model of the system to be given directly as a GBA. This leads to thefollowing formulation of the rLTL model-checking problem . Problem 2 (rLTL model-checking) . Given a set of atomic propositions P , a GBA G with the correspondingset of words L ( G ) ⊆ ( P ) ω that it recognizes, an rLTL formula ϕ ∈ rLTL ( P ) , and a truth value b ∈ B , weask if V ( σ, ϕ ) ≥ b holds for all σ ∈ L ( G ) . In practice, one would be more interested in finding what is the largest b ∈ B such that V ( σ, ϕ ) ≥ b holdsfor all σ ∈ L ( G ) . Section 5.2 provides the answer to Problem 2, and repeatedly solving this problem fordecreasing values of b addresses the optimization problem of finding the largest b ∈ B such that V ( σ, ϕ ) ≥ b for all σ ∈ L ( G ) . Note that this requires at most four invocations of the rLTL model-checking procedure and,hence, does not change the asymptotic complexity of the problem.5.2. Improved bounds for rLTL model-checking.
In the preceding section, we provided a simple means totranslate rLTL formulae into LTL formulae via the ltl operator in (4.2). Hence, as a consequence of Proposition4.1 the decidability question for Problem 2 is settled. In practice, however, this translation involves a blow-up,which results in relatively large automata that would then be used to solve the rLTL model-checking problem.To alleviate this problem, a more efficient approach, via a direct translation from rLTL ( P ) formulae intoGeneralized B¨uchi Automata (GBAs), was presented in [TN16] for the rLTL ⊡ , ⟐ fragment and for the fullrLTL in [TN15]. This construction, given an rLTL ( P ) formula ϕ , results in a GBA with O ( ∣ ϕ ∣ ) states,where ∣ ϕ ∣ is the number of subformulae of ϕ . This is the same complexity as for the LTL translation, whichresults in an automaton with size in O ( ∣ ϕ ∣ ) , once we replace 2 with 5 since rLTL is 5-valued while LTL is2-valued. Recall that in this paper, we reason about the model-checking complexity by focusing on the sizeof the corresponding GBA constructed from a given formula. On these grounds, we recall the following resultfrom [TN16, TN15]. Theorem 5.1.
Given an rLTL ( P ) formula ϕ , the rLTL model-checking problem (Problem 2) can be decidedby using an automaton with at most: O ( ∣ ϕ ∣ ) (5.1) states, where ∣ ϕ ∣ denotes the length of formula ϕ , i.e., the number of its distinct subformulae. It is interesting to realize that the many valued semantics of rLTL allows posing useful optimization problemsin system verification. For instance, as discussed in the beginning of this section, a user might be interested inthe largest value that a system guarantees. Therefore, by repeatedly solving Problem 2 for decreasing truthvalues, one finds the largest value that a system guarantees.Finally, Theorem 5.1 provides a non-trivial upper bound, when compared to the direct translation via the ltloperator, as the following example suggests.
Example 1.
Consider the rLTL ( P ) formula ⊡ p ⇛ ⊡ q , and assume we wish to check V ( σ, ϕ ) = forevery σ ∈ L ( G ) , where G is the GBA representing the model of a given system. By using the ltl operator inTable 2, this is equivalent to model-checking the formula: ltl ( , ⊡ p ⇛ ⊡ q ) = ( □ ◇ p ⇒ □ ◇ q ) ∧ ( ◇ □ p ⇒ ◇ □ q ) ∧ ( ◇ p ⇒ ◇ q ) . The original rLTL formula is of length , and the LTL formula above has length . Hence, by na¨ıvely applyingLTL complexity bounds (2.1) , we count an upper bound of states the corresponding GBA, which is worsethan the upper bound of states from (5.1) . A fragment for efficient r LTL model-checking
Theorem 5.1 states that the rLTL ( P ) model-checking problem can be solved by using a GBA of size O ( ∣ ϕ ∣ ) .Nonetheless, this bound is still more expensive than the one of the LTL ( P ) model-checking problem, whichis O ( ∣ ϕ ∣ ) . It is then natural to ask the following question, can we find a fragment of rLTL ( P ) for which themodel-checking problem can be solved more efficiently?To motivate an answer to the above question, we show that the high complexity of rLTL ( P ) model-checkingstems from the fact that the four bits of an rLTL truth value are coupled by the ⇛ and ¬ operators. Example 2.
Consider the rLTL ( P ) formula ϕ given by ¬ ( p ⇛ ( q R ⋅ r )) , where p , q and r are atomicpropositions. To compute, for example, the -th bit of its valuation, one needs to unfold the corresponding LTL ( P ) formula: ltl ( , ¬ ( p ⇛ ( q R ⋅ r ))) = ¬ ltl ( , p ⇛ ( q R ⋅ r )) = ¬ (( ltl ( , p ) ⇒ ltl ( , q R ⋅ r )) ∧ ltl ( , p ⇛ ( q R ⋅ r )) = ¬ (( p ⇒ ( q R r )) ∧ ltl ( , ( p ⇛ ( q R ⋅ r )))) = ( p ∧ ¬ ( q R r )) ∨ ¬ (( ltl ( , p ) ⇒ ltl ( , q R ⋅ r )) ∧ ltl ( , p ⇛ ( q R ⋅ r ))) = ( p ∧ ¬ ( q R r )) ∨ ¬ (( p ⇒ ( ◇ q ∨ ◇ □ r )) ∧ ltl ( , p ⇛ ( q R ⋅ r ))) . If we continue unfolding the formula, we see that one needs to check an LTL formula that non-trivially dependson the bits 1, 2, and 3 of the valuation of ϕ . With this intuition in mind, we aim to identify a fragment of rLTL ( P ) that suffers minimally from the couplingrequired by, e.g., the robust implication.6.1. Main results.
We begin by defining the following fragments of rLTL ( P ) . Definition 9 (Fragments rLTL \{ ⇛ } ( P ) and rLTL \{ ⇛ } ( P ) ) . Given a set of atomic propositions P , define rLTL \{ ⇛ } ( P ) ⊂ rLTL ( P ) as the set of all rLTL formulae that either do not contain any ⇛ operator, or if theydo, the antecedent of the implication does not contain any ⊡ or R ⋅ operators. Then define the more generalfragment rLTL \{ ⇛ } ( P ) as: rLTL \{ ⇛ } ( P ) = rLTL \{ ⇛ } ( P ) ⋃ { ψ ⇛ ψ ∣ ψ , ψ ∈ rLTL \{ ⇛ } ( P )} , (6.1) which allows for one ⇛ operator on the outermost level with no restrictions on the implication’s antecedent. The main result of this section establishes refined complexity bounds for the model-checking problem of theabove defined fragments.
Theorem 6.1.
Consider a set of atomic propositions P . The rLTL model-checking problem for any formulain rLTL \{ ⇛ } ( P ) can be solved by performing at most LTL model-checking steps, each using an automatonwith at most: (6.2) O ( ∣ ϕ ∣ − κ ( ϕ ) κ ( ϕ ) ) states, where κ ( ϕ ) = card ({ ψ ∈ cl ( ϕ ) ∣ ψ = ⊡ ψ }) + card ({ ψ ∈ cl ( ϕ ) ∣ ψ = ψ R ⋅ ψ }) , i.e., the number ofdistinct subformulae of ϕ of the form ⊡ ψ and ψ R ⋅ ψ , and ∣ ϕ ∣ is the length of ϕ . EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 19
Remark 2.
Similarly to LTL, one can verify that for any ϕ ∈ rLTL ( P ) , it holds that ⟐ ϕ = true U ⋅ ϕ , and ⊡ ϕ = false R ⋅ ϕ . Hence, the function κ ( ϕ ) can be understood as the number of distinct ψ R ⋅ ψ subformulaeof ϕ , accounting for those underlying the ⊡ operators. The above result provides a smaller complexity bound for the rLTL model-checking problem, which is closerto the tight bound of the LTL model-checking problem, i.e., O ( ∣ ϕ ∣ ) . In fact, in the absence of ⊡ and R ⋅ operators, the bound in (6.2) reduces to that of LTL. A special case of Theorem 6.1 is the result proposed in[APNT18], where the same complexity bound is proven for a smaller rLTL fragment, specifically the set ofrLTL formulae that do not contain any R ⋅ or ⇛ (regardless of their antecedent) operators, or that allow forat most one ⇛ operator only on the outermost level.To illustrate the practicality of the proposed fragment rLTL \{ ⇛ } ( P ) , we examine the LTL formulae found inthe B¨uchi Store [TTC + \{ ⇛ } ( P ) . Moreover, as discussed in Section 7.2 in more detail, allthe relevant reactivity patterns [DAC99] fit into the fragment rLTL \{ ⇛ } ( P ) . Finally, the proposed fragmentincludes the GR(1) fragment. These considerations establish rLTL \{ ⇛ } ( P ) as a practically useful fragment ofrLTL.We devote the rest of this section to formally proving Theorem 6.1. To accomplish this, we prove the followingpoints: (1) the fragment rLTL \{ ⇛ } ( P ) allows independent bit-wise computations for the rLTL model-checkingproblem; (2) smaller automata can be constructed for the formulae in the rLTL \{ ⇛ } ( P ) fragment by utilizing temporal testers ; and (3) for any formula in the rLTL \{ ⇛ } ( P ) fragment, the claimed bound on the size of thecorresponding automaton is satisfied.6.2. Bit-wise independence of rLTL \{ ⇛ } ( P ) and insights on the robust implication. The goal of thissection is to establish that for any formula ϕ ∈ rLTL \{ ⇛ } ( P ) , the truth value of the j -th bit of its valuation, V j ( σ, ϕ ) , is independent of any bit i ≠ j . Recall from Definition 9 that rLTL \{ ⇛ } ( P ) contains all rLTL formulaethat either do not contain any ⇛ operators or, if they do, there exist no ⊡ or R ⋅ operators in the implication’santecedent.For the formulae that do not contain any ⇛ operators, the desired result is easily verified by inspection ofTable 2. For the formulae that contain ⇛ , but their assumptions do not contain any ⊡ or R ⋅ operators weperform the following analysis.As Examples 1 and 2 show, the ⇛ operator induces coupling of the different LTL formulae corresponding tothe bits of an rLTL truth value. Thus, we now draw insight on when it makes sense for an implication tobe evaluated robustly. The notion of robustness, namely that “small violations of the assumption lead to,at most, small violations of the guarantee”, is infused in the semantics of the ⇛ operator, see (3.13), sinceby weakening the assumption and the guarantee, different rLTL truth values are obtained. Consequently, weinvestigate what “weakening a formula” means in the context of rLTL. Definition 10 (Weakened rLTL ( P ) formula) . Given any formula ϕ ∈ rLTL ( P ) , we say that ϕ admits a weakened version if there exists an infinite word σ ∈ Σ ω such that V ( ϕ, σ ) ∈ { , , } . Based on the above definition, for any rLTL formula ϕ that does not admit a weakened version and any infiniteword σ ∈ Σ ω , we have that V ( ϕ, σ ) ∈ { , } , i.e., the valuation of ϕ admits only a binary truth value.This is equivalent to the statement that the corresponding LTL formulae ϕ j , for j ∈ { , , , } , defined in(4.3) are semantically equivalent. Given the rLTL semantics, we make the following crucial observation. Proposition 6.2.
Given any formula ϕ ∈ rLTL ( P ) , if ϕ admits a weakened version , then ϕ contains at leastone ⊡ or one R ⋅ operator.Proof. We prove the result by contraposition. Consider any ϕ ∈ rLTL ( P ) that does not contain any ⊡ or R ⋅ operators. The proof proceeds in three steps.
1) If, additionally, ϕ does not contain any ⇛ operators, by inspection of Table 2 we see that the corre-sponding LTL formulae ϕ j , for j ∈ { , , , } , defined in (4.3) are identical. Thus, the valuations W ( σ, ϕ j ) , j ∈ { , , , } , over any σ ∈ Σ ω are equal, and, hence, V ( σ, ϕ ) ∈ { , } .2) If ϕ is of the form φ ⇛ ψ , where neither φ nor ψ contain a ⇛ operator, then from the semantics of robustimplication in (3.13) we have that V ( σ, ϕ ) = V ( σ, φ ) ⪯ V ( σ, ψ ) , and that V ( σ, ϕ ) = V ( σ, ψ ) otherwise.Furthermore, from 1) V ( σ, φ ) , V ( σ, ψ ) ∈ { , } , and, hence, V ( ϕ, σ ) ∈ { , } .3) Finally, if ϕ ∈ rLTL ( P ) does not contain any ⊡ or R ⋅ operators, but may contain an arbitrary number of ⇛ operators, the same result follows simply by induction on the subformulae of ϕ .Therefore, if ϕ does not contain a ⊡ , or a R ⋅ operator, then it does not admit a weakened version . Equiva-lently, if ϕ admits a weakened version, then ϕ contains at least one ⊡ , or one R ⋅ operator. This concludes theproof. (cid:3) We use this proposition to determine when it is necessary to evaluate an implication robustly. Given an rLTLformula of the form ϕ ⇛ ψ , if the assumption ϕ does not admit a weakened version, then the implicationdoes not have to be evaluated robustly, and the LTL equivalence ¬ ϕ ∨ ψ can be used instead. The followingproposition formalizes this idea. Proposition 6.3. An rLTL ( P ) formula ϕ ⇛ ψ is semantically equivalent to ¬ ϕ ∨ ψ , i.e., for any σ ∈ Σ ω itholds that V ( σ, ϕ ⇛ ψ ) = V ( σ, ¬ ϕ ∨ ψ ) if ϕ does not contain any ⊡ or R ⋅ operators.Proof. Consider the rLTL formula ϕ ⇛ ψ , where ϕ does not contain a robust implication operator for sim-plicity. The valuation of ϕ ⇛ ψ over σ ∈ Σ ω , denoted by V ( σ, ϕ ⇛ ψ ) , is: V ( σ, ϕ ⇛ ψ ) = ( W ( σ, ⋀ j = ( ϕ j ⇒ ψ j )) , W ( σ, ⋀ j = ( ϕ j ⇒ ψ j )) , W ( σ, ⋀ j = ( ϕ j ⇒ ψ j )) , W ( σ, ϕ ⇒ ψ )) , (6.3)where ϕ j , ψ j , for j ∈ { , , , } , are defined in (4.3) by using the ltl operator according to Table 2. If ϕ contains no ⊡ and no R ⋅ , as described by Proposition 6.2, the LTL formulae ϕ j are identical. Let us denoteall of them by ϕ . Then V ( σ, ϕ ⇛ ψ ) becomes: ( W ( σ, ⋀ j = ( ϕ ⇒ ψ j )) , W ( σ, ⋀ j = ( ϕ ⇒ ψ j )) , W ( σ, ⋀ j = ( ϕ ⇒ ψ j )) , W ( σ, ϕ ⇒ ψ )) , (6.4)where we can see that, contrary to (6.3), all the antecedents are now identical. We now show that (6.4) isequal to: ( W ( σ, ϕ ⇒ ψ ) , W ( σ, ϕ ⇒ ψ ) , W ( σ, ϕ ⇒ ψ ) , W ( σ, ϕ ⇒ ψ )) . (6.5)For any σ ∈ Σ ω :1) Assume W ( σ, ϕ ) =
0. Then W ( σ, ϕ ⇒ ψ j ) = , for j ∈ { , , , } , and both (6.4) and (6.5) are equalto 1111.2) Assume W ( σ, ϕ ) =
1, and denote each truth value in B as: B = { , , , , } = { B [ ] , B [ ] , B [ ] , B [ ] , B [ ]} . If W ( σ, ψ j ) = j ∈ { , , , } , then both (6.4) and (6.5) are equal to B [ ] . Else, let k be the smallestelement of { , , , } such that W ( σ, ψ k ) =
1. Then, by (4.4), we have that W ( σ, ψ j ) ≥ W ( σ, ψ k ) for j ≥ k ,yielding W ( σ, ψ j ) = j ≥ k , which, in turn, implies that both (6.4) and (6.5) are equal to B [ − k ] .The above shows that (6.4) and (6.5) are equal when evaluated over any σ ∈ Σ ω . By using the LTL equivalencebetween ϕ j ⇒ ψ j and ¬ ϕ j ∨ ψ j , we have that (6.5) is equal to: ( W ( σ, ¬ ϕ ∨ ψ ) , W ( σ, ¬ ϕ ∨ ψ ) , W ( σ, ¬ ϕ ∨ ψ ) , W ( σ, ¬ ϕ ∨ ψ )) , (6.6)and, thus, equal to (6.4). This yields the desired equality V ( σ, ϕ ⇛ ψ ) = V ( σ, ¬ ϕ ∨ ψ ) . EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 21
The result for any ϕ ∈ rLTL ( P ) that does not contain any ⊡ , or R ⋅ operators, but may contain an arbitrarynumber of ⇛ operators, follows simply by induction on the subformulae of ϕ since neither the assumptions,nor the guarantees of these implications contain any ⊡ or R ⋅ operators. (cid:3) Finally, by Proposition 6.3 and the rLTL semantics in Table 2, we conclude that for any ϕ ∈ rLTL \{ ⇛ } ( P ) the value of V j ( σ, ϕ ) is independent of any bit i ≠ j . This concludes the objective of this section.6.3. Introducing temporal testers.
In this section, we review the concept of temporal testers [PZ08,KPR98]. Temporal testers are discrete transition systems equipped with justice conditions. One of theappeals of temporal testers is that they can be used to obtain automata recognizing infinite words that satisfyan LTL formula by composing testers recognizing its subformulae. For example, from testers for the formulae p U q and □ r , one can construct a tester for p U ( □ r ) by composing the testers for p U q and □ r using theconstraint q = □ r . We start by providing the necessary definitions. Definition 11.
A temporal tester for an LTL formula ϕ ∈ LTL ( P ) is a tuple T ϕ = ( S, Θ , R, J ) where: • S is the set of states, S ⊆ B cl ( ϕ ) . Each state x ∈ S is a function x ∶ cl ( ϕ ) → B mapping a formula ψ ∈ cl ( ϕ ) to an element of B . We denote the evaluation of x on ψ as x ψ and interpret it as the truthvalue of ψ at the state x . • Θ ⊆ S is a set of initial states. • R ⊆ S × S is a transition relation. • J = { J , . . . , J K } ⊆ S is the set of justice requirements, where J ⊆ S for each J ∈ J .A computation of a tester is an infinite sequence of states γ = x ( ) x ( ) . . . such that x ( ) ∈ Θ , ( x ( i ) , x ( i + ) ) ∈ R for i ≥ , and for every J ∈ J , γ contains infinitely many states x ( i ) ∈ J . Given a computation γ , we let σ ( γ ) ∈ ( P ) ω be the word σ ( γ ) = σ ( γ ) σ ( γ ) . . . where σ i ( γ ) is the subset of P defined by p ∈ σ i ( γ ) if andonly if x ( t ) p = . It is easily verified that the above definition of a temporal tester is equivalent to the one in [PZ08, KPR98].
Example 3 (A tester for the until operator adapted from [PZ08]) . A tester for p U q , where p and q areatomic propositions, is as follows: (6.7) T p U q ∶ ⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨⎪⎪⎪⎪⎪⎪⎪⎪⎩ S = { x ( ) , x ( ) , x ( ) , x ( ) , x ( ) } , Θ = S,R = {( x, x ′ ) ∈ S × S ∣ x p U q = x q ∨ ( x p ∧ x ′ p U q )} , J = { J } , J = { x ∈ S ∣ ¬ x p U q ∨ x q = } . The above tester can be represented as an automaton with , see Figure 1a.
In the general case, the tester T ϕ U ψ , where ϕ and ψ are LTL ( P ) formulae, is constructed by composition of thetesters for their subformulae. The following definition is adapted from [KPR98, Section 3.2], [PZ08, Section7]. Definition 12 (Composition of Temporal Testers) . The synchronous parallel composition of two testers is ( S, Θ , R, J ) = ( S , Θ , R , J ) ( S , Θ , R , J ) , where S = S ∪ S , Θ = Θ ∩ Θ , R = R ∩ R , and J = J ∪ J .(1) For a unary LTL operator op , a tester T op ( ϕ ) is given by T op ( p )∣ p ← ϕ T ϕ , where the subscript p ← ϕ denotes that we replace every instance of x p and x op ( p ) in the first tester, by x ϕ and x op ( ϕ ) respectively.(2) For a binary LTL operator op , a tester T op ( ϕ ,ϕ ) is given by T op ( p,q )∣ p ← ϕ ,q ← ϕ T ϕ T ϕ , where wereplace every instance of x p , x q and x op ( p,q ) in the first tester, by x ϕ , x ϕ and x op ( ϕ ,ϕ ) respectively. x p , x q , x p U q ¯ x p , x q , x p U q x p , ¯ x q , ¯ x p U q x p , ¯ x q , x p U q ¯ x p , ¯ x q , ¯ x p U q (a) Tester T p U q . x p , x ◇ p ¯ x p , x ◇ p ¯ x p , ¯ x ◇ p (b) Tester T ◇ p . ¯ x p , ¯ x □ p x p , ¯ x □ p x p , x □ p (c) Tester T □ p . x p , x □ p , x ◇□ p x p , ¯ x □ p , ¯ x ◇□ p ¯ x p , ¯ x □ p , x ◇□ p x p , ¯ x □ p , x ◇□ p ¯ x p , ¯ x □ p , ¯ x ◇□ p (d) Tester T ◇□ p with two disjoint components. Figure 1.
At each state, for a subformula ψ , x ψ denotes x ψ =
1, and ¯ x ψ denotes x ψ =
0. Allstates are valid initial states. The double line states are contained in the justice requirement.By using the identities ◇ p = true U p , □ p = ¬ ◇ ¬ p , and T p U q , we construct T ◇ p and T □ p , which are shown inFigures 1b and 1c. By composing them, we obtain T ◇□ p , shown in Figure 1d. Such testers play an importantrole in proving smaller upper bounds for the rLTL model-checking problem. Towards this, the following resultsfrom [APNT18] provide recursive bounds on the size of a tester T ϕ for an LTL ( P ) formula ϕ . Definition 13 (Size of a tester) . Given a tester T ϕ for ϕ ∈ LTL ( P ) , let ∣ T ϕ ∣ denote its size, i.e., the numberof its states, and let ∣ T ϕ ∣ i be the number of states where x ϕ = i . Then, for any formulae ϕ, ψ ∈ LTL ( P ) , and i, j, k ∈ B : • for any unary operator op , ∣ T op ( ϕ ) ∣ i,j is the number of states where x ϕ = i, x op ( ϕ ) = j , • for any binary operator op , ∣ T op ( ϕ ,ϕ ) ∣ i,j,k is the number of states where x ϕ = i, x ψ = j, x op ( ϕ,ψ ) = k . The number of states in a tester can be decomposed as follows for any ϕ, ψ ∈ LTL ( P ) : ∣ T op ( ϕ ) ∣ = ∑ i,j ∣ T op ( ϕ ) ∣ i,j , ∣ T op ( ϕ ,ϕ ) ∣ = ∑ i,j,k ∣ T op ( ϕ ,ϕ ) ∣ i,j,k . Proposition 6.4.
Let p, q be two atomic propositions in P , ψ , ψ ∈ LTL ( P ) be two LTL formulae, and op denote an LTL operator. The following holds: ∣ T op ( ψ ) ∣ i,j ≤ ∣ T ψ ∣ i ⋅ ∣ T op ( p ) ∣ i,j , (6.8) ∣ T op ( ψ ,ψ ) ∣ i,j,k ≤ ∣ T ψ ∣ i ⋅ ∣ T ψ ∣ j ⋅ ∣ T op ( p,q ) ∣ i,j,k . (6.9) EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 23
Corollary 6.5 (Recursive Bounds) . Consider a tester T ϕ for ϕ ∈ LTL ( P ) . The following recursive boundshold on its number of states ∣ T ϕ ∣ :if ϕ is p ∈ P ∶ ∣ T ϕ ∣ = , (6.10) if ϕ is ¬ ψ ∶ ∀ i, j ∶ ∣ T ¬ ψ ∣ i,j = {∣ T ψ ∣ i , if i ≠ j, otherwise , , (6.11) if ϕ is op ( ψ ) , op ∈ { ◇ , □ , ◯ } ∶ ∣ T ϕ ∣ ≤ ⋅ ∣ T ψ ∣ , (6.12) if ϕ is ◇ □ ψ ∶ ∣ T ϕ ∣ = ∣ T ◇□ ψ ∣ ≤ ⋅ ∣ T ψ ∣ , (6.13) if ϕ is op ( ψ , ψ ) , op ∈ { ∨ , ∧ , ⇒ } ∶ ∣ T ϕ ∣ ≤ ∣ T ψ ∣ ⋅ ∣ T ψ ∣ , and (6.14) if ϕ is ψ U ψ or ϕ is ψ R ψ ∶ ∣ T ϕ ∣ ≤ ⋅ ∣ T ψ ∣ ⋅ ∣ T ψ ∣ . (6.15)Similarly to LTL, see Corollary 2.2, the complexity of the rLTL model-checking problem is proportional tothe size of the GBAs constructed, see Theorem 5.1. Hence, we are motivated to construct GBAs with thesmallest possible number of states and accepting conditions. We focus on elementary temporal testers arisingin the study of rLTL formulae and use them to construct smaller GBAs using the following remark. Remark 3 (Link with Generalized B¨uchi Automata) . For any tester T ϕ = ( S, Θ , R, J ) , one can construct aGBA G ϕ = ( Q, Σ , Q , ∆ , F ) whose runs correspond to the computations of the tester as follows: • Q = S , Q = { x ∈ Θ ∣ x ϕ = } , and F = J . • ( q, σ, q ′ ) ∈ ∆ if and only if ( q, q ′ ) ∈ R and σ = { p ∈ P ∣ q ′ p = } .Notice the relation between Q and Θ . Since T ϕ detects whether a computation satisfies ϕ or ¬ ϕ , in order toobtain a GBA G ϕ whose runs satisfy ϕ , it suffices to remove from Θ any state x satisfying x ϕ = . Remark 4 (Justice requirements) . In T p U q , and therefore in T ◇ p , T □ p , the number of justice requirements J ∈ J is always 1. Following Definition 12, the composition T ◇□ p = T ◇ p ∣ p ← □ p T □ p has two justice require-ments: J = { x ∈ S ∣ ¬ x ◇□ p ∨ x □ p = } ∪ { x ∈ S ∣ x □ p ∨ ¬ x p = } . The two justice requirements are met simultaneously at the states ( x p , x □ p , x ◇□ p ) and ( ¯ x p , ¯ x □ p , ¯ x ◇□ p ) . In lightof this, we use J = { x ∈ S ∣ ( x p ∧ x □ p ∧ x ◇□ p ) ∨ ¬ ( x p ∨ x □ p ∨ x ◇□ p ) = } for the tester in Figure 1d,while preserving the computations of T ◇□ p = T ◇ p ∣ p ← □ p T □ p . In this regard, the tester T ◇□ p in Figure 1d isoptimized. We are now ready to proceed onto constructing smaller, specialized GBAs for the fragment rLTL \{ ⇛ } ( P ) andprove the refined complexity upper bounds.6.4. Refined complexity bounds.
The next lemma is integral to providing the promised complexity boundsof Theorem 6.1.
Lemma 6.6.
Given a set of atomic propositions P , for any ϕ ∈ rLTL \{ ⇛ } ( P ) , and for any j ∈ { , , , } : (6.16) ∣ T ltl ( j,ϕ ) ∣ ≤ ∣ ϕ ∣ − κ ( ϕ ) κ ( ϕ ) , where κ ( ϕ ) = card ({ ψ ∈ cl ( ϕ ) ∣ ψ = ⊡ ψ }) + card ({ ψ ∈ cl ( ϕ ) ∣ ψ = ψ R ⋅ ψ }) , i.e., the number of distinctsubformulae of ϕ of the form ⊡ ψ and ψ R ⋅ ψ , and ∣ ϕ ∣ is the length of ϕ .Proof. To maintain a streamlined presentation we provide a sketch of the proof here. The full proof ofLemma 6.6 is found in Appendix A.
Algorithm 1:
Model-checking algorithm for the rLTL \{ ⇛ } ( P ) fragment. Input:
A language L ( G ) generated by a GBA G , and a formula ϕ ∈ rLTL \{ ⇛ } ( P ) . Output:
The truth value of ϕ on L ( G ) , i.e., b ( L ( G ) , ϕ ) ∈ B . for j = , , , do w ∶ = inf σ ∈ L ( G ) W ( σ, ltl ( − j, ϕ )) . if w = thenreturn B [ j ] return B [ ] Given any ϕ ∈ rLTL \{ ⇛ } ( P ) we prove the claimed bound on ∣ T ltl ( j,ϕ ) ∣ , j ∈ { , , , } , by induction on thelength of the formula for all operators except for the R ⋅ operator. In the base case where ϕ is of length 1, i.e.,an atomic proposition, (6.16) is satisfied as an equality given (6.10). For the induction step, if ϕ is of the formop ( ψ ) , with op any unary rLTL operator, or of the form op ( ψ , ψ ) , with op any binary operator except for R ⋅ , then the claim in (6.16) is proved using (6.11) through (6.15).Finally, in the case of the R ⋅ operator we construct specialized testers for each bit, which we prove to be correctand to satisfy the claimed bound (6.16) in the Appendix. (cid:3) So far, Lemma 6.6 shows that we can construct specialized temporal testers of smaller size. These, in turn,can be used to construct smaller GBAs as per Remark 3. To conclude the proof of Theorem 6.1, we con-sider Algorithm 1 for rLTL model-checking. This algorithm model-checks the LTL formulae correspondingto each bit of the truth value of an rLTL formula, and by exploiting the order of the truth values in B ,0000 ≺ ≺ ≺ ≺ L ( G ) generated by a GBA G , and assume we wish to model-check a formula ϕ of the form ψ ⇛ ψ ∈ rLTL \{ ⇛ } ( P ) , as defined in (6.1). Denote, again, each truth value in B as: B = { , , , , } = { B [ ] , B [ ] , B [ ] , B [ ] , B [ ]} . Let b ( L ( G ) , ϕ ) ∈ B be the computed truth value. Algorithm 1 first model-checks the corresponding LTLformula ϕ , which is of the form ltl ( , ψ ) ⇒ ltl ( , ψ ) . From Lemma 6.6 and Remark 3, this first model-checking step makes use of an automaton with the number of states as in (6.2). There are two possibleoutcomes:1) the formula is not satisfied, then b ( L ( G ) , ϕ ) = B [ ] , the algorithm terminates, and Theorem 6.1 holds;2) the formula is satisfied, i.e., b ( L ( G ) , ϕ ) ⪰ B [ ] , and we need to check bit 3.However, having checked bit 4, and given that neither ψ , nor ψ contain a ⇛ operator since they belong inrLTL \{ ⇛ } ( P ) , it follows from the semantics in Table 2 that V ( σ, ϕ ) = W ( σ, ltl ( , ψ ) ⇒ ltl ( , ψ )) . We can,hence, perform a second model-checking step, using an automaton with size, again, as in (6.2), and decide if b ( L ( G ) , ϕ ) = B [ ] or b ( L ( G ) , ϕ ) ⪰ B [ ] . The two other bits are computed similarly if needed.Overall, the number of model-checking steps that the algorithm goes through depends on b ( L ( G ) , ϕ ) . If wehave exactly ℓ < ℓ + ℓ is valued 1 and that the next bit is valued 0. The fourth verification disambiguates between thevalues B [ ] and B [ ] . Hence, if b ( L ( G ) , ϕ ) = B [ ℓ ] , we do min ( ℓ + , ) model-checking steps. Consequently,by using Algorithm 1, the rLTL model-checking problem for any ϕ ∈ rLTL \{ ⇛ } ( P ) is solved by performingat most 4 LTL model-checking steps, each using an automaton with at most O ( ∣ ϕ ∣ − κ ( ϕ ) κ ( ϕ ) ) states. Thisconcludes the proof of Theorem 6.1 and this section. EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 25 Case studies
In the introduction we argued that system correctness is not sufficient for a good design as the system needsto also be robust. Towards this goal, we now provide a series of case studies that exemplify the usefulness ofrLTL when compared to standard LTL. For rLTL model-checking we use Evrostos [ANPT19]. Evrostos is atool for verifying rLTL specifications in the rLTL \{ ⇛ } ( P ) fragment, and it is built on top of an LTL model-checker. Currently, it supports two modes: (1) smv-mode , which uses NuSMV [CCG +
02] as the underlyingmodel-checker; and (2) pml-mode , which uses SPIN [Hol97]. In this section, we compare rLTL and LTLverification in terms of the ability to guarantee robustness, the information provided via verification, andthe computational costs. Our case studies showcase the advantages of verification in the proposed fragmentrLTL \{ ⇛ } ( P ) :1) the designer is able to identify a non-robust system, which cannot be directly done with standard LTL;2) the designer gains access to fine-grained information about the degree of specification violations, whichcan be useful towards improving the design; and3) the computational overhead that incurs with respect to LTL model-checking is relatively small.7.1. Case study 1: Aircraft Wheel Brake System (WBS).
For our first case study, we revisit theaircraft WBS described in the Aerospace Information Report (AIR) 6110 [oAES11]. As aerospace systems havebecome more complex and integrated with the passing of time, it is essential that their development proceedsin a systematic way that minimizes development errors. Towards this, the Federal Aviation Administration(FAA) has specified methods and guidelines [oAES96, oAES10] for equipment manufacturers, e.g., Boeingand Airbus, to guarantee that the development of products and the final products themselves meet thenecessary performance and safety requirements. AIR6110 provides an application of the specified processes[oAES96, oAES10] to the non-proprietary example of a WBS. The WBS comprises a complex hydraulic plantmanaging two landing gears, each with four wheels, and controlled by an independent computer system withdifferent operation modes.An extended formal verification of the WBS is found in [BCFP +
15] and the models used can be found inthe references therein. The formal modeling and analysis are based on the integration of the contract-baseddesign tool OCRA [CDT13], the model-checker nuXmv [CCD + .smv models provided and model-check the requiredproperties using Evrostos [ANPT19].7.1.1. Formal specifications:
A number of safety requirements from the AIR6110 document are formalized inLTL and are expressed as reactive specifications, where the assumption is on the environment of the WBSand the guarantee is the exact safety specification [BCFP + “S18-WBS-R-0325-wheelX: never inadvertent braking of wheel X without locking” . The environment assumption for thesafety specifications is that “at all times the power of the system is on, the power of the hydraulic pumpsis on, and the hydraulic supplies maintain their nominal values” . The above assumption and guarantee areformalized as a reactive LTL specification: □ ( ⋀ i = power i 2 ⋀ i = pump power i 2 ⋀ i = hydraulic supply i = ) ⇒ (7.1) □ ¬ ( ¬ mechanical pedal L ∧ wheel status = rolling ∧ wheel braking force > ∧ ground speed > ) , where power i , pump power i , hydraulic supply i are the i -th system’s power, pump power (both boolean),and hydraulic supply (integer) respectively, mechanical pedal L (boolean) is true if the left pedal is pressed, Evrostos is available at: https://github.com/janis10/evrostos. NuSMV is available at: http://nusmv.fbk.eu. SPIN is available at: http://spinroot.com. ground speed (integer) is the aircraft’s current speed relative to the ground, wheel status is either rollingor stopped, and wheel braking force (integer) is the force applied by the brakes to the wheel.The development of the WBS in the AIR6110 document is described through four evolutionary architectures:1) Arch1: comprises one Braking System Control Unit (BSCU) and one Hydraulic Circuit (HC) backed byan accumulator.2) Arch2: includes additional backup components, i.e., two BSCUs, a green HC, and a blue HC.3) Arch3: the two BSCUs of the control system are replaced by one dual channel BSCU.4) Arch4: accumulator placement is modified, a link from the control system validity to the selector valve inthe physical system is added.For more details see [BCFP + Example scenario:
We consider the Arch4 architecture and investigate how rLTL identifies a non-robustsystem, which cannot be directly done in LTL. While the nominal Arch4 model is correct and robust, weintroduce a modification that makes it non-robust. In particular, we inject a bug in the sensor of the leftpedal that makes it periodically miss the pressing of the pedal. This results in the BSCU not always receivingan electrical signal when the left pedal is pressed. To demonstrate our case, we consider a scenario where theenvironment assumption is violated finitely many times. This is reasonable as during the course of a flight,there can be perturbations to the environment assumption, but we expect the assumption to stabilize andnot fail catastrophically. For example, the power input of the system might be interrupted, but eventuallybecomes stable.Model-checking separately the guarantee in (7.1) under the model with the sensor bug returns false . Model-checking separately the assumption in (7.1) under the environment scenario above returns false . However,model-checking the LTL specification in (7.1) under the discussed scenario returns true . This is a consequenceof the fact that in LTL, violation of the assumption leads to vacuous satisfaction of the specification.In contrast to LTL model-checking, we evaluate the corresponding rLTL reactive specification: ⊡ ( ⋀ i = power i 2 ⋀ i = pump power i 2 ⋀ i = hydraulic supply i = ) ⇛ (7.2) ⊡ ¬ ( ¬ mechanical pedal L ∧ wheel status = rolling ∧ wheel braking force > ∧ ground speed > ) . Using Evrostos, the resulting rLTL truth value is 0011. This is interpreted as the guarantee being both satisfiedand violated infinitely often under the environment of this scenario. To be more precise, the assumption iseventually always satisfied, meaning that its truth value is 0111. However, the sensor pedal does not alwayspick up the pressing of the left pedal, meaning that it misses infinitely often during a system execution and,hence, the truth value of the guarantee is 0011. By the semantics of robust implication in (3.13) we expectthe truth value of the specification to be 0011, which is what Evrostos returns.The above case study demonstrates the fact that the LTL implication cannot provide any actual informationabout the guarantee of a reactive specification whenever the assumption fails. Contrary, the rLTL implicationdoes really verify whether a guarantee is satisfied, is violated, and to what degree.7.2.
Case study 2: Meaningful reactivity rLTL patterns.
For the second case study, we exhibit thepracticality of the proposed fragment rLTL \{ ⇛ } ( P ) in Definition 9, and illustrate how rLTL provides moreinsight when a specification is violated compared to LTL. We first consider reactivity patterns of practicalimportance that occur commonly in the specification of concurrent and reactive systems [DAC99]. Typicalbehaviors include the occurrence of a given event during system execution, such as absence, existence, anduniversality, or the relative order in which multiple events occur during system execution, such as precedenceand response. The following corollary stems from studying all the relevant LTL patterns [DAC99]. The files to replicate this case study are available at: https://github.com/janis10/evrostos/tree/master/case studies/WBS.
EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 27
Table 3.
Frequency of occurrence for each different rLTL truth value for 160 properties fromthe RERS benchmark. rLTL Truth Value1111 0111 0011 0001 0000Frequency (160 formulae) 53 .
75% 13 .
75% 25 . . . − .
43% 58 .
57% 10% 0%
Corollary 7.1.
The relevant reactivity patterns [DAC99] fall under the rLTL \{ ⇛ } ( P ) fragment, as describedin Definition 9, when written in rLTL. It is the case for all these patters that the antecedent of any nested implication does not contain a □ or a R operator. Hence, the same holds for their rLTL counterparts. By Proposition 6.3, we can equivalently writeany robust implication formula ϕ ⇛ ψ in these patterns, as ¬ ϕ ∨ ψ , which makes them immediately part ofthe efficient fragment rLTL \{ ⇛ } ( P ) . We verified this for the 97 LTL formulae in [DAC99]. Remark 5.
A number of the patterns [DAC99] are expressed using the “weak until” operator W , which isrelated to the U operator by the LTL semantic equivalence between p W q and p U ( q ∨ □ p ) , and to the R operator by the LTL semantic equivalence between p W q and q R ( q ∨ p ) . It can be verified that in the contextof rLTL, only the second equivalence captures the desired meaning of a robust version of the W operator.Therefore, to obtain the rLTL versions of these patterns, we first replace every subformula of the form p W q with q R ( q ∨ p ) . Benchmark: Rigorous Examination of Reactive Systems (RERS).
The second goal of this case studyis to showcase how rLTL provides more fine-grained information when a specification is violated, as opposedto LTL, by mapping an LTL false boolean value to different shades of false. To show this, we utilize thebenchmarks found in the RERS Challenge [RER20]. The RERS Challenge contains a rich repository ofproblems of increasing complexity.Using available benchmarks, we analyze meaningful reactive specifications that fall under the patterns [DAC99],that is 160 formulae spanning from RERS 2016 to RERS 2019. We use the provided .pml models fromthe RERS LTL parallel track and evaluate the rLTL counterparts of the specifications therein using Evros-tos [ANPT19]. Our findings are summarized in Table 3. The considered set is balanced between falsified and satisfied specifications. Focusing on the falsified formulae,one appreciates the variation of the different shades of false that rLTL provides. More specifically, Table3 indicates that, empirically, it is rarely the case that a falsified reactive specification fails catastrophically.The results suggest that a weaker version holds most of the times. In particular, when looking only at theformulae that do admit a weaker version according to Proposition 6.2, the value 0000 is not observed at all. Tobetter interpret the above analysis, consider as an example the truth value 0111. This value can be actuallyunderstood as “the safety specification holds with a delay”, i.e., it is violated only finite times over any infinitetrace of the system. This information can guide the designer towards more efficiently fixing the faulty model, soas to trace the root of the problem, or can provide insight about modifying a possibly inaccurate specification.7.3.
Case study 3: Studying the complexity blowup between LTL and rLTL.
For our last experi-ment, we aim to meaningfully compare the runtimes between LTL model-checking, and rLTL model-checkingin the fragment rLTL \{ ⇛ } ( P ) . Towards this, we study the time complexity blowup , ζ , between LTL and rLTL,which is defined below.The complexity of the rLTL model-checking problem for any ϕ ∈ rLTL \{ ⇛ } ( P ) , with respect to the GBAconstructed for ϕ , is between O ( ∣ ϕ ∣ ) and O ( ∣ ϕ ∣ ) as Theorem 6.1 establishes. Similarly, the complexity of The files to replicate this case study are available at: https://github.com/janis10/evrostos/tree/master/case studies/RERS. rLTL Times (sec.)min ( t rLTL ) max ( t rLTL ) mean ( t rLTL ) ( t LTL ) max ( t LTL ) mean ( t LTL ) ( ζ ) max ( ζ ) mean ( ζ ) − rLTL runtimes (sec.) L T L r un t i m e s ( s ec . ) Figure 2.
Automated Air Traffic Control System. Left: minimum, maximum, and meanruntimes for rLTL and LTL model-checking, and time complexity blowup between rLTL andLTL. Right: Comparison between runtimes for rLTL and LTL (logarithmic scale). Computedover 24 experiments.the LTL model-checking problem for the corresponding LTL formula ϕ is O ( ∣ ϕ ∣ ) . Recall ϕ is obtained asthe LTL version of ϕ simply by substituting the rLTL operators with their LTL counterparts. Let the timesrequired to solve the LTL and the rLTL model-checking problems be t LT L and t rLT L respectively. We knowthat t LT L is proportional to 2 ∣ ϕ ∣ , and notice that ∣ ϕ ∣ = ∣ ϕ ∣ . Furthermore, t rLT L ≥ t LT L , and, hence, we canwrite t rLT L = ζ ∣ ϕ ∣ , ζ ≥
1. Then, we ask what is the exponent ζ that describes the overhead, i.e., what is thetime complexity blowup. From the expressions above we obtain: ζ = + log ( t rLTL t LTL )∣ ϕ ∣ . (7.3)Since the time complexity of rLTL model-checking for the proposed fragment rLTL \{ ⇛ } ( P ) is proportional toat most 3 ∣ ϕ ∣ , we have an upper bound for ζ of log ( ) = . ∣ ϕ ∣ for a formula ϕ ∈ rLTL \{ ⇛ } ( P ) . However, observe that the time complexityblowup, ζ , is well below this upper bound, even at its maximum value in this benchmark, meaning that theempirical time complexity of rLTL for the fragment we consider is close to that of LTL.8. Conclusion
The logic rLTL provides a means to formally reason about both correctness and robustness in system design.While its syntax closely resembles that of LTL to ease its adoption, its semantics embeds a notion of robustnessexpressing that small deviations from the assumptions made at design time should lead to, at most, smallviolations of the design specifications. In this paper we presented a large fragment of rLTL, for which theverification problem can be efficiently solved by using an automaton of size O ( ∣ ϕ ∣ − κ ( ϕ ) κ ( ϕ ) ) , where κ ( ϕ ) measures the number of unique subformulae of ϕ that contain always and release operators. This bound is EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 29 closer to the LTL bound of O ( ∣ ϕ ∣ ) and an improvement to the previously known bound of O ( ∣ ϕ ∣ ) . Theusefulness of this fragment has been demonstrated by a number of case studies showing its expressiveness,the ability to capture robustness, and the benefits of the information the designer gains from the 5-valuedsemantics towards refining the system and/or the specifications. Moreover, these advantages come at lowcomputational overhead with respect to LTL model-checking, and a small learning curve from the designer asthe syntax of rLTL closely mirrors that of LTL. References [ABK16] Shaull Almagor, Udi Boker, and Orna Kupferman. Formally reasoning about quality.
J. ACM , 63(3), June 2016.[AK14] Shaull Almagor and Orna Kupferman. Latticed-ltl synthesis in the presence of noisy inputs. In Anca Muscholl, editor,
Foundations of Software Science and Computation Structures , pages 226–241, Berlin, Heidelberg, 2014. SpringerBerlin Heidelberg.[ANPT19] Tzanis Anevlavis, Daniel Neider, Matthew Phillipe, and Paulo Tabuada. Evrostos: The rLTL Verifier. In
Proceedingsof the 22nd ACM International Conference on Hybrid Systems: Computation and Control , HSCC ’19, pages 218–223,New York, NY, USA, 2019. Association for Computing Machinery.[APNT18] T. Anevlavis, M. Philippe, D. Neider, and P. Tabuada. Verifying rLTL formulas: now faster than ever before! In , pages 1556–1561, Dec 2018.[BCES19] R. Bloem, H. Chockler, M. Ebrahimi, and O. Strichman. Synthesizing reactive systems using robustness and recoveryspecifications. In , pages 147–151, Oct 2019.[BCFP +
15] M. Bozzano, A. Cimatti, A. Fernandes Pires, D. Jones, G. Kimberly, T. Petri, R. Robinson, and S. Tonetta. Formaldesign and safety analysis of AIR6110 wheel brake system. In Daniel Kroening and Corina S. P˘as˘areanu, editors,
Computer Aided Verification , pages 518–535, Cham, 2015. Springer International Publishing.[BCG +
10] R. Bloem, K. Chatterjee, K. Greimel, T.A. Henzinger, and B. Jobstmann. Robustness in the presence of liveness. InTayssir Touili, Byron Cook, and Paul Jackson, editors,
Computer Aided Verification , volume 6174 of
Lecture Notesin Computer Science , pages 410–424. Springer Berlin Heidelberg, 2010.[BCG +
14] Roderick Bloem, Krishnendu Chatterjee, Karin Greimel, Thomas A. Henzinger, Georg Hofferek, Barbara Jobstmann,Bettina K¨onighofer, and Robert K¨onighofer. Synthesizing robust systems.
Acta Informatica , 51(3):193–220, 2014.[BJP +
12] R. Bloem, B. Jobstmann, N. Piterman, A. Pnueli, and Y. Saar. Synthesis of reactive(1) designs.
Journal of Computerand System Sciences , 78(3):911–938, January 2012.[BKL08] Christel Baier, Joost-Pieter Katoen, and Kim Guldstrand Larsen.
Principles of model checking . MIT press, 2008.[CCD +
14] Roberto Cavada, Alessandro Cimatti, Michele Dorigatti, Alberto Griggio, Alessandro Mariotti, Andrea Micheli, SergioMover, Marco Roveri, and Stefano Tonetta. The nuXmv symbolic model checker. In Armin Biere and Roderick Bloem,editors,
Computer Aided Verification , pages 334–342, Cham, 2014. Springer International Publishing.[CCG +
02] Alessandro Cimatti, Edmund M. Clarke, Enrico Giunchiglia, Fausto Giunchiglia, Marco Pistore, Marco Roveri,Roberto Sebastiani, and Armando Tacchella. NuSMV 2: An OpenSource Tool for Symbolic Model Checking. In
Proceedings of the 14th International Conference on Computer Aided Verification , CAV ’02, pages 359–364, London,UK, UK, 2002. Springer-Verlag.[CDT13] Alessandro Cimatti, Michele Dorigatti, and Stefano Tonetta. OCRA: A tool for checking the refinement of temporalcontracts. In
Proceedings of the 28th IEEE/ACM International Conference on Automated Software Engineering ,ASE’13, pages 702–705. IEEE Press, 2013.[CGL10] Swarat Chaudhuri, Sumit Gulwani, and Roberto Lublinerman. Continuity analysis of programs. In
Proceedings ofthe 37th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages , POPL ’10, pages57–70, New York, NY, USA, 2010. Association for Computing Machinery.[CGP99] E. M. Clarke, O. Grumberg, and D. Peled.
Model Checking . MIT Press, 1999.[CHVB18] Edmund M. Clarke, Thomas A. Henzinger, Helmut Veith, and Roderick Bloem.
Handbook of Model Checking .Springer, 2018.[CMP93] E. Chang, Z. Manna, and A. Pnueli. The safety-progress classification. In F. L. Bauer, W. Brauer, and H. Schwicht-enberg, editors,
Logic and Algebra of Specification , volume 94 of
NATO ASI Series , pages 143–202. Springer Verlag,1993.[DAC99] Matthew B. Dwyer, George S. Avrunin, and James C. Corbett. Patterns in property specifications for finite-stateverification. In
Proceedings of the 21st International Conference on Software Engineering , ICSE ’99, pages 411–420,New York, NY, USA, 1999. Association for Computing Machinery.[DM10] Alexandre Donz´e and Oded Maler. Robust satisfaction of temporal logic over real-valued signals. In KrishnenduChatterjee and Thomas A. Henzinger, editors,
Formal Modeling and Analysis of Timed Systems , pages 92–106,Berlin, Heidelberg, 2010. Springer Berlin Heidelberg.[(FB14] Embedded Systems Unit Fondazione Bruno Kessler (FBK). XSAP User Manual. 2014.[FP09] Georgios E. Fainekos and George J. Pappas. Robustness of temporal logic specifications for continuous-time signals.
Theoretical Computer Science , 410(42):4262–4291, September 2009. [H´98] P. H´ajeck.
Metamathematics of Fuzzy Logic , volume 4 of
Trends in Logic - Studia Logica Library . Kluwer AcademicPublishers, 1998.[Hol97] G.J. Holzmann. The model checker spin.
IEEE Transactions on Software Engineering , 23(5):279–295, 1997.[JT51] B. Jonsson and A. Tarski. Boolean algebras with operators. Part I.
American Journal of Mathematics , 73(4):891 –939, 1951.[KL07] Orna Kupferman and Yoad Lustig. Lattice automata. In Byron Cook and Andreas Podelski, editors,
Verification,Model Checking, and Abstract Interpretation , pages 199–213, Berlin, Heidelberg, 2007. Springer Berlin Heidelberg.[KPR98] Yonit Kesten, Amir Pnueli, and Li-on Raviv. Algorithmic verification of linear temporal logic specifications. In
International Colloquium on Automata, Languages, and Programming , pages 1–16. Springer, 1998.[LP85] Orna Lichtenstein and Amir Pnueli. Checking that finite state concurrent programs satisfy their linear specification.In
Proceedings of the 12th ACM SIGACT-SIGPLAN symposium on Principles of programming languages , pages97–107. ACM, 1985.[MP87] Z. Manna and A. Pnueli. A hierarchy of temporal properties. In
Proceedings of the Sixth Annual ACM Symposiumon Principles of Distributed Computing , PODC ’87, pages 205–205, New York, NY, USA, 1987. ACM.[MS09] R. Majumdar and I. Saha. Symbolic robustness analysis. In , pages355–363, Dec 2009.[NPM99] V. Nov´ak, I. Perfilieva, and J. Mˇockoˇr.
Mathematical Principles of Fuzzy Logic . Kluwer Academic Publishers, 1999.[oAES96] Society of Automotive Engineers (SAE). ARP4761 guidelines and methods for conducting the safety assessmentprocess on civil airborne systems and equipment. December 1996.[oAES10] Society of Automotive Engineers (SAE). ARP4754A guidelines for development of civil aircraft and systems. Decem-ber 2010.[oAES11] Society of Automotive Engineers (SAE). AIR6110, contiguous aircraft/system development process example. Decem-ber 2011.[Pri09] G. Priest. Dualising Intuitionist Logic.
Principia , 13(2):165 – 184, 2009.[PW97] D. Peled and T. Wilke. Stutter-invariant temporal properties are expressible without the next-time operator.
Inf.Process. Lett. , 63:243–246, 1997.[PZ08] Amir Pnueli and Aleksandr Zaks. On the merits of temporal testers. In
25 Years of Model Checking , pages 172–195.Springer, 2008.[RBNG16] Alena Rodionova, Ezio Bartocci, Dejan Nickovic, and Radu Grosu. Temporal logic as filtering. In
Proceedings of the19th International Conference on Hybrid Systems: Computation and Control , HSCC ’16, pages 11–20, New York,NY, USA, 2016. Association for Computing Machinery.[RER20] RERS. Rigorous Examination of Reactive Systems (RERS) Challenge. 2010-2020.[Sch02] Philippe Schnoebelen. The complexity of temporal logic model checking.
Advances in modal logic , 4(393-436):35,2002.[TN15] Paulo Tabuada and Daniel Neider. Robust linear temporal logic. 1510.08970. arXiv, 2015.[TN16] Paulo Tabuada and Daniel Neider. Robust linear temporal logic.
Computer Science Logic 2016 , 2016.[TTC +
13] Y.-K. Tsay, M.-H. Tsai, J.-S. Chang, Y.-W. Chang, and C.-S. Liu. B¨uchi store: An open repository of ω -automata. International Journal on Software Tools for Technology Transfer , 2(15):109–123, 2013.[TUS +
17] Takashi Tomita, Atsushi Ueno, Masaya Shimakawa, Shigeki Hagihara, and Naoki Yonezaki. Safraless ltl synthesisconsidering maximal realizability.
Acta Informatica , 54(7):655–692, 2017.[VW86] Moshe Y Vardi and Pierre Wolper. An automata-theoretic approach to automatic program verification. In
Proceedingsof the First Symposium on Logic in Computer Science , pages 322–331. IEEE Computer Society, 1986.[ZGK20] Changjian Zhang, David Garlan, and Eunsuk Kang. A behavioral notion of robustness for software systems. In
Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on theFoundations of Software Engineering , ESEC/FSE 2020, pages 1–12, New York, NY, USA, 2020. Association forComputing Machinery.[ZR14] Yang Zhao and Kristin Yvonne Rozier. Formal Specification and Verification of a Coordination Protocol for anAutomated Air Traffic Control System.
Sci. Comput. Program. , 96(P3):337–353, December 2014.
Appendix A. Proof of Lemma 6.6
Proof.
The proof follows from the rLTL semantics as defined in Table 2, Proposition 6.4, and Corollary 6.5.We proceed by induction for all operators except for the R ⋅ operator, for which we construct a specializedtester. Base Case . Take a formula ϕ ∈ rLTL \{ ⇛ } ( P ) of length 1, i.e., ϕ is p ∈ P . Then we get ∣ T p ∣ = ∣ ϕ ∣ =
2, whichis the higher possible number of states here, and the claim holds.
Induction . First, consider formulae ϕ ∈ rLTL ( P ) of the form op ( ψ ) , where op is any unary rLTL operator.Note that ∣ ϕ ∣ = ∣ ψ ∣ + EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 31
1) If op is ⊡ , from (6.13) we obtain for j ∈ { , , , } : ∣ T ltl ( j, ⊡ ψ ) ∣ ≤ ∣ T ltl ( j,ψ ) ∣ ≤ ⋅ ∣ ψ ∣ − κ ( ψ ) κ ( ψ ) ≤ ∣ ψ ∣ − κ ( ψ ) + − κ ( ψ ) + = ∣ ϕ ∣ − κ ( ϕ ) κ ( ϕ ) , which holds for the second and third bit.2) If op is any other unary rLTL operator, from (6.11), (6.12) we obtain for j ∈ { , , , } : ∣ T ltl ( j, op ( ψ )) ∣ ≤ ∣ T ltl ( i,ψ ) ∣ ≤ ∣ ψ ∣ + − κ ( ψ ) κ ( ψ ) = ∣ ϕ ∣ − κ ( ϕ ) κ ( ϕ ) , where i = ¬ , and otherwise i = j .Consider now ϕ ∈ rLTL ( P ) of the form op ( ψ ,ψ ) , where op is a binary operator. Its length is ∣ ϕ ∣ = + ∣ ψ ∣ + ∣ ψ ∣ .1) If op is either ∧ or ∨ , from (6.14) we obtain for j ∈ { , , , } : ∣ T ltl ( j, op ( ψ ,ψ )) ∣ ≤ ∣ T ltl ( j,ψ ) ∣ ⋅ ∣ T ltl ( j,ψ ) ∣ ≤ ∣ ψ ∣ + ∣ ψ ∣ − κ ( ψ ) − κ ( ψ ) κ ( ψ ) + κ ( ψ ) .
2) If op is U ⋅ , from (6.15) we obtain for j ∈ { , , , } : »»»»» T ltl ( i,ψ U ⋅ ψ ) »»»»» ≤ ∣ T ltl ( j,ψ ) ∣ ⋅ ∣ T ltl ( j,ψ ) ∣ ≤ ∣ ψ ∣ + ∣ ψ ∣ + κ ( ψ ) − κ ( ψ ) κ ( ψ ) + κ ( ψ ) . This concludes the proof by induction.Finally, we need to prove the same bounds for the R ⋅ operator. This case is slightly more tricky, but it sufficesto show that for any two LTL formulae ϕ and ψ , there exist appropriate testers such that: ∣ T ϕ R ψ ∣ ≤ ⋅ ∣ T ϕ ∣ ⋅ ∣ T ψ ∣ , (A.1) ∣ T ◇□ ψ ∨◇ ϕ ∣ ≤ ⋅ ∣ T ϕ ∣ ⋅ ∣ T ψ ∣ , (A.2) ∣ T □◇ ψ ∨◇ ϕ ∣ ≤ ⋅ ∣ T ϕ ∣ ⋅ ∣ T ψ ∣ , (A.3) ∣ T ◇ ψ ∨◇ ϕ ∣ ≤ ⋅ ∣ T ϕ ∣ ⋅ ∣ T ψ ∣ , (A.4)which according to Table 2 are the testers for the corresponding 4 LTL formulae due to the R ⋅ operator.1) Proof of (A.1): The inequality follows from (6.15). Note that we can replace the constant 3 by a 2 here.2) Proof of (A.2): The equality ◇ □ q ∨ ◇ p = ◇ ( □ q ∨ p ) holds for any atomic propositions p , q . Weconstruct a tester for ϕ of the form ◇ ( □ q ∨ p ) in Figure 3a by following the composition rules. In this tester,there are at most 3 nodes that assign the same value to the atomic propositions p and q : two states assign ( x p , x q , x ϕ ) = ( , , ) , and one state assigns ( x p , x q , x ϕ ) = ( , , ) . From this and Proposition 6.4 we conclude(A.2).3) Proof of (A.3): We provide a specialized tester for the formula ϕ of the form □ ◇ q ∨ ◇ p in Figure 3b andprove its correctness. To do so, we need to show that the tester is both sound and complete [PZ08, Section 5].Recall from Definition 11 that given a computation γ , we let σ ( γ ) ∈ ( P ) ω be the word σ ( γ ) = σ ( γ ) σ ( γ ) . . . where σ t ( γ ) is the subset of P defined by p ∈ σ t ( γ ) , if and only if, x ( t ) p =
1. Soundness is defined as follows.
Definition 14 (Soundness) . Given a formula ϕ ∈ LTL ( P ) , a tester T ϕ is sound if for all computations γ = x ( ) x ( ) . . . of T ϕ , we have that x ( t ) ϕ = , if and only if, W ( σ ( γ ) t... , ϕ ) = , where σ ( γ ) t... is the suffix of σ ( γ ) starting at the t -th position. We prove soundness by considering all possible initial states for computations γ = x ( ) x ( ) . . . of T ϕ : • If x ( ) is any of the three states on the left, then at time t =
0, we have W ( σ ( γ ) , ϕ ) = • If x ( ) is any of the two middle states, then W ( σ ( γ ) , p ) =
1, hence W ( σ ( γ ) , ϕ ) = • If x ( ) is any of the rightmost states, then either the computations visit one of the middle states, ornever do so. In the first case, we have W ( σ ( γ ) , ◇ p ) =
1. In the second case, they had to visit thebottom right node infinitely often due to the justice requirements. Therefore, W ( σ ( γ ) , □ ◇ q ) = W ( σ ( γ ) , ϕ ) = x p , x q , x ϕ x p , x q , x ϕ x p , ¯ x q , x ϕ ¯ x p , x q , x ϕ ¯ x p , ¯ x q , x ϕ ¯ x p , x q , x ϕ ¯ x p , x q , ¯ x ϕ ¯ x p , ¯ x q , ¯ x ϕ (a) Tester T ◇□ q ∨◇ p . ¯ x p , ¯ x q , ¯ x ϕ ¯ x p , x q , ¯ x ϕ ¯ x p , ¯ x q , ¯ x ϕ x p , x q , x ϕ x p , ¯ x q , x ϕ ¯ x p , ¯ x q , x ϕ ¯ x p , x q , x ϕ (b) Tester T □◇ q ∨◇ p . Figure 3.
All states are initial, double line states are contained in the set of justice require-ments.
Definition 15 (Completeness) . Given a formula ϕ ∈ LTL ( P ) , a tester T ϕ is complete if for any word σ ∈ ( P ) ω , there exists a computation γ of T , such that ∀ t ≥ , x ( t ) ϕ = , if and only if, W ( σ t... , ϕ ) = , where σ t... is the suffix of σ starting at the t -th position. To prove completeness, we consider words σ ∈ { p, q } ω and different cases based on which subformulae of ϕ they satisfy: • If σ satisfies ◇ p , pick a computation with initial state either in the middle or in the right parts of thetester. The computation remains in these parts and visits middle states as many times as p occursin σ . If it occurs infinitely often, then the computation satisfies the justice requirements. Otherwise,there is a t > σ t... satisfies □¬ p , which is discussed next. • If σ satisfies □¬ p , we are only interested in the evolution of the x q variables. In particular, thecorresponding computations are to remain either in the left or in the right parts of the tester. Hence,we can ignore the two middle nodes here. To conclude, observe that by doing so, we obtain a testerfor □ ◇ q (see Figure 1d and the fact that ◇ □ ψ is equivalent to ¬ □ ◇¬ ψ ).The tester is therefore sound and complete. The constant 3 in (A.3) is obtained by counting the correspondingnumber of nodes in T ϕ for all combinations of x p and x q , and then using Proposition 6.4. There are 3 nodessuch that x p = x q = ◇ p ∨ ◇ q = ◇ ( p ∨ q ) = true U ( p ∨ q ) andequations (6.14) and (6.15). (cid:3) EING CORRECT IS NOT ENOUGH: EFFICIENT VERIFICATION USING ROBUST LINEAR TEMPORAL LOGIC 33
Department of Electrical Engineering, University of California at Los Angeles, Los Angeles, CA 90095
Email address : [email protected] Email address : [email protected] Universit`e catholique de Louvain, Louvain, Belgium
Email address : [email protected] Max Plank Institute for Software Systems, Kaiserslauten, Germany
Email address ::