Variable and clause elimination for LTL satisfiability checking
Martin Suda
Max-Planck-Institut für Informatik, Saarbrücken, Germany; Saarland University, Saarbrücken, Germany; Charles University, Prague, Czech Republic
Abstract.
We study preprocessing techniques for clause normal forms of LTL formulas. Applying the mechanism of labelled clauses enables us to reinterpret LTL satisfiability as a set of purely propositional problems and thus to transfer simplification ideas from SAT to LTL. We demonstrate this by adapting variable and clause elimination, a very effective preprocessing technique used by modern SAT solvers. Our experiments confirm that even in the temporal setting substantial reductions in formula size and subsequent decrease of solver runtime can be achieved.
Partly supported by Microsoft Research through its PhD Scholarship Programme.

Linear temporal logic (LTL) is a modal logic with modalities referring to time [13]. Traditionally, it finds its use in formal verification of reactive systems where it serves as a specification language for expressing the system's desired behavior. The specifications are subsequently checked against a model of the system during the process of model checking [3]. More recently, the importance of LTL satisfiability checking is becoming recognized [14, 16], where the task is to decide whether a given LTL formula has a model at all. This is, for instance, essential for assuring quality of formal specifications [12]. Satisfiability checking of LTL is a computationally difficult task, in fact a PSPACE-complete one [17], and thus techniques for improving solving methods are of practical importance.

One possibility for speeding up the checking lies in simplifying the input formula before the actual decision method is started. In the context of resolution-based methods for LTL satisfiability [8, 18], on which we focus here, formulas are first translated into a clause normal form. Simplification then means reducing the number of clauses and variables while preserving satisfiability of the formula. Such a preprocessing step may have a significant positive impact on the subsequent running time.

In this paper we take inspiration from the SAT community where a technique called variable and clause elimination [5] has been shown to be particularly effective. It combines exhaustive application of the resolution rule over selected variables with subsumption and other reductions. Our main contribution lies in showing that variable and clause elimination can be adapted from SAT to the setting of LTL. This is quite non-trivial, because LTL normal forms consist of temporal clauses, which are bound to specific temporal contexts and so their interactions in inferences and reductions need to be carefully controlled.

A general method for reducing LTL satisfiability to the purely propositional setting has been introduced in [18]. There, the existence of a model of an LTL formula is shown to be equivalent to satisfiability of one of infinitely many potentially infinite standard clause sets. These are, however, finitely represented with the help of labels, which allows for an effective transfer of resolution-based reasoning techniques from propositional logic to LTL. In this paper, we extend the ideas of [18] to adapt variable and clause elimination. An additional label component is needed to justify elimination in its general form, but we prove it can be dispensed with after the elimination process.

Our exposition starts in Sect. 2, where we describe our version of clause normal form of LTL formulas, which we call LTL-specification. Specifications are a particular refinement of the Separated Normal Form [7], which can be seen as concise descriptions of Büchi automata. This observation, which is of independent interest, represents another contribution of this paper. The mechanism of labelled clauses itself is introduced in Sect. 3 and utilized for variable and clause elimination in Sect. 4. The practical potential of our method is demonstrated in Sect. 5, where we describe the effect of the simplification on runtimes of two resolution-based LTL provers over an extensive set of benchmark problems. In Sect. 6 we follow the connection to Büchi automata to discuss related work, and we conclude in Sect. 7 by mentioning possibilities for future work.
We assume the reader is familiar with propositional logic and the syntax and semantics of LTL (see Appendix A for a short overview). LTL formulas are built over a given signature Σ = {p, q, r, ...} of propositional variables using propositional connectives ¬, ∧, ∨, ..., and temporal operators ○, □, ◇, U, ... Propositional clauses, denoted C, D, possibly with subscripts, are sets of literals understood as disjunctions. A propositional valuation is a mapping W : Σ → {0, 1}. We write W ⊨ C if a valuation W propositionally satisfies a clause C. An interpretation of an LTL formula is an infinite sequence of valuations (W_i)_{i∈N}, in this context also referred to as states.

In order to talk about two neighboring states at once we introduce a disjoint copy of the basic signature Σ′ = {p′, q′, r′, ...}. Given a clause C over Σ, we write C′ to denote its obvious counterpart over Σ′. For a valuation W over Σ let W′ denote the valuation over Σ′ that behaves on primed symbols in the same way as W does on unprimed ones. We therefore have W ⊨ C if and only if W′ ⊨ C′ for any such W and C. If W_1 and W_2 are two valuations over Σ, we let [W_1, W_2] denote the joined valuation W_1 ∪ (W_2)′ : Σ ∪ Σ′ → {0, 1}. Such a valuation is needed to evaluate clauses over the joined signature Σ ∪ Σ′.

Most resolution-based approaches to satisfiability checking first translate the input formula into a certain normal form. In the context of LTL, the Separated Normal Form (SNF) developed by Fisher [7] has proven to be very useful. It is obtained from an LTL formula by applying transformations that 1) introduce new variables as names for complex subformulas, 2) remove temporal operators by expanding their fixpoint definitions, and 3) apply classical-style rewrite operations to obtain a result which is clausal, i.e. represented by a top-level conjunction of temporal clauses, which are disjunctive in nature. The whole transformation preserves satisfiability of the input formula and it is ensured that the result does not grow in size by more than a linear factor [8].

In this paper we use a particular refinement of SNF which we call LTL-specification [18]. To obtain a specification, a general SNF is first normalized further using the ideas of [4]. In particular, we transform the so-called conditional eventuality clauses to unconditional ones and then reduce the potentially multiple (unconditional) eventuality clauses to just one eventuality clause. Finally, to obtain a compact representation, we explicitly sort the clauses into three categories, strip them of the temporal operators and write them down using standard propositional clauses instead. The semantics is preserved as it now follows from the context. Even after these refinements the result is linearly bounded in size and equisatisfiable with respect to the original formula.
Definition 1. An LTL-specification is a quadruple S = (Σ, I, T, G) such that
– Σ is a finite propositional signature,
– I is a set of initial clauses C_i over the signature Σ,
– T is a set of step clauses C_t ∨ (D_t)′ over the joined signature Σ ∪ Σ′,
– G is a set of goal clauses C_g over the signature Σ.

The initial and step clauses are directly translated from SNF. The goal clauses all together express the single eventuality obtained in the previous step. This generalization (from a single goal clause) is for free and appears to make the definition conceptually cleaner. Intuitively, a specification stands for the LTL formula

  (⋀ C_i) ∧ □(⋀ (C_t ∨ ○D_t)) ∧ □◇(⋀ C_g),

which directly translates to the following formal definition.

Definition 2.
An interpretation (W_i)_{i∈N} is a model of S = (Σ, I, T, G) if
1. for every C_i ∈ I, W_0 ⊨ C_i,
2. for every i ∈ N and every C_t ∨ (D_t)′ ∈ T, [W_i, W_{i+1}] ⊨ C_t ∨ (D_t)′, and
3. there are infinitely many indices j such that for every C_g ∈ G, W_j ⊨ C_g.
An LTL-specification S is satisfiable if it has a model.

(A streamlined version of the transformation from LTL to SNF can be found in Appendix B; a recapitulation of the refinements leading to LTL-specifications has been moved to Appendix C.)

Remark 1. We close this section with an interesting observation relating our approach to LTL satisfiability to explicit methods based on automata. It is well known (see e.g. [9]) that for any LTL formula φ there is a Büchi automaton A_φ recognizing models of φ, i.e. an automaton that accepts exactly those valuations (W_i)_{i∈N} that are models of φ. The size of such an automaton, i.e. the number of its states, is bounded by 2^|φ|, where |φ| denotes the size of the formula.

Now we can easily interpret an LTL-specification S as a symbolic description of such an automaton. The states of the automaton are formed by the set Q = 2^Σ, i.e. the set of all valuations over Σ, its transition relation δ = {(W_1, W_2) | [W_1, W_2] ⊨ ⋀ (C_t ∨ (D_t)′)} contains those pairs of valuations that satisfy the step clauses, and its initial and accepting sets are defined as Q_I = {W | W ⊨ ⋀ C_i} and Q_F = {W | W ⊨ ⋀ C_g}, respectively. It is easy to check that the models of S are exactly the accepting runs of this automaton.

This way one can view the transformations from an LTL formula to SNF and further to LTL-specification as an alternative way of obtaining a Büchi automaton for the formula. Interestingly, it is only the last step, when the automaton is made explicit, that incurs the inherent exponential blowup.

The purpose of this section is to show that the task of LTL satisfiability can be reduced to a set of purely propositional SAT problems.
This provides a means for transferring the well-known resolution-based reasoning techniques from the propositional level to that of LTL. In particular, it will in Sect. 4 allow us to transfer variable and clause elimination. The reduction from LTL that we present leaves us with infinitely many propositional problems over an infinite signature. Labels are then used to finitely represent and control clauses within these problems, abbreviating entire clause sets.

Assume we have an LTL-specification S = (Σ, I, T, G) and want to decide satisfiability of the formula it represents. It is a known fact that when considering satisfiability of LTL formulas attention can be restricted to ultimately periodic [17] interpretations. These start with a finite sequence of states and then repeat another finite sequence of states forever. This observation, which is one of the key ingredients of our approach, motivates Definition 3 below.
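The explicit automaton of Remark 1 together with the restriction to ultimately periodic interpretations already yields a direct, if exponential, decision procedure: build the 2^|Σ| states, look for an accepting state that is reachable from an initial one and lies on a cycle, and read the prefix and cycle lengths off as K and L. The following Python is an added example, not code from the paper or from the provers discussed later, that does exactly this for a constructed specification and then checks the result against the conditions of Definition 3 below. The literal encoding (var, positive, primed), the sample specifications and all function names are our own choices.

```python
"""Added example (not from the paper): an LTL-specification S = (Σ, I, T, G) read as
the explicit Büchi automaton of Remark 1, plus a lasso search that produces an
ultimately periodic interpretation and checks it against Definition 3.
Encoding (ours): a literal is (var, positive, primed); a clause is a set of
literals; a valuation W is the frozenset of variables it maps to 1."""
from collections import deque
from itertools import combinations


def valuations(sigma):
    """The automaton's state set Q = 2^Σ, i.e. all valuations over Σ."""
    sigma = sorted(sigma)
    return [frozenset(c) for r in range(len(sigma) + 1) for c in combinations(sigma, r)]


def holds(clause, w_now, w_next=None):
    """[w_now, w_next] ⊨ clause: unprimed literals are read in w_now, primed ones in w_next."""
    return any((var in (w_next if primed else w_now)) == positive
               for var, positive, primed in clause)


def automaton(sigma, I, T, G):
    """Q_I, Q_F and δ of Remark 1: initial/accepting states satisfy all of I/G,
    and (w, v) is a transition iff [w, v] satisfies every step clause."""
    Q = valuations(sigma)
    Q_I = [w for w in Q if all(holds(c, w) for c in I)]
    Q_F = {w for w in Q if all(holds(c, w) for c in G)}
    delta = {w: [v for v in Q if all(holds(c, w, v) for c in T)] for w in Q}
    return Q_I, Q_F, delta


def shortest_paths(delta, sources):
    """BFS: a shortest path (list of states) from the sources to each reachable state."""
    paths, queue = {}, deque([s] for s in sources)
    while queue:
        path = queue.popleft()
        if path[-1] in paths:
            continue
        paths[path[-1]] = path
        queue.extend(path + [v] for v in delta[path[-1]])
    return paths


def find_lasso(sigma, I, T, G):
    """Search for an accepting lasso.  Returns (K, L, prefix, loop) with
    W_i = prefix[i] for i < K and W_i = loop[(i - K) % L] otherwise, or None.
    The loop starts in an accepting state, so W_{K+i·L} ⊨ G for every i."""
    Q_I, Q_F, delta = automaton(sigma, I, T, G)
    best = None
    for f, path in shortest_paths(delta, Q_I).items():
        if f not in Q_F:
            continue
        back = shortest_paths(delta, delta[f])   # start from successors: L ≥ 1
        if f not in back:
            continue
        K, loop = len(path) - 1, [f] + back[f][:-1]
        if best is None or (K, len(loop)) < (best[0], best[1]):
            best = (K, len(loop), path[:-1], loop)
    return best


def unroll(K, L, prefix, loop):
    """The interpretation (W_i) as a function of the index i."""
    return lambda i: prefix[i] if i < K else loop[(i - K) % L]


def is_kl_model(I, T, G, W, K, L, horizon):
    """Conditions 1-3 of Definition 3 checked on the first `horizon` states of W."""
    ok = all(holds(c, W(0)) for c in I)
    ok = ok and all(holds(c, W(i), W(i + 1)) for i in range(horizon) for c in T)
    return ok and all(holds(c, W(K + i * L)) for i in range(horizon) for c in G)


# Constructed sample: I = {p, ¬q}, T = {p → ○q, q → ○¬q}, G = {q} (q infinitely often).
SIGMA = {"p", "q"}
INIT = [{("p", True, False)}, {("q", False, False)}]
STEP = [{("p", False, False), ("q", True, True)},
        {("q", False, False), ("q", False, True)}]
GOAL = [{("q", True, False)}]

# Constructed unsatisfiable variant: I = {p}, T = {p → ○p}, G = {¬p}.
UNSAT = ({"p"}, [{("p", True, False)}],
         [{("p", False, False), ("p", True, True)}], [{("p", False, False)}])

if __name__ == "__main__":
    K, L, prefix, loop = find_lasso(SIGMA, INIT, STEP, GOAL)
    print(K, L, prefix, loop, is_kl_model(INIT, STEP, GOAL, unroll(K, L, prefix, loop), K, L, 20))
    print(find_lasso(*UNSAT))
```

For the sample specification the search returns K = 1 and L = 2 (prefix {p}, loop {q}, ∅), and the unsatisfiable variant returns None because the only reachable state {p} is not accepting. The check in is_kl_model is the one a prover would run on a candidate model; it is bounded by a horizon, which suffices here because the interpretation is periodic by construction.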
Definition 3. Let K ∈ N and L ∈ N+ = N \ {0} be given. An interpretation (W_i)_{i∈N} is a (K, L)-model of S = (Σ, I, T, G) if
1. for every C ∈ I, W_0 ⊨ C,
2. for every i ∈ N and every C ∈ T, [W_i, W_{i+1}] ⊨ C,
3. for every i ∈ N and every C ∈ G, W_{K+i·L} ⊨ C.

Satisfiability within a (K, L)-model for some values of K and L corresponds to the original semantics except that the condition on the goal clauses to be satisfied in infinitely many states is now controlled and we require that these states form an arithmetic progression with K as the initial term and L the common difference. Please consult [19] for a detailed proof of why focusing only on (K, L)-models does not change the notion of satisfiability.

For a particular choice of K and L, the existence of a (K, L)-model can be stated as an infinite but purely propositional problem over the infinite signature Σ∗ = ⋃_{i∈N} Σ^(i). Here we extend the convention about priming and allow it to be applied more than once. Thus along with signatures Σ and Σ′ we also have Σ′′, Σ′′′, ... (also written Σ^(2), Σ^(3), ...), as other disjoint copies of the basic signature implicitly meant to represent states further in the future. Now the purely propositional problem simply restates the definition of a (K, L)-model in the form of clauses over Σ∗, making use of the natural bijection between propositional valuations over Σ∗ and interpretations. It consists of:
– the set of initial clauses {C^(0) | C ∈ I},
– together with {C^(i) | C ∈ T, i ∈ N},
– and with {C^(K+i·L) | C ∈ G, i ∈ N},
where the symbol C^(i) means that each literal in C is being "moved i signatures forward". Thus, e.g., for a clause C = p ∨ q′ over Σ ∪ Σ′ we denote by C^(2) the clause p^(2) ∨ q^(3) over Σ^(2) ∪ Σ^(3). See Figure 1 for an illustration of the situation.

Fig. 1. Schematic presentation of the potentially infinite set of clauses that is satisfiable if and only if an LTL-specification S = (Σ, I, T, G) has a (K, L)-model with K = 2 and L = 3. The axis represents the infinite signature Σ∗ (Σ, Σ′, Σ^(2), Σ^(3), Σ^(4), Σ^(5), ...), while the grey bars stand for individual copies of the initial clauses C_i ∈ I, the step clauses C_t ∨ (D_t)′ ∈ T, and the goal clauses C_g ∈ G (at K, K + L, ...), respectively.

We have now reduced LTL satisfiability of a specification S to infinitely many (for every pair of K and L) infinite propositional problems over Σ∗. We proceed by assigning labels to the clauses of S such that a labelled clause represents up to infinitely many standard clauses over Σ∗. Then an inference performed between labelled clauses corresponds to infinitely many inferences on the level of Σ∗. This is similar to the idea of "lifting" from first-order theorem proving where clauses with variables represent up to infinitely many ground instances. Here, however, we deal with the additional dimension of performing infinitely many reasoning tasks on the "ground level" in parallel, one for each pair (K, L).

Definition 4. A label is a triple (b, k, l) ∈ {∗, 0} × ({∗} ∪ N) × N. A labelled clause is a pair (b, k, l) ∥ C consisting of a label and a standard clause C over Σ∗.

Semantics of labels is given via a map to certain sets of time indices.
Definition 5.
Let K ∈ N and L ∈ N+ be given. We define the set R_(K,L)(b, k, l) of indices represented by the label (b, k, l) as the set of all t ∈ N such that
1. b ≠ ∗ → t = 0, and
2. k ≠ ∗ → ∃ s ∈ N. t + k = K + s·L, and
3. L divides l.
Now a standard clause of the form C^(t) is said to be represented by the labelled clause (b, k, l) ∥ C in (K, L) if t ∈ R_(K,L)(b, k, l).

(Given W∗ : Σ∗ → {0, 1}, the corresponding interpretation (W_i)_{i∈N} : N × Σ → {0, 1} is defined by the equation W_i(p) = W∗(p^(i)) for every i ∈ N and every p ∈ Σ.)

The three label components stand for three independent conditions on the time indices to which the clause relates. The first label component b relates the clause to the beginning of time, and the second component relates the clause to the indices of the form K + i·L, where the goal should be satisfied. In both cases, ∗ stands for a "don't care" value, so if b or k equals ∗, the respective condition is trivially satisfied by any index. The same effect is achieved for the third condition when l = 0, because every positive integer divides 0.

New label values are computed from old ones using certain operations when labelled clauses interact in inferences, as will be detailed shortly. When, initially, a labelled clause set is constructed from an LTL-specification (see Definition 6 below) three particular label values are used. Further values arise as results of applying the mentioned operations, and the full generality of labels reflects an entire "closure" of the three initial values under these operations.

Definition 6.
Given an LTL-specification S = (Σ, I, T, G), the initial labelled clause set N_S for S is defined to contain
– labelled clauses of the form (0, ∗, 0) ∥ C for every C ∈ I,
– labelled clauses of the form (∗, ∗, 0) ∥ C for every C ∈ T, and
– labelled clauses of the form (∗, 0, 0) ∥ C for every C ∈ G.

For any particular choice of K and L the standard clauses over Σ∗ represented by the labelled clauses from the initial labelled clause set N_S form the purely propositional problem that encodes the existence of a (K, L)-model of S.

Example 1.
Let us assume that a specification S contains a goal clause (a ∨ b) ∈ G. In the initial labelled clause set N_S this goal clause becomes (∗, 0, 0) ∥ a ∨ b. If we now, for example, fix K = 2 and L = 3 as in Fig. 1, our labelled clause will represent all the standard clauses (a ∨ b)^(t) with t ∈ R_(2,3)(∗, 0, 0) = {2, 5, 8, ...}.

The ultimate goal of this section is to "lift" the classical resolution inference rule to labelled clauses. When two labelled clauses resolve with each other, a merge operation is applied to their labels to produce the label of the resolvent. The idea is that the labelled resolvent represents exactly those standard clauses that are resolvents of all the possible indicated resolution inferences between standard clauses represented by the labelled premises.

Definition 7 (Labelled resolution).

  (b_1, k_1, l_1) ∥ A ∨ C      (b_2, k_2, l_2) ∥ ¬A ∨ D
  ------------------------------------------------------   (1)
                   (b, k, l) ∥ C ∨ D

The two labelled clauses above the line are the inference's premises. A is an atom, C and D are standard clauses over Σ∗, and the label (b, k, l) is the merge of (b_1, k_1, l_1) and (b_2, k_2, l_2) defined imperatively as follows:
– if b_1 = ∗ then b := b_2 else if b_2 = ∗ then b := b_1 else b := 0,
– if k_1 = ∗ then k := k_2 else if k_2 = ∗ then k := k_1 else k := min(k_1, k_2),
– if k_1 = ∗ or k_2 = ∗ then l := gcd(l_1, l_2) else l := gcd(l_1, l_2, k_1 − k_2).

It is straightforward to verify that for every (K, L) the merge operation captures the intersection of the sets of indices represented by its operands and thus the resulting label represents all the time indices where standard clauses represented by the inference's premises interact to produce a resolvent.
Example 2. Merge of (∗, k_1, 0) and (∗, k_2, 0) with k_1, k_2 ∈ N is (∗, min(k_1, k_2), |k_1 − k_2|): the merge takes the minimum of the k components, and the greatest common divisor of their difference and the original l components. Likewise, merge of (∗, k_1, 3) and (∗, k_2, 3) is (∗, min(k_1, k_2), gcd(3, k_1 − k_2)). Merge of (∗, k, 3) and (∗, ∗, 0) is (∗, k, 3). Merge of (∗, k_1, 3) and (0, k_2, 4) is (0, min(k_1, k_2), 1), since gcd(3, 4) = 1 already.

Not all resolution inferences between standard clauses over Σ∗ are directly visible to the labelled resolution inference (1) above. To obtain a complete correspondence, labelled resolution must, in general, be preceded by applying the following time shift operation to one of the premises, so that the atom A and its matching partner ¬A from the "ground level" become represented by matching counterparts in labelled clauses:

  (∗, ∗, l) ∥ C  ⇝  (∗, ∗, l) ∥ (C)′,        (2)
  (∗, k, l) ∥ C  ⇝  (∗, k + 1, l) ∥ (C)′.    (3)

Soundness of time shift is the statement that all the standard clauses represented by the right hand side of (2) and (3) are also represented by the respective left hand sides in any (K, L). Note that the operation is undefined for labelled clauses with the first component b = 0, because these only represent standard clauses fixed to the first time index.

Example 3.
Let two labelled clauses (∗, 0, 0) ∥ ¬p ∨ q and (∗, 0, 0) ∥ r ∨ p′ be given. They cannot directly participate in a labelled resolution inference, although in (K, L) = (0, 1) there are (for every t) standard clauses ¬p^(t+1) ∨ q^(t+1) and r^(t) ∨ p^(t+1) represented, respectively, by the two labelled clauses, which resolve on p^(t+1). When the first labelled clause is shifted to (∗, 1, 0) ∥ ¬p′ ∨ q′, the clauses resolve on p′ and a labelled resolvent (∗, 0, 1) ∥ r ∨ q′ is obtained.

By variable and clause elimination we understand the preprocessing technique described in [5] for simplifying propositional SAT problems. It consists of a combination of a controlled version of variable elimination and subsumption reduction for removing clauses, as described below. (A standard clause C subsumes a clause D if C's literals are a subset of D's literals. Subsumed clauses are redundant and can be discarded.) These two are alternated in a saturation loop until no further immediate improvement is possible. This section describes how the mechanism of labelled clauses can be used to adapt variable and clause elimination to the context of LTL.

Propositional variable elimination relies on exhaustive application of the resolution inference rule. Given (standard) clauses C = p ∨ C_0 and D = ¬p ∨ D_0, their standard resolvent C ⊗ D is C_0 ∨ D_0. Now, given a propositional problem in CNF consisting of a set of clauses N and a variable p, one separates N into three disjoint subsets N = N_p ∪ N_¬p ∪ N_0 of clauses. The first set, N_p, is a set of clauses containing the variable p positively, the clauses from N_¬p contain p negatively, and N_0 is a set of clauses without variable p. A new clause set N′ is obtained as (N_p ⊗ N_¬p) ∪ N_0, where N_p ⊗ N_¬p = {C ⊗ D | C ∈ N_p, D ∈ N_¬p}. The set N′ no longer contains the variable p and is satisfiable if and only if N is.

The obtained set N′ may contain tautological clauses (a tautological clause contains both a variable and its negation), which are redundant and should be removed. Then the sizes of N and N′ are compared. In general, eliminating a single variable may incur a quadratic blowup.
An elimination step is only considered an improvement and should be committed to when the size of N′ is not greater than that of N (possibly up to an additive constant). It is shown in [5] that improvement eliminations occur often in practice and that they can be used to simplify the input formula considerably.

Let us now turn to eliminating variables from LTL-specifications. We know that specifications naturally correspond to sets of labelled clauses and these in turn represent propositional problems (albeit, in general, infinite ones) from which variables can be eliminated by the standard procedure described above. There is still a complication, however, because a single variable p ∈ Σ from the specification corresponds to all its "instances" p, p′, p^(2), ... on the "ground level" of the signature Σ∗. To be able to represent the result after elimination, all these instances need to be eliminated from the ground level uniformly, in one step. This seems to be a difficult task when the specification contains a clause that mentions the variable p in two different time contexts, like, for example, in ¬p ∨ q ∨ p′. In this case the individual eliminations cannot be done independently from each other and we rule the case out from further considerations.

Remark 2.
There are some interesting subcases where eliminating such a variable would, in theory, be possible and would yield useful results. Consider the SNF containing p, □(¬p ∨ p′), □(¬p ∨ r), from which p can be "semantically" eliminated and one obtains □r. On the other hand, eliminating p from the SNF containing p, □(¬p ∨ ¬p′), □(p ∨ p′), □(¬p ∨ a) should give us a formula whose models (W_i)_{i∈N} satisfy the condition (i mod 2 = 0 ⇒ W_i ⊨ a), which is a property known [21] not to be expressible by an LTL formula over the single variable a.

Let us now, therefore, assume that we are given a set of labelled clauses N, perhaps an initial labelled clause set for a specification S, and a variable p ∈ Σ such that no clause in N contains more than one possibly primed occurrence of p. We separate N into N_p ∪ N_¬p ∪ N_0, a subset containing p positively (possibly primed), a subset containing p negatively (possibly primed), and a subset not containing p at all. A new set of labelled clauses N′ is constructed as (N_p ⊗ N_¬p) ∪ N_0. This time N_p ⊗ N_¬p stands for the set of all the results of performing the labelled resolution inference (1) on pairs of clauses from N_p and N_¬p, respectively, which may include shifting one of the premises in time using the rules (2) or (3).

Example 4.
Let us assume that a set N contains the following labelled clauses
  (0, ∗, 0) ∥ p ∨ q ∨ r,    (4)
  (0, ∗, 0) ∥ ¬p ∨ ¬r,      (5)
  (∗, ∗, 0) ∥ r ∨ ¬p′,      (6)
  (∗, 0, 0) ∥ ¬p ∨ q,       (7)
and these are the only labelled clauses of N mentioning variable p. Then eliminating p from N means removing the above labelled clauses and replacing them by all the possible labelled resolvents over p. Notice that, actually,
– the tautology (4) ⊗ (5) = (0, ∗, 0) ∥ q ∨ r ∨ ¬r is immediately dropped,
– and (4) ⊗ (6) is undefined, because temporal shift does not apply to (4).
Thus the above four clauses are replaced in N′ by the only nontrivial resolvent (4) ⊗ (7) = (0, 0, 0) ∥ q ∨ r.

To formulate soundness theorems in this section we need a satisfiability notion for labelled clauses. We extend the definition of a (K, L)-model, relying on the correspondence between valuations over Σ∗ and interpretations (see Sect. 3).

Definition 8.
Let N^(K,L) = {C^(t) | (b, k, l) ∥ C ∈ N and t ∈ R_(K,L)(b, k, l)} denote the set of standard clauses represented in (K, L) by the labelled clauses from N. A set of labelled clauses N is called (K, L)-satisfiable if there is a valuation W∗ : Σ∗ → {0, 1} which (propositionally) satisfies N^(K,L). The set N is called satisfiable if it is (K, L)-satisfiable for some K ∈ N and L ∈ N+.

Soundness of variable elimination for labelled clauses now reads as follows.
Theorem 1. Let N and N′ = (N_p ⊗ N_¬p) ∪ N_0 be sets of labelled clauses as described above. Then N is (K, L)-satisfiable if and only if N′ is.

Apart from the previously explained limitation, there is another restriction on practical variable elimination. Consider a clause set consisting of two labelled clauses (∗, ∗, 0) ∥ ¬x ∨ p′ and (∗, ∗, 0) ∥ ¬p ∨ y′. Eliminating p with the help of labelled resolution yields the single labelled clause (∗, ∗, 0) ∥ ¬x ∨ y′′. This could be a useful simplification in some contexts, but notice that it got us outside SNF and LTL-specifications, because y now occurs doubly primed. There is, nevertheless, an advantage in knowing that such a step can be performed (has a proper meaning), because in a more complicated clause set such a resolvent with undesirable properties might turn out to be redundant (for instance, subsumed by another clause) and would subsequently be removed anyway.

This brings forward the general question of expressivity of labelled clauses. We know that only the clauses labelled by (0, ∗, 0), (∗, ∗, 0) and (∗, 0, 0) directly correspond to the initial, step and goal clauses of an LTL-specification (Definition 6), whereas elimination may produce labels of the general form. The following theorem shows that clauses whose labels have l ≠ 0, or b = 0 together with k ≠ ∗, can be discarded once elimination is finished without affecting satisfiability.

Theorem 2.
Let N be a finite set of labelled clauses and let N⁻ be the subset of N obtained by removing all the clauses with a label of the form (b, k, l) such that either (b = 0 and k ≠ ∗) or (l ≠ 0). Then N⁻ is satisfiable if and only if N is.

Proof. One implication is trivial as N⁻ ⊆ N. For the other, we need an auxiliary definition. We say that a label (b, k, l) is relevant for a pair (K, L) if R_(K,L)(b, k, l) ≠ ∅. Now any removed clause (b, k, l) ∥ C, i.e. a clause from N \ N⁻, with (b = 0 and k ≠ ∗) is only relevant for pairs (K, L) with K ≤ k (indeed K = k − s·L for some s ∈ N, as the only candidate index is t = 0), and any removed clause with (l ≠ 0) is only relevant for pairs (K, L) with L dividing l.

Let N⁻ be (K_1, L_1)-satisfiable, i.e. some valuation W∗ satisfies (N⁻)^(K_1,L_1). We may choose K_2 of the form K_1 + i·L_1 and L_2 of the form j·L_1 large enough such that none of the clauses from N \ N⁻ is relevant for (K_2, L_2). Therefore (N \ N⁻)^(K_2,L_2) = ∅. Moreover, (N⁻)^(K_2,L_2) ⊆ (N⁻)^(K_1,L_1) by the choice of K_2 and L_2, and so W∗ satisfies N^(K_2,L_2) and thus N is (K_2, L_2)-satisfiable.

Example 5.
Deriving an empty labelled clause during elimination does not immediately imply that the current clause set is unsatisfiable. For instance, the label of the empty clause (∗, 0, 2) ∥ ⊥ is only relevant for (K, L) when L divides 2, and thus the current clause set may still be (K, L)-satisfiable for L > 2.

After the reduction of Theorem 2, the only labels that remain are of the forms (0, ∗, 0), (∗, ∗, 0) and (∗, k, 0) with k ∈ N. These do not pose any further expressivity complications, as they arise naturally in our calculus LPSup [18] for LTL satisfiability.

Let us now turn our focus to reductions, namely to showing how to extend subsumption to work with labels. We follow the same idea as with resolution. Any standard clause represented by the subsumed labelled clause must be subsumed by a standard clause represented by the subsuming labelled clause. Thus we say that (b_1, k_1, l_1) ∥ C subsumes (b_2, k_2, l_2) ∥ D, if C subsumes D and the merge of the labels (b_1, k_1, l_1) and (b_2, k_2, l_2) is equal to (b_2, k_2, l_2). Similarly to resolution, the subsumption relation on labelled clauses can be made stronger if we allow the subsuming clause (but not the subsumed one) to be possibly shifted in time. For example, the clause (∗, ∗, 0) ∥ q subsumes (∗, 0, 0) ∥ p ∨ q′ in this sense. On the other hand, the clause (∗, ∗, 0) ∥ q′ cannot subsume (∗, ∗, 0) ∥ p ∨ q, because there is a standard clause represented by the latter, namely (p ∨ q)^(0) = p ∨ q, that is not subsumed by any standard clause represented by the former. (Another useful reduction in this context is self-subsuming resolution [5]. It amounts to a resolution inference followed by subsumption of one of the premises by the resolvent. Its labelled version can be derived by combining the presented ideas.) Soundness of labelled clause elimination is stated as follows.

Theorem 3.
Let N and Ñ be sets of labelled clauses, such that Ñ ⊆ N and for every D ∈ N \ Ñ there exists C ∈ Ñ such that C subsumes D. Then N is (K, L)-satisfiable if and only if Ñ is.

We close this section by shortly discussing the overall variable and clause elimination procedure. As already mentioned, it is advantageous to alternate variable elimination attempts with exhaustive application of subsumption and possibly other reductions. That is because removing a subsumed clause may turn elimination of a particular variable into an improvement and, on the other hand, new clauses generated during elimination may be subject to subsumption. This holds true for the original SAT setting as it does with labels. A detailed description of how to efficiently organize this process can be found in [5].
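The label machinery of Sect. 3 and its use in this section can be written down in a few dozen lines, which also makes the claims above mechanically checkable on small inputs. The following Python is an added example, not code from the paper nor from the LS4, trp++ or Minisat-based tools of the evaluation: it implements the index sets R_(K,L) of Definition 5, the merge of Definition 7, the time shift (2)/(3), labelled resolution with the shift applied as needed, variable elimination as in Example 4, and labelled subsumption with a shifted subsuming clause as just defined. merge_is_intersection checks the intersection claim following Definition 7 on a finite window of indices, and example_3 and example_4 reproduce the results stated in Examples 3 and 4. The encoding of literals and labels and all function names are our own choices.

```python
"""Added example, not from the paper: labelled clauses (Definitions 5-7) and the
variable and clause elimination built on them (Examples 3 and 4, labelled
subsumption).  Encoding is ours: a label is (b, k, l) with STAR for the
don't-care value; a literal is (var, positive, shift), e.g. p' = ('p', True, 1)
and ¬p = ('p', False, 0); a clause is a frozenset of literals."""
from math import gcd

STAR = "*"

def lit(s):
    """Parse 'p', '-p', "p'", "-q''" into (var, positive, shift)."""
    positive, body = not s.startswith("-"), s.lstrip("-")
    var = body.rstrip("'")
    return (var, positive, len(body) - len(var))

def clause(*lits):
    return frozenset(lit(s) for s in lits)

def represented(label, K, L, horizon):
    """R_(K,L)(b, k, l) of Definition 5, restricted to indices below `horizon`."""
    b, k, l = label
    return {t for t in range(horizon)
            if (b == STAR or t == 0)                                   # condition 1
            and (k == STAR or (t + k >= K and (t + k - K) % L == 0))   # condition 2
            and l % L == 0}                                            # 3: L divides l

def merge(lab1, lab2):
    """Label of a labelled resolvent (Definition 7)."""
    (b1, k1, l1), (b2, k2, l2) = lab1, lab2
    b = b2 if b1 == STAR else b1 if b2 == STAR else 0
    k = k2 if k1 == STAR else k1 if k2 == STAR else min(k1, k2)
    l = gcd(l1, l2) if STAR in (k1, k2) else gcd(gcd(l1, l2), abs(k1 - k2))
    return (b, k, l)

def shift(lc, n):
    """n applications of time shift (2)/(3); None (undefined) when b = 0."""
    (b, k, l), c = lc
    if b != STAR:
        return None
    return (b, k if k == STAR else k + n, l), frozenset((v, s, d + n) for v, s, d in c)

def is_tautology(c):
    return any((v, not s, d) in c for v, s, d in c)

def resolve(pos_lc, neg_lc, var):
    """Labelled resolution (1) on `var`, shifting one premise first so that both
    occurrences sit in the same copy of the signature.  Returns None when the
    shift is undefined or the resolvent is a tautology.  The unpacking raises
    ValueError if `var` occurs more than once in a premise (the case ruled out)."""
    (p,), (n,) = ([x for x in pos_lc[1] if x[0] == var and x[1]],
                  [x for x in neg_lc[1] if x[0] == var and not x[1]])
    if p[2] < n[2]:
        pos_lc = shift(pos_lc, n[2] - p[2])
    elif n[2] < p[2]:
        neg_lc = shift(neg_lc, p[2] - n[2])
    if pos_lc is None or neg_lc is None:
        return None
    d = max(p[2], n[2])
    resolvent = (pos_lc[1] - {(var, True, d)}) | (neg_lc[1] - {(var, False, d)})
    return None if is_tautology(resolvent) else (merge(pos_lc[0], neg_lc[0]), resolvent)

def eliminate(N, var):
    """Variable elimination: N' = (N_p ⊗ N_¬p) ∪ N_0 with tautologies dropped."""
    N_p = [lc for lc in N if any(v == var and s for v, s, _ in lc[1])]
    N_n = [lc for lc in N if any(v == var and not s for v, s, _ in lc[1])]
    N_0 = [lc for lc in N if lc not in N_p and lc not in N_n]
    return N_0 + [r for C in N_p for D in N_n if (r := resolve(C, D, var)) is not None]

def subsumes(lc1, lc2):
    """Labelled subsumption with the subsuming clause shifted as needed: some
    shift of C is a subset of D and the merge of the labels equals D's label."""
    lab2, D = lc2
    for n in range(max((d for _, _, d in D), default=0) + 1):
        s = lc1 if n == 0 else shift(lc1, n)
        if s is None:
            return False
        if s[1] <= D and merge(s[0], lab2) == lab2:
            return True
    return False

def merge_is_intersection(lab1, lab2, K, L, horizon=60):
    """The claim following Definition 7, checked on a finite window of indices."""
    return represented(merge(lab1, lab2), K, L, horizon) == (
        represented(lab1, K, L, horizon) & represented(lab2, K, L, horizon))

def example_3():
    """(∗,0,0)∥¬p∨q and (∗,0,0)∥r∨p' resolve to (∗,0,1)∥r∨q'."""
    return resolve(((STAR, 0, 0), clause("r", "p'")), ((STAR, 0, 0), clause("-p", "q")), "p")

def example_4():
    """Eliminating p from clauses (4)-(7) leaves only (0,0,0)∥q∨r."""
    N = [((0, STAR, 0), clause("p", "q", "r")), ((0, STAR, 0), clause("-p", "-r")),
         ((STAR, STAR, 0), clause("r", "-p'")), ((STAR, 0, 0), clause("-p", "q"))]
    return eliminate(N, "p")
```

Two details are worth noting. The `t + k >= K` test in represented is what makes condition 2 of Definition 5 an existential over s ∈ N rather than over the integers; dropping it would make clauses with a large k "reach back" before K. And resolve deliberately refuses, by raising, a premise in which the eliminated variable occurs twice, which is the restriction motivated by the ¬p ∨ q ∨ p′ example above; a preprocessor would skip such variables rather than crash, but for checking the definitions the loud failure is preferable.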
For our evaluation of the effectiveness of variable and clause elimination in LTL, we extended the preprocessing capabilities of Minisat [6] version 2.2. We kept Minisat’s main simplification loop, which efficiently combines variable elimination with subsumption and self-subsuming resolution, along with the fine-tuned heuristics for deciding which variables to eliminate and in what order. We emulated labels by extending the respective clauses with extra marking literals (for example, any goal clause C is inserted as C ∨ g, where g is a fresh variable designated for marking goal clauses) and, to ensure correctness, we disallowed elimination of variables that occur both primed and unprimed in the input formula. Although this does not exploit the full potential of variable and clause elimination with labelled clauses as described in Sect. 4, we already obtained encouraging results with this setup.

For testing we used a set of LTL benchmarks collected by Schuppan and Darmawan [16]. The set consists of a total of 3723 problems from various sources (mostly previous papers on LTL satisfiability) and of various flavors (application, crafted, random), and represents the most comprehensive collection of LTL problems we are aware of. The testing proceeded in three stages. First, all the benchmarks were translated by our tool from the original format into LTL-specifications. Then we applied the Minisat-based elimination tool and obtained a set of simplified LTL-specifications. Finally, we ran two resolution-based LTL provers on both the original and simplified LTL-specifications to measure the effect of simplification on prover runtime. We chose the LTL prover LS4 [20], most likely the strongest LTL solver currently publicly available (LS4 solves 3556 of the above benchmarks within the time limit of 60s; the best system reported by Schuppan and Darmawan [16], the bounded model checker of NuSMV 2.5, is able to solve 3368 of these benchmarks under the same conditions), and trp++ [10], a well established temporal resolution prover by Boris Konev. Having performed the experiments on two independent implementations should allow us to draw more general conclusions about the effects of variable and clause elimination.

The experiments were performed on our servers with 3.16 GHz Xeon CPU, 16 GB RAM, and Debian 6.0. All the tools along with intermediate files and experiment logs can be found at .

We recorded for each problem the number of variables and clauses that we were able to eliminate during the second stage. We distinguished variables from the original problem and auxiliary variables that were introduced during the transformation in stage one. In total, 39% of the variables (7% original, 32% auxiliary) and 32% of the clauses were eliminated. The numbers vary greatly over individual subsets of the benchmarks. For example, the family phltl allowed for almost no simplification: only 3% of the variables (just auxiliary), and 2% of the clauses could be removed. On the other hand, 99% of the variables (almost all of them original) and 98% of the clauses were removed on the family O1formula. While the former extreme can be explained by a concise and already almost clausal structure of the original formulas from phltl, the latter follows from the fact that most of the variables in O1formula occur in just one polarity, i.e. are pure. Eliminating a pure variable amounts to removal of all the clauses in which the variable appears: if x is a pure variable (literal) then N_¬x is empty and so N_x ⊗ N_¬x is empty as well.

Table 1.
Performance of the two provers on original (o) and simplified (s) problems, grouped by problem subset. Number of problems solved by each prover within the time limit of 300 seconds and the overall time spent during the attempts are shown. Unsolved problems contribute 300.0s, solved ones at least 0.1s due to the measurement technique. The times spent on the actual simplification are not included; these were observed to be negligible for most of the problems, with a maximum of 0.3s for the largest instance.

subset     size        LS4                   trp++
                       solved   time         solved   time
acacia       71   o      71        7.1s        71       39.3s
                  s      71        7.1s        71       11.3s
alaska      140   o     121     6607.0s         9    39423.2s
                  s     139      882.0s        12    38717.5s
anzu        111   o      93     5754.2s         0    33300.0s
                  s      94     5482.2s         0    33300.0s
forobots     39   o      39        4.3s        39     1198.8s
                  s      39        3.9s        39      194.2s
rozier
schuppan     72   o      41     9332.8s        36    11189.8s
                  s      41     9320.9s        37    10741.0s
trp         970   o     940    12327.5s       364   189045.2s
                  s     934    11887.5s       359   190138.3s
total      3723   o    3583    47345.8s      2582   370490.0s
                  s    3596    40854.3s      2638   350023.4s

[Fig. 2: two plots of problems solved against time (seconds); left: LS4 original vs. LS4 simplified, right: trp++ original vs. trp++ simplified]

Fig. 2.
Comparing the number of problems solved, simplified and original, within a given time limit. Although the value ranges for LS4 (on the left) and trp++ (on the right) differ, both figures demonstrate better performance on the simplified problems.

The results of the third stage, in which we measured the effect of simplification on the performance of the two selected provers, are summarized in Table 1 and at the same time represented graphically in Fig. 2. We see that both LS4 and trp++ substantially benefit from the simplification, both in the number of solved instances and the overall runtime. On some subsets the effect is quite pronounced (see, e.g., LS4 on alaska or trp++ on forobots), while on others it is more modest. Only on the subset trp did the simplification result in fewer problems solved. What the table does not show, however, is that even among the trp problems there were some only solved in the simplified form (16 such problems for LS4 and 9 for trp++). When judging the relative number of problems gained by each prover, it should be noted that many problems come from scalable families and are mostly trivial or too difficult to solve. This leaves the “grey zone” where improvement is possible relatively small.

To conclude, the results of our evaluation indicate that variable and clause elimination represents a useful preprocessing technique for LTL-specifications. Simplifying a clause set not only removes redundancies introduced by a previous, potentially sub-optimal normal form transformation (when auxiliary variables get eliminated), but usually reduces the input even further. This ultimately decreases the time needed to solve the problem. Further improvements are expected from an independent implementation that will harness the full potential of the mechanism of labels.
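As an added illustration of the elimination loop described at the end of Sect. 4 (elimination attempts alternated with exhaustive subsumption) and of the pure-variable remark above, here is a plain propositional version of variable elimination over N_x ⊗ N_¬x. It is written for this page and is not the paper's Minisat-based tool; labels are not modelled. The DIMACS-style clause encoding, the sample clause set and the `forbidden` set (standing in for the variables the implementation refuses to eliminate because they occur both primed and unprimed) are constructed for the example, and the criterion that an elimination must not increase the number of clauses is the usual one from SAT preprocessing, assumed here rather than quoted from the page.

```python
from itertools import product

# Literals are non-zero ints, -v being the negation of variable v (DIMACS style);
# a clause is a frozenset of literals and a clause set is a set of clauses.

def resolvent(c, d, v):
    """Resolve c (containing v) with d (containing -v) on v; None if the result is a tautology."""
    r = (c - {v}) | (d - {-v})
    return None if any(-lit in r for lit in r) else frozenset(r)

def resolve_on(clauses, v):
    """N_v (x) N_-v: all non-tautological resolvents on v. For a pure v one side is empty,
    so the product is empty and eliminating v just drops every clause containing it."""
    pos = [c for c in clauses if v in c]
    neg = [c for c in clauses if -v in c]
    out = set()
    for c, d in product(pos, neg):
        r = resolvent(c, d, v)
        if r is not None:
            out.add(r)
    return out

def remove_subsumed(clauses):
    """Exhaustive subsumption: drop D whenever some other clause C is a strict subset of D."""
    kept = set(clauses)
    for d in sorted(clauses, key=len, reverse=True):
        if any(c < d for c in kept):
            kept.discard(d)
    return kept

def try_eliminate(clauses, v):
    """Eliminate v only if the resolvents do not outnumber the clauses they replace
    (assumed criterion; the text only speaks of elimination being 'an improvement')."""
    touched = {c for c in clauses if v in c or -v in c}
    resolvents = resolve_on(clauses, v)
    if len(resolvents) > len(touched):
        return None
    return (set(clauses) - touched) | resolvents

def simplify(clauses, candidates, forbidden=frozenset()):
    """Alternate elimination attempts with exhaustive subsumption, in the given variable order.
    Variables in `forbidden` model those the text refuses to eliminate (occurring both
    primed and unprimed). Returns the simplified set and the eliminated variables in order."""
    clauses = remove_subsumed(clauses)
    eliminated = []
    for v in candidates:
        if v in forbidden:
            continue
        new = try_eliminate(clauses, v)
        if new is not None:
            clauses = remove_subsumed(new)
            eliminated.append(v)
    return clauses, eliminated

def example_clauses():
    """Constructed sample: variable 5 is pure, variable 1 has one positive and two negative
    occurrences, and the clause {2, 3, 4} becomes subsumed once 1 has been eliminated."""
    return {frozenset(c) for c in [(1, 2), (-1, 3), (-1, 4), (2, 3, 4), (5, -2)]}

if __name__ == "__main__":
    result, gone = simplify(example_clauses(), candidates=[5, 1])
    print("eliminated:", gone, "remaining:", sorted(sorted(c) for c in result))
```

Eliminating the pure variable 5 removes its single clause without producing any resolvent; eliminating 1 replaces three clauses by two resolvents, one of which then subsumes {2, 3, 4}, so the round of subsumption after the elimination is what makes the final set as small as it is.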
We are not aware of any related work directly focusing on simplifying clause normal forms for LTL. However, some interesting connections can be drawn with the help of Remark 1 of Sect. 2, which shows that an LTL-specification can be viewed as a symbolic representation of a Büchi automaton. For instance, in the classical paper [9], an automaton accepting the models of an LTL formula ϕ is constructed such that its states are identified with sets of ϕ’s subformulas. A closer look reveals an immediate connection between these subformulas and the variables introduced to represent them in the SNF for ϕ. The above paper also suggests several improvements of the basic algorithm. For instance, it is advocated that subformulas of the form µ_1 ∧ µ_2 need not be stored, because the individual conjuncts µ_1 and µ_2 will later be added as well and they already imply the conjunction as a whole. We can restate this on the symbolic level as the observation that a variable introduced to represent a conjunctive subformula can always be eliminated, a claim which is easy to verify.

We believe this connection deserves further exploration, as one could possibly use it to bring some of the numerous techniques for optimizing explicit automata construction (see e.g. [14]) to the symbolic level. Note, however, that the main application of the explicit automata construction approach lies in model checking and so the resulting automaton is required to be equivalent to the original formula. On the other hand, our clausal symbolic approach is meant for satisfiability testing only and so more general satisfiability preserving transformations are allowed. An elimination of a variable from the original signature of the formula ϕ, or the “forgetting step” justified by Theorem 2 of Sect. 4, are examples of transformations that do not have a counterpart on the automata side.

While the explicit notion of a symbolic representation of a Büchi automaton via a clause normal form has received relatively little attention so far (a correspondence between SNF and Büchi automata has been shown in [1]; the relevant theorem of that paper, however, does not establish an equivalence between models of the formula and accepting runs of the automaton, so its value for translating techniques between the symbolic and explicit approaches is limited), symbolic approaches to LTL model checking and satisfiability based on Binary Decision Diagrams are well known [2]. Again, it seems possible that some optimization techniques could be shared between the two approaches. For instance, the different BDD encodings recently studied by Rozier and Vardi [15] could correspond to different ways of turning a formula into an LTL-specification.

We have shown that variable and clause elimination, a practically successful preprocessing technique for propositional SAT problems, can be adapted to the setting of linear temporal logic. For that purpose we have utilized the mechanism of labelled clauses, a method for interpreting an LTL formula as finitely represented infinite sets of standard propositional clauses. The ideas were implemented and tested on a comprehensive set of benchmarks with encouraging results. In particular, variable and clause elimination has been shown to significantly improve the subsequent runtime of the resolution-based provers LS4 and trp++. We would like to stress here that labelled clauses provide a general method for transferring resolution-based reasoning from SAT to LTL. It is therefore plausible that other preprocessing techniques, like, for example, blocked clause elimination [11], can be adapted along the same lines. Exploring this possibility will be one of the directions for future work.
References

[1] A. Bolotov, M. Fisher, and C. Dixon. On the relationship between ω-automata and temporal logic normal forms. J. Logic Comput., 12(4):561–581, 2002.
[2] E. M. Clarke, O. Grumberg, and K. Hamaguchi. Another look at LTL model checking. Formal Methods in System Design, 10(1):47–71, 1997.
[3] E. M. Clarke, O. Grumberg, and D. Peled. Model checking. MIT Press, 2001.
[4] A. Degtyarev, M. Fisher, and B. Konev. A simplified clausal resolution procedure for propositional linear-time temporal logic. In TABLEAUX ’02, volume 2381 of LNCS, pages 85–99. Springer, 2002.
[5] N. Eén and A. Biere. Effective preprocessing in SAT through variable and clause elimination. In SAT’05, volume 3569 of LNCS, pages 61–75. Springer, 2005.
[6] N. Eén and N. Sörensson. An extensible SAT-solver. In SAT’03, volume 2919 of LNCS, pages 502–518. Springer, 2003.
[7] M. Fisher. A resolution method for temporal logic. In IJCAI’91, pages 99–104. Morgan Kaufmann Publishers Inc., 1991.
[8] M. Fisher, C. Dixon, and M. Peim. Clausal temporal resolution. ACM Trans. Comput. Logic, 2:12–56, January 2001.
[9] R. Gerth, D. Peled, M. Vardi, and P. Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Protocol Specification Testing and Verification, pages 3–18. Chapman & Hall, 1995.
[10] U. Hustadt and B. Konev. Trp++ 2.0: A temporal resolution prover. In CADE-19, volume 2741 of LNCS, pages 274–278. Springer, 2003.
[11] M. Järvisalo, A. Biere, and M. Heule. Blocked clause elimination. In TACAS, volume 6015 of LNCS, pages 129–144. Springer, 2010.
[12] I. Pill, S. Semprini, R. Cavada, M. Roveri, R. Bloem, and A. Cimatti. Formal analysis of hardware requirements. In DAC ’06, pages 821–826. ACM, 2006.
[13] A. Pnueli. The temporal logic of programs. In , pages 46–57. IEEE, 1977.
[14] K. Rozier and M. Vardi. LTL satisfiability checking. In , volume 4595 of LNCS, pages 149–167. Springer, 2007.
[15] K. Rozier and M. Vardi. A multi-encoding approach for LTL symbolic satisfiability checking. In FM, volume 6664 of LNCS, pages 417–431. Springer, 2011.
[16] V. Schuppan and L. Darmawan. Evaluating LTL satisfiability solvers. In ATVA’11, volume 6996 of LNCS, pages 397–413. Springer, 2011.
[17] A. P. Sistla and E. M. Clarke. The complexity of propositional linear temporal logics. J. ACM, 32:733–749, July 1985.
[18] M. Suda and C. Weidenbach. Labelled superposition for PLTL. In LPAR-18, volume 7180 of LNCS, pages 391–405. Springer, 2012.
[19] M. Suda and C. Weidenbach. Labelled superposition for PLTL. Research Report MPI-I-2012-RG1-001, Max-Planck-Institut für Informatik, Saarbrücken, 2012.
[20] M. Suda and C. Weidenbach. A PLTL-prover based on labelled superposition with partial model guidance. In IJCAR, volume 7364 of LNCS, pages 537–543. Springer, 2012.
[21] P. Wolper. Temporal logic can be more expressive. Information and Control, 56(1/2):72–99, 1983.
A LTL preliminaries
The language of Linear Temporal Logic (LTL) formulas is an extension of the propositional language with temporal operators. The most commonly used are Next ○, Always □, Eventually ♦, Until U, and Release R. Formally, let Σ = {p, q, …} be a (finite) signature of propositional variables; then the set of LTL formulas is defined inductively as follows:
– any p ∈ Σ is a formula,
– if ϕ and ψ are formulas, then so are ¬ϕ, ϕ ∧ ψ, and ϕ ∨ ψ,
– if ϕ and ψ are formulas, then so are ○ϕ, □ϕ, ♦ϕ, ϕ U ψ, and ϕ R ψ.

A propositional valuation, or simply a state, is a mapping W : Σ → {0, 1}. An interpretation for an LTL formula is an infinite sequence of states W = (W_i)_{i ∈ ℕ}. The truth relation W, i ⊨ ϕ between an interpretation W, a time index i ∈ ℕ, and a formula ϕ is defined recursively as follows:
– W, i ⊨ p iff W_i ⊨ p,
– W, i ⊨ ¬ϕ iff not W, i ⊨ ϕ,
– W, i ⊨ ϕ ∧ ψ iff W, i ⊨ ϕ and W, i ⊨ ψ,
– W, i ⊨ ϕ ∨ ψ iff W, i ⊨ ϕ or W, i ⊨ ψ,
– W, i ⊨ ○ϕ iff W, i + 1 ⊨ ϕ,
– W, i ⊨ □ϕ iff for every j ≥ i, W, j ⊨ ϕ,
– W, i ⊨ ♦ϕ iff for some j ≥ i, W, j ⊨ ϕ,
– W, i ⊨ ϕ U ψ iff there is j ≥ i such that W, j ⊨ ψ and W, k ⊨ ϕ for every k, i ≤ k < j,
– W, i ⊨ ϕ R ψ iff for all j ≥ i, W, j ⊨ ψ, or there is j ≥ i with W, j ⊨ ϕ and for all k, i ≤ k ≤ j, W, k ⊨ ψ.

An interpretation W is a model of an LTL formula ϕ if W, 0 ⊨ ϕ. A formula ϕ is called satisfiable if it has a model, and is called valid if every interpretation is a model of ϕ.

B Transforming LTL formulas to SNF
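To make the recursive definition above concrete, here is an added Python evaluator (not part of the paper) that decides W, i ⊨ ϕ for ultimately periodic interpretations given as a finite prefix followed by a loop, which is enough to represent every lasso-shaped model. The nested-tuple encoding of formulas, the `Lasso` class and the sample interpretations are constructed for this example; the bounded search over j ≥ i is justified by the fact that suffixes of a lasso repeat with the loop length, so a witness or counterexample that exists at all exists within one loop length of the prefix.

```python
# Formulas are nested tuples: ('var', 'p'), ('not', f), ('and', f, g), ('or', f, g),
# ('X', f) for Next, ('G', f) for Always, ('F', f) for Eventually, ('U', f, g), ('R', f, g).

class Lasso:
    """An ultimately periodic interpretation W = prefix . loop^omega.
    Each state is the set of variables true in it (W_i(p) = 1 iff p is in the set)."""

    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("an interpretation is infinite, so the loop must be non-empty")
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]
        self.horizon = len(self.prefix) + len(self.loop)

    def norm(self, i):
        """Fold an index into the loop: the suffix from i equals the suffix from norm(i)."""
        if i < len(self.prefix):
            return i
        return len(self.prefix) + (i - len(self.prefix)) % len(self.loop)

    def state(self, i):
        i = self.norm(i)
        return self.prefix[i] if i < len(self.prefix) else self.loop[i - len(self.prefix)]

    def future(self, i):
        """Indices j >= i worth inspecting: past this range every suffix has been seen once,
        so the least witness for 'there is j >= i' (if any) lies inside the range."""
        i = self.norm(i)
        return range(i, max(i + len(self.loop), self.horizon))

def holds(w, f, i=0):
    """W, i |= f, one case per clause of the definition above."""
    i = w.norm(i)
    op = f[0]
    if op == 'var':
        return f[1] in w.state(i)
    if op == 'not':
        return not holds(w, f[1], i)
    if op == 'and':
        return holds(w, f[1], i) and holds(w, f[2], i)
    if op == 'or':
        return holds(w, f[1], i) or holds(w, f[2], i)
    if op == 'X':
        return holds(w, f[1], i + 1)
    if op == 'G':
        return all(holds(w, f[1], j) for j in w.future(i))
    if op == 'F':
        return any(holds(w, f[1], j) for j in w.future(i))
    if op == 'U':
        return any(holds(w, f[2], j) and all(holds(w, f[1], k) for k in range(i, j))
                   for j in w.future(i))
    if op == 'R':
        return (all(holds(w, f[2], j) for j in w.future(i)) or
                any(holds(w, f[1], j) and all(holds(w, f[2], k) for k in range(i, j + 1))
                    for j in w.future(i)))
    raise ValueError(f"unknown operator {op!r}")

def is_model(w, f):
    """W is a model of f iff W, 0 |= f."""
    return holds(w, f, 0)

def example_formulas():
    """The formula (♦p ∧ □(p → ○p)) → ♦□p of Example 6 and its negation in NNF."""
    p = ('var', 'p')

    def implies(a, b):
        return ('or', ('not', a), b)

    valid = implies(('and', ('F', p), ('G', implies(p, ('X', p)))), ('F', ('G', p)))
    negated = ('and', ('and', ('F', p), ('G', ('or', ('not', p), ('X', p)))),
               ('G', ('F', ('not', p))))
    return valid, negated

def example_lassos():
    """Constructed interpretations: p becomes true and stays true; p alternates forever."""
    return [Lasso(prefix=[set()], loop=[{'p'}]), Lasso(prefix=[], loop=[{'p'}, set()])]

if __name__ == "__main__":
    valid, negated = example_formulas()
    for w in example_lassos():
        print(is_model(w, valid), is_model(w, negated))
```

On both sample interpretations the implication holds and its negation fails, which is what one expects of a valid formula; the evaluator cannot prove validity (that needs all interpretations), but it is a convenient oracle for checking a candidate model returned by a solver against the semantics.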
Formulas in SNF are conjunctions of temporal clauses, each of them assuming one of the following forms:
– an initial clause: ⋁_j k_j,
– a step clause: □(⋁_j k_j ∨ ⋁_j ○l_j),
– an eventuality clause: □(⋁_j k_j ∨ ♦l),
where k_j, l_j, and l stand for standard literals, i.e. propositional variables or their negation.

The translation of an LTL formula ϕ into an equisatisfiable SNF starts by first turning ϕ into an equivalent formula that is in Negation Normal Form (NNF), meaning the negation sign only occurs in front of propositional variables in the leaves of the formula tree. This can be achieved by a standard operation that “pushes negations downwards” with the help of De Morgan’s rules and temporal equivalences like ¬○ϕ ≡ ○¬ϕ, ¬□ϕ ≡ ♦¬ϕ, and ¬(ϕ U ψ) ≡ (¬ϕ) R (¬ψ). Finally, multiple negations are absorbed with the help of the classical equivalence ¬¬ϕ ≡ ϕ. In what follows we assume that ϕ is already in NNF.

1. τ[□(¬x ∨ l)] −→ □(¬x ∨ l), if l is a literal,
2. τ[□(¬x ∨ (ϕ ∧ ψ))] −→ τ[□(¬x ∨ ϕ)] ∧ τ[□(¬x ∨ ψ)],
3. τ[□(¬x ∨ (ϕ ∨ ψ))] −→ □(¬x ∨ u ∨ v) ∧ τ[□(¬u ∨ ϕ)] ∧ τ[□(¬v ∨ ψ)],
4. τ[□(¬x ∨ ○ϕ)] −→ □(¬x ∨ ○u) ∧ τ[□(¬u ∨ ϕ)],
5. τ[□(¬x ∨ □ϕ)] −→ □(¬x ∨ u) ∧ □(¬u ∨ ○u) ∧ τ[□(¬u ∨ ϕ)],
6. τ[□(¬x ∨ ♦ϕ)] −→ □(¬x ∨ ♦u) ∧ τ[□(¬u ∨ ϕ)],
7. τ[□(¬x ∨ (ϕ U ψ))] −→ □(¬x ∨ ♦v) ∧ □(¬x ∨ v ∨ w) ∧ □(¬w ∨ u) ∧ □(¬w ∨ ○v ∨ ○w) ∧ τ[□(¬u ∨ ϕ)] ∧ τ[□(¬v ∨ ψ)],
8. τ[□(¬x ∨ (ϕ R ψ))] −→ □(¬x ∨ w) ∧ □(¬w ∨ v) ∧ □(¬w ∨ u ∨ ○w) ∧ τ[□(¬u ∨ ϕ)] ∧ τ[□(¬v ∨ ψ)].

Fig. 3.
The rules for SNF transformation. The freshly introduced variables are u, v, and w (typeset in bold).
The actual transformation is performed with the help of the operator τ defined in Fig. 3, which recursively reduces any formula of the form □(¬x ∨ ϕ) into the final SNF. During the process, new “fresh” variables are introduced (we typeset them in bold) which serve two different purposes: they stand as names for subformulas (as in the case of the rules for, e.g., conjunction), and may also play the role of “trackers” that influence the value of other variables not just in the current state, but also in those to follow. This is how the semantics of, e.g., the Always operator □ is encoded. The overall translation is triggered by the following rule
  ϕ −→ i ∧ τ[□(¬i ∨ ϕ)],
with a fresh variable i that represents the whole formula.

Example 6.
Here we work out an example from [8] to demonstrate the translation procedure. Assume we would like to prove the formula
  (♦p ∧ □(p → ○p)) → ♦□p.
In refutational theorem proving we proceed by negating the formula and trying to show the negation to be unsatisfiable. By taking the negation into NNF (and translating away the implication symbol) we obtain
  (♦p ∧ □(¬p ∨ ○p)) ∧ □♦¬p,
which is consequently translated into the following set of clauses:
  i                              by the initial rule,
  □(¬i ∨ ♦u_1)                   the first conjunct by rule 6,
  □(¬u_1 ∨ p)                    terminates by rule 1,
  □(¬i ∨ u_2), □(¬u_2 ∨ ○u_2)    the second conjunct by rule 5,
  □(¬u_2 ∨ u_3 ∨ v_1)            inside which there is a disjunction (rule 3),
  □(¬u_3 ∨ ¬p)                   the first argument is a literal (rule 1),
  □(¬v_1 ∨ ○u_4)                 the second goes by rule 4
  □(¬u_4 ∨ p)                    and terminates by rule 1,
  □(¬i ∨ u_5), □(¬u_5 ∨ ○u_5)    the third conjunct by rule 5,
  □(¬u_5 ∨ ♦u_6)                 inside which we apply rule 6,
  □(¬u_6 ∨ ¬p)                   and terminate by rule 1.
Notice that the transformation τ introduces more new variables than would be strictly necessary. For example, the variable u_6 just “connects” the last two clauses, which could be replaced by one equivalent eventuality clause □(¬u_5 ∨ ♦¬p). This is a price we pay here for the simple statement of the transformation rules in Fig. 3 (no side conditions). An actual implementation would strive to detect the literal case as soon as possible, and thus, e.g., the introduction of u_6 would be avoided.

C Transforming general SNF to LTL-specification
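As an added worked implementation of the NNF step and of the operator τ from Fig. 3 (written for this page, not the paper's own translation tool), the following Python code translates the formula of Example 6 and prints the resulting clauses. The tuple encoding of formulas and clauses and the fresh-variable names u1, u2, …, v1, …, w1, … are constructed for the example; fresh names are drawn per letter in the order the rules fire, so the output can be compared clause by clause with the list in Example 6 (u1 for u_1 and so on).

```python
# Formulas: ('var', 'p'), ('not', f), ('imp', f, g), ('and', f, g), ('or', f, g),
# ('X', f) = Next, ('G', f) = Always, ('F', f) = Eventually, ('U', f, g), ('R', f, g).
# SNF clauses (all under the Always operator) are frozensets of items
# (kind, (variable, polarity)): kind 'now' for k_j, 'next' for ○l_j and 'ev' for ♦l.

DUAL = {'and': 'or', 'or': 'and', 'X': 'X', 'G': 'F', 'F': 'G', 'U': 'R', 'R': 'U'}

def nnf(f):
    """Push negations to the leaves with De Morgan's rules and the temporal dualities."""
    op = f[0]
    if op == 'var':
        return f
    if op == 'imp':
        return nnf(('or', ('not', f[1]), f[2]))
    if op != 'not':
        return (op,) + tuple(nnf(g) for g in f[1:])
    g = f[1]                                  # f is ¬g; dispatch on the shape of g
    if g[0] == 'var':
        return f
    if g[0] == 'not':                         # ¬¬g ≡ g
        return nnf(g[1])
    if g[0] == 'imp':
        return nnf(('not', ('or', ('not', g[1]), g[2])))
    return (DUAL[g[0]],) + tuple(nnf(('not', h)) for h in g[1:])

def as_literal(f):
    """(variable, polarity) if f is a literal, else None."""
    if f[0] == 'var':
        return (f[1], True)
    if f[0] == 'not' and f[1][0] == 'var':
        return (f[1][1], False)
    return None

class Fresh:
    """Fresh variables per letter (u1, u2, ..., v1, ..., w1, ...): the bold variables of Fig. 3."""
    def __init__(self):
        self.count = {}

    def __call__(self, letter):
        self.count[letter] = self.count.get(letter, 0) + 1
        return f"{letter}{self.count[letter]}"

def tau(x, phi, fresh, out):
    """τ[□(¬x ∨ phi)] for phi in NNF: append the produced clauses to `out` (rules 1-8)."""
    nx = ('now', (x, False))
    now = lambda v: ('now', (v, True))
    nxt = lambda v: ('next', (v, True))
    lit = as_literal(phi)
    if lit is not None:                                             # rule 1
        out.append(frozenset({nx, ('now', lit)}))
        return
    op = phi[0]
    if op == 'and':                                                 # rule 2
        tau(x, phi[1], fresh, out); tau(x, phi[2], fresh, out)
    elif op == 'or':                                                # rule 3
        u, v = fresh('u'), fresh('v')
        out.append(frozenset({nx, now(u), now(v)}))
        tau(u, phi[1], fresh, out); tau(v, phi[2], fresh, out)
    elif op == 'X':                                                 # rule 4
        u = fresh('u')
        out.append(frozenset({nx, nxt(u)}))
        tau(u, phi[1], fresh, out)
    elif op == 'G':                                                 # rule 5: u is a tracker
        u = fresh('u')
        out += [frozenset({nx, now(u)}), frozenset({('now', (u, False)), nxt(u)})]
        tau(u, phi[1], fresh, out)
    elif op == 'F':                                                 # rule 6
        u = fresh('u')
        out.append(frozenset({nx, ('ev', (u, True))}))
        tau(u, phi[1], fresh, out)
    elif op in ('U', 'R'):                                          # rules 7 and 8
        u, v, w = fresh('u'), fresh('v'), fresh('w')
        nw = ('now', (w, False))
        if op == 'U':
            out += [frozenset({nx, ('ev', (v, True))}), frozenset({nx, now(v), now(w)}),
                    frozenset({nw, now(u)}), frozenset({nw, nxt(v), nxt(w)})]
        else:
            out += [frozenset({nx, now(w)}), frozenset({nw, now(v)}),
                    frozenset({nw, now(u), nxt(w)})]
        tau(u, phi[1], fresh, out); tau(v, phi[2], fresh, out)
    else:
        raise ValueError(f"unknown operator {op!r}")

def snf(phi):
    """The initial rule phi -> i ∧ τ[□(¬i ∨ phi)]: returns (initial literal, Always-clauses)."""
    clauses = []
    tau('i', nnf(phi), Fresh(), clauses)
    return ('i', True), clauses

def render(clause):
    """Write a clause the way the page does, e.g. □(¬i ∨ ♦u1); negative literals come first."""
    order, shape = {'now': 0, 'next': 1, 'ev': 2}, {'now': '{}', 'next': '○{}', 'ev': '♦{}'}
    items = sorted(clause, key=lambda it: (order[it[0]], it[1][1], it[1][0]))
    return '□(' + ' ∨ '.join(shape[k].format(('' if pol else '¬') + v) for k, (v, pol) in items) + ')'

def example6():
    """The formula of Example 6: the negation of (♦p ∧ □(p → ○p)) → ♦□p."""
    p = ('var', 'p')
    return ('not', ('imp', ('and', ('F', p), ('G', ('imp', p, ('X', p)))), ('F', ('G', p))))

if __name__ == "__main__":
    init, clauses = snf(example6())
    print(init[0])                            # the initial clause i
    for c in clauses:
        print(render(c))
```

The run produces the twelve Always-clauses listed in Example 6, including the two conditional eventuality clauses □(¬i ∨ ♦u1) and □(¬u5 ∨ ♦u6) that Example 7 below starts from; the literal shortcut the text mentions (not introducing u6 at all) would be a one-line check in the `F` branch of `tau`.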
The transformation of general SNF to LTL-specifications focuses on eventuality clauses. It consists of two simplification steps:
1. turning the conditional eventuality clauses into unconditional ones (of the form □♦l),
2. reducing multiple (unconditional) eventuality clauses from the SNF into just one eventuality clause.
We present our modification of the simplifications first introduced in [4] that performs both steps at once.

Assume that an SNF of a formula contains n (in general) conditional eventuality clauses
  □(C_i ∨ ♦l_i)
for i = 1, …, n, where C_i is the conditional part, i.e. a disjunction of literals. We remove these, and replace them with a single unconditional eventuality clause
  □♦m                          (8)
together with the following five step clauses for every i = 1, …, n:
  □(C_i ∨ l_i ∨ t_i),          (9)
  □(¬t_i ∨ ○l_i ∨ ○t_i),       (10)
  □(s_i ∨ ¬t_i ∨ ○¬s_i),       (11)
  □(¬s_i ∨ ¬m),                (12)
  □(s_i ∨ ○¬m),                (13)
where again the bold variables (m, t_i, s_i) are supposed to be new to the formula.

The idea behind the simplification is the following: If the condition ¬C_i is satisfied in the current state and the respective eventuality l_i is not satisfied in the same state, we start “tracking” the eventuality with the help of the new variable t_i (clause 9). The tracking variable t_i is forced to stay true also in the future states unless the eventuality l_i is finally satisfied (clause 10). Now let us look from the other side. The unconditional eventuality (clause 8) will infinitely often ensure that all the variables s_i are false in one state (clause 12) and were true in the previous state (clause 13). Thus in the intervals between states where m holds, there will always be two consecutive states where s_i changes from false to true. But this cannot happen if we are tracking that particular eventuality at that time (clause 11).
To sum up, for each of the original eventualities we have a guarantee that in every interval between states where m holds the eventuality was either not triggered at all (¬C_i was false in the whole interval) or the eventuality was triggered and subsequently satisfied in that interval. Please consult [4] for a formal proof.

Example 7.
Our previous example contained two conditional eventuality clauses □(¬i ∨ ♦u_1) and □(¬u_5 ∨ ♦u_6). We may replace these by the following set of clauses to obtain an equisatisfiable problem with just one unconditional eventuality clause:
  □♦m,
  □(¬i ∨ u_1 ∨ t_1), □(¬t_1 ∨ ○u_1 ∨ ○t_1), □(s_1 ∨ ¬t_1 ∨ ○¬s_1), □(¬s_1 ∨ ¬m), □(s_1 ∨ ○¬m),
  □(¬u_5 ∨ u_6 ∨ t_2), □(¬t_2 ∨ ○u_6 ∨ ○t_2), □(s_2 ∨ ¬t_2 ∨ ○¬s_2), □(¬s_2 ∨ ¬m), □(s_2 ∨ ○¬m).
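The clauses (8)–(13) can be produced mechanically from a set of SNF clauses; the following added example (constructed for this page, not the paper's tool) does so for the two eventuality clauses of Example 7, writing u1, u5, u6 for the page's u_1, u_5, u_6, and it refuses to run when a new variable m, t_i or s_i already occurs in the input, since the text requires them to be new to the formula. The clause encoding is a constructed tuple form in which a clause is a frozenset of (kind, (variable, polarity)) items, every clause standing under the Always operator.

```python
# A clause is a frozenset of items (kind, (variable, polarity)); kind is 'now' for a plain
# literal k_j, 'next' for ○l_j and 'ev' for ♦l. Every clause here is under the Always operator.

def lit(var, pol=True, kind='now'):
    return (kind, (var, pol))

def is_eventuality(clause):
    return any(kind == 'ev' for kind, _ in clause)

def split_eventuality(clause):
    """□(C_i ∨ ♦l_i) -> (C_i, l_i): the conditional part and the literal under ♦."""
    cond = frozenset(item for item in clause if item[0] != 'ev')
    (l,) = [l for kind, l in clause if kind == 'ev']
    return cond, l

def variables(clauses):
    return {var for c in clauses for _, (var, _) in c}

def to_specification(clauses, m='m', t='t', s='s'):
    """Replace every conditional eventuality clause by the single unconditional □♦m (8) and the
    five step clauses (9)-(13) per eventuality; ordinary step clauses are kept unchanged."""
    step = [c for c in clauses if not is_eventuality(c)]
    events = [split_eventuality(c) for c in clauses if is_eventuality(c)]
    used = variables(clauses)
    spec = [frozenset({lit(m, True, 'ev')})]                                      # (8)
    for i, (cond, (l, pol)) in enumerate(events, start=1):
        ti, si = f"{t}{i}", f"{s}{i}"
        if {m, ti, si} & used:
            raise ValueError("m, t_i and s_i must be new to the formula")
        spec += [cond | {lit(l, pol), lit(ti)},                                    # (9)
                 frozenset({lit(ti, False), lit(l, pol, 'next'), lit(ti, True, 'next')}),  # (10)
                 frozenset({lit(si), lit(ti, False), lit(si, False, 'next')}),     # (11)
                 frozenset({lit(si, False), lit(m, False)}),                       # (12)
                 frozenset({lit(si), lit(m, False, 'next')})]                      # (13)
    return step + spec

def render(clause):
    shape = {'now': '{}', 'next': '○{}', 'ev': '♦{}'}
    body = ' ∨ '.join(shape[k].format(('' if pol else '¬') + v) for k, (v, pol) in sorted(clause))
    return '□(' + body + ')'

def example7():
    """The two conditional eventuality clauses of Example 7, plus one ordinary step clause
    from Example 6 to show that step clauses pass through untouched (constructed input)."""
    return [frozenset({lit('i', False), lit('u1', True, 'ev')}),
            frozenset({lit('u5', False), lit('u6', True, 'ev')}),
            frozenset({lit('u1', False), lit('p')})]

if __name__ == "__main__":
    for c in to_specification(example7()):
        print(render(c))
```

The output is the step clause □(¬u1 ∨ p) followed by □♦m and the ten clauses of Example 7; counting eventuality clauses in the result is the check that the second simplification step (one eventuality clause in total) has actually taken place.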