A traditional tree-style tableau for LTL:LONG VERSION

A traditional tree-style tableau for LTL:
Long Version

Mark Reynolds,
The University of Western Australia.
mark.reynolds@uwa.edu.au
The author would like to thank staff, students and especially Prof. Angelo Montanari at Università degli studi di Udine, for interesting and useful discussions on the development of this approach while the author was kindly hosted on sabbatical there in 2014.
Abstract

Propositional linear time temporal logic (LTL) is the standard temporal logic for computing applications and many reasoning techniques and tools have been developed for it. Tableaux for deciding satisfiability have existed since the 1980s. However, the tableaux for this logic do not look like traditional tree-shaped tableau systems and their processing is often quite complicated. We present a new simple traditional-style tree-shaped tableau for LTL and prove that it is sound and complete. As well as being simple to understand, to introduce to students and to use manually, it also seems simple to implement and promises to be competitive in its automation. It is particularly suitable for parallel implementations.

Note: the latest version of this report can be found via http://www.csse.uwa.edu.au/~mark/research/Online/ltlsattab.html.

1 Introduction

Propositional linear time temporal logic, LTL, is important for hardware and software verification[RV07]. LTL satisfiability checking (LTLSAT) is receiving renewed interest with advances computing power, several industry ready tools, some new theoretical techniques, studies of the relative merits of different approaches, implementation competitions, and benchmarking: [GKS10, SD11, RV07]. Common techniques include automata-based approaches [VW94, RV11] and resolution [LH10] as well as tableaux [Gou89, Wol85, KMMP93, Sch98b]. Each type of approach has its own advantages and disadvantages and each can be competitive at the industrial scale (albeit within the limits of what may be achieved with PSPACE complexity). The state of the art in tableau reasoners for LTL satisfiability testing is the technique from [Sch98b] which is used in portfolio reasoners such as [SD11].

Many LTL tableau approaches produce a very untraditional-looking graph, as opposed to a tree, and need the whole graph to be present before a second phase of discarding takes place. Within the stable of tableau-based approaches to LTLSAT, the system of [Sch98b] stands out in in being tree-shaped (not a more general graph), and in being one-pass, not relying on a two-phase building and pruning process. It also stands out in speed [GKS10]. However, there are still elements of communication between separate branches and a slightly complicated annotation of nodes with depth measures that needs to be managed as it feeds in to the tableau rules. So it is not in the traditional style of classical tableaux [BA12].

This paper presents a new simpler tableau for LTL. It builds on ideas from [SC85] and is influenced by LTL tableaux by [Wol85] and [Sch98b]. It also uses some ideas from a CTL* tableau approach in [Rey11] where uselessly long branches are curtailed. The general shape of the tableau and its construction rules are mostly unsurprising but the two novel PRUNE rules are perhaps a surprisingly simple way to curtail repetitive branch extension and may be applicable in other contexts.

The tableau search allows completely independent searching down separate branches and so lends itself to parallel computing. In fact this approach is “embarrassingly parallel” [Fos95]. Thus there is also potential for quantum implementations. Furthermore, only formula set labels need to be recorded down a branch, and checked back up the one branch, and so there is great potential for very fast implementations.

The soundness, completeness and termination of the tableau search is proved. The proofs are mostly straightforward. However, the completeness proof with the PRUNE rules has some interesting reasoning.

We provide a simple demonstration prototype reasoning tool to allow readers to explore the tableau search process. The tool is not optimised for speed in any way but we report on a small range of experiments on standard benchmarks which demonstrate that the new tableau will be competitive with the current state of the art [Sch98b].

In this paper we give some context in Section 2, before we briefly confirm our standard version of the well-known syntax and semantics for LTL in Section 3, describe our tableau approach is general terms section 4, present the rules section 5, make some comments and provide some motivation for our approach section 6, prove soundness in section 7, prove completeness in section 8, and briefly discuss complexity and implementation issues section 9, and detailed comparisons with the Schwendimann approach in Section 10, before a conclusion section 11.

The latest version of this long report can be found at http://www.csse.uwa.edu.au/~mark/research/Online/ltlsattab.html with links to a Java implementation of the tool and full details of experiments.

2 Context and Short Summary of Other Approaches

LTL is an important logic and there has been sustained development of techniques and tools for working with it over more than half a century. Many similar ideas appear as parts of different theoretical tools and it is hard for a researcher to be across all the threads. Thus it is worth putting the ideas here in some sort of context.

2.1 Satisfiability checking versus Model Checking

We will define structures and formulas more carefully in the next section but a structure is essentially a way of definitively and unambiguously describing an infinite sequence of states and an LTL formula may or may not apply to the sequence: the sequence may or may not be a model of the formula. See section 3 or [Pnu77] for details.

We are addressing a computational task called satisfiability checking. That is, given an LTL formula, decide whether or not there exists any structure at all which is a model of that formula. Input is the LTL formula, output is yes or no. The procedure or algorithm must terminate with the correct answer.

This problem is PSPACE complete in the size of formula [SC85].

There is a related but separate task called model checking. Model checking is the task of working out whether a given structure is a model or not of a given formula. Input is the LTL formula and a description of a system, output is yes or no, whether or not there is a behaviour generated by the system which is a model of the formula (or some variant on that). Model checking may seem to be more computationally demanding in that there is a formula and system to process. On the other hand, as described in [RV07] and outlined below, it is possible to use model checking algorithms to do satisfiability checking efficiently (in PSPACE). Model-checking itself, with a given formula on a given structure, is also PSPACE-complete [SC85], but in [LP85] we can find an algorithm that is exponential in the size of the formula and linear in the size of the model.

2.2 What is a tableau approach as compared to an automata-based approach or a reduction to model-checking

The thorough experimental comparison in [SD11] finds that across a wide range of carefully chosen benchmarks, none of the usual three approaches to LTL satisfiability testing dominates. Here we briefly introduce tableaux and distinguish the automata-based model-checking approach. Resolution is a very different technique and we refer the reader elsewhere, for example to [LH10, FDP01, HK03].

Tableau approaches trace their origins to the semantic tableaux, or truth trees, for classical logics as developed by Beth [Bet55] and Smullyan [Smu68]. The traditional tree style remains for many modal logics [Gir00] but, as we will outline below, this is not so for the LTL logic.

The tableau itself is (typically) a set of nodes, labelled by single formulas or sets of formulas, with a successor relation between nodes. The tree tableau has a root and the successor relation gives each node , or children. The tableau is typically depicted with the root at the top and the children below their parent: thus giving an upside tree-shape.

Building a tableau constitutes a decision procedure for the logic when it is governed by rules for labelling children nodes, for counting a node as the leaf of a successful branch and for counting a node as the leaf of a failed branch. Finding one successful branch typically means that the original formula is satisfiable while finding all branches failing means it is not satisfiable. There are efficiently implemented tableau-based LTL satisfiability reasoning tools, which are easily available, such as pltl [Gor10] and LWB [LWB10]. We describe the approach and its variations in more detail in the next subsection.

The other main approach to LTL satisfiability checking is based on a reduction of the task to a model-checking question, which itself is often implemented via automata-based techniques. The traditional automata approach to model checking seen, for example in [VW94], is to compose the model with an automaton that recognizes the negation of the property of interest and check for emptiness of the composed structure.

Recently there has been some serious development of satisfiability checking on top of automata-based model-checking that ends up having some tableau-like aspects. The automata approach via model-checking as described in [RV07] shows that if you can do model checking you can do satisfiability checking. One can construct an automaton which will represent a universal system allowing all possible traces from the propositions. A given formula is satisfiable iff the universal system contains a model of the formula. By not actually building the universal system entirely the overall task can be accomplished in PSPACE in the size of formula. Some fast and effective approaches to satisfiability checking can then be developed by reasoning about the model checking using symbolic (bounded) SAT or BDD-based reasoners such as CadenceSMV and NuSMV [RV07]. Alternatively, explicit automata-based model-checkers such as SPIN [Hol97] could be used for the model checking but [RV07] shows these to not be competitive.

An important part of the symbolic approach is the construction of a symbolic automaton from the formula and this involves a tableau-like construction with sets of subformulas determining states. The symbolic automaton or tableau presented as part of the model-checking procedure in [CGH97] has been commonly used but this has been extended in [RV11] to a portfolio of translators. Also an LTL to tableau tool used in [RV11] is available via the first author’s website. We discuss these sorts of tableaux again briefly below.

The model-checking approach to LTL satisfiability checking is further developed in [LZP13] where a novel, on-the-fly process combines the automata-construction and emptiness check. The tool out-performs previously existing tools for LTLSAT which use model-checking. Comprehensive experimental comparisons with approaches to LTLSAT beyond automata-theoretic model-checking based ones is left as future work.

2.3 Different shapes of tableaux and different ways to the search through the tableau

In some modal logics, and in temporal logics in particular, variations on the traditional tableau idea have been prevalent and the pure tree-shape is left behind as a more complicated graph of nodes is constructed. As we will see, this may happen in these variant tableaux, when the successor relation is allowed to have up-links from descendants to ancestors, cross-links from nodes to nodes on other branches, or where there is just an arbitrary directed graph of nodes.

Such a graph-shaped approach results if, for example, we give a declarative definition of a node and the successor relation determined by the labels on the node at each end. Typically, the node is identified with its label. Certain sets of formulas are allowed to exist as nodes and we have at most one node with a given label. Examples of this sort include the tableaux in [Gou84] and (the symbolic automaton of ) [CGH97].

Alternatively, the tableau may have a traditional form that is essentially tree-shped with a root and branches of nodes descending and branching out below that. Usually a limited form of up-link is allowed back from a node (leaf or otherwise) to one of its ancestors. There may be tableaux which contain several different nodes with the same label. Examples, include [Sch98a] and the new one. The new style tableau even allows multiple nodes down the same branch with the same labels while this is not permitted in [Sch98a].

The tableau construction may be incremental, where only reachable states are constructed, versus declarative, when we just define what labels are present in the tableau and which pairs of labels are joined by a directed edge.

A tableau is said to be one-pass if the construction process only build legitimate nodes as it proceeds. On the other hand, it is multi-pass if there is an initial construction phase followed by a culling phase in which some of the nodes (or labels) which were constructed are removed as not being legitimate.

A construction of a tableau, or a search through a tableau, will often proceed in a depth-first manner starting at a chosen node and then moving successively to successors. An alternative is via some sort of parallel implementation in which branches are explored concurrently. Search algorithms may make use of heuristics in guessing a good branch to proceed on. Undertaking a depth-first search in a graph-shaped label-determined tableau may seem to be similar to building a tree-shaped tableau but it is likely that the algorithm will behave differently when it visits a label that has been seen before down an earlier branch. In a tree-shaped tableau this may not need to be recorded.

Which is faster? Trees [Sch98a] may have 2EXPTIME worst case complexity. Graphs re-use labels and make many possible branches at one time: in general EXPTIME. However, [GKS10] demonstrated that the tree-shaped approach of [Sch98a] (consistently and sometimes drastically) outperformed the graph-shaped approach of [Wol85].

2.4 The Wolper and Schwendiman Tableau

Wolper’s [Wol83, Wol85] was the first LTL tableau. It is a multi-pass, graph-shaped tableau. The nodes are labelled with sets of formulas (from the closure set) with a minimal amount of extra notation attached to record which formulas already have been decomposed. One builds the graph starting at and using the standard sorts of decomposition rules and the transition rule. The tableau may start off looking like a tree but there must not be repeated labels so edges generally end up heading upwards and/or crossing branches. After the construction phase there is iterated elimination of nodes according to rules about successors and eventualities. (This approach was later extended to cover the inclusion of past-time operators in [LP00]).

There was a similar but slightly quicker proposal for a multi-pass, graph-shaped tableau for LTL in [Gou84]. The similar tableau in [KMMP93] is incremental but multi-pass as it builds a graph from initial states, then looks for strongly connected components (to satisfy eventualities). Other graph-like tableaux include those in [SGL97, MP95].

A graph-shaped tableau for LTL also forms part of the model-checking approach suggested in [CGH97]. Here the need to check fulfilment of eventualities is handed over to some CTL fairness constraint checking on a structure formed from the product of the tableau and the model to be checked. The symbolic model checker SMV is used to check the property subject to those fairness constraints. In [RV11], the ‘symbolic automaton’ approach based on the tableau from [CGH97] was adapted to tackle LTL satisfiability checking. Figure 1 shows a typical graph-style tableau from [CGH97].

Figure 1: A graph-shaped tableau for from [CGH97]

Schwendimann’s tableau [Sch98a] is close to being purely tree-shaped (not a more general graph). It is also one-pass, not relying on a two-phase building and pruning process. However, there are still elements of communication between separate branches and a slightly complicated annotation of nodes with depth measures that needs to be managed as it feeds in to the tableau rules. In general, to decide on success or not for a tableau we need to work back up the tree towards the root, combining information from both branches if there are children. Thus, after some construction downwards, there is an iterative process moving from children to parents which may need to wait for both children to return their data. This can be done by tackling one branch at a time or in theory, in parallel. The data passed up consists in an index number and a set of formulas (unfulfilled eventualities). We describe this approach in more detail in Section 10. Figure 2 shows a typical tree-style tableau from [Sch98a].

Figure 2: A tree-shaped tableau from [Sch98]

2.5 Implementations

The main available tools for LTL satisfiability checking are listed and described in [SD11]. These included pltl which (along with another tableau option) implements Schwendiammn’s approach.

We should also mention [LZP13] here. The tool uses a novel, on-the-fly approach to LTLSAT via model-checking and out performs previously existing tools for LTLSAT which use the model-checking approach. There is an open source LTL to tableau translator available from Rozier’s website used for the [RV11] approach. Also, a more limited implementation was released open-source following the publication of [CGH97]: it is called ltl2smv and distributed with the NuSMV model checker.

2.6 Benchmarking

There is a brief comparison of the tableau approaches of Schwendimann and Wolper in [GKS10] and in [RV11] there is a comparison symbolic model-checking approaches.

However, the most thorough benchmarking exercise is as follows. Most known implemented tools for deciding satisfiability in LTL are compared in [SD11]. The best tools from three classes are chosen and compared: automata-based reduction to model-checking, tableau and resolution. A large range of benchmark patterns are collected or newly proposed. They find that no solver, no one of the three approaches, dominates the others. The tableau tool “pltl” based on Schwendimann’s approach is the best of the tableaux and the best overall on various classes of pattern. A portfolio solver is suggested and also evaluated.

The benchmark formulas, rendered in a selection of different formats, is available from Schuppan’s webpage.

2.7 So what is novel here?

The two PRUNE rules are novel. They force construction of branches to be terminated in certain circumstances. They depend only on the labels at the node and the labels of its ancestors. In general they may allow a label to be repeated some number of times before the termination condition is met.

The overall tableau shape is novel. Although tableaux are traditionally tree-shaped, no other tableau system for LTL builds graphs that are tree shaped. Most tableaux for LTL are more complicated graphs. The Schwendimann approach is close to being tree-shaped but there are still up-links from non-leaves.

The labels on the tableau are just sets of formulas from the closure set of the original formula (that is, subformulas and a few others). Other approaches (such as Schwendimann’s) require other annotations on nodes.

Overall tableau: one that is in completely traditional style (labels are sets of formulas), tree shaped tableau construction, no extraneous recording of calculated values, just looking at the labels.

Completely parallel development of branches. No communication between different branches. This promises interesting and useful parallel implementations.

The reasoning speed seems to be (capable of being) uniquely fast on some important benchmarks.

3 Syntax and Semantics

We assume a countable set of propositional atoms, or atomic propositions.

A (transition) structure is a triple with a finite set of states, a binary relation called the transition relation and labelling tells us which atoms are true at each state: for each , . Furthermore, is assumed to be total: every state has at least one successor

Given a structure an -sequence of states from is a fullpath (through ) iff for each , . If is a fullpath then we write , (also a fullpath).

The (well formed) formulas of LTL include the atoms and if and are formulas then so are , , , and .

We will also include some formulas built using other connectives that are often presented as abbreviations instead. However, before detailing them we present the semantic clauses.

Semantics defines truth of formulas on a fullpath through a structure. Write iff the formula is true of the fullpath in the structure defined recursively by:
iff , for ; iff ; iff and ; iff ; and iff there is some s.t. and for each , if then .

Standard Abbreviations in LTL include the classical , , , , . We also have the temporal: , read as eventually and always respectively. In reasoning with LTL, it is simpler to remove these abbreviations from input formulas and then deal with a relatively small set tableau rules for the disabbreviated language. However, experience with tableaux and typical real life LTL examples gives a strong indication that automated reasoning is quicker if these abbreviations are included as first-class language constructs in their own rights. Thus, inputs are accepted in the larger language including these symbols, they are not disabbreviated and there are enough tableau rules to process the bigger set of formulas directly. In this paper we present a tableau system with the larger set of rules.

A formula is satisfiable iff there is some structure with some fullpath through it such that . A formula is valid iff for all structures for all fullpaths through we have . A formula is valid iff its negation is not satisfiable.

For example, , , , , are each satisfiable. However, , , , are each not satisfiable.

We will fix a particular formula, say, and describe how a tableau for is built and how that decides the satisfiability or otherwise, of . We will use other formula names such as , , e.t.c., to indicate arbitrary formulas which are used in labels in the tableau for .

4 General Idea of the Tableau

The tableau for is a tree of nodes (going down the page from a root) each labelled by a set of formulas. To lighten the notation, when we present a tableau in a diagram we will omit the braces around the sets which form labels. The root is labelled .

Each node has 0, 1 or 2 children. A node is called a leaf if it has 0 children. A leaf may be crossed (), indicating a failed branch, or ticked (), indicating a successful branch. Otherwise, a leaf indicates an unfinished branch and unfinished tableau.

The whole tableau is successful if there is a ticked branch. This indicates a “yes” answer to the satisfiability of . It is failed if all branches are crossed: indicating “no”. Otherwise it is unfinished. Note that you can stop the algorithm, and report success if you tick a branch even if other branches have not reached a tick or cross yet.

A small set of tableau rules (see below) determine whether a node has one or two children or whether to cross or tick it. This depends on the label of the parent, and also, for some rules, on labels on ancestor nodes, higher up the branch towards the root. The rule also determines the labels on the children.

The parent-child relation is indicated by a vertical arrow in diagrams (if needed). However, to indicate use of one particular rule (coming up below) called the TRANSITION rule we will use a vertical arrow () with two strikes across it, or just an equals sign.

A node label may be the empty set, although it then can be immediately ticked by rule EMPTY below.

A formula which is an atomic proposition, a negated atomic proposition or of the form or is called elementary. If a node label is non-empty and there are no direct contradictions, that is no and amongst the formulas in the label, and every formula it contains is elementary then we call the label (or the node) poised.

Most of the rules consume formulas. That is, the parent may have a label , where is disjoint union, and a child may have a label so that has been removed, or consumed.

See the example given in Figure 3 of a simple but succesful tableau.

Figure 3:

As usual a tableau node is an ancestor of a node precisely when or is a parent of or a parent of a parent, etc. Then is a descendent of and we write . Node is a proper ancestor of , written , iff it is an ancestor and . Similarly proper descendent. When we say that a node is between node and its descendent , , then we mean that is an ancestor of and is an ancestor of .

A formula of the form or appearing in a poised label of a node , say, also plays an important role. We will call such a formula an -eventuality because or is often called an eventuality, and its truth depends on being eventually true in the future (if not present). If the formula appears in the label of a proper descendent node of then we say that the -eventuality at has been fulfilled by by being satisfied there.

5 Rules:

There are twenty-five rules altogether. We would only need ten for the minimal LTL-language, but recall that we are treating the usual abbreviations as first-class symbols, so they each need a pair of rules.

Most of the rules are what we call static rules. They tell us about formulas that may be true at a single state in a model. They determine the number, , or , of child nodes and the labels on those nodes from the label on the current parent node without reference to any other labels. These rules are unsurprising to anyone familiar with any of the previous LTL tableau approaches.

To save repetition of wording we use an abbreviated notation for presenting each rule: the rule relates the parent label to the child labels . The parent label is a set of formulas. The child labels are given as either a representing the leaf of a successful branch, a representing the leaf of a failed branch, a single set being the label on the single child or a pair of sets separated by a vertical bar being the respective labels on a pair of child nodes.

Thus, for example, the -rule, means that if node is labelled , if we choose to use the -rule and if we choose to decompose using the rule then the node will have two children labelled and respectively.

Often, several different rules may be applicable to a node with a certain label. If another applicable rule is chosen, or another formula is chosen to be decomposed by the same rule, then the child labels may be different. We discuss this non-determinism later.

These are the positive static rules:
EMPTY-rule: . -rule: . -rule: . -rule: . -rule: . -rule: . -rule: . -rule: . -rule: . -rule: .

There are also static rules for negations:
CONTRADICTION-rule: . -rule: . -rule: . -rule: . -rule: . -rule: . -rule: . -rule: . -rule: . -rule: . -rule: .

The remaining four non-static rules are only applicable when a label is poised (which implies that none of the static rules will be applicable to it). In presenting them we use the convention that a node has label . The rules are to be considered in the following order.

[LOOP]: If a node with poised label has a proper ancestor (i.e. not itself) with poised label such that , and for each -eventuality or in we have a node such that and then can be a ticked leaf.

[PRUNE]: Suppose that and each of , and have the same poised label . Suppose also that for each -eventuality or in , if there is with and then there is such that and . Then can be a crossed leaf.

[PRUNE]: Suppose that share the same poised label . Suppose also that contains at least one -eventuality but there is no -eventuality or in , with a node such that is and . Then can be a crossed leaf.

[TRANSITION]: If none of the other rules above do apply to it then a node labelled by poised say, can have one child whose label is: .

6 Comments and Motivation

A traditional classical logic style tableau starts with the formula in question and breaks it down into simpler formulas as we move down the page. The simpler formulas being satisfied should ensure that the more complicated parent label is satisfied. Alternatives are presented as branches. See the example given in Figure 4.

Figure 4: Classical disjunction Figure 5: Until also gives us choices

We follow this style of tableau as is evident by the classical look of the tableau rules involving classical connectives. The and rules are also in this vein, noting that temporal formulas such as also gives us choices: Figure 5.

Eventually, we break down a formula into elementary ones. The atoms and their negations can be satisfied immediately provided there are no contradictions, but to reason about the formulas we need to move forwards in time. How do we do this? See Figure 6.

Figure 6: But what to do when we want to move forwards in time? Figure 7: Introduce a new type of TRANSITION

The answer is that we introduce a new type of TRANSITION step: see Figure 7. Reasoning switches to the next time point and we carry over only information nested below and .

With just these rules we can now do the whole example. See Figure 3.

This example is rather simple, though, and we need additional rules to deal with infinite behaviour. Consider the example which, in the absence of additional rules, gives rise to a very repetitive infinite tableau. Figure 8.

Figure 8: gives rise to a very repetitive infinite tableau without the LOOP rule, but succeeds quickly with it Figure 9: crossed by PRUNE

Notice that the infinite fullpath that it suggests is a model for as would be a fullpath just consisting of the one state with a self-loop (a transition from itself to itself).

This suggests that we should allow the tableau branch construction to halt if a state is repeated. However the example shows that we can not just accept infinite loops as demonstrating satisfiability: the tableau for this unsatisfiable formula would have an infinite branch if we did not use the PRUNE rule to cross it (Figure 9). Note that the more specialised PRUNE rule can be used to cross the branch one TRANSITION earlier.

Notice that the infinite fullpath that the tableau suggests is this time not a model for . Constant repeating of being made true does not satisfy the conjunct . We have postponed the eventuality forever and this is not acceptable.

If appears in the tableau label of a node then we want to appear in the label of some later (or equal node) . In that case we say that the eventuality is satisfied by .

Eventualities are eventually satisfied in any (actual) model of a formula: by the semantics of .

Thus we introduce the LOOP rule with an extra condition. If a label is repeated along a branch and all eventualities are satisfied in between then we can build a model by looping states. In fact, the ancestor can have a superset and it will work (see the soundness proof below).

Examples like (in Figure 9) and which have branches that go on forever without satisfying eventualities, still present a problem for us. We need to stop and fail branches so that we can answer “no” correctly and terminate and so that we do not get distracted when another branch may be successful. In fact, no infinite branches should be allowed.

The final rule that we consider, and the most novel, is based on observing that these infinite branches are just getting repetitive without making a model. The repetition is clear because there are only a finite set of formulas which can ever appear in labels for a given initial formula . The closure set for a formula is as follows:

Here we use to mean that is a subformula of . The size of closure set is where is the length of the initial formula. Only formulas from this finite set will appear in labels. So there are only possible labels.

A similar observation in the case of the branching time temporal logic CTL* suggested the idea of useless intervals on branches in the tableau in [Rey11]. It is also related to the proof of the small model theorem for LTL in [SC85].

The PRUNE rule is as follows. If a node at the end of a branch (of a partially complete tableau) has a label which has appeared already twice above, and between the second and third appearance there are no new eventualities satisfied then that whole interval of states has been useless. The PRUNE rule applies similar reasoning to an initial repeat in which no eventualities are fulfilled.

It should be mentioned that the tableau building process we describe above is non-deterministic in several respects and so really not a proper description of an algorithm. However, we will see in the correctness proof below that the further details of which formula to consider at each step in building the tableau are unimportant.

Finally a suggestion for a nice example to try. Try .

7 Proof of Correctness: Soundness:

Justification will consist of three parts: each established whether or not the optional rules are used.

Proof of soundness. If a formula has a successful tableau then it has a model.

Proof of completeness: If a formula has a model then building a tableau will be successful.

Proof of termination. Show that the tableau building algorithm will always terminate.

First, a sketch of the Proof of Termination. Any reasonable tableau search algorithm will always terminate because there can be no infinitely long branches. We know this because the LOOP and PRUNE rule will tick or cross any that go on too long. Thus there will either be at least one tick or all crosses. Termination is also why we require that static rules consume formulas in between TRANSITION rules.

Now soundness. We use a successful tableau to make a model of the formula, thus showing that it is satisfiable. In fact we just use a successful branch. Each TRANSITION as we go down the branch tells us that we are moving from one state to the next. Within a particular state we can make all the formulas listed true there (as evaluated along the rest of the fullpath). Atomic propositions listed tell us that they are true at that state. An induction deals with most of the rest of the formulas. Eventualities either get satisfied and disappear in a terminating branch or have to be satisfied if the branch is ticked by the LOOP rule.

Suppose that is a successful tableau for . Say that the branch of nodes of ends in a tick. Denote by , the tableau label on a node . We build from and its tableau labels.

In fact, there are only a few that really matter: each time when we are about to use TRANSITION and when we are about to use EMPTY or LOOP to finish (at ). Let be the indices of nodes from at which the TRANSITION rule is used. That is, the TRANSITION rule is used to get from to . See Figure 10.

Figure 10: TRANSITIONS in : view sideways

If ends in a tick from EMPTY then let : so it contains states. It is convenient to consider that in the EMPTY case and put . The states will correspond to .

See Figure 11.

Figure 11: ends in a tick from EMPTY

If ends in a tick from LOOP then let : so it contains states. These will correspond to .

See Figure 12.

Figure 12: ends in a tick from LOOP

Let contain each for . We will also add extra pairs to to make a fullpath.

If ends in a tick from EMPTY then just put and a self-loop in as well. See Figure 13.

Figure 13: ends in a tick from EMPTY

If ends in a tick from LOOP then just put in as well where is as follows. Say that is the state that “matches” . So look at the application of the LOOP rule that ended in a tick. There is a proper ancestor of in the tableau with and all eventualities in are cured between and . The rule requires to be poised so it is just before a TRANSITION rule. So say that . Put . See Figure 14.

Figure 14:

A model with a line and one loop back is sometimes called a lasso [SC85].

Now let us define the labelling of states by atoms in . Let .

Finally our proposed model of is along the only fullpath of that starts at . That is, if ends in a tick from EMPTY then while if ends in a tick from LOOP then .

Let be the length of the first (non-repeating) part of the model: in the EMPTY case and in the LOOP case . Let be the length of the repeating part: in the EMPTY case and in the LOOP case . So in either case the model has states with state coming (again) after state etc. In particular, for and otherwise.

Now we are going to define a set of formulas for each , that we will want to be satisfied at . They collect formulas in labels in between TRANSITIONS, and loop on forever. Thus is to be a set of formulas that we want to be true at the first state of the model and those true when the model starts to repeat. In the very special case of , when is the first repeating state, let . If then let the collection for the first repeating state be . So in either case, has formulas from two separate sections of the tableau.

If , for , put . For each , except , let , all the formulas that appear between the and th consecutive uses of the TRANSITION rule.

Finally, for all , put .

Lemma 1

If for some , then . Also, if for some , then .

PROOF: Just consider the case: the case is similar.
Choose some such that . As the s repeat, we may as well assume . There are three main cases: , or otherwise.
Consider the and case first. Thus appears in some for . Because no static rules remove them, any formula of the form will survive in the tableau labels until the poised label just before a TRANSITION rule is used. After the TRANSITION rule we will have and will be collected in , the next state label collection.
However, in the other case when , we have surviving to be in the poised label . In that case, will be in and collected in . But, when then and so as required.
Finally, in the case when , we may have in some for or in some for . In the first subcase, it survives until and the reasoning proceeds as above. In the second subcase, for some with . Thus it survives to be in when we are about to use the LOOP rule. However, it will then also be in . After the TRANSITION rule at , will be in and will be collected in as required.

Lemma 2

Suppose . Then there is some such that and for all , if then .

PROOF: For all , whenever then either will also be there or both and will be. To see this, consider which static rules can be used to remove . Only the and -rule can do this.
By Lemma 1, if then . Thus, by a simple induction, , and so also the other two formulas, will be in all for unless with .
It remains to show that does appear in some .

If the branch ended with EMPTY, then we know this must happen as the is empty and so does not contain . So suppose that the branch ended with a LOOP up to tableau node but that for all .
For some , we have , so we know . Thus is one of the eventualities in that have to be satisfied between and .
Say that and it will also be in the next pre-TRANSITION label after . So eventually we find a such that and as required.

Lemma 3

Suppose . Then either 1) or 2) hold. 1) There is some such that and for all , if then . 2) For all , .

PROOF: This is similar to Lemma 2.

Now we need to show that . To do so we prove a stronger result: a truth lemma.

Lemma 4 (truth lemma)

for all , for all , if then .

PROOF: This is proved by induction on the construction of . However, we do cases for and together and prove that for all , for all : if then ; and if then .

The case by case reasoning is straightforward given the preceeding lemmas. See the long version for details.
Case : Fix . If let and otherwise let . Thus . If then, by definition of , . So and as required. If then (by rule CONTRADICTION) we did not put in and thus . This follows as no static rules remove atoms or negated atoms from labels.

Case : Fix . If then because will also have been put in (by the -rule) and so by induction . Note that the -rule also removes a double negation from a label set but it immediately crosses the branch so it is not relevant here. is similar.



Case : Fix . Suppose . We know this formula is removed before the next TRANSITION (or the end of the branch if that is sooner). There are two ways for such a conjunction to be removed: the -rule, or if the optional -rule is able to applied and is used. In the first case because and will also have been put in (by the -rule) and so by induction and .
Suppose instead that and and the -rule is used to remove . Then on branch either and are included and so in as well, or their negations are. In the first case, by induction we have and , and so we also have and as required. The second negated case is similar.
Suppose . Again we know this formula is removed and we see that there are four rules that could cause that to happen: -rule, -rule, -rule and -rule.
If is removed by -rule then because we will have put or (or one or both of them are already there) and so by induction or .
-rule: If is removed by -rule then anyway so we are done.
-rule: If is removed by -rule then because we will have put or (or one or both of them are already there) and so by induction or .
-rule: If is removed by -rule then because we will have put or (or one or both of them are already there) and so by induction or .


Case : If then by the -rule, or the optional -rule, we will have either put both and or we will have .
Consider the second case. so and we are done.

Now consider the first case: as well as and . By Lemma 2, this keeps being true for later until . By induction, for each until then, . Clearly if we get to a with then and as required.
If then -rule and -rule mean that or .


In the first case, and so as required.


In the second case we can use Lemma 3 which uses an induction to show that , , keep appearing in the labels forever or until also appears.


In either case as required.




Case : If then, by Lemma 1 so by induction and as required.
is similar. If then, by Lemma 1, so by induction (because we did first) and as required.
And thus ends the soundness proof.

If we have a successful tableau then the formula is satisfiable.

Notice that the PRUNE rules play no part in the soundness proof. A ticked branch encodes a model even if a PRUNE rule is not applied when it could be.

8 Proof of Completeness:

We have to show that if a formula has a model then it has a successful tableau. This time we will use the model to find the tableau. The basic idea is to use a model (of the satisfiable formula) to show that in any tableau there will be a branch (i.e. a leaf) with a tick.

A weaker result is to show that there is some tableau with a leaf with a tick. Such a weaker result may actually be ok to establish correctness and complexity of the tableau technique. However, it raises questions about whether a “no” answer from a tableau is correct and it does not give clear guidance for the implementer. We show the stronger result: it does not matter which order static rules are applied.

Lemma 5 (Completeness)

Suppose that is a satisfiable formula of LTL. Then any finished tableau for will be successful.

PROOF: Suppose that is a satisfiable formula of LTL. It will have a model. Choose one, say . In what follows we (use standard practice when the model is fixed and) write when we mean .
Also, build a completed tableau for in any manner as long as the rules are followed. Let be the formula set label on the node in . We will show that has a ticked leaf.
To do this we will construct a sequence of nodes, with being the root. This sequence may terminate at a tick (and then we have succeeded) or it may hypothetically go on forever (and more on that later). In general, the sequence will head downwards from a parent to a child node but occasionally it may jump back up to an ancestor.
As we go we will make sure that each node is associated with an index along the fullpath and we guarantee the following invariant for each . The relationship is that for each , .
Start by putting when is the tableau root node. Note that the only formula in is and that . Thus holds at the start.

Now suppose that we have identified the sequence up until . Consider the rule that is used in to extend a tableau branch from to some children. Note that we can also ignore the cases in which the rule is EMPTY or LOOP because they would immediately give us the ticked branch that is sought.
It is useful to define the sequence advancement procedure in the cases apart from the PRUNE rules separately. Thus we now describe a procedure, call it , that is given a node and index satisfying and, in case that the node has children via any rule except PRUNE, the procedure will give us a child node and index which is either or , such that holds. The idea will be to use procedure on and to get and in case the PRUNE rule is not used at node . We return to deal with advancing from in case that a PRUNE rule is used later. So now we describe procedure with assumed.
If then we are done. is a successful tableau as required.


Consider if it is possible for us to reach a leaf at with a cross because of a contradiction. So there is some with and in . But this can not happen as then and .

So is in and there is one child, which we will make and we will put . Because we also have . Also for every other , we still have . So we have the invariant holding.



[-rule] So is in and there is one child, which we will make and we will put . Because we also have and . Also for every other , we still have . So we have the invariant holding.






[-rule] So is in and there are two children. One is labelled and the other, , is labelled . We know . Thus, and it is not the case that both and . So either or .
If the former, i.e. that we will make and otherwise we will make . In either case put . Let us check the invariant. Consider the first case. The other is exactly analogous.
We already know that we have . Also for every other , we still have . So we have the invariant holding.



So and there are two children. One is labelled and the other, , is labelled . We know . Thus, there is some such that and for all , if then . If then we can choose (even if other choices as possible) and otherwise choose any such . Again there are two cases, either or .
In the first case, when , we put and otherwise we will make . In either case put .
Let us check the invariant. Consider the first case. We have .

In the second case, we know that we have and . Thus .

Also, in either case, for every other we still have . So we have the invariant holding.



So and there are two children. One is labelled and the other, , is labelled . We know . So for sure .
Furthermore, possibly as well, but otherwise if then we can show that we can not have . Suppose for contradiction that and . Then there is some such that and for all , if then . Thus . Contradiction.


So we can conclude that there are two cases when the -rule is used. CASE 1: and . CASE 2: and .
In the first case, when , we put and otherwise we will make . In either case put .
Let us check the invariant. In both cases we know that we have . Now consider the first case. We also have . In the second case, we know that we have . Thus . Also, in either case, for every other we still have . So we have the invariant holding.
: similar.

[TRANSITION] So is poised and there is one child, which we will make and we will put .
Consider a formula .
CASE 1: Say that . Thus, by the invariant, . Hence, . But this is just as required.
CASE 2: Say that and . Thus, by the invariant, . Hence, . But this is just as required.

So we have the invariant holding.


[LOOP] If, in , the node is a leaf just getting a tick via the LOOP rule then we are done. is a successful tableau as required.

So that ends the description of procedure that is given a node and index satisfying and, in case that the node has children via any rule except PRUNE or PRUNE, the procedure will give us a child node and index , which is either or , such that holds. We use procedure to construct a sequence of nodes, with being the root. and guarantee the invariant for each .

The idea will be to use procedure on and to get and in case the PRUNE rule is not used at node . Start by putting when is the tableau root node. We have seen that holds at the start.
[PRUNE ] Now, we complete the description of the construction of the sequence by explaining what to do in case is a node on which PRUNE is used. Suppose that is a node which gets a cross in via the PRUNE rule. So there is a sequence