Temporal logic is a non-classical logic that was originally developed in order to represent tense in natural language [Pri67]. More recently, it has achieved a significant role in the formal specification and verification of concurrent and distributed systems [Pnu77]. It is commonly recognised that such reactive systems [HP85] represent one of the most important classes of systems in computer science and, although analysis of these systems is difficult, it has been successfully tackled using modal and temporal logics [Pnu77, Eme90, Sti92]. In particular, a number of useful concepts, such as safety, liveness and fairness can be formally, and concisely, specified using temporal logics [MP92, Eme90].
There are now a wide variety of temporal logics, differing in both their underlying model of time (for example, branching [ES88] versus linear [Pnu77, MP92], and dense [BG85] versus discrete) and their intended area of application (for example, program specification [MP92], temporal databases [Tan93], knowledge representation [AF99], executable temporal logics [BFG96], natural language [Ste97]). In this paper we concentrate on a specific but widely used temporal logic, Propositional Linear Temporal Logic (PLTL), a discrete, linear temporal logic with finite past and infinite future; see for example [GPSS80, MP92, MP95].
Given a specification of some computational system in PLTL, we may want to establish that particular properties of the specification hold. Thus, for concurrent systems, we must often show the absence of deadlock, preservation of mutual exclusion, etc. (see, for example, [Lam83]). There are two main approaches to temporal verification that could be used here. If we can generate a finite-state structure representing all models of the system, then model checking techniques can be applied [Hol97]. Model checking involves establishing that a specific temporal formula is satisfied in the set of models representing the system. An alternative approach involves direct proof in PLTL. We consider this second approach since not only may it be the case that models are not readily available but, even if they are, many systems we are interested in have very large, sometimes infinite, state spaces. Importantly, the use of direct proof methods may obviate the need to traverse all of a possible model structure.
The development of proof methods for temporal logic have followed three main approaches: tableaux, automata and resolution. To show a formula valid, each of these methods is applied to the negation of , i.e. . Tableaux-based approaches, for example [Wol83, Gou84], attempt to systematically construct a structure from which a model can be extracted for . The inability to construct such a model means that is unsatisfiable and therefore is valid. The use of automata-based approaches depends on the fact that models for PLTL are simply infinite sequences of choices for truth values of proposition symbols. That is, an interpretation of a PLTL formula can be viewed as an infinite word over the alphabet that is the powerset of proposition symbols. Translations from PLTL into Büchi Automata are given in [SVW87]. If the automaton for is empty then it accepts no infinite words, hence is unsatisfiable and is valid.
Resolution-based approaches to proof in PLTL fall into two main classes: non-clausal and clausal. A non-clausal method described in [AM85], and extended to first-order temporal logic in [AM90], requires a large number of resolution rules, making implementation of this method difficult. Clausal resolution was suggested as a proof method for classical logic by Robinson [Rob65] and was claimed to be machine oriented, i.e. suitable to be performed by computer as it has one rule of inference that may be applied many times. Again, to show a formula is valid, it is negated and is translated into a normal form. The resolution inference rule is applied until either no new inferences can be made or a contradiction is obtained. The generation of a contradiction means that is unsatisfiable and therefore valid.
Since clausal resolution is a simple and adaptable proof method for classical logics with a bank of research into heuristics and strategies, it is perhaps surprising that few attempts have been made to extend this to temporal logics. However, discrete temporal logics, such as PLTL, are difficult to reason about as the interaction between the -operator (meaning always in the future) and the -operator (meaning in the next moment in time) encodes a form of induction. Thus, a special temporal resolution rule is needed to handle this. There have been two previous attempts (known to the authors) at developing clausal resolution for temporal logics. The method described in [CFdC84] is only applicable to a subset of the operators allowed in this paper, that is for a less expressive language, and contains a more complex normal form. The method described in [Ven86] is the closest to that described in this paper, the main difference being that the reasoning is carried out forward into the future while our approach involves reasoning backwards until a contradiction is generated in the initial state. Both of these are discussed further in §8.
The development of the new resolution method described in this paper is motivated not only by our wish to show that such a resolution system can be both simple and elegant, but also by our view that clausal resolution techniques will, in the future, provide the basis for the most efficient temporal theorem-provers. While, in previous years, the most successful theorem-provers for modal and temporal logics have been tableau-based (e.g. [Hor98]), the use of resolution has now been shown to be at least competitive [HS99]. In the classical framework, clausal resolution has led to many refinements aimed at guiding the search for a refutation, for example, [CL73, WOLB84]. In addition, several efficient, fast, and widely used resolution-based theorem provers have been developed, for example Otter [McC94] and Spass [Wei97]. It is our view that a clausal temporal resolution system has the potential to utilise a range of such efficient improvements developed for both classical and modal resolution.
Thus, our approach is clausal. In particular, we define a very simple (and flexible) normal form, called Separated Normal Form (SNF), that removes all but a core set of temporal operators. Two types of resolution rule are then defined, one analogous to the classical resolution rule and the other a new temporal resolution rule. However, due to the interaction between the and operators mentioned previously, the application of the temporal resolution rule is non-trivial, requiring specialised algorithms [Dix96]. It is not our intention here to analyse experimental results concerning use of the resolution method (which still remain part of our future work), but simply to provide a logically complete basis for clausal temporal resolution. While short reports on this work have appeared previously, notably in [Fis91], this paper provides the first exposition of the full completeness result for this temporal resolution method. In addition, it provides important properties of the translation into the normal form, and presents a simpler future-time formulation of the method.
The structure of the paper is as follows. In §2 we give the syntax and semantics of PLTL. In §3, we define the normal form (SNF), show how any PLTL formula may be translated into SNF and consider the properties of this translation. The resolution rules for formulae in SNF are given in §4 while example refutations are provided in §5. Issues of correctness and complexity are considered in §6 and §7, respectively. Related work is examined in §8 and conclusions and future work are provided in §9.
2 Propositional Temporal Logic
Propositional Temporal Logic (PLTL) was originally developed from work on tense logics [Pri67], but has come to prominence through its application in the specification and verification of both software and hardware [Pnu77]. The particular variety of temporal logic we consider is based on a linear, discrete model of time with finite past and infinite future [GPSS80, LPZ85]. Thus, the temporal operators supplied operate over a sequence of distinct ‘moments’ in time.
There are several ways to view this logic. One is as a classical propositional logic augmented with temporal connectives (or operators). An alternative characterisation can be given in terms of a multi-modal language with two different modalities, one representing the ‘next’ moment in time, the other representing all future moments in time (‘’ and ‘’ below, respectively).
While it is possible to include past-time operators in the definition of the logic we choose not to do so in this exposition since, as models have a finite past, such operators add no extra expressive power [GPSS80, LPZ85]. However, if the addition of past-time operators makes the expression of certain properties easier (see, for example, [LPZ85]) they can be easily incorporated (see §3 for more details).
The future-time connectives that we use include ‘’ (sometime in the future), ‘’ (always in the future), ‘’ (in the next moment in time), ‘’ (until), and ‘’ (unless, or weak until). To assist readers who may be unfamiliar with the semantics of the temporal operators we introduce, in the next section, all operators as basic. Alternatively we could have provided the syntax and semantics of just a subset of the operators and introduced the remainder as abbreviations.
PLTL formulae are constructed from the following elements.
A set, , of propositional symbols.
Propositional connectives, true, false, , , , and .
Temporal connectives, , , , , and .
The set of well-formed formulae of PLTL, denoted by wff, is inductively defined as the smallest set satisfying the following.
Any element of is in wff.
true and false are in wff.
If and are in wff then so are
A literal is defined as either a proposition symbol or the negation of a proposition symbol.
An eventuality is defined as a formula of the form .
PLTL is interpreted over discrete, linear structures, for example the natural numbers, . A model of PLTL, , can be characterised as a sequence of states
where each state, , is a set of proposition symbols, representing those proposition symbols which are satisfied in the moment in time. As formulae in PLTL are interpreted at a particular state in the sequence (i.e. at a particular moment in time), the notation
denotes the truth (or otherwise) of formula in the model at state index . For any formula , model and state index , then either holds or does not hold, denoted by . If there is some such that , then is said to be satisfiable. If for all models, , then is said to be valid and is written . Note that formulae here are interpreted at ; this is an alternative, but equivalent, definition to the one commonly used [Eme90].
The semantics of wff can now be given, as follows. iff [where ] iff and iff or iff or iff iff iff there exists a such that and iff for all , if then iff there exists a , such that and and for all , if then iff or
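As an added example (not part of the paper), the following Python evaluates the semantics just given over a model written as a finite prefix of states followed by a loop repeated forever; restricting to such ultimately periodic models is an assumption of the example, as are the tuple encoding of formulae and the names used. The `start` connective introduced in §3.1 is included, and `equivalent` lets the fixpoint unwinding equivalences used in §3.1 be checked on a model.

```python
# Added example (not from the paper): PLTL over an ultimately periodic model.
# Formulae are proposition symbols (strings) or tuples, e.g. ('until', 'p', 'q');
# the operator names and this encoding are assumptions of the example.

class Model:
    def __init__(self, prefix, loop):
        # Constructed lasso: the states of prefix, then those of loop repeated forever.
        assert loop, "the loop must be non-empty so that the sequence is infinite"
        self.states = [frozenset(s) for s in list(prefix) + list(loop)]
        self.all = frozenset(range(len(self.states)))
        self.loop_start = len(prefix)

    def succ(self, i):
        # Index of the moment after i; the last state wraps round to the loop start.
        return i + 1 if i + 1 < len(self.states) else self.loop_start

    def pre(self, s):
        # Indices whose successor lies in s: where ('next', f) holds if s = positions(f).
        return frozenset(i for i in self.all if self.succ(i) in s)

    def positions(self, f):
        """Set of indices i with (M, i) |= f, following the semantics of §2.2."""
        if isinstance(f, str):                    # proposition symbol
            return frozenset(i for i, s in enumerate(self.states) if f in s)
        op, args = f[0], f[1:]
        if op == 'true':     return self.all
        if op == 'false':    return frozenset()
        if op == 'start':    return frozenset({0})   # §3.1: only at the beginning of time
        if op == 'not':      return self.all - self.positions(args[0])
        if op == 'and':      return self.positions(args[0]) & self.positions(args[1])
        if op == 'or':       return self.positions(args[0]) | self.positions(args[1])
        if op == 'implies':  return (self.all - self.positions(args[0])) | self.positions(args[1])
        if op == 'next':     return self.pre(self.positions(args[0]))
        if op == 'sometime': return self.positions(('until', ('true',), args[0]))
        if op == 'unless':   return self.positions(('until',) + args) | self.positions(('always', args[0]))
        if op == 'until':
            # Least fixpoint of U = [g] ∪ ([f] ∩ pre(U)): a g-moment is reached via f-moments.
            u, a = self.positions(args[1]), self.positions(args[0])
            while (nxt := u | (a & self.pre(u))) != u:
                u = nxt
            return u
        if op == 'always':
            # Greatest fixpoint of G = [f] ∩ pre(G): f holds at every future moment.
            g = self.positions(args[0])
            while (nxt := g & self.pre(g)) != g:
                g = nxt
            return g
        raise ValueError(f'unknown operator {op!r}')

def holds(model, f, i=0):
    # (M, i) |= f; as in the paper, formulae are interpreted at index 0 by default.
    return i in model.positions(f)

def equivalent(model, f, g):
    # f and g agree at every moment of this model (e.g. to check an unwinding equivalence).
    return model.positions(f) == model.positions(g)

# Constructed sample: p at 0, p and q at 1, then q, {}, q, {}, ... forever.
SAMPLE = Model(prefix=[{'p'}, {'p', 'q'}], loop=[{'q'}, set()])
```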
2.3 Proof Theory
The standard axioms and inference rules for PLTL are as follows (taking the temporal operators , and as primitive and the remaining as abbreviations; see §2.3.1). The axioms are all substitution instances of the following:
all classical tautologies,
The inference rules are modus ponens
[GPSS80] (Soundness) If then is valid in PLTL.
[GPSS80](Completeness) If is valid in PLTL then .
A complete axiom system for PLTL with future-time temporal operators is given in [GPSS80]. The axiom system presented here is slightly different from the original due to slight differences in the semantics of the connectives used. We note that it is difficult to use such an axiom system for automated theorem proving as it is not always clear which step should be taken next to move towards a proof.
2.3.1 Some Equivalences
3 A Normal Form for Propositional Temporal Logic
3.1 Separated Normal Form
The resolution method is clausal, and so works on formulae transformed into a normal form. The normal form, called Separated Normal Form (SNF), was inspired by (but does not require) Gabbay’s separation result [Gab87], which states that temporal formulae can be transformed into their past, present and future-time components. The normal form we present comprises formulae that are implications with present-time formulae on the left-hand side and (present or) future-time formulae on the right-hand side. The transformation into the normal form reduces most of the temporal operators to a core set and rewrites formulae to be in a particular form. The transformation into SNF depends on three main operations: the renaming of complex subformulae; the removal of temporal operators; and classical style rewrite operations.
Renaming, as suggested in [PG86], is a way of preserving the structure of a formula when translating into a normal form in classical logic. Here, complex subformulae can be replaced by a new proposition symbol and the truth value of the new proposition symbol is linked to the subformula it represents at all points in time. The removal of temporal operators is carried out by using (fixed point) equivalences, for example
that ‘unwind’ the temporal operators to give formulae that need to hold both now and in the future. Classical rewrite operations allow us to manipulate formulae into the required form.
To assist in the definition of the normal form we introduce a further (nullary) connective start, that holds only at the beginning of time, i.e.
This allows the general form of the (PLTL-clauses of the) normal form to be implications. An alternative would be to allow disjunctions of literals as part of the normal form representing the clauses holding at the beginning of time.
Formulae in SNF are of the general form
where each is known as a PLTL-clause (analogous to a ‘clause’ in classical logic) and must be one of the following forms with each particular , , , and representing a literal.
For convenience, the outer ‘’ and ‘’ connectives are usually omitted, and the set of PLTL-clauses is considered. Different variants of the normal form have been suggested [Fis92, FN92, Fis97]. For example, where PLTL is extended to allow past-time operators the normal form has start or (where ‘’ means in the previous moment in time and is a conjunction of literals) on the left-hand side of the PLTL-clauses and a present-time formula or eventuality (i.e. ‘’) on the right-hand side. Other versions allow PLTL-clauses of the form . These are all expressively equivalent when models with finite past are considered.
To apply the temporal resolution rule (see §4.2), one or more step PLTL-clauses may need to be combined. Consequently, a variant on SNF called merged-SNF (SNF) [Fis91], is also defined. Given a set of PLTL-clauses in SNF, any PLTL-clause in SNF is also a PLTL-clause in SNF. Any two PLTL-clauses in SNF may be combined to produce a PLTL-clause in SNF as follows.
Thus, any possible conjunctive combination of SNF PLTL-clauses can be represented in SNF.
3.2 Translation into SNF
In this section, we review the translation of an arbitrary PLTL formula into the normal form (this extends the exposition provided in [Fis97]). The procedure uses the technique of renaming complex subformulae by a new proposition symbol and the truth value of the new proposition symbol is linked to that of the renamed formula at all moments in time. Thus, in the exposition below the new proposition symbols introduced, namely those indicated by , and must be new at each iteration of the procedure. In the remainder of §3 we show such new proposition symbols in bold face type.
Take any formula of PLTL and translate into SNF by applying the and transformations described below (where is a new proposition symbol).
Next, we give the transformation where is a proposition symbol. If the main operator on the right of the implication is a classical operator (other than non-negated disjunction) remove it as follows.
Complex subformulae enclosed in any temporal operators are renamed as follows (where , and are new proposition symbols).
The negated and operators involve the introduction of three new proposition symbols. Consider the transformation applied to . Applying the equivalence provided in §2.3.1 we have . To avoid repeating the subformula in the translation, and so that the resultant operator is applied to proposition symbols we introduce three new variables, replaces , replaces , replaces .
Then, any temporal operators, applied to literals, that are not allowed in the normal form are removed as follows (where, again, is a new proposition symbol and and are literals).
Next, we use renaming on formulae whose right-hand side has disjunction as its main operator but may not be in the correct form, where is a new proposition symbol, is a disjunction of formulae and is neither a literal nor a disjunction of literals.
Finally, we rewrite formulae, containing no temporal operators, whose right-hand side is a disjunction of literals, true or false (note that and are rewritten to false and true respectively) into PLTL-clause form and stop applying the transformation to PLTL-clauses already in the correct form (where is a literal or disjunction of literals and and each are literals).
Thus, the above transformations are applied until the formula is in the form
where each is one of the three required formats. This, in turn, is equivalent to
3.3 Properties of the Translation to SNF
Our aim is to show that the transformation is satisfiability preserving. This is shown in two parts. Firstly, any model for a transformed formula is also a model for the original; secondly, given a model for a PLTL formula, there is always a model for its transformation into the normal form.
Thus firstly, we show that
i.e. any model for the transformed formula is a model for the original. However, before we show this, we first prove a lemma.
For all PLTL formulae
where is a proposition symbol.
Proof The proof is carried out by induction on the structure of . For the base cases we have the following.
Now, we assume that the lemma holds for , , and , e.g. , and show it holds for all combinations of operators or negated operators, e.g. , , , . We consider the cases for , , and and note that proofs for the other operators are similar (where , , and are new proposition symbols).
where from the induction hypothesis.
where from the induction hypothesis.
For all PLTL formulae
Proof For any PLTL formula , the first step in the transformation is to anchor to the first moment in time, i.e.