ICS-E5010 Computer-Aided Verification and Synthesis, Spring 2016
Stavros Tripakis
Homework 2: Temporal logic
Assigned: January 20, 2016
Due: February 1, 2016
Total: 235 points.
1. (20 points)
Two formulae φ1 and φ2 in the same logic are equivalent, written φ1 ⇐⇒ φ2, if and only
if they have the same set of models, i.e., a model satisfies φ1 if and only if it satisfies
φ2. In particular, two LTL formulae are equivalent iff they are satisfied by exactly the
same set of infinite traces.
φ1 is stronger than φ2 if every model which satisfies φ1 also satisfies φ2 . In other words, if
φ1 implies (or entails) φ2 .
(a) Consider the two LTL formulae
G(a ∨ b)
and
Ga ∨ Gb
Are they equivalent? If yes, prove it. If not, provide a counterexample (i.e., an infinite
trace which satisfies one formula but violates the other).
Solution
They are not equivalent. The weaker formula G(a ∨ b) is satisfied, but Ga ∨ Gb is violated,
by the trace in which a is true exactly on the even steps and b exactly on the odd steps:
at every step one of the two holds, but neither a nor b holds at every step.
(b) Is one of the above two formulae stronger than the other? Solution
Ga ∨ Gb ⇒ G(a ∨ b)
Consider any trace that satisfies the left side. There are two possibilities: in every state
a holds, or in every state b holds. In either case, in every state one of the two holds,
satisfying the right side. The converse implication fails, by the trace of part (a).
(c) Answer the same questions as in (a), (b), for the two LTL formulae
F(a ∧ b)
and
Fa ∧ Fb
Solution
F(a ∧ b) ⇒ Fa ∧ Fb
Consider any trace that satisfies the left side. There must exist a state in the trace at
which both a and b hold simultaneously. Both of the conditions on the right hold in this
case.
An example of a trace that satisfies only the weaker formula Fa ∧ Fb is one in which a is
true only on the first step and b only on the second step: both eventually hold, but never
simultaneously, so F(a ∧ b) is violated.
2. (40 points) (Problem 5.6 from the book by Baier and Katoen, Principles of Model Checking)
For each of the following, either prove that the equivalence is correct, or give a counterexample to show that it is not:
(a) Gφ → Fψ ⇐⇒ φ U (ψ ∨ ¬φ)
Solution
This equivalence is true.
The left hand side can be transformed by standard temporal logic identities:
Gφ → Fψ
⇐⇒ ¬Gφ ∨ Fψ
⇐⇒ F¬φ ∨ Fψ
⇐⇒ F(¬φ ∨ ψ)
⇐⇒ true U (¬φ ∨ ψ)
It remains to show true U (¬φ ∨ ψ) ⇐⇒ φ U (¬φ ∨ ψ). The direction from right to left holds
because φ implies true, and weakening the left argument of U preserves satisfaction. For
the direction from left to right, consider a trace satisfying true U (¬φ ∨ ψ) and let i be the
first position at which ¬φ ∨ ψ holds. At every position j < i the formula ¬φ ∨ ψ is false,
so φ holds there; hence φ U (¬φ ∨ ψ) holds. Consequently
true U (¬φ ∨ ψ) ⇐⇒ φ U (¬φ ∨ ψ)
proving the equivalence.
(b) FGφ → GFψ ⇐⇒ G(φ U (ψ ∨ ¬φ))
Solution
This equivalence is true.
To show this, the left and right hand sides are transformed into forms that are easier to
compare. First, the left, using standard identities:
FGφ → GFψ
⇐⇒ ¬FGφ ∨ GFψ
⇐⇒ GF¬φ ∨ GFψ
⇐⇒ G(F¬φ) ∨ G(Fψ)
The right can be transformed using the equivalence from part (a), namely
φ U (¬φ ∨ ψ) ⇐⇒ F(¬φ ∨ ψ) ⇐⇒ F¬φ ∨ Fψ:
G(φ U (¬φ ∨ ψ))
⇐⇒ G(F¬φ ∨ Fψ)
So it remains to show G(F¬φ) ∨ G(Fψ) ⇐⇒ G(F¬φ ∨ Fψ). The direction from left to right
is the implication Ga ∨ Gb ⇒ G(a ∨ b) proved in Problem 1(b), so
G(F¬φ) ∨ G(Fψ) ⇒ G(F¬φ ∨ Fψ)
which leaves only the implication in the other direction. To show this, the following
lemma is needed:
G(Fa ∨ Fb) ⇒ GFa ∨ GFb
Consider a trace satisfying the left side of the implication. Since Fa ∨ Fb ⇐⇒ F(a ∨ b),
the trace satisfies GF(a ∨ b): for every position k there is a position n ≥ k at which a or
b holds, so a ∨ b holds at infinitely many positions. Partition these positions into those
at which a holds and those at which b holds. At least one of the two sets is infinite, since
a union of two finite sets is finite. If the set of a-positions is infinite, then for every k
there is an a-position n ≥ k, i.e. GFa holds; otherwise the set of b-positions is infinite
and GFb holds. This proves the lemma.
Using this lemma, the original equivalence is fully proven.
(c) GG(φ ∨ ¬ψ) ⇐⇒ ¬F(¬φ ∧ ψ)
Solution
This equivalence is true.
This can be shown via a simple derivation.
GG(φ ∨ ¬ψ)
⇐⇒ G(φ ∨ ¬ψ)
⇐⇒ ¬¬G(φ ∨ ¬ψ)
⇐⇒ ¬F¬(φ ∨ ¬ψ)
⇐⇒ ¬F(¬φ ∧ ψ)
(d) GFφ → GFψ ⇐⇒ G(φ → Fψ)
Solution
This equivalence is false.
Consider a trace in which φ is true only finitely many times (but at least once) and ψ is
never true at or after the last state in which φ holds; for instance, φ true only in the first
state and ψ never true. This trace satisfies the left side vacuously, since the premise GFφ
of the implication is false. However, the last state in which φ is true has no state at or
after it in which ψ is true, so φ → Fψ is false in that state. Since there is a state in which
the implication fails, G(φ → Fψ) is violated.
3. (30 points) (Problem 5.2 from Baier and Katoen)
Consider the transition system (Kripke structure) shown below, over the set of atomic propositions {a, b, c}.
Determine which of the following LTL formulae hold in this transition system. For those that
do hold, explain why. For those that do not, provide a counterexample trace.
Note: we use → for logical implication, and assume that it binds with lower priority than
other operators. So, for example, X¬c → XXc means (X¬c) → (XXc).
(a) φ1 = FGc
Solution This is false. A counterexample is the infinite trace
s1 (s3 s4)^ω
(b) φ2 = GFc
Solution This is true.
(c) φ3 = X¬c → XXc
Solution This is true.
(d) φ4 = Ga
Solution This is false. A counterexample is any trace starting with s2 .
(e) φ5 = a U (G(b ∨ c))
Solution This is true.
(f) φ6 = (XXb) U (b ∨ c)
Solution This is false. A counterexample is any trace starting with s1 s4 s2 .
4. (20 points)
Consider the formula (¬p)Up. Is this formula stronger, weaker, or equivalent to Fp? Justify
your answers (provide proof or counterexample).
Solution
(¬p)Up and Fp are equivalent. To see this, observe that (¬p)Up implies Fp since in general
φUψ implies Fψ. It remains to show that Fp implies (¬p)Up. Consider a trace σ satisfying
Fp, and let i be the first point of σ at which p holds (such an i must exist, otherwise σ
would not satisfy Fp). Then ¬p holds at every point j < i, so σ satisfies (¬p)Up.
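The counterexamples in Problems 1, 2 and 4 are all ultimately periodic traces (a finite prefix followed by a loop repeated forever), and on such traces LTL satisfaction can be decided by inspecting finitely many positions. The following Python program is an added example, not part of the original homework: it evaluates LTL formulae on such lasso traces and performs a bounded search for a trace on which two formulae disagree. The tuple encoding of formulae, the `Lasso` class and the names `holds`, `all_lassos` and `find_distinguishing` are chosen here. A trace the search returns is a genuine counterexample to equivalence; a `None` result only says that none exists within the bound and does not replace the proofs above.

```python
# Added example (not from the homework): LTL on ultimately periodic traces.
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Optional, Tuple

State = FrozenSet[str]  # the set of propositions true at one position


@dataclass(frozen=True)
class Lasso:
    """Infinite trace prefix . loop . loop . loop ...  (loop must be non-empty)."""
    prefix: Tuple[State, ...]
    loop: Tuple[State, ...]

    def state(self, i: int) -> State:
        """Propositions true at position i of the infinite trace."""
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def horizon(self) -> int:
        # From any position i, the window [i, i + horizon) contains a full pass
        # through the loop, so an eventuality that holds at all holds in the window.
        return len(self.prefix) + len(self.loop)


# Formula constructors (tuple ASTs); F and G are derived operators.
TRUE = ('true',)
def AP(p): return ('ap', p)
def NOT(f): return ('not', f)
def AND(f, g): return ('and', f, g)
def OR(f, g): return ('or', f, g)
def IMPLIES(f, g): return ('implies', f, g)
def X(f): return ('X', f)
def U(f, g): return ('U', f, g)
def F(f): return U(TRUE, f)          # F f  ==  true U f
def G(f): return NOT(F(NOT(f)))      # G f  ==  not F not f


def holds(tr: Lasso, phi, i: int = 0) -> bool:
    """Does the suffix of tr starting at position i satisfy phi?"""
    op = phi[0]
    if op == 'true':
        return True
    if op == 'ap':
        return phi[1] in tr.state(i)
    if op == 'not':
        return not holds(tr, phi[1], i)
    if op == 'and':
        return holds(tr, phi[1], i) and holds(tr, phi[2], i)
    if op == 'or':
        return holds(tr, phi[1], i) or holds(tr, phi[2], i)
    if op == 'implies':
        return (not holds(tr, phi[1], i)) or holds(tr, phi[2], i)
    if op == 'X':
        return holds(tr, phi[1], i + 1)
    if op == 'U':
        f, g = phi[1], phi[2]
        # The first position where g holds decides f U g; by periodicity it
        # lies within one horizon of i if it exists at all.
        for j in range(i, i + tr.horizon()):
            if holds(tr, g, j):
                return True
            if not holds(tr, f, j):
                return False
        return False
    raise ValueError(f'unknown operator {op!r}')


def all_lassos(props, max_prefix: int, max_loop: int):
    """Every lasso over `props` with prefix <= max_prefix and 1 <= loop <= max_loop."""
    props = tuple(props)
    states = [frozenset(p for p, bit in zip(props, bits) if bit)
              for bits in product((0, 1), repeat=len(props))]
    for pl in range(max_prefix + 1):
        for ll in range(1, max_loop + 1):
            for prefix in product(states, repeat=pl):
                for loop in product(states, repeat=ll):
                    yield Lasso(prefix, loop)


def find_distinguishing(lhs, rhs, props, max_prefix=2, max_loop=2) -> Optional[Lasso]:
    """Bounded search for a trace on which lhs and rhs disagree (None = none in bound)."""
    for tr in all_lassos(props, max_prefix, max_loop):
        if holds(tr, lhs) != holds(tr, rhs):
            return tr
    return None


if __name__ == '__main__':
    a, b = AP('a'), AP('b')
    # Problem 1(a): a exactly on even steps, b exactly on odd steps.
    alternating = Lasso((), (frozenset({'a'}), frozenset({'b'})))
    print(holds(alternating, G(OR(a, b))), holds(alternating, OR(G(a), G(b))))
    # Problem 2(d): search finds a trace such as phi only at step 0, psi never.
    phi, psi = AP('phi'), AP('psi')
    print(find_distinguishing(IMPLIES(G(F(phi)), G(F(psi))),
                              G(IMPLIES(phi, F(psi))), ('phi', 'psi')))
```

Each `holds` call re-evaluates subformulae, which is fine for traces of a few positions; for larger lassos one would memoise on (subformula, position) after normalising positions beyond the horizon back into the loop.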
5. (40 points)
We want to compare LTL and CTL, to see whether properties stated in one logic could also
be expressed in the other logic. To do this, we need to compare LTL and CTL formulae. If
φ1 is an LTL formula and φ2 is a CTL formula, we need to define what it means for the two
to be equivalent, since they don’t have the same types of models (φ1 is satisfied by traces,
whereas φ2 is satisfied by states of transition systems). However, we know what it means for
a transition system to satisfy an LTL formula as well as a CTL formula. Therefore, we will
say that φ1 and φ2 are equivalent iff they are satisfied by exactly the same set of transition
systems.
(a) Consider the LTL formula FGp and the CTL formula AFAGp. Are the two formulas
equivalent?
Solution
They are not equivalent: consider transition system M with three states, s0 , s1 , s2 , s0
being the initial state, and transitions s0 → s1 , s1 → s2 , s0 → s0 (self-loop) and
s2 → s2 (self-loop). Let p hold at s0 , s2 but not at s1 . Then M |= FGp because every
infinite path in M either always stays at s0 (where p holds) or eventually moves to s2
(where again p holds) and stays there forever after. But M does not satisfy AFAGp.
To see why, observe that neither s0 nor s1 satisfy AGp, because from both there is a
reachable state (s1 ) where p does not hold. Letting ψ := AGp, we then see that s0 does
not satisfy AFψ, because the path that always stays in s0 does not satisfy Fψ.
In fact, there is no equivalent CTL formula for FGp. This is left without proof.
(b) Is the CTL formula (AGp) ∨ (AGq) equivalent to (Gp) ∨ (Gq)?
Solution
(AGp) ∨ (AGq) and (Gp) ∨ (Gq) are not equivalent. For instance, consider transition
system M with three states, s0 , s1 , s2 , s0 being the initial state, and transitions s0 → s1 ,
s0 → s2 , s1 → s1 , and s2 → s2 . At s0 both p, q hold. At s1 only p holds. At s2 only q
holds. Then M |= (Gp) ∨ (Gq). But M does not satisfy AGp, neither AGq.
(c) Consider the CTL formula AFp, where p is an atomic proposition. Is there an equivalent
LTL formula?
Solution
Yes: Fp. A transition system satisfies AFp iff every initial state satisfies AFp, i.e. iff
every path starting at an initial state satisfies Fp, which is exactly what it means for the
system to satisfy the LTL formula Fp.
6. (30 points)
Consider the CTL formula EFp, where p is an atomic proposition.
(a) Is there an equivalent LTL formula? Justify your answer.
Solution
There is no equivalent LTL formula for EFp. Satisfaction of an LTL formula by a transition
system depends only on the set of traces of the system: M |= φ iff every trace of M satisfies
φ, so if M |= φ and every trace of M' is also a trace of M, then M' |= φ as well. EFp does
not have this property. Consider M with initial state s0, further states s1, s2, transitions
s0 → s1, s0 → s2, s1 → s1, s2 → s2, and p holding only at s2, and let M' be M with s2
and the transition s0 → s2 removed. Every trace of M' is a trace of M, and M |= EFp since
s2 is reachable, but M' does not satisfy EFp since p never holds in M'. If some LTL formula
φ were equivalent to EFp, then M |= φ would imply M' |= φ, i.e. M' |= EFp, a contradiction.
(b) Suppose you want to check whether a given transition system M satisfies the CTL formula EFp. You only have a model-checker that can check LTL formulas, but not CTL
formulas. Even if the answer to (a) is there is no equivalent LTL formula can you still
use your LTL model-checker to check the above CTL formula? How?
Solution
Although there is no equivalent LTL formula, we can check the negation of the CTL
formula EFp, i.e., ¬EFp, which is equivalent to AG¬p. This has an equivalent LTL
formula G¬p and thus can be checked by the LTL model checker. If G¬p is verified, the
original formula EFp is false. If a counterexample is found, it is a path from an initial
state to a state where p holds, so the original formula EFp is true, with the counterexample
serving as the witness.
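The arguments in Problems 5 and 6 can be checked mechanically on the small transition systems involved. The following Python program is an added example, not part of the original homework: it implements explicit-state CTL model checking by fixpoint labelling (the standard algorithm, with EF as a least and EG as a greatest fixpoint and the A-operators obtained by duality) together with a breadth-first search that produces the witness path of part 6(b). The `Kripke` class and the names `sat`, `models`, `witness_path`, `M5A`, `M5B`, `M6` and `M6_SUB` are chosen here; `M5A` and `M5B` are the systems from the solutions to 5(a) and 5(b), while `M6` and `M6_SUB` are a constructed pair of systems, the second a sub-system of the first, for the trace-inclusion argument of 6(a).

```python
# Added example (not from the homework): CTL model checking by fixpoint labelling.
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple


class Kripke:
    def __init__(self, states: Iterable[str], init: Iterable[str],
                 trans: Iterable[Tuple[str, str]], label: Dict[str, Iterable[str]]):
        self.states: Set[str] = set(states)
        self.init: Set[str] = set(init)
        self.succ: Dict[str, Set[str]] = {s: set() for s in self.states}
        for s, t in trans:
            self.succ[s].add(t)
        self.label = {s: frozenset(label.get(s, ())) for s in self.states}
        # Path semantics assume a total transition relation (no deadlocks).
        assert all(self.succ[s] for s in self.states), 'every state needs a successor'

    def pre(self, targets: Set[str]) -> Set[str]:
        """States with at least one successor in `targets` (this is EX)."""
        return {s for s in self.states if self.succ[s] & targets}


def sat(m: Kripke, phi) -> Set[str]:
    """Set of states of m satisfying the CTL formula phi (tuple AST)."""
    op = phi[0]
    if op == 'true':
        return set(m.states)
    if op == 'ap':
        return {s for s in m.states if phi[1] in m.label[s]}
    if op == 'not':
        return m.states - sat(m, phi[1])
    if op == 'and':
        return sat(m, phi[1]) & sat(m, phi[2])
    if op == 'or':
        return sat(m, phi[1]) | sat(m, phi[2])
    if op == 'EX':
        return m.pre(sat(m, phi[1]))
    if op == 'EU':  # least fixpoint  Z = g | (f & EX Z), starting from g
        f, g = sat(m, phi[1]), sat(m, phi[2])
        z: Set[str] = set(g)
        while True:
            nxt = z | (f & m.pre(z))
            if nxt == z:
                return z
            z = nxt
    if op == 'EG':  # greatest fixpoint  Z = f & EX Z, starting from f
        z = sat(m, phi[1])
        while True:
            nxt = z & m.pre(z)
            if nxt == z:
                return z
            z = nxt
    if op == 'EF':
        return sat(m, ('EU', ('true',), phi[1]))
    if op == 'AG':  # AG f == not EF not f
        return sat(m, ('not', ('EF', ('not', phi[1]))))
    if op == 'AF':  # AF f == not EG not f
        return sat(m, ('not', ('EG', ('not', phi[1]))))
    raise ValueError(f'unknown operator {op!r}')


def models(m: Kripke, phi) -> bool:
    """M |= phi iff every initial state satisfies phi."""
    return m.init <= sat(m, phi)


def witness_path(m: Kripke, targets: Set[str]) -> Optional[List[str]]:
    """Shortest path from an initial state into `targets`, by BFS.

    With targets = sat(m, p) this is the finite prefix an LTL model checker
    reports as a counterexample to G not p, and at the same time a witness
    for EF p (part 6(b)). None means no target state is reachable.
    """
    parent: Dict[str, Optional[str]] = {}
    queue = deque()
    for s in sorted(m.init):
        parent[s] = None
        queue.append(s)
    while queue:
        s = queue.popleft()
        if s in targets:
            path: List[str] = []
            cur: Optional[str] = s
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for t in sorted(m.succ[s]):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


P = ('ap', 'p')
Q = ('ap', 'q')

# Problem 5(a): the system from the solution text (p at s0 and s2).
M5A = Kripke(['s0', 's1', 's2'], ['s0'],
             [('s0', 's1'), ('s1', 's2'), ('s0', 's0'), ('s2', 's2')],
             {'s0': ['p'], 's2': ['p']})
# Problem 5(b): the system from the solution text.
M5B = Kripke(['s0', 's1', 's2'], ['s0'],
             [('s0', 's1'), ('s0', 's2'), ('s1', 's1'), ('s2', 's2')],
             {'s0': ['p', 'q'], 's1': ['p'], 's2': ['q']})
# Problem 6: constructed system with p reachable on one branch only, and the
# sub-system obtained by removing that branch (its traces are traces of M6).
M6 = Kripke(['s0', 's1', 's2'], ['s0'],
            [('s0', 's1'), ('s0', 's2'), ('s1', 's1'), ('s2', 's2')],
            {'s2': ['p']})
M6_SUB = Kripke(['s0', 's1'], ['s0'], [('s0', 's1'), ('s1', 's1')], {})
```

Running `models(M5A, ('AF', ('AG', P)))` reproduces the 5(a) argument: `sat(M5A, ('AG', P))` is `{'s2'}` only, and the self-loop on s0 keeps s0 out of `AF` of that set. On `M6` and `M6_SUB`, `EF p` holds in the first and fails in the second although the second has fewer traces, which is what rules out an LTL equivalent in 6(a).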
7. (15 points)
Express the following two statements in first-order logic:
(a) There is someone who loves everyone.
Solution
∃x : ∀y : Loves(x, y)
(b) There is someone whom no one loves.
Solution
∃x : ∀y : ¬Loves(y, x)
Are the two statements consistent with each other? (I.e., is their conjunction satisfiable?)
Solution
The conjunction of the above formulas is not satisfiable. Suppose it is. Let a satisfy ∀y :
Loves(a, y) and let b satisfy ∀y : ¬Loves(y, b). Then after setting y := b to the first, we get
Loves(a, b). After setting y := a to the second, we get ¬Loves(a, b). Contradiction.
8. (40 points)
For each of the logic formulas below:
(a) Explain whether they are valid, unsatisfiable, or neither (i.e., satisfiable but not valid).
(b) If they are propositional logic formulas, put them in CNF (conjunctive normal form).
(c) If they are first-order logic formulas, put them in prenex normal form.
Here are the formulas:
(a) ¬(p ∧ q) ↔ (¬p ∨ ¬q)
Solution
Valid (de Morgan’s law). CNF: true (or p ∨ ¬p).
(b) (a ∨ b) ∧ (¬a ∨ c) ∧ ¬(b ∨ c)
Solution
Unsatisfiable: resolving the first two clauses gives b ∨ c, which contradicts the third
conjunct ¬(b ∨ c) = ¬b ∧ ¬c. A CNF is (a ∨ b) ∧ (¬a ∨ c) ∧ ¬b ∧ ¬c; since the formula is
unsatisfiable it is also equivalent to false (or a ∧ ¬a).
(c) (p → (q → r)) ↔ ((p ∧ q) → r)
Solution
Valid. CNF: true.
(d) (p → q) → (p ∨ q)
Solution
Satisfiable but not valid. E.g., p = q = 1 makes it true but p = q = 0 makes it false.
CNF: ¬(p → q) ∨ p ∨ q
⇐⇒
(p ∧ ¬q) ∨ p ∨ q
⇐⇒
p ∨ q,
since p ∧ ¬q implies p and is therefore absorbed by the disjunct p.
(e) (∀x : ∃y : P (x, y)) → (∃y : ∀x : P (x, y))
Solution
Satisfiable but not valid. E.g., P (a, a) makes it true when a is the only element, and
P (a, a), P (b, b), ¬P (a, b), ¬P (b, a) makes it false.
PNF:
i. Convert to NNF:
¬(∀x : ∃y : P (x, y))∨(∃y : ∀x : P (x, y)) ⇐⇒ (∃x : ∀y : ¬P (x, y))∨(∃y : ∀x : P (x, y))
ii. Rename:
(∃x : ∀y : ¬P (x, y)) ∨ (∃z : ∀w : P (w, z))
iii. PNF:
∃x : ∀y : ∃z : ∀w : ¬P (x, y) ∨ P (w, z)
(f) (∀x : ∀y : P (x, y)) ↔ (∀y : ∀x : P (x, y))
Solution
Valid. PNF: true.
(g) (∀x : P (x)) → (∃x : P (x))
Solution
Valid under the standard semantics of first-order logic, which assumes a non-empty domain:
if ∀x : P (x) holds, pick any element d of the domain; then P (d) holds, so ∃x : P (x) holds.
The formula fails only if the empty domain is admitted (the antecedent is then vacuously
true and the consequent false), so under a semantics that allows empty domains it is
satisfiable but not valid.
PNF:
i. Convert to NNF:
¬(∀x : P (x)) ∨ (∃x : P (x)) ⇐⇒ (∃x : ¬P (x)) ∨ (∃x : P (x))
ii. Rename:
(∃x : ¬P (x)) ∨ (∃y : P (y))
iii. PNF:
∃x : ∃y : ¬P (x) ∨ P (y)
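The validity claims in Problem 8 can be verified exhaustively: propositional formulae by their truth table, first-order formulae by enumerating every interpretation of the predicates on small finite domains. The following Python program is an added example, not part of the original homework; the tuple encodings and the names `peval`, `classify`, `equivalent`, `feval` and `countermodel` are chosen here. The `countermodel` search takes the minimum domain size as a parameter, which makes the point of 8(g) visible: with the usual non-empty domains no counter-model exists, and admitting the empty domain produces one.

```python
# Added example (not from the homework): validity by exhaustive evaluation.
from itertools import product
from typing import Dict, FrozenSet, Optional, Tuple

# ---------- propositional logic: ('var', name) leaves ----------

def peval(phi, env: Dict[str, bool]) -> bool:
    op = phi[0]
    if op == 'var':
        return env[phi[1]]
    if op == 'not':
        return not peval(phi[1], env)
    if op == 'and':
        return peval(phi[1], env) and peval(phi[2], env)
    if op == 'or':
        return peval(phi[1], env) or peval(phi[2], env)
    if op == 'implies':
        return (not peval(phi[1], env)) or peval(phi[2], env)
    if op == 'iff':
        return peval(phi[1], env) == peval(phi[2], env)
    raise ValueError(op)


def pvars(phi) -> set:
    if phi[0] == 'var':
        return {phi[1]}
    return set().union(*(pvars(sub) for sub in phi[1:]))


def classify(phi) -> str:
    """'valid', 'unsatisfiable', or 'satisfiable but not valid' (full truth table)."""
    vs = sorted(pvars(phi))
    rows = [peval(phi, dict(zip(vs, bits)))
            for bits in product((False, True), repeat=len(vs))]
    if all(rows):
        return 'valid'
    if not any(rows):
        return 'unsatisfiable'
    return 'satisfiable but not valid'


def equivalent(phi, psi) -> bool:
    """Same truth table, e.g. to confirm a hand-derived CNF."""
    return classify(('iff', phi, psi)) == 'valid'


# ---------- first-order logic on finite domains: ('pred', 'P', ('x', 'y')) ----------

def feval(phi, domain, interp: Dict[str, FrozenSet[tuple]], env: Dict[str, int]) -> bool:
    op = phi[0]
    if op == 'pred':
        return tuple(env[v] for v in phi[2]) in interp[phi[1]]
    if op == 'not':
        return not feval(phi[1], domain, interp, env)
    if op == 'and':
        return feval(phi[1], domain, interp, env) and feval(phi[2], domain, interp, env)
    if op == 'or':
        return feval(phi[1], domain, interp, env) or feval(phi[2], domain, interp, env)
    if op == 'implies':
        return (not feval(phi[1], domain, interp, env)) or feval(phi[2], domain, interp, env)
    if op == 'iff':
        return feval(phi[1], domain, interp, env) == feval(phi[2], domain, interp, env)
    if op == 'forall':  # vacuously true on the empty domain
        return all(feval(phi[2], domain, interp, {**env, phi[1]: d}) for d in domain)
    if op == 'exists':  # false on the empty domain
        return any(feval(phi[2], domain, interp, {**env, phi[1]: d}) for d in domain)
    raise ValueError(op)


def predicates(phi) -> Dict[str, int]:
    """Predicate symbols of phi with their arities."""
    if phi[0] == 'pred':
        return {phi[1]: len(phi[2])}
    if phi[0] in ('forall', 'exists'):
        return predicates(phi[2])
    out: Dict[str, int] = {}
    for sub in phi[1:]:
        out.update(predicates(sub))
    return out


def countermodel(phi, max_size: int, min_size: int = 1) -> Optional[Tuple[int, dict]]:
    """(domain size, interpretation) falsifying phi on the smallest domain in
    [min_size, max_size], or None. min_size=1 is the usual non-empty-domain
    convention; min_size=0 also tries the empty domain."""
    for n in range(min_size, max_size + 1):
        domain = range(n)
        choices = []
        for name, arity in sorted(predicates(phi).items()):
            tuples = list(product(domain, repeat=arity))
            choices.append([(name, frozenset(t for t, bit in zip(tuples, bits) if bit))
                            for bits in product((0, 1), repeat=len(tuples))])
        for combo in product(*choices):
            interp = dict(combo)
            if not feval(phi, domain, interp, {}):
                return n, interp
    return None


# Formulas 8(a)-(d) and 8(e), 8(g) in the encodings above.
p, q, r = ('var', 'p'), ('var', 'q'), ('var', 'r')
a, b, c = ('var', 'a'), ('var', 'b'), ('var', 'c')
F8A = ('iff', ('not', ('and', p, q)), ('or', ('not', p), ('not', q)))
F8B = ('and', ('and', ('or', a, b), ('or', ('not', a), c)), ('not', ('or', b, c)))
F8C = ('iff', ('implies', p, ('implies', q, r)), ('implies', ('and', p, q), r))
F8D = ('implies', ('implies', p, q), ('or', p, q))
PXY = ('pred', 'P', ('x', 'y'))
F8E = ('implies', ('forall', 'x', ('exists', 'y', PXY)), ('exists', 'y', ('forall', 'x', PXY)))
F8G = ('implies', ('forall', 'x', ('pred', 'P', ('x',))), ('exists', 'x', ('pred', 'P', ('x',))))
```

For 8(e) the search finds no counter-model on a one-element domain and one on a two-element domain (the first relation enumerated that hits every row but fills no column); for 8(g) `countermodel(F8G, 3)` is `None`, while `countermodel(F8G, 3, min_size=0)` returns the empty domain with the empty relation.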