Robust Linear Temporal Logic

Paulo Tabuada (1) and Daniel Neider (1,2)
(1) University of California, Los Angeles
(2) RWTH Aachen University

25th EACSL Annual Conference on Computer Science Logic
Marseille, France, 29 September 2016
Motivation

    ϕ  ⇒  ψ
    (environment assumption)  ⇒  (system guarantee)

Desired notion of robustness (from Wikipedia on fault tolerance):
"[...] If its operating quality decreases at all, the decrease is proportional to the severity of the failure, as compared to a naively designed system in which even a small failure can cause total breakdown. [...]"

Goal: develop a semantics for LTL capturing "robustness"
- Here: only the fragment LTL(□, ◇); full LTL on arXiv

Design goals
1. Robustness should be internal to the logic
2. Familiarity with LTL should be the only prerequisite

Paulo Tabuada and Daniel Neider: Robust LTL
Linear Temporal Logic

Syntax of LTL(□, ◇)
Let P be a (finite, nonempty) set of atomic propositions.
- Each p ∈ P is an LTL(□, ◇) formula; and
- if ϕ, ψ are LTL(□, ◇) formulas, so are ¬ϕ, ϕ ∨ ψ, □ϕ, and ◇ϕ.

Semantics of LTL(□, ◇) is a function $W : \Phi_{LTL(\Box,\Diamond)} \times (2^P)^\omega \to \mathbb{B}$, inductively defined by
$$W(p, \sigma) = \begin{cases} 1 & \text{if } p \in \sigma(0) \\ 0 & \text{if } p \notin \sigma(0) \end{cases}$$
$$W(\neg\varphi, \sigma) = 1 - W(\varphi, \sigma)$$
$$W(\varphi \vee \psi, \sigma) = \max\{W(\varphi, \sigma),\, W(\psi, \sigma)\}$$
$$W(\Box\varphi, \sigma) = \inf_{i \ge 0}\, W(\varphi, \sigma_{i..})$$
$$W(\Diamond\varphi, \sigma) = \sup_{i \ge 0}\, W(\varphi, \sigma_{i..})$$
Here σ_{i..} denotes the suffix of σ starting at position i.

The Boolean connectives read as min/max (truth table from the slide):
    a  b | a ∨ b = max{a, b} | a ∧ b = min{a, b}
    0  0 |         0         |         0
    0  1 |         1         |         0
    1  0 |         1         |         0
    1  1 |         1         |         1
Different Shades of False

Consider the specification □p ⇒ □q. How can □p be violated?

Weakening □p step by step (the slide illustrates each case with a sample trace of p / ¬p):
    □p     (p holds at every position)        (1, 1, 1, 1)   true
    ◇□p    (p fails only finitely often)      (0, 1, 1, 1)
    □◇p    (p holds infinitely often)         (0, 0, 1, 1)
    ◇p     (p holds at least once)            (0, 0, 0, 1)
    p never holds                             (0, 0, 0, 0)   false

The three intermediate vectors are the "shades of false"; together with true and false they form the set B4.
A Da Costa Algebra over B4

Elements of B4 are ordered:
    (0, 0, 0, 0) < (0, 0, 0, 1) < (0, 0, 1, 1) < (0, 1, 1, 1) < (1, 1, 1, 1)

We introduce the following four operations:
- a ⊓ b = min{a, b}
- a ⊔ b = max{a, b}
- negation: $\overline{a} = \begin{cases} (0,0,0,0) & \text{if } a = (1,1,1,1) \\ (1,1,1,1) & \text{otherwise} \end{cases}$
  i.e. (1,1,1,1) ↦ (0,0,0,0), and each of (0,1,1,1), (0,0,1,1), (0,0,0,1), (0,0,0,0) ↦ (1,1,1,1)
- implication: $a \to b = \begin{cases} (1,1,1,1) & \text{if } a \le b \\ b & \text{otherwise} \end{cases}$

The structure (B4, <, ⊓, ⊔, ¯, →) is a so-called da Costa algebra.
Robust Semantics

We use new symbols ⊡ and ⟐ (robust always, robust eventually) and call this "logic" rLTL.

The semantics of rLTL(⊡, ⟐) is a function $V : \Phi_{rLTL(⊡,⟐)} \times (2^P)^\omega \to B_4$, inductively defined by
- V(p, σ) = (1, 1, 1, 1) if p ∈ σ(0), and (0, 0, 0, 0) otherwise
- V(ϕ ∧ ψ, σ) = V(ϕ, σ) ⊓ V(ψ, σ)
- V(ϕ ∨ ψ, σ) = V(ϕ, σ) ⊔ V(ψ, σ)
- V(¬ϕ, σ) = $\overline{V(\varphi, \sigma)}$
- V(ϕ ⇒ ψ, σ) = V(ϕ, σ) → V(ψ, σ)
- V(⊡ϕ, σ) = (□ϕ1, ◇□ϕ2, □◇ϕ3, ◇ϕ4)
- V(⟐ϕ, σ) = (◇ϕ1, ◇ϕ2, ◇ϕ3, ◇ϕ4)

where ϕj stands for the j-th component of V(ϕ, ·) evaluated along the suffixes of σ, that is
$$V(⊡\varphi, \sigma) = \Big(\inf_{i\ge 0} V_1(\varphi,\sigma_{i..}),\ \sup_{i\ge 0}\inf_{j\ge i} V_2(\varphi,\sigma_{j..}),\ \inf_{i\ge 0}\sup_{j\ge i} V_3(\varphi,\sigma_{j..}),\ \sup_{i\ge 0} V_4(\varphi,\sigma_{i..})\Big)$$
For an atomic proposition, V(⊡p, σ) = (□p, ◇□p, □◇p, ◇p) is exactly the list of shades from the previous slide.

Illustration from the slide: if V(ϕ, σ_{i..}) takes the values (0,1,1,1), (0,0,1,1), (0,0,1,1), ... at σ(0), σ(1), σ(2), ... (staying (0,0,1,1) from position 1 on), the component sequences are
    ϕ1: 0 0 0 ...    ϕ2: 1 0 0 ...    ϕ3: 1 1 1 ...    ϕ4: 1 1 1 ...
so □ϕ1 = 0, ◇□ϕ2 = 0, □◇ϕ3 = 1, ◇ϕ4 = 1, and V(⊡ϕ, σ) = (0, 0, 1, 1).
Example

Consider ⊡p ⇒ ⊡q. Recall: a → b = (1, 1, 1, 1) if a ≤ b, and b otherwise.

Assume V(⊡p ⇒ ⊡q, σ) = (1, 1, 1, 1):
- If □p holds, then ⊡p evaluates to (1, 1, 1, 1). Hence ⊡q has to evaluate to (1, 1, 1, 1), which means that □q holds.
- If ◇□p holds (and □p does not), then ⊡p evaluates to (0, 1, 1, 1). Hence ⊡q has to evaluate to (0, 1, 1, 1) or higher, which implies that ◇□q holds.
- Similarly, □◇p implies □◇q, and ◇p implies ◇q.

Assume V(⊡p ⇒ ⊡q, σ) < (1, 1, 1, 1):
- If V(⊡p ⇒ ⊡q, σ) = b < (1, 1, 1, 1), then V(⊡q, σ) = b and V(⊡p, σ) > b.
- Thus the value V(⊡p ⇒ ⊡q, σ) describes which weakened guarantee follows from the environment assumption whenever the intended system guarantee does not follow.
Expressiveness

Theorem. LTL(□, ◇) and rLTL(⊡, ⟐) are equally expressive:
- Given an LTL(□, ◇) formula ψ, one can construct an rLTL(⊡, ⟐) formula ϕ such that for σ ∈ (2^P)^ω
      V(ϕ, σ) = (1, 1, 1, 1) if and only if W(ψ, σ) = 1
- Given an rLTL(⊡, ⟐) formula ϕ and b ∈ B4, one can construct an LTL(□, ◇) formula ψ such that for σ ∈ (2^P)^ω
      V(ϕ, σ) = b if and only if W(ψ, σ) = 1

However, $|\psi| \in O(c^{|\varphi|})$ for a suitable c ≥ 4.
Complexity Results

Theorem. Given an rLTL(⊡, ⟐) formula ϕ and a set B ⊆ B4, one can construct a generalized Büchi automaton $A^B_\varphi$ such that for all σ ∈ (2^P)^ω
      V(ϕ, σ) ∈ B if and only if σ ∈ L($A^B_\varphi$).
$A^B_\varphi$ comprises $O(5^{|\varphi|})$ states and at most 4·|ϕ| acceptance sets.

    Time complexity   | rLTL(⊡, ⟐)           | LTL
    Model checking    | $5^{|\varphi|}$      | $2^{|\varphi|}$
    Synthesis         | $2^{5^{|\varphi|}}$  | $2^{2^{|\varphi|}}$
Quality

Consider the formula □p ⇒ □q. We prefer
    □¬q ≺ ◇q ≺ □◇q ≺ ◇□q ≺ □q
    (0, 0, 0, 0) < (0, 0, 0, 1) < (0, 0, 1, 1) < (0, 1, 1, 1) < (1, 1, 1, 1)
       False       |              Shades of true                           |

With the negation $\neg a = \begin{cases} (1,1,1,1) & \text{if } a = (0,0,0,0) \\ (0,0,0,0) & \text{otherwise} \end{cases}$ only (0,0,0,0) counts as false. An algebra with this negation is called a Heyting algebra.
Conclusion

Summary
- We introduced a semantics for LTL capturing robustness
- We demonstrated how to leverage the existing wealth of techniques for LTL

Get the full paper from arXiv!

Future Work
- Address the "problem" of operators that work differently from classical logics (e.g., ¬¬ϕ ≠ ϕ)
- Can we improve on the size of $A^B_\varphi$?
- Do (complexity) results for LTL fragments carry over (e.g., GR(1))?
From rLTL to LTL

Construct for an rLTL(⊡, ⟐) (sub-)formula ϕ four LTL(□, ◇) formulas $\psi^1_\varphi, \psi^2_\varphi, \psi^3_\varphi, \psi^4_\varphi$ such that for σ ∈ (2^P)^ω and j ∈ {1, ..., 4}
    $V_j(\varphi, \sigma) = 1$ if and only if $\sigma \models \psi^j_\varphi$

1. If ϕ = p, then $\psi^j_\varphi := p$
2. If ϕ = ϕ1 ∧ ϕ2, then $\psi^j_\varphi := \psi^j_{\varphi_1} \wedge \psi^j_{\varphi_2}$
3. If ϕ = ϕ1 ∨ ϕ2, then $\psi^j_\varphi := \psi^j_{\varphi_1} \vee \psi^j_{\varphi_2}$
4. If ϕ = ⟐ϕ', then $\psi^j_\varphi := \Diamond\psi^j_{\varphi'}$
5. If ϕ = ⊡ϕ', then $\psi^1_\varphi := \Box\psi^1_{\varphi'}$, $\psi^2_\varphi := \Diamond\Box\psi^2_{\varphi'}$, $\psi^3_\varphi := \Box\Diamond\psi^3_{\varphi'}$, $\psi^4_\varphi := \Diamond\psi^4_{\varphi'}$
6. If ϕ = ¬ϕ', then $\psi^j_\varphi := \neg(\psi^1_{\varphi'} \wedge \psi^2_{\varphi'} \wedge \psi^3_{\varphi'} \wedge \psi^4_{\varphi'})$
7. If ϕ = ϕ1 ⇒ ϕ2, then $\psi^j_\varphi := \Big(\bigvee_{k=1,\dots,4} \psi^k_{\varphi_1} \wedge \neg\psi^k_{\varphi_2}\Big) \Rightarrow \psi^j_{\varphi_2}$
   (the disjunction says V(ϕ1, σ) > V(ϕ2, σ), the only case in which a → b is not (1, 1, 1, 1))

Note: $|\psi^j_\varphi| \in O(c^{|\varphi|})$ for a suitable c ≥ 4
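Worked example, added here and not code from the slides or from the authors: a small Python evaluator for the LTL semantics W (slide 2), the da Costa algebra on B4 (slide 4) and the robust semantics V (slide 5), together with the rLTL-to-LTL translation of this slide, cross-checked against V component by component. Infinite words are represented as lassos (a finite prefix followed by a loop repeated forever), an assumption made here so that the inf/sup over all suffixes become finite min/max; the tuple encoding of formulas, the constructor names (G for □/⊡, F for ◇/⟐) and the sample words are this example's own choices, not notation from the paper.

```python
# Added example (not from the slides): rLTL(⊡,⟐) semantics over B4 on lasso words,
# plus the rLTL-to-LTL translation (psi^1..psi^4) checked against V.
# Formulas are nested tuples; the same tree is read with the classical semantics W
# and the robust semantics V. "G" is □ (resp. ⊡), "F" is ◇ (resp. ⟐).

TOP, BOT = (1, 1, 1, 1), (0, 0, 0, 0)   # B4 is the chain 0000 < 0001 < 0011 < 0111 < 1111
E, Pp, Qq, PQ = frozenset(), frozenset("p"), frozenset("q"), frozenset("pq")  # letters in 2^P

def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g): return ("or", f, g)
def Imp(f, g): return ("imp", f, g)
def G(f): return ("G", f)
def F(f): return ("F", f)
P, Q = ("p", "p"), ("p", "q")

# A word is (prefix, loop) (assumption of this example): a finite prefix followed by a
# loop repeated forever. Every suffix has the same shape, and only len(prefix)+len(loop)
# suffixes are distinct, so inf/sup over i >= 0 become min/max over that finite list.
def suffix(word, i):
    prefix, loop = word
    if i < len(prefix):
        return (prefix[i:], loop)
    k = (i - len(prefix)) % len(loop)
    return ((), loop[k:] + loop[:k])

def suffixes(word):
    return [suffix(word, i) for i in range(len(word[0]) + len(word[1]))]

def letter0(word):                       # the letter sigma(0)
    prefix, loop = word
    return prefix[0] if prefix else loop[0]

def W(f, word):
    """Classical LTL(□,◇) semantics (slide 2): a value in {0, 1}."""
    op = f[0]
    if op == "p":   return 1 if f[1] in letter0(word) else 0
    if op == "not": return 1 - W(f[1], word)
    if op == "and": return min(W(f[1], word), W(f[2], word))
    if op == "or":  return max(W(f[1], word), W(f[2], word))
    if op == "imp": return max(1 - W(f[1], word), W(f[2], word))
    vals = [W(f[1], s) for s in suffixes(word)]
    return min(vals) if op == "G" else max(vals)

def V(f, word):
    """Robust semantics (slide 5) in the da Costa algebra on B4 (slide 4)."""
    op = f[0]
    if op == "p":   return TOP if f[1] in letter0(word) else BOT
    if op == "not": return BOT if V(f[1], word) == TOP else TOP
    if op == "and": return min(V(f[1], word), V(f[2], word))  # tuple order is the chain order
    if op == "or":  return max(V(f[1], word), V(f[2], word))
    if op == "imp":
        a, b = V(f[1], word), V(f[2], word)
        return TOP if a <= b else b
    n = len(word[0])
    cols = list(zip(*[V(f[1], s) for s in suffixes(word)]))  # cols[j]: j-th component along the word
    if op == "F":                                            # ⟐: ◇ applied to every component
        return tuple(max(c) for c in cols)
    # ⊡: (□ϕ1, ◇□ϕ2, □◇ϕ3, ◇ϕ4). On a lasso word, ◇□ holds iff every loop
    # position does, and □◇ holds iff some loop position does.
    return (min(cols[0]), min(cols[1][n:]), max(cols[2][n:]), max(cols[3]))

def to_ltl(f):
    """Slide 11: LTL formulas psi^1..psi^4 with W(psi^j, w) = V(f, w)[j-1]."""
    op = f[0]
    if op == "p":   return [f] * 4
    if op == "and": return [And(a, b) for a, b in zip(to_ltl(f[1]), to_ltl(f[2]))]
    if op == "or":  return [Or(a, b) for a, b in zip(to_ltl(f[1]), to_ltl(f[2]))]
    if op == "F":   return [F(a) for a in to_ltl(f[1])]
    if op == "G":
        a1, a2, a3, a4 = to_ltl(f[1])
        return [G(a1), F(G(a2)), G(F(a3)), F(a4)]
    if op == "not":
        a1, a2, a3, a4 = to_ltl(f[1])
        return [Not(And(And(a1, a2), And(a3, a4)))] * 4
    l, r = to_ltl(f[1]), to_ltl(f[2])           # implication: (V(f1) > V(f2)) ⇒ psi^j of f2
    worse = Or(Or(And(l[0], Not(r[0])), And(l[1], Not(r[1]))),
               Or(And(l[2], Not(r[2])), And(l[3], Not(r[3]))))
    return [Imp(worse, r[j]) for j in range(4)]

def translation_agrees(f, word):
    return all(W(psi, word) == V(f, word)[j] for j, psi in enumerate(to_ltl(f)))

# Constructed sample words realising the five shades of ⊡p from slide 3.
SHADES = {
    "always p":          ((), (Pp,)),
    "eventually always": ((E,), (Pp,)),
    "always eventually": ((), (Pp, E)),
    "eventually":        ((Pp,), (E,)),
    "never":             ((), (E,)),
}

def shades_of_box_p():
    return {name: V(G(P), w) for name, w in SHADES.items()}

if __name__ == "__main__":
    for name, value in shades_of_box_p().items():
        print(f"{name:18s} V(⊡p) = {value}")
    # Slide 6: ◇□p holds but □p does not; □◇q holds but ◇□q does not.
    print("V(⊡p ⇒ ⊡q) =", V(Imp(G(P), G(Q)), ((E,), (PQ, Pp))))
```

The five sample words give V(⊡p) the five values of B4 in the order of slide 3; the word ((E,), (PQ, Pp)) is the slide 6 situation in which only the weakened guarantee □◇q follows, so V(⊡p ⇒ ⊡q) = (0, 0, 1, 1); and translation_agrees evaluates ψ^1..ψ^4 with W and compares them to the components of V, which also exercises the implication rule 7 and the remark ¬¬ϕ ≠ ϕ from the conclusion (V(¬¬⊡p) is (0,0,0,0) on a word where V(⊡p) = (0,1,1,1)).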
From rLTL(⊡, ⟐) to Generalized Büchi Automata

Running example ϕ = ⊡(p ∨ q) on the word σ = {p} {q} ∅ {q} ∅ ... (the pattern {q} ∅ repeats):

                      LTL                              rLTL
    σ(i)     p   q   p∨q   □(p∨q)        p      q      p∨q    ⊡(p∨q)
    {p}      1   0    1      0          1111   0000   1111    0011
    {q}      0   1    1      0          0000   1111   1111    0011
    ∅        0   0    0      0          0000   0000   0000    0011
    {q}      0   1    1      0          0000   1111   1111    0011
    ∅        0   0    0      0          0000   0000   0000    0011
    ...

- States: valuations of subformulas
- Transitions: defined according to expansion rules
- Acceptance conditions: assert that an infinite run respects the temporal operators
Expansion Rule for ⊡

Recall: ⊡ϕ = (□ϕ1, ◇□ϕ2, □◇ϕ3, ◇ϕ4)

    □ϕ1   =  ϕ1   ∧  ○□ϕ1
    ◇□ϕ2  =  □ϕ1  ∨  ○◇□ϕ2
    □◇ϕ3  =  ◇ϕ4  ∧  ○□◇ϕ3
    ◇ϕ4   =  ϕ4   ∨  ○◇ϕ4

(○ is the next-time operator of the expansion.) The second and third rules use the components □ϕ1 and ◇ϕ4, which the automaton already tracks, instead of the extra subformulas □ϕ2 and ◇ϕ3 of the textbook expansion: ◇□ϕ2 = ○◇□ϕ2 and □ϕ1 ≤ ◇□ϕ2, and dually □◇ϕ3 = ○□◇ϕ3 and □◇ϕ3 ≤ ◇ϕ4, so both forms are equivalent; the acceptance sets then enforce the ◇□ and □◇ parts.
The automaton $A^B_\varphi$

[Figure: an initial state q_0 with ε-transitions to the states q_0000, q_0001, ..., q_1111 (one per value of the formula in B4); transitions are labelled with the valuation vectors of the subformulas (p, q, p ∨ q, ⊡(p ∨ q)), e.g. (1111, 0000, 1111, 0011) and (0000, 1111, 1111, 0011).]

Note: $A^B_\varphi$ has $5^{|\varphi|} + 6$ states