LTL Powerpoint

This document provides an introduction to Linear Temporal Logic (LTL). It discusses the basic intuition behind LTL by using an example program and atomic propositions. It then covers the syntax of LTL formulas including common operators like always, eventually, until. The semantics of LTL are defined in terms of labeled transition systems. Practical specification patterns and formula equivalence are also mentioned.


4507/6507 Software and Hardware Verification

Introduction to LTL

Andrei Popescu

University of Sheffield

These slides contain material from Denisa Diaconescu, Georg Struth and Traian Florin Șerbănuță
LTL

LTL = Linear(-time) Temporal Logic

Introduced into computer science by Amir Pnueli in 1977

A logic for reasoning about execution paths of systems

One of the most important logics for software and hardware verification
Overview

Syntax: LTL formulas

Semantics: labeled transition systems

Practical specification patterns

Formula equivalence

Basic Intuition

• Consider execution paths of a system into the future.
• Label states with atomic propositions p, q, r, . . . that hold along paths at various points in time.
• LTL formulas can express regular patterns about these propositions as execution proceeds.

    while (x < 3) {
      print("hello");
      if (x == 1) print("hi");
      if (x == 2) x = 0;
      else x++;
    }

Let p be "prints hello", q be "prints hi", r be "x is even". Say we start in a state where x is 0.

The execution path, with the value of x in each state and the atoms that hold there:

    x ← 0    x ← 1    x ← 2    x ← 0    x ← 1    . . .
    p, r     p, q     p, r     p, r     p, q

Always p holds. Always [p implies (q or r)].
Never (q and r) holds. Always eventually q holds.
Can you think of other
Syntax

Assume some set Atoms of atomic propositions (atoms for short), usually denoted p, q, r etc.

LTL formulas, usually denoted ϕ, ψ etc., are defined as follows:

ϕ ::= p | ¬ϕ | ϕ ∨ ψ | ϕ ∧ ψ | ϕ → ψ | ○ϕ | ♦ϕ | □ϕ | ϕ U ψ

Examples: □(p U (q U r))    □♦p

¬, ∨, ∧, → are propositional connectives: "not", "or", "and", "implies".
○, ♦, □, U are temporal connectives: "next", "eventually", "always", "until".

Pronunciation:
• ○ϕ – Next ϕ
• ♦ϕ – Eventually ϕ
• □ϕ – Always ϕ
• ϕ U ψ – ϕ Until ψ

The unary connectives ¬, ○, ♦, □ have higher precedence than the binary connectives ∧, ∨, →, U. E.g., □ϕ ∨ ψ is the same as (□ϕ) ∨ ψ.
Syntax – Examples and Non-Examples

The following are LTL formulas:
• (♦p ∧ □q) → (p U r)
• ♦(p → □r) ∨ (¬q U p)
• p U (q U r)
• □♦p → ♦(q ∨ s)

The following are not LTL formulas:
• U r
• q □ p

Exercise. 1. Give five more examples of correctly constructed formulas. Include a formula that contains five atoms p, q, r, u, v, and a formula that contains three occurrences of ♦, one occurrence of □ and two occurrences of U. Read aloud the formulas that you have constructed.
2. Give two examples of incorrectly constructed formulas that do not contain
Informal Semantics

We model time as the stream of natural numbers: 0, 1, 2, . . ..

We consider an infinite execution path, which at every point in time reaches a given state.
For every state on the path, we assume to know which atomic propositions are true in that state.
LTL formulas are evaluated along this path, looking into the future:
• An atomic proposition p holds if p is true at the current point in time.
• The propositional connectives ¬, ∨, ∧, → have their usual meanings, e.g., ϕ ∧ ψ holds if ϕ holds and ψ holds.
• Meaning of temporal connectives:
  • ○ϕ holds if ϕ holds next, i.e., at the next point in time.
  • ♦ϕ holds if ϕ holds eventually, i.e., now or at some future point in time.
  • □ϕ holds if ϕ holds always, i.e., now and at all future points in time.
  • ϕ U ψ holds if ϕ holds until ψ holds; i.e., ψ holds now or at some point in the future, and ϕ holds continuously until then.
Informal Semantics – Examples

We assume that enabled, read, write, etc. are all atoms.
By "further up in the future" we will mean "at the current time or later".

□enabled means:
enabled holds always, i.e., now and at all points in the future.
[Timeline diagram: s0 . . . s7]

□¬(read ∧ write) means:
Always (i.e., now and at all points in the future), it is not the case that read and write hold. In other words: It is never the case that read and write hold at the same time.
[Timeline diagram: s0 . . . s7]
Informal Semantics – Examples

□♦enabled means:
Always eventually enabled holds. In other words: Now and for all future points, there is a point further up in the future where enabled holds.
Another way to say this: enabled holds infinitely often.
[Timeline diagram: s0 . . . s7]

♦□enabled means:
Eventually always enabled holds. In other words: Starting now or from a future point, enabled will hold continuously for all points in the future.
[Timeline diagram: s0 . . . s7]
Informal Semantics – Examples

□(request → ♦grant) means:
Always [request implies eventually grant]. In other words: Always (i.e., now and at all points in the future), if request holds then eventually grant holds (i.e., there exists a point further up in the future where grant holds).
[Timeline diagram: s0 . . . s7]

(□request) → (♦grant) means:
[Always request] implies [eventually grant]. In other words: If request holds at all points in time, then grant holds at some point in time.
[Timeline diagram: s0 . . . s7]
Informal Semantics – Examples

□(request → (request U grant)) means:
Always, request implies [request until grant]. In other words: At every point in the future, if request holds then there exists a point further up in the future where grant holds, and request holds continuously until that point.
[Timeline diagram: s0 . . . s7]

Exercise. Consider the following LTL formulas:
(a) □(request U grant)
(b) □♦(request → grant)
(c) □♦request → □♦grant
(d) □♦□enabled
1. What is the correct way to parenthesize the point (c) formula, based on the operator precedence?
2. Depict graphically the meaning of these formulas. What is the difference between the point (d) formula and ♦□enabled?
Informal Semantics – Examples

Exercise (continued): the formulas (a)–(d) of the previous slide, to be depicted on the timeline below.
[Timeline diagram: s0 . . . s8]
Practical Specification Patterns

• A process is always active in its starting state:
  □(start → active)
• It is always the case that requests are eventually granted:
  □(request → ♦grant)
• A given process will be enabled infinitely often:
  □♦enabled
• If a process is enabled infinitely often, then it will run infinitely often:
  □♦enabled → □♦run
Practical Specification Patterns

• A process will never become permanently inactive:
  ¬♦□¬active
• It is always the case that, when a lift is at the 2nd floor, travels upwards and the 5th floor is requested, it will not change direction until the 5th floor is reached:
  □(@2 ∧ upgoing ∧ pressed5 → (upgoing U @5))
Formal Semantics

Let S be a set of states and L : S → P(Atoms) be a labeling function associating to each state s a set L(s) of all atoms that are true in that state.
Note: P(Atoms) is the powerset (i.e., set of all subsets) of Atoms.
Let π be an infinite sequence of states s0 s1 s2 . . .. We think of L(si) as the set of all atoms true at point i in time on π.
For each i, we write π^i for the i'th suffix of π, namely si si+1 si+2 . . .. E.g., π^1 is s1 s2 s3 . . . and π^2 is s2 s3 s4 . . .
For an LTL formula ϕ, we define π |=_L ϕ, read "π satisfies ϕ w.r.t. labeling L" or "ϕ holds for π w.r.t. labeling L", by structural recursion on ϕ:
π |=_L p iff p ∈ L(s0)
π |=_L ϕ ∧ ψ iff π |=_L ϕ and π |=_L ψ
π |=_L ϕ ∨ ψ iff π |=_L ϕ or π |=_L ψ
π |=_L ϕ → ψ iff π |=_L ϕ implies π |=_L ψ
Formal Semantics

π |=_L ○ϕ iff π^1 |=_L ϕ
π |=_L ♦ϕ iff there exists i ≥ 0 such that π^i |=_L ϕ
π |=_L □ϕ iff for all i ≥ 0 we have π^i |=_L ϕ
π |=_L ϕ U ψ iff there exists i ≥ 0 such that π^i |=_L ψ and for all j ∈ {0, . . . , i − 1} we have π^j |=_L ϕ

|= is called the satisfaction relation. It is a relation between formulas and infinite sequences of states in the presence of a state labeling with atom sets.
When the labeling L is fixed, we can write π |= ϕ instead of π |=_L ϕ.
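As an added example (not from the slides), here is the satisfaction relation above implemented in Python for ultimately periodic paths (a finite prefix followed by a loop repeated forever, the form in which a model checker stores an infinite path); it replays the while-loop from the Basic Intuition slide to build that program's path and checks the four properties stated there. The tuple encoding of formulas, the Lasso class and the horizon bound are this example's own conventions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# A formula is a nested tuple in the deck's syntax: ("atom", "p"), ("not", f),
# ("and"/"or"/"imp"/"until", f, g), ("next", f), ("ev", f), ("alw", f).
Labels = FrozenSet[str]


@dataclass(frozen=True)
class Lasso:
    """Infinite path s0 s1 s2 ... given as a finite prefix followed by a loop
    repeated forever; each element is L(s_i), the atoms true in that state."""
    prefix: Tuple[Labels, ...]
    loop: Tuple[Labels, ...]

    def labels(self, i: int) -> Labels:
        """L(s_i): the atoms true at point i in time."""
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def suffix(self, i: int) -> "Lasso":
        """pi^i, the i'th suffix s_i s_{i+1} ...; inside the loop, rotate it."""
        if i <= len(self.prefix):
            return Lasso(self.prefix[i:], self.loop)
        k = (i - len(self.prefix)) % len(self.loop)
        return Lasso((), self.loop[k:] + self.loop[:k])

    def horizon(self) -> int:
        """pi^i for i >= horizon repeats an earlier suffix, so the quantifiers
        over i >= 0 in the semantics only need to range over i < horizon."""
        return len(self.prefix) + len(self.loop)


def sat(path: Lasso, f: tuple) -> bool:
    """pi |= f, by structural recursion on f as in the formal semantics."""
    op = f[0]
    if op == "atom":
        return f[1] in path.labels(0)
    if op == "not":
        return not sat(path, f[1])
    if op == "and":
        return sat(path, f[1]) and sat(path, f[2])
    if op == "or":
        return sat(path, f[1]) or sat(path, f[2])
    if op == "imp":
        return (not sat(path, f[1])) or sat(path, f[2])
    if op == "next":
        return sat(path.suffix(1), f[1])
    h = path.horizon()
    if op == "ev":
        return any(sat(path.suffix(i), f[1]) for i in range(h))
    if op == "alw":
        return all(sat(path.suffix(i), f[1]) for i in range(h))
    if op == "until":
        for i in range(h):
            if sat(path.suffix(i), f[2]):  # psi at i, and phi held at every j < i
                return True
            if not sat(path.suffix(i), f[1]):
                return False
        return False
    raise ValueError(f"unknown connective {op!r}")


def hello_program_trace(x: int = 0) -> Lasso:
    """Run the slide's while-loop from the given x, labeling each state reached
    with p = "prints hello", q = "prints hi", r = "x is even". Once a program
    state repeats, the rest of the path is that loop; if the loop ever exits,
    the final state is repeated forever so that the path stays infinite."""
    states, first_seen = [], {}
    while x < 3:
        if x in first_seen:
            k = first_seen[x]
            return Lasso(tuple(states[:k]), tuple(states[k:]))
        first_seen[x] = len(states)
        atoms = {"p"}                    # print("hello") runs on every iteration
        if x == 1:
            atoms.add("q")               # print("hi")
        if x % 2 == 0:
            atoms.add("r")
        states.append(frozenset(atoms))
        x = 0 if x == 2 else x + 1
    final = frozenset({"r"}) if x % 2 == 0 else frozenset()
    return Lasso(tuple(states), (final,))


def A(name: str) -> tuple:
    return ("atom", name)


# The four properties stated on the "Basic Intuition" slide, plus one that fails:
# after x = 2 the next state is x = 0, which prints no "hi".
PROPERTIES = {
    "always p": ("alw", A("p")),
    "always (p -> (q or r))": ("alw", ("imp", A("p"), ("or", A("q"), A("r")))),
    "never (q and r)": ("alw", ("not", ("and", A("q"), A("r")))),
    "always eventually q": ("alw", ("ev", A("q"))),
    "always (r -> next q)": ("alw", ("imp", A("r"), ("next", A("q")))),
}


def check_hello_program(x: int = 0) -> dict:
    """Evaluate every property in PROPERTIES on the program's path from x."""
    path = hello_program_trace(x)
    return {name: sat(path, f) for name, f in PROPERTIES.items()}
```

This checks one path π |=_L ϕ only; M, s |= ϕ on an LTS would additionally quantify over every path from s.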
Semantics of Atoms Illustrated

π |= p
[Diagram: path s0 s1 s2 s3 s4, with p marked at s0]

Semantics of "Next" Illustrated

π |= ○p
[Diagram: path s0 s1 s2 s3 s4, with p marked at the next state, s1]

Semantics of "Eventually" Illustrated

π |= ♦p
[Diagram: path s0 s1 s2 s3 s4, with p marked at one later state]

Semantics of "Always" Illustrated

π |= □p
[Diagram: path s0 s1 s2 s3 s4, with p marked at every state]

Combined Semantics of "Eventually" and "Always" Illustrated

π |= ♦□p
[Diagram: path s0 s1 s2 s3 s4, with p marked at every state from some state onward]

Semantics of "Until" Illustrated

π |= p U q
[Diagram: path s0 s1 s2 s3 s4, with p marked at three consecutive states followed by q]

Exercises
Transition Systems and Paths

A labeled transition system (LTS for short) is a triple M = (S, →, L) consisting of:
• S a finite set of states
• → ⊆ S × S a transition relation
• L : S → P(Atoms) a labeling function
such that every state has an outward transition, i.e., for all s1 ∈ S there exists s2 ∈ S with s1 → s2.

A path π in an LTS M = (S, →, L) is an infinite sequence of states s0 s1 s2 . . . such that for all i ≥ 0, si → si+1.

Paths are written as π = s0 → s1 → s2 → . . .
Transition Systems and Paths – Example

Recall the example with two parallel processes, where, for i ∈ {1, 2}:
• ni denotes "process i not in critical section"
• ri denotes "process i requesting to enter critical section"
• ci denotes "process i in critical section"
Atoms = {n1, n2, r1, r2, c1, c2}

[Diagram of the LTS; the states and their labels are:]
s0: n1 n2    s1: r1 n2    s2: c1 n2    s3: r1 r2
s4: c1 r2    s5: n1 r2    s6: n1 c2    s7: r1 c2

M = (S, →, L) where
• S = {s0, s1, . . . , s7}
• → = {(s0, s1), (s0, s5), . . .}
• L(s0) = {n1, n2}
• L(s1) = {r1, n2}
• . . .
Unwinding a Transition System

Visualise all paths from a given state s0 by unwinding the LTS to obtain an
infinite tree. For example:
s0

p, q p, q
s1 q, r
s2
s0
r

s0 p, q
s2 s2
s1 s2 r r

q, r r s1 q, s2 s2 ...
r
r r

... ... ...


All possible paths starting in s0:
(s0 → s1 → ) ∞
(s0 → s1 → ) n (s2 → ) ∞ for
n≥ 1 25
n
Formal Semantics Continued: Satisfaction Relation for LTSs

Let M = (S, → , L) be an LTS and ϕ be an LTL formula.

We extend the satisfaction relation from infinite sequences to LTSs as follows:

For a state s ∈ S, we define M, s |= ϕ, read “M satisfies ϕ in state s” or “ϕ
holds for M in state s”, to mean that π |=L ϕ for every path π of M
starting at state s.
26
Satisfaction Relation for LTSs – Example

[Figure: an LTS with states s0 (labelled p, q), s1 (labelled q, r) and s2 (labelled r), and its unwinding tree from s0]

1. M, s0 |= p ∧ q
2. M, s0 |= ¬r
3. M, s0 |= ○r
4. M, s0 |= ○(q ∧ r)
5. M, s0 |= □¬(p ∧ r)
6. M, s2 |= □r
7. M, s0 |= ♦(¬q ∧ r) → ♦□r
8. M, s0 |= □♦p
9. M, s0 |= □♦p → □♦r
10. M, s0 |= □♦r → □♦p
27
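The paths written down on the unwinding slide are all ultimately periodic (a finite prefix followed by a loop repeated forever), and on such a "lasso" an LTL formula can be evaluated exactly by looking at finitely many positions. The following Python evaluator is an added example, not code from the slides; it uses the slide's labels L(s0) = {p, q}, L(s1) = {q, r}, L(s2) = {r}, and the tuple encoding of formulas is this example's own convention. It checks one path at a time, which is what one needs to confirm a listed path or a candidate counterexample; establishing M, s |= ϕ still requires every path from s.

```python
# Added example, not code from the lecture slides: exact evaluation of an LTL formula
# on an ultimately periodic path ("lasso") prefix . loop^omega, the shape of every
# path that can be written down for a finite LTS, such as the two path families listed
# on the unwinding slide.  Labels are the slide's: L(s0) = {p, q}, L(s1) = {q, r},
# L(s2) = {r}.  The tuple encoding of formulas is this example's own convention.
from functools import lru_cache

L = {"s0": {"p", "q"}, "s1": {"q", "r"}, "s2": {"r"}}

# Formula constructors; "next" is the slides' circle operator.
def atom(a): return ("atom", a)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def disj(f, g): return ("or", f, g)
def imp(f, g): return ("imp", f, g)
def nxt(f): return ("next", f)
def always(f): return ("always", f)
def eventually(f): return ("eventually", f)
def until(f, g): return ("until", f, g)


def holds(formula, prefix, loop, labels):
    """True iff the path prefix . loop^omega satisfies `formula` (at position 0).

    Positions 0 .. n-1 stand for the states of prefix followed by loop; the successor
    of the last one is the first loop position.  Every later suffix of the path repeats
    one of these, so checking finitely many positions is exact for the infinite path."""
    if not loop:
        raise ValueError("the loop must be non-empty: paths are infinite")
    states = list(prefix) + list(loop)
    n, loop_start = len(states), len(prefix)

    def succ(i):
        return i + 1 if i + 1 < n else loop_start

    def future(i):
        # all positions reachable from i (i itself first), each exactly once
        order, j = [], i
        while j not in order:
            order.append(j)
            j = succ(j)
        return order

    @lru_cache(maxsize=None)
    def sat(f, i):
        kind = f[0]
        if kind == "atom":
            return f[1] in labels[states[i]]
        if kind == "not":
            return not sat(f[1], i)
        if kind == "and":
            return sat(f[1], i) and sat(f[2], i)
        if kind == "or":
            return sat(f[1], i) or sat(f[2], i)
        if kind == "imp":
            return (not sat(f[1], i)) or sat(f[2], i)
        if kind == "next":
            return sat(f[1], succ(i))
        if kind == "always":
            return all(sat(f[1], j) for j in future(i))
        if kind == "eventually":
            return any(sat(f[1], j) for j in future(i))
        if kind == "until":       # f[2] at some future position, f[1] at all earlier ones
            for j in future(i):
                if sat(f[2], j):
                    return True
                if not sat(f[1], j):
                    return False
            return False
        raise ValueError(f"unknown connective {kind!r}")

    return sat(formula, 0)


p, q, r = atom("p"), atom("q"), atom("r")


def slide_paths_checks():
    """Some formulas on the two path families of the unwinding slide:
    (s0 s1)^omega and (s0 s1)^n (s2)^omega, here with n = 2."""
    loop_01 = ([], ["s0", "s1"])
    lasso_2 = (["s0", "s1", "s0", "s1"], ["s2"])
    return {
        "box not(p and r) / loop": holds(always(neg(conj(p, r))), *loop_01, L),
        "box not(p and r) / lasso": holds(always(neg(conj(p, r))), *lasso_2, L),
        "next r / loop": holds(nxt(r), *loop_01, L),
        "box diamond p / loop": holds(always(eventually(p)), *loop_01, L),
        "box diamond p / lasso": holds(always(eventually(p)), *lasso_2, L),
        "diamond(not q and r) -> diamond box r / lasso":
            holds(imp(eventually(conj(neg(q), r)), eventually(always(r))), *lasso_2, L),
        "q U r / loop": holds(until(q, r), *loop_01, L),
    }


if __name__ == "__main__":
    for name, verdict in slide_paths_checks().items():
        print(f"{name}: {verdict}")
```

The `future(i)` walk is what makes the evaluation exact: after at most n steps the walk returns to a position already visited, and from then on the path only repeats suffixes whose truth values are already known, so □, ♦ and U need no unbounded search. Note that □♦p holds on (s0 s1)^ω but fails on (s0 s1)^2 (s2)^ω, which is why a single path never suffices to establish a □♦ property for a state.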
Homework Exercise 1

[Figure: an LTS with states s0 (labelled p), s1 (labelled p, r) and s2 (labelled p, q)]

Consider the LTS shown in the picture:

1. Write down the mathematical definitions of its components S, → and L.
2. Draw its unwinding tree.
3. Describe all its possible paths that start at state s0.
4. Determine which of the following are true, and explain why or why not:
   s1 |= p ∧ r
   s0 |= ○r
   s0 |= ○(p ∨ r)
   s2 |= □p
   s0 |= (p ∨ q) U r
   s1 |= (p ∧ ¬r) U q
5. Give your own examples of LTL formulas and states such that the
formula holds or does not hold in the given state, and in each case explain
28
Homework Exercise 2

In the example with the two processes executed in parallel, determine
whether the following properties are expressible in LTL; and if yes, whether
they hold.

• The safety property: Only one process may execute critical section
code at any point.
• The liveness property: Whenever a process requests to enter its critical
section, it will eventually be allowed to do so.
• The non-blocking property: A process can always request to enter its
critical section.
29
Homework Exercise 2 – Solution
In the example with the two processes executed in parallel, determine whether
the following properties are expressible in LTL; and if yes, whether they hold (for s0).
Let M = (S, → , L) be that transition system.

Safety property: Only one process may execute critical section code at any point.
An LTL formula expressing this is ϕ = □(¬(c1 ∧ c2)). Let’s prove that M, s0 |= ϕ.

M, s0 |= ϕ
means (by the semantics in an LTS)
for all π ∈ Paths_{s0}(M), π |=L ϕ
which means (by the semantics of □)
for all π ∈ Paths_{s0}(M), for all i ≥ 0, π^i |=L ¬(c1 ∧ c2)
which means (by the semantics of the propositional connectives and atoms)
for all π = t0 t1 t2 . . . ∈ Paths_{s0}(M), for all i ≥ 0, not (c1 ∈ L(ti) and c2 ∈ L(ti))
which is implied by
for all s ∈ S, not (c1 ∈ L(s) and c2 ∈ L(s))
which is true – it can be checked by inspecting the system.
We conclude that M, s0 |= ϕ.
This was backwards reasoning, reducing the goal to something true.
31
Homework Exercise 2 – Solution
In the example with the two processes executed in parallel, determine whether
the following properties are expressible in LTL; and if yes, whether they hold (for s0).
Let M = (S, → , L) be that transition system.

The liveness property: Whenever a process requests to enter its critical section,
it will eventually be allowed to do so.
An LTL formula expressing this is ϕ = □((r1 → ♦c1) ∧ (r2 → ♦c2)). Let’s
prove that M, s0 ⊭ ϕ.
By the semantics in an LTS, it suffices to find one π ∈ Paths_{s0}(M)
such that π ⊭L ϕ.
We take π = s0 (s1 s3 s7)^∞.

π ⊭L ϕ
is implied (by the semantics of □ and ∧) by
(s1 s3 s7)^∞ ⊭L r1 → ♦c1
which is implied (by the semantics of → and atoms, since r1 ∈ L(s1)) by
(s1 s3 s7)^∞ ⊭L ♦c1
which is implied (by the semantics of ♦ and atoms) by
for all i ≥ 0, c1 ∉ L(ti), where (s1 s3 s7)^∞ = t0 t1 t2 . . .
which is true, since c1 ∉ L(s1), c1 ∉ L(s3) and c1 ∉ L(s7).
We conclude that M, s0 ⊭ ϕ.
32
Homework Exercise 2 – Solution
In the example with the two processes executed in parallel, determine whether
the following properties are expressible in LTL; and if yes, whether they hold (for s0).
Let M = (S, → , L) be that transition system.

The non-blocking property: A process can always request to enter its critical
section (provided it is not there already).
Let’s call a state t reachable from a state s if there is a finite path in M from s to
t. We can express the non-blocking property for process 1 as follows:
NB1: For all states s reachable from s0 such that c1 ∉ L(s), there exists a state t
reachable from s such that r1 ∈ L(t).
And similarly NB2 for process 2. Our property is therefore NB = “NB1 and NB2”.
The properties NB1 and NB2 (hence NB as well) are true about the system
M. This can be routinely checked by:
- looking at all the states s reachable from s0 such that c1 ∉ L(s)
- and, for each of them, finding a state t reachable from s such that r1 ∈ L(t).
But NB1, NB2 and NB are not expressible as LTL formulas.
33
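The three Exercise 2 verdicts above (safety by inspecting states, liveness refuted by the lasso s0 (s1 s3 s7)^∞, non-blocking by the nested "for all reachable s ... there exists a reachable t" check) can all be computed from the transition graph. The Python below is an added example, not code from the slides. The state labels are those of the slide; only the transitions s0 → s1, s0 → s5 and the cycle s1 → s3 → s7 → s1 used by the counterexample are visible on the slides, so the remaining edges in `EDGES` are an assumption standing in for the elided part of the diagram and should be taken from the actual picture.

```python
# Added example, not code from the lecture slides: the three Exercise 2 properties
# checked mechanically on the two-process LTS.  State labels are those of the slide.
# ASSUMPTION: only s0->s1, s0->s5 and the cycle s1->s3->s7->s1 (the liveness
# counterexample) are visible in the slides; the other edges below stand in for the
# elided part of the diagram.
from collections import deque

LABELS = {
    "s0": {"n1", "n2"}, "s1": {"r1", "n2"}, "s2": {"c1", "n2"}, "s3": {"r1", "r2"},
    "s4": {"c1", "r2"}, "s5": {"n1", "r2"}, "s6": {"n1", "c2"}, "s7": {"r1", "c2"},
}
EDGES = {                       # successor lists; "slide" = shown, else assumed
    "s0": ["s1", "s5"],         # slide
    "s1": ["s2", "s3"],         # s1->s3 slide, s1->s2 assumed
    "s2": ["s4", "s0"],         # assumed
    "s3": ["s4", "s7"],         # s3->s7 slide, s3->s4 assumed
    "s4": ["s5"],               # assumed
    "s5": ["s3", "s6"],         # assumed
    "s6": ["s7", "s0"],         # assumed
    "s7": ["s1"],               # slide
}


def reachable(edges, start):
    """States reachable from `start` by a finite path (start included)."""
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        for t in edges[s]:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def safety_holds(edges, labels, start):
    """M, start |= box not(c1 and c2): no reachable state carries both c1 and c2.
    (The slide checks all states, a stronger sufficient condition.)"""
    return all(not {"c1", "c2"} <= labels[s] for s in reachable(edges, start))


def non_blocking_holds(edges, labels, start, crit, req):
    """NB_i: from every reachable state s with crit not in L(s), a state with req is
    reachable.  The nested reachability search is what makes this a property of the
    branching structure rather than of individual paths."""
    return all(any(req in labels[t] for t in reachable(edges, s))
               for s in reachable(edges, start) if crit not in labels[s])


def unanswered_request(edges, labels, start, req, grant):
    """Look for a lasso path from `start` refuting box(req -> diamond grant): a reachable
    state where req holds, followed by a cycle on which grant never holds.
    Returns (prefix, loop) as state lists, or None when no such path exists."""
    def shortest_path(target):
        parent, todo = {start: None}, deque([start])
        while todo:
            s = todo.popleft()
            if s == target:
                path = []
                while s is not None:
                    path.append(s)
                    s = parent[s]
                return path[::-1]
            for t in edges[s]:
                if t not in parent:
                    parent[t] = s
                    todo.append(t)
        return None

    def grant_free_cycle(s, stack, seen):
        # DFS inside the grant-free subgraph; a back edge to a state on the stack
        # closes a cycle, and the stack before that state is the way into it
        stack.append(s)
        seen.add(s)
        for t in edges[s]:
            if grant in labels[t]:
                continue
            if t in stack:
                k = stack.index(t)
                return stack[:k], stack[k:]
            if t not in seen:
                found = grant_free_cycle(t, stack, seen)
                if found:
                    return found
        stack.pop()
        return None

    for s in sorted(reachable(edges, start)):
        if req in labels[s] and grant not in labels[s]:
            found = grant_free_cycle(s, [], set())
            if found:
                way_in, cycle = found
                return shortest_path(s)[:-1] + way_in, cycle
    return None


def exercise2():
    """Verdicts for the three Exercise 2 properties from state s0."""
    return {
        "safety": safety_holds(EDGES, LABELS, "s0"),
        "liveness_counterexample": unanswered_request(EDGES, LABELS, "s0", "r1", "c1"),
        "non_blocking": non_blocking_holds(EDGES, LABELS, "s0", "c1", "r1")
        and non_blocking_holds(EDGES, LABELS, "s0", "c2", "r2"),
    }


if __name__ == "__main__":
    print(exercise2())
```

With the edges as assumed, `unanswered_request` returns the prefix `["s0"]` and loop `["s1", "s3", "s7"]`, i.e. exactly the path s0 (s1 s3 s7)^∞ used on the slide: the search finds a reachable state where r1 holds and then a cycle that never visits a c1 state, which is the general shape of a counterexample to a request/response property. The safety check only needs one reachability pass, whereas NB needs a reachability search from every reachable state; that nesting of "for all reachable" inside "there exists reachable" is the branching structure LTL cannot express, as the next slide argues.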
Expressibility in LTL

NB1: For all states s reachable from s0 such that c1 ∉ L(s), there exists a state t
reachable from s such that r1 ∈ L(t).

NB1 expressible in LTL means: There exists an LTL formula ϕ such that, for all
LTSs M = (S, → , L) and states s0 ∈ S, NB1 is true for M and s0 iff M, s0 |= ϕ.

Let’s assume NB1 expressible in LTL, and let ϕ be an LTL formula as above.
Let M = (S, → , L) and M′ = (S′, →′, L′) be the LTSs shown on the left and on
the right, respectively.

[Figure: the LTS M (left), with states s0 and s1 and the atom r1, and the LTS M′ (right), with state s0]

Clearly, NB1 is true for M and s0, but NB1 is not true for M′ and s0. Then,
by the choice of ϕ, we have M, s0 |= ϕ and M′, s0 ⊭ ϕ.

Homework: Modify the proof to show that NB is not expressible in LTL.
34
Formula Equivalence

Two formulas ϕ and ψ are equivalent, denoted ϕ ≡ ψ, if they are satisfied by
(i.e., hold for) exactly the same state labelings and infinite sequences of
states: Given any labeling L : S → P(Atoms) and any infinite sequence of
states π, we have that π |=L ϕ iff π |=L ψ; in other words:
(1) π |=L ϕ implies π |=L ψ
and
(2) π |=L ψ implies π |=L ϕ.

Note. If ϕ ≡ ψ, then ϕ and ψ will also be satisfied by the same LTSs in the
same states: Given any LTS M = (S, → , L) and any s ∈ S, we have
that M, s |= ϕ iff M, s |= ψ.

Homework Exercise 3: Explain why this is the case.
35
Some Formula Equivalences

Propositional tautologies:
¬(ϕ ∧ ψ) ≡ ¬ϕ ∨ ¬ψ          ¬(ϕ ∨ ψ) ≡ ¬ϕ ∧ ¬ψ

Duality laws:
¬○ϕ ≡ ○¬ϕ          ¬□ϕ ≡ ♦¬ϕ          ¬♦ϕ ≡ □¬ϕ

Distributive laws:
□(ϕ ∧ ψ) ≡ □ϕ ∧ □ψ          ♦(ϕ ∨ ψ) ≡ ♦ϕ ∨ ♦ψ          ○(ϕ U ψ) ≡ ○ϕ U ○ψ

Note:
□(ϕ ∨ ψ) ≢ □ϕ ∨ □ψ          ♦(ϕ ∧ ψ) ≢ ♦ϕ ∧ ♦ψ
36
Some Formula Equivalences

Inter-definability laws:

♦ϕ ≡ ¬□¬ϕ
□ϕ ≡ ¬♦¬ϕ
♦ϕ ≡ T U ϕ

where T (read “True”) is an abbreviation for p → p for some atom p

Idempotency laws:

♦♦ϕ ≡ ♦ϕ
□□ϕ ≡ □ϕ
(ϕ U ψ) U ψ ≡ ϕ U ψ
ϕ U (ϕ U ψ) ≡ ϕ U ψ

Absorption laws:

□♦□ϕ ≡ ♦□ϕ
♦□♦ϕ ≡ □♦ϕ

Expansion laws:

♦ϕ ≡ ϕ ∨ Q♦ϕ
□ϕ ≡ ϕ ∧ Q□ϕ
ϕ U ψ ≡ ψ ∨ (ϕ ∧ Q(ϕ U ψ))

37
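To check laws like the ones above on concrete sequences, here is an added example that is not part of the slides: a small evaluator for LTL over lasso-shaped traces (a finite prefix followed by a loop repeated forever), which assumes a tuple encoding of formulas in which "next" stands for the deck's Q. It tests the duality law ♦ϕ ≡ ¬□¬ϕ on constructed sample traces and exhibits a counterexample trace for the non-law □(ϕ ∨ ψ) ≢ □ϕ ∨ □ψ.

```python
# Added example (not from the slides): evaluate LTL formulas over "lasso"
# traces (finite prefix, then a loop repeated forever) to test the laws.
# Each position holds the set of atoms true there (the labeling of that
# state). Formulas are tuples: ("atom", p), ("not", f), ("and", f, g),
# ("or", f, g), ("next", f) for Q, ("always", f) for box,
# ("eventually", f) for diamond, and ("until", f, g) for f U g.

def label(trace, i):
    # atoms true at position i of pi = prefix . loop^omega
    prefix, loop = trace
    return prefix[i] if i < len(prefix) else loop[(i - len(prefix)) % len(loop)]

def holds(f, trace, i=0):
    # pi^i |= f, following the semantic clauses of the connectives
    # suffixes pi^j for j >= max(i, len(prefix)) repeat with period len(loop),
    # so every distinct suffix from i onwards is reached inside [i, bound)
    bound = max(i, len(trace[0])) + len(trace[1])
    op = f[0]
    if op == "atom":
        return f[1] in label(trace, i)
    if op == "not":
        return not holds(f[1], trace, i)
    if op == "and":
        return holds(f[1], trace, i) and holds(f[2], trace, i)
    if op == "or":
        return holds(f[1], trace, i) or holds(f[2], trace, i)
    if op == "next":
        return holds(f[1], trace, i + 1)
    if op == "always":
        return all(holds(f[1], trace, j) for j in range(i, bound))
    if op == "eventually":
        return any(holds(f[1], trace, j) for j in range(i, bound))
    if op == "until":  # some j >= i with g at j and f at every k in [i, j)
        return any(holds(f[2], trace, j) and all(holds(f[1], trace, k) for k in range(i, j))
                   for j in range(i, bound))
    raise ValueError("unknown connective: %s" % op)

def agree(f, g, traces):
    # f and g are satisfied by exactly the same sample traces, at every position
    return all(holds(f, t, i) == holds(g, t, i)
               for t in traces for i in range(len(t[0]) + len(t[1])))

P, Q_ = ("atom", "p"), ("atom", "q")  # atoms; Q_ avoids clashing with the Q operator
TRACES = [  # constructed sample traces: (prefix, loop)
    ([{"p"}], [set()]),              # p holds once, then never again
    ([], [{"p"}, {"q"}]),            # p and q alternate forever
    ([set(), set()], [{"p", "q"}]),  # both hold from position 2 onwards
]
DUALITY = agree(("eventually", P), ("not", ("always", ("not", P))), TRACES)
NOT_DISTRIB = agree(("always", ("or", P, Q_)), ("or", ("always", P), ("always", Q_)), TRACES)
```

Agreement on a finite set of sample traces is evidence, not a proof; the proof of an equivalence still goes through the semantics as on the following slides, while a single trace where `agree` fails (here the alternating one) is a genuine counterexample.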
Proving Formula Equivalences

Let us prove the following equivalence:

♦ϕ ≡ ¬□¬ϕ

Fix a labeling function L : S → P(Atoms) and let π be an infinite sequence s_0 s_1 s_2 . . .. We must prove two things:
(1) π |= ♦ϕ implies π |= ¬□¬ϕ.
(2) π |= ¬□¬ϕ implies π |= ♦ϕ.

38
Proving Formula Equivalences

Proving that π |= ♦ϕ implies π |= ¬□¬ϕ:

Assume π |= ♦ϕ.
Hence, by semantics of ♦, there exists an i such that π^i |= ϕ.
Hence, by logic, it is not the case that: for all i, π^i ⊭ ϕ.
Hence, by semantics of ¬, it is not the case that: for all i, π^i |= ¬ϕ.
Hence, by semantics of □, it is not the case that π |= □¬ϕ.
In other words, π ⊭ □¬ϕ.
Hence, by semantics of ¬, we have π |= ¬□¬ϕ.

39
Proving Formula Equivalences

Proving that π |= ¬□¬ϕ implies π |= ♦ϕ:

Assume π |= ¬□¬ϕ.
Hence, by semantics of ¬, we have π ⊭ □¬ϕ.
In other words, it is not the case that π |= □¬ϕ.
Hence, by semantics of □, it is not the case that: for all i, π^i |= ¬ϕ.
Hence, by semantics of ¬, it is not the case that: for all i, π^i ⊭ ϕ.
Hence, by logic, there exists an i such that π^i |= ϕ.
Hence, by semantics of ♦, we have π |= ♦ϕ.

Note. The proof of “π |= ¬□¬ϕ implies π |= ♦ϕ” is the reverse of the proof of “π |= ♦ϕ implies π |= ¬□¬ϕ”. So we could have proved directly “π |=
40
Homework Exercise 4

Choose from the previous two slides any three laws (except for
the propositional tautologies) and prove them.

Hint. Take the approach shown above, using the semantics of formulas
and logical reasoning.

41
Summary of the Discussed Concepts

• LTL = Linear Temporal Logic
• Syntax = formulas built from
  • atoms
  • propositional connectives
  • temporal connectives
• LTL can express some practical specification patterns
• Semantics = the satisfaction relation
  • between infinite sequences and formulas
  • between LTSs and formulas
• Formula equivalence

42
Further Reading

Sections 5.1.1–5.1.4 of Baier & Katoen’s “Principles of Model Checking” (MIT Press 2008)

Section 3.2 of Huth & Ryan’s “Logic in Computer Science: Modelling and Reasoning about Systems” (Cambridge University Press 2004)
Note. Uses another (standard) notation for the temporal connectives:
X instead of Q
F instead of ♦ (think “in the Future”)
G instead of □ (think “Globally”)

43
