Probabilistic Propositional Temporal Logics*hart/papers/pr-logic.pdf · 2004. 12. 11. · PROBABILISTIC PROPOSITIONAL TEMPORAL LOGICS 99 Oftheselogics,thelastthreelogicsareextended

Reprinted from ["'FOR.\1ATIO", A"'D CONTROLAU Rights Reserved by Academic Press, New York and London

Vol. 70, No, 2/3, August/September 1986Printed in Belgium

Probabilistic Propositional Temporal Logics*

SERGIU HART A.ND MICRA SHARIR t

School of Mathematical Sciences, Tel Aviv University,Tel Aviv 69978, Israel

We present two (closely-related) propositional probabilistic temporal logicsbased on temporal logics of branching time as introduced by Ben-Ari, Pnueli, andManna (Acta Inform. 20 (1983), 207-226), Emerson and Halpern ("Proceedings,14th ACM Sympos. Theory of Comput.," 1982, pp.169-179, and Emerson andClarke (Sci. Comput. Program. 2 (1982), 241-266). The first logic, PTLf, is inter-preted over finite models, while the second logic, PTLb, which is an extensionof the first one, is interpreted over infinite models with transition probabilitiesbounded away from O. The logic PTLf allows us to reason about finite-statesequential probabilistic programs, and the logic PTLb allows us to reason about(finite-state) concurrent probabilistic programs, without any explicit reference tothe actual values of their state-transition probabilities. A generalization of thetableau method yields deterministic single-exponential time decision procedures forour logics, and complete axiomatizations of them are given. Several meta-results,including the absence of a finite-model property for PTLb, and the connectionbetween satisfiable formulae of PTLb and finite state concurrent probabilisticprograms, are also discussed. (b) 1986 Academic Press, Inc.

1. INTRODUCTION

Recent progress in the theory of probabilistic programs (Sharir, Pnueli,and Hart, 1984; Hart, Sharir, and Pnueli, 1983; Hart and Sharir, 1985) hasyielded relatively simple methods for verification of certain properties ofsuch programs. Sequential probabilistic programs have been represented inSharir, Pnueli, and Hart (1984) as discrete Markov. chains, whereas con-current probabilistic programs have been represented in Hart, Sharir, andPnueli (1983) and Hart and Sharir (1985) as processes involvingcooperation of several Markov chains (with a common state space) obey-ing certain "fairness" constraints. In both cases, if one assumes that thestate space of the programs in question is finite, then one can obtain simple

* A preliminary verSIOn of this paper has appeared in "Proceedings 16th Sympos. onTheory of Computing," 1984, pp. 1-13.

(t) Work by the second author has been partly supported by a grant from the Bat-ShevaFund.

970019-9958/86 $3.00

Copyright (b) 1986 by Academic Press, Inc.AU rights of reproduction in any form reserved.

98 HAR T AND SHARIR

algorithmic techniques for analyzing and proving termination of suchprograms. For sequential programs these techniques are essentially classicalresults in Markov chain theory, whereas for concurrent programs newtechniques had to be developed. In both cases, the actual values of thestate-transition probabilities proved to be irrelevant for the properties inquestion.

.

These encouraging results have motivated the study of logics forprobabilistic programs, as presented in this paper. These logics allow us toexpress various properties of such programs, including invariant andliveness properties, without explicit reference to the values of the transitionprobabilities. The first logic, which we call PTLf, is intended for reasoningabout sequential programs, whereas the second logic, called PTLb, extendsthe first one and is intended for reasoning about concurrent programs.Both logics are based (at least syntactically) on existing temporal logics forbranching time (Ben-Ari, Pnueli, and Manna 1983; Emerson and Halpern,1982; Emerson and Clarke, 1982). These logics are interpreted over modelswhich can simulate the execution of probabilistic programs; for PTLf theseare essentially finite Markov chains, whereas for PTLb they are infinitestochastic processes whose state-transition probabilities are bounded awayfrom 0 (this assumption holds for finite-state concurrent probabilisticprograms since there are only finitely many different state-transitions).

It turns out that satisfiability of formulae in both logics is decidable, inone-exponential time, by decision procedures based on the tableau techni-que which generalize similar procedures for the nonprobabilistic logics ofBen-Ari, Pnueli and Manna (1983) and Emerson and Clarke (1982). Theprobabilistic context of our logics makes these procedures more com-plicated than their non probabilistic counterparts, and introduces into. themsome special techniques which are variants of the techhiques used in Hart,Sharir, and Pnueli (1983) for analyzing termination of concurrentprobabilistic programs.

Together with these decision procedures, we -also provide completeaxiomatizations for both logics, and show that the same decisionprocedures can be used to construct a proof of the negation of anyunsatisfiable formula.

Moreover, by inspection of the decision procedure for PTLb, we see thatfor many (satisfiable) formulae of that logic the model constructed by thatprocedure can be replaced by a finite model. This establishes a connectionbetweensatisfiability of a formula in PTLb and its satisfiability in PTLf,when certain conditions hold. Some additional properties of the models offormulae in these logics are also discussed. -

Several additional probabilistic logics have been proposed by Lehmannand Shelach (1982), Pnueli (1983), Feldman (1983), Feldman and Harel(1982), and Kozen (1983), in order to reason about probabilistic programs.

PROBABILISTIC PROPOSITIONAL TEMPORAL LOGICS 99

Of these logics, the last three logics are extended dynamic logics, ratherthan temporal ones, and moreover make explicit reference to the actualvalues of the transition probabilities involved. The logic in Pnueli (1983) isincomplete, and its semantic interpretation leads to a rather complicatedpro babilistic analysis.

The logics TCf and TCb of Lehman and She1ah (1982), developed aboutthe same. time as ours, are the closest in spirit to our logics. The semanticinterpretation of PTLf is very similar to that of TCf, whereas the semanticinterpretation of PTLb is similar to that of TC b' The difference betweenthese logics is that the logics TC have richer syntax allowing arbitrarylinear temporal formula to follow the path quantifiers, rather than just asingle iinear temporal operator as in our logics. As a consequence, thelogics in Lehmann and Shelach (1982), although also decidable, have lessefficient decision procedures. (This is analogous to the difference betweenthe more restricted non-probabilistic branching-time logic CTL of Emersonand Halpern (1982) and the more general logic CTL * of Emerson andHalpern (1983).) See also related work by Kraus (1985) and by Kraus andLehmenn (1983).

The paper is organized as follows. In Section 2 we define the syntax andsemantics of our logics, and make a few basic .observations concerningthese notions. In Section 3 we give axiomatic systems for both logics, andprove a few theorems wh~ch are needed later on. Section 4 describes thedecision procedures for our logics, and shows how to construct a model fora satisfiable formula in either logic. Section 5 proves the completeness ofthe systems of both logics, in the sense that the proof of any formula p forwhich", p is unsatisfiable, can be mechanically obtained from the tableauconstructed for

'"p. Section 6 discusses some meta-results concerning

properties of formulae and their models..

The decision procedures for PTLb and PTLf have been programmed inSETL and have been tested on several formulae. Appendix A gives a fewexamples of the output of this procedure.

2. SYNTAX AND SEMANTICS

In this s.ection we introduce our two logic systems, denotedPTLf andPTLb, whIch are almost identical syntactically, but differ in the inter-pretation of their formulae. Formally, (an austere version of) the syntax ofour logics is defined as follows.

DEFINITION. Syntactically valid formulas in the logics PTLf and PTLbare defined recursively as follows:

100 HAR T AND SHARIR

(1) Every formula in the propositional calculus is a formula in theselogics.

(2) If p and g are formulas in PTLf or PTLb then so are", p, p v g,VXp, tIFf, and p VUg.

As will shortly be seen, the bperator \iF in PTLf is redundant, and canbe defined in terms of the other two operators. These logics can beaugmented by additional operators as will be detailed below.

PTL/.and PTLb are interpreted as follows. A model of PTLb is a

(discrete) Markov chain, possibly having infinitely many states, for whichthere exists ex> 0 such that all nonzero transition probabilities of the chainare ~ ex.A specified initial state is associated with the model; in addition,there is an assignment of truth values to all propositions appearing in agiven formula at each state of the chain. Formally,

DEFINITION. A model M of PTLb is a quadruple (S, P, So, p), where S isa set of states, So E S is the initial state, P is a transition probability matrix(i.e., a nonnegative mapping on S x S with LIE S P(s, t) = 1 for each S E S)each of whose entries is either 0 or ~ ex, where exis some positive constant,and p is a mapping on S assigning to each S E S the set of true propositionsat that state. For convenience, we abbreviate p E p(s) as pES.

A model of PTLr is defined similarly, with the additional requirementthat the set S be finite (the requirement of the boundedness of the transi-tion probabilities clearly holds here). .

Each model M induces in a standard manner a probability measure 11Mon the space QM of all infinite paths w = (SI1):=o in S starting at So. Themeasure 11Mis defined on the (j-field generated by the cylindrical sets of theform

Q(So,..., SI1)= {OJEQMIOJ;=s;, i=O,..., n}

and the 11M-measure of each such set is the product

P(SO,Sl)'P(Sl,S2)' ...'P(SI1-1,SI1)

of the transition probabilities along the edges of the common initial prefix

(so,.." SIl) of all paths in this set.Truth of a formula p of either logic, in an appropriate model M, denoted

1= M p, is defined inductively as follows:

(i) If p is a proposition, then PM p <=>pESo.

(ii) If g= ",p, then PMg<=> ft=MP.

(iii) If r= p v g, then PM r <=>PM P or PM g,. and similarly for allother logical connectives.


(iv) If q = VXp, then F M q ~ F Mj P for all Sl E S such thatpeso, sd > 0, where Ail is the model M with initial state Sl, instead of So.

(v) If r = p VUq, then F!'vi r ~ J-LM (Ap,q) = 1, where

Ap,q = {co= (sn) E Q M \inf{ nl F Mnp} ~ inf {nl F Mnq} }

and M nis the model M with initial state Sn' I.e., A p,q consists of paths alongwhich either P always holds, or else p holds until the first time q holds.

(vi) If q = VFp, then F M q iff the set of paths starting at So alongwhich p eventually holds is of measure 1. Following standard terminologyin probability theory, this is equivalent to the existence of a stopping timeN on QM which is J-LM-almost surely finite, such that F MNP for each OJwith N(co) < 00. (A stopping time is a function N defined on QM whosevalues are either nonnegative integers or + 00, having the property thatwhenever N(co)=n then N(OJ')=n for each path OJ' having the same first nstates as OJ.)

We now discuss some important features of our logics:

(1) U sing negations of the modal operators VX, VU, and VF, wedefine additional operators as follows:

3Xp == '" (VX'"

p)

p3U q == '" (('"

q) VU('" P ))

3Gp == '" VF'"

p.

Note that VU and the 3U operators describe different notions of the "until"operator. In p VUq, U denotes the "weak" until (in which p holds eitherindefinitely or until q becomes true, but q need not. ever become true),whereas in p 3Uq, U denotes (a variant of) the "strong" until (in which pholds until q becomes true, including the state at which q is true, and qdoes indeed become true). The reader should keep this difference in mindin what follows.

.

(2) Intuitively,F M VXp means that p holds at all immediate suc-cessors (sons) of the initial state of M. Similarly, F M 3Xp means that p isvalid in at least one son of the initial state of M. F M P VUq means thatalong all paths OJstarting at So and consisting only of transitions with non-zero probability, p holds at all states of co up to the first state, if any; atwhich q holds. Note that "p until q for all paths" is equivalent to "p until qfor almost all paths:" Indeed, "p until q" not being satisfied on some pathmeans that the first time p is not true q is not true also; this is therefore aproperty of finite paths; if it happens at all, its probability must thereforebe positive. Similarly, F M p3Uq if there exists a finite path OJof states


reachable from So via transitions having nonzero probabilities, such that pholds at all states of cv, and q holds at the final state of OJ.These obser-vations imply that the \IV and 3V operators are actually nonprobabilistic,a property that we will use later in discussing PTLf' Also, 1= M \lFp if peventually holds on 11M-almostevery path. In the same manner, 1= M 3Gp ifthe 11M-measure of the set of paths along which p always holds (i.e., the setA p,ralse),is positive.

(3) The modal operators \lGp and 3Fp of Ben-Ari, Pnueli, andManna (1983) can be defined in both logics PTLf and PTLb in the follow-ing usual way:

3Fp ==true 3Vp

\lGp ==P \IV false.

1=M 3Fp if p holds on at least one. state of the model, and 1= M \lGp if pholds at all states of the model.

(4) In PTLr, the operator \IF and its dual 3G can be defined interms of the other operators, as follows:

3Gp ==p3V(\fGp) ==p 3U(p\fU false)

\lFp ==(3Fp) \fUp == (true 3Up) \fOp.

These two definitions are quite nonobvious, and are special to the finitemodel interpretation of PTLr. 1= M \lFp if on 11M-almost every path p holdseventually. However, in the case of finite models (i.e., finite Markovchains), this is equivalent to requiring that on every path OJand every state

.1'"aJon:g OJbefore the first time (if any) p holds on OJ,there exists a pathfrom .1'"on which p eventually holds. This latter property is always impliedby the interpretation of F M \lFp as defined above (including infiniteMarkov chains); the reverse implication can be proved for finite Markovchains using standard "0-1 law" arguments, similar to those in Hart,Sharir, and Pnueli (1983) (e.g., see Theorem 2.2 there). (Such a 0-1 lawstates that, in a finite Markov chain, if there is a positive probability ofeventually reaching a certain set of states from every state in the chain,then this probability is 1 for all starting states.) The definition of 3Gpfollows by negation. However, this will not work for PTLb: as is wellknown, in a denumerable Markov chain, even if every state has an eventualsuccessor where p holds, p need not occur eventually almost surely (sincethis successor may be reached only after arbitrarily many steps, itsprobability may be arbitrarily small-even if all positive single-step transi-tion probabilities in the chain are bounded away from zero).

After reducing formulas in PTLf as above, we obtain equivalent formulaswhich are expressed using only the opera!ors \IX, ~3X,\fU, and 3U. Let p be

"o.-..~<....


...'

such a reduced formula, and let M be a model of PTLf' It is plain that thesame model, viewed as a non-deterministic structure M' (i.e., where statetransitions denote non-deterministic, rather than probabilistic, choices), isalso a model of, say, CTL, and vice versa, each model of CTL can also beregarded as a probabilistic model for PTLf, by assigning appropriateprobabilities to its state transtitions. Moreover, since each of the operators\-IX, jX, \-IV, and jU is nonprobabilistic, it can be easily shown, by induc-tion on the structure of (the reduced) p, that p is satisfiable by a model Mof PTLf if and only if p is also satisfiable, as a formula of CTL, by thecorresponding non-deterministic structure M'. These observations will beused in the following section to show that PTLf is decidable and has com-plete axiomatization, using similar properties of CTL.

(5) Consider a finite-state probabilistic sequential program; itsexecution history can clearly be modelled in PTLf (such that the modelstates become program states, and the propositions contained in each suchstate are considered as properties holding at that program state).

(6) In contrast, consider a finite-state probabilistic concurrentprogram, with finitely many processes (we will refer to such a program inshort as a finite probabilistic concurrent program); it turns out that tomodel its execution requires the use of PTLb. Indeed, as in Hart, Sh~rir,and Pnueli (1983), such a finite concurrent program is specified in terms ofa finite common state space I and a finite collection K of processes, suchthat at each state i E I, if the next process to execute an atomic step is somek E K, then the program will reach after execution of that step a state j E Iwith probability Pt (thus, in particular, L}EIPZ= 1).

Note that we cannot model such a concurrent probabilistic program inPTLb, because at any given program state i, the choice of the next processk to execute an atomic step is nondeterministic and cannot be determ;inedfrom the program description as specified above; at different points in theexecution of the program, different choices may be made.

However, we can model any specific execution of such a program inPTLb. It is specified in terms of a schedule (j which determines at eachexecution step the process k E K to execute the next step. We assume (as inHart, Sharir, and Pnueli, 1983) that (j's decision is a function of the entireexecution history, i.e., the sequence of states (fa, i1"'" irn) reached duringexecution, where irn is the present program state. This execution can bemodeled in PTLb by a model M defined as follows. The states of M are allfinite execution histories as defined above. For each such historyh = (fa, i1,..., irn), let k = (j(h) be the next process to execute; then M con-tains transitions from h to all histories of the form h II(irn

+ 1) such thatpk

" "> 0, and the Probabilit y of that transition in M is the same Pk,. ,. .

mm+l mm+1

The starting state ho of M is the singleton history (io), where fa E I is the'.' ".


initial program state. Finally, each state h in M may contain propositionswhich reflect properties of the last program state in h, or which describe thelast process scheduled along h, etc. Since our program has only finitelymany positive transition probabilities, it is clear that all transitionprobabilities in M are bounded away from zero.

We will say that the program execution as determined by the schedule (Jsatisfies a formula p of PTLb (whose atomic subformulae consist ofpropositions describing properties of individual program states or of theprocesses about to be scheduled), if the corresponding model M as definedabove satisfies p. Intuitively this is an appropriate definition because M isdefined so as to model all possible (infinite) execution sequences of theprogram under (J. Indeed, these execution sequences are precisely. theinfinite paths in M, and the probability measure 11Mas defined above isprecisely the probability distribution induced on the space of all programexecution paths by (J and by the individual program transitionprobabilities. (In other words, the 11M-measure of any cylinder QUo,..., im)is the probability that the first m + 1 program states reached duringprogram execution under (J will be io,..., im.)

As an illustration, consider the following type of formula p of PTLbwhich specifies the structure of some (finite-state) concurrent probabilisticprogram and also asserts that during execution of this program a certainproperty t will hold eventually almost surely.

(at_s1 /\ activ_k1::J3Xat_s~)VUfalse /\ ...

/\ (at - Sm /\ activ - km::J 3Xat - s;n) VV false. (2.1 )

/\ (VFactiv_kd VU false /\'"

/\ (VFactiv_k,) VU false

/\ at_so::JVFt;

here the first group of conjuncts describe the state-transitions of theprogram, the second group of conjuncts specify that the program executionmust be fair, and the last line asserts that if execution starts at So then t willhold eventually almost surely. Note that any execution of the programstarting at So for which t holds eventually almost surely corresponds to amodel of PTLb which satisfies p. Conversely, the results of Section 4 andthe subsequent discussion in Section 6 imply that if p is satisfiable by somemodel of PTLb then it is also satisfiable by a model that corresponds tosome specific execution of the underlying concurrent probabilistic program.

Finally, note that the execution of a finite' state concurrent program(involving more than one process) in general cannot be modeled by a finiteMarkov chain (and thus by a model of PTLf)' For example, suppose thatthe program consists of three states S1, S2, and S3, and of two processes

k" k2, such that under kj the transitions having nonzero probability are

" '


(Sl, Sl), (Sl, S2), (S2,Sl), (S2, S2), (S3, S3)' and under k2 they are (Sl, S3),(S2, S3)' (S3' S3)' Consider the schedule ustarting at Sl and defined by therule: Schedule k1 repeatedly until the first time at which the number ofvisits at S2 is equal to the number of visits at Sl; in this case schedule k2,and thereafter schedule k 1 and k2 alternately. The execution of thisprogram under u cannot be modeled by a finite-state Markov chain; in factthis execution is identical to the behavior of a random walk on 0, 1, 2,...,with absorption at O. Moreover, the fairness of u does depend on the transi-tion probabilities of k1 at Sl and S2 (e.g., u is fair if P~11,S2'P~i,S2~~' and isunfair if both these probabilities are <!.)

The problem with this u is that it is not finitary. Roughly speaking, aschedule is finitary if it is a finite automaton acting on the executionhistory, whose scheduling decisions depend on its current state. That is,there exists a finite partition A of the set of all finite histories (i.e., eachfinite history belongs to exactly one element of A) such that, if h and hIbelong to the same element of A, then (i) u(h) = u(hl); and (ii) for any nextstate i, h II i and hIlii belong to the same element of A. It is easily seen thatfor finite-state concurrent programs, their execution under a schedule u canbe modeled by a finite-state Markov chain if and only if u is finitary.

Fair schedules need not be finitary. However, it can be shown fromTheorem 2.1 of Hart, Sharir, and Pnueli (1983) that almost-sure ter-mination by any fair schedule can be effectively decided by essentially con-sidering only finitary (fair) schedules, and therefore is a property that canbe stated and verified in PTLf' This interplay between PTLb and PTLf willbe studied in more generality in Section 6. We will obtain there theproperty just noted as a special case of a more general rule, which givessufficient conditions for formulae of PTLb to be equivalently represented(and checked) in PTLf' In particular, we will show that if formulae such aspin (2.1) are satisfiable by a model corresponding to some execution of theconcurrent program, then p is also satisfied by a similar execution under afinitary schedule.

3. AXIOMATIC SYSTEMS

We next present sound and complete deductive systems for PTLf andPTLb which are similar to the systems for. UB of Ben-Ari, Pnueli, andManna (1983) and CTL of Emerson and Halpern (1982).

Axioms and Rules Common to Both Logics

AXIOMS.

(AO) Axioms of the propositional calculus

106 HART AND SHARIR

(AI) VX(p -::J q) -::J (VXp -::J VXq)

(A2) pVUq -::J q V (p 1\ VX(pVUq)).

INFERENCE RULES.

(RO) Modus ponens; propositional reasoning

(R 1) I-p =>I-VXp

(R2) I-r =:>q V (p !\ VXr) =>I-r =:>p VUq

(R3) I-p =>I- '" (VF '" p).

Additional Axioms for PTLr

(A3) VFp ==(true3Up) VUp.

Additional Axioms and Rules for PTLb

(A4) VFp ==pv vx VFp

(AS) VF VFp ~ VFp

(A6) (pVUq) 1\ VF( '" p):::J VFq

(R4) I-r -::Jp V (VX VFr 1\ 3Xp) => I-r =:>VFp.

We now justify the soundness of our axioms and rules. Axioms (AI) and(A2) and rules (Rl) and (R2) are nonprobabilistic and are sound in ourinterpretations, as well as in the interpretations of the nonprobabilisticlogic CTL. (It has been pointed out by Pnueli that these axioms and rulescan be used to simplify existing axiomatizations for that logic.) Theaxiom (A 1) and the rule (Rl) are taken from Ben-Ari, Pnueli, and Manna(1983), and their soundness follows from the definition of VX, as in Ben-Ari, Pnueli, and Manna (1983). Axiom (8.2) states that r = p VUq satisfiesthe implication r ~ q v (p 1\ VXr), which again is obvious from thedefinitions of the operators VU and VX; whereas rule (R2) states thatp VUq is the "largest" solution to that implication, in the sense that it isimplied by any other solution. The soundness of this rule can be proved bya silnp1e inductive argument.

The soundness of the rule (R3) is also easy to establish from thedefinitions. As noted in (4) in the preceding section, axiom (A3) is sound

'under finite-model interpretations.The soundness of axioms (A4 )-(A6), in our interpretation of PTLb,

follows from probabilistic arguments (which apply also in the generalunbounded case). Moreover, they are. also sound for non-probabilisticlogics, such as CTL or UB (under their standard non-probabilistic inter-pretation). Specifically, (A4) states that an event p happens eventuallyalmost surely if and only if it either happens now, or else it happens even-tually almost surely from any next instance 011. Axiom (AS) states that if

I'.,',


there exists an almost surely finite stopping time N such that for each pathOJ with N = N( OJ) < CfJ, the event p will happen eventually almost surelyafter reaching OJN, then p will happen eventually almost surely. (In otherwords, the composition of a family of almost-surely finite stopping times onan almost-surely finite stopping time yields an almost-surely finite stoppingtime.) Axiom (A6) states that if p holds continuously until the first time (ifany) at which q holds, and if there exists an almost surely finite stoppingtime N at which p does not hold, then there exists another almost surelyfinite stopping time N' ~ N which q. holds. The soundness of this axiom isimmediate from the definitions.

Finally, the rule (R4) states that for r to imply that p will eventually hold(almost surely), it is sufficient to require that r implies that either p holdsnow, or that at least one succeeding state satisfies p, and at the same time rwill hold once more eventually a.s. after every succeeding state. To provethe soundness of this rule, we argue as follows. Let So denote the set of allstates sin S at which r holds, and which are reachable from the initial stateSo via paths along which p did not hold yet (except possibly at s itself).Assume SoE So (for otherwise there is nothing to prove). For each S E So let/3s denote the probability that p will hold eventually, given that we havereached s. The premise of (R4) implies that /3s~ a > 0 (the lower bound forthe positive transition probabilities) for each S E So. Let y - infs ESof3s ~ a.For every s E So we have

f3s~a'I+(I-a)'y

(with probability at least a, p holds next, and otherwise p will hold even-tually with probability at least y). Thus y ~ a + (I-a) y, implying y = 1, or/3s = 1 for all S E So.

Remark. It would be tempting to replace (R4) by the simpler soundrule

(R4') f-r ~ p v (\iXr /\ 3Xp) ~ f-r ~ \iFp.

However, the resulting axiomatic system will not be complete. In fact, (R4)cannot be deduced from the modified axiomatic system. We will show thisindirectly, by exhibiting an alternative interpretation for the modifieqaxiomatic system, with (R4) replaced by (R4'), for which (R4) does nothold.

Consider the interpretation of the modified system under models Mwhich are defined as in PTLb, except that their associated transitionprobabilities are not required to be bounded away from O. Instead werequire that for each state S at the ith level of M we have P(s, t) ~ Iii, foreach nonzero transition probability P(s, f). It is easy to see that all axiomsand rules of the modified system are sound under this interpretation.Indeed, everything except (R4') is either nonprobabilistic or holds in

108 HART AND SHARIR'

general unbounded models. Concerning (R4'), suppose that a model Msatisfies the premise of (R4'), and that r holds at the initial state of M.Then the probability that p still does not hold after n levels of M is at most

TI7= 2 (1 - Iii) ~ 0 as n ~ 00. Nevertheless, it is easy to construct a modelM of this new kind for which the antecedent of (R4) holds, whereas its con-sequent does not. To obtain M, take a sequence {i,} of levels for which

TI~1 (1- Iii,) > 0, and define M so that r holds at the root and at eachnode in each of the levels it. For each node n at the i, level, p holds atexactly one son m of n, with P(n, m) = Iii/. It is then easy to check that Msatisfies the antecedent of (R4) but not its consequent.

Hence, the "essence" of the bounded-model interpretation of PTLb is <

captured by the rule (R4).Returning to PTLl' the discussion in (4) of the preceding section implies

that the above axiomatic system is complete for PTLJ' This follows fromthe fact that each valid formula p of PTLJ can be reduced, using (A3), toanother valid formula involving only logical connectives and the operatorsVX, 3X, VU, and 3U. This reduced formula, considered as a formula ofCTL, is also valid, and, since CTL is complete (Emerson and Halpern,1982; Emerson and Clarke, 1982), the reduced p is provable from thecorresponding axiomatic system of CTL, hence also from the remainder ofthe above system for PTLl' Similar arguments show that PTLJ isdecidable, by first reducing a given formula p of PTLJ by (A3) and then byapplying a decision procedure for CTL (cf. Emerson and Halpern, 1982;Emerson and Clarke, 1982) to the reduced formula. These properties ofPTLr will also follow as special cases of the completeness and decidabilityof PTLb, which will be established in the two following sections.

Theorems Common to PTLl and PTLb

We next list a few basic theorems provable from the core set of axiomsand inference rules common to both logics. Some of these will be used inthe sequel (in particular, see Sect. 5), while others are provided so as toillustrate the properties of the various operators of our logics:

(T1) VX(p /\ q) ==VXp /\ VXq

(T2) VXp v VXq~ VX(p v q)

(T3) pVUq ==q v (p /\ VX(pVUq))

(T4) pVUq /\ (("-'q)VUr):=>pVUr

(T5) (p v q)VUr~pVU(q V r)

(T6) (pVUr) /\ (qVUr) ==(p /\ q) VUr

(T7) (p~ VXp)VUq~(p:=>(pVUq))

(T8) VFp~ true 3Up

(T9) VXp ~ VFp. /(

. ~i..


We can also deduce a few additional inference rules:

(Rl') I-p::::J q ~ I-VXp =>VXq

(R2') I-p ~ I-pVUq for any q

(RS') I-p~I-VFp

(R6) I-p =>q ~ I-VFp =>VFq

(R7) I-r::::JVF(p v (VXVFr 1\ 3Xp))~l-r::::JVFp.

Here are the proofs of these theorems and rules:

Proof of (Rl'). By (Rl) we have I-VX(p=>q), so that by (AI) and (RO)we have I-VXp ::::JVXq. Q,E.D.

Proof of (R2') By (AO) we have I- true, so that by (Rl) I-VX true.Sincel-p is given, we have also I-p 1\ VX true. It follows by (RO) that

I-true ::::Jq v (p 1\ VX true)

so that by (R2) we have I- true => p VUq, or I-p VUq. Q.E.D.

Proof of (Tl). That the left-hand side implies the right-hand sidefollows from (Rl'). To prove the other implication, we begin with thetautology

I-p => (q::::J(p 1\ q)).

From it we obtain by (Rl')

I-VXp =>VX(q => (p 1\ q)).

Now (AI) gives

I-VX( q ::::J(p 1\ q)) ::::J(VXq => VX(p 1\ q)).

Hence, using (RO),

I-VXp 1\ VXq::::J VX(p 1\ q). Q.E.D.

Proof of (T2). From the tautology I-p => P V q, we deduce, using (Rl'),

I-VXp => VX(p V q)

and symmetrically

I-VXq => VX(p V q)

from which two statements the theorem follows immediately. Q.E.p.


> Proof of (T3). The left-hand side implies the right-hand side by (A2).To prove the converse implication, let r denote the right-hand side of (T3).Th us we have

f-pVUq => r

so that, by (R1'),

f-VX(pVUq) => VXr

or

f-q V (p 1\ VX(pVUq)) =>q v (p 1\ VXr)

which is to say,

f-r => q v (p 1\ VXr)

so that, by (R2), we conclude

f-r => p VUq

which is what we wanted to show. Q.E.D.

Proof of (T4). Put s = pVUq, t = ( '" q )VUr, and w = S 1\ t. Then weha ve by (T3)

f-W== (q V (p 1\ VXs));\ (r v ("'q 1\ VXt))

or

f-W == (q 1\ r) v (p 1\ VXs 1\ r) v (p 1\'"

q 1\ VXs 1\ VXt).

Hence (recall (T1)),

f-w=>r v r v (p 1\ "'q 1\ VX(s 1\ f))

or

f-W =>r v (p 1\ VXw)

so that, by (R2), we deduce the required implication

f-W => pVUr.

Proof of (T5). Put w=(p v q)VUr. Then by (A2)

f-W =>r v ((p v q) 1\ VXw,)

Q.E.D.


so that, by (RG),

~W:=J r v (q J\ VXw) V (p J\ VXw)

or

~w::=J (r v q) v (p J\ VXw)

so that, by (R2), we conclude

~w::=JpVU(q v r). Q.E.D.

Proof of (T6). Put w = (pVUr) J\ (qVUr). By (A2) we have

~w::=J(r v (p J\ VX(pVUr)) J\ (r v (q J\ VX(qVUr))

so that, by (RG)),

~w:=Jr v (p J\ q J\ VX(pVUr) J\ VX(qVUr)).

Hence, by (Tl) and (RG);

~w ::=Jr v ((p J\ q) J\ VXW)

which implies, using (R2),

~w::=J (p J\ q) VUr.

For the converse implication, put z = (p J\ q) VUr. Then, by (A2),

~Z:=J r v ((p J\ q) J\ VXz)

so that, by (RG),

~Z:=J r v (p J\ VXz).

Thus, by (R2), we have ~z::=JpVUr, and in a completely symmetricfashion, we also have ~Z::=J qVUr, from which the desired implicationreadily follows by (RG). Q.E.D.

Proof of (T7). Put w=p J\ ((P::=JVXp)VUq). By (A2), we have

~W::=Jp J\ (q V ((P:=JVXp) J\ VX((P:=JVXp)VUq)))-.---

,.; ..

so that, by (RG),

~W:=J q V (p J\ VXp J\ VX((p::=J VXp) VUq) )).--

,

112, HART AND SHARIR

Hence, using (Tl),

f-W:=) q V (p 1\ \iXW)

from which we conclude, using (R2), that f-W =:JP \iUq. Q.E.D.

Proof of (T8). By (A6), with rv p instead of p and false instead of q, we

have

f-( ( rv p) VVfalse) 1\ VFp:) VF false,

or

f-\iFp 1\ ( rv (\iF false)) :=) true3Up.

From f-true we have by (R3) f- rv (\iF false), which completes the proofby (RO). Q.E.D.

Proof 0/(T9). By (A4),

f-p =:J\iFp,

and

f-\iX\iFp :=) \iFp.

Applying (Rl') to the first implication, we obtain

f-\iXp =:J\iX\iFp,

and (RO) completes the proof.

Proof of (R5). Immediate by (A4) and (RO).

Q.E.D.

Proof of (R6). f-p =:Jq, or f-rv p V q; implies by (R2')

f-( rv p V q )\iU false.

By (T5), we have

f-( rv p V q) \iU false:=) rv p\iUq,

hence (RO) gives

f- rv p\iUq.

By (A6),

f-( rv p\iUq) 1\ \iFp =:J\iFg,

,','


and (RO) again gives

f VFp ~ VFq.

Remark. Note that the statement

Q.E.D.

VF(p ~ q) ~ (VFp ~ VFq)

is not valid in our logics!

Proof of (R7). Put s = P v (VXVFr 1\ :3Xp). The premise of (R 7) isf r ~ VFs. Hence, by (R6), f VFr ~ VFVFs, and by (AS) and (RO) weobtain f VFr::::>VF s. Using (R1') and (RO), we obtain

f S ~ P v (VXVFS 1\ :3Xp),

so that (R4) gives f S ~ 'rIFf. Arguing as above, this implies

f VFs ~ VFp,

and together with the premise f r ~ VFS of (R 7), we obtain

f r ~ VFp. Q.E.D.

4. THE TABLEAU METHOD

,-p

In this section we modify the tableau method of Ben-Ari, Pnueli, andManna (1983) and Emerson and Clarke (1982) to obtain a deterministic,exponential time-decision procedure for testing satisfiablity in PTLb. Thesame technique also applies to PTLJ, as will be noted at the end of this sec-tion. The construction presented below is similar to that of Ben-Ari,Pnueli, and Manna (1983) and Emerson and Clarke (1982), but differs incertain aspects with reflect the probabilistic context of our interpretation.

(Note that another competing technique for testing satisfiability is themaximal model technique (d. Emerson and Halpern, 1982). We have notchecked whether this technique can also be modified to yield a probabilisticmodel of the form required by our interpretation, although we believe thatthis is indeed possible:.) .

Given a formula Po of PTLb which we wish to test for satisfiability, weconstruct from it a finite directed graph T called tableau, each of whosenodes n is labeled by a set Fn of formulae (intuitively, formulae that are.true at n), some of which have already been "expanded," while others arestill "unexpanded." Initially T contains a single node no (the root), and

Fno= {Po}, with Po unexpanded. T is then constructed inductively asfollows. At each step we pick 'a node n having no successors, and a formula";.'

TABLEII

fJ-Expansions

" J '2

pvq P q

VFp p VX VFp A 3X VFp~(pA q) ~p ~q

3Fp P 3X3Fpp.VUq q p A VX(pVUq)p3Uq pAq P A 3X(p3Uq)

r r

114 HART AND SHARIR

TABLEI

(X-expanslOns

," '2 ,)

pAq3Gp

~ (p v q)~ (p VUq)~ (p 3Up)

~ (VFp)~ (3Gp)~ (VXp)~ (3Xp)

VGp

q3X3Gp

~q

pp

~p(~q) 3U( ~p)

(~q)VU(~p)

3G~pVF~p3X~p

VX~pp

VX (true v 3Gp)

VX VGp

1

P E F" which has not yet been expanded. We then expand p by' one of therules stated below, thereby creating outgoing edges from. n, some of whichmay lead to newly created nodes of T while others may point back atnodes already present in T.

Let n be a node of T and p an unexpanded formula in F,,; n can beexpanded by one of the following rules:

a-expansion. If F" contains a formula r having one of the forms in thefirst column of Table I, then we create one successor nl of n and put

F"I =F"u {rl, r2""}' where rl, r2,'" are the corresponding formulae in theother columns of the table.

fJ-expansion. If Fn contains a formula r having one of the forms in thefirst column of Table II, then we create two successors n 1 and n2 of n, andput F"I = FH u {rl}' and FH2= Fn U {r2}' where rl and r2 are thecorresponding formulae in the other two columns of the table.


X-expansion. If none of the preceding rules apply to n, then n iscalled a state; each unexpanded formula in Fn is either a proposition, thenegation of a proposition, or a formula preceded by VX or 3X. The follow-ing X-expansion rule is then applied to node n. Let VXp1"", VXpa be all theformulae in Fn preceded by VX, and let 3Xq 1"", 3Xq b be all the formulae in

Fn preceded by 3X. Then we create b sons n 1"", nb of n with

Fnk= {P1,...,Pa, qk}

for each k = 1,..., b; the kth son will be identified as the qk-son of n. (Ifb = 0, we create one son no of n and put

Fno= {p,...,Pa}.)

Each successor of n under this expansion is called a pre-state (since from ita new state will be eventually reached). The root no of the tableau is alsocalled a pre-state.

H"

Remarks. (1) Comparing the expansion rules listed in Tables I and IIwith the corresponding expansion rules used in the nonprobabilistic cases,we see that the only rules which have changed are those corresponding toformulae of the form VFp and 3Gp. The expansion rules that we use forthese formulae involve clauses which are logically redundant; they areneeded however to ensure proper development of the tableau, as willbecome apparent from the foregoing analysis and from the examples givenin Appendix A. Note also that since the connectives of our logic are notindependent of one another, some of the expansion rules given in Tables Iand II are redundant, but are given there for exposition sake.

(2) The j3-expansion rules concerning formulae of the forms p3D q orVFp are given special treatment in portions of the sequel. To prepare forthis treatment we call the edge from n to n1 an essential 3D (resp. VF)-edge,and n 1 the essential 3D (resp. VF )-son of n.

The construction of T is terminated by using the following terminationrules (cf. Ben-An, Pnueli, and Manna, 1983): '

(1) We do not expand any further nodes n for which F n' containsboth a proposition and its negation. Such nodes are called closed meaningthat they represent an inconsistent set of conjuncts; these nodes will beerased from the final form of the tableau by the marking rule (M1) given,below.

(2) At an X-expansion of a state n, we do not create new succeedingprestates if their set of formulae is identical to the set of formulae of some

7

ancestor pre-state m of n; in this case the corresponding outgoing edgefrom n points back to m... '


These termination rules ensure that the resulting graph T is finite, and as amatter of fact, its size is singly exponential in the size of the given formulaPo.

Having thus created T we proceed to mark some of its nodes usingseveral marking rules (some coincide with similar rules .of Ben-Ari, Pnueli,and Manna, 1983, while others are special to the probabilistic case).Roughly speaking, a node is marked if its set of formulae cannot besatisfied by a model that can be obtained from "unwinding" the tableaufrom that node. Such nodes will eventually be deleted from the tableau.Before stating these rules, we need certain technical preparations.

Let S denote the set of states in T and let II denote the set of pre-statesin T. For every SE S, let X(s) be the set of al successor pre-states of s(obtained by the X-expansion rule); for each pre-state ~E II, let T(0denote the set of all states in S which are reachable from ( via paths con-sisting of (X and fJ-expansions only. We will also use the inverse relations:X-J(O denotes the set of all predecessor states of ~ (there may be more

than one such state according to rule (2) for terminating the tableau con-struction), and T-J(s) is the (unique) pre-state preceding s. Essentially, allintermediate nodes of T which are neither states nor pre-states are ignoredin the sequel. See Fig. 1 for an example illustrating these notions.

We now deal with formulae of theform 3Gp, whose treatment require acertain structural decomposition of the tableau, which we now proceed todescribe. Given r=3Gp and nES with rEF", let Sr= {SES: rEFs}, andlet Y c II be the set of all pre-states ( which are reachable from n alongpaths whose states all belong to Sr- We~will obtain a decomposition of Ywhich is closely related to the decomposition of the state-space of a (finite-state) concurrent probabilistic program given in Hart, Sharir, and Pnueli(1983). The purpose of this decomposition is to find ergodic sets E of states,all of which contain r, and for which there exists an "unwinding" of the

/ \~/ \

/ \/ \

I \

Dt'

X(s) = { L ~' }

T(~) = { t, t' }T-l(t) = ~X-l(~) = { s, t}

FIG. 1. A fragmentary tableau and the X ~hd T relations.

.


tableau starting at any SEE and visiting from then on only states of E.Such an unwinding will enable us to show that r is satisfied in a model con-structed from this unwinding and whose initial state is either in E or fromwhich E can be reached via some finite path of states in S.

More precisely, define

.10= {SE T(Y): r1=Fs}..

We will construct inductively a sequence of (disjoint) subsets {Hm}m;'1 ofY, as follows. We begin by constructing a directed graph G, whose nodesare the pre-states of Y, and whose edges are given by the relation v - X 0 Trestricted to Y (i.e., 17E v(~) if th~re exists S E S r such that S E T(~) and17EX(S); it is helpful to label each such edge by the corresponding state s);note that G may contain loops (i.e., edges of the form (~, 0) and multipleedges. Let HI be a terminal strongly connected component of G, includingthe degenerate case of a singleton HI = {~}, in which case it is not requiredthat (~, ~) be an edge of G. Thus, for each ~E HI and each t E T( ~), eitherX(t)cHI or tEla. Next, suppose that HI"", Hm-I have already beendefined, and put Km-I = Ui<m Hi, We first update G by erasing all nodes

~E H m - I' together with all edges (17,17') for which there exists S E T( 17)suchthat both ~ and 17' belong to X( s) (thus, besides edges (17,~) we also eraseedges (17,17')with the s.ame label S as (17,~)). Hm is then defined to be a ter-minal strongly connected component of the (updated) graph G (includingthe degenerate case of a singleton, as above). Thus, H m has the followingproperty: For each ~E H m and each t E T( ~), either

(1) tEla; or

(2) X(t) n Km-I # 0; or

(3) X(t)cHm.

(Note that this holds for m = 1 too.) We continue with this process untilG becomes empty.

Having obtained this decomposition, we next define, for each m ~ 1,

1m =={s E S: T-I(s) E Hm and Xes) c Hm}.

Lm =={s E S: T-I(S) E Hm, S 1=10 and Xes) <tHm}.

.-0-

LEMMA 4.1. If ~, 17E Hm

f E T(~) n X-I(17)) then t Elm,

Proof The edge (~, 17) has not been erased at the time H m was con-structed, and thus we must have X( t) c H m' i.e., t E 1m by definition.

and 17EV(~) VIa the state t (i.e.,

-,: . COROLLARY4.2. 1m = 0 if and only if Hm is not strongly connected (and


thus Hm is a singleton, say H~ = {~}, and each t E T( 0 is either in 10 orsatisfies X(t) II Km-l '" 0).

COROLLARY4.3. If 1m '" 0 then:

(El) T(~) II 1m'" 0, for each tE 1m and each ~ E XU).

(E2) For each s, t Elm, S i=t, there exists a chain s = so, SI ,..., sf = t ofstates in 1m, such that S;+1 E N(s;) for i=O, l,...,j-l, where N= Tax.

Proof (El) ~ E H m which is strongly connected, thus there exists anedge (~, 1]) with 1]E H m too; the corresponding state s through which thisedge materializes then belongs to T(~) II [m.

(E2) Let 1]=T-1(t), and let ~ be an arbitrary pre-state in %(s). Sinceboth ~, 1]E H m and H m is strongly connected, there exists a chain~=~O, ~1"'" ~j-l=1] of pre-states in Hm such that ~;+l EV(~;) for alli=O, 1,...,j-2. Let S;+1 be the state corresponding to the edge (~;, ~;+d;then S;+1 Elm by Lemma 4.1, and S=SO,S1,...,Sj-l,Sj=t is the requiredchain of states. Q.E.D.

COROLLARY4.4. IfX- t(~) II 1m i= 0.

Proof By Corollary 4.2, Hm is strongly connected, thus ~ is connectedto itself via a nonempty chain of edges (Tl, T2)' (T2, T3)"'" (Tn-I' Tn), whereT 1 = TII =~. But then it follows from Lemma 4.1 that the state throughwhich the last edge (T11- 1, 0 has materialized belongs to X-I (~) II 1m.

Q.E.D.

1m i= 0 then for each ~EHm we have

Suppose that 1m'" 0. Intuitively, this means that, 'starting at some s Elm,

one can "unwind" the tableau into an infinite tree which consists only ofstates in 1m, by choosing at each pre-state ~E H m a state t E T( ~) II 1m, andby noting that all successor pre-states of t are contained in H

m'Since the

formula 3Gp is contained in Fs, we could potentially use such anunwinding of T as a model for the satisfiability of 3Gp. This, however,depends on our ability to satisfy other formulae of Fs by that same unwin-ding. As will be seen below, it suffices to require from 1m that its unwindingcan satisfy every formula of the form VFq which appears at some of itsstates.

DEFINITION. A set E of states in S is called an ergodic set if it satisfiesthe following properties (the first two of which are as in Corollary 4.3):

(El) T(~)nE",0, for each tEE and each ~EX(t).

(E2) For each s, tEE, s",t, there exists a chaIn S=SO,SI"",Sj=t ofstates in E, such that S;+1 EN(s;) for i=O; l,...,j:--l, where N= Tax.

" '


(E3) For each formula of the form \lFq which appears in Fs for somesEE, there exists tEE such that q EFt.

Consequently, we distinguish between three subcases:

(I) 1m = 0.

(II) 1m =1=0 is not ergodic. That is, there exists SE 1m and a formula(\IF q) E Fs such that q rjF( for all t E 1m' (It is easily seen, by the rule of \IF-expansion, that in this case the formula \lFq belongs to Ft for every t Elm.)

(III) 1m=1=0 is ergodic (we will call it an ergodic set for the formular, or an r-ergodic set for short).

Marking Rules

We are now in a position to state our marking rules:

(M1) Mark every closed node (i.e., a node containing both aproposition and its negation).

(M2) If n is a node at which an a-expansion has been applied and itsson n 1 has been marked then mark n.

(M3) If n is a node at which a fj-expansion has been applied andboth its sons n1 and n2 have been marked then mark n.

(M4) If n is a state and one of its succeeding pre-states has beenmarked then mark n.

(M5) Let r = p :JUq or r = \IFf, and let Nr denote the set of allunmarked nodes n of T whose set of formulae Fn contains r; assume t~is setis nonempty. A path n in T is r-acceptable if it visits only nodes in No andat every state s along n (at which an X-expansion takes place), n continueswith that son of s generated by the formula :JXr in,Fs-

'A node n E Nr will be marked if there exists no r-acceptable path from n

to a node mE Nr with p, q E Fm if r = p :JUq or with p E Fm if r = \IFf. (Theintuitive meaning of this rule is clear for r = p :JUq; as for r = \lFq this ruleis justified by yet another application of the 0-1 law-see below fordetails. )

To implement this rule, one may use a straightforward backwardspropagation technique, starting from those nodes where r is "fulfilled" (i.e.,contains p, q in the case r = p :JUq or p in the case r = \lFp).

We come now to the last and most complex marking rule (M6), whichuses the machinery of ergodic sets developed above:

(M6) Let r = :JGp be a formula appearing in the set Fn of someunmarked state n. Without loss of generality, assume all marked nodeshave been deleted from T. As above, let Sr = {s E S: rEFs}, and let Y c:.IIbe the set of all pre-states ~ which are reachable from n along paths whosestates all belong to Sr. Decompose Y into sets {Hm}m~l as above, fro~

120 HART AND SHARIR

which the sets {/m} m;;'1 are obtained. If all non-empty 1m are not ergodic(i.e., for each m either case (I) or case (II) above holds), then mark n.Otherwise, n remains unmarked.

Remark. For efficiency, we could mark all nodes of Sr simultaneously ifits decomposition contains no ergodic set. Better still, even if an ergodic setexists, we can still mark all nodes m of Sr for which there does not exist apath contained in S r and leading from m to such an ergodic set.

The marking process proceeds in phases; in each such phase we eitherapply one of the rules (M1 )-(M4) to a single node of T or apply rule (M5)to a formula VFp or p3Uq at some node of T which may cause severalnodes of T to be marked simultaneously, or apply rule (M6) to a formhla3Gp and a node containing it, which again can result in marking morethan one node. This marking process terminates when- no new nodes can bemarked.

As to the complexity of the marking procedure just described, note thateach marking phase marks at least one additional node of the tableau.Moreover, each such phase requires time polynomial in the size of thetableau. Indeed, phases involving rules (Ml )-(M4) are performed bystraightforward linear-time scanning of T; phases involving (M5) are per-formed by a linear-time graph propagation procedure. Finally, phasesinvolving (M6) apply the procedure described above for decomposition ofthe tableau into the sets H,n' This procedure is based on repeated graphdecomposition into strongly connected components. Since each suchdecomposition requires linear time, and removes at least one node from thetableau, the overall procedure runs in time quadratic in the size of thetableau. Overall we conclude that the marking procedure runs in timepolynomial in the size of the tableau, hence singly exponential in the size ofthe given formula.

The main result Of this paper isJ

THEOREM4.5. Po is satisfiable if and only if the root no of T has not beenmarked. Moreover, if the root has been marked then rv Po is provable inPTLb (i.e., the axiomatization of PTLb given in Sect. 3 is complete). In thislatter case the proof of rv Po can be obtained mechanically off the tableau T.

ProQf The proof of completeness of the axiomatic system of Section 3is postponed to the following section. Here we show that if no has not beenmarked, then we can construct a model of PTLb for Po from the unmarkednodes of T. This is achieved by first constructing from the unmarked nodesof T a Hintikka structure (defined below), and then transforming this struc-ture into a model for Po.

DEFINITION. A Hintikka structure H for a' formula Po of PTLb is an


infinite tree with a root Sosuch that the number of sons of any node in Hisbounded, and such that with each node s E H there is associated a set Fs offormulae of PTLb. Given such a tree H, we can associate with each edge(m, n) of H a transition probability equal to 1/d, where d is the out-goingdegree of m (note tha( these probabilities are bounded away from 0). Thisprobability assignment allows us to regard H as a stochastic process, andinduces, for each node s EH, a probability measure J.ls,H on the set Q s of allinfinite paths in H starting at s, in. the standard manner as in Section 2. Inaddition, H must have the following properties (p E Fs is abbreviated aspES):

(HO) Po ESo.(H 1) '" pES implies p ttS (i.e., H is consistent).

(H2) Let r be a formula to which an a-expansion is applicable (seeTable I); then rES implies rj E S for all corresponding subconjuncts rj of r(appearing in the 'other columns of the table).

(H3) Let r be a formula to which a JJ-expansion is applicable (seeTable II); then rES implies r1 ES or r2 ES (where r1, r2 are the twocorresponding disjuncts appearing in the other columns of the table).

(H4a) If 'iXp ES then pEt for all succeeding nodes t of s in H.

(H4b) If 3Xp E S then pEt for at least one succeeding node t of Sin H.

(H4c) If p3Uq E s then there exists a path from S all of whose nodes'containp, and its last node also contains q.

(H4d) If p'iUq E s then every path starting at s either contains p in allits nodes, or contains p at all its initial nodes (possibly none) beforereaching a node which contains q.

(H4e) If 'iFp ES then there exists a stopping time N, defined on Q s(the subtree of H rooted at s), which is ,us,H-almost-surely finite, and. forwhich p E OJN(w) , for each ill E Qs with N( OJ)< 00.

(H4f) If 3Gp E s then

,us,H{OJEQs:pEOJnfor all n~l}>O.

.--"

LEMMA4.6. If Po has a Hintikka structure, then it has a model, i.e., it issatisfiable.

. Proof Let H be a Hintikka structure for Po. We construct from H amodel M = (8, P, so, p), where 8 is the set of nodes of H, P is theprobability mapping defined above on the set of edges of H, and p isdefined as follows: for a proposition a and a node s, a E p(s) if a E Fs or"'attFs, whereas attp(s) if ",aEFs'

122 HART AND SHARIR

M is clearly a PTLb-model. To show that it is a model for Po, we prove,using simultaneous induction on the length of formulae r appearing in Fs,that

rES E S ==>1= Ms r;

'" rES E S ==>1= Ms '" r,.

where M.r is the model M with initial state s.The proof of this claim proceeds as in Ben-Ari, Pnueli, and Manna

(1983), except for the treatment of formulae involving 'v'U, 3U, 'v'F, and 3G,which are handled as follows:

Suppose that p3Uq E s. Then by (H4c) there exists a (simple) pathw= (w, =S, W2,"" roll)' such that pEWj for all j= 1,..., nand qEW,t' Itfollows by induction that 1= MP, j = 1,..., n, and that 1= M q, thus

~ ~.1= M.tP3Uq.

-,

Similarly, if p'v'Uq E s, then every path from S contains p at all its nodesuntil the first occurrence of q, if any. Again, by induction, it follows fromthe definition of 'v'U that 1=Ms p'v'Uq.

Next, suppose that 3Gp E s. Then by (H4f) the /is,H measure of pathsWE Dr for which p E WIIfor each n? 1, is positive. By induction hypothesis,for each such w, and each n? 1, we have F Mrn p, so that by definition ofvalidity of 3Gp it follows immediately that 1= M: 3Gp.

Finally, suppose that 'v'Fp E s. Then there exists a /is,H-almost surely finitestopping time N on Ds such that p E WN(w) for every W E Ds, for whichN(w) < 00. Again, by induction hypothesis, this implies that 1= M P for

WN(w)

each such w, so that, by definition of validity of 'v'Fp, we conclude that

1= M.t 'v'Fp.

These inductive arguments imply in particular that 1= M Po, so that Po issatisfiable. Q.E.D.

It therefore remains to construct a Hintikka structure H for Po from theunmarked nodes of T. For this, we use the following construction, in whichwe assume, for simplicity, that all nodes of T are unmarked. The followingobservations, which have already appeared implicity in the markingrule (M6), will be useful in motivating and explaining the construction ofthe required Hintikka structure. As before, we let S(resp. II) denote the setof all (unmarked) states (resp. pre-states) of T. The nodes of the Hintikkastructure H we are about to construct from T will be states in S. The num-ber of sons of a node S E H is the same as the number of pre-states in X(s).

.

For each such ~E X(s) there will correspond a son of sin H which will bean element of T(O. The decisions as to which state in T(~) to choose as thecorresponding son of s can be thought of as being' taken by some"scheduler," and we will refer to them as a schedule of T. This notation isvery similar to the modelling of the execution of a concurrent probabilisticprogram, as described, e.g., in Hart, Sharir, ajId Pnueli (1983). In this


analogy, the "program states" are our pre-states II; at each such ( EOII, theschedule assigns a process to execute the next program state, which, in ourcase, corresponds to choosing a state t EOT( (), and then "execute" the X-transitions from t to new pre-states (i.e., new program states). Thus"program execution" corresponds to the construction of H, in which wejust record the states in S chosen by the scheduler.

It is instructive to note that, unlike the finite-model interpretation ofPTLj, in the case of bounded models we can let the schedule be quitearbitrary, and depend upon the entire path in H from the root to thecurrent node. In contrast, in the case of PTLj, in order to ensure that theresulting structure be finite, we have to require that the schedule be"finitary," i.e., use only finite memory in determining the next state to bechosen at the current pre-state. .

The preceding remarks imply that to construct H it suffices to define thecorresponding schedule (J. (J is a function defined on the set of all finiteexecution histories, each such history being a sequence of the form

hn = (~o, Sl, (1' S2"'" Sn, ~n)

with ~o the root ofT and where for each i= 1,..., n we have Si EOT(~i-1) and

~i EOX(sJ (Thus, for convenience, we label each node of H also by the pre-state ( of its corresponding state s. Each such hn corresponds to a path coof length n in H in which the schedule's decisions at the first n - 1 nodesare already recorded; a(hn) is to be the state Sn+1 in T((n) that the schedulewill choose at the terminal node of ill.) Figure 2 illustrates these notations.

Before defining (J, we first modify T slightly to eliminate any partialoverlapping between ergodic sets. Let E 1 ,..., Ed be the ergodic sets of T (forall formulae). Suppose that s EOS belongs to more than one ergodic set, saysEOE1nE2n ... nEe' We then replace s bye new nodes (s, 1), (s,2),...,(s, e) such that, for j = 1, 2,..., e we have

F(sj) = Fs; X((s,j)) = X(s); T-1((s,j)) = T-1(s).

Sn

prob~1J2 / \ prob~1J2

~n+l ~~+l X(sn) = {~n+l' ~~+l

}

I II II II I\ II II

Sn+ 1

schedule's choice

Sn+l

',; .. FIG. 2. Tableau unwinding by a schedule.


Define

E;= (Ej- {S})U Us,})},

for j = 1, 2,..., e. Since the internal structure of E; is isomorphic to the struc-ture of Ej for j = 1, 2,..., e, it follows that all these new sets are ergodic.Furthermore, if we apply the marking procedure to the new tableauobtained by this splitting, then no new nodes will be marked because theduplication of states in the above manner cannot cause any of the markingrules (M 1)-(M6) to become applicable if it were not applicable before.

Repeating the splitting procedure just .described for each original S E S asneeded, we obtain an equivalent but larger tableau T' together withassociated ergodic sets E~, E;,...,_,E~, with each state belonging to at mostone of these ergodic sets. Without loss of generality, we will assume thatthe original ergodic sets E1 ,..., Ed in T itself already have this property.Then each set S E S either belongs to a unique ergodic set Ee, or else is".

. ". b 1 E (Ud E )ctransIent, I.e., e ongs to <0 == e = 1 e .

For every S E Sand (E Xes), we define

V(S ~)={

T(()nEe,

T(~)

if S\EEe, e>O,

if S E Eo.

Note that V(s,O is always nonempty. For each such sand ( let (tL..., t~)be a fixed enumeration of the elements of T( 0, and let (v{s.o"'" v~s.o) be afixed enumeration of the elements of V(s, 0 (note that k = k( 0 and1==1(8,0). Let

hn = ((0' 81' (1' S2"'" Sn, (n)

be a finite history in H; we will define u(hn) = Sn+ 1 as follows. Let r be thenumber of occurrences of S ==Sn in hn (up to and including n) i.e.,r = I{i: 1 ~ i ~ n, Si = sn} I. Two possible cases can arise:

(a) All the following three conditions hold:

(i) r = V2for some V? 3.

(ii) IX(s)! > 1.

(iii) ~1111=~1112='" = (I11v' where n>m1>m2>'" >mvplaces in h" of the last v occurrences of s (before the nth place).

are the

(b) At least one of these conditions does not hold.

If case (a) occurs, letj==v(modk(~n)) and define u(hn)=t~n.lfcase(b)occurs, letj==(r-L~J) (modl(8'~I1)) and define u(hn) = v{sn,l;n)'

Let us call a visit at s for which r is a perfect square? 9 a square visit.Thus case (a) occurs only at pre-states ~ followi~ga square visit (of order

.~;


V2) at a state s which has more than one succeeding pre-state, and forwhich s is followed in hn by the same pre-state ~ at each of the last v visitsat s. When this case applies, the schedule iterates through T( ~) in a roundrobin fashion (stepping through the elements of T(~) once per each suchspecial square visit). Similarly, case (b) occurs when the visit at the laststate s in hn is either non-square, or is square but not all last ~ visits at shave been followed by th~ same succeeding pre-state. In these cases theschedule iterates through V(s,~) in a round robin fashion, in which thesquare visits at s are not counted.

The reason( s) for the peculiar definition of this schedule will becomeapparent below. Intuitively, it is due to the fact that one has to make surethat ergodic sets which are entered are also eventually exited when needed.

We next show that the unwinding of the tableau T by the schedule (J'justdefined yields a Hintikka structure H for Po. The proof that H satisfies con-ditions (H4c), (H4e), and (H4f) is somewhat involved and technical. Wehave to show the existence of a path (or, in the case of (H4f), a set of pathshaving positive measure) passing only through nodes containing thecorresponding subformula r = q:JUp,VFp or :JGp and (in the cases of (H4c)and (H4e)) ending at a node containing p; in showing this, difficulties canarise because as such a path is being constructed, it can enter variousergodic sets, some of which may be irrelevant to the "fulfillment" of r~ andso must be exited in order for r to be fulfilled. We construct a path bychoosing at each state along the way a corresponding succeeding pre-state;the schedule then chooses which state will follow (according to thedefinition above).

DEFINITION. A function p defined on a subset Sp C S and having non-negative integer values, is called an existential ranking function if thefollowing conditions hold:

(i) S~ ==p -1(0) =I0.(ii) For each SESp-S~ there exists 11EX(S) such that T(l1)cSp.

(iii) For each SESp-S~ there exists tE T(X(s)) such that p(t)<p(s).

(iii') For each s ESp -S~ with IX(s)1 = 1 there exists t E V(s, ~) suchthat p(t) < pes), where Xes) = g}.

""_H

DEFINITION. A function p defined on a subset Sp C S and having a non-negative integer values, is called a universal ranking function if the followingconditions hold: "

",; .

(i) S~==p-\0)=l0.

(iv) For each SESp-S~ and for each ~EX(S) we have V(s, ~)cSp".

126 HART AND SHARIR

(v) For each s ESp - S~ there exists ( E X(s) and t E V(s, 0 such thatp(t) < p(s).

Note an essential difference between the two definitions: "there exists ason in X(s)" in (ii) vs. "for all sons in X(s)" in (iv); this explains our choiceof names.

PROPOSITION4.7. Let p be an existential ranking function, and let hIt be ahistory (which we take, here and in the sequel, as h/l= ((,0' SI"'" ~1t-l,SIt))with Sl!ESp' Then there exists a finite path in H from Sit to some state in S~,which visits only states in S

P'

Proof Assume the contrary, and construct inductively the followinginfinite path, w in H, starting at S,p which stays forever in Sp. For eachm? n, let sm be the current state, which we assume to belong to S p'

If thereexists ~EX(Sm) such that t=a(hm-l,Sm'~) satisfies p(t)<p(s), then con-tinue the path OJ with any such ~ as the following (,m. Otherwise choose

~m= y/, where y/ is one of the pre-states in X(s) as given by condition (ii) fors = Sm (if there is more than one such y/, fix one and always choose it). In allcases, Sm+1ESp' (Note that in order to define the path w, we have tochoose for each (hm- l' sm) the next ~m E X(sm)' i.e., the outcome of therandomization at S/1l; a will then define Sm+l') .

We have thus defined an infinite path w in Sp' Let Po be the minimalvalue of p appearing along w infinitely often, and let S be a state whichappears infinitely often along OJ with p(s)= Po. Note that Po> 0 byassumption, so that by condition (iii) there exists some ~ E X(s) and somet E T(~) such that p(t) < p(s). Since Po is minimal, t cannot be visitedinfinitely often in OJ,so that, for some m ? n, the path never visits t after themth place.

Let r be the number of visits at s in hm (i.e., up to and including the mthplace on the path). Let V? 3 be the smallest integer satisfying V2> r. Sup-pose first that IX(s)I> 1, and consider the sequence of visits at s along wnumbered (v+ 1)2, (v+2f, etc. Then at each one of these visits at s,

.Case (a) applies to the scheduler, since at all preceding visits the succeedingpre-state of s is '1 by definition of w. Therefore, after at most IT(~)I of thesevisits we would have reached a visit at s, with a preceding history h, suchthat a(h, s, ~) = t, so that ( should follow s after that visit, by definition ofOJ-a contradiction. Finally, if IX(s)1 = 1, then condition (iii') implies thatthe state tET(X(s)) with p(t)<p(s) belongs to the appropriate V(s,().Here only case (b) applies, and after at most IV(s, ~)I non-square visits at sthe schedule would have to choose t after the pre-state (, so that w wouldcontain t after the mth place, again a contradiction. This establishes theproposition. Q.E.D.

,..;.' .

. -<"


PROPOSITION4.8. There exists Ci.> 0 (depending only on ISI), such thatfor every universal ranking function p, and for each finite history hlJ with

SIJESp, the probability of reaching S~from Sn via states' in Sp only, is ~ Ci..

Proof Consider the following path OJ(which is defined inductively, asin the preceding proposition, by specifying the pre-state which follows eachstate along the path): At each state s E OJ,let r be the total number of visitsat s, and assume IX(s)1 > 1 (otherwise OJmust continue with the sole suc-cessor pre-state of s). If r =1=V2- 1, for all v ~ 3, then choose the pre-state ~given by condition (v) (if there is more than one such ~, fix one and alwayschoose it); ifr=v2-1, choose any rJEX(S) which is different from the pre-state chosen at visit number r-1 =v2-2 (this is possible since IX(s)! > 1;it guarantees that condition (a)(iii) in the definition of the scheduler willnot be satisfied at r = V2). Note that by condition (iv), OJnever leaves S

P'Indeed, the only possibility of leaving Sp is at square visits for whichcase (a) applies; but our choice of pre-states along OJguarantees that thisnever happens (this also holds for states s with IX(s)! = 1, by definition).Hence OJvisits only states in Sp' and at each such state on OJ,the scheduleoperates according to case (b). For each s ESp - S~ appearing along OJ,let

~E Xes) be the chosen pre-state given by (v), and let t E V(s, ~) be a statefor which pet) < pes). Since at each visit at s along OJcase (b) applies, itfollows that if we disregard square visits at s and also visits numberedV2 - 1, then by definition of 0', after every 1V(s, ~)I consecutive visits at s, OJ

would contain one visit at t (following one of those visits at s). If we alsotake into account the disregarded visits. at s, then a visit at t would beguaranteed during every sequence of at least IV(s, 01 + 2 )1 V(s, 01 ~ 31S1consecutive visits at s. If t is not yet in S~, we can repeat this argumentwith (' E X(t) and t' E V(s, t) for which pet') < pet). We would then con-clude that during every sequence of at least

31SI' 3151 =91512

consecutive visits at s, at least one visit at t' is guaranteed along OJ.Continuing in this manner, we conclude that every (31S1y(s) consecutive

.

visits at s along OJgenerate at least one visit at some state u E S~. Thus, ifwe terminate OJat the first time it reaches 5~, it follows that the total lengthof OJis at most

I (31S1 )p(sJ~ I (3 ISl)maxp~ (31SI )maxp. ISI ~ (3lSl)maxp + 1.

SESp SESp

It therefore follows that the probability of OJis at least

((l/ISI)«3ISl)maxP+l)

". .


(here we have used the very crude estimate that the probability of a singleedge in H is at least 1/ISI). We can even sharpen the bound just obtained,by noting that any ranking function p can have at most ISI-1 differentnonzero values. We can therefore use the preceding inductive argument atmost ISI- 1 times, and thus we can rephice max p + 1 in the above formulaby ISI. Thus, if we define

rt.= ISI(-(3ISIJISIJ>O,

it follows that, for any universal ranking function p, the probability ofreaching S~ from any p-ranked state in H, is at least rt.,as asserted. Q.E.D.

The two preceding propositions 4.7 and 4.8 will next be used to showthat the tree H generated by oui'schedule (J is indeed a Hintikka structurefor the formula Po. This will be a consequence of the following sequence oflemmas:

LEMMA4.9. Let hn be a finite history in H such that r ==p3Uq E Sn' Thenthere exists a finite path from Sn to some state t with q E t which visits onlystates s with rES (and thus also pES).

Proof Define an existential ranking function p on the setSp = {s ES: rEs} as follows. If q Es then put p(s) = 0; otherwise, for eachs ESp, let p(s) be the length of the shortest path from s to S~ which con-tains only states in S p (by the length of such a path we mean the number ofstates lying on it, excluding the last such state). Note that all states s ESpwill get a finite rank, for otherwise they would have been marked by rule(M5). It is easily checked that p is indeed an existential ranking function.Indeed, condition (i) is trivial. To satisfy condition (ii), note that ifs ESp - S~, then q ~s, so that s must contain the formula 3Xr and con-

. sequentIy X(s) will contain a pre-state 11inheriting r. It follows that this 11satisfies condition (ii). Condition (iii) is immediate (because all states in Sphave finite rank). Concerning (iii/), note that if s E Sp and IX(sJI = 1 thenthe only 3X formula in s is 3Xr, hence in particular no formula of the form3Gw belongs to s; thus s E Eo, which implies that for the sale member~EX(S) we have V(s, ~)= T(~), so that (iii/) holds. The lemma is then animmediate corollary of Proposition 4.7. Q.E.D.

LEMMA4.10. Let hn be a finite history in H such that r = 3Gp E Sn- Then

there exists a finite path (j) from s n to some state t E E(r) ==U {Ee: Ee anr-ergodic set}, which visits only states s with rES (and thus also pES).

Proof As in the preceding lemma, we define an existential rankingfunction p on the set S p = {s E S: rEs}, so that, for each such s, p(s) is thelength of the shortest path which never leaves $p, from s to some state

.


t E E(r) (in particular all states in E(r) get rank 0). As in the precedinglemma, one easily checks that conditions (i), (ii), and (iii) are satisfied.Concerning condition (iii '), note that if s ESp is such that X( s) contains asingle pre-state ~, then either s E Eo, in which case V(s, () = T( ~), or sbelongs to some r-ergodic set, in which case p(s) = 0, or s belongs to someEe which is w-ergodic for some w i=r but not r-ergodic. But then s containsthe two 3G formulae rand w, so that it must have at least two succeedingpre-states, contrary to assumption. As before, the lemma now followsimmediately from Proposition 4.7. Q.E.D.

LEMMA4.11. Let hn be a finite history in H such that r = 3Gp E Sn' Thenthere exists a finite path w from Sn to some state t E Eeo where Ee is some r-ergodic set, which visits only states s with rES (and thus also pES), and suchthat the probability of never leaving Ee after t is positive.

Proof Consider the set A of all paths w starting at sn and satisfying(1) If w has reached a state t following a case (a) action of the

schedule, such that t does not belong to an r-ergodic set, apply thepreceding Lemma 4.10 to obtain a path w' leading from t to some r-ergodicset and visiting only states containing r. Then w continues after t as w',until such an ergodic set is reached.

(2) If w has reached some state t E Ee, for some r-ergodic set Ee,such that the visit at t is the first square visit after Sn, then w continueswith the prestate in X( t) corresponding to 3Xr. Call this visit the "special"visit at t.

----

(3) For each state t as in (2) which also satisfies IX(t)[ > 1, and ateach subsequent square visit (of order '[2) at t following the "special" visit,the last 1: prec~ding visits at t along ware such that they are not allfollowed by the same pre-state.

Note that A is not empty (in cases (1) and (2), the continuation after tisexplicitly stated; in case (3) choose, for example, at visit number v at t thepre-state number v (mod 2)- in XU)). Moreover, each path w EA neverleaves the set R = {s E S: rEs}. Indeed, suppose that for some m ~ n, Sm E wbelongs to R. Assume first that SmE Ee for some r-ergodic set Ee. If theschedule choice of a state at the pre-state following Sm along w is oftype (b), then by definition sm

+ 1 will also belong to E e'hence to R. If, on

the other hand, the schedule's choice at ( is of type (a), then condition (2)above ensures that Sm+l ER if the current visit at Sm is the first visit (i.e.,the, special one), and condition (3) above ensures that a case (a) choicecannot occur later on along w for the pair s, (. Finally, if 8m does notbelong to any r-ergodic set, then it must lie on a subpath w' as in con-dition (1) above, and the preceding Lemma 4.10 guarantees that Sm + 1

belongs to R too.'-


(The reason for distinguishing the firstj special) square visit at a state sfrom subsequent square visits, is that the schedule's choice at the pre-statefollowing the special visit may depend on part of the past history hn (i.e.,before reaching sn), over which we have no control. We therefore choose a"safe" pre-state following the special visit, thus ensuring that we remain inR. After that special visit we are in full control over the construction of apath in A, as reflected in condition (3)).

The number of special visits as in condition (2) is at most I81 (at mostone such visit per state), so that there exists WE A containing the maximalnumber of such special visits. Thus, after advancing some finite number ofsteps along w, we reach a state u such that all paths in A which continuefrom u onwards do not contain a special visit beyong that point. Let t bethe first state along one of these p,aths which belongs to some r-ergodic setEe (which exists by condition (1)). Then, after reaching that t, we have, foreach sEE e :

.

Prob (Ee is left (immediately) following a visit at s)00

~ L Prob (Ee is left immediately after visit number v2 at s)v=vO+l

(where v~~ 9 is the special visit at s after sn)

~V~4

d' (~)V

(where d= IX(s)l; note that (1jd)V is the probability that the same pre-statein X(s) has been chosen at the last v preceding visits at s)

= f (~)v-I

~ f (~)v - 1

= ~.v=4 v=4

(The last inequality follows since d~ 2, because only at states having morethan one succeeding pre-state can Ee be left.) The estimate just given isvalid because the only way to exit Ee after t is to choose at some stateS E Ee the same pre-state for v consecutive visits preceding a square visit oforder V2 at s; this is because no special visits of type (2) can occur after t.

Thus, after reaching t, the probability of never leaving Ee immediatelyafter a particular s E Ee is at least l Moreover, the events of leaving Eeimmediately after visits at different states S E Ee are independent, becausethey depend on disjoint sets of randomizations, thus 'their complementingevents are also independent, leading to

Prob (Ee never left after t) ~ Ci)IEel~ G)ISI > 0

and this proves the lemma. Q.E.D.


LEMMA4.12. Let hn be a finite history in H such that r = VFp E Sn' Thenthe probability of reaching after s n a state in R = {s E S: pES} U E'O is ~ Ct,where ct is the positive constant given in Proposition 4.8.

Proof We define a universal ranking function p. on the setSp={sES:rEs}, so that, for each SESp we let pes) be the length of theshortest path from S ~o a state in R which visits only states in Sp (such apath exists since rule (MS) did not mark s). To see that p is indeed auniversal ranking function, note that Sp - S~ c Eo, hence for all s ESp - S~and all ~ EX(S) we have r EFi; and V(s,~) = T(~) c Sp' The lemma nowfollows immediately from Proposition 4.8. Q.E.D.

LEMMA4.13. Let hn be a finite history in H such that r = VFp E Sn, andsuppose that SnEE efor some e> O. Then the probability of reaching after Sn

"a state in Ee containing p is ;?: 0:.

Proof As in the preceding lemma, we define a universal rankingfunction p on the set Sp= {sEEe: rEs}, SOthat, for each SESp we let pes)be the length of the shortest path from s to a state containing pwhich onlyvisits states in Ee (recall condition (E3) in the definition of ergodic sets).The definition of V(s, ~) = T(O n Ee together with the fact that Ee is anergodic set, readily imply that p is indeed a universal ranking function. Thelemma then follows from Proposition 4.8. . Q.E.D.

LEMMA4.14. Let hn be a finite history in H such that r = VFp E Sn- Then

the probability of reaching after sn a state in Q = {sE S: pES} is at least 0:2.

Proof Let Ct1 be the probability of reaching after Sn an ergodic setbefore reaching Q. Now

Prob (Q reached)

= Prob (Q reached before an ergodic set)

+ Prob (Q reached after an ergodic set).

. By Lemma 4.12, the first term is at least 0:- 0:1, and by Lemma 4.13, thesecond term is at least 0:10:. Thus the total probability is~(0:-0:1)+0:10:;?:0:2. Q.E.D.

..."

~OROLLARY4.15. Let hn be a finite history in H such that t - VFPESn.Then the probability of reaching after s n a state in Q = {s E S: pES} is 1.

Proof This is a direct consequence of the zero-one law applied to thepreceding Lemma 4.14 (see, e.g., Theorem 2.3 in Hart and Sharif, 1985).We will sketch the argument here. Let 0 < {3"<0:2;Lemma 4.14 implies that.


there exists. an integer m (depending. on hn) such that a state in Q isreached within no more than m steps from hn, with probability at least [3.The current state after these m steps, if Q has not been reached, must con-tain our formula r; we can continue from it by applying the sameargument, and so on. The total probability of reaching Q will thus be noless than

p+(1-[3)[3+(1-[3)2[3+ ...

which equals 1. Q.E.D.

As a result of the preceding sequence of lemmas, we finally conclude

THEOREM4.16. H is a Hintik~a structure for Po. Thus Po is satisfiable.

Proof It is easily seen that H satisfies conditions (HO)-(H3), (H4a),(H4b), and (H4d). Lemma 4.9 implies that it satisfies condition (H4c);Corollary 4.15 implies that it satisfies condition (H4e); and Lemma 4.11implies that H satisfies condition (H4f). Q.E.D.

. We have thus shown that if the root of T has not been marked then P issatisfiable. The converse statement is proven in the following section.

Remark. The tableau construction and its associated decisionprocedure described in this section is for the more complex logic PTLb. Asargued in Sections 2 and 3, we can obtain a decision procedure for for-mulae Po of PTLf, by first rewriting Po as a nonprobabilistic formula,replacing all terms of Po of the form 'iFp and 3Gp by the appropriate right-hand side of the axiom (A3) or of its contrapositive form, and continuingthis process until Po is reduced to an equivalent formula PI involving onlythe modalities 'iX, 3X, 'iU, and 3U. Then, to decide satisfiability of PI, usethe tableau method described above (which in this case would essentiallycoincide with the tableau techniques for the non-probabilistic logics CTLand VB).

.

5. COMPLETENESS

In this section we prove the second part of Theorem 4.5, namely that ifthe root no of the tableau T constructed for a formula Po of PTLb ismarked by the procedure described in the preceding section, then", Po isprovable from the axioms of PTLb given in Section 3. This, together withthe proof of the first part of Theorem 4.5, will establish the completeness ofour deductive system. In the case of PTLj, the same arguments to be w~edbelow still apply (they become simpler, -since one does not have to dealwith 'iF and 3G). Of course, as noted above, an ,alternative proof df 'com~


pleteness will follow from the fact that formulas of PTLf may be re-expressed in terms of the non-probabilistic logics CTL, VB, and from thecorresponding completeness proofs for these logics.

As in Ben-Ari, Pnueli, and Manna (1983) we define, for each node nET,the associated formula afn of n to be v, {

'"p: p E Fn}; note that Gino= "'Po.

The proof proceeds by showing, using induction on the phases of the mark-ing procedure, that if n is a marked node, then afn is provable. Since weassume that no is marked, it follows that", Po is provable.

The basis for our induction are phases which mark nodes n using therule (M1). In these cases we obtain, using "dilution" as in Lemma 5.1 ofBen-Ari, Pnueli, and Manna (1983), that f---afn' Similarly, for phases whichmark nodes n using one of the rules (M2)--(M4), we -can show, as inLemma 5.2 of Ben-Ari, Pnueli, and Manna (1983), that f---afn' For therules (M2) and (M3) (corresponding respectively to IXand [3 expansions)this follows from simple propositional reasoning and from the fact thateach of the expansions listed in Tables I and II of Section 4 is a theorem ofPTLb. For the rule (M4) (corresponding to X-expansions) the proofproceeds exactly as in Ben-Ari, Pnueli, and Manna (1983), using rule (R1')and theorem (T1).

Next consider a marking phase which has applied rule (M5) to a formular = p3Uq. Let t be a state in T which has been marked by (M5). (Note thatit suffices to consider states only. Indeed, let n be any node which ismarked by this application of (M5). Suppose first that n is a node where ris expanded. Then the' non-essential son of n must have already beenpreviously marked-otherwise (M5) would not apply to n. It therefore -follows that every state t reachable from n by IXand [3expansions only mustalso have been marked by the present application of (M5). But then,assuming we have already shown f---aft for each such state t, then theproperties of rules (Ml )--(M3) stated above make it plain that one also hasf---afn' This remark also applies to the remaining cases of marking by (M5)and by (M6).) .

.

In what follows we will ignore the marked portion of T (before thecurrent application of (M5)), and assume that each node we refer to ispresently unmarked. Let us introduce the f{)llowing terminology: For eachstate UE S such that r E Fu, denote the r-son of U by 1]u, and putR(u) = T(1]J (i.e., the states following 1]J. Also put R;f<

= R*(t) =U~=o Rm(t); in other words, R*(t) is the set of all states reachable from talong an r-acceptable path. Note that each state in R* will be marked bythe current application of (M5) (otherwise t would not have been markedeither); the same argument also shows that we have 3Xr E Fu for each stateu in R *, and thus 1]u is well defined. For each U E R * define V(u) to be theset of (presently unmarked) nodes at which r is expanded, which arereachable from 1]uby IXand [3 expansions only (i.e., before a state in R(u)).

.


Note that the essential son VI of any V E V(u) has already been marked, forotherwise v, and consequently also u and t, would not have been markedby (M5). For each VE V(u), define Q(v) to be the set of unmarked statesreachable from v (or from the nonessential son V2 of v) by rx~nd f3 expan-sions only. Note that Q a V = R for all u ER*. Also denote, for each stateuER*,

Yu= {k: VXkEFu}

and

WI = V (/\ Yu ) ,UER*

"

where we will always write 1\ Y = 1\ {k: kEY} for any set of formulas Y.These formulae have the following properties, generalizing Lemmas 5.3 and5.4 of Ben-Ari, Pnueli, and Manna (1983):

LEMMA5.1. f-WI:::J '" P V'"

q.

Proof Let uER*. Note that F'1u= {r} u Yu. Let VE V(u). Since none ofthe rx or f3 expansiQns performed between flu and v did involve r, we canwrite Fv = {r} u Z", where Zv is the set of formulae in Fv into which for-mulae in Yu have expanded. Moreover, since each of these expansionscorresponds to a theorem of PTLb, it follows that

f- /\ Yu:::J V (/\ Zv ).VE V(u)

(VI)

However, as already noted, for each v E V(u), the essential 3D-son VI of vmust have been marked by a previous marking phase, so that, by ourinduction on the marking steps, it follows that f-afvl' or

f-('"

p) v ('"

q) v ('" /\ Z v)or

f- /\ Zv:::J ("'p) V ("'q),

for each VE V(u). Thus also

f-"e~")(1\ z"):o (~p) V (~q),


and by (VI) we obtain that

~/\ Yu~('"'-'p) v ('"'-'q)

holds for each U E R*, thus

~u~* (/\ Yu)~('"'-'P) v ('"'-'q),

as asserted. Q.E.D.

LEMMA5.2. ~p 1\ Wt ~ VX Wi.

Proof Let UE R *. By the implication (V 1) given in the preceding proof,we have

~p A (A y.):op A CYeu) (A2u)) (V2)

that is,

>-p A (II Yu)=ou"~U)

(p A (IIZu)) (V2')

Let v E V(u). The nonessential 3D-son V2 of v satisfies

FV2 = {p, 3Xr} u Zv'

Since 3Xr is not expanded at any of the nodes connecting V2 to Q(v), itfollows, as in (VI), that

~p 1\ (/\ Zv ) ~ V ( /\ VXk) ,WE Q(v) kE Yw

because these formulae are part of FW'

Hence

~ V ( p 1\ (/\ Zv )) ~ V ( /\ VXk)VEV(U) WER(u) kEYw

so that, by (TI) and (RO), we have

~ V (p 1\ (/\ Zv )) ~ V VX (/\ Yw).VE V(u) WER(u)

--" Combining this with (V2'), we get

.', -~pA (/\ y.)=o wxJvx(/\ Yw)).


Since this holds for each Y E.R*, we obtain

~p ACX.

(/\ Yu))~ uX.(Vx(/\ Yw))

(

WE R(u)

~W~. (

VX(/\ Yw)) ~ VX(W~. (/\ Yw))

(the final implication being a consequence of (T2)). We have thus shown

~p A WI~VXWI

as asserted. Q.E.D.

We can now show that ~aft> as follows. Note that FIJI= {r} u YI. Thus

aflJl= ""'r v ""'( A YJ We have, by Lemmas 5.1 and 5.2,

~WI ~""'

p v""'

q,

~WI ~""'

p v (VXWI).

Hence

~WI ~""'

p v (""'

q A VXWI),

or, using (R2),

~WI ~ (""' q) VU( ""'F).I

Hence we also have

~ /\ Y/ ~ ""'(p3Uq)

or

~""' (/\ YI)v""'

r

that is, ~af~I' Hence aft too, as follows from the inductive step of ourproof corresponding to the marking rule (M4).

Next consider a marking phase which has applied rule (M5) to a formular = VFp, and let t be a state which has been marked by this phase. In asimilar manner to what we did above for formulae involving 3U, we denoteby R* = R*(t) the set of all (presently unmarked) states reachable from talong r-acceptable paths (i.e., by choosing at each state u the r-son of u,also to be denoted as 1JJ. Again, since t has been ~arked at this phase, no

. :"c'.I

--,',


state in R* has been ranked, so that it must contain both \:IXr and 3Xr. Inother words, at each node v where r has been expanded, the essential \:IF-son of v must have been previously marked. We will also use the notationsR(u), V(u), Q(v) as above, each of which is defined in an obviouslymodified manner. Also put

Yu = {k: \:IXkEFu and k # r}

WI= V (/\Yu )UER*

These formulae have the following properties:

LEMMA 5.3. f-- WI:::) "" p.

Proof Let u E R*. Note that F'Iu= {r} u Yu. As before, for each v E V(u)we can write Fv = {r} u Zv, where Zv is the set of formulae in Fv into whichformulae in Yu have expanded. Moreover, since each of the expansions per-formed along the path from Y/uto v corresponds to a theorem of PTLb, itfollows that

f-- /\ Yu:::) V (/\ ZV).VEVu

(Fl)

However, at each v E V(u), the formula r was expanded. Since the essential\:IF-son VI of v has been marked by a previous marking phase, it followsfrom our induction on the marking steps that f--afvl' or

f--(""

p) v ( "" /\ Z v)

or

f-- /\ Zv:::)"" P,

for each v E Vu. Thus also

f-- V (/\ Zv )=:J""

p,VE V(u)

or, using (Fl),

f-- /\ Yu:::)""

p.

138 HART AND SHARIR

This however implies that

~uX*(/\ YU)~ ~p

from which we obtain

~Wt::J '~p

as asserted. Q.E.D.

LEMMA5.4. ~ WI ::J \iX WI.

Proof Let UE R*. At each VE V(u) the formula r is expanded, and theessential \iF -son v 1 of v has been marked in a previous stage, but v is yetunmarked. Thus its nonessential son V2 is unmarked, and we have

FV2 = Zv u {\iXr, 3Xr}.

Continuing with these expansions until we reach a state w (in Q(v)cR(u)),and observing that \iXr and 3Xr will not be expanded any more, we obtain,using (Fl),

~ /\ Yu::J V ( /\ (F w - {\iXr, 3Xr} )).WER(u)

But

~ /\ (Fw - {\iXr, 3Xr})::J /\ VXk.,kE Yw

Hence, using (Tl),

~ /\ (Fw - {\iXr, 3Xr} )~::J\iX (/\ Yw).

Thus

~ /\ Yu::J V VX( /\ Yw )WER(u)

or, taking disjunction,

~ WI::Jw~ *

VX( /\ Y w)

-


and finally, using (T2), we obtain

r-wt ~ VX(w~* (J\ Yw))::J VXwc

as asserted. Q.E.D.

Lemmas 5.3 and 5.4 together imply

r-wt ~ ('" p) A VXWt

which, using (R2), imply that

r-wt ~ ('"

p) VD false

which in turn implies (using the contrapositive form of (T8) and (RO))

r-wt ~ 3G'" P

that is

r-'" (( J\ Yt) A VFP).

In other words, we have shown that r-afrrt' from which, using theargument corresponding to the marking rule (M4 )," it follows also thatr-afp which is what was to be shown.

Finally, we need to consider nodes at which the marking rule (M6) hasbe.en applied to some formula r = 3Gp. This portion of the proof is themost complex, and is special to PTLb, in the sense that all the other relatedlogics (VB, CTL, PTLj) have no similar marking rule for 3Gp.

Let t E S be a state that has been marked by (M6) for the formula r. LetT(t) denote the set of all pre-states reachable from t along paths each ofwhose states contain r. Let R*(t) = {t} u T[r(t)]. (Recall the notationsintroduced when (M6) was defined at Section 4; for a state s, X(s) is the setof its sons (pre-states); for a pre-state ~, T( ~) is the set of states reachablefrom ~ by ix and p expansions only.)

Applying rule (M6) for t and r, we decompose r(t) into finitely manydisjoint sets H1 u H2'" U Hm, and obtain a similar decomposition ofR*(t) into IouI1u ... uImuL1'" uLmwhereIoisthe set of all states inR*(t) which do not contain r, where each of the sets 11"", 1m is eitherempty or a communicating but nonergodic set of states (ie., satisfies (El)aI)d (E2), but not (E3)), and where L1,..., Lm are "transition sets" of statessatisfying

.. .

sELja T-1(S) E Hi'

(recall that L1 = 0).

s~Io, and X(s) (1 Kj-1 =1=0

140 HART AND SHARIR

As already noted, since t has been marked by (M6), we must have, foreach J = 1,...,m either

(I) Ii = 0; or ..(II) Ij =1=0 and there exists some formula q such that for each S E Ij,

VFqEF" but q~F".

Before investigating both these cases, we begin with a few general obser-vations and notations. For each ~E r(t) we denote

ZI', = 1\ FI',

and for each S E R*(t) we denote

Q" ==1\ F".

Let X(S) = {tJl,"" tJk}' and Y,,= {y:VXYEF,,}, This means that Q" is a con-junction involving, among others, formulae of the form 3X{3tJj"'" 3X{3tJk'and also formulae of the form VXy, where Y E Yp in the sense that for eachJ=1,...,k we have .

FtJj = Y" u {{3tJj}'

Note also that we must have one J for which {3tJj= 3Gp; we may assumeJ = 1. We have

f-Q,,::::JVX(l\y,,)/\3X{3tJj/\ ... /\3X{3tJk

which leads to (using (A 1))

(G1)

f-Q,,::::J "IX [((1\ y,,) /\ {3,11)v ((1\ y,,) /\ {3tJ2)V ...

v ( (1\ y,,) /\ {3t]k) V( ( 1\ y,,) /\

V 3X ( (1\ y,,) /\ {3'lk).

",-,{3t]j/\'" /\ "'-'{3t]k)J

(G2)

But "'-'{3tJl== ",-,3Gp, so that we can write (G2) as

f-Qs::::J VX(ZtJl V ZtJ2'" V ZtJk v 3Gp) /\ 3XZtJj'" /\ 3XZtJk' (G3)

Let us define, for each J= 1,...,m,

Aj= V ZI',;I',EHj

B.= VA .}I'

i,;;;j ,

'. .


Let us fix some) = 1,..., m, and consider both cases (1) and (II) listed above:

(1) Ij = 0. In this case Hj must contain a single element ~, andT(~) c 10u Lj'

LEMMA5.5. If Ij satisfies condition (I) "then

f-Aj=Z-;=> V Qsv[ V (Qsl\"'3GP)

J.

. SET(.;)nLj sET(-;)nlo

Proof Consider any node n lying between ~ and T(~). If Fn contains3Gp, then all nodes following n up to T( 0 must contain 3Gp, so that allstates in T(O following n must belong to Lj' By construction of r(t), Fe;must contain either 3Gp itself, or else the disjunction true v 3Gp. In thefirst case, T(~)nIo is empty, so that (G4) follows "from the fact that each!:J.or /3 expansion done betwee~ ( and T( ~) corresponds to a theorem ofPTLb. In the second case, for each node n between ( and T(~) at which(true v 3Gp) has been expanded, let n 1 be the son of n which "inherits"3Gp and let nz be the other son of n. It follows that 1\ Fnl = ( 1\ Fn) 1\ 3Gp,

and 1\ Fn2 = ( 1\ Fn) 1\ true = 1\ Fn, thus

(G4)

f- 1\ Fn =>(J\ Fnl) v ( (J\ Fn2)1\ '" 3GP);

these implications are then easily seen to imply (G4). Q.E.D.

Remark. The above proof is the main place in wpich the redundantexpansion rule for 3Gp is used. The intuitive reason for -this redundancy isto make sure that for each pre-state ( in the tableau which contains 3Gp,this subfoImula is propagated to all its succeeding pre-states, so that eachof them "gets a chance" to fulflll 3Gp. Without this provision, we could runinto situations in which the unwinding of the tableau from ( may notgenerate a set of paths having positive probability on which p is alwayssatisfied (although this set will not be empty). This case is illustrated inExample 3 given in Appendix A below.

For each SE T(~)nLj there exists 1'fEX(s}nKj-l' and moreover, bydefinition of r(t) we have Xes) c r(t). Thus, using (G3), we can write

f-QS:::J '<iX(Bm v'"

3Gp) 1\ 3XBj-l' (G5)

It. therefore follows from (G4) and (G5) that for I/s satisfying (I) we have

f-Aj:::J [VX(Bm v'"

3Gp) 1\ 3XBj-1J v '" 3Gp. (G6)

(II) Ij i= 0 and there exists a formula q for which '<iFq E Fs and q rtFsfor each S E Ij'


Let ( E:Hi be any pre-state. As in case (I) we claim

LEMMA 5.6. If Ij satisfies condition (II) then

f-Z~=> V (Qs 1\ "-'q) V ( V Qs )s E T( 0 n Ij S E T( 0 n Lj

V ( V (Qs 1\ "-' 3Gp )) .S E T( 0 n 10

(G7)

This is shown as in the proof of (G4). The appearance of "-' q in con-junction with Qs for s E:Ii follows from the fact that at the node n along thepath from ( to s at which the \,fF-expansion of \,fFq has taken place, q wasinherited by the other son of n. Since one has \,fFq=>q v ( "-'q 1\ \,fX\,fFq), itfollows that it is logically consistent to add "-' q to the nonessential.F-sonof n, and hence eventually also to s (by a similar argument to that used for

"-' 3Gp in the proof of Lemma 5.5).

It follows from (G7) that

f-Aj=> V (Qs 1\ "-'q) V (V Qs) v (,,-,3Gp).s E Ij S E Lj

Using (G 5), we can write this as

f-Aj=> V (Qs 1\ "-'q) V W

S E Ij

where

w= [VX(Bm v ,,-,3Gp) 1\ 3X.Bj-l] v ,,-,3Gp.

(G8)

(G9)

(Note that the term in square brackets drops out for j = 1, since L1 = 0 bydefinition.) Moreover, for each s E Ij we have X(s) c Hj, so that by (G3) wehave for each such s

f-Qs => \,fX(Aj v "-' 3Gp).

By the definition of w, we have "-' 3Gp=> w; from (G1G),

f-Qs=> \,fX(A j v w)

for all s E:Ii, Substituting in (G9), we get

f-Aj=>w v (\,fX(Aj v w) 1\ "-'q)

from which, using (R2), it is easy to obtain

f-Aj v w=> (,,-, q) VUw

" '

(G 10)

(G11)


so that, in particular,

~Aj=> ('" q) VUw. (G12)

However, since VXVFq E Fs for each S E Ij, and since each ~E Hj satisfiesX-I (~) n ~. =I0 (d. Corollary 4.4), it follows that VFq E Fi;,for each ~E Hj,

hence~Aj=> VFq (G13)

which, together with (G12), implies by (A6)

~Aj=>VF(",3Gpv [VX(Bm v ",3Gp) A :JXBj-I])' (G14)

Finally, since (G6) is a special case of (G14) by (A4), we conclude that(G14) holds for eachj= 1,..., m. This implies

j .

~Bj=> V {VF(",3Gp v [VX(Bm v ",3Gp) A 3XBi-I])}' (G1S)i= 1

But for each i ~j we have ~Bi-l -:::;Bj-l' It follows from the contrapositiveform of rule (R1') and from rule (R6) that

~Bj=>VF(",:JGp v [VX(Bm v ",3Gp) A 3XBj-I]) (G16)

for each 1 <j ~ m. For j = 1, the term in square brackets disappears,because LI is empty; in this case (G16) reduces to

~B I=> VF('"

3Gp) = VFVF('"

p) => VF( '"p) (G17)

by (AS).

LEMMA 5.7.

~Bm =>liFe", p). (G18)

Proof Put v ='"

3Gp and for each j = 1,..., m put Cj = Bj v v. Since- Bj => Cj it follows from (G 16) that

~Cj-:::;.VF(Cj-1 V [VXCm A 3XCj-I])' (G19)

We will show, using induction on j, that

~Cj => VFCj- 1 (G20)

."., from which, by repeated applications of (AS) and finally (G17), we easilyobtain (G18). We begin to prove (G20) for j=m. From (G19) we obtain

~Cm -:::;VF(Cm-l v [VXCm A 3XCm-I]).. .

144 '-HAR T AND SHARIR

which, by (R 7), yields (G20) for j = m. Suppose next that (G20) hasalready been established for all k > j; then it follows from (A5) thatCm:=J\lFCj, so that (019) becomes

f-Cj :=J \IF ( Cj- 1 v [\lX\lF Cj 1\ ::JXCj - 1] )

from which we obtain, using (R7) again, that Cj:=J\lFCj-l, as required.This proves our lemma. Q.E.D.

Ha ving established (G 18), let us next choose any pre-state ~E T(t) suchthat 3Gp E F~ (there are many such pre-states: for example, for eachS EOR'(t) = R(t) - 10, the son 11sof s corresponding to ::JX::JGpEOFs is such apre-state). For each such ~we have-'

f-Z~ :=J Bm :=J \I~( '"p)

and also

f-Z~:=J 3Gp

both of which formulae imply that

f- '" Z~

so that, by dilution,

f-af~ .

Thus, by the portion of the completeness proof corresponding to the mark-ing rule (M4), it follows that f-afs for each s EOR'(t), and in particular

f-aft. Q.E.D.

This concludes our proof of completeness, for we have shown that theassociated formula of each marked node is provable, and in particular

a/no == '" Po is provable, which is what we wanted to show. Q.E.D.

6. DISCUSSION

We have presented a probabilistic temporal logic for bounded modelswhich, syntactically, is quite similar to nonprobabilistic temporal logics forbranching time (VB, CTL). We have also given a deterministic single-exponential decision procedure for satisfiability in PTLb, and have presen-ted a complete axiomatization of this logic. Several additional consequen-ces of our results deserve comment:

First, the arguments of Section 4 actually imply that PTLb has the


FINITEPRE-MODELPROPERTY: If a formula p of PTLb is satisfiable, thenthere exists a finite set of states I (actually pre-states of the associatedtableau), and for each s E I there is a finite collection K(s) of probabilitydistributions over I (one for each tableau state in T(s)) suchthat a modelfor p can be obtained by some "strategy" of choosing at each model state s,one of the distributions in K(s); this adds all states (in I) in the support ofthat distribution as successors of s in the model.

This observation implies

PROPOSITION6.1. Let p be a formula of PTLb. If P is satisfiable, thenthere exists an execution of a finite probabilistic concurrent program (i.e.,having a finite state space and finitely many processes) which serves as amodel for p (in the sense described in remark (6) of Sect. 2).

Proof Consider the tableau for p: For each pre-state ~, let 1(0 be thenumber of states in T( ~); put I = max~ I(~), and K = f1, 2,..., l}. For each ~,let rP ~: K ~ T(~) be an arbitrary map onto T( 0 (thus, with each 1 ~ k ~ Iwe associate one transition from ~ to a state t E T(~)). The program is nowdefined as follows. The program states are the pre-states of the tableau; andthere are I processes; for each process k EK and each program state ~,execution of k at ~ results in the randomization (i.e., X-transitions) at thetableau state rP~(k). The specific execution of this program which satisfies pis obtained in a manner similar to the unwinding of the tableau into a Hin-tikka structure for p in Section 4-whenever the tableau scheduler in Sec-tion 4 chooses a state s in T( 0 for some pre-state ~, the correspondingprogram scheduler chooses a process k E K for which rPl;(k) = s. It is clearthat the resulting finite concurrent probabilistic program and its scheduleyield an execution of the program which serves as a model for p. Q.E.D.

Together with the remarks made in. Section 2 (see (6) there), this resultimplies that PTLb serves as a proper tool to argue about executions offinite concurrent probabilistic programs. Indeed, it p is a formula of PTLbwhich asserts some property about concurrent probabilistic programs, theneither p is indeed provable in PTLb, or else, by Proposition 6.1 applied to

'"p, we can construct a finite concurrent probabilistic program and

produce a certain scheduling of its processes for which execution p does nothold. This observation also implies the following

COROLLARY. Consider the class of concurrent probabilistic programs with(possibly) infinitely many states, finitely many processes and positive transi-tion probabilities bounded away from zero. Let p be a property of anexecution of such a program. If p is expressible in PTLb and is satisfied byan execution of such a program, then p must also be satisfied by an executionof a finite (i.e., finite-state) program in this class. .

"


A second observation is that PTLb does not have the finite modelproperty. By this we mean that there exist satisfiable formulas of PTLb,which however are not satisfied by any model of PTLf' An example of sucha formula is

r3 = VG3Fp /\ 3G '"p,

which is analyzed in the Appendix (see Example 3' there for the tableauconstruction and a proof of satisfiability of r3 in PTLb); In contrast, if oneexpands r3 in PTLr (using axiom (A3)), then it is easily checked that r3becomes unsatisfiable (in PTLf, or, equivalently, in the corresponding non-probabilistic logics CTL and VB). ".!

A third observation on the results developed so far concerns the struc-ture of the "schedule" used in Section 4 to construct a model from thetableau of a satisfiable formula p of PTLb. As noted there, that schedule isgenerally not finitary. However, a close inspection of its definition showsthat it needs to be nonfinitary only in cases where it enters some ergodic setE corresponding to some formula 3Gr, and it has to ensure that it gets outof E at every possible "exit" from E with positive probability. However,' theschedule really needs to exit E only if some states in E contain formulae ofthe form 3Gq (resp. p3Uq) which are not fulfilled inside E. In these casesthe schedule must make sure that for each occurrence of such a node in themodel there exists a path from that occurrence which reaches an ergodicset for 3Gq (resp. a state fulfilling g). In all other cases, there is no need forthe schedule to leave E once it had been entered, and the schedule can thenbe replaced by a finitary schedule. When this is the case, the model thatresults from unwinding the tableau of p in this finitary fashion is equivalentto a finite Markov chain, so that although p is a formula of PTLb, it is alsosatisfiable by a model of PTLr.

The precise condition that p has to satisfy for this property to hold issomewhat complicated to state, since it depends on properties of thetableau of p. Nevertheless, a simple sufficient condition can be given:

DEFINITION. (a) A formula of PTLb is said to be written in canonicalform if it is either a proposition, the negation of a proposition, or has oneof the forms q v r, q /\ r, 3Xq, VXq, q3Ur, q VUr, VFq, 3Gq, where q and rthemselves are written in canonical form (in other words, negations are"pushed" inside arguments of logical operators as much as possible).

(b) A formula p of PTLb is said to be finitary, if, when written incanonical form, it contains at most one subformula of the form 3Gq, and, ifit contains such a subformula, then it contains no subformulae of the formr 3Us.

Note that any formula p of PTLb can be writtep in equivalent canonical


form, using some of the expansion rules given in Tables I and II of Sec-tion 4.

)

THEOREM6.2. Let p be a finitary formula of PTLb. Then the followingare equivalent:

(a) p is satisfiable by a model of PTLb;

(b) p is satisfiable by a model of PTLf;

(c)'" P is not provable in PTLb;

(d)'"

p is not provable in PTLf'

Proof From the completeness of PTLb and of PTLf it follows that(a)<::>(c), and (b)<::> (d). It is also always the case that (d)~(a). If pisfinitary, then it is easily seen that only subformulae of the form 3Gq orq 3V r which appear in the canonical form of p, can appear in nodes of thetableau. It then follows from the' preceding remarks that if p is PTLb-satisfiable, then one can construct a PTLrmodel for p from its tableau,which shows that (a) ~ (b). Q.E.D.

As an application of this theorem, consider an assertion p about the ter-mination of a finite probabilistic concurrent program. It will generally havethe form (2.1) given in Section 2. It is easy to check that the negation of pcontains in canonical form only one occurrence of an 3G subformula, andno 3V subformulae. Hence, Theorem 6.2 applies to rv p, and implies that p

Iis provable in PTLb iff it is provable in PTLf' This in turn implies that theprogram terminates almost surely under any fair schedule iff it terminatesalmost surely under any fair and finitary schedule. Although this propertycould be deduced directly from the results of Hart, Sharir, and Pnueli(1983), it is interesting to obtain it as a special case of a purely syntacticcondition on formulae of our logics.

ApPENDIX A: EXAMPLES

"

In this Appendix we present four examples of the application of' ourdecision procedures to formulae of PTLb. To display the correspondingtableaux in more compact and readable form, we use the following conven-tions and shortcuts.: Only unexpanded formulae are shown at each node ofthe tableau; several successive a expansions are combined into a singleexpansion; closing of nodes is marked by X; pre-states are given numericallabels enclosed in circles, and states are given alphabetical labels enclosedin boxes; a and {3expansions are denoted by dashed edges, while X expan-sions are denoted by solid edges (we use the convention that an essential'..

148 HAR T AND' SHARIR

son is drawn as the left son). Several intermediate nodes are also givenlabels, when their associated set of formulae coincides with a set of apreviously constructed node. In this case further expansion of the tableaupast such a node is not shown, since it completely parellels the expansionof the preceding node. A node whose set of formulae coincides with that ofa preceeding node is given a label of the form a', where a is the label given

01: p VUq, VF-p, 3G-qI .....

I ""'I ""

~q, VF-p, 3G-q p, VX(p VU g), 3G-q, VF-p

I I ,, I"I "I ,

p ,-p, ., . p, VX(p VU g), VXVF-p, 3XVF-p, 3G-qq,-q, ...

q, VF-p,.\

/I' \,. \,.

Od : q,-p

/'/'

/'".,. ,

La : p, VX(p VUq), VXVF-p, 3XVF-p, -q, 3X3G-q, VX(trueV3G-q)

1 : p VU q, VF-p, 3G-q".. VF-p, (true V 3G-q)[true V 3G-q] ,/,/

,..,..

,..,..,..~,: p VU q, VF-p

/ "" '......

I ,, " "p, VX(p VU g), VF-p, ", ......., ", ', ' 0c: q, VXVF-p, 3XVF-p p,-p,'" b: p, VX(pVUq),

VX'v'F-p, 3XVF-p, PYlJ q. "F-p

>< x

xI

II

1

o'f : -p

4 . VF- p\ ', , , ,

l: VXVF-p, 3XItF-p

FIG. A.I. Construction of T I' .

" '


to that preceeding node. Finally each tableau is displayed in two figures,the first of which gives the full construction, whereas the second figure givesa condensed form of the tableau, involving only pre-states and states andtheir X and T-relationships. (For convenience, we will label states s in thissecond compact representation of the tableau by propositions and theirnegations appearing in Fs, and also by VF and 3G subformulae appearingin Fs.)

EXAMPLE1. '1 = (p VUq) 1\ VF'"

p 1\ 3G'"

q. This is the negation of theaxiom (A6), and will be shown indeed to be unsatisfiable. The constructionof the tableau T 1 for '1 is shown in Fig. AI, and the condensed form of T 1

is shown in Fig. A2. Applying the marking rule (M5) to VF'"

p, we notethat this formula is "fulfilled" at states d, d', and f, and that from any othernode of T 1 one of these states can be reached. Hence, no node is marked bythis rule. Next we apply rule (M6) to k = 3G

'"q. The relevant nodes are

Sk = {a, a'} and Y= {l, 2}. The decomposition yields

10 = {b, c, d}; HI = {I, 2}; Ii = {a, a'}.

However, II is not ergodic, because \iF", P is contained in Fa = Fa" but

'" p is not contained in these sets. Hence, (M6) will mark the nodes a, ai,1,2. Since the root of T 1 has been marked, we conclude that '1 isunsatisfiable.

EXAMPLE2. r2 = VF\ip 1\ 3G'"

p. This is the negation of axiom (AS),and will be shown to be unsatisfiable. The construction of the

91III

ja :p, -g, (3G-g) (\IF-p)

1 ~2' --,' ',--, ,---,,' "

,Od:--p, g

/c: g, (\IF-p)

?b:p, (\IF-P)-~'

.

a' :p, -g, (3G-g) (\IF-p)

q: 6~- cf 62, , , ',----" "

"", -----

d;,-p l"(""-p) dd' ,-p'l" "'(YF1",p,(YF-p)

FIG. A.2. Compact fonn of T 1.0- .


,01 : 'v'FYFp, :3G~p

",

" '" "

".....

".....

OS~'v'Fp,:3G~p """"",, , .....

I , ""',I , ""',, ,

"p,:3G-p b : 'v'XVB', :3XVFp, -p, LJa : vXVFYFp, :3XVFYFp,-c!1'

><

p,~>..~-p, VX(trueV:3G-~)\~

~X3G-P' 'X(b-~,v3 -p)

6 : VFp, trueV:=3G~S : 'v'Fp, :3G-p \2: 'v'FYFp, 1: 'v'FYFp,

""'... /true-::3G-p _G-p

I ...'

,I , , ,

I ..."04 : VFp Ds: vFp, :=3G-p ~.Q3 : VFYFp '01

'"~ ~"

,~ ,

,..C(4~: vFp,

",.. ... ~I. "

0;', p

t'

vxYFp.3XVpp

1"'X'I~Pp.3X'P'Fp

FIG. A.3. Construction of T2.

corresponding tableau T 2 is shown in Fig. A.3, and its condensed form isshown in Fig. AA. The subformula VFp is contained in nodes

4,5,6, b, b1, b', b~, d, d1, d2, d', e, e1' e2, e'

and is fulfilled at states e, e1, e2, e'. It easily follows that rule (M5) appliedto VFp does not result in any marking. Similarly, the subformula VFVFp isfulfilled at all the states of the b, d, or e "type." Again, no node is,markedfrom application of (M5) to this subformula.

Finally, consider rule (M6) applied to k = 3G .-vp. It is contained in thenodes

.

1,2,5,6,a,a1,b,b1,b',b~.

,OJ..."...

""

,

".....

Ib"q, '~01,':',

"1,',",,---

0;':;1:1~5 ~:J~'13\~~1

...'" ,.." ",'0;; '1;' 0::

1d' l'

Cl

64 04 3FIG. AA. Compact form of T2. .

c .


~2

(a) (b)

FIG. AS The transitions graphs used in (M6).

We first have

10 = {c, d, d', e, e'}.

The initial value of the transition graph used by the decompositionalgorithm of (M6) is shown in Fig. A.5(a). It follows that

H1={5,6}; II = {h', b~}.

The reduced transition graph used in the second decomposition step isshown in Fig. A.5(b), from which it follows that

Hz={1,2}; 1z= {a, ad; Lz= {b, bd.

But neither of 11, 1z is ergodic, the first because of the nonfulfillment ofVFp, and the second because of the nonfulfillment of VFVFp. Hence, (M6)causes the root 1 to be marked, so that 'z is unsatisfiable.

EXAMPLE3. '3 = 'v'G3Fp1\ 3G '"p (for simplicity we shall use the

auxiliary operators 'v'G, 3F explicitly, instead of their implicit represen-

~,,'"

81 : '�a=3Fp, 3G-pl' : 3Fp, '�X'la=3Fp, -p, 3EG-p, '�X(truev3G-p), \

.." \, \'

P-;i'/"~P'

'3JGG- P , YXYG'3Fp, yX(tnIDGG- p)

02,: 3Fp.;, '�a=3Fp, trueV3G-=;---Ol : '�G3Fp, 3G-p, [trueV3G-p], --, --, --

Q3:".:.~FP' '�X'IG3Fp- -

--01'I -------

1c: p, '�X'IG3Fp -'jb: 3EFp, '�X'IG3Fp

~3 : '�a=3Fp 63',II

03',

FIG. A.6. Construction of T3'":.:


Q1II

?\ -p,3G~p

~ D2 .

" '-:..- -A':'-P'3G~;-:f~--~C :p

~ b2 Q3 03, ,I ,

o~ Dc

FIG. A.7. Compact form of T3'

tations by means of the operators \lU, 3U). The construction of thecorresponding tableau 1'3 is given in Fig. A.6, and the condensed form ofl' 3 is given in Fig. A.7. Since the subformula 3Fp is "fulfilled" at state c, andsince c is reachable from any other node of l' 3, application of the markingrule (M5) results in no marking. Application of the rule (M6) to the sub-formula q = :3Gr..JP proceeds as follows: The set of relevant nodes is{1, 2, a, a'}. The decomposition as specified in (M6) gives

10= {b, c}; HI={1,2}; 11={a,a'}.

Since no subformulae of the form \IF appear in r3, the set II is ergodic, andso no node needs to be marked by this rule. Hence r3 is satisfiable. Toobtain a model for r3 from T 3 we can use the following "scheduling"strategy for the unwinding of 1'3 (this scheduling is simpler than that givenin Sect. 4, but has the disadvantage that it requires assignment of unequalprobabilities to edges emerging from a common state):

At the pre-state 1, schedule the (only possible) state a.

FIG. A.8. Unwinding T 3 into a mod~i for r3'

:."t

nO<

.'; -


01 : p, liCBXp, liF-pI,.

p, 3M, liXliCBXp,liF-p,, ~ ~

"

P>i::~' ~"~x=3Xp'V""F-P'3""F-P

~, liCBXp, liF-p 92 : vCBXp, liF-p..3:Xp, vxvCBXp, vF-p---,- - - "-

ie-:-::p~3Xp, vXvCBXp

J\:3Xp, vXliCBXp,liXliF-p, 3XVF-p

I3 : p, liG3Xp ~ ~2

III.

t'p,3Xp, "'<CBXp

FIG. A.9. Construction of T4'

At the pre-state 2, schedule the state a' until the first time in which thenumber of visits at the pre-state 2 equals the number of visits at the pre-state 1, in which case schedule the state c.

At the pre-state 3 always schedule the state c.

The resulting model is shown in Fig. A8. It essentially coincides with thebehavior of a random walk on the non-negative integers with absorption at

.O. This model will satisfy '3 provided that we assign a probability>! tothe edges from a to 1 and from a' to 1. The reader is invited to check that ifone expands subformulae of the form :JGq as in the nonprobabilistic case(Ben-An, Pnueli, and Manna, 1983) as q 1\ 3X3Gq, then the modifiedtableau for '3 would be such that no model for '3 could be obtained by itsunwinding.

91

~2 ,/ ,

t> 1\2rI.b:P

FIG. A.IO. Compact form of T4'

154 HART AND SHARIR

FIG. All. Unwinding T4 into a model for'4'

Remark. The formula r) is also satisfiable in the nonprobabilistic logicUB of Ben-Ari, Pnueli, and Manna .,(1983) (with the standard non-probabilistic interpretation of the operator 3G) by a smaller and simplertableau. However, as noted in Section 6, r) is unsatisfiable in PTLf' Thus,rewriting it using axiom (A3), we obtain a formulai which is unsatisfiable inany of the logics PTL/, CTL, UB.

EXAMPLE4. r 4 = P 1\ \lG3Xp 1\ \IF", p. This formula is chosen todemonstrate the different treatment of \IF formulae in our logic PTLb andin the nonprobabilistic logics UB, CTL. In fact r4 is shown below to besatisfiable as a formula of PTLb, but is unsatisfiable as a formula of UB.The construction of the corresponding tableau T 4 is shown in Fig. A.9, andthe condensed form of T 4 is shown in Fig. A.1a. The formula \IF", P isfulfilled at state c, and every node containing \IF", P can reach c. Hence,the rule (M5) does not cause any node to be marked, and r4 is con-sequently satisfiable. To obtain a model for r4 from T4 simply choose at thepre-state 2 always the state c (again, this is a simpler schedule than thegeneral one given in Sect. 4). The resulting model is shown in Fig. A.11(note that it certainly does not satisfy r 4 as a model of UB).

ACKNOWLEDGMENT

The authors would like to thank Amir Pnueli for suggesting the problem, and for severaluseful discussions concerning our logics. In particular, certain simplifications of the axiomaticsystems of Section 3 are due to him. We also wish to thank our anonymous referees whosecritical comments were very helpful in improving the presentation of this paper.

RECEIVEDJune 27, 1983; ACCEPTEDApril 18, 1985

REFERENCES

BEN~ARI, M., PNUELI, A., AND MANNA, Z. (1983), The temporal logic of branching time, ActaInj(mn. 20, 207-226.

.

;,'


EMERSON, E. A., AND CLARKE, E. M. (1982), Using branching time logic to synthesize syn-chronization skeletons, Sci. Comput. Program. 2, 241-266.

EMERSON, E. A., AND HALPERN, J. Y. (1982), Decision procedures and expressiveness in thetemporal logic of branching time, in "Proceedings 14th ACM Sympos. Theory of Com-put.," pp.169-179.

EMERSON, E. A., AND HALPERN, J. Y. (1983), "Sometimes" and "not never" revisited: Onbranching vs. linear time, in "Proceedings 10th ACM Sympos. Principles of Program.Lang," pp. 127-140.

FELDMAN, Y., AND HAREL, D. (1982). A probabilistic dynamic logic, in "Proceedings, 14thACM Sympos. Theory of Comput.," pp. 181-195.

FELDMAN, Y. (1983), A decidable propositional probabilistic dynamic logic, in "Proceedings15th ACM Sympos. Theory of Comput.," pp.298-309.

HART, S., SHARIR, M., AND PNUELI, A. (1983), Termination of concurrent probabilisticprograms, ACM Trans. Program. Lang. Systems 5, 356-380.

HART,. S., AND SHARIR, M. (1985), Concurrent probabilistic programs, or: How to Schedule ifYou Must, SIAM J. Comput.14, 991-1012; in "Proceedings, 10th Int. Colloq. Automata,Lang. & Program.," 1983, pp.304-318, Lecture Notes in Computer Science Vol. 154,Springer-Verlag, New York/Berlin, 1983.

KazEN, D. (1983), A probabilistic PDL, in "Proceedings 15th ACM Sympos. Theory of Com-put.," pp. 291-297.

KRAus, S. (1983), M. Sc. thesis, Computer Science Dept., Hebrew University, Jerusalem.KRAUS, S., AND LEHMANN, D. (1983), Decision procedures for time and chance, in

"Proceedings 24th IEEE Sympos. on Found. Comput. Sci.," pp.202-209.LEHMANN, D., AND SHELACH, S. (1982), Reasoning with time and chance, Inform. Control 53,

pp.165-198.PNUELI,. A. (1983), On the extremely fair treatment of probabilistic algorithms, in

"Pro~eedings 15th ACM Sympos. Theory of Comput.," pp.278-290.SHARIR, M., PNUELI, A., AND HART, S. (1984), The verification of probabilistic programs,

Siam 1. Comput.13, 292-314.

. Printed by the 81. Catherine Press Ltd., Tempelhof 41, Bruges, Belgium'

Documents

Probabilistic Propositional Temporal Logics*hart/papers/pr-logic.pdf · 2004. 12. 11. · PROBABILISTIC PROPOSITIONAL TEMPORAL LOGICS 99 Oftheselogics,thelastthreelogicsareextended