@@ -15,13 +15,193 @@ they are equisatisfiable (they denote the same set of configurations).
1515
1616### All-path finally
1717
18- Given a formula ` φ ` , let ` AFφ ` denote the formula “all-path finally” ` φ ` ,
19- defined by:
18+ Given a formula ` φ ` , let ` AFφ ` denote the formula “all-path finally” ` φ ` , whose
19+ intended semantics is: "the set of configurations for which on all paths,
20+ in a finite number of steps, ` φ ` holds".
2021
22+ Let us will first show that ` AFφ ` can be described by the formula
2123```
2224AFφ := μX.φ ∨ (○X ∧ •⊤)
2325```
2426
27+ Let ` Top ` be the set of all configurations, and let ` Prev ` be the pointwise
28+ extension of the function mapping a configuration to the set of all
29+ configurations which can reach the given configuration in one step.
30+ and ` ∁ ` be the complement operator on sets.
31+
32+ The semantics of ` μX.φ ∨ (○X ∧ •⊤) ` is ` LFP(G) ` where
33+ ```
34+ G(X) := ⟦φ⟧ ∪ ( ∁(Prev(∁(X))) ∩ Prev(Top) )
35+ ```
36+ Note that, since ` X ` is positively occuring in the scope of ` μ ` , ` G ` is
37+ monotone, so the ` LFP(G) ` exists and can be defined according to the
38+ Knaster-Tarski result, as the intersection of all pre-fixpoints of ` G ` ,
39+ that is, all ` A ` such that ` G(A) ⊆ A ` .
40+
41+ Let us also note that ` x ∈ G(A) ` iff ` φ ` holds for ` x ` or ` ∅ ⊂ Prev⁻¹({x}) ⊆ A ` ,
42+ i.e., iff ` φ ` holds for ` x ` or ` x ` is not stuck and all its transitions lead
43+ into ` A ` . Indeed,
44+ ```
45+ x ∈ G(A) ⟺ × ∈ ⟦φ⟧ ∪ ( ∁(Prev(∁(A))) ∩ Prev(Top)
46+ ⟺ × ∈ ⟦φ⟧ or (x ∈ ∁(Prev(∁(A))) and x ∈ Prev(Top))
47+ ⟺ × ∈ ⟦φ⟧ or (¬ x ∈ Prev(∁(A)) and ∅ ⊂ Prev⁻¹({x}))
48+ ⟺ × ∈ ⟦φ⟧ or (¬ (∃y y ∈ ∁(A) ∧ x ∈ Prev(y)) and ∅ ⊂ Prev⁻¹({x}))
49+ ⟺ × ∈ ⟦φ⟧ or (¬ (∃y ¬y ∈ A ∧ x ∈ Prev(y)) and ∅ ⊂ Prev⁻¹({x}))
50+ ⟺ × ∈ ⟦φ⟧ or ((∀y y ∈ A ∨ ¬ x ∈ Prev(y)) and ∅ ⊂ Prev⁻¹({x}))
51+ ⟺ × ∈ ⟦φ⟧ or ((∀y x ∈ Prev(y) ⟹ y ∈ A) and ∅ ⊂ Prev⁻¹({x}))
52+ ⟺ × ∈ ⟦φ⟧ or (Prev⁻¹({x}) ⊆ A and ∅ ⊂ Prev⁻¹({x}))
53+ ⟺ × ∈ ⟦φ⟧ or (∅ ⊂ Prev⁻¹({x}) ⊆ A)
54+ ```
55+
56+ Let ` stuck x ` be defined as ` Prev⁻¹(x) = ∅ ` and let ` x τ y ` be defined
57+ as ` y ∈ Prev⁻¹({x}) ` .
58+ We can also express ` ∅ ⊂ Prev⁻¹({x}) ⊆ A ` in terms
59+ of stuck and transitions, as ` ¬ stuck x ∧ ∀y x τ y → y ∈ A ` .
60+ Hence, ` x ∈ G(A) ` if either ` x ` matches ` ϕ ` , or ` x ` is not stuck and all
61+ its transitions go into ` A ` .
62+
63+ We can coinductively define (the possibly infinite) complete traces of the
64+ transition system determined by ` Prev⁻¹ ` starting in an element ` a ` as being:
65+ either just ` a ` , if ` stuck a ` , or ` a ` followed by a trace starting in ` b ` for
66+ some ` b ` such that ` a τ b ` .
67+ Given this definition, the trace semantics for ` AF ϕ ` is
68+ ```
69+ ⟦AF ϕ⟧ ::= { a | forall tr trace starting in a, exists b in tr such that b ∈ ⟦ϕ⟧ }
70+ ```
71+
72+ Let us first argue that ` ⟦AF ϕ⟧ ` is a pre-fixpoint of ` G ` , i.e., that
73+ ` G(⟦AF ϕ⟧) ⊆ ⟦AF ϕ⟧ ` .
74+ Take ` a ∈ G(⟦AF ϕ⟧) ` . Then either ` a ∈ ⟦ϕ⟧ ` or ` ¬ stuck a ` and for all ` b `
75+ such that ` a τ b ` , ` b ∈ ⟦AF ϕ⟧ ` .
76+ Let ` tr ` be a complete trace starting in ` a ` .
77+ If ` a ∈ ⟦ϕ⟧ ` , then we can choose precisely ` a ` as the witness on that trace
78+ for which ` ϕ ` holds.
79+ Otherwise, ` ¬ stuck a ` and for all ` b ` such that ` a τ b ` , ` b ∈ ⟦AF ϕ⟧ ` .
80+ Since ` ¬ stuck a ` it must be that ` tr ` cannot be just ` a ` (it's complete), so
81+ there must exist a ` b ` such that ` a τ b ` and ` b ` is the start of a trace ` tr' `
82+ such that ` tr = a ⋅ tr' ` . However, since ` a τ b ` , it follows that` b ∈ ⟦AF ϕ⟧ ` ,
83+ so ` tr' ` must contain a witness for which ` ϕ ` holds; that witness is also a
84+ witness for ` tr ` .
85+
86+ Let us now argue that ` ⟦AF ϕ⟧ ` is a post-fixpoint of ` G ` , i.e., that
87+ ` ⟦AF ϕ⟧ ⊆ G(⟦AF ϕ⟧) ` .
88+ Take ` a ∈ ⟦AF ϕ⟧ ` . We need to prove that either ` a ∈ ⟦ϕ⟧ ` or ` ¬ stuck a ` and
89+ for all ` b ` such that ` a τ b ` , ` b ∈ ⟦AF ϕ⟧ ` ,
90+ If ` ϕ ` holds for ` a ` then we're done. Assume ` a ∉ ⟦ϕ⟧ ` .
91+ Then it must be that ` ¬ stuck a ` , since otherwise ` a ` would be a complete trace
92+ starting in ` a ` with no witness for which ` ϕ ` holds.
93+ Let now ` b ` be such ` a τ b ` . We need to show that ` b ∈ ⟦AF ϕ⟧ ` . Let ` tr ` be a
94+ complete trace starting in ` b ` . Then ` a ⋅ tr ` is a complete trace starting in ` a ` .
95+ Since ` a ∈ ⟦AF ϕ⟧ ` , there must be a witness in ` a ⋅ tr ` for which ` ϕ ` holds.
96+ However, since ` ϕ ` doesn't hold for ` a ` , the witness must be part of ` tr `
97+ Since ` tr ` was chosen arbitrarily, it must be that ` a ∈ ⟦AF ϕ⟧ ` .
98+
99+ Therefore, ` ⟦AF ϕ⟧ ` is a fixpoint for ` G ` . To show that it is the LFP of ` G ` it
100+ suffices to prove that it is included in any pre-fixpoint of ` G ` .
101+ Let ` A ` be a pre-fixpoint of ` G ` , i.e., ` G(A) ⊆ A ` . That means that
102+ (1) ` A ` contains all configurations matching ` ϕ ` ; and
103+ (2) ` A ` contains all configurations which are not stuck and transition on all
104+ paths into ` A `
105+ Assume by contradiction that there exists ` a ∈ ⟦AF ϕ⟧ ` such that ` a ∉ A ` .
106+ We will coinductively construct a complete trace starting in ` a ` with no
107+ witness in ` A ` . Since ` A ` contains all configurations for which ` ϕ ` holds,
108+ this would contradict the fact that ` a ∈ ⟦AF ϕ⟧ ` .
109+ - if ` stuck a ` is stuck, then take the complete trace ` a `
110+ - if ` ¬ stuck a ` , since ` a ∉ A ` , it means that (2) is false; hence it exists
111+ a transition ` a τ b ` such that ` b ∉ A ` . Then take the complete trace
112+ ` a ⋅ tr ` where ` tr ` is obtained by applying the above process for ` b ∉ A ` .
113+
114+ Hence, ` ⟦AF ϕ⟧ ` is the LFP of ` G ` . Let us now study when this LFP can be
115+ expressed according to Kleene's formula, i.e., when ` LFP(G) = ⋃ₙGⁿ(∅) ` .
116+
117+ Given a complete trace ` tr ` , let ` trₙ ` be the ` n ` th element of the trace, if
118+ it exists.
119+
120+ Let us now argue that for any natural ` n ` , ` Gⁿ⁺¹(∅) ` denotes the set of
121+ configurations for which in at most ` n ` steps, on all paths, ` φ ` holds, i.e.,
122+ ```
123+ Gⁿ⁺¹(∅) = { a | forall tr trace starting in a, exists k ≤ n such that trₖ ∈ ⟦ϕ⟧ }
124+ ```
125+ We do that by induction on ` n ` :
126+ - Base case:
127+ ```
128+ G(∅) = ⟦φ⟧ ∪ ( ∁(Prev(∁(∅))) ∩ Prev(Top) )
129+ = ⟦φ⟧ ∪ ( ∁(Prev(Top)) ∩ Prev(Top) )
130+ = ⟦φ⟧ ∪ ∅
131+ = ⟦φ⟧
132+ = {a | a ∈ ⟦ϕ⟧}
133+ = { a | forall tr trace starting in a, exists k ≤ 0 such that trₖ ∈ ⟦ϕ⟧}
134+ ```
135+ - Induction case.
136+ `a ∈ Gⁿ⁺²(∅) = G(Gⁿ⁺¹(∅))` iff `φ` holds for `a` or `¬ stuck a` and forall b
137+ such that `a τ b`, `b ∈ Gⁿ⁺¹(∅)`.
138+ Let `tr` be a complete trace starting in `a`. If the trace is just `a`,
139+ then it must be that `a` is stuck, therefore `\phi` holds for `a` and since
140+ `0 ≤ n+1` we are done. Otherwise assume `tr = a ⋅ tr'` such that `tr'` is a
141+ complete trace starting in a configuration `b`. Then `a τ b`, hence `b ∈ Gⁿ⁺¹(∅)`.
142+ By the induction hypothesis, there exists `k ≤ n` such that `tr'ₖ ∈ ⟦ϕ⟧`, hence
143+ `trₖ₊₁ ∈ ⟦ϕ⟧`.
144+ Conversely, let `a` be such that forall `tr` trace starting in a, there exists
145+ `k ≤ 0` such that `trₖ ∈ ⟦ϕ⟧`. If `a ∈ ⟦ϕ⟧`, then `a ∈ G(Gⁿ⁺¹(∅))`. Suppose
146+ `a ∉ ⟦ϕ⟧`. Then `¬ stuck a` (otherwise `a` would be a trace starting in `a`
147+ for which the hypothesis would not hold). Let `b` be such `a τ b`.
148+
149+ Since `G` is monotone, we can deduce that `Gⁿ(∅) ⊆ Gⁿ⁺¹(∅)`
150+ (obviously `∅ ⊆ G(∅)` and then by applying monotone G `n` times).
151+ Therefore, the limit `⋁ₙGⁿ(∅)` exists.
152+
153+ By the characterization of `Gⁿ(∅)` presented above, it follows that `⋁ₙGⁿ(∅)`
154+ denotes the set of configurations for which there exists `n` sucht that in at
155+ most `n` steps, on all paths, `φ` holds.
156+
157+ However, in order for it to be expressible as the ML formula `μX.φ ∨ (○X ∧ •⊤)`
158+ it would have to be the `LFP(G)`, which would be true if `G(⋁ₙGⁿ(∅)) = ⋁ₙGⁿ(∅)`.
159+
160+ First, for all `n`, `Gⁿ(∅) ⊆ ⋁ₙGⁿ(∅)` and since `G` is monotone,
161+ `Gⁿ⁺¹(∅) ⊆ G(⋁ₙGⁿ(∅))`. Also, obviously `G⁰(∅) = ∅ ⊆ G(⋁ₙGⁿ(∅))`.
162+ Therefore, `⋁ₙGⁿ(∅) ⊆ G(⋁ₙGⁿ(∅))`.
163+
164+ Hence, to have equality, we would need that `G(⋁ₙGⁿ(∅)) ∖ ⋁ₙGⁿ(∅) = ∅`.
165+ We have that:
166+ ```
167+ x ∈ G(⋁ₙGⁿ(∅)) ∖ ⋁ₙGⁿ(∅)
168+ ⟺ x ∈ G(⋁ₙGⁿ(∅)) and x ∉ ⋁ₙGⁿ(∅)
169+ ⟺ (x ∈ ⟦φ⟧ or ∅ ⊂ Prev⁻¹({x}) ⊆ ⋁ₙGⁿ(∅)) and x ∉ ⋁ₙGⁿ(∅)
170+ ⟺ ∅ ⊂ Prev⁻¹({x}) ⊆ ⋁ₙGⁿ(∅) and x ∉ ⋁ₙGⁿ(∅) (since ⟦φ⟧ ⊆ ⋁ₙGⁿ(∅))
171+ ```
172+
173+ Given the above relation, we deduce that a sufficient condition ensuring that
174+ `G(⋁ₙGⁿ(∅)) ∖ ⋁ₙGⁿ(∅) = ∅` is that the transition system is finitely branching,
175+ i.e., that `Prev⁻¹({x})` is finite for any `x`. Indeed, suppose
176+ there exists `x ∈ G(⋁ₙGⁿ(∅)) ∖ ⋁ₙGⁿ(∅)`. Then, it must hold that
177+ `∅ ⊂ Prev⁻¹({x}) ⊆ ⋁ₙGⁿ(∅)` and `x ∉ ⋁ₙGⁿ(∅)`
178+ Let `k`, `y₁`, ..., `yₖ` be such that `Prev⁻¹({x}) = {y₁, ..., yₖ}`.
179+ Since `∀y x ∈ Prev(y) ⟹ ∃n y ∈ Gⁿ(∅)`, it must be that there exist
180+ `n₁`, ..., `nₖ` such that `yᵢ ∈ Gⁿⁱ(∅)` for any `1≤i≤k`.
181+ Let `m = 𝐦𝐚𝐱 {n₁, ... , nₖ}`. Since `(Gⁿ(∅))ₙ` is an ascending chain,
182+ it follows that `yᵢ ∈ Gᵐ(∅)` for any `1≤i≤k`, therefore `Prev⁻¹({x}) ⊆ Gᵐ(∅)`,
183+ whence `x ∈ Gᵐ⁺¹(∅)`, contradiction with the fact that `x ∉ ⋁ₙGⁿ(∅)`.
184+
185+ In what follows we will assume that the transition system generated by the
186+ theory of interest is finitely branching. Nevertheless, before continuing, let
187+ us give an example of a system and property for which the above construction is
188+ not a fixpoint.
189+
190+ #### CTL allways-finally `φ` vs. `μX.φ ∨ (○X ∧ •⊤)`
191+
192+ Consider the following K theory
193+
194+ ```
195+ syntax KItem ::= "x"
196+
197+ rule Y: Int => Y -Int 1 requires Y>0
198+ rule x => ?Y: Int ensures Y >= 0
199+ ```
200+
201+ and the claim `x → AF 0`
202+
203+ According to the CTL understanding of `AF`, the claim does not hold, as
204+
25205#### Semantics of `AFφ`
26206
27207By the definition above, `AFφ` is semantically defined as `LFP(G)`, the
@@ -38,26 +218,11 @@ possible transitions lead into `X`.
38218Since `AFφ` is a fixed-point of `G`, the identity `G(AFφ) = AFφ` holds, whence
39219`AFφ = φ ∨ (○AFφ ∧ •⊤)`.
40220
41- Moreover, ` G ` is monotone (` X ` occurs in a positive position) and we can show
42- that the conditions of Kleene's fixed-point theorem are satisfied:
43- ` Gⁿ(⊥) ⊆ Gⁿ⁺¹(⊥) ` , because ` Gⁿ(⊥) ` denotes the set of configurations for which
44- on all paths, in at most ` n-1 ` steps, ` φ ` holds.
45-
46- Let us argue the above by induction on ` n-1 ` .
47- - Base case: ` G(⊥) = φ ∨ (○⊥ ∧ •⊤) = φ ∨ (¬•¬⊥ ∧ •⊤) = φ ∨ (¬•⊤ ∧ •⊤) = φ ∨ ⊥ = φ ` ,
48- so ` G(⊥) ` is the set of configurations for which ` φ ` holds.
49- - Induction case: Assuming ` Gⁿ(⊥) ` denotes the set of configurations for which
50- on all paths, in at most ` n-1 ` steps, ` φ ` holds, ` Gⁿ⁺¹(⊥) = G(Gⁿ(⊥)) ` will be
51- the union between the set of configurations for which ` φ ` holds and those
52- which are not stuck and whose all possible transitions lead into the set of
53- configurations for which on all paths, in at most ` n-1 ` steps, ` φ ` holds, but
54- these are precisely the configurations for which on all paths, in at most ` n `
55- steps, ` φ ` holds.
56-
57- From Kleene's theorem, ` AFφ = ⋁ₙGⁿ(⊥) ` , whence, a configuration is in ` AFφ ` iff
58- it is in ` Gⁿ(⊥) ` for some positive integer ` n ` . By the characterization of
59- ` Gⁿ(⊥) ` presented above, it follows that ` AFφ ` denotes the set of configurations
60- for which on all paths, in a finite number of steps, ` φ ` holds.
221+ Moreover, since `⊥ ⊆ LFP(G)`, by iteratively applying monotone `G` and since
222+ `LFP(G)` is a fixpoint, we get that for all `n`, `Gⁿ(⊥) ⊆ LFP(G)`, whence
223+ `⋁ₙGⁿ(⊥) ⊆ LFP(G)`.
224+
225+ For the formula
61226
62227### Total corectness all-path reachability claims
63228
0 commit comments