A Safety and Liveness, Weakness and Strength, and the ...fisman/documents/EFH_TOCL14.pdfSafety and...

A

Safety and Liveness, Weakness and Strength, and the UnderlyingTopological Relations

Cindy Eisner, IBM Research - Haifa

Dana Fisman, Weizmann Institute of Science

John Havlicek, Freescale Semiconductor

We present a characterization that shows what it means for a formula to be a weak or strong version of

another formula. We show that the weak version of a formula is not the same as Alpern and Schneider’s

safety component, but can be achieved by taking the closure in the Cantor topology over an augmentedalphabet in which every formula is satisfiable. The resulting characterization allows us to show that the set

of semantically weak formulas is exactly the set of non-pathological safety formulas. Furthermore, we use

the characterization to show that the original versions of the ieee standard temporal logics psl and svaare broken, and we show that the source of the problem lies in the semantics of the sere intersection and

fusion operators. Finally, we use the topological characterization to show the internal consistency of thealternative semantics adopted by the latest version of the psl standard.

Categories and Subject Descriptors: F.4 [Theory of Computation]: Mathematical Logic and Formal

Languages; F.4.1 [Mathematical Logic and Formal Languages]: Mathematical Logic—Temporal Logic

General Terms: Verification, Theory, Languages, Standardization

Additional Key Words and Phrases: Temporal Logic, Safety, Liveness, Topology, Regular Expressions, PSL,

SVA

ACM Reference Format:ACM Trans. Comput. Logic V, N, Article A (January YYYY), 45 pages.

DOI:http://dx.doi.org/10.1145/0000000.0000000

1. INTRODUCTION

In recent years, model checking has become a mainstream tool for verification of hardware,with most industrial tools supporting one or both of the ieee standard temporal logicspsl [Eisner and Fisman 2006; IEEE c; d] and sva [Cerny et al. 2010; IEEE a; b]. In theselogics, as in ltl [Pnueli 1981], temporal logic operators come in weak and strong versions.Intuitively, a strong operator includes an eventuality requirement, while a weak operatordoes not. For instance, the ltl formula [p U q] (read p strong-until q) holds if p holds until qholds, and in addition, q eventually holds. The weak version, [p W q] (read p weak-until q),does not require that q eventually hold – it holds if the strong version holds, or if p holdsforever.

Most users of model checking have an intuitive understanding that formulas containingonly weak operators are easier to check than formulas containing also strong operators, andthat furthermore, before checking a formula ϕ, it can be beneficial to check a weak version

Authors addresses: Cindy Eisner, IBM Research - Haifa, Haifa University Campus, Mount Carmel, Haifa,31905, Israel, [email protected]; Dana Fisman, University of Pennsylvania, 3330 Walnut Street, Philadelphia,PA 19104-6389, USA, [email protected]; John Havlicek, Cadence Design Systems, 12515-7 ResearchBoulevard, Suite 250, Austin, TX 78759, USA, [email protected]

Permission to make digital or hard copies of part or all of this work for personal or classroom use isgranted without fee provided that copies are not made or distributed for profit or commercial advantageand that copies show this notice on the first page or initial screen of a display along with the full citation.Copyrights for components of this work owned by others than ACM must be honored. Abstracting withcredit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use anycomponent of this work in other works requires prior specific permission and/or a fee. Permissions may berequested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA,fax +1 (212) 869-0481, or [email protected]© YYYY ACM 1529-3785/YYYY/01-ARTA $15.00DOI:http://dx.doi.org/10.1145/0000000.0000000

ACM Transactions on Computational Logic, Vol. V, No. N, Article A, Publication date: January YYYY.

A:2

of it, obtained from a formula in positive normal form by weakening all operators. The userjustifies this based on her intuitive understanding of the relation between weak and strongversions of a temporal operator. However, until now the relation between the weak versionof a temporal operator and its strong counterpart has not been well understood.

We present a characterization that shows what it means for an operator to be the weakor strong version of another operator, or more generally for a formula to be a weak orstrong version of another formula. Our motivating example will be the pair of ltl operatorsweak-until (W) and strong-until (U). That is, we present a characterization that lets us saythat two formulas, ϕ and ϕ′, are related in the same way as the pair ψ = [p W q] andψ′ = [p U q], and furthermore, that the weak version of any new temporal operator in someextension of ltl is related to its strong version in the same way that W is related to U.

Although our work is theoretical, our motivation is practical. We use the characterizationto show that the original versions of the ieee standard temporal logics psl and sva arebroken in the sense that they have temporal operators that, intuitively, are expected toform a weak/strong pair, but that are not related semantically in the same way that Wis related to U. We show that the source of the problem lies in the semantics of the sereintersection and fusion operators. Finally, we use the topological characterization to showthat an alternative semantics, proposed in [Eisner and Fisman 2008] and adopted by thelatest version of the psl standard [IEEE d], restores the internal consistency of the logic inthe sense that all the expected weak/strong pairs are related in the same way.

We begin by noting that the weak/strong dichotomy is related to another dichotomy intemporal logic, that of safety vs. liveness formulas. Loosely speaking, a safety formula claimsthat “something bad” does not happen, while a liveness formula claims that “somethinggood” eventually happens. Some formulas are neither safety nor liveness. For instance, theformula [p W q] is a safety formula, the formula [true U q] is a liveness formula, and theformula [p U q] is neither.

A safety property is a set of words that can be described by a safety formula, and aliveness property is a set of words that can be described by a liveness formula. Alpern andSchneider [Alpern and Schneider 1985] showed that any property can be decomposed into asafety property and a liveness property whose intersection is the original. They work withthe Cantor topology on infinite words, and their proof is based on the observation thatthe safety properties are the closed sets and the liveness properties the dense sets in thistopology. In [Alpern and Schneider 1987], they refer to the safety property obtained bytaking the closure in the Cantor topology as the safety component. Intuitively, we expectthe safety component to give a property equivalent to the one obtained by weakening theoperators (i.e., replacing U with W, etc.), and usually it does. For example, let p and q beatomic propositions. Then [pW q] describes the safety component of the property describedby [p U q]. However, replacing q by false breaks the relation between the safety componentand weakening the operators. The safety component of the property described by [p U false]is the empty set, which is described not by [p W false] but by false.

We show that weakening of a formula can be achieved by taking the closure in the Cantortopology over an augmented alphabet in which all formulas are satisfiable. The resultingframework allows us to show interesting relationships between weak and strong operatorsand formulas. For example, we show that the set of semantically weak formulas is exactlythe set of non-pathological safety properties, thus strengthening the result in [Kupfermanand Vardi 1999].

Because many verification methods can examine only a finite prefix of an infinite execu-tion [Eisner et al. 2003], we are interested in a characterization that includes finite as wellas infinite words. Therefore we will start by generalizing Alpern and Schneider’s topologicalideas to the set of finite and infinite words.


A:3

2. PRELIMINARIES

2.1. Notation

We denote a letter from a given alphabet Γ by `, and an empty, finite, or infinite word fromΓ by u, v, or w. The concatenation of u and v is denoted by uv. If u is infinite, then uv = u.The empty word is denoted by ε, so that wε = εw = w. If w = uv, we define w/u = v andwe say that u is a prefix of w, denoted u � w, that v is a suffix of w, and that w is anextension of u, denoted w � u.

We denote the length of word v as |v|. The empty word ε has length 0, a finite non-empty word v = (`0`1`2 · · · `n) has length n + 1, and an infinite word v = (`0`1`2 · · · )has length ω, where ω denotes the first transfinite ordinal number. We use i, j, and k todenote non-negative integers. For i < |v| we use vi to denote the (i+ 1)st letter of v (sincecounting of letters starts at zero). We denote by vi.. the suffix of v starting at vi. Thatis, vi.. = ìì+1 · · · `n or vi.. = ìì+1 · · · . We use vi..j to denote the finite word starting atposition i and ending at position j. That is, vi..j = ìì+1 · · · `j .

We denote a set of finite/infinite words by U , V or W and refer to them as properties. Theset of finite prefixes of W , denoted fpref (W ), is the set {finite u | ∃w ∈W such that u � w}.The concatenation of U and V , denoted UV , is the set {uv | u ∈ U, v ∈ V }. The fusion of Uand V , denoted U ◦V , is the set {u`v | u` ∈ U, `v ∈ V }. Define V 0 = {ε} and V k = V V k−1

for k ≥ 1. The Kleene closure of V , denoted V∗, is the set V

∗=

⋃k<ω V

k. The notation V +

is used for the set⋃

0<k<ω Vk. The infinite concatenation of V to itself is denoted V ω. The

union V ∗ ∪ V ω is denoted V∞. For a letter ` we use `k, `∗, `+, `ω, and `∞ as abbreviationsof {`}k, {`}∗, {`}+, {`}ω, and {`}∞, respectively.

We use P to denote a set of atomic propositions, and B to denote a set of Booleanexpressions (propositional formulas) over P . We use p and q to denote elements of P and

a, b, and c to denote elements of B. We use Σ to denote 2P , and we use Σ to denote theaugmented alphabet Σ ∪ {>,⊥}, where > and ⊥ are special letters that we will define inthe sequel.

The semantics of Boolean expressions over Σ is assumed to be given as a relation ⊆Σ × B relating letters in Σ with Boolean expressions in B. If (`, b) ∈ we say that the

letter ` satisfies the Boolean expression b and denote it ` b. For a proposition p ∈ P and

a letter ` ∈ Σ, we assume that ` p iff p ∈ `. We assume that otherwise the relationbehaves in the usual manner, and in particular that Boolean disjunction, conjunction andnegation behave as usual. Finally, true and false are the Boolean expressions such that trueis satisfied by every letter in Σ and false is satisfied by no letter.

For b ∈ B, we sometimes abuse notation and use b to denote the property {` ∈ Σ | ` b},and ab to denote the property ab. For p ∈ P , we use 〈p〉 to denote the letter ` ∈ Σ such

that ` p and ∀q ∈ P s.t. q 6= p, ` / q. Since an atomic proposition p is also a Booleanexpression, we have that p signifies the set of letters on which p holds, whereas 〈p〉 signifiesthe single letter on which p and only p holds.

We use ϕ and ψ to denote formulas, |= to denote formula satisfaction, JϕK to denote

{w ∈ Σ∞ | w |= ϕ}, and J〈ϕ〉K to denote {w ∈ Σ∞ | w |= ϕ}. The language of ϕ over Σ

is the property JϕK, and the language of ϕ over Σ is the property J〈ϕ〉K. We use ϕ ≡ ψ todenote that JϕK = JψK, and ϕ ≡ ψ to denote that J〈ϕ〉K = J〈ψ〉K.

Let v be a finite word and L ⊆ Σ∞ a property. We say that v is a bad prefix of L if forevery w ∈ Σ∞ such that w � v we have w /∈ L.

We use the term positive normal form for formulas in which negation is applied only toBoolean expressions.

We use cl(·), int(·) and bd(·) for topological closure, interior, and boundary, respectively.These topological concepts are defined in Section 2.3.


A:4

Definition 1 ELTL FormulasLet b be a Boolean expression. The set of eltl formulas is recursively defined as follows:

ϕ ::= b! | b | ¬ϕ | ϕ ∧ ϕ | ϕ ∨ ϕ | X! ϕ | X ϕ | [ϕ U ϕ] | [ϕ W ϕ]

Definition 2 Semantics of eltlLet v ∈ Σ∞ be a word.

• v |= b! ⇐⇒ |v| > 0 and v0 bv |= b ⇐⇒ either v |= b! or |v| = 0

• v |= ¬ϕ ⇐⇒ v |=/ ϕv |= ϕ ∨ ψ ⇐⇒ v |= ϕ or v |= ψv |= ϕ ∧ ψ ⇐⇒ v |= ϕ and v |= ψ

• v |= X! ϕ ⇐⇒ |v| > 1 and v1.. |= ϕv |= X ϕ ⇐⇒ either v |= X! ϕ or |v| ≤ 1

• v |= [ϕ U ψ] ⇐⇒ ∃k < |v| : vk.. |= ψ and ∀j < k : vj.. |= ϕv |= [ϕ W ψ] ⇐⇒ either v |= [ϕ U ψ] or ∀j < |v| : vj.. |= ϕ

Definition 3 Additional Syntactic Operators

• F ϕ def= [true U ϕ] • G ϕ

def= [ϕ W false]

2.2. ELTL

We use a simple extension of ltl over finite as well as infinite and empty as well as non-empty words, shown in Definition 1, that we denote eltl. To do so, the syntax of ltl isextended to include two next-time operators, one weak (X) and one strong (X!) [Mannaand Pnueli 1992, pp. 272-273]. The semantics distinguishes between the weak and strongversions only on the last letter of a finite word: X ϕ holds on the last letter of any finiteword for any ϕ, and X! ϕ does not. Similarly, since we interpret the logic over the emptyword as well, we define weak and strong Boolean expressions. A strong Boolean expressionis satisfied over a word if it is not empty and the first letter satisfies the Boolean expression,and the weak Boolean expression is satisfied also if there is no first letter, i.e. if the word isempty.

The semantics of eltl is defined inductively as shown in Definition 2. Additional syntacticoperators are defined as shown in Definition 3.

2.3. Topology on Finite and Infinite Words

In this section we present the topology that we use in this paper. We assume that thereader has some familiarity with elementary topology and refer to [Kelley 1975] for topo-logical background, or [Hoogeboom and Rozenberg 1986, Section 5] for an overview of thetopological characterization of finite and infinite languages.

Given a set S, a topology on S is defined by specifying a family U of subsets of S satisfyingthe following conditions: (1) ∅ ∈ U ; (2) S ∈ U ; (3) an arbitrary union of elements of U isin U ; and (4) a finite intersection of elements of U is in U . The elements of U are calledthe open sets of S under this topology. Let A be a subset of S. If S \ A is an open set,then A is said to be a closed set. The closure of A in this topology, denoted cl(A), is theintersection of all closed sets containing A. Similarly, the interior of A, denoted int(A), isthe union of all open sets contained within A. The closure of A is the smallest superset of


A:5

Definition 4 The Cantor Topology on Γ∞

The Cantor topology on Γ∞ is defined by letting the family of open sets be the collectionof all languages of the form WΓ∞, where W ⊆ Γ ∗.

Definition 5 Prefix and Extension Closed SetsLet V ⊆ Γ∞.

• V is prefix closed if u � v ∈ V implies u ∈ V .• V is extension closed if w � v ∈ V implies w ∈ V .

Definition 6 Limit Closed and Finite WitnessesLet V ⊆ Γ∞.• V has finite witnesses if ∀w ∈ V , there exists finite u � w such that u ∈ V .• V is limit closed if ∀w ∈ Γ∞, if all finite prefixes of w are in V then w ∈ V .

A that is a closed set, while the interior of A is the largest subset of A that is an open set.The boundary of A in this topology, denoted bd(A), is the difference cl(A) \ int(A).

Let Γ be an arbitrary alphabet. The Cantor topology on Γω (see, e.g., [Thomas 1990]) isdefined by letting the family of open sets be the collection of all ω-languages of the formWΓω, where W ⊆ Γ ∗. We are interested in extending this topology to finite as well asinfinite words over Γ . Replacing Γω by Γ∞, we get as candidate family of open sets thecollection of all languages of the form WΓ∞, where W ⊆ Γ ∗. The following propositionconfirms that this family satisifies the conditions for a topology.

Proposition 1. The collection of languages WΓ∞ such that W ⊆ Γ ∗ forms a familyof open sets for a topology on Γ∞.

We are therefore justified in using this family as the collection of open sets of the Cantortopology extended to Γ∞ as shown in Definition 4.

It is possible to characterize the Cantor topology on Γ∞ in terms of prefix/extension/limitclosed sets and sets that have finite witnesses. These sets are defined in Definitions 5 and 6.We observe that prefixed closed sets and extension closed sets are dual to each other. Thatis, V is prefix closed iff Γ∞ \ V is extension closed. Similarly, V is limit closed iff Γ∞ \ Vhas finite witnesses. We also note that the notions of prefix/extension closed are strongerthan the notions of limit closed and finite witnesses in the following sense: If V is prefixclosed then V has finite witnesses, and if V is extension closed then V is limit closed. Weare now ready to characterize the closed and open sets in terms of these concepts.

Proposition 2 (Closed and Open Sets in Γ∞). Let V ⊆ Γ∞.

• V is closed in the Cantor topology iff V is both prefix closed and limit closed.• V is open in the Cantor topology iff V is extension closed and has finite witnesses.

Finally, we will in the sequel make use of a direct characterization of the closure andinterior operators in the Cantor topology.

Proposition 3 (Closure and Interior in Γ∞). Let V ⊆ Γ∞.

• cl(V ) = {w ∈ Γ∞ | ∀ finite u � w : ∃v � u : v ∈ V }.• int(V ) = {w ∈ Γ∞ | ∃ finite u � w : ∀v � u : v ∈ V }.

2.3.1. Examples. We consider the set of properties shown in Table I, which are slight mod-ifications of Rem’s examples [Rem 1990] (see also [Manolios and Trefler 2003]). In theseexamples, expressions, a, b, and c denote particular Boolean expressions in B \{true, false}.


A:6

i Pi ϕi p.c. e.c. l.c. f.w.

0 The empty set ∅ false! X X X X1 The empty word {ε} false X X X2 The set of non-empty finite

wordsΣ+ F X false X X

3 The set of finite words Σ∗false ∨F X false

X X

4 The set of infinite words Σω true! ∧G X! true

X X

5 The set of finite and infinitewords

Σ∞ true X X X X

6

There are at most 3 let-ters. The first (resp., second,third) letter, if it exists, sat-isfies a (resp., b, c).

abc ∪ ab ∪ a ∪ {ε}

a ∧X b ∧XX c ∧XXX false

X X X

7There are at least 3 letters.The first and third letterssatisfy b and the second sat-isfies c

bcbΣ∞b! ∧X! c ∧X!X! b

X X X

8 The first letter satisfies aand there exists a letter thatdoes not satisfy a

aΣ∗(Σ \ a)Σ∞ a! ∧ F ¬a X X X

9 The number of letters satis-fying a is finite

Σ∗(Σ \ a)∞ ϕ3 ∨ F G ¬a X X

10 The number of letters satis-fying a is infinite

(Σ∗a)ω ϕ4 ∧ G F a X X

11 There is a letter satisfying band every prior letter satis-fies a

a∗bΣ∞ [a U b] X X X

12 Either every letter satisfies aor there is a letter satisfyingb and every prior letter sat-isfies a

a∗bΣ∞ ∪ a∞ [a W b] X X X

Table I. Rem’s examples [Rem 1990; Manolios andTrefler 2003]

For each property Pi we give an eltl formula ϕi such that Pi = JϕiK. A X in the appropri-ate column indicates that the property has the characteristic, while lack of a X indicatesthat it does not. We use p.c. to indicate prefix closed, e.c. for extension closed, l.c. for limitclosed, and f.w. for has finite witnesses.

2.4. Safety and Liveness, a Topological Characterization

Roughly speaking, a formula ϕ is said to define a safety property iff any word violating ϕcontains a finite prefix all of whose extensions violate ϕ. A formula ϕ is said to define aliveness property iff any arbitrary finite word has an extension satisfying ϕ. The traditionaldefinitions for safety and liveness in the literature concentrate on infinite words alone.Definition 7 extends that of [Manna and Pnueli 1992] to finite words as well. The safetycomponent of an arbitrary set of infinite words is defined in [Alpern and Schneider 1987] tobe its closure in the Cantor topology. Definition 7 extends this notion of safety component


A:7

Definition 7 Safety, Liveness, Safety Component

Let W ⊆ Σ∞.•W is a safety property if ∀w ∈ (Σ∞ \W ): ∃ finite u � w s.t. ∀v: uv ∈ (Σ∞ \W ).•W is a liveness property if ∀ finite u: ∃ v s.t. uv ∈W .•The safety component of W is its closure, cl(W ), in the Cantor topology on Σ∞.

to the space of finite and infinite words. A formula is said to be a safety (liveness) formulaif its language is a safety (liveness) property. Some formulas are neither safety nor liveness.For instance, the formula [p W q] is a safety formula, the formula F q is a liveness formula,and the formula [p U q], equivalent to [p W q] ∧ F q, is neither.

In [Alpern and Schneider 1985], Alpern and Schneider showed that any property oninfinite words can be decomposed into a safety property and a liveness property whoseintersection is the original. Their proof is based on the observation that the safety propertiesare the closed sets of the Cantor topology on Σω and the liveness properties are the densesets in this topology. The following proposition asserts that the same decomposition existswhen considering the space Σ∞ of finite and infinite words, with the above definitions ofsafety and liveness.

Proposition 4. The safety properties are the closed sets of the Cantor topology on Σ∞,and the liveness properties are the dense sets in this topology. Furthermore, every propertyin Σ∞ can be decomposed into a safety property and a liveness property whose intersectionis the original.

Recall from elementary topology that a set U ⊆ Σ∞ is closed iff cl(U) = U , and it isdense iff cl(U) = Σ∞ or equivalently, int(Σ∞ \ U) = ∅. Referring back to our examples, wehave by Proposition 2 that P0, P1, P5, P6 and P12 are closed and P0, P5, P7, P8 and P11

are open. It follows from Proposition 4 that ϕ0, ϕ1, ϕ5, ϕ6, ϕ12 are safety. The closure ofproperties P2, P3, P4, P5, P9, and P10 is Σ∞ and thus by Proposition 4, ϕ2, ϕ3, ϕ4, ϕ5, ϕ9

and ϕ10 are liveness. Properties ϕ7, ϕ8 and ϕ11 are neither safety nor liveness (the closureof P7 is {ε} ∪ b ∪ bc ∪ P7, the closure of P8 is {ε} ∪ aΣ∞, and the closure of P11 isa∞ ∪ P11). Note that P0 and P5 are both open and closed, and that ϕ0 and ϕ5 are bothsafety and liveness.

3. CHARACTERIZING WEAKNESS AND STRENGTH

3.1. The Characterization

Our goal is to define the weak version of an eltl formula, such that [ϕ W ψ] is the weakversion of [ϕ U ψ], X ϕ is the weak version of X! ϕ, and such that the weak version of anyeltl formula χ is related to χ in the same way that [ϕ W ψ] is related to [ϕ U ψ].

First we note that Alpern and Schneider’s safety component does not achieve our goal.For example, the safety component of the property defined by [p U false] ≡ false! is theempty set, but we would like the weak version of [p U false] to be [p W false], whoselanguage is non-empty. Eliminating Boolean expressions equivalent to false does not solvethe problem. For example, let ϕ = [true U Gp]∧ [true U G¬p] ≡ false!. The safety componentof the language of ϕ is the empty set, but we would like the weak version of ϕ to be[true W Gp] ∧ [true W G¬p] ≡ true.

Furthermore we note that it is not possible to define the weak version of a property in a waythat meets our goal. The reason is that [p U false] ≡ X! false (that is, both formulas definethe same property), but our goal dictates that their weak versions be different. Nonetheless,we would like to obtain a semantic rather than syntactic characterization, so that it willcapture the essence of the relation between weak and strong formulas and so that it can beapplied to any new temporal operator.


A:8

Definition 8 Boolean Satisfaction for > and ⊥Let b be a Boolean expression.

•> b • ⊥ / b

Definition 9 Semantics of eltl over the Augmented Alphabet

Let v ∈ Σ∞ be a word. The semantics of eltl over the augmented alphabet is exactly asin Definition 2, but using the augmented Boolean satisfaction relation and using the dualword in the semantics of negation as follows:

• v |= ¬ϕ⇐⇒ v |=/ ϕ.

Definition 10 Weak and Strong Components of eltl Formulas

Let ϕ be an eltl formula. Its weak and strong components, denoted weak(ϕ) and strong(ϕ)respectively, are defined as follows:

• weak(ϕ) = cl(J〈ϕ〉K) • strong(ϕ) = int(J〈ϕ〉K)

On the one hand, we want a characterization that distinguishes between two formulaswhich are syntactically distinct, but semantically equivalent. On the other hand, we want acharacterization that is semantic, rather than syntactic. It seems that we have set ourselvesan impossible task. Our approach is to enhance the set of models over which formulas areinterpreted so that previously equivalent formulas for which our goal dictates different weakversions are no longer equivalent, but also in a way that such formulas remain equivalentwhen restricted to the original set of models.

Our solution is based on noticing that the “problem” with Alpern and Schneider’s safetycomponent is that the property described by [p U false] is the empty one. We thereforeaugment the set of models of a formula in such a way that no formula describes the emptyproperty, while ensuring that the satisfiability over the original set of models Σ∞ is notchanged. We accomplish this by augmenting the alphabet with two special letters > and ⊥,such that >ω models every formula and ⊥ω models no formula.

Formally, we define the semantics of eltl over the augmented alphabet Σ = Σ ∪{>,⊥}.We use w to denote the word obtained by replacing every > with a ⊥ and vice versa. For aproperty W , we use W to denote the property {w | w ∈W}. We call w (W ) the dual word

(property) of w (W ). For a property W , we denote by W c the property Σ∞ \W . We refer to

W c as the complement property of W .1 We augment the Boolean satisfaction relation to

all of Σ as shown in Definition 8, and the formula satisfaction |= as shown in Definition 9.

Note that > |= false! and ⊥|=/ true. By induction, we get the following:

Proposition 5. Let ϕ be an eltl formula. Then >ω |= ϕ and ⊥ω |=/ ϕ.

The safety component of [Alpern and Schneider 1987] is obtained by taking the closurein the Cantor topology on the set of infinite words over the alphabet Σ, where the closedsets are the safety properties. As shown in Definition 10, our weak component is obtainedby taking the closure in a topology on both finite and infinite words over the augmented

alphabet Σ. Dually, the strong component is obtained by taking the interior in the sametopology. From basic results in topology, we observe:

1Do not confuse W and W c with the topological closure of W , denoted cl(W ).


A:9

Definition 11 Syntactically Weak and Strong eltl Formulas

Let b be a Boolean expression.

• The set of syntactically weak eltl formulas is recursively defined as follows:

ϕ ::= b | ϕ ∧ ϕ | ϕ ∨ ϕ | X ϕ | [ϕ W ϕ]

• The set of syntactically strong eltl formulas is recursively defined as follows:

ϕ ::= b! | ϕ ∧ ϕ | ϕ ∨ ϕ | X! ϕ | [ϕ U ϕ]

Definition 12 Semantically Weak and Strong eltl Formulas

Let ϕ be an eltl formula.

• ϕ is semantically weak iff weak(ϕ) = J〈ϕ〉K.• ϕ is semantically strong iff strong(ϕ) = J〈ϕ〉K.

Observation 6. Let ϕ be an eltl formula.

• strong(ϕ) ⊆ J〈ϕ〉K ⊆ weak(ϕ)

To see that Definition 10 captures our intuition, we would like to state that the weakoperators are the weak versions of their strong counterparts. The following propositionshows that for each formula in positive normal form, weakening/strengthening each of theoperators results in a formula describing the weak/strong component, respectively.

Proposition 7. Let ϕ be an eltl formula in positive normal form. Let ϕw be theformula obtained by weakening all operators (replacing b! with b, X! with X and U with W).Let ϕs be the formula obtained by strengthening all operators. Then

• J〈ϕw〉K = weak(ϕ) • J〈ϕs〉K = strong(ϕ)

For example, let ϕ,ψ be eltl formulas in positive normal form. Then[ϕ U ψ]w = [ϕw W ψw],and so by Definition 10 and Proposition 7,

cl(J〈[ϕ U ψ]〉K) = weak([ϕ U ψ]) = J〈[ϕw W ψw]〉K

By working over the augmented alphabet Σ we have obtained the desired correspondencebetween closure in the Cantor topology (our weak component) and weakening of the oper-ators. As observed in the introduction, this correspondence breaks down over the originalalphabet Σ using Alpern and Schneider’s safety component. From another perspective,Proposition 7 shows that what is syntactically weak (strong) is also semantically weak(strong), where syntactically/semantically weak/strong are defined in Definitions 11 (simi-lar to [Sistla 1994]) and 12. The converses do not hold. For example, (Gp)∧(Fq∨F¬q∨ false)is semantically, but not syntactically, weak. And (Fp) ∨ (Gq ∧ G¬q ∧ true!) is semantically,but not syntactically, strong.

We say that word w is finitely consistent with ϕ if for every finite prefix u � w, u>ωsatisfies ϕ. For finite w, it follows that w is finitely consistent with ϕ iff w>ω |= ϕ. Forexample, bc is finitely consistent with ϕ7 of Table I, and both aaa and aω are finitelyconsistent with ϕ11. Similarly we say that word w finitely establishes ϕ if w has a finiteprefix u such that u⊥ω, satisfies ϕ. For example bcb and bcbaa finitely establish ϕ7, and aabfinitely establishes ϕ11.

In analogy with the notions of weak and strong satisfaction in [Eisner et al. 2003], thefollowing proposition shows that the weak component of a formula ϕ consists of all wordsthat are finitely consistent with ϕ, and the strong component consists of all words thatfinitely establish ϕ.


A:10

Definition 13 Informative Bad Prefix

Let v ∈ Σ∗ be a finite word and ϕ an eltl formula. Then v is an informative bad prefixfor ϕ iff v⊥ω |= ¬ϕ.

Proposition 8. Let ϕ be an eltl formula.

• weak(ϕ) = {w ∈ Σ∞ | ∀ finite u � w : u>ω ∈ J〈ϕ〉K}• strong(ϕ) = {w ∈ Σ∞ | ∃ finite u � w : u⊥ω ∈ J〈ϕ〉K}

As an additional check on our intuition, we have that if a word is a counterexample of astrong property but not its weak counterpart, then its entirety is needed – in other words noproper prefix of it is a finite counterexample of its weak counterpart. This is stated formallyby the following proposition.

Proposition 9. Let ϕ be an eltl formula. Then

fpref ((Σ∞ \ strong(ϕ)) \ (Σ∞ \ weak(ϕ))) ∩ (Σ∞ \ weak(ϕ)) = ∅

The following propositions, the proofs of which are topological, show how weakness andstrength interplay with negation and complementation. Proposition 10 can be thought ofas generalizing duality relations involving negation and strength, such as the equivalencesX¬ϕ ≡ ¬(X! ϕ) and F¬ϕ ≡ ¬(Gϕ). Proposition 11 states that semantically weak and strongformulas are dual to each other.

Proposition 10. Let ϕ be an eltl formula. Then

• weak(¬ϕ) = (strong(ϕ))c • strong(¬ϕ) = (weak(ϕ))c

Proposition 11. Let ϕ be an eltl formula. Then ϕ is semantically strong iff ¬ϕ issemantically weak.

3.2. The Relation to Classification of Safety Formulas

It follows from Proposition 2 and Definition 10 that weak(ϕ) is both prefix closed and limitclosed and strong(ϕ) is both extension closed and has finite witnesses. The finite witnessesquality of strong(ϕ) can be understood in terms of the definitive prefix of [Eisner et al.2003] and the informative bad prefixes of [Kupferman and Vardi 1999]. The definitive prefixof a word w with respect to a formula ϕ is the shortest finite prefix u � w such that eitheru and all its extensions satisfy ϕ or u and all its extensions fail to satisfy ϕ. Such a finiteprefix need not exist.

The concept of an informative bad prefix is defined syntactically in [Kupferman and Vardi1999]. In [Eisner et al. 2003] we gave a semantic definition, which, as shown in [Eisner et al.

2006], can be restated in terms of the alphabet Σ as shown in Definition 13. It follows thatthe finite words in strong(¬ϕ) are exactly the informative bad prefixes for ϕ. It is shownin [Eisner et al. 2003] that the definitive prefix of w with respect to ϕ (if it exists) is theshortest informative bad prefix for either ϕ or ¬ϕ.

The relation to informative bad prefixes is interesting since it helps us show that se-mantically weak formulas are not only safety formulas, but are also of a good kind in thesense of admitting efficient model checking. Kupferman and Vardi [Kupferman and Vardi1999] use the notion of informative bad prefixes as the base for a classification of safetyproperties into three distinct levels. A formula is intentionally safe if all of its bad prefixesare informative. For example, the formula Gp is intentionally safe. A formula is accidentallysafe if every computation that violates it has an informative bad prefix. For example, theformula G(p ∨ (Xq ∧ X¬q)) is accidentally safe. A formula is pathologically safe if there is a


A:11

Definition 14 Weak and Strong Satisfaction

Let ϕ ∈ ltlsere.

• w |=− ϕ denotes w>ω |= ϕ and J〈ϕ〉K− denotes the set {w ∈ Σ∞ | w>ω |= ϕ}• w |=+

ϕ denotes w⊥ω |= ϕ and J〈ϕ〉K+ denotes the set {w ∈ Σ∞ | w⊥ω |= ϕ}

computation that violates it and has no informative bad prefix. For example, the formula(G(p1 ∨ FGq) ∧ G(p2 ∨ FG¬q)) ∨ Gp1 ∨ Gp2 is pathologically safe.

It is shown in [Kupferman and Vardi 1999] that for non-pathologically safe formulas(the set of formulas that are intentionally or accidentally safe), it is sufficient to limitthe search for bad prefixes to informative bad prefixes, and searching for informative badprefixes is exponentially easier than searching for any bad prefix (2O(n) for only informative

bad prefixes and 22O(n)

for all bad prefixes). Furthermore, [Kupferman and Vardi 1999]show that a syntactically safe formula is non-pathologically safe. The proposition belowstrengthens this result by showing that the same and the converse hold for semanticallyweak formulas.

Proposition 12. Let ϕ be an eltl formula.

• ϕ is semantically weak iff ϕ is non-pathologically safe.• ϕ is semantically strong iff ¬ϕ is non-pathologically safe.

Thus the notion of weakness captures semantically exactly the set of “good” safety proper-ties − that is, those that are computationally easy to verify.

Looking for informative bad prefixes of safety formula ϕ is easier or as hard as modelchecking ϕ. Based on that, and on the assumption that no one intentionally writes a patho-logically safe formula, [Kupferman and Vardi 1999] propose the following methodology formodel checking safety formulas: First search for informative bad prefixes, and only if noneare found, check whether the formula ϕ is pathologically safe (a decision which is PSPACE-complete [Kupferman and Vardi 1999]). If it is not, then return that ϕ holds, otherwisenotify the user that ϕ is pathologically safe. This ignores the fact that in order to usethe method, we must first determine whether ϕ is safety, a decision that is also PSPACE-complete [Sistla 1994]. Using the notion of weakness, we can generalize [Kupferman andVardi 1999]’s methodology for any formula: First search for informative bad prefixes, andonly if none are found check whether the formula ϕ is safety. If it is, it must be patholog-ically safe (otherwise we would have found an informative bad prefix), so notify the userthat ϕ is pathologically safe, otherwise model check ϕ.

Automating our generalization depends on a method of searching for informative badprefixes of ϕ, even if ϕ is not a safety formula. The following proposition gives us a methodto do that by checking the formula ϕ′ obtained from ϕ by converting to positive normalform and weakening all operators.

Proposition 13. Let ϕ be an eltl formula, and let M ⊆ Σ∞. Searching for words inM that have informative bad prefixes for ϕ is equivalent to searching for words in M thatare not in weak(ϕ).

3.3. The Relation to Weak and Strong Satisfaction of psl and sva

Psl and sva define weak and strong satisfaction (|=− and |=+, respectively – see also [Eisner

et al. 2003]) and as shown in [Eisner et al. 2006], those definitions are equivalent to thatof Definition 14. The sets of words in J〈ϕ〉K− and cl(J〈ϕ〉K) are closely related (and indeed thepresent work was inspired in large part by [Eisner et al. 2003]), but they are not necessarilythe same. For example, let ϕ = [p U q], and let w = 〈p〉ω. Then w ∈ cl(J〈ϕ〉K) because for


A:12

every finite prefix u � w, uq |= ϕ (also u> |= ϕ). However, w>ω = w, which does not satisfyϕ. Therefore w 6∈ J〈ϕ〉K−. Similarly, 〈p〉ω ∈ J〈¬ϕ〉K+, but 〈p〉ω 6∈ int(J〈¬ϕ〉K).

Note that if ϕ is semantically weak, then J〈ϕ〉K = cl(J〈ϕ〉K) and thus by Theorem 14 wehave that J〈ϕ〉K = J〈ϕ〉K− = cl(J〈ϕ〉K). Similary, if ϕ is semantically strong, then J〈ϕ〉K = J〈ϕ〉K+ =int(J〈ϕ〉K). The following propositions state the relationship between J〈ϕ〉K, J〈ϕ〉K−, and cl(J〈ϕ〉K)and between J〈ϕ〉K, J〈ϕ〉K+, and int(J〈ϕ〉K) in the general case.

Proposition 14. Let ϕ ∈ eltl. Then

1. J〈ϕ〉K ⊆ J〈ϕ〉K− ⊆ cl(J〈ϕ〉K)2. J〈ϕ〉K ⊇ J〈ϕ〉K+ ⊇ int(J〈ϕ〉K)

Proposition 15. Let ϕ in eltl. The sets of finite words in J〈ϕ〉K− and cl(J〈ϕ〉K) are thesame, i.e.,

J〈ϕ〉K− ∩ Σ∗ = cl(J〈ϕ〉K) ∩ Σ∗

By Proposition 15, the difference between the set of words weakly (strongly) satisfiedby ϕ and the weak (strong) component of ϕ contains only infinite words. This stems fromthe differing motivations of [Eisner et al. 2003] and the present paper. In [Eisner et al.2003], the motivation was to examine the use of temporal logic in incomplete verificationmethods. In such methods (e.g., simulation or bounded model checking), we are presentedwith a truncated word, a finite word that is not necessarily maximal. The purpose of weak(strong) satisfaction is to characterize what can be known about the validity of ϕ on themaximal word from the validity of ϕ on a prefix of it. In the present paper our motivationis different. We have the maximal word, but we would like to use a computationally lessexpensive verification method on it. Thus we want to understand the relation between weakand strong operators in order to characterize what can be known about the validity of ϕ ona maximal word from the validity of weak(ϕ) on it.

4. AN APPLICATION

Our motivation is to provide a characterization of weakness that allows us to check whethera proposed weak version of some new temporal operator is related to its strong versionin a way that maintains the internal consistency of the logic. In this section, we use thecharacterization to show that the original versions of the ieee standard temporal logicspsl [Eisner and Fisman 2006; IEEE c] and sva [Cerny et al. 2010; IEEE a; b] are broken inthe sense that they have temporal operators that are expected to form a weak/strong pair,but that are not related semantically in the same way as W/U. We show that the source ofthe problem lies in the semantics of the sere intersection and fusion operators. We then usethe topological characterization to show that the alternative semantics proposed in [Eisnerand Fisman 2008] and adopted by the latest version of the psl standard [IEEE d] restoresthe internal consistency of the logic in the sense that all the expected weak/strong pairs arerelated in the same way.

4.1. The Logic ltlsere

The logic ltlsere lies at the core of the standard temporal logics psl and sva. It extendseltl with semi-extended regular expressions (seres). Seres in turn extend regular expres-sions with intersection and fusion (a kind of overlapping concatenation). Seres and ltlsere

formulas are defined inductively as shown in Definitions 15 and 16.Note that every Boolean expression is a sere, thus the weak and strong Booleans of eltl

and of [IEEE c] are included by means of r and r!, which form the base of the inductivedefinition. As previously, we also make use of F ϕ and G ϕ, defined to be [true U ϕ] and[ϕ W false], respectively.


A:13

Definition 15 Semi-Extended Regular Expressions (seres)

Let b ∈ B be a Boolean expression. The set of seres is recursively defined as follows:

r ::= λ | b | r · r | r ◦ r | r+ | r ∪ r | r ∩ r

Definition 16 ltlsere FormulasLet r be a sere. The set of ltlsere formulas is recursively defined as follows:

ϕ ::= r! | r | ¬ϕ | ϕ ∧ ϕ | ϕ ∨ ϕ | X! ϕ | X ϕ | [ϕ U ϕ] | [ϕ W ϕ]

Definition 17 The Language of sere r

L(λ) = {ε} L(r1 · r2) = L(r1)L(r2) L(r1 ∪ r2) = L(r1) ∪ L(r2)L(b) = {` ∈ Σ | ` b} L(r1 ◦ r2) = L(r1) ◦L(r2) L(r1 ∩ r2) = L(r1) ∩ L(r2)

L(r+) = L(r)+

4.2. The >,⊥ Approach to the Semantics of ltlsere

Because of their use of the special letters > and ⊥, we term the semantics as in the originalversions of the psl [Eisner and Fisman 2006; IEEE c] and sva [Cerny et al. 2010; IEEE a;b] standards the >,⊥ approach to the semantics of ltlsere (usually we say simply the >,⊥approach). The >,⊥ approach is defined inductively, using as the base case the semantics

of Boolean expressions over letters in Σ. We augment the Boolean relation as before, so

that > b and ⊥ / b for any Boolean expression b.The language of sere r (the words on which r holds tightly [IEEE c], or is tightly satis-

fied [IEEE a; b]), denoted L(r), is defined formally as shown in Definition 17.We use w |=

>⊥ϕ to denote that w models ϕ under the >,⊥ approach. The semantics is given

in Definition 18. The semantics of the eltl operators are exactly that used in Section 3.The semantics of r! is straightforward: r! holds on a word w if there exists a non-emptyfinite prefix of w that is in L(r). For example, (p · q+ · p)! holds on the word u = 〈p〉〈q〉〈p〉⊥.

Intuitively, r is intended to be a weak version of r!. Thus, if we do not find a prefix ofw that is in L(r), then at least we never reach the point where things have gone so wrongthat appending some number of >’s won’t get us there. For example, (p · q+ · p) holds on theword v1 = 〈p〉〈q〉〈p〉⊥, and also on the “too short” word v2 = 〈p〉〈q〉 and on the “too long”word v3 = 〈p〉〈q〉ω, in which we “get stuck” in the starred sub-expression q. In a similarmanner, the semantics of [ϕ W ψ] can be understood intuitively (and only intuitively, seebelow) as w |=

>⊥[ϕ W ψ] ⇐⇒ ∀j < |w|, w0..j>ω |=

>⊥[ϕ U ψ].

The intuitive explanation is not accurate, however. While it is what we are striving for,and holds for the semantics of eltl given in Definition 2, it does not hold for the >,⊥approach due to the issues to be discussed in the next section.

4.3. Structural Contradictions

In [Eisner and Fisman 2008] we argued that the >,⊥ approach to the semantics of ltlsere is“broken” because of the presence of structural contradictions, seres that are unsatisfiable(i.e., whose language is empty) due to their structure. That is, for any replacement of thepropositions in the sere, the language of the sere remains empty. For example, p ∩ (p · q)is a structural contradiction, while (p · q) ∩ (p · ¬q) is a contradiction, but not a structuralone. The ∩ operator is not the only source of structural contradictions in the >,⊥ approach.A structural contradiction can also be formed from the fusion operator ◦ . The sere λ ◦ pis a structural contradiction formed without the ∩ operator.

Our argument in [Eisner and Fisman 2008] was intuitive, and we did not provide topolog-ical evidence. Using a topological characterization, we can make a stronger case, as follows:


A:14

Definition 18 The >,⊥ Approach to the Semantics of ltlsere

Let w ∈ Σ∞ be a word.• w |=

>⊥r! ⇐⇒ ∃j < |w| s.t. w0..j ∈ L(r)

w |=>⊥r ⇐⇒ ∀j < |w|, w0..j>ω |=

>⊥r!

• w |=>⊥¬ϕ ⇐⇒ w |=

>⊥/ ϕ

w |=>⊥ϕ ∧ ψ ⇐⇒ w |=

>⊥ϕ and w |=

>⊥ψ

w |=>⊥ϕ ∨ ψ ⇐⇒ w |=

>⊥ϕ or w |=

>⊥ψ

• w |=>⊥X! ϕ ⇐⇒ |w| > 1 and w1.. |=

>⊥ϕ

w |=>⊥X ϕ ⇐⇒ either w |=

>⊥X! ϕ or |w| ≤ 1

• w |=>⊥

[ϕ U ψ] ⇐⇒ ∃k < |w| such that wk.. |=>⊥ψ and ∀j < k, wj.. |=

>⊥ϕ

w |=>⊥

[ϕ W ψ] ⇐⇒ either w |=>⊥

[ϕ U ψ] or ∀j < |w|, wj.. |=>⊥ϕ

Although r is intended to be a weak verison of r!, our topological characterization showsthat it is not. The proposition for |=

>⊥analogous to Proposition 5 fails for the >,⊥ ap-

proach. For example, the formula [p U ({q}∩{q · q})] does not hold on w = >ω. As a result,the proposition analogous to Proposition 7 fails, and we get, for instance, that the weakcomponent of [p U ({q}∩{q · q})] is the empty set rather than J〈[p W ({q}∩{q · q})]〉K.

In a preliminary version of this paper [Eisner et al. 2005], we conjectured that unsatisfia-

bility of structural contradictions could be fixed by defining L(b) to be {` ∈ Σ | ` b}∪>+.The problem with this approach is that it leaves the formula r formed from the structuralcontradiction r = λ ◦ p unsatisfiable.

In a similar approach, called the flexible letter approach in [Eisner and Fisman 2008], we

define that L(λ) = >∗ and that L(b) = {` ∈ Σ | ` b}>∗. The problem with the flexibleletter approach is that it changes the semantics of formulas that do not contain structuralcontradictions. Let r1 = (p · p · p), let r2 = (q · q · q), and let ϕ = r1 ◦ r2. Let w = 〈p〉〈p〉〈p〉.Then under the >,⊥ approach, using the original semantics of L(r) as in Definition 17, we

have that ϕ does not hold on w. To see this, note that |w| = 3. Thus w |=>⊥ϕ iff ∀j < 3 we

have that w0..j>ω |=>⊥

(r1 ◦ r2)!. Taking j = 2 we get that w0..2>ω |=>⊥/ (r1 ◦ r2)!, because that

requires one letter overlap between (p · p · p) and (q · q · q), but we do not have that q holdson the third letter.

Under the flexible letter approach, using its modified definition of L(b), we can use morethan three letters to form a word in the language of (p · p · p). So take the first four lettersof w0..2>ω to be in L(p · p · p), and then, starting from the last letter of those four (whichis >), take some number of letters to be in L(q · q · q). We can take three >s for that. Thenthe overlap happens on a >, and thus under the flexible letter approach we get that ϕ holdson w.

In [Eisner and Fisman 2008] we proposed instead an alternative semantics based on thenatural alphabet Σ = 2P , thus relegating the special letters > and ⊥ back to a supportingrole in the topological characterization. Following [Eisner and Fisman 2008], we term thesethe truncated semantics of ltlsere. In the next section, we present the truncated semanticsof ltlsere, adopted by the latest version of psl [IEEE d], and use our topological charac-terization to show that in it, r is a weak version of r! and that the semantics behaves asintuitively expected with respect to the topological characterization.


A:15

Definition 19 F(r) and I(r)

The language of finite proper prefixes of sere r, denoted F(r), and the loop language ofsere r, denoted I(r), are defined as follows:

• F(λ) = ∅ • I(λ) = ∅F(b) = ε I(b) = ∅

• F(r1 · r2) = F(r1) ∪ (L(r1)F(r2)) • I(r1 · r2) = I(r1) ∪ (L(r1)I(r2))F(r1 ◦ r2) = F(r1) ∪ (L(r1) ◦F(r2)) I(r1 ◦ r2) = I(r1) ∪ (L(r1) ◦ I(r2))F(r+) = L(r)∗F(r) I(r+) = (L(r)∗I(r)) ∪ (L(r) \ {ε})ω

• F(r1 ∩ r2) = F(r1) ∩ F(r2) • I(r1 ∩ r2) = I(r1) ∩ I(r2)F(r1 ∪ r2) = F(r1) ∪ F(r2) I(r1 ∪ r2) = I(r1) ∪ I(r2)

Definition 20 Truncated Semantics of ltlsere

Let w ∈ Σ∞ be a word.

• w |= r! ⇐⇒ ∃j < |w| s.t. w0..j ∈ L(r)w |= r ⇐⇒ either w |= r! or w ∈ I(r) ∪ F(r) ∪ {ε}

• v |= ¬ϕ ⇐⇒ v |=/ ϕv |= ϕ ∨ ψ ⇐⇒ v |= ϕ or v |= ψv |= ϕ ∧ ψ ⇐⇒ v |= ϕ and v |= ψ

• v |= X! ϕ ⇐⇒ |v| > 1 and v1.. |= ϕv |= X ϕ ⇐⇒ either v |= X! ϕ or |v| ≤ 1

• v |= [ϕ U ψ] ⇐⇒ ∃k < |v| : vk.. |= ψ and ∀j < k : vj.. |= ϕv |= [ϕ W ψ] ⇐⇒ either v |= [ϕ U ψ] or ∀j < |v| : vj.. |= ϕ

4.4. The Truncated Semantics of ltlsere

In addition to the language of a sere, L(r) (Definition 17), the truncated semantics ofltlsere makes use of two additional languages. Intuitively, the language of proper prefixesof a sere consists of finite proper prefixes of words in L(r), except that logical and structuralcontradictions are considered satisfiable. The loop language of a sere extends the loop(·)of [Harel and Sherman 1982] to the intersection and fusion operators. Intuitively, it consistsof infinite words in which we get stuck forever in a starred sub-expression of r. Formally,these languages are given in Defintion 19.2

The truncated semantics of ltlsere is shown in Definition 20. It uses the language L(r)to define the semantics of r!, and uses the languages F(r) and I(r) to define the semanticsof r. Other than that, it is identical to the semantics of eltl given in Definition 2.

Note that the truncated semantics of ltlsere is defined over Σ, while L(r) is defined over

Σ. We will make use of the extra words in L(r), those not relevant for Definition 20, later,in the topological characterization. Furthermore, do not confuse L(r)∩Σ∞ with Jr!K or JrK.From Definition 20,

Jr!K = ((L(r) ∩Σ∞) \ {ε})Σ∞

JrK = Jr!K ∪ (I(r) ∩Σ∞) ∪ (F(r) ∩Σ∞) ∪ {ε}

2In [IEEE d], the loop language of r+ is defined as I(r+) = (L(r)∗I(r)) ∪ L(r)ω . If ε ∈ L(r), then thisdefinition admits the empty word to I(r) and thus admits finite words through the recursive definition.This was not the intent and is corrected here.


A:16

Definition 21 L(r)

L(r) = L(r) ∪ (F(r)>+) ∪ >+

Definition 22 Lw(r)

Lw(r) = L(r) ∪ I(r) ∪ (F(r)>∞) ∪ >∞

Definition 23 Truncated Semantics of ltlsere over the Augmented Alphabet

Let w ∈ Σ∞ be a word. The semantics of ltlsere over the augmented alphabet is exactlyas in Definition 20, except that the semantics of r! and ¬ϕ are as follows:

• w |= r! ⇐⇒ ∃j < |w| s.t. w0..j ∈ L(r)

• w |= ¬ϕ ⇐⇒ w |=/ ϕ

4.5. A Topological Characterization of the Proposed Semantics

As previously, our topological characterization will be based on the augmented alphabet Σ,

and we augment the Boolean relation as before, so that > b and ⊥ / b for any Booleanexpression b.

We must extend the semantics of ltlsere to the alphabet Σ in such a way that (1) the se-mantics of Definition 20 is preserved on the original alphabet Σ and (2) the characterizationof Section 3 holds for ltlsere using the semantics on the augmented alphabet. The heart ofthe topological characterization of weakness and strength in eltl is Proposition 7, whichstates that the denotation of the syntactic weakening of a formula in positive normal formis the topological closure of the denotation of the formula, and dually that the denotation ofthe syntactic strengthening of a formula in positive normal form is the topological interiorof the denotation of the formula. The key to establishing this relationship for ltlsere isproving it for the base case of sere formulas, namely that

• J〈r〉K = cl(J〈r!〉K) • J〈r!〉K = int(J〈r〉K) (1)

These equalities are therefore primary goals of the extension of the semantics of ltlsere to

Σ.We accomplish the extension and proof of the topological characterization using two

auxiliary languages, L(·) and Lw(·), shown in Definitions 21 and 22. L(·) replaces L(·) in

defining the semantics of ltlsere over the alphabet Σ, shown in Definition 23, while Lw(·)is used in the proof of the topological characterization.

It is easy to see that Definition 23 preserves the semantics of Definition 20 when restricted

to the original alphabet Σ. L(r) is obtained from L(r) by adding (F(r)>+) ∪ >+, whichconsists of non-empty finite words that either are proper prefixes of words in L(r) followedby at least one letter > or are made up entirely of letters >. These additions are to eliminate

structural contradictions and ensure that all ltlsere formulas are satisfiable over Σ, whichis key to proving the Equalities (1). This fact is established by the following generalizationof Proposition 5, the proof of which is by induction.

Theorem 16. Let ϕ be an ltlsere formula. Then >ω |= ϕ and ⊥ω |=/ ϕ.

For the topological characterization we extend the definitions of weak and strong com-ponents and syntactically and semantically weak and strong formulas in the obvious ways,shown in Definitions 24, 25 and 26. Proof of the topological relationship of sere formulas asexpressed in the Equalities (1) proceeds from analysis of the relationships of the auxiliary


A:17

Definition 24 Weak and Strong Components of ltlsere Formulas

Let ϕ be an ltlsere formula. Its weak and strong components, denoted weak(ϕ) andstrong(ϕ) respectively, are defined as follows.

• weak(ϕ) = cl(J〈ϕ〉K) • strong(ϕ) = int(J〈ϕ〉K)

Definition 25 Syntactically Weak and Strong ltlsere Formulas

Let r be a sere.

•The set of syntactically weak ltlsere formulas is recursively defined as follows:

ϕ ::= r | ϕ ∧ ϕ | ϕ ∨ ϕ | X ϕ | [ϕ W ϕ]

•The set of syntactically strong ltlsere formulas is recursively defined as follows:

ϕ ::= r! | ϕ ∧ ϕ | ϕ ∨ ϕ | X! ϕ | [ϕ U ϕ]

Definition 26 Semantically Weak and Strong ltlsere Formulas

Let ϕ be an ltlsere formula.

• ϕ is semantically weak iff weak(ϕ) = J〈ϕ〉K• ϕ is semantically strong iff strong(ϕ) = J〈ϕ〉K

languages L(r) and Lw(r). We first show that Lw(r) is prefix closed and that if a word

w ∈ Σ∞ has infinitely many prefixes in F(r) then it is in I(r), from which it is proved thatLw(r) is limit closed.

Theorem 17. Lw(r) is prefix closed.

Theorem 18. Let w ∈ Σω and assume that w has infinitely many prefixes in F(r).Then w ∈ I(r).

Theorem 19. Lw(r) is limit closed.

These results are used to prove the following:

Theorem 20 (Recursive Characterization of cl(L(r))). Let r be a sere. Then

cl(L(r)) = Lw(r).

From Definition 20 (and 23, which points to it), satisfaction of the weak sere formular is defined in terms of satisfaction of the strong sere formula r! and the language I(r) ∪F(r) ∪ {ε}. Straightforward manipulation shows that:

Theorem 21. w |= r iff w |= r! or w ∈ Lw(r).

Using Proposition 3, Theorems 20, 21, and some properties resulting from the fact that

L(r) is closed under switching letters to >, we get that:

Theorem 22. Let r be a sere and w ∈ Σ∞. The following are equivalent:

(1 ) For every finite u � w : u>ω |= r!.(2 ) w |= r.

Theorems 16 and 22 and induction yield the Strength Relation Theorem for ltlsere, sonamed for the analogous theorem for ltl appearing in [Eisner et al. 2003]; the term strengthrefers to [Eisner et al. 2003]’s weak and strong satisfaction, discussed in Section 3.3.


A:18

Theorem 23 (Strength Relation). Let f ∈ ltlsere and let w ∈ Σ∞. Then

1 . w |= f =⇒ w>ω |= f2 . w⊥ω |= f =⇒ w |= f

Using this result, we obtain a representation of closure and interior of the denotation ofan ltlsere formula in terms of > and ⊥:

Theorem 24 (>,⊥ Characterization of cl(J〈f〉K), int(J〈f〉K)). Let f ∈ ltlsere. Then

1. cl(J〈f〉K) = {w ∈ Σ∞ | ∀ finite u � w : u>ω ∈ J〈f〉K}2. int(J〈f〉K) = {w ∈ Σ∞ | ∃ finite u � w : u⊥ω ∈ J〈f〉K}

From these pieces the Equalities (1) then follow as part of:

Theorem 25 (Topological Relationship of sere Formulas). Let r be a sere.Then:

• J〈r〉K = cl(J〈r〉K) = cl(J〈r!〉K)• J〈r!〉K = int(J〈r〉K) = int(J〈r!〉K)In particular, r is semantically weak and r! is semantically strong.

With the topological relationships of sere formulas established, proofs of the remainderof the results of Section 3 carry over in a straightforward way from those for eltl. Inparticular, the generalization of Proposition 7 provides the main result of the topologicalcharacterization for ltlsere:

Theorem 26. Let ϕ be an ltlsere formula in positive normal form. Let ϕw be theformula obtained by weakening all operators (replacing X! with X, U with W, and r! withr.). Let ϕs be the formula obtained by strengthening all operators. Then


We state the generalizations to ltlsere of the remaining results of Section 3 below.

Theorem 27. Let ϕ be an ltlsere formula.

• weak(ϕ) = {w ∈ Σ∞ | ∀ finite u � w : u>ω ∈ J〈ϕ〉K}• strong(ϕ) = {w ∈ Σ∞ | ∃ finite u � w : u⊥ω ∈ J〈ϕ〉K}

Theorem 28. Let ϕ be an ltlsere formula. Then

fpref ((Σ∞ \ strong(ϕ)) \ (Σ∞ \ weak(ϕ))) ∩ (Σ∞ \ weak(ϕ)) = ∅



Theorem 30. Let ϕ be an ltlsere formula. Then ϕ is semantically strong iff ¬ϕ issemantically weak.


• ϕ is semantically weak iff ϕ is non-pathologically safe.• ϕ is semantically strong iff ¬ϕ is non-pathologically safe.

Theorem 32. Let ϕ be an ltlsere formula, and let M ⊆ Σ∞. Searching for words inM that have informative bad prefixes for ϕ is equivalent to searching for words in M thatare not in weak(ϕ).


A:19

Theorem 33. Let ϕ ∈ ltlsere. Then

1. J〈ϕ〉K ⊆ J〈ϕ〉K− ⊆ cl(J〈ϕ〉K)2. J〈ϕ〉K ⊇ J〈ϕ〉K+ ⊇ int(J〈ϕ〉K)

Theorem 34. Let ϕ in ltlsere. The sets of finite words in J〈ϕ〉K− and cl(J〈ϕ〉K) are thesame, i.e.,

J〈ϕ〉K− ∩ Σ∗ = cl(J〈ϕ〉K) ∩ Σ∗

5. DISCUSSION

We have achieved a topological characterization of weakness (strength) by moving to anextended domain that adds solutions that do not exist in the original domain, then takingclosure (interior) in the extended domain. Taking closure in the extended domain can addnot only solutions from the extended domain, but also solutions from the original domain.For example, the closure of [p U false] in the original domain is the empty set, but in theextended domain it includes words from the original domain, such as 〈p〉〈p〉〈p〉 and 〈p〉ω.

A similar effect happens in the move from the real numbers R to the complex numbers C,and the behavior of our special letters > and ⊥ is analogous to the behavior of the imaginarynumber i. Intuitively, ≤ is a weak form of <. But over R, the topological characterizationusing closure does not work, because cl({x ∈ R | x2 < 0}) = ∅, which is not the sameas {x ∈ R | x2 ≤ 0} = {0}. As in our observation that the “problem” with Alpern andSchneider’s safety component is that the property described by [p U false] is the emptyone, the “problem” here is that x2 < 0 has no solution for x ∈ R. Moving to the extendeddomain C, we get that cl({x ∈ C | x2 < 0}) = i · R = {x ∈ C | x2 ≤ 0}. Taking closure inthe extended domain adds the solution 0, which belongs to the original domain R.

Many techniques for the analysis of programs and specifications rely on checking languageemptiness, while our topological characterizaton uses an augmented alphabet over whichany ltlsere formula is satisfiable. Our approach does not preclude those techniques. Theaugmented alphabet is needed only to provide a suitable domain in which topological closureachieves the full set of intuitively desired models for the weak component, including modelsover the original alphabet. Analyses can proceed as usual, restricted to the original alphabet,where the satisfiability question remains non-trivial. In particular, as long as the modelsbeing analyzed do not use the special letters > and ⊥, existing algorithms stand.

The usual definitions of safety and liveness (e.g., [Alpern and Schneider 1985; 1987; Hareland Sherman 1982]) typically use an alphabet such that some ltl formulas describe theempty property, and those are the definitions that we have used here. Alternatively, it ispossible to define safety and liveness with respect to an arbitrary alphabet. In that case,whether or not a formula is safety or liveness depends on the alphabet under which it isbeing examined. For example, the formula [p U false] is a safety formula for the alphabet

Σ, but is not a safety formula for the alphabet Σ. Similarly, the formula F false is a liveness

formula for the alphabet Σ, but not for Σ.If we define safety and liveness with respect to an arbitrary alphabet, then our weak

component is exactly the safety component over the extended alphabet Σ, but our strongcomponent is not Alpern and Schneider’s liveness component in that alphabet. The strongcomponent of ϕ consists of all words that finitely establish ϕ, whereas the liveness compo-nent is formed from the union of the original property with the complement of its safetycomponent.

6. RELATED WORK

The finite acceptance of [Wolper et al. 1983; Vardi and Wolper 1994] is analogous to ourstrong component. However, the analogy between their looping acceptance and our weak


A:20

component is imperfect. At the level of automata, both Alpern and Schneider’s safety com-ponent and our weak component can be achieved by considering all states of a Buchi au-tomaton to be accepting. Looping acceptance does exactly this, and [Vardi and Wolper1994] observes that an automaton with looping acceptance defines a safety property. How-ever, the particular safety property that results from applying looping acceptance dependson the form of the automaton, not just on its original language. For instance, consider theBuchi automaton consisting of a single (not final) state and no transitions. Obviously, itslanguage is empty. Now add a single transition on the letter `. Since the single state is notfinal, we have not changed the language of the automaton, which remains empty. However,applying the looping acceptance condition of [Vardi and Wolper 1994] to the original andthe modified automata will result in different languages. Thus looping acceptance can bemade equivalent to Alpern and Schneider’s safety component, or to our weak component,for logics which associate a specific Buchi automaton with each temporal operator, thatis, for logics whose semantics are presented in the form of automata construction (and ofcourse the automaton used to get the safety component will be equivalent to but struc-turally different than the one used to get the weak component). The topological approacheliminates the need to specify the particular automaton associated with each operator, andthus allows the characterization of weakness to be applied to logics without regard to theform in which their semantics are presented, as we have done above for the denotationalsemantics of eltl and ltlsere.

By considering the augmented alphabet Σ, our weak component distinguishes betweenformulas such as ϕ = [p U false] and ψ = false!, which are equivalent under the orignalalphabet Σ, while the safety component of [Alpern and Schneider 1987] does not. In asimilar manner, ϕ and ψ are not equivalent in Armoni et al.’s reset semantics [Armoniet al. 2003]. As we showed in [Eisner et al. 2006], their reset semantics for ltl are exactlythose of Definition 9, which we use in our topological characterization of eltl. Thus thedifference between Alpern and Schneider’s safety component, the closure over alphabet Σ,

and our weak component, the closure over alphabet Σ, is reminiscent of the differencebetween the abort semantics and the reset semantics, examined in [Armoni et al. 2003].Their goal was a complexity analysis, whereas ours is a characterization of weakness.

In [Eisner and Fisman 2008], we argue that the problem with the current semantics ofltlsere is that it treats structural contradictions such as {p ∪ {p · p}} differently than logicalcontradictions such as false. In this paper, we provide topological evidence in support ofthat argument, and in support of the logical consistency of the fix proposed by [Eisner andFisman 2008] and adopted by [IEEE d].

The ideas of weakness and strength examined in this paper are very closely related to theideas of weak and strong satisfaction that we first examined in [Eisner et al. 2003]. In thatpaper, we were concerned with the problem of reasoning on truncated paths, that is, overpaths that are finite, but not necessarily maximal. In this paper, we are concerned withproviding a semantic characterization of weakness for the purposes of verifying the internalconsistency of a logic with weak and strong operators.

In [Maier 2004] Maier gives a characterization of intuitionistic safety and liveness proper-ties for ltl interpreted over finite as well as infinite words. Maier works with prefix closedsets of non-empty words. His safety properties are the subsets of Σ+ ∪Σω that are closedin the Scott topology defined from the prefix partial order. The Scott topology coincideswith our topology on Σ∞, and so Maier’s characterization of safety for properties over Σ isobtained from ours by eliminating the empty word. Since Maier’s properties are all prefixclosed, his notion of liveness is distinct from ours. Maier does not consider the relationship ofweakness to safety, and his framework of prefix closed properties is not suited to discussionof the dual notion of strength.


A:21

In [Manolios and Trefler 2003] Manolios and Trefler gave an elegant characterizationof safety and liveness using lattices, which unifies previous results on safety and liveness,including the results for the linear time and the branching time frameworks and for ω-regular string and tree languages. Our Proposition 4 can be proved by observing that cl(·)is a lattice closure on 〈Σ∞,∩,∪〉. Thus, it conforms with the uniform characterization.

The particular extension of ltl with regular expressions that we present in Section 4 is in-tended only to illustrate the utility of our characterization of weakness. Previous works [Ar-moni et al. 2002; Bustan et al. 2005; Bustan and Havlicek 2006; Lange 2007; Wolper et al.1983; Vardi and Wolper 1994; Wolper 1983] have examined the complexity and expressivityissues of extending ltl with regular expressions in various manners.

A preliminary version of this work (considering regular expressions rather than semi-extended regular expressions) appeared in [Eisner et al. 2005].

7. CONCLUSIONS

We have been concerned with finding a semantic characterization that relates weak andstrong linear temporal operators. We have shown that the weak version of a strong temporaloperator is not the same as Alpern and Schneider’s safety component. We have shown thatthe desired weak component can be obtained by taking closure in an alphabet augmentedwith two special letters > and ⊥ in the Cantor topology on the set of finite and infinitewords.

The resulting framework establishes a convenient way to study relations between weak andstrong operators, and syntactically and semantically weak/strong formulas. For example, wehave shown that semantically weak formulas characterize exactly the set of “good” safetyproperties, thus strengthening the result in [Kupferman and Vardi 1999].

The practical importance of our work lies in the fact that users of temporal logic typ-ically assume the relation between weak and strong versions of an operator that we havecharacterized here, thus it is important that any new pair of operators maintain the samerelation. We have used our characterization to demonstrate that the extensions of eltl usedby the original versions of the ieee standards psl and sva are broken with respect to weakand strong semi-extended regular expressions r and r!. We have shown that the semanticsproposed by [Eisner and Fisman 2008] and adopted by the latest version of psl [IEEE d]fix this problem, and that it is sound in the sense that r is the weak version of r!.

Acknowledgments

We thank the anonymous reviewers for their helpful comments. The first author wouldlike to thank Alexander Ivrii for many helpful discussions. Thanks also to Scott Little forenabling communication between the authors under challenging circumstances.

REFERENCES

Bowen Alpern and Fred B. Schneider. 1985. Defining liveness. Inform. Process. Lett. 21 (1985), 181–185.

Bowen Alpern and Fred B. Schneider. 1987. Recognizing Safety and Liveness. Distributed Computing 2, 3(1987), 117–126. citeseer.ist.psu.edu/alpern86recognizing.html

Roy Armoni, Doron Bustan, Orna Kupferman, and Moshe Y. Vardi. 2003. Aborts vs Resets in LinearTemporal Logic. In Proc. 9th International Conference on Tools and Algorithms for the Constructionand Analysis of Systems (TACAS).

Roy Armoni, Limor Fix, Alon Flaisher, Rob Gerth, Boris Ginsburg, Tomer Kanza, Avner Landver, SelaMador-Haim, Eli Singerman, Andreas Tiemeyer, Moshe Y. Vardi, and Yael Zbar. 2002. The ForSpecTemporal Logic: A New Temporal Property-Specification Language. In Proc. 8th International Confer-ence on Tools and Algorithms for the Construction and Analysis of Systems (LNCS 2280). Springer,296–211.

Doron Bustan, Dana Fisman, and John Havlicek. 2005. Automata Construction for PSL. Technical ReportMCS05-04. The Weizmann Institute of Science.


A:22

Doron Bustan and John Havlicek. 2006. Some Complexity Results for SystemVerilog Assertions. In 18thInternational Conference on Computer Aided Verification (CAV’06) (Lecture Notes in Computer Sci-ence), Thomas Ball and Robert B. Jones (Eds.), Vol. 4144. Springer, 205–218.

Eduard Cerny, Surrendra Dudani, John Havlicek, and Dmitry Korchemny. 2010. The Power of Assertionsin SystemVerilog. Springer.

Cindy Eisner and Dana Fisman. 2006. A Practical Introduction to PSL. Springer.

Cindy Eisner and Dana Fisman. 2008. Structural Contradictions. In Proc. Fourth International Haifa Ver-ification Conference (HVC) (Lecture Notes in Computer Science), Vol. 5394. Springer.

Cindy Eisner, Dana Fisman, and John Havlicek. 2005. A topological characterization of weakness. In PODC’05: Proceedings of the twenty-fourth annual ACM symposium on Principles of distributed computing.ACM, New York, NY, USA, 1–8. DOI:http://dx.doi.org/10.1145/1073814.1073816

C. Eisner, D. Fisman, J. Havlicek, Y. Lustig, A. McIsaac, and D. Van Campenhout. 2003. Reasoningwith Temporal Logic on Truncated Paths. In The 15th International Conference on Computer AidedVerification (CAV) (LNCS 2725). Springer-Verlag, 27–40.

C. Eisner, D. Fisman, J. Havlicek, and J. Martensson. 2006. The >,⊥ approach for truncated semantics.Technical Report 2006.01. Accellera.

D. Harel and R. Sherman. 1982. Looping vs. Repeating in Dynamic Logic. Information and Control 55,1–3 (Oct./Nov./Dec. 1982), 175–192.

Hendrik Jan Hoogeboom and Grzegorz Rozenberg. 1986. Infinitary Languages: Basic Theory an Applicationsto Concurrent Systems. In Current Trends in Concurrency. Springer, 266–342.

IEEE. Annex E of IEEE Standard for SystemVerilog Unified Hardware Design, Specification, and Verifi-cation Language. IEEE Std 1800TM-2005.

IEEE. Annex F of IEEE Standard for SystemVerilog Unified Hardware Design, Specification, and Verifi-cation Language. IEEE Std 1800TM-2009.

IEEE. IEEE Standard for Property Specification Language (PSL). IEEE Std 1850TM-2005.

IEEE. IEEE Standard for Property Specification Language (PSL). IEEE Std 1850TM-2010.

J.L. Kelley. 1975. General Topology. Van Nostrand Reinhold, 1955. Springer.

Orna Kupferman and Moshe Y. Vardi. 1999. Model Checking of Safety Properties. In Proc. 11th Interna-tional Conference on Computer Aided Verification (CAV) (LNCS 1633). Springer-Verlag, 172–183.

Martin Lange. 2007. Linear Time Logics Around PSL: Complexity, Expressiveness, and a Little Bit ofSuccinctness. In 18th International Conference on Concurrency Theory (CONCUR’07) (Lecture Notesin Computer Science), Luıs Caires and Vasco Thudichum Vasconcelos (Eds.), Vol. 4703. Springer,90–104.

Patrick Maier. 2004. Intuitionistic LTL and a New Characterization of Safety and Liveness. In Computer Sci-ence Logic, 18th International Workshop, CSL 2004, 13th Annual Conference of the EACSL; Karpacz,Poland, September 20-24, 2004; Proceedings (Lecture Notes in Computer Science), Jerzy Marcinkowskiand Andrzej Tarlecki (Eds.), Vol. 3210. Springer, 295–309.

Z. Manna and A. Pnueli. 1992. The Temporal Logic of Reactive and Concurrent Systems: Specification.Springer-Verlag, New York.

Panagiotis Manolios and Richard Trefler. 2003. A lattice-theoretic characterization of safety and liveness.In PODC ’03: Proceedings of the Twenty-Second Annual Symposium on Principles of DistributedComputing. ACM Press, 325–333. DOI:http://dx.doi.org/10.1145/872035.872083

A. Pnueli. 1981. A Temporal Logic of Concurrent Programs. Theoretical Computer Science 13 (1981), 45–60.

Martin Rem. 1990. A personal perspective of Alpern-Schneider characterization of safety and liveness. InBeauty is our business: a birthday salute to Edsger W. Dijkstra, W. H. J. Feijen (Ed.). Springer-Verlag,365–372.

A. Prasad Sistla. 1994. Safety, Liveness and Fairness in Temporal Logic. Formal Asp. Comput. 6, 5 (1994),495–512.

Wolfgang Thomas. 1990. Automata on infinite objects. In Handbook of Theoretical Computer Science, Vol-ume B: Formal Models and Semantics, J. van Leeuwen (Ed.). Elsevier and The MIT Press, Chapter 4,133–191.

Moshe Y. Vardi and Pierre Wolper. 1994. Reasoning About Infinite Computations. Information and Com-putation 115, 1 (15 1994), 1–37. citeseer.ist.psu.edu/vardi94reasoning.html

P. Wolper. 1983. Temporal Logic Can be More Expressive. Information and Control 56, 1/2 (1983), 72–99.

Pierre Wolper, Moshe Y. Vardi, and A. Prasad Sistla. 1983. Reasoning about Infinite Computation Paths(Extended Abstract). In FOCS. IEEE Computer Society, 185–194.


A:23

A. PROOF STRUCTURE

Propositions 1-4 are proved in Section B. In Section C we show that Propositions 5 and 7-15are subsumed by Theorems 16 and 26-34. Therefore providing independent proofs of themis superfluous. In Section D we prove some lemmas about seres. Starting from Section E,we prove Theorems 16-34, one or two per section.

B. PROOFS OF PROPOSITIONS 1-4

Proposition 1. The collection of languages WΓ∞ such that W ⊆ Γ ∗ forms a family ofopen sets for a topology on Γ∞.

Proof.

(1) ∅ = WΓ∞ for W = ∅ ⊆ Γ ∗.(2) Γ∞ = WΓ∞ for W = {ε} ⊆ Γ ∗.(3) Let Wα ⊆ Γ ∗. Then

⋃(WαΓ

∞) = WΓ∞ for W =⋃Wα ⊆ Γ ∗.

(4) Let U, V ⊆ Γ ∗. Define V U = {u ∈ U | ∃v ∈ V : v � u}, and let UV be defined similarly.Clearly V U ⊆ U and UV ⊆ V . Now,

w ∈ UΓ∞ ∩ V Γ∞iff w = ux = vy for some u ∈ U , v ∈ V , and x, y ∈ Γ∞iff [u � v or v � u] w ∈ UV Γ∞ or w ∈ V UΓ∞

This shows that UΓ∞ ∩ V Γ∞ = UV Γ∞ ∪ V UΓ∞. Since UV ⊆ U ⊆ Γ ∗ and similarlyV U ⊆ V ⊆ Γ ∗, we have that UΓ∞ ∩ V Γ∞ = WΓ∞ for W = UV ∪ V U ⊆ Γ ∗.

Lemma B.1. L ⊆ Γ∞ is closed iff the following condition holds for all w ∈ Γ∞:

(*) If for every finite u � w there exists v � u such that v ∈ L, then w ∈ L.

Proof. (⇒) Assume that L ⊆ Γ∞ is closed. Then there exists M ⊆ Γ ∗ such thatL = Γ∞ \MΓ∞. Let w ∈ Γ∞. We prove the contrapositive of (*). Assume w 6∈ L. Thenw ∈MΓ∞, so there is a finite prefix u � w such that u ∈M . Then every extension of u isin MΓ∞, hence not in L.

(⇐) Assume (*) holds for all w ∈ Γ∞. Let M = {u ∈ Γ ∗ | ∀v � u : v 6∈ L}. Then MΓ∞ ⊆Γ∞ \ L. Suppose w ∈ Γ∞ \ L. Then w 6∈ L and by (*), there exists finite u � w such that∀v � u : v 6∈ L. Therefore u ∈ M , hence w ∈ MΓ∞. We have that MΓ∞ ⊆ Γ∞ \ L andalso that Γ∞ \L ⊆MΓ∞. Thus Γ∞ \L = MΓ∞, and hence L = Γ∞ \MΓ∞. Since MΓ∞

is open by Definition 4, we have that its complement, L, is closed.

Lemma B.2. L ⊆ Σ∞ is safety iff L is closed.

Proof. Let L ⊆ Σ∞.

L is safetyiff ∀w ∈ Σ∞ \ L : ∃ finite u � w : ∀v : uv ∈ Σ∞ \ Liff ∀w ∈ Σ∞ \ L : ∃ finite u � w : ∀u′ � u : u′ ∈ Σ∞ \ Liff ∀w ∈ Σ∞ : w 6∈ L⇒ ∃ finite u � w : ∀u′ � u : u′ ∈ Σ∞ \ Liff [contrapositive] ∀w ∈ Σ∞ : (∀ finite u � w : ∃u′ � u : u′ ∈ L)⇒ w ∈ Liff [Lemma B.1] L is closed.

Lemma B.3. L ⊆ Σ∞ is a liveness property iff L is dense in Σ∞.


A:24

Proof. (⇒) Let L be a liveness property and let M ⊆ Σ∞ be a closed set containingL. Suppose there exists w ∈ Σ∞ \M . Then w 6∈M and by Lemma B.1, there exists a finiteprefix u of w such that for all v � u, v 6∈M . However, since L is a liveness property, thereexists v � u such that v ∈ L ⊆ M , a contradiction. Therefore, M = Σ∞. This proves thatL is dense.

(⇐) Let L be dense in Σ∞. Suppose L is not a liveness property. Then there exists finiteu such that for all v, uv 6∈ L. Therefore uΣ∞ ⊆ Σ∞ \ L, and so L ⊆ Σ∞ \ uΣ∞. SinceΣ∞ \ uΣ∞ is closed by Definition 4 and L is dense, Σ∞ \ uΣ∞ = Σ∞, and therefore uΣ∞

is empty, a contradiction.

Lemma B.4. Let X be a topological space and let P ⊆ X. Then X \(cl(P )\P ) is dense.Furthermore,

P = cl(P ) ∩ (X \ (cl(P ) \ P )) .

Proof. Let Y be a closed set containing X \ (cl(P ) \ P ). We must show that Y = X.Consider the open set X \ Y . Since Y contains X \ (cl(P ) \ P ),

X \ Y ⊆ cl(P ) \ PSince P ⊆ cl(P ),

P ⊆ cl(P ) \ (X \ Y )

and since cl(P ) \ (X \ Y ) is closed, we must have X \ Y empty. The proof of the equalityis exactly as in [Alpern and Schneider 1985].

Proposition 2. Let V ⊆ Γ∞.

(1) V is closed in the Cantor topology iff V is both prefix closed and limit closed.

(2) V is open in the Cantor topology iff V is extension closed and has finite witnesses.

Proof.

(1) By Lemma B.1, X is closed iff the following property holds for all w ∈ Γ∞:

(*) If for every finite u � w there exists x � u such that x ∈ X, then w ∈ X.

(⇒) Assume that X is closed, so that (*) holds for all w ∈ Γ∞. Suppose that w ∈ Γ∞and that all finite prefixes of w are in X. By (*), it follows that w ∈ X. This proves thatX is limit closed. Suppose now that u � v ∈ X. Then for all finite u′ � u, u′ � v ∈ X.From (*), u ∈ X. This proves that X is prefix closed.(⇐) Assume that X is both prefix closed and limit closed. We will show that (*) holdsfor all w ∈ Γ∞. Let w ∈ Γ∞ and assume that for every finite u � w there exists x � usuch that x ∈ X. Since X is prefix closed, it follows that for every finite u � w, u ∈ X.Since X is limit closed, w ∈ X.

(2) Follows from Part (1) by duality.

Proposition 3.

(1) cl(V ) = {w ∈ Γ∞ | ∀ finite u � w : ∃v � u : v ∈ V }.(2) int(V ) = {w ∈ Γ∞ | ∃ finite u � w : ∀v � u : v ∈ V }.

Proof.

(1) Let C(X) = {w ∈ Γ∞ | ∀ finite u � w : ∃v � u : v ∈ X}. First we show that C(X) isclosed. Let w ∈ Γ∞. Assume that ∀ finite u � w : ∃v � u : v ∈ C(X). Using thedefinition of C(X), it follows that ∀ finite u � w : ∃x � u : x ∈ X. Therefore w ∈ C(X).By Lemma B.1, C(X) is closed.


A:25

Suppose now that X ⊆ L ⊆ Γ∞ and L is closed. We show that C(X) ⊆ L. Letw ∈ C(X). Then ∀ finite u � w : ∃x � u : x ∈ X ⊆ L. Since L is closed, Lemma B.1implies that w ∈ L.

(2) Let I(X) = {w ∈ Γ∞ | ∃ finite u � w : ∀v � u : v ∈ X}. First, we show that I(X) isopen. Let w ∈ I(X). Then ∃ finite u � w : ∀x � u: x ∈ X. From the definition of I(X),it follows that ∀v � u, v ∈ I(X). Therefore w ∈ uΓ∞ ⊆ I(X). Since uΓ∞ is open byDefinition 4, this shows that I(X) is open.Suppose now that M is open and M ⊆ X. We show that M ⊆ I(X). Let w ∈M . SinceM is open, there exists U ⊆ Γ ∗ such that w ∈ UΓ∞ ⊆ M ⊆ X. Then ∃ finite u �w (u ∈ U) : ∀v � u : v ∈ UΓ∞ ⊆ X, hence w ∈ I(X).

Proposition 4. The safety properties are the closed sets of the Cantor topology on Σ∞,and the liveness properties are the dense sets in this topology. Furthermore, every propertyon Σ∞ can be decomposed into a safety property and a liveness property whose intersectionis the original.

Proof. It follows from Lemma B.2 that the safety properties are the closed sets of theCantor topology on Σ∞. It follows from Lemma B.3 that the liveness properties are thedense sets. Finally, Lemma B.4 shows that any property can be decomposed into a safetyproperty and a liveness property whose intersection is the original.

C. PROOFS OF PROPOSITIONS 5 AND 7-15

Lemma C.1 shows that eltl is faithfully embedded as a sublogic of ltlsere. Thus thestatements of Theorems 16 and 26-34 are generalizations of Propositions 5 and 7-15 andthe proofs of Theorems 16 and 26-34 imply Propositions 5 and 7-15.

Lemma C.1. Let ϕ be an eltl formula, let w ∈ Σ∞ and let |=9 and |=23 denote thesatisfaction relations of Definitions 9 and 23, respectively. Then w |=9 ϕ iff w |=23 ϕ.

Proof. The statement of the semantics for all eltl operators except for strong andweak Booleans is identical in Definitions 9 and 23. It remains to prove the equivalence inthe cases of strong and weak Booleans. Recall that in ltlsere, a Boolean expression is asere, thus the semantics of b! and b are obtained through those of r! and r, respectively.

•w |=23 b!

iff ∃j < |w| s.t. w0..j ∈ L(b)iff ∃j < |w| s.t. w0..j ∈ L(b) ∪ (F(b)>+) ∪ >+

iff ∃j < |w| s.t. w0..j ∈ {` ∈ Σ | ` b} ∪ (ε>+) ∪ >+

iff ∃j < |w| s.t. either (j = 0 and w0 b) or (w0..j ∈ >+)

iff |w| > 0 and w0 biff w |=9 b!

•w |=23 b

iff either w |=23 b! or w ∈ I(b) ∪ F(b) ∪ {ε}iff either w |=9 b! [first bullet] or w ∈ ∅ ∪ {ε} ∪ {ε}iff either w |=9 b! or w = εiff either w |=9 b! or |w| = 0iff w |=9 b


A:26

D. LEMMAS ABOUT SERES

Lemma D.1. Every word in I(r) is infinite.

Proof. By induction on the structure of r.

λ: I(λ) = ∅.b: I(b) = ∅.r · s: I(r · s) = I(r)∪(L(r)I(s)). By induction, I(r) and L(r)I(s) consist only of infinitewords.r ◦ s: I(r ◦ s) = I(r) ∪ (L(r) ◦ I(s)). By induction, I(r) and L(r) ◦ I(s) consist only ofinfinite words.r+: I(r+) = (L(r)∗I(r))∪(L(r)\{ε})ω. By induction, L(r)∗I(r) consists only of infinitewords. Also, the exclusion of ε ensures that (L(r)\{ε})ω consists only of infinite words.r ∪ s: I(r ∪ s) = I(r)∪I(s). By induction, I(r) and I(s) consist only of infinite words.r ∩ s: I(r ∩ s) = I(r)∩I(s). By induction, I(r) and I(s) consist only of infinite words.

Lemma D.2. L(·), F(·), I(·) and L(·) are all closed under switching (0 or more) lettersto >.

Proof.

(1) L(·): Assume that L(r) and L(s) are closed under switching letters to >. Let u resultfrom v by switching letters to >.

λ: L(λ) = {ε}, which is closed under switching letters to >.

b: L(b) = {` ∈ Σ | ` b}, which is closed under switching letters to >.r · s: Let v ∈ L(r · s) = L(r)L(s). Then v = xy, where x ∈ L(r) and y ∈ L(s).Then u = x′y′, where x′, y′ result from x, y (resp.) by switching letters to >. Byinduction, x′ ∈ L(r), y′ ∈ L(s), hence u ∈ L(r · s).r ◦ s: Let v ∈ L(r ◦ s) = L(r) ◦L(s). Then v = x`y, where x` ∈ L(r) and `y ∈ L(s).Then u = x′`′y′, where x′, `′, y′ result from x, `, y (resp.) by switching letters to>. By induction, x′`′ ∈ L(r), `′y′ ∈ L(s), hence u ∈ L(r ◦ s).r+: Let v ∈ L(r+) = L(r)+. Then v = x1 · · ·xn, where each xi ∈ L(r). Thenu = x′1 · · ·x′n, where x′i results from xi by switching letters to >. By induction,x′i ∈ L(r), hence u ∈ L(r+).r ∪ s: Let v ∈ L(r ∪ s) = L(r) ∪ L(s). Without loss of generality, v ∈ L(r), so byinduction u ∈ L(r) ⊆ L(r ∪ s).r ∩ s: Let v ∈ L(r ∩ s) = L(r)∩L(s). Then v ∈ L(r) and v ∈ L(s), so by inductionu ∈ L(r) and u ∈ L(s), hence u ∈ L(r ∩ s).

(2) F(·): Assume that F(r) and F(s) are closed under switching letters to >. Let u resultfrom v by switching letters to >.

λ: F(λ) = ∅, which is closed under switching letters to >.b: F(b) = {ε}, which is closed under switching letters to >.r · s: Let v ∈ F(r · s) = F(r) ∪ (L(r)F(s)). If v ∈ F(r), then by induction u ∈F(r) ⊆ F(r · s). Otherwise, v = xy, where x ∈ L(r) and y ∈ F(s). Then u = x′y′,where x′, y′ result from x, y (resp.) by switching letters to >. By induction, x′ ∈L(r), and y′ ∈ F(s), hence u ∈ F(r · s).r ◦ s: Let v ∈ F(r ◦ s) = F(r) ∪ (L(r) ◦F(s)). If v ∈ F(r), then by inductionu ∈ F(r) ⊆ F(r ◦ s). Otherwise, v = x`y, where x` ∈ L(r) and `y ∈ F(s). Thenu = x′`′y′, where x′, `′, y′ result from x, `, y (resp.) by switching letters to >. Byinduction, x′`′ ∈ L(r), and by induction, `′y′ ∈ F(s), hence u ∈ F(r ◦ s).


A:27

r+: Let v ∈ F(r+) = L(r)∗F(r). Then v = x1 · · ·xn, where n ≥ 1 and xi ∈ L(r)for 1 ≤ i < n and xn ∈ F(r). Then u = x′1 · · ·x′n, where x′i results from xi byswitching letters to >. By induction, x′i ∈ L(r) for 1 ≤ i < n, and by inductionxn ∈ F(r), hence u ∈ F(r+).r ∪ s: Let v ∈ F(r ∪ s) = F(r) ∪ F(s). Without loss of generality, v ∈ F(r), so byinduction u ∈ F(r) ⊆ F(r ∪ s).r ∩ s: Let v ∈ F(r ∩ s) = F(r)∩F(s). Then v ∈ F(r) and v ∈ F(s), so by inductionu ∈ F(r) and u ∈ F(s), hence u ∈ F(r ∩ s).

(3) I(·): Assume that I(r) and I(s) are closed under switching letters to >. Let u resultfrom v by switching letters to >.

λ: I(λ) = ∅, which is closed under switching letters to >.b: I(b) = ∅, which is closed under switching letters to >.r · s: Let v ∈ I(r · s) = I(r)∪ (L(r)I(s)). If v ∈ I(r), then by induction u ∈ I(r) ⊆I(r · s). Otherwise, v = xy, where x ∈ L(r) and y ∈ I(s). Then u = x′y′, where x′,y′ result from x, y (resp.) by switching letters to >. By induction, x′ ∈ L(r), andy′ ∈ I(s), hence u ∈ I(r · s).r ◦ s: Let v ∈ I(r ◦ s) = I(r) ∪ (L(r) ◦ I(s)). If v ∈ I(r), then by induction u ∈I(r) ⊆ I(r ◦ s). Otherwise, v = x`y, where x` ∈ L(r) and `y ∈ I(s). Then u =x′`′y′, where x′, `′, y′ result from x, `, y (resp.) by switching letters to >. Byinduction, x′`′ ∈ L(r), and by induction, `′y′ ∈ I(s), hence u ∈ I(r ◦ s).r+: Let v ∈ I(r+) = (L(r)∗I(r))∪ (L(r) \ {ε})ω. Suppose first that v ∈ L(r)∗I(r).Then v = x1 · · ·xn, where n ≥ 1 and xi ∈ L(r) for 1 ≤ i < n and xn ∈ I(r). Thenu = x′1 · · ·x′n, where x′i results from xi by switching letters to >. By induction,x′i ∈ L(r) for 1 ≤ i < n, and by induction xn ∈ I(r), hence u ∈ I(r+). Suppose nowthat v ∈ (L(r)\{ε})ω. Then v = x1 · · · , where each xi ∈ L(r)\{ε}. Then u = x′1 · · · ,where x′i results from xi by switching letters to >. By induction, x′i ∈ L(r) \ {ε},so u ∈ (L(r) \ {ε})ω.r ∪ s: Let v ∈ I(r ∪ s) = I(r) ∪ I(s). Without loss of generality, v ∈ I(r), so byinduction u ∈ I(r) ⊆ I(r ∪ s).r ∩ s: Let v ∈ I(r ∩ s) = I(r) ∩ I(s). Then v ∈ I(r) and v ∈ I(s), so by inductionu ∈ I(r) and u ∈ I(s), hence u ∈ I(r ∩ s).

(4) L(·): Follows from Definition 21 and Parts (1) and (2).

Lemma D.3. Let r be a sere. If L(r) 6= ∅ and L(r) 6= {ε}, then ε ∈ F(r).


λ: L(λ) = {ε}, so there is nothing to show.b: ε ∈ F(b) by the definition of F(b).r · s: If L(r · s) 6= ∅ and L(r · s) 6= {ε}, then L(r) 6= ∅ and L(s) 6= ∅ and either L(r) 6= {ε}or L(s) 6= {ε}. If L(r) 6= {ε}, then ε ∈ F(r) by induction and F(r) ⊆ F(r · s) by thedefinition of F(r · s), and thus ε ∈ F(r · s). If L(r) = {ε} but L(s) 6= {ε}, then ε ∈ F(s)by induction and thus ε ∈ L(r)F(s). L(r)F(s) ⊆ F(r · s) by the definition of F(r · s),thus ε ∈ F(r · s).r ◦ s: By the definition of fusion, L(r ◦ s) 6= {ε}. If L(r ◦ s) 6= ∅, then L(r) 6= ∅, L(s) 6= ∅,L(r) 6= {ε} and L(s) 6= {ε}. Then ε ∈ F(r) by induction and F(r) ⊆ F(r ◦ s) by thedefinition of F(r ◦ s). Thus ε ∈ F(r ◦ s).r+: If L(r+) 6= ∅ and L(r+) 6= {ε}, then L(r) 6= ∅ and L(r) 6= {ε}. Then by induction,ε ∈ F(r) and thus ε ∈ L(r)∗F(r) = F(r+).


A:28

r ∪ s: If L(r ∪ s) 6= ∅ and L(r ∪ s) 6= {ε}, then either (L(r) 6= ∅ and L(r) 6= {ε}) or(L(s) 6= ∅ and L(s) 6= {ε}). Then by induction, either ε ∈ F(r) or ε ∈ F(s) and thusε ∈ F(r) ∪ F(s), which is the definition of F(r ∪ s).r ∩ s: If L(r ∩ s) 6= ∅ and L(r ∩ s) 6= {ε}, then L(r) 6= ∅, L(s) 6= ∅, L(r) 6= {ε} andL(s) 6= {ε}. Then by induction ε ∈ F(r) and ε ∈ F(s) so ε ∈ F(r)∩F(s), and thereforeby definition, ε ∈ F(r ∩ s).

Lemma D.4. Let w ∈ L(r), and u ≺ w. Then u ∈ F(r).


λ: w ∈ L(λ) = {ε}, and there is no relevant u.

b: w ∈ L(b) = {` ∈ Σ | ` b}, thus u = ε, which is in F(b).r · s: w ∈ L(r · s) = L(r)L(s). Thus w = w′w′′ s.t. w′ ∈ L(r) and w′′ ∈ L(s). If u ≺ w′,then by induction u ∈ F(r) ⊆ F(r · s). If u � w′, then u = w′u′′ s.t. u′′ ≺ w′′. Byinduction, u′′ ∈ F(s), thus u ∈ L(r)F(s) ⊆ F(r · s).r ◦ s: w ∈ L(r ◦ s) = L(r) ◦L(s). Thus w = w′ ◦w′′ s.t. w′ ∈ L(r) and w′′ ∈ L(s). Ifu ≺ w′, then by induction u ∈ F(r) ⊆ F(r ◦ s). If u � w′, then u = w′ ◦u′′ s.t. u′′ ≺ w′′.By induction, u′′ ∈ F(s), thus u ∈ L(r) ◦F(s) ⊆ F(r ◦ s).r+: w ∈ L(r+) = L(r)+. Thus w = w1 · · ·wn s.t. each wi ∈ L(r), and there are twocases:• u = w1 · · ·wku′ s.t. k < n and ε ≺ u′ ≺ wk+1. By induction, u′ ∈ F(r). Thusu ∈ L(r)∗F(r) = F(r+).• u = w1 · · ·wk s.t. k < n. We know that L(r) 6= ∅ (otherwise there is no w) andL(r) 6= {ε} (otherwise there is no u ≺ w), thus by Lemma D.3 we know that ε ∈ F(r).Thus u ∈ L(r)∗F(r) = F(r+).

r ∪ s: If w ∈ L(r ∪ s) then w ∈ L(r) ∪ L(s) and by induction u ∈ F(r) or u ∈ F(s),thus u ∈ F(r ∪ s).r ∩ s: If w ∈ L(r ∩ s) then w ∈ L(r) ∩ L(s) and by induction u ∈ F(r) and u ∈ F(s),thus u ∈ F(r ∩ s).

Lemma D.5. Let w ∈ I(r), and u ≺ w. Then u ∈ F(r).


λ: I(λ) = ∅, thus @w ∈ I(λ).b: I(b) = ∅, thus @w ∈ I(b).r · s: w ∈ I(r · s) = I(r)∪(L(r)I(s)). If w ∈ I(r) then by induction u ∈ F(r) ⊆ F(r · s).Otherwise, w = w′w′′ s.t. w′ ∈ L(r) and w′′ ∈ I(s). If u ≺ w′, then by Lemma D.4,u ∈ F(r). If u � w′, then u = w′u′′ s.t. u′′ ≺ w′′. By induction, u′′ ∈ F(s), thusu ∈ L(r)F(s) ⊆ F(r · s).r ◦ s: w ∈ I(r ◦ s) = I(r) ∪ (L(r) ◦ I(s)). If w ∈ I(r) then by induction u ∈ F(r) ⊆F(r ◦ s). Otherwise, w = w′ ◦w′′ s.t. w′ ∈ L(r) and w′′ ∈ I(s). If u ≺ w′, then byLemma D.4, u ∈ F(r) ⊆ F(r ◦ s). If u � w′, then u = w′ ◦u′′ s.t. u′′ ≺ w′′. Byinduction, u′′ ∈ F(s), thus u ∈ L(r) ◦F(s) ⊆ F(r ◦ s).r+: w ∈ I(r+) = (L(r)∗I(r)) ∪ (L(r) \ {ε})ω.There are two cases:• If w ∈ L(r)∗I(r), then w = w′w′′ s.t. w′ ∈ L(r)∗ and w′′ ∈ I(r). If u ≺ w′, thenw′ 6= ε and thus w′ ∈ L(r)+ = L(r+) and by Lemma D.4, u ∈ F(r+). If u � w′, thenu = w′u′′ s.t. u′′ ≺ w′′, thus by induction u′′ ∈ F(r) and so u ∈ L(r)∗F(r) = F(r+).


A:29

• If w ∈ (L(r) \ {ε})ω, then ∃w′ ≺ w s.t. w′ ∈ L(r)+ = L(r+) and u ≺ w′. Thus byLemma D.4, u ∈ F(r+).

r ∪ s: If w ∈ I(r ∪ s) then w ∈ I(r) ∪ I(s) and by induction u ∈ F(r) or u ∈ F(s),thus u ∈ F(r ∪ s).r ∩ s: If w ∈ I(r ∩ s) then w ∈ I(r) ∩ I(s) and by induction u ∈ F(r) and u ∈ F(s),thus u ∈ F(r ∩ s).

Lemma D.6. Let w ∈ F(r), and u ≺ w. Then u ∈ F(r). In other words, F(r) is prefixclosed.


λ: F(λ) = ∅, thus @w ∈ F(λ).b: w ∈ F(b) = {ε}, thus there is no relevant u.r · s: w ∈ F(r · s) = F(r) ∪ (L(r)F(s)). If w ∈ F(r) then by induction u ∈ F(r) ⊆F(r · s). Otherwise, w = w′w′′ s.t. w′ ∈ L(r) and w′′ ∈ F(s). If u ≺ w′, then byLemma D.4, u ∈ F(r) ⊆ F(r · s). If u � w′, then u = w′u′′ s.t. u′′ ≺ w′′. By induction,u′′ ∈ F(s), thus u ∈ L(r)F(s) ⊆ F(r · s).r ◦ s: w ∈ F(r ◦ s) = F(r) ∪ (L(r) ◦F(s)). If w ∈ F(r) then by induction u ∈ F(r) ⊆F(r ◦ s). Otherwise, w = w′ ◦w′′ s.t. w′ ∈ L(r) and w′′ ∈ F(s). If u ≺ w′, then byLemma D.4, u ∈ F(r) ⊆ F(r ◦ s). If u � w′, then u = w′ ◦u′′ s.t. u′′ ≺ w′′. Byinduction, u′′ ∈ F(s), thus u ∈ L(r) ◦F(s) ⊆ F(r ◦ s).r+: w ∈ F(r+) = L(r)∗F(r). Thus w = w′w′′ s.t. w′ ∈ L(r)∗ and w′′ ∈ F(r). Ifu ≺ w′, then w′ 6= ε and so w′ ∈ L(r)+ = L(r+). By Lemma D.4, u ∈ F(r+).Otherwise, u � w′, thus u = w′u′′ s.t. u′′ ≺ w′′, thus by induction u′′ ∈ F(r) and sou ∈ L(r)∗F(r) = F(r+).r ∪ s: If w ∈ F(r ∪ s) then w ∈ F(r) ∪ F(s) and by induction u ∈ F(r) or u ∈ F(s),thus u ∈ F(r ∪ s).r ∩ s: If w ∈ F(r ∩ s) then w ∈ F(r) ∩ F(s) and by induction u ∈ F(r) and u ∈ F(s),thus u ∈ F(r ∩ s).

E. PROOF OF THEOREM 16

Lemma E.1. Let r be a sere.

(1) >+ ⊆ L(r).(2) No letter of any word in L(r), F(r), or I(r) is ⊥.

(3) No letter of any word in L(r) is ⊥.

Proof.

(1) Immediate from Definition 21.(2) By straightforward induction.(3) Follows from Part (2) by Definition 21.

NOTE: In proofs by induction over the structure of ltlsere formulas, we may omit thecases for the derived forms f ∨ g and X f , as justified by the following lemma. We alsoassume that the forms r and [g W h] have greater inductive weight than r! and [g U h],respectively, so that we may make inductive appeals to the latter forms in the proofs forthe cases of the former forms.


A:30

Lemma E.2 (Derived Operators in ltlsere). Let f , g ∈ ltlsere and let v ∈ Σ∞.Then• v |= f ∨ g iff v |= ¬(¬f ∧ ¬g)• v |= X f iff v |= ¬(X! ¬f)

Proof.

• v |= ¬(¬f ∧ ¬g)

iff v |=/ ¬f ∧ ¬giff not(v |= ¬f and v |= ¬g)

iff not(v |=/ f and v |=/ g)iff v |= f or v |= giff v |= f ∨ g

• v |= ¬(X! ¬f)

iff v |=/ X! ¬fiff not(|v| > 1 and v1.. |= ¬f)

iff either |v| ≤ 1 or v1.. |=/ ¬fiff either |v| ≤ 1 or v1.. |= fiff v |= X f

Theorem 16. Let f ∈ ltlsere. Then

(1) >ω |= f .

(2) ⊥ω |=/ f .

Proof. By induction.

f = r!:

(1) By Lemma E.1, >+ ⊆ L(r). This proves that >ω |= r!.

(2) ⊥ω |= r! iff ∃k ≥ 1 s.t. ⊥k ∈ L(r) iff [Lemma E.1] FALSEf = r:(1) >ω |= r ⇐ >ω |= r! iff [>ω |= r! from the case f = r!] TRUE(2) ⊥ω |= r

iff either ⊥ω |= r! or ⊥ω ∈ I(r) ∪ F(r) ∪ {ε}iff [⊥ω |=/ r! from the case f = r!]⊥ω ∈ I(r) ∪ F(r) ∪ {ε}iff [F(r), {ε} consist of finite words]⊥ω ∈ I(r)iff [By Lemma E.1, no letter of a word in I(r) is ⊥] FALSE

f = ¬g:

(1) >ω |= ¬g iff ⊥ω |=/ g iff [induction] TRUE

(2) ⊥ω |= ¬g iff >ω |=/ g iff [induction] FALSEf = g ∧ h:(1) >ω |= g ∧ h iff >ω |= g and >ω |= h iff [induction] TRUE(2) ⊥ω |= g ∧ h iff ⊥ω |= g and ⊥ω |= h iff [induction] FALSEf = g ∨ h: Omitted as a derived form.f = X! g:(1) >ω |= X! g iff >ω |= g iff [induction] TRUE(2) ⊥ω |= X! g iff ⊥ω |= g iff [induction] FALSEf = X g: Omitted as a derived form.f = [g U h]:(1) >ω |= [g U h] iff >ω |= h iff [induction] TRUE(2) ⊥ω |= [g U h] iff ⊥ω |= h iff [induction] FALSEf = [g W h]:(1) >ω |= [g W h] iff either >ω |= [g U h] or >ω |= g iff [induction] TRUE(2) ⊥ω |= [g W h] iff either ⊥ω |= [g U h] or ⊥ω |= g iff [induction] FALSE


A:31

F. PROOF OF THEOREM 17

Theorem 17. Lw(r) is prefix closed.

Proof. Let w ∈ Lw(r), and u ≺ w. Then w ∈ L(r) ∪ I(r) ∪ (F(r)>∞) ∪ >∞ and wehave to show that u ∈ L(r) ∪ I(r) ∪ (F(r)>∞) ∪ >∞.

• If w ∈ L(r), then by Lemma D.4, u ∈ F(r).• If w ∈ I(r), then by Lemma D.5, u ∈ F(r).• If w ∈ F(r)>∞, then w = w′w′′ s.t. w′ ∈ F(r) and w′′ ∈ >∞. If u ≺ w′, then by

Lemma D.6, u ∈ F(r). If u � w′, then u ∈ (F(r)>∞).• If w ∈ >∞, then u ∈ >∞.

G. PROOF OF THEOREM 18

Theorem 18. Let w ∈ Σω and assume that w has infinitely many prefixes in F(r). Thenw ∈ I(r).

Proof. By induction over the structure of r.

λ: F(λ) = ∅, contradicting the assumption that w has infinitely many prefixes in F(λ).b: F(b) = {ε}, contradicting the assumption that w has infinitely many prefixes in F(b).r · s: F(r · s) = F(r) ∪ (L(r)F(s)).•Case: w has infinitely many prefixes in F(r) ∪ L(r). Then by Lemma D.4, there are

infinitely many prefixes in F(r). By induction, w ∈ I(r) ⊆ I(r · s).•Case: w has only finitely many prefixes in F(r) ∪ L(r). Then w has infinitely many

prefixes in L(r)F(s). In particular, w has prefixes in L(r), so let them be u1, . . . , uk.Then for some i, w has infinitely many prefixes in uiF(s). Let w = uiw

′. Then w′

has infinitely many prefixes in F(s). By induction, w′ ∈ I(s), hence w ∈ L(r)I(s) ⊆I(r · s).

r ◦ s: F(r ◦ s) = F(r) ∪ (L(r) ◦F(s)).•Case: w has infinitely many prefixes in F(r) ∪ L(r). Then by Lemma D.4, there are

infinitely many prefixes in F(r). By induction, w ∈ I(r) ⊆ I(r ◦ s).•Case: w has only finitely many prefixes in F(r) ∪ L(r). Then w has infinitely many

prefixes in L(r) ◦F(s). In particular, w has non-empty prefixes in L(r), so let thembe u1, . . . , uk. Then for some i, w has infinitely many prefixes in ui ◦F(s). Let w =ui ◦w′. Then w′ has infinitely many prefixes in F(s). By induction, w′ ∈ I(s), hencew ∈ L(r) ◦ I(s) ⊆ I(r ◦ s).

r+: F(r+) = L(r)∗F(r). Define an r-chain of w to be a sequence u1, u2, . . . (finite orinfinite) such that:

(1) Each ui is a prefix of w(2) Each ui ∈ (L(r) \ {ε})∗(3) ui+1 = uiv for some v ∈ L(r) \ {ε}.

The prefix of w associated with the r-chain is the limit limui. For a finite r-chainu1, . . . , uk, this limit is just uk.

The finite r-chains of w can be assembled into a forest in the following way: r-chain V is a descendant of r-chain U iff U is a sequential prefix of V . To see that thisdefines a forest, note that two distinct successors of a node represent different choicesof the next substring of w in L(r)\{ε} to concatenate to obtain the next element of thechain, and this difference is always preserved in descendants. Hence, paths following


A:32

different successors of a node never meet afterward.

Note that infinite r-chains correspond to infinite paths in the forest.

There are two cases:(1) There is an infinite path in the forest. Then there is an infinite r-chain of w, hence

w ∈ (L(r) \ {ε})ω, hence w ∈ I(r+).(2) Every path in the forest is finite. There are two cases:

(a) Either there are infinitely many root nodes or there is a node in the forestwith infinitely many successors. Then w can be written in the form uw′, whereu ∈ (L(r) \ {ε})∗ and w′ has infinitely many prefixes in L(r). By Lemma D.4,w′ has infinitely many prefixes in F(r), so by induction w′ ∈ I(r). Then w ∈(L(r) \ {ε})∗I(r) ⊆ I(r+).

(b) There are only finitely many root nodes and each node is finitely branching. ByKonig’s Lemma, the forest itself is finite (because otherwise we would have aninfinite path). Therefore w has only finitely many prefixes in (L(r) \ {ε})∗. Letthem be U1, . . . , Uk. Since w has infinitely many prefixes in L(r)∗F(r), for somei, w has infinitely many prefixes in UiF(r). Let w = Uiw

′. Then w′ has infinitelymany prefixes in F(r). By induction w′ ∈ I(r), hence w ∈ (L(r) \ {ε})∗I(r) ⊆I(r+).

r ∪ s: F(r ∪ s) = F(r)∪F(s). Without loss of generality, w has infinitely many prefixesin F(r). By induction, w ∈ I(r) ⊆ I(r ∪ s).r ∩ s: F(r ∩ s) = F(r)∩F(s). Therefore w has infinitely many prefixes in F(r) and inF(s). By induction, w ∈ I(r) ∩ I(s) = I(r ∩ s).

H. PROOF OF THEOREM 19

Lemma H.1.

• Lw(r) ∩ Σ∗ = L(r) ∪ (F(r)>∗) ∪ >∗.• Lw(r) ∩ Σω = I(r) ∪ (F(r)>ω) ∪ >ω.

Proof. By induction, L(r) and F(r) consist only of finite words and by Lemma D.1,I(r) consists only of infinite words. The rest follows from the definition of Lw(r).

Theorem 19. Lw(r) is limit closed.

Proof. Assume that w ∈ Σ∞ and that every finite prefix of w is in Lw(r). We mustshow that w ∈ Lw(r). If w is finite, then w ∈ Lw(r) by assumption. Therefore, we assumew is infinite in the argument below.

•Case: w = u>ω, where u is finite. Assume without loss of generality that the last letterof u is not > (u may be empty). Now, u ∈ Lw(r) by assumption, and since u is finite andits last letter is not >, we have that u ∈ L(r)∪F(r)∪{ε}. If u ∈ F(r)∪{ε}, then clearlyu>ω = w ∈ Lw(r) and we are done. Otherwise we have by assumption that u> ∈ Lw(r)thus by Lemma H.1 we have that u> ∈ L(r) ∪ (F(r)>∗) ∪>∗. But u 6∈ F(r) ∪ {ε}, thusu> ∈ L(r) and by Lemma D.4, u ∈ F(r), thus u>ω = w ∈ Lw(r).•Case: w cannot be written in the form u>ω, where u is finite. This means that w

has infinitely many non-empty finite prefixes whose last letter is not >. According toLemma H.1, we must show that w ∈ I(r). Let u be a non-empty finite prefix of w whoselast letter is not >. Then u ∈ Lw(r), so by Lemma H.1, u ∈ L(r)∪F(r). Let u ≺ v wherev is also a finite prefix of w whose last letter is not >. Then also v ∈ L(r) ∪ F(r). By


A:33

Lemmas D.4 and D.6, it follows that u ∈ F(r). Therefore, w has infinitely many prefixesin F(r). By Theorem 18, w ∈ I(r), as desired.

I. PROOF OF THEOREM 20

Lemma I.1.

Lw(r) = L(r) ∪ I(r) ∪ (F(r)({ε} ∪ {>ω})) ∪ ({ε} ∪ {>ω}).Proof. Note that >∞ \ >+ = {ε} ∪ {>ω}. The result then follows from Definitions 21

and 22.

Observation I.2. L(r) ⊆ Lw(r).

Lemma I.3. Let r be a sere. Then Lw(r) is closed and cl(L(r)) ⊆ Lw(r).

Proof. Theorems 17 and 19 show that Lw(r) is prefix closed and limit closed. By

Proposition 2, Lw(r) is closed. By Observation I.2, L(r) ⊆ Lw(r). Since Lw(r) is closed,

cl(L(r)) ⊆ Lw(r).

Lemma I.4. fpref (Lw(r)) = fpref (L(r)).

Proof. Since L(r) ⊆ Lw(r) (Observation I.2), fpref (L(r)) ⊆ fpref (Lw(r)). By Theo-

rem 17, Lw(r) is prefix closed, so fpref (Lw(r)) = Lw(r) ∩ Σ∗ = [By Lemma H.1]

L(r) ∪ (F(r)>∗) ∪ >∗ ⊆ fpref (L(r)), the last since L(r) = L(r) ∪ (F(r)>+) ∪ >+.

Theorem 20. Let r be a sere. Then cl(L(r)) = Lw(r).

Proof.

cl(L(r)) = {w ∈ Σ∞ | ∀ finite u � w : ∃v � u : v ∈ L(r)}= {w ∈ Σ∞ | fpref (w) ⊆ fpref (L(r))}= [fpref (L(r)) = fpref (Lw(r)) by Lemma I.4]

{w ∈ Σ∞ | fpref (w) ⊆ fpref (Lw(r))}= {w ∈ Σ∞ | ∀ finite u � w : ∃v � u : v ∈ Lw(r)}= cl(Lw(r))= [Lw(r) is closed by Lemma I.3]Lw(r)

J. PROOF OF THEOREM 21

Lemma J.1.

((L(r) \ {ε})Σ∞) ∪ I(r) ∪ F(r) ∪ {ε} = ((L(r) \ {ε})Σ∞) ∪ Lw(r).

Proof. Clearly, I(r)∪F(r)∪{ε} ⊆ Lw(r), so the inclusion ⊆ holds. Suppose w ∈ Lw(r).

By Lemma I.1, w ∈ L(r)∪I(r)∪ (F(r)({ε}∪ {>ω}))∪ ({ε}∪ {>ω}) = L(r)∪I(r)∪F(r)∪(F(r)>ω) ∪ {ε} ∪ {>ω}.

• If w ∈ L(r), then w ∈ (L(r) \ {ε}) ∪ {ε} ⊆ ((L(r) \ {ε})Σ∞) ∪ {ε}.•The cases w ∈ I(r) and w ∈ F(r) are trivial.

• If w ∈ F(r)>ω, then w = u>ω, where u ∈ F(r). Then by Definition 21, u> ∈ L(r) \ {ε},hence u>ω ∈ (L(r) \ {ε})Σ∞.


A:34

•The case w ∈ {ε} is trivial.

• If w ∈ {>ω}, then w ∈ (L(r) \ {ε})Σ∞ because >+ ⊆ L(r) by Definition 21.

Theorem 21. w |= r iff w |= r! or w ∈ Lw(r).

Proof.

w |= r iff [Definition 23] either w |= r! or w ∈ I(r) ∪ F(r) ∪ {ε}iff [Definition 23] w ∈ (L(r) \ {ε})Σ∞ ∪ I(r) ∪ F(r) ∪ {ε}iff [Lemma J.1] w ∈ (L(r) \ {ε})Σ∞ ∪ Lw(r)iff [Definition 23] either w |= r! or w ∈ Lw(r)

K. PROOF OF THEOREM 22

Lemma K.1. Let X ⊆ Σ∞ be a set of words that contains an element of the form >k,

k ≥ 1, and that is closed under switching letters to >. Let w ∈ Σ∞. The following areequivalent :

(1) For every finite u � w, there exists a nonempty finite prefix of u>ω that is in X.(2) Either there exists a nonempty finite prefix of w that is in X or w ∈ cl(X).

Proof. By Proposition 3, cl(X) is the set

{w ∈ Σ∞ | ∀ finite u � w : ∃v � u : v ∈ X}.

(⇒) Assume (1). Suppose there is no nonempty finite prefix of w that is in X. Let u � wbe finite. By (1), there exists nonempty finite v � u>ω such that v ∈ X. We cannot havev � u because w has no such prefix. Therefore, v � u. This shows that w ∈ cl(X).

(⇐) Assume (2). Let u � w be finite.Suppose first that there exists nonempty finite v � w such that v ∈ X. If u � v, then

u>|v|−|u| ∈ X \ {ε}, which shows that u>ω has a nonempty finite prefix in X. Otherwise,v � u � u>ω, hence v is a nonempty finite prefix of u>ω that is in X.

Suppose now that w ∈ cl(X). Then there exists v � u such that v ∈ X. If u is nonemptythen v is nonempty. Otherwise, we may select v nonempty by choosing v = >k for somek ≥ 1. Then u>|v|−|u| ∈ X \ {ε}, which shows that u>ω has a nonempty finite prefix thatis in X.

Lemma K.2. Let r be a sere and w ∈ Σ∞. The following are equivalent :

(1) For every finite u � w : u>ω |= r!.

(2) w |= r! or w ∈ cl(L(r)).

Proof. Follows from Definition 23, Lemmas E.1 and D.2, and Lemma K.1.

Theorem 22. Let r be a sere and w ∈ Σ∞. The following are equivalent :

(1) For every finite u � w : u>ω |= r!.(2) w |= r.

Proof. Follows from Theorems 20 and 21 and Lemma K.2.


A:35

L. PROOF OF THEOREM 23

Theorem 23. Let f ∈ ltlsere and let w ∈ Σ∞. Then

(1) w |= f ⇒ w>ω |= f.(2) w⊥ω |= f ⇒ w |= f.

Proof. If w is infinite, then w>ω = w = w⊥ω, so both (1) and (2) hold trivially.Assume therefore that w is finite. The proof is by induction over the structure of f . Thecases f = g ∨ h and f = X g are omitted as derived forms.

f = r!:

w |= r! iff ∃u � w : u ∈ L(r) \ {ε}⇒ ∃u � w>ω : u ∈ L(r) \ {ε}iff w>ω |= r!

w⊥ω |= r! iff ∃u � w⊥ω : u ∈ L(r) \ {ε}⇒ [Lemma E.1] ∃u � w : u ∈ L(r) \ {ε}iff w |= r!

f = r:w |= r iff [Theorem 22] ∀ finite u � w, u>ω |= r!

⇒ [w is finite, let u = w] w>ω |= r!⇒ w>ω |= r

w⊥ω |= r iff [Theorem 22] ∀ finite u � w⊥ω, u>ω |= r!⇒ ∀ finite u � w, u>ω |= r!iff [Theorem 22] w |= r

f = ¬g:

w>ω |=/ ¬g iff w⊥ω |= g ⇒ [induction] w |= g iff w |=/ ¬gw |=/ ¬g iff w |= g ⇒ [induction] w>ω |= g iff w⊥ω |=/ ¬g

f = g ∧ h:w |= g ∧ h iff w |= g and w |= h

⇒ [induction] w>ω |= g and w>ω |= hiff w>ω |= g ∧ h

w⊥ω |= g ∧ h iff w⊥ω |= g and w⊥ω |= h⇒ [induction] w |= g and w |= hiff w |= g ∧ h

f = X! g:w |= X! g iff |w| > 1 and w1.. |= g

⇒ [induction] |w| > 1 and w1..>ω |= g⇒ [w1..>ω = (w>ω)1..] |w>ω| > 1 and (w>ω)1.. |= giff w>ω |= X! g

w⊥ω |= X! g iff |w⊥ω| > 1 and (w⊥ω)1.. |= giff [|w⊥ω| = ω, (w⊥ω)1.. = w1..⊥ω(w1.. = ε if |w| ≤ 1)] w1..⊥ω |= g

iff [⊥ω |=/ g by Theorem 16] |w| > 1 and w1..⊥ω |= g⇒ [induction] |w| > 1 and w1.. |= giff w |= X! g

f = [g U h]:w |= [g U h]


A:38

(2) (⇒) Assume that w⊥ω |= f . By Prefix/Extension (Corollary M.2), ∀v � w : v⊥ω |=f . Then by Strength Relation (Theorem 23), ∀v � w : v |= f .(⇐) Trivial.


(1) cl(J〈f〉K) = {w ∈ Σ∞ | ∀ finite u � w : u>ω ∈ J〈f〉K}.(2) int(J〈f〉K) = {w ∈ Σ∞ | ∃ finite u � w : u⊥ω ∈ J〈f〉K}.

Proof.

cl(J〈f〉K) = [Proposition 3] {w ∈ Σ∞ | ∀ finite u � w : ∃v � u s.t. v ∈ J〈f〉K}= [Lemma M.3] {w ∈ Σ∞ | ∀ finite u � w : u>ω ∈ J〈f〉K}

This proves (1). A dual argument proves (2).

N. PROOF OF THEOREM 25

Theorem 25. Let r be a sere. Then

• J〈r〉K = cl(J〈r!〉K) = cl(J〈r〉K).• J〈r!〉K = int(J〈r〉K) = int(J〈r!〉K).In particular, r is semantically weak and r! is semantically strong.

Proof. The cl and int operators are idempotent, so in each case the second equalityfollows from the first. From Definitions 24 and 26, the outer equality J〈r〉K = cl(J〈r〉K) impliesr is semantically weak and the outer equality J〈r!〉K = int(J〈r!〉K) implies r! is semanticallystrong. It remains to prove the first equalities.

•w ∈ cl(J〈r!〉K)iff [Theorem 24] ∀ finite u � w : u>ω |= r!iff [Theorem 22] w ∈ J〈r〉K

•w ∈ int(J〈r〉K)iff [Theorem 24] ∃ finite u � w : u⊥ω |= r

iff [Definition 23] ∃ finite u � w : u⊥ω ∈ ((L(r) \ {ε})Σ∞) ∪ I(r) ∪ F(r) ∪ {ε}iff [F(r) ∪ {ε} ⊆ Σ∗; no letter of any word in I(r) is ⊥ by Lemma E.1]

∃ finite u � w : u⊥ω ∈ (L(r) \ {ε})Σ∞iff [no letter of any word in L(r) is ⊥ by Lemma E.1]

∃ finite u � w : ∃v � u : v ∈ L(r) \ {ε}iff ∃ finite v � w : v ∈ L(r) \ {ε}iff w ∈ J〈r!〉K


A:39

O. PROOF OF THEOREM 26

Lemma O.1. Let g, h ∈ ltlsere.

• cl(J〈g ∧ h〉K) = cl(J〈g〉K) ∩ cl(J〈h〉K) • int(J〈g ∧ h〉K) = int(J〈g〉K) ∩ int(J〈h〉K)• cl(J〈g ∨ h〉K) = cl(J〈g〉K) ∪ cl(J〈h〉K) • int(J〈g ∨ h〉K) = int(J〈g〉K) ∪ int(J〈h〉K)• cl(J〈X g〉K) = cl(J〈X! g〉K) • int(J〈X g〉K) = int(J〈X! g〉K)• cl(J〈[g W h]〉K) = cl(J〈[g U h]〉K) • int(J〈[g W h]〉K) = int(J〈[g U h]〉K)

Proof.

•w ∈ cl(J〈g ∧ h〉K)iff [Theorem 24] ∀ finite u � w : u>ω |= g ∧ hiff ∀ finite u � w : u>ω |= g and u>ω |= hiff (∀ finite u � w : u>ω |= g) and (∀ finite u � w : u>ω |= h)iff [Theorem 24] w ∈ cl(J〈g〉K) ∩ cl(J〈h〉K)A dual argument shows that int(J〈g ∨ h〉K) = int(J〈g〉K) ∪ int(J〈h〉K).

• int(J〈g ∧ h〉K) = int(J〈g〉K) ∩ int(J〈h〉K) because int(X ∩ Y ) = int(X) ∩ int(Y ) in anytopological space. A dual argument shows that cl(J〈g ∨ h〉K) = cl(J〈g〉K) ∪ cl(J〈h〉K).

•w ∈ cl(J〈X g〉K)iff [Theorem 24] ∀ finite u � w : u>ω |= X giff [|u>ω| > 1] ∀ finite u � w : u>ω |= X! giff [Theorem 24] w ∈ cl(J〈 X! g〉K)

•w ∈ int(J〈X g〉K)iff [Theorem 24] ∃ finite u � w : u⊥ω |= X giff [|u⊥ω| > 1] ∃ finite u � w : u⊥ω |= X! giff [Theorem 24] w ∈ int(J〈X! g〉K)

•w ∈ cl(J〈[g W h]〉K)iff [Theorem 24] ∀ finite u � w : u>ω |= [g W h]iff ∀ finite u � w : either u>ω |= [g U h] or ∀i ≥ 0 : ui..>ω |= giff ∀ finite u � w : either (∃k ≥ 0 : uk..>ω |= h and ∀j, 0 ≤ j < k : uj..>ω |= g) or ∀i ≥0 : ui..>ω |= giff [ (⇒) Let u � w be finite. Suppose that ∀i ≥ 0 : ui..>ω |= g. Pickk = |u|. Then uk.. = ε, so uk..>ω = >ω, which satisfies h by Theorem 16. ]∀ finite u � w : ∃k ≥ 0 : uk..>ω |= h and ∀j, 0 ≤ j < k : uj..>ω |= giff ∀ finite u � w : u>ω |= [g U h]iff [Theorem 24] w ∈ cl(J〈[g U h]〉K)

•w ∈ int(J〈[g W h]〉K)iff [Theorem 24] ∃ finite u � w : u⊥ω |= [g W h]iff ∃ finite u � w : either u⊥ω |= [g U h] or ∀i ≥ 0 : ui..⊥ω |= giff ∃ finite u � w : either (∃k ≥ 0 : uk..⊥ω |= h and ∀j, 0 ≤ j < k : uj..⊥ω |= g) or (∀i ≥0 : ui..⊥ω |= g)iff [ (⇒) Let u � w be finite. Pick i = |u|. Then ui.. = ε so ui..⊥ω = ⊥ω, which doesnot satisfy g by Theorem 16. ] ∃ finite u � w : ∃k ≥ 0 : uk..⊥ω |= h and ∀j, 0 ≤ j < k :uj..⊥ω |= giff ∃ finite u � w : u⊥ω |= [g U h]iff [Theorem 24] w ∈ int(J〈[g U h]〉K)


A:40

Lemma O.2. Let g, h ∈ ltlsere. Let u ∈ Σ∗, w ∈ Σ∞.

• u>ω |= [g U h] iff ∀i ≥ 0 : either ui..>ω |= g or ∃j, 0 ≤ j ≤ i : uj..>ω |= h.•w |= [g W h] iff ∀i, 0 ≤ i < |w| : either wi.. |= g or ∃j, 0 ≤ j ≤ i : wj.. |= h.

Proof.

• u>ω |= [g U h]iff ∃k ≥ 0 : uk..>ω |= h and ∀j, 0 ≤ j < k : uj..>ω |= giff [ (⇒) Let 0 ≤ i. If k ≤ i, then ∃j, 0 ≤ j ≤ i (namely j = k): uj..>ω |= h. Otherwise,i < k, so ui..>ω |= g.(⇐) u|u|..>ω = >ω |= h, so pick k minimal such that uk..>ω |= h. Let 0 ≤ j < k.

There is no 0 ≤ j′ ≤ j such that uj′..>ω |= h, so we must have uj..>ω |= g. ] ∀i ≥ 0 :

either ui..>ω |= g or ∃j, 0 ≤ j ≤ i : uj..>ω |= h•w |= [g W h]

iff either(A): ∃k ≥ 0 : wk.. |= h and ∀j, 0 ≤ j < k : wj.. |= gor(B): ∀i, 0 ≤ i < |w| : wi.. |= giff [ (⇒) Let 0 ≤ i < |w|. Suppose (A) holds. If i < k, then wi.. |= g. Otherwise k ≤ i,so, taking j = k, ∃j, 0 ≤ j ≤ i : wj.. |= h. Suppose now that (B) holds. Then wi.. |= g.

(⇐) Suppose that (B) fails. Choose k minimal such that wk.. |=/ g. Then ∀j, 0 ≤ j <

k : wj.. |= g. From below, ∃k′, 0 ≤ k′ ≤ k : wk′.. |= h. Therefore, (A) is satisfied. ]

∀i, 0 ≤ i < |w| : either wi.. |= g or ∃j, 0 ≤ j ≤ i : wj.. |= h

Lemma O.3. Let g, h ∈ ltlsere be semantically weak and let g′, h′ ∈ ltlsere besemantically strong.

• J〈X g〉K = cl(J〈X g〉K) = cl(J〈X! g〉K).• J〈X! g′〉K = int(J〈X g′〉K) = int(J〈X! g′〉K).

• J〈[g W h]〉K = cl(J〈[g W h]〉K) = cl(J〈[g U h]〉K).• J〈[g′ U h′]〉K = int(J〈[g′ W h′]〉K) = int(J〈[g′ U h′]〉K).In particular, X g and [g W h] are semantically weak, and X! g′ and [g′ U h′] aresemantically strong.

Proof.

• From Lemma O.1 we have that cl(J〈X g〉K) = cl(J〈X! g〉K). Clearly, w ∈ J〈X g〉K ⇒ w ∈cl(J〈X g〉K). It remains to show the other direction:

w ∈ cl(J〈X g〉K)iff w ∈ cl(J〈X! g〉K)iff [Theorem 24] ∀ finite u � w : u>ω |= X! giff [|u>ω| > 1] ∀ finite u � w : u1..>ω |= giff ∀ finite v � w1.. : v>ω |= giff [Theorem 24] w1.. ∈ cl(J〈g〉K)iff [g is semantically weak] w1.. ∈ J〈g〉K⇒ w ∈ J〈X g〉K


A:41

• From Lemma O.1 we have that int(J〈X g′〉K) = int(J〈X! g′〉K). Clearly, w ∈ int(J〈X! g′〉K) ⇒w ∈ J〈X! g′〉K. It remains to show the other direction:

w ∈ int(J〈X! g′〉K)iff [Theorem 24] ∃ finite u � w : u⊥ω |= X! g′

iff [|u⊥ω| > 1] ∃ finite u � w : u1..⊥ω |= g′

iff ∃ finite v � w1.. : v⊥ω |= g′

iff [Theorem 24] w1.. ∈ int(J〈g′〉K)iff [g′ is semantically strong] w1.. ∈ J〈g′〉K⇐ w ∈ J〈X! g′〉K

• From Lemma O.1 we have that cl(J〈[g W h]〉K) = cl(J〈[g U h]〉K). Clearly,w ∈ J〈[g W h]〉K⇒ w ∈ cl(J〈[g W h]〉K). It remains to show the other direction:

w ∈ cl(J〈[g W h]〉K)iff w ∈ cl(J〈[g U h]〉K)iff [Theorem 24] ∀ finite u � w : u>ω |= [g U h]iff [Lemma O.2]∀ finite u � w : ∀i ≥ 0 :either ui..>ω |= gor ∃j, 0 ≤ j ≤ i : uj..>ω |= h

⇒ [ Let 0 ≤ i < |w|. Assume that (A) below fails, so that ∀j, 0 ≤ j ≤ i :

∃ finite vj � wj.. : vj>ω |=/ h. Let ui � wi.. be finite. Then ui = wi..i+|ui|−1 and

vj = wj..j+|vj |−1. Let m be the maximum of i+ |ui| − 1 and the j + |vj | − 1, 0 ≤ j ≤ i.Let u = w0..m. Then ui � ui.. and for all j, 0 ≤ j ≤ i, vj � uj... By Lemma M.1,

uj..>ω |=/ h. From above, ui..>ω |= g, and so by Lemma M.1, ui>ω |= g. ]

∀i, 0 ≤ i < |w| :either ∀ finite u � wi.. : u>ω |= gor (A) : ∃j, 0 ≤ j ≤ i : ∀ finite u ≤ wj.. : u>ω |= h

iff [Theorem 24]∀i, 0 ≤ i < |w| :either wi.. ∈ cl(J〈g〉K)or ∃j, 0 ≤ j ≤ i : wj.. ∈ cl(J〈h〉K)

iff [g, h are semantically weak]∀i, 0 ≤ i < |w| :either wi.. |= gor ∃j, 0 ≤ j ≤ i : wj.. |= h

iff [Lemma O.2] w ∈ J〈[g W h]〉K

• From Lemma O.1 we have that int(J〈[g′ W h′]〉K) = int(J〈[g′ U h′]〉K).Clearly, w ∈ int(J〈g′ U h′〉K)⇒ w ∈ J〈g′ U h′〉K. It remains to show the other direction:

w ∈ int(J〈[g′ U h′]〉K)iff [Theorem 24] ∃ finite u � w : u⊥ω |= [g′ U h′]iff∃ finite u � w : ∃k ≥ 0 :both uk..⊥ω |= h′

and ∀j, 0 ≤ j < k : uj..⊥ω |= g′


A:42

⇐ [ Let k be given from below, so that ∃ finite uk � wk.. : uk⊥ω |= h′ and∀j, 0 ≤ j < k : ∃ finite vj � wj.. : vj⊥ω |= g′. Then uk = wk..k+|uk|−1 and

vj = wj..j+|vj |−1. Let m be the maximum of k + |uk| − 1 and the j + |vj | − 1, 0 ≤ j < k.Let u = w0..m. Then uk � uk.. and for all j, 0 ≤ j < k, vj � uj... By Lemma M.1,uk..⊥ω |= h′ and uj..⊥ω |= g′ for all j, 0 ≤ j < k. ]

∃k, 0 ≤ k < |w| :both ∃ finite u � wk.. : u⊥ω |= h′

and ∀j, 0 ≤ j < k : ∃ finite u � wj.. : u⊥ω |= g′

iff [Theorem 24]∃k, 0 ≤ k < |w| :both wk.. ∈ int(J〈h′〉K)and ∀j, 0 ≤ j < k : wj.. ∈ int(J〈g′〉K)iff [g′, h′ are semantically strong]∃k, 0 ≤ k < |w| :both wk.. |= h′

and ∀j, 0 ≤ j < k : wj.. |= g′

iff w ∈ J〈[g′ U h′]〉K

Lemma O.4 (Top. Characterization of Syntactically Weak/Strong Formulas).Let f ∈ ltlsere.

(1) If f is syntactically weak, then f is semantically weak.(2) If f is syntactically strong, then f is semantically strong.

Proof.

(1) By induction (assume that f is syntactically weak):f = r: By Theorem 25, r is semantically weak.f = g ∧ h: cl(J〈g ∧ h〉K) = [Lemma O.1] cl(J〈g〉K) ∩ cl(J〈h〉K) = [induction] J〈g〉K ∩ J〈h〉K= J〈g ∧ h〉K.f = g ∨ h: cl(J〈g ∨ h〉K) = cl(J〈g〉K ∪ J〈h〉K) = cl(J〈g〉K) ∪ cl(J〈h〉K) = [induction] J〈g〉K ∪ J〈h〉K= J〈g ∨ h〉K.f = X g, f = [g W h]: g, h are syntactically weak, hence semantically weak by in-duction. By Lemma O.3, f is semantically weak.

(2) The arguments are dual to those for Part (1).

Lemma O.5 (Weakening/Strengthening a Formula). Let f ∈ ltlsere be aformula in positive normal form. Let fw be the formula obtained from f by weakening alloperators (replacing X! with X, U with W, and r! with r for a regular expression r). Let fsbe the formula obtained from f by strengthening all operators. Then

• J〈fw〉K = cl(J〈f〉K).• J〈fs〉K = int(J〈f〉K).

Proof. Using Theorem 25, Lemma O.1, and induction, cl(J〈f〉K) = cl(J〈fw〉K). fw is syn-tactically weak, so by Lemma O.4, cl(J〈fw〉K) = J〈fw〉K. This proves the first item. The proofof the second item is similar.


A:43

Theorem 26. Let ϕ be an ltlsere formula in positive normal form. Let ϕw be theformula obtained by weakening all operators (replacing X! with X, U with W, and r! withr.). Let ϕs be the formula obtained by strengthening all operators. Then


Proof. Follows from Lemma O.5 and Definition 24.

P. PROOF OF THEOREM 27


• weak(ϕ) = {w ∈ Σ∞ | ∀ finite u � w : u>ω ∈ J〈ϕ〉K}.• strong(ϕ) = {w ∈ Σ∞ | ∃ finite u � w : u⊥ω ∈ J〈ϕ〉K}.

Proof. Follows from Theorem 24 and Definition 24.

Q. PROOF OF THEOREM 28


fpref ( (Σ∞ \ strong(ϕ)) \ (Σ∞ \ weak(ϕ)) ) ∩ (Σ∞ \ weak(ϕ)) = ∅.

Proof. (Σ∞ \ strong(ϕ)) \ (Σ∞ \ weak(ϕ)) = weak(ϕ) \ strong(ϕ)=bd(J〈ϕ〉K). Sinceweak(ϕ) is closed, it follows that bd(J〈ϕ〉K) ⊆ weak(ϕ) and hence also that fpref (bd(J〈ϕ〉K)) ⊆weak(ϕ). Therefore, fpref (bd(J〈ϕ〉K)) ∩ (Σ∞ \ weak(ϕ)) = ∅.

R. PROOF OF THEOREM 29

Lemma R.1. · : Σ∞ → Σ∞ is a homeomorphism.

Proof. Clearly, · is bijective, and · is its own inverse. Therefore, it remains to showthat · is continuous.

V ⊆ Σ∞ is topologically closediff [Proposition 2] V is both prefix closed and limit closediff V is both prefix closed and limit closediff [Proposition 2] V is topologically closed

Remark R.2. Note that by definition, for ϕ ∈ ltlsere, J〈¬ϕ〉K = J〈ϕ〉Kc. Note also that

W cc = Σ∞ \W c = Σ∞ \ (Σ∞ \W ) = Σ∞ \ (Σ∞ \W ) = W = W .

Lemma R.3. Let f ∈ ltlsere. Then

(1) cl(J〈¬f〉K) = (int(J〈f〉K))c.(2) int(J〈¬f〉K) = (cl(J〈f〉K))c.

Proof.


A:44

(1)cl(J〈¬f〉K)

= cl(J〈f〉Kc)= cl(Σ∞ \ J〈f〉K)= [if X is a space and A ⊆ X, then cl(X \A) = X \ int(A) ]

Σ∞ \ int(J〈f〉K)= [ · is a homeomorphism by Lemma R.1]

Σ∞ \ int(J〈f〉K)= (int(J〈f〉K))c

(2)int(J〈¬f〉K)

= (int(J〈¬f〉K))cc= [Part (1)] (cl(J〈¬¬f〉K))c= (cl(J〈f〉K))c



Proof. Follows from Lemma R.3 and Definition 24.

S. PROOF OF THEOREM 30

Theorem 30. Let ϕ be an ltlsere formula. Then ϕ is semantically strong iff ¬ϕ is se-mantically weak.

Proof.

¬ϕ is semantically weakiff cl(J〈¬ϕ〉K) = J〈¬ϕ〉Kiff cl(J〈ϕ〉Kc) = J〈ϕ〉Kciff [ · is bijective]

cl(J〈ϕ〉Kc) = J〈ϕ〉Kciff [ · is a homeomorphism by Lemma R.1]

cl(J〈ϕ〉Kc) = J〈ϕ〉Kc

iff cl(Σ∞ \ J〈ϕ〉K) = Σ∞ \ J〈ϕ〉Kiff Σ∞ \ cl(Σ∞ \ J〈ϕ〉K) = J〈ϕ〉Kiff [if X is a space and A ⊆ X, then int(A) = X \ cl(X \A)]

int(J〈ϕ〉K) = J〈ϕ〉Kiff ϕ is semantically strong

T. PROOF OF THEOREM 31


(1) ϕ is semantically weak iff ϕ is non-pathologically safe.(2) ϕ is semantically strong iff ¬ϕ is non-pathologically safe.

Proof.

(1) Follows from Theorem 30 and the second part.


A:45

(2) ϕ is semantically strong⇔w |= ϕ iff ∃ finite u � w such that u⊥ω ∈ J〈ϕ〉K⇔w |= ϕ iff ∃ an informative bad prefix of w for ¬ϕ⇔¬ϕ is non-pathologically safe

U. PROOF OF THEOREM 32

Theorem 32. Let ϕ be an ltlsere formula, and let M ⊆ Σ∞. Searching for words in Mthat have informative bad prefixes for ϕ is equivalent to searching for words in M that arenot in weak(ϕ).

Proof.

∃w ∈M s.t. w 6∈ weak(ϕ)

iff ∃w ∈M s.t. w 6∈ {v ∈ Σ∞ | ∀u � v : u>ω |= ϕ}iff ∃w ∈M s.t. not(∀u � w : u>ω |= ϕ)iff ∃w ∈M s.t. ∃u � w : u>ω 6|= ϕiff [u = u since M ⊆ Σ∞]

∃w ∈M s.t. ∃u � w : u⊥ω |= ¬ϕiff ∃w ∈M s.t. w has an informative bad prefix of ϕ

V. PROOFS OF THEOREMS 33 AND 34


(1) J〈f〉K ⊆ J〈f〉K− ⊆ cl(J〈f〉K).(2) J〈f〉K ⊇ J〈f〉K+ ⊇ int(J〈f〉K).Proof.

(1) The first containment is by Strength Relation (Theorem 23). Suppose that w ∈ J〈f〉K−.Then w>ω |= f . By Prefix/Extension (Corollary M.2), ∀u � w : u>ω |= f , so byTheorem 24, w ∈ cl(J〈f〉K).

(2) The first containment is by Strength Relation (Theorem 23). Suppose w ∈ int(J〈f〉K).By Theorem 24, ∃ finite u � w : u⊥ω |= f . By Prefix/Extension (Corollary M.2),∀v � u : v⊥ω |= f . In particular, w⊥ω |= f , so w ∈ J〈f〉K+.

Theorem 34. Let ϕ in ltlsere. The sets of finite words in J〈f〉K− and cl(J〈f〉K) are thesame, i.e.,

J〈f〉K− ∩ Σ∗ = cl(J〈f〉K) ∩ Σ∗.

Proof. From Theorem 33 we have that J〈f〉K− ⊆ cl(J〈f〉K). Let w ∈ cl(J〈f〉K) be finite.Then there exists v � w s.t. v ∈ J〈f〉K, and by Theorem 23, v ∈ J〈f〉K−, so v>ω |= f . Now, byLemma M.1, it follows that w>ω |= f , hence w ∈ J〈f〉K−.


A Safety and Liveness, Weakness and Strength, and the ...fisman/documents/EFH_TOCL14.pdfSafety and...

Documents

Transcript of A Safety and Liveness, Weakness and Strength, and the ...fisman/documents/EFH_TOCL14.pdfSafety and...