Linear temporal logic

In logic, linear temporal logic or linear-time temporal logic^[1][2] (LTL) is a modal temporal logic with modalities referring to time. In LTL, one can encode formulae about the future of paths, e.g., a condition will eventually be true, a condition will be true until another fact becomes true, etc. It is a fragment of the more complex CTL*, which additionally allows branching time and quantifiers. LTL is sometimes called propositional temporal logic, abbreviated PTL.^[3] In terms of expressive power, linear temporal logic (LTL) is a fragment of first-order logic.^[4][5]

LTL was first proposed for the formal verification of computer programs by Amir Pnueli in 1977.^[6]

LTL is built up from a finite set of propositional variables AP, the logical operators ¬ and ∨, and the temporal modal operators X (some literature uses O or N) and U. Formally, the set of LTL formulas over AP is inductively defined as follows:

• if p ∈ AP then p is an LTL formula;
• if ψ and φ are LTL formulas then ¬ψ, φ ∨ ψ, X ψ, and φ U ψ are LTL formulas.^[7]

X is read as next and U is read as until. Other than these fundamental operators, there are additional logical and temporal operators defined in terms of the fundamental operators, in order to write LTL formulas succinctly. The additional logical operators are ∧, →, ↔, true, and false. Following are the additional temporal operators.

• G for always (globally)
• F for finally
• R for release
• W for weak until
• M for mighty release

An LTL formula can be satisfied by an infinite sequence of truth valuations of variables in AP. These sequences can be viewed as a word on a path of a Kripke structure (an ω-word over alphabet 2^AP). Let w = a₀,a₁,a₂,... be such an ω-word. Let w(i) = a_i. Let wⁱ = a_i,a_i+1,..., which is a suffix of w. Formally, the satisfaction relation ⊨ between a word and an LTL formula is defined as follows:

• w ⊨ p if p ∈ w(0)
• w ⊨ ¬ψ if w ⊭ ψ
• w ⊨ φ ∨ ψ if w ⊨ φ or w ⊨ ψ
• w ⊨ X ψ if w¹ ⊨ ψ (in the next time step ψ must be true)
• w ⊨ φ U ψ if there exists i ≥ 0 such that wⁱ ⊨ ψ and for all 0 ≤ k < i, w^k ⊨ φ (φ must remain true until ψ becomes true)

We say an ω-word w satisfies an LTL formula ψ when w ⊨ ψ. The ω-language L(ψ) defined by ψ is {w | w ⊨ ψ}, which is the set of ω-words that satisfy ψ. A formula ψ is satisfiable if there exist an ω-word w such that w ⊨ ψ. A formula ψ is valid if for each ω-word w over alphabet 2^AP, we have w ⊨ ψ.

The additional logical operators are defined as follows:

• φ ∧ ψ ≡ ¬(¬φ ∨ ¬ψ)
• φ → ψ ≡ ¬φ ∨ ψ
• φ ↔ ψ ≡ (φ → ψ) ∧ ( ψ → φ)
• true ≡ p ∨ ¬p, where p ∈ AP
• false ≡ ¬true

The additional temporal operators R, F, and G are defined as follows:

• ψ R φ ≡ ¬(¬ψ U ¬φ) ( φ remains true until and including once ψ becomes true. If ψ never becomes true, φ must remain true forever. ψ releases φ.)
• F ψ ≡ true U ψ (eventually ψ becomes true)
• G ψ ≡ false R ψ ≡ ¬F ¬ψ (ψ always remains true)

Some authors also define a weak until binary operator, denoted W, with semantics similar to that of the until operator but the stop condition is not required to occur (similar to release).^[8] It is sometimes useful since both U and R can be defined in terms of the weak until:

• ψ W φ ≡ (ψ U φ) ∨ G ψ ≡ ψ U (φ ∨ G ψ) ≡ φ R (φ ∨ ψ)
• ψ U φ ≡ Fφ ∧ (ψ W φ)
• ψ R φ ≡ φ W (φ ∧ ψ)

The strong release binary operator, denoted M, is the dual of weak until. It is defined similar to the until operator, so that the release condition has to hold at some point. Therefore, it is stronger than the release operator.

• ψ M φ ≡ ¬(¬ψ W ¬φ) ≡ (ψ R φ) ∧ F ψ ≡ ψ R (φ ∧ F ψ) ≡ φ U (ψ ∧ φ)

The semantics for the temporal operators are pictorially presented as follows.

Textual	Symbolic	Explanation	Diagram
Unary operators:
X φ	${\displaystyle \bigcirc \varphi }$	neXt: φ has to hold at the next state.
F φ	${\displaystyle \Diamond \varphi }$	Finally: φ eventually has to hold (somewhere on the subsequent path).
G φ	${\displaystyle \Box \varphi }$	Globally: φ has to hold on the entire subsequent path.
Binary operators:
ψ U φ	${\displaystyle \psi \;{\mathcal {U}}\,\varphi }$	Until: ψ has to hold at least until φ becomes true, which must hold at the current or a future position.
ψ R φ	${\displaystyle \psi \;{\mathcal {R}}\,\varphi }$	Release: φ has to be true until and including the point where ψ first becomes true; if ψ never becomes true, φ must remain true forever.
ψ W φ	${\displaystyle \psi \;{\mathcal {W}}\,\varphi }$	Weak until: ψ has to hold at least until φ; if φ never becomes true, ψ must remain true forever.
ψ M φ	${\displaystyle \psi \;{\mathcal {M}}\,\varphi }$	Strong release: φ has to be true until and including the point where ψ first becomes true, which must hold at the current or a future position.

Let φ, ψ, and ρ be LTL formulas. The following tables list some of the useful equivalences that extend standard equivalences among the usual logical operators.

All the formulas of LTL can be transformed into negation normal form, where

• all negations appear only in front of the atomic propositions,
• only other logical operators true, false, ∧, and ∨ can appear, and
• only the temporal operators X, U, and R can appear.

Using the above equivalences for negation propagation, it is possible to derive the normal form. This normal form allows R, true, false, and ∧ to appear in the formula, which are not fundamental operators of LTL. Note that the transformation to the negation normal form does not blow up the length of the formula. This normal form is useful in translation from an LTL formula to a Büchi automaton.

LTL can be shown to be equivalent to the monadic first-order logic of order, FO[<]—a result known as Kamp's theorem—^[9] or equivalently to star-free languages.^[10]

Computation tree logic (CTL) and linear temporal logic (LTL) are both a subset of CTL*, but are incomparable. For example,

• No formula in CTL can define the language that is defined by the LTL formula F(G p).
• No formula in LTL can define the language that is defined by the CTL formulas AG( p → (EXq ∧ EX¬q) ) or AG(EF(p)).

Model checking and satisfiability against an LTL formula are PSPACE-complete problems. LTL synthesis and the problem of verification of games against an LTL winning condition is 2EXPTIME-complete.^[11]

Automata-theoretic linear temporal logic model checking

LTL formulas are commonly used to express constraints, specifications, or processes that a system should follow. The field of model checking aims to formally verify whether a system meets a given specification. In the case of automata-theoretic model checking, both the system of interest and a specification are expressed as separate finite-state machines, or automata, and then compared to evaluate whether the system is guaranteed to have the specified property. In computer science, this type of model checking is often used to verify that an algorithm is structured correctly.

To check LTL specifications on infinite system runs, a common technique is to obtain a Büchi automaton that is equivalent to the model (accepts an ω-word precisely if it is the model) and another one that is equivalent to the negation of the property (accepts an ω-word precisely it satisfies the negated property) (cf. Linear temporal logic to Büchi automaton). In this case, if there is an overlap in the set of ω-words accepted by the two automata, it implies that the model accepts some behaviors which violate the desired property. If there is no overlap, there are no property-violating behaviors which are accepted by the model. Formally, the intersection of the two non-deterministic Büchi automata is empty if and only if the model satisfies the specified property.^[12]

Expressing important properties in formal verification

There are two main types of properties that can be expressed using linear temporal logic: safety properties usually state that something bad never happens (G¬ϕ), while liveness properties state that something good keeps happening (GFψ or G(ϕ →Fψ)).^[13] For example, a safety property may require that an autonomous rover never drives over a cliff, or that a software product never allows a successful login with an incorrect password. A liveness property may require that the rover always continues to collect data samples, or that a software product repeatedly sends telemetry data.

More generally, safety properties are those for which every counterexample has a finite prefix such that, however it is extended to an infinite path, it is still a counterexample. For liveness properties, on the other hand, every finite path can be extended to an infinite path that satisfies the formula.

Specification language

One of the applications of linear temporal logic is the specification of preferences in the Planning Domain Definition Language for the purpose of preference-based planning.^{[citation needed]}

Parametric linear temporal logic extends LTL with variables on the until-modality.^[14]

Wikimedia Commons has media related to Linear temporal logic.

• Action language
• Metric temporal logic
• Safety and liveness properties

• A presentation of LTL
• Linear-Time Temporal Logic and Büchi Automata
• LTL Teaching slides of professor Alessandro Artale at the Free University of Bozen-Bolzano
• LTL to Buchi translation algorithms a genealogy, from the website of Spot a library for model checking.