Extended bounded response LTL: a new safety fragment for efficient reactive synthesis

Formal Methods in System Design

Abstract

Reactive synthesis is a key technique for the design of correct-by-construction systems, which has been thoroughly investigated in the last decades. It consists of synthesizing a controller that reacts to the environment's inputs while satisfying a given temporal logic specification. Common approaches are based on the explicit construction of automata and on their determinization, which limits their scalability. In this paper, we introduce a new safety fragment of Linear Temporal Logic (LTL), called Extended Bounded Response LTL (\({\textsf {LTL}}_{{\textsf {EBR}}}\)), which allows one to combine bounded and universal unbounded temporal operators (thus covering a large set of practical cases). We show that reactive synthesis from \({\textsf {LTL}}_{{\textsf {EBR}}}\) specifications can be reduced to solving a safety game over a deterministic symbolic automaton built directly from the specification. We prove the correctness of the approach and study the complexity of the fragment, showing that the proposed solution is optimal. Finally, we evaluate it on various benchmarks, showing better performance than other approaches for general LTL or larger safety fragments.

Notes

  1. https://es-static.fbk.eu/tools/ebr-ltl-synth/.

  2. We point out that in some cases, like in the fourth category for \(n \ge 60\), MONA's memouts are due to its parser.

  3. The reason why we do not have a single survival plot comparing all the four tools is that Ssyft could not be compiled for the same platform as the others, due to issues with its source code.

  4. The official website of SYNTCOMP is the following: http://www.syntcomp.org/.

Acknowledgements

The authors would like to thank all the anonymous reviewers of FMCAD 2020 for their insightful comments on a preliminary version of this paper. Luca Geatti, Nicola Gigante, and Angelo Montanari would also like to acknowledge the support from the GNCS project: “Strategic reasoning and automatic synthesis of multi-agent systems”.

Corresponding author

Correspondence to Luca Geatti.

Appendices

A Proofs

Proposition A.1

(Soundness of pastification) Let \(\varphi \) be an \({\mathsf {LTL}}_{\mathsf {BF}}{+}{\mathsf {P}}\) formula. For all state sequences \(\sigma \in (2^\varSigma )^\omega \), all \(i \in \mathbb {N}\), and all \(d\ge D(\varphi )\), it holds that:

$$\begin{aligned} \sigma ,i \models \varphi&{\Leftrightarrow }\ \sigma ,i \models {{\mathsf {X} }^d \varPi (\varphi ,d)} \end{aligned}$$

Proof

The proof goes by structural induction over \(\varphi \). As the base case, consider an \(\textsf {LTL}_{\textsf {P}}\) formula \(\psi \), and since \(D(\psi )=0\), consider any \(d\ge 0\). It holds that \(\sigma ,i\models \psi \) if and only if \(\sigma ,i\models {\mathsf {X}^d \mathsf {Y}^d \psi }\), hence \(\sigma ,i+d \models {\mathsf {Y}^d \psi }\), which by definition of \(\varPi (\cdot )\) is equivalent to \(\sigma ,i+d\models \varPi (\psi ,d)\). For the inductive step, we consider multiple cases. The cases of the negation and conjunction operators are straightforward. Consider now the case \(\phi \equiv {\mathsf {X}\,\phi _1}\). We prove first the left-to-right direction. It holds that:

$$\begin{aligned} \begin{array}{llr} &{}\sigma ,i \models {\mathsf {X}\,\phi _1} \\ {\leftrightarrow }\; &{}\sigma ,i+1 \models \phi _1 \\ &{}&{}{ semantics\, of}\,\text {next} \\ {\leftrightarrow }\; &{}\forall d_1 \ge D(\phi _1) .\sigma ,i+1+d_1 \models \varPi (\phi _1,d_1) \\ &{}&{}{ inductive\, hypothesis\, on}\,\phi _1 \\ {\leftrightarrow }\; &{}\forall d \ge D(\phi _1)+1 .\sigma ,i+d \models \varPi (\phi _1,d-1) \\ &{}&{}{ with}\,d = d_1 + 1 \\ {\leftrightarrow }\; &{}\forall d \ge D(\phi ) .\sigma ,i+d \models \varPi (\phi _1,d-1) \\ &{}&{}{ since}\,D(\phi ) = D(\phi _1) + 1 \\ {\leftrightarrow }\; &{}\forall d \ge D(\phi ) .\sigma ,i+d \models \varPi ({\mathsf {X}\phi _1},d) \\ &{}&{}{ by\, definition\, of}\,\varPi (\cdot ) \\ {\leftrightarrow }\; &{}\forall d \ge D(\phi ) .\sigma ,i \models {\mathsf {X}^d}\varPi (\phi ,d) \end{array} \end{aligned}$$

Consider now the case \(\phi \equiv {\phi _1 \mathcal {U}^{[a,b]} \phi _2}\). The following equivalences hold:

$$\begin{aligned} \begin{array}{llr} &{}\sigma ,i\models \phi _1 \mathcal {U}^{[a,b]} \phi _2 \\ {\leftrightarrow }\; &{} \exists j_2 .\bigl ( (a \le j_2 \le b) \wedge \sigma ,i+j_2 \models \phi _2 \wedge \\ &{}\qquad \qquad \forall j_1 .( (0 \le j_1< j_2) \rightarrow \sigma ,i+j_1 \models \phi _1) \bigr ) \\ &{}&{}\!\!\!\!\!\!\!\!\!\!\!\! { semantics\, of}\,{\hbox {bounded until}} \\ {\leftrightarrow }\; &{} \forall d_1 \ge D(\phi _1) .\forall d_2 \ge D(\phi _2) .\Bigl ( \\ &{}\quad \exists j_2 .\bigl ( (a \le j_2 \le b) \wedge \sigma ,i+j_2+d_2 \models \varPi (\phi _2,d_2) \wedge \\ &{}\qquad \qquad \forall j_1 .( (0 \le j_1 < j_2) \rightarrow \sigma ,i+j_1+d_1 \models \varPi (\phi _1,d_1)) \bigr ) \Bigr ) \\ &{}&{} \!\!\!\!\!\!\!\!\!\!\!\! { by\, the\, inductive\, hypothesis} \end{array} \end{aligned}$$

Since \(D(\phi ) = b + \max \{D(\phi _1),D(\phi _2)\}\), it holds that \(D(\phi _1) \le D(\phi )-b\) and \(D(\phi _2) \le D(\phi )-b\). Therefore, for any first-order formula \(\phi (d_1,d_2)\) where \(d_1\) and \(d_2\) are free variables, it holds that if \(\forall d_1 \ge D(\phi _1) .\forall d_2 \ge D(\phi _2) .\phi (d_1,d_2)\) then \(\forall d \ge D(\phi ) .\phi [d_1 \mapsto (d-b), d_2 \mapsto (d-b)]\). And thus:

$$\begin{aligned} \begin{aligned}&\Rightarrow \, \forall d \ge D(\phi ) .\\&\quad \Bigl (\exists j_2 .\bigl ( (a \le j_2 \le b) \wedge \sigma ,i+j_2+d-b \models \varPi (\phi _2,d-b) \wedge \\&\qquad \forall j_1 .( (0 \le j_1< j_2) \rightarrow \sigma ,i+j_1+d-b \models \varPi (\phi _1,d-b)) \bigr ) \Bigr )\\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { since}\,D(\phi ) = b + \max {D(\phi _1),D(\phi _2)} \\&{\Leftrightarrow }\, \forall d \ge D(\phi ) .\\&\quad \Bigl (\exists k_2 .\bigl ( (a \le b-k_2 \le b) \wedge \sigma ,i+d-k_2 \models \varPi (\phi _2,d-b) \wedge \\&\qquad \forall j_1 .( (0 \le b-k_1 < b-k_2) \rightarrow \sigma ,i+d-k_1 \models \varPi (\phi _1,d-b)) \bigr ) \Bigr )\\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { with}\,k_2 = b - j_2\,{ and}\,k_1 = b - j_1 \\&{\Leftrightarrow }\, \forall d \ge D(\phi ) .\\&\quad \Bigl (\exists k_2 .\bigl ( (0 \le k_2 \le b-a) \wedge \sigma ,i+d-k_2 \models \varPi (\phi _2,d-b) \wedge \\&\qquad \forall j_1 .( (0 \le k_1 \le b-k_2-1) \rightarrow \sigma ,i+d-k_1-1 \models \varPi (\phi _1,d-b)) \bigr ) \Bigr ) \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { simple\, arithmetic} \\&{\Leftrightarrow }\, \forall d \ge D(\phi ) .\bigl ( \sigma ,i+d \models \bigvee _{k_2=0}^{b-a} {\mathsf {Y}^{k_2}}(\varPi (\phi _2, d-b) \wedge {\mathsf {H}^{[0,b-k_2-1]}\mathsf {Y}} \varPi (\phi _1,d-b)) \bigr ) \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { definition\, of}\,yesterday \,{ and}\,bounded\, historically \, { operators} \\&{\Leftrightarrow }\, \forall d \ge D(\phi ) .\bigl ( \sigma ,i \models {\mathsf {X}^{d}} \varPi ({\phi _1 \mathcal {U}^{[a,b]} \phi _2},d) \bigr ) \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { definition\, of}\,\varPi (\cdot ) \end{aligned} \end{aligned}$$

We now prove the right-to-left direction. It holds that:

$$\begin{aligned}&\forall d \ge D(\phi ) .\bigl ( \sigma ,i \models {\mathsf {X}^d}\left( \bigvee _{t=0}^{b-a}{\mathsf {Y}^t}(\varPi (\phi _2,d-t) \wedge {\mathsf {H}^{[0,b-t-1]} \mathsf {Y}\,\varPi (\phi _1,d-b)})\right) \bigr ) \\&{\Leftrightarrow }\, \forall d \ge D(\phi ) .\\&\qquad \bigl (\exists k_2 .( (0 \le k_2 \le b-a) \wedge \pi ,i+d-k_2 \models \varPi (\phi _2,d-b) \wedge \\&\qquad \qquad \forall k_1 .( (0 \le k_1 \le b-k_2-1) \wedge \pi ,i+d-k_2-k_1-1 \models \varPi (\phi _1,d-b))) \bigr ) \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { semantics\, of}\,yesterday \,{ and}\,bounded until \\&{\Leftrightarrow }\, \forall d \ge D(\phi ) .\\&\qquad \bigl (\exists k_2 .( (0 \le k_2 \le b-a) \wedge \pi ,i-k_2 \models {\mathsf {X}^d}\varPi (\phi _2,d-b) \wedge \\&\qquad \qquad \forall k_1 .( (0 \le k_1 \le b-k_2-1) \wedge \pi ,i-k_2-k_1-1 \models {\mathsf {X}^d}\varPi (\phi _1,d-b))) \bigr ) \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { semantics\, of}\,next \\&{\Leftrightarrow }\, \forall d_1 \ge D(\phi )-b .\forall d_2 \ge D(\phi )-b .\\&\qquad \bigl (\exists k_2 .( (0 \le k_2 \le b-a) \wedge \pi ,i-k_2 \models {\mathsf {X}^{d_2+b}}\varPi (\phi _2,d_2) \wedge \\&\qquad \qquad \forall k_1 .( (0 \le k_1 \le b-k_2-1) \wedge \pi ,i-k_2-k_1-1 \models {\mathsf {X}^{d_1+b}}\varPi (\phi _1,d_1))) \bigr ) \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { with}\,d_1=d-b\,{ and}\,d_2=d-b \\&{\Leftrightarrow }\, \forall d_1 \ge D(\phi )-b .\forall d_2 \ge D(\phi )-b .\\&\qquad \bigl (\exists k_2 .( (0 \le k_2 \le b-a) \wedge \pi ,i-k_2+b \models {\mathsf {X}^{d_2}}\varPi (\phi _2,d_2) \wedge \\&\qquad \qquad \forall k_1 .( (0 \le k_1 \le b-k_2-1) \wedge \pi ,i-k_2-k_1-1+b \models {\mathsf {X}^{d_1}}\varPi (\phi _1,d_1))) \bigr ) \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { semantics\, of}\,next \\ \end{aligned}$$

Since \(D(\phi _1) \le D(\phi )-b\) and \(D(\phi _2) \le D(\phi )-b\), the inductive hypothesis applies in particular for all \(d_1 \ge D(\phi _1)-b\) and for all \(d_2 \ge D(\phi _2)-b\), and thus we have:

$$\begin{aligned} \begin{aligned}&\Rightarrow \, \exists k_2 .( (0 \le k_2 \le b-a) \wedge \pi ,i-k_2+b \models \phi _2 \wedge \\&\qquad \forall k_1 .( (0 \le k_1 \le b-k_2-1) \wedge \pi ,i-k_2-k_1-1+b \models \phi _1)) \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { by\, inductive\, hypothesis} \\&{\Leftrightarrow }\, \exists j_2 .( (0 \le b-j_2 \le b-a) \wedge \pi ,i+j_2 \models \phi _2 \wedge \\&\qquad \forall j_1 .( (0 \le b-j_1 \le b+j_2-b-1) \wedge \pi ,i+j_2-b+j_1-1 \models \phi _1)) \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { with}\,j_2=b-k_2\,{ and}\,k_1=b-j_1 \\&{\Leftrightarrow }\, \exists j_2 .( (a \le j_2 \le b) \wedge \pi ,i+j_2 \models \phi _2 \wedge \\&\qquad \forall j_1 .( (b+1-j_2 \le j_1 \le b) \wedge \pi ,i+j_2-b+j_1-1 \models \phi _1)) \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { by\, simple\, arithmetics} \\&{\Leftrightarrow }\, \exists j_2 .( (a \le j_2 \le b) \wedge \pi ,i+j_2 \models \phi _2 \wedge \\&\qquad \forall l .( (b+1-j_2 \le l-j_2+1+b \le b) \wedge \pi ,i+l \models \phi _1)) \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { with}\,l=j_1+j_2-b-1 \\&{\Leftrightarrow }\, \exists j_2 .( (a \le j_2 \le b) \wedge \pi ,i+j_2 \models \phi _2 \wedge \\&\qquad \forall l .( (0 \le l < j_2) \wedge \pi ,i+l \models \phi _1)) \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { by\, simple\, arithmetics} \\&{\Leftrightarrow }\, \sigma ,i \models {\phi _1 \mathcal {U}^{[a,b]} \phi _2} \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad { by\, the\, semantics\, of}\,bounded until \\ \end{aligned} \end{aligned}$$

This concludes the proof. \(\square \)

Lemma A.1

(Strong equivalence for the rules) Let \(\psi \), \(\psi _1\), \(\psi _2\) and \(\psi _3\) be \(\textsf {LTL}_{\textsf {P}}\) formulas. For all state sequences \(\sigma \) and for all positions \(i \in \mathbb {N}\), it holds that:

  • \(R_1\): \({\sigma ,i\models {\mathsf {X} }(\psi _1 \wedge \psi _2) {\leftrightarrow }\sigma ,i \models {\mathsf {X} }\psi _1 \wedge {\mathsf {X} }\,\psi _2 }\)

  • \(R_2\): \({\sigma ,i \models \psi {{\mathcal {R}}}\,(\psi _1 \wedge \psi _2) {\leftrightarrow }\sigma , i \models \psi {{\mathcal {R}}}\,\psi _1 \wedge \psi {{\mathcal {R}}}\,\psi _2 }\)

  • \(R_3\): \({\sigma ,i \models ({\mathsf {X} }^i \psi _1) {{\mathcal {R}}}\,({\mathsf {X} }^j \psi _2)} {\leftrightarrow }\)

    $$\begin{aligned} \sigma ,i \models {\left\{ \begin{array}{ll} {{\mathsf {X} }^i(\psi _1 {{\mathcal {R}}}\,({\mathsf {Y} }^{i-j}\psi _2))} &{} \hbox { if } i>j \\ {{\mathsf {X} }^j(({\mathsf {Y} }^{j-i}\psi _1) {{\mathcal {R}}}\,\psi _2)} &{} \hbox { otherwise} \end{array}\right. } \end{aligned}$$
  • \(R_4\): \(\sigma ,i \models {({\mathsf {X} }^i \psi _1){{\mathcal {R}}}({\mathsf {X} }^j(\psi _2 {{\mathcal {R}}}\,\psi _3))} \Leftrightarrow \)

  • \(R_5\): \({\sigma ,i \models {\mathsf {G} }\,{\mathsf {X} }^i {\mathsf {G} }\psi {\leftrightarrow }\sigma , i \models {\mathsf {X} }^i {\mathsf {G} }\psi }\)

  • \(R_6\): \({\sigma ,i \models {\mathsf {G} }\,{\mathsf {X} }^i(\psi _1 {{\mathcal {R}}}\,\psi _2){\leftrightarrow }\sigma , i \models {\mathsf {X} }^i {\mathsf {G} }\,\psi _2}\)

  • \(R_7\): \({({\mathsf {X} }^i\psi _1) {{\mathcal {R}}}\,({\mathsf {X} }^j {\mathsf {G} }\,\psi _2 )} {\leftrightarrow }\)

    $$\begin{aligned} \sigma ,i \models {\left\{ \begin{array}{ll} {{\mathsf {X} }^i {\mathsf {G} }\,{\mathsf {Y} }^{i-j} \psi _2} &{} \hbox { if } i>j \\ {{\mathsf {X} }^j {\mathsf {G} }\,\psi _2} &{} \hbox { otherwise} \end{array}\right. } \end{aligned}$$
  • \(R_{flat}\):

Proof

Before starting the proof, we remark that the claim of this lemma asks not only for the equivalence between the left- and the right-hand side of the rules, but for the strong equivalence between the two, i.e., that for all the state sequences \(\sigma \) and for all the positions i, \(\sigma \) is a model starting from position i of the left-hand formula iff \(\sigma \) is a model starting from position i of the right-hand formula. Equivalence is a special case of strong equivalence, obtained by considering only \(i=0\). In our case, strong equivalence is needed because the left-hand side of the rules (except for \(R_{flat}\), for which we require only the equivalence) can appear as a subformula of the original \(\phi \) on which we apply the canonize algorithm, and thus it can potentially be interpreted at any position i. Since we want to maintain the equivalence between \(\phi \) and \({\textsf {canonize}} (\phi )\), we have to make sure that each subformula is strongly equivalent to the one by which it is replaced during the application of the rules. The only exception is the \(R_{flat}\) rule, which is applied only to top-level conjuncts or disjuncts, and thus we can require it to maintain only the equivalence.

Initially we prove the first two points (i.e., \(R_1\) and \(R_2\)). For the \(R_1\) rule, the following steps hold:

$$\begin{aligned}&\sigma ,i \models {\mathsf {X}(\psi _1 \wedge \psi _2)} \\ \Leftrightarrow&\sigma ,i+1 \models \psi _1 \wedge \psi _2 \\ \Leftrightarrow&\sigma ,i+1 \models \psi _1 \wedge \sigma ,i+1 \models \psi _2 \\ \Leftrightarrow&\sigma ,i \models {\mathsf {X}\,\psi _1} \wedge \sigma ,i \models {\mathsf {X}\,\psi _2} \\ \Leftrightarrow&\sigma ,i \models {\mathsf {X}\,\psi _1 \wedge \mathsf {X}\,\psi _2} \end{aligned}$$

Consider rule \(R_2\). We first prove that \(\sigma , s \models {\psi \mathcal {R}\,(\phi _1 \wedge \phi _2)}\) implies \(\sigma ,s \models {\psi \mathcal {R}\,\phi _1 \wedge \psi \mathcal {R}\, \phi _2}\), for all state sequences \(\sigma \) and for all positions s. Let \(\sigma \) be a state sequence and let \(s \in \mathbb {N}\) be a position such that \(\sigma ,s \models {\psi \mathcal {R}\,(\phi _1 \wedge \phi _2)}\). We divide in cases:

  1. if \(\forall i\ge s. (\sigma ,i \models \phi _1 \wedge \phi _2)\), then \(\forall i\ge s. \sigma ,i \models \phi _1\) and \(\forall i\ge s. \sigma ,i \models \phi _2\). Thus, \(\sigma ,s \models {\psi \mathcal {R}\,\phi _1}\) and \(\sigma ,s \models {\psi \mathcal {R}\,\phi _2}\), that is \(\sigma ,s \models {\psi \mathcal {R}\,\phi _1 \wedge \psi \mathcal {R}\, \phi _2}\).

  2. if \(\exists i \ge s. (\sigma ,i \models \psi \wedge \forall s \le j \le i. \sigma ,j \models (\phi _1 \wedge \phi _2))\) then

    $$\begin{aligned}&\Leftrightarrow \exists i \ge s. (\sigma ,i \models \psi \wedge \forall s \le j \le i. (\sigma ,j \models \phi _1) \wedge \\&\qquad \qquad \forall s \le k \le i. (\sigma ,k \models \phi _2)) \\&\Rightarrow \exists i \ge s. (\sigma ,i \models \psi \wedge \forall s \le j \le i. (\sigma ,j \models \phi _1)) \wedge \\&\qquad \exists i \ge s. (\sigma ,i \models \psi \wedge \forall 0 \le j \le i. (\sigma ,j \models \phi _2)) \\&\Leftrightarrow \sigma ,s \models {\psi \mathcal {R}\,\phi _1 \wedge \psi \mathcal {R}\, \phi _2} \end{aligned}$$

We now prove the opposite direction, that is \(\sigma ,s \models {\psi \mathcal {R}\,\phi _1 \wedge \psi \mathcal {R}\,\phi _2}\) implies \(\sigma ,s \models {\psi \mathcal {R}\,(\phi _1 \wedge \phi _2)}\), for all state sequences \(\sigma \) and for all positions s. Let \(\sigma \) be a state sequence and let \(s \in \mathbb {N}\) such that \(\sigma ,s \models {\psi \mathcal {R}\,\phi _1 \wedge \psi \mathcal {R}\, \phi _2}\). We divide again in cases:

  1. if \(\forall i \ge s. (\sigma ,i \models \phi _1) \wedge \forall i\ge s. (\sigma ,i \models \phi _2)\), then \(\forall i \ge s. (\sigma ,i \models \phi _1 \wedge \phi _2)\) and thus \(\sigma ,s \models {\psi \mathcal {R}\,(\phi _1 \wedge \phi _2)}\).

  2. if \(\forall i \ge s. (\sigma ,i \models \phi _1)\) and \(\exists i \ge s. (\sigma ,i \models \psi \wedge \forall s \le j \le i. \sigma ,j \models \phi _2)\), then \(\exists i \ge s. (\sigma ,i \models \psi \wedge \forall s \le j \le i . \sigma ,j \models (\phi _1 \wedge \phi _2))\), that is \(\sigma ,s \models {\psi \mathcal {R}\,(\phi _1 \wedge \phi _2)}\).

  3. if \(\exists i \ge s. (\sigma ,i \models \psi \wedge \forall s \le j \le i . \sigma ,j \models \phi _1)\) and \(\forall i \ge s. (\sigma ,i \models \phi _2)\), then \(\exists i\ge s. (\sigma ,i \models \psi \wedge \forall s \le j \le i. \sigma ,j \models \phi _1 \wedge \phi _2)\), that is \(\sigma ,s \models {\psi \mathcal {R}\,(\phi _1 \wedge \phi _2)}\).

  4. consider the case such that \(\exists l \ge s .(\sigma ,l \models \psi \wedge \forall s \le j \le l . \sigma ,j \models \phi _1)\) and \(\exists k \ge s. (\sigma ,k \models \psi \wedge \forall s \le j \le k . \sigma ,j \models \phi _2)\). Let \(i = \min (l,k)\): then \(\sigma ,i \models \psi \) and \(\forall s \le j \le i.(\sigma ,j \models \phi _1 \wedge \phi _2)\), that is \(\sigma ,s \models {\psi \mathcal {R}\,(\phi _1 \wedge \phi _2)}\).

This concludes the proof for the \(R_2\) rule.

Before proving the cases of the remaining rules, we define and prove the following auxiliary strong equivalences. For all state sequences \(\sigma \) and for all positions i, it holds that:

  • \(\bar{R_1}\): \({\sigma ,i \models \psi _1 \mathcal {R}\,(\mathsf {X}^i \psi _2) \ {\leftrightarrow }\ \sigma ,i \models \mathsf {X}^i((\mathsf {Y}^i\psi _1) \mathcal {R}\,\psi _2)}\)

  • \(\bar{R_2}\): \({\sigma ,i \models (\mathsf {X}^i\psi _1)\mathcal {R}\psi _2 \ {\leftrightarrow }\ \sigma ,i \models \mathsf {X}^i(\psi _1 \mathcal {R}\,(\mathsf {Y}^i\psi _2))}\)

  • \(\bar{R_3}\):

  • \(\bar{R_4}\): \({\sigma ,i \models \mathsf {Y}^i(\psi _1 \mathcal {R}\,\psi _2) \ {\leftrightarrow }\ \sigma ,i \models (\mathsf {Y}^i\psi _1) \mathcal {R}\,(\mathsf {Y}^i \psi _2)}\)

  • \(\bar{R_5}\): \({\sigma ,i \models \mathsf {G}\,\mathsf {G}\,\psi \ {\leftrightarrow }\ \sigma ,i \models \mathsf {G}\,\psi }\)

  • \(\bar{R_6}\): \({\sigma ,i \models \mathsf {G}(\psi _1 \mathcal {R}\,\psi _2) \ {\leftrightarrow }\ \sigma ,i \models \mathsf {G}\,\psi _2}\)

  • \(\bar{R_7}\): \({\sigma ,i \models \psi _1 \mathcal {R}\,(\mathsf {G}\psi _2) \ {\leftrightarrow }\ \sigma ,i \models \mathsf {G}\,\psi _2}\)

These will help in proving the cases for \(R_3\)-\(R_7\).
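The rules of Lemma A.1 and the auxiliary equivalences above can be sanity-checked by bounded exhaustive testing on ultimately periodic words; the Python sketch below is an added example, not code from the paper or its tool. It assumes \(\psi _1, \psi _2\) are the atoms p and q, writes the exponents as n and m (the page reuses i and j), takes the release semantics and the strong yesterday operator as used in the proofs, and relies on the standard fact that a formula with h nested past operators has periodic truth values on a lasso after h unrollings of the loop. The names `evaluate`, `rules` and `find_counterexample` are hypothetical.

```python
from itertools import combinations, product

ATOMS = ("p", "q")  # assumption: psi_1 := p, psi_2 := q (atoms stand in for LTL_P formulas)

def ap(name): return ("ap", name)
def And(a, b): return ("and", a, b)
def G(f): return ("G", f)
def R(a, b): return ("R", a, b)

def nest(op, k, f):
    """Apply the unary operator op ('X' or 'Y') k times to f."""
    for _ in range(k):
        f = (op, f)
    return f

def count_y(f):
    """Number of Y operators in f, an upper bound on its past nesting depth."""
    if f[0] == "ap":
        return 0
    return (f[0] == "Y") + sum(count_y(g) for g in f[1:])

def evaluate(f, word, loop):
    """Truth of f at each position of `word`, whose last `loop` letters repeat forever."""
    n, start = len(word), len(word) - loop
    succ = lambda pos: pos + 1 if pos + 1 < n else start
    op = f[0]
    if op == "ap":
        return [f[1] in letter for letter in word]
    a = evaluate(f[1], word, loop)
    if op == "X":
        return [a[succ(pos)] for pos in range(n)]
    if op == "Y":  # strong yesterday: false at position 0
        return [pos > 0 and a[pos - 1] for pos in range(n)]
    if op == "G":
        return [all(a[min(pos, start):]) for pos in range(n)]
    b = evaluate(f[2], word, loop)
    if op == "and":
        return [x and y for x, y in zip(a, b)]
    out = []  # release: b holds forever, or up to and including a position where a holds
    for pos in range(n):
        cur, val = pos, True
        for _ in range(n):
            if not b[cur]:
                val = False
                break
            if a[cur]:
                break
            cur = succ(cur)
        out.append(val)
    return out

def strongly_equivalent(lhs, rhs, u, v):
    """Compare lhs and rhs at every position of the lasso u . v^omega."""
    copies = max(count_y(lhs), count_y(rhs)) + 1  # unroll past the stabilisation point
    word = list(u) + list(v) * copies
    return evaluate(lhs, word, len(v)) == evaluate(rhs, word, len(v))

def rules(n, m):
    """Rules stated on the page (R2 needs a third atom; R4, R_flat, R3bar are not given)."""
    p, q = ap("p"), ap("q")
    X = lambda k, f: nest("X", k, f)
    Y = lambda k, f: nest("Y", k, f)
    return {
        "R1": (X(1, And(p, q)), And(X(1, p), X(1, q))),
        "R3": (R(X(n, p), X(m, q)),
               X(n, R(p, Y(n - m, q))) if n > m else X(m, R(Y(m - n, p), q))),
        "R5": (G(X(n, G(p))), X(n, G(p))),
        "R6": (G(X(n, R(p, q))), X(n, G(q))),
        "R7": (R(X(n, p), X(m, G(q))),
               X(n, G(Y(n - m, q))) if n > m else X(m, G(q))),
        "R1bar": (R(p, X(n, q)), X(n, R(Y(n, p), q))),
        "R2bar": (R(X(n, p), q), X(n, R(p, Y(n, q)))),
        "R4bar": (Y(n, R(p, q)), R(Y(n, p), Y(n, q))),
        "R5bar": (G(G(p)), G(p)),
        "R6bar": (G(R(p, q)), G(q)),
        "R7bar": (R(p, G(q)), G(q)),
        # Constructed negative control: R1bar with the Y^n shift dropped.
        "broken": (R(p, X(n, q)), X(n, R(p, q))),
    }

def find_counterexample(name, max_exp=2, max_len=2):
    """Return (n, m, u, v) refuting rule `name` within the bound, or None."""
    letters = [frozenset(c) for k in range(len(ATOMS) + 1)
               for c in combinations(ATOMS, k)]
    for n, m in product(range(max_exp + 1), repeat=2):
        lhs, rhs = rules(n, m)[name]
        for lu, lv in product(range(max_len + 1), range(1, max_len + 1)):
            for u in product(letters, repeat=lu):
                for v in product(letters, repeat=lv):
                    if not strongly_equivalent(lhs, rhs, u, v):
                        return n, m, u, v
    return None

if __name__ == "__main__":
    for rule in rules(0, 0):
        print(rule, find_counterexample(rule))
```

A `None` result only rules out counterexamples within the bound (exponents and word segments of length at most 2); it does not replace the proofs.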

Consider the case for rule \(\bar{R_1}\). We first prove that \({\sigma ,s \models \psi _1 \mathcal {R}\,(\mathsf {X}^i\psi _2)}\) implies \(\sigma ,s \models \mathsf {X}^i((\mathsf {Y}^i\psi _1) \mathcal {R}\,\psi _2)\), for all state sequences \(\sigma \) and all positions s. Let \(\sigma \) be a state sequence and let \(s \in \mathbb {N}\) such that \(\sigma , s \models {\psi _1 \mathcal {R}\,(\mathsf {X}^i\psi _2)}\). We divide in cases:

  1. if \(\forall j \ge s. \sigma ,j \models {\mathsf {X}^i\psi _2}\), then

    $$\begin{aligned}&\Leftrightarrow \forall j \ge s+i . \sigma ,j \models \psi _2 \\&\Rightarrow \sigma ,s+i \models {(\mathsf {Y}^i\psi _1) \mathcal {R}\,\psi _2} \\&\Leftrightarrow \sigma ,s \models {\mathsf {X}^i((\mathsf {Y}^i \psi _1)\mathcal {R}\,\psi _2)} \end{aligned}$$
  2. if \(\exists j \ge s. (\sigma ,j \models \psi _1 \wedge \forall s \le k \le j . \sigma ,k \models {\mathsf {X}^i\psi _2})\), then \(\exists j \ge s. (\sigma ,j+i \models {\mathsf {Y}^i\psi _1} \wedge \forall s+i \le k \le j+i. \sigma ,k \models \psi _2)\), which in turn means that \(\sigma ,s+i \models {(\mathsf {Y}^i\psi _1) \mathcal {R}\,\psi _2}\), that is \(\sigma ,s \models {\mathsf {X}^i((\mathsf {Y}^i\psi _1) \mathcal {R}\,\psi _2)}\).

We now prove the opposite direction, that is \(\sigma ,s \models {\mathsf {X}^i((\mathsf {Y}^i\psi _1) \mathcal {R}\,\psi _2)}\) implies \(\sigma ,s \models {\psi _1 \mathcal {R}\,(\mathsf {X}^i\psi _2)}\), for all state sequences \(\sigma \) and all positions s. Let \(\sigma \) be a state sequence and let \(s \in \mathbb {N}\) such that \(\sigma , s \models {\mathsf {X}^i((\mathsf {Y}^i \psi _1) \mathcal {R}\,\psi _2)}\). We divide again in cases:

  1. if \(\forall j \ge s+i. (\sigma ,j \models {\psi _2})\), then \(\forall j \ge s. (\sigma ,j \models {\mathsf {X}^i\psi _2})\) and thus \(\sigma ,s \models {\psi _1 \mathcal {R}\,(\mathsf {X}^i\psi _2)}\).

  2. if \(\exists j \ge s+i. (\sigma ,j \models {\mathsf {Y}^i\psi _1} \wedge \forall s+i \le k \le j. \sigma ,k \models \psi _2)\), then:

    $$\begin{aligned}&\Leftrightarrow \exists j \ge s+i . (\sigma ,j-i \models {\mathsf {X}^i\mathsf {Y}^i\psi _1} \wedge \forall s \le k \le j-i. \sigma ,k \models {\mathsf {X}^i\psi _2}) \\&\Leftrightarrow \exists j \ge s+i . (\sigma ,j-i \models {\psi _1} \wedge \forall s \le k \le j-i. \sigma ,k \models {\mathsf {X}^i\psi _2}) \\&\Leftrightarrow \sigma ,s+i \models {\mathsf {Y}^i(\psi _1 \mathcal {R}\,(\mathsf {X}^i\psi _2))} \\&\Leftrightarrow \sigma ,s \models {\psi _1 \mathcal {R}\,(\mathsf {X}^i\psi _2)} \end{aligned}$$

This concludes the proof for the rule \(\bar{R_1}\). The proof for the \(\bar{R_2}\) rule is symmetric.

Consider the \(\bar{R_3}\) case. We first prove that \(\sigma ,s \models {\mathsf {Y}^i\mathsf {X}^i\psi }\) implies , for all state sequences \(\sigma \) and all positions s. Let \(\sigma \) be a state sequence such that \(\sigma ,s \models {\mathsf {Y}^i\mathsf {X}^i\psi }\) for a given \(s \in \mathbb {N}\). We divide in cases:

  (i) if \(s<i\), then \(\sigma ,s \not \models {\mathsf {Y}^i\mathsf {X}^i\psi }\), but this is a contradiction with our hypothesis;

  (ii) then it has to be the case that \(s \ge i\). It holds that:

We prove the opposite direction, that is implies \(\sigma ,s \models {\mathsf {Y}^i\mathsf {X}^i\psi }\), for all state sequences \(\sigma \) and all positions s. Let \(\sigma \) be a state sequence such that for a given \(s \in \mathbb {N}\). We divide in cases:

  (i) if \(s<i\), then , but this is a contradiction with our hypothesis;

  (ii) then it has to be the case that \(s \ge i\). It holds that:

This concludes the proof for \(\bar{R_3}\).

Consider now the \(\bar{R_4}\) case. We first prove the left-to-right direction, that is \(\sigma ,s \models {\mathsf {Y}^i(\psi _1 \mathcal {R}\, \psi _2)}\) implies \(\sigma ,s \models {(\mathsf {Y}^i\psi _1) \mathcal {R}\,(\mathsf {Y}^i\psi _2)}\), for all state sequences \(\sigma \) and all positions s. Let \(\sigma \) be a state sequence such that \(\sigma ,s \models {\mathsf {Y}^i(\psi _1 \mathcal {R}\,\psi _2)}\) with \(s \ge i\) (obviously, it can’t be that \(s < i\)). It holds that \(\sigma , s-i \models {\psi _1 \mathcal {R}\,\psi _2}\). Now, we divide in cases:

  1. if \(\forall k \ge s-i. \sigma ,k \models \psi _2\), then \(\forall k \ge s. \sigma ,k \models {\mathsf {Y}^i \psi _2}\) and thus \(\sigma ,s \models {(\mathsf {Y}^i\psi _1) \mathcal {R}\,(\mathsf {Y}^i\psi _2)}\).

  2. if \(\exists k \ge s-i. (\sigma ,k \models \psi _2 \wedge \forall s-i \le l \le k. \sigma ,l \models \psi _1)\), then \(\exists k \ge s. (\sigma ,k \models {\mathsf {Y}^i\psi _2} \wedge \forall s \le l \le k. \sigma ,l \models {\mathsf {Y}^i\psi _1})\), and thus \(\sigma ,s \models {(\mathsf {Y}^i\psi _1) \mathcal {R}\,(\mathsf {Y}^i\psi _2)}\).

Now we prove the opposite direction. Suppose that \(\sigma ,s \models {(\mathsf {Y}^i \psi _1) \mathcal {R}\,(\mathsf {Y}^i \psi _2)}\) where \(s \ge i\). We divide in cases:

  1. if \(\forall k \ge s. \sigma ,k \models {\mathsf {Y}^i\psi _2}\), then:

    $$\begin{aligned} \forall k \ge s-i. \sigma ,k \models \psi _2 \Leftrightarrow&\sigma ,s-i \models {\psi _1 \mathcal {R}\,\psi _2} \\ \Leftrightarrow&\sigma ,s \models {\mathsf {Y}^i(\psi _1 \mathcal {R}\,\psi _2)} \end{aligned}$$
  2. 2.

    if \(\exists k \ge s. (\sigma ,k \models {\mathsf {Y}^i\psi _1} \wedge \forall k \le l \le k. \sigma ,l \models {\mathsf {Y}^i\psi _2})\), then:

    $$\begin{aligned} \exists k \ge s-i. (\sigma ,k \models \psi _1 \wedge \forall s-i \le l \le k. \sigma ,l \models \psi _2) \Leftrightarrow&\sigma ,s-i \models {\psi _1 \mathcal {R}\,\psi _2} \\ \Leftrightarrow&\sigma ,s \models {\mathsf {Y}^i(\psi _1 \mathcal {R}\,\psi _2)} \end{aligned}$$

This concludes the proof for the \(\bar{R_4}\) case.

The case for \(\bar{R_5}\) is simple, and it consists in the following steps. For all state sequences \(\sigma \) and for all positions s, it holds that:

$$\begin{aligned} \sigma ,s \models {\mathsf {G}\, \mathsf {G}\,\psi } \Leftrightarrow&\forall i \ge s. \sigma ,i \models {\mathsf {G}\,\psi } \\ \Leftrightarrow&\forall i \ge s. \forall j \ge i. \sigma ,j \models \psi \\ \Leftrightarrow&\forall i \ge s. \sigma ,i \models \psi \\ \Leftrightarrow&\sigma ,s \models {\mathsf {G}\, \psi } \end{aligned}$$

Consider the \(\bar{R_6}\) strong equivalence. We first prove the left-to-right direction. Suppose that \(\sigma ,s \models {\mathsf {G}\,(\psi _1 \mathcal {R}\,\psi _2)}\), for a given state sequence \(\sigma \) and a given position s. It holds that \(\forall i \ge s. \sigma ,i \models {\psi _1 \mathcal {R}\,\psi _2}\). We divide in cases, depending on the semantics of the release operator:

  1. if \(\forall i \ge s. \forall j \ge i. \sigma ,j \models \psi _2\). In this case we have that \(\forall i \ge s. \sigma ,i \models \psi _2\), that is \(\sigma ,s \models {\mathsf {G}\,\psi _2}\).

  2. otherwise, \(\forall i \ge s. \exists j \ge i. ( \sigma ,j \models \psi _1 \wedge \forall i \le k \le j. \sigma ,k \models \psi _2)\). In particular, for \(k=i\), we have that \(\forall i \ge s. \sigma ,i \models \psi _2\), that is \(\sigma ,s \models {\mathsf {G}\,\psi _2}\).

We prove the right-to-left direction for the \(\bar{R_6}\) case. Suppose that \(\sigma ,s \models {\mathsf {G}\,\psi _2}\), for a given state sequence \(\sigma \) and position s. It holds that:

$$\begin{aligned} \sigma ,s \models {\mathsf {G}\,\psi _2} \Leftrightarrow&\forall i \ge s. \sigma ,i \models \psi _2 \\ \Leftrightarrow&\forall i \ge s. \forall j \ge i. \sigma ,j \models \psi _2 \\ \Rightarrow&\forall i \ge s. \sigma ,i \models {\psi _1 \mathcal {R}\,\psi _2} \\ \Leftrightarrow&\sigma ,s \models {\mathsf {G}\,(\psi _1 \mathcal {R}\,\psi _2)} \end{aligned}$$

Finally, consider the case for the \(\bar{R_7}\) strong equivalence. We first prove the left-to-right direction. Suppose that \(\sigma ,s \models {\psi _1 \mathcal {R}\,(\mathsf {G}\,\psi _2)}\) for a given state sequence \(\sigma \) and position s. We divide in cases, depending on the semantics of the release operator:

  1. if \(\forall i \ge s. \sigma ,i \models {\mathsf {G}\,\psi _2}\), then for \(i=s\) we have that \(\sigma ,s \models {\mathsf {G}\,\psi _2}\).

  2. otherwise, \(\exists i \ge s.(\sigma ,i \models \psi _1 \wedge \forall s \le j \le i . \sigma ,j \models {\mathsf {G}\,\psi _2})\). In particular, for \(j=s\), \(\sigma ,s \models {\mathsf {G}\,\psi _2}\).

Therefore, in both cases we have that \(\sigma ,s \models {\mathsf {G}\,\psi _2}\). For the right-to-left direction, suppose that \(\sigma ,s \models {\mathsf {G}\,\psi _2}\). Then, \(\forall i \ge s. \sigma ,i \models {\mathsf {G}\,\psi _2}\). This implies that \(\sigma ,s \models {\psi _1 \mathcal {R}\,(\mathsf {G}\,\psi _2)}\). This concludes the proof of all the auxiliary strong equivalences.

We can now prove the remaining rules \(R_3\)-\(R_7\). Consider first \(R_3\) in the case \(i>j\): we have to prove that \(\sigma ,s \models {(\mathsf {X}^i \psi _1) \mathcal {R}\,(\mathsf {X}^j \psi _2) \ {\leftrightarrow }\ \sigma ,s \models \mathsf {X}^i(\psi _1 \mathcal {R}\,(\mathsf {Y}^{i-j}\psi _2))}\), for all state sequences \(\sigma \) and all positions s. This can be simply done by means of the auxiliary rules \(\bar{R_2}\) and \(\bar{R_3}\):

Consider now the rule \(R_3\) in the case \(i \le j\). We have to prove that \(\sigma ,s \models {(\mathsf {X}^i \psi _1) \mathcal {R}\,(\mathsf {X}^j \psi _2) \ {\leftrightarrow }\ \sigma ,s \models \mathsf {X}^j((\mathsf {Y}^{j-i}\psi _1) \mathcal {R}\,\psi _2)}\). This can be done using the auxiliary equivalences \(\bar{R_1}\) and \(\bar{R_3}\):

Consider the \(R_4\) rule in the case \(i>j\). It holds that:

Finally, consider the \(R_4\) rule in the case \(i \le j\). It holds that:

Consider the \(R_5\) rule. It can be proven by means of the rules \(R_4\) and \(\bar{R_5}\) as follows. For all state sequences \(\sigma \) and all positions s, it holds that:

Consider the \(R_6\) rule. It can be proven by means of the rules \(R_4\) and \(\bar{R_6}\) as follows. For all state sequences \(\sigma \) and positions s it holds that:

Consider the \(R_7\) rule. It can be proven by means of the rules \(R_4\) and \(\bar{R_7}\) as follows. Let \(\sigma \) be a state sequence and let s be a position. We divide in cases. If \(i>j\), then:

Otherwise, it holds that \(i \le j\) and:

This concludes the case for the rules \(R_1\)-\(R_7\).

It remains the case for the \(R_{flat}\) rule, for which we have to prove only equivalence. We first prove the left-to-right direction, for all \(n \ge 3\). Suppose that:

$$\begin{aligned}&\sigma ,0 \models {\mathsf {X}^i( \psi _1 \mathcal {R}\,(\psi _2 \mathcal {R}\,( \dots (\psi _{n-1} \mathcal {R}\,\psi _n) \dots )) )} \\ \Leftrightarrow&\sigma ,i \models { \psi _1 \mathcal {R}\,(\psi _2 \mathcal {R}\,( \dots (\psi _{n-1} \mathcal {R}\,\psi _n) \dots ))} \end{aligned}$$

This formula contains exactly n release operators. Each of these can be satisfied in two ways: (i) universally, that is if for all the future positions the right-hand side formula holds, or (ii) existentially, if there exists a position in the future where the left-hand side formula holds and the right-hand side formula holds until then. Therefore, we have a total of \(2^{n-1}\) cases.

We consider first the cases in which there exists a release operator that is universally satisfied. These correspond to \(2^{n-1}-1\) cases. Let m be the index of the outermost among these operators. Let \(k_1 = i\). We have that:

$$\begin{aligned}&\exists j_1 \ge k_1. ( \sigma ,j_1 \models \psi _1 \wedge \forall k_1 \le k_2 \le j_1. \\&\exists j_2 \ge k_2. ( \sigma ,j_2 \models \psi _2 \wedge \dots \wedge \forall k_{m-2} \le k_{m-1} \le j_{m-2} . \\&\forall k_m \ge k_{m-1}. (\sigma ,k_m \models {\psi _m \mathcal {R}\,(\dots (\psi _{n-1} \mathcal {R}\,\psi _n)\dots )}) )\dots ) \end{aligned}$$

Which is equivalent to:

$$\begin{aligned}&\exists j_1 \ge k_1. ( \sigma ,j_1 \models \psi _1 \wedge \forall k_1 \le k_2 \le j_1. \\&\exists j_2 \ge k_2. ( \sigma ,j_2 \models \psi _2 \wedge \dots \wedge \forall k_{m-2} \le k_{m-1} \le j_{m-2} . \\&(\sigma ,k_{m-1} \models {\mathsf {G}\, (\psi _m \mathcal {R}(\dots (\psi _{n-1} \mathcal {R}\, \psi _n) \dots ))} )\dots )) \end{aligned}$$

By the repeated application of the \(\bar{R_6}\) auxiliary rule \(n-m\) times, we have that:

$$\begin{aligned}&\exists j_1 \ge k_1. ( \sigma ,j_1 \models \psi _1 \wedge \forall k_1 \le k_2 \le j_1. \\&\exists j_2 \ge k_2. ( \sigma ,j_2 \models \psi _2 \wedge \dots \wedge \forall k_{m-2} \le k_{m-1} \le j_{m-2} . (\sigma ,k_{m-1} \models {\mathsf {G}\, \psi _n} )\dots )) \end{aligned}$$

that is:

$$\begin{aligned}&\exists j_1 \ge k_1. ( \sigma ,j_1 \models \psi _1 \wedge \forall k_1 \le k_2 \le j_1. \\&\exists j_2 \ge k_2. ( \sigma ,j_2 \models \psi _2 \wedge \dots \wedge \forall k_{m-2} \le k_{m-1} \le j_{m-2} . \\&\forall k \ge k_{m-1}.(\sigma ,k \models \psi _n )\dots )) \end{aligned}$$

In particular, for \(k_1 = k_2 = \dots = k_{m-2} = k_{m-1}\), we have that:

$$\begin{aligned} \forall k \ge k_1. \sigma ,k \models \psi _n \end{aligned}$$

Since by definition \(k_1 = i\), we have that \(\forall k \ge i. \sigma ,k \models \psi _n\), and thus . The remaining case is when all the release operators are existentially satisfied. Suppose that:

$$\begin{aligned}&\exists j_1 \ge k_1. ( \sigma ,j_1 \models \psi _1 \wedge \forall k_1 \le k_2 \le j_1. \\&\exists j_2 \ge k_2. ( \sigma ,j_2 \models \psi _2 \wedge \dots \wedge \forall k_{n-2} \le k_{n-1} \le j_{n-2} . \\&\exists j_{n-1} \ge k_{n-1}. ( \sigma , j_{n-1} \models \psi _{n-1} \wedge \forall k_{n-1} \le k_n \le j_{n-1}. \sigma ,k_n \models \psi _n ) )\dots ) \end{aligned}$$

where \(k_1 = i\). This implies that:

$$\begin{aligned}&\exists j_1 \ge i. ( \sigma ,j_1 \models \psi _1 \wedge \\&\exists j_2 \ge j_1. ( \sigma ,j_2 \models \psi _2 \wedge \dots \wedge \\&\exists j_{n-1} \ge j_{n-2}. ( \sigma , j_{n-1} \models \psi _{n-1} \wedge \forall i \le k \le j_{n-1}. \sigma ,k \models \psi _n ) \dots )) \end{aligned}$$

This is equivalent to:

$$\begin{aligned}&\exists j_{n-1} \ge i. ( \sigma ,j_{n-1} \models \psi _{n-1} \wedge \\&\exists i \le j_{n-2} \le j_{n-1}. ( \sigma ,j_{n-2} \models \psi _{n-2} \wedge \dots \wedge \\&\exists i \le j_1 \le j_2. ( \sigma , j_1 \models \psi _1 ) \dots ) \wedge \forall i \le k \le j_{n-1}. \sigma ,k \models \psi _n) \end{aligned}$$

This in turn is equivalent to:

This is the definition of the existential semantics of the formula , starting from position i. Therefore, .

We now prove the right-to-left direction for \(R_{flat}\). Suppose that . Therefore, . We divide in cases:

  1. if \(\forall j \ge i. \ \sigma ,j \models \psi _n\), then \(\sigma ,0 \models {\mathsf {X}^i( \psi _1 \mathcal {R}(\psi _2 \mathcal {R}(\dots (\psi _{n-1} \mathcal {R}\,\psi _n) \dots )) )}\)

  2. otherwise, .

With the former case, we are done. Instead, the latter is equivalent to:

In turn, this is equivalent to:

$$\begin{aligned}&\exists j_{n-1} \ge i. ( \sigma ,j_{n-1} \models \psi _{n-1} \wedge \\&\exists i \le j_{n-2} \le j_{n-1}.( \sigma ,j_{n-2} \models \psi _{n-2} \wedge \dots \\&\exists i \le j_1 \le j_2.(\sigma ,j_1 \models \psi _1 ) \dots ) \wedge \forall i \le k \le j_{n-1}. \sigma ,k \models \psi _n ) \end{aligned}$$

This is equivalent to:

$$\begin{aligned}&\exists j_{1} \ge i. ( \sigma ,j_{1} \models \psi _{1} \wedge \\&\exists j_2 \ge j_1. ( \sigma ,j_{2} \models \psi _{2} \wedge \dots \\&\exists j_{n-1} \ge j_{n-2}. (\sigma ,j_{n-1} \models \psi _{n-1} ) \dots ) \wedge \forall i \le k \le j_{1}. \sigma ,k \models \psi _n ) \end{aligned}$$

which implies that:

$$\begin{aligned}&\exists j_{1} \ge i. ( \sigma ,j_{1} \models \psi _{1} \wedge \forall i \le k_1 \le j_1. \\&\exists j_2 \ge j_1. ( \sigma ,j_{2} \models \psi _{2} \wedge \dots \wedge \forall k_{n-2} \le k_{n-1} \le j_{n-1} . \\&\exists j_{n-1} \ge j_{n-2}. (\sigma ,j_{n-1} \models \psi _{n-1} \wedge \forall k_{n-1} \le k \le j_{n-1}. \sigma ,k \models \psi _n ) \dots )) \end{aligned}$$

This is the definition of the existential semantics of the formula \({\psi _1 \mathcal {R}\,(\psi _2 \mathcal {R}\,(\dots (\psi _{n-1} \mathcal {R}\,\psi _n) \dots ))}\), starting from position i. Therefore, \(\sigma ,0 \models {\mathsf {X}^i( \psi _1 \mathcal {R}\,(\psi _2 \mathcal {R}\,(\dots (\psi _{n-1} \mathcal {R}\,\psi _n) \dots )) )}\). This concludes the proof of Lemma A.1. \(\square \)

Lemma A.2

Let \(\psi _1\), \(\psi _2\) and \(\psi _3\) be \(\textsf {LTL}_{\textsf {P}}\) formulas. Let \(\phi \) be a formula of type \({{\mathsf {X} }^j\psi _2}\), \({{\mathsf {X} }^j{\mathsf {G} }\psi _2}\) or \({{\mathsf {X} }^j(\psi _2 \mathcal {R}\psi _3)}\). For each state sequence \(\sigma \) and position i, it holds that:

  1. \(\sigma ,i \models {{\mathsf {G} }\,\phi } \ {\leftrightarrow }\ \sigma ,i \models \texttt {resolve\_globally}(\phi )\)

  2. \(\sigma ,i \models {({\mathsf {X} }^i\psi _1)\mathcal {R}\phi } \ {\leftrightarrow }\ \sigma ,i \models \texttt {resolve\_release}({{\mathsf {X} }^i\psi _1, \phi })\)

Proof

We prove the second point, for the release operator. The subroutine resolve_release divides in cases, depending on the structure of \(\phi \):

  • if \(\phi = {\mathsf {X}^j\psi _2}\) and \(i>j\), then:

    $$\begin{aligned} \texttt {resolve\_release}({\mathsf {X}^i\psi _1,\mathsf {X}^j\psi _2}) :={\mathsf {X}^i(\psi _1 \mathcal {R}\,(\mathsf {Y}^{i-j}\psi _2 ))} \end{aligned}$$

    By rule \(R_3\) of Lemma A.1, we have that \(\sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}\phi } {\leftrightarrow }\sigma ,i \models {} \texttt {resolve\_release}({\mathsf {X}^i\psi _1, \phi })\).

  • if \(\phi = {\mathsf {X}^j\psi _2}\) and \(i\le j\), then

    $$\begin{aligned} \texttt {resolve\_release}({\mathsf {X}^i\psi _1,\mathsf {X}^j\psi _2}) :={\mathsf {X}^j((\mathsf {Y}^{j-i}\psi _1)\mathcal {R}\psi _2)} \end{aligned}$$

    By rule \(R_3\) of Lemma A.1, we have that \(\sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}\phi } {\leftrightarrow }\sigma ,i \models \texttt {resolve\_release}({\mathsf {X}^i\psi _1, \phi })\).

  • if \(\phi = {\mathsf {X}^j(\psi _2 \mathcal {R}\,\psi _3)}\) and \(i>j\), then

    $$\begin{aligned} \texttt {resolve\_release}({\mathsf {X}^i\psi _1,\mathsf {X}^j(\psi _2 \mathcal {R}\,\psi _3)}) :={\mathsf {X}^i( \psi _1 \mathcal {R}\,((\mathsf {Y}^{i-j}\psi _2) \mathcal {R}\,(\mathsf {Y}^{i-j} \psi _3) ) )} \end{aligned}$$

    By rule \(R_4\) of Lemma A.1, we have that \(\sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}\phi } {\leftrightarrow }\sigma ,i \models \texttt {resolve\_release}({\mathsf {X}^i\psi _1, \phi })\).

  • if \(\phi = {\mathsf {X}^j(\psi _2 \mathcal {R}\, \psi _3)}\) and \(i\le j\), then

    $$\begin{aligned} \texttt {resolve\_release}({\mathsf {X}^i\psi _1,\mathsf {X}^j(\psi _2 \mathcal {R}\, \psi _3)}) :={\mathsf {X}^j( (\mathsf {Y}^{j-i}\psi _1 ) \mathcal {R}\,(\psi _2 \mathcal {R}\,\psi _3) )} \end{aligned}$$

    By rule \(R_4\) of Lemma A.1, we have that \(\sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}\phi } {\leftrightarrow }\sigma ,i \models \texttt {resolve\_release}({\mathsf {X}^i\psi _1, \phi })\).

  • if \(\phi = {\mathsf {X}^j \mathsf {G}\, \psi _2 }\) and \(i>j\), then

    $$\begin{aligned} \texttt {resolve\_release}({\mathsf {X}^i\psi _1,\mathsf {X}^j \mathsf {G}\, \psi _2 }) :={\mathsf {X}^i \mathsf {G}\,\mathsf {Y}^{i-j} \psi _2} \end{aligned}$$

    By rule \(R_7\) of Lemma A.1, we have that \(\sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}\phi } {\leftrightarrow }\sigma ,i \models \texttt {resolve\_release}({\mathsf {X}^i\psi _1, \phi })\).

  • if \(\phi = {\mathsf {X}^j \mathsf {G}\,\psi _2 }\) and \(i\le j\), then

    $$\begin{aligned} \texttt {resolve\_release}({\mathsf {X}^i\psi _1,\mathsf {X}^j \mathsf {G}\,\psi _2 }) :={\mathsf {X}^j \mathsf {G}\,\psi _2} \end{aligned}$$

    By rule \(R_7\) of Lemma A.1, we have that \(\sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}\,\phi } {\leftrightarrow }\sigma ,i \models \texttt {resolve\_release}({\mathsf {X}^i\psi _1, \phi })\).

The case for \(\texttt {resolve\_globally}(\phi )\) is analogous. \(\square \)
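The six cases of resolve_release can be cross-checked mechanically. The Python code below is an added example, not the authors' implementation: it encodes the rewrite and compares \((\mathsf {X}^i\psi _1)\mathcal {R}\phi \) with its rewritten form on every small ultimately periodic word. The tuple encoding of formulas, all function names, and the restriction of \(\psi _1\), \(\psi _2\), \(\psi _3\) to the atoms a, b, c are assumptions made here.

```python
from functools import lru_cache
from itertools import product

# Formulas as nested tuples: ('ap', name), ('X', f), ('Y', f), ('G', f), ('R', f, g).
ATOMS = ('a', 'b', 'c')
LETTERS = [frozenset(x for x, bit in zip(ATOMS, bits) if bit)
           for bits in product((0, 1), repeat=len(ATOMS))]

def nest(op, n, f):
    """Apply the unary operator op n times, e.g. nest('X', 2, f) is X X f."""
    for _ in range(n):
        f = (op, f)
    return f

def resolve_release(i, psi1, phi):
    """Rewrite (X^i psi1) R phi following the six cases of Lemma A.2."""
    j, body = 0, phi
    while body[0] == 'X':                       # phi = X^j body
        j, body = j + 1, body[1]
    d = abs(i - j)
    if body[0] == 'G':                          # phi = X^j G psi2 (rule R7)
        inner = nest('Y', d, body[1]) if i > j else body[1]
        return nest('X', max(i, j), ('G', inner))
    if i <= j:                                  # rules R3 / R4 with i <= j
        return nest('X', j, ('R', nest('Y', d, psi1), body))
    if body[0] == 'R':                          # phi = X^j (psi2 R psi3), i > j
        body = ('R', nest('Y', d, body[1]), nest('Y', d, body[2]))
    else:                                       # phi = X^j psi2, i > j
        body = nest('Y', d, body)
    return nest('X', i, ('R', psi1, body))

def evaluator(prefix, loop, slack):
    """Return holds(f, p) for the infinite word prefix . loop^omega.
    slack must bound the nesting depth of Y: from position len(prefix) + slack
    on, every truth value repeats with period len(loop)."""
    P, L = len(prefix), len(loop)

    @lru_cache(maxsize=None)
    def holds(f, p):
        op = f[0]
        if op == 'ap':
            return f[1] in (prefix[p] if p < P else loop[(p - P) % L])
        if op == 'X':
            return holds(f[1], p + 1)
        if op == 'Y':                           # Y is false at position 0
            return p > 0 and holds(f[1], p - 1)
        end = max(p, P + slack) + L             # one full period past the threshold
        if op == 'G':
            return all(holds(f[1], k) for k in range(p, end))
        for k in range(p, end):                 # release: f[2] must hold up to and
            if not holds(f[2], k):              # including the first f[1]-position
                return False
            if holds(f[1], k):
                return True
        return True                             # f[2] held for a whole period: forever
    return holds

def counterexample(f, g, slack=2, positions=3, max_prefix=1, max_loop=2):
    """First (prefix, loop, s) on which f and g disagree, or None."""
    for n, m in product(range(max_prefix + 1), range(1, max_loop + 1)):
        for w in product(LETTERS, repeat=n + m):
            holds = evaluator(w[:n], w[n:], slack)
            for s in range(positions):
                if holds(f, s) != holds(g, s):
                    return w[:n], w[n:], s
    return None

def check_lemma_a2(max_shift=2):
    """Pairs (i, phi) whose rewrite is not equivalent on the words tried."""
    a, b, c = (('ap', x) for x in ATOMS)
    failures = []
    for i, j in product(range(max_shift + 1), repeat=2):
        for body in (b, ('G', b), ('R', b, c)):
            phi = nest('X', j, body)
            lhs = ('R', nest('X', i, a), phi)
            if counterexample(lhs, resolve_release(i, a, phi), slack=max_shift):
                failures.append((i, phi))
    return failures
```

An empty list from check_lemma_a2() is a bounded sanity check on the case analysis, not a replacement for the proof; counterexample() also exposes an unsound variant, such as omitting the \(\mathsf {Y}^{i-j}\) shift.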

Lemma A.3

(Soundness of \({\textsf {applyR1R7}} (\cdot )\)) For any \({\mathsf {Pastified}}{\textsf {LTL}}_{{\textsf {EBR}}}\) formula \(\phi \), for any state sequence \(\sigma \) and for any position i, it holds that \(\sigma ,i \models \phi \) iff \(\sigma ,i \models {\textsf {applyR1R7}} (\phi )\).

Proof

Consider the pseudo-code of \({\textsf {applyR1R7}} (\cdot )\) as described in Fig. 2. We prove this claim by induction on the complexity of formula \(\phi \).

The base case corresponds to the case when \(\phi \) is an \(\textsf {LTL}_{\textsf {P}}\) formula. In this case, the \({\textsf {applyR1R7}} (\cdot )\) algorithm returns \(\phi \) itself. Obviously, \(\phi \) is strongly equivalent to \({\textsf {applyR1R7}} (\phi )\).

For the inductive step, we divide in cases. If \({\phi := \mathsf {X}\phi _1}\), then \(\sigma ,i+1 \models \phi _1\). By inductive hypothesis \(\sigma ^\prime ,i^\prime \models \phi _1\) iff \(\sigma ^\prime ,i^\prime \models {\textsf {applyR1R7}} (\phi _1)\), for all state sequences \(\sigma ^\prime \) and positions \(i^\prime \). Therefore:

$$\begin{aligned} \sigma ,i \models {\mathsf {X}\phi _1} \Leftrightarrow&\sigma ,i+1 \models \phi _1 \\ \Leftrightarrow&\sigma ,i+1 \models {\textsf {applyR1R7}} (\phi _1) \qquad \hbox {by inductive hypothesis} \\ \Leftrightarrow&\sigma ,i \models {\mathsf {X}\,({\textsf {applyR1R7}} (\phi _1))} \end{aligned}$$

In general, \({\textsf {applyR1R7}} (\phi _1)\) is a conjunction of formulas of type \({\mathsf {X}^j\psi }\), \({\mathsf {X}^j\mathsf {G}\,\psi }\), \({\mathsf {X}^j((\mathsf {X}^k\psi _1) \mathcal {R}\, \psi _2)}\), that is:

$$\begin{aligned} {\textsf {applyR1R7}} (\phi _1) :=\phi ^c_2 \wedge \dots \wedge \phi ^c_n \end{aligned}$$

and thus:

$$\begin{aligned} \sigma ,i \models {\mathsf {X}\phi _1} \ \Leftrightarrow&\sigma ,i \models {\mathsf {X}\,(\phi ^c_2 \wedge \dots \wedge \phi ^c_n)} \end{aligned}$$

Using rule \(R_1\) of Lemma A.1, we have that:

$$\begin{aligned} \sigma ,i \models {\mathsf {X}\phi _1}&\Leftrightarrow \sigma ,i \models {\mathsf {X}\,(\phi ^c_2 \wedge \dots \wedge \phi ^c_n)} \\&\Leftrightarrow \sigma ,i \models {\mathsf {X}\phi ^c_2 \wedge \dots \wedge \mathsf {X}\phi ^c_n} \qquad \hbox {by rule } R_1 \hbox { of Lemma}~A.1 \\ \sigma ,i \models \phi&\Leftrightarrow \sigma ,i \models {\textsf {applyR1R7}} (\phi ) \end{aligned}$$

This concludes the case for \(\phi :={\mathsf {X}\phi _1}\). Consider the case \({\phi := (\mathsf {X}^i\psi _1)\mathcal {R}\phi _1}\). Since by inductive hypothesis \(\sigma ^\prime , i^\prime \models \phi _1\) iff \(\sigma ^\prime , i^\prime \models {\textsf {applyR1R7}} (\phi _1)\), for all state sequences \(\sigma ^\prime \) and positions \(i^\prime \), we have that:

$$\begin{aligned} \sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}\phi _1} \Leftrightarrow&\sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}({\textsf {applyR1R7}} (\phi _1))} \\ \Leftrightarrow&\sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}(\phi ^c_2 \wedge \dots \wedge \phi ^c_n)} \end{aligned}$$

where \(\phi ^c_i\) is a formula of type \({\mathsf {X}^j\psi }\), \({\mathsf {X}^j\mathsf {G}\,\psi }\), \({\mathsf {X}^j((\mathsf {X}^k\psi _1) \mathcal {R}\psi _2)}\), for each \(1 < i \le n\). By rule \(R_2\) of Lemma A.1, we have that:

$$\begin{aligned} \sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}\phi _1}&\Leftrightarrow \sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}(\phi ^c_2 \wedge \dots \wedge \phi ^c_n)} \\&\Leftrightarrow \sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}(\phi ^c_2)} \wedge \dots \wedge {(\mathsf {X}^i\psi _1)\mathcal {R}(\phi ^c_n)} \end{aligned}$$

Let \(\phi ^r_i \equiv \texttt {resolve\_release}({\mathsf {X}^i\psi _1},\phi ^c_i)\), for all \(1 < i \le n\). By Lemma A.2:

$$\begin{aligned} \sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}\phi _1}&\Leftrightarrow \sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}(\phi ^c_2)} \wedge \dots \wedge {(\mathsf {X}^i\psi _1)\mathcal {R}(\phi ^c_n)} \\&\Leftrightarrow \sigma ,i \models {(\mathsf {X}^i\psi _1)\mathcal {R}(\phi ^r_2)} \wedge \dots \wedge {(\mathsf {X}^i\psi _1)\mathcal {R}(\phi ^r_n)} \qquad \hbox {by Lemma}~A.2 \\&\Leftrightarrow \sigma ,i \models {\textsf {applyR1R7}} (\phi ) \qquad \hbox {by definition of}\,{\textsf {applyR1R7}} \end{aligned}$$

This concludes the case for \({\phi := (\mathsf {X}^i\psi _1)\mathcal {R}\phi _1}\). The case for the globally operator is analogous to the proof for the release one. \(\square \)

Lemma A.4

(Soundness of \({\textsf {flatten}} (\cdot )\)) For any \({\mathsf {Pastified}}{\textsf {LTL}}_{{\textsf {EBR}}}\) formula \(\phi \), it holds that \(\phi \equiv {\textsf {flatten}} (\phi )\).

Proof

We prove this lemma by induction on the number n of top-level conjuncts or disjuncts. The base case corresponds to the case of \(n=0\). We divide in cases:

  • if \(\phi :={\mathsf {X}^i(\psi _1 \mathcal {R}\, (\psi _2 \mathcal {R}\, (\dots (\psi _{n-1} \mathcal {R}\, \psi _n)\dots )))}\), then . By the \(R_{flat}\) rule of Lemma A.1, \(\phi \equiv {\textsf {flatten}} (\phi )\).

  • otherwise, the \({\textsf {flatten}} \) algorithm falls in the default case. In this case, \({\textsf {flatten}} (\phi ) :=\phi \), and obviously \(\phi \equiv {\textsf {flatten}} (\phi )\).

For the inductive step, we divide in cases as well.

  • if \(\phi :=\phi _1 \wedge \phi _2\), then by inductive hypothesis \(\phi _1 \equiv {\textsf {flatten}} (\phi _1)\) and \(\phi _2 \equiv {\textsf {flatten}} (\phi _2)\). Thus \(\phi \equiv {\textsf {flatten}} (\phi _1) \wedge {\textsf {flatten}} (\phi _2)\), that is \(\phi \equiv {\textsf {flatten}} (\phi )\).

  • if \(\phi :=\phi _1 \vee \phi _2\), then by inductive hypothesis \(\phi _1 \equiv {\textsf {flatten}} (\phi _1)\) and \(\phi _2 \equiv {\textsf {flatten}} (\phi _2)\). Thus \(\phi \equiv {\textsf {flatten}} (\phi _1) \vee {\textsf {flatten}} (\phi _2)\), that is \(\phi \equiv {\textsf {flatten}} (\phi )\).

\(\square \)

Lemma A.5

(Soundness of \({\textsf {canonize}} (\cdot )\)) For any \({\mathsf {Pastified}}{\textsf {LTL}}_{{\textsf {EBR}}}\) formula \(\phi \), it holds that \(\phi \) and \({\textsf {canonize}} (\phi )\) are equivalent and \({\textsf {canonize}} (\phi )\) is a Canonical \({\mathsf {Pastified}}{\textsf {LTL}}_{{\textsf {EBR}}}\) formula.

Proof

Recall that \({\textsf {canonize}} (\phi )\) is defined as the formula \({\textsf {flatten}} ({\textsf {applyR1R7}} (\phi ))\), where applyR1R7 is the algorithm in Fig. 2 and flatten is the algorithm in Fig. 4. By Lemma A.3, for each state sequence \(\sigma \) and position i, we have that \(\sigma ,i \models \phi \) iff \(\sigma ,i \models {\textsf {applyR1R7}} (\phi )\). In particular, for \(i=0\), this means that \(\phi \equiv {\textsf {applyR1R7}} (\phi )\). By Lemma A.4, we have that \({\textsf {flatten}} ({\textsf {applyR1R7}} (\phi )) \equiv {\textsf {applyR1R7}} (\phi )\), and thus \(\phi \equiv {\textsf {flatten}} ({\textsf {applyR1R7}} (\phi ))\), and by definition \(\phi \equiv {\textsf {canonize}} (\phi )\).

Finally, it is easy to see that all the rules of Lemma A.1, except for \(R_4\), replace a formula with one in Canonical \({\mathsf {Pastified}}{\textsf {LTL}}_{{\textsf {EBR}}}\). Thus \({\textsf {canonize}} (\phi )\) would be a Canonical \({\mathsf {Pastified}}{\textsf {LTL}}_{{\textsf {EBR}}}\) formula if we did not consider the nested release operators. Since this is exactly the case solved by the \(R_{flat}\) rule and thus by the flatten algorithm (which produces a formula in canonical form), we have that \({\textsf {flatten}} ({\textsf {applyR1R7}} (\phi ))\), which by definition is \({\textsf {canonize}} (\phi )\), is in Canonical \({\mathsf {Pastified}}{\textsf {LTL}}_{{\textsf {EBR}}}\). \(\square \)

Proposition 7.1

(Complexity of \({\textsf {canonize}} (\cdot )\)) For any \({\mathsf {Pastified}}{\textsf {LTL}}_{{\textsf {EBR}}}\) formula \(\phi \), \({\textsf {canonize}} (\phi )\) can be built in \(\mathcal {O}(n)\) time, and the size of \({\textsf {canonize}} (\phi )\) is \(\mathcal {O}(n)\), where \(n = |\phi |\).

Proof

Since \({\textsf {canonize}} (\phi ) :={\textsf {flatten}} ({\textsf {applyR1R7}} (\phi ))\), we study the complexity of both applyR1R7 and flatten. At each iteration, algorithm \({\textsf {applyR1R7}} (\phi )\) makes at most one recursive call on a formula \(\phi ^\prime \) of size \(|\phi ^\prime | < |\phi |\) and thus it stops after at most \(\mathcal {O}(n)\) iterations. The same holds for flatten. At each iteration, applyR1R7 and flatten produce a formula of constant size with respect to the size of the formula produced by the recursive call; therefore the recurrence equation describing the size of the formula produced by \({\textsf {canonize}} (\phi )\) is:

$$\begin{aligned} S(n)= {\left\{ \begin{array}{ll} \mathcal {O}(1) &{} \text {if}\ n=1 \\ S(n-1) + \mathcal {O}(1) &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

Therefore:

$$\begin{aligned} S(n)&= S(n-1-i) + i \cdot \mathcal {O}(1) \\&= S(1) + \mathcal {O}(n)&\text {for } i=n-2 \\&\in \mathcal {O}(n) \end{aligned}$$

\(\square \)

B Pseudocodes

See Fig. 23.

Fig. 23: toPastLtlEbr algorithm


Cite this article

Cimatti, A., Geatti, L., Gigante, N. et al. Extended bounded response LTL: a new safety fragment for efficient reactive synthesis. Form Methods Syst Des (2021). https://doi.org/10.1007/s10703-021-00383-3
