3. Linear Temporal Logic - fanghuixing · Linear Temporal Logic 17 / 48. Outline 1 Syntax 2 Semantics 3 Specifying Properties 4 Equivalence of LTL Formulae 5 Weak Until, Release,

3. Linear Temporal Logic

Huixing Fang

School of Information EngineeringYangzhou University

Outline

1 Syntax

2 Semantics

3 Specifying Properties

4 Equivalence of LTL Formulae

5 Weak Until, Release, and Positive Normal Form

6 Fairness in LTL

7 Automata-Based LTL Model Checking

Huixing Fang (SIE, Yangzhou University) 3. Linear Temporal Logic 2 / 48

1 Syntax

Definition 1 (Syntax of LTL)

ϕ ::= true | a | ϕ1 ∧ ϕ2 | ¬ϕ | #ϕ | ϕ1 Uϕ2

where a ∈ AP. Precedence order: ¬ = # > U > ∧.

atomic prop.a s0

as1 s2 s3 ...

next operator#a s0 s1

as2 s3 ...

until operatoraUb s0

as1a

s2b

s3 ...

eventually ♦b s0 s1 s2 s3b

...

always �a s0a

s1a

s2a

s3a

...

The until operator allows toderive modalities:

1 ♦(“eventually”)♦ϕ = trueUϕ

2 � (“always”)�ϕ = ¬♦¬ϕ


1 Syntax

Example 2mutual exclusion: �(¬crit1 ∨ ¬crit2) (1)railroad-crossing: �(train is near → gate is closed) (2)progress property: �(request → ♦response) (3)traffic light: �(yellow ∨#¬red) (4)infinitely often: �♦ϕ (5)eventually forever: ♦�ϕ (6)unconditional fairness: �♦criti (7)strong fairness: �♦waiti → �♦criti (8)weak fairness: ♦�waiti → �♦criti (9)


Outline

1 Syntax

2 Semantics




6 Fairness in LTL



2 Semantics

Definition 3 (Semantics of LTL over Infinite Words)The satisfaction relation between interpretation σ = A0A1A2... ∈ (2AP)ωand LTL formula is defined as follows:

1. σ |= true

2. σ |= a iff A0 |= a, i.e., a ∈ A0

3. σ |= ϕ1 ∧ ϕ2 iff σ |= ϕ1 and σ |= ϕ2

4. σ |= ¬ϕ iff σ 6|= ϕ

5. σ |= #ϕ iff suffix(σ, 1) = A1A2A3... |= ϕ

6. σ |= ϕ1 Uϕ2 iff there exists j ≥ 0 such thatsuffix(σ, j) = AjAj+1Aj+2... |= ϕ2 andsuffix(σ, i) = Ai Ai+1Ai+2... |= ϕ1, for 0 ≤ i < j

LT property of LTL formula ϕ: Words(ϕ) = {σ ∈ (2AP)ω | σ |= ϕ}.


2 Semantics

Review of execution, paths and tracesFor transition system TS with labeling function L : S → 2AP ,

1 execution: states + actions, s0α1−→ s1

α2−→ s2α3−→ ...

2 paths: sequences of states, π = s0 s1 s2 ...

3 traces: sequences of sets of atomic propositionstrace(π) = L(s0)L(s1)L(s2)... ∈ (2AP)ω

Semantics of ♦ and � over Infinite WordsFor σ = A0A1A2... ∈ (2AP)ω, and LTL formula ϕ

1. σ |= ♦ϕ iff there exists j ≥ 0 such that AjAj+1Aj+2... |= ϕ

2. σ |= �ϕ iff for all j ≥ 0 we have AjAj+1Aj+2... |= ϕ


2 Semantics

Definition 4 (Semantics of LTL over Paths and States)Let TS = (S,Act,→, S0,AP, L) without terminal states, and let ϕ be anLTL formula over AP.

1 For infinite path fragment π of TS, the |= relation is defined byπ = s0s1s2... |= ϕ iff trace(π) |= ϕ

iff trace(π) ∈Words(ϕ) = {σ ∈ (2AP)ω | σ |= ϕ}

2 For state s ∈ S, the |= relation is defined bys |= ϕ iff ∀π ∈ Paths(s). π |= ϕ

iff s |= Words(ϕ)iff Traces(s) ⊆Words(ϕ)

Paths(s) = set of all maximal path fragments starting in state sTraces(s) = {trace(π) | π ∈ Paths(s)}


2 Semantics

Example 5 (LTL-semantics over paths)

s0

{a}

s1

∅

s2

{a, b}

AP = {a, b}π = s0s1s2s2...

trace(π)= L(s0)L(s1)L(s2)...= {a}∅{a, b}ω

π |= a, π 6|= bπ |= #(¬a ∧ ¬b)π |= ##(a ∧ b)π |= (¬b)U(a ∧ b)


2 Semantics

Example 6 (LTL-semantics over paths)

s0

{a}

s1

∅

s2

{a, b}

AP = {a, b}π = s0s1s0s1...

trace(π)= L(s0)L(s1)L(s0)L(s1)...= {a}∅{a}∅

π |= aUb, (?)π |= ♦b → (aUb), (?)π |= ##¬b, (?)π |= �a, (?)π |= �♦a, (?)π |= ♦�a, (?)


2 Semantics

Definition 7 (Interpretation of LTL formulas over TS)Let TS = (S,Act,→, S0,AP, L) without terminal states, and let ϕ be anLTL formula over AP.

TS |= ϕ iff s0 |= ϕ for all s0 ∈ S0

iff trace(π) |= ϕ for all π ∈ Paths(TS)iff Traces(TS) ⊆Words(ϕ)iff TS |= Words(ϕ)

Review-1: An LT property over AP is a language E of infinite words overthe alphabet Σ = 2AP , i.e., E ⊆ (2AP)ω.Review-2: Satisfaction relation |= for TS and LT property E , TS |= E iffTraces(TS) ⊆ E .


Outline

1 Syntax

2 Semantics




6 Fairness in LTL




LTL-formulas for MUTEX protocols, AP = {wait1, crit1,wait2, crit2}1 the mutual exclusion property

ϕm = �(¬crit1 ∨ ¬crit2)

2 every process enters the critical section infinitely often

ϕ` = �♦crit1 ∧�♦crit2

3 every waiting process finally enters its critical section

ϕf = �(wait1 → ♦crit1) ∧�(wait2 → ♦crit2)


Outline

1 Syntax

2 Semantics




6 Fairness in LTL




Definition 8 (Equivalence of LTL formulas)LTL formulae ϕ1, ϕ2. ϕ1 ≡ ϕ2 iff Words(ϕ1) = Words(ϕ2) iff for alltransition systems T , T |= ϕ1 ⇔ T |= ϕ2.

Duality Rule: ¬#ϕ ≡ #¬ϕProof:

A0A1... |= ¬#ϕ

iff A0A1... 6|= #ϕ

iff A1A2... 6|= ϕ

iff A1A2... |= ¬ϕiff A0A1A2... |= #¬ϕ



The expansion laws describe the temporal modalities U, ♦, and � bymeans of a recursive equivalence.

1 until: ϕUψ ≡ ψ ∨ (ϕ ∧# ϕUψ ) least fixed point2 eventually: ♦ψ ≡ ψ ∨# ♦ψ least fixed point3 always: �ψ ≡ ψ ∧# �ψ greatest fixed point

Expansion laws are fixed point equations



Until is the Least Solution of the Expansion Law (Lemma 5.18)For LTL formuae ϕ and ψ, Words(ϕUψ) is the least LT propertyP ⊆ (2AP)ω such that:

Words(ψ) ∪ {A0A1A2... ∈Words(ϕ) | A1A2... ∈ P} ⊆ P (∗)

Moreover, Words(ϕUψ) agrees with the set

Words(ψ) ∪ {A0A1A2... ∈Words(ϕ) | A1A2... ∈Words(ϕUψ)}

The formulation “least LT property satisfying condition (*)” means thatthe following conditions hold:

1 P = Words(ϕUψ) satisfies (∗)2 Words(ϕUψ) ⊆ P for all LT properties P satisfying (∗)


Outline

1 Syntax

2 Semantics




6 Fairness in LTL




The weak until operator W:

ϕWψ = (ϕUψ) ∨�ϕ

Deriving “always” and “until” from “weak until”:�ϕ ≡ ϕWfalse

ϕUψ ≡ (ϕWψ) ∧ ♦ψ

Duality of U and W:

¬(ϕUψ) ≡ (¬ψ)W(¬ϕ ∧ ¬ψ)¬(ϕWψ) ≡ (¬ψ)U(¬ϕ ∧ ¬ψ)



Expansion laws for U and W:

ϕUψ ≡ ψ ∨ (ϕ ∧#(ϕUψ))ϕWψ ≡ ψ ∨ (ϕ ∧#(ϕWψ))

Weak-Until is the Greatest Solution of the Expansion Law (Lemma 5.19)

Words(ϕUψ) is the smallest LT-property P such that

Words(ψ) ∪ {A0A1A2... ∈Words(ϕ) | A1A2... ∈ P} ⊆ P

Words(ϕWψ) is the largest LT-property P such that

P ⊆Words(ψ) ∪ {A0A1A2... ∈Words(ϕ) | A1A2... ∈ P}



Positive Normal Form for LTL (Weak-until PNF)For a ∈ AP, the set of LTL formulae in weak-until positive normal form(weak-until PNF) is given by:

ϕ ::= true | false | a | ¬a|ϕ1 ∧ ϕ2 | ϕ1 ∨ ϕ2 | #ϕ | ϕ1 Uϕ2 | ϕ1 Wϕ2

PNF also sometimes called negation normal form (NNF)

♦ and � can be derived:

♦ϕ = trueUϕ�ϕ = ϕWfalse

Each LTL formula can be transformed into an equivalent LTL formula inPNF



Each LTL formula can be transformed into an equivalent LTL formula inPNF by using the following transformations:

¬true false

¬false true

¬¬ϕ ϕ

¬(ϕ ∧ ψ) ¬ϕ ∨ ¬ψ¬#ϕ #¬ϕ

¬(ϕUψ) (ϕ ∧ ¬ψ)W(¬ϕ ∧ ¬ψ)...


Outline

1 Syntax

2 Semantics




6 Fairness in LTL



6 Fairness in LTL

Fairness Constraints1 Unconditional fairness: e.g.,“Every process gets its turn infinitely

often.”2 Strong fairness: e.g., “Every process that is enabled infinitely often

gets its turn infinitely often.”3 Weak fairness: e.g., “Every process that is continuously enabled from

a certain time instant on gets its turn infinitely often.”


6 Fairness in LTL

Definition 9 (Unconditional, Strong, and Weak Fairness)For transition system TS = (S,Act,→, I,AP, L) without terminal states,A ⊆ Act, and infinite execution fragment ρ = s0

α0−→ s1α1−→ ... of TS:

1 ρ is unconditionally A-fair whenever∞∃ j . αj ∈ A.

2 ρ is strongly A-fair whenever (∞∃ j . Act(sj) ∩ A 6= ∅)⇒ (

∞∃ j . αj ∈ A).

3 ρ is weakly A-fair whenever (∞∀ j . Act(sj) ∩ A 6= ∅)⇒ (

∞∃ j . αj ∈ A).

∞∃ j : there are infinitely many j .∞∀ j : for nearly all j , for all, except for finitely many j .The variable j ranges over the natural numbers.

For state s, let Act(s) denote the set of actions that are executable instate s,

Act(s) = {α ∈ Act | ∃s ′ ∈ S. s α−→ s ′}


6 Fairness in LTL

Definition 10 (Fairness Assumption)A fairness assumption for Act is a triple

F = (Fucond ,Fstrong ,Fweak)

with Fucond ,Fstrong ,Fweak ⊆ 2Act . Execution ρ is F-fair if1 it is unconditionally A-fair for all A ∈ Fucond ,2 it is strongly A-fair for all A ∈ Fstrong , and3 it is weakly A-fair for all A ∈ Fweak .

Remark: A is a set of actions.

1 FairPathsF (s) : the set of F-paths of s (i.e., infinite F-fair pathfragments that start in state s).

2 FairPathsF (TS) : set of F-fair paths that start in some initial stateof TS.

3 FairTracesF (s) = trace(FairPathsF (s))Huixing Fang (SIE, Yangzhou University) 3. Linear Temporal Logic 26 / 48

6 Fairness in LTL

Definition 11 (Fair Satisfaction Relation for LT Properties)Let P be an LT property over AP and F a fairness assumption over Act.Transition system TS = (S,Act,→, I,AP, L) fairly satisfies P, notationTS |=F P, iff FairTracesF (TS) ⊆ P.

In case a transition system has traces that are not F-fair, then in generalwe are confronted with a situation

TS |=F P whereas TS 6|= P

By restricting the validity of a property to the set of fair paths, theverification can be restricted to “realistic” executions.


6 Fairness in LTL

Definition 12 (LTL Fairness Constraints and Assumptions)Let Φ and Ψ be propositional logic formulae over AP.

1 An unconditional LTL fairness constraint is an LTL formula of theform

ufair = �♦Ψ.2 A strong LTL fairness condition is an LTL formula of the form

sfair = �♦Φ→ �♦Ψ.

3 A weak LTL fairness constraint is an LTL formula of the form

wfair = ♦�Φ→ �♦Ψ.

An LTL fairness assumption is a conjunction of LTL fairness constraints(of any arbitrary type).


6 Fairness in LTLNotations:

1 LTL fairness assumptions are a conjunction of unconditional, strong,and weak fairness assumptions: fair = ufair ∧ sfair ∧ wfair .

2 Set of all fair paths starting in s,FairPaths(s) = {π ∈ Paths(s) | π |= fair}

3 Set of all traces induced by fair paths starting in s,FairTraces(s) = {trace(π) | π ∈ FairPaths(s)}

Definition 13 (Satisfaction Relation for LTL with Fairness)For state s in transition system TS (over AP) without terminal states,LTL formula ϕ, and LTL fairness assumption fair let

s |=fair ϕ iff ∀π ∈ FairPaths(s). π |= ϕ andTS |=fair ϕ iff ∀s0 ∈ I.s0 |=fair ϕ.

TS satisfies ϕ under fair if ϕ holds for all fair paths that originate fromsome initial state.


6 Fairness in LTL

Theorem 14 (Reduction of |=fair to |=)For transition system TS without terminal states, LTL formula ϕ, and LTLfairness assumption fair :

TS |=fair ϕ iff TS |= fair → Φ.


Outline

1 Syntax

2 Semantics




6 Fairness in LTL




For transition system TS and LTL formula ϕ, let A be an NBA(Nondeterministic Buchi Automaton) with Lω(A) = Words(¬ϕ) :

TS |= ϕ iff Traces(TS) ⊆Words(ϕ)iff Traces(TS) ∩ ((2AP)ω \Words(ϕ)) = ∅iff Traces(TS) ∩Words(¬ϕ) = ∅iff Traces(TS) ∩ Lω(A) = ∅



Algorithm 1: Automaton-based LTL model checkingInput: finite transition system TS and LTL formula ϕ (both over AP)Output: “yes” if TS |= ϕ; otherwise, “no” plus a counterexample

1 Construct an NBA A¬ϕ such that Lω(A¬ϕ) = Words(¬ϕ)2 Construct the product transition system TS ⊗ A¬ϕ3 if ∃π ∈ Pahts(TS ⊗ A¬ϕ) satisfying the accepting condition of A then4 return “no” and an expressive prefix of π5 else6 return “yes”7 end



TS |= LTL-formula ϕiff Traces(TS) ∩ Lω(A¬ϕ) = ∅iff there is NO path 〈s0, q0〉〈s1, q1〉〈s2, q2〉...

in TS ⊗ A¬ϕ s.t. qi ∈ F for infinitely many i ∈ Niff TS ⊗ A¬ϕ |= ♦�¬F



Definition 15 (Nondeterministic Buchi Automaton (NBA))A Buchi automaton (NBA) A is a tuple A = (Q,Σ, δ,Q0,F ) where

Q is a finite set of states,Σ is an alphabet,δ : Q × Σ→ 2Q is a transition function,Q0 ⊆ Q is a set of initial states, andF ⊆ Q is a set of accept states, called the acceptance set.

A run for σ = A0A1A2... ∈ Σω denotes an infinite sequence q0q1q2...

of states in A such that q0 ∈ Q0 and qiAi−→ qi+1 for i ≥ 0.

Run q0q1q2... is accepting if qi ∈ F for infinitely many indices i ∈ N.The accepted language of A isLω(A) = {σ ∈ Σω | there exists an accepting run for σ in A}



Definition 16 (Nonblocking NBA)Let A = (Q,Σ, δ,Q0,F ) be an NBA. A is called nonblocking ifδ(q, a) 6= ∅ for all states q and all symbols a ∈ Σ.

Remark: For each NBA A there exists a nonblocking NBA trap(A) with|trap(A)| = O(|A|) and A ≡ trap(A).In nonblocking NBA trap(A),

δ′(q,A) =

δ(q,A) if q ∈ Q and δ(q,A) 6= ∅{qtrap} otherwise

trap(A) is obtained from A by inserting a nonaccept trapping state qtrapequipped with a self-loop for each symbol of Σ.



Definition 17 (Product of Transition System and NBA)Let TS = (S,Act,→, I,AP, L) be a transition system without terminalstates and A = (Q, 2AP , δ,Q0,F ) a nonblocking NBA. Then, TS ⊗A isthe following transition system:

TS ⊗A = (S × Q,Act,→′, I ′,AP ′, L′)

where →′ is the smallest relation defined by the rule

s α−−→ t ∧ p L(t)−−→ q〈s, p〉 α−−→′ 〈t, q〉

andI ′ = {〈s0, q〉 | so ∈ I ∧ ∃q0 ∈ Q0. q0

L(s0)−−−→ q},AP ′ = Q and L′ : S × Q → 2Q is given by L′(〈s, q〉) = {q}.


7.1 From LTL to NBA

Construction of an NBA Aϕ satisfying Lω(Aϕ) = Words(ϕ) for the LTLformula ϕ

LTL formula ϕ↓

Generalized Nondeterministic Buchi automaton Gϕ↓

Nondeterministic Buchi Automaton Aϕ


7.1 From LTL to NBA

Definition 18 (Generalized NBA (GNBA))A generalized NBA is a tuple G = (Q,Σ, δ,Q0,F) where Q,Σ, δ,Q0 aredefined as for an NBA, and F is a (possibly empty) subset of 2Q.

The elements F ∈ F are called acceptance sets. The infinite runq0q1q2... ∈ Qω is called accepting if

∀F ∈ F . (∞∃ j ∈ N. qj ∈ F ) .

The accepted language of G is:

Lω(G) = {σ ∈ Σω | there exists an accepting run for σ in G}

Review: infinite words can be defined as functions σ : N→ Σ and thenotation σ = A1A2A3... means that σ(i) = Ai for all i ∈ N.


7.1 From LTL to NBA

Let infinite word σ = A0A1A2... ∈Words(ϕ), an infinite words−σ= B0B1B2... satisfies

ψ ∈ Bi iff Ai Ai+1Ai+2... |= ψ (ψ ∈ closure(ϕ))

Example 19If ϕ = aU(¬a ∧ b), σ = {a}{a, b}{b}... then

closure(ϕ) = {a, b,¬a,¬b,¬a ∧ b,¬(¬a ∧ b), ϕ,¬ϕ}B0 = {a,¬b,¬(¬a ∧ b), ϕ}B1 = {a, b,¬(¬a ∧ b), ϕ}B2 = {¬a, b,¬a ∧ b, ϕ}...

The GNBA Gϕ is constructed such that the sets Bi constitute its statesHuixing Fang (SIE, Yangzhou University) 3. Linear Temporal Logic 40 / 48

7.1 From LTL to NBA

Definition 20 (Closure of ϕ)The closure of LTL formula ϕ is the set closure(ϕ) consisting of allsubformulae ψ of ϕ and their negation ¬ψ (where ψ and ¬¬ψ areidentified).

Definition 21 (Elementary Sets of Formulae)B ⊆ closure(ϕ) is elementary if it is consistent with respect topropositional logic, maximal, and locally consistent with respect to theuntil operator.


7.1 From LTL to NBA

Properties of elementary sets of formulae1 B is consistent with respect to propositional logic, for allϕ1 ∧ ϕ2, ψ ∈ closure(ϕ):

ϕ1 ∧ ϕ2 ∈ B ⇔ ϕ1 ∈ B and ϕ2 ∈ Bψ ∈ B ⇒ ¬ψ 6∈ Btrue ∈ closure(ϕ)⇒ true ∈ B.

2 B is locally consistent with respect to the until operator, for allϕ1 Uϕ2 ∈ closure(ϕ):

ϕ2 ∈ B ⇒ ϕ1 Uϕ2 ∈ Bϕ1 Uϕ2 ∈ B and ϕ2 6∈ B ⇒ ϕ1 ∈ B.

3 B is maximal, for all ψ ∈ closure(ϕ):ψ 6∈ B ⇒ ¬ψ ∈ B.


7.1 From LTL to NBA

Theorem 22 (GNBA for LTL Formula)For any LTL formula ϕ (over AP) there exists a GNBA Gϕ over thealphabet 2AP such that

1 Words(ϕ) = Lω(Gϕ).2 Gϕ can be constructed in time and space 2O(|ϕ|).3 The number of accepting sets of Gϕ is bounded above by O(|ϕ|).


7.1 From LTL to NBA

Let ϕ be an LTL formula over AP. Let Gϕ = (Q, 2AP , δ,Q0,F) :Q : set of all elementary sets of formulae B ⊆ closure(ϕ),Q0 = {B ∈ Q | ϕ ∈ B},F = {Fϕ1 Uϕ2 | ϕ1 Uϕ2 ∈ closure(ϕ)}, whereFϕ1 Uϕ2 = {B ∈ Q | ϕ1 Uϕ2 6∈ B or ϕ2 ∈ B}.

The transition relation δ : Q × 2AP → 2Q is given by:If A 6= B ∩ AP, then δ(B,A) = ∅If A = B ∩ AP, then δ(B,A) is the set of all elementary sets offormulae B′ satisfying

1 for every #ψ ∈ closure(ϕ): #ψ ∈ B ⇔ ψ ∈ B′, and2 for every ϕ1 Uϕ2 ∈ closure(ϕ):ϕ1 Uϕ2 ∈ B ⇔ (ϕ2 ∈ B ∨ (ϕ1 ∈ B ∧ ϕ1 Uϕ2 ∈ B′)).


7.1 From LTL to NBA

Theorem 23From each GNBA G there exists an NBA A with Lω(G) = Lω(A).

Proof. Let G = (Q,Σ, δ,Q0,F), with F = {F1, ...,Fk} and1 If k = 1 then G is an NBA2 If k ≥ 2 then NBA A results from k copies of G :A = (Q′,Σ, δ′,Q′0,F ′) where:

Q′ = Q × {1, ..., k},Q′

0 = Q0 × {1} = {〈q0, 1〉 | q0 ∈ Q0}, andF ′ = F1 × {1} = {〈qF , 1〉 | qF ∈ F1}.

The transition function δ′ :

δ′(〈q, i〉,A) =

{〈q′, i〉 | q′ ∈ δ(q,A)} if q 6∈ Fi

{〈q′, i + 1〉 | q′ ∈ δ(q,A)} otherwise (i = k back)

size(A) = O(Size(G) · |F|)Huixing Fang (SIE, Yangzhou University) 3. Linear Temporal Logic 45 / 48

7.2 Complexity of LTL to NBA

For each LTL formula ϕ, there is an NBA A s.t. Lω(A) = Words(ϕ) andsize(A) ≤ 2cl(ϕ) · |ϕ| = 2O|ϕ|

1 From LTL formula ϕ to GNBA G of size 2cl(ϕ)

2 From GNBA G to NBA A of size size(G) · |F|3 |F|: number of acceptance sets in G , |F| ≤ |ϕ|


7.3 Complexity of LTL Model Checking

Theorem 24The LTL model-checking problem is PSPACE-complete (PSPACE andPSPACE-hard).

1 PTIME (or briefly P) denotes the class of all decision problems thatcan be solved by a deterministic polytime algorithm

2 NP denotes the class of all decision problems that can be solved by anondeterministic polytime algorithm.

3 PSPACE denotes the class of all decision problems that can besolved by a deterministic polyspace algorithm.

4 Decision problem P is PSPACE-hard if all problems in PSPACE arepolynomially reducible to P.


Summary

1 LTL is a logic for formalizing path-based properties2 LTL formulae can be transformed algorithmically into

nondeterministic Buchi automata (NBA). This transformation cancause an exponential blowup.

3 The LTL model-checking problem can be solved by a nesteddepth-first search in the product of the given transition system and anNBA for the negated formula.

4 The time complexity of the automata-based model-checkingalgorithm for LTL is linear in the size of the transition system andexponential in the length of the formula


Documents

3. Linear Temporal Logic - fanghuixing · Linear Temporal Logic 17 / 48. Outline 1 Syntax 2 Semantics 3 Specifying Properties 4 Equivalence of LTL Formulae 5 Weak Until, Release,