Co-safe LTL: Finite Witness Temporal Logic
- Co-safe LTL is a fragment of Linear Temporal Logic characterized by its finite witness property, where satisfaction is determined by a finite 'good prefix'.
- In negation normal form it uses only the future operators X (next), wX (weak next) and U (until), so every formula expresses an eventuality; this is what makes automata-based verification and synthesis comparatively cheap (subset construction suffices, no Safra determinization).
- Applications include control synthesis, runtime monitoring, and learning temporal specifications, where a deterministic finite automaton accepting the formula's good prefixes is composed with the system.
Co-safe Linear Temporal Logic (LTL) formulas form a well-studied syntactic and semantic fragment of Linear Temporal Logic, distinguished by the property that satisfaction can always be established by a finite prefix, termed a "good prefix", of a computation trace. This fragment plays an essential role in formal verification, model checking, and synthesis, especially where temporal specifications express reachability or eventuality rather than invariance. Co-safe LTL is the dual of the safety fragment (the complement of a co-safety language is a safety language, and the negation of a co-safe formula is a safety formula) and is directly relevant to automata-theoretic constructions as well as to the algorithmic complexity of synthesis and runtime monitoring (Artale et al., 2022, Cimatti et al., 2022, Gol et al., 2012, Bisoffi et al., 2020, Walke et al., 2021).
1. Syntax and Syntactic Characterization
Co-safe LTL (coSafetyLTL) formulas are defined over a finite set of atomic propositions. The standard syntax in negation normal form (NNF) is:
where X is the (strong) next-time operator, wX the weak next operator, and U the until operator. Literals (propositions and their negations), conjunction, disjunction, and only the future temporal operators X, wX and U are allowed; negation is pushed to the literals. The eventually operator F is derived (F φ is true U φ). On finite traces, weak next and until are the operators that handle the end of the trace explicitly (Artale et al., 2022, Walke et al., 2021).
A formula is co-safe if its NNF contains no universal temporal operator (globally G or release R): coSafetyLTL = LTL[X, wX, U]. Every such formula is satisfied only by traces that exhibit a finite witness, never by perpetual satisfaction of a condition; conversely (see Section 4), every LTL formula defining a co-safety language is equivalent to a formula of this fragment (Cimatti et al., 2022).
2. Semantics on Finite and Infinite Traces
Let 1 (infinite) or 2 (finite). The satisfaction relation 3 is defined inductively:
- 4 iff 5
- 6 iff 7 and 8
- 9 iff 0 or 1
- 2 iff 3
For finite-trace semantics, the critical distinction is that the temporal operators handle the end of the trace explicitly: at the last position X φ is false (there is no next position), whereas wX φ is true there; likewise φ U ψ requires the position where ψ holds to lie inside the trace. On infinite traces X and wX coincide (Artale et al., 2022, Cimatti et al., 2022, Bisoffi et al., 2020, Walke et al., 2021).
3. Good Prefixes and the Semantics of Co-safety
A key semantic property of co-safe formulas is the existence of a finite "good prefix." Formally, for 4, 5 is co-safety if
6
That is, for any accepted trace, a finite prefix exists such that all its infinite extensions also satisfy the formula. This is the essence of "finite witness" semantics: co-safe formulas are those whose satisfaction can be irrevocably established after witnessing a finite sequence (Artale et al., 2022, Cimatti et al., 2022, Walke et al., 2021).
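The two points above, end-of-trace semantics and good prefixes, can be made concrete with a small evaluator. The following is an added example (not code from any of the cited papers): formulas are encoded as nested tuples (an encoding chosen here, e.g. `("U", "p", "q")` for p until q), a trace is a list of sets of propositions, and `shortest_good_prefix` returns the length of the shortest prefix that already satisfies the formula under strong finite-trace semantics. For formulas in LTL[X, U] such a prefix is a good prefix in the sense of Section 3: every extension of it satisfies the formula, because each literal, X step and U witness is located inside the prefix. Weak next is deliberately rejected by that function, since wX φ is true at the end of a prefix that may still be extended.

```python
# Added example: co-safe LTL on finite traces (LTL_f) and good-prefix search.
# Formula encoding (chosen for this example, not from the cited papers):
#   "p"                          proposition p holds now
#   ("not", "p")                 negated literal (formulas are in NNF)
#   ("and", f1, f2, ...)         conjunction        ("or", f1, ...)  disjunction
#   ("X", f)   strong next       ("wX", f)  weak next
#   ("F", f)   eventually        ("U", f, g) f until g
# A trace is a list of sets; trace[i] is the set of propositions true at position i.
from typing import Optional


def holds(phi, trace, i: int = 0) -> bool:
    """Finite-trace satisfaction: does position i of `trace` satisfy `phi`?"""
    n = len(trace)
    if isinstance(phi, str):                       # positive literal
        return phi in trace[i]
    op = phi[0]
    if op == "not":                                # negated literal
        return phi[1] not in trace[i]
    if op == "and":
        return all(holds(k, trace, i) for k in phi[1:])
    if op == "or":
        return any(holds(k, trace, i) for k in phi[1:])
    if op == "X":                                  # strong next: false at the last position
        return i + 1 < n and holds(phi[1], trace, i + 1)
    if op == "wX":                                 # weak next: true at the last position
        return i + 1 >= n or holds(phi[1], trace, i + 1)
    if op == "F":                                  # eventually: a witness inside the trace
        return any(holds(phi[1], trace, j) for j in range(i, n))
    if op == "U":                                  # until: the right operand must occur in the trace
        for j in range(i, n):
            if holds(phi[2], trace, j):
                return True
            if not holds(phi[1], trace, j):
                return False
        return False
    raise ValueError(f"unknown operator {op!r}")


def strong_only(phi) -> bool:
    """True iff phi is in LTL[X, U] (no weak next)."""
    if isinstance(phi, str):
        return True
    if phi[0] == "wX":
        return False
    return all(strong_only(k) for k in phi[1:])


def shortest_good_prefix(phi, trace) -> Optional[int]:
    """Length of the shortest prefix of `trace` satisfying `phi` under strong
    finite-trace semantics, or None if no prefix of the given trace does.
    For LTL[X, U] formulas every (finite or infinite) extension of that prefix
    also satisfies phi, so the prefix is a good prefix in the sense of Section 3."""
    if not strong_only(phi):
        raise ValueError("wX does not certify a good prefix: it is true at the end "
                         "of a prefix that may still be extended")
    for k in range(1, len(trace) + 1):
        if holds(phi, trace[:k]):
            return k
    return None


if __name__ == "__main__":
    # Constructed sample trace; p first holds at position 2, q at position 0.
    trace = [{"q"}, set(), {"p"}, set()]
    print(holds(("X", "p"), [{"p"}]), holds(("wX", "p"), [{"p"}]))   # X vs wX at the end
    print(shortest_good_prefix(("and", ("F", "p"), ("F", "q")), trace))
```

The converse does not hold in general: a prefix can be good without satisfying the formula under strong finite semantics (every extension of a one-letter prefix satisfies X p ∨ X ¬p, yet the one-letter prefix itself does not), which is why the exact characterization of good prefixes goes through the automaton construction of Section 4 rather than through direct evaluation.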
4. Expressiveness, Characterizations, and Automata Correspondence
Proposition 2 in (Artale et al., 2022) (also Kupferman & Vardi 2001, Thomas 1988) establishes that for any pure-future LTL formula the following are equivalent:
- The language it defines is a co-safety language (membership is established by a finite witness).
- It is equivalent to a formula of the form "eventually α" where α is a pure-past formula (past operators only).
- It is equivalent to some formula of coSafetyLTL.
A first-order logic characterization is given by the coSafetyFO fragment. Over the signature of first-order logic with a linear order on positions (FO-TLO), the formulas whose temporal structure is existential (existential quantification over positions) characterize exactly the co-safety subset of FO (Cimatti et al., 2022).
Every co-safe LTL formula, on finite or infinite traces, is effectively translatable to a deterministic finite automaton (DFA) that recognizes its good prefixes. In practical terms, model checking and membership reduce to reachability or emptiness checking on the product of this automaton with the system. The caveat is size: the DFA can be doubly exponential in the formula in the worst case, so the saving is in the kind of construction (subset construction rather than determinization of ω-automata), not in an asymptotic bound (Artale et al., 2022, Gol et al., 2012, Bisoffi et al., 2020, Walke et al., 2021).
5. Representative Examples and Non-Examples
Examples
| Formula | English Description | Good Prefix Condition |
|---|---|---|
| F p | "Eventually p holds" | Prefix ending at the first position where p holds |
| p U q | "p until q," with q eventually required | Prefix ending at the first q, with p at every earlier position |
| X p ∧ X X q | "p at the next step, q two steps ahead" | Prefix of length 3 suffices |
| F p ∧ F q | "Both p and q occur at least once (any order)" | Prefix containing at least one p and at least one q |
Non-examples include safety formulas such as G p ("always p") and liveness beyond eventuality, e.g., G F p ("infinitely often p"); both require reasoning about the whole infinite future and thus are not co-safe (Artale et al., 2022, Cimatti et al., 2022, Walke et al., 2021).
6. Algorithmic Considerations and Complexity
Algorithmic analysis shows that, despite the syntactic restriction, the complexity of the key decision problems for coSafetyLTL matches that of full LTL, with validity on finite traces as the one exception:
| Problem | Infinite Traces | Finite Traces |
|---|---|---|
| Satisfiability | PSPACE-complete | PSPACE-complete |
| Validity | PSPACE-complete | coNP-complete |
| Realizability | 2EXPTIME-complete | 2EXPTIME-complete |
For the co-safety fragment (LTL[X, wX, U]), satisfiability stays PSPACE-complete on finite traces, whereas validity drops to coNP-complete. This is the dual of the situation for the safety fragment, whose satisfiability drops to NP-complete on finite traces (a safety formula in NNF is satisfiable iff it is satisfiable on a single-position trace, where wX is vacuously true); the negation of a co-safe formula is a safety formula, so co-safe validity inherits the coNP bound. Algorithmically, the translation of co-safe LTL to automata enables straightforward monitoring and synthesis without Safra determinization or other complicated ω-automata constructions: a subset construction on the NFA of good prefixes suffices (Artale et al., 2022, Walke et al., 2021, Gol et al., 2012, Cimatti et al., 2022).
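The automaton side of Sections 4 and 6 can be shown with formula progression: the residual of a formula after reading one letter is again a formula, a residual that folds to true certifies a good prefix, one that folds to false certifies a bad prefix, and enumerating the reachable residuals over the alphabet of letters is exactly a subset-style construction of the good-prefix DFA. The following is an added example, not code from the cited papers; the tuple encoding of formulas, the function names and the sample traces are choices made here. It covers the infinite-trace fragment LTL[X, U] (with F derived), on which wX coincides with X.

```python
# Added example: formula progression as a good-prefix monitor and DFA builder
# for co-safe LTL[X, U] under infinite-trace semantics.
# Formula encoding (chosen for this example): "p" proposition, ("not","p") negated
# literal, ("and", ...), ("or", ...), ("X", f) next, ("F", f) eventually,
# ("U", f, g) until. A letter is a set of propositions true at one position.
from itertools import combinations

TRUE, FALSE = ("true",), ("false",)


def simplify(phi):
    """Constant folding, flattening and deduplication so that residuals reach a
    stable form (no full propositional canonicalization, see the note below)."""
    if isinstance(phi, str) or phi[0] in ("true", "false", "not"):
        return phi
    op = phi[0]
    if op in ("and", "or"):
        unit, absorb = (TRUE, FALSE) if op == "and" else (FALSE, TRUE)
        kids = set()
        for k in map(simplify, phi[1:]):
            if k == absorb:
                return absorb
            if k == unit:
                continue
            kids.update(k[1:] if isinstance(k, tuple) and k[0] == op else [k])
        if not kids:
            return unit
        if len(kids) == 1:
            return next(iter(kids))
        return (op, *sorted(kids, key=repr))
    if op == "U":
        a, b = simplify(phi[1]), simplify(phi[2])
        if b in (TRUE, FALSE):
            return b                      # a U true = true, a U false = false
        return b if a == FALSE else ("U", a, b)
    child = simplify(phi[1])              # X or F; on infinite traces X true = true
    return child if child in (TRUE, FALSE) else (op, child)


def prog(phi, letter):
    """Residual formula: w = letter.w' satisfies phi iff w' satisfies prog(phi, letter)."""
    if isinstance(phi, str):
        return TRUE if phi in letter else FALSE
    op = phi[0]
    if op in ("true", "false"):
        return phi
    if op == "not":
        return FALSE if phi[1] in letter else TRUE
    if op in ("and", "or"):
        return simplify((op, *(prog(k, letter) for k in phi[1:])))
    if op in ("X", "wX"):                 # wX = X on infinite traces
        return simplify(phi[1])
    if op == "F":                         # F f = f or X F f
        return simplify(("or", prog(phi[1], letter), phi))
    if op == "U":                         # f U g = g or (f and X(f U g))
        return simplify(("or", prog(phi[2], letter), ("and", prog(phi[1], letter), phi)))
    raise ValueError(f"unknown operator {op!r}")


def monitor(phi, trace):
    """Three-valued runtime verdict after consuming the trace letter by letter:
    ("good", k) the first k letters form a good prefix (every extension satisfies phi),
    ("bad", k)  they form a bad prefix (no extension satisfies phi),
    ("open", n) undecided after all n letters."""
    res = simplify(phi)
    for k, letter in enumerate(trace, 1):
        res = prog(res, letter)
        if res == TRUE:
            return ("good", k)
        if res == FALSE:
            return ("bad", k)
    return ("open", len(trace))


def good_prefix_dfa(phi, props, max_states=10_000):
    """Explicit DFA over the alphabet 2^props: states are reachable residuals,
    TRUE is the accepting sink, FALSE the rejecting sink."""
    alphabet = [frozenset(c) for r in range(len(props) + 1) for c in combinations(sorted(props), r)]
    start = simplify(phi)
    states, delta, todo = {start}, {}, [start]
    while todo:
        q = todo.pop()
        for a in alphabet:
            q2 = prog(q, a)
            delta[(q, a)] = q2
            if q2 not in states:
                states.add(q2)
                todo.append(q2)
        if len(states) > max_states:
            raise RuntimeError("residual exploration exceeded the state budget")
    return start, states, delta


def dfa_accepts(dfa, trace) -> bool:
    """Run the explicit DFA; the prefix is good iff the accepting sink is reached."""
    start, _, delta = dfa
    q = start
    for letter in trace:
        q = delta[(q, frozenset(letter))]
    return q == TRUE


if __name__ == "__main__":
    spec = ("and", ("F", "p"), ("F", "q"))      # both p and q must occur
    print(monitor(spec, [{"q"}, set(), {"p"}]))  # constructed trace
    print(len(good_prefix_dfa(spec, ["p", "q"])[1]), "reachable states")
```

Because `simplify` only folds constants, a residual that is a propositional tautology (p ∨ ¬p after reading one letter of X p ∨ X ¬p) is recognized as true only after the next letter, so the verdict can lag the earliest good prefix by a step and the explicit DFA need not be minimal; an implementation that wants the exact good-prefix language represents residuals canonically (for instance with BDDs) or builds the DFA from the NFA as the text describes.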
7. Applications and Synthesis
Co-safe LTL is central in temporal logic control, system synthesis, runtime monitoring, and learning of temporal logic specifications:
- Control synthesis: Co-safe LTL formulas specify reachability-based objectives and are used in synthesis of controllers for continuous, hybrid, or discrete systems, often via product constructions of a system abstraction and a co-safe LTL automaton. The key property is that satisfaction can always be guaranteed in finite time, aligning with practical control goals (Gol et al., 2012, Bisoffi et al., 2020).
- Learning temporal specifications: In data-driven contexts, co-safe LTL (especially on finite traces, LTL_f) enables interpretable extraction of behavior from system traces. Neural architectures can learn temporal patterns by encoding temporal filters that subsume the standard LTL_f operators, and symbolic formulas equivalent to co-safe LTL specifications can be extracted from them (Walke et al., 2021).
- Barrier certificates: For hybrid or continuous systems, the eventuality property of co-safe LTL can be verified via hybrid barrier certificates that guarantee reachability of "good" automaton states within finite hybrid time (Bisoffi et al., 2020).
Co-safe formulas are thus the preferred formalism when finite-witness guarantees, reachability, or other eventualities are central to system specification, learning, or monitoring.
References:
- Artale et al., 2022
- Cimatti et al., 2022
- Gol et al., 2012
- Bisoffi et al., 2020
- Walke et al., 2021