Model checking discounted temporal properties

Abstract

Temporal logic is two-valued: formulas are interpreted as either true or false. When applied to the analysis of stochastic systems, or systems with imprecise formal models, temporal logic is therefore fragile: even small changes in the model can lead to opposite truth values for a specification. We present a generalization of the branching-time logic C TL which achieves robustness with respect to model perturbations by giving a quantitative interpretation to predicates and logical operators, and by discounting the importance of events according to how late they occur. In every state, the value of a formula is a real number in the interval [0,1], where 1 corresponds to truth and 0 to falsehood. The boolean operators and and or are replaced by min and max, the path quantifiers ∃ and ∀ determine sup and inf over all paths from a given state, and the temporal operators ⋄ and □ specify sup and inf over a given path; a new operator averages all values along a path. Furthermore, all path operators are discounted by a parameter that can be chosen to give more weight to states that are closer to the beginning of the path. We interpret the resulting logic D CTL over transition systems, Markov chains, and Markov decision processes. We present two semantics for D CTL: a path semantics, inspired by the standard interpretation of state and path formulas in C TL, and a fixpoint semantics, inspired by the μ -calculus evaluation of C TL formulas. We show that, while these semantics coincide for C TL, they differ for D CTL, and we provide model-checking algorithms for both semantics.