On the Satisfiability of Metric Temporal Logics over the Reals


Electronic Communications of the EASST
Volume 66 (2013)

Proceedings of the
Automated Verification of Critical Systems

(AVoCS 2013)

On the Satisfiability of Metric Temporal Logics over the Reals

Marcello M. Bersani, Matteo Rossi and Pierluigi San Pietro

15 pages

Guest Editors: Steve Schneider, Helen Treharne
Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer
ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122

http://www.easst.org/eceasst/


ECEASST

On the Satisfiability of Metric Temporal Logics over the Reals

Marcello M. Bersani1, Matteo Rossi1 and Pierluigi San Pietro12

1 [marcellomaria.bersani,matteo.rossi,pierluigi.sanpietro]@polimi.it
Dipartimento di Elettronica Informazione e Bioingegneria, Politecnico di Milano

2 CNR IEIIT-MI

Abstract: We show that there is a satisfiability-preserving translation of QTL for-
mulae interpreted over finitely variable behaviors into formulae of the CLTL-over-
clocks logic. The satisfiability of CLTL-over-clocks can be determined through a
suitable encoding into the input logics of SMT solvers, so it constitutes an effective
decision procedure for QTL. Although decision procedures for determining satisfia-
bility of QTL (and for the expressively equivalent logics MITL and QMLO) already
exist, the automata-based techniques they employ appear to be very difficult to re-
alize in practice, and, to the best of our knowledge, no implementation currently
exists for them. A prototype tool for QTL based on the encoding presented here
has, instead, been implemented and is publicly available.

Keywords: Metric Temporal Logic, Satisfiability Modulo Theories, Continuous-
time systems, Formal Verification

1 Introduction

The need for continuous-time models arises naturally and often when describing the dynamics of
physical quantities, such as position, speed and acceleration of a moving body, or such as temper-
ature and pressure of a fluid. When developing computer systems that monitor and control such
quantities, then, the classic discrete-time models used in the computer science domain are no
longer enough. Many notations [FMMR12] have been developed to address these shortcomings;
the most successful ones, those that are the most used in practice and with the most developed
tools, are based on operational mechanisms, e.g., Timed Automata [AD94].

Descriptive notations, e.g., temporal logics, however, provide many benefits, such as allowing
for an abstract, concise and convenient expression of the required properties of a system. This is
mostly exploited in the verification of finite-state models, e.g., through model checking [BK08].
Temporal logics, however, also allow designers to pursue a descriptive approach to the specifi-
cation and modeling of reactive systems (e.g., [MP94, FMMR12]), where the system is defined
by its general properties, rather than by a machine behavior (e.g., a Timed Automaton). In this
case, verification typically consists of satisfiability checking of the conjunction of the model and
of the (negation of) its desired properties.

In general, tool support for verification of continuous-time temporal logics is not as well-
developed as for discrete-time models, especially when the logic is endowed with metric opera-
tors. Decision procedures for determining the satisfiability of continuous-time metric temporal
logic mostly rely on timed automata-based techniques [AFH96, MNP06], but they appear to be
very difficult to realize in practice, and, to the best of our knowledge, no implementation exists

1 / 15 Volume 66 (2013)

mailto:[marcellomaria.bersani,matteo.rossi,pierluigi.sanpietro]@polimi.it


On the Satisfiability of Metric Temporal Logics over the Reals

for them. An alternative proof to the one in [AFH96] for the satisfiability of Metric Interval Tem-
poral Logic (MITL) formulae is provided in [SRH02]. Though the aim of the paper was that of
proving the soundness and completeness of the axiomatization for the Event-Clock logic (therein
proved to be equivalent to MITL), they devise an ad-hoc procedure for building an automaton
corresponding to a formula, motivating it since the known one for MITL [AFH96] can not be
used directly for their purposes.

We study the satisfiability of the Quantitative Temporal Logic (QTL) [HR99, HR05], using a
purely logic-based approach. QTL is an interesting logic: it is known to be decidable over the
real line, and its satisfiability problem is PSPACE-complete; it has a very simple syntax, with
only one metric operator; despite this, it is expressively equivalent with other very interesting
logics, and in particular with the Quantitative Monadic Logic of Order (QMLO), and with the
Metric Interval Temporal Logic (MITL). In fact, a translation has been defined that, from a QTL
formula, produces an equivalent QMLO (resp. MITL) formula, and vice-versa. Since QMLO
can be used to provide semantics to a variety of existing metric temporal logics, our approach can
be used in principle to decide the satisfiability of a wide range of logics, including for example
the popular MITL.

More precisely, in this paper we introduce a linear satisfiability-preserving translation from
QTL formulae to formulae of CLTL-over-clocks (CLTL-oc), a decidable logic [BRS] whose
satisfiability problem is also PSPACE-complete, for which it is possible to define a decision pro-
cedure based on Satisfiability Modulo Theories (SMT) solving techniques that are implemented
in a variety of tools (such as [Mic]). This is the basis for a prototype tool, available from [qtl].

Although QTL is decidable over unrestricted models, we will focus on models that are finitely
variable, i.e. such that in every bounded time interval there can only be a finite number of
changes. This is a very common requirement for continuous-time models, which only rules out
pathological behaviors (e.g., Zeno [FMMR12]) which do not have much practical interest.

The paper is organized as follows: Sect. 2 defines QTL and CLTL-oc, and Sect. 3 defines a re-
duction from the former to the latter; Sect. 4 shows that the translation is satisfiability-preserving,
and discusses its complexity. Sect. 5 presents some experimental results carried out with our
prototype tool. Sect. 6 concludes, describing also tool support. All proofs can be found in the
extended version of this paper that is available from the tool website [qtl].

2 Languages

Let AP be a finite set of atomic propositions. The syntax of (well-formed) QTL formulae over
AP is defined by the grammar (where p P AP):

φ :“ p | φ ^φ | φ | φ Up0,8qφ | Fp0,1qφ | φ Sp0,8qφ | Pp0,1qφ.

The semantics of QTL may be defined with respect to a generic linear order, but in what
follows we will focus on the nonnegative real line, i.e., the linear order pRě0,ăq. A structure M
for QTL over alphabet AP is a pair M “ xRě0,BMy, where BM is a valuation mapping every
propositional variable p P AP to a set BMppq Ď Rě0. Hence, a structure may be considered as
providing continuous-time Boolean signals over the set AP. Satisfaction of a QTL formula over

Proc. AVoCS 2013 2 / 15



ECEASST

M,t |ù p ô t P BMppq

M,t |ù φ ô M,t ­|ù φ

M,t |ù φ ^ψ ô M,t |ù φ and M,t |ù ψ

M,t |ù φ Up0,8qψ ôDt
1
ą t, M,t1 |ù ψ and @t2,t ă t2 ă t1, M,t2 |ù φ

M,t |ù Fp0,1qφ ôDt
1,t ă t1 ă t `1 M,t1 |ù φ

M,t |ù φ Sp0,8qψ ôDt
1
ă t, M,t1 |ù ψ and @t2,t1 ă t2 ă t, M,t2 |ù φ

M,t |ù Pp0,1qφ ôDt
1,t ´1 ă t1 ă t, M,t1 |ù φ.

Table 1: Semantics of QTL.

M at a point t P Rě0 is a relation |ù defined inductively as in Table 1. Given a QTL formula φ ,
we indicate by subpφq the set of all subformulae occuring in φ .

In this paper, we will assume signals to have finite variability, i.e., in any bounded time interval
there can only be a finite number of changes. Nevertheless, the following result holds.

Theorem 1 ([HR05]) Satisfiability of QTL over pRě0,ăq is PSPACE-complete, even without
the finite variability assumption.

Constraint LTL (CLTL [DD07, BFRS11]) formulae are defined with respect to a finite set V of
variables and a structure D “pD,Rq where D is a specific domain of interpretation for variables
and constants and R is a family of relations on D, with the set AP of atomic propositions being
the set R0 of 0-ary relations. An atomic constraint is a term of the form Rpx1,...,xnq, where R is
an n-ary relation of R on D and x1,...,xn P V . A valuation is a mapping v : V Ñ D. A constraint
is satisfied by v, written v |ùD Rpx1,...,xnq, if pvpx1q,...,vpxnqqP R.

Temporal terms α are defined by the syntax α :“ c | x | Xα , where c is a constant in D and
x P V . CLTL formulae are defined as follows:

φ :“ Rpα1,...,αnq | φ ^φ | φ | Xpφq | Ypφq | φ Uφ | φ Sφ

where αi’s are temporal terms, R P R, X, Y, U and S are the usual “next”, “previous”, “until” and
“since” operators of LTL, with the same meaning. Operator X is similar to X, but it only applies
to temporal terms, with the meaning that Xα is the value of temporal term α in the next time
instant. Operators “globally” G and “release” R are introduced as customary as abbreviations:
φ1Rφ2 “ p φ1U φ2q, Gpφq“KRφ .

The depth |α| of a temporal term is the total amount of temporal shift needed in evaluating α :
|x| “ 0 when x is a variable, and |Xα| “ |α|` 1. The semantics of CLTL formulae is defined
with respect to a strict linear order representing time pN,ăq. Truth values of propositions in AP
and values of variables belonging to V are defined by a pair pπ,σq, where π : N Ñ℘pAPq and
σ : NˆV Ñ D, which define a subset of AP and the value of variables for each element of N.
The value of terms is defined with respect to σ as follows:

σpi,αq“ σpi`|α|,xαq

3 / 15 Volume 66 (2013)



On the Satisfiability of Metric Temporal Logics over the Reals

pπ,σq,i |ù p ô p P πpiq for p P AP

pπ,σq,i |ù Rpα1,...,αnqôpσpi`|α1|,xα1q,...,σpi`|αn|,xαnqqP R

pπ,σq,i |ù Xpφqôpπ,σq,i`1 |ù φ
pπ,σq,i |ù Ypφqôpπ,σq,i´1 |ù φ ^i ą 0
pπ,σq,i |ù φ Uψ ôD j ě i : pπ,σq, j |ù ψ ^@ i ď n ă j,pπ,σq,n |ù φ
pπ,σq,i |ù φ Sψ ôD0 ď j ď i : pπ,σq, j |ù ψ ^@ i ď n ă j,pπ,σq,n |ù φ

Table 2: Semantics of CLTL (propositional connectives are omitted for brevity).

assuming that xα is the variable in V occurring in term α . The semantics of a CLTL formula φ
at instant i ě 0 over a pair pπ,σq is defined as in Table 2, where xαi is the variable that appears in
temporal term αi, and R P RzR0 (recall that R0 “ AP). A formula CLTL φ is satisfiable if there
exists a pair pπ,σq such that pπ,σq,0 |ù φ ; in this case, we say that pπ,σq is a model of φ .

In this paper, we restrict the set of models where variables in V are evaluated as clocks. A
clock “measures” the time elapsed since its last “reset” (i.e., the variable was equal to 0). Each
position i P N is associated with a “time delay” δpiq, where δpiq ą 0 for all i, corresponding to
the “time elapsed” between the current position i and the next one i`1. For a clock xα ,

σpi`1,xαq“

#

σpi,xαq`δpiq, time elapsing
0 reset xα .

The set R is restricted to tă,“u because CLTL-oc formulae need only to measure the time
elapsing among events, as later explained. Under these two restrictions, CLTL-oc is decidable
[BRS], and an effective decision procedure can be devised by encoding CLTL-oc formulae into
formulae in the decidable theory of Quantifier-free Uninterpreted Functions with Equality com-
bined with Linear Real Arithmetic (QF-EUF Y LRA), which is solved by SMT solvers such as,
for example, Z3 [Mic]. A prototype solver for CLTL-oc formulae is available as part of the Zot
tool [ae2].

QTL is closely related to other metric temporal logics, and in particular QMLO [HR05] and
the popular MITL [AFH96], through the following result.

Theorem 2 ([HR05]) QMLO, QTL and MITL are expressively equivalent.

Hence, a satisfiability-preserving translation of QTL formulae into CLTL-oc ones can be the
basis for an effective decision procedure to solve the satisfiability (over finitely-variable behav-
iors) of all above-mentioned logics.

3 Reduction of QTL to CLTL-over-clocks

Reducing QTL to CLTL-oc requires a way to represent models of QTL formulae, i.e., continuous-
time signals over a finite set of atomic propositions, by means of CLTL-oc models where time

Proc. AVoCS 2013 4 / 15



ECEASST

p p p p

¬p ¬p ¬p

p

p

p
p

p
p

p
p

p
p

p
p

p
p

p
p

p¬
¬

¬ ¬
¬ ¬

¬

¬p

0 1 2 3 4 5 6 7

QTL signal

CLTL-oc model

Figure 1: Example of QTL signal and a corresponding CLTL-oc model (clocks not shown).

is discrete. CLTL-oc variables behaving as clocks represent time progress, while discrete posi-
tions in CLTL-oc models represent, for each subformula occurring in QTL formula φ , whether a
change of truth value (an “event”) occurs or not for the subformula at that point. Time progress
between two discrete points is measured by CLTL-oc clocks; between events, the truth value of
formulae is stable (i.e., there is no change). In every (discrete) position CLTL-oc models embed,
through suitable fresh propositional letters (q and �), the information defining the truth value
of all the subformulae occurring in QTL formula φ and, through clock variables, the informa-
tion about the time progress between two consecutive changing points. Then, every position in
a CLTL-oc model captures the configuration of one of the intervals in which the continuous-
time signal is partitioned by considering the QTL “events”. Therefore, our reduction defines, by
means of CLTL-oc formulae, the semantics of every subformula occurring in φ . Fig. 1 shows an
example of QTL signal and a corresponding CLTL-oc model.

Consider a QTL formula φ . For each subformula θ of φ we introduce two predicates, qθ and
�

θ , which represent the value of θ in, respectively, the first instant and the rest of the interval
between two events (hence, qθ represents the value of θ exactly when the event occurs). We also
introduce two clocks, z0

θ
and z1

θ
, which measure the time elapsed since the last two “events”.

Let θ P subpφq. We say that the event “θ becomes true” eu
θ

occurs at instant t ě 0 of signal M
when θ holds right after t, but not before it, or t is the origin:

Dε ą 0,@t1 Ppt,t `εq it is M,t1 |ù θ and either t “ 0 or Dε1 ą 0,@t1 Ppt ´ε1,tq it is M,t1 |ù θ .

The opposite event “θ becomes false” ed
θ

is simply given by the property above with  θ instead
of θ . QTL events eu

θ
and ed

θ
are represented in the CLTL-oc formula through combinations of

the basic predicates qθ and
�

θ that are abbreviated by  θ and !θ , respectively, whose definitions
are shown in Table 3.

We do not impose any restrictions on signals other than they be finitely variable. In particular,
subformulae θ can have singularities, i.e., instants in which the value of θ is different than in
their neighborhood. More precisely, we say that a formula θ has an “up-singularity” su

θ
in instant

t if the following holds:

t ą 0, M,t |ù θ and Dε ą 0 s.t. @t1 ‰ t Ppt ´ε,t `εq it is M,t1 |ù θ .

5 / 15 Volume 66 (2013)



On the Satisfiability of Metric Temporal Logics over the Reals

qξ “ ξ holds in the first instant of the current interval
�

ξ “ ξ holds in the current interval (except possibly for its first instant)

 ξ “ Yp
�

ξq^
�

ξ "ξ “ Yp 
�

ξq^qξ ^ 
�

ξ

!ξ “ Yp 
�

ξq^ 
�

ξ #ξ “ Yp
�

ξq^ qξ ^
�

ξ

ξ

ê “!ξ _#ξ _porig^ qξq
ξ

ë “!ξ _"ξ
ξè

“ ξ _"ξ _porig^qξq
ξ

é “ ξ _#ξ
r

ξ “qξ ^
�

ξ ξ
r

“ qξ ^ 
�

ξ

orig “ YpJq

Table 3: CLTL-oc predicates and abbreviations used in the encoding. Note that Yp
�

ξq and Yp 
�

ξq

are false in the origin, no matter ξ , and elsewhere  Yp 
�

ξq ” Yp
�

ξq; hence,  ξ holds in 0 if,

and only if,
�

ξ holds there, "ξ does not hold in 0, and so on.

We say that θ has a “down-singularity” sd
θ

if the formula above holds with  θ instead of θ . Note
that singularities do not occur in the origin. In CLTL-oc, we represent up- and down-singularities
with combinations of basic propositions abbreviated by "θ and #θ , respectively, as shown in
Table 3.

Table 3 summarizes the CLTL-oc predicates used here. In a nutshell,
ξ

ê (resp.
ξè

) indicates that
formula ξ held (resp. did not hold) in an interval before the current one, and now it switches; the
switch can be singular (in which case ξ immediately takes the same value it held before now),

or not, in which case ξ stays false (resp. true) for some time after the switch. Formula
ξ

é (resp.
ξ

ë), instead, holds if ξ becomes true (resp. false) in the current instant, and it holds in an interval

after now. Also, formula
r

ξ (resp. ξ
r

) states that ξ is true (resp. false) throughout the current

interval. In addition, we abbreviate by orig formula  YpJq, which holds only in 0.
In the rest of this section we define the translation from QTL to CLTL-oc formulae which is

the main contribution of this paper. First, Section 3.1 introduces a set of general formulae, which
are written for any subformula θ of φ , defining constraints that guarantee that clock resets occur
at suitable points. Then, in Section 3.2, we provide the operator-specific CLTL-oc formulae that
capture the semantics of QTL connectives and temporal operators.

3.1 General Constraints on Clocks and Events

This section describes the behavior of clocks and events. We introduce clocks z0
θ

and z1
θ

for each
subformula θ of φ to measure the time elapsing between two consecutive events of θ . In each
discrete position of a CLTL-oc model, the value of z0

θ
and z1

θ
is, intuitively, the time elapsed since

the last two events of θ , which is set to 0 (reset) only when an event (of θ ) occurs. Resets of z0
θ

Proc. AVoCS 2013 6 / 15



ECEASST

and z1
θ

alternate because, when one of the two clocks is reset to start measuring the time elapsing
from the current event, the time elapsed since the previous event (which is needed in CLTL-oc
formulae to model the semantics of QTL modalities) is measured by the other clock. In other
words, one can not “read” the value of a clock and, at the same time, reset it to start measuring
the elapsed time anew.

For any θ P subpφq, the following CLTL-oc formula holds at position 0, simply stating that in
0 the z0

θ
clock of every subformula θ is reset (while z1

θ
can have any value):

z0
θ
“ 0 (1)

The other formulae of this section must hold at each discrete instant; for simplicity, the globally
operator G is inserted explicitly only at the end of the section.

Whenever subformula θ switches its value (it becomes true or false, possibly in a singular
way), one of its associated clocks z0

θ
and z1

θ
is reset:

θè

_
θ

ê ô z
0
θ
“ 0_z1

θ
“ 0. (2)

The clocks associated with a subformula θ are reset in an alternate way: between any two resets
of clock z0

θ
there must be a reset of clock z1

θ
, and vice-versa:

ľ

iPt0,1u

pzi
θ
“ 0qñ X

´

pzpi`1q mod 2
θ

“ 0qRpzi
θ
‰ 0q

¯

. (3)

In the following, genconstrθ denotes the formula (1)^Gp(2)^(3)q.

3.2 Semantics of QTL temporal modalities

This section presents the definition of mpθq, the translation of every subformula θ of a QTL
formula into a suitable CLTL-oc formula encoding its semantics. Essentially, mpθq describes
how θ becomes true and false depending on the value of its own subformulae.
‚ θ “ ψ : The predicates related to θ are exactly the opposite ones of ψ , so mpθq is the

following:

mpθq“pqθô qψq^p
�

θô 
�
ψq. (4)

‚ θ “ γ ^ ψ : The semantics of γ ^ ψ is simply the conjunction of the basic predicates
for γ and ψ .

mpθq“pqθôqγ ^qψq^p
�

θô
�
γ ^

�
ψq (5)

‚ θ “ γ Up0,`8qψ : The following lemma holds for formulae of this form.

Lemma 1 Let θ “ γ Up0,`8qψ and M be a non-Zeno signal. For each t P R` there is ε P Rą0
such that M,t |ù θ if, and only if, for all t1 Ppt,t `εs it is M,t1 |ù θ .

7 / 15 Volume 66 (2013)



On the Satisfiability of Metric Temporal Logics over the Reals

Then, U formulae can not have singularity points, as they would violate Lemma 1. In addition,
when a U formula changes its value, it must do so in a left-closed manner (i.e., the value at the
change point is the same as the one after the change point) or, again, Lemma 1 is violated. Then,
we have (6) below.

mpθq“
ˆ

qθô
�

θ

˙

^

ˆ

�

θô
�
γ ^

ˆ

�
ψ _X

ˆ

r
γ U

ˆ

p
r
γ ^

�
ψq_qψ

˙˙˙˙

(6)

In particular, the second conjunct of Formula (6) states that θ holds in an interval if, and only if,
either both ψ and γ hold in it, or there is a future interval in which ψ holds (either throughout the
interval, or in its first instant), and γ holds throughout all intervals (including their first instants)
in between.
‚ θ “ Fp0,1qγ : For formulae Fp0,1qγ we have the following result.

Lemma 2 Let θ “ Fp0,1qγ be a QTL formula. If M,t |ù θ then there is ε P Rą0 such that, for
all t1 P rt,t `εs it is M,t1 |ù θ and, when t ą 0, there is also ε P Rą0 such that ε ă t and for all
t1 P rt ´ε,ts it is M,t1 |ù θ .

Because of Lemma 2, an up-singularity "θ can never occur for a formula of the form Fp0,1qγ .
In addition, if θ holds at the beginning of an interval (i.e., qθ holds), then it must hold also in
the rest of the interval and, if t ą 0, it must also hold in the interval before. Then, the following
constraint holds in every instant:

qθñ
�

θ ^pYp
�

θq_origq (7)

Formula (8) states that, when θ becomes true with a raising edge  θ , in an instant other than

the origin, a clock z j
θ

is reset, and
γè

will eventually be true after 1 instant; if θ becomes true
in the origin, then either it does so in a left-closed manner, and γ becomes true before clock z0

θ

becomes 1, or it becomes true in a left-open manner, and γ becomes true exactly at 1. Fig. 2(a)
gives a graphical depiction of one of the conditions for having a raising edge in t ą 0.

 θ ô

¨

˚

˚

˚

˚

˚

˚

˚

˚

˚

˝

orig^

¨

˚

˚

˝

qθ ^

ˆ

 γ _X
ˆ

z0
θ
ą 0 U

ˆ

γè

^p0 ă z0
θ
ă 1q

˙˙̇

_

 qθ ^!γ ^X
ˆ

pz0
θ
ą 0^

γ

­

è

qU
ˆ

γè

^z0
θ
“ 1

˙˙

˛

‹

‹

‚

_

 orig^ qθ ^
ł

jPt0,1u

¨

˝z j
θ
“ 0^X

¨

˝z j
θ
ą 0 U

¨

˝

γè

^z j
θ
“ 1^

ł

iPt0,1u

zi
γ
ą 1

˛

‚

˛

‚

˛

‚

˛

‹

‹

‹

‹

‹

‹

‹

‹

‹

‚

(8)

We also add a constraint, which is captured by Formula (9), which states that, if γ becomes
true in an instant t, and it was false in the interval of length 1 preceding t, then in t one of the
clocks associated with θ has value 1, since Fp0,1qγ started holding 1 time unit before t.

¨

˝

γè

^
ł

iPt0,1u

zi
γ
ě 1

˛

‚ñ
ł

jPt0,1u

z j
θ
“ 1 (9)

Proc. AVoCS 2013 8 / 15



ECEASST

�

z
j
✓ = 10 < z

j
✓ < 1

    θ

z
j
✓ = 0

(a) θ “ Fp0,1qpγq

    θ�

zi� = 10 < zi� < 1
zi� = 0

(b) θ “ Pp0,1qpγq

Figure 2: Depiction of some conditions for raising and falling edges in metric operators.

When θ becomes false with either a falling edge (!θ ) or in a singular manner (#θ ), γ becomes
false, so a clock zi

γ
is reset. If θ becomes false with a falling edge (10), then γ can not become

true again as long as the clock that is reset with
γ

ë is ď 1. If θ becomes false in a singular manner

(11), instead, γ must become true again exactly when the clock that is reset with
γ

ë is 1.

!θ ô
γ

ë ^ X

¨

˝

γ

­

è

Up
γè

^
ł

iPt0,1u

0 ă zi
γ
ď 1q

˛

‚ (10)

#θ ô
γ

ë ^X

¨

˝

γ

­

è

Up
γè

^
ł

iPt0,1u

zi
γ
“ 1q

˛

‚^ orig (11)

Then, for θ “ Fp0,1qγ , mpθq is (7)^(8)^(10)^(11).

Case θ “ γ Sp0,`8qψ

In this case, we have a result that is similar to Lemma 1:

Lemma 3 If θ “ γ Sp0,`8qψ and M is a non-Zeno signal, then, for each t P R` there is ε P Rą0
such that M,t |ù θ if, and only if, for all t1 P rt ´ε,tq it is also M,t1 |ù θ .

Note that in t “ 0 γ Sp0,`8qψ is false, and, for any ε P Rą0, r´ε,0q is not an interval of R`,
so the proposition is trivially true.

Then, S formulae can not have singularity points, as they would violate Lemma 3. In addition,
when a S formula changes its value after the origin, it must do so in a left-open manner (i.e.,
the value at the changing point is the same as the one before the changing point). In the origin,
instead, θ is false. Then, we have

mpθq“
ˆ

qθô Yp
�

θq

˙

^

ˆ

�

θô
r
γ Sppqψ _

�
ψq^

�
γ q

˙

(12)

Case θ “ Pp0,1qγ

For formulae Pp0,1qγ we have the following result.

9 / 15 Volume 66 (2013)



On the Satisfiability of Metric Temporal Logics over the Reals

Lemma 4 Let θ “ Pp0,1qγ be a QTL formula; if θ holds for a signal M in an instant t (i.e.,
M,t |ù θ ), then there is ε P Rą0 such that, for all t1 P rt ´ε,t `εs it is also M,t1 |ù θ .

Note that Pp0,1qγ is false in t “ 0, no matter γ . As for F formulae, Lemma 4 implies that "θ
can never occur for θ . In addition, by Lemma 4, if θ holds in the first instant of an interval t (i.e.,
qθ ), it must also hold in the intervals before and after t. Then, the following constraint holds:

qθñ
�

θ ^Y
ˆ

�

θ

˙

(13)

Formula (14) states that for θ to become true with a raising edge in t, γ must also become true
(possibly in a singular manner). This is sufficient if t “ 0. If t ą 0, there are two cases: either γ
was never true before t (so it was false in the origin and it stayed so), or the last changepoint of
γ before t was before t ´1, so the clock associated with γ that is not reset in t is ą 1.

 θ ô
γè

^

¨

˝orig_Y
ˆ

γ

­
è

S porig^ γ
r
q

˙

_
ł

iPt0,1u

zi
γ
ą 1

˛

‚ (14)

Formula (15) states that θ has a falling edge in t if and only if either t “ 0 and there is ε
such that γ is false in r0,εq, or the last time γ became true was at t ´1. This corresponds to the
condition (depicted in Fig. 2(b)) that there is a zi

γ
that is 1 in t, and the last time γ had a change

point it was zi
γ
“ 0 and γ became false. γ can not become true in t, or θ would not have a falling

edge; if γ becomes true in t, then θ has a down-singularity, as specified by Formula (16).

!θ ô
ł

iPt0,1u

ˆ

zi
γ
“ 1^

ˆ

γ

­

è

S
ˆ

γ

ë ^zi
γ
“ 0

˙˙˙

_porig^ γ
r
q (15)

#θ ô
γè

^
ł

iPt0,1u

ˆ

zi
γ
“ 1^Y

ˆ

γ

­

è

S
ˆ

γ

ë ^zi
γ
“ 0^ porig^ γ

r
q

˙˙˙

(16)

Finally, we introduce the analogous for the eventuality in the past of Formula (9). More
precisely, Formula (17) specifies that if γ becomes false and there are no events associated with
γ for at least 1 time unit, the CLTL-oc model includes a position in which the clock that is reset
with the falling edge of γ hits value 1. Formula (17) is necessary to make sure that, if γ becomes
false (and it does not become true again for 1 time unit, hence θ must also become false after 1),
eventually the right hand side of Formulae (15) and (16) holds.

ľ

iPt0,1u

γ

ë ^zi
γ
“ 0 ñ pzi

γ
ă 1qU

ˆ

zi
γ
“ 1_p

γè

^0 ă zi
γ
ă 1q

˙

(17)

Then, for θ “ Pp0,1qpγq, mpθq is (13)^(14)^(15)^(16)^(17).

Proc. AVoCS 2013 10 / 15



ECEASST

Finally, QTL formula φ is initially satisfiable if, and only if, it holds in the first instant of the
interval starting at 0, i.e., initφ “qφ . Then, for a QTL formula φ , the corresponding CLTL-oc
formula φCLTL is:

φCLTL “ initφ ^
ľ

θPsubpφq

pgenconstrθ ^Gpmpθqqq. (18)

The next section shows the correctness of the translation.

4 Correctness and complexity of the reduction

To complete the results of this paper, we need to show that a QTL formula φ is satisfiable if, and
only if, there exists a pair pπ,σq that satisfies φCLTL defined by (18).

First of all, we define a correspondence between QTL signals and CLTL-oc interpretations.
Let us consider a finitely variable signal M that is an interpretation for a QTL formula θ ; we call
rθpMq the set of CLTL-oc interpretations pπ,σq built according to the rules presented below.

Since M is finitely variable, the set of “events” in M for formula θ is denumerable. Let
T “ttkukPN Ă R` be a denumerable set of time instants such that tk ă t j ô k ă j, for all t1 P R`
there is tk P T such that tk ą t1, and if t is an instant when at least one event for θ occurs in M,
then t P T . In the following we say that a clock v is reset at position k when σpk,vq“ 0.

If one event among eu
θ
,ed

θ
,su

θ
or sd

θ
occurs at tk P T , the event marker captured by the cor-

responding formula  θ ,!θ ,"θ ,#θ holds in πpkq; that is, if M,tk |ù euθ , then  θ holds in

πpkq (hence
�

θR πpk ´ 1q,
�

θP πpkq), and so on. In addition, if M,tk |ù euθ and M,tk |ù θ (resp.
M,tk ­|ù θ ), then qθP πpkq (resp. qθR πpkq); similarly for the falling edge. By the definition of
events given in Sect. 3, θ has an event in t “ 0, so t0 “ 0. If in tk P T no events for θ occur, then

none of t θ ,!θ ,"θ ,#θu holds in πpkq (so
�

θP πpk ´1q iff qθ ,
�

θP πpkq).
For each tk P T where an event for θ occurs, either z0θ or z

1
θ

is reset at k. z0
θ

is reset in 0;
after 0, clocks are reset modulo 2, i.e., if σpk,zi

θ
q “ 0, and σpk1,zi

θ
q “ 0, where i P t0,1u and

k1 ą k, then there is a k ă j ă k1 s.t. σp j,zpi`1q mod 2
θ

q“ 0. For each clock zi
θ

it is σpk `1,zi
θ
q“

σpk,zi
θ
q`tk`1 ´tk unless ziθ is reset.

Note that for a given signal M there is more than one possible compatible set T “ ttkukPN,
and each one corresponds to a different CLTL-oc interpretation (for example, a signal in which
AP “tpu and p is always true is compatible with a set in which tk “ k, with one in which tk “ 2k,
and so on). However, one can show that if two signals M1 ‰ M2 differ for θ in at least one instant
t P R`, rθpM1qX rθpM2q “ H. Then, given a CLTL-oc interpretation pπ,σq, there is at most
one singla M such that pπ,σq P rθpMq; hence, we define r

´1
θ
ppπ,σqq as the function that, given

a CLTL-oc interpretation, returns the corresponding QTL signal, if any.
Consider a set F of formulae; with an abuse of notation denote with rFpMq the set of CLTL-

oc interpretations built as above, but considering every event related to the formulae in F . Given
a formula φ , we focus on rsubpφqpMq.

Not all CLTL-oc interpretations pπ,σq represent QTL signals, so there are pairs pπ,σq such
that r´1

θ
ppπ,σqq“K (where K represents that the function is not defined). However, we have the

following results.

11 / 15 Volume 66 (2013)



On the Satisfiability of Metric Temporal Logics over the Reals

Lemma 5 Let θ be a QTL formula and M a signal. For all interpretations pπ,σq such that
pπ,σqP rθpMq it is pπ,σq,0 |ù genconstrθ .

Lemma 6 Let θ be a QTL formula and pπ,σq a CLTL-oc interpretation over qθ ,
�

θ where time
diverges (i.e., where

ř

iPN δpiq “ 8). Then, there is exactly one signal M such that pπ,σq P
rθpMq.

From the above results we have that, given a QTL formula φ , formula
Ź

θPsubpφqgenconstrθ

captures exactly all CLTL-oc interpretations such that r´1subpφqppπ,σqq ‰K. Then, we have the
following result.

Lemma 7 Let M be a signal, and φ a QTL formula. For any pπ,σqP rsubpφqpMq it is pπ,σq,0 |ù
Ź

θPsubpφqgenconstrθ and for all k P N,θ P subpφq it is
pπ,σq,k |ù mpθq. Conversely, if pπ,σq,0 |ù

Ź

θPsubpφqgenconstrθ ^ Gpmpθqq and
M “ r´1subpφqppπ,σqq, then pπ,σq,k |ù φ if, and only if, M,tk |ù e

u
φ

(similarly for the other events),
and qφP πpkq if, and only if, M,tk |ù φ .

Finally, from Lemma 7 the following theorem descends by observing that signal M is model
for φ if, and only if, M,0 |ù φ , which means that in 0 qφ holds.

Theorem 3 Let φ be a QTL formula. φ is satisfiable if, and only if, φCLTL defined by (18) is
satisfiable.

Consider a QTL formula φ . The translation provided in Sect. 3 introduces, for each θ P

subpφq, 2 atomic propositions qθ ,
�

θ and 2 variables z0θ ,z
1
θ

. All CLTL-oc formulae mpθq have
fixed size. Hence, the size of Formula (18) linearly depends on the size of φ . [BRS] shows that
satisfiability for a CLTL-oc formula φCLTL is PSPACE in the number of subformulae of φCLTL
and the maximum constant occurring in it (which is 1 in the case of QTL). Then our translation
preserves the PSPACE complexity of the satisfiability of QTL [HR05].

5 Some Experimental Results

The reduction of Sect. 3 is implemented in the qtlsolver tool, available from [qtl] and de-
scribed in some further detail in [BRS]. The tool translates QTL into CLTL-oc, which can be
checked for satisfiability by ae2zot, a plugin of the Zot bounded satisfiability checking tool
available from [ae2].

The current implementation of qtlsolver supports various reductions. In particular, it im-
plements a translation from a generalized version of QTL to CLTL-oc. This translation does not
assume any special shape for signals, except that they be finitely variable; it natively supports
operators Fp0,bq and Gp0,bq (and their past counterparts). These operators allow us to define con-
cisely MITL operators [AFH96] Fxa,by and Gxa,by as abbreviations, where bounds can be either
included or excluded. For instance, Gp3,6qpφq is equivalent to Gp0,3q

`

Fp0,3q
`

Gp0,3qpφq
˘˘

.
We used the qtlsolver tool to perform satisfiability checks on some examples (see also the

Proc. AVoCS 2013 12 / 15



ECEASST

tool website [qtl]). Let us briefly introduce a pair of them, the first one taken from an LTL
specification of [PMS12].

Consider a lamp controlled by two buttons, labeled ON and OFF respectively, which can not
be pressed simultaneously. The lamp itself can be either on or off. When ON is pressed the lamp
is immediately turned on, regardless of its current state, while if OFF is pushed then the lamp
is immediately turned off, also regardless of its current state. However, to save energy there is
also a timeout: after ON is pressed, the lamp will not stay on forever, but, if no more buttons are
pressed, it will automatically turn off with a delay ∆, a positive real constant. Notice that, from
this definition, it follows that by pressing the ON button before the timeout expiration then the
timeout is extended by a new delay ∆.

We built a QTL specification of the timed lamp that uses atomic propositions on,off and l
representing, respectively, events “push button ON” and “push button OFF” and the state “light
is on”. We introduced constraints that specify that predicates on and off are constrained to be
true only in isolated instants.

On this specification we have carried out three experiments: a check of the satisfiability of the
specification, to show that it is consistent (sat); the (dis)proof of property “the light never stays
on for more than ∆ time units” (p1); the proof of property “if at some point the light stays on for
more than ∆ time units, then there is an instant in which the on button is pressed, and then it is
pressed again before ∆ time units” (p2).1

The behavior of the timed lamp can be captured by the following QTL formula (we write G
for Gr0,8q, and S for Sr0,8q):

G
``

l ôp off S onq^Pr0,∆qponq
˘

^pon ñ offq
˘

. (19)

As mentioned above, we force on to hold only in isolated instants by adding the following QTL
constraint (similarly for off):

G
`

 pon Up0,`8qJq^ pon Sp0,`8qJq
˘

. (20)

Properties p1 and p2 are captured by the following QTL formulae (where F stands for Fr0,`8q):

G
`

Fr0,∆sp lq
˘

(21)

F
`

Gr0,∆splq
˘

ñ F
`

on^Fp0,∆sponq
˘

. (22)

Table 4 reports the time and space required for the checks outlined above.2 All bounded
satisfiability checks have been performed using a bound k “ 20. The first line of each row shows
the total processing time (i.e., parsing and solving) and the time taken by the SMT-solver (both
times in seconds). The second line reports the heap size (in Mbytes) required by Z3. The results
of the checks are the following: the specification is satisfiable, property p1 does not hold (the
tool returns a counterexample), while property p2 holds (“unsat” is returned).

Finally, we present a behavior that highlights some interesting features of the tool. The behav-
ior is captured by the following formulae, which state that p and q only occur in isolated instants,

1 In all experiments it is ∆ “ 5.
2 All tests have been done using the Common Lisp compiler SBCL 1.1.2 on a 2.13GHz Core2 Duo MacBook Air
with MacOS X 10.7 and 4GB of RAM. The solver was z3 4.0.

13 / 15 Volume 66 (2013)



On the Satisfiability of Metric Temporal Logics over the Reals

Problem Satisfiable? Time (Total/SMT only) Memory

sat Yes 4.24/3.04 27.12

p1 Yes 17.2/14.86 63.5

p2 No 257.1/240.88 58.66

Table 4: Experimental results with the timed lamp, reporting Time (sec) and heap size (MB).

with p occurring exactly every 80 time units, and q occurring within 80 time units in the past
from each p (origin excluded).

G

˜

Gp0,80qp pqñ Gp80,160qp pq ^
pp ñ Fp0,160qpq ^ pq ñp qqUJq

¸

^ p ^ Gp0,80qp pq ^ Gp0,8qpp ñ Pp0,80qqq (23)

In this case, the bound k “ 10 is enough to prove that the formula is satisfiable and a model is pro-
duced in about 40 secs. In around the same time the solver shows that property Gpp ñ Fp0,80qpqqq
holds for model (23) (up to the considered bound), whereas property Gpq ñ Fp0,80qpqqq does not.

Note that, in Formula (23), the constants involved in the temporal modalities are significantly
larger than the bound k required to obtain a model satisfying the formula. In fact, any value is
possible in principle for the increments of the clocks between two consecutive discrete instants,
controlled by the (nondeterministic) variable δ . This highlights that the length of the intervals
described by a CLTL-oc model is independent of the bound k, as long as this is big enough to
capture all changepoints that are necessary to build a periodic sequence of clock regions.

6 Conclusions

This paper presents a satisfiability-preserving translation from QTL formulae to formulae of the
CLTL-oc logic, which can be solved through SMT solvers. As formulae of other logics such as
QMLO and MITL can be in turn translated into equivalent QTL formulae, our encoding can be
the basis for an effective decision procedure for several interesting logics.

The encoding presented in this paper has been implemented in a prototype tool [qtl]. Pre-
liminary experiments are promising as we were able to solve some simple, yet conceptually
significant, temporal behaviors in a reasonable amount of time. All these examples can be re-
alized by discrete CLTL-oc models of short length, even when the time constants are quite big
(provided the ratio among them is small). The outcome of the procedure is not only sat/unsat,
but also (when applicable) a concrete model satisfying the formula.

Acknowledgements: Work supported by the Programme IDEAS-ERC, Project 227977-SMScom.

Bibliography

[AD94] R. Alur, D. L. Dill. A theory of timed automata. Theoretical Computer Science
126(2):183–235, 1994.

Proc. AVoCS 2013 14 / 15



ECEASST

[ae2] Zot: a Bounded Satisfiability Checker. available from zot.googlecode.com.

[AFH96] R. Alur, T. Feder, T. A. Henzinger. The Benefits of Relaxing Punctuality. Journal of
the ACM 43(1):116–146, 1996.

[BFRS11] M. M. Bersani, A. Frigeri, M. Rossi, P. San Pietro. Completeness of the Bounded
Satisfiability Problem for Constraint LTL. In Reachability Problems. LNCS 6945,
pp. 58–71. 2011.

[BK08] C. Baier, J.-P. Katoen. Principles of Model Checking. MIT Press, 2008.

[BRS] M. M. Bersani, M. Rossi, P. San Pietro. A Tool for Deciding the Satisfiability of
Continuous-time Metric Temporal Logic. To appear at TIME 2013.

[DD07] S. Demri, D. D’Souza. An automata-theoretic approach to constraint LTL. Inf. Com-
put. 205(3):380–415, 2007.

[FMMR12] C. A. Furia, D. Mandrioli, A. Morzenti, M. Rossi. Modeling Time in Computing.
EATCS Monographs in Theoretical Computer Science. Springer, 2012.

[HR99] Y. Hirshfeld, A. Rabinovich. Quantitative Temporal Logic. In Computer Science
Logic. LNCS 1683, pp. 172–187. 1999.

[HR05] Y. Hirshfeld, A. Rabinovich. Timer formulas and decidable metric temporal logic.
Information and Computation 198(2):148 – 178, 2005.

[Mic] Microsoft Research. Z3: An Efficient SMT Solver. http://research.microsoft.com/en-
us/um/redmond/projects/z3/.

[MNP06] O. Maler, D. Nickovic, A. Pnueli. From MITL to Timed Automata. In Proc. of FOR-
MATS. LNCS 4202, pp. 274–289. 2006.

[MP94] A. Morzenti, P. S. Pietro. Object-Oriented Logical Specification of Time-Critical Sys-
tems. ACM TOSEM 3(1):56–98, 1994.

[PMS12] M. Pradella, A. Morzenti, P. San Pietro. Bounded Satisfiability Checking of Metric
Temporal Logic Specifications. ACM TOSEM, 2012. To appear.

[qtl] qtlsolver. available from qtlsolver.googlecode.com.

[SRH02] P.-Y. Schobbens, J.-F. Raskin, T. A. Henzinger. Axioms for real-time logics. Theor.
Comput. Sci. 274(1-2):151–182, 2002.

15 / 15 Volume 66 (2013)

http://zot.googlecode.com
http://qtlsolver.googlecode.com

	Introduction
	Languages
	Reduction of QTL to CLTL-over-clocks
	General Constraints on Clocks and Events
	Semantics of QTL temporal modalities

	Correctness and complexity of the reduction
	Some Experimental Results
	Conclusions