Algorithms for Model-checking Flat Counter Systems

Université Paris Diderot
Laboratoire
d’Informatique
Algorithmique:
Fondements et
Applications
Sorbonne Paris Cite
École Doctorale Paris Centre
Thése de doctorat
Discipline : Informatique
présentée par -
Amit Kumar Dhar
Algorithms For Model-Checking
Flat Counter Systems
(Algorithmes pour le model-checking de systèmes à compteurs plats)
Dirigée par -
Stéphane Demri et Arnaud Sangnier
Soutenue le 11 Decembre 2014 devant un jury composé de:
Alain Finkel
Professor, ENS de Cachan
Président
Ranko Lazić
Associate Professor, The University of Warwick
Rapporteur
Anca Muscholl
Professor, Université Bordeaux
Rapporteur
Radu Iosif
CNRS Researcher, Verimag
Examinateur
Stéphane Demri
Senior Researcher, CNRS, ENS Cachan
Directeur de thése
Arnaud Sangnier
Assistant Professor, Université Paris Diderot
Directeur de thése
ii
iii
iv
ABSTRACT (ENGLISH)
Keywords: Formal verification, Model-checking, Infinite state systems,
Flat counter systems, Temporal logics, Presburger arithmetic, Stuttering theorem, Complexity bounds.
Automated systems have become a part and parcel of our daily
life with increasingly more of our daily activities being controlled or
dependent on one or more automated systems. These systems being
increasingly sophisticated and complicated, a relevant question to ask
is about the reliability of such systems. Formal verification provides
us with a better way to show reliability of such system compared to
simulation or manual testing due to large number of possible scenarios that can occur during the execution of the system.
One of the ways to perform formal verification of automated system is by model-checking. It consists of developing algorithm to check
whether a suitably expressive model, representing the executions of
the automated system satisfies a specification or not. For expressing
the specification we use specific logics suitable in expressing the specification. With increasing expressiveness of model, model-checking
problem quickly approaches undecidability even for simple properties like whether the system can reach a bad state or not.
In the thesis, we deal with models called “Flat Counter Systems”
which can be seen as programs manipulating integer variables (also
called counters) whose control structure is restricted. Regarding the
logic for specifications, we extend traditional temporal logic (like LTL,
FO, CTL etc.) with the ability to express properties on the values of
the counters during the execution. This results in specifications that
can state more expressive properties.
We provide, for each class of specifications, algorithms with optimal complexity for solving the problem of model-checking flat counter
systems. Our approach is based on a more general methodology and
thus allows reuse of the results for other specifications.
v
ABSTRACT (FRENCH)
Mots-clefs: Vérification formelle, Model-checking, Systéme à états
infinis, Systèmes à compteurs plats, Logiques temporelles, Arithmétique de Presburger, Théorème de ‘bégaiement’, Borne de complexité
Les systèmes automatisés font désormais partie intégrante de notre
vie quotidienne et une grande partie de nos activités dépendent de
leur bon fonctionnement. Ces systèmes devenant de plus en plus sophistiqués et complexes, démontrer leur bon fonctionnement s’avère
être une tâche ardue. Parmi les approches permettant de garantir la
fiabilité de ces systèmes, les méthodes de vérification formelles consistent en une meilleure alternative que la simulation ou le test qui
doivent prendre en compte un nombre toujours plus important de
possibles scénarios qui peuvent se produire lors de l’exécution du
système.
La méthode par model-checking est une des techniques développés pour la vérification formelle de systèmes. Elle consiste à proposer
des algorithmes permettant de vérifier si un modèle représentant les
exécutions possibles du système vérifie une spécification donnée sous
la forme de formules logiques. Un des problèmes du model-checking
vient du fait que lorsque les modèles sont trop expressifs, les problème de vérification deviennent indécidables, il est alors impossible
de proposer des algorithmes et ce même pour des propriétés spécifiant des comportement très simple comme la non-accessibilité d’un
état d’erreur.
Dans cette thèse, nous nous intéressons au problème du modelchecking pour le modèle des systèmes à compteurs plats qui peuvent être vus comme des programmes manipulant un nombre fini de
variables entières (appelées aussi compteurs) et dont la structure de
contrôle est restreinte. En ce qui concerne les logiques pour les spécifications, nous prenons en compte les logiques temporelles traditionnelles (comme LTL, FO, CTL, etc) tout en les étendant afin d’exprimer
également des propriétés sur la valeur prise par les compteurs lors
des exécutions. Nous obtenons ainsi des spécifications plus expressives.
Nous fournissons, pour chaque classe de spécifications, des algorithmes avec une complexité optimale permettant de résoudre le problème du model-checking des systèmes à compteurs plats. Notre approche se base de plus sur une méthodologie générale autorisant ainsi
une possible réutilisation des résultats pour d’autres spécifications.
vii
ACKNOWLEDGEMENTS
First of all I would like to thank the jury members for honouring me
with their participation: many thanks to Anca Muscholl and Ranko
Lazić for agreeing to review my work and to Alain Finkel, Radu Iosif
for taking time to examine my defense. Thanks to Morgan Deters for
his valuable comments on the manuscript.
I would like to thank with my whole heart, Stéphane Demri and Arnaud Sangnier, without whose help and guidance in every respect,
this thesis would not have been possible. I had the chance to learn
as well as to appreciate many things - from doing research to writing
easily understandable proofs, to writing papers. I am grateful to them
for all the things I learned for last 4 years. I express my deep gratitude to both of them for all the patience and support they showed for
me.
I would also like to thank my professors and teachers whose teachings helped me all along the way. I would specially like to thank K.
Narayan Kumar for introducing me to the field of verification.
For last three years, LIAFA and its members have been very helpful
in all respect. The administrative stuff, especially Nathalie Rousseau
and Noëlle Delgado have been very efficient and helpful.
I thank all my friends for being there for me whenever needed. Many
thanks to Venkat and Vinod for their advices and company for the last
three years. I also thank Raghav, Jamie, Prakash, and all my friends
from India House for the many enjoyable moments we shared.
I thank my parents for their unending love, affection and prayers for
me. I am thankful to my sister and her husband for their support and
encouragement in all my endeavours.
ix
CONTENTS
1
introduction
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . .
1.1.1 Counter Systems and Its Subclasses . . . . . . .
1.1.2 Solving Presburger Arithmetic . . . . . . . . . .
1.1.3 Model-Checking . . . . . . . . . . . . . . . . . .
1.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . .
1.3 Structure of the thesis . . . . . . . . . . . . . . . . . . .
2 definitions/preliminaries
2.1 Counter Systems . . . . . . . . . . . . . . . . . . . . . .
2.1.1 Flat Counter Systems . . . . . . . . . . . . . . . .
2.1.2 Flat Kripke Structures . . . . . . . . . . . . . . .
2.2 Presburger Arithmetic . . . . . . . . . . . . . . . . . . .
2.3 Linear-Time Temporal Logics . . . . . . . . . . . . . . .
2.3.1 Linear Temporal Logic with Past . . . . . . . . .
2.3.2 First Order Logic . . . . . . . . . . . . . . . . . .
2.3.3 Büchi Automata . . . . . . . . . . . . . . . . . . .
2.3.4 Alternating Büchi Automata . . . . . . . . . . .
2.3.5 Linear µ-Calculus . . . . . . . . . . . . . . . . . .
2.3.6 Extended Temporal Logic . . . . . . . . . . . . .
2.4 Branching Time Temporal Logics . . . . . . . . . . . . .
2.5 Verification Problems . . . . . . . . . . . . . . . . . . . .
2.5.1 Related Works on Model-checking . . . . . . . .
2.5.2 Global Model-Checking Problem . . . . . . . . .
3 reduction to simpler problems
3.1 Constrained Path Schema . . . . . . . . . . . . . . . . .
3.2 Decomposition of Flat Counter Systems . . . . . . . . .
3.2.1 Characterizing Infinite Runs with Quantifier-Free
Presrburger Formula . . . . . . . . . . . . . . . .
3.2.2 From One Path Schema to Several Path Schemas
3.2.3 From Several Path Schemas to Constrained Path
Schemas . . . . . . . . . . . . . . . . . . . . . . .
3.3 Reduction to New and Simpler Problems . . . . . . . .
3.3.1 Reduction From Intersection Non-Emptiness to
Membership . . . . . . . . . . . . . . . . . . . . .
3.3.2 Reduction From Model-Checking to Intersection
Non-Emptiness . . . . . . . . . . . . . . . . . . .
3.3.3 General algorithm to solve Model-Checking of
flat counter system . . . . . . . . . . . . . . . . .
4 linear temporal logic with past
4.1 Stuttering Theorem . . . . . . . . . . . . . . . . . . . . .
4.2 Model-Checking PLTL is NP-Complete . . . . . . . . .
4.3 Global Model-Checking . . . . . . . . . . . . . . . . . .
1
1
2
4
5
6
7
9
9
13
18
19
21
22
24
26
28
28
30
31
32
33
34
37
38
39
39
46
60
65
67
68
69
71
72
76
79
xi
xii
contents
5
6
7
8
9
4.4 The Curious Case of Fixed Number of Loops . . . . . . 80
4.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
first order logic
85
5.1 FO on Constrained Alphabet . . . . . . . . . . . . . . . 86
5.2 Ehrenfeucht-Fraïssé Games . . . . . . . . . . . . . . . . 86
5.3 Stuttering Theorem using EF Games . . . . . . . . . . . 87
5.4 Model-Checking FO is PSPACE-Complete . . . . . . . . 94
5.5 Global Model-Checking . . . . . . . . . . . . . . . . . . 97
5.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
ω-regular properties
101
6.1 Stuttering Theorem Variant . . . . . . . . . . . . . . . . 102
6.2 Model-Checking Büchi Specification is NP-Complete . 104
6.2.1 NP Algorithm for Model-Checking BS . . . . . 108
6.3 Translation to BA . . . . . . . . . . . . . . . . . . . . . . 109
6.4 Complexity of Model-Checking ABA, ETL, µTL . . . . 114
6.4.1 Upper Bounds . . . . . . . . . . . . . . . . . . . . 114
6.4.2 Lower Bounds . . . . . . . . . . . . . . . . . . . . 115
6.5 Global Model-Checking . . . . . . . . . . . . . . . . . . 124
6.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
ctl ∗ and related branching-time temporal logics 127
7.1 Blocking and Non-Blocking Systems . . . . . . . . . . . 128
7.2 Lower Bound . . . . . . . . . . . . . . . . . . . . . . . . 131
7.3 Upper Bound . . . . . . . . . . . . . . . . . . . . . . . . 134
7.3.1 Encoding Iterated Path Schemas . . . . . . . . . 135
7.3.2 An Example . . . . . . . . . . . . . . . . . . . . . 139
7.3.3 Encoding Runs Using Vectors . . . . . . . . . . . 139
7.3.4 Encoding CTL∗ Formulae Using PA . . . . . . . 147
7.4 Global Model-Checking . . . . . . . . . . . . . . . . . . 150
7.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
algorithms for model-checking
153
8.1 Challenges with Previous Algorithm . . . . . . . . . . . 154
8.1.1 Implementation Challenges . . . . . . . . . . . . 155
8.2 Enumerating Path schemas . . . . . . . . . . . . . . . . 155
8.3 First Approach . . . . . . . . . . . . . . . . . . . . . . . . 157
8.3.1 Encoding Runs Using Quantifiers . . . . . . . . 157
8.3.2 Encoding PLTL Using Presburger Formula . . . 159
8.4 Second Approach . . . . . . . . . . . . . . . . . . . . . . 160
8.5 Third Approach . . . . . . . . . . . . . . . . . . . . . . . 161
8.6 Implementation . . . . . . . . . . . . . . . . . . . . . . . 163
8.6.1 SMT Solvers . . . . . . . . . . . . . . . . . . . . . 164
8.6.2 Benchmarks . . . . . . . . . . . . . . . . . . . . . 165
8.6.3 Results . . . . . . . . . . . . . . . . . . . . . . . . 167
8.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
conclusion
171
9.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
9.2 Open Problems and Future Work . . . . . . . . . . . . . 173
contents
a appendix
175
a.1 A Zone Classification for Proving (Claim 1) – (Claim 5) 175
bibliography
187
xiii
1
INTRODUCTION
Automated systems are now a part and parcel of our daily lives. Starting from our homes to transport and offices we rely on a daily basis
over a lot of automated systems. Their influences are growing and
along with that, their complexity. As they grow more sophisticated
and complicated, they are becoming more and more prone to errors.
In a world where dependence on such system is growing at an alarming rate, even most innocuous mistakes might have the ability to affect our lives in a substantial way. Hence, with this growing trend
of incorporating automated systems in almost everything, there is a
growing need of making sure that the systems are bug-free. Due to
their structure and complexity, manual methods of bug-finding are
not enough now. Moreover, they are not very rigorous and often overlook or ignore a few extreme cases. One solution could be automated
verification of systems.
Automated verification methods try to find bugs or errors in the
semantics of the system automatically. More specifically given a system and a specification which the system is supposed to follow, automated verification methods try to find whether there are executions
of the system, which deviate from the given specification or whether
every possible execution of the system follows the given specification.
1.1
motivation
There are many approaches proposed for automated verification. For
example there are “Abstract Static Analysis” based on abstract interpretation [CC77] which tries to interpret the values of variables in a
program in an abstract manner and then tries to analyse the behavior of the program. Model-checking is one of such approaches which
has found some success in verification [CHV14]. The central idea of
model-checking is to extract out the necessary details of the program
to an abstract model. At the same time the desired behaviour is specified in a logical formulation using a specification language which is
suitably expressive. Thus, now the problem is translated to finding
out whether the “runs” in the model satisfy the specified behaviour
or not. Model-checking deals with finding suitable algorithm for such
problems. In this thesis, we will look mostly into model-checking
problems.
There are many such models and specification languages that have
been studied in context of model-checking. A particularly common
structure used to model executions of systems is called “Kripke struc-
1
2
introduction
ture” [Kri63]. Here, the structure of the system is represented as a
graph whose nodes are program points. From the model-checking
perspective, Kripke structures are quite widely studied and as a result decidabilty and complexity of the model-checking problem for
various logics are known. Tight complexity bounds for the modelchecking problem with Kripke structures as model and specification
in various languages are known. For example, among linear time
specifications (specifications expressing properties about a specific
run in the system), optimal complexity is known for LTL [SC85],
first order logic [Sto74], linear µ-caluclus [Var88], ETL [VW94]. On
the other hand, among branching time specifications (specifications
which can express properties about all executions of a system), optimal complexity is known for logics like CTL [CE81], CTL∗ [EH85],
Modal µ-calculus [EJS93]. Though the structure has been used for
many studies and is quite well understood, there are some drawbacks in using this structure to model systems. At any position, the
model can express only propositional characteristics about the system (i.e. whether some Boolean property is true or not). This is quite
constraining, in particular, if one tries to represent programs that
manipulate counters and variables. For these systems, at any position, the value of the counters also belongs to the state of the system
and it is hard to express such states using only propositional properties. For this reason, many different models with more resources are
proposed. There are automata based representations used for modelling systems like pushdown graphs [MS85] where the system is
equipped with a stack which is manipulated using specified rules
while transitioning from one configuration to another and another
model generalizing the notion of pushdown graphs with e transitions is called prefix-recognizable graphs [Cau03]. Model-checking
problems over such systems are also studied [CGK12]. Moreover, for
model-checking communication systems, properties of “Message Sequence Charts”, giving the communication skeleton of the system,
are studied to find mistakes in the system [MPS98, GMP03]. Similarly, there are other ways of representing systems like algebraic
equations or operations [Cou90]. A particularly useful class of models commonly used for these purposes, come equipped with counters.
These are called “counter systems”.
1.1.1 Counter Systems and Its Subclasses
Counter systems are models that are equipped with counters [Min67].
The counters are manipulated or accessed while transitioning from
one state to another state of the model. These models and others
(like pushdown systems), can be seen as more closer to operational
model rather than labelled transition systems or Kripke structures.
For example a program with integer variable can be seen as a counter
1.1 motivation
system. In general programs with integer variables consist of statements which access and manipulate variables and at any point of
execution, the configuration of the program can be described by the
position of the statement being excuted and the values of all variables. For encoding such a program using counter system, we can denote each statement as a transition in counter system and the type of
modification or access performed on the variables by the statement
is shown by labels on the transitions manipulating the counters of
the system. The statement positions can be represented as states of
the counter systems. In this way any execution of the program can
be simulated by the counter system with the same configurations being visited while executing. Counter systems are quite powerful and
can be used to model many practical systems. Inspite of this property,
their use as a model for model-checking puposes can cause problem.
This is because even simple questions in verification, like whether a
state is reachable or not, is undecidable for counter systems [Min67].
The good news is that we can restrict the counter system to a subclass where these problems are decidable. Over the years many such
restrictions have been studied.
One restriction that has been studied widely is called vector addition systems with states (VASS). In these systems the counter values
are only allowed to be non-negative. The transitions are labelled with
vectors of integers, which are added to the respective counters when
the transition is taken. Note that there are no tests on counters. Another model equivalent to VASS is called “Petri Nets”. Both these
systems are quite useful is modelling parallel processes. For such systems, reachability is shown to be decidable [Kos82, Ler11, May81].
The reachability problem for these systems are central since many
computational problems (even outside the parallel processes) reduce
to the reachability problem.
Another restriction, called one-counter automata, deals with systems with only one allowed counter. These systems also has decidable
reachability properties. In fact, reachability problem for such systems
was shown to be NP-complete [HKOW09]. Counter systems allowing only “Gap-order constraints”(comparing the differences of two
counters with a constant) as guards are studied in [BP12].
These restrictions are based on the syntax of the counter systems,
i.e. restrictions on what resources are allowed and how they can
be accessed. Another type of restriction is based on the semantics
of the counter system. For example, a subclass of counter systems
called “Reversal-bounded counter systems”, considers only the systems where, in every run, the value of any counter can change its
“phase” only a bounded number of times [Iba78]. A phase with respect to counter values is a part of the run where the counter value
is only increasing or decreasing. The reachability problem of such
3
4
introduction
systems are shown to be decidable by showing that the reachable
configurations are effectively semilinear [Iba78].
Another type of restriction that can be imposed, is on the structure
of the counter systems, for example, flat counter systems. Flat counter
systems are counter systems where no two cycles in the structure of
the system intersect each other. These systems have been studied in
quite details [Boi98, CJ98, CC00, FL02, LS05, BIL09, DFGvD10, BIK10,
BIK14]. Flat counter systems are shown to model some of the practical cases (e.g. broadcast protocols [FL02]). Moreover, it was shown
in [LS05] that many other subclasses of counter systems are “flattable”. In other words for every flattable system, one can construct a
flat system by systematically unfolding loops, such that the set of configurations that can be reached in both the systems are same. This allows us to employ any method for computing the set of reachable configuration of a flat system in the context of flattable (but non-flat) systems. Important results about the decidability of the reachability and
safety property are shown in [CJ98, FL02]. However, there have been
only few work on model-checking expressive logical specifications
on flat counter systems. In [BIK14], safety property of such system
is studied and shown to be NP-complete. Although in [DFGvD10],
it was shown that model-checking properties specified in a quite expressive fragment of CTL∗ , called Presburger CTL∗ is decidable. The
decidability is shown by encoding the formula into a Presburger arithmetic formula. This automatically gives decidability for less expressive logics. But the complexity of the decision procedure is quite high
and is at least 5ExpTime in the size of the input. We aim to find optimal complexity for the model-checking problem for most well-known
logical specifications over flat counter systems.
1.1.2
Solving Presburger Arithmetic
Presburger arithmetic is the first order theory over natural numbers
with addition. As seen before, decidability of many verification problems are based on the fact that Presburger arithmetic is decidable and
the corresponding problem can be reduced to satisfiability of Presburger arithmetic [Sho79, SJ80]. A very well-known idea in the modelchecking community is to encode the problem of model-checking in
suitable formulas over different theories and then check for satisfiability of such formulas. This is where SMT solvers and their recent developments have been useful in model-checking. SMT solvers in particular have been found to be extremely useful when used in context with
“Bounded model-checking”. A practical way to solve bounded modelchecking problem was shown by using SAT/SMT solvers [CKY03,
CKL04]. The amazing effectiveness of SMT solvers in real life examples make the procedures for bounded model-checking very scalable
and practical. There are many tools built for bounded model check-
1.1 motivation
ing like “CBMC” [KT14], “ESBMC” [CMNF12] etc. Of late, there have
been many model-checking procedures based on SAT and SMT techniques. Moreover, progresses in SMT techniques allows for these procedures to scale easily for models with high number of states. Most
SMT solvers like Z3 [dMB08], CVC4 [BCD+ 11], Alt-Ergo [Con12] etc.
deal quite well with quantifier-free fragment of Presburger arihmetic.
In fact for this fragment they can decide the satisfiability of large sized
formula (100 clauses) very fast. Whereas, dealing with quantifiers is
still a difficult task for SMT solvers that are better tailored to theory
reasoning. Many of the well-known SMT solvers (including CVC4,
Z3, Yices, Alt-Ergo) do accept formulas with quantifiers and handle
them in roughly the same way, through heuristic instantiation. Z3,
among them, first tries several quantifier-elimination procedures. Another direction in solving Presburger arithmetic is by using automata
based tools such as MONA [BKR96], LASH [BJW01] or TAPAS [LP09].
Even though Presburger arithmetic admits quantifier elimination, it is
known that eliminating quantifiers can be computationally expensive
(see e.g., [RL78, Grä88]). Recent developments propose a promising,
lazy approach for quantifier elimination [Mon10].
1.1.3 Model-Checking
Till now there have been many studies on model-checking procedures
over propositional structures (like Kripke structures) for the obvious
advantage of having finite number of states. Decidability as well as
optimal complexity results for the model-checking problem for various specification languages are known. This is not true in particular
for counter systems or its subclasses. Most of the studies over subclasses of counter systems goes to show decidability or complexity of
reachability problem. Model-checking problem with various specification languages over subclasses of counter systems are rarely studied
and even then in most of the cases the result deals with decidability
of the problem and not optimal complexity.
Even though the problem whether a particular state or configuration of a system is reachable or not (reachability problem) is the
most basic question in verification, often we need to verify properties that specify property about paths or executions followed by the
system. For example LTL was introduced as a specification which
can express both safety and liveness property [Pnu77]. The modelchecking problem for LTL over Kripke structures were shown to be
PSpace-complete in [SC85]. LTL on the other hand was not able to
express regular properties over executions of system, e.g. there exists a run which visits a state of the system exactly even number
of times. An attempt to express such properties using the LTL semantics, lead to the specification language ETL [VW94] where at the
same time, it was shown to have a PSpace-complete model-checking
5
6
introduction
procedure over Kripke structures. Another extension towards specifying more expressive features about the execution of a system lead
to the development of branching-time logics (CTL, CTL? etc.). In the
branching counterpart, CTL and CTL? and modal µ-calculus were
shown to have model-checking procedures with complexity bounds
PTime [CE81], PSpace-complete [EH86] and NP∩ co-NP [EJS93] respectively.
Regarding the subclasses of counter systems most work as pointed
out earlier deal with the problem of computing the reachable set of a
system [CJ98, FL02, LS05, HKOW09]. For one counter automata, the
model-checking problem with various logics like LTL, CTL and their
fragments have been studied [HKOW09, GHOW10, GL13, GMT09,
Ser06]. LTL and CTL were shown to have PSpace-complete modelchecking over one-counter automata in [GHOW10, GL13] whereas a
PSpace upperbound was obtained for µ-calculus in [Ser06]. Recently
there have been some works dealing with more expressive properties of counter systems. For example in [BIK14] safety properties of
special type of counter system is shown to be NP-complete. A more
powerful subclass of counter system is studied in [DFGvD10], where
they show that model-checking problem for a very expressive variant of CTL? is decidable. Even though this result instantaneously
gives us decidability for model-checking less expressive logic over
such counter systems, it does not in any way give us the optimal
complexity of the model-checking procedures.
1.2
contributions
Our aim is to design algorithms for the verification of flat counter
systems that meet the best complexity upperbounds. To this end, we
study a wide variety of specification languages and the complexity of
their model-checking problem over flat counter systems. The specification languages studied varys in both expressiveness and succinctness. We obtain optimal complexity bounds for the model-checking
problem for logics like LTL with past, first order logic, Büchi automata, alternating Büchi automata, linear µ-calculus. We provide
NP algorithms for model-checking LTL with past and Büchi automata
and PSpace algorithm for model-checking FO, alternating Büchi automata, ETL and linear µ-caluclus. An interesting phenomenon observed with the optimal complexity of model-checking these logical
specification over flat counter systems is that many time we obtain
either same or lower complexity bounds than the corresponding case
with Kripke structures. As an extension, we observe that we obtain
the improved complexity bounds with only flat Kripke structures and
addition of counters to the system, does not cause any change in the
complexity bounds. Not only linear-time specifications but we also
studied branching-time specifications. We show that in case of flat
1.3 structure of the thesis
counter systems, branching-time specifications does not follow the
usual hierarchy of expressiveness as is there for Kripke structures.
In addition to showing optimal complexity of various specification
languages, our results have the nice feature of applying the same
method to different specifications and obtain optimal complexity characterization of the respective model-checking problem. The general
algorithm applies to a quite large class of specification languages and
only need a few specific parts which are customized to the specific
instance.
The procedure itself employs a range of classical methods to obtain
tight complexity characterization. Moreover, the use of SMT solvers
as an important part of the procedure might allow to improve the performance of model-checking algorithm with advances in SMT solvers.
The SMT solving techniques and regular tools and techniques are
combined in a clever way to reduce complexity blowups.
This work also presents a new way to encode runs of a flat counter
system using vector of integers and Presburger formula. This plays an
important role is obtaining a reduction from model-checking branchingtime specifications to Presburger arithmetic satisfiability in log space.
1.3
structure of the thesis
In Chapter 2, we start with some basic definitions and the concepts
that will be used throughout the thesis. This consists in formalizing
flat counter systems and its subclasses that will be manipulated and
also to state the problem that we aim to solve. Chapter 3 provides
an important reduction of the general model-checking problem over
flat counter system to model-checking problems involving simpler
structure. This in turn gives us a general road map that will followed
for different logics in later chapters for finding out the complexity of
the model-checking procedure for various different logics. Chapter 4
deals with the specification language, LTL with past and shows that
the complexity of model-checking problem is NP-complete. Chapter 5
looks at first order logic and goes to show that model-checking such
specifications is PSpace-complete. In Chapter 6, we try to address
the model-checking problem for many specifications which can express ω-regular properties. We show that model-checking specifications in the form of Büchi automata is NP-complete whereas for other
specification languages like Alternating Büchi automata and linear µcalculus are PSpace-complete. Branching-time logics are investigated
in Chapter 7 and provides a logarithmic space reduction to satisfiability problem for Presburger arithmetic. Chapter 8 aims at showing
various way to implement the algorithms in the previous chapters. It
also gives the result obtained by a prototype implementation of the
model-checking algorithm for LTL with past.
7
2
DEFINITIONS/PRELIMINARIES
In this chapter we define formally the concepts and notations that
are used later on. Model-checking problems, that we are going to
solve subsequently, require modelling real life systems into suitable
models and expressing the property that we want to verify in a suitable logic. In the following first section we define the models that
we will be using later in the model-checking problems. In the next
section we define the specification languages that are used to express
the properties in the model-checking problem. Presburger arithmetic,
the first-order theory of natural numbers, plays an important role in
the model-checking procedure for various different logics. We will
introduce its syntax and semantics in the third section. In the next
section we define formally the model-checking problem and present
the known model-checking results in the last section. First we will fix
some standard notations that will be used all throughout the document.
We write N [resp. Z] to denote the set of natural numbers [resp. integers] and [i, j] to denote the set {k ∈ Z : i ≤ k and k ≤ j} (i, j ∈ Z).
We assume that integers are always encoded with a binary representation. For v ∈ Zn , v[i ] denotes the ith element of v for every i ∈ [1, n].
For a finite alphabet Σ, Σ∗ represents the set of finite words over Σ,
Σ+ the set of finite non-empty words over Σ and Σω the set of infinite
words or ω-words over Σ. For a finite word w = a1 . . . ak over Σ, we
write len(w) to denote its length k. For every 0 < i ≤ len(w), w[i ] represents the i-th letter of the word (for this case, ai ). For i ≤ j ∈ [1, k ],
we write w[i, j] to denote the subword ai . . . a j . Accordingly, we say
w≤i , for the word a1 . . . ai for any 1 ≤ i ≤ len(w). For a given n-tuple
h a1 , a2 , · · · , an i we define the projection operator proji as projecting
def
the ith component of the tuple. Thus, proji (h a1 , a2 , · · · , an i) = ai for
every i ∈ [1, n]. For a given set X, we denote by card( X ) as the cardinality/number of elements of the set.
Now we will define the models and its variants that are used subsequently. All our models can be seen as subclasses of a very general
class of counter systems. We start by defining formally, what we will
call as a counter system and introduce the subclasses as restrictions
on the general model.
2.1
counter systems
Model-checking usually consists of abstracting out an automated system or programs to a suitable theoretical model. A model is cho-
9
10
definitions/preliminaries
sen in a way which is expressive enough to represent the properties of the system that one wished to verify. The models used in
literature can be broadly classified into two types: finite state systems (e.g. Kripke structures, finite labelled transition systems) and
infinite state systems (counter systems, Petri nets, timed automata
etc.). Infinite state systems in particular are more expressive and verifying their properties pose an important challenge. Many practical
systems like operating systems, communication protocols, programs
with variables etc. can have potentially infinitely many states and
are easier to model using infinite state systems. Here, we will first
look at a very general class of infinite state systems, called counter systems. From an automata theoretic view, counter systems are automata
equipped with counters where the transitions define the operations
on counters. Whereas, from a more pragmatic view counter systems
are programs with variables where each statement is a transition between states of the program, which are basically values of all variables
at any specific instant. To formally define a counter system, let us first
start by defining some basic definitions which will be subsequently
used in the definition of counter systems.
Let C = {x1 , x2 , · · ·} be a countably infinite set of counters which
can also be thought as variables interpreted over non-negative integers. Similarly, let AT = {p1 , p2 , · · ·} be a finite set of propositional
variables or abstract properties about program points. First let us define how the guards are defined formally. Counter constraints are defined as a subclass of Presburger formulae (defined later) whose free
variables are understood as counters. We write Cn to denote the restriction of C to {x1 , x2 , · · · , xn }. The set of guards g using the counters
from Cn , written G(Cn ), is made of Boolean combinations of atomic
guards of the form ∑in=1 ai · xi ∼ b where the ai ’s are in Z, b ∈ N
and ∼ ∈ {=, ≤, ≥, <, >}. Note that even though negation is allowed
in the guards from G(Cn ) we can remove negation with linear size
blowup, as the allowed set of operators are complementary. Given a
guard g ∈ G(Cn ) and a tuple v ∈ Nn , we say that v satisfies g, written
v |= g, if the formula obtained by replacing each xi by v[i ] holds.
Definition 1 (Counter system). For a natural number n ≥ 1, a counter
system of dimension n, S is a tuple h Q, Cn , ∆, li where:
• Q is a finite set of control states.
• l : Q → 2AT is a labeling function.
• ∆ ⊆ Q × G(Cn ) × Zn × Q is a finite set of edges labeled by guards
and updates of the counter values (transitions).
Related to a transition δ = hq, g, u, q0 i in ∆, we will use the following notations:
• source(δ) = q,
• target(δ) = q0 ,
2.1 counter systems
• guard(δ) = g and
• update(δ) = u.
Corresponding to a counter system S = h Q, Cn , ∆, li, we associate a
labeled transition system T(S) = hC, →i where C = Q × Nn is the set
of configurations and →⊆ C × ∆ × C is the transition relation such that
hhq, vi, δ, hq0 , v0 ii ∈ → (also written hq, vi −
→ hq0 , v0 i) iff the conditions
below are satisfied:
δ
• q = source(δ) and q0 = target(δ),
• v |= guard(δ) and v0 = v + update(δ).
The transition system encodes the behavior of the counter systems.
Since the properties to be verified are about executions of system,
they are interpreted over the transition system corresponding to a
counter system. Note that in such a transition system, the counter
values are non-negative since C = Q × Nn . We extend the transition relation → to finite words of transitions in ∆+ as follows. For
w
→ hq0 , v0 i if there are
each w = δ1 δ2 . . . δα ∈ ∆+ , we have hq, vi −
δi+1
c0 , c1 , · · · , cα ∈ C such that ci −−→ ci+1 for all i ∈ [0, α − 1], c0 = (q, v)
and cα = hq0 , v0 i. We say that an ω-word w ∈ ∆ω is fireable in S from a
configuration c0 ∈ Q × Nn if for all finite prefixes w0 of w there exists
w0
a configuration c ∈ Q × Nn such that c0 −
→ c. We write trans(c0 ) to denote the set of ω-words (labels) which are fireable from c0 in S. Note
that from a given configuration there could be multiple transitions
fireable and hence counter systems are inherently non-deterministic.
Given an initial configuration c0 ∈ Q × Nn , a run ρ starting from
c0 in S is an infinite path in the associated transition system T(S)
denoted as:
δm+1
δ1
δm
ρ : = c0 −
→
· · · −→
cm −−→ · · ·
where ci ∈ Q × Nn and δi ∈ ∆ for all i ∈ N. Let trans(ρ) be the
ω-word δ1 δ2 . . . associated to the run ρ. Thus, for every i ≥ 0 we will
denote ρ[i ] = ci and for i ≥ 1, trans(ρ)[i ] = δi . Note that by definition
we have trans(ρ) ∈ trans(c0 ). Given an expression E of the form E =
p1 l1+ . . . pk lkω where pi and li are words over the alphabet ∆, we denote
n
the language defined by E as L( E) = { p1 l1n1 . . . lk−k−11 pk lkω |n1 , n2 , · · · ,
nk−1 ∈ N}. For an expression E over the finite alphabet ∆ and an
initial configuration c0 , trans( E, c0 ) is defined as the set of labels of infinite runs ρ starting at c0 such that trans(ρ) ∈ L( E). So trans( E, c0 ) ⊆
trans(c0 ).
Note that, one can define other types of counter systems. A range
of different classes of counter systems can be obtained by using different types of guards and updates. For example, we get different
classes of counter systems by allowing more general guards and updates. In [CJ98], counter systems with difference bound guards are
introduced, where the guards are conjuncts of the form x − c ∼ x0
11
12
definitions/preliminaries
q2
2
x2 > 1,
!
q7
4
x2 ≥ 5,
q1
x1 ≥ 0,
!
1
q5
0
x1 ≥ 1,
7
2
!
q6
x1 ≥ 8,
!
1
3
!
1
q8
5
Figure 1: A 2-dimensional counter system
with ∼∈ {≥, ≤, =, <, >} and c ∈ Z. The variables (x, x0 ) considered
in the guards here are separated into two parts, one representing the
counter values at present configuration and the other representing
the counter values at the next configuration. Note that, this allows
to specify the updates also as a guard. While the updates allowed
in our definition of counter system, are less general than these updates (e.g. assignment of counter values), our definition allows more
expressive guards than difference bound guards. Moreover, our updates are deterministic even though the counter system could be nondeterministic. In [BIK14], counter systems with similar guards are
used for verifying properties. In [FL02] on the other hand a special
type of update called affine updates are used where, the counters
values are updated by taking a linear sum of the values of all the
counters.
To make the definition more clear, let us show an example of a
counter system. Consider a 2-dim counter system as shown in Figure 1. In the figure, the label of the transitions are tuples consisting
of a guard and an update. For instance, the edge from q1 to q5 has as
guard the formula x1 ≥ 0 and as as update the vector (1, 0).
Counter systems are very expressive and can be used to model
various types of systems like broadcast protocols [FL02], programs
with pointers [BBH+ 06] etc. But with their expressivity and usability, comes the disadvantage that verifying even simple properties like
reachability (is a specific state reachable from a given initial configuration?), termination (is there an infinite run in the model?) is undecidable. Indeed, this computational model can simulate Turing machines.
In particular, we can consider a Minsky machine as a counter system.
A Minsky machine [Min67] can be viewed as 2-dim counter system. It
is defined formally as a set of n instructions on two counters x1 and
x2 where the l-th instruction is of one of the following forms :
l: xi = xi + 1; goto l 0 ,
l: if x j = 0 then goto l 0 else x j = x j − 1; goto l 00 ,
2.1 counter systems
for some i, j ∈ {1, 2}, and some l 0 , l 00 ∈ {1, · · · , n}.
It is clear to see that a Minsky machine can be easily translated to
a counter system with n states and 2 counters. Given a Minsky machine with n instructions, the reachability problem asks that whether
it is possible to reach some instruction l ∈ {1, · · · , n} when it starts
from instruction 1 and counter values 0. It was shown in [Min67] that
reachability problem in Minsky machine is undecidable. This lets us
conclude that, the reachability problem is also undecidable in counter
systems.
While this is a setback in using the model of counter systems for
verification, we can actually consider subclasses of counter systems
admitting only a subset of runs from the counter systems. Moreover, a
subclass can be used to under-approximate the runs and behaviors of
counter systems. There are numerous such subclasses of counter systems that have been studied in the literature depending on whether
the restriction is placed on the type of operations allowed on the
counters or the structure of the system or the type of runs allowed.
These subclasses are obtained by imposing restrictions on the structure, operations on counters or semantics of allowed runs. In [KM69,
Rac78], vector addition systems with states have been studied, which
are basically counter systems without guards. An equivalent model
of Petri nets and its verification properties are studied in [Pet81].
For both of these models reachability of a configuration is shown
to be decidable [KM69, Pet81]. In [Iba78], verification of properties
of reversal-bounded systems are studied. Reversal-bounded systems
only allow the runs which change between incrementing and decrementing a counter only a fixed number of times. The reachability
set of such system is shown to be computable and finitely representable using formulas Presburger arithmetic. Thanks to the decidability of satisfiability of Presburger arithmetic formula, reachability problem for reversal-bounded system is decidable [Pre30, Iba78].
In [FL02, DFGvD10], a counter system with richer updates like affine
updates are studied. Choosing a subclass of counter systems is always a trade-off between the strictness of constraint applied on the
counter system and the complexity of verifying properties over the
class of systems. We will study one such subclass of counter systems
known as flat counter systems.
2.1.1 Flat Counter Systems
As noted earlier, general counter systems are very expressive and verifying even simple properties like reachability, termination is undecidable. Herein, we study a subclass of counter systems with constraints
on the structural property of the counter system. From the definition
and the representation in the example, it is clear that the underlying
structure of a counter system can be considered as a graph with nodes
13
14
definitions/preliminaries
q2
2
x2 > 1,
!
q7
4
x2 ≥ 5,
q1
x1 ≥ 0,
!
1
0
q5
x1 ≥ 1,
7
2
!
q6
x1 ≥ 8,
!
1
3
!
1
q8
5
Figure 2: A 2-dimensional flat counter system
as states and transitions as edges. The restriction on flat counter systems are defined on this graph structure of the counter system. A
closed loop in the structure of the counter system is called a cycle or
simply a loop. We call a cycle, simple if no edge is repeated twice in
it.
Definition 2 (Flat Counter System). A counter system is called flat if
every state in the structure of the counter system belongs to at most one
simple cycle.
In other words, the cycles in a flat counter system are mutually exclusive, that is, they don’t share any state or edge. In this case we say
that the cycles or loops are non-intersecting. Whereas loops or cycles
sharing same edge or state in a counter system are called intersecting loops. In a flat counter system, simple cycles can be organized as
a DAG where two simple cycles are in the relation whenever there
is path between a node of the first cycle and a node of the second
cycle. We denote by FlatCS the class of flat counter systems. The
term ‘flat’ in that sense has been introduced in [FO96, CJ98]. In recent works [Kuh10, KF11], with Kripke structures (defined later), flat
Kripke structures are also identified as weak Kripke structures.
The example presented before in Figure 1 is not a flat counter system due to the following reasons:
• Loop between q6 and q7 is not simple as there are two parallel
edges from q6 to q7 .
• q1 is an intersection between the self-loop around q1 and the
loop between q1 and q2 .
In Figure 2 we show a flat counter system – a system obtained by
eliminating the non-exclusive edges between loops from the counter
system in Figure 1.
Flat systems albeit in different forms have been studied in many
places. Flatness as a property was first introduced by [FO96]. First it
2.1 counter systems
was shown that the set of reachable configurations (reachability set)
of a flat counter system is semilinear, i.e. can be represented using a
Presburger arithmetic formula when only conjunction in the guards
are allowed [CJ98, BIL09]. It was shown in [LS05], that there are many
non-flat subclasses of counter systems which can be “unfolded” to a
flat counter system such that the reachability set of non-flat counter
system is equal to the reachability set of the unfolded flat counter
system. These type of systems are called flattable. On the other hand,
it is also evident that we can underapproximate the runs of general
counter systems by taking unfolding of intersecting loops for a given
number of time. Existential properties satisfied in a flat counter system is also satisfied in the corresponding general counter system. All
this makes flat counter systems an interesting subclass to study. It was
recently shown in [DDS12], that verifying safety and liveness properties over flat counter systems is NP-complete. In [DFGvD10], for a
more powerful model but still flat, it was shown that model-checking
of a quite expressive logic called Presburger CTL∗ (see Section 2.4) is
decidable. Not only flat counter systems, but flat Kripke structures
are also considered as the topic of study in places like [KF11].
2.1.1.1
Path Schema
A useful property of flat counter systems allowing ease of analysis
is that they can be decomposed into what we will call path schemas.
Intuitively, since loops of a flat counter system can be arranged in a
DAG, a run in a flat counter system visits loops in a fixed order and
hence can be said to follow a schema represented as the sequence
of loops and states/edges visited in between. Before defining path
schemas formally, we will introduce some related notations. Let S =
h Q, Cn , ∆, li be a counter system. A path segment p of S is a finite
sequence of transitions from ∆ such that target( p[i ]) = source( p[i + 1])
for all 1 ≤ i < len( p). We extend the definition of source and target
states to path segment as source( p) [resp. target( p)] to denote the first
[resp. last] control state of a path segment, in other words source( p) =
source( p[1]) and target( p) = target( p[len( p)]). We also write
effect( p) =
∑
update( p[k ])
1≤k≤len( p)
representing the sum of the updates of all transition along the path
segment p. A path segment p is said to be simple if len( p) > 0 and
for all 1 ≤ i, j ≤ len( p), p[i ] = p[ j] implies i = j (i.e. no repetition of transitions). A loop is a simple path segment p such that
source( p) = target( p). If a path segment is not a loop it is called a nonloop segment or simply a path segment. A path schema P is an ω-regular
expression built over the alphabet of transitions ∆ such that its language represents an over-approximation of the set of labels obtained
from infinite runs following the transitions of P.
15
16
definitions/preliminaries
Definition 3 (Path Schema). A path schema P is an ω-regular expression
over ∆ and of the form p1 l1+ p2 l2+ . . . pk lkω verifying the following conditions:
1. l1 , · · · , lk are loops,
2. p1 l1 p2 l2 . . . pk lk is a (non-loop) path segment.
We write len( P) to denote len( p1 l1 p2 l2 . . . pk lk ) and nbloops( P) as
its number k of loops. Let L( P) denote the set of infinite words in ∆ω
which belong to the language defined by P. Note that some elements
of L( P) may not correspond to any run because of counter constraints
on the counter values appearing on the transitions. Given w ∈ L( P),
we write iterP (w) to denote the unique tuple in (N \ {0})k−1 such
iter (w)[1]
iter (w)[2]
that w = p1 l1 P
p 2 l2 P
. . . pk lkω . So, for every i ∈ [1, k − 1],
iterP (w)[i ] is the number of times the loop li is taken. Then, for a
configuration c0 , the set iterP (c0 ) is defined as
iterP (c0 ) = {iterP (w) ∈ (N \ {0})k−1 | w ∈ trans( P, c0 )}
For a path schema P, the set iterP (c0 ) denotes the set of vectors, which
specifies the number of times each loop can be taken to obtain a run
starting from c0 and following the transitions according to P. Finally,
we say that a run ρ starting in a configuration c0 respects a path schema
P if trans(ρ) ∈ trans( P, c0 ) and for such a run, we write iterP (ρ) to
denote iterP (trans(ρ)). Note that by definition, if ρ respects P, then
each loop li is visited at least once, and the last one infinitely many
times.
As defined above, a flat counter system may have an infinite set of
path schemas. To see this, it is sufficient to unroll loops and consider
the unrolling as an alternating sequence of path and loop segments.
However, we can impose minimality conditions on path schemas
without sacrificing completeness. A path schema p1 l1+ p2 l2+ . . . pk lkω is
minimal whenever
1. p1 · · · pk is either the empty word or a simple non-loop segment,
2. l1 , . . . , lk are loops with disjoint sets of transitions.
Lemma 1. Given a flat counter system S = h Q, Cn , ∆, li, the total number
of minimal path schemas of S is finite and is smaller than card(∆)(2×card(∆)) .
Proof. Since minimal path schemas restrict the maximum number of
time a transition can occur in a path schema to 2 times, we have that
the sum of all the segments in the longest path schema is at most
2 × card(∆). Since at each of these positions in the path schema can
be any transition from ∆, it is easy to see that the number of possible
such path schema is card(∆)2×card(∆) .
The above lemma in turn gives us the following corollary.
Corollary 1. The number of possible minimal path schemas for a given flat
counter system S is bounded by an exponential in size(S).
2.1 counter systems
q7
x2 > 1,
q1
x1 ≥ 0,
1
0
! q5
x1 ≥ 1,
2
!
3
x2 ≥ 5,
4
7
2
! q6
x1 ≥ 8,
!
1
1
! q8
5
Figure 3: A path schema
In Figure 3, we present one of the minimal path schemas of the
flat counter system presented in Figure 2. The minimal path schema
shown in Figure 3 corresponds to the ω-regular expression δ1 (δ2 δ3 )+ δ4
δ5 (δ6 δ5 )ω . Note that in the representation of path schemas, a state may
occur several times, as it is the case for q3 (this cannot occur in the
representation of counter systems).
Minimal path schemas play a crucial role in the sequel, mainly because of the properties stated below.
Lemma 2. Let P be a path schema. There is a minimal path schema P0 such
that every run respecting P respects P0 too.
Proof. Consider any non-minimal path schema P = p1 (l1 )+ · · · pk (lk )ω .
P is non-minimal because some edge δ occurs more than twice in P.
First, by definition, it is not possible that δ occurs more than once
in any segment of P. Thus, δ occurs in at least three segments. Assume that δ occurs once in σi , σj and σk for some path segments
σi , σj , σk in P. Without loss of generality, let us assume that i <
j < k. We can write the word σi . . . σj . . . σk as w1 δw2 δw3 δw4 and
thus source(δ) = target(w2 ) = target(w3 ). Similarly, it is clear that
target(δ) = source(w2 ) = source(w3 ). Since P is from a flat counter
system, we know that there could only be one cycle having δ. In this
case, clearly there are two loops δw2 and δw3 starting and ending at
source(δ) and hence both δw2 and δw3 are iterations of the same loop.
Thus there exists a loop segment l 0 such that δw2 = l 0α and δw3 = l 0 β
for some α, β ∈ N and target(l 0 ) = source(l 0 ) = source(δ). Let P1 be
the path schema obtained by replacing σi . . . σj . . . σk by w1 (l 0 )+ δw4 in
P. Clearly, P1 is a valid path schema and L( P1 ) = L( P). Note that
the above transformation reduces the number of times δ appear by at
least one. Performing the above construction repeatedly for any edge
appearing more than once in P, we get a minimal path schema P0 .
Since, the set of accepted words is preserved in the transformation,
L( P) = L( P0 ) and hence for every run respecting P there is a run
respecting P0 .
17
18
definitions/preliminaries
Note that the path schemas ending with the expression (lk )ω is
well-suited for encoding infinite runs in flat counter systems. Furthermore we can actually decompose a flat counter system into many
path schemas such that every run respects one of the path schemas.
This is a very crucial property of flat counter systems that we will
utilise for solving various problems on them.
Theorem 1. Given a flat counter system S and configuration c0 , for every
infinite run ρ starting from c0 there exists a minimal path schema P such
that ρ respects P.
Proof. Consider any infinite run ρ in S starting with c0 . Consider the
infinite word of transitions w = trans(ρ). Due to the structural restriction on flat counter systems, notice that the different loops visited by
ρ can be ordered as l1 , l2 , · · · , lk . Moreover, since ρ is infinite, the infinitely recurring part must be repetition of the last loop lk . It is easy
to see that by the properties of flat counter systems, w ∈ L( P) for
some path schema P. Hence, by Lemma 2, we know that ρ respects a
minimal path schema.
2.1.1.2
Ultimately Periodic Path
Given a path schema P = p1 l1+ p2 l2+ . . . pk lkω with loops l1 , l2 , · · · , lk
and v ∈ (N \ {0})k−1 denoting the number of times each loop is
taken except lk , the pair h P, vi defines the ω-regular expression of a
v[1]
v[2]
v[ k −1]
special type denoted as p1 l1 p2 l2 . . . lk−1 pk lkω . An ultimately periodic path is a path schema of the form p · l ω where p and l are finite
words over transitions ∆. As shown before, h P, vi gives us an ultiv[ k −1]
v[1]
v[2]
mately periodic path where p = p1 l1 p2 l2 . . . lk−1 pk and l = lk .
Using the notations introduced before, there can be potentially infinitely many runs ρ in S such that trans(ρ) ∈ trans( P, c0 ) for some
configuration c0 . Whereas extending the notations for the ultimately
periodic path h P, vi, there exists at most one run ρ in S, such that
trans(ρ) = trans(h P, vi, c0 ). We also denote h P, vi[i ] as the transition
w[i ] for i > 0 such that w ∈ L(h P, vi). Note that for the ultimately
periodic path h P, vi, w is unique.
Ultimately periodic paths are of special interest for us, as we will
see later that it would be used in the model-checking procedure for
flat counter systems. This kind of structure, but without counters,
have been studied separately in [MS03].
2.1.2 Flat Kripke Structures
A further subclass of flat counter systems called flat Kripke structure, is also considered in literature. We will start by defining the
subclass of general counter systems and well studied model Kripke
structures. A Kripke structure S is a tuple h Q, ∆, li where Q is a finite
2.2 presburger arithmetic
set of states, ∆ ⊆ Q × Q and l : Q → 2AT is the labelling function. It
can be viewed as a degenerate form of counter systems without counters. More specifically, they can be seen as counter systems with zero
counters and all the edges labelled with the atomic guard >. All standard notions on counter systems naturally apply to Kripke structures
too. The set of configurations of a Kripke structure is same as the set
of states Q. Similarly, the transition system T(S) is the Kripke structure itself. Also, a run in the Kripke structure is defined as sequence
of states from Q such that it forms a path in the Kripke structure.
Note that Kripke structures with infinite set of states have also been
studied, but for our case, we will only focus on finite Kripke structures.
Definition 4 (Flat Kripke Structure). A Kripke structure is called flat if
every state in the structure belongs to at most one simple cycle.
The set of flat Kripke structures are denoted as FlatKS.
Kripke structures, introduced in [Kri63], is a very well studied class
of systems. They have been widely used for model-checking problems in [CGP01, VW94, SC85] to name a few. Even model-checking
problems of flat Kripke structures are studied in [Kuh10, KF11].
2.2
presburger arithmetic
An important concept used in the model-checking procedure again
and again, specially for flat counter systems, is Presburger arithmetic.
Presburger arithmetic is the first order theory of integers with addition,
that is, the structure (N, +, <, =). It was shown decidable by Presburger in 1929 [Pre30]. A Presburger Arithmetic (PA) formula φ is
defined as following:
φ := t < t | t = t | ¬φ | φ1 ∨ φ2 | φ1 ∧ φ2 | ∃zφ | ∀zφ
where the terms t is defined as following,
t := a ∈ N | a.z | t1 + t2
where z is variable from an infinite set of variables VAR. Any variable in a PA formula φ, which does not occur within the scope of
any quantifier is called free. For a given PA formula φ, the set of
free variables of φ is denoted by free(φ). When possible, we will also
denote a PA formula as φ(z1 , z2 , · · · , zn ) to specify explicitely that
free(φ) ⊆ {z1 , z2 , · · · , zn }. For a given PA formula φ with free(φ) =
{z1 , z2 , · · · , zn }, a valuation f : {z1 , z2 , · · · , zn } → Z assigns a value
to the variables and we write f |= φ iff φ evaluates to true when the
free variables are replaced by their respective values given by f . Let
us assume that any valuation f is also extended to the terms (in a
19
20
definitions/preliminaries
conservative way). The satisfiability of a PA formula φ with respect
to a valuation function f : free(φ) → N is defined as:
def
f |= t1 < t2 ⇔
def
f |= t1 = t2 ⇔
f |= ¬φ
def
f ( t1 ) < f ( t2 )
f ( t1 ) = f ( t2 )
⇔
f 2φ
def
⇔
f |= φ or f |= φ0
def
f |= φ and f |= φ0
φ ∨ φ0
f |= φ ∧ φ0
⇔
f |= ∃zφ
⇔ there exists n ∈ N such that f [z 7→ n] |= φ
f |= ∀zφ
⇔ for all n ∈ N, f [z 7→ n] |= φ
f |=
def
def
Correspondingly, we can consider the valuation function as a vector
of values from N with some ordering over variables. Thus, we say
that for such a vector, v ∈ Nn , v |= φ iff for a valuation function f we
have f (xi ) = v[i ] and f |= φ.
Presburger arithmetic allows enough expressibility to encode important properties like loop updates in a counter system and still is
constrained enough to have a decidability procedure. In fact it was
shown in [CJ98] that the set of reachable configurations of a flat
counter system, without disjunction in guard, is definable by a formula in Presburger arithmetic. Below we show a path schema and
show how Presburger arithmetic formulas can be used to take care
of the counters, guards and updates to check different conditions of
runs. Consider the path schema presented in Figure 3. Ignoring the
unlabelled edges, we can construct the following formulas:
E1= 0 ≥ 0 ∧ 0 + 1 ≥ 1 ∧ 0 + 2 > 1 ∧ 0 + 2 + 4 ≥ 5.
E2= (z1 ≥ 1 ∧ 1 + 7 + 5.z1 ≥ 8 ∧ 1 + 7 + 5.z1 ≥ −1 ∧ ∀z2 .(z2 < z1 ∧
z2 > 0 ∧ 0 + 2 + 5.z2 > 1 ∧ 0 + 2 + 5.z2 + 4 ≥ 5)).
E1 ensures that all the edges except q6 to q8 can be taken at least
once. Remember that edges cannot be taken if the counter values do
not satisfy the guards or the updates on the transition result in a
negative counter value. Hence, in E1 we check for each of the edges,
that the summation of all the previous updates satisfy the guards. In
E2 we check that even after the loop (q6 , q7 ) is taken z1 times, the
accumulated counter values allows to take the edge between q6 to q8 .
E2 also checks that for all z1 iterations of the loop (q6 , q7 ), the guards
on the edges of the loop are satisfied, that is, the loop can indeed
be taken z1 times. Thus E1∧E2 characterizes the number of times the
loop (q6 , q7 ) can be taken by any valid run.
The decidability of Presburger arithmetic was shown by using a
quantifier-elimination procedure. The complexity of Presburger arithmetic was shown to be exactly double exponential in time with linear number of alternations [Ber77]. Though the lower bound was derived from a reduction of the halting problem of a 2ExpTime Turing machine to validity of a Presburger arithmetic formula [FR74].
2.3 linear-time temporal logics
For upper bound, the quantifier elimination procedure given by Presburger was not enough as it had non-elementary complexity. However, in [FR79], it was shown that there exists a non-deterministic
algorithm to solve Presburger arithmetic with optimal complexity.
In [Büc60], Büchi showed that deciding validity of a Presburger arithmetic formula could be reduced to deciding emptiness of an automaton. [WB95, BC96] provided a purely automata-based algorithm to
decide Presburger arithmetic.
The automata based decision procedure has been implemented in
tools like Lash, PresTAF, Lira [Tap]. Another way to solve Presburger arithmetic is by using integer linear programming (ILP). There
are many efficient implementations of ILP solvers available too, like
LP_SOLVE [lps] and OMEGA. Recently, with the advent and advancement [smt] of SMT solvers, we can use tools like CVC4 [CVC], Z3 [Z3]
to decide fragments of Presburger arithmetic. Though SMT solvers
do not use the automata based algorithm, the performance obtained
from them are better than the automata-based approaches for the
fragments.
2.3
linear-time temporal logics
Now that we have defined the models that will be used for modelchecking problems, let us introduce the logical specifications that we
will use to specify the properties. We consider properties from various specification languages with varying expressiveness and succinctness. We classify the logical specifications considered here, broadly
into two parts, linear time specifications and branching time specifications. Whereas a linear time specification formula states a property
about the runs of a counter system, a branching time specification
formula states a property about the transition system of the counter
system as a whole. In this section we will introduce the linear time
specifications which will be used to specify temporal properties about
runs of counter systems. For each such specification, we provide the
syntax and semantics of the instances of the specification. Consider a
run ρ in a n-dimensional counter system of the form.
δ
δ
δm+1
m
1
ρ := hq0 , v0 i −
→
· · · −→
hqm , vm i −−→ · · ·
We will define the satisfaction relation |= for each of the specifications such that for an instance of the specification A, we say ρ, 0 |= A
iff ρ satisfies the property expressed by A. In general, specifications
traditionally allow only propositional variables as atomic formulas.
A propositional variable p only represents an abstract property about
the current configuration of the system. A more satisfactory solution is to include in the logical language the possibility to express
directly constraints between variables of the program, and doing so
refining the standard abstraction made with propositional variables.
21
22
definitions/preliminaries
When the variables are typed, they may be interpreted in some specific domain like integers, strings and so on; reasoning in such theories can be performed thanks to satisfiability modulo theories proof
techniques, see e.g., [GNRZ08] in which SMT solvers are used for
model-checking infinite-state systems. Since the specifications are interpreted over runs of counter systems, it makes sense to include
counter constraints or guards as atomic formulas. All our specifications allow counter constraints as atomic formulas alongwith the
usual propositional variables. Note that, if the allowed guards in the
specification are from G(Cn ) then the specification is also interpreted
over runs of counter systems with n counters. For a given instance of
specification A, when represented as a formula, we denote by size( A)
as the number of subformulas in A which themselves are instances of
the specification. In the case that A is represented as an automaton,
size( A) denotes the sum of the number of states and edges in A.
Since, we interpret the formulas over runs of a counter system
which has a finite set of guards and propositional variables appearing
as labels, we will need to introduce the notion of constrained alphabet whose letters should be understood as Boolean combinations of
atomic formulae (details follow). A constrained alphabet is a triple of
the form h at, agn , Γi where
• at is a finite subset of AT,
• agn is a finite subset of atomic guards from G(Cn ),
• Γ is a subset of 2at∪agn .
The size of a constrained alphabet is given by size(h at, agn , Γi) =
card( at) + card( agn ) + card(Γ). Of course, any standard alphabet (finite set of letters) can be easily viewed as a constrained alphabet. An
important feature to evaluate the size of h at, agn , Γi is to notice that at,
agn and Γ are finite sets and Γ is not necessarily equal to the power
set 2at∪agn .
Given an infinite run ρ := hq0 , v0 i → hq1 , v1 i · · · from a counter system h Q, Cn , ∆, li with n counters and an ω-word over a constrained
alphabet h at, agn , Γi, w = a1 a2 . . . ∈ Γω , we say that ρ satisfies w, written ρ |= w, whenever for every i ≥ 0, we have
1. for every p ∈ (ai ∩ at) [resp. p ∈ ( at \ ai )], p ∈ l(qi ) [resp. p 6∈
l(qi )],
2. for every g ∈ (ai ∩ agn ) [resp. g ∈ ( agn \ ai )], vi |= g [resp.
vi 6|= g].
2.3.1 Linear Temporal Logic with Past
Linear temporal logic for verification, was introduced in [Pnu77] to
express properties about execution of programs. Since then LTL has
2.3 linear-time temporal logics
been used in numerous examples and also to model various different types of properties about systems. Model-checking problem for
Past LTL over finite state systems (Kripke structures) is known to
be PSpace-complete [SC85]. As stated earlier, we define below a version of linear-time temporal logic, LTL dedicated to counter systems
in which the atomic formulae are linear constraints over the counter
and atomic propositions alongwith the temporal operators of standard LTL. Note that capacity constraints from [DFK07] are arithmetical constraints different from those defined below. The formulae of
the logic PLTL are defined as follows:
φ ::= p | g | ¬φ | φ ∧ φ | Xφ | φUφ | X−1 φ | φSφ
where p ∈ AT and g ∈ G(Cn ) for some n. We may use the following
standard abbreviations
• > = p ∨ ¬p
• ⊥= p ∧ ¬p
• Fφ = >Uφ,
• Gφ = ¬F¬φ
Given a well-formed formula in Past LTL a related parameter of importance to our result is the temporal depth of a formula φ, written
td(φ). It is defined as the maximal number of nesting of temporal
operators in φ. More formally, the temporal depth of a formula φ is
defined inductively as following:
td(p)
= 0
td(g)
= 0
td(¬φ)
td(φ1 ∧ φ2 )
td(Xφ)
td(φ1 Uφ2 )
td(X−1 φ)
td(φ1 Sφ2 )
= td(φ)
= max (td(φ1 ), td(φ2 ))
= td(φ) + 1
= max (td(φ1 ), td(φ2 )) + 1
= td(φ) + 1
= max (td(φ1 ), td(φ2 )) + 1
Note that for a formula φ, td(φ) can at most be size(φ). Given a run
ρ of a counter system and a position i ∈ N, the satisfaction relation
|= for Past LTL is defined as follows:
def
ρ, i |= p
⇔ p ∈ l ( qi )
ρ, i |= g
⇔ vi |= g
ρ, i |= ¬φ
⇔ ρ, i 2 φ
ρ, i |= φ1 ∧ φ2
def
def
def
⇔ ρ, i |= φ1 and ρ, i |= φ2
23
24
definitions/preliminaries
ρ, i |= Xφ
ρ, i |= φ1 Uφ2
def
⇔ ρ, i + 1 |= φ
def
⇔ ρ, j |= φ2 for some i ≤ j
such that ρ, k |= φ1 for all i ≤ k < j
ρ, i |= X−1 φ
ρ, i |= φ1 Sφ2
def
⇔ i > 0 and ρ, i − 1 |= φ
def
⇔ ρ, j |= φ2 for some 0 ≤ j ≤ i
such that ρ, k |= φ1 for all j < k ≤ i
Given a run ρ of a counter system and a formula φ in Past LTL, we
say ρ |= A iff ρ, 0 |= A. As an example of a Past LTL formula, consider
the formula (x1 < 15 ∧ p)U(x1 + 2 ≥ x2 ) which states that the value
of counter 1 is less than 15 and p holds in every state till the value of
counter 1 plus 2 is greater than the value of counter 2. Note that the
past-time operators S and X−1 included in the specification, do not
add expressive power to the logic itself [Gab87], but it is known that
it helps a lot to express properties succinctly, see e.g. [LS00, LMS02].
We denote by PLTLΣ , the version of PLTL where the only type of
atomic formula allowed, is p for any p ∈ Σ admitting only models of
the form of infinite words from Σω .
As another example consider the Past LTL formula (>Uq7 ) ∧ Xq6 ∧
x1 > 5. Note that even though propositional constant > (true) is not
included in the set of guards, we can easily represent it using guards
of the form x1 = x1 . The given formula is satisfied by any run that at
some point reaches a configuration with state label q7 and have value
of counter 1 greater than 5 and the next configuration has state label
q6 . In particular the formula is satisfied by the following run
hq1 , (0, 0)i → hq5 , (1, 0)i → hq6 , (8, 2)i → hq7 , (10, 6)i → hq6 , (13, 7)i · · ·
from the flat counter system S given in Figure 2. Thus S, hq1 , (0, 0)i |=
(>Uq7 ) ∧ Xq6 ∧ x1 > 5.
2.3.2 First Order Logic
First-order logic is a classical logical formalism that has been studied
extensively, see e.g. [Sto74, Var82, Daw07]. First-order logic admits a
natural variant to express properties of runs. In terms of expressivity
or the type of properties that can be expressed using first-order logic,
it is shown by Kamp’s Theorem [Kam68], that first-order logic has
the same expressive power as Past LTL. But in terms of conciseness,
it was shown in [Kam68, Sto74] that there are properties which can be
expressed using exponentially small formula in first-order logic compared to the size of the formula in Past LTL required to express the
same. In fact, it is known that the satisfiability problem for first-order
logic formulae is non-elementary [Sto74] whereas that of LTL formulas without counter constraints are in PSpace [SC85]. Consequently
the translation into Past LTL leads to a significant blow-up in the size
of the formula. For defining first-order logic formulae, we consider a
2.3 linear-time temporal logics
countably infinite set of variables VAR. The syntax of first-order logic
FO is then given by the following grammar:
φ := p(z) | g(z) | succ(z, z0 ) | z < z0 | z = z0 | ¬φ | φ ∧ φ0 | ∃z φ(z)
where p ∈ AT and z, z0 ∈ VAR. Intuitively, p(z) and g(z) represents
that p or g holds at position pointed by z in the model. A variable
z is free in a FO formula φ iff z does not occur within the scope of
any quantifiers (∃) in φ. As usual, we write f ree(φ) to denote the set
of free variables in the formula φ. A formula with no free variable is
called a sentence. We define the quantifier height qh(φ) of a formula φ
as the maximum nesting depth of the operators ∃ in φ. More formally
it is defined as following:


qh(φ0 ) + 1




max (qh(φ1 ), qh(φ2 ))
qh(φ) =

 qh(φ0 )



0
if φ = ∃z φ0
if φ = φ1 ∧ φ2
if φ = ¬φ0
Otherwise
Variables are interpreted over positions in the run. A position assignment is a partial function f : VAR → N. Given a run ρ of a counter system, a FO formula φ and a position assignment f such that f (z) ∈ N
for every variable z ∈ f ree(φ), the satisfaction relation |= f is defined
as follows:
def
ρ |= f p(z)
⇔ p ∈ l(q f (z) ) where qi is the ith state in ρ
ρ |= f g(z)
⇔ v f (z) |= g
ρ |= f succ(z, z0 )
⇔
def
f (z0 ) = f (z ) + 1
ρ |= f z < z0
⇔
def
f (z ) < f (z0 )
ρ |= f z = z0
def
⇔
f (z ) = f (z0 )
ρ |= f ¬φ
⇔ ρ 2f φ
ρ |= f φ ∧ φ0
⇔ ρ |= f φ and ρ |= f φ0
ρ |= f ∃z φ(z)
⇔ there exists j ∈ N such that ρ |= f [z→ j] φ(z)
def
def
def
def
Given a FO sentence φ, we write ρ |= φ (or equivalently ρ, 0 |= φ)
when ρ |= f φ for an arbitrary position assignment f . The reason that
we can consider any arbitrary position assignment is that, for a sentence, since all the variables are bounded by some quantifiers, all
assignment for the variables will be rewritten while interpreting over
a run as explained in the definition of the satisfaction relation. Note
that by the semantics of the formula, any arithmetical constraint appearing in the formula expresses a property about the counter values
at a specific position in the run and cannot compare values from two
different positions. Stating properties about values from two different positions can be done by other logics like FO over words with
data [BMS+ 06], LTL with freeze operator [DLS08, DL09] and LTL
25
26
definitions/preliminaries
with constraints [DD02]. We denote by FOΣ , the version of FO whose
only type of allowed atomic formula is p for any p ∈ Σ admitting only
models of the form of infinite words from Σω .
As an example consider the FO formula ∀x∃y q7 (x) ⇒ q6 (y) ∧
succ(x, y) ∧ gx2 <15 (y). It is satisfied by any run in which every configuration with state label q7 and have value of counter 2 in the next
position is less than 5 and the next configuration has state label q6 .
Again this formula is satisfied by the run
hq1 , (0, 0)i → hq5 , (1, 0)i → hq6 , (8, 2)i → hq7 , (10, 6)i → hq6 , (13, 7)i · · ·
from the flat counter system S given in Figure 2. Thus S, hq1 , (0, 0)i |=
∀x∃y q7 (x) ⇒ q6 (y) ∧ succ(x, y) ∧ gx2 <15 (y).
2.3.3
Büchi Automata
Büchi automata is a more expressive formalism than that of Past LTL
and first order logic and it is known to be equivalent to monadic
second order logic [Büc60]. Traditionally, Büchi automata are defined
over letters from an alphabet which can be thought of as propositional
variables. But for our case, due to the fact that we consider runs of
counter systems as models, we allow the labels on the transitions of
Büchi automata to include guards from a finite set.
Definition 5 (Büchi automaton). A Büchi automaton B is a structure
B = h Q, Σ, δ, q0 , F i such that
• Q is a non-empty finite set of states,
• Σ is a finite alphabet,
• q0 ∈ Q is the initial state and
• F ⊆ Q is the set of final states.
The set of transitions is defined as δ ⊆ Q × Σ × Q. An accepting run
ρ in B for a word w ∈ Σω is defined as an infinite sequence of states
ρ ∈ Qω such that for every i ∈ N, hρ[i ], w[i + 1], ρ[i + 1]i ∈ δ and
ρ[ j] ∈ F for infinitely many j’s. For our case, we define the alphabet
over which the specification is defined as Σ = 2at∪agn where at is a
finite subset of AT and agn is a finite subset of G(Cn ). We denote these
specification as EBS (standing for ’Explicit Büchi Specifications’) and
they are simply Büchi automata over the alphabet 2at∪agn .
In order to be a bit concise, we allow that transitions are labelled
by Boolean combinations of atoms from at ∪ agn , leading to the specifications in BS (standing for ’Büchi Specifications’). In that way, a
specification A in BS is of the form h Q, E, q0 , F i where Q is a finite set
of states, q0 ∈ Q is the initial state, F ⊆ Q is the set of accepting states
and E is a finite subset of Q × B( at ∪ agn ) × Q where B( at ∪ agn )
2.3 linear-time temporal logics
>
p ∧ (x1 − x2 = 2)
p ∧ (x1 − x2 = 2)
start
>
Figure 4: A Büchi automaton specification
denotes the set of formulas obtained by Boolean combinations over
at ∪ agn where each formula ψ is obtained as
ψ := at | agn | ¬ψ0 | ψ0 ∧ ψ00
Specification A in BS is just a concise representation for the Büchi automaton B A = h Q, 2at∪agn , δ, q0 , F i where δ is a subset of Q × 2at∪agn ×
a
def
ψ
Q and q −
→ q0 ∈ δ ⇔ there is q −
→ q0 ∈ E such that a |= ψ in
the propositional sense (an atom in ( at ∪ agn ) \ a is interpreted by
false). We say that A is over the constrained alphabet h at, agn , Γi with
ψ
Γ = 2at∪agn , whenever for all edges q −
→ q0 ∈ E, ψ holds at most
for valuations/letters from Γ. Hence, the language L( A) ⊆ Γω is
defined as the language L(B A ) with the standard notion for Büchi
automata. Note also that B A is indeed a specification in EBS over
the constrained alphabet h at, agn , 2at∪agn i. So, strictly speaking, Büchi
specifications and Büchi automata are not identical objects but specifications in BS are concise representations of Büchi automata (an edge
in A can lead to an exponential number of transitions in B A ). Note
also that any Büchi automaton built over the alphabet Σ = 2at∪agn
can be transformed in polynomial time into a specification in BS. For
each letter a, transitions with a in the Büchi specification are labelled
by the Boolean formula ϕa defined as a conjunction made of positive
literals from a and negative literals from ( at ∪ agn ) \ a. Note that by
definition, a run ρ satisfies a specification in BS or EBS, A (ρ, 0 |= A)
only when there exists an infinite word w such that w ∈ L( A) and
ρ |= w.
As an example consider the Büchi automaton given in Figure 4. The
Büchi automata accepts all runs where after some position i, all future
even positions j (i.e. i ≡2 j) satisfy that p holds and the difference
between first counter and second counter is equal to 2. Note that in
particular the following run
hq1 , (0, 0)i → hq5 , (1, 0)i → hq6 , (8, 2)i → hq8 , (9, 7)i → hq8 , (9, 7)i · · ·
from the flat counter system S given in Figure 2, satisfies the property. Thus, S, hq1 , (0, 0)i |= B where S is the flat counter system from
Figure 2 with l(q8 ) = {p} and B is the specification given in Figure 4.
Note that the same property is not expressible in PLTL of FO.
27
28
definitions/preliminaries
2.3.4
Alternating Büchi Automata
Alternating Büchi automata were introduced in [CKS81]. The formalism adds more power to Büchi automata by allowing branching of
execution over a word. Here we extend the standard definition of alternating Büchi automata with counter constraints from a finite set of
constraints. To define it, we start with the definition of B+ ( Q) for a
finite set Q, to denote the set of positive Boolean formulae built over Q.
Elements of B+ ( Q) respect the following grammar:
B ::= ⊥ | > | q | ( B ∨ B) | ( B ∧ B)
where q ∈ Q. Every subset Y ⊆ Q can be viewed as a propositional
def
valuation such that q ∈ Y ⇔ q is interpreted as true. We write Y |= B
with B ∈ B+ ( Q) to denote that A holds true under the propositional
valuation induced by the subset Y. An alternating Büchi automaton B
is a structure h Q, Σ, q0 , δ, F i such that Q is the finite set of states, Σ is
a finite alphabet, q0 ∈ Q is the initial state, F ⊆ Q and δ : Q × Σ →
B+ ( Q) is the transition function. A run ρ on the ω-word a0 a1 a2 . . . ∈
Σω is a (possibly infinite) directed acyclic graph (DAG) for which
nodes are labelled by elements from Q:
• ρ = hV, Ri where V ⊆ Q × N and hq0 , 0i ∈ V.
• R⊆
S
l ≥0 ( Q
× {l }) × ( Q × {l + 1}),
• For every hq, l i ∈ V \ {hq0 , 0i}, there is a state q0 ∈ Q such that
hhq0 , l − 1i, hq, l ii ∈ R.
• For every hq, l i ∈ V, {q0 : hhq, l i, hq0 , l + 1ii ∈ R} |= δ(q, al ).
A run ρ is accepting whenever every infinite path through that run
defines an ω-word in Qω such that a state from F is visited infinitely
often. Similarly to BS, a specification A in ABS over the constrained
alphabet h at, agn , 2at∪agn i is of the form h Q, E, q0 , F i where Q is a finite
set of states, q0 ∈ Q is the initial state, F ⊆ Q is the set of accepting
states and E is the partial finite transition function E : Q × B( at ∪
agn ) → B+ ( Q). Following the same reasoning as for BS, a specification A in ABS is only a concise representation for an alternating
Büchi automaton B A = h Q, 2at∪agn , δ, q0 , F i where δ : Q × 2at∪agn →
def
B+ ( Q) and δ(q, a) = B ⇔ there is E(q, ψ) = B with B ∈ B+ ( Q)
such that a |= ψ in the propositional sense (an atom in ( at ∪ agn ) \ a
is interpreted by false). The language L( A) is here as well exactly
L(B A ). Similar to the case of BS/EBS, we say that a run ρ satisfies the
property represented by a ABA/ABS A (ρ, 0 |= A) iff there exists a
word w such that w ∈ L( A) and ρ |= w.
2.3.5
Linear µ-Calculus
Linear µ-calculus (or µTL), introduced first in [Var88] allows fixpoint
operators along with the temporal operators in the logic. In [Var88],
2.3 linear-time temporal logics
it was shown that they are expressively similar to Büchi automata,
but can be more succinct in representing properties. Formulae of the
linear µ-calculus are defined by the grammar below
φ := z | p | g | ¬φ | φ ∧ φ | Xφ | X−1 φ | µz · φ
where z is a propositional variable from VAR such that VAR is a countably infinite set of variables that is disjoint from AT. A formula φ is
well-formed iff for all µz · ψ in φ,
1. for all subformulae µz · ψ0 , we have ψ = ψ0 ,
2. z is not free in φ and
3. every occurrence of z in the syntax tree of ψ is under an even
number of negation symbols in ψ.
Note that, given any µTL formula, we can easily transform it to satisfy
the first two conditions. We include these conditions in the definition
of “well-formed” formula to be precise about the form of the formula.
In the rest of the document we only consider well-formed µTL formulas. As usual νz · φ is defined as ¬µ · ¬φ[z ← ¬z].
Satisfaction relation |= is parameterized by maps of the form f :
VAR → 2N assigning set of positions to a variable.
def
ρ, i |= f z
⇔ i ∈ f (z)
ρ, i |= f p
⇔ p ∈ l ( qi )
ρ, i |= f g
⇔ vi |= g
ρ, i |= f ¬φ
⇔ ρ, i 2 f φ
ρ, i |= f φ ∧ φ0
⇔ ρ, i |= f φ and ρ, i |= f φ0
ρ, i |= f Xφ
⇔ ρ, i + 1 |= φ
ρ, i |= f X−1 φ
⇔ i > 0 and ρ, i − 1 |= φ
def
def
def
def
def
def
It remains to define the relation for formulae whose outermost connective is the fixpoint operator. Fixpoints in linear µ-calculus are
considered as monotone functions over the complete lattice h2N , ⊆i.
Given a run ρ of a counter system and a µTL formula φ, we first define
the least fixpoint of the monotone function F f ,ρ : 2N → 2N defined
def
by F f ,ρ (Y ) = Y 0 where Y 0 = {i0 ∈ N : ρ, i0 |= f [z←Y ] φ}. This can be
computed iteratively as a sequence of sets of positions as following:
def
• Z0 = ∅ and
def
• Zi+1 = F f ,ρ ( Zi ) for all i ≥ 0.
and define the least fixpoint as Z = i Zi . It is well-known, by KnasterTarski’s Theorem [Kna28, Tar55, PBW06], that the least fixed point Z
exists. So, the satisfaction relation is defined as follows. Given a run
S
29
30
definitions/preliminaries
def
ρ, we have ρ, i |= f µz · φ ⇔ i ∈ Z where Z is the least fixpoint of the
monotone function F f ,ρ .
Given a well-formed µTL formula φ, we write ρ |= φ when ρ, 0 |= f
φ for an arbitrary map f .
As an example consider the µTL formula µx(νy(q7 ∧ x1 ≥ 10 ∧
XXy) ∨ x). Here, νyφ(y) is used as an abbreviation for the formula
¬µx¬φ(¬x). It is satisfied by any run in which every even position
configuration starting from some position has state label q7 and have
value of counter 1 greater than or equal to 10 Again this formula is
satisfied by the run
hq1 , (0, 0)i → hq5 , (1, 0)i → hq6 , (8, 2)i → hq7 , (10, 6)i → hq6 , (13, 7)i · · ·
from the flat counter system S given in Figure 2. Thus S, hq1 , (0, 0)i |=
µx(νy(q7 ∧ x1 ≥ 10 ∧ XXy) ∨ x).
Note that this formula is satisfied by the flat counter system in
Figure 2.
2.3.6
Extended Temporal Logic
The Extended Temporal Logic (ETL) defined below extends LTL with
new temporal connectives, based on regular languages defined with
the help of finite-state automata and was first introduced in [Wol83].
Equivalence in expressiveness of ETL and Büchi automata was shown
in [Wol83]. ETL formulae are defined by the following abstract grammar:
φ ::= g | p | ¬φ | φ ∧ φ | A(φ1 , . . . , φk )
where A is a finite-state automaton built over an alphabet Σ = {a1 , . . . ,
ak } and we assume that the letters in Σ are linearly ordered. We assume an unbounded supply of finite-state automata and each finitestate automaton can define a temporal operator. To understand more
about how the finite state automata in a formula are interpreted over
a run, let us define the satisfaction relation for the finite state automata operator A(φ1 , . . . , φk ) formally. Intuitively, the relation ρ, i |=
A(φ1 , . . . , φk ) holds when a finite pattern induced from L(A) exists
from position i. Formally, ρ, i |= A(φ1 , . . . , φk ) iff one of the following
holds
• There is al1 al2 . . . al N ∈ L(A) such that for j ∈ [0, N − 1], ρ, i +
j |= φl j+1 ,
• ε ∈ L(A).
Observe that in the condition above, the index of the jth letter (with
j ∈ [0, N − 1]) determines which argument must hold at the jth next
position, namely φl j+1 and hence we require the alphabet to be ordered. ETL without counter constraints is shown to be expressively
2.4 branching time temporal logics
equivalent to regular languages and its satisfiability is shown to be
PSpace-complete in [VW94]. In view of these results, without counter
constraints, ETL can be seen to be equivalent to linear µ-calculus.
2.4
branching time temporal logics
Branching time logics are used to specify properties about the execution trees of counter systems. Recall that we denote the transition
system corresponding to a counter system S as T(S) = hC, →i and a
run ρ is a path in T(S). Also, note that we denote the ith configuration in a run ρ as ρ[i ] assuming that ρ is a sequence of configurations.
We will interprete the formulas in different branching time logics,
over these structures. As is the case with linear time specifications,
we study different branching time specification which differ among
each other in expressivity and succinctness. First we consider a wellknown and expressive logic called CTL∗ . We consider many of its
subclasses that have been studied before. CTL∗ was first introduced
in [EH86] as logic with unconstrained use of both branching and linear temporal operator. We define a CTL∗ formula in the following
way.
φ = p | ψ(x1 , . . . , xn ) | ¬φ | φ ∨ φ | Xφ | φUφ | Eφ
where p ∈ AT and ψ(x1 , . . . , xn ) is a Presburger formula. Note that
contrary to the previous definitions of linear specifications, here as
atomic formula, we allow constraints from full Presburger arithmetic.
As we will see later in Chapter 7, that allowing quantifiers in the
counter constraints does not affect the complexity bound of the modelchecking procedure of the logic here. For a given CTL∗ formula φ, the
satisfaction relation |= at a position i in an infinite run ρ in the transition system T(S), is defined as following:
ρ, i |= p
⇔
def
p ∈ l(q), where ρ(i ) = hq, vi
ρ, i |= ψ(x1 , . . . , xn )
def
⇔
v |= ψ(x1 , . . . , xn ), where ρ(i ) = hq, vi
ρ, i |= ¬φ
def
⇔
ρ, i 2 φ
def
⇔
ρ, i |= φ or ρ, i |= φ0
def
ρ, i |= φ and ρ, i |= φ0
φ ∨ φ0
ρ, i |= φ ∧ φ0
⇔
ρ, i |= Xψ
def
ρ, i |=
⇔ ρ, i + 1 |= ψ
def
ρ, i |= ψ1 Uψ2
⇔ ρ, j |= ψ2 for some i ≤ j such that
ρ, i |= Eφ
def
j < |ρ| and ρ, k |= ψ1 for all i ≤ k < j
⇔
there exists a run ρ0 such that
ρ0 (0) = ρ(i ) and ρ0 , 0 |= ψ
Given a CTL∗ formula φ, a run ρ from a counter system S, we say
that ρ |= φ iff ρ, 0 |= φ.
31
32
definitions/preliminaries
As an example, the CTL∗ formula F(q6 ∧ A(x1 ≥ 8U ⊥)) where Fφ
and Aφ is a short form for CTL∗ formulas >Uφ and ¬E¬φ respectively.
It is satisfied by any run in which after reaching state q6 on every
path of execution, value counter 1 remains greater than or equal to 8
always. Again this formula is satisfied by the run
hq1 , (0, 0)i → hq5 , (1, 0)i → hq6 , (8, 2)i → hq7 , (10, 6)i → hq6 , (13, 7)i · · ·
from the flat counter system S given in Figure 2. Thus S, hq1 , (0, 0)i |=
F(q6 ∧ A(x1 ≥ 8U ⊥)).
There are many subclasses of CTL∗ that are studied in the literature, mainly CTL [EH85], CTL+ [Wil99], ECTL and ECTL+ [EH86].
One of the particular weak subclass of CTL∗ which is of particular interest to us is CTLEF in which the only (unary) temporal operator is EF
def
(EFφ = E (> U φ)). This fragment has been studied in [EH85] without
counter constraints. Moreover in [GHOW12], model-checking problem of CTLEF without counters is studied over parametric one-counter
automata. Later in Chapter 7, we show an equivalence for complexity
of model-checking procedure of CTL∗ and CTLEF which in turn will
prove the equivalence for all intermediate subclasses of CTL∗ .
2.5
verification problems
A specification is any formula or automata describing a property of a
system. A specification language L over a constrained alphabet is a set
of specifications A. In the following, we also call as linear specification
languages, the specification languages which specify properties about
runs of a counter systems like for our case, Past LTL and first-order
logic over ω-sequences, nondeterministic Büchi automata, alternating Büchi automata, linear µ-calculus, ETL. For linear specification
languages, each of the specifications A defines a set L( A) of ω-words
over the constrained alphabet and for a given counter system S, as
L( A) = {w ∈ 2at∪agn |ρ, 0 |= φ and ρ |= w, for any run ρ of S}
Here our working specification languages are related to Past LTL
(Chapter 4) and first-order logic over ω-sequences (Chapter 5), nondeterministic Büchi automata (Section 6.2.1), alternating Büchi automata, linear µ-calculus, ETL (Section 6.3), CTL∗ and its subclasses
(Chapter 7). Note that we explicitly introduce the notions of specification languages and specifications for the sake of clarity in later
usages. We will also consider specification languages over (unconstrained) standard finite alphabets (as usually defined) when showing model-checking procedure for various logics.
For a specification A, given a counter systems S and a configuration c in S, we say S, c |= A iff there exists a path (or a run) ρ in T(S)
starting with c such that ρ, 0 |= A. Now that we have defined the
2.5 verification problems
models and the specification languages to be used, we will now define the model checking problem itself formally. The model-checking
problem is parameterized by two parameters :
• a specification language L and
• a class of counter systems C .
Now, we define the Model-Checking problem, written as MC(L, C), where
L is a specification languages and C is a class of counter systems, as:
input: a counter system S, a configuration c and a specification A
from L
output: Whether S, c |= A?
It is a well-known result for general counter systems that reachability
problem is undecidable. This is due to the fact that reachability of
a control state is undecidable for counter systems manipulating at
least two counters [Min67]. Thus, the model-checking problem for
any specification language expressive enough to specify reachability
is undecidable with general counter systems. Restrictions like flatness
leads to decidability of this problem. The following theorem gives
us the decidability of model-checking problem for a very expressive
logic,
Theorem 2. [DFGvD10] MC(CTL∗ , FlatCS) is decidable.
Unfortunately the decision procedure proposed in [DFGvD10] involves an exponential reduction to the satisfiability problem for some
formulae of the Presburger arithmetic and as a consequence has a
high complexity. Herein the main classes of counter systems we will
consider are flat counter systems and flat Kripke structures. The specification languages considered are all of the above defined.
2.5.1 Related Works on Model-checking
For the specification languages that we consider here, the modelchecking problem over Kripke structures and some of its subclasses
are already studied. Regarding Past LTL, MC(PLTL, KS) is known to
be PSpace-complete [SC85]. Restricting Kripke structures with the
flatness constraint does yield a better complexity. For flat Kripke
structures (also known as weak Kripke structures), MC(LTL, FlatKS)
is known to be NP-complete [KF11]. Similarly, with respect to first order logic, the complexity bounds are higher, as MC(FO, KS) is shown
to be non-elementary [Sto74]. Even for this case, constrained structure
seems to give a much better complexity bound. It was shown that
MC(FO, Ultimately periodic path) is PSpace-complete in [MS03]. For
linear µ-calculus, along with its introduction in [Var88], it was shown
that MC(µTL, KS) is PSpace-complete. Similarly, it was shown that
33
34
definitions/preliminaries
both MC(ABA, KS) and MC(ETL, KS) are both PSpace-complete
in [MH84] and [Wol83] respectively. For the branching time specifications, the complexity bounds for different subclasses are not known.
For Kripke structures, MC(CTL, KS) is shown to be in PTime [CES86]
and MC(CTL∗ , KS) is shown to be PSpace-complete [EL87]. On the
other hand, for CTLEF , a weak fragment of CTL∗ , MC(CTLEF , KS) is
shown to be LOGCFL-complete in [BMT+ 11] (i.e. logspace reducible
to membership problem for context-free languages [Sud78]). Note
that all the results are only about Kripke structures and the specification do not have counter constraints. Compared to these, both the
models and the specification we investigate are more expressive.
2.5.2
Global Model-Checking Problem
We can also define the global model-checking problem over flat counter
systems with specification language L (written GMC(L, FlatCS)):
input: a flat counter system S of dimension n, a control state q, a
specification A from L,
output: compute a Presburger formula φ(z1 , . . . , zn ) whose solutions are exactly the counter values v such that there is a run
ρ starting at hq, vi and such that ρ |= A?
Being able to compute such a formula φ(z1 , . . . , zn ) amounts to have
a powerful symbolic representation of an infinite set of configurations sharing the same non-trivial property. Let us consider also the
variant problem known as the existential global model-checking problem over flat counter systems with specification language L (written
EGMC(L, FlatCS)):
input: a flat counter system S, a control state q, a specification A
from L;
question: are there counter values v such that there is a run ρ starting at hq, vi verifying ρ |= A?
As apparent from the definition, existential global model-checking
problem amounts to check whether the Presburger formula computed
by the global model-checking problem is satisfiable or not. Moreover, existential global model-checking problem is a decision problem
roughly equivalent to model-checking problem as stated below.
Lemma 3. Let L be a specification language. Then, there is a logspace reduction from EGMC(L, FlatCS) to MC(L, FlatCS) [resp. from MC(L,
FlatCS) to EGMC(L, FlatCS)].
Proof. Let S = h Q, Cn , ∆, li be a counter system of dimension n, q and
A be an instance of EGMC(L, FlatCS). Notice that the only difference
between instances of model checking problem and existential global
2.5 verification problems
model checking problem is that in the instance of model checking
problem we specify the counter values with which we start a run. In
order to build an instance of MC(L, FlatCS) for the reduction, we
construct a new counter system S0 = h Q0 , Cn , ∆0 , l0 i. We have Q0 =
new
new ∈
Q ∪ {qnew
/ Q for i ∈ [1, n]. Also, ∆0 =
1 , · · · , qn } such that qi
∆ ∪ {hqnew
, qnew
, >, xi i|i ∈ [1, n]} ∪ {hqnew
, qnew
i
i
i
i +1 , >, 0i|i ∈ [1, n − 1]} ∪
new
)=
{hqn , q, >, 0i}. where xi [ j] = 0 for all j 6= i and xi [i ] = 1. l0 (qnew
i
∅ and l0 (q) = l(q) for all q ∈ Q. Informally, we add a sequence of n
loops leading to q such that each loop increment only the ith counter.
0
0
The instance of MC(L, FlatCS) that we get is S0 , hqnew
1 , 0i, A where A
is the specification in L stating that A holds from q. The specification
A0 is obtained from A as following:
• PLTL : A0 = > U(q ∧ A).
• FO : A0 = ∃xq(x) ∧ A≥x ∧ (∀yy < x ∧ ¬q(y)) where A≥x is the
relativised version of A with every bounded variable z in A has
the clause z ≥ x.
• BS/ABS : Let A = h Q, ∆, qi , F i. We construct A0 = h Q0 , ∆0 , qi0 , F i
where Q0 = Q ∪ {q10 }, ∆0 = ∆ ∪ {hqi0 , >, qi0 i, hqi0 , q, qi i}.
• µTL : A0 = µx · (q ∧ A) ∨ Xx.
• CTL∗ : A0 = E(> U(q ∧ A)).
It is easy to see that there exists a vector v of counter values such that
there is a run ρ starting at hq, vi in S verifying ρ |= A iff there exists a
new , v[i ] + 1 times for
run ρ0 in S0 starting from hqnew
1 , 0i and visiting qi
0
0
i ∈ [1, n] before reaching q and ρ |= A .
For the reduction in the other direction, let S = h Q, Cn , ∆, li of dimension n, hq, vi and A be an instance of MC(L, FlatCS). We build
a new flat counter system S0 = h Q0 , Cn , ∆0 , l0 i with Q0 = Q ∪ {qnew },
∆0 = ∆ ∪ {hqnew , q0 , g ∧i∈[1,n] xi = v[i ], ui|hq, q0 , g, ui ∈ ∆} and l0 (qnew )
= ∅. The instance of EGMC(L, FlatCS) that we get is S0 , qnew and A.
Again it is obvious that for any run ρ0 in S0 starting from qnew must
start with the counter values v due to the guards on the transition
from qnew . Notice that the rest of S0 is same as S. Thus, if there exists
a run ρ in S starting from hq, vi then there exists a run ρ0 in S0 starting
with configuration hqnew , vi with the rest of the configurations same
as ρ. Hence, ρ |= A iff ρ0 |= A.
Thus, in the later chapters any complexity bounds obtained on the
model-checking problem can be considered as the complexity bound
for the existential model-checking problem. We will show the procedure for global model-checking for each of the specification seperately.
35
3
REDUCTION TO SIMPLER PROBLEMS
In the previous chapter we introduced minimal path schemas for
flat counter systems. To recall, a minimal path schema P is an ωregular expression over the alphabet of transitions and of the form
p1 (l1 )+ · · · pk−1 (lk−1 )+ pk (lk )ω where each pi is a finite path and each
li is a simple cycle of the given flat counter system and none of the
transitions appear more than twice. Minimal path schemas are important for us, as any given flat counter system can be decomposed
into a collection of a finite (exponential) number of minimal path
schemas such that every run in the counter system respects some
path schema [LS05]. As shown before, transitions from minimal path
schemas consists of guards and updates and hence can be considered
as a restricted flat counter system.
Due to the properties of minimal path schemas, an often-used technique is to encode the updates and guards appearing in a path schema
in a Presburger arithmetic formula. This gives us an effective way to
compute the set of reachable configurations in a flat counter system
using formulas from Presburger arithmetic. As we are not only interested in reachable sets of configurations, but rather on checking properties of possible runs of the flat counter system, it is still known to
be possible to compute a Presburger arithmetic formula encoding the
model checking problem. In fact, this method is used to show decidability of model-checking problems for quite expressive logics on flat
counter systems [DFGvD10]. Unfortunately, translating to Presburger
arithmetic does not always give us tight complexity bounds for the
problem. For the purpose of obtaining a model-checking procedure
with an optimal complexity bound, we decompose further a minimal path schema. We decompose a minimal path schema to a finite
(exponential) number of objects consisting of a path schema without
counter constraints and a quantifier-free Presburger arithmetic formula. It is easier to perform model-checking on such object as they do
not contain guards or updates in path schema and hence the known
model-checking algorithms, for Kripke structure and the likes, can
be applied. In this chapter, we will introduce constrained path schemas
that are more abstract than path schemas and finally show that flat
counter systems can be decomposed into a finite set of constrained
path schemas.
37
38
reduction to simpler problems
3.1
constrained path schema
A constrained path schema is a tuple consisting of an ω-regular expression of specific type (see definition below) over a constrained alphabet and a quantifier free Presburger arithmetic formula characterizing the number of times each loop of the path schema can be taken.
Recall, that a constrained alphabet h at, agn , Γi, consists of a finite set
of propositional variables at, a finite set of guards agn and the alphabet Γ ⊆ 2at∪agn . More formally, a constrained path schema cps over a
constrained alphabet h at, agn , Γi is a pair
h p1 (l1 )+ · · · pk−1 (lk−1 )+ pk (lk )ω , φ(y1 , . . . , yk−1 )i
where the first component is an ω-regular expression with pi ∈ Γ∗ ,
li ∈ Γ+ , and φ(y1 , . . . , yk−1 ) ∈ G(y1 , . . . , yk−1 ) is an arithmetic constraint specifying the number of times each loop li in the expression
can be taken. Such a constrained path schema defines a language
L(cps) ⊆ Γω that is a subset of the language defined by the ω-regular
expression obtained by taking into account the constraints on the repetition of the li ’s. More specifically, this language is defined as follows:
def
L(cps) = { p1 (l1 )n1 · · · (lk−1 )nk−1 pk (lk )ω ∈ Γω |φ(n1 , . . . , nk−1 ) is true
and n1 , n2 , . . . , nk > 0}
The size of cps, written size(cps), is equal to len( p1 l1 · · · lk−1 pk lk ) +
size(φ(y1 , . . . , yk−1 )). In the sequel, whenever we will define a constrained path schema cps over a constrained alphabet h at, agn , Γi,
we will assume, without loss of generality, that the size of Γ is linear in the size of cps (if it is not the case, one can remove the letters of Γ which do not appear in cps). Similar to a path schema,
given w ∈ L(cps), we write itercps (w) to denote the unique tuple in
iterP (w)[1]
(N \ {0})k−1 such that w = p1 l1
iterP (w)[2]
p 2 l2
. . . pk lkω . Moreover,
Definition 6. For a run ρ from a flat counter system and a constrained path
schema cps, we say that ρ respects cps iff there exists a word w ∈ L(cps)
such that ρ |= w.
Note that since the path schemas from a counter system were specified over transitions of counter system, the notion of a run ρ respecting a path schema P was defined as the ω-word of transitions followed by ρ belonging to the language associated with P. Whereas
constrained path schemas are defined over a constrained alphabet
Γ ⊆ 2at∪agn . A run ρ from a counter system can only satisfy any alphabet a ∈ Γ only at some configuration in ρ. Hence, the definition for ρ
respecting a constrained path schema cps is presented in above way.
Intuitively, a constrained path schema can be seen as a path schema
from a Kripke structure. The difference in this case is that the nodes
in the constrained path schema have as labels, not only propositional
3.2 decomposition of flat counter systems
variables but also atomic guards. There are no labels on transitions
but the number of times the loops are taken is restricted by an arithmetic constraint. We will clarify more about how constrained path
schemas are connected with minimal path schemas in the following
sections.
3.2
decomposition of flat counter systems
In this section, we will show how flat counter systems and constrained
path schemas are related. In fact we will show that we can construct
a set X of constrained path schemas corresponding to the given flat
counter system S, such that for every run ρ in S, there is a constrained
path schema cps ∈ X which is respected by ρ and vice-versa. By Theorem 1, we know that every run in a flat counter system respects
some minimal path schema from a finite set of path schemas. Here,
we will show the construction of an equivalent set X of constrained
path schemas from a given path schema P (equivalent in terms of the
runs respecting both).
The second component of any constrained path schema cps ∈ X
corresponding to a path schema P, is a quantifier-free Presburger formula φ characterizing the number of times each loop of cps can be
taken by a run respecting cps. As we will see in the next section it
suffices to allow formulas from only quantifier-free fragment of Presburger arithmetic to characterize the number of times each loop is
taken for any run respecting a constrained path schema. φ is constructed by taking into consideration the guards and updates appearing in the transitions of P. First we will show how to construct the
quantifier-free formula φ that characterizes all the infinite runs in a
path schema and then we will show how it is used for constrained
path schema.
3.2.1 Characterizing Infinite Runs with Quantifier-Free Presrburger Formula
In this section, we show how to build a quantifier-free Presburger formula from a path schema P and an initial configuration c0 such that
the formula encodes the set of all runs respecting P and starting from
c0 . This can only be done for path schemas without disjunctions in
guards that satisfy an additional infinitness property. A path schema
P = p1 l1+ p2 l2+ . . . pk lkω is said to have the infinitness property whenever
it satisfies the conditions below:
1. effect(lk )[i ] ≥ 0 for all i ∈ [1, n],
2. if all the guards in transitions in lk are conjunctions of atomic
guards, then for each guard occurring in the loop lk of the form
∑i ai xi ∼ b we have
39
40
reduction to simpler problems
• ∑i ai × effect(lk )[i ] ≤ 0 if ∼∈ {≤, <},
• ∑i ai × effect(lk )[i ] = 0 if ∼∈ {=},
• ∑i ai × effect(lk )[i ] ≥ 0 if ∼∈ {≥, >}.
It is easy to check that these conditions are necessary to visit the last
loop lk infinitely. More specifically, the conditions characterizes the
path schemas where it is possible to have a run respecting the path
schema, as stated in the following lemma,
Lemma 4. Given a path schema P, we have that,
1. if there exists a run ρ from S such that ρ respects P, then P is infinite,
2. checking whether P is infinite can be done in PTime in the size of P.
Proof.
1. Consider ρ respecting a path schema P from S. Since, any run
respecting P, takes lk , the last loop, infinitely many times, there
exists a position i ∈ N, such that trans(ρ>i ) = lkω . For Condition
1. of infinitness, let ρ[i ] = hq, vi where q ∈ Q and v[ j] ≥ 0 for
all j ∈ [1, n]. Assuming effect(lk )[ j] < 0 for some j ∈ [1, n], after
d(v[ j]/|effect(lk )[ j]|)e + 1 iterations of lk we will reach a configuration of the form hq0 , v0 i where v0 [ j] < 0. This contradicts our
assumption that ρ is a run of S. Hence, effect(lk )[ j] ≥ 0 for all
j ∈ [1, n].
Similarly, for Condition 2. of infinitness, consider a guard g =
∑m am xm ≤ b such that g is a guard occurring in guard(lk [ p])
for some p ∈ [1, len(lk )]. Let ρ[i + p] = hq, vi where q ∈ Q and
v[ j] ≥ 0 for all j ∈ [1, n]. Assuming, ∑m am × effect(lk )[m] > 0, after it = d(b − ∑m am × v[m])/(∑m am × effect(lk )[m])e iterations
of lk , it is clear that we will reach the configuration ρ[i + (it +
1) ∗ len(lk )] = hq0 , v0 i such that ∑m am × v0 [m] > b and hence
not satisfiying guard(lk [ p]) which will lead to a deadlock. This
contradicts our assumption that ρ, being a run in S, is an infinite sequence of configurations. Thus, ∑m am × effect(lk )[m] ≤ 0.
The proof for rest of the comparison operators in guards follows
similarly.
2. Note that checking Condition 1. amounts to computing effect(lk )
and checking condition 2. amounts to compute effect(lk ) and for
each guard of the form ∑i ai xi ∼ b, the value ∑i ai effect(lk )[i ].
Computation of effect(lk ) can be done in linear time, in the
size(lk ) which is bounded by size( P). Similarly, computing the
values ∑i ai effect(lk )[i ] for all guards can be done in linear time
in size( P). Hence checking whether a path schema is infinite or
not, can be done in linear time in size( P).
3.2 decomposition of flat counter systems
Now, let us consider a (not necessarily minimal) infinite path schema
P = p1 l1+ p2 l2+ . . . pk lkω (k ≥ 1) obtained from a flat counter system
S such that all the guards on transitions are conjunctions of atomic
guards of the form ∑i ai xi ∼ b where ai ∈ Z, b ∈ Z and ∼ ∈ {=, ≤,
≥, <, >}. Note that for the present construction of formula, we do
not allow disjunctions in guards. The case where disjunction occurs
in guard and their subsequent elemination is handled in Section 3.2.2.
The goal of this section (see Lemma 5 below) is to characterize the
set iterP (c0 ) ⊆ Nk−1 for some initial configuration c0 as the set of
solutions of a quantifier-free Presburger formula. For each loop li ,
we introduce a variable yi , whence the number of variables of the
system/formula is precisely k − 1. The quantifier-free Presburger formula Φ over the set of variables {y1 , . . . , yk−1 } is defined as a conjunction of atomic formulas of the form ∑i ai yi ∼ b where ai , b ∈ Z and
∼∈ {=, ≤, ≥, <, >}.
Let us build a formula Φ defined from P that characterizes the set
iterP (c0 ) included in Nk−1 for some initial configuration c0 = hq0 , v0 i.
First we will define some shorthand notations used in the formula
that follows. For all α ∈ [1, k ] and all i ∈ [1, n], we write effect< (lα )[i ]
to denote the term below:
v0 [i ]+(effect( p1 ) + · · · + effect( pα ))[i ]
+effect(l1 )[i ].y1 + . . . + effect(lα−1 )[i ].yα−1
It corresponds to the value of the counter i just before entering in the
loop lα taking into account that each loop li is taken yi times. Similarly,
for all α ∈ [1, k ] and all i ∈ [1, n], we write effect< ( pα )[i ] to denote
v0 [i ]+(effect( p1 ) + · · · + effect( pα−1 ))[i ]
+effect(l1 )[i ].y1 + . . . + effect(lα−1 )[i ].yα−1
It corresponds to the value of the counter i just before entering in
the segment pα . For each segment p in P (where p is either pα or lα
for α ∈ [1, k ]) and for each β ∈ [1, len( p)] the term below refers to
the value of counter i just before entering for the first time in the
transition after the βth transition of p:
effect< ( p)[i ] + effect( p[1] · · · p[ β])[i ]
Similarly, the value of counter i just before entering for the last time
in the transition after the βth transition of lα is represented by the
term below:
effect< (lα )[i ] + effect(lα )[i ](yα − 1) + effect(lα [1] · · · lα [ β])[i ]
where β ∈ [1, len(lα )]. The set of conjuncts in Φ is defined as follows.
Each conjunct corresponds to a specific constraint in runs respecting P.
41
42
reduction to simpler problems
Φ1 : Each loop is visited at least once:
y1 ≥ 1 ∧ · · · ∧ y k − 1 ≥ 1
Φ2 : Counter values are non-negative. We consider the conjunction of
the following constraints.
• For each segment p (loop or non-loop segment) and each
β ∈ [1, len( p)], the value of counter i just before entering
for the first time in the transition after the βth transition of
p is non-negative:
effect< ( p)[i ] + effect( p[1] · · · p[ β])[i ] ≥ 0
The segment p can be either a loop or a non-loop segment.
• For each α ∈ [1, k − 1] and each β ∈ [1, len(lα )], the value
of counter i just before entering for the last time in the
transition after the βth transition of lα is non-negative:
effect< (lα )[i ] + effect(lα )[i ](yα − 1) + effect(lα [1] · · · lα [ β])[i ] ≥ 0
Φ3 : Counter values should satisfy the guards the first time when a
transition is visited. For each segment p in P, each β ∈ [1, len( p)]
and each atomic guard ∑i ai xi ∼ b occurring in guard( p[ β]), we
add the atomic constraint:
∑ ai (effect< ( p)[i] + effect( p[1] · · · p[ β])[i]) ∼ b
i
Φ4 : Counter values should satisfy the guards the last time when a
transition is visited. This applies to loops only. For each α ∈
[1, k − 1], each β ∈ [1, len(lα )] and for each atomic guard ∑i ai xi ∼
b occurring in guard(lα [ β]), we add the atomic constraint:
<
∑i ai (effect (lα )[i ]+effect(lα )[i ](yα − 1)
+effect(lα [1] · · · lα [ β])[i ]) ∼ b
As will be seen later, it is enough to check the validity of the
guards for the first and last iteration of the loop to ensure the
validity in all the intermediate iterations. This follows due to
the monotonocity of the guards and their conjunctions. No condition is needed for the last loop since the path schema P is
infinite.
We denote Φ as the conjunction of all the equalities or inequalities obtained from Φ1 , Φ2 , Φ3 and Φ4 . First note that Φ is a quantifier-free
Presburger formula over the set of variables {y1 , · · · , yk−1 }. Hence
solutions of Φ is a vector v ∈ Nk−1 denoting the number of times
each internal loop in P can be taken in a run. Now we would like to
3.2 decomposition of flat counter systems
bound the size of Φ in terms of the size of P. Two important measures in computing the size of the constructed formula is to compute
the total number of conjuncts in Φ and the value of the maximum
constant appearing in the conjuncts. First, let us bound the number
of equalities or inequalities in Φ. To do so, we write N1 to denote the
number of atomic guards in P.
• The number of conjuncts in Φ1 is k.
• The number of conjuncts in Φ2 is bounded by
len( P) × n + len( P) × n = 2n × len( P).
where n is the number of counters in P.
• The number of conjuncts in Φ3 [resp. Φ4 ] is bounded by len( P)
× N1 .
So, the number of conjuncts in Φ is bounded by 2 × len( P) × (1 + n +
N1 ) ≤ 2 × len( P) × n(1 + N1 ). Since n, 1 + N1 ≤ size( P), we get that
this number is bounded by len( P) × 2 × size( P)2 .
Let K be the maximal absolute value of constants occurring in either
in P or in v0 . Let us bound the maximal absolute value of constants
in Φ. To do so, we start by a few observations.
• A path segment p has at most len( P) transitions and therefore
the maximal absolute value occurring in effect( p) is at most K ×
len( P).
• The maximal absolute value occurring in effect< ( p) is at most
K + K × len( P) = K (1 + len( P)). The first occurence of K comes
from the counter values in the initial configuration.
Consequently, we can make the following conclusions.
• The maximal absolute values of constants in Φ1 is 1.
• The maximal absolute values of constants in the first part of Φ2
is bounded by K (1 + len( P)) + Klen( P) ≤ (K + 1)(len( P) + 1).
• The maximal absolute values of constants in the second part of
Φ2 is bounded by K (1 + len( P)) + Klen( P) + Klen( P) ≤ 2(K +
1)(len( P) + 1). So, the maximal absolute values of constants in
Φ2 is bounded by 2(K + 1)(len( P) + 1).
• The maximal absolute values of constants in Φ3 or Φ4 is bounded
by n × K × 2(K + 1)(len( P) + 1) + K. The last occurrence of K
is due to the constant b in the atomic constraint.
Consequently, the maximal absolute value of constants in Φ is
bounded by 2n × K (K + 2) × (len( P) + 1). When P is a minimal path
schema, note that len( P) ≤ 2 × card(∆) ≤ 2 × size(S) and k ≤
card( Q) ≤ size(S).
43
44
reduction to simpler problems
Lemma 5. Let S = h Q, Cn , ∆, li be a flat counter system without disjunctions in guards, P = p1 l1+ p2 l2+ . . . pk lkω be one of its infinite path schemas
and c0 be a configuration. One can compute a quantifier-free Presburger
formula Φ such that
• the set of solutions of Φ is equal to iterP (c0 ),
• Φ has k − 1 variables,
• Φ has at most len( P) × 2 × size( P)2 conjuncts,
• the greatest absolute value from constants in Φ is bounded by 2n ×
K (K + 2) × (len( P) + 1) where K is the maximum absolute value of
constants appearing in P and v0 .
Proof. We consider the formula Φ as the one built above.
(?) Let ρ = hq0 , v0 ihq1 , v1 ihq2 , v2 i · · · be an infinite run respecting
the path schema P with c0 = hq0 , v0 i. We write f : {y1 , . . . , yk−1 } → N
to denote the valuation such that for every α ∈ [1, k − 1], we have
f (yα ) = iterP (ρ)[α]. f is extended naturally to terms built over variables in {y1 , . . . , yk−1 }, the range becoming Z. Let us check that indeed f |= Φ.
1. Since ρ respects P, each loop li is visited at least once and therefore f |= Φ1 .
2. We have seen that by definition, the value below
f (effect< ( pα )[i ] + effect( pα [1] · · · pα [ β])[i ])
is equal to the value of counter i just before entering for the first
time in the transition after the βth transition of p. Similarly, the
value below
f (effect< (lα )[i ] + effect(lα )[i ](yα − 1) + effect(lα [1] · · · lα [ β])[i ])
is equal to the value of counter i before entering for the last time
in the transition after the βth transition of lα . Since ρ is a run,
these values are non-negative, whence f |= Φ2 .
3. Since ρ is a run, whenever a transition is fired, all its guards are
satisfied. Hence, for each segment p in P, for each β ∈ [1, len( p)]
and each atomic guard ∑i ai xi ∼ b ∈ guard( p[ j]), we have
∑ ai f (effect< ( p)[i] + effect( p[1] · · · p[ β])[i]) ∼ b
i
Similarly, for each α ∈ [1, k − 1], each β ∈ [0, len(lα ) − 1] and
each atomic guard ∑i ai xi ∼ b ∈ guard(lα ( β)), we have
<
∑i ai f (effect (lα )[i ] +effect(lα )[i ](yα − 1)
+effect(lα [0] · · · lα [ β − 1])[i ]) ∼ b
Consequently, f |= Φ3 ∧ Φ4 .
3.2 decomposition of flat counter systems
(??) It remains to show the property in the other direction.
Let f : {y1 , . . . , yk−1 } → N be a solution of Φ. Let
f (y1 )
w = p 1 l1
f (yk −1 )
· · · p k −1 l1
pk lkω ∈ ∆ω
We define a pseudo-run corresponding to a word w0 ∈ ∆ω as an ωsequence ρ0 = hq0 , x0 ihq1 , x1 ihq2 , x2 i · · · ∈ ( Q × Zn )ω where:
def
• For every i ≥ 0, qi = source(w0 [i + 1]),
def
def
• x0 = v0 and for every i ≥ 1, we have xi = xi−1 + update(w0 [i ]).
In order to show that the pseudo-run ρ0 corresponding to w defined
above, is indeed an infinite run respecting P, we have to check three
main properties.
1. Since f |= Φ2 , for each path segment pα for α ∈ [1, k] in P and
each β ∈ [2, len( pα )], counter values just before entering for the
first time in the transition after the βth transition of pα are nonnegative.
Moreover, for each α ∈ [1, k − 1] and each β ∈ [1, len(lα )], in
addition to the non-negativity of counter values just before entering the first time in the transition after βth transition of lα
we also ensure that counter values just before entering for the
last time in the transition after the βth transition of lα are nonnegative too. We have also to guarantee that for j ∈ [2, f (yα ) − 1],
counter values just before entering for the jth time in the transition after the βth transition of lα are non-negative. To see this,
note that effect(lα ) is fixed for every iteration of lα and that the
guards are convex combinations of the counter values. It is easy
to see that the function f (i ) = ∑ j a j (k + i × effect(lα )[ j]) for any
guard g = ∑i ai xi ∼ b and some constant k is a monotonic function. By definition Φ2 ensures f (1) ≥ 0 and f (yα ) ≥ 0 and
hence ensures for j ∈ [2, f (yα ) − 1], f ( j) ≥ 0. Consequently, for
all i ≥ 0, we have xi ≥ 0.
2. Similarly, counter values should satisfy the guards for each fired
transition. Since f |= Φ3 , for each segment p in P, each β ∈
[1, len( p)] and each atomic guard ∑i ai xi ∼ b ∈ guard( p[ j]),
counter values satisfy it the first time the transition is visited.
Moreover, since f |= Φ3 , for each α ∈ [1, k − 1], each β ∈
[1, len(lα )] and each atomic guard ∑i ai xi ∼ b ∈ guard(lα ( β))
occurs, counter values satisfy it the first time the transition is
visited. However, we have also to guarantee that for every j ∈
[2, f (yα ) − 1], counter values just before entering for the jth time
in the transition after the βth transition of lα , all the guards are
satisfied. This is a consequence of the fact that if ∑i ai z[i ] ∼ b
and ∑i ai (z + f (yα )effect(lα ))[i ] ∼ b, then for j ∈ [2, f (yα ) − 1],
we have ∑i ai (z + j × effect(lα ))[i ] ∼ b (convexity). Hence, ρ0 is a
run starting at c0 .
45
46
reduction to simpler problems
3. It remains to show that ρ0 respects P. Since ρ0 is a run (see (1)
and (2) above), by construction of ρ0 , it respects P thanks to
f |= Φ1 . Indeed, by definition, each loop has to be visited at
least once.
Thus, we showed that we can construct a polynomial size quantifierfree Presburger formula corresponding to a given path schema with
only conjunctive guards such that it characterizes the number of times
each loop in the path schema can be taken by a run respecting the
path schema.
3.2.2
From One Path Schema to Several Path Schemas
The problem with arithmetical constraints as built in the last section,
is that they can only characterize runs in a path schema where the
guards appearing on the transitions do not contain disjunction. Having disjunction in the guards is not a problem though, if we allow
quantifiers in the constructed formula. On one hand we would like
to allow disjunction in the guards in our definition of guards in flat
counter systems and on another hand we would like to solve only
quantifier-free fragment of Presburger arithmetic. This leaves us with
two ways to encode the runs using quantifier-free Presburger formula.
1. Encode the runs in a path schema (with disjunctive guards) using quantified Presburger formula and perform quantifier elimination procedure to obtain a quantifier-free Presburger formula,
2. Transform the path schema with disjunctive guards to a path
schema without disjunction in guards and encode the runs in
the transformed path schema using quantifier-free Presburger
formula.
The quantifier elimination procedure in the first method may involve
at least an exponential blow-up in the size of the formula and hence
is computationally expensive. This in fact undermines the reason
why we would like to solve only quantifier-free Presburger formula.
Whereas with the second method, as we will show in the rest of
the chapter, we obtain a polynomial size formula with some nondeterministic guesses. To obtain a better complexity for the modelchecking procedure we will in fact follow the second method of first
translating a path schema into another with no disjunction in guards.
Note that disjunction again, can be easily eliminated by translating
the guard in disjunctive normal form and splitting the edge with disjunctive guard into parallel edges, where each of the parallel edges
are labelled with one of the disjuncts and same update as the original one. Unfortunately, this procedure does not always preserve the
3.2 decomposition of flat counter systems
flatness of the system, specifically when the operation is done for an
edge inside a loop. Moreover, there could be a potential blowup in
the size of the system while converting the guard with disjunction
into disjunctive normal form. Thus, our aim is to eliminate disjunction from the guards of the system and still preserve the flatness of
the system. This is done in the present section.
Given a flat counter system S = h Q, Cn , ∆, li, a configuration c0 =
hq0 , v0 i and a minimal path schema P starting from the configuration
c0 , we build a finite set YP of extended path schemas such that
1. each extended path schema in YP has transitions without disjunctions in guards,
2. existence of a run respecting P is equivalent to the existence of
an extended path schema in YP having a run respecting it,
3. each extended path schema in YP is obtained from P by unfolding loops so that the terms in each loop satisfy the same atomic
guards.
Intuitively, the set of extended path schemas contains no disjunction
in the guards on the transitions and yet effectively allows the same
set of runs as allowed by P. This is obtained by unfolding the loops in
P and labelling the states with guards that are satisfied at each place.
A loop l of P unfolded i times results in the structure of the form
l1+ ll2+ · · · lli+ , i.e. the loop l is copied i times, l1 , · · · , li with a copy
of the same loop connecting two adjacent copies. In the subsequent
sections we will describe how to construct the set YP more formally.
Moreover, we shall see that the cardinality of YP is at most exponential
in the size of P.
3.2.2.1 Term maps
Before defining YP , let us introduce a few definitions and concepts
which will be helpful in the construction of YP . Let B be a finite
non-empty set of integers containing all the constants b occurring in
guards of S of the form t ∼ b and T be a finite set of terms containing
all the terms t occurring in guards of S of the form t ∼ b. Assuming
that B = {b1 , . . . , bm } with b1 < · · · < bm , we write I to denote the
finite set of intervals
I = {(−∞, b1 − 1], [b1 , b1 ], [b1 + 1, b2 − 1], · · · , [bm , bm ], [bm + 1, ∞)}
Note that [b j + 1, b j+1 − 1] = ∅ if b j+1 = b j + 1. In that case, we remove
such intervals from I. Moreover, I contains at most 2m + 1 intervals
and at least m + 2 intervals. We consider the natural linear ordering
≤ on intervals in I that respects the standard relation ≤ on integers.
In other words,
(−∞, b1 − 1] ≤ [b1 , b1 ] ≤ [b1 + 1, b2 − 1] ≤ · · · ≤ [bm , bm ] ≤ [bm + 1, ∞)
47
48
reduction to simpler problems
~ is a map m
~ : T → I that abstracts term values. We
A term map m
denote as size(~
m) the sum of sizes size(~
m(t)) for all terms t ∈ T.
Definition 7. Given a loop effect u ∈ Zn , we define the relation u such
def
~ u m
~ 0 ⇔ for every term t = ∑i ai xi ∈ T, we have
that m
~ (t) ≤ m
~ 0 (t) if ∑i ai u[i ] ≥ 0,
• m
~ (t) ≥ m
~ 0 (t) if ∑i ai u[i ] ≤ 0,
• m
~ (t) = m
~ 0 (t) if ∑i ai u[i ] = 0.
• m
~ 0 and m
~ 6= m
~ 0.
~ 0 whenever m
~ u m
~ ≺u m
We write m
Intuitively, for a loop l, at any position β ∈ [1, len(l )], if the term
~ and m
~ 0 respecmaps at the iteration i and j of l at position β is m
0
~ effect(l ) m
~ iff i ≤ j. In other words, within a run, the
tively, then m
term maps evolve according to the order specified by effect(l ) . We
can in fact show that sequences of strictly increasing term maps have
bounded length.
~ 1 ≺u m
~ 2 ≺u · · · ≺u m
~ L . Then, L ≤
Lemma 6. Let u ∈ Zn and m
card( I ) × card( T ) ≤ 2 × card( T ) × card( B) + card( T ).
~ and a term t, m
~ (t) can obviously take
Proof. Given a term map m
one of the card( I ) values from I. For each term t,
~ 1 (t) ≤ · · · ≤ m
~ L (t)
(increasing) either m
~ L (t) ≤ · · · ≤ m
~ 1 (t).
(decreasing) or m
Since there are card( T ) terms, the number of different maps that
are either decreasing or increasing can be card( T ) × card( I ). Again,
we know that card( I ) ≤ 2 × card( B) + 1. Hence, L, the number of
different term maps in a sequence which is either increasing or decreasing, can be at most card( I ) × card( T ) ≤ 2 × card( T ) × card( B) +
card( T ).
Given a guard g using the syntactic resources from T, B, and a term
~ , we write m
~ ` g with the following inductive definition:
map m
~ `t=b
m
⇔
def
~ (t) = [b, b]
m
~ `t≤b
m
def
⇔
~ (t) ⊆ (−∞, b]
m
~ `t≥b
m
def
⇔
~ (t) ⊆ [b, +∞)
m
~ `t<b
m
def
⇔
~ (t) ⊆ (−∞, b)
m
~ `t>b
m
def
⇔
~ (t) ⊆ (b, +∞)
m
~ ` ¬g1
m
def
⇔
~ 0 g1
m
~ ` g1 ∧ g2
m
def
⇔
~ ` g1 and m
~ ` g2
m
~ ` g1 ∨ g2
m
def
~ ` g1 or m
~ ` g2
m
⇔
The relation ` is nothing else than the symbolic satisfaction relation
between term values and guards. The relation 0 is defined similarly
3.2 decomposition of flat counter systems
as ` but it is satisfied not by inclusion of the term map in the respective interval but by empty intersection of the term map and the
def
~ 0t≤b ⇔ m
~ (t) ∩ (−∞, b] = ∅.
respective interval. For example m
Since term maps and guards are built over the same sets of terms and
constants, completeness is obtained as stated in Lemma 7(II) below.
Furthermore, Lemma 7(I) states that the relation ` is easy to check.
Lemma 7.
~ ` g can be checked in PTime in size(~
(I) m
m) + size(g).
~ ` g iff for all v : {x1 , x2 , · · · , xn } → N such that for all t ∈ T,
(II) m
~ (t) we have v |= g.
v (t) ∈ m
~ 0 g iff for all v : {x1 , x2 , · · · , xn } → N such that for all t ∈ T,
(III) m
~ (t) we have v 2 g.
v (t) ∈ m
It is worth noting that size(~
m), denoting the space required to en~ , is bounded by O(card( I ) × card( T )).
code m
Proof.
(I) For the polynomial time algorithm we follow the steps below.
First, for each constraint t ∼ b appearing in g, we replace it
~ ` t ∼ b or
either > (true) or ⊥ (false) depending whether m
not. After replacing all constraints, we are left with a positive
Boolean formula whose atomic formulae are either > or ⊥. It
can be evaluated in logarithmic space in the size of the resulting
formula (less than size(g)), see e.g. [Lyn77].
~ and a constraint t ∼ b, checkNote that given a term map m
~ ` t ∼ b amounts to checking the containement of intering m
~ (t) in a specified interval depending on ∼. This can be
val m
achieved by comparing the end-points of the intervals, which
can be done in polynomial time in size(t) + size(~
m). As the
number of constraints is also bounded by size(g), the replacement of atomic constraints can be performed in polynomial
time in size(~
m) + size(g). Thus, the procedure completes in time
polynomial in size(~
m) + size(g).
~ ` g and some v : {x1 , x2 , · · · , xn } → N such
(II)& (III) Consider that m
~ (t) for each term t ∈ T. Now we
that v(t) lies in the interval m
prove inductively on the structure of g that v |= g.
– Base Case: As base case we have arithmetical constraints
of the guard. Consider the constraint is of the form t ≤ b.
~ ` g, we have that m
~ (t) ⊆ (−∞, b]. Since, v(t) lies
Since, m
~ (t), v(t) ∈ (−∞, b]. Note that, in this case
in the interval m
v |= t ≤ b. Similarly, for other constraints t ∼ b, observe
~ (t) then v(t) lies in the interval specified
that if v(t) ∈ m
in the definition of ` and thus, v |= t ∼ b.
49
50
reduction to simpler problems
– Inductive step: For a given guard g, we assume that for
~ ` g0 iff for any v :
all subformula g0 of g, we have that m
~ (t)
{x1 , x2 , · · · , xn } → N such that for all t ∈ T, v(t) ∈ m
0
~ 0 g0
we have v |= g . Alternatively, we also assume that m
iff for any v : {x1 , x2 , · · · , xn } → N such that for all t ∈ T,
~ (t) we have v 2 g0 .
v (t) ∈ m
~ ` g iff
Consider the case that g = ¬g0 . By definition, m
~ 0 g0 . By induction hypothesis, m
~ 0 g0 iff for any v :
m
~ (t)
{x1 , x2 , · · · , xn } → N such that for all t ∈ T, v(t) ∈ m
we have v 2 g0 . By definition of 2, for any v : {x1 , x2 , · · · , xn }
~ (t), v 2 g0 iff v |= ¬g0 .
→N such that for all t ∈ T, v(t) ∈ m
Hence, v |= g for any v : {x1 , x2 , · · · , xn } → N where for
~ (t).
all t ∈ T, v(t) ∈ m
The induction step for ∧ and ∨, follows easily.
On the other hand, consider all valuations v such that for each
~ (t) we have v |= g. Similar to above, we will use
t ∈ T, v(t) ∈ m
~ `g
inductive argument to show that m
– Base Case: Again consider arithmetical constraints of the
guard. Specifically, we consider constraints of the form t ≥
b. As v |= t ≥ b, we know that v(t) ∈ [b, +∞). Since,
~ (t), we have that, v(t) ∈ m
~ (t) ∩ [b, +∞). Morev (t) ∈ m
over, since b appears in g, by construction of I, b is a bound~ (t) = [i, j] either
ary of two intervals. By construction, if m
~ (t) ∩ [b, +∞) 6= ∅, we have
i, j ≥ b or i, j ≤ b. Since, m
~ (t) ⊆ [b, +∞), which implies that
that i, j ≥ b. Thus, m
~ ` t ≥ b. Similarly, for constraints of other forms t ∼ b,
m
v(t) lies in the interval exactly specified in the definition
~ (t) is a subset of it. Thus, m
~ ` t ∼ b.
of ` and m
– Inductive step: As induction hypothesis we assume that
~ , all subformulas g0 of
for a given guard g and term map m
g have the property that for all valuations v such that for
~ (t) we have v |= g iff m
~ ` g0 . Also, for
each t ∈ T, v(t) ∈ m
~ (t) we
all valuations v such that for each t ∈ T, v(t) ∈ m
~ 0 g0 .
have v 2 g iff m
Consider the guard g = ¬g0 satisfied by for all valuation v
~ (t). Thus, for all such
such that for each t ∈ T, v(t) ∈ m
0
~ 0 g0 and
valuations v 2 g . By induction hypothesis, m
~ ` ¬g0 .
hence by definition of `, we have m
Consider the guard g1 ∧ g2 sattisfied by valuation v. As
~ ` g1 and
v |= g1 and v |= g2 , by induction hypothesis, m
~ ` g2 . Hence, m
~ ` g1 ∧ g2 .
m
The case for ∨ proceeds similarly.
3.2 decomposition of flat counter systems
3.2.2.2
Unfolding
Our aim in introducing term maps was to be able to identify and label each position in a path schema, with the intervals. One can draw
similarity between this technique of labelling states with intervals for
satisfiability of guards with the technique of construction of region
automata for timed automata in [AD94]. In fact the intervals used
here are similar to clock regions of timed automata. The labelling is
done in a way such that the configuration of any run at that position
satisfies the property that the valuation of the terms with the counter
values of the configuration lies in the specified interval. A close inspection will reveal that positions in a loop can have different term
maps depending on the iteration of the loop. To label the loops consistently, we will need to unfold the loops accordingly. In effect, the
extended path schemas in YP will have additional labels which are
term maps and possibly unfolding of loops. In this section we show
how extended path schemas in YP are constructed and prove several
properties about the path schemas which will be useful subsequently.
A resource R is a triple h X, T, Bi such that X ⊆ AT is a finite set of
propositional variables, T is a finite set of terms and B is a finite set
of integers. Without any loss of generality, we assume that all these
sets are non-empty in order to avoid treatments of (easy) particular
cases. A footprint is an abstraction of a run from a counter system
where labels are restricted to elements from the resource R. More
precisely, a fooprint ft is of the form ft : N → 2X × I T where I is
the set of intervals built from B, whence the first element of ft(i ) is a
propositional valuation and the second one is a term map.
Definition 8. Let R = h X, T, Bi be a resource and ρ = hq0 , v0 i, hq1 , v1 i · · ·
be an infinite run of S. The footprint of ρ with respect to R is the footprint
def
~ i i where for every
ftρ such that for i ≥ 0, we have ftρ (i ) = hl(qi ) ∩ X, m
~ i (t).
term t = ∑ j a j x j ∈ T, we have ∑ j a j vi [ j] ∈ m
Note that due to the shape of constraints and since I is a partition
of Z, ∑ j a j ~vi [ j] belongs to a unique element of I. Hence, Definition 8
makes sense. The footprint of a run consists of the set of only the
atomic propositions satisfied at any position and the interval in which
each of the term lies at the position. We will in fact later show the
equivalence of footprints of the runs respecting P and the footprints
of the runs respecting path schemas from YP . Let R = h X, T, Bi be
a resource and P = p1 l1+ p2 l2+ . . . pk lkω be a minimal path schema. In
order to define the set of path schemas YP , we need to define other
objects such as new set of guards, control states, transitions and other
objects from P.
51
52
reduction to simpler problems
Let ∆ P be the set of transitions occurring in P and Q0 be Q ×
~ , we write
I T . Given t = ∑ j a j x j ∈ T, u ∈ Zn and a term map m
~ (t)) to denote the formula below (with b ≤ b0 and [b, b0 ] ∈ I):
ψ(t, u, m
def
ψ(t, u, (−∞, b])=∑ j a j .x j ≤ (b − ∑ j a j u[ j])
def
ψ(t, u, [b, +∞))=∑ j a j .x j ≥ (b − ∑ j a j u[ j])
ψ(t, u, [b, b0 ])
def
=∑ j a j .x j ≤ (b0 − ∑ j a j u[ j]) ∧ ∑ j a j .x j ≥ (b − ∑ j a j u[ j])
The formulae of the form ψ(t, u, int), where int ∈ I have been
designed to satisfy the property that whenever there is a valuation
v satisfying ψ(t, u, int), the values after applying the update u lies
within the specified interval int. Intuitively, these are the guards that
ensure that the term maps are followed by the runs respecting the
path schema.
Lemma 8. Let v : {x1 , . . . , xn } → N and v0 : {x1 , . . . , xn } → N be such
that for every i ∈ [1, n], v0 (xi ) = v(xi ) + u[i ]. For every interval int ∈ I,
for every term t ∈ T, we have v |= ψ(t, u, int) iff v0 (t) ∈ int.
Proof. Given the valuations v and v0 as defined in the statement, first
we assume that for any term t = ∑ j a j .x j , where v |= ψ(t, u, int). Let
k = ∑ j a j .v(x j ) We consider the three cases based on int,
• int = (−∞, b]: By definition of ψ(t, u, (−∞, b]), we know that
k ≤ (b − ∑ j a j u[ j]). Thus, ∑ j a j .(v(x j ) + u[ j]) ≤ b which by definition of v0 gives us that ∑ j a j .v0 (x j ) ≤ b. Hence, v0 (t) ≤ b or
v0 (t) ∈ (−∞, b].
• int = [b, +∞): By definition of ψ(t, u, [b, +∞)), we know that
k ≥ (b − ∑ j a j u[ j]). Thus, ∑ j a j .(v(x j ) + u[ j]) ≥ b which by definition of v0 gives us that ∑ j a j .v0 (x j ) ≥ b. Hence, v0 (t) ≥ b or
v0 (t) ∈ [b, +∞).
• int = [b, b0 ]: By definition of ψ(t, u, [b, b0 ]), we know that k ≤
(b0 − ∑ j a j u[ j]) and k ≥ (b − ∑ j a j u[ j]). Thus, ∑ j a j .(v(x j ) + u[ j]) ≤
b0 and ∑ j a j .(v(x j ) + u[ j]) ≥ b which by definition of v0 gives us
that ∑ j a j .v0 (x j ) ≤ b0 and ∑ j a j .v0 (x j ) ≥ b. Hence, v0 (t) ≤ b0 and
v0 (t) ≥ b which in turn implies that v0 (t) ∈ [b, b0 ].
For the other side assume that for any term t = ∑ j a j .x j , where v0 (t) ∈
int. We will show that v |= ψ(t, u, int). Depending on int, we again
have three cases.
• int = (−∞, b]: Since, v0 (t) ∈ (−∞, b], where ∑ j a j .v0 (x j ) ≤ b
which again gives us ∑ j a j .(v(x j ) + u[ j]) ≤ b by definition of v
and v0 . By simplification, we have ∑ j a j .v(x j ) ≤ (b − ∑ j a j u[ j]).
By definition of the satisfaction relation and definition of ψ(t, u,
(−∞, b]) we get v |= ψ(t, u, (−∞, b]).
3.2 decomposition of flat counter systems
• int = [b, +∞): Since, v0 (t) ∈ [b, +∞), where ∑ j a j .v0 (x j ) ≥ b
which again gives us ∑ j a j .(v(x j ) + u[ j]) ≥ b by definition of v
and v0 . By simplification, we have ∑ j a j .v(x j ) ≥ (b − ∑ j a j u[ j]).
By definition of the satisfaction relation and definition of ψ(t, u,
[b, +∞)) we get v |= ψ(t, u, [b, +∞)).
• int = [b, b0 ]: Since, v0 (t) ∈ [b, b0 ], where ∑ j a j .v0 (x j ) ≥ b and
∑ j a j .v0 (x j ) ≤ b0 which again gives us ∑ j a j .(v(x j ) + u[ j]) ≥ b
and ∑ j a j .(v(x j ) + u[ j]) ≤ b0 , by definition of v and v0 . By simplification, we have ∑ j a j .v(x j ) ≥ (b − ∑ j a j u[ j]) and ∑ j a j .v(x j ) ≤
(b0 − ∑ j a j u[ j]). By definition of the satisfaction relation and definition of ψ(t, u, [b, b0 ]) we get v |= ψ(t, u, [b, b0 ]).
In order to be able to restrict runs to satisfy the term map labels
at each position, we are going to introduce guards which are conjunction of atomic constraints checking that the terms belong to the
intervals specified by the term maps. We write G? ( T, B, U ) to denote
~ (t)) where t ∈ T, u ∈ U with
the set of guards of the form ψ(t, u, m
~ : T → I. Note that by
U being the finite set of updates from P and m
~ (t)), each guard in G? ( T, B, U ) is of polynoconstruction of ψ(t, u, m
mial size in the size of P.
We define ∆0 as a finite subset of Q0 × ∆ P × G? ( T, B, U ) × U ×
Q0 with ∆ P being the set of transitions from P such that for every
δ,hg 0 ,ui
~
m
~ i −−−−
~ 0 i ∈ ∆0 , the conditions below are satisfied:
hq, m
→ hq0 , m
• q = source(δ) and q0 = target(δ),
• gm
~ 0 is a guard that states that after the update u, for each t ∈ T,
V
~ 0 (t ). gm
~ 0 (t))
its value belongs to m
~ 0 is equal to t∈ T ψ (t, u, m
~ `
• Term values belong to intervals that make true guard(δ), i.e. m
guard(δ).
• u = update(δ).
δ,hg 0 ,ui
~
m
~ i −−−−
~ 0i ∈
We extend the definition of source(δ) to δ0 = hq, m
→ hq0 , m
~ i and target(δ0 ) = hq0 , m
~ 0 i. Similarly,
∆0 . We define source(δ0 ) = hq, m
for a finite word w ∈ (∆0 )∗ , we define source(w) = source(w[1]) and
target(w) = target(w[len(w)]).
A skeleton sk (compatible with path schema P and hq0 , v0 i), say
δ1 ,hg1 0 ,u1 i
δK ,hgK 0 ,uK i
δ2 ,hg2 0 ,u2 i
~
~
~
m
m
m
~ 1 i −−−−−
~ 2 i −−−−−
~ 3 i · · · −−−−−
~ K +1 i,
h q1 , m
→ h q2 , m
→ h q3 , m
→ h q K +1 , m
0
is a finite word over ∆ such that
~ 1 (t)
(init) For every term t = ∑ j a j x j ∈ T, we have ∑ j a j v0 [ j] ∈ m
where v0 is the initial vector.
(schema) Let f : (∆0 )∗ → ∆∗ be the map where f (ε) = ε, f (w · w0 )
δ,hg 0 ,ui
~
m
~ i −−−−
~ 0 i) = δ. We require
= f (w) · f (w0 ) and f (hq, m
→ hq0 , m
+
+
+
that f (sk) ∈ p1 l1 p2 l2 . . . pk lk .
53
54
reduction to simpler problems
δI ,hg I 0 ,u I i
~
m
~ I i −−−−→
~ I +1 i · · ·
(minimality) For every factor w = hq I , m
h q I +1 , m
J −1
δ J −1 , hgm
,u J −1 i
~0
~ J i of sk such that f (w) = l 3 for some loop l
−−−−−−−→ hq J , m
of P (therefore J = I + 3 × len(l )), there is α ∈ [1, len(l )] such
~ I +α ≺effect(l ) m
~ I +α+2×len(l ) .
that m
(last-loop) For the unique suffix w of sk of length len(lk ), we have
f (w) = lk and source(w) = target(w).
The property (init) states that the valuation of any term given by
~ 1 . Property
the initial configuration lies in the interval defined by m
(schema) states that the skeleton actually follows the path schema.
The (minimality) ensures the minimality of the skeleton, that is a
loop is unfolded in the skeleton only when the term map on some
position changes from one copy to another. Note that, unfolding of a
loop once produces a structure of the form l + .l.l + where first and last
copy of the loop is considered again as loops and the second copy as a
path connecting the loops. This is due to the fact that the structure of
a path schema dictates alternation between path and loop segments.
Thus, for unfolded loops we should have at least 3 copies of the loop
in the skeleton. Finally (last-loop) states that the skeleton ends with
a loop.
Lemma 9. For a skeleton sk, len(sk) ≤ (len( p1 ) + · · · + len( pk )) + 2 ×
(2 × card( T ) × card( B) + card( T )) × (len(l1 ) + · · · + len(lk )).
Proof. Since f (sk) ∈ p1 l1+ p2 l2+ . . . pk lk+ , let f (sk) = p1 l1n1 p2 l2n2 . . . pk lknk
for some n1 , . . . , nk ≥ 1. We have len(sk) ≤ (len( p1 ) + · · · + len( pk )) +
max (ni ) × (len(l1 ) + · · · + len(lk )). It remains to bound the values
n1 , . . . , nk . For each factor w of sk such that f (w) = (li )ni with i ∈
[1, k], by the (minimality) condition the number of different copies of
li is bounded by 2 times the number of different possible term map labels to any node of li . By Lemma 6, the maximum number of different
possible term maps for any loop li is 2 × card( T ) × card( B) + card( T ).
From these, we can conclude that ni ≤ 2 × (2 × card( T ) × card( B) +
card( T )). Consequently, len(sk) ≤ (len( p1 ) + · · · + len( pk )) + 2 ×
(2 × card( T ) × card( B) + card( T )) × (len(l1 ) + · · · + len(lk )).
From skeletons, we shall define path schemas built over the alphabet Q0 × G? ( T, B, U ) × U × Q0 (transitions are not anymore formally labelled by elements in ∆ P ; though sometimes we keep these
labels for convenience). Note that the new extended path schemas
are built with respect to a given resource R and path schema P. As
˜ be a finite subset of Q0 × G? ( T, B, U ) ×
for the definition of f , let ∆
˜ )∗ be the map such that h(ε) = ε,
U × Q0 and let h : (∆0 )∗ → (∆
δ,hg 0 ,ui
hg 0 ,ui
~
~
m
m
~ i −−−−
~ 0 i) = hq, m
~ i −−−
→
h(w · w0 ) = h(w) · h(w0 ) and h(hq, m
→ hq0 , m
~ 0 i. This time, elements of ∆ P are removed instead of being kept
hq0 , m
as for f . Given a skeleton sk, we shall define a path schema Psk =
p10 (l10 )+ p20 (l20 )+ . . . p0k0 (lk0 0 )ω such that h(sk) = p10 l10 p20 l20 . . . p0k0 lk0 0 . Hence,
3.2 decomposition of flat counter systems
skeletons slightly differ from the path schemas. It remains to specify
how the loops in Psk are identified.
δI ,hg I 0 ,u I i
δ J −1 ,hg J −0 1 ,u J −1 i
~
~
m
m
~ I i −−−−→
~ I +1 i · · · −−−−−−−
Every factor w = hq I , m
h q I +1 , m
→
~ J i of sk represents a loop (any loop except the last) iff the folhq J , m
lowing conditions hold,
1. f (w) = l for some loop l of P
2. w is not the suffix of sk of length len(lk ),
3. the sequence of the α × len(l ) previous elements before w is also
equal to wα , for some even number α ≥ 0,
Intuitively, the conditions state that w should be a copy of a loop, w
should not be the last copy of last loop and starting from the first, every alternate copy of l should be loop. Thus, the odd position copies
of the loop from P is also considered a loop in a skeleton and hence
Condition 3 specifies that a copy of loop is considered a loop in skeleton only when there are even number of copies of loop before it. Finally, lk0 0 is equal to h(w) where w is the unique suffix of sk of length
len(lk ). Note that the path schema Psk is unique by the condition
(minimality). Indeed, there is no factor of sk of the form w3 such
that f (w) = l for some loop l of P. As far as the labelling function is
~ i are identical with respect to the
concerned, the labels of q and hq, m
def
~ i) = l(q) ∩ X. Hence,
set X, i.e. l0 (hq, m
1. k0 ≤ k × (2 × card( T ) × card(K ) + card( T )),
2. len( Psk ) ≤ (len( p1 ) + · · · + len( pk )) + 2(2 × card( T ) × card(K ) +
card( T )) × (len(l1 ) + · · · + len(lk )),
3. Psk has no guards with disjunctions.
Note that construction of a path schema from a skeleton, cannot be
done by simply taking the path segments as before and the copies of
the loop segments as alternating path and loop segments in the new
path schema. For example consider this system with one counter x,
I = {(−∞, −1], [0, 0], [1, 1], [2, 2], [3, ∞)} and T = {x + 1}.
In Figure 5,
• p1 (l11 )+ l12 (l13 )+ l14 (l15 )+ p2 (l2 )ω does not have any run respecting it
as a path schema, as the loops l11 , l13 cannot be taken even once
in any run.
• p1 l12 l14 (l15 )+ p2 (l2 )ω has a run respecting it as a path schema. But,
here all the unfoldings of the loop l1 are taken as path segments.
A skeleton is compatible with P whenever its corresponding path
schema belong to YP .
Lemma 10. Checking whether a word w ∈ ( Q0 × ∆ × G? ( T, B, U ) × U ×
Q0 )∗ is a skeleton compatible with P and hq0 , v0 i assuming that len(w) ≤
55
56
reduction to simpler problems
q0
>, (1)
>, (0)
q1
q2
>, (1)
>, (1)
P
x+1=1,(1)
x+1=2,(1)
q1 , [1, 1]
q1 , [2, 2]
q0 , [0, 0]
x + 1 = 1, (1)
x+1>2,(1)
>, (0)
q1 , [3, ∞)
q2 , [3, ∞)
x + 1 ≥ 3, (1)
x + 1 = 2, (1)
x + 1 ≥ 3, (1)
P0
q0 , [0, 0]
q1 , [1, 1]
x + 1 = 1, (1)
x+1>2,(1)
>, (0)
q1 , [3, ∞)
q2 , [3, ∞)
q1 , [2, 2]
x + 1 ≥ 3, (1)
x + 1 = 2, (1)
x + 1 ≥ 3, (1)
P00
Figure 5: A path P and two unfolded path schemas in YP
(len( p1 ) + · · · + len( pk )) + 2(2 × card( T ) × card( B) + card( T )) ×
(len(l1 ) + · · · + len(lk )) can be done in polynomial time in the size of
hq0 , v0 i, len( P), len(w), card( T ) and card( B).
Proof. Let w be a word over Q0 × ∆ P × G? ( T, B, U ) × U × Q0 whose
length is bounded by (len( p1 ) + · · · + len( pk )) + 2 × (2 × card( T ) ×
card( B) + card( T )) × (len(l1 ) + · · · + len(lk )). Let N be the sum of
the respective sizes of hq0 , v0 i, P, T and B. Since the length of w is
bounded, its size is also polynomial in N.
Checking whether an element in Q0 × ∆ P × G? ( T, B, U ) × U × Q0 belongs to ∆0 can be done in polynomial time in N thanks to Lemma 7(I).
Hence, checking whether w belongs to (∆0 )∗ can be done in polynomial time in N too since its length is also polynomial in N. It remains
to check the conditions for skeletons.
• Condition (schema) can be checked by building first f (w) (this
requires linear time in N) and then by checking whether it belongs to p1 l1+ p2 l2+ . . . pk lk+ (requires also linear time in N).
• Condition (last-loop) can be checked by extracting the suffix
of w of length len(lk ).
• Condition (minimality) can be checked by considering all the
factors w0 of w (there are less than len(w)2 of them) and whenever f (w0 ) = l 3 for some loop l, we verify that the condition is
3.2 decomposition of flat counter systems
satisfied. All these operations can be done in polynomial time
in N.
• Finally, condition (init) is also easy to check in polynomial time
in N.
We write YP to denote the set of unfolded path schemas obtained
from P with respect to R. More precisely, for a given resource R, an
initial configuration c0 and a path schema, P0 ∈ YP iff there exists a
skeleton sk starting with c0 and compatible with P such that h(sk) =
P0 . Note that the labels on P0 ∈ YP are restricted to the given finite
resource R. The main property about YP is stated below.
Theorem 3.
(i) Let ρ be an infinite run respecting P and starting at hq0 , v0 i. Then, there
is a path schema P0 in YP and an infinite run ρ0 respecting P0 such
that ftρ = ftρ0 .
(ii) Let ρ be an infinite run respecting P0 for some P0 ∈ YP . Then, there is
an infinite run ρ0 respecting P such that ftρ = ftρ0 .
Proof.
δ
δ0
1
(I) Let ρ = hq0 , v0 i −
→ hq1 , v1 i −
→
· · · be an infinite run respecting
AT
T
~ i i to denote ftρ [i ].
P with footprint ftρ : N → 2 × I . We write h Zi , m
0
0
In order to build ρ and P , first we enrich the structure ρ and then we
define a skeleton from the enriched structure that allows us to define
P0 . The run ρ0 is then defined from ρ so that the sequences of counter
values are identical. From ρ, we consider the infinite sequence below:
δ0 ,hgm
~ ,update( δ0 )i
δ1 ,hgm
~ ,update( δ1 )i
2
1
~ 0 i −−−−−−−−−
~ 1 i −−−−−−−−−
w = h q0 , m
→ h q1 , m
→ ···
?
where gm
~ 1 is a guard from G ( T, B, U ) with respect to the resource
R and path schema P. It is easy to check that w can be seen as
an element of (∆0 )ω where ∆0 is defined as a finite subset of Q0 ×
∆ P × G? ( T, B, U ) × U × Q0 where U is the finite set of updates from
P = p1 (l1 )+ p2 (l2 )+ · · · (lk−1 )+ pk (lk )ω . Moreover, we have f (w) ∈
L( P), that is f (w) = p1 (l1 )n1 p2 (l2 )n2 · · · (lk−1 )nk−1 pk (lk )ω for some
n1 , . . . , nk−1 ≥ 1. From w, one can build a skeleton sk compatible
with P and hq0 , v0 i. sk is formally a subword of w such that
0
0
0
0
f (sk) = p1 (l1 )n1 p2 (l2 )n2 · · · (lk−1 )nk−1 pk (lk )nk
with 1 ≤ ni0 ≤ min(ni , 2 × (2 × card( T ) × card( B) + card( T )) for every
i ∈ [1, k − 1] and 1 ≤ n0k ≤ 2 × (2 × card( T ) × card( B) + card( T )).
We have w = w0 · w0 · w0 · (w0 )ω with f (w0 ) = lk . The skeleton sk
is obtained from w0 · w0 · w0 by deleting copies of loops as soon as
two copies are consecutive. More precisely, every maximal factor of
57
58
reduction to simpler problems
w0 · w0 · w0 of the form (w? ) N with N > 2 such that f (w? ) = li for
some loop li of P, is replaced by (w? )2 . This type of replacement can
be done at most k × (2 × (2 × card( T ) × card( B) + card( T ))) times.
One can check that sk is indeed a skeleton compatible with P and
hq0 , v0 i. Let us consider that sk can be written as
δ0 ,hg0m
,u i
~0 0
K −1
δK −1 ,hgm
,uK −1 i
~0
δ1 ,hg1m
,u i
~0 1
~ 0 i −−−−−→ hq1 , m
~ 1 i −−−−−→ hq2 , m
~ 2 i · · · −−−−−−−−→ hqK , m
~ Ki
h q0 , m
Considering the path schema Psk built from sk, one can show that the
sequence ρ0 below is an infinite run respecting Psk :
hgm
~ ,update( δ0 )i
hgm
~ ,update( δ1 )i
1
2
~ 0 i, v0 i −−−−−−−→
~ 1 i, v1 i −−−−−−−→
~ 2 i, v2 i · ·
hhq0 , m
hhq1 , m
hhq2 , m
~ i i and ρ0 [i ] =
so that ftρ = ftρ0 . Indeed, if we consider ftρ [i ] = h Zi , m
0
~ i i, vi i, by construction of sk and Psk , it is easy to see that
hhqi , m
~ i is same as m
~ i0 . When entering in the last loop
Zi = l(qi ) ∩ X and m
of Psk , counter values still evolve but the sequence of control states
forms a periodic word made of the last len(lk ) control states of sk. By
construction of sk and Psk , it is clear that ρ and ρ0 have the same sequences of counter values (they have actually the same sequences of
updates) and by definition of the labellings, they have also the same
sequences of sets of atomic propositions. It remains to check that ρ0
is indeed a run, which amounts to verify that guards are satisfied but
this is guaranteed by the way guards are defined and by the completeness result in Lemma 7(II).
(II) Let ρ be some run respecting some P0 ∈ YP of the form below:
δ0 ,hgm
~ ,update( δ0 )i
δ1 ,hgm
~ ,update( δ1 )i
1
2
~ 0 i, v0 i −−−−−−−−−
~ 1 i, v1 i −−−−−−−−−
~ 2 i, v2 i · ·
hhq0 , m
→ hhq1 , m
→ hhq2 , m
In the above run, we have decorated the steps by transitions from P
as P0 is defined from a skeleton in which transitions are decorated by
such transitions. Let the skeleton sk be written as
δ0 ,hg0 0 ,u0 i
1
δK −1 ,hgK −
0 ,uK −1 i
δ1 ,hg1 0 ,u1 i
~
~
~
m
m
m
~ 0 i −−−−−
~ 1 i −−−−−
~ 2 i · · · −−−−−−−−
~ Ki
h q0 , m
→ h q1 , m
→ h q2 , m
→ hqK , m
such that Psk = P0 . By conditions in the definition of a skeleton, we
know that f (sk) ∈ L( P). Now consider the run ρ0 below with ρ0 [i ] =
~ i i , vi i .
hqi , vi i when ρ[i ] = hhqi , m
1
ρ0 = hq0 , v0 i −
→ hq1 , v1 i −
→
···
δ0
δ
By construction of ρ0 from ρ, we know that ftρ = ftρ0 . Moreover, since
ρ respects Psk and f (sk) ∈ L( P), one can show that trans(ρ0 ) ∈ L( P).
Equivalence of footprint of runs is the essential property. As we
will show later that a formula from any linear specification language
3.2 decomposition of flat counter systems
allowing atomic propositions and counter constraints as atomic formula, is satisfied by runs of same footprints. Now, we can state the
main theorem about removing disjunctions in the guards by unfolding of loops. It entails the main properties we expect from YP .
Theorem 4. Given a flat counter system S, a minimal path schema P, a
resource R = h X, T, Bi with the set of terms T including those in P, the
set of constants B including those in P and an initial configuration hq0 , v0 i,
there is a finite set of path schemas YP over the set of transitions Q0 ×
G? ( T, B, U ) × U × Q0 , with Q0 = Q × I T and U is the finite set of updates
appearing in P such that:
1. No path schema in YP contains guards with disjunctions in it.
2. For every path schema P0 ∈ YP , its length len( P0 ) is polynomial in
len( P) + card( T ) + card( B).
3. Checking whether a path schema P0 belongs to YP can be done in
polynomial time in len( P) + card( T ) + card( B).
4. For every run ρ respecting P and starting at hq0 , v0 i, we can find a
run ρ0 respecting some P0 ∈ YP such that ftρ = ftρ0 .
5. For every run ρ0 respecting some P0 ∈ YP with initial counter values
v0 , we can find a run ρ respecting P such that ftρ = ftρ0 .
Proof. Let YP be the set of path schemas defined from the minimal
path schema P and resource R = h X, T, Bi.
1. For every path schema in YP , the guards on transitions are of the
V
~ (t)) and each guard ψ(t, u, m
~ (t)) is itself an
form t∈T ψ(t, u, m
atomic guard and a conjunction of two atomic guards. Hence,
no path schema in YP contains guards with disjunctions in it.
2. By Lemma 9, every skeleton defining a path schema in YP has
polynomial length in len( P) + card( T ) + card( B). Each path
schema in YP has a linear length in the length of its corresponding skeleton. Consequently, for every P0 ∈ YP , its length len( P0 )
is polynomial in len( P) + card( T ) + card( B).
3. Given a path schema P0 = p10 (l10 )+ · · · p0k (lk0 )ω in YP , one can
easily identify its underlying skeleton sk by removing iteration
operators as p10 l10 · · · p0k lk0 (easy at the cost of keeping track of
transitions from ∆ P ). By Lemma 10, checking whether sk is compatible with P and hq0 , v0 i can be done in polynomial time in
size( P) + card( T ) + card( B). In particular, if sk is too long, this
can be checked in polynomial time too.
4. By Proposition 3(I), for every run ρ respecting P and starting at
hq0 , v0 i, there are P0 ∈ YP and a run ρ0 respecting P0 such that
ftρ = ftρ0 .
5. Similarly by Proposition 3(II) for every run ρ0 respecting P0 ∈ YP
and with initial counter values v0 , there is a run ρ respecting P
such that ftρ = ftρ0 .
59
60
reduction to simpler problems
Finally, we have that given a resource R and a path schema P, we
can build a set of exponentially many path schemas YP , such that the
runs respecting P have similar footprints as the runs respecting path
schemas from YP and each of the path schema in YP is of polynomial size. This gives us a way to decompose a path schema with
guards and updates over transitions to an exponential number of
path schemas where the states are labelled with intervals in which
the terms exist and without disjunction in the guards.
3.2.3 From Several Path Schemas to Constrained Path Schemas
In the previous section, Theorem 4 provides us with a useful decomposition of a path schema P to a set YP of specialised path schemas
where the states are labelled with intervals and, guards are augmented
with additional constraints enforcing the intervals at the specific states.
In this section, we show how to construct a constrained path schema
equivalent to a path schema P0 from YP . This would allow us to get
the formal relationship between flat counter system and constrained
path schemas.
For translating a path schema P0 ∈ YP to a constrained path schema,
we first define a simple map. Recall that path schemas in YP are actually defined over a resource R which is a triple h X, T, Bi such that X is
a finite set of propositional variables, T is a finite set of terms and B is
a finite set of integers. We define our constrained alphabet h at, agn , Γi
depending on the resource R. We take at = X and agn ⊂ G(Cn ) such
that t ∼ b ∈ agn iff t ∈ T and b ∈ B. The constrained alphabet
Γ ⊆ 2at∪agn is defined for a given extended path schema P0 is defined
as follows
~ i is a state in P0 }∪
Γ = {l(q)|hq, m
~ i is a state in P0 }
{g ∈ agn |~
m ` g and hq, m
To see that the constrained alphabet is at most polynomial in the size
of R and P0 , note that card( agn ) = card( T ) × card( B). Moreover, by
the definition of Γ it is clear that card(Γ) could be at most card( at) +
(card( agn ) × len( P0 )) which is again bounded by card( X ) + (card( T ) ×
card( B) × len( P0 )). First we will define a map that translates a footprint of a run ρ to a word w ∈ Γω for a given resource R and the
corresponding constrained alphabet. The map h : 2X × I T → Γ is
defined as h(ftρ (i )) = γ for any i ∈ N where,
• for every p ∈ X, p ∈ γ iff p ∈ π1 (ftρ (i )).
• for any t ∈ T, any constant b ∈ B and t ≤ b ∈ agn , t ≤ b ∈ γ
iff π2 (ftρ (i )(t)) ⊆ (−∞, b].
3.2 decomposition of flat counter systems
• for any t ∈ T, any constant b ∈ B and t < b ∈ agn , t < b ∈ γ
iff π2 (ftρ (i )(t)) ⊆ (−∞, b).
• for any t ∈ T, any constant b ∈ B and t ≥ b ∈ agn , t ≥ b ∈ γ
iff π2 (ftρ (i )(t)) ⊆ [b, +∞).
• for any t ∈ T, any constant b ∈ B and t > b ∈ agn , t > b ∈ γ
iff π2 (ftρ (i )(t)) ⊆ (b, +∞).
• for any t ∈ T, any constant b ∈ B and t = b ∈ agn , t = b ∈ γ
iff π2 (ftρ (i )(t)) ⊆ [b, b].
For a any given run ρ, we extend the definiton of h to infinite sequence
as h(ftρ ) = h(ftρ (0))h(ftρ (1))h(ftρ (2)) · · · .
Lemma 11. Let R = h X, T, Bi be a resource, h at, agn , Γi be the corresponding constrained alphabet and ρ = hq0 , v0 ihq1 , v1 i · · · be a run. Then, for
any word w ∈ Γω , ρ |= w iff h(ftρ ) = w.
Proof. First assume that for any word w ∈ Γω , ρ |= w. For any position
i ∈ N, by definition of |= we have,
• For any p ∈ at, p ∈ (w[i ] ∩ at) [resp. p ∈ ( at \ w[i ])] iff p ∈ l(qi )
[resp. p 6∈ l(qi )]. By definition of footprint, π1 (ftρ (i )) = l(qi ) ∩ X.
Since, X = at and by definition p ∈ X, p ∈ h(ftρ (i )) iff p ∈
π1 (ftρ (i )), for every p ∈ X, p ∈ h(ftρ (i )) iff p ∈ w[i ].
• For any g ∈ agn , g = (∑ j a j x j ∼ b) ∈ (w[i ] ∩ agn ) [resp. g ∈
( agn \ w[i ])] iff vi |= g [resp. vi 6|= g]. By definition of footprint,
for every term t = ∑k ak xk ∑k ak vi [k] ∈ π2 (ftρ (i ))(∑k ak xk ). Thus,
by Lemma 7(II), vi |= g iff π2 (ftρ (i )) ` g. Notice that the definition of map h, is similar to the definition of ` relation for term
maps. Hence, g ∈ h(ftρ (i )) iff ftρ (i ) ` g which is true iff g ∈ w[i ].
Thus, for any i ∈ N, h(ftρ (i )) = w[i ] and hence, h(ftρ ) = w.
For the other side, assume h(ftρ ) = w and thus for any i ∈ N,
h(ftρ (i )) = w[i ].
• For any p ∈ X, by definition of h, p ∈ h(ftρ (i )) iff p ∈ π1 (ftρ (i )).
By definition of footprint, this is the case iff p ∈ l(qi ). By construction at = X. Thus, we have p ∈ w[i ] ∩ at iff l(qi ).
• For any g = t ∼ b where t ∈ T and b ∈ B, by definition of h,
g ∈ h(ftρ (i )) implies that g ∈ agn . By definiton of footprint for
every term t = ∑k ak xk , ∑k ak vi [k ] ∈ π2 (ftρ (i ))(∑k ak xk ). Matching the conditions in the definition of h to those of the definition of `, we get that π2 (ftρ (i )) ` g since g ∈ h(ftρ (i )). This
with Lemma 7(II), gives us that vi |= g. Thus, for any guard g,
g ∈ (w[i ] ∩ agn ) iff vi |= g.
Thus, we get that ρ |= w.
61
62
reduction to simpler problems
hgm
~ ,u1 i
1
~ 1 i −−−
Now we define the map f cps : (∆0 )+ → (Γ)+ for w = hq1 , m
→
hgm
~ ,u2 i
hgm
~ i −1 ,ui −1 i
2
~ 2 i −−−
~ i i as f cps (w) = w0 where w0 , a word
h q2 , m
→ · · · −−−−−→ hqi , m
of length i − 1, with p0 ( j) = γ j ∈ Γ for j ∈ [1, i − 1] and the following
conditions hold:
• a propositional variable p ∈ at (equivalently p ∈ X), p ∈ γ j iff
p ∈ l(q j ) where l is the labelling function of the original path
schema P.
~ j (t) ⊆
• a guard g = t ≤ b ∈ agn (t ∈ T and b ∈ B), g ∈ γ j iff m
(−∞, b].
~ j (t) ⊆
• a guard g = t < b ∈ agn (t ∈ T and b ∈ B), g ∈ γ j iff m
(−∞, b).
~ j (t) ⊆
• a guard g = t ≥ b ∈ agn (t ∈ T and b ∈ B), g ∈ γ j iff m
[b, +∞).
~ j (t) ⊆
• a guard g = t > b ∈ agn (t ∈ T and b ∈ B), g ∈ γ j iff m
(b, +∞).
Given a path schema P0 = p1 l1+ p2 · · · pk lkω ∈ YP we construct a constrained path schema cps = h P00 , ψi where P00 = f cps ( p1 ) f cps (l1 )+
f cps ( p2 ) · · · f cps ( pk ) f cps (lk )ω and ψ is the quantifier-free Presburger
arithmetic formula constructed for the extended path schema as shown
in Section 3.2.1. Note that this is possible since by construction P0 does
not contain any disjuction in the guards appearing on the transitions.
Lemma 12. Given a path schema P0 ∈ YP defined over the resource R, and a
corresponding constrained path schema cps = h P00 , ψi constructed as above
from P0 over the constrained alphabet h at, agn , Γi obtained from R,
1. for every run ρ respecting P0 , there exists w ∈ L(cps) such that
h(ftρ ) = w.
2. for every word w ∈ L(cps), there exists a run ρ respecting P0 such
that h(ftρ ) = w.
Proof.
1. Consider any run ρ respecting the path schema P0 ∈ YP .
We construct the word w = h(ftρ ) and will prove that w ∈
L(cps). Note that the map f cps preserves both the length of
segments and the sequence of segments for P and that w ∈ Γω .
For any segment p from P0 , consider any subsequence of ρ such
that trans(ρ[i, j]) = p. Notice that for any position a ∈ [1, len( p)],
by definition of f and h, we have, f ( p)[ a] = h(ftρ [ a]). Thus, w ∈
L( P00 ). Since ρ respects P0 , by construction iterP0 (trans(ρ)) |= ψ
and hence, iterP00 (w) |= ψ. Thus, w ∈ L(cps).
2. Now suppose there exists a word w ∈ L(cps), we will show
that w = h(ftρ ) for some run ρ respecting P0 . Since w ∈ L(cps),
3.2 decomposition of flat counter systems
we can write w as w = p100 (l100 )n1 · · · (lk00−1 )nk−1 p00k (lk00 )ω . By definition of f , we can construct a pseudo run ρ such that trans(ρ) =
p10 (l10 )n1 · · · (lk0 −1 )nk−1 p0k (lk0 )ω and f ( p0α ) = p00α , f (lα0 ) = lα00 . Since,
iterP00 (w) |= ψ, ρ is a run respecting P0 . By definition, of footprint, f and h, one can show that h(ftρ (i )) = w[i ] for any i ∈ N.
Thus, w = h(ftρ ).
The above lemmas alongwith Theorem 4 give us the following theorem which states the relation between flat counter systems and constrained path schemas. Note that the following theorem is exactly
similar to Theorem 4 with the exception that here the decomposition
is done from flat counter systems to constrained path schemas.
Theorem 5. Let at be a finite set of atomic propositions, agn be a finite
set of atomic guards from G(Cn ), S be a flat counter system, whose atomic
propositions and atomic guards are from at ∪ agn , and c0 = hq0 , v0 i be
an initial configuration. One can construct in exponential time a set X of
constrained path schemas such that:
• Each constrained path schema cps in X has an alphabet of the form
h at, agn , Γi and cps is of polynomial size.
• Checking whether a constrained path schema belongs to X can be done
in polynomial time.
• For every run ρ from c0 , there is a constrained path schema cps in X
and w ∈ L(cps) such that ρ |= w.
• For every constrained path schema cps in X and for every w ∈
L(cps), there is a run ρ from c0 such that ρ |= w.
Proof. Given a flat counter system S, from Theorem 1 we get that
there is a set Z of exponentially (exponential in size(S)) many path
schemas such that for every infinite run ρ starting from c0 in S, there
exists a minimal path schema P ∈ Z such that ρ respects P. From Theorem 4, we know that for every path schema P ∈ Z and a resource
R such that P is compatible with R, we can construct a set YP of exponentially many (exponential in len( P) and size( R)) extended path
schemas such that:
• the length of each path schema P0 ∈ YP is polynomial in len( P)
and size( R).
• checking whether a path schema P0 belongs to YP can be done
in polynomial time in len( P) and size( R).
• for every run ρ starting from c0 and respecting P, there exists a
run ρ0 respecting some P0 ∈ YP such that ftρ = ftρ0 .
• for every run ρ0 respecting some P0 ∈ YP , there exists a run ρ
starting from c0 and respecting P such that ftρ = ftρ0 .
63
64
reduction to simpler problems
Note that the resource R, for YP can be different for each P ∈ X
depending on the compatibility of P with R. By the definition of the
mapping h and Lemma 12 we get that for every path schema P0 ∈ YP
and the corresponding resource R, we can construct a constrained
alphabet h at, agn , Γi and a constrained path schema cps, such that
ρ is a run respecting P0 iff there exists a word w ∈ L(cps) such
that h(ftρ ) = w. Combining these two we get that for every path
schema P ∈ X and a resource R such that P is compatible with R, we
can construct a set ZP of exponentially many (exponential in len( P)
and size( R)) of constrained path schemas over a constrained alphabet
h at, agn , Γi such that:
• the length of each constrained path schema cps ∈ ZP is polynomial in len( P) and size( R).
• checking whether a constrained path schema cps over Γ, belongs to ZP can be done in polynomial time in len( P) and
size( R).
• for every run ρ starting from c0 and respecting P, there exists a
word w ∈ L(cps) for some cps ∈ ZP such that ftρ = w.
• for every word w ∈ L(cps) for some cps ∈ ZP , there exists a
run ρ starting from c0 and respecting P such that ftρ = w.
This combined with the property from Lemma 11, gives us the statement of the theorem.
Note that all previous bounds about the size of the constraint system and maximum constant appearing in it and the size of path
schemas in YP remains same for the set X of constrained path schemas.
Thus, intuitively, we have a decomposition of flat counter systems
to an exponential set of constrained path schemas. This decomposition helps a lot in the model-checking procedure by simplifying the
problem. In fact we will show in the next section, how it is enough
for the model-checking procedure to decide some simpler problems
over constrained path schemas and various logics.
For the purpose of global model-checking problem we will also define a new model called parameterized constrained path schema. Let S
be a flat counter system of dimension n built over atomic constraints
in at ∪ agn , q be a control state. A parameterized constrained path
schema (PCPS) is defined as a constrained path schema except that
the second argument (a guard) has also the free variables z1 , . . . ,zn
dedicated to the initial counter values. Remember that a constrained
path schema has already a constraint about the number of times loops
are visited. In its parameterized version, this constraint expresses also
a requirement on the initial counter values. Following the proof of
Theorem 5, one can construct in exponential time a set X of parameterized constrained path schemas with following properties:
3.3 reduction to new and simpler problems
• Each parameterized constrained path schema pcps in X has an
alphabet of the form h at, agn , Γ0 i (Γ0 may vary) and pcps is of
polynomial size.
• Checking whether a parameterized constrained path schema belongs to X can be done in polynomial time.
• For every run ρ from hq, vi, there is a parameterized constrained
path schema pcps and w ∈ L(pcps[v]) such that ρ |= w where
pcps[v] is the contrained path obtained from pcps by replacing
the variables z1 , . . . ,zn by the counter values from v.
• For every parameterized constrained path schema pcps, for every counter values v, for every w ∈ L(pcps[v]), there is a run ρ
from hq, vi such that ρ |= w.
3.3
reduction to new and simpler problems
Now that we have a decomposition of a flat counter system to a set
of constrained path schemas, we will define various decision problems over constrained path schemas and show later a reduction of
the model checking problem of flat counter systems to one of the
decision problems on constrained path schemas. Later on, we will
actually solve this particular decision problem and then deduce the
result for flat counter system using the reduction. Let us consider below the three decision problems on constrained path schemas that are
useful in the rest of the document.
The first problem amounts to check whether the language defined
by a constrained path schema is empty or not. We call it the Consistency problem and define it as follows:
input: a constrained path schema cps
question: Is L(cps) 6= ∅?
Note that consistency amounts to check that the second argument
of the constrained path schema is satisfiable. Let us first recall simple
consequences of the classical result [Pot91, Corollary 1] which will
be useful to state the complexity of the consistency problem but also
that we will be useful later.
Theorem 6. [Pot91] There exist polynomials pol1 (·), pol2 (·) and pol3 (·)
such that for every guard g in G(Cn ), guards over n counters, of size N, we
have:
(I) there exist B ⊆ [0, 2pol1 ( N ) ]n and P1 , . . . , Pα ∈ [0, 2pol1 ( N ) ]n with
α ≤ 2pol2 ( N ) such that for every y ∈ Nn , y |= g iff there are b ∈ B
and a ∈ Nα such that y = b + a[1]P1 + · · · + a[α]Pα ;
(II) if g is satisfiable, then there is y ∈ [0, 2pol3 ( N ) ]n such that y |= g.
65
66
reduction to simpler problems
Note that Theorem 6(II) is an immediate consequence of Theorem 6(I). Now, we can obtain the NP upper bound for the consistency
problem (the lower bound being obtained directly by reducing SAT
for instance). Indeed, a constrained path schema defines a non-empty
language iff its formula can be satisfied by a tuple in [0, 2pol3 ( N ) ]k−1
where N is its size. This allows us to state the next obvious lemma.
Lemma 13. Consistency problem is NP-complete.
Another problem of interest is the intersection non-emptiness problem
for the linear specification language L with specifications over constrained alphabet. It is later shown to be related to model-checking
problem. This problem is defined as follows:
input: a constrained path schema cps over a constrained alphabet
h at, agn , Γi and a specification A ∈ L over the constrained alphabet h at, agn , 2at∪agn i.
question: Is L(cps) ∩ L( A) 6= ∅ ?
As we shall see, for the linear specification languages L we consider (Past LTL, first-order logic, Büchi specifications, etc.), given a
constrained path schema cps = h p1 (l1 )+ · · · pk−1 (lk−1 )+ pk (lk )ω , φ(y1 ,
. . . , yk−1 )i and a specification A ∈ L, it is possible to establish a
bound (at most exponential) B such that whenever L(cps) ∩ L( A) 6=
∅ there is a witness word p1 (l1 )n1 · · · pk−1 (lk−1 )nk−1 pk (lk )ω belonging
to the intersection and for which each ni is bounded by B. Hence
a way to solve an instance of the intersection non-emptiness problem is to guess n1 , . . . , nk−1 bounded by the corresponding bound B,
and then to test that p1 (l1 )n1 · · · pk−1 (lk−1 )nk−1 pk (lk )ω indeed belongs
to L(cps) ∩ L( A). This motivates the introduction of the last decision problem over constrained path schemas. This is the Membership
problem for a linear specification language L and constrained path
schemas:
input: a constrained path schema cps = h p1 (l1 )+ · · · pk−1 (lk−1 )+ pk
(lk )ω , φ(y1 , . . . , yk−1 )i, a specification A ∈ L and n1 , . . . , nk−1 ∈
N
question: Does p1 (l1 )n1 · · · pk−1 (lk−1 )nk−1 pk (lk )ω ∈ L( A) ∩ L(cps)?
We point out that here the ni ’s are encoded in binary. Also note that
the problem whether p1 (l1 )n1 · · · pk−1 (lk−1 )nk−1 pk (lk )ω ∈ L(cps) is
easy to solve since it amounts to check whether (n1 , . . . , nk−1 ) |= φ(y1 ,
. . . , yk−1 ). Since both (n1 , . . . , nk−1 ) and φ(y1 , . . . , yk−1 ) are provided
as input and φ is a quantifier-free Presburger formula, the check
amounts to performing multiplication, addition and comparison of
polynomially many bits, which can be done in polynomial time.
3.3 reduction to new and simpler problems
3.3.1 Reduction From Intersection Non-Emptiness to Membership
We will explain here a property regarding a linear specification language L which allows to reduce (efficiently) the Intersection NonEmptiness problem to the Membership problem.
Definition 9 (Exponentially bounded limiting loops map). A linear
specification language L is said to have an exponentially bounded limiting loops map if there exists a map f L , which takes as argument a specification in L, a constrained path schema, and a polynomial pol(·) such that for
all A ∈ L and all constrained path schema cps = h p1 (l1 )+ · · · pk−1 (lk−1 )+
pk (lk )ω , φ(y1 , . . . , yk−1 )i, we have the two following properties:
1. f L ( A, cps) is computable in PTime in the size of input and f L ( A, cps)
≤ 2pol(size( A)+size(cps)) ;
2. L(cps) ∩ L( A) 6= ∅ iff there is an infinite word p1 (l1 )n1 · · · pk−1
(lk−1 )nk−1 pk (lk )ω ∈ L(cps) ∩ L( A) verifying ni ≤ f L ( A, cps) for
all i ∈ [1, k − 1].
Consequently a way to solve an instance of the intersection nonemptiness problem for linear specification languages having an exponentially bounded limiting loops map consists in guessing n1 , . . . , nk−1
bounded by f L ( A, cps) and then to test that the word p1 (l1 )n1 · · · pk−1
(lk−1 )nk−1 pk (lk )ω indeed belongs to L(cps) ∩ L( A). This observation
leads to the following lemma which makes a connection between the
Intersection Non-Emptiness problem and the Membership problem.
Before we state the lemma, let us define a generalised complexity
class. This is necessary since, in the next part we will talk about a
range of complexity classes starting from PTime to PSpace. We consider C as a class of Turing machines characterizing a complexity
class including PTime. Also, let NC be its corresponding class of nondeterministic Turing machines. In other words if we take C to be equal
to the class PTime (or PSpace) then NC corresponds to exactly the
class NP (NPSpace resp.).
Lemma 14. If L is a linear specification language having an exponentially
bounded limiting loops map and such that its Membership problem is in C ,
then its Intersection Non-Emptiness problem in NC .
Proof. We consider a linear specification language L which has an exponentially bounded limiting loops map f L . Let A in L and let cps =
h p1 (l1 )+ · · · pk−1 (lk−1 )+ pk (lk )ω , φi be a constrained path schema. Following the definition of exponentially bounded limiting map, we
have L(cps) ∩ L( A) 6= ∅ iff there exists y ∈ [0, f L ( A, cps)]k−1 such
that p1 (l1 )y[1] . . . pk−1 (lk−1 )y[k−1] pk lkω ∈ L(cps) ∩ L( A) where f L ( A, L)
≤ 2pol(size(cps)+size(L)) . Hence our algorithm to solve Intersection NonEmptiness amounts to guess some y ∈ [0, f L ( A, cps)]k−1 and check
whether w = p1 (l1 )y[1] · · · pk−1 (lk−1 )y[k−1] pk (lk )ω ∈ L(cps) ∩ L( A).
67
68
reduction to simpler problems
The fact, that checking p1 (l1 )y[1] . . . pk−1 (lk−1 )y[k−1] pk lkω ∈ L(cps) can
be done in PTime, and that the Membership problem can be done in C
and since each y[i ] can be encoded in polynomial space in size(cps) +
size( A), allows us to deduce that the Intersection Non-Emptiness
problem for L having an exponentially bounded limiting loops map
is in NC .
3.3.2
Reduction From Model-Checking to Intersection Non-Emptiness
We will now see how Theorem 5 allows to reduce the model-checking
problem to the Intersection non-emptiness problem for linear specification language L. The reduction works as follows: given a flat
counter system S, an initial configuration c0 and a specification A ∈ L,
a way to solve this instance is to guess in polynomial time a constrained path schema cps from the set X (described in Theorem 5)
and then to solve L(cps) ∩ L( A) 6= ∅. Theorem 5 ensures the correctness of this non-deterministic procedure and also that the guess and
checking of cps can both be done in polynomial time.
Lemma 15. If the Intersection Non-Emptiness problem for a linear specification language L is in C , then MC(L, FlatCS) is in NC .
Proof. Let L be a linear specification language such that its Intersection Non-Emptiness problem is in C . We consider a flat counter system S, a configuration c and a specification instance A of L and over
h at, agn , Γi. Let X be the set of constrained path schemas mentioned
in Theorem 5 built from at, agn , S and c.
First, assume that there exists a run ρ starting at c and w ∈ L( A)
such that ρ |= w. Then, from Theorem 5, we know that there exists in
the set X a constrained path schema cps over h at, agn , Γi and a word
w0 ∈ L(cps) such that ρ |= w0 . Recall that size(Γ) is polynomial in
the size of S. Note that by definition of the relation |= between runs
and words for a given run ρ and the constrained alphabet 2at∪agn ,
there exists only one word w ∈ (2at∪agn )ω such that ρ |= w. Hence we
deduce that L(cps) ∩ L( A) 6= ∅.
We suppose now that there exists in the set X a constrained path
schema cps over h at, agn , Γi such that L(cps) ∩ L( A) 6= ∅. We consider w ∈ L(cps) ∩ L( A). Since, w ∈ L(cps), by Theorem 5 there
exists a run ρ starting at c such that ρ |= w, but then we can deduce
that ρ |= A.
Consequently, we have that there exists a run ρ starting at c such
that ρ |= A iff there exists in the set X a constrained path schema
cps over h at, agn , Γi such that L(cps) ∩ L( A) 6= ∅. Furthermore, we
know that such a cps is in polynomial size and that testing whether a
constrained path schema belongs to the X can also be done in polynomial time as well. Hence we can use the algorithm which consists in
guessing a constrained path schema cps from X and then in testing
3.3 reduction to new and simpler problems
whether L(cps) ∩ L( A) 6= ∅ to solve the Model-Checking problem
over input S, c and A. We conclude by observing that this algorithm
is in NC too.
3.3.3 General algorithm to solve Model-Checking of flat counter system
By combining the results presented in Lemma 14 and Lemma 15, we
can deduce a general reduction from the Model-Checking problem
over flat counter system with a linear specification language L to
the Membership Problem when the considered language L has an
exponentially bounded limiting loops map.
Theorem 7. If L is a linear specification language having an exponentially
bounded limiting loops map and such that its Membership problem is in C ,
then MC(L, FlatCS) is in NC where C is a class of Turing machine including PTime and NC the corresponding class of non-deterministic Turing
machine.
Note that the above result is quite general but holds for linear specification languages whose membership problem is in PTime or higher
complexity class and hence the condition PTime ⊆ C . This condition
is necessary, as the reduction uses non-deterministic guesses of polynomial sizes and hence would lead to a higher complexity class than
NC of MC(L, FlatCS) for any specification whose membership problem lies in a class less than PTime.
Hence the roadmap we will follow next to obtain complexity bounds
for the model-checking problem over flat counter systems with various specification languages will consist in proving that the considered languages admit an exponentially bounded limiting loop map
and also an associated membership problem either in PTime or in
PSpace.
Finally, from the proofs of Lemma 14 and Lemma 15 we can extract the general non-deterministic Algorithm 1 to solve the modelchecking problem of flat counter systems with languages specification having an exponentially bounded limiting loops. As explained,
Algorithm 1 Solving MC(L, FlatCS) for L with an exponentially
bounded limiting loop map f L
Inputs: A flat counter system S, a configuration c0 and a specification
A from L
Output: Is there a run ρ in S starting from c0 such that ρ |= A ?
1: Guess cps = h p1 (l1 )+ · · · pk−1 (lk−1 )+ pk (lk )ω , φ i in YP [see Theorem 5]
2: Guess y ∈ [0, f L ( A, cps)]k−1
3: Return p1 (l1 )y[1] · · · pk−1 (lk−1 )y[k−1] pk (lk )ω ∈ L( A ) ∩ L(cps).
the correctness of Algorithm 1 follows from Lemma 14 and Lemma
69
70
reduction to simpler problems
15 and the complexity characterization follows from Theorem 7 and
the complexity of the membership problem.
4
L I N E A R T E M P O R A L L O G I C W I T H PA S T
Model-checking problem for LTL with past (PLTL) over finite state
systems is known to be PSpace-complete [SC85]. Note that the logic
considered in this result consists of propositional variables as atomic
formulas. Since we deal with flat models, a result closer to the class of
systems we are studying, by [KF11], states that model checking LTL
with past over flat Kripke structures is NP-complete. But all these
results deal with specification where atomic formulas are propositional variables. Our definition of LTL as presented in Chapter 2, is
more expressive in stating properties about a particular configuration
of a system. As pointed out in the definition of the logic, we interpret the logic over runs of counter systems. Hence the variables are
typed as integers. In particular, for our case, we are interested in finding runs in flat counter systems which satisfy a particular property
expressed in PLTL. Though it can be shown from previous results
(see e.g. [DFGvD10]) that there exists a way to formulate the model
checking problem of PLTL over flat counter system as a formula in
Presburger arithmetic, the complexity for such a procedure is not optimal. We would like to find a procedure with optimal complexity
bounds. Incidentally, as we will show by the end of the chapter, that
the roadmap presented in Section 3.3.3 gives us a sharp complexity
bound on the model-checking procedure. The way to obtain the results proceed in the lines of [DDS12]. We show that model-checking
problem for LTL with past over flat counter system is NP-complete.
In fact we will show that flatness even with finite-state systems gives
us a much lower complexity bound than PSpace. Adding counters to
both the system and the logic does not alter the complexity bounds.
This is quite surprising as addition of counters allows us to specify
quite expressive properties about runs.
To be able to apply the algorithm in Section 3.3.3, we need to first
show that PLTL has an exponentially bounded limiting loops map.
Then, we present an algorithm to check membership problem for
PLTL. These two results with Theorem 7 (Chapter 3) allows us to get
a complexity bound for the model-checking procedure which turns
out to be sharp. To prove that PLTL admits an exponentially bounded
limiting map and obtain the bounds on the map, first we will prove
a general result called Stuttering theorem for PLTL over an unconstrained alphabet. This is done in the following sections.
71
72
linear temporal logic with past
4.1
stuttering theorem
Stuttering of finite words or single letters has been instrumental to
show several results about the expressive power of PLTL fragments,
see e.g. [PW97, KS05]; for instance, PLTL restricted to the temporal operator U characterizes exactly the class of formulae defining classes of
models invariant under stuttering. This is refined in [KS05] for PLTL
restricted to U and X, by taking into account not only the U-depth
(maximum number of nested U operator) but also the X-depth (maximum number of nested X operator) of formulae and by introducing
a principle of stuttering that involves both letter stuttering and word
stuttering. In this section, we establish another substantial generalization that involves the full logic PLTL (with its past-time temporal
operators).
For the generalized stuttering theorem, we consider the simpler
variant of PLTL defined over a fixed alphabet Σ. Recall that the simpler variant of PLTL defined over a fixed alphabet Σ and without
counter constraints is denoted as PLTLΣ . Essentially the atomic formulas of PLTLΣ are letters from Σ. For such a logic, we consider the
models as infinite words over the alphabet Σ. Given a formula φ in
PLTLΣ , we denote as L(φ) the set {w ∈ Σω |w, 0 |= φ}. The definiton of
PLTLΣ allows us to define and make the proof of the stuttering theorem much easier and keep the theorem more general. Roughly speaking, we show that if w1 s M w2 , 0 |= φ where w1 s M w2 is a PLTLΣ model
(w1 , s being finite words), φ ∈ PLTLΣ , td(φ) ≤ N for some N ∈ N and
M ≥ max(2N + 1, 5), then w1 s2N +1 w2 , 0 |= φ (and other related properties). Moreover, this turns out to be a key property (Theorem 8) to
establish the NP upper bound even in the presence of counters (but
additional work needs to be done). In effect, adapting the theorem for
our case requires considering the constrained alphabet Γ as the fixed
alphabet in PLTLΓ . Note that Theorem 8 below is interesting for its
own sake, independently of our investigation on flat counter systems.
For M, M0 , N ∈ N, we write M ≈ N M0 iff min( M, N ) = min( M0 , N ).
0
Given w = w1 u M w2 , w0 = w1 u M w2 ∈ Σω and i, i0 ∈ N, we define an
equivalence relation hw, i i ≈ N hw0 , i0 i (implicitly parameterized by
w1 , w2 and u) such that hw, i i ≈ N hw0 , i0 i means that the number of
copies of u before position i and the number of copies of u before
position i0 are related by ≈ N and the same applies for the number of
copies after the positions. Moreover, if i and i0 occur in the part where
u is repeated, then they correspond to identical positions in u. More
def
formally, hw, i i ≈ N hw0 , i0 i ⇔ M ≈2N M0 and either M, M0 ≤ 2N
and i = i0 or one of the following conditions holds true:
1. i, i0 < len(w1 ) + N · len(u) and i = i0 .
2. i ≥ len(w1 ) + ( M − N ) · len(u) and i0 ≥ len(w1 ) + ( M0 − N ) ·
len(u) and (i − i0 ) = ( M − M0 ) · len(u).
4.1 stuttering theorem
w1
w1
|
|
|
|
|
|
w2
w2
Figure 6: Two words w, w0 with u = and the relation ≈3
3. len(w1 ) + N · len(u) ≤ i < len(w1 ) + ( M − N ) · len(u) and
len(w1 ) + N · len(u) ≤ i0 < len(w1 ) + ( M0 − N ) · len(u) and
|i − i0 | = 0 mod len(u).
The conditions merely state that if M, M0 ≤ 2N then the positions in
the repective words have to be same. Notice that since M ≈2N M0 ,
M, M0 ≤ 2N implies that M = M0 , that is w = w0 . Otherwise, when
M, M0 > 2N, i and i0 should point to the corresponding “equivalent”
positions in the words w and w0 when i, i0 point to any position upto
the first N iterations of u and the from the last N iterations of u.
Otherwise, if i, i0 belong to any iteration of u in between the first and
last N iterations then the only condition is that i and i0 point to the
same letter of u.
Figure 6 presents two words w and w0 over the alphabet Σ =
{, } such that w is of the form w1 ()7 w2 and w0 is of the form
w1 ()8 w2 . The relation ≈3 is represented by edges between position: each edge from position i of w to positions i0 of w0 represents
the fact that hw, i i ≈3 hw0 , i0 i.
In order to prove our stuttering theorem for PLTL, we need to express some properties concerning the relation ≈ whose proofs can
be found in the subsequent subsections. Let w = w1 u M w2 , w0 =
0
w1 u M w2 ∈ Σω , i, i0 ∈ N and N ≥ 2 such that M, M0 ≥ max(2N + 1, 5)
and hw, i i ≈ N hw0 , i0 i. We can show the following properties (see Section A.1):
(claim 1) hw, i i ≈ N −1 hw0 , i0 i and w[i ] = w0 [i0 ].
(claim 2) i, i0 > 0 implies hw, i − 1i ≈ N −1 hw0 , i0 − 1i.
(claim 3) hw, i + 1i ≈ N −1 hw0 , i0 + 1i
(claim 4) For all j ≥ i, there is j0 ≥ i0 such that
hw, ji ≈ N −1 hw0 , j0 i and for all k0 ∈ [i0 , j0 − 1], there is k ∈ [i, j − 1]
such that hw, k i ≈ N −1 hw0 , k0 i.
(claim 5) For all j ≤ i, there is j0 ≤ i0 such that
hw, ji ≈ N −1 hw0 , j0 i and for all k0 ∈ [ j0 − 1, i0 ], there is k ∈ [ j − 1, i ]
such that hw, k i ≈ N −1 hw0 , k0 i.
The proofs for the claims are provided later in the appendix. For
now, given the claims, we can now state our stuttering theorem for
PLTL that is tailored for our future needs.
73
74
linear temporal logic with past
0
Theorem 8 (Stuttering). Let σ = w1 s M w2 , σ0 = w1 s M w2 ∈ Σω with σ ∈
Σ∗ , σ0 ∈ Σω , s ∈ Σ+ and i, i0 , N ∈ N such that M, M0 ≥ max(2N + 1, 5)
and hσ, i i ≈ N hσ0 , i0 i. Then, for every PLTLΣ formula φ with td(φ) ≤ N,
we have σ, i |= φ iff σ0 , i0 |= φ.
The theorem states that given a formula φ from PLTLΣ there exists a constant N such that a word σ with s repeated more than
max(2.N + 1, 5) times satisfies φ with td(φ) ≤ N iff the word σ0 with
s repeated exactly max(2.N + 1, 5) times satisfies φ. Before proving
the theorem we assign a pair of naturals for each PLTLΣ formula φ denoted as rank(φ) ∈ N × N and defined as rank(φ) = htd(φ), size(φ)i.
The natural ordering relation < is extended for rank as hm1 , n1 i <
hm2 , n2 i iff either m1 < m2 or (m1 = m2 and n1 < n2 ).
Proof. The proof is by induction on the pair of temporal depth of the
formula and the structure of the formula (i.e. on rank of formula),
assuming that (Claim 1) – (Claim 5) are true.
• Base case: As base case we have σ and σ0 such that M, M0 ≥ 5
and φ such that rank(φ) = h0, 1i. (i.e. formulas which are just
atomic propositions). Thus we have φ = a for some a ∈ Σ. Since,
hσ, i i ≈ N hσ0 , i0 i for some N ≥ 0 and by (Claim 1), w[i ] = w[i0 ],
either w[i ] = w[i0 ] = a or w[i ] = w[i0 ] 6= a. In any case, σ, i |= a
iff σ0 , i |= a.
• Inductive step: As induction hypothesis, for any given formula
φ, we assume that for all PLTLΣ formula ψ with rank(ψ) <
rank(φ) and any i, i0 such that hσ, i i ≈td(ψ) hσ0 , i0 i, we have
σ, i |= ψ iff σ0 , i |= ψ. We will prove the same for φ with rank(φ) =
h N, T i, using case analysis.
– φ = Xφ0 : By satisfaction relation, σ, i |= Xφ0 iff σ, i + 1 |= φ0 .
td(φ0 ) < td(φ) and hence rank(φ0 ) < rank(φ). By (Claim
3), hσ, i + 1i ≈ N −1 hσ0 , i0 + 1i. By induction hypothesis,
σ, i + 1 |= φ0 iff σ0 , i0 + 1 |= φ0 . Thus, σ, i |= Xφ0 iff σ0 , i0 |=
Xφ0 .
– φ = X−1 φ0 : By satisfaction relation, σ, i |= X−1 φ0 iff σ, i −
1 |= φ0 and i > 0. td(φ0 ) < td(φ) and hence rank(φ0 ) <
rank(φ). By (Claim 2), i, i0 > 0 implies hσ, i − 1i ≈ N −1
hσ0 , i0 − 1i. By definition of ≈ N , i > 0 iff i0 > 0. By induction hypothesis, σ, i − 1 |= φ0 iff σ0 , i0 − 1 |= φ0 . Thus,
σ, i |= X−1 φ0 iff σ0 , i0 |= X−1 φ0 .
– φ = φ1 Uφ2 : By satisfaction relation, σ, i |= φ1 Uφ2 iff there
is j ≥ i such that σ, j |= φ2 and for every k ∈ [i, j − 1], we
have σ, k |= φ1 . By definition, td(φ1 ), td(φ2 ) ≤ N − 1. Thus,
by (Claim 4), there is j0 ≥ i0 such that hσ, ji ≈ N −1 hσ0 , j0 i
and for all k0 ∈ [i0 , j0 − 1] there is k ∈ [i, j − 1] such that
hσ, ki ≈ N −1 hσ0 , k0 i. By induction hypothesis, σ, j |= φ2 iff
4.1 stuttering theorem
σ0 , j0 |= φ2 and for every k0 ∈ [i0 , j0 − 1] there is k ∈ [i, j − 1]
such that σ, k |= φ1 iff σ0 , k0 |= φ1 . Thus, if σ, i |= φ1 Uφ2 then
σ0 , i0 |= φ1 Uφ2 . For the other side, assume that σ0 , i0 |= φ1 Uφ2 .
Similarly as before, this is the case iff there is j0 ≥ i0 such
that σ0 , j0 |= φ2 and for every k0 ∈ [i0 , j0 − 1], σ0 , k0 |= φ1 .
Again, using (Claim 4) and the induction hypothesis, we
get that there exists j ≥ i such that σ0 , j0 |= φ2 iff σ, j |= φ2
and for every k ∈ [i, j − 1] there is k0 ∈ [i0 , j0 − 1] such
that σ, k |= φ1 iff σ0 , k0 |= φ1 . Thus, if σ0 , i0 |= φ1 Uφ2 then
σ, i |= φ1 Uφ2 .
– φ = φ1 Sφ2 : By satisfaction relation, σ, i |= φ1 Sφ2 iff there is
0 ≤ j ≤ i such that σ, j |= φ2 and for every k ∈ [ j + 1, i ], we
have σ, k |= φ1 . By definition, td(φ1 ), td(φ2 ) ≤ N − 1 and by
(Claim 5), there is 0 ≤ j0 ≤ i0 such that hσ, ji ≈ N −1 hσ0 , j0 i
and for all k0 ∈ [ j0 + 1, i0 ] there is k ∈ [ j + 1, i ] such that
hσ, ki ≈ N −1 hσ0 , k0 i. By induction hypothesis, σ, j |= φ2 iff
σ0 , j0 |= φ2 and for every k0 ∈ [ j0 + 1, i0 ] there is k ∈ [ j + 1, i ]
such that σ, k |= φ1 iff σ0 , k0 |= φ1 . Thus, if σ, i |= φ1 Sφ2 then
σ0 , i0 |= φ1 Sφ2 . For the other side, assume that σ0 , i0 |= φ1 Sφ2 .
Similarly as before, this is the case iff there is 0 ≤ j0 ≤ i0
such that σ0 , j0 |= φ2 and for every k0 ∈ [ j0 + 1, i0 ], σ0 , k0 |= φ1 .
Again, using (Claim 4) and the induction hypothesis, we
get there exists 0 ≤ j ≤ i such that σ0 , j0 |= φ2 iff σ, j |= φ2
and for every k ∈ [ j + 1, i ] there is k0 ∈ [ j0 + 1, i0 ] such
that σ, k |= φ1 iff σ0 , k0 |= φ1 . Thus, if σ0 , i0 |= φ1 Sφ2 then
σ, i |= φ1 Sφ2 .
– φ = ¬φ0 We know that, σ, i |= ¬φ0 iff σ, i 2 φ0 . Note that by
definition, td(φ0 ) = N and by assumption, hσ, i i ≈ N hσ0 , i0 i.
Moreover, size(φ0 ) = T − 1 and hence rank(φ0 ) < rank(φ).
Thus, by induction hypothesis, σ, i 2 φ0 iff σ0 , i0 2 φ0 . Thus,
σ, i |= ¬φ0 iff σ0 , i0 |= ¬φ0 .
– φ = φ1 ∨ φ2 : By satisfaction relation, σ, i |= φ1 ∨ φ2 iff either
σ, i |= φ1 or σ, i |= φ2 . There could be two cases:
(a) (td(φ1 ) ≤ N − 1 and td(φ2 ) = N) or (td(φ2 ) ≤ N − 1
and td(φ1 ) = N). Without loss of generality, let us assume,
td(φ1 ) ≤ N − 1 and td(φ2 ) = N. Note that size(φ2 ) ≤ T −
1. This implies that rank(φ1 ), rank(φ2 ) < rank(φ) and thus,
by induction hypothesis, σ, i |= ¬φ2 iff σ0 , i0 |= φ2 . For the
other case, note that by (Claim 1), hσ, i i ≈ N −1 hσ0 , i0 i and
size(φ1 ) ≤ T − 1. Thus, by induction hypothesis, σ, i |= ¬φ1
iff σ0 , i0 |= φ1 . Hence, σ, i |= φ1 ∨ φ2 iff σ0 , i0 |= φ1 ∨ φ2 .
(b) td(φj ) = N for every j ∈ [1, 2]. Also, size(φj ) ≤ T − 1
and hence rank(φj ) < rank(φ) for every j ∈ [1, 2]. In this
case, by induction hypothesis σ, i |= φj iff σ0 , i0 |= φj for
every j ∈ [1, 2]. Thus,σ, i |= φ1 ∨ φ2 iff σ0 , i0 |= φ1 ∨ φ2 .
75
76
linear temporal logic with past
– φ = φ1 ∧ φ2 : This case follows as the previous one.
Note that a similar proof can be found in [KS05]. Although our
proof follows along similar lines, it generalizes the result from [KS05]
to the case where past-time operators are allowed in the LTL specification. On the other hand, for our purpose of model-checking flat
counter systems, we need a much simpler property than what is established in [KS05]. The proof for stuttering theorem (as provide here
and in [KS05]), essentially amounts to designing a suitable strategy
in Ehrenfeucht-Fraïssé (EF) games. As a consequence, an alternative
proof can be obtained by using EF games [EW00]. This will not necessarily provide a shorter proof and it requires to use properties of the
game, as in [EW00]. In particular even though the above proof and
the proof of Theorem 4.4 from [EW00] are similar in nature, we nevertheless provided the proof which is tailored to our specific need, to
be self-contained. Moreover, as stated, the properties proved in both
of them are slightly different. For example, for our model-checking
procedure we need a polynomial bound on stuttering length. We provide a proof along the lines of [EW00], albeit for a different logic
(first order logic) involving EF Games in Chapter 5.
4.2
model-checking pltl is np-complete
In this section we will characterize the optimal complexity bound of
MC(PLTL, FlatCS). We will here again follow the general roadmap
dictated by Theorem 7. First we will show that Theorem 6 and Theorem 8 allows us to prove that PLTL over the constraint alphabet
h at, agn , 2at∪agn i admits an exponentially bounded limiting loops map
f PLTL . Before we prove this, we need an intermediate lemma in order
to be able to use the previous result which were considering PLTL
over an unconstrained alphabet. This result allows basically to translate efficiently a formula over a constrained alphabet into a formula
over unconstrained alphabet. The efficient translation in turn allows
us to apply the stuttering theorem over PLTL.
Lemma 16. From a formula ψ in PLTL over h at, agn , 2at∪agn i and an alphabet Γ ⊆ 2at∪agn , one can build a formula ψΓ in PLTLΓ whose size is
polynomial in the sizes of Γ, A and td(ψΓ ) = td(ψ) such that L(ψΓ ) =
L(ψ) ∩ Γω .
Proof. We build ψΓ from ψ by replacing every occurrence of p by
W
W
{a∈Γ|p∈a} a and every occurrence of g is replaced by {a∈Γ|g∈a} a. It is
easy to see that, by construction, L(ψΓ ) = L(ψ) ∩ (Γ)ω , that the size of
ψΓ is polynomial in the size of Γ and ψ and that td(ψΓ ) = td(ψ).
4.2 model-checking pltl is np-complete
Given the above lemma, we can now prove our first result concerning the specification language PLTL stating that it has the exponentially bounded limiting loops map.
Theorem 9. PLTL has an exponentially bounded limiting loops map f PLTL .
Proof. Let ψ be a PLTL formula over the constrained alphabet h at, agn ,
2at∪agn i and cps = h p1 (l1 )+ · · · pk−1 (lk−1 )+ pk (lk )ω , φ(y1 , . . . , yk−1 )i be
a constrained path schema over some constrained alphabet h at, agn , Γi
with Γ ⊆ 2at∪agn .
Suppose that there exists n ∈ Nk−1 such that:
p1 (l1 )n[1] · · · pk−1 (lk−1 )n[k−1] pk (lk )ω ∈ L(cps) ∩ L(ψΓ ).
Let b ⊆ [0, 2pol1 (size(cps)) ]k−1 and P1 , . . . , Pα ∈ [0, 2pol1 (size(cps)) ]k−1 defined for φ following Theorem 6 (Chapter 3). Since n |= φ, there are
b ∈ B and a ∈ Nα such that n = b + a[1]P1 + · · · + a[α]Pα . Let
a0 ∈ Nα defined from a as

a[ i ],
if a[i ] ≤ 2.td(ψΓ ) + 5
a0 [ i ] =
 0
a [i ] = 2.td(ψΓ ) + 5 otherwise
Note that n0 = b + a0 [1]P1 + · · · + a0 [α]Pα obviously still satisfies φ and
for every loop i ∈ [1, k − 1], n[i ] > 2.td(ψΓ ) + 5 iff n0 [i ] > 2.td(ψΓ ) + 5.
Note that in Theorem 8, we obtain the bound as max(2N + 1, 5)
where N ≥ td(ψΓ ). Thus, for any formula ψΓ , we can take the lower
0
bound of the theorem as 2td(ψΓ ) + 5. Thus, using Theorem 8, p1 (l1 )n [1]
0
0
· · · pk−1 (lk−1 )n [k−1] pk (lk )ω ∈ L(ψΓ ) and hence we have p1 (l1 )n [1] · · · pk−1
0
(lk−1 )n [k−1] pk (lk )ω ∈ L(ψ).
Now, let us bound the values in n0 .
• There are at most 2pol2 (size(cps)) periods.
• Each basis or period has values in [0, 2pol1 (size(cps)) ].
• Each period in n0 is taken at most 2.td(ψ) + 5 times.
Consequently, each n0 [i ] is bounded by
2pol1 (size(cps)) + (2.td(ψ) + 5)2pol1 (size(cps)) × 2pol2 (size(cps))
which is itself bounded by (2.td(ψ) + 5)2pol1 (size(cps))+pol2 (size(cps)) .
This allows us to conclude that PLTL has an exponentially bounded
limiting loops map f PLTL such that f PLTL (ψ, cps) has the value (2.td(ψ)
+ 5)2pol1 (size(cps))+pol2 (size(cps)) for any PLTL formulae ψ and any constrained path schema cps.
In order to show that MC(PLTL, FlatCS) can be achieved in NP,
thanks to Theorem 7, it remains to prove that the membership problem for PLTL over a constrained alphabet of the form h at, agn , 2at∪agn i
is in PTime. Given a constrained path schema cps = h p1 (l1 )∗ · · · pk−1
77
78
linear temporal logic with past
(lk−1 )∗ pk (lk )ω , φ(y1 , . . . , yk−1 )i over h at, agn , Γi, a specification ψ ∈ PLTL
and n1 , . . . , nk−1 ∈ N, the membership problem consists in verifying
whether the word w = p1 (l1 )n1 · · · pk−1 (lk−1 )nk−1 pk (lk )ω belongs to
L(ψ) (or equivalently L(ψΓ ) thanks to Lemma 16).
In [MS03, Theorem 3.2] it is shown that checking whether u · (v)ω |=
φ (where u · (v)ω ∈ Σω is an ultimately periodic word and φ is a PLTLΣ
formula) can be done in time O(size(uv)size(φ)2 ). Thus, checking
whether w ∈ L(ψΓ ) can be done in polynomial time in size(ψ) +
size(cps) by using [MS03, Theorem 3.2]. By Theorem 8, we only
0
0
need to check for w0 = p1 (l1 )n1 · · · pk−1 (lk−1 )nk−1 pk (lk )ω with ni0 =
min(ni , 2.td(ψ) + 5), whether w0 ∈ L(ψΓ ). Note that, in this case u =
0
0
p1 (l1 )n1 · · · pk−1 (lk−1 )nk−1 pk and v = lk and thus, size(uv)size(ψΓ )2 is
bounded by size(cps)size(ψΓ )2 . Hence, using [MS03, Theorem 3.2],
we get that membership problem for PLTLΓ can be done in time
O(size(cps)size(ψ)2 ). Since, cps is defined over the constrained alphabet h at, agn , Γi, we know that L(cps) ∩ L(ψ) ⊆ L(ψ) ∩ Γω = L(ψΓ )
by Lemma 16. This gives us the following theorem,
Theorem 10. The membership problem with PLTL is in PTime.
The above theorem alongwith Theorem 7, allows us to conclude
that the model-checking problem for PLTL over flat counter systems
is in NP.
Lemma 17. MC(PLTL, FlatCS) is in NP.
Note that from the above method, we also get the following corollary,
Lemma 18. [KF11] MC(PLTL, FlatKS) is in NP.
To show a matching lower bound for the problem, we provide an
easy reduction from the propositional satisfiability problem (SAT).
This is provided in the next theorem. Intuitively it is not hard to see
that the propositional formula can be seen as a guard and in the path
schema, one loop for each variable is used to guess the truth value
of the variables. We give the reduction in the proof of the following
lemma.
Lemma 19. MC(PLTL, FlatCS) is NP-hard.
Proof. The proof is by reduction from the SAT problem and a similar
proof also appears in [KF11]. Here we will consider a much more restrictive structure for the reduction. The constructed flat counter system is actually a path schema with no counters and hence no guards
or updates. Similarly, the PLTL formula we construct here, has no
counter constraints. Let φ be a Boolean formula built over the propositional variables AP = {p1 , · · · , pn }. We build a flat counter system
in the shape of a path schema P and a formula ψ such that φ is satisfiable iff there is a run in P and satisfying ψ. The flat counter system
4.3 global model-checking
q1
q2
q3
qn
Figure 7: A path schema without counters P
P is the one described in Figure 7 so that the truth of the propositional variable pi is encoded by the fact that the loop containing qi is
visited twice, otherwise it is visited once. The formula ψ is defined
as a conjunction ψ1∨2 ∧ ψtruth where ψ1∨2 states that each loop is visited at most twice and ψtruth establishes the correspondence between
the truth of pi and the number of times the loop containing qi is visV
ited. Formula ψ1∨2 is equal to [ i (G(qi ⇒ XG¬qi ))] whereas ψtruth is
defined from φ by replacing each occurrence of pi by F(qi ).
Let us check the correctness of the reduction. Let v : AP → {>, ⊥}
be a valuation satisfying φ. Let us consider the run ρ in P such that
if v(pi ) = > then the loop with qi is taken once, otherwise it is not
visited for all i ∈ [1, n]. It is easy to check that ρ, 0 |= ψ. Conversely,
if there is a run ρ in P such that ρ, 0 |= φ, the valuation v satisfies φ
where for all i ∈ [1, n], we have v(pi ) = > iff the loop with qi is taken
once.
From Lemma 18 and Lemma 19, we can now state the optimal
complexity bound for the model-checking problem of PLTL.
Theorem 11. MC(PLTL, FlatCS) is NP-complete.
Notice that the hardness proof does not use any counter or guards
in either the model or the formula constructed. Hence, NP-hardness
holds for the model-checking PLTL formula without counter constraints over flat Kripke structures. Furthermore, since flat Kripke
structures form a subclass of flat counter systems, we conclude this
new result for flat Kripke structures.
Corollary 2. Model-checking flat Kripke structures over PLTL formulae is
NP-complete.
4.3
global model-checking
Recall that by definition, the global model-checking problem for PLTL,
GMC(PLTL,FlatCS), asks for a Presburger formula whose solutions
are exactly the initial value of counters such that there exists a run
from the configuration satisfying the PLTL specification. Given a flat
counter system S, its decomposed set of parameterized constrained
79
80
linear temporal logic with past
path schemas X and the PLTL specification A, the existential Presburger formula φ(z1 , . . . , zn ) has the form below
_
_
h p1 (l1 )∗ ··· pk−1 (lk−1 )∗ pk (lk )ω ,ψi∈ X {~y : p l~y[1] p l~y[2] ...l~y[k−1] p l ω |= A0 }
2 2
1 1
k k
k −1
∃ y1 · · · yk−1 ψ(y1 , . . . , yk−1 , z1 , . . . , zn ) ∧ ψ1 ∧ · · · ∧ ψk−1
where
1. pcps = h p1 (l1 )∗ · · · pk−1 (lk−1 )∗ pk (lk )ω , ψ(x1 , . . . , xk−1 , z1 , . . . , zn )i,
2. h at, agn , Γ0 i is the alphabet of pcps and by Lemma 16, there is a
specification A0 such that L( A0 ) = L( A) ∩ (Γ0 )ω .
0
3. the second generalized disjunction deals with ~y ∈ [0, 2size( A )+1 +
1 ] k −1 .
def
4. For i ∈ [1, k − 1], ψi = (y1 = α) if ~y[i ] = α < 2.td( A0 ) + 5
def
otherwise ψi = (yi ≥ 2.td( A0 ) + 5).
The Presburger formula intuitively states that at least one of the parameterized constrained path schemas in X (first disjunction) satisfies
the condition that, we can find at least one vector ~y such that,
1. The parameterized constraint of the pcps is satisfied and
2. Satisfiability of A0 is preserved using stuttering theorem.
This ensures that there is an accepting run of A0 on some word w ∈
L( p1 (l1 )∗ · · · pk−1 (lk−1 )∗ pk (lk )ω ).
4.4
the curious case of fixed number of loops
The previous proof for NP-hardness uses a flat counter system with
n loops, where n is the number of variables in the propositional formula. One way to investigate further is to restrict the type of structure
allowed. In particular we would like to see what happens when the
number of loops allowed in the flat counter systems is a fixed integer. As we will see that the model-checking problem of PLTL over
flat counter systems turns out to be NP-hard even when only two
loops are allowed. The reduction is again done from the propositional satisfiability problem but differently than before. We will denote the class of flat counter systems with two loops as PS2 . Clearly,
the models used in the present proof and the proof before has similarity with structures of path schemas. Though a crucial difference is
that whereas every loop in a path schema is required to be taken at
least once by any run repecting the path schema, the same is not true
for runs in a flat counter systems.
Theorem 12. MC(PLTL, PS2 ) is NP-hard.
4.4 the curious case of fixed number of loops

x1 <
2n ,








1
1
.
.
.










>,
1

>,
q0








0
0
.
.
.
0
2n

 n −1
 2


.

.

.

21


















q1
Figure 8: Path schema P
Proof. The proof is by reduction from the problem SAT. Let φ be a
Boolean formula built over the propositional variables in {p1 , · · · , pn }.
We build a flat counter system P ∈ PS2 , an initial configuration (all
counters are equal to zero) and a formula ψ such that φ is satisfiable
iff there is a run in P and starting at the initial configuration such
that it satisfies ψ. The flat counter system P is the one described in
Figure 8; it has one internal loop and a second loop that is visited
infinitely. The guard x1 < 2n enforces that the first loop is visited α
times with α ∈ [0, 2n−1 ], which corresponds to guess a propositional
valuation such that the truth value of the propositional variable pi is
> whenever the ith bit of α is equal to 1. When α is encoded in binary
with n bits, we assume the first bit is the most significant bit.
Since the logical language does not allow to access to the ith bit of a
counter value, we simulate the test by arithmetical constraints in the
formula when the second loop of the path schema is visited. For every
α ∈ [0, 2n−1 ] and every i ∈ [1, n], we write αiu to denote the value in
[0, 2i − 1] corresponding to the i first bits of α. Similarly, we write αid
to denote the value in [0, 2n+1−i − 1] corresponding to the (n + 1 − i )
last bits of α. Observe that for all i ∈ [1, n], α = αiu × 2n−i+1 + αid . One
can show that the propositions below are equivalent:
1. ith bit of α is 1,
2. there is some k ≥ 0 such that k × 2n+1−i + α ∈ [2n + 2n−i , 2n +
2n +1− i − 1 ] .
Intuitively, ith bit in the representation of α remains 1 for a block of
2i−1 consecutive value. Hence, from any value of α if we continue
adding 2i , then the ith bit will remain in the same value. Notice from
the table, that the values for which ith bit is 1 after 2n lies in the interval [2n + 2n−i , 2n + 2n−i+1 ]. Since α < 2n , this fact allows us to check
the value of ith bit by checking whether addition of 2i forces it to have
a value in the interval [2n + 2n−i , 2n + 2n−i+1 ] or not. Exactly this is
checked by the PLTL formula using counter constraints. Actually, we
shall show that k is unique and the only possible value is 2i−1 − αiu .
81
82
linear temporal logic with past
Before showing the equivalence between (1.) and (2.), we can observe
that condition (2.) can be expressed by the following formula
F(q1 ∧ ((xi ) ≥ 2n + 2n−i ) ∧ ((xi ) ≤ 2n + 2n−i+1 − 1))
First, note that [2n + 2n−i , 2n + 2n+1−i − 1] contains 2n−i distinct
values and therefore satisfaction of (2.) implies unicity of k since
2n+1−i > 2n−i . Second, ith bit of α is equal to 1 iff αid ∈ [2n−i , 2n+1−i −
1]. Now, observe that (2i−1 − αiu )2n+1−i + (α) = 2n + αid . So, if (1.), then
αid ∈ [2n−i , 2n+1−i − 1] and consequently 2n + αid ∈ [2n + 2n−i , 2n +
2n+1−i − 1]. So, there is some k ≥ 0 such that k × 2n+1−i + (α) ∈
[2n + 2n−i , 2n + 2n+1−i − 1] (take k = 2i−1 − αiu ). Now, suppose that (2.)
holds true. There is k ≥ 0 such that k × 2n+1−i + (α) ∈ [2n + 2n−i , 2n +
2n+1−i − 1]. So, k × 2n+1−i + (α) − 2n ∈ [2n−i , 2n+1−i − 1] and therefore k × 2n+1−i + αid − (2i−1 − αiu ) × 2n+1−i ∈ [2n−i , 2n+1−i − 1]. Since
the expression denotes a non-negative value, we have k ≥ (2i−1 − αiu )
(indeed αid < 2n+1−i ) and since it denotes a value less or equal to
2n+1−i − 1, we have k ≤ (2i−1 − αiu ). Consequently, k = 2i−1 − αiu and
therefore αid ∈ [2n−i , 2n+1−i − 1], which is precisely equivalent to the
fact that the ith bit of α is equal to 1.
The formula ψ is defined from φ by replacing each occurrence of
pi by F(q1 ∧ ((xi ) ≥ 2n + 2n−i ) ∧ ((xi ) ≤ 2n + 2n−i+1 − 1)). Intuitively,
P contains one counter by propositional variable and all the counters
hold the same value after the first loop. Next, in the second loop, we
check that the ith bit of α − 1 is one by incrementing xi by 2n+1−i .
We had to consider n counters since the increments differ. In order
to check whether the ith bit of counter xi is one, we add repeatedly
2n+1−i to the counter. Note that this ensures that the bits at positions
i to n remain the same for the counter whereas the counter is incremented till its value is greater or equal to 2n . Eventually, we may deduce that the counter value will belong to [2n + 2n−i , 2n + 2n−i+1 − 1].
Let us check the correctness of the reduction. Let v : {p1 , . . . , pn } →
{>, ⊥} be a valuation satisfying φ. Let us consider the run ρ respecting P such that the first loop is taken α = (v( p1 )v( p2 ) · · · v( pn ))2 + 1
times and the initial counter values are all equal to zero. > is read
as 1, ⊥ as 0 and (v( p1 )v( p2 ) · · · v( pn ))2 denotes the value of the natural number made of n bits in binary encoding. Hence, for every
i ∈ [1, n], the counter xi contains the value α after the first loop. As
noted earlier, v( pi ) = 1 implies that adding 2n−i+1 repeatedly to xi in
the last loop, we will hit [2n + 2n−i , 2n + 2n−i+1 − 1]. Hence, the formula F(q1 ∧ ((xi − 1) ≥ 2n + 2n−i ) ∧ ((xi − 1) ≤ 2n + 2n−i+1 − 1)) will
be satisfied by ρ iff v(pi ) = 1. It is easy to check thus, that ρ, 0 |= ψ.
Conversely, if there is a run ρ respecting P such that ρ, 0 |= φ and the
initial counter values are all equal to zero, the valuation v satisfies
φ where for all i ∈ [1, n], we have v(pi ) iff the ith bit in the binary
encoding of α is 1, where α is the number of times the first loop is
taken.
4.5 summary
Even though for model-checking problem over flat Kripke structure and flat counter system are in the same complexity class, this
is not true when the structures are restricted to path schematic flat
counter system and a fixed number of loops. As we have shown in
Theorem 12, for path schemas from flat counter systems restricted
to even two loops, the model-checking problem for PLTL is NP-hard.
This is not the case for model-checking of path schemas from Kripke
structures over PLTL formulas without counter constraints. From the
stuttering theorem, we know that for model-checking a PLTL formula
φ without counter constraint over a path schema from Kripke structures, P with exactly k loops, we need to consider (2.td(φ) + 5)k possible ultimately periodic paths (taking each loop in all possible iterations i ∈ [1, 2.td(φ) + 5]). For a fixed k the value (2.td(φ) + 5)k
is polynomial in size(φ). Moreover, as observed earlier, each of the
(2.td(φ) + 5)k ultimately periodic paths can be checked in PTime.
Hence, we have the followin theorem
Theorem 13. The model-checking problem for PLTL over flat Kripke structures with constant number of loops is in PTime.
4.5
summary
In this chapter the main result is that the model-checking problem
MC(PLTL, FlatCS) is NP-complete (Theorem 11). To prove this, we
first show a stuttering theorem (Theorem 8) for an unconstrained alphabet allowing us to bound the maximum number of times required
to repeat any word to satisfy a PLTL formula to a polynomial in the
size of the formula. This in turn allowed us to obtain an exponentially bounded limiting loops map for PLTL (Theorem 9). Once we
have that, we followed results from [MS03] and Theorem 7 to deduce that MC(PLTL, FlatCS) is in NP (Lemma 18). A straightforward
reduction from the satisfiability problem of propositional logic shows
the NP-hardness of the model-checking problem (Lemma 19). Furthermore, we show that constraining the number of loops allowed
in the structure brings the complexity of model-checking for path
schemas from Kripke structure to PTime, whereas for path schemas
from counter systems, with the same restriction, the problem is still
NP-hard (Theorem 12). Thus, we obtain a sharp complexity bound
for the model-checking problem of PLTL over flat counter system.
83
5
FIRST ORDER LOGIC
First order logic quite naturally expresses properties of runs. Our
version of first order logic FO presented before, allows counter constraints as atomic propositions. This makes it quite suitable for naturally expressing the properties about runs in a counter system. Even
though PLTL can be shown to be expressively similar to FO [Kam68],
FO is exponentially more succinct in expressing properties than PLTL.
This leads to a known gap in the complexity of the model-checking
problem of finite state systems over these two logics. As stated in the
previous chapter, the model-checking problem for finite-state system
over PLTL is known to be PSpace-complete but the same problem
is known to be non-elementary for first order logic [Sto74]. Indeed,
the results from the previous chapter, can give us decidability of the
model-checking problem for first order logic over flat counter systems. This can be done by translating the given FO formula φ to
an equivalent PLTL formula φ0 using the results from [Kam68] and
then applying the algorithm for model-checking PLTL from previous
chapter. Even though this shows the decidability of the problem, this
does not give us a tight complexity bound for the problem as the
translation of formula can result in non-elementary blow-up. These
properties make it interesting to investigate the complexity bounds of
the model-checking problem. We will show that following the same
roadmap of Section 3.3.3, we also obtain a tight complexity bound of
PSpace for this problem. As with PLTL in the previous chapter, we
will also note here that the complexity of the model-checking problem
drops to PSpace, when we consider flat Kripke structures as models.
And, similar to before, the complexity does not change when we allow flat counter systems as models and counter constraints in the
logic.
To be able to apply the algorithm in Section 3.3.3, we need to first
show that FO has an exponentially bounded limiting loops map f FO .
Then, we present an algorithm to check membership problem for FO.
These two results with Theorem 7 allow us to get a complexity bound
for the model-checking procedure which turns out to be sharp. To
prove that FO admits an exponentially bounded limiting loop map
and obtain the bounds on the map, first we will prove a general result
called Stuttering theorem for FO over an unconstrained alphabet. The
stuttering theorem is proved for FO using Ehrenfeucht-Fraïssé Games.
Thus, in the following sections we will first start with defining these
games and then go on to utilise them to obtain necessary results.
85
86
first order logic
5.1
fo on constrained alphabet
As with PLTL, here we will first show the stuttering theorem for the
version of First order logic defined over only set of propositional alphabet Σ, denoted as FOΣ . Note that FOΣ does not allow counter constraints as atomic propositions in the formula. The models of FOΣ can
be seen as infinite words over Σ. In the following sections we will only
consider this kind of model and later apply shown on such models
over models over constrained alphabet. Given a FOΣ sentence φ, we
write w |= φ when w |= f φ for an arbitrary position assignment f .
The language of ω-words w over Σ associated to a sentence φ is then
L(φ) = {w ∈ Σω | w |= φ}. For every n ∈ N, we define the equivalence relation ≈n between ω-words over Σ as: w ≈n w0 when for every
sentence φ with qh(φ) ≤ n, w |= φ iff w0 |= φ.
5.2
ehrenfeucht-fraïssé games
Ehrenfeucht-Fraïssé (EF) game is a well-known technique to determine whether two structures are equivalent with respect to a set of
formulae. We recall here the definition of a EF game adapted to our
need (over first-order structures which are ω-words in Σω ). Given
N ∈ N and two ω-words w, w0 over Σ, the main idea of the corresponding EF game is that two players, the Spoiler and the Duplicator,
plays in a turn-based manner. The Spoiler begins by choosing a word
between w and w0 and a position in this word, then the Duplicator
aims at finding a position in the other word which is similar and this
continues for N rounds. At the end, the Duplicator wins if the set of
chosen positions respects some isomorphism. We now move to the
formal definition of such a game.
Let w and w0 be two ω-words over Σ. We define a play Π (w, w0 )
as a finite sequence of triples h p1 , a1 , b1 i · h p2 , a2 , b2 i · · · h pi , ai , bi i in
({0, 1} × N2 )∗ where for each triple the first element describes which
word among {w, w0 } has been chosen by the Spoiler (0 for the word
w), then the second element corresponds to the position chosen in w
and the third element the position chosen in w0 by the Spoiler or the
Duplicator according to the word chosen by the Spoiler. For instance
if p1 = 1, this means that at the first turn Spoiler has chosen the position b1 in w0 and Duplicator the position a1 in w. Such a play of size
i ∈ N is called an i-round play (a 0-round play being an empty sequence). A strategy for the Spoiler is a mapping σS : ({0, 1} × N2 )∗ →
{0, 1} × N which takes as input a play and outputs 0 or 1 for words w
or w0 respectively and a position in the word. Similarly, a strategy for
the Duplicator is a mapping σD : ({0, 1} × N2 )∗ × ({0, 1} × N) → N
with the difference being that Duplicator takes into account the word
chosen and the position played by the Spoiler in the current round.
For all i ∈ N, a strategy σS for the Spoiler and a strategy σD for the
5.3 stuttering theorem using ef games
Duplicator, the i-round play over w and w0 and following σS and σD ,
denoted as ΠiσS ,σD (w, w0 ), is defined inductively as follows:
• Π0σS ,σD (w, w0 ) = ε (i.e. the empty sequence);
0
D
• for all i > 1, ΠiσS ,σD (w, w0 ) = Πiσ−S ,σ
1 ( w, w )( p, a, b ) such that:
def
0
D
– if p = 0, then we have, (0, a) = σS (Πiσ−S ,σ
1 ( w, w )) and b =
0
D
σD (Πiσ−S ,σ
1 ( w, w ), (0, a ));
0
D
– if p = 1, then we have, (1, b) = σS (Πiσ−S ,σ
1 ( w, w )) and a =
σS ,σD
0
σD (Πi−1 (w, w ), (1, b)).
For every N ∈ N, a N-round play ( p1 , a1 , b1 )( p2 , a2 , b2 ) · · · ( p N , a N , b N )
over w and w0 is winning for Duplicator iff the following conditions
are satisfied for all i, j ∈ [1, N ]:
• ai = a j iff bi = b j ,
• ai + 1 = a j iff bi + 1 = b j ,
• ai < a j iff bi < b j ,
• w [ a i ] = w 0 [ bi ] .
A N-round EF game over the ω-words w, w0 , denoted as EFN (w, w0 ),
is said to be winning if there exists a strategy σD for Duplicator such
that for all strategies σS of Spoiler, the play ΠσNS ,σD (w, w0 ) is winning
for Duplicator. We write w ≡ N w0 iff the game EFN (w, w0 ) is winning.
Theorem 14 below states that given two ω-words, the associated Nround game is winning if and only if these two ω-words satisfy the
same set of first-order formulae of quantifier height smaller than N.
This last result is known as the Ehrenfeucht-Fraïssé Theorem, see for
instance [Lib04, Theorem 4.9].
Theorem 14. (EF Theorem) For all ω-words w, w0 in Σω , w ≡ N w0 iff
w ≈ N w0 .
We will use EF games to prove a stuttering theorem for formulas
from FOΣ , a variant of FO defined over the alphabet Σ. This would allow us to bound the number of times each loop needs to be taken in a
path schema in order to satisfy a FOΣ formula. Note that in [EW00],
EF games have been introduced for the specific case of LTL specifications, showing also small model properties. A proof for a similar
property for FO using EF games can be obtained from [Tho96] showing congruence of two words with repeating sequences with respect
to formulas with bounded quantifier depth. We provide the proof
tailored to our specific structure to be complete.
5.3
stuttering theorem using ef games
In this section, we prove that if in an ω-sequence w, a subword u is repeated consecutively a large number of times, then this ω-word and
87
88
first order logic
Two letter word u = ···
···
w1
a −3
a −2
b− 3
b− 2
w1
···
···
|
w2
a −1
· · · a0
b− 1
|
· · · b0
w2
Figure 9: Postions in two words
other ω-words obtained by removing some of the repetitions of u satisfy the same set of FOΣ sentences, this is what we call the stuttering
theorem for FOΣ . Such a result allows us to bound the repetition of iterations of loops in path schema and thus to obtain a model-checking
algorithm that is complexity-wise optimal. In order to prove the stuttering theorem for FOΣ , we will use EF games. We point out the fact
that this result is very similar to the one stating that two linear structures of size 2k cannot be distinguished by first-order formula of size
k [Lib04, Theorem 3.6]. The proof of this last result uses as well EF
games and is quite similar to the one we propose, however we wanted
to provide a dedicated proof based on EF games for our stuttering
theorem rather than giving an eventual reduction to this last result.
In the sequel we consider a natural N ≥ 1 and two ω-words over
Σ of the following form w = w1 u M w2 , w0 = w1 u M+1 w2 ∈ Σω with
M > 2 N +1 , w1 ∈ Σ∗ , u ∈ Σ+ and w2 ∈ Σω . We will now show that the
game EFN (w, w0 ) is winning. The strategy for Duplicator will work as
follows: at the i-th round (for i ≤ N), if the point chosen by the Spoiler
is close to another previously chosen position then the Duplicator will
choose a point in the other word at the exact same distance from the
corresponding position and if the point is far from any previously
chosen position then in the other word the Duplicator will chose a
position also far away from any previously chosen position.
Before providing a winning strategy for the Duplicator, we define
some invariants on any i-round play (with i ≤ N) that will be maintained by the Duplicator’s strategy. In order to define this invariant
and the Duplicator’s strategy, let us introduce a few notations that
will be useful in the sequel:
• a−3 = b−3 = 0; a−2 = b−2 = len(w1 );
• a−1 = len(w1 u M ) and b−1 = len(w1 u M+1 );
• a0 = b0 = ω.
Positions a−3 , a−2 , a−1 , a0 and b−3 , b−2 , b−1 , b0 are illustrated in Figure 9.
We extend the subtraction and addition operations in order to deal
with N ∪ {−ω, ω } such that: α − ω = −ω, ω − α = ω and ω + α = ω
if α ∈ N (no need to define the other cases for what follows). The
5.3 stuttering theorem using ef games
relation < on N ∪ {−ω, ω } is extended in the obvious way (for all
n ∈ N, −ω < n < ω). Given an i-round play Πi = h p1 , a1 , b1 i ·
h p2 , a2 , b2 i · · · h pi , ai , bi i, we say that Πi respects the invariant I iff the
following conditions are satisfied for all j, k ∈ [−3, i ]:
1. a j ≤ ak iff b j ≤ bk ,
2. | a j − ak | < 2 N +1−i len(u) iff | b j − bk |< 2 N +1−i len(u),
3. | a j − ak | < 2 N +1−i len(u) implies a j − ak = b j − bk ,
4. a j ≤ a−2 or b j ≤ b−2 implies b j = a j ,
5. a j ≥ a−1 or b j ≥ b−1 implies b j = a j + len(u),
6. a−2 < a j < a−1 or b−2 < b j < b−1 implies
| a j − b j |= 0 mod len(u).
First, we remark the invariant I is a sufficient condition for a play to
be winning as stated by the following lemma.
Lemma 20. If an N-round play over w and w0 respects I, then it is a
winning play for the Duplicator.
Proof. We consider the N-round play over w and w0 , Π N (w, w0 ) =
h p1 , a1 , b1 i · h p2 , a2 , b2 i · · · h p N , a N , b N i. We suppose that Π N (w, w0 ) respects I and we will prove that Π N (w, w0 ) is winning. Let i, j ∈ [1, N ].
• First using condition I.2, we have ai = a j iff bi = b j .
• We prove now that ai + 1 = a j iff bi + 1 = b j . Assume that
ai + 1 = a j , then | a j − ai | < 2 N +1− N and consequently using
condition I.3 for any value of len(u), we have a j − ai = b j −
bi = 1 from which we deduce bi + 1 = b j . Now if bi + 1 = b j ,
then |b j − bi | < 2 N +1− N , and using condition I.2, we also have
| a j − ai | < 2 N +1− N , hence condition I.3 allows us to deduce that
ai + 1 = a j .
• Condition I.1 also guarantees that ai < a j iff bi < b j .
• It remains to prove that w[ ai ] = w0 [bi ]. First we recall that w =
w1 u M w2 , w0 = w1 u M+1 w2 ∈ Σω , a−2 = b−2 = len(w1 ), a−1 =
len(w1 u M ) and b−1 = len(w1 u M+1 ). Now we perform a case
analysis on the value of ai .
– If ai ≤ a−2 , then by condition I.4 we have ai = bi , and since
a−2 = b−2 = len(w1 ), we deduce that that ai and bi points
at the same position in the word w1 , hence w[ ai ] = w0 [bi ];
– If ai ≥ a−1 , then by condition I.5 we have bi = ai + len(u),
and since a−1 = len(w1 u M ), b−1 = len(w1 u M+1 ) and w =
w1 u M w2 and w0 = w1 u M+1 w2 , we deduce that ai and bi
points at the same position in the word w2 , consequently
w [ a i ] = w 0 [ bi ] ;
89
90
first order logic
– If a−2 < ai < a−1 , then by condition I.1 we have b−2 < bi <
b−1 , consequently ai points at the ( ai − a−2 )-th letter in the
word u M and bi points at the (bi − b−2 )-th letter in the word
u M+1 ; since |( ai − a−2 ) − (bi − b−2 )| = | ai − bi | and since
by condition I.5 we have | ai − bi |= 0 mod len(u), then
at positions ai and bi we find the same letter of the word
u (namely the (( ai − a−2 )mod len(u))-th letter of u), hence
w [ a i ] = w 0 [ bi ] .
Given an (i − 1)-round play Πi−1 = h p1 , a1 , b1 i · h p2 , a2 , b2 i · · · h pi−1 ,
ai−1 , bi−1 i and ai ∈ N such that ai 6∈ { a−3 , a−2 , . . . , ai−2 , ai−1 }, we
def
def
define left( ai ) = max( ak | k ∈ [−3, i − 1] and ak < ai ) and right( ai ) =
min( ak | k ∈ [−3, i − 1] and ai < ak ) (i.e. left( ai ) and right( ai ) are the
closest neighbor of ai ). We define similarly left(bi ) and right(bi ).
We define now a strategy σ̂D for the Duplicator that respects at each
round the invariant I no matter what the Spoiler plays. By Lemma 20,
we can conclude that this strategy is winning for the Duplicator. Let
i ∈ [1, N ] and Πi−1 = h p1 , a1 , b1 i · h p2 , a2 , b2 i · · · h pi−1 , ai−1 , bi−1 i be
a (i − 1)-round play. First, we will define bi = σ̂D (Πi−1 , h0, ai i) that
is what Duplicator answers if the Spoiler chooses position ai in the
ω-word w. We have bi = σ̂D (Πi−1 , h0, ai i) defined as follows:
def
• If ai = a j for some j ∈ [−3, i − 1], then bi = b j ;
def
def
• Otherwise, let al = left( ai ) and ar = right( ai ):
def
– If ai − al ≤ ar − ai , we have bi = bl + ( ai − al )
def
– If ar − ai < ai − al , we have bi = br − ( ar − ai )
Similarly we have ai = σ̂D (Πi−1 , h1, bi i) defined as follows:
def
• If bi = b j for some j ∈ [−3, i − 1], then ai = a j ;
def
def
• Otherwise, let bl = left(bi ) and br = right(bi ):
def
– If bi − bl ≤ br − bi , we have ai = al + (bi − bl )
def
– If br − bi < bi − bl , we have ai = ar − (br − bi )
This strategy for the Duplicator works intuitively as follows: if the
Spoiler chooses a position which has already been proposed before
then the Duplicator will play the same associated position, otherwise
the Duplicator will look which is the previously played position the
closest to the newly played position by Spoiler and if for instance this
closest position has been chosen at round l, then he will play in his
word at the same distance from the corresponding l-th position.
Lemma 21. For any Spoiler’s strategy σS and for all i ∈ [0, N ], we have
that ΠiσS ,σ̂D (w, w0 ) respects I.
5.3 stuttering theorem using ef games
Proof. The proof proceeds by induction on i. The base case for i = 0
is obvious since the empty play respects I. However, we need to use
the fact that M > 2 N +1 (otherwise condition I.2 might not hold). Let
σS be a Spoiler’s strategy and for every i ∈ [1, N − 1], we assume that
Πiσ−S ,1σ̂D (w, w0 ) respects I. Suppose that σS (Πiσ−S ,1σ̂D (w, w0 )) = h0, ai i and
let bi = σ̂D (Πiσ−S ,1σ̂D (w, w0 ), h0, ai i). We will now prove that ΠiσS ,σ̂D (w, w0 )
respects the six conditions of I. In the sequel, we always assume that
al = left( ai ), ar = right( ai ), bl = left(bi ) and br = right(bi ).
• Condition (I.1) Let j, k ∈ [−3, i ]. If j, k ∈ [−3, i − 1], then by the
induction hypothesis, a j ≤ ak iff b j ≤ bk . Otherwise, let suppose
j = i and k 6= i (only remaining interesting case). If ai = a j0
for some j0 ∈ [−3, i − 1], then bi = b j0 and therefore ai ≤ ak iff
bi ≤ bk by the induction hypothesis. Otherwise, al < ai < ar .
First note that by induction hypothesis we have bl < br . We will
show that we also have bl < bi < br by a case analysis.
Case 1: ar − al < 2 N +2−i len(u). Then by induction hypothesis,
using I.3, we have ar − al = br − bl . If ai − al ≤ ar − ai , then
bi = bl + ( ai − al ) and consequently bl < bi < br . Similarly, if
ar − ai < ai − al then bi = br − ( ar − ai ), and in that case we also
have bl < bi < br .
Case 2: ar − al ≥ 2 N +2−i len(u). Then by induction hypothesis,
using I.3, we have br − bl ≥ 2 N +2−i len(u). But then if ai − al ≤
ar − ai , we have ai − al ≤ 2 N +1−i len(u), and since in that case
bi = bl + ( ai − al ), we deduce bl < bi < br . Similarly if ar −
ai < ai − al , then ar − ai < 2 N +1−i len(u), and since in that case
bi = br − ( ar − ai ), we also have bl < bi < br .
Hence if al < ai < ar , we have bl < bi < br which entails that
ai ≤ ak iff bi ≤ bk .
• Condition (I.4) The case j ∈ [−3, i − 1] is immediate from the
induction hypothesis. Now, suppose that a−3 ≤ ai ≤ a−2 . If
ai = a j for some j ∈ [−3, i − 1], then bi = b j and a−3 ≤ a j ≤ a−2 .
By induction hypothesis, bi = b j = a j = ai . Otherwise, al <
ai < ar and al = bl and ar = br by induction hypothesis. Either
ai − al ≤ ar − ai or ar − ai < ai − al implies that bi = ai .
• Condition (I.5) The case j ∈ [−3, i − 1] is immediate from the
induction hypothesis. Now, suppose that a−1 ≤ ai . If ai = a j for
some j ∈ [−3, i − 1], then bi = b j and a−1 ≤ a j . By induction
hypothesis, bi = b j = a j + len(u) = ai + len(u). Otherwise, al <
ai < ar and bl = al + len(u) and (br = ar + len(u) or br = ar =
ω) by induction hypothesis. If ar 6= ω, then we have either bi =
bl + ( ai − al ) = ai + len(u) or bi = br + ( ai − ar ) = ai + len(u).
Otherwise, if ar = ω, then we have bi = bl + ( ai − al ) = ai +
len(u).
91
92
first order logic
• Condition (I.6) The case j ∈ [−3, i − 1] is immediate from the
induction hypothesis. Now, let us deal with j = i. Satisfaction
of (I.4) and (I.5) implies that a−2 < ai < a−1 iff b−2 < bi <
b−1 . Suppose that a−2 < ai < a−1 . So, al < ai < ar and by
induction hypothesis | al − bl |= 0 mod len(u) and | ar − br |=
0 mod len(u). If ai − al ≤ ar − ai , then bi = bl + ( ai − al ) and
| ai − bi |=| al − bl |, whence | ai − bi |= 0 mod len(u). Similarly,
if ar − ai < ai − al , then bi = br − ( ar − ai ) and | ai − bi |=|
ar − br |, whence | ai − bi |= 0 mod len(u).
• Condition (I.2) and (I.3) Let j, k ∈ [−3, i ]. If j, k ∈ [−3, i − 1],
then by the induction hypothesis, it is easy to verify that
– | a j − ak |< 2 N +1−i len(u) iff | b j − bk |< 2 N +1−i len(u),
– | a j − ak |< 2 N +1−i len(u) implies a j − ak = b j − bk .
Indeed, it is a consequence of the stronger properties below satisfied by induction hypothesis:
– | a j − ak |< 2 N +2−i len(u) iff | b j − bk |< 2 N +2−i len(u),
– | a j − ak |< 2 N +2−i len(u) implies a j − ak = b j − bk .
Otherwise, let suppose j = i and k 6= i (only remaining interesting case). If ai = a j0 for some j0 ∈ [−3, i − 1], then by the
induction hypothesis, we have
– | a j0 − ak |< 2 N +2−i len(u) iff | b j0 − bk |< 2 N +2−i len(u),
– | a j0 − ak |< 2 N +2−i len(u) implies a j0 − ak = b j0 − bk .
Again, this implies that
(I) | ai − ak |< 2 N +1−i len(u) iff | bi − bk |< 2 N +1−i len(u),
(II) | ai − ak |< 2 N +1−i len(u) implies ai − ak = bi − bk .
Now, suppose that there is no j0 ∈ [−3, i − 1] such that ai = a j0 .
So in this case, we have either ak ≤ al or ar ≤ ak (by definition
of al and ar ). We proceed by a case analysis.
Case 1: ai − al ≤ ar − ai and bi = bl + ( ai − al ).
Case 1.1: ak ≤ al .
– If ak = al then | ai − ak |=| bi − bk | and therefore I.2 and
I.3 hold.
– Assume now ak < al .
If | al − ak |≥ 2 N +1−i len(u), by induction hypothesis | bl −
bk |≥ 2 N +1−i len(u) and bk < bl < bi (using Condition I.1).
So, | ai − ak |≥ 2 N +1−i len(u) and | bi − bk |≥ 2 N +1−i len(u).
If | ai − al |≥ 2 N +1−i len(u), by definition of bl , | ai − al |=|
bi − bl |≥ 2 N +1−i len(u) and bk < bl < bi (using Condition
I.1). So, | ai − ak |≥ 2 N +1−i len(u) and | bi − bk |≥ 2 N +1−i .
If | al − ak |≤ 2 N +1−i len(u) and | ai − al |≤ 2 N +1−i len(u),
then by induction hypothesis we have | bl − bk |=| al − ak |.
5.3 stuttering theorem using ef games
Furthermore since | ai − al |=| bi − bl | and ak < al < ai
and bk < bl < bi (using Condition I.1). We deduce that
| ai − ak |=| bi − bk |, whence I.2 and I.3 hold.
Case 1.2: ar ≤ ak .
– If | ak − ar |≥ 2 N +1−i len(u) then by induction hypothesis,
| bk − br |≥ 2 N +1−i len(u). So, | ak − ai |≥ 2 N +1−i len(u) and
| bk − bi |≥ 2 N +1−i len(u) since ai < ar ≤ ak and bi < br ≤
bk thanks to Condition I.1.
– Assume now | ak − ar |≤ 2 N +1−i len(u). By induction hypothesis we have | bk − br |=| ak − ar | and we have the
two following subcases.
Case 1.2.1. | ar − al |≤ 2 N +2−i len(u). By induction hypothesis, | ar − al |=| br − bl | and therefore | br − bi |=| ar − ai |.
Whence, | bk − bi |=| ak − ai | so I.2 and I.3 hold.
Case 1.2.2 | ar − al |≥ 2 N +2−i len(u). By induction hypothesis, | br − bl |≥ 2 N +2−i len(u). Moreover, since ai − al ≤ ar −
ai , then ar − ai ≥ 2 N +1−i len(u) and ai − al ≤ 2 N +1−i len(u).
Since bi − bl = ai − al and since bl < bi < bl by Condition
I.1 we deduce that br − bi ≥ 2 N +1−i len(u). Hence we have
ak − ai ≥ 2 N +1−i len(u) and bk − bi ≥ 2 N +1−i len(u), which
guarantees I.2 and I.3.
Case 2: ar − ai < ai − al and bi = br − ( ar − ai ).
Case 2.1: ar ≤ ak .
– If ak = ar then | ai − ak |=| bi − bk | and therefore I.2 and
I.3 hold.
– Assume now ar < ak .
If | ak − ar |≥ 2 N +1−i len(u), by induction hypothesis | bk −
br |≥ 2 N +1−i len(u) and bi < br < bk (using Condition I.1).
So, | ak − ai |≥ 2 N +1−i len(u) and | bk − bi |≥ 2 N +1−i len(u).
If | ar − ai |≥ 2 N +1−i len(u), by definition of bi , | ar − ai |=|
br − bi |≥ 2 N +1−i len(u) and bi < br < bk (using Condition I.1). So, | ak − ai |≥ 2 N +1−i len(u) and | bk − bi |≥
2 N +1−i len(u).
If | ak − ar |≤ 2 N +1−i len(u) and | ar − ai |≤ 2 N +1−i len(u),
then by induction hypothesis we have | bk − br |=| ak − ar |.
Furthermore since | ar − ai |=| br − bi | and ai < ar < ak
and bi < br < bk (using Condition I.1). We deduce that
| ak − ai |=| bk − bi |, whence I.2 and I.3 hold.
Case 2.2: ak ≤ al .
– If | al − ak |≥ 2 N +1−i len(u) then by induction hypothesis,
| bl − bk |≥ 2 N +1−i len(u). So, | ai − ak |≥ 2 N +1−i len(u) and
93
94
first order logic
| bi − bk |≥ 2 N +1−i len(u) since ak ≤ al < ai and bk ≤ bl < bi
thanks to Condition I.1.
– Assume now | al − ak |≤ 2 N +1−i len(u). By induction hypothesis we have | bl − bk |=| al − ak | and we have the two
following subcases.
Case 2.2.1. | ar − al |≤ 2 N +2−i len(u). By induction hypothesis, | ar − al |=| br − bl | and therefore | bi − bl |=| ai − al |.
Whence, | bi − bk |=| ai − ak | so I.2 and I.3 hold.
Case 2.2.2 | ar − al |≥ 2 N +2−i len(u). By induction hypothesis, | br − bl |≥ 2 N +2−i len(u). Moreover, since ar − ai < ai −
al , then ai − al ≥ 2 N +1−i len(u) and ar − ai < 2 N +1−i len(u).
Since br − bi = ar − ai an d since bl < bi < bl by Condition
(1) we deduce that bi − bl ≥ 2 N +1−i len(u). Hence we have
ai − ak ≥ 2 N +1−i len(u) and bi − bk ≥ 2 N +1−i len(u), which
guarantees I.2 and I.3.
Using Lemma 20 and 21, we deduce that Duplicator has a winning
strategy against any strategy of the Spoiler in EFN (w, w0 ), so by Theorem 14, we can conclude the main theorem of this subsection.
Theorem 15 (Stuttering Theorem). If w = w1 u M w2 , w0 = w1 u M+1 w2 ∈
Σω such that N ≥ 1, M > 2 N +1 and u ∈ Σ+ , then w ≈ N w0 .
5.4
model-checking fo is pspace-complete
Let us characterize the complexity of MC(FO, FlatCS). We will here
again follow the general roadmap dictated by Theorem 7 (Chapter 3).
First we will show that Theorem 6 and Theorem 15 allows to prove
that FO over the constraint alphabet h at, agn , 2at∪agn i admits an exponentially bounded limiting loops map f FO . Before to prove this, we
need an intermediate lemma in order to be able to use the previous
result which were considering FO over an unconstrained alphabet.
This result allows basically to translate efficiently a formula over a
constrained alphabet into a formula over unconstrained alphabet.
Lemma 22. From a formula ψ in FO2at∪agn over h at, agn , 2at∪agn i and an
alphabet Γ ⊆ 2at∪agn , one can build a formula ψΓ in FOΓ whose size is
polynomial in the sizes of Γ and A and qh(ψΓ ) = qh(ψ) and such that
L(ψΓ ) = L(ψ) ∩ Γω .
Proof. We build ψΓ from ψ by replacing every occurrence of p(z) by
W
W
{a∈Γ|p∈a} a(z) and every occurrence of g(z) is replaced by {a∈Γ|g∈a}
a(z). It is easy to see that, by construction, L(ψΓ ) = L(ψ) ∩ (Γ)ω ,
that the size of ψΓ is polynomial in the size of Γ and ψ and that
qh(ψΓ ) = qh(ψ).
5.4 model-checking fo is pspace-complete
We are now ready to prove our first result concerning the specification language FO.
Theorem 16. FO has an exponentially bounded limiting loops map f FO .
Proof. Let ψ be a first-order sentence over the constrained alphabet
h at, agn , 2at∪agn i and let cps = h p1 (l1 )∗ · · · pk−1 (lk−1 )∗ pk (lk )ω , φ(x1 , . . . ,
xk−1 )i be a constrained path schema over the constrained alphabet
h at, agn , Γi.
Suppose that there exists n ∈ Nk−1 such that:
p1 (l1 )n[1] · · · pk−1 (lk−1 )n[k−1] pk (lk )ω ∈ L(cps) ∩ L(ψΓ ).
Let b ⊆ [0, 2pol1 (size(cps)) ]k−1 and P1 , . . . , Pα ∈ [0, 2pol1 (size(cps)) ]k−1 defined for the guard φ following Theorem 6 (Chapter 3). Since n |= φ,
there are b ∈ B and a ∈ Nα such that
n = b + a[1]P1 + · · · + a[α]Pα
Let a0 ∈ Nα defined from a such that
(
a[ i ]
if a[i ] ≤ 2qh(ψΓ )+1 + 1
0
a [i ] =
2qh(ψΓ )+1 + 1 otherwise
Note that n0 = b + a0 [1]P1 + · · · + a0 [α]Pα still satisfies φ and for
every loop i ∈ [1, k − 1], n[i ] > 2qh(ψΓ )+1 iff n0 [i ] > 2qh(ψΓ )+1 . By
0
0
Theorem 15, p1 (l1 )n [1] · · · pk−1 (lk−1 )n [k−1] pk (lk )ω ∈ L(ψΓ ) and hence
0
0
p1 (l1 )n [1] · · · pk−1 (lk−1 )n [k−1] pk (lk )ω ∈ L(ψ).
Now, let us bound the values in n0 .
• There are at most 2pol2 (size(cps)) periods.
• Each basis or period has values in [0, 2pol1 (size(cps)) ].
• Each period in n0 is taken at most 2qh(ψ)+1 + 1 times.
Consequently, each n0 [i ] is bounded by
2pol1 (size(cps)) + (2qh(ψ)+1 + 1)2pol2 (size(cps)) × 2pol2 (size(cps))
which is itself bounded by 2(qh(ψ)+2)+pol1 (size(cps))+pol2 (size(cps)) .
This allows us to conclude that FO has an exponentially bounded
limiting loops map f FO and also obtain the bound on the value of
f FO (ψ, cps) as 2(qh(ψ)+2)+pol1 (size(cps))+pol2 (size(cps)) for any FO formulae ψ and any constrained path schema cps.
In order to show that MC(FO, FlatCS) can be solved in polynomial
space, thanks to Theorem 7, it remains to prove that the Membership
problem for FO over a constrained alphabet like h at, agn , 2at∪agn i is
in PSpace. Given a constrained path schema cps = h p1 (l1 )∗ · · · pk−1
(lk−1 )∗ pk (lk )ω , φ(x1 , . . . , xk−1 )i over h at, agn , Γi, a specification ψ ∈ FO
95
96
first order logic
and n1 , . . . , nk−1 ∈ N, the Membership problem consists in verifying
whether the word w = p1 (l1 )n1 · · · pk−1 (lk−1 )nk−1 pk (lk )ω belongs to
L(ψ) (or equivalently L(ψΓ ) thanks to Lemma 22).
Checking whether w ∈ L(ψ) can be done in exponential space in
size(ψ) + size(cps) by using [MS03, Proposition 4.2]. Indeed, checking whether u · (v)ω |= φ (where u · (v)ω is an ultimately periodic
word and φ is a first-order sentence) can be done in space bounded by
O(size(uv)size(φ)2 ). When the ultimately periodic word is w this provides a space bound in O(size(cps) × N × size(ψ)2 ) where N is equal
to max({n1 , . . . , nk−1 }). Since the values n1 , . . . , nk−1 are encoded in
binary, the bound we finally obtain on the size of ultimately periodic
path is O(size(cps) × 2size( N ) × size(ψ)2 ) Hence, applying directly the
result of [MS03, Proposition 4.2] leads to a nondeterministic exponential space decision procedure for the intersection non-emptiness
problem but it is possible to get down to nondeterministic polynomial space as stated by the next theorem. The trick is to check for the
satisfiability of a formula over an ultimately periodic path schema
without constructing it explicitly. Instead we store the polynomial
size representation of the exponential size ultimately periodic path as
a tuple of polynomial size path schema and a polynomial size vector
representing the number of times each loop is taken. This is done in
the following theorem.
Theorem 17. The Membership problem with FO is in PSpace.
Proof. We consider a constrained path schema cps = h p1 (l1 )∗ · · · pk−1
(lk−1 )∗ pk (lk )ω , φ(x1 , . . . , xk−1 )i over constrained alphabet h at, agn , Γi, a
FO formula ψ over h at, agn , 2at∪agn i and n ∈ Nk−1 . Let w = p1 (l1 )n[1]
· · · pk−1 (lk−1 )n[k−1] pk (lk )ω . In the sequel we consider the formula ψΓ
provided by Lemma 22. We know that we have w ∈ L(ψ) iff w ∈
L(ψΓ ).
Let us decompose w into u · (v)ω such that u = p1 (l1 )n[1] · · · pk−1
(lk−1 )n[k−1] pk and v = lk . Note that the length of u is exponential
in the size of the instance. We write ψ̂ to denote the formula ψΓ
in which every existential quantification is relativized to positions
less than len(u) + len(v) × 2qh(ψ) . This means that every quantification ’∃ x · · · ’ is replaced by ’∃ x < (len(u) + len(v) × 2qh(ψ) ) · · · ’.
By [MS03, Lemma 4.4], we know that w |= ψ iff w |= ψ̂. Now, checking w |= ψ̂ can be done in polynomial space by using a standard firstorder model-checking algorithm by restricting ourselves to positions
in [0, len(u) + len(v) × 2qh(ψ) ] for quantifiers [MS03]. Such positions
can be obviously encoded in polynomial space. Moreover, note that
given i ∈ [0, len(u) + len(v) × 2qh(ψ) ], one can compute in polynomial
time in len(u) + len(v) × 2qh(ψ) what is the ith letter of w. By way of
example, the ith letter of w is the first letter of lk iff i ≥ α and (i − α) =
0 mod len(lk )) with α = (∑ j∈[1,k−1] (len( p j ) + len(l j ) × n[ j])) + len( p j ).
Thus the algorithm FOSAT takes as input a constrained path schema
5.5 global model-checking
cps, a vector of integer n ∈ [0, 2qh(ψ)+1 + 1]k−1 representing the number of times each loop in cps is taken, a FO formula ψ where every
quantifier is relativized and a map f for assignment of positions to
atomic formulas. Polynomial space algorithm is obtained by computing FOSAT(cps, n, ψ, f 0 ) with the Algorithm 2 defined taking for f 0
the zero assignment function.
Algorithm 2 : FOSAT(cps, n, ψ, f )
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
if ψ = a(z) then
Calculate the f (z)th letter b of w and return a = b.
else if ψ is of the form ¬ψ0 then
Return not FOSAT(cps, n, ψ0 , f )
else if ψ = ψ1 ∧ ψ2 then
Return FOSAT(cps, n, ψ1 , f ) and FOSAT(cps, n, ψ2 , f ).
else if ψ is of the form ∃z < m ψ0 then
guess a position k ∈ [0, m − 1].
Return FOSAT(cps, n, ψ0 , f [z 7→ k]).
else if ψ is of the form R(z, z0 ) for some R ∈ {=, <, succ} then
Return R( f (z), f (z0 )).
end if
Note that the polynomial space bound is obtained since the recursion depth is linear in size(ψ) and positions in [0, len(u) + len(v) ×
2qh(ψ) ] can be encoded in polynomial space in size(cps) + size(ψ).
Furthermore, since model-checking ultimately periodic words with
first-order logic is PSpace-hard [MS03], we deduce directly the lower
bound for the membership problem with FO.
Applying Theorem 7, the results of Theorems 16 and 17 provide us
an upper bound for MC(FO, FlatCS). Since model-checking FO over
finite flat Kripke structures with two states is known to be PSpacehard (see [MS03, Theorem 4.1]), we can conclude the precise complexity of this problem
Theorem 18 ([DDS13]). MC(FO, FlatCS) is PSpace-complete.
Furthermore, since flat Kripke structures form a subclass of flat
counter systems, we conclude this new result for flat Kripke structures.
Corollary 3. Model-checking flat Kripke structures over FO formulae is
PSpace-complete.
5.5
global model-checking
Recal that by definition, the global model-checking problem for first
order logic (GMC(FO,FlatCS)), asks for a Presburger formula whose
solutions are exactly the initial value of counters such that there exists
a run from the configuration satisfying the FO specification. Given
97
98
first order logic
a flat counter system S, its decomposed set of parameterized constrained path schemas X and the FO specification A, the existential
Presburger formula φ(z1 , . . . , zn ) has the form below
_
_
pcps=h p1 (l1 )∗ ··· pk−1 (lk−1 )∗ pk (lk )ω ,ψi∈ X ~y s.t. p l~y[1] p l~y[2] ...l~y[k−1] p l ω |= A0
2 2
1 1
k k
k −1
∃ y1 · · · yk−1 ψ(y1 , . . . , yk−1 , z1 , . . . , zn ) ∧ ψ1 ∧ · · · ∧ ψk−1
where
1. pcps = h p1 (l1 )∗ · · · pk−1 (lk−1 )∗ pk (lk )ω , ψ(x1 , . . . , xk−1 , z1 , . . . , zn )i,
2. h at, agn , Γ0 i is the alphabet of pcps and by Lemma 22, there is a
specification A0 such that L( A0 ) = L( A) ∩ (Γ0 )ω .
0
3. the third generalized disjunction deals with ~y ∈ [0, 2size( A )+1 +
1 ] k −1 .
def
0
4. For i ∈ [1, k − 1], ψi = (y1 = α) if ~y[i ] = α < 2size( A )+1 + 1
0
def
otherwise ψi = yi ≥ 2size( A )+1 + 1.
The Presburger formula intuitively states that at least one of the parameterized constrained path schemas in X (first disjunction) satisfies
the condition that, we can find at least one vector ~y such that,
1. The parameterized constraint of the pcps is satisfied and
2. Satisfiability of A0 is preserved using stuttering theorem.
This ensures that there is an accepting run of A0 on some word w ∈
L( p1 (l1 )∗ · · · pk−1 (lk−1 )∗ pk (lk )ω ).
5.6
summary
The main result shown in this chapter is that the model-checking
problem of FO over flat counter systems is PSpace-complete (Theorem 18). To prove the upper bound of PSpace, we follow the same
roadmap laid in Section 3.3.3. We first show that FO has an exponentially bounded limiting map (Theorem 16). This in turn is proved
using EF games. In effect EF games give us a stuttering theorem for
FO (Theorem 15 and Theorem 22). Once equiped with an exponentially bounded limiting map for FO, we show that the membership
problem for FO can be done in PSpace (Theorem 17). This is done by
checking the FO formula on the fly over a constrained path schema
and the guessed vector of the number of times each loop is taken.
For the hardness, part we refer to the well-known result and also to
[MS03, Theorem 4.1] about the PSpace-hardness of model-checking
first-order logic over flat Kripke structures with two states. Since, flat
Kripke structures are a subclass of flat counter systems, we can deduce the hardness of the model-checking problem for flat counter
5.6 summary
systems too. Observing this, we also obtain the result that modelchecking flat Kripke structures over FO formula is PSpace-complete
too (Corollary 3).
99
6
ω - R E G U L A R P R O P E RT I E S
In previous chapters, we investigated complexity of model-checking
procedure for logics like LTL with past and first order logic over flat
counter systems. Even though they are of same expressive power and
can express various important properties, there are regular properties which are known to be not expressible in LTL [WVS83]. Since we
are interested in regular properties of infinite runs, we look at runs
as infinite words and properties as regular languages over infinite
words. In [Büc60], it was shown that regular languages over infinite
words are similar in expressive power with Büchi automata. Similarly,
in [MH84], it was shown that alternating Büchi automata has the
same expressive power as Büchi automata. In [VW94], it was shown
that there exists a Büchi automaton for any formula in ETL, showing
in turn that they are equivalent in expressive power. On the other
hand, similarity in expressiveness of µ T L and Büchi automata was
shown in [Var88]. All this goes to show that the properties expressed
by BA, ABA, ETL and µ T L are equivalent in expressive power and
can express regular properties. Note that for all these logics, even
though expressive power is same as BA, these specification languages
are more succinct than BA. This is evident in the fact that whereas
model-checking for BA without counter constraints over Kripke structure is known to be NLogSpace-complete, for ABA, ETL and µ T L,
it is PSpace-complete [VW94, Var88]. Herein, we would investigate
the complexity of the model-checking procedure for all these specfication languages with counter constraints as atomic formulae over
flat counter systems. For this, we will base the model-checking procedure for ABA, ETL and µ T L over finding an optimal procedure for
BA and then applying the translation of these specification languages
to BA. This provides us a uniform approach to do model-checking
of the three specification languages. As we will show later, the complexity bound obtained by this method is also optimal for most of the
specification languages. Moreover, the optimal complexity matches
with the model-checking problem for these logics without counters.
To be able to apply the algorithm in Section 3.3.3, we need to
first show that the specification language B S has an exponentially
bounded limiting loops map. Then, we present an algorithm to check
membership problem for B S. These two results with Theorem 7 allows us to get a complexity bound for the model-checking procedure
which turns out to be sharp. Similar to other specifications studied
before, we start by proving an equivalent of stuttering theorem for
BA based on pumping lemma of Büchi automata.
101
ω -regular properties
102
6.1
stuttering theorem variant
As for the previous specification languages, we will first try to prove
a stuttering theorem or its equivalent for the specifications we will
deal with. First we will prove a stuttering theorem for the specification language BS. As we will see, this is actually enough for other
specification languages like ABS, µ T L, ETL, as there exists a translations from all these specification languages to BS. In this section thus,
we will establish the function f B S . First, let us show that there exists
an exponentially bounded limiting loop map for (standard) Büchi automata (with unconstrained alphabet) that is mainly used in the proof
of Theorem 19. We show that an accepting word with a great amount
of repetitions of a given finite factor can be transformed into an accepting word with a small amount of repetitions of that same factor,
which leads us to a simple stuttering result.
Lemma 23. Let B = h Q, Σ, δ, q0 , F i be a Büchi automaton and let γ =
card( Q). If w ∈ L(B) be an ω-word in Σω such that w is of the form
k
w1 .u2.γ .w2 for some k ≥ 3 with w2 ∈ Σω , then there is K ∈ [1, γ] such that
k
for all N ∈ [1, γk−2 ], w1 .u2.γ −(K× N ) .w2 ∈ L(B).
k
Proof. Let w1 .u2.γ .w2 be in L(B) and ρ ∈ Qω be an accepting run for
w. In the ω-word w, the finite word u is repeated 2.γk times. Consider
the first γ + 1 iterations of u after the finite word w1 . Let m1 < m2 <
· · · < mγ+1 be the positions in N where those iterations of u start.
By the pigeon-hole principle, there is some state q ∈ Q such that for
some i < j ∈ [1, γ + 1], ρ[mi ] = ρ[m j ]. Let α1 = j − i, the distance
between two positions with same state.
Now, we consider γ + 1 iterations of u after the position m j . We
proceed as above to obtain α2 and so on. Since u is repeated 2.γk times,
we will obtain at least γk−1 (possibly different) values as αi ∈ [1, γ] for
all i ∈ [1, γk−1 ] because γk−1 × (γ + 1) ≤ 2.γk . Again, by the pigeonhole principle, we know that there are j1 , j2 , . . . , jγk−2 ∈ [1, γk−1 ] such
that
α j1 = α j2 = · · · = α jγk−2 = K
for some K ∈ [1, γ] because K × γk−2 ≤ γk−1 . Note that for each
j ∈ { j1 , j2 , . . . , jγk−2 }, we have a corresponding different loop structure
in ρ where we have positions Ij and Jj in w such that w[ Ij , Jj ] is equal
to uK and ρ( Ij ) = ρ( Jj ) = q j for some q j ∈ Q as shown in Figure 10.
Hence, the run ρ(1) . . . ρ( Ij ).ρ( Jj + 1) . . . is still an accepting run in
k
B for the ω-word w1 .u2.γ −(K) .w2 . Since, there are γk−2 such loops, it
is easy to see that for every N ∈ [1, γk−2 ], we can remove the loops
corresponding to α j1 , α j2 , . . . , α jN and have an accepting run for the
k
word w1 .u2.γ −(K× N ) .w2 in B .
We recall that a specification in EBS over a constrained alphabet
h at, agn , 2at∪agn i is simply a Büchi automaton over the alphabet 2at∪agn .
6.1 stuttering theorem variant
uK
q1
w1
q2
u m1
uK
uK
α1
α2
q j1
u m2
q j2
α γ k −2
q jγk−2
u mn
qn
w2
Figure 10: Shape of a sample run
From the Lemma 23, we can deduce our first result concerning the
specification language EBS.
Theorem 19. The specification language EBS has an exponentially bounded
limiting loops map f EBS .
Proof. We consider a constrained alphabet h at, agn , 2at∪agn i, a Büchi
automaton B = h Q, 2at∪agn , q0 , ∆, F i (note that B is a specification in
EBS) and a constrained path schema cps = h p1 (l1 )+ · · · pk−1 (lk−1 )+
pk (lk )ω , ψ(y1 , . . . , yk−1 )i over the constrained alphabet h at, agn , Γi. We
use γ = card( Q) and s for the size of ψ(y1 , . . . , yk−1 ). We first prove
that the following are equivalent:
(i) L(cps) ∩ L(B) 6= ∅,
(ii) there exists a vector y ∈ [0, γk · 2p(s) ]k−1 for some polynomial p(·)
such that p1 (l1 )y[1] . . . pk−1 (lk−1 )y[k−1] pk lkω ∈ L(B) ∩ L(cps).
It is sufficient to prove that (I) implies (II). So, suppose that L(cps) ∩
L(B) 6= ∅. Actually, we show that there is
y ∈ [0, 2pol1 (s) + 2.γk × 2pol1 (s)+pol2 (s) ]k−1
where polynomials pol1 (·) and pol2 (·) are those from Theorem 6.
Since L(cps) ∩ L(B) 6= ∅, there exist an infinite word w such
that w ∈ L(B) ∩ L(cps). Let y ∈ Nk−1 be the vector such that
w = p1 (l1 )y[1] . . . pk−1 (lk−1 )y[k−1] pk lkω . We will now prove that either
y ∈ [0, 2pol1 (s) + 2.γk × 2pol1 (s)+pol2 (s) ]k−1 or we can construct another
word
0
0
w0 = p1 (l1 )y [1] . . . pk−1 (lk−1 )y [k−1] pk lkω
such that y0 ∈ [0, 2pol1 (s) + 2.γk × 2pol1 (s)+pol2 (s) ]k−1 and w0 ∈ L(cps) ∩
L(B). Since y |= ψ(y1 , . . . , yk−1 ) and ψ(y1 , . . . , yk−1 ) is a quantifierfree Presburger formula, we know that there exist b, P1 , P2 , · · · , Pα ∈
[0, 2pol1 (s) ]k−1 and α ≤ 2pol2 (s) such that
y = b+
∑
i ∈[1,α]
for some a ∈ Nα (see Theorem 6).
a [ i ] · Pi
103
ω -regular properties
104
Let us assume that y ∈
/ [0, 2pol1 (s) + 2.γk × 2pol1 (s)+pol2 (s) ]k−1 and
hence there exists some j ∈ [1, α] such that a[ j] > 2.γk . We would like
to find a > 0 such that
y0 = b + ∑ a[i ].Pi + (a[ j] − a)P j +
∑ a[i].Pi
i ∈[1,j−1]
0
i ∈[ j+1,α]
0
and w0 = p1 (l1 )y [1] . . . pk−1 (lk−1 )y [k−1] pk lkω ∈ L(B) ∩ L(cps). We may
re-iterate this operation several times until we find a tuple within the
right interval. Let us now select a such that membership of the word
w0 in both L(cps) and L(B) is preserved.
1. For any a in [1, a[ j]], we have that w0 constructed with y0 =
b + ∑i∈[1,j−1] a[i ].Pi + (a[ j] − a)P j + ∑i∈[ j+1,α] a[i ].Pi and w0 ∈
L(cps).
2. We write i1 < · · · < i β to denote the elements i in [1, k − 1]
such that P j [i ] 6= 0. For the indices i different from {i1 , . . . , i β },
the value a[ j] has no real impact since P j [i ] is equal to zero.
def
For each m ∈ [1, β], we pose rm = (lim )Pj [im ] , i.e., rm is made of
P j [im ] copies of the loop lim . By assumption, the word w can be
decomposed as the word
w1 · ( r 1 ) a[ j ] · · · ( r β ) a[ j ] · w2
and a[ j] > 2.γk . By iterative application of Lemma 23, there are
K1 , . . . , K β ∈ [1, γ] such that for any N1 , . . . , Nβ ∈ [1, γk−2 ], we
have
w1 · (r1 )a[ j]− N1 K1 · · · (r β )a[ j]− Nβ Kβ · w2 ∈ L(B)
Let a = Πi=1 Ki and Ni = Kai (such that Ni · Ki = a) for all
i ∈ [1, β]. Each Ni is clearly less than or equal to γk−2 . For each
i ∈ [1, β], the number of iterations of ri we reduce is Ni × Ki = a.
We conclude that
β
w1 · (r1 )a[ j]−a · · · (r β )a[ j]−a · w2 ∈ L(B) ∩ L(cps)
We get the desired result by iterating this process until we get a such
that for every j ∈ [1, k − 1], we have a[ j] ≤ 2.γk . Finally by taking
f EBS (B , cps) = γk · 2p(s) , we deduce the result of the theorem.
6.2
model-checking büchi specification is np-complete
The goal of this section is to characterize the complexity of the modelchecking problem over flat counter systems with EBS. Thanks to Theorem 19, we have already established that EBS has an exponentially
bounded limiting loops map. Following the roadmap dictated by Theorem 7, we will first prove that the Membership problem for EBS can
be solved in PTime.
6.2 model-checking büchi specification is np-complete
Theorem 20. The Membership problem with EBS is in PTime.
Proof. We consider a constrained alphabet h at, agn , 2at∪agn i, a Büchi
automaton B = h Q, 2at∪agn , ∆, q0 , F i (note that B is a specification in
EBS) and a constrained path schema cps = h p1 (l1 )+ · · · pk−1 (lk−1 )+ pk
(lk )ω , Φi over the constrained alphabet h at, agn , Γi. Let n ∈ Nk−1 (encoded in binary) and w = p1 (l1 )n[1] · · · pk−1 (lk−1 )n[k−1] pk (lk )ω . Checking whether w ∈ L(B) can be done in polynomial time in size(B) +
size(cps) using the results from [MS03]. Indeed, w can be encoded
in polynomial time as a pair of straight-line programs and by [MS03,
Corollary 5.4] this can be done in polynomial time.
Let us be a bit more precise. A straight-line program is a contextfree grammar where the non-terminals N1 , . . . , Nk are ordered (say
N1 is the axiom) and every non-terminal Ni has a unique production
rule, either of the form Ni → a for a terminal a, or of the form Ni →
Nj · Nk with j, k > i. Given a straight-line program P, we write word(P)
to denote the unique word described by P. A compressed ultimately
periodic word is a pair hP1 , P2 i of straight line programs, representing
the ω-word word(P1 )word(P2 )ω . By [MS03, Corollary 5.4], checking
whether a compressed ultimately periodic word hP1 , P2 i is recognized
by a Büchi automaton B can be done in time O((len(P1 ) + len(P2 )) ×
len(B)3 ). Given n ∈ Nk−1 , we can construct hP1 , P2 i such that
word(P1 )word(P2 )ω = p1 (l1 )n[1] · · · pk−1 (lk−1 )n[k−1] pk (lk )ω
and hP1 , P2 i is built in polynomial-time in len(cps) + size(n) where
size(n) is the size of n when the natural numbers are encoded in
binary. By way of example, we explain how to encode the finite word
(a1 · · · ak )n by a straight-line program P in polynomial time in (k + α1 )
when n is encoded in binary with n = 2α1 + 2α2 + · · · + 2αs , α1 >
. . . > αs and k ≥ 2. In the definition of P below, the ordering of the
non-terminals (symbol N possibly decorated by a subscript and/or a
superscript) can be easily deduced from the production rules.
1. N1 → N0α1 N0α2 ,...,αs ,
N0α2 ,...,αs → N0α2 N0α3 ,...,αs ,
...,
α ,α
α
N0 s−1 s → N0 s−1 N0αs ,
2. N0αi → N0αi −1 N0αi −1 ,
N0αi −1 → N0αi −2 N0αi −2 ,
...,
N02 → N01 N01 ,
3. N01 → N 1 N [2,k] , N [2,k] → N 2 N [3,k] ,
...,
N [k−1,k] → N k−1 N k ,
105
106
ω -regular properties
4. N 1 → a1 ,
...,
N k → ak .
Note that by the previous straight-line program, N1 generates N0α1 · · ·
N0αs using the rules in the Item 1. Each of N0αi in turn generates
2αs copies of N01 using the rules in Item 2. Finally, N01 generates the
word a1 · · · ak using Item 3 and 4. Thus, at the end we can generate
(a1 · · · ak )n from N1 where n = 2α1 + 2α2 + · · · + 2αs , α1 > . . . > αs .
For w = p1 (l1 )n[1] · · · pk−1 (lk−1 )n[k−1] pk (lk )ω , we represent it as two
straight-line program hP1 , P2 i with P2 is a straight-line program as
explained before in the example with word(P2 ) = lk and P1 is defined
as,
[1,k]
1. N1 → N p1 N1
[1,k]
, N1
[2,k]
→ N l1 N0
[k−1,k]
, . . . , N1
→ N l k −1 N p k ,
2. N pi generates pi , for i ∈ [1, k ], as in Item 3 and 4 before
3. N li generates (li )n[i] , for i ∈ [1, k − 1], as in the the previous
example
Note that the encoding of P2 can be done in time len(lk ) and the encoding of P1 can be done in time len(cps) + size(n). Thus, we can construct a compressed representation of w as hP1 , P2 i in polynomial time
in the size of the instance of the membership problem. Furthermore,
as noted earlier, checking whether hP1 , P2 i is accepted by the given
Büchi automaton B , can be done in polynomial time in size(cps),
size(n) and size(B) thanks to the result from [MS03].
This, alongwith Theorem 7 allows us to give an NP upper bound
on the complexity of model-checking flat counter systems with EBS.
For lower bound we will prove the following:
Lemma 24. MC( EBS, FlatCS) is NP-hard.
Proof. The proof is by a reduction from the propositional satisfiability
problem. Given an instance of a 3SAT formula φ over the n propositional variables p1 , . . . , pn and of the form φ = C1 ∧ C2 ∧ · · · ∧ Cm
where each Ci is of the form Ci = l1 ∨ l2 ∨ l3 and each li is either p j
or ¬p j . We will construct a flat counter system with 2.n + 1 counters
y, x01 , x11 , x02 , x12 , · · · , x0n , x1n . To illustrate the relation between the propositional symbol and the counters we define the map f from literals to
counters for any i ∈ [1, n] as:
(
x0i l = ¬pi
f (l ) =
x1i l = pi
We write φ0 to denote the formula obtained from φ by replacing each
Ci = l1 ∨ l2 ∨ l3 in φ by y + f (l1 ) + f (l2 ) + f (l3 ) ≥ 4. Note that
φ0 ∈ G(C2n+1 ). For constructing the EBS specification we consider the
6.2 model-checking büchi specification is np-complete
(x01 = 1 ∨ x11 = 0),(x02 = 1 ∨ x12 = 0),
x01
x11
q0









>, 







0
=
=
x01
x11
 q1

1 


0 


1 

0 


··· 

1 

0
−1
+1
x02
x12
=
=
x02
x12
(x0n = 1 ∨ x1n = 0),
−1
x0n = x0n − 1
+1
x1n = x1n + 1
q2
qf
qn
>,
y = y+3
∅
start
Γ \ {∅}
Γ \ {∅}
Figure 11: A flat counter system Sn and the specification A
following sets at = {q0 , q1 , q2 , . . . , qn , q f }, agn = {y + f (l1 ) + f (l2 ) +
f (l3 ) ≥ 4|l1 ∨ l2 ∨ l3 is a clause in φ}. Our EBS specification will only
contain transitions for letters from a subset of 2at∪agn . In particular the
subset we will consider is Γ = ∅ ∪ {{g : g ∈ agn } ∪ {q f }} ⊂ 2at∪agn .
Note that Γ consists of only two sets : the empty set and the set with
all the guards in agn and q f and hence is at most polynomial in the
size of φ. In Figure 11, we present the flat counter system Sn (on the
left) and the specification A in EBS (on the right). Note that transitions in Figure 11 are labelled differently than in the definition of flat
counter system provided in Chapter 2 to improve readability. For any
transition δ in Figure 11, we assume that the update of any counter is
zero if not specified seperately in the label.
Clearly, the language accepted by A is L( A) = {(∅)? · (Γ \ ∅)ω }.
Consider any valuation v : {p1 , p2 , · · · , , pn } → { True, False} such
that φ holds true. In this case, we know that for the valuation f , every
clause C1 , · · · , Cm is true. We consider the run ρ through Sn such that
the loop on qi is taken once iff v(pi ) = True and the loop on q f is
taken infinitely many times. Clearly, at any position before ρ visits
q f , all the guards g ∈ agn of the form y + f (l1 ) + f (l2 ) + f (l3 ) ≥ 4 is
false as y = 0 and f (li ) ≤ 1 for i ∈ [1, 3]. Since v satisfies every clause
appearing in φ, for any clause Ci = l1 ∨ l2 ∨ l3 , we know that at least
one of l1 , l2 , l2 is true by the valuation v. By construction of Sn and ρ
from v, it is easy to see that y + f (l1 ) + f (l2 ) + f (l3 ) ≥ 4 at q f . Thus,
counter values at q f satisfy every guard g ∈ agn . Hence, ρ |= w for
some word w ∈ L( A).
For the other side, consider there exists a run ρ such that there
exists a word w ∈ L( A) with ρ |= w. By definition, in ρ, at q f every
guard g ∈ agn is satisfied by the counter values. We consider the
107
ω -regular properties
108
valuation v as v(pi ) = True iff x1i = 1 for i ∈ [1, n]. By construction
of guards in agn , we know that v satisfies every clause in φ. Thus, v
satisfies φ.
Hence, Sn |= A iff φ is satisfiable.
Hence, combining the previous two results, we get:
Theorem 21. MC( EBS, FlatCS) is NP-complete.
NP Algorithm for Model-Checking BS
6.2.1
We will show here that the result of Theorem 19 and Theorem 20
concerning EBS can be reused in order to obtain similar results for
the language specification BS. We recall that the main difference between EBS and BS lies in the fact that in a specification in BS over
the constrained alphabet h at, agn , 2at∪agn i, the transitions of the associated automaton are labelled with Boolean combinations of atoms
from at ∪ agn . Hence, as we have said in Section 2.3.3, any specification in BS can be translated into a specification in EBS but at a
possibly exponential cost. We will see here that for the problem we
are interested in, this exponential blowup can be avoided. In fact, in
our case a constrained path schema is over a constrained alphabet
h at, agn , Γi and consequently we can focus on the words accepted by
a specification A in BS which are over the alphabet Γ. As stated by
the next lemma, this consideration allows us to avoid the exponential
blowup.
Lemma 25. From a specification A in BS over h at, agn , 2at∪agn i and an
alphabet Γ ⊆ 2at∪agn , one can build a specification B A,Γ in EBS whose size
is polynomial in the sizes of Γ and A and such that L(B A,Γ ) = L( A) ∩ Γω .
Proof. Let A = h Q, E, q0 , F i be a specification in BS over h at, agn , 2at∪agn i
and let h at, agn , Γi be a constrained alphabet. We define B A,Γ as h Q, Γ, δ,
a
q0 , F i where δ is the subset of Q × Γ × Q such that q −
→ q0 ∈ δ iff there
ψ
is q −
→ q0 ∈ E such that a |= ψ in the propositional sense (an atom
in a is interpreted by true and atom in ( at ∪ agn ) \ a is interpreted by
false). It is then clear that the size B A,Γ is polynomial in the sizes of Γ
and A and that L(B A,Γ ) = L( A) ∩ Γω .
The above lemma allows us to build a specification in EBS from
a specification in BS and a constrained path schema in an efficient
way. This in turn allows us to reuse the results of Theorem 19 and
Theorem 20 to obtain properties for the specification language BS.
Theorem 22.
(i) BS has an exponentially bounded limiting loops map f BS .
(ii) The membership problem for BS is in PTime.
6.3 translation to ba
q0
x1 ++
x2 ++
xn ++
q1
q2
qn
qf
>
φ0
qf
start
>
Figure 12: A flat counter system Sn and the specification A
Proof. Let A be a specification in BS over h at, agn , 2at∪agn i and cps be a
constrained path schema over the constrained alphabet h at, agn , Γi. To
prove that BS has an exponentially bounded limiting loops map, it is
enough to define f BS ( A, cps) = f EBS (B A,Γ , cps) and we can conclude
using Theorem 19 and Lemma 25 (we recall that the size of Γ is linear
in the size of cps). Similarly to deduce that the membership BS is
in PTime, we translate A into B A,Γ and we solve the Membership
problem by taking as inputs the same naturals, cps and B A,Γ . Using
Theorem 20 and Lemma 25, we obtain the desired result.
This last theorem gives the answer to the main problems to consider, according to Theorem 7, to deduce an upper bound for the
model-checking of flat counter systems with a specification in BS.
Theorem 23. MC(BS, FlatCS) is NP-complete.
Proof. The upper bound is a direct consequence of Theorem 7 and
Theorem 22. In order to show NP-hardness, we can easily reduce SAT
to MC(BS, FlatCS). Let φ be a propositional formula built over the
propositional variables p1 , . . . , pn . We write φ0 to denote the formula
obtained from φ by replacing each pi by xi ≥ 1. In Figure 12, we
present the flat counter system Sn (on the left) and the specification A
in BS (on the right). In Sn , unlabelled edges correspond to transitions
with the guard true (>) and the update vector 0. It is easy to show that
φ is satisfiable iff there are a run ρ starting at hq0 , 0i and w ∈ L( A)
such that ρ |= w.
6.3
translation to ba
In the sequel, we will deal with different types of specifications that
express ω-regular properties like extended temporal logic, alternating
Büchi specification and linear µ-calculus. Since the treatment for all
these specifications are same, we will first provide a solution for a
general specification language L and then present the procedures for
each of the specifications underlining the differences for each.
We will consider in the rest of this section specification languages
respecting what we call the nice Büchiproperty. This property allows
us to translate a given specification into a Büchi automaton having
some characteristics from which we can then deduce a polynomialspace algorithm for the model-checking problem. We now provide
the formal definition of this property. A specification language L has
109
110
ω -regular properties
the nice Büchi property iff for every specification A from L, we can
build a specification in EBS (or equivalently a Büchi automaton) B A
over the alphabet 2at∪agn such that:
1. L( A) = L(B A ),
2. Size of each state of B A is polynomial in the size of A.
3. It can be checked if a state is initial [resp. accepting] in space
polynomial in the size of A,
4. The transition relation of B A can be decided in polynomial
space. That is, given a state q of B A and a letter a, we can decide
a
the state q0 of B A such that q −
→ q0 is a transition in polynomial
space.
Note that this means that B A is at most of exponential size in the
size of A and can be built in exponential time in the size of A. This
property is not new at all and it is often used to establish that satisfiability problem for a linear-time temporal logic is in PSpace [VW94,
Var88, MH84]; indeed non-emptiness of B A can then be checked onthe-fly in nondeterministic polynomial space and hence by Savitch’s
Theorem, in PSpace.
We can first show that specification languages respecting the nice
Büchi property have an exponentially bounded limiting loops map.
The idea is to use the translation of a specification belonging to these
languages into a Büchi automaton (which can have an exponential
number of states) and to use the fact that given a Büchi automaton
B and a constrained path schema cps, f EBS (B A , cps) is polynomial in
the number of states of B and exponential in the size of cps as stated
in the proof of Theorem 19. This allows us to obtain directly the next
theorem.
Theorem 24. If a specification language L satisfies the nice Büchi property,
it has an exponentially bounded limiting loops map.
Proof. Consider a specification language L with the nice Büchi property. By the nice Büchi property, for a specification A from L, one can
construct an exponential size Büchi automata B A such that L( A) =
L(B A ). By Theorem 19, we know that for a given Büchi automaton B
and a constrained path schema cps with k loops, if L(B) ∩ L(cps) 6=
∅, then there exists n ∈ Nk−1 such that for every i ∈ [1, k − 1], n[i ]
is bounded by a polynomial in the number of states of B and exponential in the size of cps. Since, L( A) = L(B A ) and the number of
states of B A is exponential in the size of A, we can conclude that for a
given constrained path schema cps, if L(cps) ∩ L( A) 6= ∅, then there
exists n ∈ Nk−1 such that for every i ∈ [1, k − 1], n[i ] is bounded by
an exponential in the size of both cps and A. This gives us that L has
an exponentially bounded limiting loops map.
6.3 translation to ba
Following the roadmap given by Theorem 7, we will now give an
algorithm for the membership problem, for specification languages
with the nice Büchi property. Note that this check can be done in
exponential space in size( A) + size(cps) by converting A to an exponential size Büchi automaton, B A using the nice Büchi property and
applying Theorem 20 about the membership problem of BS. Hence,
this leads to a nondeterministic exponential space decision procedure
for the intersection non-emptiness problem. But it is possible to get a
nondeterministic polynomial space decision procedure as explained
below.
Clearly, to obtain a nondeterministic polynomial space algorithm
we cannot construct B A explicitly since its size could be exponential.
Thus, we would need to do an “on-the-fly” construction of B A where
we need to store only polynomial size information at any point of the
construction while checking for membership. To facilitate this we use
the properties of B A described in the definition of the nice Büchi property. We now describe how this can be done.
We consider a specification language L with specifications over the
constrained alphabet h at, agn , 2at∪agn i and satisfying the nice Büchi
property. Let cps = h p1 (l1 )∗ · · · pk−1 (lk−1 )∗ pk (lk )ω , φ(x1 , . . . , xk−1 )i be
a constrained path schema over h at, agn , Γi, A be a specification from
L and y ∈ Nk−1 be a vector of naturals. Following is the “on-the-fly”
algorithm that we use to decide the membership problem for A. We
will actually check that p1 (l1 )y[1] · · · pk−1 (lk−1 )y[k−1] pk (lk )ω belongs to
L(B A ) for the Büchi automata B A corresponding to A. For this, we try
to find a “lasso” structure in the Büchi automaton. Let w = p1 (l1 )y[1]
· · · pk−1 (lk−1 )y[k−1] pk (lk )ω and B A = h Q, Γ, δ, qi , F i. Since F is a finite
set and within an accepting run we should see infinitely many times
a state from F, at least one q f ∈ F appears infinitely many times in
the accepting run of w if w ∈ L(B A ). Again, only lk is taken infinitely
many times in w and so there exists at least one position j in lk such
that the transition to q f from some q ∈ Q reading lk ( j) is taken infinitely many times. For this reason, we try to find a state q f ∈ F and a
position j ∈ [1, len(lk )] such that p1 (l1 )y[1] · · · pk−1 (lk−1 )y[k−1] pk lk [1, j]
has a run from an initial state to q f and lk [ j + 1, len(lk )](lk )∗ lk [1, j] has
a run from q f to q f . Such a procedure is repeated for every available
q f ∈ F and for every j ∈ [1, lk ] in the Algorithm 3.
Lemma 26. Algorithm 3 decides the Membership problem for the specification languages L satisfying the nice Büchi property.
Proof. Let cps = h p1 (l1 )∗ · · · pk−1 (lk−1 )∗ pk (lk )ω , φ(x1 , . . . , xk−1 )i be a
constrained path schema over h at, agn , Γi, A be a specification from L
and y ∈ Nk−1 . We also assume that w = p1 (l1 )y[1] · · · pk−1 (lk−1 )y[k−1] pk
(lk )ω and the Büchi automaton associated to A (thanks to the nice
Büchi property) is B A = h Q, Γ, δ, qi , F i. First observe that by the nice
Büchi property, we know that w ∈ L( A) iff w ∈ L(B A ). Thus, in the
rest we will prove that Algorithm 3 returns true iff w ∈ L(B A ).
111
112
ω -regular properties
Algorithm 3 Checking Membership for languages L with nice
Büchi property
Inputs: A specification A in L, a constrained path schema cps = h p1
(l1 )+ · · · pk−1 (lk−1 )+ pk (lk )ω , φi and a vector of naturals y ∈ Nk−1
Output: Does p1 (l1 )y[1] . . . pk−1 (lk−1 )y[k−1] pk (lk )ω ∈ L( A)?
1: Let B A = h Q, Γ, ∆, qi , F i be the Büchi automaton associated to A
thanks to the nice Büchi property
2: for each q f ∈ F and each j ∈ [1, len(lk )] do
3:
Let A1 = h Q, Γ, ∆, q0 , {q f }i and A2 = h Q, Γ, ∆, q f , {q f }i.
4:
Check p1 (l1 )y[1] . . . pk−1 (lk−1 )y[k−1] pk lk [1, j] ∈ L(A1 )
5:
Check L(A2 ) ∩ L(lk [ j + 1, len(lk )]lk∗ lk [1, j]) 6= ∅
6:
if both checks Return True then
7:
Return True
8:
end if
9: end for
10: Return False
First let us assume that w ∈ L(B A ). Thus, there is an accepting run
ρ ∈ Qω for w in B A . According to the Büchi acceptance condition
there exists a state q f ∈ F which is visited infinitely often in ρ. w
contains a suffix of (lk )ω . Thus, lk being of finite size, there exists a
lk ( j )
position j ∈ [1, len(lk )] such that transitions of the form q −−→ q f for
some q ∈ Q occurs infinitely many times in ρ. Thus, for ρ to be an
accepting run, there exists w0 = p1 (l1 )y[1] . . . pk−1 (lk−1 )y[k−1] pk lk [1, j]
for some j, which has a run in B A from qi to q f and there must exists
words w00 ∈ L(lk [ j + 1, len(lk )]lk∗ lk [1, j]) which has a run from q f to q f .
In effect, w0 ∈ L(A1 ) and L(A2 ) ∩ L(lk [ j + 1, len(lk )]lk∗ lk [1, j]) 6= ∅.
Hence there exists at least one choice of q f and j, for which both the
checks return true and hence the algorithm returns true.
Now let us assume that the algorithm returns true. Thus, there
exists q f ∈ F and j ∈ [1, len(lk )] such that
• w1 = p1 (l1 )y[1] . . . pk−1 (lk−1 )y[k−1] pk lk [1, j] is in L(A1 ) and
• L(A2 ) ∩ L(lk [ j + 1, len(lk )]lk∗ lk [1, j]) 6= ∅.
From the second point, we deduce that there exists a word w2 =
lk [ j + 1, len(lk )]lkn lk [1, j] ∈ L(A2 ) for some n. Consider the word w =
w1 .(w2 )ω . First we have directly that w ∈ L(cps). And by construction of A1 and A2 we know that w1 has a run in B A starting from qi
to q f and w2 has a run in B A starting from q f to q f . Since q f is an
accepting state of B A , we deduce that w ∈ L(B A ).
We will now prove that Algorithm 3 runs in nondeterministic polynomial space (and hence in PSpace thanks to Savitch’s Theorem).
Lemma 27. Algorithm 3 runs in nondeterministic polynomial space.
6.3 translation to ba
Proof. The proof that the above algorithm belongs to NPSpace is standard and uses the nice Büchi property which allows us to perform
the procedure “on-the-fly”. First note that for A in L having the nice
Büchi property, the corresponding Büchi automaton B A can be of exponential size in the size of the A, so we cannot construct the transition relation of B A explicitly, instead we do it on-the-fly. We consider
the different steps of the algorithm and show that they can be done
in polynomial space.
1. A1 and A2 are essentially copies of B A and hence their transition relations are also not constructed explicitly. But, by the nice
Büchi property, their states can be represented in polynomial
space.
2. Checking p1 (l1 )y[1] . . . pk−1 (lk−1 )y[k−1] pk lk [1, j] ∈ L(A1 ) can be
done by simulating A1 on this word. Note that for simulating
A1 , at any position we only need to store the previous state and
the letter at current position to obtain the next state of A1 . Thus,
this can be performed in non-deterministic polynomial space
using Property 3. of nice Büchi property. By Savitch’s Theorem,
we get that, this step can be done in polynomial space in size( A)
and size(cps) + size(y).
3. Checking L(A2 ) ∩ L(lk [ j + 1, len(lk )]lk∗ lk [1, j]) 6= ∅ can be done
easily by constructing a finite state automaton Aloop for L(lk [ j +
1, len(lk )]lk∗ lk [1, j]) and by checking for reachability of final state
in the automaton A2 × Aloop . Note that size(Aloop ) is polynomial, but since size(A2 ) can be of exponential size, and hence,
size(A2 × Aloop ) can also be of exponential magnitude. However, the graph accessibility problem (GAP), involving in finding whether there exists a path between a source and a target
node in a graph, is in NLogSpace and can be done without explicitly constructing A2 × Aloop . So, L(A2 ) ∩ L(Aloop ) 6= ∅ can
also be done in nondeterministic polynomial space.
Thus, the whole procedure can be completed in nondeterministic
polynomial space.
From the previous properties we have just shown concerning the
Algorithm 3, we are able to state our second main result concerning
specification languages satisfying the nice Büchi property.
Theorem 25. Specification languages satisfying the nice Büchi property
have their Membership problem in PSpace.
Hence using the result of Theorem 7 and the two previous Theorems 24 and 25, we can deduce the main result for the complexity
of model-checking flat counter systems with specification languages
having the nice Büchi property.
Theorem 26. If L is a specification language satisfying the nice Büchi property, then MC(L, FlatCS) is in PSpace.
113
ω -regular properties
114
6.4
complexity of model-checking aba, etl, µtl
For the model-checking procedure for specification languages ABA,
ETL, µTL, we follow a similar path. We will first show that all these
specification languages have nice Büchi property. This alongwith the
Theorem 26, gives PSpace bound for the model-checking problem for
these specifications languages.
6.4.1
Upper Bounds
• In [VW94] it is shown that from a specification in ETL over
the constrained alphabet h at, agn , 2at∪agn i we can construct a
Büchi automaton over 2at∪agn and the construction allows to
deduce that ETL has the nice Büchi property. In fact, the conditions stated in [VW94, Lemma 2.5] are exactly similar to the
conditions in nice Büchi property. Furthermore, the constructed
Büchi automaton corresponding to a given ETL formula φ (denoted as the intersection of Local Automaton and Eventuality Automaton) in [VW94, Theorem 3.5] follows the properties highlighted in the nice Büchi property. This can be concluded by a
close inspection of the construction and in fact is used in the reasoning which concludes that the satisfiability problem for ETL
is in PSpace ([VW94, Theorem 3.6]). Thus, ETL is known to have
the nice Büchi property.
• Linear µ-calculus has the nice Büchi property by [Var88]. Note
that the construction in [Var88] uses a (one-way) Büchi automaton of exponential size to check for the satisfaction of the formula in the model whereas two Büchi automata check the nonfoundedness of the model. This gives us an overall exponential
size Büchi automaton corresponding to a given µTL formula
([Var88, Theorem 4.4]). A close inspection reveals that all of
these steps can be done without explicitly constructing the automaton and in fact this is used in [Var88] to obtain the PSpace
upper bound for satisfiability of µTL [Var88, Corollary 4.6].
• In [MH84], equivalence of various types of automaton are shown
by translation. The translation we are interested in, is from ABA
to Büchi automaton, which is presented in the proof of [MH84,
Theorem 5.1]. The states of the constructed Büchi automaton
are pairs of subsets of the given ABA and for each transition, it
is shown that we can construct the next reachable states using
only the present state and the transition relation of ABA. From
this, we can deduce that from a specification in ABS over the
constrained alphabet h at, agn , 2at∪agn i, we can build a Büchi automaton over B( at ∪ agn ) (or equivalently a BS specification
over h at, agn , 2at∪agn i). From this Büchi automaton we are able
to deduce a Büchi automaton over 2at∪agn using the translation
6.4 complexity of model-checking aba, etl, µtl
from BS to EBS (Chapter 2). Note that by doing this, we do not
change the number of states of the automaton, but we might
face an exponential blowup in the number of edges, which is
however not a problem to satisfy the nice Büchi property. The
latter construction allows us to conclude that ABS have the nice
Büchi property.
As a consequence of the above results, we can say that the specification languages ETL, µTL, ABS have the nice Büchi property. The
results for ETL and ABS can be also obtained thanks to existing translations into linear µ-calculus. Hence applying Theorem 26, we obtain
the following result.
Theorem 27. MC(ABS, FlatCS), MC(ETL, FlatCS), MC(µTL, FlatCS)
are in PSpace.
6.4.2 Lower Bounds
We will show the matching lower bounds for the specification languages ABA and µTL. A tight lower bound for the specification language ETL is still open. To prove PSpace-hardness for MC(ABS, FlatCS)
and MC(µTL, FlatCS), we will first prove PSpace-hardness of the intersection non-emptiness problem for ABS and µTL. But before that,
we need to establish some definitions and lemmas.
An alternating finite automaton (AFA), defined similarly as an alternating Büchi automaton, is a structure of the form A = ( Q, Σ, δ, q0 , F )
such that Q and Σ are finite nonempty sets, δ : Q × Σ → B+ ( Q)
is the transition function (B+ ( Q) is the set of positive Boolean formulae built over Q), q0 ∈ Q and F ⊆ Q. A run ρ on the word
a0 a1 a2 . . . ak ∈ Σ? is a finite directed acyclic graph (DAG) in which
nodes are labelled by elements from Q:
• ρ = hV, Ri where V ⊆ Q × [0, k + 1] and hq0 , 0i ∈ V.
• R⊆
S
l ∈[0,k ] ( Q
× {l }) × ( Q × {l + 1}),
• For every hq, l i ∈ V we have {q0 : hhq, l i, hq0 , l + 1ii ∈ R} |=
δ(q, al ).
A run ρ is accepting whenever every path through that run defines
a word in Q? such that it ends with either a state from F or a node
hq, l i such that δ(q, al ) = >. The language L(A) is defined as the
set of words in Σ? having an accepting run from q0 . In general, we
define L(A, q) = {w | w has an accepting run starting from q}. We
then define L(A) = L(A, q0 ).
Theorem 28. [JS07] Nonemptiness problem for alternating finite automata
over a singleton alphabet is PSpace-hard.
115
116
ω -regular properties
For the ease of construction and analysis, we will consider only
a special kind of alternating finite automata where every path in the
run has same length. An alternating finite automata A = ( Q, {a}, δ, q0 ,
F ) over a singleton alphabet {a} is a looping AFA, if it has the following properties:
1. q0 6∈ F,
2. F = {q f },
3. δ(q f , a) =⊥ and
4. For every q ∈ Q, δ(q, a) 6= >
To show that deciding emptiness of a looping AFA is as hard as deciding emptiness of an alternating finite automaton over singleton
alphabet, we have the following lemma,
Lemma 28. For any given alternating finite automaton A over singleton
alphabet, we can construct in polynomial time, a looping AFA A0 whose size
is linear in the size of A such that L(A) = ∅ iff L(A0 ) = ∅.
Proof. Let A = ( Q, {a}, δ, q0 , F ) be a given alternating finite automaton over singleton alphabet {a}. We construct A0 = ( Q0 , {a}, δ0 , qnew
0 ,
{qnew
})
such
that
f
new },
• Q0 = Q ] {qnew
0 , qf
• δ0 (qnew
0 , a) = q0 ,
• δ0 (qnew
, a) =⊥,
f
• for every q ∈ Q and δ(q, a) 6= >, δ0 (q, a) is obtained from δ(q, a)
by simultaneously replacing every occurrence of q f ∈ F by (q f ∨
qnew
) and
f
• for every q ∈ Q and δ(q, a) = > with q ∈ Q, δ0 (q, a) is defined
as q ∨ qnew
.
f
It is easy to see that A0 is a looping AFA satisfying all the conditions
and size(A0 ) is linear in size(A) and can be constructed in polynomial time in the size of A. In effect, A0 reads an a and then start
simulating A switching to qnew
on the last letter of any accepting
f
word.
Now we will prove that L(A0 ) = {a · w | w ∈ L(A)}. Consider any
accepting word w ∈ L(A). Thus, there exists an accepting run ρ =
hV, Ri of A over w. We will construct an accepting run ρ0 = hV 0 , R0 i
of A0 over a · w from ρ. We define ρ0 as
0
• V 0 ⊆ Q0 × [0, len(w) + 1] and hqnew
0 , 0i ∈ V .
• For every hq, l i ∈ V, hq, l + 1i ∈ V 0 for all q ∈ Q.
6.4 complexity of model-checking aba, etl, µtl
0
• hhqnew
0 , 0i, h q0 , 1ii ∈ R .
• For every hhq, l i, hq0 , l + 1ii ∈ R,hhq, l + 1i, hq0 , l + 2ii ∈ R0 for
0 ≤ l < len(w) − 1.
• For every q ∈ Q such that δ(q, a) = > and hhq0 , l i, hq, l + 1ii ∈ R,
– hhq, k i, hq, k + 1ii ∈ R0 for all k ∈ [l + 2, len(w) − 1] and
, len(w) + 1ii ∈ R0 .
– hhq, len(w)i, hqnew
f
• For every hhq, len(w) − 1i, hq f , len(w)ii ∈ R, for q f ∈ F and any
, len(w) + 1ii ∈ R0 .
q ∈ Q, hhq, len(w)i, hqnew
f
First, we will prove that ρ0 is indeed a valid run of A0 by checking each
of the elements of R0 and then show that ρ0 is indeed accepting. Since
new
the word is of the form a · w and δ0 (qnew
0 , a) = q0 , hh q0 , 0i, h q0 , 1ii ∈
0
0
0
R is a valid step in ρ . As δ (q, a) is obtained from δ(q, a) by simul) and
taneously replacing every occurrence of q f ∈ F by (q f ∨ qnew
f
0
0
ρ is over w whereas ρ is over a · w, for every hhq, l i, hq , l + 1ii ∈ R,
hhq, l + 1i, hq, l + 2ii ∈ R0 for 0 ≤ l < len(w) − 1 also forms valid
steps in ρ0 . For the case, δ(q, a) = > with q ∈ Q, δ0 (q, a) is defined as q ∨ qnew
. Thus for any path ending with hq, l i for some l ∈
f
[1, len(w) − 1], we can continue the path as hhq, ki, hq, k + 1ii ∈ R0 . for
every k ∈ [l + 2, len(w) − 1] and hhq, len(w)i, hqnew
, len(w) + 1ii ∈ R0
f
again forming valid steps in ρ0 . Since A is over singleton alphabet a,
and ρ is an accepting run, a path either ends with q with δ(q, a) = >
or with q f ∈ F. Thus for every hhq, len(w) − 1i, hq f , len(w)ii ∈ R,
for some q f ∈ F, hhq, len(w)i, hqnew
, len(w) + 1ii ∈ R0 also are valid
f
steps as δ0 (q, a) is obtained from δ(q, a) by replacing q f with q f ∨ qnew
.
f
0
0
Thus, by construction, ρ is a valid run of A over a · w. Note that ρ is
an accepting run in A and hence every path in ρ ends with q f such
that either q f ∈ F or δ(q, a) = >. Since by construction, the number
of paths in ρ and ρ0 are preserved, in both cases, the respective path
in ρ0 ends with qnew
. Thus, ρ0 is an accepting run of A0 on a · w.
f
On the other hand consider, an accepting run ρ0 of A0 recognising
the word a · w. We will construct an accepting run ρ of A recognising
the word w. We define ρ = hV, Ri from ρ0 = hV 0 , R0 i as following:
• V ⊆ Q × [0, len(w)] and hq0 , 0i ∈ V.
• For every hq, l i ∈ V 0 , hq, l − 1i ∈ V for every q ∈ Q.
• For every hhq, l i, hq0 , l + 1ii ∈ R0 , hhq, l − 1i, hq, l ii ∈ R for 1 ≤
l < len(w) and q, q0 ∈ Q (Note that either q0 = q or q0 = qnew
).
f
• For every q ∈ Q such that δ(q, a) = >, we remove all elements
of the form hhq, l i, hq0 , l + 1ii from R.
, len(w) + 1ii ∈ R0 , hhq0 , len(w) −
• For every hhq0 , len(w)i, hqnew
f
1i, hq f , len(w)ii ∈ R where q f ∈ F that appear in δ(q0 , a).
117
118
ω -regular properties
Similarly as before, we will show first that ρ is indeed a valid run in
A and that its an accepting one. By construction, A0 simulates A after
reading a. Since δ0 (q, a) is obtained from δ(q, a) by replacing q f with
, for every hhq, l i, hq0 , l + 1ii ∈ R0 , hhq, l − 1i, hq, l ii ∈ R for
q f ∨ qnew
f
1 ≤ l < len(w) where q, q0 ∈ Q, are valid steps in R. Since, q f was
, len(w) +
, for every hhq0 , len(w)i, hqnew
replaced in δ0 with q f ∨ qnew
f
f
0
0
1ii ∈ R , hhq , len(w) − 1i, hq f , len(w)ii ∈ R where q f ∈ F are also
valid steps in R. Since, δ0 (q, a) = q ∨ qnew
whenever δ(q, a) = >, for all
f
0
such q, the only relations in R were of the form hhq, l i, hq0 , l + 1ii with
}. Since there is no relation of the form hhq, l i, hq0 , l + 1ii
q0 ∈ {q, qnew
f
in R, q is the last state of the path where q appears in R. Hence, using
the above transformation we get a valid run ρ of A on word w. Note
that by the above construction all path in ρ ends with either q with
δ(q, a) = > or some state q f in F as all the paths in ρ0 ended in
qnew
. Hence, ρ is an accepting run of A. As a result, we have that
f
L(A0 ) = {a · w | w ∈ L(A)}. Thus, it is easy to see that L(A0 ) = ∅
iff L(A) = ∅.
From the above lemma we can conclude that emptiness checking
of looping AFA is also PSpace-hard. In the sequel we will only talk
about looping AFA. Observe the following points about any accepting
run ρ of looping AFA over a word w,
1. all paths in ρ are of the same length len(w).
2. all paths in ρ ends with q f ∈ F.
3. in every path in ρ, q f ∈ F appears only at the end.
In order to prove the result for ABS, first we will prove the result
for alternating Büchi automaton. We will construct an alternating
Büchi automaton A0 from a given looping AFA A. Given a looping
AFA A = ( Q, {a}, q0 , δ, {q f }), we construct an alternating Büchi automaton A0 = ( Q, {a, b}, q0 , δ0 , {q f }) over two-letter alphabet, where
δ0 (q, a) = δ(q, a) for any q ∈ Q \ {q f } and δ(q f , b) = q f . It is easy
to see from the construction and from the properties of the accepting
runs of a looping AFA, that L(A0 ) = L(A) · {b}ω and hence L(A0 ) =
∅ iff L(A) = ∅. Thus, it is equally hard to decide the non-emptiness
of alternating Büchi automaton of type A0 . Notice that L(A0 ) ⊆
L(ha∗ · bω , >i) where ha∗ · bω , >i is a constrained path schema over
the alphabet {a, b} and the Presburger formula >. Hence, we have
that, L(A) is non-empty iff L(ha∗ · bω , >i) ∩ L(A0 ) 6= ∅. Since deciding non-emptiness of L(A) is PSpace-hard, we have that deciding
non-emptiness of L(ha∗ · bω , >i) ∩ L(A0 ) is also PSpace-hard. Also, it
is easy to see that we can construct a specification A0 in ABS from the
constructed alternating Büchi automaton A such that L(A) = L(A0 )
and size of A0 is linear in the size of A. Thus, we have the following
theorem.
6.4 complexity of model-checking aba, etl, µtl
Theorem 29.
(i) The intersection non-emptiness problem for ABS is PSpace-hard.
(ii) MC(ABS, FlatCS) is PSpace-hard.
For other hardness result we will show PSpace-hardness for a relaxed version of linear µ-calculus known as vectorial linear µ-calculus.
Let us first give the definition and the satisfiability relation for vectorial linear µ-calculus (µTLvec ). In vectorial linear µ-calculus, formulae
with outermost fixed point operators are of the form
µhz1 , . . . , zβ ihφ1 , . . . , φβ i · z j
with j ∈ [1, β] for some β where φ1 , . . . , φβ are linear µ-calculus formula possibly with free occurances of zi . Informally, in vectorial linear
µ-calculus, the fixed point operator is applied over hz1 , . . . , zβ i simultaneously. This is in constrast to the form of the formulae with outermost fixed point operators, µz1 · φ1 (z1 ) where the fixed point operator
is applied over only one variable z1 at a time. Whereas fixed points in
linear µ-calculus are considered for monotone functions over the complete lattice h2N , ⊆i, fixed points in vectorial linear µ-calculus are considered for monotone functions over the complete lattice h(2N ) β , ⊆i,
where h Z1 , . . . , Zβ i ⊆ h Z10 , . . . , Zβ0 i iff for every i ∈ [1, β], we have
Zi ⊆ Zi0 . So, the satisfaction relation is defined as follows. Given a
model σ ∈ (2AT )ω , assuming that the variables zk ’s occur positively
in the φl ’s, we have
µ
σ, i |= f µhz1 , . . . , zβ ihφ1 , . . . , φβ i · z j iff i ∈ Zj
µ
µ
where f is any assignment function for variables and h Z1 , . . . , Zβ i is
the least fixed point of the monotone function F f ,σ : (2N ) β → (2N ) β
defined by F f ,σ (Y1 , . . . , Y β ) = hY10 , . . . , Y β0 i where
Yl0 = {i0 ∈ N : σ, i0 |= f [z1 ←Y1 ,...,zβ ←Yβ ] φl }
def
µ
µ
It is well-known that the least fixed point h Z1 , . . . , Zβ i can be obtained
def
def
by an iterative process: h Z10 , . . . , Zβ0 i = h∅, . . . , ∅i, h Z1i+1 , . . . , Zβi+1 i =
µ
µ
F f ,σ ( Z1i , . . . , Zβi ) for all i ≥ 0 and, h Z1 , . . . , Zβ i = i h Z1i , . . . , Zβi i. Because models of linear µ-calculus are ω-sequences, fixed points are
reached by considering a generalized union until the ordinal ω.
6.4.2.1
S
Lower Bound for µTLvec
The PSpace-hardness for µTLvec is essentially obtained by reducing
non-emptiness problem for alternating finite automata with a singleton alphabet (see e.g. [JS07]) into the vectorial linear µ-calculus
with a fixed and simple constrained path schema. In the sequel, for
ease of presentation, we consider looping AFA and we present a
119
120
ω -regular properties
logarithmic-space reduction into the intersection non-emptiness problem with vectorial linear µ-calculus. More precisely, for every alternating finite automaton A built over the singleton alphabet {{p}},
we build a formula φA in the vectorial linear µ-calculus (without
X−1 and the greatest fixed point operator ν) such that L(A) is nonempty iff L(cps) ∩ L(φA ) is non-empty with the constrained path
schema cps = h{p} · {p}∗ · ∅ω , >i. Note that in this case the formula
is defined over atomic propositions, but the constrained path schema
includes the letter ∅ to denote the positions where none of the propositional symbols are satisfied.
Now, we can state the lemma which reduces the intersection nonemptiness problem for µTLvec to the non-emptiness problem from a
looping AFA.
Lemma 29. Given a looping AFA A, we can construct a formula φA in
µTLvec in logarithmic space in the size of A such that for all n ≥ 1, {p}n ∈
L(A) iff {p}n · ∅ω |= φA .
Proof. Let A = ( Q, {{p}}, q1 , δ, F ) be a looping AFA with a singleton
alphabet such that q1 6∈ F, F = {q f } and for F = {q f }, δ(q f , {p}) =⊥.
We order the states of Q \ F with q1 , . . . , qα such that q1 is the initial
state.
We define the formulae in the vectorial version of linear µ-calculus
with subformulas ψ10 , . . . , ψα0 Let us define below the formulae:
- For every i ∈ [1, α], ψi0 is obtained from δ(qi , {p}) by substituting
each q j ∈ Q \ F by Xz j and q f by X¬p, and then by taking the
conjunction with p. So, ψi0 can be written schematically as p ∧
δ(qi , {p})[q j ← Xz j , q f ← X¬p].
We define φA = µhz1 , . . . , zα ihψ10 , . . . , ψα0 i · z1 which can be built in
logarithmic space in the size of A.
To prove the lemma, we will prove the following property about
the formula.
(•) For all n ≥ 1, {p}n ∈ L(A) iff {p}n · ∅ω |= µhz1 , . . . , zα i hψ10 , . . . , ψα0 i ·
z1 .
Informally, Property (•) expresses the property that the formula φA
encodes the transition relation of A. Thus, the formula in vectorial
version of linear µ-calculus utilising the formulas φA essentially computes the accepting runs of A with the help of fixed point operators.
Hence checking its satisfiability over the model {p}n · ∅ω is equivalent to having an accepting run of A over the word {p}n .
Now we verify that (•) holds true. Let σn be the model {p}n · ∅ω
with n > 0, f ∅ be the constant assignment equal to ∅ everywhere
and F f ∅ ,σn be the monotone function F f ∅ ,σn : (2N )α → (2N )α defined
from µhz1 , . . . , zα ihψ10 , . . . , ψα0 i · z1 . In order to prove that for all n ≥ 1,
{p}n ∈ L(A) iff σn |= µhz1 , . . . , zα ihψ10 , . . . , ψα0 i · z1 , we will in fact
6.4 complexity of model-checking aba, etl, µtl
prove properties for the sets h Z1i , . . . , Zαi i generated during the comµ
µ
putation of the fixed point h Z1 , . . . , Zβ i of F f ∅ ,σn . Note that due to the
monotonous nature of computing h Z1i , . . . , Zβi i in each iteration and
the simple structure of σn , we only need to check for all i ∈ [1, n].
In fact we can also show by induction, that for all l ∈ [1, α] and
all i ∈ [1, n], Zli ⊆ [n − i, n − 1] and Zli \ Zli−1 ⊆ {n − i }(†). Note that
when i = 0 Zl0 = ∅ for all l ∈ [1, α] in accordance with the starting
def
map f ∅ and by construction of Zl1 we know that Zl1 = {i0 ∈ N :
σn , i0 |= f [z1 ←Z0 ,...,zα ←Zα0 ] ψl0 }. Since ψl0 = p ∧ δ(ql , {p})[q j ← Xz j , q f ←
1
X¬p], we can conclude that Zl1 ⊆ [n − 1, n − 1] and thus necessarily
Zl1 \ Zl0 ⊆ {n − 1} for all l ∈ [1, α]. Assuming that for some i ∈ [1, n −
1], we have that Zli ⊆ [n − i, n − 1] and Zli \ Zli−1 ⊆ {n − i } for all l ∈
[1, α], we will show that Zli+1 ⊆ [n − i − 1, n − 1] and Zli+1 \ Zli ⊆ {n −
i − 1} for all l ∈ [1, α]. From the definition of iterative construction of
def
Zli+1 we know that Zli+1 = {i0 ∈ N : σn , i0 |= f [z1 ←Zi ,...,zα ←Zαi ] ψl0 }.
1
By construction of the formula we know that ψl0 = p ∧ δ(ql , {p})[q j ←
Xz j , q f ← X¬p]. Since, by our assumption, Zji ⊆ [n − i, n − 1] for all
j ∈ [1, α], it is easy to see from the possible valuations obtained for
any z j , that Zli+1 ⊆ [n − i − 1, n − 1]. Now to show that Zli+1 \ Zli ⊆
{n − i − 1}, we will assume that n − j ∈ Zli+1 \ Zli for any j < i − 1
and show a contradiction. By the repetitive construction of Zli+1 and
/ Zli iff
Zli as observed earlier, it is clear that n − j ∈ Zli+1 and n − j ∈
n − j + 1 ∈ Zli and n − j + 1 ∈
/ Zli−1 and hence n − j + 1 ∈ Zli \ Zli−1
for some j < i − 1. This is a contradiction to our assumption that
Zli \ Zli−1 ⊆ {n − i }. Thus, Zli+1 \ Zli ⊆ {n − i − 1}.
The property we will prove by induction is that - “for every i ∈
[1, n], the ith iterated tuple h Z1i , . . . , Zαi i verifies that for every l ∈ [1, α],
u ∈ Zli iff u ∈ [n − i, n − 1] and {p}n−u ∈ L(A, ql )”. First of all, note
that the property implies, at nth iteration, we have that, h Z1n , . . . , Zαn i
µ
µ
which is equivalent to h Z1 , . . . , Zα i verifies for every l ∈ [1, α], u ∈
Zln iff u ∈ [0, n − 1] and {p}n−u ∈ L(A, ql ). This in turn implies
that for every l ∈ [1, α], {p}n−u · ∅ω |= µhz1 , . . . , zα ihψ10 , . . . , ψα0 i · zl
iff u ∈ [0, n − 1] and {p}n−u ∈ L(A, ql ). Instantiating l = 1, u = 0
and using the fact that q1 is the initial state, we get that {p}n · ∅ω |=
µhz1 , . . . , zα ihψ10 , . . . , ψα0 i · z1 iff {p}n ∈ L(A) which gives us Property
(I). By construction, ψl0 encodes the transition relation from state ql
for l ∈ [1, α] alongwith the fact that after q f there is no {p}. Starting
with f ∅ every iteration i in the construction of fixed point for the
variable hz1 , . . . , zα i we obtain h Z1i , . . . , Zαi i. Note that by construction
of hψ10 , . . . , ψα0 i, we implicitly construct Zli as the set of positions from
where there is an accepting run of A from ql on word {p}n . This is due
to the fact in the iterations for the construction of h Z1i , . . . , Zαi i we are
using the formula φA which is essentially simulating the transition
relation of A to check whether to include a position or not in Zli .
Base Case: i = 1. The propositions below are equivalent (l ∈ [1, α]):
121
122
ω -regular properties
• u ∈ Zl1 ,
• σn , u |= f ∅ [z1 ←∅,...,zα ←∅] ψl0 (by definition of F f ∅ ,σn ),
• σn , u |= f ∅ [z1 ←∅,...,zα ←∅] p ∧ δ(ql , {p})[q j ← Xz j , q f ← X¬p] (by
definition of ψl0 ),
• σn , u |= p ∧ δ(ql , {p})[q j ←⊥, q f ← X¬p] (by definition of |=),
• σn , u |= p and there is a Boolean valuation v : Q → {⊥, >} such
that
def
1. for every ql 0 ∈ ( Q \ F ), we have v(ql 0 ) =⊥,
2. for q f ∈ F, v(q f ) = >,
v |= δ(ql , {p}),
• σn , u |= p, σn , u + 1 |= ¬p and there exists an accepting run of A
on {p}1 starting with ql . (by definition of accepting run and by
properties of looping AFA),
• u = n − 1 and {p}n−u ∈ L(A, ql ) (by definition of σn and
L(A, ql )).
Induction Step: Now let us assume that for some i ∈ [1, n − 1], the ith
iterated tuple h Z1i , . . . , Zαi i verifies that for every l ∈ [1, α], u ∈ Zli iff
u ∈ [n − i, n − 1] and {p}n−u ∈ L(A, ql ). We will show that the same
holds true for (i + 1)th iteration h Z1i+1 , . . . , Zαi+1 i. Since Zli ⊆ Zli+1
(monotonicity), for every u ∈ Zli+1 ∩ Zli , we have u ∈ [n − i, n − 1] and
{p}n−u ∈ L(A, ql ) (since [n − i, n − 1] ⊆ [n − i − 1, n − 1]). Similarly,
if u ∈ [n − i, n − 1] and {p}n−u ∈ L(A, ql ), then u ∈ Zli by induction
hypothesis and therefore u ∈ Zli+1 . Hence, it remains to show that
u ∈ ( Zli+1 \ Zli ) iff u = n − i − 1 and {p}n−u ∈ L(A, ql ) (i.e. {p}i+1 ∈
L(A, ql )). By (†), it is sufficient to show that (n − i − 1) ∈ Zli+1 iff
{p}i+1 ∈ L(A, ql ).
The propositions below are equivalent (l ∈ [1, α], i ≥ 1, n − i − 1 ≥
0):
• (n − i − 1) ∈ Zli+1 ,
• σn , n − i − 1 |= f ∅ [z1 ←Zi ,...,zα ←Zαi ] ψl0 (by definition of F f ∅ ,σn ),
1
• σn , n − i − 1 |= f ∅ [z1 ←Zi ,...,zα ←Zαi ] p ∧ δ(ql , {p})[q j ← Xz j , q f ← X¬p]
(by definition of ψl0 ),
1
• σn , n − i − 1 |= p and there is a Boolean valuation v : Q → {⊥
, >} such that
1. for every ql 0 ∈ ( Q \ F ), we have v(ql 0 ) = > iff n − i ∈ Zli0 ,
2. for q f ∈ F, v(q f ) =⊥,
v |= δ(ql , {p}) (by definition of |= and i ≥ 1),
• there is v : Q → {⊥, >} such that
1. for every ql 0 ∈ ( Q \ F ), we have v(ql 0 ) = > iff n − i ∈
[n − i, n − 1] and {p}i ∈ L(A, ql 0 ),
6.4 complexity of model-checking aba, etl, µtl
123
2. for q f ∈ F, v(q f ) =⊥,
and v |= δ(ql , {p}) (by induction hypothesis and since n − i −
1 ∈ [0, n − 1]),
• there is v : Q → {⊥, >} such that
1. for every ql 0 ∈ ( Q \ F ), we have v(ql 0 ) = > iff {p}i ∈
L(A, ql 0 )
2. for q f ∈ F, v(q f ) =⊥
and v |= δ(ql , {p}) (by propositional reasoning),
• there is v : Q → {⊥, >} such that
1. for every ql 0 ∈ ( Q \ F ), we have v(ql 0 ) = > iff {p}i ∈
L(A, ql 0 ),
2. for q f ∈ F, v(q f ) = > iff {p}i ∈ L(A, q f ),
and v |= δ(ql , {p}) (since i ≥ 1, δ(q f , {p}) =⊥),
• there exists Q0 ⊆ ( Q \ F ) such that
1. Q0 |= δ(ql , {p}) considering Q0 as the usual valuation v
that v(q0 ) = > iff q0 ∈ Q0
2. for all q0 ∈ Q0 , {p}i ∈ L(A, q0 )
• there exists an accepting run ρ = hV, Ri on {p}i+1 and a set of
states Q0 ⊆ ( Q \ F ) such that
1. Q0 |= δ(ql , {p})
2. for all q0 ∈ Q0 , {p}i ∈ L(A, q0 )
3. hql , 0i ∈ V and for all ql 0 ∈ Q0 , hql 0 , 1i ∈ V and hhql , 0i, hql 0 , 1ii ∈
R.
4. for all ql 0 ∈ Q0 , {hq, i + 1i : hq, i i ∈ Vl 0 } ⊆ V and {hhq, i +
1i, hq0 , i + 2ii : hhq, i i, hq0 , i + 1ii ∈ Rl 0 } ⊆ R where ρl 0 =
hVl 0 , Rl 0 i is an accepting run of A on {p}i from state ql 0 .
because every path in ρ ends with the state q f ∈ F (by construction of ρ and definition of accepting runs).
• {p}i+1 ∈ L(A, ql ).
As noted earlier, this in turn proves Property (•) which is equivalent to the statement we want to prove.
From the above lemma, it is clear that we can construct φA corresponding to a looping AFA A in logarithmic space such that L(A) is
non-empty iff L(h{p} · {p}∗ · ∅ω , >i) ∩ L(φA ) is non-empty. Thus, the
intersection non-emptiness problem for µTLvec is as hard as deciding
whether L(A) 6= ∅. Hence we have the following theorem.
Theorem 30.
(i) The intersection non-emptiness problem for µTLvec is PSpace-hard.
ω -regular properties
124
(ii) MC(µTLvec , FlatCS) is PSpace-hard.
Note that it is possible to obtain a linear µ-calculus formula from a
formula in vectorial linear µ-calculus. Given a formula φA = µhz1 , . . . , zα i
hψ10 , . . . , ψα0 i · z1 , constructed as previous, corresponding to an alternating finite automaton A, we can construct a linear µ-calculus formula φ0 such that L(h{p} · {p}∗ · ∅ω , >i) ∩ L(φA ) is non-empty iff
L(h{p} · {p}∗ · ∅ω , >i) ∩ L(φ0 ) is non-empty (as in [Wal01, Section
5.4]). The construction uses the well-known Bekič’s Principle [AN01].
However, as shown in [BFL13], this translation can result in a formula of exponential size. This in fact prohibits us from obtaining a
PSpace lowerbound for linear µ-calculus in this way.
Thus, we can conclude from Theorem 27, 29 and 30 the following
corollary
Corollary 4. MC(ABS, FlatCS) is PSpace-complete, MC(µTLvec , FlatCS)
is PSpace-hard whereas MC(µTL, FlatCS) and MC(ETL, FlatCS) is in
PSpace.
6.5
global model-checking
We will in fact show the construction for the global model-checking
problem with Büchi specification. Recal that by definition, the global
model-checking problem, GMC(BS,FlatCS), asks for a Presburger formula whose solutions are exactly the initial value of counters such
that there exists a run from the configuration satisfying the BS specification. Given a flat counter system S, its decomposed set of parameterized constrained path schemas X and the FO specification A, the
existential Presburger formula φ(z1 , . . . , zn ) has the form below
_
_
pcps=h·,ψi∈ X
qinit ,q,(lk )ω ∈L( A0q )
(∃ y1 , . . . , y M ∃ x1 , . . . , xk−1
ψqinit ,q (y1 , . . . , y M ) ∧ (y1 = α10 + α11 x1 + · · · + α1k−1 xk−1 ) ∧ · · ·
. . . ∧ (y M = α0M + α1M x1 + · · · + αkM−1 xk−1 ) ∧ ψ(x1 , . . . , xk−1 , z1 , . . . , zn ))
where
1. h at, agn , Γ0 i is the alphabet of pcps, M = card(Γ0 ) and by Lemma 25,
there is a specification A0 such that L( A0 ) = L( A) ∩ (Γ0 )ω .
2. qinit is an initial state of A0 and q is a state of A0 .
3. ψqinit ,q (y1 , . . . , y M ) is the quantifier-free Presburger formula for
the Parikh image of finite words over the alphabet Γ0 accepted
by A0 (viewed as a finite-state automaton) with initial state qinit
and final state q. ψqinit ,q (y1 , . . . , y M ) is of polynomial size in the
size of Büchi automaton.
4. pcps = h p1 (l1 )∗ · · · pk−1 (lk−1 )∗ pk (lk )ω , ψ(x1 , . . . , xk−1 , z1 , . . . , zn )i.
6.6 summary
5. For each letter a j , we write α0M , . . . , αkM−1 to denote the natural
numbers such that if each loop i in pcps is taken xi times, then
j
j
j
the letter a j is visited α0 + α1 x1 + · · · + αk−1 xk−1 times along
p1 (l1 )∗ · · · pk−1 (lk−1 )∗ pk . Those coefficients can be easily comj
puted from p1 (l1 )∗ · · · pk−1 (lk−1 )∗ pk (for instance α1 is the number of times the letter a j is present in the first loop).
6. Finally, observe that checking whether (lk )ω ∈ L( A0q ) where
A0q is defined as the specification A0 in which the unique initial
state is q, amounts to perform a nonemptiness test between two
Büchi automata.
The Presburger formula intuitively states that at least one of the parameterized constrained path schemas in X (first disjunction) satisfies
the condition that, we can find at least one state q and the corresponding automata A0q (second disjuction) such that,
1. There exists a run of A0 from qinit to q reading p1 (l1 )∗ · · · pk−1
(lk−1 )∗ pk by checking the satisfiability of the Parikh image of
the word (ψqinit ,q (y1 , . . . , y M )).
2. (lk )ω ∈ L( A0q ) (in the conditions of the second disjunction).
3. The parameterized constraint of the pcps is satisfied.
This ensures that there is an accepting run of A0 on some word w ∈
L( p1 (l1 )∗ · · · pk−1 (lk−1 )∗ pk (lk )ω ).
6.6
summary
In this chapter, we proved the complexity results for a bunch of logics. We showed that MC(BS, FlatCS) is NP-complete (Theorem 23). To
prove this, we first show an equivalent of stuttering theorem for BS for
an unconstrained alphabet which in turn allowed us to obtain an exponentially bounded limiting loops map for BS (Theorem 19). Following the general roadmap of Theorem 7, we obtain that MC(BS, FlatCS)
is NP-complete (Theorem 23). Then we defined the nice Büchi property about specification languages which indicates that the specification can be translated to an equivalent Büchi automata. This allows
us to obtain a PSpace upper bound for spectifications from specification languages having nice Büchi property (Theorem 26). Later we
show that ABA, ETL and µTL all have nice Büchi property and hence
have PSpace upper bound for model-checking problem (Theorem 27).
At the end, we show that model-checking ABA and µTLvec is also
PSpace-hard (Theorem 29 and 30). Note that the lower bound for the
complexity of the model-checking problem for ETL and µTL is still
not known.
125
7
C T L ∗ A N D R E L AT E D B R A N C H I N G - T I M E
TEMPORAL LOGICS
In the thesis so far we have considered the verification of linear-time
properties for flat counter systems but now we move to verification
of branching time logic. Branching-time extensions often lead to undecidability, see e.g. the case with Petri nets for which CTL is undecidable (with propositional variables only) whereas the reachability
problem and model-checking for several LTL variants are known to
be decidable [Hab97]. Though for flat counter systems, decidability of
model-checking CTL ∗ formulae is established in [DFGvD10] but this
work does not provide any lower bound and the translation into PA
requires exponential time, which is rather unsatisfactory. Our main
motivation is therefore to understand and obtain the optimal complexity of model-checking flat counter systems with branching-time
logics.
We show that the model-checking problem for flat counter systems
over the version of CTL ∗ with arithmetical constraints on counter
values is equivalent to satisfiability for PA, modulo logarithmic-space
reductions.
• For the complexity lower bound, we will show that the satisfiability problem for PA can be reduced to the model-checking
problem but there is no need for arithmetical constraints and
for temporal operators other than E F.
• For the complexity upper bound, we reduce the model-checking
problem to satisfiability problem in PA by using the fact that
runs in flat counter systems can be encoded by tuples of natural
numbers and then the semantics for CTL ∗ can be internalized in
PA. This very fact has been already observed in [DFGvD10] but
herein, we provide a logarithmic-space reduction which makes
a substantial difference with [DFGvD10]. Indeed, we are also
able to quantify over path schemas (symbolic representation of
potential infinite sets of runs), but concisely. This witnesses once
more, that verification problems can be encoded efficiently to
PA, see e.g. [BDR03].
As a by-product, we are able to get the equivalence with PA to known
branching-time temporal logics stronger than CTL E F (such as CTL)
and our proof technique can be applied to extensions with past-time
operators with a minimal amount of change. The case for branching time logics is a bit different than all the previous logics as here
we will not provide explicit algorithm for model-checking but instead
127
ctl ∗ and related branching-time temporal logics
128
provide explicit reductions to show the desired property of the modelchecking procedure. For the lower bound, we take advantage of the
observation that a quantification in PA over a variable z can be simulated by a loop that increments a corresponding counter and there
is a correspondence between first-order quantifier ∃ [resp. ∀ ] and
temporal connective E F [resp. A G]. For the upper bound, quantification over path schemas is done, directly followed by a quantification
over the number of times loops are visited. However, we provide a
new way to encode runs in flat counter systems, which is rewarding
complexity-wise as well as much simpler, and therefore this leaves
some hope to use then some solvers for PA, see e.g. [dMB08, LP09].
7.1
blocking and non-blocking systems
Before giving the reduction we will show some property about runs
in flat counter systems. A run ρ in a flat counter system S is maximal iff
δ0
δα−1
either it is infinite or it is finite and has the form ρ = c0 −
→ · · · −−→ cα
δ
such that there does not exists δ and c verifying cα −
→ c. In other
words, in a finite maximal run the last configuration is a deadlock
and the length of the run is denoted as |ρ| = α. Otherwise for the
infinite run ρ, |ρ| = ω. A flat counter system S is called non-blocking
if every maximal run ρ in S is infinite. Otherwise it is called a blocking flat counter system. For the ease of our analysis and simplifying
the reduction, we will first show that every instance of the modelchecking problem with a blocking flat counter system, can be transformed into an equivalent instance of the model-checking problem
with a non-blocking flat counter system.
Lemma 30. Let L be either CTL∗ or CTLEF . Given a flat counter system S, a
configuration c and a formula φ in L, there exist a non-blocking flat counter
system S0 , a configuration c0 and a formula φ0 in L such that S, c |= φ iff
S0 , c0 |= φ0 . Such a reduction can be performed in logarithmic space.
Proof. Let S = h Q, ∆, Cn , li be a flat counter system. Let us build the
non-blocking counter system as follows:
def
• Q 0 = Q ] { q ⊥ }.
def
• l0 (q⊥ ) = {p⊥ } where p⊥ is a new propositional variable and for
def
all q ∈ Q, l0 (q) = l(q).
def
• ∆0 = ∆ ∪ {hq, ¬gq , 0, q⊥ i|q ∈ Q} ∪ {hq⊥ , >, 0, q⊥ i} where for
every state q ∈ Q, gq = ∨source(δ)=q guard(δ).
Firstly, observe that since S is flat, the counter system S0 is flat too as
the construction does not introduce any new loops. For every maximal run ρ in S, we write maximize(ρ) to denote the maximal run in
S0 defined as follows:
7.1 blocking and non-blocking systems
def
• if ρ is infinite, then maximize(ρ) = ρ,
• otherwise, maximize(ρ) is defined from ρ as follows:
δα+1
δ
δ
⊥
⊥
maximize(ρ) = ρ0 = ρ −−→ hq⊥ , vα i −→
hq⊥ , vα i −→
···
where |ρ| = α, ρ[α] = hqα , vα i, δ⊥ = hq⊥ , >, 0, q⊥ i and δα+1 =
hqα , ¬(∨source(δ)=qα guard(δ)), 0, q⊥ i. Note that since hqα , vα i is a
deadlock configuration we have that vα 2 guard(δ) for every
δ such that source(δ) = qα . Thus, vα |= ¬(∨source(δ)=qα guard(δ))
and hence the only configuration possible after hq, vi is hq⊥ , vi.
So, for all such finite runs this is the only way to get an infinite
maximal run extending ρ.
δ
δ
⊥
⊥
In other words, if we assume that ρ⊥ = hq⊥ , vα i −→
hq⊥ , vα i −→
···.
We can define the function maximize(·) for any run ρ of S as following
(
ρ
if ρ is infinite
def
maximize(ρ) =
δα+1
ρ −−→ ρ⊥ |ρ| = α, α ∈ N
So, clearly, for any run ρ in S there exists an unique run ρ0 in S0 such
that ρ0 = maximize(ρ). Hence, there is a bijection between the set of
maximal runs in S and the set of maximal runs in S0 that start by a
state in Q. Also, every maximal run in S0 is infinite. Below, we also
use the inverse map maximize−1 (·) that returns a maximal run in S.
Let us define a formula map t(·) for formulas in CTL∗ such that
t(·) is the identity for the atomic formulae, homomorphic for Boolean
connectives and for the path quantifier E, and it satisfies the following
clauses:
def
• t(Xψ) = X(¬p⊥ ∧ t(ψ)).
def
• t(ψUψ0 ) = t(ψ)U(¬p⊥ ∧ t(ψ0 ))).
When dealing the the fragment CTLEF , these two clauses are replaced
by t(EFψ) = EF(¬p⊥ ∧ t(ψ)).
By induction on the structure of the formula, we will show that
there exists a run ρ from S starting with c such that ρ, 0 |= φ iff
maximize(ρ), 0 |= t(φ). As a consequence, for all configurations c in
S and for all formulae φ in CTL∗ [resp. CTLEF ], we have S, c |= φ iff
S0 , c |= t(φ). Note that by construction, S0 is non-blocking and, S0 and
φ0 can be built in logarithmic space in the size of S, φ.
• Base case: Observe that, by construction, each configuration c
in S is also a configuration in S0 . Thus, for any run ρ in S
and any i < |ρ|, we can have a maximal run ρ0 in S0 such
that ρ[i ] = ρ0 [i ]. The fact that t(·) is identity for atomic formulas p and ψ(x1 , · · · , xn ) and the fact that by definition of
satisfiability relation of CTL∗ , satisfaction of atomic formulas
depend on the current configuration, allows us to deduce that
ρ, i |= p [resp. ρ, i |= ψ(x1 , · · · , xn )] iff ρ0 , i |= t(p) [resp. ρ0 , i |=
t(ψ(x1 , · · · , xn ))] for any i < |ρ|.
129
130
ctl ∗ and related branching-time temporal logics
• Induction step: We assume that for all formula φ of size at most
k − 1 and configuration c from S, there exists a run ρ from S
starting with c such that ρ, 0 |= φ iff maximize(ρ), 0 |= t(φ). We
will prove the same for formulas of size k.
– Case Xψ: First, suppose that ρ, i |= Xψ. By definition of
|=, i < |ρ| and ρ, i + 1 |= ψ. By induction hypothesis,
maximize(ρ), i + 1 |= t(ψ). Since i < |ρ|, maximize(ρ)(i +
1) = ρ(i + 1) and since maximize(ρ)(i + 1) |= ¬p⊥ , we get
that maximize(ρ), i |= X(¬p⊥ ∧ t(ψ)). Assume maximize(ρ)
, i |= X(¬p⊥ ∧ t(ψ)). So, maximize(ρ), i + 1 |= t(ψ) and
maximize(ρ), i + 1 |= ¬p⊥ . By construction, for all the positions j in maximize(ρ) such that maximize(ρ), j |= ¬p⊥ ,
maximize(ρ)( j) is a configuration in ρ. Thus, |ρ| > i. By
induction hypothesis, maximize−1 (ρ), i + 1 |= ψ. Therefore
ρ, i |= X ψ.
– Case ψUψ0 : First suppose that ρ, i |= ψUψ0 . There is i ≤
j < |ρ| such that ρ, j |= ψ0 and for all k ∈ [i, j − 1], we
have ρ, k |= ψ. By induction hypothesis, maximize(ρ), j |=
t(ψ0 ) and for all k ∈ [i, j − 1], maximize(ρ), k |= t(ψ). Since
maximize(ρ)( j) = ρ( j), we get that maximize(ρ), j |= ¬p⊥ .
Consequently, there is i ≤ j such that maximize(ρ), j |=
¬p⊥ ∧ t(ψ0 ) and for all k ∈ [i, j − 1], we have maximize(ρ), k
|= t(ψ). So, maximize(ρ), i |= t(ψ)U(¬p⊥ ∧ t(ψ0 ))).
Now suppose that maximize(ρ), i |= t(ψUψ0 ). By definition of t(·), there is i ≤ j0 such that maximize(ρ), j0 |= ψ0 ,
maximize(ρ), j0 |= ¬p⊥ and for all k0 ∈ [i, j0 − 1], we have
ρ, k0 |= ψ. Since maximize(ρ), j0 |= ¬p⊥ , we know that
j0 < |ρ| and ρ[k ] = maximize(ρ)[k ] for all k ∈ [i, j]. Hence,
by induction hypothesis, ρ, j0 |= ψ0 and for all k ∈ [i0 , j0 − 1],
ρ, k0 |= ψ. So, ρ, i |= ψUψ0 .
– Case Eψ: First, suppose that ρ, i |= Eψ. By definition of
|=, there is a maximal run ρ0 such that ρ0 (0) = ρ(i ) and
ρ0 , 0 |= ψ. By induction hypothesis, maximize(ρ0 ), 0 |= t(ψ).
Since i < |ρ|, maximize(ρ)(i ) = ρ(i ) and since ρ0 (0) =
maximize(ρ0 )(0), we get that maximize(ρ), i |= E t(ψ). Assume that maximize(ρ), i |= E t(ψ). So, there is a run ρ0
such that ρ0 (0) = maximize(ρ)(i ) and ρ0 , 0 |= t(ψ). By
induction hypothesis, maximize−1 (ρ0 ), 0 |= ψ (indeed the
control state of ρ0 (0) is in Q). Since, ρ(0) = maximize(ρ)(i )
and maximize(ρ)(i ) ∈ Q, we have maximize(ρ)(i ) = ρ(i ).
But, maximize−1 (ρ0 )(0) = maximize(ρ)(i ) = ρ(i ) and therefore ρ, i |= E ψ.
– Case EFψ: First, suppose that ρ, i |= EFψ. By definition of
|=, there is a maximal run ρ0 and a position 0 ≤ j < |ρ0 |
such that ρ0 (0) = ρ(i ) and ρ0 , j |= ψ. By induction hypothe-
7.2 lower bound
sis, maximize(ρ0 ), j |= t(ψ). Since i < |ρ|, maximize(ρ)(i ) =
ρ(i ) and since ρ0 ( j) = maximize(ρ0 )( j), we get maximize(ρ),
i |= EF(¬p⊥ ∧ t(ψ)). Assume that maximize(ρ), i |= EF(¬p⊥
∧ t(ψ)). So, there is a run ρ0 in S0 and position j ≥ 0 such
that ρ0 (0) = maximize(ρ)(i ) and ρ0 , j |= t(ψ) and ρ0 , j |=
¬p⊥ . By induction hypothesis, maximize−1 (ρ0 ), j |= ψ and
maximize−1 (ρ0 ), j |= ¬p⊥ . By construction, |maximize−1 (ρ0 )|
> j. But, maximize−1 (ρ0 )(0) = maximize(ρ)(i ) = ρ(i ) and
therefore ρ, i |= EF ψ.
Due to Lemma 30, henceforth in this chapter, we consider only nonblocking flat counter systems.
7.2
lower bound
In a flat counter system with n counters, the guards on transitions are
quantifier-free Presburger formulae with free variables in {x1 , . . . , xn }.
Below, we show that a very restricted subproblem of MC(CTL∗ , FlatCS),
simply called MC− (CTL∗ , FlatCS), is already at least as hard as the
satisfiability problem for PA and our reduction is based on a simple
and nice correspondence between quantifiers in PA and the temporal
operators EF and AG in CTL∗ . First, let us define MC− (CTL∗ , FlatCS)
as the subproblem of MC(CTL∗ , FlatCS) with the following restrictions:
• atomic formulae are restricted to propositional variables (no
arithmetical constraints on counter values) and the only temporal connective is EF (and its dual AG, by closure under negation)
and
• the guards on the transitions are linear constraints t ≤ t0 or
their negations. So, there are no Boolean connectives.
Note that the subset of formulas of CTL∗ allowed in MC− (CTL∗ ,
FlatCS) is already less expressive than the logical fragment CTLEF ,
specifically since arithmetical constraints over the counters are not allowed. Moreover, the allowed class of counter systems are actually a
subclass of counter system as the set of allowed guards over a transition is strictly less expressive than that of flat counter systems. Thus,
in effect, MC− (CTL∗ , FlatCS) is a restricted fragment of MC(CTLEF ,
FlatCS).
Theorem 31. There is a logarithmic-space reduction from the satisfiability
problem for PA to MC− (CTL∗ , FlatCS).
Proof. Let φ be formula in PA. Without any loss of generality, we can
assume that φ has the form
Q1 z1 Q2 z2 · · · Qn zn φ0 (z1 , z2 , . . . , zn )
131
ctl ∗ and related branching-time temporal logics
132
>, e1
q0
> , e2
>,0
> , en
q1
q n −1
qn
φ0 (x1 , x2 , . . . , xn ),0
q n +1
Figure 13: Flat counter system Sφ
with Q1 , Q2 , . . . , Qn ∈ {∃, ∀} and φ0 is a quantifier-free formula. Note
that given any formula in PA, we can reduce it to an equisatisfiable
formula of that form in logarithmic space (which is then fine for our
main result since logarithmic-space reductions are closed under composition [Pap94]). This is essentially based on the construction of formulae in prenex normal form in first-order logic.
Let us consider Sφ as shown in Figure 13 where ei ∈ Nn is the
ith unit vector. Observe that φ0 (x1 , x2 , . . . , xn ) may contain Boolean
connectives. To eliminate the Boolean connectives in the guard of the
transition between qn and qn+1 , we follow two simple rules, while preserving flatness (easy to check, since that transition does not belong
to a loop). Without loss of generality, we can assume that negations
are only in front of linear constraints. For a transition of the form
ψ,0
q−
→ q0 with ψ being a formula with Boolean connectives, we disintegrate it into a flat system such that there exists a run from q to q0 iff the
ψ1 ∧ψ2 ,0
v |= ψ for any configuration hq, vi. A transition q −−−→ q0 is replaced
ψ1 ,0
ψ1 ∨ψ2 ,0
ψ2 ,0
by q −→ q00 −→ q0 where q00 is new. Similarly, a transition q −−−→ q0
ψ1 ,0
ψ2 ,0
is replaced by q −→ q0 and q −→ q0 , assuming that q does not belong
to a loop. It is easy to show that Sφ can be transformed into a flat
counter system Sφ0 by applying the two rules above as much as possible so that eventually, Sφ0 is a proper counter system for MC− (CTL∗ ,
FlatCS). This is a standard way of decomposing and representing a
boolean combination of literals. Though, for the ease of the proof we
will actually prove the properties of Sφ as shown in Figure 13.
Below, we define ψ in CTLEF whose atomic formulae are among q1 ,
. . . , qn+1 (also abusively understood as control states) such that
(†) Sφ , hq0 , 0i |= ψ iff φ is satisfiable in PA.
Intuitively, each variable zi from φ is taken care by the ith loop (that
can only increment the ith counter). Additionally, the quantifications
from φ are simulated in the formula ψ by using EF or AG, depending
whether the first-order quantification is either existential or universal.
def
We define the formulae ψ = ψ1 where ψi with i ∈ [1, n + 1] is defined
as



 EF(qi ∧ ψi+1 ) i ≤ n and Qi = ∃
ψi =
AG(qi ⇒ ψi+1 ) i ≤ n and Qi = ∀


 EFq
i = n+1
n +1
7.2 lower bound
Given a valuation f : VAR → N, we write v f ∈ Nn to denote the
def
vector such that v f [i ] = f (zi ) for every i ∈ [1, n]. We will in fact prove
the following properties, which in turn will imply (†).
(† †).1 for all valuation f , we have that f |= φ 0 ( z 1 , z 2 , . . . , z n ) iff
h q n , v f i |= ψ n + 1 ,
(† †).2 for all i ∈ [ 1, n ] and valuations f such that f ( z i ) = f ( z i ) =
· · · = f ( z n ) = 0, we have f |= Q z i · · · Q n z n φ 0 ( z 1 , z 2 , . . . , z n )
iff h q i − 1 , v f i |= ψ i .
First, let us prove Property ( † †).1. Note that ψ n + 1 = EF q n + 1 and
the only edge between q n and q n + 1 is the following:
φ 0 ( x 1 ,. . .,x n ) ,0
q n −−−−−−→ q n + 1
Let f be a valuation. By the definition of |= , we have h q n , v f i |=
EF q n + 1 iff v f |= φ 0 ( x 1 , . . . , x n ) . By definition of v f , we get v f |=
φ 0 ( x 1 , . . . , x n ) iff f |= φ 0 ( z 1 , z 2 , . . . , z n ) .
Now, let us prove Property († †).2 by induction, for which the base
case i = n + 1 corresponds precisely to the satisfaction of the property Property († †).1. Suppose that Property († †).2 holds for i + 1, let
us show that it holds for i too.
Case 1: Q i = ∃ .
Let f be a valuation such that f ( z i ) = · · · f ( z n ) = 0. We prove that
f |= ∃ z i · · · Q n z n φ 0 ( z 1 , . . . , z n ) iff h q i − 1 , v f i |= EF ( q i ∧ ψ i + 1 ) .
First, let us assume that f |= ∃ z i · · · Q n z n φ 0 ( z 1 , . . . , z n ) . By assumption, there exists a ∈ N such that f [ z i 7 → a ] |= Q i + 1 z i + 1 · · ·
Q n z n φ 0 ( z 1 , z 2 , . . . , z n ) . By induction hypothesis, h q i , v f 0 i |= ψ i + 1
where f 0 = f [ z i 7 → a ] . Now consider the transition system T ( S φ )
starting at the configuration h q i − 1 , v f i associated with S φ . There is a
run ρ in T ( S ) starting from h q i − 1 , v f i that reaches q i and where the
loop l i is visited exactly a times. Since, the effect of the simple loop l i
is to increment the counter x i each time, and v f [ i ] = 0, there is a finite run from h q i − 1 , v f i to h q i , v f 0 i . So, h q i − 1 , v f i |= EF ( q i ∧ ψ i + 1 ) .
On the other hand, let us assume that h q i − 1 , v f i |= EF ( q i ∧ ψ i + 1 ) .
By definition of |= , there exists a run ρ in T ( S φ ) with ρ ( 0 ) =
h q i − 1 , v f i such that for some position j < | ρ | , ρ ( j ) |= q i ∧ ψ i + 1 .
Thus, ρ ( j ) = h q i , v 0 i for some v 0 ∈ N n . Since q i is reached only
after taking the simple loop l i , let us assume that the loop l i is
taken a ≥ 0 times. Since, the effect of the simple loop l i is to increment the counter x i each time, v 0 [ i ] = a and v f and v 0 differ
only on the ith component. So, v 0 = v f 0 where f 0 = f [ z i 7 → a ] .
Since h q i , v f 0 i |= ψ i + 1 , by the induction hypothesis f [ z i 7 → a ] |=
Q i + 1 z i + 1 · · · Q n z n φ 0 ( z 1 , z 2 , . . . , z n ) . By definition of |= in PA,
we can conclude that f |= ∃ z i · · · Q n z n φ 0 ( z 1 , . . . , z n ) .
133
ctl ∗ and related branching-time temporal logics
134
Case 2: Q i = ∀ .
Let f be a valuation such that f ( z i ) = · · · f ( z n ) = 0. We prove
that f |= ∀ z i · · · Q n z n φ 0 ( z 1 , . . . , z n ) iff h q i − 1 , v f i |= AG ( q i ⇒
ψi + 1 ).
First, let us assume that f |= ∀ zi · · · Qn zn φ0 (z1 , . . . , zn ). By assumption, for all a ∈ N such that f [zi 7→ a] |= Qi+1 zi+1 · · · Qn zn
φ0 (z1 , z2 , . . . , zn ). By induction hypothesis, for all such v f 0 , we have
that hqi , v f 0 i |= ψi+1 where f 0 = f [zi 7→ a]. Now consider the transition system T(Sφ ) starting at the configuration hqi−1 , v f i. There are
two types of run ρ in T(S) starting from hqi−1 , v f i:
1. ρ reaches qi and the loop li is visited exactly a times for every
a ∈ N.
2. ρ loops li infinitely many times and never reaches qi .
Due to the implication qi ⇒ ψi+1 we can easily ignore the runs of type
2 above as the formula is vacuously true for any state other than qi .
Hence, we will consider only the runs where li is taken only finitely
many times. Since, the effect of the simple loop li is to increment the
counter xi each time, and v f [i ] = 0, there are finite runs from hqi−1 , v f i
to hqi , v f 0 i for each of the valuations f 0 = f [zi 7→ a] for all a ∈ N. So,
hqi−1 , v f i |= AG(qi ⇒ ψi+1 ).
On the other hand, let us assume that hqi−1 , v f i |= AG(qi ⇒ ψi+1 ).
By definition of |=, there exist a set of runs X, in T(Sφ ) such that for
all ρ ∈ X we have ρ(0) = hqi−1 , v f i and for some position j < |ρ|, if
ρ( j) |= qi then ρ( j) |= ψi+1 . Thus, for every run ρ ∈ X, ρ( j) = hqi , v0 i
for some v0 ∈ Nn . Since qi is reached only after taking the simple loop
li a finite number of times in any run, let us assume that for each value
of a ≥ 0, there exists a run ρ a ∈ X where the loop li is taken a times.
Since, the effect of the simple loop li is to increment the counter xi
each time, v0 [i ] = a and v f and v0 differ only on the ith component in
any run ρ a in X. So, v0 = v f 0 where f 0 = f [zi 7→ a]. Since hqi , v f 0 i |=
ψi+1 for all such valuations v f 0 , by the induction hypothesis f [zi 7→
a] |= Qi+1 zi+1 · · · Qn zn φ0 (z1 , z2 , . . . , zn ) for all a ∈ N. By definition
of |= in PA, we can conclude that f |= ∀ zi · · · Qn zn φ0 (z1 , . . . , zn ).
Thus, we can conclude that given an instance of satisfiability problem for PA, one can reduce the problem in logarithmic-space to the
model-checking problem of a restricted version of CTLEF over flat
counter system. This reduction gives one side of the equivalence of
the complexity that we are trying to show. The other side is explained
in the next section.
7.3
upper bound
In this section, we present a logarithmic space reduction from the
model-checking problem of CTL∗ over flat counter systems to the
7.3 upper bound
satisfiability problem for PA. In [DFGvD10], a reduction is already
presented to get decidability of MC(CTL∗ , FlatCS). Unfortunately, it
requires exponential space and is quite difficult to parse. Following a
similar idea, we propose here a simpler reduction that has the great
advantage to be optimal complexity-wise. The idea of this reduction
is based on the two following points:
1. to encode the runs in flat counter systems by tuples of natural numbers thanks to a symbolic representation for potential
infinite sets of runs,
2. to internalize CTL∗ semantics into PA by using the encoding of
runs.
Below, we consider a fixed flat counter system S = h Q, Cn , ∆, li and
without loss of generality order the states as Q = {1, . . . , α} for some
α ≥ 1 and ∆ = {δ1 , . . . , δβ }. Since Q ⊆ N, configurations of S can be
represented as vectors in Nn+1 where the first component represents
the control state and the rest represent the counter values.
7.3.1 Encoding Iterated Path Schemas
Recall that a minimal path schema P is an ω-regular expression over
the transitions of the system and of the form p1 l1+ p2 l2+ · · · pk lkω where
• each segment is different,
• each transition occurs only once in each segment and
• each transition occurs at most twice in P.
In the sequel, since we deal with only minimal path schemas, we will
denote them simply as path schemas. Moreover, we denote the ith
segment of P as P[i ] for i ∈ [1, size( P) − 1]. In order to obtain concrete
paths from a path schema P, we augment P with a vector specifying
how many times each internal loop is visited. By definition, a loop in
P is internal if it is not the last one. An iterated path schema is a pair
h P, mi where P is a minimal path schema and m ∈ Nsize( P) such that
m[1] = size( P) and for all i ∈ [1, size( P) − 1], m[i + 1] > 0 and if
P[i ] ∈ ∆ (not a loop), then m[i + 1] = 1. From h P, mi, we define the
ω-word
def
trans( P, m) = P[1]m[2] . . . P[ j]m[ j+1] . . . P[size( P) − 1]m[size( P)] P[size( P)]ω
Lemma 31 below states that iterated path schemas encode all runs
from flat counter systems by noting that infinite runs necessarily end
by a simple loop (repeated infinitely) and the visit of loops is strictly
ordered.
Lemma 31. Given an infinite run ρ in a flat counter system S , there exists
an iterated path schema h P, mi such that trans(ρ) = trans( P, m).
135
136
ctl ∗ and related branching-time temporal logics
Proof. Given any run ρ in S, from Theorem 1, we know that there exists a minimal path schema P of S such that ρ respects P. We construct
vm ∈ Nsize( P) as following (for every i ∈ [1, size( P) − 1]),
• vm [1] = size( P)
• if P[i ] = p j for some j ∈ [1, len( P)] then vm [i + 1] = 1
• if P[i ] = l j for some j ∈ [1, len( P) − 1] then vm [i + 1] = iterP (w)[ j]
Clearly, h P, mi is an iterated path schema and by definition of iterP (w)
[ j] for any loop l j in P, it is clear that trans(ρ) = trans( P, m). Thus, for
any run ρ in S, we can construct an iterated path schema h P, mi such
that trans(ρ) = trans( P, m).
Let the set of loops be enumerated as L = {l1 , . . . , lγ }. Thanks to
the definition of minimal path schemas, it is clear that we can denote
the string p1 p2 · · · pk using a vector v ∈ Nβ (using the indexes of the
transitions in order). Hence, we can represent a minimal path schema
using vectors of size β + γ + 1. We will first show that it is possible to
encode path schemas with loops by vectors in NK with K = 1 + β + γ.
Intuitively, we encode a path schema P by two vectors v p and vt in
NK where the first element of each vector is equal to size( P) and
for all i ∈ [2, size( P) + 1], we have vt [i ] = 1 if P[i ] is a loop and
vt [i ] = 0 otherwise. So, vt encodes the type of each element (transition
vs. loop) in the sequence defining P. Similarly, v p [i ] represents the
number of the associated transition or loop; for instance, v p [i ] = 2
and vt [i ] = 1 encodes that P[i ] is the second loop, say l2 . Furthermore,
we encode the vector m by a vector vit ∈ NK . Let us formalize this.
First, we define the auxilliary function τ : (({0} × [1, β]) ∪ ({1} ×
def
def
[1, γ])) → ∆ ∪ L such that τ (0, i ) = δi for all i ∈ [1, β] and τ (1, i ) = li
for all i ∈ [1, γ]. Now, we provide a set of conditions C on the vectors
vt , v p , vit ∈ NK which have to be respected so that, we can build from
them an iterated path schema.
C.1 v p [1] = vt [1] = vit [1] with v p [1] ∈ [1, K − 1]; for all i ∈ [vit [1] +
2, K ], v p [i ] = vt [i ] = vit [i ] = 0,
C.2 vt [i ] ∈ {0, 1} for all i ∈ [2, K ],
C.3 if vt [i ] = 0 then v p [i ] ∈ [1, β], for all i ∈ [2, v p [1] + 1],
C.4 if vt [i ] = 1 then v p [i ] ∈ [1, γ], for all i ∈ [2, v p [1] + 1],
C.5 vt [v p [1] + 1] = 1,
C.6 there are no i, j ∈ [2, v p [1] + 1] such that i 6= j, vt [i ] = vt [ j] and
v p [ i ] = v p [ j ],
C.7 target(τ (vt [i ], v p [i ])) = source(τ (vt [i + 1], v p [i + 1])) for all i ∈
[2, v p [1]],
C.8 for all i ∈ [2, v p [1]], vit [i ] > 0 and if vt [i ] = 0 then vit [i ] = 1.
7.3 upper bound
The first four conditions ensure that the vectorial representation is
coherent. The three next conditions guarantee that the encoding respects the structure of a minimal path schema, i.e. that the last element is a loop (C.5), that there are no two identical transitions or
loops in the schema (C.6) and that the succession of elements effectively represents a path in the counter system (C.7). The last condition
ensures that vit matches the definition of the vector in an iterated path
schema.
It follows that given vectors v p , vt and vit in NK that satisfy all the
conditions (C.i), we can build a minimal path schema Pvt ,v p equal to
τ (vt [2], v p [2]) · · · τ (vt [v p [1] + 1], v p [v p [1] + 1])
From the vector vit , we can define the vector mvit ∈ Nvit [1] such that
def
for all i ∈ [1, vit [1]], mvit [i ] = vit [i ]. We will see that there exists a
Presburger formula Schema(Zt , Z p , Zit ) over the sets of variables Z p =
{z1p , . . . , zKp }, Zt = {z1t , . . . , ztK } and Zit = {z1it , . . . , zitK } to express the
conditions (C.i)i∈[1,8] .
Lemma 32.
1. Let P be a finite non-empty sequence of length N ≤ β + γ over the
alphabet ∆ ∪ L and m ∈ N N . Then, h P, mi is an iterated path schema
iff there are vt , v p and vit in NK respecting C and such that P = Pvt ,v p
and m = mvit .
2. One can build a PA formula Schema(Zt , Z p , Zit ) of polynomial size in
the size of the counter system S such that for all vt , v p , vit ∈ NK , we
have vt , v p , vit |= Schema(Zt , Z p , Zit ) iff vt , v p and vit satisfy C.
Proof.
1. Recall that by definition, an iterated path schema is defined as
h P, mi, such that P is a minimal path schema and m ∈ Nsize( P) .
Now assume that we have vectors vt , v p , vit ∈ NK such that
vt , v p , vit satisfies all the conditions of C. We perform the construction of Pvt ,v p . By definition of Pvt ,v p and C.1 through C.4
ensure that Pvt ,v p is a sequence of loops and edges from S. C.5
ensures that Pvt ,v p ends with a loop. Alongwith C.7 the construction ensures that Pvt ,v p is a path schema from S. C.6 ensures
that the path schema Pvt ,v p is a minimal path schema where
none of the edges or loops are repeated. By construction v p [1]
is exactly equal to size( Pvt ,v p ). Thus, mvit is defined to be in
Nsize( Pvt ,v p ) . Thus, we can conclude that h Pvt ,v p , mvit i is an iterated path schema.
For the other side, given an iterated schema h P, mi, we construct
vt and v p as:
• vt [1] = v p [1] = size( P).
137
138
ctl ∗ and related branching-time temporal logics
• v p [i ] = j and vt [i ] = 0 if P[i − 1] = δj for all i ∈ [2, size( P) +
1] and some j.
• v p [i ] = j and vt [i ] = 1 if P[i − 1] = l j for all i ∈ [2, size( P) +
1] and some j.
• v p [i ] = vt [i ] = 0 for all i ∈ [size( P) + 2, K ].
Note that the above construction follows exactly the reverse
steps of the construction of Pvt ,v p . In other words, given an iterated path schema h P, mi, the above construction gives us the
vectors vt and v p such that P = Pvt ,v p . Moreover, we can construct vit from m ∈ Nsize( P) as :
• vit [1] = size( P),
• vit [i ] = m[i ] for all i ∈ [1, size( P)],
• vit [i ] = 0 for all i ∈ [size( P) + 1, K ].
Clearly by the construction of vt , v p and the fact that size( P) > 0
we can conclude that C.1 is satisfied. Similarly, by construction,
and the fact that P is a sequence of transitions and loops, C.2 to
C.5 are satisfied. Due to the fact that P is a minimal path schema,
C.6 and C.7 are also satisfied. Since, h P, mi is an iterated path
schema, C.8 is also satisfied.
2. To construct the formula Schema(Zt , Z p , Zit ), we first define a
formula ψi for each condition C.i.
def
ψ1 = (z1t = z1p ∧ z1p = z1it ∧ z1p > 0 ∧ z1p < K )∧
K
V
z1p + 1 < i ⇒ (zit = zip ∧ zip = ziit ∧ ziit = 0)
i =2
def
ψ2 =
K
^
(zit ≤ 1)
i =2
def
ψ3 =
K
^
i ≤ z1p + 1 ⇒ (zit = 0 ⇒ zip ≤ β ∧ zip ≥ 1)
i =2
def
ψ4 =
K
^
i ≤ z1p + 1 ⇒ (zit = 1 ⇒ zip ≤ γ ∧ zip ≥ 1)
i =2
def
ψ5 =
K
^
i = z1p + 1 ⇒ zit = 1
i =2
def
ψ6 =
K
V
i =2
(i ≤ z1p + 1 ⇒ (
j≤
def
ψ7 =
K
V
i =2
z1p
i ≤ z1p + 1 ⇒
(zit
K
V
j=2,j6=i
j
j
+ 1 ⇒ (zip 6= z p ∨ zit 6= zt )))
W
{( a,b,a0 ,b0 )|target(τ ( a,b))=source(τ ( a0 .b0 ))}
= a ∧ zip = b ∧ zit+1 = a0 ∧ zip+1 = b0 )
7.3 upper bound
def
ψ8 =
K
^
i ≤ z1p + 1 ⇒ (ziit > 0 ∧ (zit = 0 ⇒ ziit = 1))
i =2
We construct the formula Schema(Zt , Z p , Zit ) as (ψ1 ∧ · · · ∧ ψ8 ).
For all i ∈ [1, 8], vt , v p , vit satisfies C.i iff vt , v p , vit |= ψi . For example, consider C.6, which expresses the minimality constraint
for the minimal path schema, saying that for any two distinct
positions either the values are different or they are of different types. More formally, for all i, j ∈ [1, v p [1] + 1], i 6= j ⇒
(v p [i ] 6= vt [ j] ∨ vt [i ] 6= vt [ j]). Notice that ψ6 has a nested conjunction allowing to compare every possible pair of position
hi, ji. And for every possible pair we check exactly the condition
stated in C.6. Clearly, vt , v p , vit satisfies C.6 iff vt , v p , vit |= ψ6 . Finally, the formula Schema states that all formulae ψi hold for
the vectors vt , v p , vit . Hence it is easy to see that, vt , v p , vit |=
Schema(Zt , Z p , Zit ) iff vt , v p , vit satisfies C.
Hence, we can construct, a polynomial size quantifier-free Presburger formula Schema(Zt , Z p , Zit ), characterizing as solutions, all vectors which can be used to construct a minimal path schema from S.
This allows us a concise way to quantify over all path schemas in a
flat counter system.
7.3.2 An Example
Let us consider the following flat counter system.
q2
q7
δ7
δ1
δ5
l2
δ2
l1
δ4
q1
q5
δ6
δ3
l3
δ9
q6
q8
δ8
δ10
There are 10 transitions and 3 simple loops. The enumeration of
transitions and loops is done as shown above. Let h P, mi be such that
P = p · l2 · p0 · l3 with p = δ3 · δ6 , p0 = δ8 and m = (5, 1, 1, 146, 1).
So, we get the resulting ω-word as δ3 · δ6 · (l2 )146 · δ8 · (l3 )ω . From the
previous encoding, the ω-word is encoded by vectors
v p = (5, 3, 6, 2, 8, 3, 0, 0, 0, 0, 0, 0, 0, 0)
vt = (5, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0)
vit = (5, 1, 1, 146, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0)
7.3.3 Encoding Runs Using Vectors
Now that we are able to characterize the path schemas of a counter
system S using a Presburger arithmetic formula, we will try to charac-
139
140
ctl ∗ and related branching-time temporal logics
terize the runs respecting any path schema P of S using a Presburger
arithmetic formula. Even though Lemma 31 states that any infinite
run can be encoded by an iterated path schema. However, not every
iterated path schema corresponds to a run in due form. We will see
now how to check that an iterated path schema indeed represents a
run starting from a given configuration c. First, we need to introduce
a notion of pseudo-run in which only the updates are precise. Given
c ∈ Q × Zn , a pseudo-run ρ starting from c in S is an infinite sequence
ρ : = c0
δ1
···
δm−1
cm
δm
···
where c0 = c, ci = hqi , vi i ∈ Q × Zn for all i ≥ 0 and for all transitions
δ ∈ ∆ we have hq, vi
δ
def
hq0 , v0 i ⇔ q = source(δ), q0 = target(δ)
δ1
δm−1
and v0 = v + update(δ). So, a pseudo-run ρ = hq0 , v0 i
···
hqm , vm i · · · is a run iff for all i ∈ N, vi |= guard(δi ) and vi ∈ Nn .
Note also that for all configurations hq, vi, if h P, mi is an iterated
path schema such that source( P[1]) = q then there exists a pseudorun starting from c such that trans(ρ) = trans(h P, mi).
From these observations, we conclude that an iterated path schema
h P, mi augmented with c0 = hq0 , v0 i verifying source( P[1]) = q0 , defines a unique pseudo-run that is denoted by ρ( P, m, c0 ). Given a
configuration c0 = hq0 , v0 i, we say that ρ( P, m, c0 ) is well-defined if
def
j =i
source( P[1]) = q0 . For every i ∈ [0, size( P) − 1] let pi = ∑ j=1 m[ j] ∗
def
len( P[ j]) with limit case p0 = 0. The value pi is called the position
of the ith witness configuration ρ( P, m, c0 )(pi ). Intuitively, we reach the
ith witness configuration after going through the first i elements of
the path schema P in ρ( P, m, c0 ). We say that ρ( P, m, c0 ) is positive if
for all the witness configurations hq, vi, we have v ∈ Nn . Note that
since for all path schemas P, we have size( P) ≤ β + γ, the number of
witness configurations for such a pseudo-run is bounded by β + γ.
Now, we show how to build a PA formula whose set of solutions
corresponds to the witness configurations of a pseudo-run associated
to an iterated path schema equipped with an initial configuration.
Before defining the formula, we explain some further notions. In the
sequel, we use the sets of variables X0 = {x10 , . . . , x0n+1 } and X =
{x1 , . . . , xn+1 } to represent configurations and Wi = {wi1 , . . . , win+1 }
for every i ∈ [0, β + γ − 1] to represent pseudo-configurations and
the variables p0 , . . . , pβ+γ−1 and y to represent positions in (pseudo)runs. Furthermore, given sets of variables X, W representing (pseudo)configurations, a variable x and a vector u ∈ Nn , we use the shortcut
X = W + x.u to denote the formula
n^
+1
xi = wi + x.u[i − 1]
i =2
Let us define the formula Witness that states whether a given set of
configurations and natural numbers represent the witness configurations and their respective positions in a pseudo-run associated to an
7.3 upper bound
141
iterated path schema. The main idea of the formula is to check at each
step whether the control states of the witness configurations match
with the states of the taken transitions or loops in the path schema
and then to compute the effect of the corresponding element of the
iterated path schema taking into account the number of iterations.
def
Witness ( W 0 , . . . , W β + γ − 1 , p 0 , . . . , p β + γ − 1 , Z t , Z p , Z i t , X 0 ) =
( p0 = 0 ∧ X0 = W0 ∧
β +V
γ−1
i=1
( β,γ )
1 maxW
W
z 2p = j ∧ z 2t = t ∧ x 10 = source ( τ ( t, j ) ))∧
t=0
j=1
( i < z 1t ⇒
( β,γ )
1 maxW
W
t=0
j=1
( z ip+ 1 = j ∧ z it + 1 = t ∧ p i = p i − 1 + z ii t+ 1 ∗ len ( τ ( t, j ) )∧
w i1 = target ( τ ( t, j ) ) ∧ W i = W i − 1 + z ii t+ 1 ∗ update ( τ ( t, i ) ))
Lemma 33 below, states the property characterized by the formula
Witness constructed above.
Lemma 33. Let w0 , . . . , wβ+γ−1 , c0 ∈ Nn+1 and p0 , . . . , pβ+γ−1 ∈ N
and vt , v p , vit in NK such that vt , v p , vit |= Schema(Zt , Z p , Zit ). We have
w0 , . . . , wβ+γ−1 , p0 , . . . , pβ+γ−1 , vt , v p , vit , c0 |= Witness iff the pseudorun ρ( Pvt ,v p , mvit , c0 ) is well-defined and positive and for all j ∈ [0, β +
γ − 1], if j < size( Pvt ,v p ), then w j represents the jth witness configuration
of ρ( Pvt ,v p , mvit , c0 ) and p j its position.
Proof. Let w0 , . . . , wβ+γ−1 , c0 ∈ Nn+1 and p0 , . . . pβ+γ−1 ∈ N and vt ,
v p , vit in NK such that vt , v p , vit |= Schema(Zt , Z p , Zit ). By Lemma 32,
we know that vt , v p and vit respect the conditions in C and consequently that h Pvt ,v p , mvit i is an iterated path schema.
First we suppose that w0 , . . . , wβ+γ−1 , p0 , . . . , pβ+γ−1 , vt , v p , vit , c0 |=
Witness.
• The subformula
( β,γ)
1 max_
_
t =0
z2p = j ∧ z2t = t ∧ x10 = source(τ (t, j))
j =1
ensures that q0 = source( Pvt ,v p [1]); in fact it guearantees that
c0 [1] = source(τ (vt [2], v p [2])). Consequently, we can define the
pseudo-run ρ( Pvt ,v p , mvit , c0 ).
• Let N = size( Pvt ,v p ). We recall that N = vt [1]. We will now show
that w j is the jth witness configuration of ρ( Pvt ,v p , mvit , c0 ) and
p j is its position for all j < N.
– First thanks to the part of formula saying p0 = 0 ∧ X0 =
W0 , we now that d0 = 0 and that w0 = c0 , whence w0
142
ctl ∗ and related branching-time temporal logics
is effectively the witness configuration at position 0. Now
thanks to the part of the formula saying that
β+V
γ −1
i =1
(i < z1t ⇒
( β,γ)
1 maxW
W
(zip+1 = j ∧ zit+1 = t∧
t =0
j =1
pi = pi−1 + ziit+1 ∗ len(τ (t, j))))
k= j
we have that for all 1 < j < N, p j = ∑k=1 vit [k + 1] ∗
len(τ (vt [k + 1], v p [k + 1])) and this allows us to deduce that
p j is the position of the jth witness configuration (using the
definition of witness configuration).
– Similarly, the part of the formula saying
β+V
γ −1
i =1
(i < z1t ⇒
( β,γ)
1 maxW
W
(zip+1 = j ∧ zit+1 = t∧
t =0
j =1
wi1 = target(τ (t, j))∧
Wi = Wi−1 + ziit+1 ∗ update(τ (t, i ))))
ensures us that for all j < N, w j [1] = target(τ (vt [ j + 1], v p [ j
k= j
+ 1])) and for all i ∈ [2, n + 1], w j [i ] = c0 [i ] + ∑k=1 vit [k +
1] ∗ update(τ (vt [k + 1], v p [k + 1]))[i ] and consequently w j
corresponds effectively to the jth witness configuration. Furthermore since for all j < N, w j belongs to Nn+1 , then we
deduce that the pseudo-run ρ( Pvt ,v p , mvit , c0 ) is positive.
We now assume that ρ( Pvt ,v p , mvit , c0 ) is well-defined and positive
and for all j ∈ [0, β + γ − 1], if j < size( Pvt ,v p ), then w j is the jth
witness configuration of ρ( Pvt ,v p , mvit , c0 ) and p j its position. Let N =
size( Pvt ,v p ). We recall that N = vt [1] by definition of Pvt ,v p . By definition of the witness configurations, the following assertions hold:
• p0 = 0 and w0 = c0 and c0 [1] = source( Pvt ,v p [1]),
whence w0 [1] = source( Pvt ,v p [1]);
• for all 1 < j < N,
k= j
p j = ∑k=1 vit [k + 1] ∗ len( Pvt ,v p [k ])
k= j
= ∑k=1 vit [k + 1] ∗ len(τ (vt [k + 1], v p [k + 1]))
= p j−1 + vit [ j + 1] ∗ len(τ (vt [ j + 1], v p [ j + 1]))
• for all 1 < j < N,
w j [1] = target( Pvt ,v p [ j]) = target(τ (vt [ j + 1], v p [ j + 1]))
7.3 upper bound
• for all 1 < j < N, for all i ∈ [2, n + 1],
k= j
w j [i ] =
∑ vit [k + 1] ∗ update( Pv ,v
t
p
[k])[i ] =
k =1
k= j
∑ vit [k + 1] ∗ update(τ (vt [k + 1], v p [k + 1]))[i] =
k =1
w j−1 [i ] + vit [ j + 1] ∗ update(τ (vt [ j + 1], v p [ j + 1]))[i ]
These assertions allow us to deduce that we effectively have w0 , . . . ,
wβ+γ−1 , p0 , . . . , pβ+γ−1 , vt , v p , vit , c0 |= Witness.
The formula Witness gives us a way to characterize the witness
position and the configuration at those positions of a pseudo-run represented by an iterated path schema. Identifying witness positions
and the configurations is essential to check whether a pseudo-run is
a run or not. In effect, using Witness, one can build in logarithmic
space a formula to check whether a vector c is the ith configuration hqi , vi i of a pseudo-run ρ( Pvt ,v p , mvit , c0 ) with the property that
vi |= guard(trans(h Pvt ,v p , mvit i)[i + 1]) and vi ∈ Nn (here i is the number of transitions to reach that configuration) and then to construct a
formula to check whether a pseudo-run is a run. In fact, as observed
earlier, it is enough to check whether at each step the ith configuration satisfies the guard of the (i + 1)th transition. This is done in
Lemma 34 below.
Lemma 34. One can build in logarithmic-space in the size of S two PA
formulae Conf (Zt , Z p , Zit , X0 , y, X) and Run(Zt , Z p , Zit , X0 ) such that for
all c0 , c ∈ Nn+1 , for all i ∈ N and for all vt , v p , vit ∈ Nβ+γ+1 , we have
the two following properties:
1. vt , v p , vit , c0 , i, c |= Conf iff vt , v p , vit |= Schema and ρ( Pvt ,v p , mvit , c0 )
is well defined and c = ρ( Pvt ,v p , mvit , c0 )(i ) and c[2], · · · , c[n + 1] |=
guard(trans(h Pvt ,v p , mvit i)[i + 1])
2. vt , v p , vit , c0 |= Run iff vt , v p , vit |= Schema and ρ( Pvt ,v p , mvit , c0 ) is
well-defined and is a run.
Proof. First we explain how to build the formula Conf (Zt , Z p , Zit ,
X0 , y, X). This formula uses Schema(Zt , Z p , Zit ) to check whether the
variables correspond to a path schema. Then, thanks to existential
quantifiers, the formula guesses the positions and the values of the
witness configurations using the formula Witness(W0 , . . . , Wβ+γ−1 , p0 ,
. . . , pβ+γ−1 , Zt , Z p , Zit , X0 ) and the result of Lemma 33. We recall that
the formula stores in X the configuration of the corresponding pseudorun at the position stored in the variable y. To do this, it performs a
case analysis by looking at where the value stored in y lays compared
to the positions of the witness configurations, the cases are the following:
143
144
ctl ∗ and related branching-time temporal logics
1. the value stored in y corresponds to a witness position from
which the next step in the path schema is a transition δ. It is
then easy to find the value of the associated configuration which
corresponds to a witness configuration. Also, thanks to the encoding of the path schema provided by the variables in Zt ,Z p
and Zit , it is easy to check that the guards of δ is satisfied;
2. the value stored in y corresponds to a position between two
consecutive witness positions and lays inside a loop, then one
has to check how many times the corresponding loop has been
taken and thanks to this information, the formula can compute
the value of reached configuration and find the corresponding
guard to be checked for satisfaction.
3. the value stored in y lies in the last loop of the path schema,
then the treatment is the same as for the second case.
Before giving the definition of the formula Conf , we introduce the
following notations. First we recall that in PA we can use the modulo
operator ≡, the following formula t ≡c t0 with c ∈ N being a short
hand for the expression ∃x.(t = c.x + t0 ) ∨ (t0 = c.x + t). Then for
a simple loop l of the form δ1 , . . . , δm , for all i ∈ [1, m], we will use
the notation l [i ] to represent the transitions δi . We are now ready to
define the formula Conf as follows:
def
Conf (Zt , Z p , Zit , X0 , y, X) = Schema(Zt , Z p , Zit ) ∧
∃W0 . . . ∃Wβ+γ−1 ∃p0 . . . ∃pβ+γ−1
Witness(W0 , . . . , Wβ+γ−1 , p0 , . . . , pβ+γ−1 , Zt , Z p , Zit , X0 ) ∧
β+W
γ −1
j =0
j +2
[( j ≤ z1p ∧ y = p j ∧ zt
β
W
(j
(j
= 0 ∧ X = Wj ∧
j +2
= k ∧ guard(δk )(x2 , · · · , xn+1 )))∧
k =1
j +2
≤ z1p ∧ p j ≤ y < p j+1 ∧ zt = 1∧
γ
W
j +2
(z p = k ∧ ConfLooplk (W j , y − p j , X)))∧
k =1
= z1p ∧ p j ≤ y∧
γ
W
j +2
(z p = k ∧ ConfLooplk (W j , y − p j , X)))]
k =1
(z p
where for all loops lk with k ∈ [1, γ], the formula ConfLooplk (W, y, X)
(defined below) is used to find the configurations corresponding to
7.3 upper bound
X obtained when taking the loop lk from the configuration W and
taking y transitions in the loop.
def
ConfLooplk (W, y, X) ⇔
len(W
lk )−1
j =0
[y ≡len(lk ) j ∧ x1 = source(lk [ j + 1])∧
guard(lk [ j + 1])(x2 , · · · , xn+1 )∧
∃h.(h ∗ len(lk ) ≤ y < h ∗ len(lk ) + 1 ∧
j
X = W + h ∗ update(lk ) + ∑ update(lk [r ]))]
r =1
Note that in the definition of the formula Conf the second line corresponds to the first case we have stated above, the third line to the
second case and the fourth line to the last and third case. We are now
ready to prove the properties satisfied by this formula.
We assume that there exist c0 , c ∈ Nn+1 and all i ∈ N and vt , v p , vit ∈
Nβ+γ+1 such that vt , v p , vit , c0 , i, c |= Conf . Note that thanks to the
conjunct Schema(Zt , Z p , Zit ), we have that vt , v p , vit |= Schema and using Lemma 32 we know that h Pvt ,v p , mvit i is an iterated path schema.
Furthermore we know that there exist w0 , . . . , wβ+γ−1 ∈ Nn+1 and
p0 , . . . , pβ+γ−1 ∈ N such that w0 , . . . , wβ+γ−1 , p0 , . . . , pβ+γ−1 , vt , v p , vit ,
c0 |= Witness, hence thanks to Lemma 33, we have that ρ( Pvt ,v p , mvit , c0 )
is well defined and positive and for all j ∈ [0, β + γ − 1], if j <
size( Pvt ,v p ), then w j represents the jth witness configuration of ρ( Pvt ,v p ,
mvit , c0 ) and p j its position. We now proceed on a case analysis on the
value of i:
• First assume that there exists j ≤ v p [1] = size( Pvt ,v p ) such that
i = p j and vt [ j + 2] = 0, then we know from the formula that c =
w j and hence since w j = ρ( Pvt ,v p , mvit , c0 )[p j ] (by definition of
witness configuration), we deduce that c = ρ( Pvt ,v p , mvit , c0 )[i ].
Furthermore we have that vt [ j + 2] = 0, hence Pvt ,v p [ j + 1] ∈ ∆
and since we also have that c[2], . . . , c[n + 1] |= guard(δv p [ j+2] ).
Using the definition of iterated path schema we have that
δv p [ j+2] = Pvt ,v p [ j + 1]
k= j
= trans(h Pvt ,v p , mvit i)[ ∑ len( Pvt ,v p [k]) ∗ vit [k + 1] + 1]
k =1
and using the definition of the position of the jth witness configuration, we deduce that δv p [ j+2] = trans(h Pvt ,v p , mvit i)[p j + 1] =
trans(h Pvt ,v p , mvit i)[i + 1]. Consequently, we have c[2], . . . , c[n +
1] |= guard(trans(h Pvt ,v p , mvit i)[i + 1]).
• Now assume that there exists j ≤ v p [1] = size( Pvt ,v p ) such
that p j ≤ j < p j+1 and vt [ j + 2] = 1 (hence Pvt ,v p [ j + 1] is a
loop in L). We have then that w j , i − p j , c |= ConfLooplk with
k = v p [ j + 2]. Then let u ∈ [0, len(lk ) − 1] and v ∈ N such
145
146
ctl ∗ and related branching-time temporal logics
that i − p j = v ∗ len(lk ) + u. Note that since p j ≤ i < p j+1 , we
know that the pseudo-run ρ( Pvt ,v p , mvit , c0 ) at position i lies exactly in the loop lk . Moreover this also implies that it has taken
this loop exactly v times and also the u first transition along
with that the next transition will still be one of the loop (otherwise we would have i ≥ p j+1 ). The formula tells us then
that c[1] = source(lk [u + 1]) and for all 2 ≤ ` ≤ n + 1, we
r =u
have c[`] = w j [`] + ∑ update(lk [r ])[`], hence this allows us to
r =1
deduce that c = ρ( Pvt ,v p , mvit , c0 )[i ]. Furthermore we also have
that c[2], . . . , c[n + 1] |= guard(lk [u + 1]), which allows us to deduce that c[2], . . . , c[n + 1] |= guard(trans(h Pvt ,v p , mvit i)[i + 1]),
in fact we have trans(h Pvt ,v p , mvit i)[i + 1] = trans(h Pvt ,v p , mvit i)
[p j + (i − p j ) + 1] = trans(h Pvt ,v p , mvit i)[p j + v ∗ len(lk ) + u + 1] =
l k [ u + 1].
• The case where there exist j = v p [1] = size( Pvt ,v p ) and p j ≤ j
is equivalent to the previous one, the only difference being that
this time the position of the run is in the last loop of the path
schema Pvt ,v p .
The other direction which consists in proving that if vt , v p , vit |=
Schema and ρ( Pvt ,v p , mvit , c0 ) is well defined and c = ρ( Pvt ,v p , mvit , c0 )[i ]
and c[2], · · · , c[n + 1] |= guard(trans(h Pvt ,v p , mvit i)[i + 1]) then vt , v p , vit
, c0 , i, c |= Conf can be done in a similar way.
δ1
δm−1
···
As we have already stated, a pseudo-run ρ = hq0 , v0 i
hqm , vm i · · · is a run iff for all i ∈ N, vi |= guard(δi ) and vi ∈ Nn .
Consequently to construct the formula Run(Zt , Z p , Zit , X0 ), we only
have to check that the values contained in the set of variables Zt , Z p ,Zit
and X0 correspond to a pseudo-run for which at each step the vector
value of the configuration is in Nn and satisfies the guard of the next
transition. According to the properties satisfied by the formula Conf ,
we build the formula Run as follows:
def
Run(Zt , Z p , Zit , X0 ) = ∀ i ∃ X Conf (Zt , Z p , Zit , X0 , i, X)
We will now prove the properties of this formula. First, we assume
that there exist c0 ∈ Nn+1 and vt , v p , vit ∈ Nβ+γ+1 such that vt , v p , vit , c0
|= Run, then for all i ∈ N, there exists c ∈ Nn+1 such that vt , v p , vit , c0 , i, c
|= Conf . Thanks to the previous property we have that vt , v p , vit |=
Schema and ρ( Pvt ,v p , mvit , c0 ) is well-defined, positive and c = ρ( Pvt ,v p ,
mvit , c0 )[i ] is represented by c. Moreover c[2], · · · , c[n + 1] |= guard(
trans(h Pvt ,v p , mvit i)[i + 1]). Hence, the pseudo-run ρ( Pvt ,v p , mvit , c0 ) is
a run.
Now assume that there exist c0 ∈ Nn+1 and vt , v p , vit ∈ Nβ+γ+1
such that vt , v p , vit |= Schema and ρ( Pvt ,v p , mvit , c0 ) is well-defined and
is a run. Let i ∈ N and let c = ρ( Pvt ,v p , mvit , c0 )[i ], by definition of
a run we have c[2], · · · , c[n + 1] |= guard(trans(h Pvt ,v p , mvit i)[i + 1]),
7.3 upper bound
consequently we deduce that vt , v p , vit , c0 , i, c |= Conf . This allows us
to deduce that vt , v p , vit , c0 |= Run.
Finally, if we consider that the size of the system S is equal to its
number of transitions multiplied by the size of each transition, which
correspond to the size of the guards (i.e. the number of subformulae
multiplied by the size of the maximal value found in the formulae
encoded in binary) to which is added the size of the maximal value
in the updated vector (encoded in binary), we remark by construction
that the size of the formula Witness is in O(| β + γ)2 ∗ |S|) and for what
concerns the size of the formula Conf it is in O(( β + γ) ∗ ( β ∗ |S| + (γ ∗
|S|)2 )). Hence these two formulae can be built in polynomial time in
the size of S.
Thus, as a final result, we obtain that, we can construct a Presburger
formula in logarithmic space which characterizes the vectors that can
be used to represent runs in a flat counter system. This result allows
us to quantify over all runs of a flat counter system starting from
a specific configuration. The ability to do this lends a useful hand
in encoding the model-checking problem in PA without exponential
blowup.
7.3.4 Encoding CTL∗ Formulae Using PA
We can encode path schemas and runs using vectors and check their
validity using Presburger arithmetic formula, our next aim is to encode a given CTL∗ formula using a formula in PA. The forthcoming
encoding internalizes CTL∗ semantics and a similar idea has been
already used in [DFGvD10]. For each CTL∗ formula φ, we build a
PA formula Checkφ (Zt , Z p , Zit , X0 , y) where the variables Zt , Z p , Zit and
X0 represent a run as in the formula Run and, y represents a position
such that the formula checks whether the CTL∗ formula is satisfied at
the current position. Formula Checkφ is defined recursively (Boolean
clauses are omitted):
Checkp
def
= ∃ X (Conf (Zt , Z p , Zit , X0 , y, X) ∧
def
Checkψ(x1 ,...,xn ) = ∃ X (Conf (Zt , Z p , Zit , X0
W
x1 = j)
{ j∈ Q | p ∈ l( j)}
, y, X) ∧ ψ(x2 , . . . , xn+1 ))
def
CheckXφ
= ∃ y0 (y0 = y + 1 ∧ Checkφ (Zt , Z p , Zit , X0 , y0 ))
CheckφUφ0
= ∃ y00 (y ≤ y00 ∧ Checkφ0 (Zt , Z p , Zit , X0 , y00 )∧
def
∀ y0 (y ≤ y0 < y00 ⇒ Checkφ (Zt , Z p , Zit , X0 , y0 )))
CheckEφ
def
= ∃ Z0t ∃ Z0p ∃ Zit0 ∃ X (Conf (Zt , Z p , Zit , X0 , y, X)∧
Run(Z0t , Z0p , Zit0 , X)∧
∃ y0 (y0 = 0 ∧ Checkφ (Z0t , Z0p , Zit0 , X, y0 )))
Now, we can state the main property concerning the formulae Checkφ
based on Lemmas 31, 32 and 34.
147
148
ctl ∗ and related branching-time temporal logics
Lemma 35. Let c0 ∈ Nn+1 , i ∈ N and vt , v p , vit ∈ NK be such that
vt , v p , vit , c0 |= Run. We have ρ( Pvt ,v p , mvit , c0 ), i |= φ iff vt , v p , vit , c0 , i |=
Checkφ (Zt , Z p , Zit , X0 , y).
Proof. We will prove the lemma using induction on the size of the
formula. Let c0 ∈ Nn+1 and i ∈ N and vt , v p , vit ∈ NK be such
that vt , v p , vit , c0 |= Run. Thus, from Lemma 34, we can conclude that,
ρ( Pvt ,v p , mvit , c0 ) is a run in S. We will show that for any i, ρ( Pvt ,v p , mvit ,
c0 ), i |= φ iff vt , v p , vit , c0 , i |= Checkφ (Zt , Z p , Zit , X0 , y).
• Base case 1: φ = p. By definition, Checkp (Zt , Z p , Zit , X0 , y) = ∃X.
Conf (Zt , Z p , Zit , X0 , y, X) ∧ ∨{ j|p∈l( j)} x1 = j. Let us assume that
for some i, ρ( Pvt ,v p , mvit , c0 ), i |= p. Then p ∈ l(ci [1]) with ci =
ρ( Pvt ,v p , mvit , c0 )[i ]. From Lemma 34 we know that vt , v p , vit , c0 , i,
ci |= Conf and ci [1] ∈ { j | p ∈ l( j)}. Thus, vt , v p , vit , c0 , i |=
Checkp .
On the other hand, let us assume that vt , v p , vit , c0 , i |= Checkp for
some i. Thus, there exists a configuration ci such that vt , v p , vit , c0 ,
i, ci |= Conf and ci [1] ∈ { j | p ∈ l( j)}. In that case by Lemma 34,
ci = ρ( Pvt ,v p , mvit , c0 )[i ] and p ∈ l(ci [1]). Hence, ρ( Pvt ,v p , mvit , c0 ), i
|= p.
• Base case 2: φ = ψ(x1 , . . . , xn ). By definition, Checkψ(x1 ,...,xn ) (Zt , Z p ,
Zit , X0 , y) = ∃X.Conf (Zt , Z p , Zit , X0 , y, X) ∧ ψ(x2 , . . . , xn+1 ). Let us
assume that for some i, ρ( Pvt ,v p , mvit , c0 ), i |= ψ(x1 , . . . , xn ). Then
(ci [2], . . . ci [n + 1] |= ψ(x1 , . . . , xn ) with ci = ρ( Pvt ,v p , mvit , c0 )[i ].
From Lemma 34 we know that vt , v p , vit , c0 , i, ci |= Conf and
ψ(ci [2], . . . , ci [n + 1]) is true. Thus, vt , v p , vit , c0 , i |= Checkψ(x1 ,...,xn ) .
On the other hand, let vt , v p , vit , c0 , i |= Checkψ(x1 ,...,xn ) for some i.
Thus, there exists a configuration ci such that vt , v p , vit , c0 , i, ci |=
Conf and ψ(ci [2], . . . , ci [n + 1]). In that case by Lemma 34, ci =
ρ( Pvt ,v p , mvit , c0 )[i ] and ci [2], . . . , ci [n + 1] |= ψ(x1 , . . . , xn ). Hence,
ρ( Pvt ,v p , mvit , c0 ), i |= ψ(x1 , . . . , xn ).
• Induction step: Let us assume that for some i and k, we have
ρ( Pvt ,v p , mvit , c0 ), i |= φ iff vt , v p , vit , c0 , i |= Checkφ (Zt , Z p , Zit , X0 , y)
for all j ≤ k and |φ| = j. We will prove the same for the case
when |φ| = k + 1.
– Xφ: First we assume that ρ( Pvt ,v p , mvit , c0 ), i |= Xφ for some
i. By satisfaction relation, we have that ρ( Pvt ,v p , mvit , c0 ), i +
1 |= φ. Since, for both |φ| < k, by induction hypothesis,
vt , v p , vit , c0 , i + 1 |= Checkφ (Zt , Z p , Zit , X0 , y). We can hence
deduce that vt , v p , vit , c0 , i |= CheckXφ (Zt , Z p , Zit , X0 , y).
On the other hand, vt , v p , vit , c0 , i |= CheckXφ (Zt , Z p , Zit , X0 , y)
for some i. By definition of CheckXφ , we have that vt , v p , vit , c0 ,
i + 1 |= CheckXφ (Zt , Z p , Zit , X0 , y). By induction hypothesis,
ρ( Pvt ,v p , mvit , c0 ), i + 1 |= φ. From the satisfaction relation
we get that, ρ( Pvt ,v p , mvit , c0 ), i |= Xφ.
7.3 upper bound
– φUφ0 : First we assume that ρ( Pvt ,v p , mvit , c0 ), i |= φUφ0 for
some i. By satisfaction relation, there exists j ≥ i such that
ρ( Pvt ,v p , mvit , c0 ), j |= φ0 and for all i ≤ l < j, ρ( Pvt ,v p , mvit , c0 ),
l |= φ. Since, for both |φ|, |φ0 | < k, by induction hypothesis,
vt , v p , vit , c0 , j |= Checkφ0 (Zt , Z p , Zit , X0 , y) and for all i ≤ l <
j, vt , v p , vit , c0 , l |= Checkφ (Zt , Z p , Zit , X0 , y). We can hence
deduce that vt , v p , vit , c0 , i |= CheckφUφ0 (Zt , Z p , Zit , X0 , y).
On the other hand, vt , v p , vit , c0 , i |= CheckφUφ0 (Zt , Z p , Zit , X0 , y)
for some i. By definition of CheckφUφ0 , we have that there exists i ≤ j such that vt , v p , vit , c0 , j |= Checkφ0 (Zt , Z p , Zit , X0 , y)
and for all i ≤ j < j, vt , v p , vit , c0 , l |= Checkφ (Zt , Z p , Zit , X0 , y).
By induction hypothesis, ρ( Pvt ,v p , mvit , c0 ), j |= φ0 and for
all i ≤ l < j, ρ( Pvt ,v p , mvit , c0 ), l |= φ. From the satisfaction
relation we get that, ρ( Pvt ,v p , mvit , c0 ), i |= φUφ0 .
– Eφ: Let us assume that ρ( Pvt ,v p , mvit , c0 ), i |= Eφ for some i.
By definition of the satisfaction relation there exists a run
ρ0 such that ρ0 [0] = ρ( Pvt ,v p , mvit , c0 )[i ] = ci and ρ0 , 0 |= φ.
By Lemma 31, we know that there exists an iterated path
schema h P, mi such that trans(ρ0 ) = trans(h P, mi). From
Lemma 32, we get that there exists vectors v0t , v0p , vit0 such
that trans(ρ0 ) = trans(h Pv0t ,v0p , mvit0 i) and ρ0 can be represented as ρ0 ( Pv0t ,v0p , mvit0 , ci ). Thus, ρ0 ( Pv0t ,v0p , mvit0 , ci ), 0 |= φ.
Since, φ ≤ k, by induction hypothesis, v0t , v0p , vit0 , ci , 0 |= y =
0 ∧ Checkφ (Zt , Z p , Zit , X0 , y). Moreover, since ρ0 ( Pv0t ,v0p , mv0 0 , ci )
it
is a run, v0t , v0p , vit0 , ci |= Run. Hence, we have that, vt , v p , vit ,
c0 , i |= CheckEφ (Zt , Z p , Zit , X0 , y)
We assume that vt , v p , vit , c0 , i |= CheckEφ (Zt , Z p , Zit , X0 , y).
Thus, by definition of CheckEφ , there exist v0t , v0p , vit0 such
that ρ( Pv0t ,v0p , mvit0 , ci ) is a run and v0t , v0p , vit0 , ci , 0 |= Checkφ
where ci = ρ( Pvt ,v p , mvit , c0 )[i ]. Again, by induction hypothesis, ρ( Pv0t ,v0p , mv0 0 , ci ), 0 |= φ. Since, there exists a run ρ( Pv0t ,v0p
it
, mv0 0 , ci ) from ci satisfying φ, by definition of the satisfacit
tion relation, ρ0 ( Pvt ,v p , mvit , c0 ), i |= Eφ.
– The other cases with Boolean connectives can be proved in
a similar manner.
Given these results, we can now construct a Presburger formula
pertaining to our original aim of encoding the model-checking problem MC(CTL∗ , FlatCS). Given a flat counter system S, a configuration
c0 and a formula φ in CTL∗ , we construct the following Presburger
arithmetic formula ψ as
ψ = ∃Zt ∃Z p ∃Zit ∃X0 (X0 = c0 ∧Run(Zt , Z p , Zit , X0 )
∧Checkφ (Zt , Z p , Zit , X0 , 0))
149
ctl ∗ and related branching-time temporal logics
150
It is easy to see that ψ is satisfiable iff there exists vt , v p , vit such that
vt , v p , vit , c0 , 0 |= Checkφ (Zt , Z p , Zit , X0 , y) and vt , v p , vit , c0 |= Run(Zt , Z p ,
Zit , X0 ). By Lemma 35, that is the case iff ρ( Pvt ,v p , mvit , c0 ), 0 |= φ. By
Lemma 34, ρ( Pvt ,v p , mvit , c0 ) is a run in S and hence by definition
S, c0 |= φ. This allows us to conclude the main result of this section.
Theorem 32. There is a logarithmic-space reduction from MC(CTL∗ , FlatCS)
to the satisfiability problem for PA.
It is possible to extend the reduction by admitting linear past-time
operators to the temporal language since we have seen that we can
easily quantify over runs. One can easily check that it is possible to
encode the past-time operators as following,
def
CheckX−1 φ = y > 0 ∧ ∃ y0 (y = y0 + 1 ∧ Checkφ (Zt , Z p , Zit , X0 , y0 ))
CheckφSφ0
def
= ∃ y00 (y00 ≤ y ∧ Checkφ0 (Zt , Z p , Zit , X0 , y00 )∧
∀ y0 (y00 < y0 ≤ y ⇒ Checkφ (Zt , Z p , Zit , X0 , y0 )))
However, in this case, since we deal with past time operators, finite
prefixes in runs should not be reset while encoding the formula Eφ.
More formally, the encoding of the formula ∃φ should be like the
following
def
CheckEφ = ∃ Z0t ∃ Z0p ∃ Zit0 ∃ X (∀y0 (0 ≤ y0 ≤ y ⇒
∀X0 (Conf (Zt , Z p , Zit , X0 , y0 , X0 ) ⇒ Conf (Z0t , Z0p , Zit0 , X, y0 , X0 )))∧
∃y0 (y0 = 0 ∧ Checkφ (Z0t , Z0p , Zit0 , X, y0 )))
Equipped with Theorem 32 and Theorem 31 and the fact that formulas in CTLEF is a subclass of formulas in CTL∗ , we can conclude
that the model-checking problem for all branching-time logics which
are subclasses of CTL∗ over flat counter systems is equivalent to the
satisfiability problem of Presburger arithmetic and hence have the
same complexity bounds.
7.4
global model-checking
Recall that by definition, the global model-checking problem for CTL∗
(GMC(CTL∗ ,FlatCS)), asks for a Presburger formula whose solutions
are exactly the initial value of counters such that there exists a run
from the configuration satisfying the CTL∗ specification. It is quite
easy to construct the Presburger formula for the global model-checking
problem with CTL∗ as the model-checking problem itself is encoded
by a Presburger formula. In the previous section, we saw that given
a flat counter system S, a configuration c0 and a formula A in CTL∗ ,
we construct the following Presburger arithmetic formula φ as
φ = ∃Zt ∃Z p ∃Zit ∃X0 (X0 = c0 ∧Run(Zt , Z p , Zit , X0 )
∧Check A (Zt , Z p , Zit , X0 , 0))
7.5 summary
For the global model-checking problem, given a flat counter system
S, a control state q a and a formula A in CTL∗ , we construct the Presburger formula φ(z1 , . . . , zn ) as
φ(z1 , . . . , zn ) = ∃Zt ∃Z p ∃Zit ∃X0 (x10 = a
n
V
x0i = zi ∧ Run(Zt , Z p , Zit , X0 )
i =1
∧Check A (Zt , Z p , Zit , X0 , 0))
Following the proves in the previous section, it is easy to see that
φ(z1 , . . . , zn ) has the solution v iff there exists a run ρ in S and starting
from hq a , vi such that ρ, 0 |= A.
7.5
summary
In this chapter we showed the equivalence of model-checking of branching time logics over flat counter systems with the satisfiability problem of Presburger arithmetic. For the lower bound we show that
the satisfiability problem for Presburger arithmetic can be encoded
into a model-checking problem where both the logical fragment and
the subclass of counter systems considered can be very weak (Theorem 31). The encoding proceeds by using loops incrementing particular counter of the system to enumerate the values of the variables
and quantifiers encoded by the branching operator of the logical fragment. On the other hand, we show that the model-checking problem
involving CTL∗ formulas and flat counter systems can be encoded
by a Presburger arithmetic formula (Theorem 32). For this, we use
the fact that every run in a given system can be represented using
fixed size vectors of natural numbers. Also, we construct formulas to
characterize vectors which represent runs of the flat counter system
(Lemma 34). At last, we encode the semantics of CTL∗ formula using Presburger arithmetic formula over runs represented by vectors
of natural numbers (Lemma 35). Combining all these we get a polynomial size Presburger arithmetic formula which is satisfiable iff the
flat counter system satisfies the CTL∗ formula. Combining the two,
we get that for any logical specification language which is a subclass
of CTL∗ and equal or more expressive than CTLEF (like CTL), the
model-checking problem over flat counter systems is equivalent to
the satisfibility of Presburger arithmetic.
151
8
ALGORITHMS FOR MODEL-CHECKING
Till now the algorithms in the thesis are developed with the aim
of obtaining the optimal complexity bound for the model-checking
problem. Pertaining to the aim, our algorithms for most of the linear specification languages lie between non-deterministic polynomial
time to non-deterministic polynomial space. Even though the algorithms provide us with the optimal complexity bounds, they are not
very suitable for implementation as it is. The main cause being, that
the algorithms are inherently non-deterministic. Resolving the nondeterministic guesses in a naive way amounts to enumerate all choices
and repeat the procedure for all choices. As noted in the algorithms,
for every guess, there could be exponentially many choices. Moreover,
most of the algorithms use guesses depending on a previous guess.
This increases the number of possible choices to an exponential with
the exponential being polynomial in the number of guesses in the
algorithm. Of course, this is not the best way to implement these algorithms. As an example, one way to obtain a better implementation
is to utilise SMT solvers to resolve the non-deterministic guesses. SMT
solvers are known to be very efficient in resolving non-deterministic
guesses for a specific fragment of the cases. Our aim is to utilise a
combination of SMT solvers as well as the techniques developed here
to obtain an algorithm which is optimal in terms of both implementation and complexity bounds. To this end, in this chapter, we present
various different approaches that we have tested to obtain algorithms
which have less running time or memory usage and uses the same
principles as used by the previous algorithms. We show these different approaches on the model-checking algorithm for LTL with past
over flat counter systems. The choice of LTL with past for implementing is driven by the fact that the complexity of model-checking problem for Past LTL is the least among all the specification languages
we considered. Moreover, as evident from the model-checking procedures of various specification languages, a large part of the procedure can be reused for implementing the model-checking procedure
for the remaining specification languages.
We consider three following approaches.
1. A straightforward encoding of the problem in quantified Presburger formula and using SMT solver to find a solution.
2. Enumerate all possible “unfoldings” of loops of all possible
path schemas and check the LTL formula for each of the path
schemas. Here we use the SMT solvers to only solve the quantifier-
153
154
algorithms for model-checking
free Presburger formula obtained for each of the path schema
and unfolding.
3. Enumerating all the choices sequentially and the LTL formula
is checked over an ultimately periodic path.
In this chapter we will first recall the previous algorithm presented
in Chapter 4 and show the problems faced while implementing such
algorithm. Then we will show a way to enumerate only useful path
schemas using SMT solvers and use under-approximation techniques
to extract path schemas from non-flat counter systems. In the subsequent sections we show in details all the three approaches and their
advantages or drawbacks.
8.1
challenges with previous algorithm
Let us recall first the NP algorithm presented in Chapter 4, for the
model-checking problem of LTL with past over flat counter systems.
Recall, that the algorithm presented a PTime solution to the membership problem with PLTL. We then employed Theorem 7 to obtain the
NP algorithm for the model-checking problem. Here we present the
full algorithm for model-checking problem of PLTL over flat counter
systems.
Algorithm 4 : MC(φ, S, c)
1:
2:
3:
4:
Guess a constrained path schema cps = h p1 l1+ · · · pk lkω , ψ(z1 , · · · , zk−1 )i from YP .
Guess a vector y ∈ [1, f PLTL (cps, φ)]k−1 .
Check that y |= ψ(z1 , · · · , zk−1 ).
Let y0 [i ] = Min(y, 2 · td(φ) + 5) for all i ∈ [1, k − 1].
y0 [ 1 ]
5: Check that p1 l1 · · · pk lkω , 0 |= φ.
6: Return True iff both checks return true.
Let us first recall how each part of the algorithm is obtained. Consider any instance of MC(PLTL, FlatCS) with φ ∈ PLTL, S ∈ FlatCS
and c a configuration of S. Algorithm 4 should return true iff S, c |= φ.
By definition of the satisfaction relation, we know that S, c |= φ iff
there exists a run ρ starting from c such that ρ, 0 |= φ. By Theorem 7 (Chapter 3), we know that there exists a constrained path
schema cps of S such that there exists w ∈ L(cps) and ρ |= w. Without loss of generality, let us assume that the guessed path schema
in Step 1 is cps. Again by satisfaction relation over constrained alphabet, we get that, w ∈ L(cps), ρ |= w and ρ, 0 |= φ iff w ∈
L(cps) ∩ L(φ). By the definition of exponentially bounded limiting
loops map of PLTL(Theorem 9, Chapter 4), we know that there exists
a word w ∈ L(cps) ∩ L(φ) iff there exists a word w0 = p1 l1n1 · · · pk lkω
with ni ≤ f PLTL (cps, φ) for all i ∈ [1, k − 1]. Without loss of generality,
we can assume that the guessed vector y in Step 2, has the property
that y[i ] = ni for every i ∈ [1, k − 1]. We know that w0 ∈ L(cps) iff
8.2 enumerating path schemas
y |= ψ and hence the check on Step 3 returns true. By Theorem 8,
w0 ∈ L(φ) iff the check on Step 5 returns true. Thus, ρ, 0 |= φ iff
Algorithm 4 returns true.
8.1.1 Implementation Challenges
Algorithm 4 is in NP. Since, the problem itself is NP-hard by Lemma 19
(Chapter 4), we cannot hope to do any better in terms of complexity.
Note that the presented algorithm makes multiple guesses of polynomial size at two places. Following are the places where we use
non-determinism in the algorithm:
• Selecting a constrained path schema.
• Selecting a solution for the number of times each loop is taken.
A naive implementation of Algorithm 4 (enumerating all possible
choices for each guess) will result in taking exponential time bounded
size(S)+size(φ)
× td(φ)size(S) . This is due to the fact that there
by 2size(S)
could be exponentially many constrained path schemas for a flat
counter system (Theorem 1, Chapter 2). Again for each constrained
path schema f PLTL is bounded by an exponential of size(S). Obviously
this implementation would be very inefficient. In particular, since Algorithm 4 runs in time polynomial in size(S) × size(φ) with guesses
of size at most size(S) + size(φ), one should be able to enumerate all
choices in time 2size(S)+size(φ) . Moreover, we can use SMT solvers to
resolve the guesses much faster for many cases. We will in fact improve the naive algorithm in these lines and present three different
approaches in the following sections.
8.2
enumerating path schemas
In any of the algorithms first we need a way to enumerate path
schemas of the given counter system. Even in Algorithm 4, a constrained path schema is easier to be obtained from a path schema as
outlines in Chapter 3. In practice, the number of path schemas could
be exponential in the size of S. Among the exponentially many path
schemas, there could be many path schemas such that there are no
runs which respect them. To weed out these path schemas we employ SMT solvers. For the rest of this section, we will describe the
procedure to weed out “unnecessary” path schemas of a flat counter
system. Note that our aim is to remove, with certainty, as many path
schemas as possible without performing too many computations.
Consider a given path schema P = p1 l1+ p2 l2+ · · · pk lkω where each
pi ∈ ∆+ and li ∈ ∆+ with ∆ being the set of transitions of a flat
counter system S. To check that there exists at least one run ρ respecting P, we intend to check that a Presburger formula encoding
155
156
algorithms for model-checking
the fact that all the guards are satisfied while applying the updates
faithfully, is satisfiable. For this, we generate the Presburger formula
Φ exactly as in Chapter 3, Section 3.2.1. As before, Φ is considered
as the conjunction of the Presburger formulas Φ1 to Φ4 and gives us
a quantifier-free Presburger formula with k − 1 free variables. Recall
that in Section 3.2.1, the property proved about the constructed Presburger formula Φ is that the solutions of Φ characterises exactly the
number of times a run takes each loop in P, where P does not contain
any disjunction in the guards. Since, P in the present case, consists of
transitions from a flat counter system S, the guards on the transitions
consists of disjunction. Hence, we cannot have same relation for solutions of Φ and runs respecting P. Here, we obtain something less
strong and formally stated as the following lemma.
Lemma 36. Given a path schema P from a flat counter system S and the
corresponding constructed Presburger formula Φ (Section 3.2.1), if there
exists a run respecting P, then Φ is satisfiable.
Proof. Assume that there exists a run ρ of S respecting P = p1 l1+ · · · lk+−1
pk lkω . Thus, there exists y = iterP (trans(ρ)). Since ρ respects P, each
loop of P is visited at least once. Thus, Φ1 is satisfied by y. Since ρ is
a run of S, the counter values never reach a non-negative value hence
the formulas in Φ2 is also satisfied by y. Similarly, for being a run of S,
ρ also satisfies all the guards appearing on the transitions of P. Thus,
the formulas in Φ3 and Φ4 is also satisfied by y. Since Φ is formed by
a Boolean combination of all the formulas from Φ1 to Φ4 , Φ is also
satisfied by y. Hence we have that, if there exists a run respecting P,
then Φ is satisfiable.
Note that because of disjunction in guards in P, we do not have the
other direction of implication, i. e. if Φ is satisfiable then there might
not exist a run respecting P. Since we allow disjunction in guards, we
cannot use the convexity property of individual guards to ensure the
satisfaction of the guards within a loop for every iteration using only
constant number of formulas and hence satisfiability of Φ does not
necessarily gives us existence of a run. We denote a path schema as
useful path schema when the corresponding formula Φ is satisfiable.
In the algorithms appearing in this chapter, we only deal with useful path schemas enumerated from the given system. We can use
a procedure similar to [BDD13] to enumerate path schemas for not
only flat counter systems but also general counter system. A clever
way would be to enumerate path schemas according to the procedure
in [BDD13] and at the same time discard the path schemas that have
unsatisfiable Presburger formulas. This helps us in selecting only useful path schemas to do the rest of the model-checking. Note that the
procedure is not complete. Even though for a flat counter system, it
would eventually enumerate all path schemas, but for general counter
systems, it might not terminate execution. Moreover, a path schema
8.3 first approach
enumerated by the procedure might not admit any run, but a path
schema discarded by the procedure will surely not admit any run.
8.3
first approach
This approach is more similar to the way we handled branching time
logics in Chapter 7. It involves translating the whole model-checking
problem into a quantified Presburger formula and try to solve it using
SMT solvers. Before we describe the algorithm, we will show, in short,
how we encode the runs in a path schema and the satisfiability of a
PLTL formula using quantified Presburger formula.
8.3.1 Encoding Runs Using Quantifiers
Recall that in Section 3.2.1, we constructed a quantifier-free Presburger arithmetic formula to characterise exactly the number of times
the loops of a path schema (without disjunction) can be taken by a
run. The fact that the guards are monotonic in nature and does not
contain disjunction allows us to check the satisfiability of the guards,
for every iteration, easily without using quantifiers. This however is
not true if the guards contain disjunction. For example, consider the
x1 <1∨x1 >3,(1)
transition q −−−−−−−→ q with one counter x1 . Notice that, following only the update, the guard on the self loop is satisfied the first
time and 4th time but not in between. Hence, by construction of Section 3.2.1, we will obtain that a run can take the self loop four or
more times, while respecting the guards, the self loop can be taken
only once. We will adapt the construction from Section 3.2.1 here,
but for characterizing the number of times loops can be taken by
a run in a path schema with disjunction. Consider a path schema
P = p1 l1+ p2 l2+ · · · pk lkω where each pi ∈ ∆+ and li ∈ ∆+ with ∆ being
the set of transitions of a flat counter system S. We construct Φ as the
conjunction of the following Presburger formula.
Φ1 : Each loop is visited at least once:
y1 ≥ 1 ∧ · · · ∧ yk−1 ≥ 1
Φ2 : Counter values are non-negative. We consider the conjunction of
the following constraints.
• For each segment p (loop or non-loop segment) and each
β ∈ [1, len( p)], the value of counter i just before entering
for the first time in the transition after the βth transition of
p is non-negative:
effect< ( p)[i ] + effect( p[1] · · · p[ β])[i ] ≥ 0
The segment p can be either a loop or a non-loop segment.
157
158
algorithms for model-checking
• For each α ∈ [1, k − 1] and each β ∈ [1, len(lα )], the value of
counter i before entering every time in the transition after
the βth transition of lα is non-negative:
∀zα .1 ≤ zα < yα ⇒ (effect< (lα )[i ]+
effect(lα )[i ](zα − 1)+
effect(lα [1] · · · lα [ β])[i ] ≥ 0)
Φ 3 : Counter values should satisfy the guards the first time when a
transition is visited. For each segment p in P, each β ∈ [ 1, len ( p )]
and each atomic guard ∑ i a i x i ∼ b occurring in guard ( p [ β ]) ,
we add the atomic constraint:
∑ a i ( effect < ( p )[ i ] + effect ( p [ 1 ] · · · p [ β ])[ i ]) ∼ b
i
Φ 4 : Counter values should satisfy the guards every time a transition is visited in a loop. For each α ∈ [ 1, k − 1 ] , each β ∈
[ 1, len ( l α )] and for each atomic guard ∑ i a i x i ∼ b occurring
in guard ( l α [ β ]) , we add the atomic constraint:
∀ z α .1 ≤ z α < y α ⇒ ∑ i a i ( effect < ( l α )[ i ] + effect ( l α )[ i ] z α
+ effect ( l α [ 1 ] · · · l α [ β ])[ i ]) ∼ b
Note that the solutions of the final Presburger formula Φ are the
number of times each loop from P can be taken by a run ρ of a
flat counter system. A property similar to Lemma 5 (Section 3.2.1)
can be proved for the quantified Presburger formula Φ constructed
here. Note that the constructed formula Φ contains quantifiers and
quantified variables. This causes Φ to fall outside the quantifier-free
fragment of Presburger arithmetic which results in higher complexity
procedure for checking satisfiability.
Lemma 37. Let S = h Q, C n , ∆, l i be a flat counter system, P = p 1 l 1+ p 2 l 2+
. . . p k l kω be one of its valid path schemas and c 0 be a configuration. One can
compute a Presburger formula Φ such that
• the set of solutions of Φ is equal to iter P ( c 0 ) ,
• Φ has k − 1 variables,
• Φ has at most len ( P ) × 2 × size ( P ) 2 conjuncts,
• the greatest absolute value from constants in Φ is bounded by 2n ×
K ( K + 2 ) × ( len ( P ) + 1 ) where K is the maximum absolute value
of constants appearing in P and v0 .
The proof of the Lemma 37 can be easily seen as an adaptation of
the proof of Lemma 5.
8.3 first approach
8.3.2 Encoding PLTL Using Presburger Formula
To encode a PLTL formula using a quantified Presburger formula, we
can employ a translation similar to the one presented in Chapter 7.
Note that PLTL is a subclass of CTL ∗ with past and also that instead
of using four vectors to represent an iterated path schema, here we
have the pair h P, y i to give us the iterated path schema. Observing
these two facts, it is easy to see that the construction of Check φ for a
formula φ in PLTL is straightforward. Thus, given an initial configuration c and a path schema P = p 1 l 1+ p 2 l 2+ . . . p k l kω , we can construct
Check φ over the free variables y 1 , y 2 , · · · , y k − 1 such that the following property is satisfied.
Lemma 38. Given a PLTL formula φ, a path schema P and an initial configuration c, we can construct a quantified Presburger formula Checkφ (y1 , y2 ,
· · · , yk−1 ) of polynomial size such that for any vector y ∈ Nk−1 , y |=
Checkφ iff there exists a run ρ starting from c such that ρ, 0 |= φ where
iterP (trans(ρ)) = y.
Note that the property is similar to the one proved in the translation of CTL∗ formula and the proof follows the same lines. Given
these two lemmas, the model-checking algorithm can be given as in
Algorithm 5. Intuitively, the algorithm tries to enumerate all possiAlgorithm 5 : MC(φ, S, c)
1:
2:
3:
4:
5:
6:
7:
8:
for every useful path schema P of S starting from c do
Construct a quantified formula Φ(y1 , · · · , yk−1 ) characterizing
the number of times loops are taken in runs respecting P and
starting from c.
Construct the quantified formula ψ0 (y1 , · · · , yk−1 ) encoding
the satisfiability of PLTL formula φ.
if SMT(Φ ∧ ψ0 ) returns satisfiable then
Return True.
end if
end for
Return False.
ble combination of number of times, the loops of a path schema can
be taken and checks whether any of those combinations satisfy the
formula or not. The correctness of the algorithm is obtained by the
following Lemma.
Lemma 39. Algorithm 5 returns true iff Algorithm 4 with input φ, S, c
returns true.
Proof. First let us assume that Algorithm 5 returns true. Thus, for
some path schema P of S, the “if” condition is satisfied. Note that “if”
condition is satisfied iff (Φ ∧ ψ0 ) is satisfied. This is the case iff there
159
160
algorithms for model-checking
exists a run ρ respecting P (satisfaction of Φ and Lemma 37) such
that ρ, 0 |= φ (satisfaction of ψ0 and Lemma 38). By construction of Φ
and Lemma 37, we know that ρ is a run of S starting from c. Thus,
S, c |= φ and so Algorithm 4 with input φ, S, c returns true.
Now suppose that Algorithm 4 with input φ, S, c returns true. Thus,
there exists a run ρ in S starting with c and ρ, 0 |= φ. By Theorem 1
(Section 2.1.1.1), there exists a path schema P such that ρ respects P.
By Lemma 37, in this case Φ is satisfied. Since ρ, 0 |= φ, by Lemma 38,
ψ0 is also satisfied. Hence, there exists a useful path schema P of S,
such that the “if” condition (Φ ∧ ψ0 ) is satisfied. Hence, Algorithm 5
returns true.
The advantage of the method is that it only relies on tools for
solving Presburger arithmetic and consists of only constructing the
appropriate Presburger formula. On the other hand it heavily uses
quantified formulas which has much higher theoretical complexity.
8.4
second approach
Another approach which is closer to Algorithm 4 is to enumerate all
possible unfoldings of loops in a path schema and then check whether
an unfolding is indeed a “valid” unfolding of the loops. In effect,
these unfoldings actually give rise to one constrained path schema
each. By the constructions of constrained path schema from path
schema from Section 3.2.3, we can actually get a set of constrained
path schemas YP obtained from unfolding the loops of P. Intuitively,
Algorithm 6 : MC(φ, S, c)
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
for every useful path schema P of S starting from c do
for every constrained path schema cps = h p1 l1+ · · · pk lkω ,
ψ(z1 , · · · , zk−1 )i in YP do
for every y ∈ [1, f PLTL (φ, cps)]k−1 such that y |= ψ do
y[1]
y[ k −1]
Let w = p1 l1 · · · lk−1 pk lkω .
Consider a run with ρ[0] = c and ρ |= w
if ρ, 0 |= φ then
Return True.
end if
end for
end for
end for
Return False.
the algorithm tries to enumerate all possible combination of number
of times the loops of a path schema can be taken and checks whether
any of those satisfy the formula or not. Note that in case of a constrained path schema. The correctness of the algorithm is obtained by
the following Lemma.
8.5 third approach
Lemma 40. Algorithm 6 returns true iff Algorithm 4 with input φ, S, c
returns true.
Proof. First let us assume that Algorithm 6 returns true. Thus, for
some constrained path schema cps of S and some vector y ∈ [1, f PLTL (
cps, φ)]k , the “if” condition is satisfied. Note that “if” condition is
satisfied iff there exists a run ρ such that ρ, 0 |= φ and ρ |= w ∈
L(cps). By Theorem 5 (Section 3.2.3), we know that ρ is a run of S
starting from c. Thus, S, c |= φ and so Algorithm 4 with input φ, S, c
returns true.
Now suppose that Algorithm 4 with input φ, S, c returns true.
Thus, there exists a run ρ in S starting with c and ρ, 0 |= φ. By
Theorem 5 (Section 3.2.3), there exists a constrained path schema
cps such that ρ |= w and w ∈ L(cps). By the mappings provided
in Section 3.2.3, and Theorem 4, we know that there exists a path
schema P such that cps can be obtained from an extended path
schema P0 ∈ YP . Hence, ρ respects P. By Lemma 36, P is a useful
path schema. Let y = itercps (w). By Theorem 8, we know that, either
y ∈ [1, f PLTL (cps, φ)]k−1 or we can get y0 ∈ [1, f PLTL (cps, φ)]k−1 such
that there exists a word w0 with y0 = itercps (w0 ) and ρ |= w0 . Thus,
there exists a useful path schema P of S, a constrained path schema
cps and a vector y ∈ [1, f PLTL (cps, φ)]k−1 such that the “if” condition
is satisfied. Hence, Algorithm 6 returns true.
The advantages of the method is that the formulas and objects constructed while executing the algorithm are expected to be smaller in
size due to various decomposition. But the drawback of the procedure
is that it tries to go through all possible combination of unfoldings for
each loop, which might be exponential.
8.5
third approach
Another way is to enumerate all the possible times we can take each
loop in a path schema of the counter system. Note that the path
schemas considered in this approach are path schemas from counter
systems and not constrained path schemas that we have been using
till now. This is a type of brute force attempt to unfold each loop in
the path schema upto a maximum number of times that could be possibly necessary. Note that, for this reason, we have the exact number
of times each loop is taken and hence no need to build constrained
path schemas. This is what we will do here. Before that we will define a map f PLTL , the exponentially bounding map as previous but for
path schemas, instead of constrained path schemas.
Lemma 41. Given a flat counter system S a configuration c of S and a PLTL
formula φ, there exists a run ρ starting from c in S with ρ, 0 |= φ iff there
exists a finite run ρ0 starting from c which takes each loop of S at most, N
times for some N at most exponential in size(S) + size(φ) and ρ0 , 0 |= φ.
161
162
algorithms for model-checking
Proof. We will in fact prove that N can be obtained from f PLTL (cps, φ).
Note that by construction given in Section 3.2.3 and Section 3.2.2, we
get an exponential set of constrained path schemas YP corresponding to a path schema P. Moreover, by the property of any cps ∈ YP ,
we know that size(cps) is polynomial in the size of P and the maximum absolute value of any constant appearing in cps is polynomial in size( P) times the maximum absolute value of any constant
appearing in P. Together with the property of f PLTL we obtain that
f PLTL ( P, φ) = max({ f PLTL (cps, φ) | cps ∈ YP }) × size( P)3 . From Theorem 4 and the maps in Section 3.2.3 from path schema to constrained
path schema, we know that each loop in P can be unfolded in to
at most size( P)3 loops and each run in P follows some cps. Thus,
number of times a loop in P needs to be taken by any run could be
bounded by max({ f PLTL (cps, φ) | cps ∈ YP }) × size( P)3 .
Algorithm 7 : MC(φ, S, c)
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
for every useful path schema P of S starting from c do
Construct Φ characterizing the runs respecting P.
for every y ∈ [1, f PLTL ( P, φ)]k−1 do
y[1]
y[ k −1]
Consider ρ, such that trans(ρ) = p1 l1 · · · lk−1 pk lkω .
if y |= Φ and ρ, 0 |= φ then
Return True.
end if
end for
end for
Return False.
Note that the construction of quantified Presburger arithmetic formula characterizing the runs respecting P is done as explained in
the first approach. Also, given P and y, we can easily check whether
ρ, 0 |= φ using the procedure described in [MS03]. Intuitively, the algorithm tries to enumerate all possible combination of number of times
the loops of a path schema can be taken and checks whether any of
those satisfy the formula or not. The correctness of the algorithm is
obtained by the following Lemma.
Lemma 42. Algorithm 7 returns true iff Algorithm 4 with input φ, S, c
returns true.
Proof. First let us assume that Algorithm 7 returns true. Thus, for
some useful path schema P of S and some vector y ∈ [1, f PLTL (S, φ)]k−1
the “if” condition is satisfied. Note that “if” condition is satisfied iff
there exists a run ρ of S such that ρ, 0 |= φ. Since, ρ respects P, by
construction, ρ starts from c. Thus, S, c |= φ and so Algorithm 4 with
input φ, S, c returns true.
Now suppose that Algorithm 4 with input φ, S, c returns true. Thus,
there exists a run ρ in S starting with c and ρ, 0 |= φ. By Theorem 1
8.6 implementation
(Section 2.1.1.1), there exists a path schema P such that ρ respects
P. By Lemma 36, P is a useful path schema. Let y = iterP (trans(ρ)).
By Lemma 41, we know that, either y ∈ [1, f PLTL (S, φ)]k−1 or we can
get y0 ∈ [1, f PLTL (S, φ)]k−1 such that there exists a run ρ0 with y0 =
iterP (trans(ρ0 )) and ρ0 , 0 |= φ. Thus, there exists a useful path schema
P of S and a vector y ∈ [1, f PLTL (S, φ)]k−1 such that the “if” condition
is satisfied. Hence, Algorithm 7 returns true.
The advantage of the procedure is that it is simple and uses a
straight forward method to obtain the run. But in doing so it goes
through an exponentially big number of possible values.
8.6
implementation
In the previous sections, we presented a few algorithms for PLTL
model-checking tailored from the perspective of implementing the
model-checking algorithms. In this section, we describe the design
and implementation of a prototype implementing the model-checking
procedure for PLTL over flat counter system. As described in the previous sections, we consider a few ways to handle non-determinism
in the algorithm proposed in Chapter 4 for model-checking PLTL.
We also show the results of applying the implementation on various
examples with varying complexity. In the prototype, we implement
the first approach (Algorithm 5) and second approach (Algorithm 6).
The prototype takes as input a flat counter system with marked initial
state and a PLTL formula with counter constraints. The output of the
prototype states whether the PLTL formula is satisfied by the given
flat counter system or not. In some cases (Algorithm 7) it also gives as
output, the run which satisfies the formula. The prototype provides
options to select which algorithm to use, for the model-checking procedure.
The prototype first starts with parsing the input file for the flat
counter system given in the form of a numerical transition system.
The checks whether the given counter system follows the definition
of our counter system (guards, update, counter values, etc.) is done
during parsing. The counter system is stored in a linked structure consisting to separate structures for nodes and edges. Next the counter
system is checked for flatness. After making sure that the provided
counter system is according to our specifications, the prototype proceeds to parse the PLTL formula and check whether it is satisfied or
not. As a first step towards model-checking, it tries to enumerate all
path schemas and check them one by one. The enumeration routine
everytime includes a loop in the path schema and construct a quantified Presburger formula to check whether the path schema admits
any run or not. Checking satisfiability of the bounded quantifier Presburger formula is done using SMT solvers.
163
164
algorithms for model-checking
8.6.1
SMT Solvers
CVC4 is the new version of a line of validity checkers that started
from the “Stanford Validity Checker (SVC)” [BDL96]. SVC incorporated different theories and its own SAT solver. The next version,
called “Cooperating Validity Checker (CVC)” [SBD02] had a more
optimised design, included support for generating proof and used
“Chaff” [MMZ+ 01] as SAT solver. “CVC Lite” [BB04] was the first in
this line to extend the feature set of CVC to include support for quantifiers. Soon after CVC3 [BT07] was released with a major overhaul
of optimised decision procedures. It also added support to use MiniSAT [ES03] as SAT solver due to its better performance in general.
CVC4 [BCD+ 11], though being fundamentally similar to CVC3 in the
fact that it is a DPLL(T) solver with a SAT solver at its core, it is a complete re-evaluation of the core architecture to be more performant. It
is built around three engines: Prop engine, Theory engine and SMT
engine serving the purpose of propositional solver, theory specific
decision procedure and external interface to the solver respectively.
The prototype uses CVC4 [CVC] for all purposes. Use of CVC4 is
mainly evident in the implementation of the first approach. For other
approaches CVC4 usage occurs in the enumeration of path schema.
As pointed out in Algorithm 5, CVC4 is used in the following places:
• Selecting out the path schemas such that there exists at least one
run respecting the path schema.
• Checking whether the formula characterizing the runs and translation of formula is satisfiable or not. This essentially amounts
to solving the model-checking problem.
As Algorithm 6 is also path schema based and involves choosing the
best path schema at first, we also use CVC4 to reject the path schemas
that do not admit any run.
CVC4, like other SMT solvers allow input in two ways: (1) Using
files in SMTLIB format, (2) Using APIs. Using files in SMTLIB format
gives the obvious advantage to change the SMT solvers that is being
used. The drawback with this kind of input is the fact that we need
to start a new instance of CVC4 everytime we want to check the satisfiability of a formula. Running a fresh instance of CVC4 discards all
previously deduced facts and proof structure. In our case, for implementation of Algorithm 5, we need to check satisfiability of formulas
more than once for each subpart of the problem where access to the
previously deduced facts and axioms can lead to faster solutions for
later queries. Due to this reason, we use the C++ API of CVC4 to
interact and query.
Notice that the first approach utilises quantifiers in an essential way.
In general, dealing with quantifiers is problematic for SMT solvers.
8.6 implementation
Acc
s − x1 = 0
s − xn = 0
s − x2 = 0
init
L1
s − x1 6 = 0
L2
s − x2 6 = 0
s − x3 = 0
L3
Ln
s − xn 6= 0
Reject
Figure 14: Search in List
Though there are well-known ways to eliminate quantifiers, the elimination procedure may result in exponentially large formulas which
may be hard to solve. CVC4 implements as an option a “finite model
finding method” [RTG+ 13]. The method essentially tries to cleverly
instantiate the quantified variable and reduce search space. This specific option can be applied only over very few datatypes and is practical when relatively small models exists. Luckily for our case all the
quantified variables are integers and are bounded. This allows us to
take advantage of the option to find satisfiability of the generated
equations.
The model-checking procedure itself is done according to the algorithm chosen by the user using the -algo option. For Algorithm 6
(corresponding to the second approach in Chapter 8), it outputs the
path schema and the number of times each loop is taken to satisfy
the specification. For Algorithm 5, it only shows whether the specification is satisfied or not.
8.6.2 Benchmarks
There are a few examples available for counter systems or numerical transition systems from previous tools like LASH, Fast [Ler03],
Flata [HKG+ 12], etc. But most of the examples are non-flat and
hence not quite useful for the present prototype. Moreover, there
are other incompatibilities among the models used by these tools
and the present tool. For example Flata allows a subroutine based
model where it is possible to invoke another counter system using
a transition. This in turn allows the model to specify recursive behaviours. Fast, on the other hand, uses a simpler systems than allowed by the present work. For these reasons we use a few examples
of our own constructed from some practical applications. These examples include “search in a list”, where we take a list of integers and
search for a given integer in the list. We verify the property that if
the list contains the searched number then eventually it will reach
the state “found”. The counter system associated with the example is
presented in Figure 14. The encoding of the element of the list is done
using counters. For n element list we have n + 1 counters x1 , · · · xn representing list elements and s representing the element to be searched.
165
166
algorithms for model-checking
We compare the given number with the list elements using a simple
guard where the condition states that the subtraction of the given
number and a specific list element is equal to zero. A particularly interesting example is that of the “Producer-Consumer Problem”. We
encode the problem using a flat counter system with parameters. First
encoding is done of a simple solution of the producer-consumer problem without using any concurrent mechanism, as presented in Algorithm 8. As the encoding for the problem turns out to be inherently
Algorithm 8 : Producer-Consumer Problem
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
itemCount=0
procedure Producer
while true do
item = produceItem()
if itemCount == BUFFER_SIZE then
sleep();
end if
putItemIntoBuffer(item);
itemCount = itemCount + 1;
if itemCount == 1 then
wakeup(consumer);
end if
end while
end procedure
procedure Consumer
while true do
if itemCount == 0 then
sleep();
end if
item = removeItemFromBuffer();
itemCount = itemCount - 1;
if itemCount == BUFFER_SIZE-1 then
wakeup(Producer);
end if
consumeItem(item)
end while
end procedure
non-flat, we consider the problem to be parameterised by the number
of context switches allowed between producer and consumer. Let the
number of allowed context-switches between producer and consumer
be n and the size of the buffer m. We encode the problem into a flat
counter system as following:
8.6 implementation
C2
PF1
PSleep < 1
PSleep + +
ic = m
CSleep > 0
ic < m, ic + +
P1
ic > 0
PE1
CF1
init
CSleep − −
PSleep > 0
I1
PSleep − −
ic = m − 1
C1
ic − 0
CE1
CSleep < 1
CSleep + +
ic > 0, ic − −
P2
The nodes P1 and C1 denotes the procedures producer and consumer respectively in the first context-switch. The counter ic keeps
track of the produced item whereas PSleep and CSleep denotes whether
the producer or consumer is sleeping or not. Notice that the procedures in the next context-switch is represented by P2 and C2. The
same structure is copied n times to cover all the n context switches.
The procedures wakeup(consumer) and wakeup(Producer) are simulated in the model by adjusting the number of items in the buffer and
transferring the control to the appropriate process in the next context.
Finally to check for deadlock we verify the LTL formula F(( I1 ∨ I2 ∨
· · · ∨ In) ∧ PSleep = 1 ∧ CSleep = 1) which states that eventually we
will reach a position where both the producer and consumer process
is sleeping. In that case, we will have a deadlock as none of them can
awake the other.
8.6.3 Results
The results obtained by performing the verification using both the
algorithms is summarised in Table 8.6.3.
167
168
algorithms for model-checking
List Search
Producer-Consumer
Instances
Algorithm 5
Algorithm 6
10
<1s
2s
20
5s
10s
40
20s
80s
80
100s
250s
2
5s
7s
5
150s
T.O.
7
T.O.
T.O.
In case of example “List Search”, the number of instance denotes
the number of list elements in the list. Due to the simple nature of
the problem, both the algorithms can handle high number of list elements relatively easily. Even then Algorithm 6 takes more time than
Algorithm 5. This is due to the reason that Algorithm 6 explicitly
enumerates all the iterations of loops in path schema.
In case of example “Producer-Consumer”, the number of instance
denotes the number of context-switches between Producer and Consumer. Similar to the previous example Algorithm 5 is faster among
the two. But in this case, the both the algorithms run out of time
very quickly. The reason for this is the fact that the number of path
schemas grow exponentially as the number of context switches are
increased. Thus, with 7 context switches the number of path schemas
get very high to handle within 300 minutes.
Note that in case of Algorithm 5, formulas with universal quantifiers over integer variables were generated. But, in spite of that, the
quantified formulas were handled efficiently by CVC4 and their satisfaction were determined very fast.
All the time given in the table are in seconds rounded off to the
nearest integer.
8.7
summary
Here we present three aproaches of solving the model-checking problem for PLTL over flat counter systems. The three algorithms differ
in their way of solving the problem which might affect their running
time. They also differ in their extent of using SMT solvers. Note that
all three algorithms are complete, when applied to flat counter systems.
For the first approach, we adapt the technique of Chapter 7. We
construct a big quantified Presburger formula encoding the whole
model-checking problem. We then check whether the quantified Presburger formula is actually satisfiable or not. This procedure depends
heavily on the SMT solvers as the only job for it is to construct the
formula and check for satisfiability. Moreover, in this case, all the uni-
8.7 summary
versally quantified variables are bounded and hence we can hope to
obtain quicker results for satisfiability querry from SMT solvers.
In the third approach, we loop for N times for each loop in each
useful path schema. As shown before, N is bounded by an exponential in the size of S and φ. Thus, the procedure takes exponential time.
As it enumerates all possible path schemas and the number of times
each loop can be taken in each of them, it avoids use of any external
tool to resolve the guesses. Note that even though it needs to use SMT
solver to determine the validity of the sentence y |= Φ, by construction it deals with only bounded quantifiers which are shown to be
handled easily by SMT solvers [RTG+ 13].
The second approach is in between these two approaches and follows almost the algorithm presented in the Chapter 4. It uses SMT
solvers to check satisfiability of quantifier-free Presburger formula
while going through all possible unfolded path schemas. Note also
that there are three nested loops where each one of them can run
for an exponential time in the size of S and φ. Moreover calculating
the unfolded constrained path schemas, corresponding to a specific
path schema can be quite complex. Hence, even though the implementation could be complex, it only uses SMT solvers for solving
quantifier-free Presburger formulas which can be done quickly.
As explained, we can summarise the advantages and disadvantages
of the three approaches in the following table:
Property
Approach 1
Approach 2
Approach 3
Quantifier-free
No
Yes
No
Quantifiers
Enumeration
Enumeration
Non-determinism
Resolution
Usage of
Quantified
formula
Checking run,
specification
-
Checking
validity of the run
Moreover, as shown by running the two algorithms on two examples, we have that the algorithm with the maximum usage of SMT
solver performs better than others. This is expected as using SMT
solver for resolving guesses is always faster than enumerating all
guesses and checking them.
169
9
CONCLUSION
In this thesis we investigated the complexity of the model-checking
procedure for various specification languages over flat counter systems. We distinguish two types of specification languages: linear-time
specifications and branching-time specifications. For both the parts
we presented an uniform way to decide the model-checking problem. We also show that the uniform method of deciding the modelchecking problem gives us the optimal complexity of problem in almost all cases. This leads to general way of handling a large number of logical specifications without compromising the optimal complexity of the procedure. Overall, we see that for most of the logical specifications there is a gain in computational complexity of the
model-checking problem when we consider flat systems. Note that
even though we consider systems with flatness constraint, we allow
quite expressive guards to be specified on the transitions and in specifications. Consideration of flat systems as an under-approximation
of the general counter systems give a way to find an approximate
solution to model-checking problem for the general counter systems.
9.1
summary
In the case of linear-time specification languages, we present a reduction in Chapter 3 to show that flat counter systems can be decomposed into an exponential set of constrained path schemas (Theorem 5). In fact, this result alone, allows us to reduce the modelchecking problem for linear-time specifications over flat counter systems to the model-checking problem for linear-time specifications
over constrained path schema (Theorem 7). This gives us a general
roadmap for deciding the model-checking problem for linear-time
specifications in the form of an algorithm (Algorithm 1). The algorithm itself relies on the reduction of the model-checking problem
to some simpler problems on constrained path schemas (intersection
non-emptiness, membership problem) alongwith some polynomial
guesses.
As our first linear-time specification, we consider LTL with past in
Chapter 4. We start with proving the stuttering theorem for LTL with
past (Theorem 8). The stuttering theorem allows us to show that LTL
with past has an exponentially bounding limiting loops map (Theorem 9). This in turn allows us to obtain a PTime algorithm for the
membership problem for LTL with past (Theorem 10) allowing us to
follow the general road map for linear-time specifications to obtain
171
172
conclusion
an NP upper bound for the model-checking problem for LTL with
past over flat counter systems (Lemma 18). Similarly, we showed a
matching lower bound of NP (Lemma 19).
Next, we consider First order logic (FO) in Chapter 5. We start with
proving the stuttering theorem for FO using EF games (Theorem 15).
Similar to before, the stuttering theorem allows us to show that FO
has an exponentially bounding limiting loops map (Theorem 16). This
in turn allows us to obtain a PSpace algorithm for the membership
problem for FO (Theorem 17). This again allows us to follow the general road map for linear-time specifications to obtain an PSpace upper
bound for the model-checking problem for FO over flat counter systems and we conclude that the model-checking problem with FO is
PSpace-complete (Theorem 18).
In Chapter 6, we consider the rest of the linear-time specifications
which express the ω-regular properties. We first consider Büchi automata and show a stuttering theorem using techniques similar to
pumping lemma (Theorem 19). This, in a similar way as before, allows us to follow the general road map and obtain that the modelchecking problem with Büchi automata over flat counter systems is
NP-complete (Theorem 23). Once, we are equipped with this result,
the upper bound for the complexity of model-checking problem with
other specifications like Alternating Büchi automata, ETL, µTL are
shown easily using respective translations to Büchi automata and Algorithm 3 (Theorem 27). The PSpace lower bound for ABA and for a
relaxed version of µTL known as µTLvec is obtained using reduction
for the non-emptiness problem for single alphabet alternating finite
automata (Theorem 29, Theorem 30).
This completes the linear-time specifications we consider. For branching-time specifications, we employ a different methodology. In Chapter 7, we show that the model-checking problem for CTL∗ over flat
counter systems can be encoded using a quantified Presburger formula. In effect, we show a logspace reduction from the model-checking
problem for CTL∗ to Presburger arithmetic (Theorem 32). A crucial
point in obtaining a logspace reduction is the fact that we can encode
the runs of a counter system using a polynomially size Presburger
formula by encoding the path schemas of a flat counter systems as
vector of integers (Lemma 34). On the other hand we also show that
the satisfiability of a Presburger arithmetic formula can be encoded
by an instance of model-checking problem for CTLEF over flat counter
systems (Theorem 31). This proves the equivalence of model-checking
problem of all branching-time logics in between CTLEF and CTL∗
is equivalent to the satisfiability of Presburger arithmetic (modulo
LogSpace reduction).
All these results and their counterparts for Kripke structures are
shown in the following figure. The specification languages above the
dotted line have NP-complete model-checking procedure over flat
9.2 open problems and future work
PLTL
Büchi Automata
NP-complete
PSpace-complete
FO
ABA
ETL, µTL
(PSpace-hardness?)
counter systems and the ones below have PSpace-complete procedures (except for ETL and µTL, whose hardness is not yet known).
The arrows succinctness of the specification languages. An arrow
from A to B specification denotes that A is less succinct than B. Moreover, the two disjoint parts of the figure shows two different group of
specification languages with respect to expressiveness. The ones on
right can express regular properties whereas the ones on the left can
only express star-free properties.
In Chapter 8, we show some of the ways to implement the algorithms presented in the thesis. We address the main challenge in implementing the non-deterministic guesses appearing in all the modelchecking procedures for linear time specification languages. In particular, we show three algorithms for the model-checking procedure
for Past LTL . The three algorithms differs in the amount of usage of
SMT solvers and running time. The first algorithm (Algorithm 5) tries
to encode the model-checking problem into a quantified Presburger
arithmetic formula and checks satisfiability using a SMT solver. The
second algorithm (Algorithm 7), tries to follow the the algorithm presented in Chapter 4 and resolves the non-deterministic guesses by
enumerating all possible choices. The third algorithm (Algorithm 6)
first tries to characterize the runs using quantified formula and then
enumerate all runs for the model-checking of given formula. We also
present a prototype implementing Algorithm 6 and Algorithm 5 and
using CVC4 as SMT solver.
9.2
open problems and future work
A possible way to extend the work is to consider more powerful models. Once such model used in [DFGvD10] contains more expressive
guards and updates. More specifically the updates consists of matrices with special properties. This allows for more complicated updates
than are allowed in our system. For example assignment of counter
values within a loop. This kind of models, or course, will give rise
to higher complexity bounds for the model-checking problem, but, it
is interesting to find optimal complexity for such problems nonethe-
173
174
conclusion
less. Other types of models that could be interesting to study are flat
pushdown systems, flat parametric counter automata etc.
Another way to extend is to consider more expressive logical specifications. Even though we consider a wide-range of logical specifications there are few even more expressive or succinct logics that are
left behind. For example modal µ-calculus etc.
There are a few other problems that are left unanswered by the
present work, like the following:
• Lower bound for MC(ETL,FlatCS) and MC(µTL, FlatCS): The
lower bound for expressively similar specification languages
like ABA or µTLvec were obtained by a reduction from the
non-emptiness problem of single alphabet alternating finite automata. Such a reduction could not be found for ETL. For µTL,
even though a translation is known, it results in exponential
blowup.
• Lower bound for MC(ETL,PS(n)), MC(BA,PS(n)), MC(PLTLΣ ,
PS(n)) where PS(n) denotes a path schema (with counters and)
with a constant (n) number of loops.
To utilise more efficiently, the algorithms developed herein, the prototype itself can be improved in many ways. Of them, a possible direction is to allow non-flat counter systems as input and consider
an under-approximation of their runs represented as their flat unfoldings. Allowing non-flat counter systems as input will also have
the added benefit of testing the tool on various benchmarks obtained
from other projects like Flata, Fast etc. Moreover, it is also possible to improve the part of enumeration of path schema utilising the
information obtained from checking previous enumerations and to
reject non-useful path schemas as early in the process as possible. As
of now, the process of rejecting a path schema during enumeration
is very primitive and does not depend on the formula itself. But in
many cases it might be possible to reject a path schema for certain
types of formula (conjunction of propositional variables which does
not appear as label in path schema). Whereas, in the present form,
one of the algorithms (Algorithm 7) is not implemented, it would be
interesting to compare the performance of the implementation of the
algorithm with the present two.
A
APPENDIX
We will prove the claims made in Chapter 4 for “Stuttering theorem”.
The proofs rely on identifying equivalent portions (not necessarily in
terms of length) in both the words and proving properties on them.
For this reason, we partition the words into different zones. Our aim
is to compare the corresponding zones of two different words.
a.1
a zone classification for proving (claim 1) – (claim
5)
For the proofs of (Claim 1) – (Claim 5), the positions of each word
w of the form w = w1 u M w2 ∈ Σω (w1 ∈ Σ∗ , u ∈ Σ+ and w2 ∈ Σω )
with M > 2N are partitionned into five zones (A, B, C, D and E). We
also assume that N ≥ 2. Indeed, given that hw, i i ≈ N hw0 , i0 i, we shall
proceed by a case analysis on the positions i and i0 depending on
which zones i and i0 belong to. The definition of zones is illustrated
on Figure 15 and here is the formal characterization:
• Zone A corresponds to the set of positions i ∈ N such that
0 ≤ i < len(w1 ) + ( N − 1) · len(u).
• Zone B corresponds to the set of positions i ∈ N such that
len(w1 ) + ( N − 1) · len(u) ≤ i < len(w1 ) + N · len(u).
• Zone C corresponds to the set of positions i ∈ N such that
len(w1 ) + N · len(u) ≤ i < len(w1 ) + ( M − N ) · len(u).
• Zone D corresponds to the set of positions i ∈ N such that
len(w1 ) + ( M − N ) · len(u) ≤ i < len(w1 ) + ( M − ( N − 1)) ·
len(u).
• Zone E corresponds to the set of positions i ∈ N such that
len(w1 ) + ( M − ( N − 1)) · len(u) ≤ i.
Note that the definition of zones depends on the value N (taken
from ≈ N ) and also on u, w1 and w2 . In the sequel, we may index
the zones by N (providing e.g., A N , B N etc.) when it is useful to
make explicit from which relation ≈ N the definition of zones is made.
A
C
B
|
D
|
E
|
Figure 15: The five zones for w1 ()8 w2 with N = 3 and u = 175
176
appendix
Moreover, we may use a prime (providing for instance, A0N , B0N etc.) to
refer to zones for w0 . So, the relation ≈ N can be redefined as follows
def
when M, M0 > 2N: hw, i i ≈ N hw0 , i0 i ⇔ (M ≈2N M0 ) and one of the
conditions holds true:
1. i = i0 and either (i ∈ A N and i0 ∈ A0N ) or (i ∈ B N and i0 ∈ B0N ).
2. (i − i0 ) = ( M − M0 )len(u) and either (i ∈ D N and i0 ∈ D0N ) or
(i ∈ E N and i0 ∈ E0N ).
3. i ∈ C N , i0 ∈ C0N and |i − i0 | = 0 mod len(u).
a.1.0.1
Proof of (Claim 1)
Before the proof, let us recall what is (Claim 1). Let w = w1 u M w2 , w0 =
0
w1 u M w2 ∈ Σω , i, i0 ∈ N and N ∈ N such that M, M0 ≥ max(2N +
1, 5) and hw, i i ≈ N hw0 , i0 i.
(claim 1) hw, i i ≈ N −1 hw0 , i0 i; w[i ] = w0 [i0 ].
Proof. Let us first prove that hw, i i ≈ N −1 hw0 , i0 i. As N > N − 1, and
M, M0 ≥ 2N + 1, it is easy to see that M ≈2( N −1) M0 , i.e. min( M, 2( N −
1)) = min( M0 , 2( N − 1)).
• If i < len(w1 ) + ( N − 1)len(u) [i is in Zone A N ], then i = i0 .
Hence either (i ∈ A N −1 , i0 ∈ A0N −1 and i = i0 ) or (i ∈ B N −1 ,
i0 ∈ B0N −1 and i = i0 ). Hence, hw, i i ≈ N −1 hw0 , i0 i.
• If i ≥ len(w1 ) + ( M − ( N − 1))len(u) [i is in zone E N ] then i =
i0 + ( M − M0 )len(u) and i0 ≥ len(w1 ) + ( M0 − ( N − 1))len(u)
[i0 is in zone E0N ]. So, either (i is in zone E N −1 and i0 is in zone
E0N −1 ) or (i is in zone D N −1 and i0 is in zone D0N −1 ). Since i =
i0 + ( M − M0 )len(u), we conclude that hw, i i ≈ N −1 hw0 , i0 i.
• If len(w1 ) + ( N − 1)len(u) ≤ i < len(w1 ) + N · len(u) [i is in
Zone B N ] then i = i0 . Hence, i ∈ C N −1 , i0 ∈ C0N −1 and |i − i0 | = 0
mod len(u). Hence, hw, i i ≈ N −1 hw0 , i0 i.
• If len(w1 ) + Nlen(u) ≤ i < len(w1 ) + ( M − N )len(u) [i in Zone
C N ], then len(w1 ) + N · len(u) ≤ i0 < len(w1 ) + ( M0 − N )len(u)
[i0 is in Zone C0N ] and |i − i0 | = 0 mod len(u). Consequently, i
is in Zone C N −1 , i0 is in Zone C0N −1 and |i − i0 | = 0 mod len(u).
This entails that hw, i i ≈ N −1 hw0 , i0 i.
• If len(w1 ) + ( M − N )len(u) ≤ i < len(w1 ) + ( M − ( N − 1))len(u)
[i in Zone D N ], then i is in Zone D0N and i = i0 + ( M − M0 )len(u).
Consequently, i is in Zone C N −1 , i0 is in Zone C0N −1 and |i − i0 | =
0 mod len(u). This also entails that hw, i i ≈ N −1 hw0 , i0 i.
As far as the second property is concerned, it is also clear that
w[i ] = w0 [i0 ], because either i and i0 are at the same position in the
word w1 or w2 or they are pointing some positions in the portions of
the word which belong to u+ and since their difference will be such
that |i − i0 | = 0 mod len(u), it is easy to see that i and i0 will point at
the same position in u.
A.1 a zone classification for proving (claim 1) – (claim 5)
a.1.0.2
Proof of (Claim 2)
Before the proof, let us recall what is (Claim 2). Let w = w1 u M w2 , w0 =
0
w1 u M w2 ∈ Σω , i, i0 ∈ N and N ∈ N such that M, M0 ≥ max(2N +
1, 5) and hw, i i ≈ N hw0 , i0 i.
(claim 2) i, i0 > 0 implies hw, i − 1i ≈ N −1 hw0 , i0 − 1i.
Proof. Let us prove that i, i0 > 0 implies hw, i − 1i ≈ N −1 hw0 , i0 − 1i.
Since N > N − 1, it is obvious that M ≈2( N −1) M0 .
• If i < len(w1 ) + ( N − 1)len(u) [i is Zone A N ], then i = i0 . Hence,
i − 1 ∈ A N −1 , i0 − 1 ∈ A0N −1 and i − 1 = i0 − 1. So, hw, i −
1 i ≈ N −1 h w 0 , i 0 − 1 i.
• If i ≥ len(w1 ) + ( M − ( N − 1))len(u) [i is in zone E N ] then i =
i0 + ( M − M0 )len(u) and i0 ≥ len(w1 ) + ( M0 − ( N − 1))len(u)
[i0 is in zone E0N ]. So, either (i − 1 is in zone E N −1 , i0 − 1 is in
zone E0N −1 and i − 1 = i0 − 1 + ( M − M0 )len(u)) or (i − 1 is
in zone D N −1 and i0 − 1 is in zone D0N −1 and i − 1 = i0 − 1 +
( M − M0 )len(u)) or (i − 1 is in zone C N −1 and i0 − 1 is in zone
C0N −1 and |(i − 1) − (i0 − 1)| = 0 mod len(u)). We conclude
that hw, i − 1i ≈ N −1 hw0 , i0 − 1i.
• If len(w1 ) + ( N − 1)len(u) ≤ i < len(w1 ) + Nlen(u) [i is in
Zone B N ] then i = i0 . Hence, either (i − 1 ∈ C N −1 , i0 − 1 ∈ C0N −1
and |(i − 1) − (i0 − 1)| = 0 mod len(u)) or (i − 1 ∈ B N −1 , i0 −
1 ∈ B0N −1 and i − 1 = i0 − 1). Hence, hw, i − 1i ≈ N −1 hw0 , i0 − 1i.
• If len(w1 ) + Nlen(u) ≤ i < len(w1 ) + ( M − N )len(u) [i in Zone
C N ], then len(w1 ) + Nlen(u) ≤ i0 < len(w1 ) + ( M0 − N )len(u)
[i0 is in Zone C0N ] and |i − i0 | = 0 mod len(u). Consequently,
i − 1 is in Zone C N −1 , i0 − 1 is in Zone C0N −1 and |(i − 1) − (i0 −
1)| = 0 mod len(u). This entails that hw, i − 1i ≈ N −1 hw0 , i0 −
1i.
• If len(w1 ) + ( M − N )len(u) ≤ i < len(w1 ) + ( M − ( N − 1))len(u)
[i in Zone D N ], then i0 is in Zone D0N and i = i0 + ( M − M0 )len(u).
Consequently, i − 1 is in Zone C N −1 , i0 − 1 is in Zone C0N −1
and |(i − 1) − (i0 − 1)| = 0 mod len(u). This entails that hw, i −
1 i ≈ N −1 h w 0 , i 0 − 1 i.
a.1.0.3
Proof of (Claim 3)
Before the proof, let us recall what is (Claim 3). Let w = w1 u M w2 , w0 =
0
w1 u M w2 ∈ Σω , i, i0 ∈ N and N ∈ N such that M, M0 ≥ max(2N +
1, 5) and hw, i i ≈ N hw0 , i0 i.
(claim 3) hw, i + 1i ≈ N −1 hw0 , i0 + 1i.
177
178
appendix
Proof. Let us prove that hw, i + 1i ≈ N −1 hw0 , i0 + 1i. Since N > N − 1,
it is obvious that M ≈2( N −1) M0 .
• If i < len(w1 ) + ( N − 1)len(u) [i is Zone A N ], then i = i0 . Hence
either (i + 1 ∈ A N −1 , i0 + 1 ∈ A0N −1 and i + 1 = i0 + 1) or (i +
1 ∈ B N −1 , i0 + 1 ∈ B0N −1 and i + 1 = i0 + 1) or (i + 1 ∈ C N −1 ,
i0 + 1 ∈ C0N −1 and i − i0 = 0). Hence, hw, i + 1i ≈ N −1 hw0 , i0 + 1i.
• If i ≥ len(w1 ) + ( M − ( N − 1))len(u) [i is in zone E N ] then i =
i0 + ( M − M0 )len(u) and i0 ≥ len(w1 ) + ( M0 − ( N − 1))len(u)
[i0 is in zone E0N ]. So, either (i + 1 is in zone E N −1 and i0 + 1
is in zone E0N −1 ) or (i + 1 is in zone D N −1 and i0 + 1 is in zone
D0N −1 ). Since i + 1 = i0 + 1 + ( M − M0 )len(u), we conclude that
hw, i + 1i ≈ N −1 hw0 , i0 + 1i.
• If len(w1 ) + ( N − 1)len(u) ≤ i < len(w1 ) + Nlen(u) [i is in
Zone B N ] then i = i0 . Hence, i + 1 ∈ C N −1 , i0 + 1 ∈ C0N −1
and |(i + 1) − (i0 + 1)| = 0 mod len(u). Hence, hw, i + 1i ≈ N −1
h w 0 , i 0 + 1i.
• If len(w1 ) + Nlen(u) ≤ i < len(w1 ) + ( M − N )len(u) [i in Zone
C N ], then len(w1 ) + Nlen(u) ≤ i0 < len(w1 ) + ( M0 − N )len(u)
[i0 is in Zone C0N ] and |i − i0 | = 0 mod len(u). Consequently, i +
1 is in Zone C N −1 , i0 + 1 is in Zone C0N −1 and |(i + 1) − (i0 + 1)| =
0 mod len(u). This entails that hw, i + 1i ≈ N −1 hw0 , i0 + 1i.
• If len(w1 ) + ( M − N )len(u) ≤ i < len(w1 ) + ( M − ( N − 1))len(u)
[i in Zone D N ], then i is in Zone D0N and i = i0 + ( M − M0 )len(u).
Consequently, either (i + 1 is in Zone C N −1 , i0 + 1 is in Zone
C0N −1 and |(i + 1) − (i0 + 1)| = 0 mod len(u)) or (i + 1 is in
Zone D N −1 , i0 + 1 is in Zone D0N −1 and i + 1 = i0 + 1 + ( M −
M0 )len(u)). This also entails that hw, i + 1i ≈ N −1 hw0 , i0 + 1i.
a.1.0.4
Proof of (Claim 4)
Before providing the detailed proof, we give a concrete example on
Figure 16. On this example, we assume that the top word w and the
bottom word w0 and their respective positions i and i0 are such that
hw, i i ≈3 hw0 , i0 i. We want to illustrate (Claim 4) and for this matter,
we choose a position j in w. Now observe that according to the zone
classification, j is in the Zone C of the word w and furthermore it is
not possible to find a j0 > i0 in the Zone C of the word w0 such that j
and j0 points on the same position of the word u. That is why we need
to consider at this stage not the relation ≈3 but instead ≈2 . In fact, as
shown on the bottom of Figure 16, we can find for j, a position j0 in
w0 such that hw, ji ≈2 hw0 , j0 i (take j = j0 ) and this figure also shows
that for all i0 ≤ k ≤ j0 , hw, k i ≈2 hw0 , k i.
Before the proof, let us recall what is (Claim 4). Let w = w1 u M w2 ,
0
0
w = w1 u M w2 ∈ Σω , i, i0 ∈ N and N ∈ N such that M, M0 ≥
A.1 a zone classification for proving (claim 1) – (claim 5)
Two letter word u =
w
w0
w
w1
w1
w1
| i
j
|
|
|
|
w2
hw, i i ≈ N hw0 , i0 i
i0
|
|
|
j
i
w2
w2
|
hw,ki≈ N −1 hw0 ,k0 i
w0
w1
for i ≤ k ≤ j
|
i0
j0
|
|
w2
Figure 16: Relation between ≈ N and ≈ N −1
max(2N + 1, 5) and hw, i i ≈ N hw0 , i0 i. We can show the following
property:
(claim 4) For all j ≥ i, there is j0 ≥ i0 such that hw, ji ≈ N −1 hw0 , j0 i
and for all k0 ∈ [i0 , j0 − 1], there is some k ∈ [i, j − 1] such that
hw, ki ≈ N −1 hw0 , k0 i.
Proof. We proceed by a case analysis on the positions i and j:
• If i ≥ len(w1 ) + ( M − N )len(u) [i is in Zone D N or E N ] then
j ≥ len(w1 ) + ( M − N )len(u) [j is in Zone D N or E N ] and i0 ≥
len(w1 ) + ( M0 − N )len(u) [i0 is Zone D N or E N ] and i = i0 +
( M − M0 )len(u). We define j0 = j − ( M − M0 )len(u). Then it is
clear that j0 ≥ i0 and hw, ji ≈ N hw0 , j0 i. By (Claim 1), we get
hw, ji ≈ N −1 hw0 , j0 i. Let k0 ∈ [i0 , j0 − 1] and let k = k0 + ( M −
M0 )len(u), then we have that k ∈ [i, j − 1] and also hw, k i ≈ N
hw0 , k0 i, hence by (Claim 1), hw, ki ≈ N −1 hw0 , k0 i.
• If i < len(w1 ) + Nlen(u) [i is in Zone A N or B N ] then i0 <
len(w1 ) + Nlen(u) [i0 is in Zone A N or B N ] and i = i0 and we
have the following possibilities for the position j ≥ i:
– If j < len(w1 ) + Nlen(u) [j is in Zone A N or B N ], then
let j0 = j. Consequently we have hw, ji ≈ N hw0 , j0 i and by
(Claim 1) we get hw, ji ≈ N −1 hw0 , j0 i. Let k0 ∈ [i0 , j0 − 1] and
k = k0 . Then we have that k ∈ [i, j − 1] and also hw, k i ≈ N
hw0 , k0 i and by (Claim 1), hw, ki ≈ N −1 hw0 , k0 i.
– If len(w1 ) + Nlen(u) ≤ j < len(w1 ) + ( M − N )len(u) [j
is in Zone C N ], then let ` = ( j − (len(w1 ) + N len(u)))
mod len(u) (` the relative position of j in the word u it belongs to). Consequently 0 ≤ ` < len(u). Let j0 = len(w1 ) +
179
180
appendix
Nlen(u) + ` (we choose j0 at the same relative position
of j in the first word u of the Zone C N ). Then len(w1 ) +
Nlen(u) ≤ j0 < len(w1 ) + ( M0 − N )len(u) [j0 is in Zone
C N ] (because ( M0 − N ) > 0) and | j − j0 | = 0 mod len(u).
We deduce that hw, ji ≈ N hw0 , j0 i and by (Claim 1) we
get hw, ji ≈ N −1 hw0 , j0 i. Then let k0 ∈ [i0 , j0 − 1] and let
k = k0 . Then we have that k ∈ [i, j − 1]. Furthermore, if
k0 < len(w1 ) + Nlen(u) [k0 is in Zone A N or B N ] we obtain
hw, ki ≈ N hw0 , k0 i and by (Claim 1), hw, ki ≈ N −1 hw0 , k0 i.
Moreover, if len(w1 ) + Nlen(u) ≤ k0 [k0 is in Zone C N ] then
k is in Zone C N and |k − k0 | = 0 mod len(u) since k = k0 .
So, hw, k i ≈ N hw0 , k0 i and by (Claim 1), hw, k i ≈ N −1 hw0 , k0 i.
– If len(w1 ) + ( M − N )len(u) ≤ j [j is in Zone E N or D N ], let
j0 = j − ( M − M0 )len(u). Then, we have len(w1 ) + ( M0 −
N )len(u) ≤ j0 [j0 is in Zone D N or E N ] and we deduce
that hw, ji ≈ N hw0 , j0 i and by (Claim 1) we get hw, ji ≈ N −1
hw0 , j0 i. Then let k0 ∈ [i0 , j0 − 1]. If k0 < len(w1 ) + Nlen(u)
[k0 is in Zone A N or B N ], for k = k0 , we obtain hw, k i ≈ N
hw0 , k0 i and by (Claim 1), hw, ki ≈ N −1 hw0 , k0 i. For the case
when k0 ≥ len(w1 ) + ( M0 − N )len(u) [k0 is in Zone D N
or E N ], we choose k = k0 + ( M − M0 )len(u) and here also
we deduce hw, k i ≈ N hw0 , k0 i and by (Claim 1), hw, k i ≈ N −1
hw0 , k0 i. If on the other hand, w1 + Nlen(u) ≤ k0 < len(w1 ) +
( M0 − N )len(u) [k0 is in Zone C N ], let ` = (k0 − (len(w1 ) +
Nlen(u))) mod len(u) (` is the relative position of k0 in
the word u it belongs to) and let k = len(w1 ) + Nlen(u) + `
(k is placed at the same relative position of k0 in the first
word u of the Zone C N ). Then we have w1 + Nlen(u) ≤
k < len(w1 ) + ( M − N )len(u) and |k − k0 | = 0 mod len(u)
which allows to deduce that hw, ki ≈ N hw0 , k0 i and by
(Claim 1), hw, k i ≈ N −1 hw0 , k0 i.
• If len(w1 ) + Nlen(u) ≤ i < len(w1 ) + ( M − N )len(u) [i is Zone
C N ] then len(w1 ) + Nlen(u) ≤ i0 < len(w1 ) + ( M0 − N )len(u)
[i0 is in Zone C N ] and |i − i0 | = 0 mod len(u). Let ` = (i −
(len(w1 ) + Nlen(u))) mod len(u) (the relative position of i in
the word u). We have the following possibilities for the position
j ≥ i:
– If j − i < len(u) − ` + len(u) (j is either in the same word
u as i or in the next word u), then j < len(w1 ) + ( M −
( N − 1))len(u) [j is in Zone C N or D N ]. We define j0 =
i0 + ( j − i ) and we have that len(w1 ) + Nlen(u) ≤ j0 <
len(w1 ) + ( M0 − ( N − 1))len(u) [j0 is in Zone C N or D N ]
and since |i − i0 | = 0 mod len(u), we deduce | j − j0 | = 0
mod len(u). From this we obtain hw, ji ≈ N −1 hw0 , j0 i. Let
k0 ∈ [i0 , j0 − 1] and k = i + k0 − i0 . We have then that k ∈
[i, j − 1] and len(w1 ) + Nlen(u) ≤ k0 < len(w1 ) + ( M0 −
A.1 a zone classification for proving (claim 1) – (claim 5)
( N − 1))len(u) and len(w1 ) + Nlen(u) ≤ k < len(w1 ) +
( M − ( N − 1))len(u). Since |i − i0 | = 0 mod len(u), we
also have |k − k0 | = 0 mod len(u). Hence, hw, k i ≈ N −1
h w 0 , k 0 i.
– If j − i ≥ len(u) − ` + len(u) (j is neither in the same word
u as i nor in the next word u) and j ≥ len(w1 ) + ( M −
N )len(u) [j is in Zone E N or D N ]. Let j0 = j − ( M −
M0 )len(u) then j0 ≥ len(w1 ) + ( M0 − N )len(u) [j0 is in
Zone E N or D N ] and consequently hw, ji ≈ N hw0 , j0 i and by
(Claim 1) we get hw, ji ≈ N −1 hw0 , j0 i. Then let k0 ∈ [i0 , j0 − 1].
If k0 ≥ len(w1 ) + ( M0 − N )len(u) [k0 is in Zone D N or E N ],
then let k = k0 + ( M − M0 )len(u); we have in this case that
k ≥ len(w1 ) + ( M − N )len(u) and this allows us to deduce that hw, k i ≈ N −1 hw0 , k0 i. Now assume k0 < len(w1 ) +
( M0 − N )len(u) [k0 is in Zone C N ] and k0 − i0 < len(u) − `
(k0 and i0 are in the same word u), then let k = i + k0 − i0 .
In this case we have k < len(w1 ) + ( M − N )len(u) [k is
in Zone C N ] and since |i − i0 | = 0 mod len(u), we also
have |k − k0 | = 0 mod len(u), whence hw, k i ≈ N −1 hw0 , k0 i.
Now assume k0 < len(w1 ) + ( M0 − N )len(u) [k0 is in Zone
C N ] and k0 − i0 ≥ len(u) − ` (k0 and i0 are not in the same
word u). We denote by `0 = (k0 − (len(w1 ) + Nlen(u)))
mod len(u) the relative position of k0 in u and let k =
i + (len(u) − `) + `0 (k and k0 occur in the same position
in u but k occurs in the word u just after the word u in
which i belongs to) Then k ∈ [i, j − 1] (because `0 < len(u)
and j − i ≥ len(u) − ` + len(u)) and k < len(w1 ) + ( M −
( N − 1))len(u) (because i + (len(u) − `) < len(w1 ) + ( M −
N )len(u) and `0 < len(u)) and |k − k0 | = 0 mod len(u) (k
and k0 are both pointing on the `0 -th position in word u).
This allows us to deduce that hw, k i ≈ N −1 hw0 , k0 i.
– If j − i ≥ len(u) − ` + len(u) (j is neither in the same word
u as i nor in the next word u) and j < len(w1 ) + ( M −
N )len(u) [j is in Zone C N ]. Then let `0 = ( j − (len(w1 ) +
Nlen(u))) mod len(u) the relative position of j in u. We
choose j0 = i0 + (len(u) − `) + `0 (j and j0 occur in the same
position in u but j0 occurs in the word u just after the word
u in which i0 belongs to) We have then that j0 < len(w1 ) +
( M0 − ( N − 1))len(u) [j0 is in Zone C N or D N ] (because i0 +
(len(u) − `) < len(w1 ) + ( M − N )len(u) and `0 < len(u))
and | j − j0 | = 0 mod len(u) (j and j0 are both pointing
on the `0 -th position in word u), hence hw, ji ≈ N −1 hw0 , j0 i.
Let k0 ∈ [i0 , j0 − 1]. If k0 − i0 < len(u) − ` (k0 and i0 are
in the same word u), then let k = i + k0 − i0 . In this case
we have k < len(w1 ) + ( M − N )len(u) [k is in Zone C N ]
and since |i − i0 | = 0 mod len(u), we also have |k − k0 | = 0
181
182
appendix
mod len(u), hence hw, k i ≈ N −1 hw0 , k0 i. If k0 − i0 ≥ len(u) −
` (k0 and i0 are not in the same word u), then j0 − k0 < `0
and let k = j − j0 − k0 . In this case we have k < len(w1 ) +
( M − N )len(u) [k is in Zone C N ] and since | j − j0 | = 0
mod len(u), we also have |k − k0 | = 0 mod len(u), hence
hw, ki ≈ N −1 hw0 , k0 i.
a.1.0.5
Proof of (Claim 5)
Before the proof, let us recall what is (Claim 5). Let w = w1 u M w2 , w0 =
0
w1 u M w2 ∈ Σω , i, i0 ∈ N and N ∈ N such that M, M0 ≥ max(2N +
1, 5) and hw, i i ≈ N hw0 , i0 i.
(claim 5) for all j ≤ i, there is j0 ≤ i0 such that hw, ji ≈ N −1 hw0 , j0 i
and for all k0 ∈ [ j0 − 1, i0 ], there exists k ∈ [ j − 1, i ] such that
hw, ki ≈ N −1 hw0 , k0 i.
Proof. The proof is similar to the proof for (Claim 4) by looking backward instead of looking forward (still there are slight differences because past is finite). Nevertheless, full proof is provided below for the
sake of completeness. We proceed by a case analysis on the positions
i and j:
• If i < len(w1 ) + Nlen(u) [i is in Zone A N or B N ] then j <
len(w1 ) + Nlen(u) [j is in Zone A N or B N ] and i0 < len(w1 ) +
Nlen(u) [i0 is in Zone A N or B N ] and i = i0 . We define j0 = j.
Then it is clear that j0 < i0 and hw, ji ≈ N hw0 , j0 i. By (Claim 1),
we get hw, ji ≈ N −1 hw0 , j0 i. Let k0 ∈ [ j0 − 1, i0 ] and let k = k0 , then
we have that k ∈ [ j − 1, i ] and also hw, k i ≈ N hw0 , k0 i, hence by
(Claim 1), hw, ki ≈ N −1 hw0 , k0 i.
• If i ≥ len(w1 ) + ( M − N )len(u) [i is Zone D N or E N ] then i0 ≥
len(w1 ) + ( M0 − N )len(u) [i0 is in Zone D N or E N ] and i =
i0 + ( M − M0 )len(u) and we have the following possibilities for
the position j ≤ i:
– If j ≥ len(w1 ) + ( M − N )len(u) [j is in Zone D N or E N ],
then let j0 = j − ( M − M0 )len(u). Consequently, we have
hw, ji ≈ N hw0 , j0 i and by (Claim 1) we get hw, ji ≈ N −1
hw0 , j0 i. Let k0 ∈ [ j0 − 1, i0 ] and k = k0 + ( M − M0 )len(u).
Then we have that k ∈ [ j − 1, i ] and also hw, k i ≈ N hw0 , k0 i.
By (Claim 1), hw, k i ≈ N −1 hw0 , k0 i.
– If len(w1 ) + Nlen(u) ≤ j < len(w1 ) + ( M − N )len(u) [j
is in Zone C N ], then let ` = ( j − (len(w1 ) + N len(u)))
mod len(u) (` is the relative position of j in the word u
it belongs to). Consequently 0 ≤ ` < len(u). Let j0 =
len(w1 ) + ( M0 − N )len(u) − (len(u) − `) (j0 is at the same
position as j in the last word u of the Zone C N ). Then
A.1 a zone classification for proving (claim 1) – (claim 5)
len(w1 ) + Nlen(u) ≤ j0 < len(w1 ) + ( M0 − N )len(u) [j0
is in Zone C N ] (because ( M0 ≥ 2N + 1) and | j − j0 | = 0
mod len(u) (they are at the same position in the word u).
We deduce that hw, ji ≈ N hw0 , j0 i and by (Claim 1) we
get hw, ji ≈ N −1 hw0 , j0 i. Then let k0 ∈ [ j0 − 1, i0 ] and let
k = k0 + ( M − M0 )len(u). Then we have that k ∈ [ j − 1, i ].
Furthermore, if k0 ≥ len(w1 ) + ( M0 − N )len(u) [k0 is in
Zone D N or E N ] then k ≥ len(w1 ) + ( M − N )len(u) [k is
in Zone D N or E N ] and we obtain hw, k i ≈ N hw0 , k0 i and by
(Claim 1), hw, k i ≈ N −1 hw0 , k0 i. Moreover, if k0 < len(w1 ) +
( M0 − N )len(u) then necessarily len(w1 ) + Nlen(u) ≤ k0
[k0 is in Zone C N ] (because j0 < k0 ) and |k − k0 | = 0
mod len(u) (because k = k0 + ( M − M0 )len(u)). Whence,
k is in Zone C N and hw, k i ≈ N hw0 , k0 i. By (Claim 1), we
obtain hw, k i ≈ N −1 hw0 , k0 i.
– If j < len(w1 ) + Nlen(u) [j is in Zone A N or B N ], let
j0 = j. We have then j0 < len(w1 ) + Nlen(u) [j0 is in
Zone A N or B N ]. We deduce that hw, ji ≈ N hw0 , j0 i and
by (Claim 1) we get hw, ji ≈ N −1 hw0 , j0 i. Then let k0 ∈
[ j0 − 1, i0 ]. If k0 < len(w1 ) + Nlen(u) [k0 is in Zone A N ],
for k = k0 , we obtain hw, k i ≈ N hw0 , k0 i and by (Claim 1),
hw, ki ≈ N −1 hw0 , k0 i. If k0 ≥ len(w1 ) + ( M0 − N )len(u) [k0
is in Zone D N or E N ], we choose k = k0 + ( M − M0 )len(u)
and here also we deduce hw, k i ≈ N hw0 , k0 i and by (Claim
1), hw, k i ≈ N −1 hw0 , k0 i. If w1 + Nlen(u) ≤ k0 < len(w1 ) +
( M0 − N )len(u) [k0 is in Zone C N ], let ` = (k0 − (len(w1 ) +
Nlen(u))) mod len(u) (` is the relative position of k0 in
the word u it belongs to) and let k = len(w1 ) + Nlen(u) + `
(k is at the same position of k0 in the first word of the
Zone C N ). Then we have w1 + Nlen(u) ≤ k < len(w1 ) +
( M − N )len(u) [k is in the Zone C N ] and |k − k0 | = 0
mod len(u) which allows to deduce that hw, ki ≈ N hw0 , k0 i
and by (Claim 1), hw, k i ≈ N −1 hw0 , k0 i.
• If len(w1 ) + Nlen(u) ≤ i < len(w1 ) + ( M − N )len(u) [i in Zone
C N ] then len(w1 ) + Nlen(u) ≤ i0 < len(w1 ) + ( M0 − N )len(u)
[i0 in Zone C N ] and |i − i0 | = 0 mod len(u). Let ` = (i −
(len(w1 ) + Nlen(u))) mod len(u) (` is the relative position of i
in the word u it belongs to). We have the following possibilities
for the position j ≤ i:
– If i − j < ` + len(u) (j is in the same word u as i or in
the previous word u) then j ≥ len(w1 ) + ( N − 1)len(u)
[j is in Zone B N or C N ]. We define j0 = i0 − (i − j) and
we have that len(w1 ) + ( N − 1)len(u) ≤ j0 < len(w1 ) +
( M0 − N )len(u) [j0 is in Zone B N or C N ] and since |i −
i0 | = 0 mod len(u), we deduce | j − j0 | = 0 mod len(u).
From this, we obtain hw, ji ≈ N −1 hw0 , j0 i. Let k0 ∈ [ j0 − 1, i0 ]
183
184
appendix
and k = i − (i0 − k0 ). We have then that k ∈ [ j − 1, i ] and
len(w1 ) + ( N − 1)len(u) ≤ k0 < len(w1 ) + ( M0 − N )len(u)
[k0 is in Zone B N or C N ] and len(w1 ) + ( N − 1)len(u) ≤
k < len(w1 ) + ( M − N )len(u) [k is in Zone B N or C N ] and
since |i − i0 | = 0 mod len(u), we also have |k − k0 | = 0
mod len(u). Consequently hw, k i ≈ N −1 hw0 , k0 i.
– If i − j ≥ ` + len(u) (j is neither in the same word u as i nor
in the previous word u) and j < len(w1 ) + Nlen(u) [j is in
zone A N or B N ]. Let j0 = j. So, j0 < len(w1 ) + Nlen(u) and
hw, ji ≈ N hw0 , j0 i. By using (Claim 1) we get hw, ji ≈ N −1
hw0 , j0 i. Then let k0 ∈ [ j0 − 1, i0 ]. If k0 < len(w1 ) + Nlen(u)
[k0 is in Zone A N or B N ], then let k = k0 ; we have in
this case that k < len(w1 ) + Nlen(u) and this allows us
to deduce that hw, k i ≈ N −1 hw0 , k0 i. Now assume k0 ≥
len(w1 ) + Nlen(u) [k0 is in Zone C N ] and i0 − k0 ≤ ` (k0
and i0 are in the same word u), then let k = i − (i0 − k0 ). In
this case we have k ≥ len(w1 ) + Nlen(u) [k is in Zone C N ]
and since |i − i0 | = 0 mod len(u), we also have |k − k0 | = 0
mod len(u), hence (w, k ) ≈ N −1 (w0 , k0 ). Now assume k0 ≥
len(w1 ) + Nlen(u) [k0 is in Zone C N ] and i0 − k0 > ` (k0
and i0 are not in the same word u). We denote by `0 = (k0 −
(len(w1 ) + Nlen(u))) mod len(u) the relation position of
k0 in u and let k = i − ` − (len(u) − `0 ) (k is at the same
position as k0 of k in the word u preceding the word u i belongs to). Then k ∈ [ j − 1, i ] (because len(u) − `0 < len(u)
and i − j ≥ ` + len(u)) and k ≥ len(w1 ) + ( N − 1)len(u)
(because i + (len(u) − `) ≥ len(w1 ) + ( M − N )len(u) and
len(u) − ` < len(u)) and |k − k0 | = 0 mod len(u) (k and
k0 are both pointing on the `0 -th position in word u). This
allows us to deduce that hw, ki ≈ N −1 hw0 , k0 i.
– If j − i ≥ ` + len(u) (j is neither in the same word u as
i nor in the previous word u) and j ≥ len(w1 ) + Nlen(u)
[j is in zone C N ]. Then let `0 = ( j − (len(w1 ) + Nlen(u)))
mod len(u) the relative position of j ∈ u. We choose j0 =
i0 − ` − (len(u) − `0 ) (j0 and j are on the same position of u
but in the word u precedent in the one to which i belongs
to). We have then that j0 ≥ len(w1 ) + ( N − 1)len(u) [j0 is
zone B N or C N ] (because i0 − ` ≥ len(w1 ) + N )len(u) and
len(u) − `0 ≤ len(u)) and | j − j0 | = 0 mod len(u) (j and
j0 are both pointing on the `0 -th position in word u), hence
hw, ji ≈ N −1 hw0 , j0 i. Let k0 ∈ [ j0 − 1, i0 ]. If i0 − k0 ≤ ` (k0 and
i0 are in the same word u), then let k = i − (i0 − k0 ). In this
case we have k ≥ len(w1 ) + Nlen(u) [k is in Zone C N ] and
since |i − i0 | = 0 mod len(u), we also have |k − k0 | = 0
mod len(u), hence hw, k i ≈ N −1 hw0 , k0 i. If i0 − k0 > ` (k0
and i0 are not in the same word u), then k0 − j0 < len(u) −
A.1 a zone classification for proving (claim 1) – (claim 5)
`0 and let k = j + k0 − j0 . In this case we have len(w1 ) +
Nlen(u) ≤ k < len(w1 ) + ( M − N )len(u) [k is in Zone C N ]
and since | j − j0 | = 0 mod len(u), we also have |k − k0 | = 0
mod len(u), hence hw, k i ≈ N −1 hw0 , k0 i.
185
BIBLIOGRAPHY
[AD94] Rajeev Alur and David L. Dill. A theory of timed
automata. Theoretical Computer Science, 126(2):183–235,
1994.
[AN01] André Arnold and Damian Niwinski. Rudiments of µcalculus. Elsevier, 2001.
[BB04] Clark W. Barrett and Sergey Berezin. CVC lite: A new
implementation of the cooperating validity checker category B. In Computer Aided Verification, CAV 2004, pages
515–518, 2004.
[BBH+ 06] Ahmed Bouajjani, Marius Bozga, Peter Habermehl, Radu
Iosif, Pierre Moro, and Tomás Vojnar. Programs with lists
are counter automata. In Computer Aided Verification, CAV
2006, pages 517–531, 2006.
[BC96] Alexandre Boudet and Hubert Comon. Diophantine
equations, Presburger arithmetic and finite automata. In
Trees in Algebra and Programming - CAAP’96, pages 30–43,
1996.
[BCD+ 11] Clark Barrett, Christopher L. Conway, Morgan Deters,
Liana Hadarean, Dejan Jovanovic, Tim King, Andrew
Reynolds, and Cesare Tinelli. CVC4. In Computer Aided
Verification, CAV 2011, pages 171–177, 2011.
[BDD13] Clark Barrett, Stéphane Demri, and Morgan Deters. Witness runs for counter machines. In Frontiers of Combining
Systems, FroCoS 2013, pages 120–150, 2013.
[BDL96] Clark W. Barrett, David L. Dill, and Jeremy R. Levitt. Validity checking for combinations of theories with equality. In Formal Methods in Computer-Aided Design, FMCAD
1996, pages 187–201, 1996.
[BDR03] Véronique Bruyère, Emmanuel Dall’Olio, and JeanFrançois Raskin. Durations, parametric model-checking
in timed automata with Presburger arithmetic. In 20th
Annual Symposium on Theoretical Aspects of Computer Science, STACS 2003, pages 687–698, 2003.
[Ber77] Leonard Berman. Precise bounds for Presburger arithmetic and the reals with addition: Preliminary report.
In Annual Symposium on Foundations of Computer Science,
FOCS 1977, pages 95–99, 1977.
187
188
bibliography
[BFL13] Florian Bruse, Oliver Friedmann, and Martin Lange.
Guarded transformation for the modal mu-calculus.
CoRR, abs/1305.0648, 2013.
[BIK10] Marius Bozga, Radu Iosif, and Filip Konecný. Fast acceleration of ultimately periodic relations. In Computer
Aided Verification, CAV 2010, pages 227–242, 2010.
[BIK14] Marius Bozga, Radu Iosif, and Filip Konecný. Safety
problems are NP-complete for flat integer programs with
octagonal loops. In Verification, Model Checking, and Abstract Interpretation, VMCAI 2014, pages 242–261, 2014.
[BIL09] Marius Bozga, Radu Iosif, and Yassine Lakhnech. Flat
parametric counter automata. Fundamenta Informaticae,
91(2):275–303, 2009.
[BJW01] Bernard Boigelot, Sébastien Jodogne, and Pierre Wolper.
On the use of weak automata for deciding linear arithmetic with integer and real variables. In International
Joint Conference on Automated Reasoning, IJCAR 2001,
pages 611–625, 2001.
[BKR96] Morten Biehl, Nils Klarlund, and Theis Rauhe. Mona:
Decidable arithmetic in practice. In Formal Techniques in
Real-Time and Fault-Tolerant Systems, FTRTFT 1996, pages
459–462, 1996.
[BMS+ 06] Mikolaj Bojanczyk, Anca Muscholl, Thomas Schwentick,
Luc Segoufin, and Claire David. Two-variable logic on
words with data. In Logics in Computer Science, LICS 2006,
pages 7–16, 2006.
[BMT+ 11] Olaf Beyersdorff, Arne Meier, Michael Thomas, Heribert Vollmer, Martin Mundhenk, and Thomas Schneider.
Model checking CTL is almost always inherently sequential. Logical Methods in Computer Science, 7(2), 2011.
[Boi98] Bernard Boigelot. Symbolic methods for exploring infinite
state spaces. PhD thesis, Université de Liège, 1998.
[BP12] Laura Bozzelli and Sophie Pinchinat. Verification of gaporder constraint abstractions of counter systems. In Verification, Model Checking, and Abstract Interpretation, VMCAI
2012, pages 88–103, 2012.
[BT07] Clark Barrett and Cesare Tinelli. CVC3. In Computer
Aided Verification, CAV 2007, pages 298–302, 2007.
[Büc60] J. Richard Büchi. Weak second-order arithmetic and finite automata. Mathematical Logic Quarterly, 6(1-6):66–92,
1960.
bibliography
[Cau03] Didier Caucal. On infinite transition graphs having a
decidable monadic theory. Theoretical Computer Science,
290(1):79–115, 2003.
[CC77] Patrick Cousot and Radhia Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In
Fourth ACM Symposium on Principles of Programming Languages, pages 238–252, 1977.
[CC00] Hubert Comon and Véronique Cortier. Flatness is not a
weakness. In Computer Science Logic, CSL 2000, volume
1862, pages 262–276, 2000.
[CE81] Edmund M. Clarke and E. Allen Emerson. Design and
synthesis of synchronization skeletons using branchingtime temporal logic. In Logic of Programs, pages 52–71,
1981.
[CES86] Edmund M. Clarke, E. Allen Emerson, and A. Prasad
Sistla. Automatic verification of finite-state concurrent
systems using temporal logic specifications. ACM Trans.
Program. Lang. Syst., 8(2):244–263, 1986.
[CGK12] Aiswarya Cyriac, Paul Gastin, and K. Narayan Kumar.
Mso decidability of multi-pushdown systems via splitwidth. In Concurrency Theory, CONCUR 2012, pages 547–
561, 2012.
[CGP01] Edmund M. Clarke, Orna Grumberg, and Doron Peled.
Model checking. MIT Press, 2001.
[CHV14] Edmund M. Clarke, Thomas A. Henzinger, and Helmut
Veith. Handbook of Model Checking. Springer, 2014.
[CJ98] Hubert Comon and Yan Jurski. Multiple counter automata, safety analysis and PA. In Computer Aided Verification, CAV 1998, volume 1427, pages 268–279, 1998.
[CKL04] Edmund M. Clarke, Daniel Kroening, and Flavio Lerda.
A tool for checking ANSI-C programs. In Tools and Algorithms for the Construction and Analysis of Systems, TACAS
2004, pages 168–176, 2004.
[CKS81] Ashok K. Chandra, Dexter Kozen, and Larry J. Stockmeyer. Alternation. JACM, 28(1):114–133, 1981.
[CKY03] Edmund M. Clarke, Daniel Kroening, and Karen Yorav.
Behavioral consistency of C and verilog programs using
bounded model checking. In Design Automation Conference, DAC 2003, pages 368–371, 2003.
189
190
bibliography
[CMNF12] Lucas Cordeiro, Jeremy Morse, Denis Nicole, and Bernd
Fischer. Context-bounded model checking with ESBMC
1.17 - (competition contribution). In Tools and Algorithms
for the Construction and Analysis of Systems, TACAS 2012,
pages 534–537, 2012.
[Con12] Sylvain Conchon. SMT techniques and their applications: from alt-ergo to cubicle. In Habilitation à Diriger
des Recherches, Université Paris-Sud, 2012.
[Cou90] Bruno Courcelle. Graph rewriting: An algebraic and
logic approach. In Handbook of Theoretical Computer Science, Volume B: Formal Models and Sematics (B), pages 193–
242. MIT Press, Cambridge, 1990.
[CVC] Cvc4 homepage. http://cvc4.cs.nyu.edu/web/.
[Daw07] Anuj Dawar. Model-checking first-order logic: Automata
and locality. In Computer Science Logic, CSL 2007, page 6,
2007.
[DD02] Stéphane Demri and Deepak D’Souza. An automatatheoretic approach to constraint ltl. In Foundations
of Software Technology and Theoretical Computer Sciencem,
FSTTCS 2002, pages 121–132, 2002.
[DDS12] Stéphane Demri, Amit Kumar Dhar, and Arnaud Sangnier. Taming Past LTL and Flat Counter Systems. In
International Joint Conference on Automated Reasoning, IJCAR 2012, volume 7364 of LNAI, pages 179–193. Springer,
2012. See also http://arxiv.org/abs/1205.6584.
[DDS13] Stéphane Demri, Amit Kumar Dhar, and Arnaud Sangnier. On the complexity of verifying regular properties
on flat counter systems,. In Automata, Languages, and
Programming - 40th International Colloquium, ICALP 2013,
pages 162–173, 2013. See also http://arxiv.org/abs/
1304.6301.
[DFGvD10] Stéphane Demri, Alain Finkel, Valentin Goranko, and
Govert van Drimmelen. Model-checking CTL∗ over flat
Presburger counter systems. JANCL, 20(4):313–344, 2010.
[DFK07] Clare Dixon, Michael Fisher, and Boris Konev. Temporal
logic with capacity constraints. In Frontiers of Combining
Systems, FROCOS 2007, volume 4720 of LNCS, pages 163–
177. Springer, 2007.
[DL09] Stéphane Demri and Ranko Lazic. LTL with the freeze
quantifier and register automata. ACM Transaction on
Computational Logic, 10(3), 2009.
bibliography
[DLS08] Stéphane Demri, Ranko Lazic, and Arnaud Sangnier.
Model checking freeze LTL over one-counter automata.
In Foundations of Software Science and Computational Structures, FOSSACS 2008, pages 490–504, 2008.
[dMB08] Leonardo Mendonça de Moura and Nikolaj Bjørner. Z3:
An Efficient SMT Solver. In Tools and Algorithms for the
Construction and Analysis of Systems, TACAS 2008, volume
4963 of LNCS, pages 337–340, 2008.
[EH85] E. Allen Emerson and Joseph Y. Halpern. Decision procedures and expressiveness in the temporal logic of branching time. Journal of Computer and Systen Sciences, 30(1):1–
24, 1985.
[EH86] E. Allen Emerson and Joseph Y. Halpern. “sometimes”
and “not never” revisited: on branching versus linear
time temporal logic. Journal of ACM, 33(1):151–178, 1986.
[EJS93] E. Allen Emerson, Charanjit S. Jutla, and A. Prasad Sistla.
On model-checking for fragments of µ-calculus. In Computer Aided Verification, 5th International Conference, CAV
1993, pages 385–396, 1993.
[EL87] E. Allen Emerson and Chin-Laung Lei. Modalities for
model checking: Branching time logic strikes back. Science of Computer Programming, 8(3):275–306, 1987.
[ES03] Niklas Eén and Niklas Sörensson. An extensible satsolver. In Theory and Applications of Satisfiability Testing,
SAT 2003, pages 502–518, 2003.
[EW00] Kousha Etessami and Thomas Wilke. An until hierarchy
and other applications of an Ehrenfeucht-Fraïssé game
for temporal logic. Information and Computation, 160(1–
2):88–108, 2000.
[FL02] Alain Finkel and Jérôme Leroux. How to compose Presburger accelerations: Applications to broadcast protocols. In Foundations of Software Technology and Theoretical
Computer Sciencem, FSTTCS 2002, volume 2256 of LNCS,
pages 145–156. Springer, 2002.
[FO96] Laurent Fribourg and Hans Olsén. Symbolic verification
with gap-order constraints. In Logic Program Synthesis and
Transformation (LOPSTR 1996), pages 187–203. Springer,
1996.
[FR74] Michael J. Fischer and Michael O. Rabin.
Superexponential complexity of Presburger Arithmetic. In
191
192
bibliography
Symposium on Applied Mathematics, volume 7, pages 27–
41, 1974.
[FR79] Jeanne Ferrante and Charles Rackoff. The Computational
Complexity of Logical Theories, volume 718. SpringerVerlag, 1979.
[Gab87] Dov M. Gabbay. The declarative past and imperative
future. In Temporal Logic in Specification, Altrincham, UK,
volume 398 of LNCS, pages 409–448. Springer, 1987.
[GHOW10] Stefan Göller, Christoph Haase, Joël Ouaknine, and
James Worrell. Model checking succinct and parametric one-counter automata. In International Colloquium on
Automata, Languages and Programming, ICALP 2010, pages
575–586, 2010.
[GHOW12] Stefan Göller, Christoph Haase, Joël Ouaknine, and
James Worrell. Branching-time model checking of parametric one-counter automata. In Foundations of Software Science and Computational Structures, FOSSACS 2012,
pages 406–420, 2012.
[GL13] Stefan Göller and Markus Lohrey. Branching-time model
checking of one-counter processes and timed automata.
SIAM Journal on Computing, 42(3):884–923, 2013.
[GMP03] Blaise Genest, Anca Muscholl, and Doron Peled. Message sequence charts. In Lectures on Concurrency and Petri
Nets, Advances in Petri Nets, pages 537–558, 2003.
[GMT09] Stefan Göller, Richard Mayr, and Anthony Widjaja To.
On the computational complexity of verifying onecounter processes. In IEEE Symposium on Logic in Computer Science, LICS 2009, pages 235–244, 2009.
[GNRZ08] Silvio Ghilardi, Enrica Nicolini, Silvio Ranise, and
Daniele Zucchelli. Towards SMT Model Checking of
Array-Based Systems. In IJCAR’08, volume 5195 of LNCS,
pages 67–82. Springer, 2008.
[Grä88] Erich Grädel. Subclasses of Presburger arithmetic and
the polynomial-time hierarchy. Theoretical Computer Science, 56:289–301, 1988.
[Hab97] Peter Habermehl. On the complexity of the linear-time
mu-calculus for Petri nets. In International Conference on
Application and Theory of Petri Nets, ICATPN 1997, volume
1248 of LNCS, pages 102–116. Springer, 1997.
bibliography
[HKG+ 12] Hossein Hojjat, Filip Konecný, Florent Garnier, Radu
Iosif, Viktor Kuncak, and Philipp Rümmer. A verification toolkit for numerical transition systems - tool paper.
In International Symposium on Formal Methods, FM 2012,
pages 247–251, 2012.
[HKOW09] Christoph Haase, Stephan Kreutzer, Joël Ouaknine, and
James Worrell. Reachability in succinct and parametric one-counter automata. In CONCUR, pages 369–383,
2009.
[Iba78] Oscar H. Ibarra. Reversal-bounded multicounter machines and their decision problems. JACM, 25(1):116–133,
1978.
[JS07] Petr Jancar and Zdenek Sawa. A note on emptiness for
alternating finite automata with a one-letter alphabet. Information Processing Letters, 104(5):164–167, 2007.
[Kam68] Johan A. W. Kamp. Tense Logic and The Theory of Linear
Order. PhD thesis, University of California, Los Angeles,
1968.
[KF11] Lars Kuhtz and Bernd Finkbeiner. Weak Kripke structures and LTL. In CONCUR’11, volume 6901 of LNCS,
pages 419–433. Springer, 2011.
[KM69] Richard M. Karp and Raymond E. Miller. Parallel program schemata. Journal of Computing System Sciences,
3(2):147–195, 1969.
[Kna28] Bronislaw Knaster. Un théoréme sur les fonctions
d’ensembles. Annales de la Société Polonaise de Mathématique, 6:133–134, 1928.
[Kos82] S. Rao Kosaraju. Decidability of reachability in vector
addition systems (preliminary version). In Symposium on
Theory of Computing, STOC 1982, pages 267–281, 1982.
[Kri63] Saul Kripke. Semantical considerations on modal logic.
In Acta Philosophica Fennica, volume 16, pages 83–94,
1963.
[KS05] Antonín Kučera and Jan Strejček. The stuttering principle revisited. Acta Informatica, 41(7–8):415–434, 2005.
[KT14] Daniel Kroening and Michael Tautschnig. CBMC - C
bounded model checker - (competition contribution). In
International Conference Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2014, pages 389–
391, 2014.
193
194
bibliography
[Kuh10] Lars Kuhtz. Model Checking Finite Paths and Trees. PhD
thesis, Universität des Saarlandes, 2010.
[Ler03] Jérôme Leroux. Algorithmique de la vérification des systèmes
à compteurs. Approximation et accélération. Implémentation
de l’outil FAST. PhD thesis, ENS de Cachan, France, 2003.
[Ler11] Jérôme Leroux. Vector addition system reachability problem: a short self-contained proof. In Symposium on Principles of Programming Languages, POPL 2011, pages 307–316,
2011.
[Lib04] Leonid Libkin. Elements of Finite Model Theory. Springer,
2004.
[LMS02] François Laroussinie, Nicolas Markey, and Ph. Schnoebelen. Temporal logic with forgettable past. In Logics in
Computer Science, LICS 2002, pages 383–392. IEEE, 2002.
[LP09] Jérôme Leroux and Gérald Point. TaPAS: The talence
Presburger arithmetic suite. In Tools and Algorithms for the
Construction and Analysis of Systems, TACAS 2009, pages
182–185, 2009.
[lps] Lp_solve homepage.
net/5.5/.
http://lpsolve.sourceforge.
[LS00] François Laroussinie and Ph. Schnoebelen. Specification
in CTL + past for verification in CTL. Information & Computation, 156:236–263, 2000.
[LS05] Jérôme Leroux and Grégoire Sutre. Flat counter systems
are everywhere! In Symposium on Automated Technology
for Verification and Analysis, ATVA 2005, volume 3707 of
LNCS, pages 489–503. Springer, 2005.
[Lyn77] Nancy A. Lynch. Log Space recognition and translation
of parenthesis languages. Journal of ACM, 24(4):583–590,
1977.
[May81] Ernst W. Mayr. An algorithm for the general Petri net
reachability problem. In Symposium on Theory of Computing, STOC 1981, pages 238–246, 1981.
[MH84] Satorou Miyano and Takeshi Hayashi. Alternating finite automata on ω-words. Theoretical Computer Science,
32:321–330, 1984.
[Min67] Marvin Minsky. Computation, Finite and Infinite Machines.
Prentice Hall, 1967.
bibliography
[MMZ+ 01] Matthew W. Moskewicz, Conor F. Madigan, Ying Zhao,
Lintao Zhang, and Sharad Malik. Chaff: Engineering
an efficient SAT solver. In Design Automation Conference,
DAC 2001, pages 530–535, 2001.
[Mon10] David Monniaux. Quantifier elimination by lazy model
enumeration. In Computer Aided Verification, CAV 2010,
pages 585–599, 2010.
[MPS98] Anca Muscholl, Doron Peled, and Zhendong Su. Deciding properties for message sequence charts. In Foundations of Software Science and Computation Structure, FoSSaCS 1998, pages 226–242, 1998.
[MS85] David E. Muller and Paul E. Schupp. The theory of ends,
pushdown automata, and second-order logic. Theoretical
Computer Science, 37:51–75, 1985.
[MS03] Nicolas Markey and Ph. Schnoebelen. Model checking a
path. In CONCUR’03, Marseille, France, volume 2761 of
LNCS, pages 251–261. Springer, 2003.
[Pap94] Christos H. Papadimitriou.
Computational complexity. Amsterdam: Addison-Wesley Publishing Company,
1994.
[PBW06] Johan F.A.K. van Benthem Patrick Blackburn and Frank
Wolter. Handbook of Modal Logic. Studies in Logic and
Practical Reasoning. Elsevier Science, 2006.
[Pet81] James L. Peterson. Petri Net Theory and the Modeling of
Systems. Prentice Hall, 1981.
[Pnu77] Amir Pnueli. The temporal logic of programs. In Foundations Of Computer Science, FOCS 1977, pages 46–57, 1977.
[Pot91] Loic Pottier. Minimal solutions of linear diophantine systems: Bounds and algorithms. In International Conference
on Rewriting Techniques and Applications, RTA 1991, pages
162–173, 1991.
[Pre30] Mojżesz Presburger. Über die vollständigkeit eines
gewissen systems der arithmetik ganzer zahlen, in
welchem die addition als einzige operation hervortritt.
In Comptes Rendus du Premier Congrés des Mathematiciens
des Pays Slaves, pages 92–101, 1930.
[PW97] Doron Peled and Thomas Wilke. Stutter-invariant temporal properties are expressible without the next-time operator. Information Processing Letters, 63(5):243–246, 1997.
195
196
bibliography
[Rac78] Charles Rackoff. The covering and boundedness problems for vector addition systems. TCS, 6(2):223–231,
1978.
[RL78] C. R. Reddy and Donald W. Loveland. Presburger arithmetic with bounded quantifier alternation. In Symposium
on Theory of Computing, STOC 1978, pages 320–325, 1978.
[RTG+ 13] Andrew Reynolds, Cesare Tinelli, Amit Goel, Sava Krstic,
Morgan Deters, and Clark Barrett. Quantifier instantiation techniques for finite model finding in SMT. In International Conference on Automated Deduction, CADE 2013,
pages 377–391, 2013.
[SBD02] Aaron Stump, Clark W. Barrett, and David L. Dill. CVC:
A cooperating validity checker. In Computer Aided Verification, CAV 2002, pages 500–504, 2002.
[SC85] A. Prasad Sistla and Edmund M. Clarke. The complexity
of propositional linear temporal logics. JACM, 32(3):733–
749, 1985.
[Ser06] Olivier Serre. Parity games played on transition graphs
of one-counter processes. In Foundations of Software Science and Computation Structure, FoSSaCS 2006, pages 337–
351, 2006.
[Sho79] Robert E. Shostak. A practical decision procedure for
arithmetic with function symbols. J. ACM, 26(2):351–360,
1979.
[SJ80] Norihisa Suzuki and David Jefferson. Verification decidability of Presburger array programs. J. ACM, 27(1):191–
205, 1980.
[smt] Smt-comp homepage. http://www.smtcomp.org/.
[Sto74] Larry J. Stockmeyer. The complexity of decision problems in
automata and logic. PhD thesis, MIT, 1974.
[Sud78] Ivan Hal Sudborough. On the tape complexity of deterministic context-free languages. J. ACM, 25(3):405–414,
1978.
[Tap] PresTAF homepage. http://tapas.labri.fr.
[Tar55] Alfred Tarski. A lattice-theoretical fixpoint theorem and
its applications. Pacific Journal of Mathematics, 5(2):285–
309, 1955.
bibliography
[Tho96] Wolfgang Thomas. Languages, automata, and logic. In
G. Rozenberg and A Salomaa, editors, Handbook of Formal
Language Theory. Springer-Verlag, 1996.
[Var82] Moshe Y. Vardi. The complexity of relational query languages (extended abstract). In Symposium on Theory of
Computing, STOC 1982, pages 137–146, 1982.
[Var88] Moshe Y. Vardi. A temporal fixpoint calculus. In Symposium on Principles of Programming Languages, POPL 1988,
pages 250–259. ACM, 1988.
[VW94] Moshe Y. Vardi and Pierre Wolper. Reasoning about infinite computations. Information & Computation, 115(1):1–
37, 1994.
[Wal01] Igor Walukiewicz. Automata and logic, 2001. Lecture
notes.
[WB95] Pierre Wolper and Bernard Boigelot. An automatatheoretic approach to Presburger arithmetic constraints
(extended abstract). In Symposium on Static Analysis, SAS
1995, pages 21–32, 1995.
[Wil99] Thomas Wilke. CTL+ is exponentially more succinct
than ctl. In Foundations of Software Technology and Theoretical Computer Sciencem, FSTTCS 1999, pages 110–121,
1999.
[Wol83] Pierre Wolper. Temporal logic can be more expressive.
Information and Control, 56:72–99, 1983.
[WVS83] Pierre Wolper, Moshe Vardi, and Prasad Sistla. Reasoning about infinite computation paths. In Symposium on
Foundations of Computer Science, pages 185–194, 1983.
[Z3] Z3 homepage. http://z3.codeplex.com/.
197