Memoryfull Branching-Time Logic

Transcription

1 Memoryfull Branching-Time Logic Orna Kuferman 1 and Moshe Y. Vardi 2 1 Hebrew University, School of Engineering and Comuter Science, Jerusalem 91904, Israel orna@cs.huji.ac.il, URL: htt:// orna 2 Rice University, Deartment of Comuter Science, Houston, TX , U.S.A. vardi@cs.rice.edu, URL: htt:// vardi Abstract. Traditional branching-time logics such as CTL are memoryless: once a ath in the comutation tree is quantified at a given node, the comutation that led to that node is forgotten. Recent work in laning suggests that CTL cannot easily exress temoral goals that refer to whole comutations. Such goals require memoryfull quantification of aths. With such a memoryfull quantification, Eψ holds at a node s of a comutation tree if there is a ath π starting at the root of the tree and going through s such that π satisfies the linear-time formula ψ. In this work we define the memoryfull branching-time logic mctl and study its exressive ower and algorithmic roerties. In articular, we show that while the satisfiability roblem for mctl is 2EXPTIME-comlete not harder than that of CTL, its model-checking roblem is EXPSPACE-comlete exonentially harder than that of CTL. The uer bounds are obtained by extending the automata-theoretic aroach to handle memoryfull quantification, and are much more efficient than these obtained by translating mctl to branching logics with ast. 1 Introduction Since the introduction of temoral logic into comuter science by Pnueli in [Pnu77], the family of temoral logics has been widely acceted as an aroriate formal framework for the descrition of dynamic behavior, cf. [MP92]. Within this family, the branchingtime logic CTL has emerged as one of the more exressive logics [EH86], unifying the linear-time logic LTL [Pnu77] and the branching-time logic CTL [CE81]. While the modal fixoint logic [Koz83] is more exressive than CTL, it is in some sense a low-level logic, making it an unfriendly logic for users, whereas CTL can naturally exress comlex roerties of comutation trees. While the aroriateness of a branching-time logic for ractical formal verification is debatable [Var01], CTL is the right logic for alications that require comutation-tree reasoning. An examle of an alication that requires comutation-tree reasoning is sanity checks for the modeling of a system: verification is done with resect to a mathematical model of the system, and it is imortant to check that the model, whose generation tyically involves abstraction and reduction techniques, is correct. For examle, in order to detect vacuous satisfaction of secifications, one has to check the satisfaction of witness formulas [KV03], which are existential formulas describing a nontrivial behavior of the model. Likewise, in order to check that the model does not disable essential behaviors of the system, one has to check ossibility roerties [Lam98], which require comutations of the model to be extendible to comutations exhibiting the behaviors.

2 Another examle of a setting in which comutation-tree reasoning is required is automated task lanning [FN71,PW92], where given a descrition of a dynamic domain and of the basic actions that can be erformed on it, and given a goal that defines a success condition to be achieved, one has to find a suitable lan, that is, a descrition of the actions to be executed on the domain in order to achieve the goal. Classical lanning concentrates on the so called reachability goals, that is, on goals that define a set of final desired states to be reached (e.g., the red block is above the yellow block). Quite often, ractical alications require lans that deal with goals that are more general than sets of final states. Several lanning aroaches have been recently roosed, where temoral logic formulas are used as goal languages, thus allowing for goals that define conditions on the whole lan execution aths, i.e., on the sequences of states resulting from the execution of lans (see, e.g., [BK98,BK00,?,CM98,DLPT02,dGV99,KD01,PT01]). Most of these aroaches use LTL as the goal language. The temoral logic LTL allows one to exress reachability goals (e.g., F q reach q), maintainability goals (e.g., Gq maintain q), as well as goals that combine reachability and maintainability requirements (e.g., F Gq reach a set of states where q can be maintained), and Boolean combinations of these goals. In lanning in nondeterministic domains [CRT98b,PS92,War76], actions are allowed to have different outcomes, and it is not ossible to know at lanning time which of the different ossible outcomes will actually take lace. Nondeterminism in action outcome is necessary for modeling in a realistic way several ractical domains (e.g., robotics, autonomous controllers, etc.). For instance, in a realistic robotic alication one has to take into account that actions like ick u object might result in a failure (e.g., if the object slis out of the robot s hand). A consequence of nondeterminism is that the execution of a lan may lead to more than one ossible execution ath. Therefore, one has to distinguish between the case the given goal has to be satisfied by all the ossible execution aths ( strong lanning) and the case where the goal has to be satisfied only by some of the ossible execution aths ( weak lanning). In the case of an LTL goal ϕ, strong lanning corresonds to interreting the formula in a universal way, as the CTL formula as Aϕ, while weak lanning corresonds to interret it in an existential way, as the CTL formula Eϕ. Weak and strong lans are two very extreme ways of satisfiability of an LTL formula. In ractical alications, it might be imossible to achieve goals in a strong way: for instance, in the robotic alication it might be imossible to fulfill a given task if objects kee sliing from the robot s hand. On the other hand, weak lans are too unreliable, since they achieve the goal only under overly otimistic assumtions on the outcomes of action executions. In the case of reachability goals, strong cyclic lanning [CRT98a,?] has been shown to rovide a viable comromise between weak and strong lanning. Formally, a lan is strong cyclic if each ossible artial execution of the lan can always be extended to an execution that reaches some goal state. Strong cyclic lanning allows for lans that encode iterative trial-and-error strategies, like ick u an object until succeed. The execution of such strategies may loo forever only in the case the action ick u object continuously fails, and a failure in achieving the goal in the case of such an unfair execution is usually accetable. This always ossibly aroach corresonds to Lamort s ossibility roerties mentioned above. Insired by the work on strong cyclic lanning, Pistore and Vardi went on to exlore the different degrees in which an LTL formula ϕ can be satisfied that exist between the strong goal Aϕ and the weak goal Eϕ [PV03]. They showed that a two-layer game can 2

3 model the sectrum between strong and weak lanning. Player A chooses action outcomes in order to make goal ϕ fail, while layer E chooses action outcomes in order to satisfy the goal ϕ. The degree of strength of the temoral requirement is determined by the structure of the game: who makes the first move and how many turns. Pistore and Vardi then roosed a logic based on these ath games, using ath quantifiers A and E, which can exress the sectrum between strong and weak lanning. While the Pistore-Vardi logic is a branching-time logic, quite close to CTL, it is different from CTL. In CTL, a ath quantifier turns a ath formula into a ure state formula. Thus, for examle, the formula AGEϕ holds at a start state s 0 if for every state s reachable from s 0 there is a ath starting at s that satisfies ϕ; the truth of Eϕ deends only on the state in which it is evaluated. In contrast, in the Pistore-Vardi logic the formula AEϕ holds at a start state s 0 if for every state s reachable from s 0 there is a ath starting at s 0 and continuing through s that satisfies ϕ; the truth of Eϕ in a state deends also on the ath that lead to that state. In other words, while CTL ath quantifiers are memoryless, the ath quantifiers A and E are memoryfull 1. The Pistore-Vardi logic, however, does not have a standard logical syntax; for examle, it is not closed under conjunction and disjunction. We roose in this aer a memoryfull variant of CTL, which unifies CTL and the Pistore-Vardi logic. We name the new logic mctl. Semantically, mctl is obtained from CTL by reinterreting the ath quantifiers of the logic to be memoryfull 2. With memoryfull quantification, Eϕ holds at a node s of a comutation tree if there is a ath π starting at the root of the tree and going through s such that π satisfies the linear-time formula ϕ. Syntactically, we add a secial roosition resent, which is needed to emulate the ability of CTL to talk about the resent. One of our main results is that the addition of resent is needed to make mctl at least as exressive as CTL. (As in [BGK03], one can translate mctl to CTL via ath logic, but this translation is of nonelementary comlexity. We note that resent is not required to easily exress the Pistore-Vardi logic in mctl ; the strong cyclic goal of AEϕ is exressed in mctl by the formula AGEϕ.) We show that memoryfull quantification can be exressed in CTL extended with the ability to refer to the linear ast [KP95]. We note that the roosition resent of mctl is different from the Now used in [FLS02], in the context of branching temoral logics with ast. While the Now in [FLS02] is a unary temoral oerator, which chos away the ast, our resent is an atomic roosition that holds in the resent. We then examine two decision roblems related to mctl : satisfiability and model checking. We first show that satisfiability of mctl is 2EXPTIME-comlete, which is the same comlexity as that of CTL [EJ88,VS85]. Establishing the uer bound is quite nontrivial, as the standard automata-theoretic aroach to CTL satisfiability [ES84,KVW00] is strongly based on the memoryless character of CTL quantifiers. We describe an extension of the automata-theoretic framework that can handle memoryfull ath quantifiers. We then show that model checking mctl is significantly harder than model checking CTL. Model checking mctl is EXPSPACE-comlete, while model checking CTL is PSPACE-comlete [EL85]. Since our lower-bound roof uses an mctl - formula corresonding to Lamort s ossibility roerties, it also settles an oen question on the comlexity of model checking of such roerties, as well as the Pistore-Vardi logic. In 1 It is shown in [BGK03] that the Pistore-Vardi logic is exressible in CTL, but only a nonelementary translation, which goes through ath logic [HT87], is known. 2 Strictly seaking, mctl covers only the finite-alternation fragment of the Pistore-Vardi logic, leaving out the infinite-alternation fragment. 3

4 addition, our results, together with the linear translation of mctl to CTL with linear ast, imly new results about the comlexity of branching temoral logic with ast [LS00,FLS02,Mar03]. Our results show that the transition from memoryless to memoryfull quantifiers is significant. We can see now that the significant comlexity ga between CTL satisfiability, which is 2EXPTIME-comlete, and CTL model checking, which is PSPACE-comlete, is due to quantifier memoryless, which hels model checking [EL85] but not satisfiability [VS85]. 2 Preliminaries 2.1 The temoral logic memoryfull CTL The branching-time logic memoryfull CTL (mctl, for short) combines both branchingtime and linear-time oerators [EH86]. A ath quantifier E ( for some ath ) can refix an assertion comosed of an arbitrary combination of the linear-time oerators X ( next time ) and U ( until ). The syntax of mctl is similar to the syntax of CTL : there are two tyes of formulas in mctl : state formulas, whose satisfaction is related to a secific state, and ath formulas, whose satisfaction is related to a secific ath. The only difference in the syntax between the two logics is the fact mctl formulas may refer to a secial atomic roosition resent, which holds only in the resent. Formally, let AP be a set of atomic roosition names. An mctl state formula is either: true, false, resent, or, for all AP ; ϕ 1 or ϕ 1 ϕ 2, where ϕ 1 and ϕ 2 are mctl state formulas; Eψ, where ψ is an mctl ath formula. An mctl ath formula is either: An mctl state formula; ψ 1, ψ 1 ψ 2, Xψ 1, or ψ 1 Uψ 2, where ψ 1 and ψ 2 are mctl ath formulas. The logic mctl consists of the set of state formulas generated by the above rules. We define the size ϕ of ϕ as the number of state and ath subformulas that ϕ has. Note that our definition of size corresonds to the number of nodes in a reduced DAG reresentation of the formula. We use the usual and Boolean abbreviations. Additional temoral oerators can be obtained from X, U, and their negations (e.g., F ψ 1 = trueuψ 1 and Gψ 1 = F ψ 1 ). Finally, the ath quantifier A ( for all aths ) can be obtained by negating the ath quantifier E (i.e., Aψ = E ψ). The semantics of mctl is defined with resect to comutation trees. Given a finite set D of directions, a D-tree is a set T D such that if x d T where x D and d D, then also x T. The elements of T are called nodes, and the emty word ε is the root of T. The refix relation induces a artial order between nodes of T. Thus, for two nodes x and y, we say that x y iff there is some z D such that y = x z. For every x T, the nodes x d, for d D, are the successors of x. The direction of a node x d is d. The direction of the root is some designated d D, referred to as the root direction. We denote the direction of a node y T by dir(y). A node is a leaf if it has no successors. For a node x T, an x-ath of T is a minimal set π T such that x π and for every y π, either y is a leaf or there exists a unique d D such that y d π. When x = ε, 4

5 we say that π is a ath. For a ath π and a node x π, the suffix of π that starts at x is the x-ath π {y : x y}. Given an alhabet Σ, a Σ-labeled D-tree is a air T, τ where T is a D-tree and τ : T Σ mas each node of T to a letter in Σ. Of secial interest to us are Σ-labeled trees in which Σ = 2 AP for some set AP of atomic roositions. We call such Σ-labeled trees comutation trees. A comutation tree is often given by means of a Krike structure K = AP, W, R, w in, L, where AP is the set of atomic roositions, W is a set of states, R W W is a transition relation that must be total (i.e., for every w W there exists w W such that w, w R), w in is an initial state, and L : W 2 AP mas each state to the set of atomic roositions true in that state. A ath in K is an infinite sequence of states, π = w 0, w 1,... such that w i, w i+1 R for every i 0. We define the size K of K as W + R. The Krike structure K induces a comutation tree T K, τ K that corresonds to the unwinding of K from w in. Formally, T K, τ K is a 2 AP -labeled W -tree where T K W contains exactly all the refixes of aths in K that start at w in and τ K (x), for x T K, is L(dir(x)), with w in being the root direction. The difference between mctl and CTL is in the semantics of ath quantification. Consider a comutation tree. In CTL, ath quantification ranges over aths that start in the current node. In mctl, ath quantification ranges over aths that start at the root and visit the current node. For examle, the CTL formula AGEψ, for a linear formula ψ holds in a root of a comutation tree if a comutation satisfying ψ starts from every node in the tree. When viewed as an mctl formula, it holds in a comutation tree if for every node x of the tree, the ath from the root to x can be extended to a ath satisfying ψ. As discussed in Section 1, this corresonds to string cyclic lans [CRT98b,DTV99]. In articular, when ϕ = F, it states that has either occurred in the ast or is ossible in the future. This corresonds to Lamort s ossibility roerties [Lam98]. Thus, when evaluating ath formulas, one cannot ignore the ast and satisfaction may deend on the events that have taken lace since the beginning of the execution and until the resent. Below we define the semantics of mctl formally. Consider a comutation tree T, τ. For two nodes x and c in T and an mctl formula ϕ, we use x, c = ϕ to indicate that x satisfies ϕ with c being the resent. Similarly, π, x, c = ψ, for a ath formula ψ, iff the suffix of the ath π that starts at x satisfies ψ with c being the resent. Formally, we have the following (for known T and τ). For all x, c in T, we have x, c = true and x, c = false. x, c =, for AP, iff τ(x). x, c = resent iff x = c. x, c = ϕ 1 iff x, c = ϕ 1. x, c = ϕ 1 ϕ 2 iff x, c = ϕ 1 or x, c = ϕ 2. x, c = Eψ iff there exists a ath π such that x π and π, ε, x = ψ. π, x, c = ϕ for a state formula ϕ, iff x, c = ϕ. π, x, c = ψ 1 iff π, x, c = ψ 1. π, x, c = ψ 1 ψ 2 iff π, x, c = ψ 1 or π, x, c = ψ 2. π, x, c = Xψ iff π, x d, c = ψ, where d D is such that x d π. π, x, c = ψ 1 Uψ 2 iff π contains a node y x such that π, y, c = ψ 2 and for all x z < y, we have π, z, c = ψ 1. We say that a comutation tree T, τ satisfies an mctl formula ϕ iff ε, ε = ϕ. Note that while in CTL ath quantification ranges over aths that start in the current node, here 5

6 ath quantification ranges over aths that start at the root and visit the current node. Thus, when evaluating ath formulas, one cannot ignore the ast and satisfaction may deend on the events that have taken lace since the beginning of the execution and until the resent. Note also that formulas of the form Eψ reset the resent ; thus the satisfaction of Eψ with resect to x, c is indeendent of c, and the resent is set to x. The logic mctl - is a fragment of mctl in which the atomic roosition resent is not allowed. Thus, while CTL and mctl formulas can directly refer to the resent (in CTL, ath quantification starts in the resent, and in mctl, resent holds only in the resent), this is not the case for mctl - formulas. As we show in Section 3, mctl - cannot emulate the ability of CTL to refer to the resent, and is strictly weaker than mctl. Examles Consider the mctl formula AG( EF q). The formula states that whenever a node x is labeled with, then some ath that goes through x has a node labeled q. Thus, whenever holds, it is linearly ordered with q. Note that the secification of this roerty in CTL is much more comlicated. The formula AG(grant EF (req F (ack F resent))) demonstrates how mctl formulas can use the ability to refer to the resent with resent in order to refer to the ast. Indeed, the formula states that whenever a node x is labeled with grant, the ath from the root to x has a node labeled with req, followed by a node labeled with ack, followed by the resent. Thus, grants are given only if a request was issued and then acknowledged in the ast. Finally, The formula AG(ack EF (req F (resent F grant))) gives a different view of the same sequence of events and demonstrates how mctl formulas can refer to both the ast and the future. Indeed, the formula states that whenever a node x is labeled with ack, the ath from the root to x has a node labeled with req and some ath that starts in x has a node labeled with grant. Thus, acknowledgments are given only if a request was issued in the ast and and is going to be granted in the future. The definition of mctl leads to natural theoretical and ractical questions: in the theoretical front, we would like to study how the transition to a memoryfull ath quantification influences the exressive ower of the logic, its connection to logics with ast, and to standard CTL, as well as the necessity of the atomic roosition resent. In the ractical front, we would like to study how the transition influences the comlexity of the satisfiability and the model-checking roblems. The later is of articular interest as model-checking algorithms for CTL are based on a bottom-u reasoning, where internal state formulas are evaluated first and relaced by new atomic roositions [EL85]. Such reasoning cannot be alied with a memoryfull ath quantification. 3 Exressiveness In this section we discuss the exressive ower of mctl and mctl -. We show that while mctl and CTL are equally exressive, the ability to oint to the resent is crucial, thus mctl - is strictly weaker than mctl. Theorem 1. mctl and CTL are equally exressive. 6

7 Proof: We first rove that every CTL formula has an equivalent mctl formula of linear length. Consider a CTL formula ψ. An equivalent mctl formula can be obtained from ψ by relacing each subformula of the form Eξ by the formula EF (resent ξ). Clearly, the translation is linear. For the other direction, we show that every mctl formula can be translated to a monadic SnS formula in which all sets quantifiers are over aths. By [HT87], this fragment of SnS is as exressive as CTL. Since reference to the ast is easy in first-order logic, the translation of mctl formulas to monadic SnS formula in which all sets quantifiers are over aths is similar to the one described in [HT87] for CTL. Note that while the blow u in translating a CTL formula to an mctl formula is linear, the translation in the other direction goes via monadic SnS and is of nonelementary comlexity 3. We now show that this comlication originates from the ability of mctl to refer to the ast. Thus, if we extend CTL with ast temoral oerators, the translation is linear. Let CTL l and CTL l - denote the extension of CTL with ast oerators, with and without resent, resectively, where formulas are interreted over comutation trees, thus ast is linear [KP95]. Theorem 2. Every mctl (mctl -) formula has an equivalent CTL l (res. CTL l -) formula of linear length. Proof: Consider an mctl (mctl -) formula ψ. An equivalent CTL l (res. CTL l -) formula can be obtained from ψ by relacing each subformula of the form Eξ by the formula EF (init ξ), where F is the ast counterart o of F (that is, F ξ iff ξ holds along some suffix that starts in the ast), and init is a secial atomic roosition that labels the root of the tree (alternatively, init can be relaced by AXfalse, which holds only at the root). Clearly, the translation is linear. We note that the comlexity of the model-checking and the satisfiability roblems for CTL l and CTL l- is oen [KP95], thus Theorem 2 does not lead to a model-checking or decidability rocedure. In fact, the translation, together with the lower bounds we describe in Section 4 for mctl and mctl imroves the known lower bounds known for CTL l and CTL l -. Recall that the roosition resent emulates the ability of CTL to talk about the resent. Indeed, the translation we described, of CTL formulas to mctl formulas, uses resent. We now show that the use of resent is essential, thus mctl - is strictly weaker than mctl (and thus, also CTL ). Theorem 3. There is a CTL formula with no equivalent mctl - formula. Proof: We rove that the CTL formula ψ = EF (EX EX ) has no equivalent mctl - formula. For n 0, let K n and K n be the Krike structures described in Figure 1. It is not hard to see that K n satisfies ψ and K n does not. We rove that for all n 0, no mctl - formula ϕ with less than n X oerators can distinguish between K n and K n. Note that this imlies that no mctl - formula is equivalent to ψ. Indeed, if we assume by way of contradiction that such a formula ϕ exists, it has some fixed number n of X oerators, so it cannot distinguish between M n+1 and M n+1, whereas ψ does distinguish between them. 3 In Section 4 we show that mctl is at least exonentially more succinct than CTL 7

8 K n : K n :... n... n 1 Fig. 1. The Krike structures K n and K n. The roof is based on Woler s result that no LTL formula with less than n X oerators, for n 0, can distinguish between n ω and n+1 ω [Wol81]. We extend Woler s result to comutations and formulas over several atomic roositions. For a comutation π and an atomic roosition, we denote by π the rojection of π on. For two aths π and ρ, an atomic roosition, and n 0, we say that π and ρ are (, n)-indistinguishable if one of the following holds: π = ρ = ω, π = ρ = ( ) ω, π = n ω and ρ = n+1 ω, or π = ( ) n ( ) ω and ρ = ( ) n+1 ( ) ω. Lemma 1. Consider an LTL formula ξ over the set AP of atomic roositions. Let π and ρ be (, n)-indistinguishable for all AP. If ξ has less than n X oerators, then ξ cannot distinguish between π and ρ. The roof of Lemma 1 is by induction on the structure of ξ and is similar to the roof in [Wol81], which corresonds to the secial case where AP = 1. Let T n, τ n and T n, τ n be the 2{} -labeled {0, 1}-trees corresonding to the unwinding of K n and K n, resectively. Let P n T n be such that x P n iff τ n (x) = {}, and let Q n T n be such that x Q n iff τ n (x) =. Define P n and Q n similarly with resect to T n, τ n. Note that Q n = Q n = 2. Consider an mctl - formula ϕ. For a state subformula θ of ϕ (that is, θ is an atomic roosition, a formula of the form Eξ, or a Boolean combination of them), denote by f(θ) and f (θ) the set of nodes that satisfy θ in T n, τ n and T n, τ n, resectively. We claim that all the nodes in P n agree about the satisfaction of θ, and similarly for P n, Q n, and 8

9 Q n. Moreover, θ is satisfied in (all the nodes in) P n iff it is satisfied in (all the nodes in) P n, and similarly for Q n and Q n. Formally, we have the following. Lemma 2. For every state subformula θ of ϕ, the following holds: 1. P n f(θ) or P n f(θ) =, 2. Q n f(θ) or Q n f(θ) =, 3. P n f(θ) or P n f(θ) =, 4. Q n f(θ) or Q n f(θ) =, 5. P n f(θ) iff P n f (θ), and 6. Q n f(θ) iff Q n f (θ). Proof: The roof roceeds by an induction on the structure of θ. If θ is an atomic roosition, then θ =, so f(θ) = P n, f (θ) = P n, and we are done. If θ is a Boolean combination of state formulas, the lemma follows from the induction hyothesis. If θ is of the form Eξ, we roceed by an internal induction on the nesting deth of existential ath quantifiers in ξ. For the induction base, if there is no nested ath quantifier in ξ, then ξ is an LTL formula over. Therefore, by Lemma 1, the formula ξ cannot distinguish between n ω and n+1 ω the labels of the two aths of both T n, τ n and T n, τ n. Therefore, for every node x in T n or T n, the value of Eξ in x is the (same) value of ξ in these aths, and we are done. For the induction ste, let θ 1,..., θ k be the maximal strict state subformulas of ξ. Let q 1,..., q k be new atomic roositions corresonding to θ 1,..., θ k. Consider an extension of τ and τ to 2 {,q1,...,qk} such that for every 1 i k and x T n, we have that q i τ(x) iff x satisfies θ i. Similarly, for every x T n, we have that q i τ (x) iff x satisfies θ i. The induction hyothesis guarantees that the aths of T n, τ n and T n, τ n are airwise (q i, n)-indistinguishable, for all 1 i k. Hence, by Lemma 1, the formula ξ cannot distinguish between the aths of T n, τ n and T n, τ n. Therefore, for every node x in T n or T n, the value of Eξ in x is the (same) value of ξ in these aths, and we are done. Lemma 2 imlies that for every mctl - formula ϕ with less than n X oerators, ϕ is satisfied in the root of T n, τ n iff ϕ is satisfied in the root of T n, τ n. Thus, no mctl - formula with less than n X s can distinguish between K n and K n, and we are done. The fact that mctl - loses track of the resent whenever ath quantification is alied weakens its branching nature. This is reflected in the fact that the CTL formula we have used in the roof of Theorem 3 is similar to the formula with which Milner shows the differences between trace equivalence and bisimulation [Mil80]. This weakness of mctl - motivates us to focus, in the rest of this aer, in the logic mctl. 4 Decision Procedures In this section we study the model-checking and satisfiability roblems for mctl. We show that while the satisfiability roblem is not harder than the one for CTL, the modelchecking roblem is exonentially harder. For the uer bounds, we need to develo an automata-theoretic aroach for memoryfull branching temoral logic. For that, we start with definitions of alternating automata and introduce alternating automata with satellites. We then translate mctl formulas to such automata. 9

10 4.1 Alternating automata Automata over infinite trees (tree automata) run over Σ-labeled D-trees that have no leaves [Tho90]. Alternating tree automata generalize nondeterministic tree automata and were first introduced in [MS87]. Here we define symmetric alternating automata, which cannot distinguish between the different successors of a node, and send coies to the successors in either a universal or an existential manner [JW95,Wil99]. Let Ω = {, }, and let B + (Ω Q) be the set of ositive Boolean formulas over Ω Q; i.e., Boolean formulas built from elements in Ω Q using and, where we also allow the formulas true and false and, as usual, has recedence over. For a set S Ω Q and a formula θ B + (Ω Q), we say that S satisfies θ iff assigning true to elements in S and assigning false to elements in (Ω Q) \ S makes θ true. Consider a set D of directions. In a nondeterministic automaton A over Σ-labeled D- trees, with a set Q of states, the transition function δ mas an automaton state q Q and an inut letter σ Σ to a set of tules of states. Each tule suggests a nondeterministic choice for the automaton s next configuration. When the automaton is in a state q and is reading a node x with successors x d 1,..., x d n, and labeled by a letter σ, it roceeds by first choosing a tule q 1,..., q n δ(q, σ) and then slitting into n coies, where coy i enters the state q i and roceeds to the node x d i. In a symmetric automaton, the transition function δ mas q and σ to a formula in B + (Ω Q). Intuitively, an atom, q corresonds to coies of the automaton in state q, sent to all the successors of the current node. An atom, q corresonds to a coy of the automaton in state q, sent to some successor of the current node. When, for instance, the automaton is in state q, reads a node x with successors x d 1,..., x d n, and δ(q, V (x)) = (, q 1 ) (, q 2 ) (, q 2 ) (, q 3 ), the automaton can either send n coies in state q 1 to all the successors of x and a coy in state q 2 to one of the successors, or send a coy in state q 2 to one of the successors and a coy in state q 3 to one (ossibly the same) successor. So, while nondeterministic tree automata send exactly one coy to each successor, symmetric automata can send several coies to the same successor. On the other hand, symmetric automata cannot distinguish between left and right and can send coies to successor nodes only in either a universal or an existential manner. Formally, a symmetric automaton is a tule A = Σ, Q, δ, q in, α where Σ is the inut alhabet, Q is a finite set of states, δ : Q Σ B + (Ω Q) is a transition function, q in Q is an initial state, and α secifies the accetance condition (a condition that defines a subset of Q ω ). Let T = D. A run of a symmetric automaton A on an inut Σ-labeled D-tree T, τ is a tree T r, r (to be formally defined shortly) in which each node is labeled by an element of D Q. Unlike T, in which each node has exactly D children, the tree T r may have nodes with many children and may also have leaves. Thus, T r IN and a ath in T r may be either finite, in which case it ends in a leaf, or infinite. Each node of T r corresonds to a node of T. A node in T r, labeled by (x, q), describes a coy of the automaton that reads the node x of T and visits the state q. Note that many nodes of T r can corresond to the same node of T ; in contrast, in a run of a nondeterministic automaton on T, τ there is a one-to-one corresondence between the nodes of the run and the nodes of the tree. The labels of a node and its children have to satisfy the transition function. Formally, the run T r, r is a (D Q)-labeled IN-tree that satisfies the following: 1. ε T r and r(ε) = (ε, q in ). 10

11 2. Let y T r with r(y) = (x, q) and δ(q, V (x)) = θ. Then there is a (ossibly emty) set S Ω Q, such that S satisfies θ, and for all (c, s) S, the following hold: If c =, then for each d D, there is j IN such that y j T r and r(y j) = (x d, s). If c =, then for some d D, there is j IN such that y j T r and r(y j) = (x d, s). For examle, if T, τ is a {1, 2}-tree with τ(ε) = a and δ(q in, a) = q 1 q 2, then the nodes of T r, r at level 1 include one of the labels (1, q 1 ) or (2, q 1 ), and include both labels (1, q 2 ) and (2, q 2 ). Note that if θ = true, then y need not have children. This is the reason why T r may have leaves. Also, since there exists no set S as required for θ = false, we cannot have a run that takes a transition with θ = false. Each infinite ath ρ in T r, r is labeled by a word in Q ω. Let inf (ρ) denote the set of states in Q that aear in r(ρ) infinitely often. A run T r, r is acceting iff all its infinite aths satisfy the accetance condition. In Büchi automata, α Q, and an infinite ath ρ satisfies α iff inf (ρ) α. In co-büchi automata, α Q, and an infinite ath ρ satisfies α iff inf (ρ) α =. An automaton accets a tree iff there exists an acceting run on it. We denote by L(A) the language of the automaton A; i.e., the set of all labeled trees that A accets. We say that A is nonemty iff L(A). We denote by A q the automaton obtained from A by making q the initial state. The comlement of an automaton A is an automaton à that accets exactly all the tress that A rejects. In [KVW00], the authors introduce hesitant alternating automata (HAAs, for short) and show that CTL formulas can be translated to such automata. An HAA is an alternating automaton A = Σ, Q, δ, q 0, α, where α = G, B with G Q and B Q. That is, the accetance condition of HAAs consists of a air of sets of states. As in weak alternating automata [MSS88], there exists a artition of Q into disjoint sets Q 1,..., Q m and a artial order on these sets such that transitions lead to sets that are lower in the artial order. Formally, for every q Q i and q Q j for which q occurs in δ(q, σ), for some σ Σ, we have Q j Q i. In addition, each set Q i is classified as either transient, existential, or universal, such that for each set Q i and for all q Q i and σ Σ, the following hold: 1. If Q i is a transient set, then δ(q, σ) contains no states of Q i. 2. If Q i is an existential set, then δ(q, σ) only contains disjunctively related states of Q i. Thus, no state of Q i is in a scoe of a, and if δ(q, σ) is rewritten in DNF, then there are no two states of Q i in the same disjunct. 3. If Q i is a universal set, then δ(q, σ) only contains conjunctively related elements of Q i. Thus, no state of Q i is in a scoe of a, and if δ(q, σ) is rewritten in CNF, then there are no two states of Q i in the same conjunct. It follows that every infinite ath π of a run T r, r gets traed within some existential or universal set Q i. The ath then satisfies an accetance condition G, B if and only if either Q i is an existential set and inf(π) G, or Q i is a universal set and inf(π) B =. Note that the accetance condition of HAAs combines the Büchi and the co-büchi condition: existential sets refer to the Büchi condition G and universal sets refer to the co-büchi condition B. Given a transition function δ, let δ denote the dual function of δ. That is, for every q and σ with δ(q, σ) = θ, let δ(q, σ) = θ, where θ is obtained from θ by switching and, switching and, and switching true and false. If, for examle, θ = (true q) then θ = (false q), 11

12 Lemma 3. [MSS88,KVW00] Given an HAA A = Σ, Q, δ, q in, G, B, the alternating automaton à = Σ, Q, δ, q in, B, G is an HAA that comlements A. A satellite for an HAA A = Σ, Q, δ, q in, α is a deterministic word automaton U = Σ, Q, δ, q in with no accetance condition. For a node x = d 0 d k of a Σ-labeled D-tree T, τ, let word to(x) = τ(ε) τ(d 0 ) τ(d 0 d 1 ) τ(d 0 d 1 d k 1 ) be the word that labels the ath from the root to x. When the HAA reads a node x of the inut tree, its transitions may deend on δ (q in, word to(x)), namely on the state in which U would have been if we had run it along the aths of the tree. Formally, the transition function of A is δ : Q Σ Q B + (Ω Q), and is such that when A is in state q as it reads the node x, it roceeds according to δ(q, τ(x), δ (q in, word to(x))). Technically, an HAA with a satellite is equivalent to the HAA obtained by taking the roduct of A and U: the new state sace is Q Q, and whenever the roduct is in state q, q and reads a node x, the transition from q, q is obtained from δ(q, τ(x), q ) by relacing each atom s or s by (s, δ (q, τ(x))) or (s, δ (q, τ(x))), resectively. The accetance condition of the roduct HAA is induced by F. The artition of the state sace to sets, the artial order on the sets, and their classification into transient, universal, and existential are induced by these in A. Note that satellites are only a convenient way to describe HAA in which the state sace can be artitioned to two comonents, one of which is deterministic, indeendent of the other, has no influence on the accetance, and runs on all the branches of the tree. In articular, Lemma 3 holds also for HAA with satellites. It is sometimes convenient to describe the HAA and its satellite searately. In addition to clarity, the searation to A and U enables a tighter analysis of the comlexity of the nonemtiness roblem. Recall that the solution of the emtiness roblem for alternating automata involves alternation removal, which results in a nondeterministic automaton with exonentially many states. While the roduct of an HAA with n states and a satellite with n states has nn states, there is a need to ay the exonential rice of alternation removal in the rocess of the nonemtiness check only for A. Formally, we have the following. Theorem 4. The nonemtiness roblem for an HAA with n states and a satellite with n states can be solved in time 2 O(n log n +n 2 log n). Proof: Let A be an HAA with n states, and let U be its satellite with n states. We first claim that A is not emty iff it accets a tree of branching degree n. The roof of the claim is similar to the linear branching degree roerty of µ-calculus [CE81,SE89]. Now, we can translate A to a nondeterministic arity tree automaton A over trees of branching degree n, with n O(n) states, index O(n) [MS95], and with the same satellite U. By taking the roduct of A and U, we get a nondeterministic arity automaton with n n O(n) states, index O(n), and no satellite. Checking the nonemtiness of such an NPT requires time n O(n) n O(n2) = 2 O(n log n +n 2 log n) [EJ88,PR89]. Theorem 5. The 1-letter nonemtiness roblem for an HAA with n states, deth m, and a satellite with n states can be solved in sace O(m log 2 (nn )). Proof: Let A be an HAA with n states and deth m, and let U be its satellite with n states. We can translate A to an HAA with nn states, deth m, and no satellite. By [KVW00], checking the 1-letter nonemtiness of such an HAA requires sace O(m log 2 (nn )). 12

13 4.2 From mctl to HAA In this section we describe a translation of mctl formulas to HAA. In the sequel, we use the translation in order to obtain satisfiability and model-checking decision rocedures for mctl. We first need some definitions. For an mctl formula ψ, let sf (ψ) be the set of state subformulas of ψ. For two formulas θ and ϕ of ψ, we say that θ is maximal in ϕ if θ is a strict state subformula of ϕ and there exists no state formula between them, namely, there exists no strict subformula ξ of ϕ such that θ is a strict subformula of ξ. We denote by max(ϕ) the set of all formulas maximal in ϕ. For examle, max(a((x )U(EXq))) = {, EXq}. Consider an mctl formula ψ and a comutation tree T, τ. We say that a 2 sf (ψ) -labeled tree T, g is sound for ψ if for all x T and θ sf (ψ), we have that x, ɛ = θ iff θ g(x). Thus, a node x is labeled by exactly all the formulas in sf (ψ) that are satisfied in x, with ɛ being the resent (note that the fact ɛ is the resent is imortant only for θ = resent). Theorem 6. Given an mctl formula ψ, we can construct an HAA A ψ with 2 O( ψ ) states, deth O( ψ ), and a satellite with 2 2O( ψ ) states, such that A ψ runs on 2 sf (ψ) - labeled trees and accets exactly all trees that are sound for ψ and satisfy ψ. Proof: We first define the satellite U for A ψ. Consider a subformula of ψ of the form Eξ. Let U ξ = 2 sf (ψ), Q ξ, M ξ, Q in ξ, α ξ be a nondeterministic Büchi automaton on infinite words such that U ξ accets exactly all the comutations satisfying ξ [VW94]. Note that U ξ regards the formulas maximal in ϕ as atomic roositions (U ξ ignores the other formulas in sf (ψ)). Let Uξ d = 2sf (ψ), 2 Q ξ, Mξ d, {Qin ξ } be the deterministic automaton with no accetance condition obtained by alying the subset construction [RS59] to U ξ. Thus, for all S 2 Q ξ and σ 2 sf (ψ), we have that Mξ d(s, σ) = s S M ξ(s, σ). Now, the satellite U = 2 sf (ψ), Q, δ, q in is the crossroduct of all the automata U ξ d above (for all the subformulas Eξ of ψ). Intuitively, U sulies to A ψ the information required in order to evaluate ath formulas on aths that start in the root of the tree and visit the current node. When there is a need to check that Eξ holds in some node x, the automaton A ψ guesses a state q that is a member of the current state S 2 Q ξ of Uξ d (recall that 2Q ξ is a comonent in the state sace of the satellite) and it executes U q ξ along some x-ath. The osition in which A ψ starts the execution of U q ξ is the only osition in which the atomic roosition resent holds. Note that a correct guess of q and a successful run of U q ξ along some x-ath are ossible iff there is a ath that visits x and satisfies ξ, which corresonds to the semantics of Eξ. As in the case of the HAA for CTL [KVW00], we construct A ψ by induction on the structure of ψ. With each subformula ϕ of ψ, we associate an HAA A ϕ comosed from HAAs associated with formulas maximal in ϕ. We assume that the state sets of comosed HAAs are disjoint (otherwise, we rename states). The HAA A ϕ assumes that the tree is sound for the formulas in max(ϕ) and only checks the satisfaction of ϕ under this assumtion. We then define A ψ as the intersection of A ψ with an automaton that checks, by sending coies to the different A ϕ automata, that the inut tree is indeed sound with resect to ψ. If ϕ = for AP or = resent, then A ϕ is the one-state HAA that goes to true when it reads σ with σ and goes to false otherwise. 13

14 If ϕ = ϕ 1, then A ϕ is Ãϕ 1 the HAA obtained by dualizing the HAA A ϕ1 for ϕ 1. If ϕ = ϕ 1 ϕ 2, then A ϕ = 2sf (ψ), Q 1 Q 2 {q in }, δ, q in, G 1 G 2, B 1 B 2, where A ϕ i = 2 sf (ψ), Q i, δ i, qin i, Gi, B i, q in is a new state and δ is defined as follows. For states in Q 1 and Q 2, the transition function δ agrees with δ 1 and δ 2, resectively. For the state q in and for all σ 2 sf (ψ) and q Q, we have δ(q in, σ, q ) = δ(qin 1, σ, q ) δ(qin 2, σ, q ). Thus, in the state q in, the HAA A ϕ sends all the coies sent by A ϕ 1 or all the coies sent by A ϕ 2. The singleton {q in } constitutes a transient set, with the ordering {q in } > Q i for all the sets Q i in Q 1 and Q 2. If ϕ = Eξ, where ξ is an mctl ath formula, we roceed as follows. Let U ξ = 2 sf (ψ), Q ξ, M ξ, Q in ξ, α ξ. Recall that the state sace Q of the satellite U is the roduct of the state saces of the deterministic automata for the ath formulas. Thus, each state q Q has a comonent for each of these automata, and in articular for Uξ d. Consider a state q Q. Let q ξ be the state of U ξ d in q. Note that q ξ 2Q ξ. Then, A ϕ = 2 sf (ψ), Q ξ, δ, q in, α ξ, is defined so that from its initial state q in, it consults the satellite s state q and executes U ξ along a single ath, starting from some state in q ξ. The roosition resent holds exactly at the node in which the execution of U ξ starts, thus its first transition assumes that resent holds. Formally, for all σ 2 sf (ψ) and q Q, we have δ (q in, σ, q ) = s. s q ξ s M ξ (s,σ {resent}) Also, for all q Q ξ, we have δ (q, σ, q ) = q i M ξ (q,σ) q i. If M ξ (q, σ) =, then δ(q, σ, q ) = false. Note that the only transition in which the inut from the satellite is taken into an account is the transition from q in, where A ϕ chooses a state from q ξ to roceed with. Note also that Q ξ constitutes a single existential set. The HAA A ϕ accets a 2 sf () -labeled tree from node x iff x satisfies ϕ, assuming the inut tree is sound for the formulas in max(ϕ). The states in Q ξ constitute an existential set of the HAA. We now add to A ψ transitions that check that the inut tree is indeed sound for ψ, thus the letter read at node x describes the set of formulas satisfied in x. For this urose, we add a new state q check. Whenever A ψ is in state q check and reads a letter σ, it sends coies sent from the initial states of the HAA A ϕ i = 2 sf (ψ), Q i, δ i, qin i, Gi, B i, for all ϕ i σ, sends coies sent from the initial states of the HAA Ã ϕ i = 2 sf (ψ), Q i, δ i, qin i, Bi, G i, for all ϕ i σ, (and also sends a coy that stays in q check to all the successors). Formally, for all σ 2 sf (ψ) and q Q, we have δ(q check, σ, q ) = q check δ i (qin i, σ, q ) δ i (qin i, σ, q ). ϕ i σ The HAA A ψ = 2 sf (ψ), Q, δ, q in, G, B is such that Q is the union of {q in, q check } with the union of the state saces of A θ, for θ sf (ψ). The initial state q in checks for the satisfaction of ψ and for the soundness with resect to ψ, thus δ(q in, σ, q ) = δ ψ (q ψ in, σ, q ) δ(q check, σ, q ), where δ ψ and q ψ in are the transition function and initial state of A ψ. Finally, G = ϕ i sf (ψ) Gi and B = ϕ i sf (ψ) Bi. The state q in is transient and the state q check constitute a singleton universal set of the HAA. ϕ i σ 14

15 The arguments about the correctness of the construction, its size, and its deth, are similar to these in [KVW00], and are given in Aendix A Satisfiability Theorem 7. The satisfiability roblem for mctl is 2EXPTIME-comlete. Proof: We start with the uer bound. Consider an mctl - formula ψ. By Theorem 6, there is an HAA A ψ with 2 O( ψ ) states, deth O( ψ ), and a satellite with 2 2O( ψ ) states such that L(A ψ ) is exactly the set of 2 sf (ψ) -labeled trees that are sound for ψ and satisfy ψ. The HAA A ψ is nonemty iff ψ is satisfiable. By Theorem 4, the nonemtiness of A ψ can be decided in time 2 2O( ψ ), which is therefore also the time required for deciding the satisfiability of ψ. It is left to rove the lower bound. By Theorem 1, each CTL formula can be linearly translated to an equivalent mctl formula. The lower bound then follows from the fact CTL satisfiability is 2EXPTIME-hard [VS85]. Note that the alication of the 2EXPTIME lower bound of CTL satisfiability is not ossible for mctl -, and the exact comlexity of the satisfiability roblem for this logic is left oen. 4.4 Model Checking For CTL, the automata-theoretic aroach is similar for satisfiability and model checking: the HAA for a CTL formula ψ accets exactly all 2 AP -labeled trees that satisfy ψ, so satisfiability is reduced to emtiness and model checking to 1-letter emtiness (that is, emtiness for an automaton with a singleton alhabet) of the roduct of the HAA with the system [KVW00]. In the case of mctl, the need to execute the word automata for the ath formulas from the root of the tree, has forced us to define the HAA with resect to 2 sf (ψ) -labeled trees. While this was not a roblem for satisfiability, it is a roblem for model checking, where we need to take the roduct of the HAA with a Krike structure that is labeled by 2 AP. Fortunately, this is not a real roblem, as it is ossible to guess an extension of the 2 AP -labeling to a 2 sf (ψ) -labeling, and then let the HAA check the soundness of the guess. Theorem 8. Given an mctl formula ψ, we can construct an HAA A AP ψ with 2 O( ψ ) states, deth O( ψ ), and a satellite with 2 2O( ψ ) states, such that A AP ψ runs on 2 AP - labeled trees and accets exactly all trees that satisfy ψ. Proof: The construction is similar to the one described in Theorem 6, only that we have to adjust the HAA and its satellite to the alhabet 2 AP. Intuitively, instead of having the inut tree labeled by subsets of sf (ψ), we let the satellite guess the richer labels, and then let the HAA check the guess. Thus, the satellite is nondeterministic on to of its deterministic transition we add a guess of the subset of sf (ψ) to be read in the successor node. Yet, running the HAA on a 2 AP -labeled tree, and letting it check the guesses, guarantees that word to(x) can be viewed as a word in (2 sf (ψ) ) rather than a word in (2 AP ). Accordingly, δ (q in, word to(x)) is a singleton, as in the case of a deterministic satellite. 15

16 Formally, if in the construction in Theorem 6 we ended u with a satellite U = 2 sf (ψ), Q, δ, q in and HAA A ψ = 2 sf (ψ), Q, δ, q in, G, B, now we have a satellite U AP = 2 AP, Q 2 sf (ψ), δ AP, q in where for all q, σ Q 2 sf (ψ) and σ 2 AP, we have δ AP ( q, σ, σ ) = {δ (q, σ)} 2 sf (ψ), and A AP ψ = 2AP, Q, δ AP, q in, G, B, where for all q Q, σ 2 AP, and q, σ Q 2 sf (ψ), we have δ AP (q, σ, q, σ ) = δ(q, σ, q ) ϕ i σ δi (q i in, σ, q ) ϕ i σ δ i (q i in, σ, q ). Theorem 9. The model-checking roblem for mctl is EXPSPACE-comlete. Proof: We start with the uer bound. Consider an mctl formula ψ. By Theorem 6, there is an HAA A ψ with 2 O( ψ ) states, deth O( ψ ), and a satellite with 2 2O( ψ ) states, such that L(A ψ ) is exactly the set of comutation trees satisfying ψ. Consider a Krike structure K. By [KVW00], K satisfies ψ iff the 1-letter HAA obtained by taking the roduct of K with A ψ is not emty. The roduct has K 2 O( ψ ) states, deth O( ψ ), and a satellite with 2 2O( ψ ) states. Thus, by Theorem 5, its 1-letter nonemtiness roblem can be solved in sace ψ log 2 ( K 2 2O( ψ ) ) = ψ (log 2 K + 2 O( ψ ) log K + 2 O(ψ) ). Note that the comlexity is only logarithmic in the size of the structure, and the exonential deendency is in the length of the formula, which is usually much smaller. In order to rove the EXPSPACE lower bound, we do a reduction from the exonential tiling roblem. In this roblem, we are given a fixed set T of tiles, two relations H, V T T, an integer n, a tule of n tiles t 0,..., t n 1 T n, and a tile t fin T. The roblem is to decide whether there is m 0 such that it is ossible to tile a (2 n m)- square so that horizontal neighbors belong to H, vertical neighbors belong to V, the first n tiles in the first row are t o,..., t n 1, and the first tile in the last row is t fin. Thus, formally, a legal tiling is a function t : {0,..., 2 n 1} {0,..., m 1} T such that: (1) for all 0 i 2 n 2 and 0 j m 1, we have that H(t(i, j), t(i + 1, j)), (2) for all 0 i 2 n 1 and 0 j m 2, we have that V (t(i, j), t(i, j + 1)), (3) for all 0 j n 1, we have that t(0, j) = t j, and (4) t(0, m 1) = t fin. The exonential tiling roblem is known to be EXPSPACE-comlete [Lew78]. Given a tiling roblem T = T, H, V, n, t 0,..., t n 1, t fin, we construct an mctl formula ϕ over a fixed set AP of atomic roositions such that a legal tiling for T exists iff the universal model M AP for AP (that is, a clique in which each node is labeled by a different subset of AP ) satisfies ϕ. The formula ϕ is of length olynomial in T, and the size of M AP is fixed, so we actually rove that the EXPSPACE lower bound holds for structures of a fixed size. Some of the atomic roositions in AP encode tiles in T. We refer to a word π (2 AP ) ω as an attemt to encode a legal tiling t. We divide the word π to blocks of length n. Every block corresonds to a single location (in which we lace a single tile) in the (2 n m)-square. An atomic roosition in AP that acts as a 2 n -counter encodes the column i {0,..., 2 n 1} of the location. The tile in each location is encoded in the first oint in the block. In addition, we mark the first oint of each block by an atomic roosition b, and mark the first oint of blocks that encode locations with i = 2 n 1 by an atomic roosition l. Proer increase of the counter as well as correct labelling of b and l can be forced by an LTL formula ξ. Let t 0... t 2n 1, t 0... t 2 n 1 be two successive rows of the tiling t. For each 0 i 2 n 1 we know, given t i, the ossible values for t i+1 (these for which H(t i, t i+1 ), in case i < 2 n 1) and the ossible values for t i (these for which V (t i, t i )). Consistency with 16