A New Decidability Proof for Full Branching Time Logic CPL

N.V. Shilov (*)
Research On Program Analysis System (ROPAS)
Department of Computer Science
Korean Advanced Institute of Science and Technology (KAIST)
Kusong-dong Yusong-gu 373-1 Taejon 305-701, Republic of Korea
shilov@ropas.kaist.ac.kr
http://ropas.kaist.ac.kr/shilov

May 17, 2000

Abstract

A so-called Program Scheme Technique (PST) is a self-contained, automata-free technique for proving elementary decidability of program and polymodal propositional logics. A particular advantage of PST is its expressive power, which is equal to the expressive power of the Second Order Theory of Monadic Successors in Herbrand Models. This time it leads to decidability of CTL* with a double exponential upper time bound.

Key words: full branching time logic, second order propositional dynamic logic.

Submission for: International Conference on Temporal Logic (ICTL2000).

1 Introduction

Temporal logic has been shown to provide a convenient framework for reasoning about properties of a broad class of systems which can be presented or simulated by computer programs. A. Pnueli was the first who proposed to use temporal logic for reasoning about programs [1]. His approach for specification

(*) While on leave from A.P. Ershov Institute of Informatics Systems of Siberian Division of Russian Academy of Science, Novosibirsk, Russia.
of concurrent and reactive systems is now well developed [2], as is a deductive methodology for proving their properties [3]. Part of the reason for the further success of temporal logic is automatic model checking of specifications expressed in propositional-level temporal logics for finite state systems [14]. It is known that the model checking problem for finite state systems is polynomial hard for the basic propositional branching time logic called Computation Tree Logic (CTL) [4], while it is PSPACE-complete for the basic propositional linear temporal logic (PLTL) [5]. A more careful analysis of the computational complexity of the combined temporal logic CTL* (called Full Branching Time Logic) led to a polynomial upper time bound in the number of states of a system and an exponential upper time bound in the length of a formula [6].

Decidability is another fundamental algorithmic property of CTL*. It is well known [8] that CTL* has a double exponential lower time bound, but a complete proof of the same upper time bound was published only quite recently [15]. The last cited result, as well as an exponential upper time bound for the propositional μ-Calculus [10], are proved in [15] on the basis of an improved upper time bound for checking emptiness of special non-deterministic automata on infinite trees. Another impressive application of the automata technique to decidability of propositional program logics is the exponential upper time bound for the propositional μ-Calculus with program converse, which was also proved quite recently [11] by means of two-way alternating automata on infinite trees.

A so-called Program Scheme Technique (PST) [19, 20, 21] is an alternative technique for proving decidability of program and polymodal propositional logics. It is a completely self-contained, automata-free technique. In [19, 20] PST led to exponential decidability of the propositional μ-Calculus; in [21] a revised PST led to exponential decidability of the propositional μ-Calculus with program converse.
This time PST is applied to decidability of CTL* and yields a new automata-free proof of the double exponential upper time bound. Preliminary versions of PST were designed in collaboration with Prof. V.A. Nepomniaschy in 1983-88 [16, 17, 18].

PST is based on a reduction of the decidability of a propositional program logic to the validity problem in Herbrand Models of the Second Order Propositional Dynamic Logic of program schemata (SOPDL). SOPDL is a variant of Propositional Dynamic Logic (PDL) [23] with second order quantifiers (weak as well as strong) and non-deterministic monadic (Ianov) program schemata [28, 27, 29]. Unfortunately SOPDL is undecidable, but validity in Herbrand Models (i.e. models for the Second Order Theory of Monadic Successors [30]) is decidable with an exponential upper time bound [19, 20]. A particular advantage of SOPDL in Herbrand Models is its expressive power, which is equal to the expressive power of the Second Order Theory of Monadic Successors (since the propositional μ-Calculus in Herbrand Models and the Second Order Theory of Monadic Successors have equal expressive power [22]). We suppose that this is the basic reason why PST is as powerful as the automata-theoretic technique.

The utility of PST is closely related to the expressive power and exponential decidability of SOPDL in Herbrand Models:
if a propositional program logic is decidable due to an interpretation in the Second Order Theory of Monadic Successors, then it is reasonable to try to prove elementary decidability by an interpretation of the logic in SOPDL in Herbrand Models. This time this utility leads to decidability of CTL*; previously it led to decidability of the μ-Calculus [19, 20] and the μ-Calculus with converse [21].

We would like to remark also that CTL* and the propositional μ-Calculus are closely connected not only through the automata-based or schemata-based decidability technique: the propositional μ-Calculus can encode CTL* as well as some other temporal, program and polymodal logics [31]. Nevertheless, due to the non-triviality of these embeddings, automata-based and schemata-based decision procedures for CTL* differ from the corresponding decision procedures for the propositional μ-Calculus.

The remaining part of the paper comprises two sections. Syntax and semantics of CTL* and SOPDL are defined in Section 2. A reduction of the decidability problem for CTL* to validity in Herbrand Models for SOPDL is described in Section 3. This exponential reduction, together with exponential decidability of the validity problem in Herbrand Models for SOPDL, implies the double exponential upper time bound for CTL*.

2 Two Program Logics: CTL* and SOPDL

The Full Branching Time Logic (or Full Computation Tree Logic) CTL* [7, 8, 9, 12, 13, 14, 15] is a powerful propositional temporal logic for reasoning about states and sequences of states of a program. The syntax of CTL* is constructed from boolean values $B$ and a finite alphabet of propositional variables $P$ and consists of two parts: state formulae $F^{stt}$ and path formulae $F^{pth}$. A context-free definition of both follows:

$$F^{stt} ::= B \mid P \mid (\neg F^{stt}) \mid (F^{stt} \wedge F^{stt}) \mid (\mathbf{E}\, F^{pth});$$

$$F^{pth} ::= F^{stt} \mid (\neg F^{pth}) \mid (F^{pth} \wedge F^{pth}) \mid (X_s F^{pth}) \mid (F^{pth}\, U_w\, F^{pth}).$$

The semantics of CTL* is defined in models, which are temporal Kripke structures.
A temporal Kripke structure $T$ is a triple $(D_T, R_T, L_T)$ where $D_T$ is a nonempty set of states, $R_T \subseteq D_T \times D_T$ is a nonempty binary relation and $L_T : D_T \to 2^P$ is a labeling. A fullpath in a model $T$ is a maximal sequence $seq$ of states $s_1 \ldots s_i s_{i+1} \ldots$ such that $(s_i, s_{i+1}) \in R_T$ for every pair of adjacent states $(s_i, s_{i+1})$ in $seq$. If $seq = s_1 \ldots s_i \ldots$ is a fullpath then for every finite $i \le |seq|$ let us denote by $seq_i$ the state $s_i$ and by $seq^i$ the suffix $s_i \ldots$.

For every model $T = (D_T, R_T, L_T)$ the validity relation $\models_T$ between states and state formulae and between fullpaths and path formulae can be defined inductively with respect to the structure
of formulae. For boolean constants and propositional connectives the validity relation is defined in the standard way, while we have

1. $s \models_T p$ iff $p \in L_T(s)$, where $p \in P$;
2. $seq \models_T\ $ iff $seq_1 \models_T\ $, where $\ \in F^{stt}$;
3. $s \models_T (\mathbf{E}\ )$ iff $seq \models_T\ $ and $seq_1 = s$ for some fullpath $seq$;
4. $seq \models_T (X_s\ )$ iff $|seq| \ge 2$ and $seq^2 \models_T (X_s\ )$;
5. $seq \models_T (\ U_w\ )$ iff either $seq^i \models_T\ $ for every finite $i \le |seq|$, or $seq^j \models_T\ $ for some finite $j \le |seq|$ and $seq^i \models_T\ $ for every finite $i < j$.

The Second Order Propositional Dynamic Logic (SOPDL) [20] is an extension of Propositional Dynamic Logic (PDL) [23, 24, 29, 25, 26] with quantifiers over propositional variables. The syntax of SOPDL is constructed from the same alphabets $B$ and $P$ as above and from an additional finite alphabet $A$ of action variables. The syntax consists of (non-deterministic monadic program (Ianov)) schemata $S$ and (logical) formulae $F^{SO}$. A definition of program schemata follows.

A label is a natural number or the special symbol $\infty$; $0$ is called the start-label while $\infty$ is the exit-label. An assignment is an expression of the form $l : a\ \mathbf{goto}\ L$, where $l$ is a label, $a$ is an action variable and $L$ is a finite set of labels (1). A test is an expression of the form $l : \mathbf{if}\ A\ \mathbf{then}\ L^+\ \mathbf{else}\ L^-$, where $l$ is a label, $A$ is a boolean formula (2) and $L^+, L^-$ are finite sets of labels (1). A (program) scheme is a finite set of assignments and tests. Elementary programs $S^e$ are special schemata of two kinds: $(a)$ is $\{0 : a\ \mathbf{goto}\ \{\infty\}\}$ and $(A?)$ is $\{0 : \mathbf{if}\ A\ \mathbf{then}\ \{\infty\}\ \mathbf{else}\ \{0\}\}$, where $a$ is an action variable, while $A$ is a boolean formula.

A formal context-free definition of formulae follows:

$$F^{SO} ::= B \mid P \mid (\neg F^{SO}) \mid (F^{SO} \wedge F^{SO}) \mid (F^{SO} \vee F^{SO}) \mid ([S]F^{SO}) \mid (\langle S \rangle F^{SO}) \mid$$
$$\underbrace{(\exists P.F^{SO}) \mid (\forall P.F^{SO})}_{\text{strong quantifiers}} \mid \underbrace{(\exists_f P.F^{SO}) \mid (\forall_f P.F^{SO})}_{\text{weak quantifiers}} \mid \underbrace{(\Box F^{SO}) \mid (\Diamond F^{SO})}_{\text{S5-modalities}}$$

(1) The empty set $\emptyset$ (abort) is admissible also.
(2) A propositional combination of boolean constants and propositional variables.
Semantics of SOPDL is defined in models, which are special Kripke structures called Labeled Transition Systems. A model $M$ is a pair $(D_M, I_M)$ where the domain $D_M$ is a nonempty set, while the interpretation $I_M$ is a pair of special mappings $(P_M, R_M)$. Elements of the domain $D_M$ are called states. The interpretation maps propositional variables into sets of states and action variables into binary relations on states:

$$P_M : P \to 2^{D_M}, \qquad R_M : A \to 2^{D_M \times D_M}.$$

We write $I_M(p)$ and $I_M(a)$ instead of $P_M(p)$ and $R_M(a)$ whenever it is implicit that $p$ and $a$ are propositional and action variables respectively.

The semantics of program schemata in models (i.e. Labeled Transition Systems) are their input-output relations, which can be defined in different but equivalent manners [25, 27, 28, 29]. We would like to write $s' \langle\ \rangle_M s''$ iff the pair of states $(s', s'')$ is in the input-output relation of a scheme in a model $M$.

For every model $M$ the validity relation $\models_M$ between states and formulae of SOPDL can be defined too. Propositional operations have the usual semantics. For a program scheme the semantics of the associated modalities $[\ ]$ and $\langle\ \rangle$ is the same as for the usual K-modalities but with respect to the input-output semantics of the scheme. Modalities $\Box$ and $\Diamond$ are the usual S5-modalities "in all states" and "in some state" respectively. The semantics of quantifiers is straightforward from their names: "for all/some (finite) interpretations of a propositional variable as a unary predicate". Formally we have:

1. $s \models_M p$ iff $s \in I_M(p)$, where $p \in P$;
2. $s \models_M (\neg\ )$ iff it is not the case that $s \models_M\ $;
3. $s \models_M (\ \wedge\ )$ iff $s \models_M\ $ and $s \models_M\ $;
4. $s \models_M (\ \vee\ )$ iff $s \models_M\ $ or $s \models_M\ $;
5. $s \models_M (\langle\ \rangle\ )$ iff $(s, s') \in I_M(\ )$ and $s' \models_M\ $ for some state $s'$;
6. $s \models_M ([\ ]\ )$ iff $(s, s') \in I_M(\ )$ implies $s' \models_M\ $ for every state $s'$;
7. $s \models_M (\exists p.\ )$ iff $s \models_{M_{S/p}}\ $ for some $S \subseteq D_M$;
8. $s \models_M (\forall p.\ )$ iff $s \models_{M_{S/p}}\ $ for every $S \subseteq D_M$;
9. $s \models_M (\Diamond\ )$ iff $s' \models_M\ $ for some state $s'$;
10. $s \models_M (\Box\ )$ iff $s' \models_M\ $ for every state $s'$;
11.
$s \models_M (\exists_f p.\ )$ iff $s \models_{M_{S/p}}\ $ for some finite $S \subseteq D_M$;
12. $s \models_M (\forall_f p.\ )$ iff $s \models_{M_{S/p}}\ $ for every finite $S \subseteq D_M$,

where $M_{S/p}$ is the model which agrees with $M$ everywhere except on $p$: $I_{M_{S/p}}(p) = S$.
3 Interpretation of CTL* in SOPDL

First, for technical convenience, let us define a special set of structured schemata (called programs in the PDL framework). Structured schemata are constructed from elementary programs $S^e$ by means of (sequential) composition, (nondeterministic) choice and (nondeterministic) iteration. A context-free definition of structured schemata $S^s$ follows:

$$S^s ::= S^e \mid \underbrace{(S^s ; S^s)}_{\text{composition}} \mid \underbrace{(S^s \cup S^s)}_{\text{choice}} \mid \underbrace{(S^s)^*}_{\text{iteration}}$$

i.e. structured schemata are regular expressions over elementary programs with `;' for concatenation and `$\cup$' instead of `+'. Let us omit (due to space limitations) the boring syntactical details of the representation of structured schemata as finite sets of operators; the page illustrates them only by flowchart pictures of composition, choice and iteration, which are not reproduced here. Let us remark also that deterministic choice as well as the deterministic while-loop and until-loop are expressible in terms of nondeterministic choice and nondeterministic iteration:

- $\mathbf{if}\ A\ \mathbf{then}\ \ \mathbf{else}\ $ is $((A?);\ ) \cup (((\neg A)?);\ )$,
- $\mathbf{while}\ A\ \mathbf{do}\ $ is $((A?);\ )^* ; ((\neg A)?)$,
- $\mathbf{do}\ \ \mathbf{until}\ A$ is $(\ ; (\neg A)?)^* ; (\ ; (A)?)$.

Then, also for technical convenience, let us extend SOPDL by the ability to use arbitrary formulae as conditions in tests, not only boolean ones. We refer to this ability as complex tests. This extension does not increase the expressive power of the logic, since it is possible to eliminate complex conditions: for all formulae, for a new propositional variable $q$, the formula is equivalent to the formula $\exists q.(\Box(q \leftrightarrow\ ) \wedge (q/\ ))$, where $\leftrightarrow$ is the standard abbreviation for boolean equivalence. But we should be aware that, due to the use of $\leftrightarrow$, the elimination of complex tests can cause an exponential blow-up of the size of an equivalent formula without complex tests.

Finally let us define a special class of labeled transition systems called Herbrand Models.
All Herbrand Models have a fixed domain $D_H$ and a fixed interpretation $R_H$ of action variables, while the interpretation $P_H$ of propositional variables varies. The Herbrand Domain $D_H$ is $A^*$, the free semi-group generated by $A$, i.e. the set of all words over $A$. This set includes the empty word $\varepsilon$ and can be presented as an infinite tree. The Herbrand Interpretation $R_H$ of an action variable $a$ is a total function $R_H(a) : D_H \to D_H$ such that $w \mapsto aw$ for every $w \in A^*$. In particular, Herbrand Models are models for Rabin's Second Order Theory of Monadic Successors S(n)S [30].
Now we are ready to define a pair of translations: a translation $S$ of state formulae of CTL* and a translation $P$ of program schemata with path formulae of CTL* into SOPDL formulae with complex tests. Both algorithms use two disjoint fixed action variables $f$ and $g$. The background intuition behind these two algorithms is trivial: to simulate the next-state relation in a fullpath by a deterministic program $_p$ = ($\mathbf{while}\ p\ \mathbf{do}\ f; g$), a fullpath by means of a maximal sequence $\to_{\ _p} \to_{\ _p} \ldots$, and a choice of a fullpath by a quantifier $\exists p$, where $p$ is a new propositional variable.

Algorithm $S : F^{stt} \to F^{SO}$

- $S(p) = p$, where $p \in P$;
- $S(\neg\ ) = \neg S(\ )$;
- $S(\ \wedge\ ) = S(\ ) \wedge S(\ )$;
- $S(\mathbf{E}\ ) = \exists p. P(\ _p,\ )$, where $\ \in F^{pth}$, $p$ is a new propositional variable and $_p$ is the program ($\mathbf{while}\ p\ \mathbf{do}\ f; g$).

Algorithm $P : S \times F^{pth} \to F^{SO}$

- $P(\ ,\ ) = S(\ )$, where $\ \in F^{stt}$;
- $P(\ , \neg\ ) = \neg P(\ ,\ )$;
- $P(\ , (\ \wedge\ )) = P(\ ,\ ) \wedge P(\ ,\ )$;
- $P(\ , (X_s\ )) = \langle\ \rangle P(\ ,\ )$;
- $P(\ , (\ U_w\ )) = ?([\ ]P(\ ,\ ) \vee \langle\ \rangle \mathbf{true})$, where the bracketed program is $\mathbf{do}\ (P(\ ,\ )?;\ )\ \mathbf{until}\ P(\ ,\ )$.

Proposition 1. Let $T$ be a countable temporal Kripke structure $(D_T, R_T, L_T)$, and let us fix an enumeration of the immediate $R_T$-successors of every state. Let us fix some state $t$ also. Let $H : D_H \to D_T$ be a partial mapping from the Herbrand domain $D_H$ into the temporal domain $D_T$ such that $H(\varepsilon) = t$ while $H(g f^j w)$ is the $j$-th immediate $R_T$-successor of $H(w)$ (if defined) for all $w \in \{f, g\}^*$ and $j \ge 1$. Let $H$ be a Herbrand model generated by the two action variables $f$ and $g$ such that $w \in I_H(p)$ iff $p \in L_T(H(w))$ for all $p \in P$ and $w \in \mathrm{dom}\, H$. In these settings the following holds:

- For every state $s \in D_T$, word $w \in \{f, g\}^*$ and state formula $\ \in F^{stt}$, if $H(w) = s$ then $s \models_T\ $ iff $w \models_H S(\ )$.
- For every fullpath $seq$ in $T$, word $w \in \{f, g\}^*$ and path formula $\ \in F^{pth}$, if $H(w) = seq_0$ and a new propositional variable $p \notin P$ is interpreted by $I_H$ to be invalid on a word $f^m g f^{n_i} \ldots g f^{n_1} w$ ($m, i, n_1, \ldots, n_i \ge 0$) iff $seq_{i+1}$ is the $m$-th immediate $R_T$-successor of $seq_i$, then $seq \models_T\ $ iff $w \models_H P(\ _p,\ )$, where $_p$ is the program ($\mathbf{while}\ p\ \mathbf{do}\ f; g$).
Proposition 2. Let $H$ be a Herbrand model generated by two action variables $f$ and $g$, and let $T$ be the temporal Kripke structure $(D_T, R_T, L_T)$ with $D_T = D_H$, $R_T = \{(w, g f^j w) : w \in \{f, g\}^*,\ j \ge 0\}$ and $L_T(w) = \{p \in P : w \in I_H(p)\}$ for every $w \in \{f, g\}^*$. In these settings the following holds:

- $w \models_T\ $ iff $w \models_H S(\ )$ for every word $w \in \{f, g\}^*$ and state formula;
- $seq \models_T\ $ iff $w \models_H P(\ _p,\ )$ for every word $w \in \{f, g\}^*$ and path formula, where $_p$ is the program ($\mathbf{while}\ p\ \mathbf{do}\ f; g$), $p$ is a new propositional variable and $seq$ is a maximal sequence of words $w_1 \ldots w_i \ldots$ such that $w = w_1$ and $w_1 \langle\ _p \rangle_H \ldots w_i \langle\ _p \rangle_H \ldots$.

Let us summarize Propositions 1 and 2 above:

Corollary. The decidability problem for Full Branching Time Logic CTL* can be reduced to the validity problem in Herbrand Models for Second Order Propositional Dynamic Logic SOPDL. The complexity of the reduction is exponential.

The following is proved in [20]:

Fact. The validity problem in Herbrand Models for Second Order Propositional Dynamic Logic SOPDL is decidable in exponential time.

Combining this fact with the above corollary we immediately get:

Theorem. Full Branching Time Logic CTL* is decidable in double exponential time.

Thus the alternative automata-free proof of the double exponential upper time bound for CTL* is complete. This upper bound meets the double exponential lower time bound. We would like to remark also that we hope to extend the technique presented in this paper to Process Logic [32, 33].

References

[1] Pnueli A. Temporal Logic of Programs. Theoretical Computer Science, v.13, n.1, 1981, p.45-60.
[2] Manna Z., Pnueli A. The Temporal Logic of Reactive and Concurrent Systems. Springer-Verlag, 1991.
[3] Manna Z., Pnueli A. Temporal Verification of Reactive Systems: Safety. Springer-Verlag, 1995.
[4] Clarke E.M., Emerson E.A. Design and Synthesis of Synchronization Skeletons Using Branching Time Temporal Logic. Lecture Notes in Computer Science, v.131, 1982, p.52-71.
[5] Sistla A.P., Clarke E.M.
The Complexity of Propositional Linear Temporal Logic. J. ACM, v.32, n.3, 1985, p.733-749.
[6] Emerson E.A., Lei C.L. Modalities for Model Checking: Branching Time Strikes Back. Sci. Comput. Programming, v.8, 1987, p.275-306.
[7] Emerson E.A., Sistla A.P. Deciding Branching Time Logic. Information and Control, v.61, 1984, p.175-201.
[8] Vardi M.Y., Stockmeyer L. Improved Upper and Lower Bounds for Modal Logics of Programs. 17th ACM Symposium on the Theory of Computing, 1985, p.240-251.
[9] Emerson E.A., Halpern J.Y. "Sometimes" and "Not Never" Revisited: On Branching versus Linear Time Temporal Logic. J. ACM, v.33, 1986, p.151-178.
[10] Kozen D. Results on the Propositional Mu-Calculus. Theoretical Computer Science, v.27, n.3, 1983, p.333-354.
[11] Vardi M.Y. Reasoning about the Past with Two-Way Automata. LNCS, v.1443, 1998, p.628-641.
[12] Emerson E.A. Temporal and Modal Logic. Handbook of Theoretical Computer Science, v.B, Elsevier and The MIT Press, 1990, p.995-1072.
[13] Stirling C. Modal and Temporal Logics. Handbook of Logic in Computer Science, v.2, Clarendon Press, 1992, p.477-563.
[14] Clarke E.M., Grumberg O., Peled D. Model Checking. MIT Press, 1999.
[15] Emerson E.A., Jutla C.S. The Complexity of Tree Automata and Logics of Programs. SIAM J. Comput., v.29, n.1, 1999, p.132-158.
[16] Nepomniaschy V.A., Shilov N.V. Non-deterministic Program Schemata and Their Relation to Dynamic Logic. Int. Conf. on Math. Logic and its Applications, Plenum Press, 1986, p.137-149.
[17] Nepomniaschy V.A., Shilov N.V. Non-deterministic Program Schemata and Their Relation to Dynamic Logic. Cybernetics, n.3, 1988, p.12-19 (in Russian, English translation by Plenum Press).
[18] Nepomniaschy V.A., Shilov N.V. Program Schemata Technique for Decidability of Propositional Dynamic Logic Variants. Proc. of Int. Conf. COLOG'88, v.2, Tallinn, 1988, p.193-205.
[19] Shilov N.V. Propositional Dynamic Logic with Fixed Points: Algorithmical Tools for Verification of Finite State Machines. Lecture Notes in Computer Science, v.620, 1992, p.452-458.
[20] Shilov N.V. Program Schemata vs.
Automata for Decidability of Program Logics. Theoretical Computer Science, v.175, n.1, 1997, p.15-27.
[21] Shilov N.V. Program Schemata Technique Revised. Submitted to Journal of Logic and Computation. (Also available at http://ropas.kaist.ac.kr/shilov/remuc-.ps)
[22] Schlingloff H. On Expressive Power of Modal Logic on Trees. Lecture Notes in Computer Science, v.620, 1992, p.441-450.
[23] Fischer M.J., Ladner R.E. Propositional Dynamic Logic of Regular Programs. J. Comput. System Sci., v.18, n.2, 1979, p.194-211.
[24] Harel D. First-Order Dynamic Logic. Lecture Notes in Computer Science, v.68, 1979.
[25] Harel D. Dynamic Logic. Handbook of Philosophical Logic, v.II, Reidel Publishing Company, 1984 (1st ed.), Kluwer Academic Publishers, 1994 (2nd ed.), p.497-604.
[26] Kozen D., Tiuryn J. Logics of Programs. Handbook of Theoretical Computer Science, v.B, Elsevier and The MIT Press, 1990, p.789-840.
[27] Kotov V.E., Sabelfeld V.K. Theory of Program Schemata. Nauka (Science), Novosibirsk, 1990 (in Russian).
[28] Greibach S.A. Theory of Program Structures: Schemes, Semantics, Verification. Lecture Notes in Computer Science, v.36, 1975.
[29] Harel D., Sherman R. Propositional Dynamic Logic of Flowcharts. Information and Control, v.64, 1985, p.119-135.
[30] Rabin M.O. Decidability of Second Order Theories and Automata on Infinite Trees. Trans. Amer. Math. Soc., v.141, 1969, p.1-35.
[31] Dam M. CTL* and ECTL* as Fragments of the Modal Mu-Calculus. Theoretical Computer Science, v.126, n.1, 1994, p.77-96.
[32] Harel D., Kozen D., Parikh R. Process Logic: Expressiveness, Decidability, Completeness. J. Comput. Sys. Sci., v.25, 1982, p.144-170.
[33] Sherman R., Pnueli A., Harel D. Is the Interesting Part of Process Logic Uninteresting?: A Translation from PL to PDL. SIAM J. Comput., v.13, 1984, p.825-839.