INFSYS Research Report

Institut für Informationssysteme, Abteilung Wissensbasierte Systeme

On ACTL Formulas Having Deterministic Counterexamples

Francesco Buccafurri, Thomas Eiter, Georg Gottlob, Nicola Leone

INFSYS Research Report 1843-99-01, January 1999

Institut für Informationssysteme, Abtg. Wissensbasierte Systeme, Technische Universität Wien, Treitlstraße 3, A-1040 Wien, Austria. Tel: +43-1-58801-18405, Fax: +43-1-58801-18493, [email protected], www.kr.tuwien.ac.at


On ACTL Formulas Having Deterministic Counterexamples

Francesco Buccafurri,1 Thomas Eiter,2 Georg Gottlob,3 Nicola Leone3

Abstract. In case an ACTL formula φ fails over a labeled transition graph M, it is most useful to provide a counterexample, i.e., a computation tree of M witnessing the failure. If there exists a single path in M which by itself witnesses the failure of φ, then φ has a deterministic counterexample. We show that, given M and φ, where M ⊭ φ, it is NP-hard to determine whether there exists a deterministic counterexample. Moreover, it is PSPACE-hard to decide whether an ACTL formula φ always admits a deterministic counterexample if it fails. This means that there exists no simple characterization of the ACTL formulas that guarantee deterministic counterexamples. Consequently, we study templates of ACTL formulas, i.e., skeletons of modal formulas whose atoms are disregarded. We identify the (unique) maximal set DET of templates whose instances (obtained by replacing atoms with arbitrary pure state formulas) always guarantee deterministic counterexamples. We show that for each ACTL formula φ which is an instance of a template in DET, and for each Kripke structure M such that M ⊭ φ, a single path of M witnessing the failure by itself can be computed in polynomial time.


1 DIMET, Università di Reggio Calabria, I-89100 Reggio Calabria, Italy. E-mail: [email protected]
2 Institut und Ludwig Wittgenstein Labor für Informationssysteme, Technische Universität Wien, Treitlstraße 3, A-1040 Wien, Austria. E-mail: [email protected]
3 Institut und Ludwig Wittgenstein Labor für Informationssysteme, Technische Universität Wien, Paniglgasse 16, A-1040 Wien, Austria. E-mail: (leone gottlob)@dbai.tuwien.ac.at

Copyright © 1999 by the authors


Contents

1 Introduction
  1.1 Counterpaths and deterministic counterexamples
  1.2 Deterministic counterexamples may not exist
  1.3 Main research questions addressed
  1.4 Main results
  1.5 Structure of the paper
2 Preliminaries
3 Multi-Paths and Counterexamples
  3.1 Multi-Paths
  3.2 Counterexamples
4 Deterministic Counterexamples
  4.1 Deterministic counterexamples and c-deterministic formulas
  4.2 Complexity of recognizing c-deterministic formulas
  4.3 ACTL templates
5 Templates in DET are c-deterministic
  5.1 Computing a counterpath for DET-instances
6 All c-deterministic Templates are in DET
7 Discussion and Conclusion


1 Introduction

ACTL is a well-known fragment of Computation Tree Logic (CTL), a propositional branching-time temporal logic [2]; see [7, 6] for a rich background on this and further such logics. ACTL formulas are specified and evaluated over Kripke structures, which model finite-state systems. Besides Boolean connectives, ACTL provides linear-time and branching-time operators. The linear-time operators express properties of a particular evolution of the system given by a series of events in time. Branching-time operators take into account the existence of multiple possible future scenarios, starting from a given system state at a point in time. The temporal order defines an evolution tree, which branches from that point towards the future. Thus, every point in time has a unique past, but, in general, more than one future. Each branch of the tree amounts to a particular evolution series.

The elementary linear-time operators are X (next time), U (until), and V (unless, releases). Informally, Xφ means that φ is true at the next point in time; φ1 U φ2 means that φ1 is true until φ2 is true; and φ1 V φ2 means that truth of φ2 releases truth of φ1. Further operators such as Fφ (sometimes φ) and Gφ (always φ) can be derived from the elementary operators. ACTL has the branching-time operator A, by which it is possible to express necessary properties of an evolution tree. Informally, Aφ means that φ is true for all branches of the tree. Note that full CTL also provides a dual operator E for expressing possible properties (true along some branch).

1.1 Counterpaths and deterministic counterexamples

The task of an automatic ACTL model checker is the verification of a given ACTL formula φ on a Kripke structure M. In case M does not satisfy φ (denoted by M ⊭ φ), the more advanced implemented model checkers (e.g., McMillan's SMV system [10]) provide more information. In particular, as a witness for the failure, a finite representation of an infinite computation path π of M is provided. This path represents a counterexample to φ in M. In the ideal case, such a path π witnesses by itself that M ⊭ φ; in other terms, all information needed to disprove that M ⊨ φ is already contained in π. In this case, we call π a counterpath.

To make the above concepts precise, we give in Section 3 a formal definition of the concept of counterexample. Roughly, a counterexample to an ACTL formula φ on a structure M is a computation tree represented as a multi-path disproving that M ⊨ φ. In case this multi-path has no true branching, and thus actually represents a unique path, we speak about a deterministic counterexample. A counterpath for φ in M is then the unique path corresponding to a deterministic counterexample. Note that if there exists such a counterpath π, then it holds that M_π ⊭ φ, where M_π is the Kripke structure induced by π, i.e., the structure whose states are all those states of M that also occur in π, labeled by the same labels as in M, and whose transitions are those that occur in π.

Example 1.1 Let M amount to the labeled transition graph in Figure 1, and consider the formula φ = A(true U a1), which can be written shortly as AF a1.

Figure 1: Labeled transition graph representing structure M (initial state s0), with L(s0) = ∅, L(s1) = {a2}, L(s2) = {a1}.

It holds that M ⊭ φ: along the path π = [s0, s1, s1, ...], the atom a1 is false at each stage π(i) of π, i ≥ 0. This implies M, π ⊨ ¬F a1. Thus, π witnesses the failure of φ in M. Note that the information contained in π alone is sufficient for disproving φ; we do not have to consider elements of M (states or transitions) outside π to show that M ⊭ φ. Thus π is a counterpath of φ.

1.2 Deterministic counterexamples may not exist

A counterpath provides very useful, compactly presented, and self-contained information to a system designer or verifier, allowing him or her to locate a design error in a most comfortable way. It would thus be most desirable to be able to compute a (representation of a) counterpath in polynomial time whenever an ACTL formula φ fails over a structure M. Unfortunately, as shown by the example below, if M ⊭ φ, a counterpath (or, equivalently, a deterministic counterexample) does not necessarily exist.

Figure 2: Another transition graph representing structure M (initial state s0), with L(s0) = {a}, L(s1) = ∅, L(s2) = {a}.

Example 1.2 Let M amount to the labeled transition graph in Figure 2. Consider the formula φ = A(true U A(false V a)), which can be abbreviated as AF AG a. It is easy to verify that M ⊭ φ. Indeed, there is a path π = [s0, s0, ...] starting from the initial state along which the nested formula AG a never holds, as, for each i ≥ 0, there exists a path starting at π(i) where sometimes a is not true (e.g., on the path π' = [s0, s1, s2, s2, ...] a is not true at s1). The path π itself is not a complete counterexample. To disprove that M ⊨ φ, it is necessary to consider a further path for each state of π (here always s0) in order to show that the subformula AG a does not hold. This gives rise to a multi-path Π, which we write as follows: Π = [[s0, s1, s2, s2, ...], [s0, s1, s2, s2, ...], ...]. This multi-path Π is a counterexample for φ in M, and not the single path π. Note that Π is not a deterministic counterexample, but a truly branching infinite tree. Note, furthermore, that no single path is a counterexample for φ. Therefore, no deterministic counterexample exists in this case, and thus no counterpath witnessing that M ⊭ φ exists.

Besides the above very simple example, many other cases can be found in which each counterexample is a truly branching computation tree. They include formulas of the shape AF φ ∨ AF ψ (e.g., AF a1 ∨ AF a2 on the structure M in Fig. 1), AG(AF φ ∨ AF ¬φ), which informally states that any evolution must commit at some point about a condition φ being true or false, and AF φ ∨ AG ψ, which states that either φ becomes true at some stage or ψ always holds. Thus, in many cases the "counterexample path" output by an ACTL model checker such as McMillan's system [10] is not a complete counterexample, but only one path (usually the main path or "backbone") of a counterexample. Such a path may help to track the design or implementation error, but it does not by itself necessarily explain why the formula fails, and one may need to consider states and transitions outside that path in order to track the flaw.

DET  ::= PSF | (DET ∧ DET) | (DET ∨ PSF) | (PSF ∨ DET) | AX(DET) | A(PSF V DET) | UDET
UDET ::= A(DET U PSF) | A(PSF U UDET) | (PSF ∧ UDET) | (UDET ∨ PSF) | (PSF ∨ UDET)
PSF  ::= (PSF ∧ PSF) | (PSF ∨ PSF) | (¬PSF) | ?

Table 1: BNF grammar for deterministic templates
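The following Python is an added example (not code from the paper) of the linear-time membership test for DET that Section 1.4 refers to: it implements the grammar of Table 1 as a recursive classifier and runs it on the templates Section 1.4 lists. The nested-tuple syntax and the ("hole",) encoding of the placeholder ? are assumptions.

```python
from typing import Optional

# Templates are nested tuples ("AX", t), ("AU", t1, t2) for A(t1 U t2), ("AV", t1, t2)
# for A(t1 V t2), ("and", ...), ("or", ...), ("not", t), with ("hole",) for the
# atom placeholder ? (assumed encoding).
HOLE = ("hole",)

PSF, UDET, DET = "PSF", "UDET", "DET"   # the nonterminals of Table 1


def template(f: tuple) -> tuple:
    """The template of a formula: atoms (and the shorthands true/false) become ?."""
    if f[0] in ("atom", "true", "false", "hole"):
        return HOLE
    return (f[0],) + tuple(template(g) for g in f[1:])


def classify(t: tuple) -> Optional[str]:
    """Most specific nonterminal of Table 1 that derives t; None if t is not in DET.
    Every PSF and UDET template is also a DET template (DET ::= PSF | ... | UDET)."""
    op = t[0]
    if op == "hole":
        return PSF
    if op == "not":                                   # PSF ::= (¬PSF)
        return PSF if classify(t[1]) == PSF else None
    if op in ("and", "or"):
        l, r = classify(t[1]), classify(t[2])
        if l is None or r is None:
            return None
        if l == PSF and r == PSF:                     # PSF ::= (PSF ∧ PSF) | (PSF ∨ PSF)
            return PSF
        if op == "or" and PSF in (l, r) and UDET in (l, r):
            return UDET                               # UDET ::= (UDET ∨ PSF) | (PSF ∨ UDET)
        if op == "and" and (l, r) == (PSF, UDET):
            return UDET                               # UDET ::= (PSF ∧ UDET)
        if op == "and":
            return DET                                # DET ::= (DET ∧ DET)
        return DET if PSF in (l, r) else None         # DET ::= (DET ∨ PSF) | (PSF ∨ DET)
    if op == "AX":                                    # DET ::= AX(DET)
        return DET if classify(t[1]) is not None else None
    if op == "AV":                                    # DET ::= A(PSF V DET)
        return DET if classify(t[1]) == PSF and classify(t[2]) is not None else None
    if op == "AU":                                    # UDET ::= A(DET U PSF) | A(PSF U UDET)
        l, r = classify(t[1]), classify(t[2])
        if (l is not None and r == PSF) or (l == PSF and r == UDET):
            return UDET
        return None
    return None


def in_det(t: tuple) -> bool:
    """Membership in DET; linear time, since each subterm is classified once."""
    return classify(t) is not None


# The templates discussed in Section 1.4.
AX_Q = ("AX", HOLE)
Q_OR_AV = ("or", HOLE, ("AV", HOLE, ("AX", HOLE)))
Q_AND_AV = ("and", HOLE, ("AV", HOLE, ("AX", HOLE)))
AU_QQ = ("AU", HOLE, HOLE)
AU_NESTED = ("AU", HOLE, ("AU", HOLE, HOLE))
AU_AV_LEFT = ("AU", ("AV", HOLE, ("AX", HOLE)), ("and", HOLE, HOLE))
AU_AV_RIGHT = ("AU", HOLE, ("AV", HOLE, HOLE))       # template of φ in Example 1.2
# The formula AF a1 ∨ AF a2 of Example 3.4, written out as A(true U a1) ∨ A(true U a2).
AF_OR_AF = ("or", ("AU", ("true",), ("atom", "a1")), ("AU", ("true",), ("atom", "a2")))

if __name__ == "__main__":
    for t in (AX_Q, Q_OR_AV, Q_AND_AV, AU_QQ, AU_NESTED, AU_AV_LEFT):
        print(t, classify(t))                                   # all six are in DET
    print(in_det(AU_AV_RIGHT), in_det(template(AF_OR_AF)))      # False False
```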

1.3 Main research questions addressed

Given that deterministic counterexamples (and counterpaths) are useful, but do not always exist, the following questions naturally arise:

- Is there an efficient method of deciding whether an ACTL formula φ has a deterministic counterexample (and thus a counterpath) on a given Kripke structure M, where M ⊭ φ?

- Is there a simple characterization of those ACTL formulas which guarantee deterministic counterexamples? In other terms, is there an efficient method for telling whether a formula φ has the property that whenever M ⊭ φ holds for a structure M, then there exists a deterministic counterexample (and thus a counterpath) witnessing this?

- If the above fails, how can we efficiently identify large classes of formulas that guarantee deterministic counterexamples?

- Can we efficiently compute deterministic counterexamples in case they exist? If this is not generally possible, then maybe for large classes of ACTL formulas?

1.4 Main results

Our main results are shortly summarized as follows:

- We give, in Section 2, a precise definition of the concepts of deterministic counterexample and of the related concept of counterpath.

- We show that given M and φ, where M ⊭ φ, it is NP-hard to determine whether there exists a deterministic counterexample (Theorem 4.2).

- As a consequence, even in case counterpaths exist, computing a counterpath is a hard problem. Therefore, unless NP = P, for every ACTL model checker MC that works in polynomial time and produces "single-path counterexamples" in case of failure, there exist infinitely many Kripke structures M and formulas φ such that M ⊭ φ and the counterexample path output by MC represents a partial (and not a complete) counterexample even though there exists a counterpath (i.e., a path representing a complete counterexample).

- It is PSPACE-hard to decide whether an ACTL formula φ in case of failure always admits a deterministic counterexample (Theorem 4.1). This means that there exists no simple characterization of the ACTL formulas that guarantee deterministic counterexamples.

- Consequently, we study templates of ACTL formulas, i.e., skeletons of modal formulas whose atoms are disregarded and replaced by the symbol ?. As the main result of this paper, we identify the (unique) maximal set DET of templates whose instances, obtained by replacing the ?'s with arbitrary pure state formulas, always guarantee deterministic counterexamples (Theorem 4.3). The set DET of templates is given by the BNF grammar in Table 1. For example, the templates AX(?), (? ∨ A(?VAX(?))), and (? ∧ A(?VAX(?))) are in DET, as well as A(?U?), A(?UA(?U?)), and A(A(?VAX(?))U(? ∧ ?)). On the other hand, the template A(?UA(?V?)) of the formula φ = A(trueUA(falseVa)) in Example 1.2 is not in DET, and also the template A(?U?) ∨ A(?U?) of the formula A(trueUa1) ∨ A(trueUa2) = AFa1 ∨ AFa2 mentioned above is not in DET. Obviously, it is recognizable in polynomial time (and in fact in linear time) whether a template belongs to DET, and whether an ACTL formula φ is an instance of some template in DET. In particular, we prove:

  - If φ is an instance of a template in DET, then, for each structure M such that M ⊭ φ, there exists a deterministic counterexample, and thus a counterpath in M witnessing this failure.

  - If a template is not contained in DET, then there exist an instance φ of it and a structure M such that M ⊭ φ but there exists no deterministic counterexample for φ in M.

- We show that for each ACTL formula φ which is an instance of a template in DET, and for each Kripke structure M such that M ⊭ φ, a counterpath, i.e., a single path of M witnessing the failure, can be computed in polynomial time.

1.5 Structure of the paper

After this introduction, some preliminaries and notation are given in Section 2. In Section 3, the formal definition of counterexamples is provided, for which multi-paths are introduced. Thereafter, we turn our attention in Section 4 to deterministic counterexamples and multi-paths. After proving that recognizing c-deterministic ACTL formulas is intractable, we define the class DET of templates; furthermore, we formally state the characterization of c-deterministic templates, which is the first main result of this paper. Sections 5 and 6 are devoted to the proof of this result and to the computation of counterpaths for DET-instances, which is the second main result. The paper is closed in Section 7 with a discussion and an outlook on future work.

2 Preliminaries

Definition 2.1 (ACTL formulas) Let A be a set of atomic propositions. Then, ACTL is the set of state formulas on A inductively defined as follows:

(1) Any Boolean formula over atoms from A built using the connectives ∧, ∨, and ¬ is a pure state formula.
(2) If φ and ψ are state formulas, then (φ ∨ ψ) and (φ ∧ ψ) are state formulas.
(3) If φ and ψ are state formulas, then Xφ, φ U ψ, and φ V ψ are path formulas.
(4) If φ is a path formula, then A(φ) is a state formula. □

Intuitively, path formulas describe properties of evolution series because they use the temporal operators next time, until, and unless.

Notation. For any sets D1 and D2 of formulas, we shall use the following notation:

AX(D1) = {AX(ψ) | ψ ∈ D1};
AU(D1, D2) = {A(ψ1 U ψ2) | ψ1 ∈ D1, ψ2 ∈ D2};
AV(D1, D2) = {A(ψ1 V ψ2) | ψ1 ∈ D1, ψ2 ∈ D2};
D1 ∧ D2 = {(ψ1 ∧ ψ2) | ψ1 ∈ D1, ψ2 ∈ D2};
D1 ∨ D2 = {(ψ1 ∨ ψ2) | ψ1 ∈ D1, ψ2 ∈ D2}.

Given a formula φ or a set of formulas S, we will denote by AP(φ) (resp., AP(S)) the set of atomic propositions occurring in φ (resp., S). We will use true and false as shorthand for pure state formulas which are tautologies and contradictions, respectively. We shall omit or add parentheses in formulas following the usual conventions.

The formal definition of the semantics of ACTL refers to particular Kripke structures. Informally, they are labeled finite transition graphs.

Definition 2.2 (Kripke structure) A Kripke structure is a quintuple M = (A, S0, S, R, L) such that:

- A is a finite set of atomic propositions, denoted A(M);
- S is a finite set of states, denoted S(M);
- S0 ⊆ S is a finite set of initial states, denoted S0(M);
- R ⊆ S × S is a transition relation, denoted R(M);
- L : S → 2^A is a mapping assigning each state of S the set of atomic propositions true in that state; L is called the label function, and is denoted by L(M). □

For convenience, we often denote by M_s the Kripke structure which is identical to M except that S0(M_s) = {s}, where s ∈ S(M), i.e., s is the unique initial state. Furthermore, we will sometimes focus on structures M such that S0(M) = {s0} and (s, s0) ∉ R(M), for all s ∈ S(M), i.e., M has a unique initial state s0, and s0 is not reachable from any state in M. We refer to such structures as conic. The dynamic temporal evolution is modeled by infinite paths in the Kripke structure.

Definition 2.3 (path) A path π of a Kripke structure M is an infinite sequence π = [s0, s1, ..., si, ...] such that for each i ≥ 0, (si, si+1) ∈ R. Given an integer i ≥ 0 and a path π, we denote by π(i) the i-th state of π. Given an integer j ≥ 0 and a path π, the j-suffix π^j of π is the path [π(j), π(j + 1), ...]. Clearly, π = π^0 and π(i) = π^i(0). □

The semantics of ACTL is now defined through an entailment relation ⊨, which can be applied on states s and paths π for evaluating state and path formulas, respectively.

Definition 2.4 (satisfaction) Let s and π be a generic state and path in M, respectively. Then, the satisfaction relation ⊨ for state and path formulas, respectively, on a Kripke structure M is inductively defined as follows.

1. M, s ⊨ p, if p ∈ L(M)(s), for any atomic proposition p ∈ A;
2. M, s ⊨ ¬φ, if M, s ⊭ φ, where φ is a state formula;
3. M, s ⊨ φ1 ∨ φ2, if M, s ⊨ φ1 or M, s ⊨ φ2, where φ1 and φ2 are state formulas;
4. M, s ⊨ φ1 ∧ φ2, if M, s ⊨ φ1 and M, s ⊨ φ2, where φ1, φ2 are state formulas;
5. M, s ⊨ A(φ), if M, π ⊨ φ for all paths π such that π(0) = s;
6. M, π ⊨ Xφ, if M, π(1) ⊨ φ;
7. M, π ⊨ φ1 U φ2, if there exists an integer k ≥ 0 such that M, π(k) ⊨ φ2 and M, π(j) ⊨ φ1, for all 0 ≤ j < k;
8. M, π ⊨ φ1 V φ2, if for every k ≥ 0, M, π(j) ⊭ φ1 for all 0 ≤ j < k implies M, π(k) ⊨ φ2.

We write M ⊨ φ if M, s0 ⊨ φ, for every initial state s0 ∈ S0(M). □

Intuitively, a state formula holds along a path if it is true at its first state; φ1 U φ2 is true if φ1 is true along the path until some state is reached at which φ2 is true; and φ1 V φ2 is true if there is no stage such that φ2 is false and φ1 is false at all previous states. Note that U and V are dual operators: φ1 V φ2 is true precisely if ¬φ1 U ¬φ2 is false.
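As an added illustration of Definition 2.4 (this is not code from the paper), the following Python evaluates ACTL state formulas over a finite Kripke structure by the usual fixpoint computations for A(·U·) and A(·V·) and checks the formulas of Examples 1.1, 1.2, 3.3 and 3.4. The transition relations of Figures 1 and 2 are reconstructed from the paths those examples mention and are an assumption, as is the nested-tuple syntax for formulas.

```python
from typing import Dict, Iterable, Set, Tuple

# Formulas as nested tuples (an assumed syntax; the paper uses the usual notation):
#   ("true",)  ("false",)  ("atom", p)  ("not", f)  ("and", f, g)  ("or", f, g)
#   ("AX", f)  ("AU", f, g) for A(f U g)  ("AV", f, g) for A(f V g)
Formula = tuple


class Kripke:
    """Kripke structure M = (A, S0, S, R, L) of Definition 2.2 with a total R."""

    def __init__(self, states: Iterable[str], init: Iterable[str],
                 trans: Iterable[Tuple[str, str]], label: Dict[str, Set[str]]):
        self.S = set(states)
        self.S0 = set(init)
        self.succ: Dict[str, Set[str]] = {s: set() for s in self.S}
        for s, t in trans:
            self.succ[s].add(t)
        self.L = {s: set(label.get(s, ())) for s in self.S}
        # Paths are infinite (Definition 2.3), so every state needs a successor.
        assert all(self.succ[s] for s in self.S), "R must be total"


def _ax(m: Kripke, z: Set[str]) -> Set[str]:
    """States all of whose successors lie in z: AX lifted to a set of states."""
    return {s for s in m.S if m.succ[s] <= z}


def sat(m: Kripke, f: Formula) -> Set[str]:
    """The set of states s with M, s |= f (Definition 2.4), computed by fixpoints."""
    op = f[0]
    if op == "true":
        return set(m.S)
    if op == "false":
        return set()
    if op == "atom":                       # clause 1
        return {s for s in m.S if f[1] in m.L[s]}
    if op == "not":                        # clause 2
        return m.S - sat(m, f[1])
    if op == "or":                         # clause 3
        return sat(m, f[1]) | sat(m, f[2])
    if op == "and":                        # clause 4
        return sat(m, f[1]) & sat(m, f[2])
    if op == "AX":                         # clauses 5 and 6
        return _ax(m, sat(m, f[1]))
    if op == "AU":                         # clauses 5 and 7: least fixpoint of Z = f2 or (f1 and AX Z)
        s1, s2 = sat(m, f[1]), sat(m, f[2])
        z: Set[str] = set()
        while True:
            nz = s2 | (s1 & _ax(m, z))
            if nz == z:
                return z
            z = nz
    if op == "AV":                         # clauses 5 and 8: greatest fixpoint of Z = f2 and (f1 or AX Z)
        s1, s2 = sat(m, f[1]), sat(m, f[2])
        z = set(m.S)
        while True:
            nz = s2 & (s1 | _ax(m, z))
            if nz == z:
                return z
            z = nz
    raise ValueError(f"unknown operator {op!r}")


def holds(m: Kripke, f: Formula) -> bool:
    """M |= f iff f holds at every initial state."""
    return m.S0 <= sat(m, f)


def AF(f: Formula) -> Formula:   # AF f = A(true U f)
    return ("AU", ("true",), f)


def AG(f: Formula) -> Formula:   # AG f = A(false V f)
    return ("AV", ("false",), f)


# Figure 1: labels as in the figure; transitions s0->s1, s0->s2, s1->s1, s2->s2
# are reconstructed from the paths of Examples 1.1 and 3.4 (assumption).
FIG1 = Kripke(["s0", "s1", "s2"], ["s0"],
              [("s0", "s1"), ("s0", "s2"), ("s1", "s1"), ("s2", "s2")],
              {"s1": {"a2"}, "s2": {"a1"}})

# Figure 2: labels as in the figure; transitions s0->s0, s0->s1, s1->s2, s2->s2
# are reconstructed from the paths of Example 1.2 (assumption).
FIG2 = Kripke(["s0", "s1", "s2"], ["s0"],
              [("s0", "s0"), ("s0", "s1"), ("s1", "s2"), ("s2", "s2")],
              {"s0": {"a"}, "s2": {"a"}})

A1, A2, A = ("atom", "a1"), ("atom", "a2"), ("atom", "a")

if __name__ == "__main__":
    print(holds(FIG1, AF(A1)))                  # Example 1.1: False
    print(holds(FIG1, ("or", AF(A1), AF(A2))))  # Example 3.4: False
    print(holds(FIG1, AG(AF(A1))))              # Example 3.3: False
    print(holds(FIG2, AF(AG(A))))               # Example 1.2: False
    print(holds(FIG2, AF(A)))                   # a is reached on every path of Figure 2: True
```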

3 Multi-Paths and Counterexamples

If an ACTL formula φ is not true in a structure M, then there must be some evidence which proves the failure of the formula. For a pure state formula φ, an initial state s0 at which φ is false is a witness of this fact; if φ is of the form AXψ, where ψ is a pure state formula, then a path π starting at some s0 ∈ S0 such that ψ is false at π(1) is such a witness. The falsity of formulas A(ψ1 U ψ2), A(ψ1 V ψ2), where the ψi are pure state formulas, is witnessed similarly by a path π. Intuitively, a path π as described is a counterexample for the truth of φ in M. It appears that for more complex formulas φ which involve nested quantifiers, a single path π may not by itself witness that φ fails in M. To formally capture this, nesting of paths must be taken into account. This motivates the definition of multi-paths, which serve as a basis for a formal definition of counterexamples [1].

3.1 Multi-Paths

Informally, a multi-path represents an infinite tree T, which has a designated branch as a backbone (called the main path). The branches of the tree which spring off from the main path at a certain stage are collected in a tree, which is recursively represented as a multi-path. Thus, multi-paths can be inductively defined. Observe that this representation of a tree is different from the usual inductive definition in which a tree is built by assigning child nodes to a parent node. The main advantage of the multi-path concept is the preservation of the nesting of paths, which is lost in the standard tree definition. Preliminary to the formal definition of multi-paths, we introduce multi-sequences.

Definition 3.1 (multi-sequence) Let S be a set of states. Then,

- for every state s ∈ S, Π = s is a finite multi-sequence in S;
- if Π0, Π1, ... are countably infinitely many multi-sequences in S, then Π = [Π0, Π1, ...] is a multi-sequence in S.

For any multi-sequence Π, its i-th element is denoted by Π(i), for all i ≥ 0; moreover, its origin, denoted or(Π), is or(Π) = s, if Π = s is a single state, and or(Π) = or(Π(0)), otherwise. □


Next we introduce the notion of the main sequence of a multi-sequence. Informally, it is the sequence formed by the origins of all elements in a multi-sequence.

Definition 3.2 (main sequence) Given a multi-sequence Π, the main sequence of Π, denoted by μ(Π), is

- s, if Π = s is finite;
- the sequence [or(Π(0)), or(Π(1)), or(Π(2)), ...], otherwise. □

Multi-paths are multi-sequences which model nested paths in M.

Definition 3.3 (multi-path) A multi-sequence Π is a multi-path in M, if either Π is finite, or μ(Π) is a path in M and for every i ≥ 0, Π(i) is a multi-path in M. The main sequence of a multi-path Π is called the main path of Π. □

Note that multi-paths generalize paths. Indeed, a path can be seen as an infinite multi-path Π such that each element Π(i) is a state. An infinite multi-path Π intuitively represents an evolving computation tree, whose branches are the main path μ(Π) and all paths of the form π0 π1, where π0 = μ(Π)(0), ..., μ(Π)(i − 1) is a finite prefix of μ(Π) and π1 is a branch of the multi-path Π(i), where Π(i) must be infinite.

Example 3.1 Assuming a proper M, the multi-sequence Π = [[s0, s1, s1, ...], s2, s2, ...] is a multi-path, which represents two paths π1 = [s0, s1, s1, ...] and π2 = [s0, s2, s2, ...] starting at s0 (Figure 3). π2 is the main path μ(Π) of Π. The multi-path Π' = [[s0, s1, s1, ...], s2, [s0, s1, s1, ...], s2, [s0, s1, s1, ...], ...] has main path μ(Π') = [s0, s2, s0, s2, ...] and represents the computation tree in which from μ(Π') at every even stage μ(Π')(2k) a path [s0, s1, s1, ...] branches off; hence, Π' contains besides μ(Π') all paths of the form [(s0, s2)^i, s0, s1, s1, ...], i ≥ 0. □

Figure 3: Branching paths

An important note is that in general, a multi-path Π may not directly reflect in its structure a truly branching computation tree. In fact, the definition allows fake branching, in the sense that two nested branching paths may amount to the same path in the structure. For example, in the multi-path Π = [s0, s1, [s2, s3, s4, ...], s3, s4, ...], the branch s2, s3, s4, ... is identical to the remainder s2, s3, s4, ... of the main path. This is not a shortcoming of our definition, but an important feature; it allows us to express that a particular path is a subpath of another one. In an extended vocabulary for multi-paths, this could be expressed more elegantly; however, we disregard such an extension here. Note that for our purposes, we can restrict to multi-paths which have effective finite representations [1].


3.2 Counterexamples

We are now prepared to formalize the notion of counterexample. Intuitively, a counterexample for a formula φ is a special multi-path Π originating at an initial state and demonstrating the falsity of φ. Since counterexamples are defined inductively, we need the concept of a local counterexample, which may originate at an arbitrary state rather than an initial state. For the technical definition of local counterexamples, we use an operation for merging two multi-paths into a single one.

Definition 3.4 (merge) Let Π1 and Π2 be two multi-paths such that or(Π1) = or(Π2). The merge of Π1 and Π2, denoted by Π1 ⊕ Π2, is the multi-path recursively defined as follows:

Π1 ⊕ Π2 = Π1, if Π2 is finite;
Π1 ⊕ Π2 = [Π1, Π2(1), Π2(2), ...], if Π2 is infinite and Π2(0) is finite;
Π1 ⊕ Π2 = [Π1 ⊕ Π2(0), Π2(1), Π2(2), ...], otherwise. □

Intuitively, the trees represented by Π1 and Π2 are merged at their common root.

Example 3.2 Merging Π = [[s0, s11, s12, ...], s21, s22, ...] and Π' = [s0, s31, s32, ...] yields Π ⊕ Π' = [Π, s31, s32, ...] = [[[s0, s11, s12, ...], s21, s22, ...], s31, s32, ...], while Π' ⊕ Π = [Π' ⊕ [s0, s11, s12, ...], s21, s22, ...] = [[Π', s11, s12, ...], s21, s22, ...] = [[[s0, s31, s32, ...], s11, s12, ...], s21, s22, ...]. The two merges essentially represent the same branching of three paths πi = [s0, si1, si2, ...] for i ∈ {1, 2, 3}, starting from s0. □

Note that merging Π1 and Π2 by adding Π1 as the first element of Π2 does not work, since in general this leads to a set of paths different from those in Π1 and Π2; the result may not even be a multi-path.

Definition 3.5 (l-counterexample) Let M be a Kripke structure and φ be an ACTL formula on A(M). A multi-path Π in M is a local (l-) counterexample for φ if, depending on the structure of φ, the following holds:

- if φ is a pure state formula: Π = s is a state and M, s ⊭ φ;
- otherwise, if
  1. φ = A(φ1 U φ2): Π is an infinite multi-path and either
     1.1 there exists k ≥ 0 such that Π(k) is an l-counterexample for φ1 ∨ φ2, Π(i) is an l-counterexample for φ2, for each 0 ≤ i < k, and Π(j) is a state, for j > k; or
     1.2 Π(i) is an l-counterexample for φ2, for each i ≥ 0;
  2. φ = A(φ1 V φ2): Π is an infinite multi-path and there exists a k such that every Π(j), 0 ≤ j < k, is an l-counterexample for φ1, Π(k) is an l-counterexample for φ2, and every Π(ℓ) is a state, for ℓ > k;
  3. φ = AX φ1: Π is an infinite multi-path, Π(1) is an l-counterexample for φ1, and Π(i) is a state, for each i ≠ 1;
  4. φ = φ1 ∨ φ2: Π = Π1 ⊕ Π2, where Πi, i = 1, 2, is an l-counterexample for φi;
  5. φ = φ1 ∧ φ2: Π is an l-counterexample for either φ1 or φ2. □

Recall that M ⊭ φ if there exists an initial state s0 at which φ is false. Hence, we introduce a notion of "global" counterexample.

Definition 3.6 (counterexample) Let M be a Kripke structure and φ be a formula on A(M). Any l-counterexample Π for φ in M such that or(Π) ∈ S0(M) is called a counterexample for φ in M. □

Example 1.1 illustrates this definition. Let us consider some more examples.

Example 3.3 Reconsider the Kripke structure M from Figure 1, and let ψ = A(false V A(true U a1)). Also this formula is false on M. Intuitively, this is witnessed by the path π again. However, by the formal definition, π is not a counterexample for ψ, as it does not respect witness paths for the subformula A(true U a1) of ψ. The multi-path Π = [[s0, s1, ...], s1, s1, ...] is a proper counterexample for ψ according to the definition, as well as any multi-path [s0, (s1,)^i, [s1, s1, ...], s1, s1, ...], where i ≥ 0. Finally, also the formula φ = A(true U A(false V a1)) is false in M; again, intuitively the path π = [s0, s1, s1, ...] shows this. Formally, the multi-path [[s0, s1, s1, ...], [s1, s1, ...], [s1, s1, ...], ...] is a counterexample for φ; in fact, it is the unique counterexample. □

The following result states that l-counterexamples appropriately model the failure of a formula in a state.

Theorem 3.1 ([1]) Let M be a Kripke structure, φ a formula on A(M), and s ∈ S(M). Then, M, s ⊭ φ if and only if there exists an l-counterexample Π for φ such that or(Π) = s.

Corollary 3.2 ([1]) For any Kripke structure M and formula φ on A(M), M ⊭ φ if and only if there exists a counterexample Π for φ in M.

As discussed earlier, in many cases a counterexample for a formula is (essentially) a single path. This is true, e.g., for the formulas considered in Examples 1.1 and 3.3. However, as Example 1.2 and the following example show, there are various cases in which a truly branching tree is needed.

Example 3.4 Consider the structure M as in Figure 1 again, but now the formula φ = A(true U a1) ∨ A(true U a2) = AF a1 ∨ AF a2. Clearly, M ⊭ φ: for every ai, i = 1, 2, there is an infinite path πi = [s0, si, si, ...] which never reaches a state at which ai is true; hence, every disjunct AF ai of φ is false. A counterexample for φ is the multi-path Π = [[s0, s1, s1, ...], s2, s2, ...], which results from merging the πi's into Π = (π1 ⊕ π2). Notice that no counterexample for φ exists that is an ordinary path, and that π1 ⊕ π2 and π2 ⊕ π1 are the only (isomorphic) counterexamples for φ. □

4 Deterministic Counterexamples

In this section, we formalize our intuition of a single-path counterexample from the previous section. For this purpose, we first introduce the concept of a deterministic multi-path. Such a multi-path is built over a single path in the structure, which exactly prescribes the next state in each transition throughout the multi-path.

4.1 Deterministic counterexamples and c-deterministic formulas

Definition 4.1 (deterministic multi-path) A multi-path Π is deterministic, if one of the following applies:

1. Π is finite (i.e., a single state);
2. Π is a path; or
3. for each i ≥ 0, either
   3.1 Π(i) is a state, or
   3.2 μ(Π(i)) coincides with μ(Π)^i (the i-suffix of μ(Π)) and Π(i) is deterministic. □

Informally, a multi-path is deterministic if the main paths of its elements are suffixes of its main path, and this is recursively true also for the nested multi-paths. Thus, while in general multi-paths represent evolutions with branching, deterministic multi-paths have only artificial branching, and represent essentially a single path.

Example 4.1 Consider the multi-path

Π = [s0, s1, s2, s3, [s4, s5, s4, [s5, s4, s5, s4, ...], s4, s5, ...], s5, s4, s5, s4, ...].

As can be seen, this multi-path is deterministic. The path [s5, s4, s5, s4, ...] nested into Π(4)(3) represents a path branching from the main path of Π(4). However, this path coincides with the suffix μ(Π(4))^3 of the main path of Π(4). Hence, it does not represent an alternative evolution. In this sense, a deterministic multi-path represents only deterministic evolutions. Observe that the multi-path Π' = [[s0, s1, s2, s3, s2, s3, ...], s4, s5, s6, s5, s6, s5, ...] is not deterministic. □
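As an added example (not the paper's code) of Definitions 3.2, 3.4 and 4.1, the following Python represents multi-paths as nested prefix/cycle lassos, computes main paths, the merge ⊕, and the determinism check, and runs them on the multi-paths of Examples 3.2, 3.4 and 4.1. The lasso encoding, and reading the "..." parts of Example 3.2 as repeating the last state, are assumptions.

```python
from math import gcd
from typing import List, Union


class Lasso:
    """Ultimately periodic state sequence prefix·cycle^ω (the finite path representation)."""

    def __init__(self, prefix, cycle):
        self.prefix, self.cycle = tuple(prefix), tuple(cycle)

    def at(self, i: int) -> str:
        if i < len(self.prefix):
            return self.prefix[i]
        return self.cycle[(i - len(self.prefix)) % len(self.cycle)]

    def suffix(self, i: int) -> "Lasso":
        """The i-suffix π^i of Definition 2.3."""
        if i <= len(self.prefix):
            return Lasso(self.prefix[i:], self.cycle)
        k = (i - len(self.prefix)) % len(self.cycle)
        return Lasso((), self.cycle[k:] + self.cycle[:k])

    def __eq__(self, other) -> bool:
        # Two ultimately periodic sequences coincide iff they agree on the first
        # max(|prefix1|, |prefix2|) + lcm(|cycle1|, |cycle2|) positions.
        a, b = len(self.cycle), len(other.cycle)
        n = max(len(self.prefix), len(other.prefix)) + a * b // gcd(a, b)
        return all(self.at(i) == other.at(i) for i in range(n))


Elem = Union[str, "MultiPath"]


class MultiPath:
    """Infinite multi-sequence [e0, e1, ...] (Definition 3.1) whose elements are states
    (finite multi-sequences) or nested MultiPaths, again stored as prefix·cycle^ω."""

    def __init__(self, prefix: List[Elem], cycle: List[Elem]):
        self.prefix, self.cycle = list(prefix), list(cycle)

    def at(self, i: int) -> Elem:
        if i < len(self.prefix):
            return self.prefix[i]
        return self.cycle[(i - len(self.prefix)) % len(self.cycle)]

    def main(self) -> Lasso:
        """Main path μ(Π) (Definition 3.2): the origins of all elements."""
        return Lasso([origin(e) for e in self.prefix], [origin(e) for e in self.cycle])

    def is_deterministic(self) -> bool:
        """Definition 4.1: each element is a state, or its main path is μ(Π)^i and it is
        itself deterministic. One period suffices, since μ(Π)^i is the same lasso at
        every position i occupied by the same cycle element."""
        mu = self.main()
        for i in range(len(self.prefix) + len(self.cycle)):
            e = self.at(i)
            if isinstance(e, MultiPath):
                if e.main() != mu.suffix(i) or not e.is_deterministic():
                    return False
        return True


def origin(e: Elem) -> str:
    """or(Π) of Definition 3.1: the state itself, or the origin of the first element."""
    return e if isinstance(e, str) else origin(e.at(0))


def merge(p1: MultiPath, p2: MultiPath) -> MultiPath:
    """Π1 ⊕ Π2 of Definition 3.4 for infinite Π2 (a finite Π2 would simply yield Π1)."""
    assert origin(p1) == origin(p2), "merge needs a common origin"
    prefix, cycle = list(p2.prefix), list(p2.cycle)
    if not prefix:                      # element 0 lives in the cycle: unroll it once
        prefix, cycle = [cycle[0]], cycle[1:] + [cycle[0]]
    prefix[0] = p1 if isinstance(prefix[0], str) else merge(p1, prefix[0])
    return MultiPath(prefix, cycle)


# Example 4.1: Π = [s0, s1, s2, s3, [s4, s5, s4, [s5, s4, s5, s4, ...], s4, s5, ...], s5, s4, s5, s4, ...]
INNER = MultiPath([], ["s5", "s4"])
MID = MultiPath(["s4", "s5", "s4", INNER], ["s4", "s5"])
EX41 = MultiPath(["s0", "s1", "s2", "s3", MID], ["s5", "s4"])
# Π' = [[s0, s1, s2, s3, s2, s3, ...], s4, s5, s6, s5, s6, ...] of the same example
EX41_PRIME = MultiPath([MultiPath(["s0", "s1"], ["s2", "s3"]), "s4"], ["s5", "s6"])
# Example 3.2, with each "..." read as repeating the last state (assumption)
PI = MultiPath([MultiPath(["s0", "s11"], ["s12"]), "s21"], ["s22"])
PI_PRIME = MultiPath(["s0", "s31"], ["s32"])
# Example 3.4: π1 = [s0, s1, s1, ...] and π2 = [s0, s2, s2, ...]
PATH1, PATH2 = MultiPath(["s0"], ["s1"]), MultiPath(["s0"], ["s2"])

if __name__ == "__main__":
    print(EX41.is_deterministic(), EX41_PRIME.is_deterministic())   # True False
    print(merge(PI, PI_PRIME).main() == PI_PRIME.main())           # True: merged at the common root s0
    print(merge(PATH1, PATH2).is_deterministic())                   # False: truly branching
```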

Definition 4.2 (deterministic counterexample and counterpath) A counterexample Π for an ACTL formula φ in a structure M is deterministic, if Π is a deterministic multi-path. The main path μ(Π) of any deterministic counterexample Π for φ in M is a counterpath for φ in M. □

As easily verified, the counterexamples for the formulas presented in Examples 1.1 and 3.3 are deterministic counterexamples, and the "intuitive" counterexamples there are the respective counterpaths. As for counterexamples, it is of particular interest to have a deterministic counterexample at hand, since such a counterexample is in general easier to understand than an arbitrary counterexample. Moreover, the description of such counterexamples can be simplified. Observe that McMillan's SMV procedure [10] returns a single path π rather than a counterexample as used here when an ACTL formula fails. This path plays a similar role as the main path of our notion of a counterexample Π. If π and Π grasp the same witness, then μ(Π) should coincide with π, and it contains in fact all relevant information which is needed for witnessing the failure of φ. From π, a counterexample respecting the (artificial) branching of paths as required by the structure of φ can be reconstructed. We thus direct our attention to the existence of deterministic counterexamples.

Definition 4.3 (c-deterministic) An ACTL formula φ is c-deterministic, if M ⊭ φ implies that a deterministic counterexample for φ exists in M, for every Kripke structure M. □

4.2 Complexity of recognizing c-deterministic formulas

Unfortunately, recognizing c-deterministic formulas is complex in general, which is expressed by the following result.

Theorem 4.1 Deciding whether a given ACTL formula  is c-deterministic is PSPACE-hard.

Proof. This result is proved by a reduction from the unsatisfiability problem for ACTL formulas on structures M where R(M) is total, i.e., ∀s ∃s′ : R(s, s′) holds. This problem is PSPACE-complete by results of Vardi and Kupferman (see [9]). Let  be an arbitrary ACTL formula, and let a be a fresh atom not occurring in . Let the formula  be defined as follows:

= AX a ∨ AX(¬a ∧ )

It holds that  is c-deterministic if and only if  is unsatisfiable over structures M where R(M) is total. To prove this, suppose first that  is unsatisfiable over all M where R(M) is total. Let M be any structure (where R(M) is not necessarily total) such that M ⊭ . This implies that AX a has a counterexample in M, which is a simple path  represented by a pair P, C where P is a path (prefix) and C a cycle in M. The assumption on  implies that ¬a ∧  is globally false (and in particular, at (1)) in the structure M which is naturally induced by  in M. Consequently,  is a counterpath for  in that structure, and thus also in M. This means that  is c-deterministic. Now suppose that  is satisfiable on some structure M with total R(M). Hence, a state s_0 ∈ S_0(M) exists such that M, s_0 ⊨ . Let M′ be the structure corresponding to the labeled transition graph in Figure 4.

[Figure 4: Structure M′ for  = AX a ∨ AX(¬a ∧ ) (initial state s′_0); its states are s′_0 with L(s′_0) = {}, s′_1 with L(s′_1) = {a}, and s_0.]

It holds that M′ ⊭ . Indeed, the path _1 = [s′_0, s_1, s_1, …] is a counterpath for _1 = AX a, and any path _2 = [s′_0, s_0, …] is a counterpath for _2 = AX(¬a ∧ ); thus, their merge  = _1  _2 is a counterexample for . Clearly, any counterexample for  in M′ must contain both s_0 and s_1; thus, a deterministic counterexample for  in M′ is impossible, which means that  is not c-deterministic. □

This result implies that a polynomial-sized and polynomial-time checkable proof witnessing that a formula is c-deterministic is elusive, and thus we may abandon the search for an appealing syntactical characterization of c-deterministic formulas. A related, in practice perhaps more important issue is whether the existence of a deterministic counterexample for a formula can be efficiently decided ad hoc, i.e., given an ACTL formula  and a structure M, decide whether  has a deterministic counterexample in M (and, if so, return a counterpath represented in a suitable way). As it turns out, also this problem is intractable.

Theorem 4.2 Given a Kripke structure M and an ACTL-formula , deciding whether  has a deterministic counterexample (equivalently, a counterpath) in M is NP-hard.


Proof. We describe a polynomial-time transformation of deciding whether a given directed graph G = (V, E) has a Hamiltonian circuit, which is well-known NP-complete [8], into this problem. Recall that a Hamiltonian circuit is a sequence C = v_{i_1}, …, v_{i_n} of all the vertices V = {v_1, …, v_n} such that an edge is directed from v_{i_j} to v_{i_{j+1}} and from v_{i_n} to v_{i_1}. We construct M and  as follows. The set S of states of M is V, which is also the set A of atomic propositions and the set S_0 of initial states. The transition relation R is E, and each v ∈ V has the label L(v) = {v}. The formula  is as follows:

$$= A\Big(\mathit{true}\ \mathbin{U}\ \bigvee_{v\in V}\Big(v \wedge \bigvee_{w\in V\setminus\{v\}} \mathrm{AX}\,A(v \mathbin{V} \neg w)\Big)\Big)$$

Intuitively, a deterministic counterexample for  in M is an infinite path  such that in each state (i) = v, the path must be continued in states (i + 1), (i + 2), …, such that all other vertices w ≠ v appear before v may reappear. We claim that G has a Hamiltonian circuit if and only if  has a counterpath in M.

(⇒) Let C = v_{i_1}, …, v_{i_n} be a Hamiltonian circuit of G. We claim that the path  = (v_{i_1}, v_{i_2}, …, v_{i_n})^∞ is a counterpath of . To verify this, we have to show that the formula

$$\bigvee_{v\in V}\ {}_v, \qquad\text{where}\qquad {}_v = v \wedge \bigvee_{w\in V\setminus\{v\}} \mathrm{AX}\,A(v \mathbin{V} \neg w)$$

is false in each state (i), i ≥ 0, and that a local counterexample witnessing this fact can be built over ^i. For each v ∈ V such that v ≠ (i), _v is false at (i) and thus (i) is a local counterexample for _v over ^i. For the v ∈ V such that v = (i), we must show that for each w ∈ V ∖ {v}, the suffix ^i is a local counterpath of the formula AX A(v V ¬w); that is, that the suffix ^{i+1} is a local counterexample of A(v V ¬w). Clearly, this is true for the w ∈ V ∖ {v} such that w = (i + 1); any w′ ∈ V ∖ {v, w} occurs as (i + k), where 1 < k < n, and v is false at (i + k − 1); thus, ^{i+1} is a local counterexample for A(v V ¬w). This proves that ⋁_{v∈V} _v is false in (i), and that ^i is a local counterpath for each AX A(v V ¬w) where w ∈ V ∖ {v}. Thus,  is a counterpath for  in M.

(⇐) Suppose that  has a counterpath  in M. We show that the prefix (0), …, (n − 1) of  is a Hamiltonian circuit of G. Let v ∈ V be the node such that (0) = v. Then,  is a counterpath for the formula _v from above. This implies that  is a counterpath for the formula AX A(v V ¬w), for each w ∈ V ∖ {v}. Thus, ^1 is a local counterpath for A(v V ¬w). Hence, w must occur in , and v must be false in each state (i) where 1 ≤ i < k_w and (k_w) is the first occurrence of w in . Consequently, (n) is the first possible position for a second occurrence of v in . Now consider v^{(i)} = (i), where i > 0. By similar arguments, we obtain that each w ∈ V ∖ {v^{(i)}} occurs in ^i, and that w must occur in ^i before any possible further occurrence of v^{(i)} after ^i(0) = (i). It follows that (0), (1), …, (n − 1) are all pairwise different, and that (n) = (0) holds. This means that (0), …, (n − 1) is a Hamiltonian circuit in G, and completes the proof of the claim. □

Since M and  are constructible in polynomial time from G, the result is proved.

4.3 ACTL templates

In the light of the previous results, we look into structural properties of formulas which guarantee the existence of a deterministic counterexample whenever a formula does not hold in a structure. This leads us to consider templates of ACTL formulas – formulas, in which the particular atomic propositions are meaningless, i.e., they can be substituted by arbitrary pure state formulas. Intuitively, a template expresses the structure of a formula in terms of linear-time and branching-time operators. A pure state formula always has a deterministic counterexample (given by a single state); however, the application of these operators and Boolean connectives might destroy this property. In the following, we shall identify the class of templates which are deterministic, i.e., each instantiation

 of a template ? obtained by filling in pure state formulas, has always a deterministic counterexample if  is not true. As it turns out, this class is decidable, and in fact efficiently recognizable. More formally, templates are defined as follows.

Definition 4.4 (template) A template ? is an ACTL formula over “?” as single atomic proposition. The template of an ACTL formula , denoted ?, is the template obtained by uniformly substituting “?” for all atomic propositions in .¹

Observe that for any ACTL formula , its template ? is unique. As with ordinary formulas, we shall often omit or introduce parentheses as usual.

Example 4.2 The template of  = A(a V AX(b ∧ c)) is ? = A(? V AX(? ∧ ?)), and the template of  = (A((b ∨ ¬c) U a) ∧ AX(c ∧ a)) is ? = (A((? ∨ ¬?) U ?) ∧ AX(? ∧ ?)). □

Definition 4.5 (T?, PSF) We denote by T? the set of all ACTL templates and by PSF ⊆ T? the set of pure state formulas on the atomic proposition ?.

We next define a subset DET ⊆ T? of templates in terms of the least fixpoint of a continuous operator which is applied to a pair of sets of templates. The main effort in the rest of the paper will be the proof that this set is precisely the set of all deterministic templates.

Definition 4.6 (operator ) The operator  : 2^{T?} × 2^{T?} → 2^{T?} × 2^{T?} is defined as follows: (S_1, S_2) = (S_1′, S_2′), where

S_1′ = PSF ∪ S_1 ∧ S_1 ∪ S_1 ∨ PSF ∪ PSF ∨ S_1 ∪ AX(S_1) ∪ AV(PSF, S_1) ∪ S_2
S_2′ = AU(S_1, PSF) ∪ AU(PSF, S_2) ∪ S_2 ∨ PSF ∪ PSF ∨ S_2

Obviously,  is a continuous operator on a complete lattice, and hence by Kleene’s Theorem, the least fixpoint ^∞ = (S_1^∞, S_2^∞) exists and is the limit of the sequence ^0 = (∅, ∅), ^{i+1} = (^i), i ≥ 0.

Definition 4.7 (DET) We define DET = S_1^∞ as the first component of the least fixpoint ^∞ = (S_1^∞, S_2^∞) of .

Example 4.3 As easily checked, the sample templates in Section 1 generated by the grammar in Table 1 are in DET. In fact, it is easy to see that DET coincides with the language generated by that grammar. Further templates belonging to DET are: ?, A(? V AX(? ∨ ¬?)), ( ? (? ∧ ?)), (¬(? ∨ ?) ?), A(? V (¬? ∨ A(? U ?))), A(A(? U ?) U ?). On the other hand, the templates A(AX(?) V ?) and A(? U (? ∧ AX(?))) are not in DET.

¹ Alternatively, we could define that maximal pure state formulas in  are replaced by ?, rather than atoms. However, the definition of DET and the BNF grammar in Table 1 would become more complex, while the main results are not affected.


Instantiations of templates are defined as follows.

Definition 4.8 (instantiation) An ACTL formula  over atoms AP, where ? ∉ AP, is an instantiation of a template ? ∈ T?, if  results by substituting each occurrence of ? in ? with a (possibly different) pure state formula over AP.

Example 4.4 An instantiation of A(? V (¬? ∨ A(? U ?))) is A(false V (¬req ∨ A(true U ack))), which expresses that a request is always finally acknowledged (see [5] for this formula). Instantiations of (A((? ∨ ¬?) U ?) ∧ AX(? ∧ ?)) are (A((b ∨ ¬c) U (b ∧ a)) ∧ AX(c ∧ a)) and (A((a ∨ ¬a) U a) ∧ AX(a ∧ ¬a)), i.e., (A(true U a) ∧ AX(false)).

To formulate our main result, we formally define the notion of deterministic template as follows.

Definition 4.9 (c-deterministic template) An ACTL formula  is c-deterministic, if M ⊭  implies that a deterministic counterexample for  exists in M, for every Kripke structure M. A template ? is c-deterministic, if each instantiation  of ? is c-deterministic.

The first of the main results of this paper can now be stated as follows.

Theorem 4.3 Let ? ∈ T?. Then, ? is c-deterministic if and only if ? ∈ DET.

From this result and the inductive definition of DET, we easily obtain the following corollary concerning the recognition of deterministic templates; observe that membership of a template in DET can be checked in a single bottom-up pass of the formula tree, in which each step is unambiguous.

Corollary 4.4 Given a template ? ∈ T?, deciding whether ? is c-deterministic is possible in O(|?|) time, where |?| is the length of ?.

The proof of Theorem 4.3 is rather technical, and involves detailed case studies. It is given in Sections 5 (if-part) and 6 (only-if part).
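The single bottom-up pass behind Corollary 4.4, as an added example that is not code from the paper: the class (PSF, S_2 or S_1) of each subformula is computed from the classes of its children exactly along the union members of Definition 4.6, so that in_det() decides membership in DET and strongly() membership in S_2^∞. The string syntax (?, ~, &, |, AX, A(x U y), A(x V y)) is my own construction, as are the sample templates checked in the test.

```python
import re

# Template syntax assumed here (not the paper's notation):
#   ?  atom    ~x negation    x & y    x | y    AX x    A(x U y)    A(x V y)
_TOKEN = re.compile(r"AX|A|U|V|\?|~|&|\||\(|\)")
# Fixpoint classes; PSF and S2 are subsets of S1, so "in S1" means "not None".
PSF, S2, S1 = "PSF", "S2", "S1"


def parse(text):
    """Recursive-descent parser returning a nested-tuple syntax tree."""
    tokens = _TOKEN.findall(text)
    if "".join(tokens) != "".join(text.split()):
        raise ValueError("unexpected characters in template: %r" % text)
    pos = 0
    peek = lambda: tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError("expected %r, got %r" % (expected, tok))
        pos += 1
        return tok

    def disj():                     # x | y | ...  (lowest precedence)
        node = conj()
        while peek() == "|":
            take("|")
            node = ("or", node, conj())
        return node

    def conj():                     # x & y & ...
        node = unary()
        while peek() == "&":
            take("&")
            node = ("and", node, unary())
        return node

    def unary():
        tok = take()
        if tok == "?":
            return ("?",)
        if tok in ("~", "AX"):
            return ("not" if tok == "~" else "AX", unary())
        if tok == "A":              # A(x U y) or A(x V y)
            take("(")
            left = disj()
            op = take()
            if op not in ("U", "V"):
                raise ValueError("expected U or V, got %r" % op)
            right = disj()
            take(")")
            return ("A" + op, left, right)
        if tok == "(":
            node = disj()
            take(")")
            return node
        raise ValueError("unexpected token %r" % tok)

    tree = disj()
    if peek() is not None:
        raise ValueError("trailing input after %r" % tokens[pos - 1])
    return tree


def classify(node):
    """Bottom-up pass: PSF, S2 or S1 (class the template first enters in the
    fixpoint iteration), or None outside DET; branches mirror Definition 4.6."""
    kind = node[0]
    if kind == "?":
        return PSF
    if kind == "not":                       # negation keeps pure state formulas pure
        return PSF if classify(node[1]) == PSF else None
    if kind == "AX":                        # AX(S1)
        return S1 if classify(node[1]) is not None else None
    left, right = classify(node[1]), classify(node[2])
    if left is None or right is None:
        return None
    if kind == "and":                       # S1 & S1 (PSF & PSF stays pure)
        return PSF if left == right == PSF else S1
    if kind == "or":                        # S1 | PSF, PSF | S1, S2 | PSF, PSF | S2
        if left == right == PSF:
            return PSF
        if PSF not in (left, right):
            return None                     # S1 | S1 is not generated
        return S2 if S2 in (left, right) else S1
    if kind == "AU":                        # AU(S1, PSF) and AU(PSF, S2)
        return S2 if right == PSF or (left == PSF and right == S2) else None
    return S1 if left == PSF else None      # kind == "AV": AV(PSF, S1)


def in_det(text):
    """True iff the template is in DET, i.e. c-deterministic (Theorem 4.3)."""
    return classify(parse(text)) is not None

def strongly(text):
    """True iff the template is in S2 of the fixpoint (strongly c-deterministic)."""
    return classify(parse(text)) == S2
```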

5 Templates in DET are c-deterministic

In this section, we prove that all instances of templates in DET are c-deterministic. The proof proceeds along the inductive definition of DET. However, it appears that the property of c-determinism is not strong enough to allow the induction step to go through smoothly for all templates. We can remedy this problem by revealing that a strengthened version of c-determinism is satisfied by some of the templates, which has the benign property of being establishable in the induction step comparatively easily. We start with some useful definitions.

Definition 5.1 (strongly c-deterministic) An ACTL formula  is strongly c-deterministic, if  is c-deterministic and the following two conditions hold for any Kripke structure M:

1. if  is a deterministic l-counterexample for  in M, then every path  of form  = s_0, …, s_k, () in M such that s_0 ∈ S_0(M) and  has l-counterexamples at s_0, …, s_k is a counterpath of ; and

2. if  is a path in M such that (0) ∈ S_0(M) and every (i), i ≥ 0, is the origin of some l-counterexample for  in M, then  is a counterpath for  in M.


A template ? is strongly c-deterministic, if every instantiation  of ? is strongly c-deterministic.

Example 5.1 The formula  = A(a U b) is strongly c-deterministic: a local counterexample  for  is a path , and at the state (0), the atom b is false. By adding a prefix s_0, …, s_{k−1} of states to  such that b is false in each state s_i, we clearly obtain a path ′ = s_0, …, s_{k−1},  witnessing that a U b is false, i.e., ′ is a counterpath for . Thus, item 1 of strong c-determinism is satisfied. Also item 2 is satisfied: b must be false at the origin of any local counterexample of ; thus, if  is a path as described in item 2, b is false at each state (i). This means that  is a counterexample (and thus a counterpath) for . It is easy to see that this holds if the atoms a and b are replaced by arbitrary pure state formulas; thus, the templates A(? U ?) and all templates in AU(PSF, PSF) are strongly c-deterministic.

On the other hand, the formula  = A(a V b), even if it is c-deterministic (as we shall see below), is not strongly c-deterministic, since it fails to satisfy item 2 of the definition. Indeed, consider a path  where each (i) is the origin of a local counterexample for , in which a is false and b is true. Then, b is true in each state of . However, a counterexample for  must involve a state at which b is false. Thus,  is not a counterpath for  and item 2 fails. It is easy to see from this that no template in AV(PSF, PSF) is strongly c-deterministic. Similarly, it is easy to see that AX a is not strongly c-deterministic (both item 1 and 2 may fail), and that no template in AX(PSF) is strongly c-deterministic.

As for more complex formulas, e.g., the templates A(? U A(? U ?)) and A(? U ?) ∨ ? are strongly c-deterministic. This will be formally proven below. □

The next theorem shows that the templates in the class DET are sound with respect to the property of c-determinism, i.e., each template in this class is c-deterministic. In fact, in the proof of the result we establish a little more, namely that all templates in the subset S_2^∞ ⊆ DET are strongly c-deterministic.

Theorem 5.1 Every template in DET is c-deterministic.

Proof. We establish the result proving by induction on the stages ^i = (S_1^i, S_2^i), i ≥ 0, that every template ? ∈ S_1^i is c-deterministic and every template ? ∈ S_2^i is strongly c-deterministic.

(Basis) The case i = 0 is trivial, since S_1^0 = S_2^0 = ∅.

(Induction) Consider i + 1 and assume the statement holds for i. Let ? be any template such that ? ∈ S_1^{i+1} ∖ S_1^i (resp., ? ∈ S_2^{i+1} ∖ S_2^i). To complete the proof it suffices to show that ? is c-deterministic (resp., strongly c-deterministic), i.e. each instantiation  of ? is c-deterministic (resp., strongly c-deterministic). Let M be any Kripke structure such that M ⊭ . Then, we have to prove that a deterministic counterexample for  exists in M. From the definition of , the following cases for ? are possible.

• ? ∈ PSF ⊆ S_1^{i+1}. (In this case, i = 0.) Each counterexample of  in M is finite, and thus deterministic.

• ? ∈ S_1^i ∧ S_1^i ⊆ S_1^{i+1}. Thus,  = _1 ∧ _2, where both _1 and _2 are c-deterministic by induction hypothesis. Since M ⊭ , either M ⊭ _1 or M ⊭ _2. In both cases, the statement follows from the induction hypothesis.

• ? ∈ S_1^i ∨ PSF ∪ PSF ∨ S_1^i ⊆ S_1^{i+1}. Then,  = _1 ∨ _2. Assume _2 is a pure state formula and _1 is an instantiation of a template in S_1^i; the other case (vice versa) is similar. By the induction hypothesis, _1 is c-deterministic. Since M ⊭ , there exists a counterexample  = _1  _2 in M such that _1 is a counterexample for _1 and _2 is a counterexample for _2. Since _2 is a pure state formula, _2 is finite; thus, by definition of merge (Def. 3.4)  = _1. Further, or() is a state where _2 is false. Clearly, M_{or()} ⊭ _1. Moreover, since _1 is c-deterministic, it admits a deterministic counterexample _1 also in M_{or()}. Clearly, or(_1) = or(), since or() is the only initial state of M_{or()}. As or() ∈ S_0(M), _1 is a counterexample for _1 in M too. Hence the deterministic multi-path _1  or(_1) is a counterexample for _1 ∨ _2 in M. Thus,  is c-deterministic.

• ? ∈ AX(S_1^i) ⊆ S_1^{i+1}. Consequently,  is of shape AX(_1), where _1 is an instantiation of a template in S_1^i. Suppose  is a counterexample for . By definition of counterexample, (1) is a l-counterexample for _1 and (0) is a state. By the induction hypothesis, _1 is c-deterministic. Thus, _1 has a deterministic counterexample in every Kripke structure in which it fails, and hence also in M_{()(1)}. Denote by _1 any such deterministic counterexample. Consider now the multi-path  defined as follows: (0) = (0), (1) = _1, (i) = (_1)(i − 1), for each i > 1. Clearly, (1) is a l-counterexample for _1 in M. Hence,  is a counterexample for ; clearly, it is deterministic.

• ? ∈ AV(PSF, S_1^i) ⊆ S_1^{i+1}. Then  = A(_1 V _2), where _1 is a pure state formula and _2 is c-deterministic by the induction hypothesis. Let  be a counterexample for  in M. By definition of counterexample,  is such that there exists a k ≥ 0 and (k) is a l-counterexample for _2, and (i) is a l-counterexample for _1, for 0 ≤ i < k. Since _1 is a pure state formula, (i), for 0 ≤ i < k, is a state where _1 is false. Moreover, since _2 is c-deterministic, there exists a deterministic counterexample _2 for _2 in M_{or((k))}. Hence, the multi-path  such that (i) = (i), for each 0 ≤ i < k, (k) = _2, and (i + k) = (_2)(i), for i > 1, is a counterexample for  in M. Since  is deterministic, it follows that  is c-deterministic.

• ? ∈ S_2^i ⊆ S_1^{i+1}. By the induction hypothesis.

• ? ∈ AU(S_1^i, PSF) ⊆ S_2^{i+1}. We first show that  is c-deterministic.  is of the form A(_1 U _2), where _1 is c-deterministic by the induction hypothesis and _2 is a pure state formula. Let  be a counterexample for  in M. By definition of counterexample,  is such that either (1) (i) is a counterexample for _2, for each i ≥ 0, or (2) there exists a k ≥ 0 such that (k) is a counterexample for _1 ∨ _2, (i) is a counterexample for _2 (and thus it is a state), for each 0 ≤ i ≤ k and (j) is a state, for each j > k. In case (1), since _2 is a pure state formula, (i) is a state, for each i > 0, and, hence, it is a deterministic counterexample. Consider now case (2). As shown above, each template in S_1^i ∨ PSF is c-deterministic, and thus _1 ∨ _2 is c-deterministic. Hence, _1 ∨ _2 has a deterministic counterexample also in M_{()(k)}. Let _{_1∨_2} be any such deterministic counterexample. Consider now the multi-path  defined as follows: (i) = (i) for each 0 ≤ i < k, (k) = _{_1∨_2}, (j) = (_{_1∨_2})(j − k), for j > k. Clearly, (k) is a counterexample for _1 ∨ _2 in M. Hence,  is a counterexample for  in M. Further, as can be easily checked,  is deterministic.

Now we prove that  satisfies item 1 of Definition 5.1. Consider a path  = s_0, …, s_k, (), as there, where  is a deterministic l-counterexample for  in M. Recall that  = A(_1 U _2), where _1 is, by the induction hypothesis, c-deterministic and _2 is a pure state formula. M_{s_i} ⊭  implies that _2 is false at s_i, for each i = 0, …, k. Since  is a deterministic counterexample for  in M_{or()}, either

2.1 there exists a j ≥ 0 such that (j) is a counterexample for _1 ∨ _2 and (i), for each 0 ≤ i < j, is a l-counterexample for _2 (and thus a state), or

2.2 (i) is a l-counterexample for _2 for each i ≥ 0 (hence  is a path).

In either case, the multi-path  = [s_0, …, s_k, (0), (1), …] is a counterexample for  in M (recall that s_0 ∈ S_0(M)), which is clearly deterministic. Since  = (), item 1 of Definition 5.1 is satisfied.


To show that  satisfies also item 2 of Definition 5.1, consider any path  such that (0) ∈ S_0(M) and (i) is the origin of some l-counterexample for  in M, for each i ≥ 0. Thus, _2 is false in each state (i), for i ≥ 0. Hence,  is a counterpath for  in M.

• ? ∈ AU(PSF, S_2^i) ⊆ S_2^{i+1}. Then  is of the shape A(_1 U _2), where _1 is a pure state formula and _2 is strongly c-deterministic by the induction hypothesis. We have to prove that also  is strongly c-deterministic. We first show that  is c-deterministic. Consider thus a counterexample  for . Then, either

8.1 there exists a k ≥ 0 such that (k) is a counterexample for _1 ∨ _2 and (i) is a counterexample for _2, for each 0 ≤ i < k, or

8.2 (i) is a counterexample for _2, for each i ≥ 0.

In the case (8.1), by definition of counterexample M_{or((i))} ⊭ _2, for each 0 ≤ i ≤ k. Consider now any deterministic counterexample _2 for _2 in M_{or((k))}. Such a counterexample exists, since _2 is strongly c-deterministic (thus c-deterministic). Hence, by item 1 of Definition 5.1, it follows that for every path _j = [or(()(j)), …, or(()(k − 1)), (_2)(0), (_2)(1), …], for all 0 ≤ j ≤ k, there exists a deterministic counterexample _j for _2 in M_{or((j))} such that (_j) = _j. Hence, the multi-path  such that (i) = _i, for 0 ≤ i < k, (k) = _2, and (i + k) = (_2)(i), for i > 0, is a counterexample for . Moreover, as can be easily verified, each _j, for 0 ≤ j < k, is deterministic.

In the case (8.2), by definition of counterexample M_{or((i))} ⊭ _2, for each i ≥ 0. Since _2 is strongly c-deterministic, it satisfies item 2 of Definition 5.1. Thus, each suffix ()^j is a counterpath for _2. Hence, for any deterministic counterexamples _i of _2 such that (_i) = ()^i, i ≥ 0, the deterministic multi-path [_0, _1, …, _i, …] is a deterministic counterexample for .

It remains to prove that  satisfies items 1 and 2 of Definition 5.1. Let  = s_0, s_1, …, s_k, () be a path as in item 1 for a deterministic l-counterexample  of  in M. Recall that  = A(_1 U _2), where _1 is a pure state formula and _2 is, by the induction hypothesis, strongly c-deterministic. Since s_i is origin of some l-counterexample for  in M, it follows M_{s_i} ⊭ _2, for each 0 ≤ i ≤ k. Furthermore, since  is a deterministic counterexample for , either

8.1′ there exists a j ≥ 0 such that (j) is a counterexample for _1 ∨ _2 and (i) is a counterexample for _2, for each 0 ≤ i < j, or

8.2′ (i) is a counterexample for _2, for each i ≥ 0.

In any case, _2 has a deterministic l-counterexample  at or() such that () = (). Since _2 is strongly c-deterministic, item 1 of Definition 5.1 implies that for each i = 0, …, k a deterministic l-counterexample _i for _2 exists at s_i such that (_i) = ^i. Hence, the multi-path ′ = [_0, …, _k, (0), (1), …] is a deterministic counterexample for  in M. Since (′) = ,  is a counterpath for  in M; thus, item 1 is satisfied.

To show that  satisfies also item 2 of Definition 5.1, let  be a path in M such that (0) ∈ S_0(M) and each (i) is origin of a l-counterexample for  in M, i ≥ 0. Then, each (0) must be the origin of a l-counterexample for _2. Since _2 is strongly c-deterministic, it follows from item 2 of Definition 5.1 that each suffix ^i of , i ≥ 0, is a counterpath for _2 in M, i.e., a corresponding deterministic l-counterexample _i for _2 exists in M at (i). Thus,  = [_0, _1, …] is a deterministic counterexample for  in M such that  = (). This means  is a counterpath for  in M, and item 2 of Definition 5.1 is satisfied.

• ? ∈ S_2^i ∨ PSF ∪ PSF ∨ S_2^i ⊆ S_2^{i+1}. The proof that ? is c-deterministic is analogous to the case ? ∈ S_1^i ∨ PSF ∪ PSF ∨ S_1^i above. The verification of points 1 and 2 in Definition 5.1 is straightforward. □

The proof of the previous theorem intuitively explains why the only possible nesting for _2 in an until _1 U _2 is another until operator. On the other hand, if the formula _2 in _1 U _2 is a pure state formula, then _1 can be any c-deterministic formula.

Concerning nesting into an unless A(_1 V _2), it is not possible to nest an arbitrary non-pure state formula in the left position. In this case, strong c-determinism does not ensure that the formula is c-deterministic. Recall that a counterexample for A(_1 V _2) is a multi-path  = [(0), (1), …] such that (0), …, (k − 1) prove the falsity of _1 and (k) the falsity of _2. Trying to construct from  a deterministic counterexample  for A(_1 V _2), we have to replace each (i), 0 ≤ i ≤ k, with a suitable deterministic counterexample (i). We can do so easily for all i < k: since _1 is strongly c-deterministic, for any deterministic counterexample (k − 1) for _1 we can find appropriate (0), …, (k − 2) by exploiting the property in item 1 of Definition 5.1. However, it may happen that every possible (k − 1) misses some state from (k) which is necessary to refute _2; thus, a deterministic counterexample  cannot be built.

5.1 Computing a counterpath for DET-instances

In Section 4, we have shown that deciding whether an arbitrary formula  has a counterpath on a given structure M is intractable in general, and so is computing a counterpath. Since instances of DET-templates always have a counterpath if they are false in M, the question whether there is an (efficient) procedure for computing any counterpath is natural. Note that existence of a counterpath does not a priori mean that computing a counterpath is easy; this could still be a difficult problem. Our second main result shows that this is not the case.

Let for any path P = s_0, s_1, …, s_k in a structure M denote |P| the length of P (= k + 1), and let for any formula  denote d_A() the A-nesting depth of  (where d_A() = 0 for every pure state formula ).

Theorem 5.2 Let  be such that ? ∈ DET. If M ⊭ , then  has a counterpath in M which is either a single state (if ? ∈ PSF), or representable as P, C where P is a finite path (prefix) and C a cycle in M such that |P| + |C| ≤ d_A()|S(M)|. Moreover, given  and M, such P and C can be computed in polynomial time.

Proof. The first part (existence of a representation P, C as described) is shown following the induction in the proof of Theorem 4.3. For each instance  of a template ? ∈ S_1^i ∪ S_2^i, we can construct the desired representation P, C from the main path of the deterministic counterexample constructed in the proof there, exploiting that deterministic counterexamples ′ used in the constructions have representations P′, C′ as described. We omit repeating all these constructions in detail, and focus here on the relevant facts that establish P, C:

1. In cases where  is of the form _1 ∨ _2, _1 ∧ _2, a counterpath for  is immediately obtained by the induction hypothesis.

2. In cases where  is of the form AX _1, A(_1 V _2), and in some cases of A(_1 U _2), the deterministic counterexample  constructed for  is of the form [(0), …, (k), (k + 1), …] where (0), …, (k − 1) are states except if ? ∈ AU(PSF, DET ∖ PSF), (k) is a deterministic counterexample for a formula ′ such that d_A(′) < d_A(), and all (j) are states, j > k. Two subcases arise, depending on the formula ′:

2.1 d_A(′) = 0, i.e., ′? ∈ PSF. Then,  is a simple path in M, and the states (j), j > k, in  are meaningless (i.e., the suffix [(k), (k + 1), …] can be replaced by any infinite path starting at (k)). Thus, a counterpath for  can be represented by P, C such that |P| + |C| ≤ |S(M)| ≤ d_A()|S(M)|.

2.2 d_A(′) > 0. Then, ′ can be assumed to have a counterpath P′, C′ as in the induction hypothesis, and P, C is given by s_0, …, s_{k−1}, P′, C′, where s_i = or((i)), for i = 0, …, k − 1. For a minimal k, it holds that k ≤ |S(M)|, and we obtain |P| + |C| = k + |P′| + |C′| ≤ |S(M)| + d_A(′)|S(M)| ≤ d_A()|S(M)|.

3. In the case where  = A(_1 U _2), a deterministic counterexample  may be constructed such that each (i) is a counterexample for _2. In the case where _2? ∈ PSF,  is a simple path in M, which can be replaced by a prefix-cycle pair P, C such that |P| + |C| ≤ |S(M)| ≤ d_A()|S(M)| (cf. 2.1); otherwise, if _2? ∈ DET ∖ PSF, then P, C is given by P′, C′ representing ((0)), and by the induction hypothesis |P| + |C| = |P′| + |C′| ≤ d_A(_2)|S(M)| ≤ d_A()|S(M)|. This concludes the proof of the first part of the theorem.

For computing P, C in polynomial time (second part of Theorem 5.2) we describe an algorithm which proceeds in two steps. Suppose that  and M are given

for input.

Step 1. Label each state s ∈ S with the set

F(s) = {′ | ′ is a subformula of  such that M, s ⊭ ′}.

It is well-known that this labeling is possible in polynomial time (in fact in O(||(|S(M)| + |R(M)|)) time) [3].

Step 2. Construct a counterpath for , which is either a single state or P, C representing an infinite path, using the following procedure:

Procedure COUNTERPATH
Input: Labeled graph G = (S, R, F), DET instance , state s ∈ S s.t.  ∈ F(s).
Output: s, if ? ∈ PSF; otherwise, P, C representing a counterpath  for  starting at s.

Execute COUNTERPATH(G, , s_0) for some arbitrary s_0 ∈ S such that  ∈ F(s_0), and return the result.

COUNTERPATH proceeds top-down, and constructs the output either directly, or by making a recursive call; thus, COUNTERPATH extends an initially empty prefix P_0 to P_1 ⊆ P_2 ⊆ ⋯ repeatedly until it is eventually completed with a cycle. In general, different choices exist for extending P_i to P_{i+1}. The crucial fact is that membership of ? in DET guarantees a “don’t care” nondeterminism, i.e., no backtracking is necessary. If P_i is properly extended to P_{i+1}, then it can be finally completed with a cycle. We now describe how COUNTERPATH proceeds for ? ∉ PSF, depending on the structure of . We consider the different possible cases:

20

INFSYS RR 1843-99-01

  = 1 ^ 2.

Then, either 1 2 F (s) or 2 2 F (s) (or both). Call either C OUNTERPATH(G; 1 ; s) or C OUNTERPATH(G; 2 ; s), respectively, and return the result.

  = 1_ 2. If 1? 2 PSF , then call COUNTERPATH(G; 2 ; s); otherwise, call C OUNTERPATH(G; 1 ; s).

Return the result.

  = AX( 1). Choose any s0 such that (s; s0 ) 2 R and 1 2 F (s0). If 1? 2= PSF , then call C OUNTERPATH(G; 1 ; s0 ) and return the result; otherwise, complete the path s; s0 to an arbitrary prefixcycle path P; C (where P may be void) containing at most jS (M )j states.   = A( 1 V 2 ). Determine any node s0 reachable by a (possible empty) path s = s0; s1; : : : ; sk = s0 = PSF , then call in R such that 1 V 2 2 F (si ), for all i = 0; : : : ; k ? 1 and 2 2 F (s0 ). If 2? 2 C OUNTERPATH(G; 2 ; s0 ), and return s0 ; : : : ; sk?1 ; P 0 ; C 0 where P 0 ; C 0 is the result of the call; otherwise, if 2? 2 PSF , then complete s0 ; : : : ; sk to any prefix-cycle path P; C having at most jS (M )j states and return it.

  = A( 1 U 2 ). If there exists a prefix-cycle pair P; C = s0; s1; : : : ; sk in G such that k < jS (M )j and

2 2 F (si), for each i = 0; : : : ; k then return P; C (this can be efficiently determined). In the other case, determine any state s0 which is reachable from s by a path s = s0 ; : : : ; sk = s0 such that 2 2 F (si ), for all i = 0; : : : ; k and 1 2 F (sk ). Now, if both 1? ; 2? 2 PSF , then complete the path s0; : : : ; sk to an arbitray prefix-cycle pair P; C such that jP j + jS j  jS (M )j and return it. Otherwise, call C OUNTERPATH(G; 1 ; s0 ), if 1? 2 = PSF , and call C OUNTERPATH(G; 2 ; s0), if 2? 2= PSF ; note that only one of the two cases can apply. Return P; C = s0; : : : ; sk?1; P 0; C 0 where P 0; C 0 is the result of the call.

The correctness of the procedure C OUNTERPATH(G; ; s) follows from the proof of Theorem 5.1. It is not hard to see that each of the cases in the body of C OUNTERPATH can be completed in polynomial time (modulo recursion). Since the recursion depth is bounded by the formula length jj, it follows that some P; C can be constructed in polynomial time. Using proper data structures (in particular for the maximal strongly conneceted components in subgraphs of R induced by labelings in F ), each case can be handled in O(jS (M )j+jR(M )j) time, i.e., in linear time in the size of M . Thus, the procedure C OUNTERPATH(G; ; s) takes O (jj(jS (M )j + jR(M )j)) time. Since, as remarked above, also the construction of G = (S; R; F ) is possible in O (jj(jS (M )j + jR(M )j)) time, it follows that some P; C can be computed from M and  in O(jj(jS (M )j + jR(M )j)) time. This proves the second part and the result. 2 Remarks. (1) We remark that the representation P; C of the path  returned by C OUNTERPATH can be adorned in order to provide more information about the failure of subformulas. In particular, for an unless (1 2 ) the stage sk in  demonstrating the failure of 1 2 can be marked, and similarly for an until (1 2 ); if 2 is false in each state of , this could be marked at (0). An adorned cycle-prefix pair P; C can be seen as a compact representation of a deterministic counterexample, which, different from a counterpath, retains all structural information of the underlying multi-path. (2) There are instances  of templates in and structures M such that for any prefix-cycle pair P; C of an arbitrary counterpath for  in M , the size jP j + jC j is (dA()jS (M )j); the prefix P may cycle through states in M for a number of times that is bounded by dA (), which can not be expressed by an (infinite) cycle.


INFSYS RR 1843-99-01


6 All c-deterministic Templates are in T_DET

The proof of the converse of Theorem 5.1 is based on the observation that particular instantiations of nondeterministic templates can be used to derive the result. The structure of these instantiations allows one to build, in a systematic way, structures in which no deterministic counterexamples exist.


Definition 6.1 (disjoint and positive instantiation) A disjoint instantiation of a template ? ∈ T? is an instantiation  of ? which can be built starting from pure state formulas such that ∧, ∨, AU(·, ·), AV(·, ·) are only applied to formulas 1 and 2 having disjoint sets of atomic propositions, i.e., AP(1) ∩ AP(2) = ∅. An instantiation  is positive, if each occurrence of an atom in  is under an even number of negations. Notice that in a positive template instantiation , each subformula ¬ which is not in the scope of another negation is logically equivalent to a monotone (negation-free) Boolean formula over AP(). Observe also that ¬ ≢ true and ¬ ≢ false holds in this case. Positive disjoint instantiations have the nice property that, with respect to counterexamples, any part of a Boolean combination  of formulas 1, …, m can be “projected out” in suitable structures, i.e., counterexamples for a simplified formula ' give rise to counterexamples for . This is particularly useful for showing that  is not c-deterministic if any of 1, …, m is not c-deterministic.


Lemma 6.1 Let  be a positive disjoint instantiation of ? ∈ T? which is a monotone Boolean combination of distinct formulas 1, …, m (each of which is considered as an atom and used only once). Let + be any nonempty formula which results by removing arbitrary subformulas from . Let M+ be any structure such that R(M+) is total, i.e., each state reaches some state, and AP(M+) = AP(+). Then, there exists a structure M coinciding with M+ except that AP(M) = AP() and L(M+)(s) ⊆ L(M)(s), for each state s, such that (1) M, s ⊨  iff M+, s ⊨ + holds for each state s, and (2) for each path , it holds that  is a local counterpath for  in M iff  is a local counterpath for + in M+.

Proof. Since  is positive, all i are positive. Thus, every formula i which does not occur in + can be made globally true in M+ by including AP(i) in the label of each state s; otherwise, since AP(i) ∩ AP(M+) = ∅, i is false in each state of M+. Let M result from M+ by making each i globally true such that i occurs in a maximal subformula that is pruned from  and is connected in  by conjunction. (Any other pruned j occurs in a maximal pruned subformula which is connected by disjunction; it is globally false in M+ and thus also in M.) It is not hard to see that this M satisfies the property stated in the lemma. □

The next lemma informally states that for any positive disjoint instantiation of a template in T_DET, we can always find a structure such that the formula is true in it, but false if we proceed long enough from an initial state. Observe that this property is not true for all formulas that are instantiations of templates in T_DET. Consider e.g. the formula  = A(false V a), where a is an atomic proposition. This formula is an instance of the template A(? V ?), which belongs to T_DET. A counterexample for  is a path  along which a is false in some state (i). Here, it is impossible to prefix  with a sequence s0, …, sk of states such that along the resulting path A(false V a) becomes true.

Definition 6.2 (single-path structure) A conic structure M is called a single-path structure, if M has a single path  starting at the initial state, and each state in M occurs in it. An immediate consequence of this definition is that for any single-path structure M and non pure-state formula  it holds that M ⊭  just in case (M) is a counterpath for .

Lemma 6.2 For every positive disjoint instantiation  of a template ? ∈ T_DET, there exist a single-path structure M and a k ≥ 1 such that M ⊨  and (M)^k is a local counterpath for  (resp., (M)(k) ⊭  if ? ∈ PSF), where (M) denotes the unique infinite path in M.

Proof. We prove the statement by induction on the stage i ≥ 0 of i = (S1^i, S2^i) in which ? first occurs. (Basis) The case i = 0 is trivial. (Induction) Assume that the statement holds for i and consider the possible cases for ? ∈ S1^{i+1} ∪ S2^{i+1}, where i + 1 > 0. By the induction hypothesis, it remains to consider ? ∉ S1^i ∪ S2^i.

• ? ∈ PSF. (In this case, i = 1.) Let M have the states s0 and s1, where s0 is the unique initial state, and the transitions (s0, s1), (s1, s1). Let L(M)(s0) = AP() and L(M)(s1) = ∅. Clearly, M is a single-path structure such that M ⊨ , and M, (M)^1(0) ⊭ . Thus the statement holds.

• ? ∈ AX(S1^i). Thus,  = AX(1). By the induction hypothesis, a single-path structure M with initial state s0 and a k ≥ 1 exist for 1 which satisfy the statement of the lemma. Let k* be the least such k. If k* > 1 we are done, since M is a single-path structure for which  also satisfies the statement of the lemma. Otherwise (i.e., if k* = 1), we can modify M by adding a new state s0' which reaches s0 and has an arbitrary label. Denote by M' the resulting single-path structure with initial state s0'. Since (M')^1 = (M), it holds that M' ⊨ . Furthermore, (M')^1 is a local counterpath for , since (M')^2 = (M)^1. Hence the statement holds.

• ? ∈ AV(PSF, S1^i). Let  = A(1 V 2). By induction hypothesis, for 2 there exist a single-path structure M and an index k ≥ 1 such that the property of the lemma holds. We modify M by adding AP(1) to every state label in M. It is easy to see that the resulting structure M' satisfies M' ⊨  because 1 is globally true along (M'). Furthermore, (M')^k is still a local counterpath for 2 (resp., (M')(k) ⊭ 2) since  is a disjoint positive instantiation. Hence, the statement holds.

• ? ∈ AU(S1^i, PSF). Thus,  = A(1 U 2). Consider the single-path structure M with states s0 and s1, where s0 is the initial state, transitions (s0, s1), (s1, s1) and labeling L(M)(s0) = AP(2) and L(M)(s1) = ∅. This M and k = 1 prove the statement for . Indeed, M ⊨  since 2 is true in s0. Further, (M)^1 is a local counterpath for  since 2 is globally false along it.

• ? ∈ AU(PSF, S2^i). Thus,  = A(1 U 2). By induction hypothesis, for 2 there exist a single-path structure M and an index k ≥ 1 as in the lemma. Without loss of generality, no atomic proposition from AP(1) occurs in any state label of M. Since  is a positive disjoint instantiation, it is easy to see that M and k witness the statement also for . Indeed, M ⊨  since 2 is true in the initial state of M. Furthermore, (M)^k is a local counterpath for , since it is a local counterpath for 2 (resp., 2 is false in (M)(k)) and 1 is globally false along it.

• ? ∈ S1^i ∨ PSF ∪ PSF ∨ S1^i. Thus,  = 1 ∨ 2. Assume that 1? ∉ PSF; the case 2? ∉ PSF is similar. By induction hypothesis, for 1 there exist a single-path structure M and an index k ≥ 1 as stated in the lemma. Without loss of generality, no atomic proposition from AP(2) occurs in any state label of M. Since  is a positive disjoint instantiation, it is easy to see that M and k witness the statement also for . Indeed, M ⊨  since M ⊨ 1. Further, (M)^k is a local counterpath for  since it is a local counterpath for 1 (resp., 1 is false in (M)(k)) and 2 is globally false along it. Thus, the statement holds.

• ? ∈ S1^i ∧ S1^i. Thus,  = 1 ∧ 2, and w.l.o.g. 1? ∉ PSF. By induction hypothesis, for 1 there exist a single-path structure M and an index k ≥ 1 as stated in the lemma. We modify M by adding to every state label the set of atomic propositions appearing in 2. It is easy to see that the resulting structure M' and k witness the statement also for . Clearly, M' ⊨  since M' ⊨ 1 and M' ⊨ 2, as 2 is globally true in M'. Furthermore, (M')^k is a local counterpath for  since it is a local counterpath for 1. Thus, the statement holds.

This concludes the proof. □
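As an added worked example, not part of the report, the following Python encodes single-path structures as lassos and evaluates ACTL formulas along their unique path, then checks the two-state witnesses built in the proof of Lemma 6.2 above and the k-structures of Lemma 6.3 below. The atoms a, b, c are constructed names, and the unless operator V is read as the dual of U (release), which is an assumption of this example.

```python
"""Added example (not from the report): single-path structures as lassos with
an ACTL evaluator, used to check the constructions of Lemmas 6.2 and 6.3."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Union

# Formula AST: an atom is a string; compound formulas are tuples
#   ("not", f), ("and", f, g), ("or", f, g), ("AX", f),
#   ("AU", f, g) = A(f U g),  ("AV", f, g) = A(f V g).
# Assumption: V is the dual of U (release): g holds at every position up to
# and including the first one where f holds.
Formula = Union[str, tuple]


@dataclass(frozen=True)
class SinglePath:
    """Single-path structure: states 0..n-1 are visited in order and the last
    one steps back to `loop`, so pi(M) = 0, 1, ..., n-1, loop, ..., n-1, ..."""
    labels: Tuple[FrozenSet[str], ...]
    loop: int

    def period(self) -> int:
        return len(self.labels) - self.loop

    def horizon(self) -> int:
        """From any position i, positions i..i+horizon-1 cover a full cycle."""
        return len(self.labels) + self.period()

    def label(self, i: int) -> FrozenSet[str]:
        """Label of the state pi(M)(i)."""
        if i < len(self.labels):
            return self.labels[i]
        return self.labels[self.loop + (i - self.loop) % self.period()]


def holds(m: SinglePath, f: Formula, i: int = 0) -> bool:
    """M, pi(M)^i(0) |= f.  With a single path, the quantifier A ranges over
    one path only, so ACTL is evaluated linearly along the suffix at i."""
    if isinstance(f, str):
        return f in m.label(i)
    op = f[0]
    if op == "not":
        return not holds(m, f[1], i)
    if op == "and":
        return holds(m, f[1], i) and holds(m, f[2], i)
    if op == "or":
        return holds(m, f[1], i) or holds(m, f[2], i)
    if op == "AX":
        return holds(m, f[1], i + 1)
    window = range(i, i + m.horizon())  # by periodicity one cycle decides
    if op == "AU":  # some j carries g, and f holds at every position before j
        for j in window:
            if holds(m, f[2], j):
                return True
            if not holds(m, f[1], j):
                return False
        return False
    if op == "AV":  # every j carries g, unless f held at a position before j
        for j in window:
            if not holds(m, f[2], j):
                return False
            if holds(m, f[1], j):
                return True
        return True
    raise ValueError(f"unknown operator {op!r}")


def lemma62_witness(m: SinglePath, f: Formula) -> Optional[int]:
    """Least k >= 1 with M |= f and M, pi(M)^k(0) |/= f, i.e. f is true at the
    initial state but falsified by a suffix (Lemma 6.2); None if none exists."""
    if not holds(m, f, 0):
        return None
    return next((k for k in range(1, m.horizon()) if not holds(m, f, k)), None)


def lemma63_witness(m: SinglePath, f: Formula) -> Optional[int]:
    """Least k >= 1 with M |/= f and M, pi(M)^i(0) |= f for all i >= k, i.e. M
    is a k-structure for f (Definition 6.3); None if M is not one."""
    if holds(m, f, 0):
        return None
    n = len(m.labels)
    for k in range(1, n + 1):
        if all(holds(m, f, i) for i in range(k, n + m.period())):
            return k
    return None


def mk(*labels, loop: Optional[int] = None) -> SinglePath:
    """Build a single-path structure; by default the last state has a self-loop."""
    labs = tuple(frozenset(l) for l in labels)
    return SinglePath(labs, len(labs) - 1 if loop is None else loop)


# Constructions from the proofs; atoms a, b, c are constructed sample names.
AX_A = ("AX", "a")
L62_BASIS = mk({"a"}, set())           # Lemma 6.2 basis: L(s0)=AP(a), L(s1)={}
L62_AX = mk(set(), {"a"}, set())       # Lemma 6.2 AX case, k=1: fresh initial state
L62_AV = mk({"c"}, {"a", "c"}, {"c"})  # Lemma 6.2 AV(PSF,S1): AP(c) added to all labels
L62_AU = mk({"b"}, set())              # Lemma 6.2 AU(S1,PSF): L(s0)=AP(b), L(s1)={}
L63_BASIS = mk(set(), {"a"})           # Lemma 6.3 basis: false at s0, true from s1 on
L63_AX = mk(set(), set(), {"a"})       # Lemma 6.3 AX case: new initial state s
L63_AU = mk(set(), {"b"}, {"a", "b"})  # Lemma 6.3 AU(S1,PSF): AP(b) in all labels but s0
```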

The next lemma informally says that for any positive disjoint instantiation  of a template in T_DET, it is possible to find a single-path structure which does not satisfy , but which is always satisfied if we proceed long enough on the single path. This lemma is in a sense complementary to the previous lemma. Similar as there, the property is not true for arbitrary instantiations of templates from T_DET. E.g., a single-path structure falsifying  = A(true U a) does not contain any “suffix” structure in which  holds. Prior to the lemma, we introduce the notion of k-structure.

Definition 6.3 (k-structure) A k-structure for a positive disjoint instantiation  of a template ? ∈ T? is any conic structure M such that M ⊭  and for each path  in M starting at s0, there exists an index k ≥ 1 such that M, ^i(0) ⊨ , for each i ≥ k. □

We will use k-structures repeatedly in constructions of structures which do not have deterministic counterexamples for formulas involving the until operator.

Lemma 6.3 Each positive disjoint instantiation  of any template ? ∈ T_DET has some k-structure M. In fact, single-path k-structures M always exist.

Proof. As previously, we prove the statement by induction on the stage i ≥ 0 of i = (S1^i, S2^i) in which ? first occurs. (Basis) The case i = 0 is trivial. (Induction) Assume that the statement holds for i, and consider the possible cases for ? ∈ S1^{i+1} ∪ S2^{i+1}, where i + 1 > 0. By the induction hypothesis, it remains to consider ? ∉ S1^i ∪ S2^i.

• ? ∈ PSF. (In this case, i = 1.) Let M have the states s0 and s1, where s0 is the unique initial state, and the transitions (s0, s1), (s1, s1). Let L(M)(s0) = ∅ and L(M)(s1) = AP(). Clearly, M is a single-path structure such that M ⊭ , and M, (M)^1(0) ⊨ . Thus the statement holds.

• ? ∈ AX(S1^i). Let  = AX(1). By induction hypothesis, there exist a single-path structure M and an index k ≥ 1 such that M ⊭ 1 and M, (M)^i(0) ⊨ 1 for all i ≥ k. Let s0 be the initial state of M. We modify M by changing the initial state to a new state s with arbitrary label and adding the transition (s, s0). Clearly, the resulting structure M' is single-path and M' ⊭ . From the induction hypothesis, it follows that for each i ≥ k + 1, M', (M')^i(0) ⊨ 1. Hence, the statement holds.

• ? ∈ AV(PSF, S1^i). Let  = A(1 V 2). Let s0 be the initial state of a single-path structure M for 2 and k ≥ 1 as stated in the lemma, which exist by the induction hypothesis. Since M ⊭ 2, it follows M ⊭ . Furthermore, M, ()^i(0) ⊨ 2 implies M, ()^i(0) ⊨ , for each i ≥ k. Thus the statement holds.

• ? ∈ AU(S1^i, PSF). Let  = A(1 U 2). Let for 1 be M and k ≥ 1 as stated in the lemma, which exist by induction hypothesis. Without loss of generality, M includes AP(2) in each state label L(s) except for the initial state s0, which contains no atomic proposition from AP(2). Then, M, s0 ⊭ 2, and since M ⊭ 1, it follows M ⊭ . Furthermore, M, (M)^i(0) ⊨  for all i ≥ k since 2 is true in (M)^i(0). Thus, the statement holds.

• ? ∈ AU(PSF, S2^i). Let  = A(1 U 2). Let for 2 be M and k ≥ 1 as stated in the lemma, whose existence follows from the induction hypothesis. Without loss of generality, we assume that the initial state s0 of M contains no atomic proposition from AP(1). Since M ⊭ 2, it follows M ⊭ . Furthermore, since M, (M)^i(0) ⊨ 2 it follows that M, (M)^i(0) ⊨ , for all i ≥ k. Thus the statement holds.

• ? ∈ S1^i ∨ PSF ∪ PSF ∨ S1^i. Let  = 1 ∨ 2. Assume 1? ∉ PSF; the case 2? ∉ PSF is similar. Let for 1 be M and k ≥ 1 as stated in the lemma, which exist by induction hypothesis. Assume without loss of generality that no atomic proposition from AP(2) occurs in any label of M. Then, it is easy to see that M and k witness the statement for .

• ? ∈ S1^i ∧ S1^i. Let  = 1 ∧ 2. Let for 1 be M and k ≥ 1 as stated in the lemma, which exist by the induction hypothesis. Assume without loss of generality that 1? ∉ PSF, and that each label of M includes AP(2). Since 2 is globally true in M, it is easy to see that M and k witness the statement also for .

This concludes the proof. □

In the next lemma, we show that a large class of templates in T? \ T_DET which involve nesting into the until operator U or the unless operator V, respectively, are not deterministic. We establish this by proving that positive disjoint instantiations of these templates are not c-deterministic. Prior to that, we introduce some useful concepts.

Definition 6.4 (left- and right-structures) A left-structure M for a positive disjoint instantiation  = is a conic structure with initial state s0 and AP(M) = AP(), which satisfies, depending on the linear-time operator guarding , the following properties (see Figure 5):

If  = AX(1), then only one transition (s0, s0') leaving from s0 exists, and
• s0' is the initial state of another structure, denoted by 1,
• s0 does not appear in the set of states of 1,
• 1 ⊭ 1.

If  = A(1 V 2), then
• s0 is the initial state of another structure, denoted by 1, such that 1 ⊭ 1;
• there is only one transition from s0 to a state s0' not belonging to 1, which is the initial state of another structure, denoted by , such that  ⊭ ;
• the sets of states of 1 and  are disjoint.

For  = A(1 U 2), M is similar as for  = A(1 V 2), but with the roles of 1 and 2 exchanged. Right-structures for  are particular left-structures, such that all structures , 1, and 2 involved, with the exception of 1 for  = A(1 V 2), are k-structures (see Figure 6). □

Figure 5: Left-structures for (a)  = AX1, (b)  = A(1 V 2), and (c)  = A(1 U 2)

Figure 6: Right-structures for (a)  = AX1, (b)  = A(1 V 2), and (c)  = A(1 U 2)

Left- and right-structures will be used as components for the left-nested and right-nested formulas 1 and 2, respectively, in the constructions of structures M witnessing the fact that formulas A(1 U 2) are not c-deterministic in general, and similarly for formulas A(1 V 2). We note the following proposition.

Proposition 6.4 Let M be any left-structure for a positive disjoint instantiation . Then M ⊭ .

Proof. For  = AX(1), this is obvious. To see this for  = A(1 V 2), let  be a counterexample for  in  (which exists by Theorem 3.1), and let ' be a counterexample for 1 in 1 (starting at s0). Then, the multi-path [', (0), (1), …] is a counterexample for . In case  = A(1 U 2), let  be a counterexample for  in  (which exists by Theorem 3.1), and let ' be a counterexample for 2 in 2 (starting at s0). Then, the multi-path [', (0), (1), …] is a counterexample for . □

Definition 6.5 (fusion of structures) Let M1 and M2 be conic structures with initial states s0^1 and s0^2, respectively, having disjoint sets of states. Then, the fusion of M1 and M2 is the conic structure M obtained by taking the union of M1 and M2, where s0^1 and s0^2 are merged into a single state s0 with label L(s0) = L(s0^1) ∪ L(s0^2). □

Lemma 6.5 Let  be a positive disjoint instantiation of a template ? ∈ T? such that either
1.  = A(1 U 2), where 1? ∉ PSF and 2? ∈ T_DET \ PSF, or
2.  = A(1 V 2), where 1? ∉ PSF, and 2? ∈ T_DET.
Then,  is not c-deterministic.

Proof. To prove the statement, we have to find a structure M such that both M ⊭  and each counterexample for  in M is not a deterministic multi-path. We will construct such an M starting from left- and right-structures M1 and M2 for the subformulas 1 and 2, respectively. Unless stated otherwise, such structures will have disjoint sets of states. We observe the following fact.

Fact. For each 1, some left-structure exists, and for each 2, by Lemma 6.3 some right-structure exists. (Recall that right-structures are particular left-structures, and thus Lemma 6.3 implies also the existence of left-structures for each 2. However, for each 2 simpler left-structures can be found.)

Technically, we prove the statement in the lemma first for the case in which 1 and 2 are either of the form A( ) or pure state formulas. By exploiting Lemma 6.1, we can then conclude that the statement is true in general. Thus, according to 1? and 2?, we consider the following cases (1) and (2).

(1) ? = A(1? U 2?), where 1? = 1? ∉ PSF and 2? = 2? ∈ T_DET \ PSF. We construct M as the fusion of a left-structure M1 for 1 and a right-structure M2 for 2 with initial state s0, and modify M according to the linear time operators X, V, and U guarding 1 and 2, respectively. The following cases are possible:

• 1 = AX(1,1) and 2 = AX(2,1). We modify M as follows. In each state s of the structure 1,1 in M1 (see Def. 6.4), we include AP(2,1) (i.e., in its label L(s)), and in each state of 2,1 in M2, we include AP(1,1) (see Figure 7).

Figure 7: The X-X case: A(1 U 2), where 1 = AX(1,1) and 2 = AX(2,1)

Clearly, these additions preserve the existence of counterexamples for 1,1 in 1,1 and for 2,1 in 2,1, respectively, since AP(1,1) and AP(2,1) are disjoint. It holds that M ⊭ , since M1 ⊭ 1 and M2 ⊭ 2. Indeed, we can find a counterexample for 1 ∨ 2 simply by merging a counterexample for 1 in M1 with a counterexample for 2 in M2. Clearly, this counterexample is not deterministic. It remains to show that no deterministic counterexample for  in M exists. First observe that no counterexample for 1 is in M2. Indeed, for every multi-path  in M2, (1) cannot be a counterexample for 1,1, since each state of M1 except s0 contains the set AP(1,1). Similarly, there is no counterexample for 2 in M1. Hence, each counterexample for  involving counterexamples for both 1 and 2 cannot be deterministic. By Definition 3.5, any counterexample for  must involve counterexamples for 2. Now we show that every counterexample for  involving only counterexamples for 2 is not deterministic. Clearly, this concludes the proof. Towards a contradiction, suppose  is a deterministic counterexample such that (i) is a counterexample for 2, for every i ≥ 0. Since 2 is globally true in M1, () must lead into M2, and thus into 2,1. However, 2,1 is a k-structure, which means that 2 is eventually true. This raises the desired contradiction.

• 1 = AX(1,1) and 2 = A(2,1 V 2,2). We modify M in the following way. We add to every state s of M1 except s0 the set AP(2). Similarly, we add to every state of M2 except s0 the set AP(1). Finally, we add in every other state of 2,1 in M2 (see definition of right-structure), including s0, the set AP(2,2) (see Figure 8). It is easy to see that after these additions, M1 ⊭ 1 and M2 ⊭ 2 still hold. Thus, M ⊭ . Moreover, no counterexample for 1 is in M2. Indeed, for every multi-path  in M2, (1) cannot be a counterexample for 1,1, since each state of M2 except s0 contains the set AP(1,1). Finally, no counterexample for 2 is in M1. Indeed, a counterexample for 2 must contain a counterexample for 2,2. However, this is impossible, since 2,2 is globally true in M1. Hence, a counterexample for  involving counterexamples for both 1 and 2 cannot be deterministic. By Definition 3.5 a counterexample for  must involve counterexamples for 2.

Figure 8: The X-V case: A(1 U 2), where 1 = AX(1,1) and 2 = A(2,1 V 2,2)

Now we show that every counterexample for  involving only counterexamples for 2 is not deterministic. Clearly, this concludes the proof. Towards a contradiction, suppose  is a deterministic counterexample involving only counterexamples for 2. By Definition 3.5,  is such that (i) is a counterexample for 2, for each i ≥ 0. But such a counterexample cannot be deterministic. Indeed,  cannot lead into 2, since it is a k-structure of 2. On the other hand, it cannot lead into M1 or 2,1, since a counterexample for 2 must contain a counterexample for 2,2, and 2,2 is globally true in 2,1. Hence, every counterexample for  in M is not deterministic.

• 1 = AX(1,1) and 2 = A(2,1 U 2,2). We modify M as follows. We add to every state of M1 except s0 the set AP(2), and to every state of M2 except s0 the set AP(1). Finally, we add in every state of 2,2 in M2 including s0 the set AP(2,1) (see Figure 9). It is easy to see that after these additions M1 ⊭ 1 and M2 ⊭ 2 still hold. Thus, M ⊭ . Moreover, no counterexample for 1 is in M2. Indeed, for every multi-path  in M2, (1) cannot be a counterexample for 1,1, since each state of M2 except s0 contains the set AP(1,1). Finally, no counterexample for 2 is in M1. Indeed, since each state of M1 contains AP(2,1), a counterexample for 2 in M1 could only be a multi-path  such that (i) is a counterexample for 2,2, for each i ≥ 0. But this is impossible, since for every multi-path  in M1, each state appearing in (i), for i ≥ 1, contains AP(2,2). Hence, a counterexample for  involving counterexamples for both 1 and 2 cannot be deterministic. Definition 3.5 requires that a counterexample for  must involve a counterexample for 2. Now we show that every counterexample for  involving only counterexamples for 2 is not deterministic. This, clearly, concludes the proof. Towards a contradiction, suppose  is a deterministic counterexample for  such that (i) is a counterexample for 2, for every i ≥ 0. But such a counterexample cannot be deterministic. Indeed, it can neither lead into M1 nor into 2, since this is a k-structure of 2. Furthermore, it cannot lead into 2,2. Indeed, a counterexample for 2 cannot involve a counterexample for 2,1 as 2,2 contains in each state the set AP(2,1). Thus, such a counterexample could only be a multi-path  such that (i) is a (deterministic) counterexample for 2,2, for each i ≥ 0. But this is not possible, since 2,2 is a k-structure of 2,2. Hence, no counterexample for  in M is deterministic.

Figure 9: The X-U case: A(1 U 2), where 1 = AX(1,1) and 2 = A(2,1 U 2,2)

• 1 = A(1,1 V 1,2) and 2 = AX(2,1). We modify M as follows. We add to every state of M1 except s0 the set AP(2) and to every state of M2 except s0 the set AP(1). Moreover, we add to s0 the set AP(1,2). Finally, we add in every other state of 1,1 in M1 (see definition of left-structure) the set AP(1,2) (see Figure 10).

Figure 10: The V-X case: A(1 U 2), where 1 = A(1,1 V 1,2) and 2 = AX(2,1)

After these additions, M1 ⊭ 1 and M2 ⊭ 2 still hold. Thus, M ⊭ . Moreover, no counterexample for 2 is in M1. Indeed, for every multi-path  in M1, (1) cannot be a counterexample for 2,1, since each state of M1 except s0 contains the set AP(2,1). Finally, no counterexample for 1 is in M2. Indeed, a counterexample for 1 must contain a counterexample for 1,2, but this is impossible, since each state in M2 contains AP(1,2). Hence, a counterexample for  involving counterexamples for both 1 and 2 cannot be deterministic. By Definition 3.5, a counterexample for  must involve counterexamples for 2. Now we show that every counterexample for  involving only counterexamples for 2 is not deterministic. This, clearly, concludes the proof. Towards a contradiction, suppose  is a deterministic counterexample involving only counterexamples for 2. Definition 3.5 implies that (i) is a counterexample for 2, for each i ≥ 0. But such a counterexample cannot be deterministic. Indeed,  can lead neither into M1 nor into M2, since 2,1 is a k-structure of 2,1. This proves the statement.

• 1 = A(1,1 V 1,2) and 2 = A(2,1 V 2,2). We modify M as follows. We add to every state of M1 except s0 the set AP(2). Then, we add to every state of M2 except s0 the set AP(1). Moreover, we add to s0 the set AP(1,2). Finally, we add in every state of 2,1 in M2, including s0, the set AP(2,2) (see Figure 11).

Figure 11: The V-V case: A(1 U 2), where 1 = A(1,1 V 1,2) and 2 = A(2,1 V 2,2)

It is easy to see that, also after these additions, M1 ⊭ 1 and M2 ⊭ 2. Thus, M ⊭ . Moreover, no counterexample for 1 is in M2. Indeed, 1,2 is globally true in M2. Similarly, no counterexample for 2 is in M1. Hence, a counterexample for  involving counterexamples for both 1 and 2 cannot be deterministic. By Definition 3.5, a counterexample for  must involve a counterexample for 2. Now we show that every counterexample for  involving only counterexamples for 2 is not deterministic. This, clearly, concludes the proof. Towards a contradiction, suppose  is a deterministic counterexample for 2 such that (i) is a counterexample for 2, for each i ≥ 0. But such a counterexample cannot be deterministic. Indeed,  cannot lead into M1, and it cannot lead into 2 since it is a k-structure of 2. On the other hand, it cannot lead into 2,1, since a counterexample for 2 must contain a counterexample for 2,2 and 2,2 is globally true in 2,1. Hence, every counterexample for  in M is not deterministic.

• 1 = A(1,1 V 1,2) and 2 = A(2,1 U 2,2). We modify M as follows. We add to every state of M1 except s0 the set AP(2). Then, we add to every state of M2 except s0 the set AP(1). Moreover, we add to s0 the set AP(1,2) ∪ AP(2,1). Finally, we add in every other state of 2,2 in M2 the set AP(2,1) (see Figure 12). It is easy to see that, also after these additions, M1 ⊭ 1 and M2 ⊭ 2. Thus, M ⊭ . Moreover, no counterexample for 1 is in M2. Indeed, a counterexample for 1 must contain a counterexample for 1,2. But this is impossible, since each state in M2 contains AP(1,2). Finally, no counterexample for 2 is in M1. Indeed, since each state of M1 contains the set AP(2,1), a counterexample for 2 in M1 could only be a multi-path  such that each element (i) is a counterexample for 2,2, for each i ≥ 0. But this is impossible, since 2,2 is globally true in M1. Hence, a counterexample for  involving counterexamples for both 1 and 2 cannot be deterministic. By Definition 3.5 a counterexample for  must involve a counterexample for 2. Now we show that every counterexample for  involving only counterexamples for 2 is not deterministic. This, clearly, concludes the proof. Towards a contradiction, suppose  is such a deterministic counterexample, i.e., (i) is a counterexample for 2, for each i ≥ 0. But such a counterexample cannot be deterministic. Indeed, it cannot lead into 2, since this is a k-structure of 2. On the other hand, it cannot lead into 2,2. Indeed, a counterexample for 2 cannot involve a counterexample for 2,1 as 2,2 contains in each state the set AP(2,1). Thus, such a counterexample could only be a multi-path  such that (i) is a (deterministic) counterexample for 2,2, for each i ≥ 0. But this is not possible, since 2,2 is a k-structure of 2,2. Hence, no counterexample for  in M is deterministic.

Figure 12: The V-U case: A(1 U 2), where 1 = A(1,1 V 1,2) and 2 = A(2,1 U 2,2)

• 1 = A(1,1 U 1,2) and 2 = AX(2,1). We modify M in the following way. We add to every state of M1 except s0 the set AP(2) and to every state of M2 except s0 the set AP(1). Finally, we add in every state of 1,2 in M1 the set AP(1,1) (see Figure 13). It is easy to see that, also after these additions, M1 ⊭ 1 and M2 ⊭ 2. Thus, M ⊭ . Moreover, no counterexample for 2 is in M1. Indeed, for every multi-path  in M1, (1) cannot be a counterexample for 2,1, since each state of M1 except s0 contains the set AP(2,1). Finally, no counterexample for 1 is in M2. Indeed, since each state of M2 contains the set AP(1,1), a counterexample for 1 in M2 could only be a multi-path  such that each element (i) is a counterexample for 1,2, for each i ≥ 0. But this is impossible, since for every multi-path  in M2, each state appearing in (i) contains the set AP(1,2), for each i ≥ 1. Hence, a counterexample for  involving counterexamples for both 1 and 2 cannot be deterministic. By Definition 3.5 a counterexample for  must involve a counterexample for 2. Now we show that every counterexample for  involving only counterexamples for 2 is not deterministic. This, clearly, concludes the proof. Towards a contradiction, suppose  is a deterministic counterexample such that (i) is a counterexample for 2, for each i ≥ 0. But such a counterexample cannot be deterministic. Indeed,  cannot lead into M1, since 2 is globally true in M1, and it cannot lead into M2, since 2,1 is a k-structure of 2,1. Thus, the statement is proven.

Figure 13: The U-X case: A(1 U 2), where 1 = A(1,1 U 1,2) and 2 = AX(2,1)

• 1 = A(1,1 U 1,2) and 2 = A(2,1 V 2,2). We modify M in the following way. We add to every state of M1 except s0 the set AP(2). Then, we add to every state of M2 except s0 the set AP(1). Moreover, we add to s0 the set AP(1,1) ∪ AP(2,2). Finally, we add to every other state of 2,1 in M2 the set AP(2,2) (see Figure 14). It is easy to see that after these additions, M1 ⊭ 1 and M2 ⊭ 2 hold. Thus, M ⊭ . Moreover, no counterexample for 1 is in M2. Indeed, 1,1 is globally true in M2 and for every multi-path  in M2, (i), for i ≥ 1, cannot be a counterexample for 1,2, since each state of M2 except s0 contains the set AP(1,2). Finally, no counterexample for 2 is in M1. Indeed, 2,2 is globally true in M1. Hence, a counterexample for  involving counterexamples for both 1 and 2 cannot be deterministic. By Definition 3.5, a counterexample for  must involve a counterexample for 2. Now we show that every counterexample for  involving only counterexamples for 2 is not deterministic. This, clearly, concludes the proof. Towards a contradiction, suppose  is a deterministic counterexample for  such that (i) is a counterexample for 2, for each i ≥ 0. Such a counterexample cannot be deterministic. Indeed,  can neither lead into M1 (cf. above) nor into 2,1, since a counterexample for 2 must contain a counterexample for 2,2 which is globally true in 2,1. Furthermore,  cannot lead into 2, since it is a k-structure of 2. Hence, no counterexample for  in M is deterministic.

Figure 14: The U-V case: A(1 U 2), where 1 = A(1,1 U 1,2) and 2 = A(2,1 V 2,2)

• 1 = A(1,1 U 1,2) and 2 = A(2,1 U 2,2). We modify M in the following way. We add to every state of M1 except s0 the set AP(2) and to every state of M2 except s0 the set AP(1). Moreover, we add in s0 the set AP(1,1) ∪ AP(2,1). Finally, we add in every other state of 2,2 in M2 (see definition of right-structure) the set AP(2,1) (see Figure 15). It is easy to see that after these additions, M1 ⊭ 1 and M2 ⊭ 2 hold. Thus, M ⊭ . Moreover, no counterexample for 1 is in M2. Indeed, 1,1 is globally true in M2 and for every multi-path  in M2, (i), for i ≥ 1, cannot be a counterexample for 1,2, since each state of M2 except s0 contains the set AP(1,2). Similarly, no counterexample for 2 is in M1. Hence, a counterexample for  involving counterexamples for both 1 and 2 cannot be deterministic. By Definition 3.5, a counterexample for  must involve a counterexample for 2. Now we show that every counterexample for  involving only counterexamples for 2 is not deterministic. This, clearly, concludes the proof. Towards a contradiction, let  be a deterministic counterexample for  such that (i) is a counterexample for 2, for each i ≥ 0. But such a counterexample cannot be deterministic. Indeed,  cannot lead into M1, and furthermore, it cannot lead into 2, since this is a k-structure of 2. Finally, it also cannot lead into 2,2. Indeed, a counterexample for 2 cannot involve a counterexample for 2,1, as 2,2 contains in each state the set AP(2,1). Thus, such a counterexample could only be a multi-path  such that (i) is a (deterministic) counterexample for 2,2, for each i ≥ 0. But this is not possible, since 2,2 is a k-structure of 2,2. Hence, every counterexample for  in M is not deterministic.

(2) The second case is = A( 1 V 2 ), where 1* ∉ PSF and either 2* ∈ DET or 2 ∈ PSF. In this case, we consider all possible shapes of the template 1*. In each case, we construct a structure M such that both M ⊭ and each counterexample for in M is not deterministic. The structure M is obtained by modifying a structure which we define next. Let M′ be a single-path structure as stated in Lemma 6.2 for formula 2. Thus, M′ ⊨ 2. Furthermore, there exists an index k ≥ 1 such that (M′)k is a local counterpath for 2 (resp., 2 is false in (M′)(k)). Without loss of generality, k is the least index having this property. Denote by si = (M′)(i), for i = 0, …, k, the first k+1 states appearing in (M′). Note that the si (hence also the suffixes (M′)i) are pairwise distinct. Furthermore, sk is the initial state of a structure M+ induced by sk in M′ (i.e., the suffix (M′)k) such that M+ ⊭ 2.

[Figure 15: The U-U case: A( 1 U 2 ), where 1 = A( 1,1 U 1,2 ) and 2 = A( 2,1 U 2,2 ).]

Let M0 be a left-structure for 1. We take copies M1, …, Mk−1 and repeatedly take the fusion of Mi with the substructure of M′ induced by the state si in M′, for i = 0, …, k−1. The repeatedly so revised structure M′ is the desired structure M with initial state s0 (cf. Figure 16). We now consider the possible types of 1*.

• 1 = AX( 1,1 ), i.e., = A(AX( 1,1 ) V 2 ). To construct M, we modify the above structure M as follows. Include in the label of each state not appearing in (M′)k the set AP( 2 ). Note that this addition does not affect the existence of (local) counterexamples for 1 starting at s0, s1, …, sk−1, since AP( 1 ) and AP( 2 ) are disjoint. Finally, we add the set AP( 1 ) in every state of M′ (thus, to each state appearing in (M′)). This addition preserves the existence of counterexamples for 1 starting with s0, s1, …, sk−1, since 1 involves the next-time operator. Furthermore, (M′)k is still a local counterpath for 2, since AP( 1 ) and AP( 2 ) are disjoint. The resulting conic structure with initial state s0 is M (see Figure 16). We can see that M ⊭ . Indeed, there exists a multi-path 2 such that 2(i) is a l-counterexample for 1, for 0 ≤ i ≤ k−1 (recall that each state si is origin of a l-counterexample for 1), and 2(k) is a local counterexample for 2 with main path (M′)k. Clearly, this multi-path is not deterministic. Moreover, no deterministic counterexample for is in M. Indeed, each counterexample for needs a counterexample for 2. But no path starting at the initial state s0 can be a local counterpath for 2. Indeed, each path not reaching states beyond sk cannot be a counterpath for 2, since the label of each state appearing in it would contain the set AP( 2 ). On the other hand, the only path starting with s0 and reaching sk is (M′). However, as M′ was chosen according to Lemma 6.2, this path cannot be a counterpath for 2. Hence, we need a counterexample whose first element is a counterexample for 1. Clearly, we cannot find a counterexample for 1 along the path (M′), since each state in it contains AP( 1 ). Hence, each counterexample for necessarily contains branching, that is, it is not deterministic.

[Figure 16: Nesting into unless, the X case: = A(AX( 1,1 ) V 2 ).]

• 1* = A( 1,1* V 1,2* ). Then, = A(A( 1,1 V 1,2 ) V 2 ). To construct M, we modify the above structure M as follows. We add in each state not appearing in (M′)k the set AP( 2 ). Note that this addition does not affect the existence of counterexamples for 1 starting with s0, s1, …, sk−1, since AP( 1 ) and AP( 2 ) are disjoint. Finally, we add the set AP( 1,2 ) in every state appearing in (M′). This addition preserves the existence of counterexamples for 1,1 (hence, for 1) starting with s0, s1, …, sk−1. Furthermore, (M′)k is still a local counterpath for 2, since AP( 2 ) and AP( 1,2 ) are disjoint. The resulting conic structure with initial state s0 is M (see Figure 17). We can see that M ⊭ . Indeed, there exists a multi-path 2 such that 2(i) is a l-counterexample for 1, for 0 ≤ i ≤ k−1 (recall that each state si is origin of a l-counterexample for 1), and 2(k) is a local counterexample for 2 with main path (M′)k. Clearly, this multi-path is not deterministic. Moreover, no deterministic counterexample for exists in M. Indeed, each counterexample for needs a counterexample for 2. No path starting at s0 can be a counterpath for 2. Indeed, each path not reaching the state sk cannot be a counterpath for 2, since the label of each state appearing in it would contain the set AP( 2 ). On the other hand, the only path starting at s0 and reaching sk is (M′). As M′ was chosen according to Lemma 6.2, this path cannot be a counterpath for 2 by construction. Hence, we need a counterexample such that the first element is a counterexample for 1. Clearly, we cannot find a counterexample for 1 along the path (M′), since each state in it contains AP( 1,2 ) (and a counterexample for 1 necessarily contains a counterexample for 1,2). Hence, each counterexample for necessarily contains branching, that is, it is not deterministic.

[Figure 17: Nesting into unless, the V case: = A(A( 1,1 V 1,2 ) V 2 ).]

• 1 = A( 1,1 U 1,2 ), i.e., = A(A( 1,1 U 1,2 ) V 2 ). We modify the structure M from above as follows. We add to each state not appearing in (M′)k the set AP( 2 ). Note that this addition does not affect the existence of local counterexamples for 1 starting at s0, s1, …, sk−1, since AP( 1 ) and AP( 2 ) are disjoint. Furthermore, add the set AP( 1,1 ) in every state appearing in (M′). This addition preserves the existence of counterexamples for 1,2 (hence for 1) starting at s0, s1, …, sk−1. Finally, we add in every state appearing in (M′)k the set AP( 1,2 ). Clearly, after this addition (M′)k is still a local counterpath for 2, since AP( 1 ) and AP( 2 ) are disjoint. The resulting conic structure with initial state s0 is M (see Figure 18). We can see that M ⊭ . Indeed, there exists a multi-path 2 such that 2(i) is a l-counterexample for 1, for 0 ≤ i ≤ k−1, and 2(k) is a counterexample for 2 with main path (M′)k. Clearly, this multi-path is not deterministic. Moreover, no deterministic counterexample for exists in M. Indeed, each counterexample for needs a counterexample for 2. No path starting at the initial state s0 can be a counterpath for 2. Indeed, if it does not reach the state sk, it cannot be a counterpath for 2, since the label of each state appearing in it would contain the set AP( 2 ). On the other hand, the only path starting at s0 and reaching sk is (M′). Since M′ was chosen according to Lemma 6.2, it is not a counterpath for 2. Hence, we need a counterexample whose first element is a counterexample for 1. Clearly, we cannot find a counterexample for 1,1 along the path (M′), since each state in it contains the set AP( 1,1 ). Hence, a counterexample for 1 could only be a multi-path such that (i) is a counterexample for 1,2, for each i ≥ 0. But such a counterexample cannot be found along the path (M′). Indeed, along its suffix (M′)k the formula 1,2 is always true. Hence, each counterexample for necessarily contains branching, that is, it is not deterministic.

This concludes the proof for the case in which 1* and 2* have the form A(·) or 2* ∈ PSF. For the case of a general 1*, we observe that Lemma 6.1 can be exploited: the instantiation 1 is a monotone Boolean combination of positive disjoint instantiations 1,1, …, 1,m (each of which occurs only once) such that w.l.o.g. 1,1 is of the form A(·). We proceed then for 1 as for 1,1, but use the structure M from Lemma 6.1 for = 1 instead of the structure M+ for + = 1,1 (observe that M+ can always be chosen such that R(M+) is total). For the general case of 2, we proceed analogously. This proves the result. □

Theorem 6.6 Let be any positive disjoint instantiation of a template * ∈ T*. If * ∉ DET, then is not c-deterministic.

Proof. We proceed by induction on the number of universal quantifiers appearing in , which is denoted by nA( ). (Basis) The case nA( ) = 0 is trivial, since * belongs to PSF. (Induction) Assume that the statement is true for every such that nA( ) < k. We have to show that each positive disjoint instantiation of * ∈ T* \ DET such that nA( ) = k is not c-deterministic, i.e., that there is a structure M such that both M ⊭ and each counterexample for in M is not deterministic.

[Figure 18: Nesting into unless, the U case: = A(A( 1,1 U 1,2 ) V 2 ).]

The formula is either of the form A(·), or a Boolean combination of formulas 1, …, m. We consider the possible cases.

• = AX , where nA( ) = k−1. By Definition 4.7, * ∉ DET if and only if * ∉ DET. Thus, since nA( ) = k−1, the induction hypothesis implies that is not c-deterministic. Hence, there exists a structure M′ such that both M′ ⊭ and no counterexample for in M′ is deterministic. Without loss of generality, M′ is conic and has the initial state s0′. Let the conic structure M with initial state s0 result by connecting a new state s0 to M′ via the transition (s0, s0′). Clearly, M ⊭ . Furthermore, each counterexample for is such that (1) is a counterexample for . Since or((1)) = s0′, (1) cannot be deterministic, by hypothesis. Hence, is not deterministic.

• = A( 1 V 2 ), where nA( 1 ) + nA( 2 ) = k−1. By the definition of DET, the following two cases cover each such that * ∉ DET:

1. 1* ∉ PSF and 2* ∈ DET. This case has been already proven in Lemma 6.5.

2. 2* ∉ DET. By the induction hypothesis, 2 is not c-deterministic. Thus, there exists a structure M such that M ⊭ 2 and no counterexample in M is deterministic. We modify M by adding in each state the set AP( 1 ). Clearly, no local counterexamples for 1 can be found in M. However, M ⊭ . Moreover, each counterexample for in M must start with a counterexample for 2. Hence, it is not deterministic.

• = A( 1 U 2 ), where nA( 1 ) + nA( 2 ) = k−1. Due to the intricate possibilities of nesting into an until, this case requires a careful analysis of several subcases. The following cases exhaust each possibility of * ∉ DET:

1. 1* ∉ PSF and 2* ∈ DET \ PSF;
2. 1* ∉ DET and 2* ∈ PSF;
3. 2* ∉ DET;
4. 1* ∈ PSF and 2* ∈ AX(DET);
5. 1* ∈ PSF and 2* ∈ AV(PSF, DET);
6. 1* ∈ PSF and 2* ∈ S21 ∧ S21;
7. 1* ∈ PSF and 2* ∈ PSF ∧ S21 ∪ S21 ∧ PSF.

We now consider these cases.

1. 1* ∉ PSF and 2* ∈ DET \ PSF. This case has been already proven in Lemma 6.5.

2. 1* ∉ DET and 2* ∈ PSF. Since 1* ∉ DET, by the induction hypothesis a structure M exists such that M ⊭ 1 and no counterexample for 1 in M is deterministic. Without loss of generality, M is conic with initial state s0 and AP( 2 ) ∩ AP(M) = ∅. Clearly, M ⊭ , since M ⊭ 2. Modify now M by adding to each state except s0 the set AP( 2 ). Since AP( 1 ) ∩ AP( 2 ) = ∅, still M ⊭ 1 holds. Moreover, since L(M)(s0) ∩ AP( 2 ) = ∅, also M ⊭ 2 holds. Thus, M ⊭ . Each counterexample for in M must contain a counterexample for 1, and thus it is not deterministic. Indeed, in any alternative counterexample for the element (i) would be a local counterexample for 2, for every i ≥ 0. Since all states of M except s0 contain AP( 2 ), this is impossible.

[Figure 19: Nesting of PSF and AX(T*) into until: = A( 1 U AX( 2,1 )).]

3. 2* ∉ DET. By the inductive hypothesis, there exists a structure M such that both M ⊭ 2 and each counterexample for 2 in M is not deterministic. W.l.o.g., M is conic with initial state s0 and AP( 1 ) ∩ AP(M) = ∅. Clearly, M ⊭ , where = A( 1 U 2 ), since M ⊭ 1 and M ⊭ 2. We can conclude that each counterexample for in M is not deterministic. Indeed, if is a counterexample for in M, (0) must be a l-counterexample for 2. Moreover, or((0)) = s0. Hence, (0) is a counterexample for 2 in M. Consequently, (0) and hence also cannot be deterministic.

4.

1* ∈ PSF and 2* ∈ AX(DET). Let M′ be a single-path structure and k ≥ 1 for formula 2 as described in Lemma 6.2. Thus, M′ ⊨ 2, and (M′)k is a local counterpath for 2 (resp., M′, (M′)(k) ⊭ 2). Let k w.l.o.g. be the least such index. Let s0, s1, …, sk denote the first k+1 states appearing in (M′). These si are pairwise distinct. Clearly, sk is the first state of the suffix (M′)k. We assume w.l.o.g. L(M′)(sk) ∩ AP( 1 ) = ∅. Let M0 be a k-structure for 2 such that the initial state has an empty label. Lemma 6.3 implies that such an M0 exists; observe that M0 ⊭ 2. Let M1, …, Mk−1 be copies of M0. For i = 0, …, k−1 we repeatedly take the fusion of Mi with the structure induced by si in M′. Since the initial state of Mi has an empty label, these fusions do not change any label in M′. Finally, we add to every state except sk the set AP( 1 ). The resulting structure is the desired M (see Figure 19). First observe that M ⊭ . Indeed, each state si, for 0 ≤ i ≤ k, is origin of a local counterexample for 2. Furthermore, sk is also origin of a local counterexample for 1. It remains to show that no deterministic counterexample is in M. In any counterexample for the element (0) must be a counterexample for 2. This implies that a counterpath for cannot reach state sk. Indeed, the only path reaching state sk is (M′), which by construction is not a counterpath for 2. Thus, a counterpath for could only lead into some structure Mi, where 0 ≤ i ≤ k−1. However, in each Mi formula 1 is globally true. Hence the counterexample would have to satisfy that its suffix j, for each j ≥ 1, is a local counterpath for 2. Since each Mi is a k-structure for 2, this is impossible. This proves that no deterministic counterexample for exists in M.

[Figure 20: Nesting of PSF and AV(T*) into until: = A( 1 U A( 2,1 V 2,2 )).]

5.

1* ∈ PSF and 2* ∈ AV(PSF, DET). Thus, 2 = A( 2,1 V 2,2 ), where 2,1 is a pure state formula and 2,2 is c-deterministic by Theorem 5.1. Let M be a k-structure for 2 with initial state s0′. Such a structure exists by Lemma 6.3, and w.l.o.g. AP(M) ∩ AP( 1 ) = ∅. We modify M by adding a new initial state s0 with empty label and the transitions (s0, s0′) and (s0, s0). Then, we add to each state the set AP( 1 ) and to s0 the set AP( 2,2 ) (see Figure 20).

The path [s0, s0′, …] is a counterpath for 2. Thus, the multi-path [[s0, s0′, …], [s0, s0′, …], …] is a counterexample for . No deterministic counterexample for exists in M. Indeed, since AP( 1 ) is contained in each state, any counterexample for must contain infinitely many counterexamples for 2. Since s0′ is the initial state of a k-structure for 2, no counterpath for is possible which reaches s0′. Hence, the only possibility for a counterpath of is [s0, s0, s0, …]. Since s0 contains AP( 2,2 ), this is impossible. Thus, no deterministic counterexample for exists.

6.

1* ∈ PSF and 2* ∈ S21 ∧ S21. Thus, 2* = 1 ∧ 2, where 1 = A(1,1 U 1,2) and 2 = A(2,1 U 2,2); moreover, each i,j, i, j ∈ {1, 2}, is an instantiation of a template in DET. We construct the requested structure M in the following way. Let M′ be a single-path structure as stated in Lemma 6.2 for formula 2. Thus, M′ ⊨ 2. Furthermore, there exists an index k ≥ 1 such that (M′)k is a local counterpath for 2 (and hence for 2). Let k w.l.o.g. be the least such index. Let s0, s1, …, sk denote the first k+1 states appearing in (M′); observe that they are pairwise distinct. Clearly, sk is the first state of the suffix (M′)k. Since is a positive disjoint instantiation, we can always assume that no atomic proposition from AP( 1 ) ∪ AP(1) occurs in any state of M′.

Let M0 be a right-structure for 1. Since 1* ∈ DET, such a structure exists (cf. Lemma 6.3). We remark that, by definition of right-structure, M0 ⊭ 1. Let M1, …, Mk−1 be copies of M0. For i = 0, …, k−1 we repeatedly take the fusion of Mi and the structure induced by the state si in M′. Next, we add in every state s0, …, sk−1 the set AP(1,1). Note that after this addition, each structure Mi still satisfies Mi ⊭ 1, for i = 1, …, k−1. Indeed, since AP(1,1) ∩ AP(1,2) = ∅, for i1,2 still i1,2 ⊭ 1,2 holds. Now we add in every state belonging to structures Mi, for 0 ≤ i ≤ k−1, including states s0, …, sk−1, the set AP( 1 ). Since AP( 1 ) ∩ AP( 2 ) = ∅, this has no effect on the properties of Mi described above. Moreover, we add in every state belonging to the structures Mi, for 0 ≤ i ≤ k−1, except the states s0, …, sk−1, the set AP(2). Since AP(1) ∩ AP(2) = ∅, this addition preserves the existence of counterexamples for 1 in the structures Mi. Finally, we add in every state occurring in the path (M′)k the set AP(1). After this addition, (M′)k is still a local counterpath for formula 2. The resulting structure is the desired M (see Figure 21). First observe that M ⊭ . Indeed, each state si, for 0 ≤ i ≤ k−1, is origin of a local counterexample for 1 and thus for 2. Furthermore, sk is also origin of a local counterexample for 2, and then for 2. Moreover, sk is also origin of a local counterexample for the formula 1.

Now we show that no deterministic counterexample for exists in M. By Definition 3.5, in any counterexample for the element (0) must be a counterexample for 2. Hence, a counterpath for cannot reach state sk. Indeed, the only path reaching state sk is (M′). This path is not a counterpath for 2 by construction: (M′) does not contain any local counterpath for 1, and, moreover, (M′) is not a counterpath for 2. Thus, a counterpath for could only lead into some structure Mi, where 0 ≤ i ≤ k−1. Since in each Mi formula 1 is globally true, the suffix i must be a local counterpath for 2, for each i ≥ 1. Since each state in Mi except the initial state si contains AP(2), this counterpath for 2 can only be a counterpath for 1. But this is impossible, since a right-structure for formula 1 cannot contain a deterministic counterexample such that (i) is a counterexample for 1, for each i ≥ 0. Thus, it follows that no deterministic counterexample for exists in M.

[Figure 21: Right-Nesting of S21 ∧ S21 into until: = A( 1 U (1 ∧ 2)), where 1 = A(1,1 U 1,2) and 2 = A(2,1 U 2,2).]

[Figure 22: Right-Nesting of PSF ∧ S21 into until: = A( 1 U (1 ∧ 2)), 2 = A(2,1 U 2,2).]

7. 1* ∈ PSF and 2* ∈ PSF ∧ S21 ∪ S21 ∧ PSF. Thus, 2 = 1 ∧ 2. Assume that 1 is a pure state formula and 2 = A(2,1 U 2,2), where 2,1 and 2,2 are instantiations of templates in DET. The other case (vice versa) is similar.

Let M2 be a right-structure for the formula 2 = A(2,1 U 2,2). We modify M2 by adding AP( 1 ) ∪ AP(1) to each state and by further adding AP(2,1) to the initial state s0. Observe that after this modification M2 ⊭ 2 still holds. We now add two new states s1, s2 and connect them via (s0, s1) and (s1, s2); their labels are L(s1) = AP(2) and L(s2) = AP(1) ∪ AP(2) = AP( 2 ). Furthermore, we add the loop (s2, s2). The resulting structure is the desired M (see Figure 22).

M ⊭ holds. Indeed, there exists a counterexample for where (0) is a counterexample for 2, and (1) is a counterexample for both 1 and 2. Furthermore, no deterministic counterexample for exists in M. To see this, observe that no path leading into 2 or into 2,2 can be a counterpath for , as 1 and 1 are always true there and 2, 2,2 are k-structures for 2,2 (consequently, 2 is not globally false). Thus, only the path [s0, s1, s2, s2, …] remains as a candidate for a counterpath for . To eliminate it, assume towards a contradiction that it is the path of some deterministic counterexample for . The first element (0) of every counterexample for must be a counterexample for 2 = 1 ∧ 2; since 1 is true in s0, it must be a counterexample of 2. Along this path, however, 2,2 is not always false, which means that (0) must involve a counterexample for 2,1. Along the path, however, 2,1 is by construction always true. This raises a contradiction, and proves that in M no deterministic counterexample for exists.

• * = 1* ∧ 2* or * = 1* ∨ 2*, where nA(1*) + nA(2*) = k. Thus, can be viewed as a monotone Boolean combination of formulas 1, …, m. By applying Lemma 6.1, if one of the i is not c-deterministic either by the induction hypothesis or by one of the already considered cases, then is not c-deterministic as well. To complete the proof, by the inductive definition of DET and Lemma 6.1 it remains to consider the case = 1 ∨ 2, where 1*, 2* ∈ DET are both of the form A(·). We construct a conic structure M having three states s0, s1, and s2 such that M ⊭ and no deterministic counterexample for exists in M. The initial state is s0 and reaches both s1 and s2, which have loops (s1, s1) and (s2, s2), respectively. The labels of the states depend on the outermost linear-time operators in 1* and 2*. By commutativity of logical disjunction, it suffices to consider the following cases:

• 1 = A( 1,1 U 1,2 ), 2 = A( 2,1 U 2,2 ). Define L(M)(s0) = AP( 1,1 ) ∪ AP( 2,1 ), L(M)(s1) = AP( 1 ) ∪ AP( 2,1 ), L(M)(s2) = AP( 1,1 ) ∪ AP( 2 ) (see Figure 23). It is easy to see that M ⊭ . Indeed, from s0 start both a counterpath for A( 1,1 U 1,2 ) and a counterpath for A( 2,1 U 2,2 ). The path 1 = [s0, s1, s1, …] is a counterpath for A( 2,1 U 2,2 ), since the formula 2,2 is always false along it. Similarly, the path 2 = [s0, s2, s2, …] is a counterpath for A( 1,1 U 1,2 ), since the formula 1,2 is always false along it. On the other hand, 1 cannot be a counterpath for A( 1,1 U 1,2 ), since therein 1,1 is always true and 1,2 is not always false. By symmetry, 2 cannot be a counterpath for A( 2,1 U 2,2 ). Hence, each counterexample for in M is not deterministic.

[Figure 23: Disjunction of 1 = A( 1,1 U 1,2 ) and 2 = A( 2,1 U 2,2 ).]

• 1 = A( 1,1 U 1,2 ), 2 = A( 2,1 V 2,2 ). Set L(M)(s0) = AP( 1,1 ) ∪ AP( 2,2 ), L(M)(s1) = AP( 1 ), and L(M)(s2) = AP( 1,1 ) ∪ AP( 2,2 ). This M witnesses that is not c-deterministic. We omit the details.

• 1 = A( 1,1 V 1,2 ), 2 = A( 2,1 V 2,2 ). Set L(M)(s0) = AP( 1,2 ) ∪ AP( 2,2 ), L(M)(s1) = AP( 1,2 ), and L(M)(s2) = AP( 2,2 ).

• 1 = AX( 1,1 ), 2 = AX( 2,1 ). Set L(M)(s0) = ∅, L(M)(s1) = AP( 1,1 ), and L(M)(s2) = AP( 2,1 ).

• 1 = AX( 1,1 ), 2 = A( 2,1 U 2,2 ). Set L(M)(s0) = AP( 2,1 ), L(M)(s1) = AP( 1 ), and L(M)(s2) = AP( 2 ).

• 1 = AX( 1,1 ), 2 = A( 2,1 V 2,2 ). Set L(M)(s0) = AP( 2,2 ), L(M)(s1) = AP( 1,1 ), and L(M)(s2) = AP( 2,2 ). □

The main result of this paper on templates, Theorem 4.3, follows from Theorems 5.1 and 6.6.

7 Discussion and Conclusion

For the class of ACTL formulas which are positive disjoint instantiations, the results in the preceding sections give a complete characterization of the c-deterministic fragment. This class is given by those formulas such that * ∈ DET. Observe that this class is efficiently recognizable. This result can be extended by the same proof technique to more general classes of formulas, as long as certain independency properties hold on the pure state formulas. Introduce for each occurrence of a maximal pure state formula in a new propositional atom p, and consider the formula

F( ) = ⋀_{ ∈ MP( )} (p ↔ ),

where MP( ) is a list of all occurrences of maximal pure state formulas in . Call pure state independent, if for every truth value assignment to the atomic propositions p, the formula F( ) is satisfiable. Observe that every positive disjoint instantiation is pure state independent. Then, along the same line of proof as above we can show the following.

Theorem 7.1 Let be any pure state independent formula. Then, is c-deterministic if and only if * ∈ DET.

However, testing pure state independence is complex in general; this amounts to evaluating the quantified Boolean formula (QBF) ∀P ∃AP. F( ), where P is the collection of all atomic propositions p introduced for occurrences of maximal pure state formulas, and AP is the collection of all atomic propositions in . This problem is complete for the class Π^p_2 of the polynomial hierarchy (cf. [8] for Π^p_2). Indeed, the evaluation of QBFs of the form ∀X ∃Y. is in Π^p_2 [8], and the QBF above is constructible in polynomial time from . On the other hand, consider a QBF ∀X ∃Y. , where the matrix is of the form y1 ∧ ′ with y1 ∈ Y. Then, the ACTL formula = AX(x1) ∧ ⋯ ∧ AX(xn) ∧ AX( ), where X = {x1, …, xn}, is pure state independent just if ∀X ∃Y. is true. Since deciding the latter is Π^p_2-hard, also deciding pure state independence is Π^p_2-hard.

Our results can be adapted for the concept of witness [5] in the existential fragment of CTL (denote this by ECTL), i.e., a portion of a computation tree which witnesses the truth of a formula . Since on any structure M it holds that M ⊨ if and only if M ⊭ ¬, the existence of deterministic witnesses (formally defined in the same vein as counterexamples) is related to the existence of deterministic counterexamples. As is well known [6], the equivalences ¬A( U ) = E(¬ V ¬ ) and ¬A( V ) = E(¬ U ¬ ) hold. It follows that a formula in the existential CTL-fragment always has a deterministic witness (call this w-deterministic) if and only if the formula obtained by dualizing and negating all elementary atomic propositions is c-deterministic. As a consequence, all instantiations of an ECTL-template * (defined in the obvious way) have deterministic witnesses (call * w-deterministic) just if the dual template d(*) is c-deterministic. This yields the following characterization of the class of w-deterministic ECTL-templates.

Theorem 7.2 Let * be an ECTL-template. Then, * is w-deterministic if and only if d(*) ∈ DET.
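The pure state independence test and the Π^p_2-hardness construction above can be tried out on toy formulas. The block below is an added example, not code from the paper: each occurrence of a maximal pure state formula is supplied as a Boolean function over the atomic propositions, and the checker decides ∀P ∃AP. F( ) by plain enumeration (exponential, which is all one can expect for a Π^p_2-hard problem). The function names, the encoding of formulas as Python callables, and the three sample formulas are this example's own constructions.

```python
"""
Added example (not from the paper): brute-force test of pure state
independence.  psfs[i] computes the i-th occurrence of a maximal pure state
formula from an assignment to the atoms; the fresh atom p_i must be able
to take every combination of values, i.e.  forall P exists AP . AND_i (p_i <-> phi_i).
"""
from itertools import product


def unrealisable_assignment(atoms, psfs):
    """Return the first truth assignment to p_1..p_m (in enumeration order)
    for which no assignment to `atoms` makes every p_i <-> phi_i true, or
    None if every target assignment is realisable."""
    for target in product([False, True], repeat=len(psfs)):
        realisable = any(
            all(bool(phi(dict(zip(atoms, vals)))) == want
                for phi, want in zip(psfs, target))
            for vals in product([False, True], repeat=len(atoms)))
        if not realisable:
            return target
    return None


def pure_state_independent(atoms, psfs):
    """psi is pure state independent iff forall P exists AP . F(psi) holds."""
    return unrealisable_assignment(atoms, psfs) is None


def disjoint_instantiation():
    """psi = A(a U b) or A(c U d): every maximal pure state formula is its
    own atom, so any target is realised by copying it into the atoms.
    Positive disjoint instantiations are always independent."""
    atoms = ['a', 'b', 'c', 'd']
    return pure_state_independent(atoms, [lambda v, x=x: v[x] for x in atoms])


def conflicting_occurrences():
    """psi = AX(x) and A((not x) U y): the occurrences x and (not x) can be
    neither both true nor both false, so the first target enumerated,
    (p_1, p_2) = (False, False), is already unrealisable."""
    return unrealisable_assignment(['x', 'y'],
                                   [lambda v: v['x'], lambda v: not v['x']])


def qbf_reduction(phi):
    """The hardness construction for  forall x1 exists y1 . phi(x1, y1)
    with phi of the form y1 and phi':  psi = AX(x1) and AX(phi)  is pure
    state independent exactly when the QBF is true."""
    return pure_state_independent(
        ['x1', 'y1'],
        [lambda v: v['x1'], lambda v: phi(v['x1'], v['y1'])])


if __name__ == '__main__':
    print(disjoint_instantiation())                      # True
    print(conflicting_occurrences())                     # (False, False)
    print(qbf_reduction(lambda x, y: y and (x or y)))    # True
    print(qbf_reduction(lambda x, y: y and (x == y)))    # False
```

The last two calls show the reduction at work: ∀x1 ∃y1. y1 ∧ (x1 ∨ y1) is true and the corresponding formula is independent, whereas ∀x1 ∃y1. y1 ∧ (x1 ↔ y1) fails for x1 = false, and accordingly the target (p_x1, p_φ) = (false, true) cannot be realised.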

Several issues remain for further work. One issue is the consideration of linear time operators which are derived from the basic operators X, V, U. The most important such operators are F (sometimes) and G (globally, always), defined as F = (true U ·) and G = (false V ·). It is easily recognized from the definition of DET and our results that these operators correspond to c-deterministic templates. However, the use of these templates in nesting remains to be explored. The characterization of the class of c-deterministic templates of ACTL enriched by derived linear time operators is an interesting issue. Finally, an extension of our study by fairness constraints [4] would be interesting. In the general framework, path quantifiers do not range over all infinite paths, but instead over paths along which the fairness constraints, expressed by formulas, must be satisfied infinitely often. E.g., fair schedules in a system of concurrent infinite processes, represented through a Kripke structure, can be expressed easily through fairness constraints. Our results do not immediately carry over to this case. Techniques applied in [5] might be useful.

References

[1] F. Buccafurri, T. Eiter, G. Gottlob, and N. Leone. Enhancing Symbolic Model Checking by AI Techniques. Technical Report 9701, Institut für Informatik, Universität Gießen, Germany, September 1997. Abstract in: Proc. 2nd Workshop on Trends in Theoretical Informatics, Albrecht and G. Nemeth (eds), Budapest, March 1997.

[2] E. Clarke and E. Emerson. Skeletons for Branching Time Temporal Logic. In Logic in Programs: Workshop Proceedings, number 131 in LNCS. Springer, 1981.

[3] E. Clarke, E. Emerson, and A. Sistla. Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263, 1986.

[4] E. Clarke, O. Grumberg, and D. Long. Verification Tools for Finite-State Concurrent Systems. In J. de Bakker, W. de Roever, and G. Rozenberg, editors, A Decade of Concurrency - Reflections and Perspectives, number 803 in LNCS, pages 124–175. Springer, 1994.

[5] E. Clarke, O. Grumberg, K. McMillan, and K. Zhao. Efficient Generation of Counterexamples and Witnesses in Symbolic Model Checking. In Proc. 32nd ACM/SIGDA Design Automation Conference 1995 (DAC '95). ACM Press, 1995. Also Technical Report CMU-CS-94-204, Carnegie Mellon University, Pittsburgh, PA, 1994.

[6] E. Clarke, O. Grumberg, and D. Long. Model Checking. In M. Broy, editor, Deductive Program Design, volume 152 of NATO ASI Series F. Springer, 1996.

[7] E. Emerson. Temporal and Modal Logics. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, chapter 16. Elsevier Science Publishers B.V. (North-Holland), 1990.

[8] M. Garey and D. S. Johnson. Computers and Intractability – A Guide to the Theory of NP-Completeness. W. H. Freeman, New York, 1979.

[9] O. Kupferman and M. Y. Vardi. An automata-theoretic approach to modular model checking. Manuscript based on LICS '95 and CONCUR '95 abstracts, 1998, submitted for publication.

[10] K. McMillan. Symbolic Model Checking. Kluwer, 1993.