Chapter 1LINEAR TIME DATALOG ANDBRANCHING TIME LOGICGeorg GottlobInstitut f�ur InformationssystemeTechnische Universit�at Wien, Austriagottlob@dbai.tuwien.ac.atErich Gr�adelMathematische Grundlagen der InformatikRWTH Aachen, Germanygraedel@informatik.rwth-aachen.deHelmut VeithSchool of Computer ScienceCarnegie Mellon University, Pittsburgh, USAveith@cs.cmu.eduAbstract We survey recent results about the relation between Datalog and tem-poral veri�cation logics. Datalog is a well-known database query lan-guage relying on the logic programming paradigm. We introduce Dat-alog LITE, a fragment of Datalog with well-founded negation, whichhas an easy strati�ed semantics and a linear time model checking algo-rithm. Datalog LITE subsumes temporal languages such as CTL andthe alternation-free �-calculus. We give easy syntactic characterizationsof these temporal languages by fragments of Datalog LITE, and showthat Datalog LITE has the same expressive power as the alternation-freeportion of guarded �xed point logic.Keywords: Datalog, temporal logic, computer-aided veri�cation, linear time1

21. INTRODUCTIONDuring the last decade, model checking has become one of the preemi-nent applications of logic in computer science. Temporal model checkingis a technique for verifying that a system satis�es its speci�cations by(i) representing the system as a Kripke structure, (ii) writing the spec-i�cation in a suitable temporal logic, and (iii) algorithmically checkingthat the Kripke structure is a model of the speci�cation formula. Modelchecking has been successfully applied in hardware veri�cation, and hasbecome an industrial standard tool for hardware design.The main practical problem in model checking is the so-called stateexplosion problem caused by the fact that the Kripke structure rep-resents the state space of the system under investigation, and thus itis of size exponential in the number of variables. The state explosionproblem is alleviated by a number of techniques, in particular symbolictechniques which represent the Kripke structure by Binary Decision Di-agrams (Bryant, 1986; Burch et al., 1992; McMillan, 1993), abstractiontechniques (e.g. Clarke et al., 1994; Kurshan, 1994; Clarke et al., 2000a),and reduction techniques such as the cone of in uence reduction and thepartial order reduction. For recent overviews of model checking, we referthe reader to Clarke et al., 2000b; Clarke and Schlinglo�, 2000.The temporal logics used in model checking provide a number of im-portant properties which are crucial for the method, distinguish themfrom many other logics in computer science, and serve as a basis for theabove mentioned methods. The most outstanding properties are fast(in fact, often linear time) model checking procedures, decidability ofthe satis�ability problem, and structure theorems about the models oftemporal formulas such as the tree model property. Some of the mostprominent examples of temporal logics are branching time logics such ascomputational tree logic CTL (Clarke and Emerson, 1981), the modal�-calculus L� (Kozen, 1983), and its alternation-free fragment L�1 .The contribution of this paper is to present Datalog LITE (LInearTime Extended Datalog), a powerful language based on logic program-ming which subsumes CTL and L�1 . Datalog LITE is a deductive querylanguage which simultaneously inherits the intuitive semantics of Data-log and the favorable properties of temporal logics, in particular lineartime model checking. Datalog LITE is intended as a �rst step in com-paring and combining methods from two quite distinct �elds. Thus,Datalog LITE has potential applications in veri�cation systems as wellas in databases. It is expected that for veri�cation of software and e-commerce protocols as in Abiteboul et al., 1998, such hybrid languagesmay be of great value.

Linear Time Datalog and Branching Time Logic 3Example 1 In the veri�cation system SMV, the state space S of aKripke structure is given by the possible assignments to the systemvariables. Thus, a system with 3 variables x; y; reset and variable do-mains Dx = Dy = f0; 1; 2; 3g and Dreset = f0; 1g has state spaceS = Dx �Dy �Dreset, and jSj = 32.A binary transition relation E is de�ned by transition blocks which foreach variable de�ne its possible next value in the next time cycle, as inthe following example:init(reset) := 0;next(reset) := f0; 1g; init(x) := 0;next(x) := casereset = 1 : 0;x < y : x+ 1;x = y : 0;else : x;esac; init(y) := 1;next(y) := casereset = 1 : 0;(x = y) ^ :(y = 2) : y + 1;(x = y) : 0;else : y;esac;Here, next(reset) := f0; 1g means that the value of reset is chosennondeterministically. Such situations occur frequently when reset is de-termined by the environment, or when the model of the system is tooabstract to determine the values of reset. For details about the SMVinput language, we refer the reader to McMillan, 1993. Typical CTLproperties to be veri�ed by the system include the following:CTL Informal SemanticsAGEF reset = 1 "From all reachable states, it is possible to resetthe system in the future.\EFAG x = 1 \There exists a reachable state, after which x = 1becomes an invariant."The formal semantics of CTL is de�ned in Section 2.In database theory, a database is identi�ed with a �nite relationalstructure. A query associates to each input database over a givenschema (vocabulary) a result consisting of one or more output relations.Queries are formulated in query languages. Datalog (cf. Abiteboul et al.,1995; Ceri et al., 1990; Ullman, 1989) is a very powerful, well-studieddeclarative query language based on Horn clause logic. Datalog adaptsthe paradigm of Logic Programming to the database setting. A Dat-alog query (�; P ) is a �nite set of (recursive or nonrecursive) rules �(i.e., a Datalog program) and a distinguished output relation P . Sincequeries are de�ned by Datalog programs, we shall usually not distinguishbetween queries and programs.

4Example 2 The query (�; T ), where � consists of the rulesT (x; y) E(x; y) T (x; y) T (x; z); E(z; y):associates with any input relation E its transitive closure.A brief description of Datalog is given in Section 3. Pure Datalog canbe made more expressive by using negated literals in the rule bodies.For our purposes, there are two relevant extensions of pure Datalog bynegation: Datalog with strati�ed negation introduced by Apt et al., 1988where negation does not interact with recursion, and the more expressiveDatalog with well-founded negation de�ned by Gelder et al., 1991.Example 3 We continue Example 1. In order to evaluate a Datalogprogram over a Kripke structure, we use the transition relation E asinput relation. Moreover, for all atomic properties of states s such asx = 1, monadic relations such as Ix=1 are provided with the input. Forbetter readability, we shall write s:x = 1 instead of Ix=1(s).Then the speci�cations of Example 1 can be expressed in Datalog asfollows:AGEF reset = 1 Reset Reachable(s) s:reset = 1Reset Reachable(s) E(s; s0);Reset Reachable(s0)BadState(s) :Reset Reachable(s)BadState(s) E(s; s0);BadState(s0)GoodState(s) :BadState(s)EFAG x = 1 No Invariant(s) :s:x = 1No Invariant(s) E(s; s0);No Invariant(s0)Result(s) :No Invariant(s)Result(s) E(s; s0);Result(s0)The above programs belong to a simple fragment of both Datalog LITEand Strati�ed Datalog. While at �rst sight these programs are longerthan their counterparts in CTL, they have several advantages includingeasy readability and reusability of (sub)programs. Moreover, we shall seethat the expressive power of Datalog LITE is much higher than that ofCTL and L�1 .Research Programme. The favorable logical properties of temporallogics have attracted interest from various communities. In pure logic,modal fragments of �rst order logic and generalizations thereof such as

Linear Time Datalog and Branching Time Logic 5the bounded fragment have been studied by Andr�eka et al., 1998; Gr�adel,2000; Gr�adel and Walukiewicz, 1999, and general insight in model the-oretic and algorithmic properties of temporal logics has been gained.For databases, fast model checking procedures and decidability arenatural properties of query languages which have received wide consid-eration in the literature. The advantages of Datalog and its capabilityof expressing and checking temporal properties of Kripke structures sug-gest to study fragments of Datalog that are suited for model checking.We believe that from the point of view of both veri�cation and databasesit is a rewarding task to investigate the exact relation between temporallogics and deductive query languages. Thus, our research programmewas aimed at identifying a suitable Datalog fragment which meets thefollowing criteria:The fragment should be clearly syntactically identi�able, but syn-tactically ample enough to allow the programmer to make use ofthe main paradigms of Logic Programming (including, in particu-lar, some form of negation).It should be expressive enough to state a large number of usefultemporal properties, in particular those in CTL.The fragment should have linear time data complexity. This meansthat the complexity of evaluating a �xed query over variable inputstructures is O(n), where n is the structure size.The fragment should also have low (preferably linear time) pro-gram complexity, i.e. one should be able to evaluate programs inlinear time with respect to the length of the program.Given the increasing importance of model checking on in�nite tran-sition systems, the fragment should be able to express relevanttemporal properties not just on �nite Kripke structures but alsoon in�nite ones.In the current paper we survey recent results in this direction. Werefer the interested reader to the technical report (Gottlob et al., 1998)which contains all proofs and more technical details.Note that a mere ad hoc translation of CTL to Datalog does not pro-vide us with a suitable fragment ful�lling the above requirements. Thefragment suggested by such a translation is { on one hand { syntacticallyextremely limited, e.g., no predicate symbols of arity greater than twooccur in it. On the other hand this fragment is not known to admit alinear time evaluation algorithm.

6Results. We present Datalog LITE, a fragment of Datalog that ful�llsall desired criteria. We �rst de�ne the fragmentDatalog LIT (LIT standsfor linear time) as the set of all strati�ed Datalog queries (over arbitraryinput structures) whose rules are either monadic or guarded. A monadicrule is a rule that contains only monadic literals. A rule is guarded1 ifits body contains a positive atom (the guard) in which all variables ofthe rule occur.We prove that Datalog LIT has linear time data complexity (Theo-rem 8). Moreover, for bounded arity programs or for programs whoseguards are all input relations, also the combined complexity is in lineartime. Although Datalog LIT can express a large number of interestingtemporal properties, the language is not powerful enough for expressingfull CTL. For example, (as shown in Section 3., Theorem 10), the simpleCTL formula AF' (\on all paths, eventually '") cannot be expressedin Datalog LIT. Consequently, we de�ne an extended language DatalogLITE. The latter is obtained from Datalog LIT by including the possi-bility of using a limited (guarded) kind of universal quanti�cation in therule bodies.A generalized literal G is an expression of the form (8y1 � � �yn:�)�where � and � are atoms, and the free variables in � also occur in �. Theintended meaning of (8y1 � � �yn:�)� is its standard �rst order semantics,that is, 8y1 � � �yn(� ! �). (For a precise de�nition, see Section 3.)It is important to note that generalized literals are not just arti�cial\plug ins" to Datalog, but that they can be expressed in Datalog withwell-founded negation. In fact, universal quanti�cation can be easilyresolved by double negation under the well-founded semantics. ThusDatalog LITE can be considered a fragment of Datalog with well-foundednegation. Datalog LITE has the following important properties:For �xed Datalog LITE programs model-checking is feasible inlinear time (Theorem 18). This remains true even for variableDatalog LITE programs whose predicate-arities are bounded by aconstant or whose guards are all input atoms.Datalog LITE can be easily embedded into well-founded Datalog.Thus, Datalog LITE can be considered an intuitive yet powerfulfragment of well-founded Datalog with linear time model checking.We show that semantically, every Datalog LITE program is equiv-alent to a Datalog LITE program where all guards are input1This notion is completely unrelated to the concept of guarded Horn clause as de�ned in Mu-rakami, 1990.

Linear Time Datalog and Branching Time Logic 7atoms; for arbitrary programs, the translation requires exponentialtime. In fact, evaluating variable Datalog LITE programs with un-bounded predicate arities is Exptime- complete. (Proposition 19).Datalog LITE is equivalent in expressive power to alternation-freeguarded �xed point logic, a natural fragment of the guarded �xedpoint logic �GF which has recently been studied by Gr�adel andWalukiewicz, 1999; several important properties like satis�abilityin Exptime and a generalized tree model property are thus ob-tained for Datalog LITE.Propositional multi-modal logic, CTL, the alternation free modal�-calculus, and guarded �rst order logic each correspond to well-de�ned and syntactically simple subfragments of Datalog LITE.Hence, Datalog LITE (with bounded arities) is at least as expres-sive as CTL and the alternation-free �-calculus L�1 . Actually DatalogLITE is more expressive than these logics. For example, it is obviousthat past modalities (cf. Vardi, 1998) are expressible in Datalog LITE.Furthermore Datalog LITE can de�ne new modalities, e.g. via Booleancombinations of existing ones.Related work. The de�nitions of guarded rules and generalized liter-als are motivated by the notion of guarded quanti�cation as introducedby Andr�eka et al., 1998 (see Section 7.) The variables that appear in thebody but not in the head of a Datalog rule are implicitly existentiallyquanti�ed. The condition that all variables of the rule appear in oneatom implies that this existential quanti�cation is guarded in the senseof Andr�eka et al., 1998. Similarly the variable occurrence condition inthe de�nition of generalized literals implies that the universal quanti-�er is guarded in this sense. In fact we will see that Datalog LITE canbe viewed as a clausal presentation of the alternation-free fragment ofguarded �xed point logic, cf. Gr�adel and Walukiewicz, 1999.It is not new that CTL, the modal �-calculus and related formalismscan be translated into logic programming. Such translations werecarried-out by Ramakrishnan et al., 1997; Cui et al., 1998; Charatonikand Podelski, 1998. In a recent paper by Immerman and Vardi, 1997it is shown how various temporal logics can be translated into �rst or-der logic augmented by a transitive closure construct (FO+TC). Sincethe latter is expressible in Datalog, that approach implicitly yields atranslation into Datalog. Note, however, that all previously proposedtranslations are ad hoc translations of existing modal model-checkingformalisms. None of them identi�es an ample fragment of Datalog with

8guaranteed linear time data complexity suited for model checking. Toour best knowledge, the �rst such fragment is Datalog LITE.2. MODAL AND TEMPORAL LOGICSIn this subsection, we recall the de�nitions of some logics commonlyused in veri�cation. For more background on temporal logics, the readeris referred to Emerson, 1990; Clarke and Schlinglo�, 2000. The formulaeof the logics we describe here are evaluated on Kripke structures (withone or more transition relations) at a particular state.A Kripke structure K is usually given as a tuple (S; (Ea)a2A; L) whereS is the state space, A is a set of actions, Ea is the transition relation as-sociated with action a, and L : S ! fP1; : : : ; Pkg is a labelling functionthat assigns a set of atomic propositions to each state. K can be triv-ially identi�ed with the relational structure (S; (Ea)a2A; P1; : : :Pk) whereP1; : : : ; Pk are monadic relations representing all the atomic propositionsand for each s 2 S, Pi(s) is true i� Pi 2 L(s).Given a formula and a Kripke structure K with state v, we will writeK; v j= to denote that the formula holds in the Kripke structure Kat state v. Such formulae are sometimes called state formulae. A stateformula can also be understood as a (monadic) query that associateswith each Kripke structure K the set of states v such that K; v j= .Propositional modal logic. The simplest of these formalisms ispropositional modal logic ML.Syntax of ML. The formulae of ML are de�ned by the following rules.(S1) Each atomic proposition Pi is a formula.(S2) If and ' are formulae of ML, then so are ( ^ ') and : .(S3) If is a formula of ML and a 2 A is an action, then hai and [a] are formulae of ML.If there is only one action, hence one transition relation in the Kripkestructure one simply writes 2 and 3 for the modal operators.Semantics of ML. Let be a formula of ML, K =(S; (Ea)a2A; P1; P2; : : :) a Kripke structure, and v 2 S a state. In thecase of atomic propositions, = Pi, we haveK; v j= ' i� v 2 Pi. Booleanconnectives are treated in the natural way. Finally for the semantics ofthe modal operators we putK; v j= hai i� K; w j= for some w such that (v; w) 2 EaK; v j= [a] i� K; w j= for all w such that (v; w) 2 Ea

Linear Time Datalog and Branching Time Logic 9CTL and CTL�. The logics CTL (computation tree logic) and CTL�extend ML by path quanti�cation and temporal operators on paths. Wede�ne �rst CTL�, and obtain CTL as a fragment of CTL�. For computa-tion tree logics, one usually restricts attention to Kripke structures witha single binary relation which is required to be total, i.e. for every statev there exists a least one state w that is reachable from v. (Note thatthis de�nition of totality which is common in model checking is di�ersfrom standard terminology.)Syntax of CTL�. We have state formulae and path formulae in CTL�.The path formulae are auxiliary formulae to make the inductive de�ni-tion more transparent. Actually we are interested only in state formulae.The state formulae are de�ned by the rules (S1) and (S2) (read every-where state formula instead of formula) and the rule(S4) If # is a path formula, then E# and A# are state formulae.The path formulae are de�ned by(P1) Each state formula is a path formula.(P2) If #; � are path formulae, then so are (# ^ �) and :#.(P3) If #; � are path formulae, then so are X# and (#U�).Semantics of CTL�. Consider a total Kripke structure K =(S;E; P1; P2; : : :). An in�nite E-path (or just an in�nite path) is anin�nite sequence �s = s0; s1; s2; : : : of states such that for all i � 0,(si; si+1) 2 E for all i. �si denotes the su�x path si; si+1; si+2; : : : . Asabove, we write K; s0 j= to denote that the state formula is true inK at state s0. We write K; �s j= # to denote that the path formula # istrue on the in�nite path �s in K. We de�ne j= inductively as follows. Forformulae de�ned via rules (S1), (S2) and (P2) the meaning is obvious.(S3) K; s0 j= E# i� there exists an in�nite path �s from s0 such thatK; �s j= #.K; s0 j= A# i� K; �s j= # for all in�nite paths �s that start at s0.(P1) K; �s j= i� K; s0 j= where s0 is the starting point of �s.(P3) K; �s j= (#U�) i� for some i � 0, K; �si j= � and K; �sj j= # for allj < i.K; �s j= X# i� K; �s1 j= #.CTL is the fragment of CTL� without nestings and without Booleancombinations of path formulae. Thus, rules (P1) { (P3) are replaced by

10(P0) If ; ' are state formulae, then X and ( U') are path formulae.Actually, for CTL we can disregard path formulae altogether andequivalently de�ne the set of state formulae by the rules (S1), (S2) ofML together with rules(S3') If is a (state) formula, then so are EX and AX .(S4) If and ' are (state) formula, then so are E( U') and A( U').Note that indeed the formulae EX and AX de�ned by (S3') areequivalent to 3 and 2 , respectively.Other temporal operators are de�ned by abbreviations as follows:EF abbreviates E(trueU ),AG abbreviates :EF: ,AF abbreviates A(trueU ), andEG abbreviates :AF: .The �-calculus L�. The propositional �-calculus L� is propositionalmodal logic augmented with least and greatest �xed points. It subsumesalmost all of the commonly used modal logics, in particular LTL, CTL,CTL�, PDL and also many logics used in other areas of computer science,for instance most description logics.Syntax of L�. The �-calculus extends propositional modal logic ML(including propositional variables X; Y; : : :) by the following rule forbuilding �xed point formulae.(S�) If is a formula in L�, and X is a propositional variable that doesnot occur negatively in , then �X: and �X: are L� formulae.An L�-formula is alternation-free if no occurrence of any propositionalvariable is inside the scope of both a �- and a �-operator.Semantics of L�. The semantics of the � calculus is given as follows.A formula (X) with propositional variable X de�nes on every Kripkestructure K (with state set S) an operator K : 2S ! 2S assigning toevery set X � S the set K(X) := fs 2 S : (K; X); s j= g:If X occurs only positively in , then K is monotone for every K,and therefore has a least and a greatest �xed point. Now we put(S�) K; s j= �X: i� s is contained in the least �xed point of the oper-ator K. Similarly K; s j= �X: i� s is contained in the greatest�xed point of K.

Linear Time Datalog and Branching Time Logic 113. FROM DATALOG TO DATALOG LITDe�nition 4 A Datalog rule is an expression of the form H B1; : : : ; Br, r � 1, where H , the head of the rule, is an atomic formulaRu1 � � �us, and B1; : : : ; Br, the body of the rule, is a collection of literals(i.e. atoms or negated atoms) of the form Sv1 � � �vt or :Sv1 � � �vt whereu1; : : : ; us; v1; : : : ; vt are variables. The relation symbol R is called thehead predicate of the rule. Note that we use the symbol : to denotedefault negation as common in database theory; in AI, the symbol notis more common.We �rst de�ne basic Datalog programs where negation is applied onlyto input relations. A basic Datalog program � is a �nite collection ofrules such that none of its head predicates occurs negated in the bodyof any rule. The predicates that appear only in the bodies of the rulesare called extensional or input predicates. Given a structure A over thevocabulary of the extensional predicates, the program computes, via theusual �xed point semantics, an interpretation for the head predicates.A Datalog query is a pair (�; Q) consisting of a Datalog program � anda designated head predicate Q of �. With every structure A, the query(�; Q) associates the result (�; Q)[A], i.e. the interpretation of Q ascomputed by � on input A. For details, we refer to Abiteboul et al.,1995.Note that atoms may be written in the form Axy or in the formA(x; y). Usually, we shall prefer the �rst form in the context of proofsand de�nitions (where atoms are usually denoted by single letters), andthe second form in real programs as in Example 3, where atoms aredenoted by longer names like Invariant.De�nition 5 A strati�ed Datalog program is a sequence � =(�0; : : : ;�r) of basic Datalog programs which are called the strata of�, such that �0 is a basic Datalog program, and every �i is a basicDatalog program whose extensional predicates are either extensional inthe entire program � or are head predicates of a lower stratum. Thus,if a head predicate of stratum �j occurs positively in the body of a ruleof stratum �i, then j � i, and if a head predicate of stratum �j occursnegatively in the body a rule of stratum �i, then j < i. The seman-tics of a strati�ed program is de�ned stratum by stratum. Hence, oncethe lower strata are evaluated, we can compute the interpretation of thehead predicates of �i as in the case of basic Datalog-programs.De�nition 6 A Datalog rule is monadic if each of its literals has atmost one free variable. Note that this does not necessarily imply that

12only unary predicates are used. We permit the appearance of literals(:)Sv1 � � �vk with k > 1 that may contain repeated occurrences of asingle variable. A Datalog rule is guarded if its body contains a positiveatom (the guard of the rule) in which all free variables of the rule occur.A Datalog LIT program is a strati�ed Datalog program whose rules areeither monadic or guarded.We adopt the convention that the input relations of a query are givenby lists of tuples. We shall refer to this representation as the list repre-sentation of the input structure.De�nition 7 Let A be a �nite relational structure. Then the size jAjof A is the sum of the sizes of the tuples contained in the relations of A,plus the number of domain elements.In our algorithms we shall also use the array representation, which ismore common in �nite model theory. There, the characteristic member-ship function of a relation is stored in an array whose dimension equalsthe arity of the relation. (For graphs, this means that the graph is de-scribed by its adjacency matrix.) With array representation, member-ship of an individual tuple can be checked in constant time on RandomAccess Machines (cf. van Emde Boas, 1990), but on the other hand, weobtain a non-realistic notion of linear time computability when the adja-cency matrix is sparse. It is easy to see that a Random Access Machinecan translate the list representation into array representation in lineartime.Theorem 8 The time complexity of model checking (i.e., evaluation) ofDatalog LIT is1. linear in the input size and the program size for programs whereall guards are input relations.2. linear in the input size and the program size for bounded arityprograms.3. linear in the input size and exponential in the program size forarbitrary programs.We defer the proof to Section 5., where it follows from a more generalresult. In the rest of this section we show that Datalog LIT is toorestricted to express important linear time computable properties. Weexemplify these restrictions by the well-foundedness query which is lineartime computable and important in many applications. (Recall that a

Linear Time Datalog and Branching Time Logic 13vertex x is well-founded, if no cycle can be reached from x, and noin�nite path originates at x.)Example 9 Well-foundedness statements for subgraphs of the transi-tion relation are expressed in CTL by formulae of the form AF' andin the �-calculus by �X:' _ �X, where ' is any (non-contradictory)formula (for instance, an atomic proposition).Well-foundedness in �nite graphs. It is easy to see that in �nitegraphs, detecting well-foundedness essentially reduces to detecting cyclesin the graph; in full strati�ed Datalog, this is done by de�ning the tran-sitive closure of the graph, i.e. by using a binary relation as intermediateresult. The following results state that this is not possible in DatalogLIT, and that indeed Datalog LIT does not express well-foundedness.Theorem 10 1. Over �nite structures, the well-foundedness querycannot be expressed by strati�ed Datalog programs with onlymonadic head predicates.2. Over Kripke structures, every Datalog LIT query with monadicoutput predicate is equivalent to a Datalog LIT query where allhead predicates are monadic.Proof of 1. Let � be a strati�ed Datalog program with a single binaryinput predicate E and monadic head predicates H1; : : : ; Hr. Then thereexist formulae �Hi(x) in monadic second-order logic (MSO) which areequivalent to the queries (�; Hi). Suppose, towards a contradiction, that(�; H1) computes the well-founded elements of the input graph, thatis, the set of nodes v such that the graph contains no in�nite E-pathoriginating in v.For each n, let Sn be the graph (f0; : : : ; ng; f(j; j + 1) : 0 � j < ng)(i.e. the path of length n). The evaluation of � on Sn leads to the wordstructure Wn = (Sn; �SnH1 ; : : : ; �SnHr) of vocabulary � := (E;H1; : : : ; Hr).For two ordered structures A andB, let A�B denote the ordered sum ofA and B, cf. Ebbinghaus and Flum, 1999. (Note that � is associative.)Moreover, let Ak denote the k�fold ordered sum of A.Let L be the language fWn : n 2 Ng, and let � be the MSO-sentenceV1�i�h(8x:�Hi(x) $ Hix). Then for every word structure W of vo-cabulary � , W j= � if and only if W is isomorphic to some Wi 2 L.Hence, by B�uchi's Theorem, L describes a regular language. Since L isin�nite, the Pumping Lemma implies that there exist word structuresWi;Wj;Wk, such that for all ` � 1, Wi �Wj̀ �Wk 2 L. Note that wecan without loss of generality choose i; j and k arbitrarily large.

14We conclude that for su�ciently large i; j; k the Datalog program �cannot distinguish input structures of the form Si+`j+k from the root.Now consider the structure A = Si � Sj � Sj � Sk. In A, let c be thenode connecting the two copies of Sj , and obtain a second structure Bby adding a cycle of length j to the node c.Obviously, the root of A is well-founded, while the root ofB is not. Weclaim that � does not distinguish A and B on their common elements.To see this, we consider the contribution of the strata �1; : : : ;�p of �.For simplicity, let us identify relations on the graphs with colours, andlet m be the number of variables of �.We show that after evaluation of each stratum of �, the commonelements of A and B are coloured identically, and the j-cycle in B iscoloured isomorphically to the copies of Sj in A and B. Suppose thatthis condition is satis�ed before the evaluation of stratum �i (clearlythis is the case for i = 1).Each stratum corresponds to an existential least �xed point formula,and every Datalog rule expresses an existential �rst-order statementwhich is positive in the new colours of that stratum. By inductionhypothesis the m-neighbourhoods around corresponding elements of AandB satisfy the same existential statements concerning the old colours.Therefore, for su�ciently large i; j; k, the loop and the copies of Sj arecoloured isomorphically. Operationally, one can imagine that �rst thesubstructure A of B is coloured, and then the loop has to be colouredidentically, since the existential statements are true on the loop if theywere true on Sj . 2Corollary 11 Datalog LIT does not express the well-foundedness query.Hence, Datalog LIT does not express all of CTL.Well-foundedness in in�nite graphs. The intuitive reason why,over in�nite structures, well-foundedness is not expressible by strati�edprograms is that they require recursion through a universal statement,whereas Datalog (even strati�ed Datalog) has only recursion throughexistential statements. We establish a more general result, in terms ofan appropriate fragment of in�nitary logic.De�nition 12 The logic L!1! extends �rst-order logic by the possibilityto take disjunctions W� and conjunctions V� over countable sets � offormulae. Inside this logic we de�ne a hierarchy of fragments L(�k)and L(�k) for k < !. The bottom level L(�0) = L(�0) is the set ofquanti�er-free formulae in L!1!. Further, for every k, L(�k) := f:' :' 2 L(�k)g and L(�k+1) is the class of formulae W� where � is acountable subset of f9x1 � � � 9xm' :m < !; ' 2 L(�k)g.

Linear Time Datalog and Branching Time Logic 15Lemma 13 Every query in strati�ed Datalog is equivalent to some for-mula in Sk<! L(�k).Theorem 14 Over countable structures, well-foundedness statementsare not expressible in Sk<! L(�k). In particular they are not expressibleby strati�ed Datalog programs.4. DATALOG LITEThe linear time evaluation of Datalog LIT can be extended to DatalogLITE, which is obtained from Datalog LIT by introducing a new kindof literal:De�nition 15 A generalized literal G is an expression of the form(8y1 � � �yn:�)� where � and � are atoms, and free(�) � free(�). Thefree variables free(G) of G are given by free(�)� fy1; : : : ; yng.The intended meaning of (8y1 � � �yn:�)� is its standard �rst-ordersemantics, that is, 8y1 � � �yn(� ! �). Therefore, when the generalizedliteral is used within a program �, the notion of strati�cation has to beadapted in such a way that for (8�y:R�x�y)S�x�y, the occurrences of R areto be regarded as negative, and the occurrences of S are positive. Ina strati�ed program, R must therefore belong to a lower stratum whileS can be from the current stratum, too. In the context of a rule, thegeneralized literal is regarded as a negative literal. Since the notionof free variables is well-de�ned for generalized literals, De�nition 6 isapplicable to rules with generalized literals.De�nition 16 A Datalog LITE program is a Datalog LIT program con-taining (unnegated) generalized literals where the notions of guardednessand strati�cation are extended to generalized literals as described above.Note that according to this de�nition, generalized literals cannot beused as guards. Formally, the (operational) semantics of Datalog Liteprograms can be obtained from the standard semantics of Datalog asfollows.The program is evaluated bottom-up stratum by stratum. After theevaluation of each stratum, the predicate values of all predicates at thisstratum and at lower strata are �xed (i.e., their interpretation is �xed).The evaluation proceeds exactly as for strati�ed datalog programs exceptthat every generalized literal L(�y) := (8�x : �(�x; �y))�(�x; �y) is instantiated(for any tuple �d interpreting �y) by the conjunction^�c:�(�c; �d) true�(�c; �d):

16Remarks.1. Datalog LITE is indeed stronger than Datalog LIT, since the pro-gram Wx (8y:Exy)Wy computes the well-foundedness queryon both �nite and in�nite structures.2. In a non-recursive query (�;W ), universal quanti�cation canbe rewritten by double negation, obtaining an equivalent query(�::;W ). For example, the single rule query (�;W ) : Wx (8z:Exz)Mz is rewritten by the query (�::;W ) which containsthe two rules Wx :W:x andW:x Exz;:Mz. For recursive� however, �:: will in general not be strati�ed. The well-foundedsemantics by Gelder et al., 1991 assigns the correct meaning to thequery:Theorem 17 The rewriting operation � 7! �:: is a conservative em-bedding of Datalog LITE into well-founded Datalog.Thus, up to trivial rewriting operations, Datalog LITE is a fragmentof well-founded Datalog; by the following result, we have thus identi�eda linear time computable fragment of well-founded Datalog:Theorem 18 The complexity results about Datalog LIT (Theorem 8)hold also for Datalog LITE.We shall see later (cf. Lemma 21) that surprisingly, the use of headpredicates as guards does not increase the expressive power of DatalogLITE. Therefore, from the point of expressive power one can alwaysuse Datalog LITE with input guards. Head predicates as guards per-mit writing programs in a much more compact way. By the followingproposition, the exponential time bound for this case is indeed optimal:Proposition 19 With respect to data complexity, Datalog LIT and Dat-alog LITE are Ptime-complete. With respect to program complexity,they are Exptime-complete for unbounded arity, and remain Ptime-complete for bounded arity and for programs with input guards only.Proof Sketch. Since Datalog LITE is obviously contained in �xed pointlogic whose data complexity is PTIME, membership follows for bothformalisms. For hardness, it is easy to see that the problem MonotoneCircuit Value is expressible in Datalog LIT. For program complexity,the result for the bounded case follows immediately from the fact thatevaluating ground Horn clause problems is Ptime-complete. Since thislanguage is a trivial fragment of Datalog LIT, hardness follows. Mem-bership is a trivial consequence of Theorem 8. For general program

Linear Time Datalog and Branching Time Logic 17complexity, it is again su�cient to show hardness for Datalog LIT; sincewe know that Monotone Circuit Value is expressible in Datalog LIT, thegeneral method for program complexity worked out in Gottlob et al.,1999 is applicable. For details, consult Gottlob et al., 1999, Section 6.4and Gottlob et al., 1998. 25. LINEAR TIME ALGORITHMSThis section outlines the proof of Theorems 8 and 18. We proceed intwo phases: (1) we show that we can reduce the problem to programswith input guards only, and (2) we solve the problem for this restrictedcase.Phase 1: Locality Invariance and Input Guards. Given a struc-ture A, we de�ne the binary relation EA on A by EA = f(a; b) :there is a tuple in a relation in A containing both a and b g: The graph(jAj; EA) is called the Gaifman graph of A.Lemma 20 Let � be a Datalog LITE program with head predicatesT1; : : : ; Tr, and let TA1 ; : : : ; TAr be the relations computed by � on in-put structure A. Then the Gaifman graphs of A and (A; TA1 ; : : : ; TAr )coincide.Thus, the new relations computed by a Datalog LITE program do notchange the Gaifman graph of the input structure. We shall refer to thisproperty of programs as the locality invariance of Datalog LITE. Themost important application of locality invariance is the following lemma:Lemma 21 Every Datalog LIT and Datalog LITE program is equivalentto a program where all guards are input atoms. Moreover, the timecomplexity of eliminating non-input guards is1. linear in the program size if the program has bounded arity.2. exponential in the program size if the program has unbounded arity.Proof Sketch. The proof is based on the observation that due tolocality invariance, all head predicates contain only tuples which areobtained as permutations of subtuples of input relations. Hence, everyrule can be replaced by new rules obtained by adding an input relationto the body as new guard, and unifying the old guard and the newguard in such a way that all the variables which occur in the old guardappear in the new guard. The number of new rules is easily seen to beexponential in the number of the old rules. The algorithm is immediatelyobtained from the exact proof. It is easily checked that the algorithm is

18exponential in the program arity, as exempli�ed in the following remark.2Example 22 Consider the rule Rx Gxyz where G is a guard, butnot an input guard, and there is only one input relation E of arity 2.Then the rule can be replaced by the following set of new rules which areall guarded by E.Rx Exy;GxyyRx Exy;GxxyRx Exy;GxyxRx Exy;Gxxx Rx Eyx;GxyyRx Eyx;GxxyRx Eyx;GxyxRx Eyx;GxxxPhase 2: Evaluation of Input Guard Programs. A propositionalDatalog program is a program where no rule contains free variables.Thus, every rule is equivalent to a propositional Horn clause of the formh _ :b1 _ � � � _ :bn. It is well-known (cf. Dowling and Gallier, 1984;Itai and Makowsky, 1987; Minoux, 1988) that propositional Horn clauseprograms can be evaluated by a variant of unit resolution in linear timeon RAMs. We shall refer to this linear time algorithm as EvalHORN.EvalHORN makes use of a special data structure to store the Hornclauses and the result in such a way that literals can be stored, deletedand read in constant time. We shall call such a data structure a Hornclause base (HCB), and use it in our algorithm.The standard way to evaluate a negation-free Datalog program �over an input structure A is called grounding. This means that thelanguage is extended by constant symbols for all domain elements fromA, and the program is replaced by the rules obtained by instantiatingconstant symbols for the variables. The Gelfond-Lifschitz transformGL(�;A) over A then is the set of rules obtained from the set of groundinstantiations of rules in �, such that input literals which are true overA are removed from rule bodies, and rules containing false input literalsare removed completely.The resulting propositional program is of polynomial size and cantherefore be evaluated in polynomial time by EvalHORN. This proce-dure can be extended to strati�ed programs by evaluating the strata oneby one as in Berman et al., 1995.Algorithm EvalLIT. The algorithm proceeds in two phases:(1) Monadic rules are transformed in such a way that every rule containsat most one variable. This can be easily achieved by introducing newrules with variable-free heads. If there is a e.g. a rule Fx Gx;My,it will be replaced by Fx Gx;M 0, and M 0 My. This translation

Linear Time Datalog and Branching Time Logic 19increases the size of the program only by a constant factor, and can bedone in linear time by a subprogram Normalize. Normalize guaran-tees that the number of ground instances of monadic rules is boundedby jAj.Algorithm EvalLIT(�;A)Normalize(�)store A in array Afor all strata �i from �0 to �nfor all rules r 2 �ilet G(�y) := guard of rfor all tuples �d 2 G� := uni�er of �d and �yr0 := GL(fr�g; A)store r0 in HCB Hicall EvalHORN(Hi)and store results in array A(2) The Datalog program is evaluated stratum by stratum as a proposi-tional Horn program similarly as sketched by Berman et al., 1995. Sincethe ground instances of a guarded rule are determined by the groundsubstitutions of the variables in the guard, the number of ground in-stantiations of a guarded rule is bounded by the number of tuples in theguard relation, and thus by jAj. We conclude that for every rule, thenumber of ground instances is bounded by jAj, and obtain the algorithmEvalLIT which performs the grounding stratum by stratum. Thus, thealgorithm is linear both in the program size and jAj.Algorithm EvalLITE. For Datalog LITE, we shall adapt the algorithmto handle generalized literals. Over an input structure A, a generalizedliteral '(�y) := (8�x:��x�y)��x�y can for a �xed �y = �d be instantiated bya �nite conjunction V�c:�c �d2�A ��c �d: If for some �d, the set f�c : �c �d 2 �Agis empty, the conjunction is equal to true. Thus, we can apply thefollowing strategy: For every generalized literal '(�y) = (8�x:��x�y)��x�y,we introduce a new relation symbol R'(�y), and replace all occurrencesof ' by R'. In addition, we add ground rules with head predicate R'to the program.Algorithm EvalLITE(�;A)store A in array Afor all generalized literals '(�y) = (8�x:��x�y)��x�y in �iadd the rule R' to HCB H0for all tuples �c �d 2 �Aadd ��c �d to the body of the rule for R'for all rules r 2 �replace generalized literals ' in r by R'call EvalLIT(�;A)

20Note that EvalLITE uses the HCB H0 of EvalLIT. Since the sizeof �A is bounded by cjAj (cf. the proof of Theorem 8), the new loopincreases the size of the propositional program only linearly. It is easyto see that on a RAM, the program transformation can be done in lin-ear time. (Note that the standard RAM model of van Emde Boas, 1990assumes an array to be initialized by zeroes. Alternatively, the initial-ization can be simulated by the lazy array technique as described byMoret and Shapiro, 1990 with time overhead linear in jAj.)According to the most widely used RAM model our algorithms Eval-LIT and EvalLITE use linear space because only those registers (arraypositions) which are e�ectively used are taken into account and becauseinitialization is |as mentioned| not necessary. In the case where re-lation symbols are at most binary, adjacency lists of linear size can beused as data structures. In this case the space complexity is linear evenwhen measured according to less liberal RAM models where the indexof the largest used register determines space usage.6. MODAL DATALOG AND CTLOGIn this section we show that three common temporal veri�cation for-malisms, namely propositional (multi-)modal logic ML, CTL, and thealternation-free portion of the �-calculus can be captured by appropriatefragments of Datalog LITE.De�nition 23 A modal Datalog program � is a Datalog LITE programsuch that1. All extensional predicates of � are unary or binary and all headpredicates are unary.2. All rules have one of the following forms:Hx (:)P1x; : : : ; (:)PrxHx Exy; (:)P1y; : : : ; (:)PryHx (8y:Exy)P0y; (:)P1y; : : : ; (:)PryHere, (:) denotes that negation is optional.The notion of bisimulation plays a central role in modal logic andmodel checking. Bisimilarity is usually de�ned as a kind of two-playergame, cf. Clarke et al., 2000b. For our purposes, it is su�cient to knowthat two �nite structures are bisimilar i� they cannot be distinguishedby ML formulas. In fact, it is a characteristic feature of modal logicsthat they cannot distinguish between bisimilar structures. Thus, thefollowing lemma justi�es the terminology modal Datalog program.

Linear Time Datalog and Branching Time Logic 21Lemma 24 Every query de�ned by a modal Datalog program is invari-ant under bisimulation.We say that a modal logic L, like e.g. ML, CTL or the �-calculus, isequivalent to a class C of modal Datalog programs if for every Datalogquery (�; H) with � 2 C there exists a sentence 2 L, and vice versa,such that, for all Kripke structures K and all states v of K, K; v j= i�v 2 (�; H)[K]. Recall that a Datalog program is non-recursive if thereare no circular dependencies of its predicates (for a formal de�nition, seeAbiteboul et al., 1995, Chapter 5.2.)De�nition 25 A CTLog program is a modal Datalog LITE program �satisfying the following conditions:1. Every head predicate appears in at most one recursive rule (i.e.a rule where the head predicate occurs also in the body of therule). Moreover, this rule has the form Hx Px;Exy;Hy orHx Px; (8y : Exy)Hy.2. If we remove these rules, the remaining program is non-recursive.Theorem 26 The following equivalences are valid:1. non-recursive modal Datalog = propositional multi-modal logic2. CTLog = CTL on total Kripke structures.3. modal Datalog = alternation-free �-calculusProof of 1. and 2. (1) Given a non-recursive modal program � withbinary predicates Ea (a 2 A) we construct for each predicate H of � aformula H of propositional multi-modal logic with modalities (actions)a 2 A, such that H expresses the query (�; H).By renaming variables, if necessary, we can assume that all rules withhead predicate H have head variable x. Further, we can assume thatall these rules have the form Hx (:)Px; (:)Qx or Hx Eaxy; Py,or Hx (8y:Eaxy)Py where each S 2 fP;Qg is either an extensionalpredicate of � (in which case S := S) or a head predicate for whichthe formula S has already been constructed. For every rule r of the�rst form let 'r := (:) P ^ (:) Q, for every rule r of the second form,let 'r := hai P , and for every rule of the third form, let 'r := [a] Px.Finally take for H the disjunction of all the formulae 'r for all ruleswith head Hx. It is easy to see that H is equivalent to (�; H).Conversely, we construct for every sentence 2 ML a non-recursivemodal Datalog program � with distinguished head predicate H such

22that the query (� ; H ) is equivalent to . If is an atomic propositionP , then � consists of the single rule H x Px. If programs forthe subformulae of have already been constructed, then extend theseprograms as follows:1. = ' ^ #. Add the rule H x H'x;H#x.2. = ' _ #. Add the rules H x H'x and H x H#x.3. = :'. Add a new stratum consisting of the rule H x :H'x.4. = hai'. Add the rule H x = Eaxy;H'y.5. = [a]'. Add the rule H x = (8y : Eaxy)H'y.(2a) Every CTL-sentence is equivalent to a query (� ; H ) where � is a CTLog-program.The translation is precisely the same as above except for CTL-sentences of form E('U#) and A('U#). (Recall that EX' and AX'are equivalent to 3' and �', respectively. := E('U#). Add to the programs �' and �# the two rulesH x H#xH x H'x;Exy;H y = A('U#). Add to �' and �# two strata as follows:Rx H#x Rx (8y : Exy)RySx :H'x;:H#x Sx :H#x;Exy; SyH x Rx;:SxThe correctness of the translation is obvious for E('U#). To see thatthe program for = A('U#) is correct, note that A('U#) � AF# ^:E(:#U(:' ^ :#)). The �rst stratum computes the set R of states atwhich AF# holds and the set S of states where E(:'U(:' ^ :#)) istrue (see case (5)). The second stratum takes the conjunction of R withthe complement of S.(2b) Every query computed by a CTLog-program is expressible by a CTL-formula.Let � be a CTLog program and H be a head predicate of �. Thereis in � at most one recursive rule with head Hx and, further, a collec-tion r1; : : : ; rm of rules with head Hx from the non-recursive portion

Linear Time Datalog and Branching Time Logic 23of �. The latter can be translated as in part (1) of the proof into sen-tences 'r1 ; : : : ; 'rm that are built via the basic propositional connectivesand the modal operators 3 and � (or, in CTL-syntax, EX and AX)from previously constructed CTL-sentences P where P are extensionalmonadic predicates or head predicates from lower strata.Let 'H := 'r1 _ � � � _ 'rm . If there is no recursive rule with headH , set H := 'H . If the recursive rule with head H has the formHx Px;Exy;Hy then set H := E( PU'H) and if the recursiverule with head H has the form Hx Px; (8y : Exy)Hy then set H :=A( PU'H). It is easily veri�ed that H is equivalent to (�; H). 2Proposition 27 With respect to data complexity, CTLog isNlogspace-complete. With respect to program complexity, CT-Log is Ptime-complete. With respect to data complexity and programcomplexity, modal Datalog is Ptime-complete.7. GUARDED FIXED POINT LOGICIn this section we show that Datalog LITE is equivalent to a naturalfragment of the guarded �xed point logic �GF which has recently beenstudied by Gr�adel and Walukiewicz, 1999. The idea to consider guardedfragments of �rst-order logic and its extensions is due to Andr�eka et al.,1998. Their main goal was to identify the reasons for the convenientmodel-theoretic and algorithmic properties of modal logics and to gen-eralize the modal fragment of �rst-order logic.De�nition 28 The guarded fragment GF of �rst-order logic is de�nedinductively as follows:1. Every relational atomic formula belongs to GF.2. GF is closed under propositional connectives.3. If �x; �y are tuples of variables, �(�x; �y) is a positive atomic formulaand (�x; �y) is a formula in GF such that free( ) � free(�) = f�x; �yg,then the formulae 9�y(�(�x; �y) ^ (�x; �y)) and 8�y(�(�x; �y)! (�x; �y))belong to GF.Here free( ) means the set of free variables of . An atom �(�x; �y)that relativizes a quanti�er as in rule (3) is the guard of the quanti�er.Notice that the guard must contain all the free variables of the formulain the scope of the quanti�er.Notation. We will use the notation (9�y : �) and (8�y : �) for relativizedquanti�ers, i.e., we write guarded formulae in the form (9�y : �) (�x; �y)

24and (8�y : �) (�x; �y). When this notation is used, then it is always under-stood that � is indeed a proper guard as speci�ed by condition (3).The guarded fragment GF extends the modal fragment and turns outto have interesting properties (Andr�eka et al., 1998; Gr�adel, 2000): (1)The satis�ability problem for GF is decidable; (2) GF has the �nitemodel property, i.e., every satis�able formula in the guarded fragmenthas a �nite model; (3) GF has (a generalized variant of) the tree modelproperty; (4) Many important model theoretic properties which holdfor �rst-order logic and modal logic, but not, say, for the bounded-variable fragments FOk, do hold also for the guarded fragment; (5) Thenotion of equivalence under guarded formulae can be characterized by astraightforward generalization of bisimulation.Further, in (Gr�adel, 2000) it is shown that the satis�ability prob-lem for GF is 2Exptime-complete in the general case and Exptime-complete in the case where all relation symbols have bounded arity.The guarded �xed point logic �GF is the extension of GF by leastand greatest �xed points, and it relates to GF in the same way as the�-calculus relates to propositional modal logic and as least �xed pointlogic FO(LFP) relates to �rst-order logic.De�nition 29 The guarded �xed point logic �GF is obtained by addingto GF the following rules for constructing �xed-point formulae: Let be a formula, W a k-ary relation variable that occurs only positivelyin , and let �x = x1; : : : ; xk be a k-tuple of distinct variables. Thenwe can build the formulae [LFP W �x : ](�x) and [GFP W �x : ](�x). Asentence in �GF is alternation-free if it does not contain subformulae := [LFP T �x : '](�x) and # := [GFP S�y : �](�y) such that T occurs in �and # is a subformula ', or S occurs in ' and is a subformula of �.The semantics of the �xed point formulae is the usual one, cf. Ebbing-haus and Flum, 1999. Note that may contain besides �x and W otherfree �rst-order and second-order variables. The �xed-point operatorbinds W and �x but leaves all other variables free. It is obvious that�GF generalizes the �-calculus. On the other side it is not di�cultto see that �GF does not have the �nite model property (see Gr�adeland Walukiewicz, 1999 for an example of an in�nity axiom in �GF).However, �GF shares most of the other model-theoretic and algorithmicproperties of the �-calculus. In particular, �GF has the generalized treemodel property and its satis�ability problem is decidable via automata-theoretic methods. The complexity of �GF could be identi�ed precisely(Gr�adel and Walukiewicz, 1999).Theorem 30 (Gr�adel, Walukiewicz) The satis�ability problem forguarded �xed point logic is 2Exptime-complete. For every k � 2, the

Linear Time Datalog and Branching Time Logic 25satis�ability problem for �GF-sentences with relation symbols of arity atmost k is Exptime-complete.Theorem 31 Every alternation-free sentence in �GF is equivalent to aDatalog LITE query. Conversely, every Datalog LITE query is equiva-lent to an alternation free formula in �GF.Theorem 32 Recursion-free Datalog LITE has the same expressivepower as the guarded fragment of �rst order logic.8. CONCLUSIONIn summary, Datalog LITE is a robust variant of Datalog with guar-anteed linear-time model checking complexity and rich expressive power.This new language facilitates the direct speci�cation of temporal prop-erties of �nite (and in�nite) state systems by using the paradigm of logicprogramming. Since Datalog (both with strati�ed or well-founded nega-tion) is a well-studied database query language for which a number ofoptimization methods for secondary-storage access have been developed,our results can also be used for applications, where a �nite state systemis stored in a relational database.There are several interesting questions related to Datalog LITE whichwe are currently studying. One is to �nd suitable extensions of thelanguage to express CTL* and LTL. This can be done by adding very fewnew primitives along the lines of a general approach to extending Datalogpresented in Eiter et al., 1997. Another interesting issue currently underinvestigation is the relationship between Datalog LITE and automata,and more general, Datalog and tree automata.AcknowledgmentsThis work was supported by the Austrian Science Fund Project N Z29-INF, byDeutsche Forschungsgemeinschaft (DFG), and the Max Kade Foundation. Most ofthis research has been carried out while the third author was with TU Wien.We are thankful to Harald Ganzinger, Martin Grohe, J�org Flum, Thomas Hen-zinger, Sergey Vorobyov, Jack Minker and an anonymous referee for valuable com-ments.ReferencesAbiteboul, S., Hull, R., and Vianu, V. (1995). Foundations of Databases.Addison-Wesley.Abiteboul, S., Vianu, V., Fordham, B. S., and Yesha, Y. (1998). Rela-tional transducers for electronic commerce. In Paredaens, J., editor,Proceedings of the Seventeenth ACM SIGACT-SIGMOD-SIGART

26Symposium on Principles of Database Systems, pages 179{187. ACMPress.Andr�eka, H., van Benthem, J., and N�emeti, I. (1998). Modal languagesand bounded fragments of predicate logic. Journal of PhilosophicalLogic, 27:217{274.Apt, K. R., Blair, H. A., and Walker, A. (1988). Towards a theory ofdeclarative knowledge. In Minker, J., editor, Foundations of DD andLP, pages 89{148.Berman, K. A., Schlipf, J. S., and Franco, J. V. (1995). Computingwell-founded semantics faster. In Marek, V. and Nerode, A., editors,LPNMR'95, LNCS, pages 113{126. Springer.Bryant, R. E. (1986). Graph-based algorithms for boolean function ma-nipulation. IEEE Transaction on Computers, pages 35(8):677{691.Burch, J. R., Clarke, E.M., McMillan, K. L., Dill, D. L., and Hwang, L. J.(1992). Symbolic model checking: 1020 states and beyond. Informationand Computation, 98(2):142{170.Ceri, S., Gottlob, G., and Tanca, L. (1990). Logic Programming andDatabases. Surveys in Computer Science. Springer.Charatonik, W. and Podelski, A. (1998). Set-based analysis of reactivein�nite-state systems. In Ste�en, B., editor, TACAS'98, volume 1384of LNCS. Springer.Clarke, E. and Emerson, E. A. (1981). Design and synthesis of synchro-nization skeletons using branching time temporal logic. In Logics ofPrograms: Workshop, volume 131 of LNCS, pages 52{71. Springer.Clarke, E., Grumberg, O., Jha, S., Lu, Y., and Veith, H. (2000a).Counterexample-guided abstraction re�nement. Technical ReportCMU-CS-00-103, Computer Science, Carnegie Mellon University. Ex-tended abstract to appear in CAV 20000.Clarke, E., Grumberg, O., and Peled, D. (2000b). Model Checking. MITPress.Clarke, E. and Schlinglo�, H. (2000). Model checking. In Robinson, J.and Voronkov, A., editors, Handbook of Automated Reasoning. Else-vier. to appear.Clarke, E. M., Grumberg, O., and Long, D. E. (1994). Model checkingand abstraction. ACM Transactions on Programming Languages andSystem (TOPLAS), Vol.16(5):pp.1512 { 1542.Cui, B., Dong, Y., Du, X., Kumar, K. N., Ramakrishnan, C. R., Ramakr-ishnan, I. V., Roychoudhury, A., Smolka, S. A., and Warren, D. S.(1998). Logic programming and model checking. In Palamidessi, C.,Glaser, H., and Meinke, K., editors, PLAP/ALP'98, volume 1490 ofLNCS, pages 1{20. Springer.

Linear Time Datalog and Branching Time Logic 27Dowling, W. F. and Gallier, J. H. (1984). Linear-time algorithms fortesting the satis�ability of propositional Horn formulae. J. Logic Pro-gramming, 1(3):267{284.Ebbinghaus, H.-D. and Flum, J. (1999). Finite Model Theory (2nd edi-tion). Springer.Eiter, T., Gottlob, G., and Veith, H. (1997). Modular logic programmingand generalized quanti�ers. In Dix, J., Furbach, U., and Nerode, A.,editors, LPNMR'97, volume 1265 of LNCS, pages 290{309. Springer.Emerson, E. (1990). Temporal and modal logic. In van Leeuven, J., ed-itor, Handbook of Theor.Comp.Science. Vol. B., pages 995{1072. El-sevier.Gelder, A. V., Ross, K. A., and Schlipf, J. S. (1991). The well-foundedsemantics for general logic programs. J. ACM, 38(3):620{650.Gottlob, G., Gr�adel, E., and Veith, H. (1998). Datalog LITE: Temporalversus deductive reasoning in veri�cation. Technical Report DBAI-TR-98-22, Institut f�ur Informationssysteme, TU Wien.Gottlob, G., Leone, N., and Veith, H. (1999). Succinctness as a source ofcomplexity in logical formalisms. Annals of Pure and Applied Logic,97(1-3):231{260.Gr�adel, E. (2000). On the restraining power of guards. J. Symb.Logic.To appear.Gr�adel, E. and Walukiewicz, I. (1999). Guarded �xed point logic. InLongo, G., editor, Proc. 14th IEEE Symp. on Logic in Computer Sci-ence, pages 45{54.Immerman, N. and Vardi, M. Y. (1997). Model checking and transitive-closure logic. In Grumberg, O., editor, CAV 1997, volume 1254 ofLNCS, pages 291{302. Springer.Itai, A. and Makowsky, J. A. (1987). Uni�cation as a complexity measurefor logic programming. J. of Logic Programming, 4(2):105{117.Kozen, D. (1983). Results on the propositional �-calculus.Theor.Comp.Science, 27(3):333{354.Kurshan, R. P. (1994). Computer-Aided Veri�cation of CoordinatingProcesses. Princeton University Press.McMillan, K. L. (1993). Symbolic Model Checking. Kluwer.Minoux, M. (1988). LTUR: A simpli�ed linear-time unit resolution algo-rithm for Horn formulae and computer implementation. Inf.Proc.Let.,29(1):1{12.Moret, B. and Shapiro, H. (1990). Algorithms from P to NP. Ben-jamin/Cummings.Murakami, M. (1990). A declarative semantics of at guarded Hornclauses for programs with perpetual processes. Theor.Comp.Science,75(1{2):67{83.

28Ramakrishnan, Y. S., Ramakrishnan, C. R., Ramakrishnan, I. V.,Smolka, S. A., Swift, T., and Warren, D. S. (1997). E�cient modelchecking using tabled resolution. In Grumberg, O., editor, CAV'97,volume 1254 of LNCS, pages 143{154. Springer.Ullman, J. D. (1989). Principles of Data Base Systems. Computer Sci-ence Press.van Emde Boas, P. (1990). Machine models and simulations. In vanLeeuven, J., editor, Handbook of Theor.Comp.Science. Vol. A., pages1{66. Elsevier.Vardi, M. Y. (1998). Reasoning about the past with two-way automata.In Larsen, K. G., Skyum, S., and Winskel, G., editors, ICALP, volume1443 of LNCS, pages 628{641. Springer.