Discounting in LTL

Shaull Almagor1, Udi Boker1,2, and Orna Kupferman1

1 The Hebrew University, Jerusalem, Israel.2 IST Austria, Klosterneuburg, Austria.

Abstract. Traditional formal methods are based on a Boolean satisfaction notion– a reactive system satisfies, or not, a given specification. In recent years, thereis growing need and interest in formalizing and reasoning about the quality ofsystems. One direction in this effort is a refinement of the “eventually” operators oftemporal logics to discounting operators: the satisfaction value of a specificationis a value in [0, 1], where the longer it takes to fulfill eventuality requirements, thesmaller the satisfaction value is. A second direction is an extension of temporallogic by propositional quality operators that enable the specifier to grade differentsatisfying possibilities. In this paper we add discounting to Linear Temporal Logic(LTL), and study it, as well as its combination with propositional quality operators.We introduce LTLdisc[D] – an augmentation by discounting of LTL. The logicLTLdisc[D] is parameterized by a set D of discounting functions (e.g., lineardecaying, exponential decaying, etc.) and includes, for each function η ∈ D, adiscounting-“until” operator Uη .We solve the model-checking problem for LTLdisc[D]: given a Kripke structure K,an LTLdisc[D] formula ϕ and a threshold t ∈ [0, 1], our model-checking algorithmdecides whether the satisfaction value of ϕ in K is at least t. Our automata-basedalgorithm copes with the infinitely many satisfaction values that ϕ may have byrestricting attention to values that may influence the particular threshold. We showthat for standard discounting functions, such as exponential decaying, the problemis PSPACE-complete – not more complex than standard LTL. We then augmentLTLdisc[D] with propositional quality operators. Two such basic operators are themultiplication of an LTLdisc[D] formula by a constant in [0, 1], and the averagingbetween the satisfaction values of two LTLdisc[D] formulas. We show that whilethe first extension does not increase the expressive power of LTLdisc[D] or itscomplexity, the latter causes the model-checking problem to become undecidable.We further extend LTLdisc[D] to refer to the past, via discounting-“since” operators,to handle weighted systems, where the quantitative reasoning is combined withquantitative aspects of the system, and to allow not only discounting functions,but also functions that converge to an arbitrary value in [0, 1]. All these extensionsdo not increase the complexity of the model-checking problem.

1 Introduction

One of the main obstacles to the development of complex computerized systems lies inensuring their correctness. A successful paradigm addressing this obstacle is temporal-logic model checking – given a mathematical model of the system and a temporal-logicformula that specifies a desired behavior of the system, decide whether the model satisfiesthe formula [4]. Correctness is Boolean: a system can either satisfy its specification or not

satisfy it. The richness of today’s systems, however, justifies specification formalisms thatare multi-valued. The multi-valued setting arises directly in systems with quantitativeaspects (multi-valued / probabilistic / fuzzy) [8–11, 14, 21], but is applied also withrespect to Boolean systems, where it origins from the semantics of the specificationformalism itself [1, 6].

When considering the quality of a system, satisfying a specification should no longerbe a yes/no matter. Different ways of satisfying a specification should induce different lev-els of quality, which should be reflected in the output of the verification procedure. Con-sider for example the specification G(request → F(response grant ∨ response deny))(“every request is eventually responded, with either a grant or a denial”). There should bea difference between a computation that satisfies it with responses generated soon afterrequests and one that satisfies it with long waits. Moreover, there should be a differencebetween positive and negative responses, or cases in which no request is issued. It mayalso be useful to relate the positivity of the request with the waiting time.

As the example above demonstrates, we can distinguish between two componentsof the quality of satisfaction. The first, to which we refer here as “temporal quality”concerns the waiting time to satisfaction of eventualities. The second, to which we referas “propositional quality” concerns prioritizing related components of the specification.One may try to reduce “temporal quality” to “propositional quality”, using the factthat an eventuality involves a repeated choice between satisfying it in the present ordelaying its satisfaction to the strict future. This attempt, however, requires unboundedlymany applications of the propositional choice, and is similar to a repeated use of theX (“next”) operator rather than a use of eventuality operators. Clearly, the use of X isa very limited solution, as it partitions the future into finitly many zones, all of whichare in the “near future”, except for a single, unbounded, “far future”. A more involvedapproach to distinguish between the “near” and “far” future includes bounded (prompt)eventualities [2, 3]. There, one distinguishes between eventualities whose waiting time isbounded and ones that have no bound.

The weakness of both approaches is not surprising – correctness of LTL is Boolean,and thus has inherent dichotomy between satisfaction and dissatisfaction. The distinctionbetween “near” and “far”, however, is not dichotomous. This suggests that in order tocapture these concepts, one must extend LTL to an unbounded setting. Realizing this,researchers have suggested to augment temporal logics with future discounting [7]. Inthe discounted setting, the satisfaction value of specifications is a numerical value, and itdepends, according to some discounting function, on the time waited for eventualities toget satisfied.

In this paper we add discounting to Linear Temporal Logic (LTL), and study it, aswell as its combination with propositional quality operators. We introduce LTLdisc[D] –an augmentation by discounting of LTL. The logic LTLdisc[D] is actually a family oflogics, each parameterized by a set D of discounting functions – strictly decreasingfunctions from N to [0, 1] that tend to 0 (e.g., linear decaying, exponential decaying,etc.). LTLdisc[D] includes discounting-“until” (Uη) and discounting-“dual until” (Uη)operators, parameterized by a function η ∈ D. We solve the model-checking thresholdproblem for LTLdisc[D]: given a Kripke structure K, an LTLdisc[D] formula ϕ and a

2

threshold t ∈ [0, 1], the algorithm decides whether the satisfaction value of ϕ in K is atleast t.

In the Boolean setting, the automata-theoretic approach has proven to be very usefulin reasoning about LTL specifications. The approach is based on translating LTL formu-las to nondeterministic Buchi automata on infinite words [24]. The discounted settinggives rise to infinitely many satisfaction values. This poses a big algorithmic challenge,as model-checking algorithms, and in particular those that follow the automata-theoreticapproach, are based on an exhaustive search, which cannot be simply applied when thedomain becomes infinite. A natural relevant extension to the automata-theoretic approachis to translate formulas to weighted automata [20]. Unfortunately, these extensively-studied models are complicated and many problems become undecidable for them[13]. We show that for threshold problems, we can translate LTLdisc[D] formulas into(Boolean) nondeterministic Buchi automata. We cope with the infinitely many possiblesatisfaction values by using the given threshold in order to partition the state space into afinite number of classes. The complexity of our algorithm depends on the discountingfunctions used in the formula. We show that for standard discounting functions, suchas exponential decaying, the problem is PSPACE-complete – not more complex thanstandard LTL. The fact our algorithm uses Boolean automata also enables us to suggest asolution to other decision procedures, like threshold satisifiability and threshold synthesis.In addition, it allows to adapt the heuristics and tools that exist for Boolean automata.

Before we continue to describe our contribution, let us review existing work on dis-counting. The notion of discounting has been studied in several fields, such as economy,game-theory, and Markov decision processes [22]. In the area of formal verification, itwas suggested in [7] to augment the µ-calculus with discounting operators. The discount-ing suggested there is exponential; that is, with each iteration, the satisfaction value ofthe formula decreases by a multiplicative factor in (0, 1]. Algorithmically, [7] showshow to evaluate discounted µ-calculus formulas with arbitrary precision. Formulas ofLTL can be translated to the µ-calculus, thus [7] can be used in order to model-checkdiscounted-LTL formulas. The translation from LTL to the µ-calculus, however, iscomplicated and involves an exponential blow-up [5]. Moreover, LTLdisc[D] allowsfor arbitrary discounting functions, and our algorithm returns an exact solution to thethreshold model-checking problem, which is more difficult than the approximationproblem.

Closer to our work is [6], where CTL is augmented with discounting and weighted-average operators. The motivation in [6] is to introduce a logic whose semantics is nottoo sensitive to small perturbations in the model. Accordingly, formulas are evaluatedon weighted-systems or on Markov-chains. Adding discounting and weighted averageoperators to CTL preserves its appealing complexity, and the model-checking problemfor the augmented logic can be solved in polynomial time. As is the case in the traditionalsemantics, the expressive power of discounted CTL is limited.

Perhaps closest to our approach is [17], where a version of discounted-LTL wasintroduced. Semantically, there are two main differences between the logics. The firstis that they use discounted sum, while we interpret discounting without accumulation,and the second is that the discounting there replaces the standard temporal operators, soall eventualities are discounted. As discounting functions tend to 0, this strictly restricts

3

the expressive power of the logic, and one cannot specify traditional eventualities in it.On the positive side, it enables a clean algebraic characterization of the semantics, andindeed the contribution in [17] is a comprehensive study of the mathematical propertiesof the logic. Yet, they do not look into algorithmic questions about to the logic. We, onthe other hand, focus on the algorithmic properties of the logic, and specifically on themodel-checking problem.

Let us now return to our contribution. After introducing LTLdisc[D] and studying itsmodel-checking problem, we augment LTLdisc[D] with propositional quality operators.Beyond the operators min, max, and ¬, which are already present, two basic proposi-tional quality operators are the multiplication of an LTLdisc[D] formula by a constantin [0, 1], and the averaging between the satisfaction values of two LTLdisc[D] formulas[1]. We show that while the first extension does not increase the expressive power ofLTLdisc[D] or its complexity, the latter causes the model-checking problem to becomeundecidable. In fact, model checking becomes undecidable even if we allow a singlediscounting function. Recall that this is in contrast with the extension of discounted CTLwith an average operator, where the complexity of the model-checking problem stayspolynomial [6].

We consider additional extensions of LTLdisc[D]. First, we study a variant of thediscounting-eventually operators in which we allow the discounting to tend to arbitraryvalues in [0, 1] (rather than to 0). This captures the intuition that we are not alwayspessimistic about the future, but can be, for example, ambivalent about it, by tendingto 1

2 . We show that all our results hold under this extension as well. Second, we addto LTLdisc[D] past operators and their discounting versions (specifically, we allow adiscounting-“since” operator, and its dual). In the traditional semantics, past operatorsenable clean specifications of many interesting properties, make the logic exponentiallymore succinct, and can still be handled within the same complexity bounds [16, 15]. Weshow that the same holds for the discounted setting. Finally, we show how LTLdisc[D]and algorithms for it can be used also for reasoning about weighted systems.

Due to lack of space, the full proofs appear in the appendix.

2 The Logic LTLdisc[D]

The linear temporal logic LTLdisc[D] generalizes LTL by introducing discounting tem-poral operators. The logic is actually a family of logics, each parameterized by a set Dof discounting functions.

Let N = {0, 1, ...}. A function η : N → [0, 1] is a discounting function iflimi→∞ η(i) = 0, and η is strictly monotonic-decreasing. Examples for natural dis-counting functions are η(i) = λi, for some λ ∈ (0, 1), and η(i) = 1

i+1 .Given a set of discounting functions D, we define the logic LTLdisc[D] as follows.

The syntax of LTLdisc[D] adds to LTL the operators ϕUηψ (discounting-Until) andϕUηψ (discounting-dual Until), for every function η ∈ D. Thus, the syntax is givenby the following grammar, where p ranges over the set AP of atomic propositions andη ∈ D.

ϕ := True | p | ¬ϕ | ϕ ∨ ϕ | Xϕ | ϕUϕ | ϕUηϕ | ϕUηϕ.

4

The semantics of LTLdisc[D] is defined with respect to a computation π = π0, π1, . . . ∈(2AP )ω . Given a computation π and an LTLdisc[D] formula ϕ, the truth value of ϕ in πis a value in [0, 1], denoted [[π, ϕ]]. The value is defined by induction on the structure ofϕ as follows, where πi = πi, πi+1, . . ..

– [[π, True]] = 1. –[[π, ϕ ∨ ψ]] = max {[[π, ϕ]], [[π, ψ]]}.

– [[π, p]] =

{1 if p ∈ π00 if p /∈ π0.

–[[π,¬ϕ]] = 1− [[π, ϕ]].

– [[π,Xϕ]] = [[π1, ϕ]].– [[π, ϕUψ]] = sup

i≥0{min{[[πi, ψ]], min

0≤j<i{[[πj , ϕ]]}}}.

– [[π, ϕUηψ]] = supi≥0{min{η(i)[[πi, ψ]], min

0≤j<i{η(j)[[πj , ϕ]]}}}.

– [[π, ϕUηψ]] = infi≥0{max{η(i)[[πi, ψ]], max

0≤j<i{η(j)[[πj , ϕ]]}}}.

The intuition is that events that happen in the future have a lower influence, and the rateby which this influence decreases depends on the function η that is used.

We add the standard abbreviations Fϕ ≡ TrueUϕ, and Gϕ = ¬F¬ϕ, as well as theirquantitative counterparts: Fηϕ ≡ TrueUηϕ, and Gηϕ = ¬Fη¬ϕ.

The semantics is extended to Kripke structures by taking the path that admits thelowest satisfaction value. Formally, for a Kripke structure K and an LTLdisc[D] formulaϕ we have that [[K, ϕ]] = inf {[[π, ϕ]] : π is a computation of K}.

Example 1. Consider a system that grants locks (e.g., for a data structure). When aprocess requests a grant, it is desirable that the grant is given as soon as possible. Keepingthe process waiting incurs a multiplicative cost λ. We can specify this requirement bythe formula G(req → Fηgrant), where η(i) = λi. Then, a system that always grantsrequests immediately satisfies the formula with value of 1, a system that sometimewaits for k steps satisfies it with value λk, and a system where the waiting time can bearbitrarily long (e.g., a system that grants the i-th request after i steps) satisfies it withvalue 0 (even if indeed a grant is eventually given for every request).

3 LTLdisc[D] Model Checking

In the Boolean setting, the model-checking problem asks, given an LTL formula ϕ anda Kripke structure K, whether [[K, ϕ]] = True. In the quantitative setting, the model-checking problem is to compute [[K, ϕ]], where ϕ is now an LTLdisc[D] formula. Asimpler version of this problem is the threshold model-checking problem: given ϕ, Kand a threshold v ∈ [0, 1] decide whether [[K, ϕ]] > v. In this section we show how wecan solve the latter, as well as other decision problems for LTLdisc[D]. Our solution usesthe automata-theoretic approach and we first define alternating weak automata.

3.1 Alternating Weak Automata

Given an alphabetΣ, an infinite word overΣ is an infinite sequencew = σ0·σ1 · · ·σ2 · · ·of letters in Σ. For a given set X , let B+(X) be the set of positive Boolean formulasover X (i.e., Boolean formulas built from elements in X using ∧ and ∨), where we also

5

allow the formulas True and False. For Y ⊆ X , we say that Y satisfies a formulaθ ∈ B+(X) iff the truth assignment that assigns true to the members of Y and assignsfalse to the members of X \ Y satisfies θ. An alternating Buchi automaton on infinitewords is a tuple A = 〈Σ,Q, qin, δ, α〉, where Σ is the input alphabet, Q is a finite setof states, qin ∈ Q is an initial state, δ : Q×Σ → B+(Q) is a transition function, andα ⊆ Q is a set of accepting states. We define runs of A by means of (possibly) infiniteDAGs (directed acyclic graphs). A run of A on a word w = σ0 · σ1 · · · is a (possibly)infinite DAG G = 〈V,E〉 satisfying the following (note that there may be several runs ofA on w).

– V ⊆ Q×N is as follows. Let Ql ⊆ Q denote all states in level l. Thus, Ql = {q :〈q, l〉 ∈ V }. Then, Q0 = {qin}, and Ql+1 satisfies

∧q∈Ql δ(q, σl).

– For every l ∈ N, Ql is minimal with respect to containment.– E ⊆

⋃l≥0(Ql × {l}) × (Ql+1 × {l + 1}) is such that E(〈q, l〉, 〈q′, l + 1〉) iff

Ql+1 \ {q′} does not satisfy δ(q, σl).

Thus, the root of the DAG contains the initial state of the automaton, and the statesassociated with nodes in level l + 1 satisfy the transitions from states correspondingto nodes in level l. The run G accepts the word w if all its infinite paths satisfy theacceptance condition α. Thus, in the case of Buchi automata, all the infinite paths haveinfinitely many nodes 〈q, l〉 such that q ∈ α (it is not hard to prove that every infinitepath in G is part of an infinite path starting in level 0). A word w is accepted by A ifthere is a run that accepts it. The language of A, denoted L(A), is the set of infinitewords that A accepts.

When the formulas in the transition function of A contain only disjunctions, thenA is nondeterministic, and its runs are DAGs of width 1, where at each level there is asingle node.

The alternating automaton A is weak, denoted AWA, if its state space Q can bepartitioned into sets Q1, . . . , Qk, such that the following hold: First, for every 1 ≤ i ≤ keither Qi ⊆ α, in which case we say that Qi is an accepting set, or Qi ∩ α = ∅, inwhich case we say that Qi is rejecting. Second, there is a partial-order ≤ over the sets,and for every 1 ≤ i, j ≤ k, if q ∈ Qi and s ∈ Qj and s ∈ δ(q, σ) for some σ ∈ Σ,then Qj ≤ Qi. Thus, transitions can lead only to states that are smaller in the partialorder. Consequently, each run of a AWA eventually gets trapped in a set Qi and isaccepting iff this set is accepting. A useful property of AWA is that it is very easy tocomplement the language of a given AWAA: we only have to dualize its transitions (thatis, swap disjunctions with conjunctions, and trues with falses) and dualize its acceptancecondition (that is, swap accepting and rejecting sets).

3.2 From LTLdisc[D] to AWW

Our model-checking algorithm is based on translating an LTLdisc[D] formula to an AWA.Before describing the construction of the AWA, we need the following lemma, which

reduces satisfaction values in {0, 1} of an LTLdisc[D] formula to Boolean satisfaction ofLTL formulas. The proof proceeds by induction on the structure of the formulas.

Lemma 1. Given an LTLdisc[D] formula ϕ, there exist LTL formulas ϕ+ and ϕ<1 suchthat for every computation π it holds that π |= ϕ+ iff [[π, ϕ]] > 0 and π |= ϕ<1 iff[[π, ϕ]] < 1.

6

For a function f : N → [0, 1] and for k ∈ N, we define f+k : N → [0, 1] as follows.For every i ∈ N we have that f+k(i) = f(i+ k).

Let ϕ be an LTLdisc[D] formula over the atomic propositions AP . We define theextended closure of ϕ, denoted xcl(ϕ), to be the set of all the formulas ψ of the followingclasses:1. ψ is a subformula of ϕ.2. ψ is a subformula of θ+ or ¬θ+, where θ is a subformula of ϕ 3.3. ψ is of the form θ1Uη+kθ2 or θ1Uη+kθ2 for k ∈ N, where θ1Uηθ2 or θ1Uηθ2 is a

subformula of ϕ.

Observe that xcl(ϕ) may be infinite, and that it has both LTLdisc[D] formulas (fromClasses 1 and 3) and LTL formulas (from Class 2).

Theorem 1. Given an LTLdisc[D] formula ϕ and a threshold v ∈ [0, 1], there exists anAWAAϕ,v such that for every computation π it holds thatAϕ,v accepts π iff [[π, ϕ]] > v.

Proof. Let v ∈ [0, 1], we construct an AWA Aϕ,v = 〈Q, 2AP , Q0, δ, α〉 such that forevery computation π it holds that Aϕ,v accepts π iff [[π, ϕ]] > v.

The state space Q consists of two types of states. Type-1 states are assertions of theform (ψ > t) or (ψ < t), where ψ ∈ xcl(ϕ) is of Class 1 or 3 and t ∈ [0, 1]. Type-2states correspond to LTL formulas of Class 2 above. Let S be the set of Type-1 andType-2 states for every ψ ∈ xcl(ϕ) and for every threshold t ∈ [0, 1], then Q is a subsetof S which is constructed on-the-fly according to the transition function defined below.We later show that Q is indeed finite.

The transition function δ : Q× 2AP → B+(Q) is defined as follows. Let σ ∈ 2AP ,for Type-2 states, the transitions are as in the standard translation from LTL to AWA[23] (see Appendix A.2 for details). For the rest of the states, we define the transitions asfollows.

– δ((True > t), σ) =

[True if t < 1,False if t = 1.

– δ((False > t), σ) = False.

– δ((True < t), σ) = False. – δ((False < t), σ) =

[True if t > 0,False if t = 0.

– δ((p > t), σ) =

[True if p ∈ σ and t < 1,False otherwise.

– δ((p < t), σ) =

[False if p ∈ σ or t = 0,True otherwise.

– δ((ψ1 ∨ ψ2 > t), σ) = δ((ψ1 > t), σ) ∨ δ((ψ2 > t), σ).– δ((ψ1 ∨ ψ2 < t), σ) = δ((ψ1 < t), σ) ∧ δ((ψ2 < t), σ).– δ((¬ψ1 > t), σ) = δ((ψ1 < 1− t), σ) – δ((¬ψ1 < t), σ) = δ((ψ1 > 1− t), σ).– δ((Xψ1 > t), σ) = (ψ1 > t). – δ((Xψ1 < t), σ) = (ψ1 < t).– δ((ψ1Uηψ2 > t), σ) = δ((ψ2 >

tη(0) ), σ) ∨ [δ((ψ1 >

tη(0) ), σ) ∧ (ψ1Uη+1ψ2 > t)] if 0 < t

η(0) < 1,

False if tη(0) ≥ 1,

δ(((ψ1Uηψ2)+), σ) if t

η(0) = 0 (i.e., t = 0).

3 The reader may be concerned that θ+ is not uniquely defined. While this does not affect theproof, one may assume that the construction is as in the proof of Lemma 1

7

– δ((ψ1Uηψ2 < t), σ) = δ((ψ2 <t

η(0) ), σ) ∧ [δ((ψ1 <t

η(0) ), σ) ∨ (ψ1Uη+1ψ2 < t)] if 0 < tη(0) ≤ 1,

True if tη(0) > 1,

False if tη(0) = 0 (i.e., t = 0).

– δ((ψ1Uηψ2 > t), σ) = δ((ψ2 >t

η(0) ), σ) ∧ [δ((ψ1 >t

η(0) ), σ) ∨ (ψ1Uη+1ψ2 > t)] if 0 < tη(0) < 1,

False if tη(0) ≥ 1,

δ(((ψ1Uηψ2)+), σ) if t

η(0) = 0 (i.e., t = 0).

– δ((ψ1Uηψ2 < t), σ) = δ((ψ2 <t

η(0) ), σ) ∨ [δ((ψ1 <t

η(0) ), σ) ∧ (ψ1Uη+1ψ2 < t)] if 0 < tη(0) ≤ 1,

True if tη(0) > 1,

False if tη(0) = 0 (i.e., t = 0).

– δ((ψ1Uψ2 > t), σ) =

δ((ψ2 > t), σ) ∨ [δ((ψ1 > t), σ) ∧ (ψ1Uψ2 > t)] if 0 < t < 1,False if t ≥ 1,

δ(((ψ1Uψ2)+), σ) if t = 0.

– δ((ψ1Uψ2 < t), σ) =

δ((ψ2 < t), σ) ∧ [δ((ψ1 < t), σ) ∨ (ψ1Uψ2 < t)] if 0 < t ≤ 1,True if t > 1,False if t = 0.

We provide some intuition for the more complex parts of the transition function: considere.g. the transition δ((ψ1Uηψ2 > t), σ). Since η is decreasing, the highest possiblesatisfaction value for ψ1Uηψ2 is η(0). Thus, if η(0) ≤ t (equivalently, t

η(0) ≥ 1), then itcannot hold that ψ1Uηψ2 > t, so the transition is to False. If t = 0, then we only needto ensure that the satisfaction value of ψ1Uηψ2 is not 0, which is equivalent to requiringthat (ψ1Uηψ2)

+ is satisfied. So the transition is identical to that of the state (ψ1Uηψ2)+.

Finally, if 0 < t < η(0), then (slightly abusing notation) the assertion ψ1Uηψ2 > t istrue if either η(0)ψ2 > t is true, or both η(0)ψ1 > t and ψ1Uη+1ψ2 > t are true.

The initial state of Aϕ,v is (ϕ > v).The accepting states are those whose formula is of the form (ψ1Uψ2 < t), as well

as accepting states that arise in the standard translation of Boolean LTL to AWA (inType-2 states). Note that each path in the run of Aϕ,v eventually gets trapped in a singlestate. Thus, Aϕ,v is indeed a AWA. The intuition behind the acceptance condition is asfollows. Getting trapped in state of the form (ψ1Uψ2 < t) is allowed, as the eventualityis satisfied with value 0. On the other hand, getting stuck in other states (of Type-1 orType-3) is not allowed, as they involve eventualities that are not satisfied in the thresholdpromised for them.

This concludes the definition of Aϕ,v . It is not hard to see that it is indeed an AWA,with each state consisting a singleton set. Observe, however, that the construction asdescribed above is infinite (indeed, uncountable). Yet, only finitely many states arereachable from the initial state (ϕ > v), and we can compute these states in advance.Intuitively, it follows from the fact that once the proportion between t and η(i) goes above1, for Type-1 states associated with threshold t and sub formulas with a discountingfunction η, we do not have to generate new states.

A detailed proof of A’s finiteness and correctness is provided in the appendix.

8

3.3 From Aϕ,v to an NBW

Every AWA can be translated to an equivalent nondeterministic Buchi automaton (NBA,for short) [19]. In this section we analyze the size of the NBW obtained from the AWWAϕ,v .

It is clear from the construction in Section 3.2 that the number of states in the AWAdepends on the discounting functions in D as well as on the threshold v. Intuitively,the faster the discounting tends to 0, the less states there will be. Therefore, a concretecomplexity analysis requires prior knowledge on D.

We start with the following general result that does not depend on D. In Section 3.4,we focus in exponential discounting. The idea behind our complexity analysis is asfollows. Translating an AWA to an NBA involves alternation removal, which proceedsby keeping track of all entire levels in a run-DAG. Thus, a run of the NBA correspondsto a sequence of subsets of Q. The key to the proof is showing that the number of suchsubsets is only |Q|O(|ϕ|). To see why, consider a subset S of the states of A. We say thatS is minimal if it does not include two states of the form ϕ < t1 and ϕ < t2, for t1 < t2,nor two states of the form ϕUη+iψ < t and ϕUη+jψ < t, for i < j, and similarly for“>”. Intuitively, sets that are not minimal hold redundant assertions, and can be ignored.Accordingly, we restrict the state space of the NBA to have only minimal sets, whichbounds their number as follows.

Lemma 2. The AWA Aϕ,v constructed in Theorem 1 can be translated to an NBA with|Q|O(|ϕ|) states.

3.4 Exponential Discounting

In this section, we analyze the size of the AWA for a specific class of discountingfunctions, namely exponential discounting. This class is perhaps the most common classof discounting functions, as it describes what happens in many natural processes (e.g.,Markov chains, capacitor charge) [7, 22].

For λ ∈ (0, 1) we define the exponential-discounting function expλ : N → [0, 1]by expλ(i) = λi. For the purpose of this section, we restrict to λ ∈ (0, 1) ∩ Q. LetD = {expλ : λ ∈ (0, 1) ∩Q}, and consider the logic LTLdisc[D].

For an LTLdisc[D] formula ϕ we define the set F (ϕ) to be {λ1, ..., λk : the operatorsUexpλ or Uexpλ appear in ϕ}. Let |ϕ| be the number of subformulas of ϕ, and let |〈ϕ〉| bethe length of the description of ϕ. That is, |〈ϕ〉| includes the length, in bits, of describingF (ϕ).

Theorem 2. Given an LTLdisc[D] formula ϕ and a threshold v ∈ [0, 1] ∩ Q, thereexists an AWA Aϕ,v such that for every computation π it holds that Aϕ,v accepts π iff[[π, ϕ]] > v. Furthermore, the number of states ofAϕ,v is single-exponential in |〈ϕ〉| andthe description of v.

The proof follows from the following observation. Let λ ∈ (0, 1) and v ∈ (0, 1). Whendiscounting by expλ, the number of states in the AWA constructed as per Theorem 1 isproportional to the maximal number i such that λi > v, which is at most logλ v = log v

log λ ,which is polynomial in the description length of v and λ. A similar (yet more complicated)consideration is applied for the setting of multiple discounting functions and negations.

9

From Theorem 2 and Lemma 2 we conclude that the size of an NBA correspondingto ϕ and v is also single-exponential in |〈ϕ〉| and the description of v.

3.5 Decision Procedures for LTLdisc[D]

The AWA Aϕ,v constructed as per Section 3.2 accepts a path π iff [[ϕ, π]] > v. Bydualyzing (and hence, complementing) Aϕ,v, we can obtain an AWA Aϕ,v such thatL(Aϕ,v) = {π : [[π, ϕ]] ≤ v}.

Consider a Kripke structure K. By checking the emptiness of the intersection of Kwith Aϕ,v, we can solve the threshold model-checking problem. Using Theorem 1 andthis observation on the formula ¬ϕ and the threshold 1− v, we can also decide whetherthere exist a path π such that [[π, ϕ]] ≥ v, and whether there exists a path π such that[[π, ϕ]] < v. Finally, by adjusting the initial states ofAϕ,v and its complement automaton,we can decide whether there exists a path π such that [[π, ϕ]] ∈ I for every (continuous)interval I ⊆ [0, 1], either closed, open, or half-open.

Threshold satisfiability and synthesis: The NBA obtained in Lemma 2 can be used tosolve the threshold variant of additional classical decision problems for temporal logics.In particular, given an LTLdisc[D] formula ϕ and a threshold v ∈ [0, 1], we can decidewhether there is a computation π such that [[π, ϕ]] ∼ v, for ∼∈ {≤, <,≥, >}, and returnsuch a computation when the answer is positive. Also, assuming a partition of the atomicpropositions in ϕ to input and output signals, we can use Aϕ,v in order to generate anI/O-transducer all of whose computations π satisfy [[π, ϕ]] ∼ v.

4 Adding Propositional Quality Operators

As model checking is decidable for LTLdisc[D], one may wish to push the limit andextend the expressive power of the logic. In particular, of great interest are propositionalquality operators.

4.1 Adding the Average Operator

A well-motivated extension is the introduction of the average operator ⊕, with thesemantics [[π, ϕ ⊕ ψ]] = [[π,ϕ]]+[[π,ψ]]

2 . Our work in [1] proves that extending LTL bythis operator, in fact also a more general one, where average is weighted, enables cleanspecification of quality and results in a logic for which the model-checking problem canbe solved in PSPACE.

We show that adding the⊕ operator to LTLdisc[D] gives a logic, denoted LTLdisc⊕ [D],for which the validity and model-checking problems are undecidable. The validity prob-lem asks, given an LTLdisc⊕ [D] formula ϕ over the atomic propositions AP and athreshold v ∈ [0, 1], whether [[π, ϕ]] > v for every π ∈ (2AP )ω .

In the undecidability proof, we show a reduction from the 0-halting problem for two-counter machines. A two-counter machineM is a sequence (l1, . . . , ln) of commandsinvolving two counters x and y. We refer to {1, . . . , n} as the locations of the machine.There are five possible forms of commands:

INC(c), DEC(c), GOTO li, IF c=0 GOTO li ELSE GOTO lj , HALT,

10

where c ∈ {x, y} is a counter and 1 ≤ i, j ≤ n are locations. Since we can alwayscheck whether c = 0 before a DEC(c) command, we assume that the machine neverreaches DEC(c) with c = 0. That is, the counters never have negative values. Given acounter machineM, deciding whetherM halts is known to be undecidable [18]. GivenM, deciding whetherM halts with both counters having value 0 is also undecidable.Indeed, given a counter machineM, we can replace every HALT command with codethat clears the counters before halting. Thus, the halting problem can be reduced to thelatter problem, termed the 0-halting problem.

Theorem 3. The validity problem for LTLdisc⊕ [D] is undecidable (for every nonemptyset of discounting functions D).

The proof goes along the following lines: We construct fromM an LTLdisc⊕ [D]formula ϕ such thatM 0-halts iff there exists a computation π such that [[π, ϕ]] = 1. Theidea behind the construction is as follows. The computation that ϕ reads correspondsto a description of a run ofM, where every triplet 〈li, α, β〉 is encoded as the stringixαyβ#.

Example 2. Consider the following machineM:l1: INC(x) l4: DEC(x)l2: IF x=0 GOTO l6 ELSE GOTO l3 l5: GOTO (l2)l3: INC(y) l6: HALT

The command sequence that represents the run of this machine is〈l1, 0, 0〉, 〈l2, 1, 0〉, 〈l3, 1, 0〉, 〈l4, 1, 1〉, 〈l5, 0, 1〉, 〈l2, 0, 1〉, 〈l6, 0, 1〉

and the encoding of it as a computation is 1#2x#3x#4xy#5y#2y#6y#.

The formula ϕ “states” (recall that the setting is quantitative, not Boolean) thefollowing properties of the computation π:

1. The first configuration in π is the initial configuration ofM, namely 〈l1, 0, 0〉, or1# in our encoding.

2. The last configuration in π is 〈HALT, 0, 0〉, or k in our encoding, where k is a linewhose command is HALT.

3. π represents a legal run of M, up to the consistency of the counters betweentransitions.

4. The counters are updated correctly between configurations.

Properties 1-3 can easily be captured by an LTL formula. Property 4 utilizes the ex-pressive power of LTLdisc⊕ [D], as we now explain. The intuition behind Property 4 isthe following. We need to compare the value of a counter before and after a command,such that the formula takes a negative value if a violation is encountered, and a positivevalue otherwise. Since the value of counters can change by at most 1, the essence of thisformula is the ability to test equality of counters.

We start with a simpler case, to demonstrate the point. Let η ∈ D be a discountingfunction. Consider the formula CountA := aUη¬a and the computation aibj#ω. Itholds that [[aibj , CountA]] = η(i). Similarly, it holds that [[aibj#ω, aU(bUη¬b)]] =

11

η(j). Denote the latter by CountB. Let CompareAB := (CountA ⊕ ¬CountB) ∧(¬CountA⊕ CountB). We now have that

[[aibj#ω, CompareAB]] = min

{η(i) + 1− η(j)

2,η(j) + 1− η(i)

2

}= 1−|η(i)− η(j)|

2

and observe that the latter is 1 iff i = j (and is less than 1 otherwise). This is because ηis strictly decreasing, and in particular an injection.

Thus, we can compare counters. To apply this technique to the encoding of a com-putation, we provide some technical formulas to “parse” the input and find successiveoccurrences of a counter.

Since, by considering a Kripke structure that generates all computations, it is easy toreduce the validity problem to the model-checking problem, we can conclude with thefollowing.

Theorem 4. The model-checking problem for LTLdisc⊕ [D] is undecidable.

4.2 Adding Unary Multiplication Operators

As we have seen in Section 4.1, adding the operator⊕ to the logic makes model checkingundecidable. One may still want to find propositional quality operators that we can addto the logic preserving its decidability. In this section we describe one such operator. Weextend LTLdisc[D] with the operator Oλ, for λ ∈ (0, 1), with the semantics [[π,Oλϕ]] =λ · [[π, ϕ]]. This operator allows the specifier to manually change the satisfaction valueof certain subformulas. This can be used to express importance, reliability, etc. ofsubformulas. For example, in G(request → (response ∨ O 2

3Xresponse), we limit the

satisfaction value of computations in which a response is given with a delay to 23 .

Note that the operator Oλ is similar to a one-time application of Uexp+1λ

, thus Oλϕ isequivalent to FalseUexp+1

λψ. In practice, it is better to handle Oλ formulas directly, by

adding the following transitions to the construction in the proof of Theorem 1.

- δ(Oλϕ > t, σ) =

{δ(ϕ > t

λ , σ) if tλ < 1,

False if tλ ≥ 1,

- δ(Oλϕ < t, σ) =

{δ(ϕ < t

λ , σ) if tλ ≤ 1,

True if tλ > 1.

5 Extensions

5.1 LTLdisc[D] with Past Operators

One of the well-known augmentations of LTL is the addition of past operators [16].These operators enable the specification of exponentially more succinct formulas,while preserving the PSPACE complexity of model checking. In this section, we adddiscounting-past operators to LTLdisc[D], and show how to perform model-checking onthe obtained logic.

We add the operators Yϕ, ϕSψ, and ϕSηϕ (for η ∈ D) to LTLdisc[D], denoting theextended logic PLTLdisc[D] with the following semantics. For PLTLdisc[D] formulasϕ,ψ, a function η ∈ D, a computation π, and an index i ∈ N, we have

– [[πi,Yϕ]] = [[πi−1, ϕ]] if i > 0, and 0 otherwise.

12

– [[πi, ϕSψ]] = max0≤j≤i{min

{[[πj , ψ]],minj<k≤i

{[[πk, ϕ]]

}}}.

– [[πi, ϕSηψ]] = max0≤j≤i{min

{η(i− j)[[πj , ψ]],minj<k≤i

{η(i− k)[[πk, ϕ]]

}}}.

Observe that since the past is finite, then the semantics for past operators can usemin and max instead of inf and sup. As we now show, the construction we use whenworking with the “infinite future” Uη operator is similar to that of the one we use forthe “finite past” Sη operator. The key for this somewhat surprising similarity is the factour construction is based on a threshold. Under this threshold, we essentially bound thefuture that needs to be considered, thus the fact that it is technically infinite plays norole.

We now wish to translate PLTLdisc[D] formulas to automata. In the Boolean case,there are two approaches to this: one is to use 2-way weak alternating automata (2AWA),and the other goes through nondeterministic automata. To comply with our use of AWAin Theorem 1, we work with 2AWA.

A 2AWA is a tuple A = 〈Σ,Q, q0, δ, α〉 where Σ,Q, q0, α are as in AWA. Thetransition function is δ : Q × Σ → B+({−1, 1} × Q). That is, positive Booleanformulas over atoms of the form {−1, 1} × Q, describing both the state to which theautomaton moves and the direction in which the reading head proceeds.

As in LTLdisc[D], the construction extends the construction for the Boolean case,so we need to extend Lemma 1 and generate Boolean PLTL formulas for satisfactionvalues in {0, 1}. It is not hard to see that defining (ψ1Sηψ2)

+= (ψ1

+)S(ψ2+) and

(Yψ)+ = Y(ψ+) works.Given a PLTLdisc[D] formula ϕ and a threshold t ∈ [0, 1), we construct a 2AWA as

in Theorem 1, with the following additional transitions:

– δ((Yψ > t), σ) = 〈−1, (ψ > t)〉 - δ((Yψ < t), σ) = 〈−1, (ψ < t)〉.– δ((ψ1Sψ2 > t), σ) = δ((ψ2 > t), σ) ∨ (δ((ψ1 > t), σ) ∧ 〈−1, (ψ1Sψ2 > t)〉).– δ((ψ1Sψ2 < t), σ) = δ((ψ2 < t), σ) ∧ (δ((ψ1 < t), σ) ∨ 〈−1, (ψ1Sψ2 < t)〉).– δ((ψ1Sηψ2 > t), σ) = δ((ψ2 >

tη(0) ), σ) ∨ [δ((ψ1 >

tη(0) ), σ) ∧ 〈−1, (ψ1Sη+1ψ2 > t)〉] if 0 < t

η(0) < 1,

False if tη(0) ≥ 1,

δ(((ψ1Sηψ2)+), σ) if t

η(0) = 0.

– δ((ψ1Sηψ2 < t), σ) = δ((ψ2 <t

η(0) ), σ) ∧ [δ((ψ1 <t

η(0) ), σ) ∨ 〈−1, (ψ1Sη+1ψ2 < t)〉] if 0 < tη(0) ≤ 1,

True if tη(0) > 1,

False if tη(0) = 0 .

The operator Sη (dual-since), with the semantics [[πi, ϕSηψ]] = min0≤j≤i{max{η(i− j) [[πj , ψ]],maxj<k≤i

{η(i− k)[[πk, ϕ]]

}}}, can be added in a similar manner.

The correctness of the construction, the analysis of the blow up, and the use indecision procedures are similar to these in the Section 3. In particular, it follows that themodel-checking problem for PLTLdisc[D] is in PSPACE.

5.2 Weighted Systems

A weighted Kripke structure is a tuple K = 〈AP, S, I, ρ, L〉, where AP, S, I , and ρ areas in Boolean Kripke structures, and L : S → [0, 1]AP maps each state to a weighted

13

assignment to the atomic propositions. Thus, the value L(s)(p) of an atomic propositionp ∈ AP in a state s ∈ S is a value in [0, 1]. The semantics of LTLdisc[D] with respect toa weighted computation coincides with the one for non-weighted systems, except thatfor an atomic proposition p, we have that [[π, p]] = L(π0)(p).

It is possible to extend the construction of Aϕ,v described in Section 3.2 to analphabet WAP , where W is a set of possible values for the atomic propositions. Indeed,we only have to adjust the transition for states that correspond to atomic propositions, asfollows: for p ∈ AP , v ∈ [0, 1], and σ ∈WAP , we have that

− δ(p > v, σ) =

{True if σ(p) > v,

False otherwise.− δ(p < v, σ) =

{True if σ(p) < v,

False otherwise.

5.3 Changing the Tendency of Discounting

One may observe that in our discounting scheme, the value of future formulas is dis-counted toward 0. This, in a way, reflects an intuition that we are pessimistic about thefuture, or at least we are impatient. While in some cases this fits the needs of the specifier,it may well be the case that we are ambivalent to the future. To capture this notion, onemay want the discounting to tend to 1

2 . Other values are also possible. For example, itmay be that we are optimistic about the future, and want the discounting to tend to 3

4 . Forexample, when a system is constantly under maintenance and we know that componentsare likely to function slightly better in the future.

To capture this notion, we define the operators Oη,z and Oη,z for η ∈ D and z ∈ [0, 1]with the following semantics.[[π, ϕOη,zψ]] = sup

i≥0{min{η(i)[[πi, ψ]]+(1−η(i))z, min

0≤j<iη(j)[[πj , ϕ]]+(1−η(j))z}}.

[[π, ϕOη,zψ]] = infi≥0{max{η(i)[[πi, ψ]]+(1−η(i))z, max

0≤j<iη(j)[[πj , ϕ]]+(1−η(j))z}}.

The discounting function η determines the rate of convergence, and z determines thelimit of the discounting. The longer it takes to fulfill the “eventuality”, the closer thesatisfaction value gets to z.

Example 3. Consider a process scheduler. The scheduler decides which process to runat any given time. The scheduler may also run a defragment tool, but only if it is not inexpense of other processes. This can be captured by the formula ϕ = TrueOη, 12 defrag.Thus, the defragment tool is a “bonus”: if it runs, then the satisfaction value is above12 , but if it does not run, the satisfaction value is 1

2 . Treating 1 as “good” and 0 as “bad”means that 1

2 is ambivalent.

One may verify that ¬(ϕOη,zψ) ≡ (¬ϕ)Oη,1−z(¬ψ), so it is enough to includeOη,z in the logic. Also, clearly ϕUηψ ≡ ϕOη,0ψ and ϕUηψ = ϕOη,1ψ.

We claim that Theorem 1 holds under the extension of LTLdisc[D] with the operatorO. Indeed, the construction of the AWA is augmented as follows. For ϕ = ψ1Oη,zψ2,denote t−(1−η(0))z

η(0) by τ . One may observe that the conditions on tη(0) correspond

to conditions on τ when dealing with O. Accordingly, the transitions from the state(ψ1Oη,zψ2 > t) are defined as follows.

14

First, if t = z, then τ = t and we identify the state (ψ1Oη,zψ2 > t) with the state(ψ1Uψ2 > t). Otherwise, z 6= t and we define

– δ((ψ1Oη,zψ2 > t), σ) = δ((ψ2 > τ), σ) ∨ [δ((ψ1 > τ), σ) ∧ (ψ1Oη+1,zψ2 > t)] if 0 ≤ τ < 1,False if τ ≥ 1,True if τ < 0.

– δ((ψ1Oη,zψ2 < t), σ) = δ((ψ2 < τ), σ) ∧ [δ((ψ1 < τ), σ) ∨ (ψ1Oη+1,zψ2 < t)] if 0 < τ ≤ 1,True if τ > 1,False if τ ≤ 0.

References

1. S. Almagor, U. Boker, and O. Kupferman. Formalizing and reasoning about quality. Submitted.2. S. Almagor, Y. Hirshfeld, and O. Kupferman. Promptness in omega-regular automata. In 8th

ATVA, volume 6252, pages 22–36, 2010.3. M. Bojanczyk and T. Colcombet. Bounds in ω-regularity. In 21st LICS, pages 285–296, 2006.4. E. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.5. M. Dam. CTL? and ECTL? as fragments of the modal µ-calculus. TCS, 126:77–96, 1994.6. L. de Alfaro, M. Faella, T. Henzinger, R. Majumdar, and M. Stoelinga. Model checking

discounted temporal properties. TCS, 345(1):139–170, 2005.7. L. de Alfaro, T. Henzinger, and R. Majumdar. Discounting the future in systems theory. In

30th ICALP, LNCS 2719, pages 1022–1037, 2003.8. M. Droste, W. Kuich, and G. Rahonis. Multi-valued mso logics over words and trees.

Fundamenta Informatica, 84(3–4):305–327, 2008.9. M. Droste and G. Rahonis. Weighted automata and weighted logics with discounting. TCS,

410(37):3481–3494, 2009.10. M. Droste and H. Vogler. Weighted automata and multi-valued logics over arbitrary bounded

lattices. TCS, 418:14–36, 2012.11. M. Faella, A. Legay, and M. Stoelinga. Model checking quantitative linear time logic. Electr.

Notes Theor. Comput. Sci., 220(3):61–77, 2008.12. P. Gastin and D. Oddoux. Fast LTL to Buchi automata translation. In 13th CAV, LNCS 2102,

pages 53–65. Springer, 2001.13. D. Krob. The equality problem for rational series with multiplicities in the tropical semiring

is undecidable. International Journal of Algebra and Computation, 4(3):405–425, 1994.14. M. Kwiatkowska. Quantitative verification: models techniques and tools. In ESEC/SIGSOFT

FSE, pages 449–458, 2007.15. F. Laroussinie and P. Schnoebelen. A hierarchy of temporal logics with past. In 11th STACS,

pages 47–58, 1994.16. O. Lichtenstein, A. Pnueli, and L. Zuck. The glory of the past. In Logics of Programs, LNCS

193, pages 196–218. Springer, 1985.17. E. Mandrali. Weighted LTL with discounting. In CIAA, LNCS 7381, pages 353–360, 2012.18. M. Minsky. Computation: Finite and Infinite Machines. Prentice Hall, 1 edition, 1967.19. S. Miyano and T. Hayashi. Alternating finite automata on ω-words. TCS, 32:321–330, 1984.20. M. Mohri. Finite-state transducers in language and speech processing. Computational

Linguistics, 23(2):269–311, 1997.21. S. Moon, K. Lee, and D. Lee. Fuzzy branching temporal logic. IEEE Transactions on Systems,

Man, and Cybernetics, Part B, 34(2):1045–1055, 2004.

15

22. L. Shapley. Stochastic games. In Proc. of the National Academy of Science, volume 39, 1953.23. M.Y. Vardi. An automata-theoretic approach to linear temporal logic. In Logics for Concur-

rency: Structure versus Automata, LNCS 1043, pages 238–266, 1996.24. M. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification.

In 1st LICS, pages 332–344, 1986.

16

A Proofs

A.1 Proof of Lemma 1

We construct ϕ+ and ϕ<1 by induction on the structure of ϕ.

– If ϕ is of the form True, False, or p, for an atomic proposition p, then ϕ+ = ϕ andϕ<1 = ¬ϕ. Correctness is trivial.

– Ifϕ is of the formψ1∨ψ2, Xψ1, orψ1Uψ2, thenϕ+ isψ1+∨ψ2

+, Xψ1+,ψ1

+Uψ2+,

respectively. Dually, ϕ<1 is ¬(ϕ+) (which is sound since we already defined ϕ+ forthis case). Again, correctness is immediate.

– If ϕ = ¬ψ we define ϕ+ = ψ<1 and ϕ<1 = ψ+. Again, correctness is trivial.– If ϕ = ψ1Uηψ2 for η ∈ D, then ϕ+ = ψ1

+Uψ2+. Indeed, for every computation

π we have that [[π, ϕ]] > 0 iff there exists i ∈ N such that η(i)[[πi, ψ2]] > 0 andfor every 0 ≤ j < i it holds that η(j)[[πj , ψ1]] > 0, which happens iff there existsi ∈ N such that πi |= ψ2

+ and for every 0 ≤ j < i it holds that πj |= ψ1+, which

holds iff π |= ψ1+Uψ2

+.ϕ<1 is defined as follows. First, if η(0) < 1, then (

<1ϕ) = True. If η(0) = 1,

then ϕ<1 = ψ2<1. Indeed, [[π, ϕ]] = 1 iff η(0)[[π0, ψ2]] = 1 (since η is strictly

decreasing). The latter happens iff η(0) = 1 and π 6|= ψ2<1.

– If ϕ = ψ1Uηψ2 for η ∈ D, then ϕ+ = (ψ1+ ∨ ψ2

+)Uψ1+. Indeed, the value of

ψ1Uηψ2 is greater than 0 iff ψ1 actually holds at some point, and until then thesatisfaction value of either ψ1 or ψ2 is positive at every index.ϕ<1 is defined as follows. First, if η(0) < 1, then (

<1ϕ) = True. If η(0) = 1, then

ϕ<1 = ψ2<1∨ψ1

<1. Indeed, [[π, ϕ]] = 1 iff η(0)[[π0, ψ1]] = 1 and η(0)[[π0, ψ2]] = 1(since η is strictly decreasing). The latter happens iff η(0) = 1 and both π 6|= ψ1

<1

and π 6|= ψ2<1.

A.2 The standard translation of LTL to AWA

For completeness, we bring here the construction of the translation from LTL to AWA,which we use in Theorem 1. For the correctness proof, see e.g. [23].

Given an LTL formula ϕ over the atomic propositions AP , we construct an AWAAϕ = 〈Q, 2AP , Q0, δ, α〉 as follows. The state space Q consists of all the subformulasof ϕ, and their negations (we identify ¬¬ψ with ¬ψ). The initial state is ϕ, and theaccepting states are all the formulas of the form ¬(ψ1Uψ2). It remains to define thetransition function.

We start with a few notations. For a Boolean formula θ over Q, we define its dualformula θ by induction over the construction of θ, as follows.

– For ψ ∈ Q we have ψ = ¬ψ.– True = False and False = True.– ψ1 ∨ ψ2 = ψ1 ∧ ψ2 and ψ1 ∧ ψ2 = ψ1 ∨ ψ2

The transition function can now be defined as follows. Let ψ ∈ Q and σ ∈ 2AP .

– If ψ = p ∈ AP , then δ(ψ, σ) =

{True p ∈ σ,False p /∈ σ,

17

– If ψ = ζ1 ∨ ζ2, then δ(ψ, σ) = δ(ζ1, σ) ∨ δ(ζ2, σ),– If ψ = ¬ζ, then δ(ψ, σ) = δ(ζ, σ),– If ψ = Xζ, then δ(ψ, σ) = ζ,– If ψ = ζ1Uζ2, then δ(ψ, σ) = δ(ζ2, σ) ∨ (δ(ζ1, σ) ∧ ζ1Uζ2).

A.3 Continuation of the Proof of Theorem 1

We continue the proof that is given in the main text, showing that the constructed AWAAϕ,v is indeed finite and correct.

We first make some notations and observations regarding the structure of Aϕ,v . Forevery state (ψ > t) (resp. (ψ < t)) we refer to ψ and t as the state’s formula andthreshold, respectively. If the outermost operator in ψ is a discounting operator, then werefer to its discounting function as the state’s discounting function. For states of Type-2we refer to their formula only (as there is no threshold).

First observe that the only cycles inAϕ,v are self-loops. Indeed, consider a transitionfrom state q to state s 6= q. Let ψq, ψs be the formulas of q and s, respectively. Goingover the different transitions, one may see that either ψs is a strict subformula of ψq,or s is a Type-2 state, or both ψq and ψs have an outermost discounting operator withdiscounting functions η and η+1 respectively. By induction over the construction of ϕ,this observation proves that there are only self-cycles in Aϕv .

We now observe that in every run of Aϕ,v on an infinite word w, every infinitebranch (i.e., a branch that does not reach True) must eventually be in a state of the formψ1Uψ2 > t, ψ1Uψ2 < t, ψ1Uψ2 or ¬(ψ1Uψ2) (if it’s a Type-2 state). Indeed, thesestates are the only states that have a self-loop, and the only cycles in the automaton areself-loops.

We start by proving that there are finitely many states in the construction. First,all the sub-automata that correspond to Type-2 states have O(|ϕ|) states. This followsimmediately from Lemma 1 and from the construction of an AWA from an LTL formula.

Next, observe that the number of possible state-formulas, up to differences in thediscounting function, is O(|ϕ|). Indeed, this is simply the standard closure of ϕ. Itremains to prove that the number of possible thresholds and discounting functions isfinite.

We start by claiming that for every threshold t > 0, there are only finitely manyreachable states with threshold t. Indeed, for every discounting function η ∈ D (thatappears in ϕ), let it,η = max

{i : t

η(i) ≤ 1}

. The value of it,η is defined, since thefunctions tend to 0. Observe that in every transition from a state with threshold t, ifthe next state is also with threshold t, then the discounting function (if relevant) iseither some η′ ∈ D, or η+1. There are only finitely many functions of the former kind.As for the latter kind, after taking η+1 it,η times, we have that t/η+it,η (0) > 1. Bythe definition of δ, in this case the transitions are to the Boolean-formula states (i.e.,True, False, or some ψ+), from which there are finitely many reachable states. Weconclude that for every threshold, there are only finitely many reachable states with thisthreshold.

Next, we claim that there are only finitely many reachable thresholds. This followsimmediately from the claim above. We start from the state ϕ > v. From this state, there

18

are only finitely many reachable discounting functions. The next threshold that can beencountered is either 1− v, or v

η(0) for η that is either in D or one of the η+i for i ≤ iv,η .Thus, there are only finitely many such thresholds. Further observe that if a differentthreshold is encountered, then by the definition of δ, the state’s formula is deeper inthe generating tree of ϕ. Thus, there are only finitely many times that a threshold canchange along a single path. So by induction over the depth of the generating tree, we canconclude that there are only finitely many reachable thresholds.

We conclude that the number of states of the automaton is finite.Next, we prove the correctness of the construction. From Lemma 1 and the correct-

ness of the standard translation of LTL to AWA, it remains to prove that for every pathπ, π is accepted from state (ψ > v) (resp. (ψ < v)) iff [[π, ψ]] > v (resp. [[π, ψ]] < v).

The proof is by induction over the construction of ϕ, and is fairly trivial given thedefinition of δ.

A.4 Proof of Lemma 2

We start by defining generalized Buchi automata. An NGBA is A = 〈Q,Σ, δ,Q0, α〉,where Q,Σ, δ,Q0 are as in NBA. The acceptance condition is α = {F1, ..., Fk} whereFi ⊆ Q for every 1 ≤ i ≤ k. A run r of A is accepting if for every 1 ≤ i ≤ k, r visitsFi infinitely often.

We now proceed with the proof.Consider the AWA A obtained from ϕ using the construction of Section 3.2.In the translations of AWA to NBA using the method of [12], the AWA is translated to

an NGBA whose states are the subset-construction of the AWA. This gives an exponentialblowup in the size of the automaton. We claim that in our translation, we can, in a sense,avoid this blowup.

Intuitively, each state in the NGBA corresponds to a conjunction of states of theAWA. Consider such a conjunction of states of A. If the conjunction contains two states(ψ < t1) and (ψ < t2), and we have that t1 < t2, then by the correctness proof ofTheorem 1, it holds that a path π is accepted from both states, iff π is accepted from(ψ < t1). Thus, in every conjunction of states from A, there is never a need to considera formula with two different “<” thresholds. Dually, every formula can appear with atmost one “>” threshold.

Next, consider conjunctions that contain states of the form (ψ1Uηψ2 < t) and(ψ1Uη+kψ2 < t). Again, since the former assertion implies the latter, there is never aneed to consider two such formulas. Similar observations hold for the other discountingoperators.

Thus, we can restrict the construction of the NGBA to states that are conjunctionsof states from the AWA, such that no discounting operator appears with two different“offsets”.

Further observe that by the construction of the AWA, the threshold of a discountingformula does not change, with the transition to the same discounting formula, onlythe offset changes. That is, from the state (ψ1Uηψ2 < t), every reachable state whoseformula is ψ1Uη+kψ2 has threshold t as well. Accordingly, the possible number ofthresholds that can appear with the formula ψ1Uηψ2 in the subset construction of A, isthe number of times that this formula appears as a subformula of ϕ, which is O(|ϕ|).

19

We conclude that each state of the obtained NGBA is a function that assigns eachsubformula4 of ϕ two thresholds. The number of possible thresholds and offsets is linearin the number of states of A, thus, the number of states of the NGBA is |A|O(|ϕ|).

Finally, translating the NGBA to an NBA requires multiplying the size of the statespace by |A|, so the size of the obtained NBA is also |A|O(|ϕ|).

A.5 Proof of Theorem 2

We construct an AWA A = Aϕ,v as per Section 3.2, with some changes.Recall that the “interesting” states in A are those of the form ψ1Uη+iψ2 (resp.

ψ1Uη+iψ2). Observe that for the function expλ it holds that exp+iλ = λi · expλ. Accord-ingly, we can replace a state of the formψ1Uexp+i

λψ2 < twith the stateψ1Uexpλψ2 <

tλi ,

as they express the same assertion (and similarly for U, and for > t). Finally, notice thatexpλ(0) = 1. Thus, we can simplify the construction ofA with the following transitions:

Let σ ∈ 2AP , then we have that

–δ((ψ1Uexpλψ2 > t), σ) = δ((ψ2 > t), σ) ∨ [δ((ψ1 > t), σ) ∧ (ψ1Uexpλψ2 >tλ )] if 0 < t < 1,

False if t ≥ 1,

δ(((ψ1Uexpλψ2)+), σ) if t = 0.

–δ((ψ1Uexpλψ2 < t), σ) = δ((ψ2 < t), σ) ∧ [δ((ψ1 < t), σ) ∨ (ψ1Uexpλψ2 <tλ )] if 0 < t ≤ 1,

True if t > 1,False if t = 0 .

–δ((ψ1Uexpλψ2 > t), σ) = δ((ψ2 > t), σ) ∧ [δ((ψ1 > t), σ) ∨ (ψ1Uexpλψ2 >tλ )] if 0 < t < 1,

False if t ≥ 1,

δ(((ψ1Uexpλψ2)+), σ) if t = 0.

–δ((ψ1Uexpλψ2 < t), σ) = δ((ψ2 < t), σ) ∨ [δ((ψ1 < t), σ) ∧ (ψ1Uexpλψ2 <tλ )] if 0 < t ≤ 1,

True if t > 1,False if t = 0.

The correctness and finiteness of the construction follows from Theorem 1, with theobservation above. We now turn to analyze the number of states in A.

For every state (ψ > t) (resp. (ψ < t)) we refer to ψ and t as the state’s formula andthreshold, respectively. Observe that the number of possible state-formulas is O(|ϕ|).Indeed, the formulas in the states are either in the closure of ϕ, or are of the form ψ+,where ψ is in the closure of ϕ. This is because in the new transitions we do not carry theoffset, but rather change the threshold, so the state formula does not change.

4 where a subformula may have several occurences, e.g., in the formula p ∧ Xp we have twooccurences of the subformula p

20

It remains to bound the number of possible thresholds. Consider a state with thresholdt. In every succeeding state5, the threshold (if exists) can either remain t, or change to1− t (in case of negation), or t/λ, where λ ∈ F (ϕ), providing t < 1.

Initially, we ignore negations. In this case, the number of states that can be reachedfrom a threshold t is bounded by the size of the set{

k∏i=1

λi :

k∏i=1

λi > t, k ∈ N,∀i λi ∈ F (ϕ)

}

This length of the products can be bounded by logµ t = log tlog µ = O(log t), where

µ = maxF (ϕ). Thus, the number of possible values is bounded by (logµ t)|F (ϕ)|. From

here we denote logµ t by `.Next, we consider negations. Observe that in every path, there are at most |ϕ|

negations. In every negation, if the current state has threshold s, the threshold changesto 1 − s. We already proved that from threshold t we can get at most (`)m states.Furthermore, every such state has a threshold of the form

t∏`i=1 λi

where λi ∈ F (ϕ) ∪ {1} (we allow 1 instead of allowing shorter products).Consider a negation state with threshold s = t∏`

i=1 λi. If s = 1 then in the next state

the threshold is 0, and every reachable state is part of a Boolean AWA corresponding toan LTL formula, and thus has polynomially many reachable states.

Otherwise, we have that s < 1. Denote F (ϕ) = {λ1, ..., λm}, and assume thatt, λ1, ..., λm can be written as t = pt

qtand for all i, λi = pi

qi(which is possible as they

are inQ), then we have that

log(1− s) = log(1− t∏`i=1 λi

) = log(∏i=1

λi − t)− log(∏i=1

λi) > log(∏i=1

λi − t)

where the last transition is because log(∏`i=1 λi) < 0.

Let qmax = max {q1, ..., qm}, we now observe that

∏i=1

λi − t =∏i=1

piqi− ptqt

=

∏`i=1 piqt −

∏`i=1 qipt∏`

i=1 qiqt≥ 1∏`

i=1 qiqt≥ 1

q`maxqt

where the last transitions are because all the numbers are natural, and s > 1, so thenumerator must be a positive integer. From this we get that

log(1− s) > log

(1

q`maxqt

)= −(` · (log qmax + log qt))

5 This is almost correct. In fact, since δ is defined inductively, we may go through severaltransitions.

21

We see that we can bound 1− s from below by a rational number whose representationis linear in that of t and |〈ϕ〉|. Denote this linear function by f(n). Thus, continuingin this manner through O(ϕ) negations, starting from the threshold v, we have that thenumber of thresholds reachable from every state is bounded by (f(f(...f(log v)))︸ ︷︷ ︸

O(ϕ)

)m

which is single exponential in |〈ϕ〉| and the description of v.We conclude that the number of states of the automaton is single-exponential.

A.6 Proof of Theorem 3

We show a reduction from the 0-halting problem for two-counter machines to thefollowing problem: given an LTLdisc⊕ [D] formula ϕ over the atomic propositions AP ,whether there exists a path π ∈ APω such that [[π, ϕ]] = 1. We dub this the 1-co-validityproblem.

Let M be a two-counter machine with commands (l1, . . . , ln). A halting run ofa two-counter machine with commands from the set L = {l1, . . . , ln} is a sequenceρ = ρ1, . . . , ρm ∈ (L×N×N)∗ such that the following hold.

1. ρ1 = 〈l1, 0, 0〉.2. For all 1 < i ≤ m, let ρi−1 = (lk, α, β) and ρi = (l′, α′, β′). Then, the following

hold.– If lk is a INC(x) command (resp. INC(y)), then α′ = α + 1, β′ = β (resp.β = β + 1, α′ = α), and l′ = lk+1.

– If lk is a DEC(x) command (resp. DEC(y)), then α′ = α − 1, β′ = β (resp.β = β − 1, α′ = α), and l′ = lk+1.

– If lk is a GOTO ls command, then α′ = α, β′ = β, and l′ = ls.– If lk is an IF x=0 GOTO ls ELSE GOTO lt command, then α′ = α, β′ = β, andl′ = ls if α = 0, and l′ = lt otherwise.

– If lk is a IF y=0 GOTO ls ELSE GOTO lt command, then α′ = α, β′ = β, andl′ = ls if β = 0, and l′ = lt otherwise.

– If l′ is a HALT command, then i = m. That is, a run does not continue afterHALT.

3. ρm = 〈lk, α, β〉 such that lk is a HALT command.

Observe that the machineM is deterministic. We say that a machineM 0-halts ifits run ends in 〈l, 0, 0〉.

We say that a sequence of commands τ ∈ L∗ fits a run ρ, if τ is the projection of ρon its first component.

We construct fromM an LTLdisc⊕ [D] formula ϕ such thatM 0-halts iff there existsa computation π such that [[π, ϕ]] = 1. The idea behind the construction is as follows.The computation that ϕ reads corresponds to a description of a run ofM, where everytriplet 〈li, α, β〉 is encoded as the string ixαyβ#.

Example 4. Consider the following machineM:

l1: INC(x)l2: IF x=0 GOTO l6 ELSE GOTO l3

22

l3: INC(y)l4: DEC(x)l5: GOTO (l2)l6: HALT

The command sequence that represents the run of this machine is

〈l1, 0, 0〉, 〈l2, 1, 0〉, 〈l3, 1, 0〉, 〈l4, 1, 1〉, 〈l5, 0, 1〉, 〈l2, 0, 1〉, 〈l6, 0, 1〉

and the encoding of it as a computation is

1#2x#3x#4xy#5y#2y#6y#

The formula ϕ “states” (recall that the setting is quantitative, not Boolean) thefollowing properties of the computation π:

1. The first configuration in π is the initial configuration ofM (〈l1, 0, 0〉, or 1# in ourencoding).

2. The last configuration in π is 〈HALT, 0, 0〉 (or k in our encoding, where k can beany line whose command is HALT).

3. π represents a legal run of M, up to the consistency of the counters betweentransitions.

4. The counters are updated correctly between configurations.

Properties 1-3 are can easily be captured by an LTL formula. Property 4 utilizes theexpressive power of LTLdisc⊕ [D], as we now demonstrate. The intuition behind property4 is the following. We need to compare the value of a counter before and after a command,such that the formula takes a negative value if a violation is encountered, and a positivevalue otherwise. Since the value of counters can change by at most 1, the essence of thisformula is the ability to test equality of counters.

We start with a simpler case, to demonstrate the point. Let η ∈ D be a discountingfunction. Consider the formula CountA := aUη¬a and the computation aibj#ω. Itholds that [[aibj , CountA]] = η(i). Similarly, it holds that [[aibj#ω, aU(bUη¬b)]] =η(j). Denote the latter by CountB. Let CompareAB := (CountA ⊕ ¬CountB) ∧(¬CountA⊕ CountB). We now have that

[[aibj#ω, CompareAB]] = min

{η(i) + 1− η(j)

2,η(j) + 1− η(i)

2

}= 1−|η(i)− η(j)|

2

and observe that the latter is 1 iff i = j (and less than 1 otherwise). This is because η isstrictly decreasing, and in particular an injection.

Thus, we can compare counters. To apply this technique to the encoding of a compu-tation, we only need some technical formulas to “parse” the input and find consecutiveoccurrences of a counter.

We now dive into the technical definition of ϕ. The atomic propositions are AP ={1, ..., n,#, x, y} (where l1, ..., ln are the commands ofM). We let

ϕ := CheckCmds∧CheckInit∧CheckF inal∧CheckCounters∧ForceSingletons

23

ForceSingletons: This formula ensures that for a computation to get a value of morethan 0, every letter in the computation must be a singleton. Formally,

ForceSingletons := G

∨p∈AP

(p ∧∧

q∈AP\{p}

¬q)

CheckInit and CheckFinal: These formulas check that the initial and final configurationsare correct, and that after the final configuration, there are only #s.

CheckInit := 1 ∧ X#

Let I = {i : li = HALT}, we define

CheckF inal := G((∨i∈I

i)→ XG#)

CheckCmds: This formula verifies that the local transitions follow the instructions inthe counter machine, ignoring the consistency in the counter values, but enforcing that ajump behaves according to the counters. We start by defining, for every i ∈ {1, ..., n}:

waitfor(i) := (x ∨ y)U(# ∧ Xi)

Intuitively, a computation satisfies this formula (i.e., gets value 1) iff it reads counterdescriptions until the next delimiter, and the next command is li.

Now, for every i ∈ {1, ..., n} we define ψi as follows.

– If li = GOTO lj , then ψi := Xwaitfor(j).– If li ∈ {INC(c), DEC(c) : c ∈ {x, y}}, then ψi := Xwaitfor(i+ 1). 6

– If li = IF x=0 GOTO lj ELSE GOTO lk thenψi := X((x→ waitfor(k))∧((¬x)→waitfor(j))).

– If li = IF y=0 GOTO lj ELSE GOTO lk then ψi := X(((xUy) ∧ waitfor(k)) ∨((xU#) ∧ waitfor(j))).

– If li = HALT we do not really need additional constraints, due to CheckF inal.Thus we have ψi = True.

Finally, we define

CheckCmds := G∧

i∈{1,...,n}

ψi

CheckCounters: This is the heart of the construction. The formula checks whetherconsecutive occurrences of the counters match the transition between the commands. Westart by defining countX := xUη¬x and countY := xU(yUη¬y). Similarly, we havecountX−1 = xUηX¬x and countY −1 = xU(yUηX¬y).

6 if i = n then this line can be omitted from the initial machine, so w.l.o.g this does not happen

24

We need to define a formula to handle some edge cases. Let IHALT = {i : li = HALT},and similarly define IDECx and IDEC(y). We define

orHalt :=∨

i∈IDEC(x)

i ∧ X(x ∧ X(# ∧ X∨

k∈IHALT

k))∨

∨i∈IDEC(y)

i ∧ X(y ∧ X(# ∧ X∨

k∈IHALT

k)) ∨∨

i∈{1,...,n}

i ∧ X(# ∧ X∨

k∈IHALT

k)

Intuitively, this formula simply states that it is the last step, and the counters behave theway they should.

Testing the counters involves six types of comparisons: checking equality, increaseby 1, and decrease by 1 for each of the two counters. We define the following formulasfor these tests.

– Comp(x,=) := (countX ⊕ (xU(yU(# ∧ XX¬countX))))∧ ((¬countX)⊕ (xU(yU(# ∧ XXcountX)))).

– Comp(y,=) := (countY ⊕ (xU(yU(# ∧ XX¬countY ))))∧ ((¬countY )⊕ (xU(yU(# ∧ XXcountY ))))

– Comp(x,+1) :=(countX ⊕ (xU(yU(# ∧ XX¬countX−1)))

)∧((¬countX)⊕ (xU(yU(# ∧ XXcountX−1)))

)– Comp(y,+1) :=

(countY ⊕ (xU(yU(# ∧ XX¬countY −1)))

)∧((¬countY )⊕ (xU(yU(# ∧ XXcountY −1)))

)– Comp(x,−1) :=

(countX−1 ⊕ (xU(yU(# ∧ XX¬countX)))

)∧((¬countX−1)⊕ (xU(yU(# ∧ XXcountX)))

)– Comp(y,−1) :=

(countY −1 ⊕ (xU(yU(# ∧ XX¬countY )))

)∧((¬countY −1)⊕ (xU(yU(# ∧ XXcountY )))

)Now, for every i ∈ {1, ..., n} we define ξi as follows.

– If li ∈ {GOTO lj , IF c=0 GOTO lj ELSE GOTO lk : c ∈ {x, y}} , we need to makesure the value of the counters do not change. We define

ξi := i→ (X(comp(x,=) ∧ comp(y,=)) ∨ orHalt.

– If li = INC(x), we need to make sure that x increases and y does not change. Wedefine

ξi := i→ (X(comp(x,+1) ∧ comp(y,=)) ∨ orHalt.– If li = INC(y), we define

ξi := i→ (X(comp(x,=) ∧ comp(y,+1)) ∨ orHalt.

– If li = DEC(x), we define

ξi := i→ (X(comp(x,−1) ∧ comp(y,=)) ∨ orHalt.

– If li = DEC(y), we define

ξi := i→ (X(comp(x,=) ∧ comp(y,−1)) ∨ orHalt.

25

– If li = HALT we do not need additional constraints, due to CheckF inal. Thus wehave ψi = True.

Finally, we defineCheckCounters := G

∧i∈{1,...,n}

ξi

The correctness of the construction is obvious, once one verifies that the definedformulas indeed test what they claim to. Thus, we conclude thatM 0-halts iff thereexists a computation π such that [[π, ϕ]] = 1.

Finally, we reduce the 1-co-validity problem to the complement of the validityproblem: given a formula ϕ, the reduction outputs ¬(ϕ). Now, there exists a computationπ such that [[ϕ, π]] = 1 iff there exists a computation π such that [[π,¬ϕ]] = 0, iff not allthe computations of ¬ϕ give strictly positive satisfaction value. Thus, ϕ is 1-co-valid iff¬ϕ is not valid for threshold 0. Thus, the validity problem is undecidable.

A.7 Correctness Proof of the Construction in Section 5.3

Consider the case of (ψ1Oη,zψ2 > t). We check when this assertion holds.First, if z = t, then this assertion is equivalent to ψ1Uψ2 > t (this follows directly

from the semantics).Thus, assume that z 6= t.If τ < 0, then t < (1− η(0))z, so in particular, for every value of [[π0, ψ2]], it holds

that t < η(0)[[π0, ψ2]] + (1− η(0))z, so the assertion is true, since the first operand inthe sup is greater than t.

If τ ≥ 1 then η(0) + (1− η(0))z ≤ t, so both η(0)[[π0, ψ2]] + (1− η(0))z ≤ t andη(0)[[π0, ψ1]] + (1 − η(0))z ≤ t. Thus, every operand in the sup has an element lessthan t, so the sup cannot be greater than t, so the assertion is false.

If 0 ≤ τ < 1, then similarly to the case of Uη - the assertion is equivalent to thefollowing: either ψ2 > τ , or both ψ1 > τ and (ψ1Oη+1,zψ2 > t).

The case of O is proved similarly.It remains to show that there are still only finitely many states. Since z 6= t, we get

that limη(0)→0 τ =

{∞ t > z

−∞ t < z. Thus, after a certain number of transitions, τ takes

a value that is not in [0, 1], in which case the next state is True or False, so the numberof states reachable from ϕ > t is finite.

We remark that this is not true if z = t, which is why we needed to treat this caseseparately.

26