Linear Temporal Logic: Expressiveness and Model Checkinganna.fi.muni.cz/papers/src/public/ca6ca64bc134d3211d7f60a5a0bfbcbd.pdf · Vojtech Reh ak.· I thank all the people who have

��

�� !" # $ % & ')(�*,+�- .0/214365 7 8�9: ;< => ?@ Masaryk University Brno

Faculty of Informatics

Linear Temporal Logic:Expressiveness and Model Checking

Jan Strejcek

Ph.D. Thesis

2004

Abstract

Model checking of finite-state systems with specifications given as formu-lae of Linear Temporal Logic (LTL) is one of the most common verificationproblems. Like other verification problems, LTL model checking suffersfrom state explosion. Techniques tackling state explosion usually employsome specific property of the LTL fragment they are designed for. For ex-ample, a popular method called partial order reduction is based on the factthat specifications given by LTL formulae without the ‘next’ operator donot distinguish between the stutter equivalent behaviours of a system.

We study the properties of LTL fragments that are related to modelchecking. In particular, we are interested in the properties that can po-tentially lead to new techniques suppressing the state explosion problem.At the same time we study expressiveness and decidability of LTL frag-ments, and complexity of model checking problem for the fragments. Be-sides a broad unifying overview of hitherto known results, this thesispresents some original results about LTL fragments with temporal oper-ators ‘next’ and ‘until’, where the nesting depths of one or both operatorsare bounded. More precisely, we extend the above-mentioned stutteringprinciple to these fragments and describe a new concept of characteristicpatterns. In both cases we indicate that our results can improve existingmodel checking techniques. Furthermore, we develop the established factthat LTL is expressively equivalent to alternating 1-weak Buchi automata(A1W automata). Specifically, we identify the classes of A1W automatathat are expressively equivalent to LTL fragments of the until-release hi-erarchy and LTL fragments using only future temporal operators with orwithout bounded nesting depths. This thesis also contains a collection ofopen questions and topics for future work.

Acknowledgements

First of all I would like to thank my supervisor Mojmır Kretınsky for hishelp, encouragement, and many valuable and wide-ranging discussionsduring my studies. I am grateful to him also for careful reading a draft ofthis thesis.

Many thanks go to Antonın Kucera for his support and fruitful collab-oration. I also much appreciate the collaboration with Radek Pelanek andVojtech Rehak.

I thank all the people who have contributed to this thesis in some way.Namely, I thank Michal Kunc for providing the crucial hints which eventu-ally led to the definition of characteristic patterns, Nicolas Markey for theclarification of the situation around the chop modality, Lenore Zuck forsending me an electronic version of her PhD thesis (at the same time I thankthe person who had to scan the whole thesis because of me), Thomas Wilkefor sending me a hard copy of his post-doctoral thesis, Ivana Cerna and JirıSrba for providing me with some papers that are neither online nor in ourfaculty library, and James Thomas for consultation regarding my English.

My thanks go also to all colleagues from Parallel and Distributed Sys-tems Laboratory (ParaDiSe). From time to time they infected me with theiralmost constant enthusiasm for formal verification.

Finally, I thank my wife Adriana and our daughter Zorka for their love,support, and patience.

Jan Strejcek

Contents

1 Introduction 11.1 Subject of this thesis . . . . . . . . . . . . . . . . . . . . . . . . 41.2 Thesis contribution . . . . . . . . . . . . . . . . . . . . . . . . 41.3 Thesis organization . . . . . . . . . . . . . . . . . . . . . . . . 61.4 Author’s publications . . . . . . . . . . . . . . . . . . . . . . 7

2 Preliminaries 92.1 Linear temporal logic . . . . . . . . . . . . . . . . . . . . . . . 9

2.1.1 Basic syntax and semantics . . . . . . . . . . . . . . . 112.1.2 Satisfiability, validity, and equivalence . . . . . . . . . 132.1.3 Other temporal operators . . . . . . . . . . . . . . . . 142.1.4 Fragments . . . . . . . . . . . . . . . . . . . . . . . . . 24

2.2 First-order monadic logic of order . . . . . . . . . . . . . . . 282.2.1 Fragments . . . . . . . . . . . . . . . . . . . . . . . . . 29

2.3 Automata and formal languages . . . . . . . . . . . . . . . . 292.3.1 Finite words . . . . . . . . . . . . . . . . . . . . . . . . 292.3.2 Infinite words . . . . . . . . . . . . . . . . . . . . . . . 312.3.3 Alternating automata . . . . . . . . . . . . . . . . . . 32

2.4 Model checking . . . . . . . . . . . . . . . . . . . . . . . . . . 342.4.1 Partial order reduction . . . . . . . . . . . . . . . . . . 372.4.2 Model checking a path . . . . . . . . . . . . . . . . . . 39

3 Expressiveness 413.1 Complete LTL . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

3.1.1 Finite words . . . . . . . . . . . . . . . . . . . . . . . . 423.1.2 Infinite words . . . . . . . . . . . . . . . . . . . . . . . 44

3.2 Simple fragments . . . . . . . . . . . . . . . . . . . . . . . . . 463.2.1 Stuttering and its implications . . . . . . . . . . . . . 473.2.2 Forbidden patterns . . . . . . . . . . . . . . . . . . . . 483.2.3 Connection to FOMLO and its implications . . . . . . 493.2.4 Expressiveness hierarchy . . . . . . . . . . . . . . . . 52

3.3 Nesting fragments . . . . . . . . . . . . . . . . . . . . . . . . 543.3.1 Fragments �� : Until hierarchy . . . . . . . 54

viii CONTENTS

3.3.2 Fragments �� : Until-since hierarchy . . . . . . . . . 553.3.3 Fragments � � �� . . . . . . . . . . . . . . . . . . 553.3.4 Fragments � � �� , �� , and � � �� 57

3.4 Other fragments . . . . . . . . . . . . . . . . . . . . . . . . . . 583.4.1 Hierarchy of temporal properties . . . . . . . . . . . . 583.4.2 Until-release hierarchy . . . . . . . . . . . . . . . . . . 613.4.3 Deterministic fragment . . . . . . . . . . . . . . . . . 623.4.4 Flat fragment . . . . . . . . . . . . . . . . . . . . . . . 63

3.5 Succinctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643.6 Additional notes . . . . . . . . . . . . . . . . . . . . . . . . . . 66

4 Complexity issues 694.1 Satisfiability and model checking . . . . . . . . . . . . . . . . 704.2 Model checking a path . . . . . . . . . . . . . . . . . . . . . . 754.3 Additional notes . . . . . . . . . . . . . . . . . . . . . . . . . . 76

5 Stuttering principles 775.1 A general stuttering theorem . . . . . . . . . . . . . . . . . . 79

5.1.1 Letter stuttering ( -stuttering) . . . . . . . . . . . . . 795.1.2 Subword stuttering . . . . . . . . . . . . . . . . . . . . 815.1.3 General stuttering . . . . . . . . . . . . . . . . . . . . 83

5.2 Stuttering as a sufficient condition . . . . . . . . . . . . . . . 895.2.1 Letter stuttering . . . . . . . . . . . . . . . . . . . . . . 895.2.2 General stuttering . . . . . . . . . . . . . . . . . . . . 93

5.3 Answers to Questions 1, 2, and 3 . . . . . . . . . . . . . . . . 945.4 Application in model checking . . . . . . . . . . . . . . . . . 97

5.4.1 Letter stuttering . . . . . . . . . . . . . . . . . . . . . . 975.4.2 General stuttering . . . . . . . . . . . . . . . . . . . . 98

5.5 Additional notes . . . . . . . . . . . . . . . . . . . . . . . . . . 99

6 Characteristic patterns 1016.1 Definitions and basic theorems . . . . . . . . . . . . . . . . . 1046.2 Applications in model checking . . . . . . . . . . . . . . . . . 110

6.2.1 Decomposition technique . . . . . . . . . . . . . . . . 1116.2.2 Model checking a path using patterns . . . . . . . . . 1156.2.3 Partial order reduction using patterns . . . . . . . . . 117


7 Deeper connections to alternating automata 1197.1 Equivalence of LTL and A1W automata . . . . . . . . . . . . 120

7.1.1 LTL A1W translation . . . . . . . . . . . . . . . . . . 1207.1.2 A1W LTL translation . . . . . . . . . . . . . . . . . . 121

7.2 Improving A1W LTL translation . . . . . . . . . . . . . . . 1227.3 Defining LTL fragments via A1W automata . . . . . . . . . . 129

CONTENTS ix

7.3.1 Fragments �� . . . . . . . . . . . . . . . 1307.3.2 Until-release hierarchy . . . . . . . . . . . . . . . . . . 131


8 Conclusions 1378.1 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Bibliography 139

Chapter 1

Introduction

Today, the power of computers and sophisticated software methodologiesand tools enable the design of very complex systems. Together with an in-crease in complexity, it is still more and more difficult to make the systemsbug-free. Every error found late in the design process can delay the pro-duction phase and the consequences of a latent error could be catastrophic.It is extremely important to find all possible bugs and to find them as earlyin the design process as possible.

Several so-called design validation methods have been introduced so farto help developers to find bugs. Two such methods are testing and simula-tion. Although they are the oldest ones, they are still heavily used. Both ofthem are quite effective in early phases of the debugging process, but theeffectiveness dramatically decreases when the system hides only a smallnumber of bugs. Moreover, these methods are not usually able to confirmthat the design is fully correct as they explore only some of the possiblebehaviours of the system.

Another approach to design validation is formal verification. The mainadvantage shared by various verification techniques is an ability to pro-nounce that the system is correct (i.e. the system corresponds to its specifi-cation) as they explore all the possible behaviours of the system. There arethree basic formal verification techniques.

Theorem proving - The idea is to prove formally that the designed systemhas the required properties. Unlike the other formal verification tech-niques, theorem proving has not yet been automatized. However,there are some semi-automatic methods and research into this area isongoing.

Equivalence checking - Equivalence checking refers to the problem of de-ciding if a system and its specifications are the same with respect toa given behavioural equivalence or not. Many behavioural equiva-lences have been suggested and studied within this context. Several

2 INTRODUCTION

algorithms to solve the equivalence checking problem have been de-signed and implemented. The main disadvantage of this approach isthe need for a detailed specification.

Model checking - Specification is denoted by a formula of suitable modalor temporal logic. Model checking is required to decide whethera given system satisfies the specification formula or not. In the lat-ter case, the algorithms return a negative answer accompanied by acounterexample, i.e. a run of the system violating the specification.

These formal verification techniques are aimed at validation of finite-state as well as infinite-state systems. The motivation for verificationof finite-state systems is obvious; all concrete instances of hardware andsoftware systems have a finite number of possible states (thanks to thefiniteness of data types, limited address space, etc.). However, there aregood reasons to deal with verification techniques for infinite-state systems.For example, these techniques can be used for verification of general orparametrized systems. Further, infinite-state abstractions of large finite-state systems can be smaller and the verification of such abstractions canbe easier. An example of a natural abstraction that can decrease the com-plexity is obtained when we forget that in real systems every stack has alimited height.

Many different modal and temporal logics can serve to express the sys-tems specifications for model checking purposes. In general, there are twoclasses of logics used in this context. The formulae of linear time logicsare interpreted over linear sequences of actions corresponding to possi-ble runs of the system. The “standard” linear time logic is Linear TemporalLogic (LTL). On the other hand, the formulae of branching time logics areinterpreted over states (in fact, over computational trees, i.e. the structureswhere the successors of each state are all states reachable from the state inone step). Unlike the linear case, several branching time logics are used, forexample Computational Tree Logic (CTL), CTL � , and � -Calculus.

One of the most prominent instances of the model checking problem isthe problem to decide whether a given finite-state system satisfies specifica-tions expressed by a given formula of the logic LTL. The problem is knownas the LTL model checking of finite-state systems. In this thesis we restrict ourattention just to this particular problem of formal verification.

As commonly agreed, the major disadvantage model checking suffersfrom is the well-known state explosion problem. Roughly speaking, the prob-lem is that the number of global states of a common system is very largein contrast to the length of the system’s high level definition (e.g. its sourcecode). This problem has basically two causes. First, the number of globalstates grows exponentially with the number of parallel components or

INTRODUCTION 3

threads of the system, which can be high especially in case of communica-tion protocols or complex hardware systems consisting of many separatedunits. The second cause of state explosion is the large data domains that thecommon systems are working with. Despite original pessimism, severalmethods dealing with the state explosion problem have been introduced.Besides abstraction, symbolic model checking, and partial order reduction, whichare already well established, there are other promising approaches such ascompositional reasoning or distributed model checking.

Abstraction techniques are usually performed on a high level descrip-tion of the system under verification. Intuitively, abstraction attempts todecrease the size (i.e. the number of global states) of the system by focus-ing on the aspects that are relevant to a given specification. For example, anabstraction method known as the cone of influence reduction eliminates thevariables that do not influence the variables in the specification. Further,data abstraction transforms the actual data domains into a smaller abstractdata domains. Abstraction is often combined with the other methods deal-ing with state explosion.

Symbolic model checking employs Ordered Binary Decision Diagrams(OBDDs – see e.g. [Weg00]) to represent sets of global states of the sys-tem. For the systems that are regular in some sense (especially synchronoushardware chips), the OBDDs are much smaller than the representation byexplicit enumeration. This fact and the existence of fast algorithms for ma-nipulation with OBDDs have led to the development of many academicand even some commercial symbolic model checkers, which are used withsatisfactory success for verifying hardware circuits. Unfortunately, the statespaces of software systems are usually “less regular” than state spaces ofhardware systems. Therefore, the representation by OBDDs is not efficientenough in this case.

Another few promising techniques tackling state explosion have beendeveloped for LTL model checking. However, these techniques usuallydo not work for a general LTL formulae. In fact, they employ the specificproperties of LTL fragments they are designed for. For example, partialorder reduction methods can be used when a specification formula doesnot contain the temporal operator next saying that ‘a subformula holds inthe next state’ – these methods employ the fact that system specificationsgiven by such a formula are not sensitive to an order of independent actions(two action are independent when executing them in either of the orderresults in the same global state). Other examples are efficient algorithmsfor model checking of safety formulae, i.e. formulae saying that there is noreachable state with particular characteristics. We believe that the researchon properties of LTL fragments can lead to new and more efficient modelchecking techniques.

4 INTRODUCTION

1.1 Subject of this thesisThe central subject of this thesis are fragments of LTL and their attributesrelevant to model checking. More precisely, we are interested in the follow-ing properties.

Expressiveness – The expressiveness of an LTL fragment is measured bylanguages corresponding to the formulae of the fragment. We studyvarious characterizations of these language classes in terms of firstorder logic, finite automata, regular expressions, and algebraic struc-tures. The relative expressiveness of LTL fragments is studied as well.

Decidability – A fragment is said to be decidable if there is a proceduredeciding whether a given language can be defined by a formula ofthe fragment or not.

Complexity of model checking – We study the asymptotic complexity ofthe considered model checking problem and its subproblem calledmodel checking a path [MS03].

Other properties – We are also searching for all properties of LTL frag-ments that can potentially improve efficiency or tractability of modelchecking.

We have already provided a motivation for the properties in the last itemof the list given above. The motivation for research on expressiveness, de-cidability, and complexity of model checking is straightforward. Let usassume that we want to decide whether a finite-state system meets a givenspecification. In this situation we have to deal with the questions like: Inwhat fragments of LTL can the specification be denoted? What is the com-plexity of model checking for these fragments? Are there any techniquesimproving efficiency of model checking (like specialized model checkingalgorithms or partial order reduction methods) available for these frag-ments? Another natural question is whether the specification is satisfiable.This is why we also study the complexity of the satisfiability problem.

1.2 Thesis contributionResearch in the area of LTL fragments has been vital during the last decade.There are several papers surveying the results achieved, but they usuallyconcentrate on a specific aspect of the topic only. For example, the pa-per [Wil99] is focused on expressiveness and decidability of LTL fragments.Moreover, it is already out of date. A nice overview of complexity of themodel checking problem for various fragments of LTL, CTL, and CTL �

written by Schnoebelen [Sch03] concentrates on the asymptotic complex-ity of the problem. To the best of author’s knowledge, there is no paper

1.2 THESIS CONTRIBUTION 5

summarizing the properties of LTL fragments that lead to (asymptotic ornonasymptotic) improvements in model checking.

The contribution of this thesis can be divided into two parts.

� This thesis provides a broad and unifying summary of results regard-ing LTL fragments and their relations to model checking discussed inthe previous section. This thesis includes

– a comprehensive overview of temporal modalities and variousLTL fragments considered in literature,

– a summary of results on expressiveness and the decidability ofthese fragments, and

– a survey of complexity results for satisfiability and model check-ing problems for LTL fragments.

� Further, this thesis presents the following original results. Most ofthem are connected with LTL fragments that contain only widespreadfuture modalities next and until, and where the nesting depth of nextis bounded by parameter (denoted �� ), or nesting depthsof until is bounded by parameter � (denoted �� ), or bothnesting depths are bounded (denoted �� ).

– We formulate extended versions of the well-known stutteringprinciple. Using these extended principles we show that hier-archies of the fragments are strict and we also indicate that theprinciples can improve partial order reduction methods.

– We introduce a concept of characteristic patterns. This conceptprovides new insights into the expressive power of �� fragments. Further, we suggest three application of characteris-tic patterns that can potentially improve existing model check-ing techniques.

– It is known that alternating 1-weak (A1W) automata have the sameexpressive power as LTL. We improve the translation of A1Wautomata to equivalent LTL formulae. The improved transla-tion allows us to characterize the language classes correspond-ing to LTL fragments mentioned above and also to fragmentswith the temporal operator eventually. We also provide a charac-terization of language classes corresponding to fragments of theuntil-release hierarchy [CP03].

– Finally, few original (and almost evident) statements are in-cluded directly in the overview of known expressiveness resultsand in the survey of known complexity results.

6 INTRODUCTION

1.3 Thesis organization

The thesis is organized as follows.

Chapter 2 recalls all formalisms employed in the thesis, namely LTL andits fragments, first-order monadic logic and its fragments, and se-lected parts of automata and formal languages theory. We also de-scribe a classic automata-based algorithm for LTL model checking,theoretical background of standard partial order reduction methods,and a subproblem called model checking a path. The definition of LTLis divided into two parts. First we define the “light version” usingonly future modalities next and until. This version is sufficient for al-most all the original results presented in Chapters 5, 6, and 7. Thenwe present an overview of other modalities occurring in literature ac-companied by basic relations between the modalities.

Chapter 3 summarizes known expressiveness and decidability results forLTL fragments. Further, this chapter contains a section devoted to thesuccinctness of LTL fragments with respect to other equivalent for-malisms. In this chapter we also mention many fragment properties,like standard stuttering principle or relations to automata of specialtype, that can lead to improvements of model checking algorithms.

Chapter 4 provides a survey of results concerning the asymptotic com-plexity of satisfiability, model checking, and model checking a pathproblems for various LTL fragments.

Chapter 5 extends the standard stuttering principle to more general letterstuttering, subword stuttering, and general stuttering principles. Thesenew principles allow us to prove the semantic strictness of naturalhierarchies of �� , �� , and �� fragments.Further, we provide an effective characterization of languages defin-able by �� formulae. We also indicate potential applicationsof letter stuttering and general stuttering in partial order reduction.

Chapter 6 gives a new characterization of languages that are definablein fragments of the form �� . We also propose a genericmethod for decomposing LTL formulae into an equivalent disjunc-tion of “semantically refined” LTL formulae, and indicate how thisresult can be used to improve the functionality of existing LTL modelcheckers. Application of characteristic patterns in model checking apath and partial order reduction are suggested as well.

Chapter 7 reviews the translations between LTL and A1W automata show-ing that the two formalisms are expressively equivalent. We improve

1.4 AUTHOR’S PUBLICATIONS 7

the translation of A1W automata to LTL formulae. Using the im-proved translation we identify the classes of A1W automata equiv-alent to �� , �� , and � � �� fragments, andto those fragments extended with the temporal operator eventually.Further, we identify the classes of A1W automata equivalent to frag-ments of the until-release hierarchy [CP03].

Chapter 8 recapitulates the content of the thesis and the most importanttopics for future work.

The last sections of Chapters 3–7 are called “Additional notes”. Thesesections contain many open questions and topics for future work related tothe subject of the corresponding chapter.

1.4 Author’s publicationsThis section lists all publications (co-)authored by the author of this thesis.

Journal articles

1. Antonın Kucera and Jan Strejcek. The Stuttering Principle Revisited.Acta Informatica. To appear.

International conference and workshop proceedings

1. Antonın Kucera and Jan Strejcek. Characteristic Patterns for LTL. InSOFSEM 2005, Lecture Notes in Computer Science. Springer-Verlag,2005. To appear.

2. Mojmır Kretınsky, Vojtech Rehak, and Jan Strejcek. Extended ProcessRewrite Systems: Expressiveness and Reachability. In Philippa Gardnerand Nobuko Yoshida, editors, CONCUR 2004 - Concurrency Theory,volume 3170 of Lecture Notes in Computer Science, pages 355–370.Springer-Verlag, 2004.

3. Mojmır Kretınsky, Vojtech Rehak, and Jan Strejcek. On Extensions ofProcess Rewrite Systems: Rewrite Systems with Weak Finite-State Unit.In Philippe Schnoebelen, editor, INFINITY 2003: 5th InternationalWorkshop on Verification of Infinite-State Systems, volume 98 of Elec-tronic Notes in Theoretical Computer Science, pages 75–88. ElsevierScience Publishers, 2004.

4. Antonın Kucera and Jan Strejcek. The Stuttering Principle Revisited:On the Expressiveness of Nested X and U Operators in the Logic LTL. InJulian Bradfield, editor, CSL 2002: 11th Annual Conference of the

8 INTRODUCTION

European Association for Computer Science Logic, volume 2471 ofLecture Notes in Computer Science, pages 276–291. Springer-Verlag,2002.

5. Jan Strejcek. Rewrite Systems with Constraints. In Luca Aceto andPrakash Panangaden, editors, EXPRESS 2001: 8th InternationalWorkshop on Expressiveness in Concurrency, volume 52 of ElectronicNotes in Theoretical Computer Science. Elsevier Science Publishers,2002.

Other work

1. Jitka Crhova, Pavel Krcal, Jan Strejcek, David Safranek, and PavelSimecek. YAHODA: Verification Tools Database. In Ivana Cerna, editor,Tools Day, Proceedings, FIMU-RS-2002-05, pages 99–103. Faculty ofInformatics, Masaryk University Brno, 2002.

2. Jan Strejcek. Boundaries and Efficiency of Verification. In Proceedings ofsummer school on MOdelling and VErification of Parallel processes(MOVEP 2002), pages 403–408. IRCCyN, Ecole Centrale de Nantes,2002.

Technical reports

Six technical reports, mostly extended versions of the conference and work-shop papers.

The results presented in journal article 1 and conference paper 4 form thebase Chapter 5 while the results from conference paper 1 can be found inChapter 6.

The other conference and workshop papers deal with extended processrewrite systems, their expressiveness, and the reachability problem for theextended systems. The results from this area are not included here as amono-thematic thesis is preferred.

Chapter 2

Preliminaries

This chapter recalls the formalisms used in the thesis. We provide defini-tion of linear temporal logic including a comprehensive survey of temporaloperators introduced so far, definition of first-order monadic logic of order,and selected parts of formal languages and automata theory. Finally, wemention the model checking problem and describe some aspects of modelchecking area related to our topic.

First of all we establish the following convention. The set of naturalnumbers with zero is denoted by �� , while the set of natural numbers with-out zero is denoted by � .

2.1 Linear temporal logicThe genesis of linear temporal logic is linked with modal logic. Modal logichas been developed by philosophers to study reasoning that involves theuse of modalities, i.e. expressions of the form “it is possible that . . . ” and “itis necessary that . . . ”. Modal logic is interpreted over a set of possible worlds.The truth values of atomic propositions are determined by the consideredworld. Besides the boolean connectives, the logic uses the unary modal op-erators (or modalities) possibly and necessarily denoting that a proposition istrue in some possible world or all possible worlds of the considered set re-spectively. These operators have been already used (also in temporalizedform) by ancient Greek philosophy schools and further refined into differ-ent variants of necessity and possibility by European and Arabian logiciansduring Middle Ages.

The twentieth century brought new wave of interest in modal logics. In1963, Kripke [Kri63] formalized the semantics of modal logic based on theidea of possible worlds. Even before that, Prior [Pri57] introduced the tem-poral variant of modal logic under the name of Tense Logic; a set of possibleworlds is ordered into a (temporal) sequence and the modal operators pos-sibly and necessarily become the temporal operators eventually and always.

10 PRELIMINARIES

The variety of other modalities have been proposed during the followingyears, particularly the binary modalities until and since (presented by Kampin [Kam68]) and the unary modality next.

Many temporal logics have been introduced so far. They can be clas-sified with respect to the considered model of time flow as linear time orbranching time. In linear time concept, each instant has only one possiblefuture. That is, a set of possible worlds is ordered into a linear sequence.In branching time logics, each instant may have several distinct futures(but only one history). In this case, possible worlds are ordered into a treestructure. The concept of branching time naturally corresponds to the non-determinism. However, non-determinism can be modelled in linear timeas well; instead of one linear sequence we can consider a set of linear se-quences, each one corresponding to a particular course of events.

The best way to document the potential of temporal logic framework isto mention some of main applications. First applications of temporal log-ics can be found in the area of natural language analysis. The frameworkhas been also accepted by artificial intelligence community for dealing withtemporal issues. A concrete application in computer science was proposedfor the first time by Burstall in 1974 [Bur74]. His approach has been elab-orated by Pnueli in [Pnu77]. The paper is now considered to be the classicsource of program specification and verification based on temporal logic.

A popular examples of branching time temporal logic used in the con-text of computer science are the Computation Tree Logic (CTL) introduced byClarke and Emerson in [CE81] and the CTL* logic introduced by Emersonand Halpern in [EH86]. No less popular example of linear time temporallogic is the Linear Temporal Logic (LTL) [Pnu77, GPSS80] – the central subjectof the thesis.

First of all, we should specify a variant of LTL we deal with in the the-sis. As written above, LTL (as a linear time logic) is interpreted over (setsof) linear sequences of instants. However, this still allows several distinctmodels of time flow. For example, the linear sequence can be discrete orcontinuous. At the same time, it can be bounded on both side or just onone side (the beginning of the sequence is usually given in this case) orunbounded at all. In the following we work with (finite or infinite) dis-crete linear sequences with a given beginning. This is a natural choice inthe context of computer science as the beginning of a linear sequence cor-responds to the launch of a studied system (e.g. software or hardware) thatcan terminate after a finite number of steps or run forever.

More or less independently on a model of time flow, one can considervarious extensions of LTL. Here we mention just two important examplesas LTL extensions are out of the scope of the thesis. One of the oldest LTLextensions is Extended Temporal Logic (ETL) defined by Wolper in [Wol83].This extension enables LTL to express properties definable by right-linear

2.1 LINEAR TEMPORAL LOGIC 11

grammars. Other LTL extensions have been designed to deal with real time.For more details about timed logics we refer to the survey [AH92].

2.1.1 Basic syntax and semantics

The linear temporal logic can be equivalently defined with use of varioussets of temporal operators. In the following definition, we employ justtwo common temporal operators, namely next and until. We choose thesemodalities as they play the main role in Chapters 5, 6, and 7 devoted to re-sults of our research. Later we introduce the other temporal operators andargue that they do not change the expressive power of the logic.

The syntax of LTL formulae (ranged over by � �� ) is given by thefollowing abstract syntax:

��

where

� stands for true,

� � ranges over a countable set of atomic propositions �� "! #� %$ ��'& ,� � and � are boolean operators negation and conjunction respectively,

� � and � are temporal operators next and until respectively.

Given a formula � , �(�)� denotes its length and �� *�� denotes the set ofatomic propositions occurring in � .Other boolean connectives + , , , and- are derived operators defined via the standard abbreviations. We alsouse . (false), �/� (eventually), 01� (always), and �32�� (release) to abbreviate�� , �� , � �* �4�� , and � �*�� 5� � respectively.

In order to reduce the number of parentheses in formulae we establisha priority order of the operators as follows.

� Unary operators ( �� 60 , and operators defined later) have higherpriority than all binary operators.

� Binary temporal operators ( ��'2 , and temporal operators definedlater) have higher priority than ��7+�7, - .

� ��7+ have higher priority than , - .

� , has higher priority than - .

Example 2.1 We write �8� �9$:,;�1!<+ �=$ instead of �� 8� � �>$ ��, ��*��! �?+ �=$ � .

12 PRELIMINARIES

We define the semantics of LTL in terms of (languages over) infinite ornonempty finite words. An alphabet is a set �� , where �� is afinite set of atomic propositions. Elements of an alphabet are called letters.A finite sequence of letters from an alphabet � is called finite word or stringover � . An infinite sequence of letters from an alphabet � is called infiniteword or � -word over � . By word we refer to both finite and infinite words.A set of words over � is called language over � . Languages of � -words aresometimes called � -languages. Languages of all strings, nonempty strings,and � -words over an alphabet � are denoted by � � , � , and �� respec-tively. We use �� 5�� to range over � , � �� to range over � � , and� �� to range over � � . Finally, we use � to denote a finite or infiniteword.

Given a word � , by � �� we denote the length of � (for infinite words weset � �� ). An empty word � has a zero length. A concatenation of astring � and a word � is denoted by �?�� or �� . For all ��! �" � �� by � �# �� wedenote the �# %$'& �)(+* letter of � , i.e. � �,� �-��)� �%& �)� �.� � ��/� �%� ��01& � if � is finiteand � �� -��)� �%& �)� �.� � �� otherwise. Further, for all �2�3 4" � �� by �65 wedenote the 7(+* suffix of � , i.e. ��5 �8� �# ��)� �# �$9& �)� �# �$:� � ��/� �%� ��+04& � if � is finiteand �;5?�<� �# �)� �# =$1& �)� �# =$>� � �� otherwise. Moreover, for all �'�? @" � �� andACB & such that D$ A 0E&F" � �� the symbol � �# A � denotes the subword of �of length A which starts with � �# � , i.e. � �# A � �G� �# �)� �# H$,& � ��I� �# J$ A 0E& � .A pointed word is a pair �-�� of a nonempty word � and a position �'�? �" � ��in this word.

Let � be an LTL formula and �-�� be a pointed word. We define whena formula � is valid for the position in the word � , written �-�� 4�� , byinduction on the structure of � .

�-�� -�� iff �LKM� �# ��-�� iff �-�� ON� � ��-�� iff �-�� -�� -�� iff J$8&P" � �� -�� D$<& � � � ��-�� iff QSR ��# @�ERT" � �� -��R��

�VU A � �# �� A "ER , �-� A � � � ��

Intuitively, �)� says that � is true in the next position (and this nextposition exists). A formula � �>� means that � is true either now or in thefuture and � holds since now until that moment.

We say that a word � satisfies � , written � � � � , if �-�� . Givenan alphabet � , an LTL formula � defines the languages of finite or infinite


words over � in the following way:�� *�� /� K � �=� � � ��&� � �*�� K � � � � � � ��&

We omit the superscript � if � �,��

.On the other hand, a language � (of finite or infinite words) over an

alphabet � is said to be LTL language or LTL property if there exists an LTLformula � satisfying � � � �� *�� or � � � � �*�� .

The definition of LTL languages indicates that we work with languagesof finite words and with languages of infinite words, but not with lan-guages of finite and infinite words together. In this thesis we prefer towork with infinite words. However, we do not restrict our attention onlyto infinite words as some interesting results about LTL (e.g. characteriza-tion of LTL fragments via forbidden patterns) valid for finite words haveno proper counterparts in terms of infinite words. In the following chaptersthe logic is interpreted over infinite words unless stated otherwise.

Contrary to the model checking area, where the presented definition ofLTL fits perfectly, for theoretical study of LTL properties it is often moreconvenient to work with the variant of LTL using letters instead of atomicpropositions. More precisely, in syntax of the logic the atomic propositionsare replaced by letters and the second line in the definition of LTL semanticsis replaced by

�-�� < iff �<� �# �7�We use �� to range over letters. The definition of LTL based on lettersis also used in Chapters 5, 6, and 7 presenting the original results. Thedifference between the two presented versions of LTL is very subtle andresults proven for one setting can be easily adapted to the other.

2.1.2 Satisfiability, validity, and equivalenceThe decision whether we consider all pointed words or just the pointedwords of the form �-�� yields different notions of satisfiability, validity,and equivalence.

Definition 2.2 A formula � is said to be (initially) satisfiable if there existsa word � such that � � � � . A formula � is said to be globally satisfiable ifthere exists a word � and a position such that �-�� .

Definition 2.3 A formula � is said to be (initially) valid if for all words � wehave � � � � . A formula � is said to be globally valid if for all words � and for allpositions �'�! �" � �� we have �-�� .

14 PRELIMINARIES

It is easy to see that if a formula is initially satisfiable then it is alsoglobally satisfiable. On the other hand, if a formula is globally valid, then itis also initially valid. Moreover, a formula is globally satisfiable if and onlyif its negation is not globally valid. Analogous proposition holds for initialversions of satisfiability and validity.

Definition 2.4 Let � and � be LTL formulae. The formulae are said to be (ini-tially) equivalent, written ��P5 � , if for all words � we have

� � � � if and only if � � � � �The formulae are said to be globally equivalent, written ��<� , if for all words� and for all positions �'�? @" � �� we have

�-�� if and only if �-�� One can readily confirm that if two formulae are globally equivalent

then they are also initially equivalent.Let us mention that there is no difference between initial and global

versions of satisfiability, validity, and equivalence as far as we consideronly so called future modalities like until and next. Indeed, for all pointedwords �-�� and all formulae � containing only these modalities it holdsthat

�-�� if and only if � 5 � � �and hence the respective initial and global versions coincide. However,the difference between initial and global versions arises as soon as pastmodalities are introduced.

The satisfiability, validity, and equivalence problems are often consid-ered in context of either finite or infinite words only. However, the al-gorithms solving these problems for infinite words can be usually trans-formed to solve the problems for finite words with the same complexity.

2.1.3 Other temporal operatorsIn this subsection we enrich the syntax of LTL with other modalities con-sidered in the literature. For the sake of completeness, presented list ofmodalities includes the operators already defined as well. The descriptionsof individual operators contain alternative names and notations, formal se-mantics, and basic relations between modalities. These relations representthe first step in our study of expressive power of temporal operators.

Let us note that we present only temporal operators that we have foundin LTL related literature. Of course, one can define other temporal opera-tors like e.g. strict release or past versions of all the presented future oper-ators. We do not do this as the definition of new temporal operators is notthe goal of this thesis.


All temporal modalities can be divided into three categories, namelyfuture modalities, past modalities, and other modalities.

Future modalities

A unary temporal operator � is said to be future operator if the validityof a formula � � for a pointed word �-�� is determined by validity ofthe subformula � for pointed words of the form �-� A � where 9� A . Thedefinition of binary future modalities is analogous. It is easy to see thatboth � and � are future modalities. In literature dealing with LTL one canencounter the following future modalities.

�� – The operator called next or nexttime. It is sometimes denoted as �or �� .

�� – The operator weak next. It is sometimes denoted as �� . While �)� isnever valid for the last position in a finite word, � � � is valid in thiscase.

�-�� iff J$<&P" � �� , �-�� J$,& �<� � �The operator is dual to � operator:

�� )��

� �>� – The binary operator called until or strong until. It is sometimes de-noted as �� . The same name is sometimes used for the two followingversions of until operator.

� �� – The operator strict until is sometimes denoted as �� or � � . Thestrictness means that the validity of � � � � for a pointed word de-pends on the validity of the subformulae � and � for strictly futurepositions in the word.

�-�� iff Q R ��# @"ERT" � �� -��R��<� � � �� U A � �# �" A "ER , �-� A � � � � ��

Both � and � operators can be expressed using � � . Further, �� can beexpressed using the operators � and � :

�� . �� >� � � � + �*� � � � � � �� *� �>� �

Hence, LTL can be equivalently defined using just one temporal op-erator �� .

16 PRELIMINARIES

� � � � – The operator called weak until or waiting-for or unless is sometimesdenoted as � or � � . In contrast to � �9� , a formula � � � � does notsay that � must be true now or in the future.

�-�� iff U A ��# @� A " � �� , �-� A � � � ��++ Q R ��# @�ERT" � �� -��R��<� � � �

�VU A ��# @� A "ER , �-� A � � � ��

The operator is expressively equivalent to � operator:

� �>� � � � � � � � � �*�5� � � . �� + � �* �9��

By analogy, the strict version of this operator defined in [Kro87] underthe name unless is equivalent to � � .

�32 � – The operator release. Informally, �32�� means that � remains trueforever or at least to the position where � is true (including this posi-tion).

�-�� 32 � iff U A ��# @� A " � ��, �-� A �� ++ Q R ��# @�ERT" � �� -��R��<� � � � � �

�VU A ��# @� A "ER , �-� A � � � � ��

The operator is dual to � operator:

� �>� � � � �*��32 �5� ��32 � � � � �*�� 5� �

�� – The operator as long as introduced by Lamport [Lam83a]. A for-mula �� says that � remains true at least as long as � does.

�-�� iff UJR ��# � R>" � �� ,, ��-��R�� +

+�Q A � �# �� A �ER � �-� A � � � ��


� � � � � �5�� 4��

The strict version of this operator (with the arguments swapped) hasbeen introduced under the name while in [Kro87]. It is equivalent to�� operator.


�� – The operator called before or precedes. Intuitively, �� means thatif � is true now or in the future then � is true in some position beforethat moment.

�-�� :� iff UDR � ��# �� R>" � �� -��R�� ,, Q A � �# �� A "ER � �-� A ��

The operator is expressively equivalent to 2 operator and thus also to� operator:

�32�� 1�� 32 �5�

By analogy, the strict version of this operator defined in [Kro87] isequivalent to � � .

�� – The operator at next or first time introduced in [Kro87]. A formula�� says that either � is never true in the future or � is true in thefirst position where � is true.

�-�� iff UJR � �# �" R>" � �� , �-��R�� 5� ��++�Q R ��# �"ER>" � �� -��R��

� U A � �# �" A "ER , �-� A � � � �5� ��The operator is expressively equivalent to � � operator:

� � � � � � �� + �� *.�� 1� �� *� � � ��+ � �* ��

� � – The operator called eventually or sometime (in the future). It is some-times denoted as � . Informally, �/� means that � is true now or insome future position.

�-�� /� iff Q R ��# @�ERT" � �� -��R��<� � ��As already mentioned, the operator can be expressed using � opera-tor:

�/� � � ��

01� – The operator called always (in the future) or globally or henceforth. It issometimes denoted as � . A formula 0�� means that � is true now aswell as in all future positions.

�-�� 01� iff UDR � �# ��ERT" � �� , �-��R��<� � � �The operator is dual to � operator:

�/� � � � 0��01� � � � � ��

18 PRELIMINARIES

� � � – The operator strict eventually is sometimes denoted as � � or � � . Intu-itively, �� means that � is true in some future position.

�-�� iff Q R � �# �"ERT" � �� -��R��<� � � �The operator can be expressed using the operator �� or the operators� and � . Further, the operator � can be expressed with � � operator:

�� /� � � ��+ ��

0 � � – The operator strict always is sometimes denoted as 0 � or �60 . A for-mula 0�� says that � is true in all future positions.

�-�� 0 � � iff UDR � �# "ER>" � ��, �-��R�� The operator is dual to � � operator:

�� 0 � ��0��

�

� � – The operator infinitely often. A formula�

� � interpreted over an infi-nite word says that � is true in infinitely many future positions. Thesame formula interpreted over a finite word means that � is true atleast in the last position in the word. Hence, the operator is some-times called finally in the context of finite words.

�-��

� � iff UDR ��# ��ERM" � �� ,, Q A � �.R>� A " � �� -� A � � � � ��

The operator can be expressed using � operator:�

� � � � 0�� /� � ��

0 � – The operator called almost always or almost everywhere. A formula�

0 �interpreted over an infinite word means that � is true in all but a finitenumber of positions. The formula interpreted over a finite word hasthe same meaning as

�

� � .

�-��

0 � iff QSR ��# @�ERT" � ��<��VU A � �.R>� A " � ��, �-� A � � � ��

The operator is dual to�

� operator:�

� � � � ��

0 ��

0 � � � ��

� ��


Past modalities

The definition of past operators is analogous to the definition of future op-erators. Roughly speaking, a modality has the adjective past if its validityfor a pointed word �-�� depends on validity of its immediate subformulaefor pointed words �-� A � , where A �? .� � – The past version of � operator called previously or lasttime. It is some-

times denoted as �� or � �� or � - .

�-�� iff ��"? � �-�� 0!& �<� � �� – The weak version of � operator called weak previously. It is some-

times denoted as�� - .

�-�� iff ��"? , �-�� 0E& �<� � �The operator is dual to � operator:

� � � � � � �?��

� �)� – The past version of � operator called since. It is sometimes denotedas � �� .

�-�� iff QSR � �-��ERM�? � �-��R�� VU A ��.RM" A �! �, �-� A � � � ��

� � � � – The past version of � � called strict since. It is sometimes denotedas � � .

�-�� =� iff Q R � �-� �ER>"? � �-��R��<� � �� U A � �.R " A "? , �-� A � � � ��

Both � and � operators can be expressed using � � . Further, � � can beexpressed using the operators � and � :

� � � � . � � �� )� � � � + �*� � � � �=� ��

� �*� � � �

� � � � – The past version of � � operator called weak since or back to. It issometimes denoted as � .

�-�� iff U A ��-� � A �! �, �-� A � � � ��++�Q R � �-�9�!R>�? � �-��R��

�VU A � �.R>" A � R , �-� A � � � ��

20 PRELIMINARIES


� �)� � � � � � � � � �*�5� � � . �� )� + � �* �<��

� � – The past version of � operator called sometime in the past or eventuallyin the past. It is sometimes denoted as � �� or � - .

�-�� iff Q R ��-��ER>�! � �-��R��<� � ��

The operator can be expressed using � operator:� � � � � �

� � – The past version of 0 operator called always in the past or hitherto. Itis sometimes denoted as 0 �� or � - .

�-�� iff UDR � �-��ERT�! , �-��R��

The operator is dual to � operator:� � � � � � ��

� � � – The past version of � � operator called sometime in the strict past. It issometimes denoted as �� .

�-�� <� � � � � iff Q R � �-� �ER>"? � �-��R��

The operator can be expressed using the operator � � or the operators� and � . Further, the operator � can be expressed with � � operator:

� � � � � � � ��

�� + � � �

� � � – The past version of 0 � operator called always in the strict past. It issometimes denoted as �� .

�-�� iff UDR � �-��ERT"! , �-��R��

The operator is dual to � � operator:� � � � � � � � ��


� � – The operator called initially. A formula � � interpreted over a pointedword �-�� says that � is valid for the initial position in the word.

�-�� iff �-��

The operator can be seen as a past version of both�

� and�

0 operatorsas each prefix of a word is finite and the formulae

�

� � and�

0 � inter-preted over a finite word say that � is valid for the last position in theword. The operator can be expressed using � operator:

� � � ��

Other modalities

In the following we list the modalities that are not neither future nor pastmodalities.� � – The operator called now or from now on introduced [LS95]. Roughly

speaking, the operator cuts off the history.

�-�� iff �-�;5 ��

It is easy to see that if we restrict the set of temporal operators only tofuture ones, the addition of � operator is meaningless as � � � � � inthis case. Further, a formula using only past modalities in combina-tion with � can easily be converted into a globally equivalent formulawithout � operator in obvious way. Hence, the operator is used incombination with some future modalities and some past modalitiesas well.The operator 2 (and thus also � ) can be expressed using the operators� , � , and � . Moreover, the modality � � can be expressed using theoperators � , � , and � � :1

� 2�� *� � � � � + 0?�

� �� *� � � � �1� �8+�� 5�

� ��=� � �� *� � � � � � � � �*� +��

� �� *� � � � � � � � � �*��

Let us note that the above relations allow to define an expressivelyequivalent temporal logic containing only unary modalities.

The last operator covered by this overview is called chop. The operatorhas been introduced in [HKP82] and studied in [RP86]. Other two versions

1Let us note that the formula �� is valid only for the first positions in a word.

22 PRELIMINARIES

of chop have been defined in [MS03] and [Mar03a]. Intuitively, using thismodality one can divide a word (corresponding to a run of a system) intoa prefix (corresponding to a subrun of that run) and a suffix and formulatetheir temporal specifications separately. The operator has been consideredonly in connection with future modalities so far and its semantics has beengiven just for initial positions (semantics for general pointed words is givenonly in [Mar03a]). As indicated in [RP86], one has to define a global seman-tics for every pointed word to make this operator “compatible” with pastmodalities. We define the global semantics for the three versions of chopmodality in the following way.

��8� – The original version of chop operator as introduced in [HKP82] andstudied in [RP86]. Intuitively, ��8� is valid for a pointed word if theword can be divided into a prefix and a suffix (beginning with the lastletter of the prefix) such that the suffix starts at the current or a futureposition and it satisfies � , and � is valid for the current position inthe prefix.

�-�� iff QSR ��# @�ERT" � �� -� � ��<� � � �� -� �-��R:$<& � � �� We recall that � �-��R@$ & � �<� �-��)� �%& � �� .R�� and � � �<� �.R��)� �.RS$ & � �� .Please note that if a formula �� is interpreted over an infiniteword then � is interpreted over a finite prefix while � is interpretedover an infinite suffix.

�� – The version of chop operator introduced in [Mar03a] and denotedthere as �� . The difference between this version and the original oneis that the prefix and the suffix do not overlap and � has to be valid forthe prefix only on the assumption that the prefix contains the currentposition.

�-�� :� iff QSR � �# �� R>" � �� -� � ��<� � � �� # @"ER , �-� �-��R�� The operator � can be expressed using the operator � :

� � � � .� �

�� – The version of chop operator considered in [MS03] and called strictchop here. In contrast to the previous version of chop, the suffix sat-isfying � has to start at a (strictly) future position. Hence, the prefixhas to satisfy � in all cases.

�-�� iff Q R ��# @"ERT" � �� -� � ��<� � �� -� �-��R��


The operator � can be expressed using the operators �� and � . More-over, if we work with future modalities only (as mentioned before,initial and global equivalences coincide in this case) then the opera-tor � can be expressed by using the operator � � only:

��:� � � �� + � ��:� � 5��=� + �

The results about the chop modality cited in this thesis are valid for allthree versions of chop. In order to improve the presentation we refer to theoperator � only.

� � �

��

��

��

��

�

��

��

��

��

��

��

��

��

�

��

��

��

�

�� '2 � � � � 60��

��

��

��

��

�

� � � � � � � � � �

��

��

��

��

��60 � � �

�

� �

0�

Figure 2.1: Relations between temporal operators.

To sum up, we have introduced 15 future modalities, 10 past modali-ties, and 4 modalities that are neither past nor future. In many cases wehave shown that a modality can be equivalently (with respect to globalequivalence) replaced by a formula using another modality and booleanoperators. If this relation is symmetric we say that the two operators areexpressively equivalent. Hence, the operators can be divided into groupsof mutually equivalent operators. Figure 2.1 provides a summary of pre-sented relations between modalities. A line between two groups of equiv-alent modalities means that each modality from the lower group can beexpressed using arbitrary modality from the upper group.

The hierarchies of future and past temporal operators presented in Fig-ure 2.1 are strict. More precisely, modalities from different groups are notexpressively equivalent and if two groups are depicted to be incompara-ble then they are really incomparable (meaning that there exists a formulausing a modality from one group such that there is no globally equivalentformula using modalities from the other group instead of the modality, andvice versa). We do not prove our statements about the strictness of the hi-erarchies here as it is easy to find examples of formulae and pointed wordsproving them.

24 PRELIMINARIES

The relations depicted in Figure 2.1 often allow to restrict our attentionto set of modalities containing one representative of each group. In this casewe prefer to work with modalities listed on the first positions in the groups( �� ). Different situation arises when we put some restrictionson the applicability of boolean operators (e.g. the until-release hierarchygiven in Definition 2.10 employs a restriction on the applicability of a nega-tion). In this case, modalities in a group cannot be seen as interchangeablein general.

2.1.4 FragmentsFragments of a temporal logic are sets of formulae defined by various re-strictions on syntax of the logic. A language � is said to be expressible ordefinable by/in a fragment � (or � language for short) if the fragment con-tains a formula � such that � � � � �*�� or � � � �� *�� for some alphabet � .We sometimes say ‘a fragment’ meaning a set of languages expressible bythe fragment. Finally, we say that a formula � is expressible in a fragment �if � is equivalent to some formula of � .

This section presents all types of fragments we are working with in thefollowing chapters of this thesis. At first we give a general definition cov-ering most of the fragments considered in the literature and then we definethe fragments that do not fit into the general scheme.

The general definition employs the notion of nesting depth of a set ofmodalities.

Definition 2.5 Let � be an a formula and � be a set of temporal operators. Thenesting depth of the operators of � in the formula � , written � -depth �*� � , isdefined by induction on the structure of � . The operators � and �� range overunary and binary (temporal as well as boolean) operators respectively.

� -depth �* � � �� -depth �� -depth ��

�� -depth �*� � $<& if � K �� -depth �*� � otherwise

� -depth �*� � � � � � �� -depth �*� � �

� -depth �*�� & $8& if ��6K �� -depth �*� � � � -depth �*� � & otherwise

To improve our notation we omit the curly brackets whenever � is a singleton.

Example 2.6 Let � � � �>$�+ $ � � �� 9$ � + � ��$ . Then �� & -depth �*�� ,� -depth �*�� , and � -depth �*�� & .


Definition 2.7 Let � � � �� be mutually disjoint sets of temporal modal-

ities and � � � �� K� � � �=� & . By � � ��

� � �� we de-note the set

� � � � is a formula using only modalities of � �� and satisfying � 5 -depth �*�� M5 for every &O�? @�ER & �

The set is called simple fragment if � 5>�� for all , and it is called nestingfragment otherwise.

Let K � � . By �� we denote the set of all

formulae � K � � �� such that �� *�� (i.e. the

number of atomic propositions occurring in � is at most ). Further, by��

� � � � �� we denote a positive fragment containing theformulae of ��

� � �� where no temporal operator is inscope of any negation. By � � � � � ��

� � �� we denote a strat-ified fragment containing the formulae of ��

� � �� whereno future modality is in scope of any past modality [MP91]. Finally, by��

� � � � �� we denote the set

� � � � � ��

� � �� 7�To make the notation more readable, we omit the superscripts �15 equal to � andcurly brackets delimiting sets � 5 with a single element.

For example, �� denotes nesting fragment of LTL formulae builtwith temporal operators � and � such that their � -depth is at most � . Fur-ther, �� is simple fragment of the formulae using modalities � and � .The set of the formulae without any temporal operators can be denoted by�� .

The general definition covers also some recognized fragments. For ex-ample, �� is known as restricted temporal logic [PP04], fragments�� form the until hierarchy [EW00, TW01], and the fragment�� called next-free LTL is popular in the model checking area.Furthermore, fragments �� & � � �� form so-called until-sincehierarchy [TW02]. To shorten our notation, we write � � � instead of�� & � �� .

Let us note that a formula of a fragment with temporal operators in�� can contain modalities that are expressible with use

of the modalities in the union. The modalities outside the union are for-mally viewed as abbreviations. For example, � � ��0 � can be seen as aformula of fragment �� as 0 � is an abbreviation for � �* �� . In thiscase, � -depth �*�� equals � . For similar reason, fragment � � �� shouldbe seen as LTL fragment containing all future modalities. By analogy,�� denotes the fragment with all future and past modalities(this fragment is sometimes denoted by LTL+Past).

26 PRELIMINARIES

In the following we define other fragments of LTL which are studied inthis thesis.

Hierarchy of temporal properties

The hierarchy of temporal properties has been introduced by Manna andPnueli [MP90b, CMP92]. The classes of the hierarchy are characterizedthrough four views. Besides language-theoretic, automata, and topologi-cal views they have been also defined with use of LTL. The hierarchy con-tains classes of safety properties, guarantee properties, obligation properties,response properties2, persistence properties, and reactivity properties. We de-fine two fragments of LTL formulae for each of these classes.

First we define canonical fragments.

Definition 2.8 An LTL formula � is

a canonical safety formula iff � � 0?� ,a canonical guarantee formula iff � � � � ,a canonical obligation formula iff � �� 5�� 0?� 5 + �� 5 � ,

a canonical response formula iff � ��

� � ,a canonical persistence formula iff � �

�

0 � ,a canonical reactivity formula iff � � � �5��

�

0 � 59+�

� � 5 � ,where � K � � and � �� are formulae of �� .

In contrast to the canonical fragments, corresponding future frag-ments [CP03] are built only with future modalities.

Definition 2.9 The fragments of future safety ( �� ), future guarantee ( � ),future obligation ( �� ), future response ( �� ), and future persistence ( � � )formulae are defined inductively.

� � �� %� � + � � �� 01� � �� 2 � � �� %� +�� /� �� 9� �� >�� %� ��+�� 9� �� 2 � � �� >�� %� ��+�� 01� � �� 32:� � �� 9� �� >�� %� ��+�� /� � �� 4� � �� 2:�� Further, every �� formula is a future reactivity formula.

In fact, these future fragments coincide with standard fragments [CMP92]without the formulae containing past modalities.

2The response properties are sometimes called recurrence properties.


Until-release hierarchy

The until-release hierarchy of LTL fragments has been introduced in [CP03].It is based on the alternation depth of the operators � and 2 . Therefore it isalso called alternating hierarchy. The hierarchy consists of fragments of twotypes, namely � 265 and 2 �H5 .

Definition 2.10 The fragments � 2D5 '2 �H5 are defined inductively.� � 2 � � 2 � � � �� .� The fragments � 265 � is the least set containing 2 � 5 and closed under the

application of operators ��7+�� and � .� The fragment 2 � 5 � is the least set containing � 2D5 and closed under the

application of operators ��7+�� and 2 .

Let us note that there is no temporal operator in scope of any negation inthese fragments.

Deterministic fragment

The deterministic fragment of LTL, denoted �� , has been identified as thecommon fragment of LTL and CTL [Mai00].

Definition 2.11 The fragment �� is the smallest set of formulae such that� all atomic propositions are in �� ,� if � �� are formulae in �� and � K �� , then � � � , �)� , �� >��=+ �*� � �� , ��4�� *� �4�� , and � ��*� �4+�� 4+��1� �� are in �� .

Flat fragment

The idea of flat fragments of temporal logics have been introducedin [Dam99] where linear as well as branching temporal logics are underconsideration. Although the paper presents only one flat fragment of LTL,namely � � �� , we give a general definition of flat LTL fragments.

Definition 2.12 Let � be an LTL fragment. Fragment � � � consists of all for-mulae of � such that left subformula of each � operator is from � � �� .

These flat fragments can be alternatively defined with use of the specialmodality called flat until and denoted � � [DS02, Sch03]. The modality isthe until operator where only �� formulae are allowed on its left-handside.

28 PRELIMINARIES

2.2 First-order monadic logic of orderWe recall the syntax, semantics, and definitions of important fragments ofFirst-Order Monadic Logic of Order (FOMLO).

The signature of FOMLO contains unary predicates � � �� corre-sponding to atomic propositions � � #� � �� (here we assume that all atomicpropositions are of this form) and binary predicates �� and " standing forsuccessor and less than respectively. We use standard notations for variables,true, boolean connectives, equality, and quantifiers.

The formulae of FOMLO are defined as follows.� Atomic formulae �� 5�� "� and � � , where 9K � �

and � � are variables, are formulae of FOMLO.� Let � �� be FOMLO formulae and � be a variable. Then �� 7�� Q��

are FOMLO formulae as well.

The length of a FOMLO formula � is denoted by �(�)� . The syntax is fur-ther extended with . , disjunction, and universal quantification defined viastandard abbreviations.

Formulae of FOMLO are interpreted over (finite or infinite) words. Let� be a word over an alphabet � � , where � � �� . With � we associate thesets of natural numbers �� '� " � �� & and

� �5 � � � � � K � � and ��5 KM� � � � &

for every . We define when a FOMLO formula � is valid for � under a vari-able assignment � mapping variables to �� , written � � � �� , by inductionon the structure of � .

� � � �� ,�H5�� iff � �� K>� �5� � �� iff � �� $,&��8� �� "�� iff � �� " � �� iff � �� *�� iff �EN� � �� *� �3� �� iff � � � �� and � � � �� Q��?�� iff there exists an assignment � � such that � � � �� and

� � ��8� �� for every variable different from �By �� we denote the formula � where at most the variable � is free. To

bring this notation closer to the one for LTL, we write �-�� 9�� if �� is

2.3 AUTOMATA AND FORMAL LANGUAGES 29

valid for a word � under an assignment mapping � to . Further, we write� � � � if �-��<� � � .

Given an alphabet � �,� � , where � is a finite set of atomic propositions,a FOMLO formula �� defines the languages of finite or infinite wordsover � in the following way:

� �� *�� /� K � �=� � � ��&� � �*�� K � � � � � � ��&

2.2.1 Fragments

The FOMLO fragments we are dealing with are given by bounds on num-bers of variables used in a formula and/or by disallowing the use of ��predicate.

Definition 2.13 For every K � , the fragment �� consists of all FOMLOformulae of the form �� containing at most variables. Moreover, by �� " �we denote the set of formulae from �� that contain no �� predicate.

In the following, we use mainly the fragments �� and �� " � .

2.3 Automata and formal languages

This subsection recalls some definitions from the area of automata and for-mal languages employed in this thesis. We start with basic theory aboutlanguages of finite words, then we move to � -languages, and we close withalternating automata.

2.3.1 Finite words

Definition 2.14 A finite automaton is a tuple �� %$ � �� , where �is a finite input alphabet, � is a finite set of states, $ � K� is an initial state,�>�� is a transition function, and � �� is a set of accepting states.An automaton is called deterministic if for all states $ K�� and all >K � the set� �#$ � �� is a singleton. The automaton is called nondeterministic otherwise. A runof the automaton over a word �?K?� � is a sequence of states � � #� � �� #�� K��such that � � � $ � and ��5 � K�� ;5��# �� for all ��? �" � �1� . The run is acceptingif � � �� K�� . A word is accepted by the automaton if there is an accepting run ofthe automaton over the word. We say that the automaton � recognizes a language

� �� /�LK � � � � is accepted by � & �

30 PRELIMINARIES

The transition function � can be extended into a function � � � � � � � �� defined inductively as

� � �#$ �� "$=& and � � �#$ ��6 ��

�� #$ � � � where $4K�� K � � , and 9K � .

Languages recognized by finite automata are called regular. A deter-ministic finite automaton (DFA) � is called minimal if there is no DFAwith smaller number of states recognizing the language � �� . The factthat for each regular language � there exists a unique (up to the labellingof states) minimal DFA recognizing the language � is a fundamental re-sult of automata theory. The proof can be found in standard textbooks,e.g. in [HU79].

Definition 2.15 A regular expression over an alphabet � is given by the follow-ing abstract syntax:

��

��

�

$

�

�

where ranges over � and operations � 7� $ , and � denote concatenation, com-plementation (with respect to � � ), union, and iteration (also known as Kleeneor star closure) respectively.

A regular expression

over � denotes a language �

� � � � defined by induc-

tion on the structure of

:

� � � � � � & �

�

� � � �/�;��=� K �

� ��CK �

� � &

�� 8��

� � � ��

�

� �� & �

$

� � � �

� � �

� �

�

� � � �

� �

A regular expression without any occurrence of � is called star-free.

In the following a regular expression is identified with the language it de-fines. Regular expressions define exactly regular languages. Languagesdefinable by star-free regular expressions are called star-free.

Definition 2.16 Let � � � � be a language. A syntactic congruence of � is anequivalence �� defined as

�� if and only if U�� K � � �=� � �LK � - � � �LK � �

Syntactic monoid of � is the quotient � � � �� with the operation concatenationand the class containing � as an identity element.

A language is regular if and only if its syntactic monoind is finite.


2.3.2 Infinite words

In contrast to automata over finite words defined above, many various ac-ceptance conditions has been considered in connection with infinite words.In the following we use seven of them.

Definition 2.17 A finite automaton (over infinite words) is a tuple � �� %$ � �� , where � is an acceptance condition. The meaning of � �� %$ � ,and � as well as the notions of determinism and nondeterminism are the same asin Definition 2.14. A run � of the automaton over an infinite word � K?�� is asequence of states � � � � #� � �� such that � � � $ � and �;5 � K � ��;5�

� �# �� for each B � . By �� we denote the set of states occurring infinitely many times inthe run � . The set of all states occurring (at least once) in � is denoted by � � � �� .The acceptance of a run depends on chosen acceptance condition.

� Buchi condition ( �V�� ): a run � is accepting iff �� N�� .� co-Buchi condition ( �3�� ): a run � is accepting iff �� .� Streett condition ( � � � � �

� � ��

� � & , where 5

5 � � ):

a run � is accepting iff U6 �� O5N�� , � ��

5N�� .

� Muller condition ( �3�E� ): a run � is accepting iff �� K � .� occurrence Buchi condition ( � � � ): a run � is accepting iff � �� N�� .

� occurrence co-Buchi condition ( � � � ): a run � is accepting iff � � � �� .

� occurrence Streett condition ( � � � � �

� � ��

� � & , where

5

5!� � ): a run � is accepting iff U� � �� O5,N� � � ,

��

5@N�� .

An � -word is accepted by the automaton with a given acceptance condition ifthere is an accepting run of the automaton over the � -word. We say that theautomaton � with a given acceptance condition recognizes a language

� �� K � � � � is accepted by � & �

The transition function � can be extended into a function � � � � � � � �� in the same way as in the case of automata over finite words.

We say Buchi automaton instead of automaton over infinite words withBuchi acceptance condition. By analogy we use terms occurrence Buchi au-tomaton, (occurrence) co-Buchi automaton, (occurrence) Street automaton, andMuller automaton.

32 PRELIMINARIES

Languages of � -words recognizable by nondeterministic Buchi au-tomata are called � -regular. The class of � -regular languages can equiva-lently be defined as the class of � -languages recognized by (deterministicor nondeterministic) Streett or Muller automata.

In this thesis we also employ weak and terminating nondeterministicBuchi automata.

Definition 2.18 Let � � � � �� %$ � �� be a Buchi automaton. The automatonis called weak if there exists a partition of the set � into sets �45 and an ordering� on these sets such that

� for each �P5 , either �O5 � � �� or �O5 � � , and� for each $'K �� , � K�� , if $4K � �� for some 9KL� then � 5 �� .

The automaton is called 1-weak if it is weak and every �:5 is a singleton. Theautomaton is called terminal if for each � K � and 9KL� it holds that � �� ON��and � �� .

Several definitions of various syntactic congruences have been pro-posed for � -languages (see [MS97]). We present the one introduced byArnold [Arn85] and sometimes called iteration syntactic congruence.

Definition 2.19 Let � �,� � be an � -language. For each word �>K � � we definethe sets ��#�� and � �#�� as

��#� � � � �#� �� 1K � � ��;� � � � K � & � �#� � � � �#� �� 1K � � �� #�� K � & �

A syntactic congruence of � is an equivalence � � � � � � � � defined as

�� if and only if ��#� ��#�� and � �#� �� #� �7�

Syntactic monoid of � is a quotient � � � � � with the operation concatenation andthe class containing � as an identity element.

Let us note that the syntactic monoid of � -regular language is always finite,but there are nonregular � -languages with finite syntactic monoid.

2.3.3 Alternating automata

In Chapter 7 we work with alternating automata. Transition function of analternating automaton combines the nondeterministic (i.e. existential) anduniversal mode. More formally, the transition function assigns to each stateand letter a positive boolean formula over states. The set of positive booleanformulae over a finite set of states � , denoted � � � � , contains formulae


(true), . (false), all elements of � and boolean combinations over � builtwith � and + . A subset � of � is a model of � K � �� if the valuationassigning true just to the states in � satisfies � . A set � is a minimal model of� , denoted � � � � , if � is a model of � and no proper subset of � is a modelof � .

Definition 2.20 An alternating Buchi automaton is a tuple � �� %$ � �� , where � �� %$ � �� have the same meaning as in nondeterminis-tic Buchi automaton (see Definition 2.17) and �>� � �T� �� is a transitionfunction.

A run of an alternating automaton is a (potentially infinite) tree. A treeis a set � � � �� such that if �� K�� , where � K � �� and � K � � , then also� K�� and �� K�� for all �>�,� � ",� . A � -labelled tree is a pair �� where� is a tree and �4�� is a labelling function.

Definition 2.21 Let � � � � �� %$ � �� be an alternating Buchi automaton. Arun of � over an � -word � K � � is a � -labelled tree �� with the followingproperties:

1. ��-� �� $ � .2. For each �LK�� the set � � �� 6�OK�� & satisfies � � � � �� %� �1� �� .

A run �� is accepting if for every infinite path � in � it holds that �� N� � , where �� is a set of all labels (i.e. states) appearing infinitely often on � .An � -word � K3� � is accepted by the automaton if there exists an acceptingrun of � over � . We say that the alternating Buchi automaton � recognizesa language

� �� K � � � � is accepted by � & �

In Chapter 7 we use the following notation and terminology. Let � bea state of an alternating Buchi automaton � � � � �� %$ � �� . By � �� wedenote the automaton � with initial state � instead of $ � . Further, �� denotes the set

� �� "$ � Q KL� �� and $4K � &

of all possible successors of � . We also set �� <�� & . More-over, we say that a state � has a loop whenever � K�� . Finally, insteadof � � � � �- #� � we write �� and say that the automaton has a transitionleading from � to � under .

The alternating 1-weak Buchi automata (A1W automata) defined below arealso known as very weak alternating Buchi automata or linear alternating Buchiautomata.

34 PRELIMINARIES

PSfrag replacements$ �

$ � $

$

�

�

� �

�

�

Figure 2.2: The automaton accepting the language � �'� �� & � � � .

Definition 2.22 An alternating Buchi automaton � � � � �� %$ � �� is called1-weak if there exists an ordering " on the set � such that $ K � �� implies$4" � .

An A1W automaton can be depicted as a graph where nodes corre-spond to the states of the automaton and every transition � � � is rep-resented by a branching edge labelled with and leading from the node �to the nodes in � . Edges that are not leading to any node correspond tothe case when � is an empty set. An initial state is indicated by a specialunlabelled edge leading to the corresponding node. The nodes correspond-ing to the accepting states are double-circled. For example, the Figure 2.2depicts an automaton accepting the language � �'� �� & � � � .

2.4 Model checkingThis section provides a brief introduction into the area of a popular veri-fication method known as model checking. In general, the model checkingproblem is to decide whether a given system satisfies a given specifica-tions. According to the topic of this thesis, we focus on LTL model check-ing of finite-state systems. In this case, the question is whether all the pos-sible runs (or behaviours) of a given finite-state system satisfy a given LTLformula (called specification formula). We describe the automata-based al-gorithm proposed in [VW86] and implemented in many model checkingtools like, for example, SPIN [Hol97]. For more information about modelchecking see, for example, [CGP99].

A system to be verified is given in a suitable modelling language (forexample, SPIN uses its own C-like language ProMeLa) and it is interpretedas a Kripke structure.

2.4 MODEL CHECKING 35

Definition 2.23 Kripke structure is a tuple � � � �� , where� � is a set of states,� � is a set of transitions (for each � K�� , � �� ),�� K � is an initial state,� � � � �

� �is a labelling function associating to each state a set of atomic

propositions that are true in the state.

We consider deterministic systems only, hence every � K � is seen as a partialfunction � � � � . A path in a Kripke structure � starting from a state � K �is a maximal (finite or infinite) sequence � � � � �� of states such that � � � � andfor every there is a transition � 5 K�� satisfying � 5�� 5 �� 5 � .The validity of an LTL formula for a Kripke structure is defined in the fol-lowing way.

Definition 2.24 Let � � � � � �� be a Kripke structure. We say that an LTLformula � is valid for a state � K�� of the Kripke structure � , written � � � � � ,if for every path � � � � �� such that � � � � it holds that � � � � � � � � � � �� .Further, we write � � � � instead of � �� .

Formally, the model checking problem is to decide whether a givenKripke structure � and a given specification formula � satisfy � � � � ornot.

For technical reasons, it is assumed that all paths in a Kripke structureare infinite. This can be achieved by adding a special looped transition toevery terminal state.

Paths of a Kripke structure represent runs of the system. The la-belling function � translates each path � � � � �� into an infinite word� � � � � � � � � � �� over alphabet �

� �. The range of the labelling function is usu-

ally restricted to ��

, where �� *�� is a set of atomic propositions occur-ring in a considered specification formula � .

Example 2.25 Figure 2.3 provides an example of a system and associated Kripkestructure. The system is a programme beginning with parallel execution of twothreads A and B. The corresponding Kripke structure reflects the fact that the in-structions of A and B can be interleaved in arbitrary way. The states carry theinformation about variables and about the position of control in the two threads.The transitions correspond to individual assignment instructions. In the follow-ing, the system is considered in connection with specification formulae with atomicpropositions depending on the value of x only. In Figure 2.3 we therefore explicitlyindicate the value of x in each state of the Kripke structure (the value is consideredto be � at the very beginning). The � direction corresponds to the instructions ofA, and the direction corresponds to the instructions of B.

36 PRELIMINARIES

cobeginA; B;

coend...

procedure A()beginfor i=1 to 5 do

beginx = x + 1;x = x - 1;

endend

procedure B()beginz = 2;x = x + 7;z = 2 * z;z = z - 1;

end

�� x = x + 1;�� z = 2;��

�x = x - 1;��

�� x = x + 7;�� x = x + 1;�� z = 2 * z;��

�x = x - 1;��

�� z = z - 1;�� x = x + 1;��

�x = x - 1;��

�� x = x + 1;��

�x = x - 1;��

x = x + 1;�� x = x - 1;��

��

��

��

. . .

Figure 2.3: Programme and associated Kripke structure.

The classic automata-based model checking algorithm works as fol-lows. The Kripke structure associated with a given system is translated(by moving labels from states to edges) into a Buchi automaton � accept-ing words corresponding to all possible runs of the system. A given spec-ification formula � is transformed into a Buchi automaton � such that �recognizes the language of all infinite words (over �

� � � �) satisfying ��

(i.e. � � � � � � �*�� ). The automaton � is called the property automaton.The original model checking problem to decide whether � �� M� � �*�� istransformed into the problem to decide whether � �� . Hence,the Buchi automaton � called the product automaton and accepting the in-tersection � �� is constructed. It is now sufficient to check if � � � �is empty or not. Algorithms checking the emptiness, including the popularnested depth-first search, employ the observation that � � � � is nonempty ifand only if the automaton contains a cycle such reachable from the initialstate such that there is an accepting state on the cycle. If such a cycle is


found, an infinite word accepted by � can be derived from it. This wordcorresponds to a run of the system that violates the specification formula.

The running time of the indicated algorithm is linear in the size of aKripke structure corresponding to the system and exponential in the lengthof a specification formula. The exponential complexity with respect to thelength of a formula is not the main problem as the formula is typically veryshort. The real problem is that the Kripke structure is usually very largecomparing to the original description of the system given in a modellinglanguage. This effect, called the state explosion problem, has two main rea-sons, namely the asynchronous parallelism and large data domains. Thereare various strategies how to deal with this problem. For example, onecan reduce the number of states by abstracting the code and/or the dataof the system, use various ‘compositional’ techniques, or use restricted for-malisms (like, e.g. pushdown automata) which allow for a kind of ‘sym-bolic’ model checking where the explicit construction of the associatedKripke structure is not required. One of the most successful methods isthe partial order reduction [Val91, God96, HP95, Pel98], also known as themodel checking using representatives.

2.4.1 Partial order reductionIn fact, the term partial order reduction contains several different algorithmsbased on the same idea: it is not needed to check whether a run of thesystem satisfies a specification formula if there exists another run that ischecked and the two runs cannot be distinguished by the specification for-mula.

Design of a partial order reduction method has two steps.

1. First, one have to identify a condition (possibly parametrized by aspecification formula) such that if a pair of runs satisfies the conditionthen the runs cannot be distinguished by the specification formula.

2. Second, an algorithm is built. The input of the algorithm is a Kripkestructure and a specification formula. The algorithm uses the con-dition in order to remove some paths from the structure and thusproduce a smaller but an equivalent (with respect to the specificationformula) Kripke structure.

The condition is usually formulated as an equivalence such that everytwo equivalent runs are not distinguished by the specification formula.Most partial order reduction methods employ the stutter equivalence (seeDefinition 3.14 or Chapter 5 devoted to stuttering principles). More pre-cisely, the methods uses the fact that two runs cannot be distinguished byany formula � of �� formula � if the words corresponding to theseruns and restricted to alphabet �

� � � ��are stutter equivalent.

38 PRELIMINARIES

In Chapters 5 and 6 we propose several new equivalences that can bepotentially used for the construction of new reduction methods. All ofthem subsume stutter equivalence. Later we illustrate that applicationsof these new equivalences can lead to more efficient reductions (meaningthat the resulting structures are smaller). Unfortunately, we do not pro-vide any indication of the algorithms based on these equivalences. All thereductions presented are made by hand.

In order to provide a more concrete idea of the partial order reduc-tion algorithms we sketch a basic algorithm for the partial order reductionbased on stutter equivalence. This algorithm is implemented, for example,in SPIN and well described in [CGP99].

Let � be a Kripke structure. For all states � of � , by � � � �� we de-note a set of transitions enabled in state � , i.e. � K�� if and only if� � � � is defined. For each state � , the reduction algorithm computes a sub-set of � � � �� called �4� � � � � � . The reduced version of the structure �arises from the original structure by disabling all the transitions leadingform a state � that are not in �4� � � � � � . Subsequently, some of the statesbecome unreachable in the reduced structure. The sets �4� � �� should belarge enough as the paths in the reduced structure must contain at leastone representative of each class of stutter equivalent paths in the originalstructure. On the other hand, the reduced structure should be substantiallysmaller than the original one.

The reduction employs two important principles: independence and in-visibility. An independence relation � � � � � is a symmetric and antireflex-ive relation satisfying for every state � and every � � � � � K�� the followingcondition.

If � � � K�� then � K�� and � � � � � � �� 7�The dependency relation is the complement of the independence relation � .

A transition � K � is invisible with respect to a set of atomic proposi-tions � � �� if for each pair of states � � � such that � � � �� the equation� � � � �� '� holds. In other words, an invisible transition does notchange the validity of atomic propositions in � . In the following, invisibil-ity is always associated with a set of atomic propositions occurring in thespecification formula.

It has been proved that a reduced system given by sets �4� � � � � � pre-serves the satisfaction of �� specification if for every state � the fol-lowing four conditions hold.

1. �4� � �� iff � � � �� .

2. Along every path in the original structure starting at � it holds that atransition dependent on a transition in �4� � �� cannot be executedwithout a transition in �4� � � � � � occurring first.


��

� ��

� ��

� ��

� ��

� �� . . .

Figure 2.4: The Kripke structure reduced by standard partial order reduc-tion.

3. If �4� � � � � �ON� � � � �� then every � KM �4� � �� is invisible.

4. A cycle is not allowed if it contains a state in which some transition� is enabled, but is never included in �4� � �� for any state � on thecycle.

Reduction algorithm uses heuristic for proposing sets �4� � � � � � and itchecks if the conditions are satisfied. In the case that for some � every pro-posed �4� � �� violates some condition, the �4� � �� is set to � � � �� .

It does not make much sense to construct the whole Kripke structureand then try to reduce it. That is why the reduced system is calculated on-the-fly, meaning that a set �4� � �� is computed when the model checkingalgorithm running on the reduced system needs to know the successorsof the state � . Hence, for the states that are not reachable in the reducedsystem the sets �4� � � � � � are not computed at all.

Example 2.26 Let us consider the system given in Example 2.25 and a specifica-tion formula of �� talking only about value of x like, for example, 0�� x " � � .The only invisible transitions correspond to the three instructions changing thevalue of z. Using the described partial order reduction method based on the stutterequivalence, the Kripke structure depicted in Figure 2.3 can be reduced into theKripke structure given in Figure 2.4.

2.4.2 Model checking a pathRecently, Markey and Schnoebelen [MS03] have introduced a problem ofmodel checking a finite-state system with a single path. The problem is mo-

40 PRELIMINARIES

tivated primarily by runtime verification. A Kripke structure correspond-ing to a system with a single path has one of the two shapes depicted inFigure 2.5.

��

Figure 2.5: A Kripke structure with a single finite (left) or infinite (right)path.

Hence, a word corresponding to a path of such system is either finiteor ultimately periodic. Ultimately periodic words are the words of the form�;� � , where � ��TK � � and �LN�<� . They are called loops for short.

Chapter 3

Expressiveness

This chapter provides an overview of results about the expressive powerof linear temporal logic and its fragments. The expressive power of a for-malism (e.g. LTL or its fragment, FOMLO, or Buchi automata) is measuredby the languages definable by the formalism.1 Formally, given fragments�� of LTL or first-order logic, we write � � � � meaning that every

language definable in � � is also definable in � and vice versa.Basically, the results we are going to present can be divided into two

groups.

1. Results comparing the expressive power of LTL fragments and theother formalisms mentioned in the previous chapter. These resultssubsume several translations between the fragments and formalismsunder consideration.

2. Results on decidability of the considered LTL fragments. A fragment� is said to be decidable if there exists an algorithm deciding the prob-lem whether a given (regular or � -regular) language � can be ex-pressed in � or not. The problem is sometimes called the membershipproblem. If we restrict our attention to languages over strings only, werefer to decidability (of the membership problem) over strings. Similarlywe talk about decidability over � -words. Complexity of the respectiveproblems is studied as well.

The first group also contains various characterizations of language express-ible in the considered fragments. Some characterizations lead directly tothe decision algorithms for these fragments. Such characterizations arecalled effective.

Our overview of the expressiveness results is organized as follows.First, we present various characterizations of languages definable in LTL.

1Let us note that there is also another natural measure of expressive power, namely thelanguages of pointed words definable in a given formalism. We do not provide systematicoverview of results using this measure. For more details see [Eme90, Wil98].

42 EXPRESSIVENESS

Most of them are classic results originally presented more then twentyyears ago. This part of our overview is partly based on well-written sur-veys [Eme90] and [Tho90]. The results concerning simple fragments arediscussed thereafter. In particular, we give a hierarchy illustrating expres-siveness of selected simple fragments. Then we summarize results regard-ing the other fragments under consideration. The chapter closes with somesuccinctness issues.

3.1 Complete LTLFirst of all we should explain the term complete LTL. Originally, we havedefined LTL as a temporal logic with two modalities � and � . Later wehave added a plethora of other modalities to the logic that is still calledLTL. This ambiguity in terminology is justified as these two logics are ex-pressively equivalent, i.e. every language definable in temporal logic withall modalities mentioned in Subsection 2.1.3 is also definable in �� .This is a consequence of the following facts.

Fact 3.1 Given any formula � of LTL (with all the mentioned modalities) thereexists a globally equivalent formula � � �� of FOMLO. The construction of � � �� is given by first-order definition of LTL semantics.

Theorem 3.2 ([Kam68, GPSS80]) Given any FOMLO formula �� there ex-ists a globally equivalent formula � � of �� .

Theorem 3.3 (Separation Theorem [Gab89]) Every �� formula� can be effectively translated into a boolean combination of formulae of�� that is globally equivalent to � .

Obviously, any �� formula is initially equivalent to a formula with-out any modality. Hence, every �� formula � can be effectivelytranslated into a formula of �� that is initially equivalent.

To sum up, every LTL formula with arbitrary modalities is initiallyequivalent to a formula of �� .

Corollary 3.4 A language is expressible in LTL if and only if it is expressible in�� .

3.1.1 Finite wordsFirst, we summarize characterizations of LTL languages over finite words.Roughly speaking, it is known that LTL languages “cannot count modulo for any �� & ”. The following definitions formalize this non-countingproperty in terms of monoids, formal languages, and finite automata.

3.1 COMPLETE LTL 43

Definition 3.5 A finite monoid � � � /& � is called aperiodic if there exists 1K � �such that � � �� holds for all � K � .

Definition 3.6 A language � � � � is noncounting if there exists R K � � suchthat for all B R and � �� K � � it holds that

�� K �� , �� GK � �

Definition 3.7 Let � � � � �� %$ � �� be a finite automaton. A sequence� � �� #� � K�� of distinct states is a counter (of length � ) for a string � K � if

� � & and �;5 � K �� 5 �� for all & � � � , where � � � � � � . An automaton

is counter-free if it does not have any counter.

Theorem 3.8 Let � be an alphabet and � �� be a language. The followingstatements are equivalent:

1. � is definable in LTL.

2. � is definable in FOMLO.

3. � is definable in �� .

4. The minimal deterministic finite automaton recognizing � is counter-free.

5. � is definable by a star-free regular expression.

6. The syntactic monoid of � is finite and aperiodic.

7. � is regular and noncounting.

8. � is regular and � � � -stutter closed2 for some � K � � .

The equivalence of conditions 1 and 2 follows from Fact 3.1 and Theo-rem 3.2. Further, the equivalence of conditions 1 and 3 follows from Corol-lary 3.4 and the fact that every formula of �� can be transformed(using the semantics of � and � given by first-order formulae) into a for-mula of ��

. The equivalence of conditions 2, 4, and 5 has been proved

by McNaughton and Papert [MP71]. A short proof of equivalence betweenconditions 2 and 5 can be found in [PP86]. Conditions 5 and 6 are equiv-alent due to classical theorem of Schutzenberger [Sch65]. Finally, it is easyto see that the remaining conditions 7 and 8 are equivalent to condition 4.

Direct translations between LTL formulae and star-free regular expres-sions can be found in [Zuc86]. The construction of LTL formula acceptingthe same language as counter-free deterministic finite automaton (DFA) ispresented in [Wil99]. Alternative direct proofs of the fact that a counter-freeDFA recognizes an LTL language can be found in [CPP93] and [MP90a].

2Definition of �� -stutter closed languages is given in Chapter 5.

44 EXPRESSIVENESS

Some of the conditions presented in Theorem 3.8 lead to algorithms de-ciding the membership problem for LTL over strings. Namely, given a reg-ular language � one can decide whether its syntactic monoid is aperiodic orwhether the corresponding minimal DFA is counter-free. The decision pro-cedure for counter-freeness employs a consequence of a pumping lemmasaying that an automaton with states has a counter if and only if it hasa counter for a string � such that � �� . This bound allows to decidethe problem whether a DFA is counter-free in polynomial space. Moreover,this problem is � � � � �� -complete due to [CH91]. As a minimization of adeterministic finite automaton can be done in � � � � �� , we get the follow-ing.Theorem 3.9 The problem whether a given deterministic finite automaton recog-nizes an LTL language is � � � � �� -complete.

3.1.2 Infinite wordsWe now move to LTL languages of infinite words where the situation is abit different. As in the previous case, we start with some definitions.Definition 3.10 An � -language � � � � is noncounting if there is RTK �� suchthat for all B R and � � ��LK � � the two following equivalences hold:

�;� � �� K � � , �;� � � �� K �

� �� K � � , � �� K �

Counter-free finite automata over infinite words are defined in the sameway as counter-free finite automata over finite words – see Definition 3.7.

The characterizations of LTL � -languages use the notion of regular ex-pressions in two different ways. The first approach employs an operatorwhich maps languages defined by regular expressions to � -languages. Thecharacterizations work with two operators of this type.

1. The operator infinite repetition (also known as � -iteration). Given aregular expression

, the expression

� denotes the language of all

� -words of the form � � �� , where each �65 K

.

2. The limit operator. Given a regular expression

, the expression ��

denotes the language of all � -words � such that infinitely many dis-tinct prefixes of � are in

.

The second approach, mentioned in [Eme90], is to embed the regular ex-pressions into LTL. This is done via special operator called history, written�

�� , where

is a regular expression. Roughly speaking, �

�� is true for

�-�� if a word � �-��)� �%& � �� # �� corresponding to the history of consideredcomputation is in the language defined by

.

�-��

�� iff � �-�� J$<& � K

3.1 COMPLETE LTL 45

Theorem 3.11 Let � � � � be an � -language. The following statements areequivalent:

1. � is definable in LTL.

2. � is definable in FOMLO.

3. � is definable in �� .

4. � �� 5��

5 � �5 , where

5 ��65 are star-free regular expressions such that

�65 � �D5 ��D5 .5. � �� 5��

� 5 � �� D5 � where

5 ��65 are star-free regular expressions.

6. � is obtained from � � by repeated application of boolean operations andconcatenation with star-free languages � � � � � on the left.

7. � � � �5��

5 �� 65 , where

5 ��65 are star-free regular expressions.

8. � is definable by a formula of the form � �5��

� �

5��

�

� � �65�� , where 5 ��65 are star-free regular expressions.

9. � is � -regular and its syntactic monoid is aperiodic.

10. � is � -regular and noncounting.

11. � is recognized by a counter-free Muller automaton.

12. � is recognized by an alternating 1-weak Buchi automaton.

13. � is � -regular and � � � -stutter closed for some � K � � .

Proof of the equivalence of the first three conditions is the same as inTheorem 3.8. Condition 6 has been formulated by Ladner [Lad77] as adefinition of star-free � -languages. The equivalence of conditions 2, 4, 5,and 6 has been established by Thomas [Tho79, Tho81]. A short proof ofequivalence between conditions 2 and 6 can be found in [PP86]. Condi-tions 7 and 8 mentioned in [Eme90] are another variations on conditions 4and 5. Further, Perrin [Per84] showed that an � -regular language is star-free if and only if its syntactic monoid is aperiodic. The equivalence ofconditions 9 and 10 follows directly from Definition 2.19, Definition 3.10,and finiteness of syntactic monoids of � -regular languages. Condition 11is equivalent to definability by �� according to [LPZ85]. The equiv-alence between conditions 1 and 12 is a corollary of two following facts.First, given an LTL formula � and an alphabet � , one can construct anA1W automaton accepting language � � �*�� [MSS88]. Second, the trans-lation of A1W automata into language equivalent LTL formulae has been

46 EXPRESSIVENESS

developed independently in [Roh97] and [LT00]. Deeper connections be-tween LTL and A1W automata are studied in Chapter 7, where we alsopresent the mentioned translations. Finally, the definition of � � � -stutterclosed languages as well as the proof of the equivalence between LTL de-finability and � � � -stutter closeness can be found in Chapter 5.

As mentioned in [Tho90], the characterization of star-free � -languagesvia aperiodicity of syntactic monoid yields the following decidability re-sult.

Theorem 3.12 The problem whether an � -language is definable by LTL is decid-able.

Let us note that the requirement � 5 � �65C� �65 in condition 4 cannot beomitted as noted in [Tho79]. This is documented by the following example.

Example 3.13 Let

� � , � � �

� � , and � � � � be star-free regularexpressions. The languages �

� �

� �� and � �

� � , are not star-free.3

The language �� has been used by Ladner [Lad77] to show that star-free

� -languages form a proper subclass of � -regular languages. The language� can be defined by formula 0 . The modality 0 has been proposed byWolper [Wol83] in order to demonstrate that there are � -languages whichcannot be defined in expressively complete formalisms (the term used at thattime for formalisms with the same expressive power as FOMLO or LTL).Wolper proposed an extension of LTL called Extended Temporal Logic (ETL).ETL can express all � -regular languages. Complexity issues for (severalversions of) ETL has been studied in [SC85, VW94, SV89].

As mentioned above, Buchi automata are able to express the widerclass of languages than LTL formalism. In spite of this, the translation of�� formulae into Buchi automata is very important as it plays a sub-stantial role in an automata-based approach to the model checking problem(see Section 2.4). The first translation (designed even for the more gen-eral fragment �� ) has been described in [WVS83]. A survey oftranslation algorithms together with a tableau-based translation algorithmimplemented in SPIN can be found in [GPVW95]. Improved versions ofthis algorithm are presented in [DGV99, EH00, SB00]. More efficient trans-lation algorithms introduced in [GO01, Tau03] use alternating 1-weak au-tomata as an intermediate formalism.

3.2 Simple fragmentsThe study of an expressive power of simple fragments concentrates on thefragments built up with future modalities only and the symmetric fragments,

3For formal proof we refer to Corollary 5.3. We note that Languages � � and � � representlanguages of finite words that are regular but not star-free.

3.2 SIMPLE FRAGMENTS 47

i.e. the fragments containing the past counterparts of all the included futuremodalities as well.

Before we will give an expressiveness hierarchy covering all these frag-ments, we recall expressiveness and decidability results about simple frag-ments. The results are divided into three groups presented in the followingthree subsections.

3.2.1 Stuttering and its implicationsFirst, we present some results related to the well-known stuttering princi-ple.

Definition 3.14 Let � be a word. A letter � �# � is redundant if $V&?";� �� ,� �# ��<� �# �$8& � , and � is either finite or there is A �! such that � � A �ON�<� �# � . Thecanonical form of � is the word obtained by deletion of all the redundant lettersfrom � . Two words �� are stutter equivalent if they have the same canonicalform. A language � is called stutter closed or stutter-invariant if it is closedunder stutter equivalence, i.e. for every pair of stutter equivalent words � and � �it holds that �1K � iff � � K � .

Theorem 3.15 ([Lam83a]) Every language (of finite or infinite words) express-ible in �� is stutter closed.

Theorem 3.16 ([PW97a, Ete00]) Every stutter closed LTL language (of finite orinfinite words) is expressible in �� .

As all the languages definable in �� are stutter closed, the previoustheorem implies that �� . It also says that an �� language is expressible in �� if and only if it is stutter closed. Thisrelation can be generalized in the following way.

Theorem 3.17 ([Wil98, Wil99]) Let � � �� & and � � be the set con-taining exactly the strict versions of the modalities in � . A language (of finite orinfinite words) defined by a formula of �� is expressible in �� if andonly if the language is stutter closed.

Proof of Theorem 3.16 provides a translation of arbitrary �� for-mula � into an �� formula � �*� � such that � and � �*�� are equivalent ifand only if the language � �*�� is stutter closed. As it is decidable whethertwo formulae are equivalent or not, it is also decidable whether an LTLformula defines a stutter closed language. Complexity of (a more generalproblem covering also) this problem has been studied in [PWW98].

Theorem 3.18 ([PWW98, Wil98]) The problem whether a language defined by afinite nondeterministic automaton, Buchi automaton, or by an �� formula(interpreted over strings or � -words) is stutter closed is � � � � �� -complete.

48 EXPRESSIVENESS

The � � � � �� upper bound for � -languages given �� formulae hasbeen alternatively proven in [Ete00].

As a corollary, we get the decidability of the fragment �� .Corollary 3.19 The problem whether an �� formula defines a language(of finite or infinite words) expressible in �� is � � � � �� -complete.

3.2.2 Forbidden patternsSeveral simple fragments can be characterized by means of forbidden pat-terns. The concept of forbidden patterns has been originally introducedin [CPP93] under the name forbidden configuration. Roughly speaking, a lan-guage � can be defined by a fragment if and only if a minimal DFA recog-nizing the reverse of � does not have a structural property given by thecorresponding forbidden pattern. The method can be used for languagesof finite words only.

Given a set � , an � -labelled digraph is a tuple �� where � is an ar-bitrary set of vertices and � �� is a set of edges. The transitiongraph of a DFA � � � � �� %$ � �� is the � � -labelled digraph � � �� where

� � � �#$ �� %$ � � � $4K�� K � � and � � �#$ �� "$ � & & �So the transition graph of any DFA has a finite number of vertices but po-tentially infinitely many edges.

A pattern is a labelled digraph whose vertices are state variables andwhose edges are labelled with variables for labels of two different types:variables ranged over nonempty strings (denoted by � �� ) and variablesranged over alphabet symbols (denoted �� ). In addition, a patternis occupied by side conditions stating which state variables must be inter-preted as distinct states. The patterns are drawn as graphs and the notationof side conditions is such that all vertices marked by “ � ” must be mutuallydistinct.

We say that � � -labelled digraph matches a pattern if there is an assign-ment to the variables satisfying the type constraints as well as the side con-ditions so that the digraph obtained by replacing each variable by the valueassigned to it is a subgraph of the given digraph.

Let � � ��-�� %& � �� 0O& � be a string. The reverse of � is defined as� � � � � 0 & � � � 0 � � ��I� �%& � ��-�� . Similarly, the reverse of language � isdefined as � � � �/� � �=�LK � & .

The following collection of forbidden patterns has been presentedin [Wil99]. The forbidden patterns characterizing full �� correspondto counter-freeness as discussed in Section 3.1. The forbidden patternsfor �� and � � �� have been deduced in [EW00] with use ofEhrenfeucht-Fraısse games. The characterization of � � � � �� has beenoriginally introduced in [CPP93], where the authors proposed the name


Restricted Temporal Logic (RTL) for the fragment �� . The other pat-terns are easy to obtain.

Theorem 3.20 ([MP71, GPSS80, CPP93, EW00, PW97a]) Let � be one of thefragments �� , �� , �� , � � �� , and � � � . A regular language �

is expressible in � if and only if the transition graph of the minimal DFA recogniz-ing � � does not match the pattern(s) for � depicted in Figures 3.1–3.5. Further,a regular language � is stutter closed if and only if the transition graph of theminimal DFA recognizing � � does not match the pattern depicted in Figure 3.6.

Due to Theorem 3.17, the fragments �� and �� are characterizedby forbidden pattern depicted in Figure 3.6 together with the pattern(s)corresponding to �� or �� respectively.

These characterizations are effective due to the following theorem. Letus note that the number of patterns that must be tested in the case of full�� is bounded by the number of states of the minimal DFA under consid-eration.

Theorem 3.21 ([Wil98]) Let �� be a pattern. The following problem is in� � � � �� . Given an �� formula � , does a transition graph of a minimalDFA recognizing the reverse of language � � �*�� match the pattern �� ?Corollary 3.22 Let � be one of the fragments �� , �� , �� , �� , or �� . The problem whether a language of strings given by an�� formula can be defined by � is � � � � �� -complete.

The � � � � �� -hardness of these problems has been proven in [Wil98] byreduction of the satisfiability problem for �� formulae (which isknown to be � � � � �� -complete [SC85]) to each of the respective problems.

Let us note that characterizations of several LTL fragments in terms ofpatterns forbidden for minimal DFAs recognizing directly a language �

instead of its reverse can be found in [Wil98].

3.2.3 Connection to FOMLO and its implicationsThe identity of �� and ��

has been discussed in Section 3.1 al-

ready. Here we recall another two identities proven in [EVW02]. Somedecidability results implied by these identities will be mentioned as well.

Theorem 3.23 ([EVW02]) A language is expressible in �� if and only if it isexpressible in �� . Further, a language is expressible in �� " � if andonly if it is expressible in �� .Later on4, it has been shown that expressive power of these fragments co-incides with another FOMLO fragments.

4The paper [EVW02] is a journal version a conference paper presented at LICS 1997.

50 EXPRESSIVENESS

�

��

�

��

Figure 3.1: Forbidden pattern for �� .

�

��

�

��


�

��

�

� ��

��

� �

Figure 3.3: Forbidden pattern for � � �� .

��


�

��

��

�

��

�

��

�

��

�

��

� � �

�

� ! �

�"#

� �$&%

Figure 3.5: Forbidden patterns for �� .

� � ��

Figure 3.6: Forbidden pattern for stutter-invariance.


Definition 3.24 The FOMLO fragment �� consists of all FOMLO formulaeof the form �� Q�� Q�� U

� ��U � � , where � does not contain anyquantifier. Similarly, � consists of FOMLO formulae of the form �� U � � ��%U � � Q�

� ��IQ� � � , where � is quantifier-free. By �� we denote a classof languages definable by a � formula as well as by a � formula. By analogy,� � � � �� " � contains languages definable by both � and � formulae withoutpredicate �� .

Theorem 3.25 ([TW98]) A language of finite words is expressible in�� if and only if it is in � � � . Further, a language offinite words is expressible in �� if and only if it is in � � � � �� " � .Let us note that the theorem cannot be extended to � -languages.

The combination of the theorem above and the result presentedin [PW97b] brings another characterization of �� languages.

Definition 3.26 Let � be an alphabet. A product � ��

� 1��

� , where� 5 �V� and 5 K8� , is unambiguous if for every � KE� there is at most onesequence �#� � �� such that � 5 K � �5 and � �G� � � � � �� . A lan-guage of strings over � is unambiguous if it is a disjoint union of unambiguousproducts.

Theorem 3.27 ([TW98]) A language of finite words is definable in �� ifand only if it is unambiguous.

Theorem 3.27 provides an important and fruitful connection between LTLfragments and deep algebraic results. The two following theorems arecorollaries of this connection. For details and other algebraic characteri-zations of the fragments �� and �� we refer to [TW98]and [Wil98].

Theorem 3.28 ([TW98, Wil98]) The fragments �� and�� are decidable (over strings as well as over � -words).

Moreover, the following complexity bounds for decidability over stringsare known.

Theorem 3.29 ([TW98]) The problem of determining whether a given�� formula defines a language of strings expressible in �� is in � � � � � � �� . The problem is � � � � �� -hard at the same time. These boundsremain unchanged if we replace the fragment �� with �� .The exact complexity of the problem for �� and �� isan open question formulated in [TW98].

Theorems 3.17, 3.18, and 3.29 imply that the fragment �� is de-cidable in � � � � � � �� as well.

52 EXPRESSIVENESS

3.2.4 Expressiveness hierarchyThree hierarchies reflecting relative expressive power of LTL fragmentshave been presented so far. Two of them have been introduced in [Wil98].The first contains only the fragments built with some of the modalities�� , and � , while the second consists of symmetric versions of thesefragments. The hierarchy presented in [Mar03a] covers the fragments builtwith the operators �� and symmetric versions of these fragment.

The hierarchy depicted in Figure 3.7 subsumes three hierarchies men-tioned above. An edge between two fragments means that the languagesexpressible in the lower fragment form a strict subclass of the languagesexpressible in the higher fragment. The hierarchy covers all the fragmentsbuilt up with some future modalities and symmetric versions of these frag-ments; every such a fragment is either represented explicitly or it coin-cides with some of the represented fragments due to the relations betweenmodalities described in Subsection 2.1.3.

The shape of the hierarchy is given by definitions of the considered frag-ments, statements presented hereinbefore in this section, straightforwardobservations on expressiveness of the fragments, and the following results.

The following two theorems are formulated and proven in PhD thesesof Markey and Laroussinie.

Theorem 3.30 ([Mar03a]) Fragments �� and �� are strictly lessexpressive than their respective symmetric versions.

The proof can be also modified to show that the fragment �� is strictlyless expressive than its symmetric version.

Theorem 3.31 ([Lar94]) There is a language expressible in �� that is notexpressible in � � �� .

As a corollary of this theorem we get that �� is strictly less expres-sive than �� .

Finally, we present one original result.

Theorem 3.32 Fragment �� is strictly less expressive than �� .Proof: One can easily prove that there are languages definable in�� but not in �� . We demonstrate that every �� languagecan be defined in �� . By � � � we denote a formula

��

� ��The expressions � � � and � � � have analogous meanings. It is sufficient todeal with �� formulae of the form � � � where B � and � is a formulawithout any temporal operator as every � � �� formula can be converted


� � � ��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

�

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

�

� � � ��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

�

��

��

��

��

��

��

��

��

�� " �

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

�

��

��

� ��

� ��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

� � ��

��

� ��

� � �

��

��

��

��

��

��

��

��

��

� � � � �

Figure 3.7: Expressiveness hierarchy of simple fragments.

54 EXPRESSIVENESS

into a globally equivalent boolean combination of these formulae. To fin-ish this proof we demonstrate that the following two formulae are initiallyequivalent (assuming that � K �� ):

� � � � 5 � � � �*� �� A word � satisfies � � � �*� � � � � � � � if and only if there exists R such that �ER>" � �� and �-��R�� . Please observe that formula � � � isvalid just for the initial position in an arbitrary word. In general, �-��R��4�� if and only if R!� . Hence, �-��R��3�� is equivalentto �-��R�� and R<� . To sum up, � � � � � � �*� � � � � � � � if and onlyif "�� and �-� �� . We are done as this is exactly the meaning of� � � �� . �

The theorem has some interesting corollaries. First, as the fragments�� and �� have incomparable expressive power, �� isstrictly less expressive than � � �� . Similarly, as the expressiveness of�� and �� is incomparable and there are languages expressiblein �� but not in �� (see Theorem 3.31), we get that frag-ments �� and �� are incomparable too. This immediatelyimplies that the fragment �� is strictly more expressive thanboth � � � �� and �� .5

3.3 Nesting fragmentsOnly a few kinds of nesting fragments have been studied so far. Re-searchers focuses on fragments of the form �� , � � � , �� ,�� , �� , and �� . Fragments of each of thesekinds form a corresponding hierarchy. Two standard questions studiedfor all of these hierarchies is whether the hierarchy is (semantically) strictand whether it is decidable. The precise meaning of the strictness and thedecidability will be given soon.

In Section 7.3 we present an automata-based characterization of lan-guage classes corresponding to fragments of the form �� ,�� , �� , and �� . In fact, this characterizationis formulated for all fragments of a more general form �� ,where � �R>K � � � �=� & .

3.3.1 Fragments �� : Until hierarchyFragments of the form �� form the hierarchy

�� 2� �� 2� ��

5The statement that fragment �� is not as expressive as its symmetric counter-part �� has been already formulated (without any evidence) in [Wil98].

3.3 NESTING FRAGMENTS 55

called until hierarchy.In [EW00] it has been shown that the hierarchy is semantically strict,

i.e. for every R K � � the class of languages definable by �� isstrictly larger than the class of languages definable by �� . Theproof employs a parametrized language �� (over a three-letter alpha-bet) expressible in �� but not in �� (this is provenwith use of an appropriate Ehrenfeucht-Fraısse game designed in the pa-per).

The decidability of the until hierarchy has been proven in [TW01] ap-plying deep results from finite semigroup theory.

Theorem 3.33 ([TW01]) Given a regular or � -regular language � and R K � � ,it is decidable whether � is definable by �� or not.

Corollary 3.34 For every language given by an LTL formula, one can computethe minimal R such that the language is expressible in � � �� .

It is worth mentioning here that the paper [TW01] also deals with de-cidability of fragments of the form �� constituting the since hier-archy. However, languages expressed by these fragments are defined in abit different way: given an alphabet � , an � � �� formula � definesthe language

� � �*�� /�LK � � �#� � �1� 0F& �<� � ��& �

3.3.2 Fragments �� : Until-since hierarchyLet us recall that � � � denotes the fragment � � �� & � � �� .

The strictness of the until-since hierarchy has been shown in [EW00]with use of Ehrenfeucht-Fraısse game.

As the fragment �� coincides with �� , its decidability hasbeen given by Theorem 3.28 already. The decidability of all � � � fragmentsover strings have been proven in [TW02] with use of deep algebraic results.

Theorem 3.35 [TW02] For every R B � , the fragment � � � is decidable overstrings.

Authors of the theorem state that they can prove that fragments � � �and � � � are decidable also over � -words and it is possible that their prooftechnique can be generalized to higher levels of the until-since hierarchy.

3.3.3 Fragments � �� The hierarchy of �� fragments, also known as the next hierarchy ofrestricted temporal logic, has been studied in [Sch00]. The paper works onlywith languages over strings.

56 EXPRESSIVENESS

Two characterizations of � � � � �� fragments have been formulatedand proven. The first one employs the notion of R -rightdeterministic lan-guages while the second one gives a corresponding forbidden pattern.

Definition 3.36 Let � be an alphabet, R B � , � � , � � �� K,� � � , and� � �� . By �#� � � � � ��

�� we denote a language of all strings

�9KL� such that there exists a sequence of numbers � � A � " A � " ��;"A� " � � �satisfying for every ��? @� the following conditions6

� � � A 5��R $<& ��8�;5 ,� � � A �R:$<& � K � 5 for every A 5 " A " A 5 � , where A � � � � � � .

Further, a language of the form �#� � � � � ��

��

�� is called R -rightdeterministic if � ��/� K � �� R & and ��5CNK � 5 holds for every&O�? @� .

� ��

� � �

� ��

�

��

��

� �

Figure 3.8: Forbidden pattern for �� with side condition � �� VR .In particular, � � � for R � � (this is an exception to the definition ofpatterns saying that � ranges over nonempty strings).

Theorem 3.37 ([Sch00]) Let � be a regular language. The following statementsare equivalent:

1. � is definable by �� .2. � is a finite union of R -rightdeterministic languages.

3. The transition graph of the minimal DFA recognizing � � does not matchthe pattern depicted in Figure 3.8.

One can observe that the forbidden pattern for �� coincides with

the forbidden pattern for �� (see Figure 3.3). Moreover, it is easy toprove that the transition graph of a DFA does not match the pattern for�� (see Figure 3.4) if and only if there exists some R K � � such thatthe transition graph does not match the pattern for �� .

The characterization via forbidden patterns together with Theorem 3.21gives us the decidability of the hierarchy.

6We recall that �� denotes the subword �� .

3.3 NESTING FRAGMENTS 57

Corollary 3.38 For every R B � , the problem whether a language of strings givenby an �� formula can be expressed in � � � � � � � � � is � � � � �� -complete.

As in the case of Corollary 3.22, the � � � � �� -hardness can be proven byreduction of the satisfiability problem for �� formulae.

The characterization in terms of forbidden patterns is also applied inthe proof of the fact that the next hierarchy of restricted temporal logic issemantically strict.

We note that the paper [Sch00] provides also forbidden patterns forminimal DFAs recognizing directly a language under examination insteadof its reverse. Furthermore, analogous results are formulated for fragments�� , where the languages expressed by these fragments are definedin the way described at the end of Subsection 3.3.1.

3.3.4 Fragments � �� , � �� , and �� These fragments are studied in Chapters 5, 6, and 7. We here summarizethe main results regarding the hierarchies of the fragments under consid-eration.

The � � �� and �� hierarchies are strict. Further, thehierarchy of �� fragments is strict in the sense that a frag-ment �� is strictly less expressive than each of the fragments�� and �� . In fact, we show a bit stronger state-ment.

Theorem 3.39 Let �� and � be fragments of the form �� ,

�� or �� (not necessarily of the same form) such that � �is syntactically not included in � . Then there is a language expressible in ��which cannot be defined in � .

Given a finite alphabet, a fragment of the form �� definesonly finitely many languages. Hence, every such a fragment is decidable.A decidability of �� fragments is proven with use of -stuttering(for details see [KS02] dealing with languages of strings or Chapter 5 deal-ing with � -languages).

Theorem 3.40 For every B � , the problem whether a language (of finite orinfinite words) given by an �� formula can be expressed in �� is� � � � �� -complete.

Further, Chapter 6 provides a characterization of � -languages express-ible by �� in terms of characteristic patterns7.

7Please note that there is no connection to forbidden patterns.

58 EXPRESSIVENESS

3.4 Other fragments3.4.1 Hierarchy of temporal propertiesThis hierarchy has been presented and studied in [MP90b], [CMP92],and [CP03]. All these papers work with languages of infinite words only.

The characterizations of (canonical or standard) safety, guarantee, obli-gation, response, persistence, and reactivity fragments are based on thecorresponding classes of (not only LTL definable) � -languages. The def-initions of these classes employ four operators constructing � -languagesfrom languages of strings. Let � � �� be a language of nonempty strings.

� The language � � � � consists of all � -words � such that everynonempty prefix of � belongs to � .

� The language � � � � consists of all � -words � such that there exists aprefix of � that belongs to � .

� The language

� � � consists of all � -words � such that infinitely many

prefixes of � belong to � .� The language � � � � consists of all � -words � such that all but finitely

many prefixes of � belong to � .

Definition 3.41 An � -language � is

a safety property iff � � � � � � � for some � � � � ,a guarantee property iff � � � � � � � for some � �D� � ,

an obligation property iff � �� 5�� 5 � � � � � � �5 �� ,

where � �!� and � �5 � � �5 �8� for every ,a response property iff � �

� � � � for some � �D� � ,

a persistence property iff � �<� � � � � for some � �D�8� ,a reactivity property iff � �� 5��

� � �5 � � � � � � �5 �� ,

where � �!� and � �5 � � �5 �8� for every .

The classes of safety, guarantee, obligation, response, persistence, and re-activity properties are closed under intersection and union, the obliga-tion and reactivity classes are also closed under complementation. An � -language is a safety property if and only if its complement is a guaranteeproperty. The same relation holds for response and persistence propertiesas well. The inclusions between the classes are indicated in the hierarchydepicted in Figure 3.9, where an edge between two classes means that thelower class is a strict subclass of the upper class. Moreover, the obligationclass is exactly the intersection of the response and persistence classes.

3.4 OTHER FRAGMENTS 59

Streett

Reactivity

Persistence

co−Büchi

Response

Obligation

Occ. Streett

Safety

Occ. co−Büchi

Guarantee

Büchi

Occ. Büchi Büchi automataTerminal

WeakBüchi automata

GeneralBüchi automata

PSfrag replacements

� 2 �

� 2

2 � �

2 ��

Figure 3.9: The hierarchy of temporal properties.

We now explain the relations between these classes and (canonical andfuture) formulae of corresponding types. All the following statementshold for every �VK � safety, guarantee, obligation, response, persistence,reactivity & .

Theorem 3.42 ([MP90b, CMP92]) Let � be an LTL language of infinite words.The following statements are equivalent:

1. � is a � property.

2. � is definable by a canonical � formula.

3. � is definable by a future � formula.

Hence, every canonical � fragment is expressively equivalent to the corre-sponding future � fragment. Further, as every LTL language is known to beexpressible in the future reactivity fragment �� (see Corollary 3.4),we get that every � -language definable in LTL is a reactivity property. Thiscan be also derived from the following theorem.

60 EXPRESSIVENESS

Theorem 3.43 ([MP90b]) Every LTL formula is initially equivalent to a canoni-cal reactivity formula.

To sum up, every class of � -languages definable by (canonical or future)� fragment coincides with the corresponding class of � properties restrictedto LTL languages. The hierarchy in Figure 3.9 remains strict even under thisrestriction [MP90b].

The decidability of the considered LTL fragments is a consequence ofthe relations between the six property classes and six types of Streett au-tomata.

Definition 3.44 Let � � � � �� %$ � �� 6� � �

� � ��

� � & � be a determin-

istic Street automaton such that � & . Let � � � � � ��

� and � � � � .

For every $ %$ � K � we write �#$ %$�� K � instead of Q MK � such that $ � K � �#$ � � .The automaton � is

a safety automaton iff U $:K � %$ �DK � �#$ %$�� NK � ,a guarantee automaton iff U $4K %$ � K � � �#$ %$ � � NK � ,

an obligation automaton iff there exists a function �4�� R &such that:�#$ %$�� K � , ��#$ � � ��#$�� ,�#$'K � � $ �DK �� #$ %$ � � K � � , � �#$ �@" ��#$�� ,�#$'K � $��DK � � �#$ %$ � � K � � , � �#$ �@"ER ,

a response automaton iff � � � ,a persistence automaton iff

� �� .

Further, every deterministic Street automaton8 is a reactivity automaton.

Theorem 3.45 ([MP90b]) An � -regular language is a � property if and only if itis recognized by a � automaton.

Theorem 3.46 ([MP90b]) It is decidable whether an � -regular language (givenby a deterministic Streett automaton) is a � property.

The decidability of � fragments then follows from the fact that every� -language definable in LTL is � -regular and from the decidability of LTL.

Corollary 3.47 The canonical and future � fragments are decidable over � -words.

The paper [MP90b] presents an outline of translations from canonical �

formulae to � automata and from counter-free � automata to � formulae.8Here the acceptance set is not restricted to the form

� �� .


These translations are based on general constructions described in [LPZ85]and [Zuc86].

Another automata-based characterizations of � properties have beensuggested in [CP03] and are indicated in Figure 3.9.

Theorem 3.48 ([CP03]) An � -regular language is a safety, guarantee, obliga-tion, response, persistence, or reactivity property if and only if it is recognized by adeterministic occurrence co-Buchi, deterministic occurrence Buchi, deterministicoccurrence Streett, deterministic Buchi, deterministic co-Buchi, or deterministicStreett automaton respectively.

3.4.2 Until-release hierarchyThe until-release hierarchy has been defined and studied in [CP03]. Thehierarchy has a strong connection to the hierarchy of temporal propertiesdiscussed above.

Theorem 3.49 ([CP03]) An � -language definable by LTL is a safety, guarantee,response or persistence property if and only if it is definable by a formula of 2 � � ,� 2 � , 2 � , or � 2 respectively.

The relations are depicted in Figure 3.9 too.Further, the equality between LTL � -languages and reactivity proper-

ties definable in LTL (see Theorem 3.43), the definition of reactivity prop-erty, and the previous theorem give us the following.

Theorem 3.50 ([CP03]) An � -language is definable in LTL if and only if it isdefinable by a positive boolean combination of 2 � and � 2 formulae.

This statement directly implies that the hierarchy of 2 � 5 and � 2D5 fragmentscollapses.

Corollary 3.51 An � -language is definable in LTL if and only if it is definable byboth 2 � and � 2 .

The decidability of 2 � 5 and � 265 fragments over � -words is then a directconsequence of the Corollary 3.47, Theorem 3.49, Corollary 3.51, and thedecidability of LTL.

Corollary 3.52 For every , the fragments 2 � 5 and � 2 5 are decidable over infinitewords.

Another interesting aspect of this hierarchy is its connection to termi-nal and weak Buchi automata. It is easy to prove that an LTL � -languageis a guarantee or persistence property if and only if it is recognized by aterminal or weak Buchi automaton respectively. Moreover, automata ofthese types can be constructed directly from formulae of the correspondingfragments � 2 � and � 2 .

62 EXPRESSIVENESS

Theorem 3.53 ([CP03]) For every � -language given by a formula of � 2 � or � 2 one can construct a terminal or weak Buchi automaton recognizing the language,respectively.

The translation is a modification of the original construction of a Buchi au-tomaton for a given �� formula introduced in [WVS83]. Simi-lar modification has been presented in [Sch01] as well.

The theorem has some important consequences in the context of modelchecking. Recall that the property automaton (see Section 2.4) is a Buchi au-tomaton corresponding to negation of a given specification formula. Thus,specification formulae of 2 � � (defining safety properties) can be translatedto terminal property automata while specification formulae of 2 � (defin-ing response properties) can be translated to weak property automata.One can readily confirm that the type of a property automaton carries tothe corresponding product automaton. Several specialized algorithms (ex-plicit as well as symbolic) for non-emptiness check of weak and terminalBuchi automata have been proposed. The specialized symbolic algorithmshave lower asymptotic complexity comparing to general symbolic non-emptiness algorithms. Asymptotic complexity of the specialized explicitalgorithms is linear as in the case of general explicit algorithms. Neverthe-less, the specialized algorithms have still several benefits including a pos-sibility of employing some efficient heuristics, simpler implementations ofpartial order reductions, or possibility of better distribution. To stress thesignificance of the specialized algorithms, authors of [CP03] have studiedspecification patterns system [DAC99] – a collection of the most often verifiedproperties. They have calculated that safety properties (generating termi-nal property automata) comprise 41% and response properties (generatingweak property automata) comprise 54%9 of the properties in the collection.For more information about the specialized algorithms, their benefits, anddiscussion about the complexity of property type determination we referto [CP03].

Another characterization of the � -languages definable in 2 � 5 and � 2�5fragments is given in Subsection 7.3.2. The characterization is formulatedin terms of alternating 1-weak Buchi automata.

3.4.3 Deterministic fragmentThe fragment � �� have been introduced and studied in [Mai00] in thecontext of the properties (of Kripke structures) expressible in both LTL andCTL. As branching time logics are out of the scope of this thesis, we onlygive a brief and intuitive summary of the main results without providingany technicalities.

9The percentage refers to the response properties that are not safety properties.


In fact, the paper works just with ACTL, i.e. the fragment of CTL formu-lae which are in positive normal form and have no existential quantifiers.The fragment �� of ACTL is defined in a similar way as � �� . Thepaper proves the following results.

� An ACTL formula is expressible10 in LTL if and only if it is expressiblein �� .

� The problem whether a given ACTL formula is expressible in LTL ornot is � � � � �� -complete.

� An LTL formula is expressible in ACTL if and only if it is expressiblein �� .

It is known that the logics CTL and LTL have incomparable expres-sive power. Hence, the results mentioned above imply that the expressivepower of �� is strictly lesser than the expressive power of LTL. Thesame result can be achieved using the following characterization.

Theorem 3.54 ([Mai00]) An LTL formula � is expressible in �� if and onlyif there exists a 1-weak Buchi automaton recognizing the language � �*�� .Moreover, for every �� formula � there exists a 1-weak Buchi automa-ton of the size � �%�(�)� � recognizing the language � �*�� .

The paper [Mai00] also provides several references to other papers deal-ing with relations between LTL and CTL.

3.4.4 Flat fragmentThe fragment � � �� has been studied in [Dam99] (together with flatfragments of CTL and CTL � ). It has been shown that � � �� is strictlyless expressive than � � �� .Theorem 3.55 ([Dam99]) There exists an � � �� formula which is not equiv-alent to any formula of � � �� . Moreover, every �� formula is equiva-lent to a formula of � � �� .

Besides the expressive power, the paper studies also the distinguishingpower of flat fragments.

Definition 3.56 Let � �� be � -words and � be an LTL fragment. The words aredistinguishable by fragment � if there exists a formula � of � such that

� � � � if and only if � N� � ��10Here the expressibility is defined in a more general way; we say that a formula � of

CTL or LTL is expressible in a fragment/logic � if there exists a formula � of � such thatfor every Kripke structure � it holds that �� iff �� . The formal semantics of CTLcan be found e.g. in [Eme90].

64 EXPRESSIVENESS

Theorem 3.57 ([Dam99]) Let � �� be an � -words. The words are distinguishableby �� if and only if they are distinguishable by � � �� .

Decidability of � � �� fragment is an open question.

3.5 SuccinctnessThe previous sections give an overview of expressiveness results related toLTL and its fragments. In the following we present several results compar-ing formalisms with respect to their succinctness instead of the raw expres-sive power.

In Section 3.1 we argue that there is no reason to distinguish betweenLTL with modalities � and � and its syntactic supersets as they have thesame expressive power. However, their expressive power is different whenthe succinctness is taken into account.

In the light of the fact that �� and �� are expres-sively equivalent and with respect to the syntactic algorithm [Gab89]translating a formula of �� into an initially equivalent for-mula of �� , the past modalities are often dropped from the logic.However, there are good reasons not to do so. First, the satisfiabilityand model-checking are � � � � �� -complete for � � �� as well as for�� [SC85] (for more information about complexity issues seeChapter 4). Further, some specification formulae are easier to write usingthe past modalities as well [LPZ85]. This statement is formally justified bythe following theorem. The undefined term ‘exponentially more succinct’will be explained by the comment below the theorem.

Theorem 3.58 ([LMS02, Mar03b]) �� can be exponentially moresuccinct than � � � �� .

The proof introduces a parametrized �� formula � � ofthe size � � � such that the size of an initially equivalent formula � � of�� is in � �.� � � . Moreover, the formula � � has � �.� � � distinct sub-formulae, so it cannot be succinctly represented as a logical circuit (DAG).Further, � � is in fact a formula of �� and authors of the statementsay that the proof could be adapted to use a formula of �� .

Theorem 3.58 gives a lower bound of the succinctness gap. The up-per bounds are given by translations of �� formulae into�� . The size of the formulae produced by the Gabbay’s transla-tion [Gab89] is assumed to be nonelementary (it has not been characterizedprecisely so far). Better upper bound has been presented in [Mar03b]; us-ing the results of [LPZ85, MP90a, MP94] a formula of �� can betranslated into an initially equivalent �� formula of (at most) triplyexponential size.

3.5 SUCCINCTNESS 65

To sum up, the succinctness gap between LTL with future modalitiesand LTL with both future and past modalities is at least single exponentialand at most triply exponential. The precise characterization of this suc-cinctness gap is an open question.

The modality � can further improve the succinctness of �� .Theorem 3.59 ([LMS02]) �� can be exponentially more suc-cinct than � � � �� .Let us note that this is only a lower bound.

The following results compare the succinctness of LTL and other for-malism, namely first-order logic and automata over finite or infinite words.

Every LTL formula can be translated into a globally equivalent FOMLOformula of a linear size. However, FOMLO can be much more succinct thanLTL.

Theorem 3.60 ([Mey75, Sto74]) FOMLO can be nonelementarily more suc-cinct than � � � �� .To be more specific, Stockmeyer [Sto74] defines a sequence �*� � � of ��

formulae such that the size of � � is linear with respect to and ev-ery sequence � � � � of initially equivalent �� formulae satisfies

� � � � K �� , where �� .R�� denotes the “tower” � �� of theheight R . The theorem can be also proved using the fact that the satisfiabil-ity problem for � � �� is � � � � �� -complete while the satisfiabilityfor FOMLO is nonelementary [SM73].

In contrast to this result, formulae of �� can be translated into expo-nentially larger formulae of �� . Moreover, this translation isessentially optimal. In the following theorems �� *� � denotes the quanti-fier depth of a FOMLO formula � and � �� denotes the nesting depth ofall temporal operators in an LTL formula � .

Theorem 3.61 ([EVW02]) Every �� formula �� can be translated into aglobally equivalent � � �� formula � of the size ��

� � � ��

suchthat � �� E�� *�� .

Theorem 3.62 ([EVW02]) There is a sequence �*� � � of �� formulae with onepropositional variable such that the size of � � is � � � and every sequence � � � �of initially equivalent �� formulae satisfies � � � � K ��

��.

Similar results hold for �� " � and �� .Theorem 3.63 ([EVW02]) Every �� " � formula �� can be translated into aglobally equivalent �� formula � of the size � �

� � � ��

such that� �� *� � .

66 EXPRESSIVENESS

Theorem 3.64 ([EVW02]) There is a sequence �*� � � of �� " � formulae suchthat the size of � � is � � � and every sequence � � � � of initially equivalent�� formulae satisfies � � � � K � �

��.

Finally, we present some succinctness results regarding finite automata.

Theorem 3.65 ([VW94]) Every � -language defined by an �� for-mula � is recognized by a (nondeterministic) Buchi automaton with � �

� � � � states.

This upper bound on the size of the Buchi automaton is known to be tight.The translation of deterministic counter-free automata over finite words

into LTL given in [Wil99] yields the following upper bound.

Theorem 3.66 ([Wil99]) For every counter-free deterministic finite automatonover finite words there exists an �� formula � such that � defines thelanguage recognized by the automaton and the size of � is � � � � � �� , where is the number of states of the automaton and � is its input alphabet.

3.6 Additional notesThe overview of expressiveness, decidability, and succinctness results pre-sented in this Chapter is far from being complete. For example, we donot mention connections between some of the presented results and thedot-depth hierarchy (discussed for example in [TW98, Sch00]). We also omitthe definition and characterizations of liveness properties (see [CMP92] forsome references).

Many natural questions concerning the expressiveness of LTL frag-ments are still open. Some of them were formulated several years ago,for example:

� Can the decidability results based on forbidden patterns be adaptedfor � -languages?

� Is the fragment � � � � �� decidable?� What is the complexity of the problem whether a language given

by an � � �� formula is expressible in � � �� ? And whatis the complexity of the analogous problem for the fragment�� ? See Theorem 3.29.

These questions have been formulated in [EW00], [Dam99], and [TW98]respectively. Some questions have not been considered before and theymay be easy to solve, for example:

� Are the fragments ��

� � and ��

� �� decidable?

3.6 ADDITIONAL NOTES 67

� What is the complexity of the problem whether a language given bya nondeterministic Buchi automaton is expressible in LTL?

Further, numerous topics for future research can be found in the area ofnesting fragments as only several types of these fragments have been stud-ied.

Finally, there are many open questions about succinctness of variousLTL fragments. The most prominent one is the precise succinctness of�� in a comparison with �� (see Section 3.5).

Chapter 4

Complexity issues

In this chapter we deal with satisfiability, model checking, and modelchecking a path problems for various fragments of LTL. As all these prob-lems are decidable1, we focus on complexity2 of these problems. The chap-ter summarizes the results established or cited in [SC85, LP85, LPZ85, DS02,LMS02, EVW02, Mar04, MS03, Sch03]. The problems are considered in con-text of infinite words or paths.

First of all we define these three problems more precisely. Let � bea fragment of LTL.

Satisfiability. Satisfiability problem for � is the problem to decide whetherfor a given formula �2K � there exists an � -word � such that � � � � .

Model checking. In fact, two versions of this problem are considered inliterature. Up to now we have been discussing the problem whethera given formula �GK � and a given Kripke structure � satisfy � � �� , i.e. whether � is valid for all paths in the Kripke structure. Thisproblem is called the universal model checking for � .Let � � � � � � � � � be a Kripke structure and � a formula. We write� � � � � if there exists a path � � � � �� in � such that � � � � � and� � � � � � � � � � ��8� � � . The existential model checking for � is the problemto decide whether for a given Kripke structure � and a formula � K �it holds that � � � � � , i.e. whether � is valid at least for one path inthe Kripke structure.

Model checking a path. Model checking a path for � is the problem todecide whether a given formula � K � and given finite words � ��(where �8N�� ) satisfy �;� � � � � . In [MS03], the complexity of analo-gous problem for finite words is studied as well.

1We consider model checking of finite-state systems only.2We assume that the reader is familiar with basic terms of computational complexity

theory. We refer to books [Sip97, Pap94] for an introduction to this theory.

70 COMPLEXITY ISSUES

Research focused on computational complexity of LTL model checkingis usually working with existential version of the problem as it is closerto the satisfiability problem. However, the complexity of universal modelchecking can be derived from the complexity results on existential modelchecking as these two problems are dual in the following sense:

� � � � � if and only if � N� � ��Let � be a fragment closed under negation and existential model checkingfor � be in a complexity class � . Universal model checking for the frag-ment is then in complexity class �� 0 � . If � is not closed under negation,the complexity of universal model checking for � can be derived from thecomplexity of existential model checking for the fragment of negated �formulae. For example, universal model checking for � � � � 0 �� is ��

� � -complete as existential model checking for �� is � � -complete. Inthe following we concentrate on existential version of the model checkingproblem.

First, we sum up the complexity results for satisfiability and existentialmodel checking. Then we mention the complexity results of model check-ing a path. Together with various LTL fragments, the FOMLO fragments�� and �� " � are also studied in this chapter.

4.1 Satisfiability and model checkingComplexity of satisfiability and model checking problems for LTL frag-ments was systematically studied for the first time by Sistla and Clark ina conference version of [SC85] published in 1982. The paper shows thatwhile these problems are � � -complete for � � � �� and �� , they are� � � � �� -complete for �� , �� , �� , and � � �� (andalso for the extended temporal logic (ETL) [Wol83]). The � � � � �� upperbounds for existential model checking are achieved due to the followingtheorem.

Theorem 4.1 ([SC85]) Let � be a fragment subsuming �� or � � � �� .Existential model checking for � is polynomial-time reducible to the satisfiabilityproblem for � .

The proof of � � � � �� -completeness of the two problems for�� can be adapted for the fragment �� . A differentalgorithm deciding the satisfiability problem for �� with a bet-ter time complexity has been presented in [LPZ85].

In spite of � � � � �� -hardness, model checking of � � �� propertieshas proved to be feasible in practice. Several explanations of this fact hasbeen provided. A crucial observation formulated in [LP85] says that modelchecking is only linear in the size of a Kripke structure.

4.1 SATISFIABILITY AND MODEL CHECKING 71

Theorem 4.2 ([LP85, VW86]) Given a Kripke structure � � � � � � � � � anda formula � K � � �� , the model checking problem can be solved in time� �%� � � � � � �

� � � � , where � � � � � �<�=$E� ( �� is the number of states and edges inthe structure.

The exponential time complexity in the size of a specification formulais often annotated with arguments that specification formulae are usuallyshort and have very low nesting depths of modalities. Inspired by thisargumentation, Demri and Schnoebelen [DS02] have studied the theoreti-cal complexity of satisfiability and model checking for fragments with lownesting depth of all temporal modalities and/or bounds on the number ofatomic propositions occurring in a formula. Their results are rather nega-tive in the sense that the complexity of satisfiability and model checking forfragments �� , �� , and �� remains unchanged when werestrict the number of atomic propositions to two or bind the nesting depthof all temporal operators by two. On the other hand, the paper shows thatmodel checking for �� & � � is � � -complete while the same problem is� � � � �� -complete for �� . For more results see Table 4.1. The paperdevelops several logspace reductions of satisfiability, 3SAT, and QBF prob-lems to the model checking problem for the fragments studied there. Theflat versions of the considered fragments are studied as well. It is proventhat the flattening has no influence on the complexity of satisfiability andmodel checking.

We have already mentioned that the addition of past modalities � �to the fragment � � � �� does not change complexities of the consideredproblems. This observation brings a question whether allowing past coun-terparts of included future modalities has no influence on complexities ofthe considered problems in general. The results presented in [Mar04] sup-port an assumed positive answer. The paper studies the complexity ofsatisfiability and model checking for �� , �� , and positive(and stratified) fragments built with future and past modalities. For moreresults see Tables 4.1 and 4.2. The paper [Mar04] provides also complexitiesof universal model checking for the considered fragments.

Introducing the modality � the paper [LMS02] also demonstrates thatsatisfiability and model checking for �� are � � � � � � �� -complete. The influence of the temporal operator � on the complexity ofthe considered problems has been studied in [RP86]. Both satisfiability andmodel checking for �� are nonelementary.

The complexity of satisfiability problem for fragments �� , �� " � ,and �� has been studied in [EVW02]. Surprisingly, the problemis � � � � -complete for �� and �� " � (while it is nonelementary for ��

),

and � � -complete for �� . We now analyse the complexity of exis-tential model checking for these fragments.

Theorem 4.3 Existential model checking for �� is �� -complete.


Proof: The existential model checking problem for �� is polynomial-timereducible to the satisfiability problem for �� . The reduction is a straight-forward analogy of the reduction for � � �� described in [SC85] (seeTheorem 4.1). This gives us the upper bound.

We show that the existential model checking problem is � � � � -hardeven for the fragment �� which is smaller than �� . The fragment�� consists of all FOMLO formulae with at most two variables, oneunary predicate, and without the predicate " . The � � � � -hardness of exis-tential model checking for �� is a direct consequence of the followingtwo facts.

1. The satisfiability problem for �� is � � � � -hard [EVW02].

2. The satisfiability problem for a FOMLO fragment with the boundednumber of unary predicates is polynomial-time reducible to the exis-tential model checking problem for the fragment.3 Intuitively, givena FOMLO formula with unary predicates � � �� the re-duction creates a Kripke structure with paths corresponding to all � -words over alphabet �

�� . Hence, the formula is satisfiable

if and only if it is valid for at least one path in the structure. More-over, the Kripke structure has � � states and thus its size depends onlyon . �

Corollary 4.4 Existential model checking for �� " � is in � � � � .

Theorem 4.5 Existential model checking for �� is � � -complete.

Proof: The upper bound can be obtained by a slight modification of anal-ogous result for �� given in [Mar04]. The lower bound is a con-sequence of � � -hardness of existential model checking for �� estab-lished in [SC85]. �

Tables 4.1 and 4.2 give an overview of the complexity results obtainedor cited in the papers described above. The prefix ‘ � � � � ’ before a fragmentmeans that the complexity of satisfiability and model checking is the samefor the flat version of the fragment too. The tables are arranged according tothe modalities used in the fragments; Table 4.1 covers the fragments withfuture modalities only while the other fragments (together with ETL andsome FOMLO fragments) are contained in Table 4.2.

Let us note that complexities of satisfiability and existential modelchecking for many fragments not covered by the tables can be easily de-rived from the results summarized therein. For example, the two problems

3An analogous reduction for LTL fragments with the bounded number of atomic propo-sitions is given in [DS02].

4.1 SATISFIABILITY AND MODEL CHECKING 73

Fragment ( �� ) Satisfiability Existential MC� � �� -complete ��

�

� � � � -complete � � -complete� � �� -complete � � -complete� � �� -complete � � -complete� � � �� -complete � � -complete� � � � ��

� in � , � � -hard� � � � �� -complete� � � �� -complete � � -complete� � � � 0� � � -complete � � -complete� � � �� -complete � � � � �� -complete� � � �� -complete � � � � �� -complete� � � �� -complete � � -complete� � � �� -complete � � � � �� -complete� � � �� in � , � � -hard� � � �� -complete� � � �� -complete � � � � �� -complete� � �� -complete � � -complete� � �� -complete ��

� � -complete � � -complete� � � � � �� -complete � � -complete� � �� -complete � � � � �� -complete� � �� <& � � � � � � � �� -complete � � -complete� � �� <& � � � � -complete � � -complete� � � � ��

� � � � �� -complete � � � � �� -complete� � � � � �� & � � �

�� -complete

� � � �� -complete � � -complete� � � � 0 �� -complete � � � � �� -complete� � � �� -complete � � � � �� -complete� � � �� & � � � � � �� -complete � � � � �� -complete� � � �� & � � � � -complete � � -complete� � � �� -complete � � � � �� -complete� � � �� <& � � � � � -complete� � ��

�

� �� & � � � � -complete � � -complete

Table 4.1: Complexity of satisfiability and existential model checking.


Fragment/Logic Satisfiability Existential MC�� -complete � � -complete�� -complete � � -complete�� -complete � � -complete�� -complete � � � � �� -complete�� -complete � � � � �� -complete�� -complete � � -complete�� 0 � � � � -complete � � � � �� -complete�� -complete � � -complete�� 0�� -complete � � � � �� -complete�� 0 � � � � � -complete � � � � �� -complete�� 0� � � � � � -complete � � � � �� -complete�� -complete � � � � �� -complete�� 0 � � � � -complete � � � � �� -complete�� 0� � � � � -complete � � � � �� -complete�� -complete � � � � �� -complete�� -complete � � � � �� -complete�� -complete � � � � � � �� -complete�� nonelementary nonelementaryETL � � � � �� -complete � � � � �� -complete�� " � � � � � -complete � � � �� -complete � � � � -complete��

nonelementary nonelementaryFOMLO nonelementary nonelementary

Table 4.2: Complexity of satisfiability and existential model checking.

are � � -complete for �� as the fragment subsumes �� , it is sub-sumed in �� , and the problems are � � -complete for both ��and �� .

For more information on the complexity results of model checking forLTL, CTL, and CTL � (and their fragments) we refer to a nicely writtensummary [Sch03]. This paper contains all the basic definitions, theorems,and proof techniques used in the area together with references to manyrelated papers. Besides the results discussed in the paragraphs above,the paper also deals with complexities of the model checking problem for��

�

� � and ��

� �� & � � , and the complexity of symbolic model check-ing (where the size of Kripke structure is defined as a sum of sizes of itsparallel components).

The paper [Sch03] also recapitulates some basic results on program-complexity and formula-complexity of model checking. The last two termshave been defined in [VW86]. The program-complexity of model checking is

4.2 MODEL CHECKING A PATH 75

its complexity measured as a function of the size of a Kripke structure only.By analogy, the formula-complexity is measured in the size of a specificationformula only.

The program-complexity is connected with � � -complete problemwhether a given state is reachable in a given structure. The program-complexity of existential model checking for LTL with all the modali-ties defined so far is in � � as the problem reduces to reachability in thecorresponding product automaton. The reachability problem reduces tothe existential model checking problem for all the fragments subsuming�� . Hence, the program-complexity for these fragments is � � -hard.

The formula-complexity is not higher than the (standard) complexity.Further, for every fragment defined over a finite set of atomic proposi-tions �3� �� , the satisfiability problem reduces to existential model check-ing where the Kripke structure is fixed and generates all infinite wordsover � � . As satisfiability of �� or �� is � � � � �� -complete,the formula-complexity for all the fragments subsuming �� or�� is � � � � �� -hard. To sum up, the formula-complexity forall the fragments subsuming �� or �� and subsumed in�� is � � � � �� -complete. The formula-complexity of existentialmodel checking for �� is � � � � � � �� -complete [LMS02].

4.2 Model checking a path

Roughly speaking, the previous section shows that the model checkingproblem for all LTL fragments with “reasonable” expressive power is� � � � �� -hard. In contrast, model checking a path represents an interestingsubproblem with significantly lower asymptotic complexity. The problemhas been identified only recently by Markey and Schnoebelen in [MS03].

We recall that model checking a path is model checking of finite Kripkestructures with a single path. For brevity of notation, instead of Kripkestructures defining one (infinite) path we work directly with words of theform �;� � , where � �� K�� and � N� � . As CTL interpreted over linearstructures coincides with LTL, the problem whether a given formula �VK�� and a given words � �� satisfy �� can be solved in time� �%� �� (�)� � using the standard algorithm for CTL model checking of finite-state systems [CES86].

The paper [MS03] studies the same problem for other three LTL frag-ments and FOMLO as well. Table 4.3 provides an overview of the com-plexity results presented in the paper. For all the fragments occurring inthe table, the complexities in the middle column correspond to both exis-tential and universal model checking problems.

For some specialized algorithms solving the problem, more accurateevaluations of their complexity, and analogous results for model check-


Fragment/Logic Model checking Model checking a path�� -complete in �

�� -complete in �

�� -complete � -complete�� nonelementary � -completeFOMLO nonelementary � � � � �� -complete

Table 4.3: Complexity of model checking and model checking a path.

ing of compressed paths (defined by grammars) and finite paths, we referto [MS03].

Another algorithm solving the problem of model checking a path for�� formulae is presented in Subsection 6.2.2.

4.3 Additional notesSome of the papers cited in this chapter also deal with the complexity of va-lidity and universal model checking, or provide more detailed complexityanalyses.

The subject area of this chapter still suggests several open questions.The most prominent ones correspond to the lines in Tables 4.1, 4.2, and 4.3where the lower bounds do not match the upper bounds. More precisely,open questions are whether the existential model checking problems for�� , �� , and � � �� are � -complete or they are in a lowercomplexity class. Further, the paper [EVW02] contains a question whethersatisfiability for �� " � (fragment of �� " � formulae with at most unarypredicates) remains �

� � � -hard. A positive answer would imply �� -

hardness of existential model checking for �� " � . The most importantopen questions regarding model checking a path are connected with thecomplexity of this problem for �� and �� . The bestknown algorithms work in polynomial time, but there are no reasonablelower bounds. The authors of [MS03] mention that they have been unableto prove even � -hardness for � � �� or to find a better (memory-efficient or parallel) algorithm even for model checking of finite paths for�� . However, they conjecture that the problems are not � -hard.

Finally, we note that there are still some interesting LTL fragmentswhich have not been studied in context of the satisfiability and modelchecking problems at all. For example, the complexity of these problems for��

�

� �� can be of a particular interest as this fragment subsumes �� and � � ��

�

� � (where these problems are � � -complete) and is subsumed in�� (where these problems are � � � � �� -complete).

Chapter 5

Stuttering principles

This chapter presents the results originally introduced in papers [KS02,KS04, KS05b].

More than twenty years ago Lamport [Lam83b] argued that the valid-ity of �� formulae does not depend on numbers of adjacent copies ofletters in a word. This observation is called stuttering principle. Later thisprinciple became one of the cornerstones of partial order reduction meth-ods. In the following section we recall the stuttering principle and extendit to general �� formulae. Roughly speaking, the general stut-tering theorem says that under certain ‘local-periodicity’ conditions (whichdepend on � and ) one can remove a given subword � from a given word� without influencing the (in)validity of �� formulae (we saythat � is � � � -redundant in � ). In order to give some intuition for generalstuttering, we define other two stuttering principles: letter stuttering (alsoknown as -stuttering) connected with nesting depth of � operators, andsubword stuttering associated with formulae without � operator and withgiven bound on nesting depth of � operator.

Peled and Wilke [PW97a] have proved that if a language definable byLTL is closed under stuttering (i.e. it does not distinguish between wordsthat are the same if we remove all adjacent copies of letters in the words)then the language can be defined even by an LTL formula without any �operator. In Section 5.2 we prove that every LTL language closed under -stuttering can be defined in �� . Further, we show that generalstuttering can be used for characterization of � -regular languages that aredefinable in LTL.

Section 5.3 provides several theoretical applications of general stut-tering theorem. The section addresses some basic problems regardingthree hierarchies of LTL fragments, namely �� , and�� . In particular, the following problems seem to be among themost natural ones:Question 1 Are those hierarchies semantically strict? That is, if we increase

78 STUTTERING PRINCIPLES

� or just by one, do we always obtain a strictly more expressivefragment of LTL?

Question 2 If we take two fragments � � � in the above hierarchieswhich are syntactically incomparable (for example, we can consider�� and �� , or � � � ��

�� and �� ), are

they also semantically incomparable? That is, are there formulae�� K � and � �� K � � such that � �*�� is not expressible in � � and� �*�� is not expressible in � ?

Question 3 In the case of �� hierarchy, what is the semantic in-tersection of �� and � � �� ? That is, what lan-guages are expressible in both fragments?

We provide (positive) answers to Question 1 and Question 2. Here theresults on the �� hierarchy seem to be particularly interesting.As for Question 3, one is tempted to expect the following answer: The se-mantic intersection of �� and �� is exactly the setof languages expressible in �� , where � � � �� & and � � �� & . Surprisingly, this answer turns out to be incorrect. For all�B & , B � we give an example of a language � which is definable both

in �� and � � �� , but not in � � �� . This showsthat the answer to Question 3 is not as simple as one might expect. It isworth mentioning here that the class of languages expressible in both frag-ments �� and � � �� is decidable as these fragmentsare decidable (see Subsection 3.3.4). In fact, we are looking for an answerproviding us better insight into expressiveness of � � �� fragments.

The results concerning Question 1 are closely related to the work ofEtessami and Wilke [EW00]. They prove the strictness of until hierarchy(see Subsection 3.3.1) in the following way: First, they design an appro-priate Ehrenfeucht-Fraısse game for LTL (the game is played on a pair ofwords) which in a sense characterizes those pairs of words that can be dis-tinguished by LTL formulae where the temporal operators are nested onlyto a certain depth. Then, for every R B & they construct a language �� definable by a �� formula and prove that this particular lan-guage cannot be expressed by any formula from � � �� . Here theprevious results about the designed EF game are used. Since the formuladefining �� contains just one � operator and many nested � and� operators, this proof carries over to our �� hierarchy. In fact,[EW00] is a ‘stronger’ result in the sense that one additional nesting levelof � cannot be ‘compensated’ by arbitrarily-deep nesting of � and � . Onthe other hand, the proof does not allow to conclude that, e.g. ��

��

contains a formula which is not expressible in � � �� (because the for-mula defining � � �� contains the nested � modalities).

5.1 A GENERAL STUTTERING THEOREM 79

Our method for solving Questions 1 and 2 is different. The general stut-tering theorem gives us a simple (but surprisingly powerful) tool allowingto prove that a certain formula � is not definable in �� . The prin-ciple is applied as follows: we choose a suitable alphabet � , consider thelanguage � � �*�� , and find an appropriate � K � � �*�� and its subword �such that

� � is � � � -redundant in � ;�!� � N� � � where � � is obtained from � by deletion of the subword � .

If we manage to do that, we can conclude that � is not expressible in�� .

Using this tool, the proofs of answers to Questions 1 and 2 are remark-ably short though it took us some time to find appropriate formulae whichwitness the presented claims. It is worth noting that some of the knownresults about LTL (e.g. the formula ‘ 0 ’ is not definable in LTL) admit aone-line proof if our general stuttering principle is applied.

In section 5.4 we indicate that the general stuttering principle has thepotential to improve the partial order reduction methods.

The last section of this chapter contains additional notes about stutter-ing including the situation on finite words.

5.1 A general stuttering theoremIn this section we formulate and prove the promised general stuttering the-orem for � � �� languages. General stuttering combines and extendstwo independent principles of letter stuttering ( -stuttering) and subwordstuttering, which are applicable to the �� and ��

�� frag-

ments of LTL, respectively. We start by explaining these two principles inSection 5.1.1 and Section 5.1.2. This material has been included for tworeasons. First, the two simplified principles are interesting on their own.In Section 5.2.1 we present special results about letter stuttering which donot hold for general stuttering. Secondly, the remarks and proof sketchesgiven in Section 5.1.1 and Section 5.1.2 should help the reader in gainingsome intuition about the functionality and underlying principles of gen-eral stuttering.

5.1.1 Letter stuttering ( � -stuttering)Letter stuttering is a simple generalization of the well-known principle ofstutter invariance of ��

�� formulae [Lam83b] saying that ��

��

formulae cannot distinguish between one and more adjacent occurrencesof the same letter in a given word. Formally, a letter � �# � of an � -word � iscalled redundant if � �# � � � �# H$ & � and there is A �< such that � �# �4N� � � A � .


The canonical form of � is the � -word obtained by deletion of all redun-dant letters from � . Two � -words � �� are stutter equivalent if they have thesame canonical form. A language is stutter closed if it is closed under stutterequivalence.

Theorem 5.1 ([Lam83b]) Every � � �� language is stutter closed.

Intuitively, it is not very surprising that this principle can be extended to�� formulae (where K � � ). The so-called -stuttering is based ona simple observation that �� formulae cannot distinguish between $:& and more adjacent occurrences of the same letter in a given � -word.Formally, a letter � �# � is -redundant if � �# � � � �# D$,& �� # $ 9$,& �and there is some A �? such that � �# �PN� � � A � . The -canonical form, -stutterequivalence, and -stutter closed languages are defined in the same way asabove.

Theorem 5.2 ( -stuttering) Every �� language is -stutter closed.

Proof: The theorem can be proven directly by induction on . Since it is aconsequence of Theorem 5.9, we do not give an explicit proof here1. �

Theorem 5.2 can be used to show that a given property is not expressiblein �� (or even in LTL). The following corollary is an evidence ofthis statement.

Corollary 5.3 The languages �� - � � � � � and � � � � �"& � are not defin-

able in LTL.

Proof: These languages (already mentioned in Example 3.13) are standardexamples of � -regular languages that are not definable in LTL, i.e. not star-free.

We start with language �� . For the sake of contradiction, let us assume

that there exists a formula � K �� such that ��

� �� *�� . Then

� K �� where � � -depth �*�� . Theorem 5.2 implies that �� is

-stutter closed. This is a contradiction as words � � �- � � � � and � ��- � � � � are -stutter equivalent and � K �

� while �8NK �� .

The proof for � is analogous. Again, we assume that the language isexpressible in LTL. Hence, there is K � � such that � is expressible in�� . Theorem 5.2 gives us that � is -stutter closed. This is nottrue as � -words � � �I � K � and � �I � NK � are -stutter equivalent.�

Let us recall that the language � can be defined by a formula ‘ 0 ’ withthe meaning that holds at every even position [Wol83].

1A direct proof of Theorem 5.2 is of course simpler than the proof of Theorem 5.9. It canbe found in [KS04].


5.1.2 Subword stutteringSince letter stuttering takes into account just the � -depth of LTL formulae, anatural question is whether there is another form of stutter-like invariancedetermined by the � -depth of a given LTL formula. We provide a (positive)answer to this question by formulating the principle of subword stuttering,which is applicable to ��

�� formulae (where �

B & ). The term ‘sub-word stuttering’ reflects the fact that we do not necessarily delete/pumpjust individual letters, but whole subwords. The essence of the idea is for-mulated in the following claim:

Claim 5.4 Let � K �� where �

B & . For all � ��!K � � and � K � �we have that � � � � � � � � iff � � � � � � � .

In other words, �� cannot distinguish between � and more ad-

jacent occurrences of the same subword � in a given word. Note that thereare no assumptions about the length of � .

Claim 5.4 can be easily proven by induction on � . We just sketch thecrucial part of the argument (a full proof is in fact contained in the proof ofTheorem 5.9). Let us suppose that � � � �� , where � ��CK ��

�� .

We want to show that � � � � � � � � iff � � � � � � � . We concentrate just onthe ‘ � , ’ part (the other direction is similar). By induction hypothesis, thefollowing equivalences hold for all � �� " � � �1� :

�#� � ��S� � � � � � iff �#� � ��S� � �� (5.1)�#� � ��S� � � � �� iff �#� � ��S� � �� (5.2)

Let � � � � � � � � �� . Then there is A K � � such that �#� � � � � � � � �� and�#� � � � � � 5 � � � for all � � " A . If A " � � �1� , we immediately obtain� � � � � � � �� by applying (5.1) and (5.2) above. If A B � � �1� , we can imaginethat the word � � � � was obtained from � � � � � by deletion of the first copyof � (from now on, we denote the R

��copy of � in � � � � � by � � R � ). The

situation is illustrated by Figure 5.1. Realize that the (in)validity of � andPSfrag replacements

�

� �

��

Figure 5.1: Intuition for proof of Claim 5.4.

� for any suffix of � � � �/� �� )��S� � � $'&�� is not influenced by deletion ofthe � � &�� subword ( �� contains only future modalities). That is, it


PSfrag replacements

� ��

��

�� letters

Figure 5.2: Illustration of the first condition of Claim 5.5.

suffices to show that for each suffix � � of � we have that � � � � � � � � �implies � � � � � � � � . However, this follows from (5.1) above.

The principle of subword stuttering, as formulated in Claim 5.4, is quitesimple and intuitively clear. Now we refine this principle into a strongerform.

Claim 5.5 Let �EK �� where �

B � . For all � � K � � , � K � , and� K � � such that� � � � � �� 0 � $8& and� is a prefix of � �

we have that � � � � � � iff � � � � � .

The structure of � � � can be illustrated by Figure 5.2. In other words,the � subword has to be repeated ‘basically’ � $1& times as in Claim 5.4, butnow we can ignore the last � 02& letters of � � &�� 3$!&�� . Note that thereis no assumption about the length of � ; if � is ‘short’ and � is ‘large’, it canhappen that the last � 0O& letters actually ‘subsume’ several trailing copiesof � .

Claim 5.5 can also be proven by induction on � . Again, we concentratejust on the crucial step when � � � �� and � ��4K � � � ��

�� . We only

show the ‘ � , ’ part (the other direction is similar). So, let � � � � � � �� .Then there is A K � � such that �#� � � � � � � � and �#� � � �)5�� for all � �? "A . We distinguish three possibilities (the first two of them are handled inthe same way as in Claim 5.4):

(i) A " � �8� . To prove that � � � � � �� , it suffices to show that for everysuffix � � of � we have that

– � � � � � � � implies � � � � � � ,– � � � � � �� implies � � � � �� .

However, this follows directly from induction hypothesis.

5.1 A GENERAL STUTTERING THEOREM 83PSfrag replacements

� �

� ��

��

�

��

Figure 5.3: Situation in case �# 7 � of the proof of Claim 5.5.

(ii) A9B � � �1� . First, realize that the (in)validity of � and � for any suffix of � is not influenced by deletion of the � subword. Hence, it sufficesto show that � � � � � � � implies � � � � � � for each suffix � � of � . Thisfollows from the induction hypothesis in the same way as in (i).

(iii) � � �� A " � � �� . This requires more care. A key observation is that theword � � � can be seen as � � � � � � � � � � , where � � �*� � A , � � � � � � �1� ,and � �*� � � 8� $ � �8� 0 � � � � . Figure 5.3 depicts the situation. Due to theperiodicity of we have that �� G� � � � . Hence, it suffices to showthat � � � � � and � � � � � � � � for every nonempty suffix � � � of � � . Weknow that � � � � � �� and � � � � � � � � � � ; so, if � is ‘sufficiently long’, wecan use induction hypothesis to finish the proof. That is, we need toverify that � � � B � � �*� � � � 0P& �=0 � � 0P& � $>& , but this follows immediatelyfrom the known (in)equalities � � �)�� $ � � ��0 � � � � , � � � �)�� 1� , and� � � � � � � �=0 � �1� .

5.1.3 General stuttering

In this section we combine the previously discussed principles of letterstuttering and subword stuttering into a single ‘general stuttering theorem’which is applicable to � � �� formulae.

Definition 5.6 Let � be an alphabet and � K �� .� A subword � �# A � of a given � K�� is � � � -redundant if the word� �# J$ A � �

A 0 � $<&@$ � is a prefix of � �# A � � .� The relation � � � � � �@� � �� is defined as follows: � � � � � � iff � can be ob-

tained from � by deletion of some (possibly infinitely many) non-overlapping� � � -redundant subwords. The � � � -stutter equivalence is the leastequivalence over � � subsuming the relation � � � � .

� A language � � �@� is � � � -stutter closed if it is closed under� � � -stutter equivalence.


PSfrag replacements

� ��periodic pattern��

�� letters

� letters

Figure 5.4: Structure of an � -word with an � � � -redundant subword.

The structure of an � -word � with an � � � -redundant subword � �# A �is illustrated by Figure 5.4. The � �# A � subword has to be repeated ‘basi-cally’ �E$L& times but we can ignore the last � �<0>& � 0 letters (if � �<0>& � 0 is negative, we must actually prolong the repetition ‘beyond’ the � $ &copies of � �# A � – see Figure 5.4). Note that there are no assumptions aboutthe sizes of � , , and A .

Our goal is to prove that the (in)validity of �� formulae is notinfluenced by deleting/pumping � � � -redundant subwords. First, let usrealize that this result is a proper generalization of both Theorem 5.2 andClaim 5.5. If we compare the ‘periodicity assumptions’ of Theorem 5.2,Claim 5.5, and Definition 5.6, we can observe that

� a letter � �# � is -redundant iff it is consecutively repeated at least $>&times. That is, � �# �� is -redundant iff � �# �$ & $ & � is a prefix of� �# /& � � . For every � K � � we get that � �# �� is -redundant iff � �# /& � is� � � -redundant as � �# $ & $ & �� # $ & � � &�0 �!$ & $ � . In otherwords, the notion of -redundancy coincides with � � � -redundancyfor subwords of length 1.

� the condition of Claim 5.5 matches exactly the definition of � � �� -redundancy.

Before formulating and proving the general stuttering theorem, weneed to state two auxiliary lemmata.

Lemma 5.7 Let � be an alphabet, � K � � , and � K � � . If a subword � �# A � is

�# � � � � -redundant then it is also � � � � � -redundant for all � � � �6� � and� � � � .

�# � � � 9$,& � -redundant then the subword � �# D$,& A � is � � � -redundant.

�# 7 � � � $?& � -redundant then the subword � �# S$ R A � is � � � -redundant forevery �'�ER>" A .


Proof: �# �� follows immediately as A � � implies � � �A 0 � �6$ &O$ �4�

� �A 0 � $ & $ . �# 7 � is also simple – due to the � � $:& � -redundancy of� �# A � we know that the subword is repeated at least on the next � �

A 0� $ ��$ letters. Hence, the subword � �# )$'& A � is repeated at least on thenext � �

A 0 � $ & $ letters and thus it is � � � -redundant. A proof of�# 7 � is similar; if � �# A � is repeated on the next � � $4& � �

A 0 � $ letters,then the subword � �# )$ R A � (where � � R " A ) is repeated on the next� � $:& � �

A 0 � $ 08R � � �A 0 � $ $ A 0<R letters, i.e. � �# )$PR A � is

� � C$ A 02R'08& � -redundant. The � � � -redundancy of � �# %$OR A � followsfrom �# � and R>" A . �

Lemma 5.8 For all �B & , B � , and all � ��<K2� � such that � � � � � � there

exists a surjective function �3� �� 0 � � such that

�# � for all � ��<K � � , where �2� �,"�� , there exists � � � �" � such that� � � � �� ,

�# � for each �OK � � we have that � � � � �� .Proof: Let �

B & , B � and � �� KV� � such that � � � � � � . Let � �� # � A � � � �# � A� � �� be the (finite or infinite) sequence of non-overlapping

� � � -redundant subwords which were deleted from � to obtain � (weassume that � " � " �� ). We say that a given �!K � � is covered by asubword � �# � A � � of � if � � �2� � $ A � 0P& . For each such � we furtherdefine �� <� �@$ A � and �� <�� 0 � $ & . If � is not covered by anysubword of � , we put �� <� and �� . The set of all � ’s that arecovered by the subwords of � is denoted �� . For each �CNK�� , by� � �� we denote the total length of all subwords of � which cover someRT�� .

The function � is defined as follows:

� � � ��0 �� if �'NK �� otherwise.

Figure 5.5 provides an example of a function � .In particular, note that uncovered letters of � are projected to the

“same” letters in � , and covered letters are in fact mapped to uncoveredones by performing one or more jumps of possibly different length. Alsonote that � is not monotonic in general.

First we show that � is well-defined, i.e. for each � K �� there isREK � such that �� MNK�� (here �� denotes �� applied R -times). This is an immediate consequence of the following observation:

For each �PK �� there is RMK � such that �� "�� .


PSfrag replacements

� �

� �

� � 5 � � � � � � � 5 � � � � � � � 5 � � � � � � � 5��

Figure 5.5: An example of a function � constructed in the proof ofLemma 5.8.

Proof of the observation: First, let us realize that �� B � � � �� forevery �9K �� . Now assume that the observation does not hold. Thenthere is �<K �� such that �� for every R K � .Let � �# � A � � be the subword of � covering � , and let � � be the sequenceobtained from � by removing the first $ elements. Since �� :�� for every R K � , all subwords of � � are adjacent and the lengthof each of them is at least �� . Hence, each � � B � is covered by somesubword of � � , which contradicts the assumption that � is infinite.

Proof of �# � : First we show that for every � K � � we have that � � �@$<& � �� $V& . Let us assume that there is some � �PK � � such that � � � ��$3& � �� $V& , and let RGK � � be the least number such that � � �� iseither uncovered or satisfies � �� $ & � � � �� $ & . Observethat such a R must exist, and that � satisfies � � �$ & � � � � � � $ & (otherwisewe get a contradiction with the minimality of R ). Now we distinguish twopossibilities:

� � � � � �$ & �:� & . Let � � � be the least uncovered index greater or equalto �O$ & . It follows easily from the definition of � that � � �P$ & � �� . Hence, � � � � is either equal to � � � $ & � 0 & (if �?NK �� ), orgreater or equal to � � � $ & � (if �OK �� ). Again, this contradicts theassumption that � � ��$<& � � � � � � $<& .

� � � � � �@$ & � B � . Then � �@$ & are covered by the same subword of � .By applying the definition of � we obtain � � � �� and � � � $& �� $9& �� . Moreover, �� $9& �� $9& because � � $& are covered by the same subword of � . If �� $ & � equalsto � or & , we derive a contradiction using the arguments of previouscases. If � � � �� $ & � B � , we have that �� K �� , hence� �� I$ & � � � �� $9& due to the assumption adopted above.Altogether, we derived a contradiction with � � � $,& � � � � � �H$8& .

Now we are ready to finish the proof of �# �� . Let us assume that �# � doesnot hold, and let � K � � be the least number such that �# �� is violated for� and some �3� � " � � � � . Clearly � � � , because � �-�� . Further,


� � � 0G& � B � � � � 0 & due to the claim just proved. This means that either� � � 0 & �� , or � 0 & also violates �# � . In both cases we have a contradictionwith our choice of � .

Proof of �# � : We show that � � � � �� for each �FK � � . We proceedby induction on �� .Basis. �� . This means that � NK �� . Clearly � � � � � � � � � � �because � � � � � is obtained from � � by deletion of all those subwords� �# � A � � of � such that � � � . Hence, we also have � � � � �� by

applying Lemma 5.7 �# �� .Induction step. Let �� and let R3K � be the least number such

that �� >" �� . To simplify our notation, we put � � �� . Clearly � � � � � � � � � � by definition of � . By induction hy-pothesis we have that � � � � � � � � � � � � � � � . Hence, it suffices to showthat � � � � �J0�� is a sequence of � � 0P& � -redundant subwords. Letus assume that � is covered by � �# � A � � . Consider the sequence ofsubwords � �# � A � � �� # � � �� A � � �� 7�From the minimality of R we obtain that these subwords are adjacentand the length of each of them is at least �� . Hence, � � � � � 0 � � canbe seen as a sequence of words

� �# � $ � � � � � �I0 & A � � �� # � � �� $�� I0 & A � � �� 7�Moreover, each of these words is � � 0 & � -redundant byLemma 5.7 �# � . �

Theorem 5.9 (general stuttering) Every �� language is � � � -stutter closed.

Proof: Let � ?K � � and �EK �� . It suffices to prove that for all� ��2K �@� such that � � � � � � we have that � � � � � , � � � � . We proceedby a simultaneous induction on � and (we write � � � � � " � � � iff� � � � and � " , or � � " � and � � ).Basis. � � � and � � . Let � �� K �@� be � -words such that � �

� � �� . Let � denote the sequence of non-overlapping �-�� -redundantsubwords � � � �# � A � � � �# �

A� � �� which were deleted from � to

obtain � (we assume that � "< � " �� ). Since �� formulae

are just ‘Boolean combinations’ of letters and , it suffices to showthat � �-�� -�� . If � � � then it is clearly the case. Now let � � � ,and let R K � � be the least number such that the subwords � �# �

A� �and � �# � �

A� � � are not adjacent (i.e. � � �8 � $

A� ). Hence, ��-�� # � $

A� � and �-�� -redundancy of the subwords in � implies that

� �-�� # � �� # � �� # �� # � ��

� �# � $A� ��<��-��7�


Induction step. Let � GK � � , and let us assume that the theorem holdsfor all � � � such that � � � � �C" � � � . Let � �� K �@� be � -wordssuch that � � � � � � , and let � � � �# � A � � � �# �

A� � �� ( � " � "�� ) be the sequence of non-overlapping � � � -redundant subwords

which were deleted from � to obtain � . We distinguish four possibil-ities:

� � K �� for some � � � � � " � � � . Since every� �# A � from � is � � � � � -redundant by Lemma 5.7 �# �� , we justapply induction hypothesis.

� � � �� . We need to prove that � � � � �� , � � � �� . By

induction hypothesis, � cannot distinguish between � � 0 & � -stutter equivalent � -words. Hence, it suffices to show that�� . If � �E� , then � � �#

� 0!& A � � � � �# � 0E& A� � �� # 0& A � �� are � � � -redundant and due to Lemma 5.7 �# � they

are also � � @0F& � -redundant. Moreover, � � can be obtained from�� by deletion of these subwords.

If � � � , then let R K � � be the least number such that the sub-words � �# �

A� � and � �# � �

A� � � are not adjacent. The � -word

� � can be obtained from �� by deletion of the subwords

�� # � A � � �� # �

A� � �� # � � 01&

A� � �

�� # � 01& A � � ��

The subwords � � �# � A � � � � �# �

A� � ��

�� # �

A� � are � � 0 & � -

redundant by Lemma 5.7 �# � , and the other subwords are� � M0E& � -redundant by applying Lemma 5.7 �# � .

� �� . By induction hypothesis, � �� cannot distinguishbetween � � 0P& � -stutter equivalent � -words. Let � be thefunction of Lemma 5.8 constructed for the considered � � ��(i.e. � � � � �� for every �OK � � ).Now we show that if � � � � � � then also � � � � � � . If � � � � � � ,there is � B � such that �� and for every �T" � we have that�� . By induction hypothesis we get � � � � � � � � . Further, forevery � �J" � �-� � there is �9"E� such that � � � �� . By Lemma 5.8,for every � � " � �-� � there is �T"E� such that �� ,� � �and hence � � � � � � . Altogether, we obtain that � � � � � � .Similarly, we also show that if � � � � � � then � � � � � � . If � � �� , there is � B � such that � � � � � and for every �C"!� we havethat � � � � � . Let � � be the least number satisfying � �-� � ��<� (thereis such a � � because � is surjective). Then � � � � � � by inductionhypothesis. From the definition of � we get that for every � �J"!� �it holds that � � � � � " � �-� � � � � (otherwise we would obtain acontradiction with our choice of � � ). Thus, �� and hence� � � � � � .

5.2 STUTTERING AS A SUFFICIENT CONDITION 89

� � is a ‘Boolean combination’ of formulae of the previous cases.Formally, this case is handled by an ‘embedded’ induction onthe structure of � . The basic step (when � is not of the form �5�or � � � ) is covered by the previous cases. The induction step( � � �1� or � � � � � where we assume that our theorem holdsfor � �� ) follows immediately. �

5.2 Stuttering as a sufficient condition

In Section 5.1 we have shown that formulae of certain LTL fragments areinvariant under certain forms of stutter equivalence of � -words. These re-sults (Theorem 5.2, Claim 5.4, Claim 5.5, and Theorem 5.9) were formulatedas “pumping lemmata”, i.e. necessary conditions which must be satisfiedby languages of the respective LTL fragments. In this section we show thatcertain forms of stutter invariance together with some additional assump-tions in fact characterize certain LTL fragments.

5.2.1 Letter stuttering

It has been proved by Peled and Wilke [PW97a] that every LTL lan-guage closed under stuttering is definable in ��

�� . This proof can

be straightforwardly generalized to -stuttering. Hence, every -stutterclosed LTL property is definable in �� . For the sake of complete-ness, we present this proof explicitly. (Later we formulate further observa-tions which refer to technical details of this proof.)

Theorem 5.10 Let � � � � . The following conditions are equivalent:

(a) � is definable in �� .

(b) � is definable in LTL and -stutter closed.

Proof: The �- � � , �.� � direction follows from Theorem 5.2. We prove theopposite direction. Given an �� formula � and K � � , we con-struct an �� formula � � �*� � and prove that the following observa-tion holds for every alphabet � .

� � �*� � is -stutter closed if and only if � � �*�� *�� .

This is sufficient as every LTL language is definable in �� due toCorollary 3.4.

Let � be the set of letters occurring in � . We set � � �� . Further,

for all K � and �3� we define formulae �� , ��, � � � � , and � � � � � as


follows:�� , �

�� , � � �

��

��

��< � � �

��

� � ��

Observe that

� -depth �� -depth ��

�� -depth �� -depth �� 8 %�

The translation � � �*�� is defined inductively on the structure of � :� � � �- ��8 � � � �*�5� ��

� � � �?+ �� , where� � � � � � 01� � +

�

�� 0 ��8� � � � � �

and

��

�� 5 � � �� 7� � � � +

�

�� 7�

The subformulae �� and � � � 7� � � � of �� are constructed asfollows:

��

��, � ��

�� if �

��

�� < � ��

�� if 5� $4&

�� 7� � � �� if ��

� � � � � � � � � � �� if 1� $:&

One can readily confirm that the � -depth � � � �*� �� equals . We need to provethat if � � �*�� is -stutter closed, then the languages � � �*�� and � � � � � �*� ��are the same (the other implication follows directly from Theorem 5.2).Since � and � � �*�� cannot distinguish between letters which do not belongto � , we can assume that � � � � � � & , where �1NK � represents all lettersnot occurring in � .

As both � � �*� � and � � � � � �*�� are -stutter closed (in the latter case weapply Theorem 5.2), it actually suffices to prove that � and � � �*�� cannotbe distinguished by any -stutter free � -word � K � � (an � -word � is -stutter free if � has no -redundant letters). That is, for every -stutter free� K8� � we show that � � �� iff � � � � � �*� � . We proceed by induction onthe structure of � . All subcases except for � � �� are trivial. Here wedistinguish two possibilities:


�!� � � for some K � . Then ��

� and thus we get � � � ��iff � � � � � iff � � � � � � � � � (by induction hypothesis) iff � � � � � � � � .Hence, this subcase is ‘covered’ by the formula � � � � saying that � isof the form � and that � � � � � holds (the particular case when � � � �corresponds to 01� � ).

�!� �, 5 � � where �� K � , N�<� , &P�? � 9$<& , and �2K � � .Let us first consider the case when 4� � . Then 5 � � � � �� iff 5 �� iff 5 �� (we use induction hypothesis). If @� , then thelast condition is equivalent to 5 � � � � � � � � � �3� � � �� .If �� $:& , then the condition is equivalent to � �� . In both cases, the resulting formula correspondsto �� 7� � � �� .The case when 9K � is handled similarly; we have that 5 � � � � �� iff 5 �� iff 5 �� (by induction hypothesis). If �� thenthe last condition equals 5 ��

��L � ��

�� . If ��

$:& then the condition equals � � � � � � ��

��

�� .

Anyway, the resulting formula corresponds to �� .To sum up, the case when � �< 5 � � is ‘covered’ by the formula �� .�

In general, the size of � � �*�� is exponential in � -depth �*�� . However, thesize of the circuit2 representing � � �*�� is only � �� M$G& � � �(�)� � . To see this,realize the following:

(1) The total size of all circuits representing the formulae � � ��

�� (for

all CK � ) and � � � � � � � � � � � is � �� 9$<& � � �(�� . Moreover, all circuitsrepresenting the formulae �

��

and � � � � � (for all � � � ) arecontained in the circuits representing � � �

�� or � � � � � , respectively.

(2) Assuming that the circuits of (1) and the circuit representing � � � � � areat our disposal, we need to add only a constant number of new nodesto represent the formulae �� 7� � � �� and �� for given K �and &P�? �� $4& . This means that we need to add � �� $ & � � �(�)� � newnodes when constructing the circuit for � � � �� .

(3) Since � contains � �%�(�)� � subformulae of the form �� , the circuit rep-resenting � has � �� 9$<& � � �(�)� � nodes in total.

Theorem 5.11 Let � be an �� formula and K �� . The problem whetherthere is a formula in �� equivalent to � is � � � � �� -complete (assumingunary encoding of ).

2A circuit (or DAG) representing a given LTL formula � is obtained from the syntax treeof � by identifying all nodes which correspond to the same subformula.


Proof: The proof employs the fact that validity problem for �� for-mulae is � � � � �� -complete [SC85].

The observation formulated in proof of Theorem 5.10 directly impliesthat if there exists an � � � �� formula equivalent to � then � �O5 � � �*�� .The circuit representing � � �*�� is of size � �� C$<& � � �(�)� � . The upper boundthen follows from the fact that the validity of formula � � , � � �*�� is decid-able in � � � � �� even if the formula is represented by a circuit [SC85].

The matching lower bound is obtained by reducing the validity prob-lem for �� formulae (similar reduction of validity problem to prob-lem whether a language is stutter closed appears in [PWW98]). For every�� formula � we define a formula

� � ��< :� � �� :� � � � ��

� �� - :� �� )� ��7�Formula � � � � is equivalent to an �� formula if and only if for everyalphabet � a language � � �-� � � �� is -stutter closed. Further, every languagedefined by formula � � � � has the form � � � � � , where � � is a language de-fined by � � . Therefore, either � � is empty or � is not -stutter closed. Tosum up, � � �� is equivalent to an �� formula if and only if � � is notsatisfiable, i.e. if and only if � is valid. �

Theorem 5.10 and the above corollary enable us to extend the statementof Theorem 3.18 to -stuttering.

Corollary 5.12 The problem whether an � -language defined by an ��formula is -stutter closed is � � � � �� -complete (assuming unary encoding of ).

Proof: Let us consider a language � � � � �*�� , where � is an �� formula. Further, let � be the set of letters occurring in � . There are twocases. First, if �� then � is -stutter closed if and only if � is equivalentto an �� formula. Second, if �� we set

� � � � � 0�� 7�

Let us note that the size of � � is linear in the size of � . As � � � � � �*� � � forevery � � � � , the language � is -stutter closed if and only if � � is equiva-lent to an �� formula. In both cases the statement is a consequenceof Theorem 5.11. �

The corollary can be alternatively proved by generalization of the tech-niques developed for (various equivalences including) stutter equivalencein [PWW98].

Finally, let us note that the condition �.� � of Theorem 5.10 cannot beweakened to “ � is an -stutter closed � -regular language”, because there


are � -regular languages which are -stutter closed for all K � � , yet not de-finable in LTL. A concrete example of such a language is � � � �- � � � %5 � � � 'K � & which is clearly -stutter closed for every GK �� , but not � � � -stutter closed for any � K � � (and hence not definable in LTL).

5.2.2 General stutteringIn Section 5.2.1 we have shown that �� languages are exactly -stutter closed LTL languages. A natural question is whether �� languages are fully characterized by the closure property induced by� � � -stuttering. In this section we show that this is not the case. Never-theless, regular � � � -stutter closed languages are inevitably noncounting(see Definition 3.10), and hence expressible in LTL. This means that if � is� -regular and � � � -stutter closed, then � K �� for some � � � .In this section we also show that there is no functional relationship between� � � � � and � � � .

Theorem 5.13 Let � � � � . The following conditions are equivalent:

(a) � is definable in LTL.

(b) � is � -regular and noncounting.

(c) � is � -regular and � � � -stutter closed for some � K � � .

Proof: The equivalence of (a) and (b) is a consequence of several results –see Theorem 3.11 and accompanying comments. The implication (a) � , (c)is given by Theorem 5.9. The implication (c) � , (b) follows from a straight-forward observation that a language violating noncounting property is not� � � -stutter closed for any � K � � . �

A natural question is whether the condition (c) of Theorem 5.13 can beweakened to “ � is � � � -stutter closed for some � K �� ”. The answer isgiven in our next theorem.

Theorem 5.14 For all �B � and B & there is an � � � -stutter closed lan-

guage � � � �� & � which is not definable in LTL.

Proof: Due to Lemma 5.7 �# � , we just need to consider the case when ��,�and � & . We say that a word � K3� � is square-free if it does not con-tain a subword of the form �;� , where � �1� B & . It is known that there areinfinitely many square-free words3 � � �� over the alphabet � �� &[Thu06]. Now observe that for each of these � 5 there is no other word

3The sequence �� is defined inductively by �

�� and � ��

� �� , where �

is a word homomorphism given by � �� , � �� , � �� . The proofin [Thu06] reveals that if � is square-free, then so is � �� .


� K � �� "& � such that � 5 � � � � � � � � � � or � � � � � � � � �5 � � . This means that� � �/�5 � � �; K � � & is �.� /& � -stutter closed. Obviously, � is not � -regularby using standard arguments (pumping lemma for � -regular languages).Thus, � is not definable in LTL. �

Due to Theorem 5.13, we know that if � is � -regular and � � � -stutterclosed, then � is definable in LTL, i.e. there are � � � K � such that � isdefinable in �� . However, it is not clear what is the relationshipbetween � and � � � . One might be tempted to think that � � � canbe expressed (or at least bounded) by some simple functions in � , forexample � � � � and � � . Our next theorem says that there is no suchrelationship.

Theorem 5.15 Let �B � and B & . For all � � � K � � there is an

� � � -stutter closed LTL language � � � �� & � which is not definable in�� .Proof: First, realize that for all � � � K � � there are only finitely many pair-wise non-equivalent �� formulae over the alphabet � �� & .Hence, it suffices to show that for all �

B � and B & there are infinitelymany � � � -stutter closed LTL languages over the alphabet � �� & . Dueto Lemma 5.7 �# � , we just need to consider the case when � �,� and � & .Let � be the language constructed in the proof of Theorem 5.14. Now re-alize that each of the infinitely many finite subsets of � is a �.� /& � -stutterclosed LTL language. �

Finally, let us note that possible generalizations of Theorem 5.14 andTheorem 5.15 cannot cross certain limits – they do not hold for all � K � �and every alphabet � . For example, every �%& �� -stutter closed languageover the alphabet � ��"& is definable in �� . To see this, realize thatthe quotient of � ��"& � under �%& �� -stutter equivalence has exactly eightequivalence classes represented by words �- � � � , �.� � � , � , � � , � � , �I � , � � , and �I �� . Hence, there are exactly �� languages over � ��"&which are �%& �� -stutter closed. Since each equivalence class of the quotientis a language definable in �� , we can conclude that each of these� �� languages is definable in �� .5.3 Answers to Questions 1, 2, and 3Now we are ready to provide answers to Questions 1, 2, and 3 which werestated at the beginning of this chapter (though Question 3 will be left openin fact). We start with a simple observation.

Lemma 5.16 For each B & there is a formula �8K �� which cannot

be expressed in �� .

5.3 ANSWERS TO QUESTIONS 1, 2, AND 3 95

Proof: Let � � � ��"& and B & . Consider the formula � ��

� �� .We show that � � �*�� is not closed under � 0O& )-stutter equivalence (whichsuffices due to Theorem 5.2). It is easy; realize that � � � � K � � �*�� and thefirst occurrence of in this word is � 0P& � -redundant. Since � ��!NK � � �*�� ,we are done. �

A ‘dual’ fact is proven below (it is already non-trivial).

Lemma 5.17 For each �B & there is a formula � K ��

�� which cannot

be expressed in �� .Proof: Let �

B & and let �� & . We define a formula � K��

�� as

� � � �- � � � �- �� - � �� 7�Let us fix an arbitrary K � � , and define a word � K � � by

� � �.� � � � � �� Clearly � � � � and the subword � �-�� $�& $ � � is � � 0P& � -redundant. Asthe word � obtained from � by removing � �-�� $�& $ � � does not model � ,the language � � �*�� is not � � 0P& � -stutter closed. As it holds for every1K � � , the formula � is not expressible in �� . �

The last technical lemma which is needed to formulate answers toQuestions 1 and 2 follows.

Lemma 5.18 For all � GK � � there is a formula � K �� which isexpressible neither in �� (assuming �

B & ), nor in �� (assuming B & ).Proof: If � � � or � � , we can apply Lemma 5.16 or Lemma 5.17,respectively. Now let � B & , and let � � � � �� '& where R �� $4& & . We define formulae � and � as follows:

� �� if � � � � � � � � if � �

� �� if �� &

� �- � � � �- �� - � � � � � � �- � �� =� � �� if � � &

where �� abbreviates��

� �� . The formula � belongs to �� . Letus consider the � -word � defined as

� �� - � � �� $ � if � � �- � � � �� $ � if �� - � � � �� $ � if � "


It is easy to check that � K � � �*�� and that the subword � �-��R�� (whereR � �� $4& & ) is � � 0P& � -redundant as well as � � 0P& � -redundant.As the word � obtained from � by removing � �-��R�� does not satisfy � ,the language � � �*�� is neither � � 0O& � -stutter closed, nor � � 0P& � -stutterclosed. �

The knowledge presented in the three lemmata above allows to con-clude the following:

Corollary 5.19 (Answer to Question 1) The �� , �� , and�� hierarchies are strict.

Corollary 5.20 (Answer to Question 2) Let � and � be classes of�� , �� , or �� hierarchy (not necessarily ofthe same one) such that � is syntactically not included in � . Then there is aformula � K � which cannot be expressed in � .

Although we cannot provide a satisfactory answer to Question 3, wecan at least reject the aforementioned ‘natural’ hypotheses (see the begin-ning of this chapter).

Lemma 5.21 (About Question 3) For all � K �� there is a language defin-able in � � � �� as well as in �� which is not definable in�� .

Proof: We start with the case when � � � � . Let � � � ��"& , and let� � � � �.�� .� �4� � �� and � � � �.�� )� � � . Note that � � K �� and � K �� . Moreover, � � and � are equivalent as they definethe same language � �V� � � � � � � �"& �� . This language is not definable in��

�� as it is not �%& �� -stutter closed; for example, the � -word � �

� �� K � contains a �%& �� -redundant subword � �-�� but � <�< ��2NK � .The above example can be generalized to arbitrary � (using the

designed formulae � � �� ). For given � we define formulae � � K�� and ��EK �� , both defining the same lan-guage � over � � � � � � � �� & , and we give an example of an � -word � K � with an � � $ & � -redundant subword such that � withoutthis subword is not from � . We distinguish three cases.

� �� !� . For K � & �� & we define

�H5?�� -times

� ��

� � �- �� - � � � �- :� � � � � � � �- �9� 5 � �� 7�

The � -word � � �- � � � �� K � , � �-�� is � � $ & � -redundant, and� � �- � � � � � � NK � .

5.4 APPLICATION IN MODEL CHECKING 97

� � � . For K � & �� & we define

�H5?�� -times

� � � �

� � �.�1� � � �.�� .�8�� 5 � �� where

� �5 ��

� -times� ��

� �- � � � �- �� - � � � �9� 5 � �� 7�The � -word � � �.�I � � � � � � �� ?K

� , � �-�� 0 >$G& � is� � $<& � -redundant, and � � � � � NK

� .� � " . For K � & �� & we define

� 5 �� -times

� ��

� �- � � � �- � � � � � � �- � ��

� �� 5 � �� 7�The � -word � � �.� � � ��

� � K � , � �-�� M$G& � is � � $& � -redundant, and � � � NK

� . �

In fact, the previous lemma says that if we take two classes�� and � � �� which are syntactically incomparableand where � � � B & , then their semantic intersection (i.e. the intersec-tion of the corresponding classes of languages) is strictly greater than theclass of languages definable in � � �� where �� & and � � �� & . Another consequence of Lemma 5.21 is that there is gen-erally no “best” way how to minimize the nesting depths of � and � modal-ities in a given LTL formula.

5.4 Application in model checkingIn this section we indicate that letter stuttering and general stuttering prin-ciples can potentially improve partial order reduction methods (see Sub-section 2.4.1).

5.4.1 Letter stutteringMost of the partial order reduction methods designed so far are based onstutter equivalence. Therefore, they can be used only for verification ofstutter closed properties. All such properties are definable in �� . Thisfact contributes to the current situation where many people working inmodel checking believe that it is natural to write specification formulaewithout � modality (this opinion had been originally formulated by Lam-port [Lam83b] long time before the first partial order reduction algorithmhas been suggested). In spite of this, the use of � operator can bring somebenefits.


� Some properties that are stutter closed can be defined by a �� formula in a more readable way. Many patterns of �� formu-lae defining stutter closed properties can be found in [PC03].

� There are some systems (e.g. synchronous hardware) where one tran-sition step has a clear meaning and the study of relations betweensuccessive states makes good sense. In context of such systems, it isobvious that one wants to write and verify some specification formu-lae employing � operator.4 If we know that the formula defines astutter closed property (this can be checked in � � � � �� due to Theo-rem 3.18), we can use a combination of automata-based model check-ing algorithm and classic partial order reduction method. However,these partial order reduction methods cannot be employed if theproperty is not stutter closed. Here is a potential application of -stuttering.

Let �GK �� be a specification formula and � � -depth �*�� . Weknow that � cannot distinguish between � -words that are -stutter equiv-alent. This observation can be seen as the first step towards new partialorder reduction methods (see Subsection 2.4.1). Unfortunately, we do nothave any reduction algorithm based on the -stuttering equivalences yet.

It is worth mentioning that increase of � � -depth �*�� implies less effec-tive reduction (measured by the size of reduced system). This accords withthe fact that for every there exist words which cannot be distinguishedby any �� formula but they can be distinguished by a formulaof �� .

5.4.2 General stutteringMotivation for development of partial order reduction methods based ongeneral stuttering is straightforward as these methods have a potential toimprove actual partial order reduction algorithms designed for �� for-mulae. An evidence is provided by the following example. Moreover, gen-eral stuttering is not limited to � -free formulae.

Example 5.22 Let us consider the Kripke structure defined in Example 2.25 anddepicted in Figure 2.3. Further, assume that we want to check whether the systemsatisfies a specification formula � K � � �� with atomic propositions dependentjust on the value of variable x like, for example, � � 0�� x " � � . In this case, it issufficient to check the reduced structure given by Figure 5.6 as every (word over��

corresponding to some) path in the original structure is �%& �� -stutter equiv-alent to a (word over �

� �� corresponding to some) path in the reduced structure

4We have to say that if one wants to verify systems like synchronous hardware, symbolicmodel checking algorithms are usually the best choice.


��

� ��

� ��

� ��

� ��

� �� . . .

Figure 5.6: The Kripke structure reduced with use of general stuttering.

and vice versa. The original Kripke structure reduced by standard partial orderreduction (based on stutter equivalence) is depicted in Figure 2.4.

As in the case of letter stuttering, any reduction algorithm based ongeneral stuttering has not been suggested yet. The reduced structure in theexample above is made by hand.

As in the case of letter stuttering, the effectiveness of reduction basedon � � � -stutter equivalence decreases with increase of � and/or .

5.5 Additional notesAlthough the results presented in this chapter are formulated in terms ofinfinite words, all of them carry over to finite words. Moreover, some ofthe definitions and proofs working with finite words are simpler. For ex-ample, a letter of a finite word is -redundant if it is immediately followedby $3& copies of the same letter (without other requirements). Further,the � � � -stutter equivalence can be defined as the least equivalence over� � such that if a word � has an � � � -redundant subword then � is equiv-alent to � without the subword. This simpler definition allows to prove thegeneral stuttering theorem for languages of finite words in a shorter andmore transparent way. For details on general stuttering over finite wordswe refer to the paper [KS02] written in this setting.

We also note that the construction of a formula � � �*�� in the proof ofTheorem 5.10 is slightly different when we work with LTL defined overatomic propositions instead of letters. This modified construction of � � �*��


can be found in [KS04] together with all results concerning -stuttering(including precise proof of Theorem 5.2).

The chapter encompasses two questions that were not answered. Ques-tion 3 was already discussed at the beginning of this chapter. A much moreimportant question would be whether the new stuttering principles canhelp to improve current state space reduction methods or model checkingalgorithms in general. A prominent goal for our future research is to cre-ate a reduction method or verification algorithm demonstrating that theanswer is positive.

Another topic for future work is to extend the presented stuttering prin-ciples to LTL with past modalities.

Chapter 6

Characteristic patterns

The chapter is based on the results presented in [KS05a].

In this chapter we introduce a new concept of characteristic patterns1 .Roughly speaking, for each alphabet � and all � K � � we design a finiteset of � � � -patterns, where each � � � -pattern is a finite object represent-ing an � -language over � so that the following conditions are satisfied:

� Each � K � � is represented by exactly one � � � -pattern (conse-quently, the sets of � -words represented by different patterns are dis-joint).

� � -words which are represented by the same � � � -pattern cannot bedistinguished by any formula of �� .

� For each � � � -pattern � we can effectively construct a formula �3K� � �� so that for each � K � � it holds that � � � � if and onlyif � is represented by the pattern � .

Thus, the semantics of each formula � K � � �� is fully character-ized by a finite subset of � � � -patterns, and vice versa. Intuitively, the� � � -patterns represent exactly the information about � -words which de-termines the (in)validity of all � � �� formulae. The patterns are de-fined inductively on � , and the inductive step brings some insight intowhat is actually gained (i.e. what new properties can be expressed) by in-creasing the nesting depth of � by one. We refer to Section 6.1 for furtherremarks which aim at providing better intuition behind � � � -patterns. Inthe same section we also give proper definition, basic theorems about pat-terns, and an evidence that characteristic patterns can be used as a tool forproving further results about the logic LTL and its fragments. In particu-lar, they can be used to construct a short proof of a (somewhat simplified)

1Let us note that these patterns have nothing to do with the forbidden patterns definedin Subsection 3.2.2.

102 CHARACTERISTIC PATTERNS

form of stutter invariance of �� presented in the previous chap-ter. This, in turn, allows to construct simpler proofs of strictness of the�� , �� , and �� hierarchies.

In Section 6.2 we provide an algorithm for model checking of pat-terns and identify three potential applications of characteristics patterns inmodel checking area. For didactic reasons, we work with existential modelchecking problem in the first two cases. However, all ideas can be modifiedfor universal model checking in a straightforward way.

1. Let � K �� be a formula specifying the property to be ver-ified. Characteristic patterns can be used to decompose the formulainto an equivalent disjunction � � +��+4� � of mutually exclusive for-mulae (i.e. we have � 59, � ��65 �5� � for each ). Roughly speaking,each � 5 corresponds to one of the patterns which define the seman-tics of � . Hence, the � 5 formulae are not necessarily smaller or sim-pler than � from the syntactic point of view. The simplification is onsemantic level, because each � 5 “cuts off” a dedicated subset of runsthat satisfy � . Another advantage of this method is its scalability – thepatterns can be constructed also for those and � that are larger thanthe nesting depths of � and � in � . Thus, the patterns can be repeat-edly “refined”, which corresponds to decomposing the constructed� 5 formulae. Another way how to refine the patterns is to enlargethe alphabet � . This is indeed sensible, because in this way we canfurther split the sets of runs of a given system into more manageablesubsets.

This decomposition technique enables the following model checkingstrategy: First try to model-check � . If this does not work (because of,for example, memory overflow), then decompose � into � � +��"+�� and try to model-check the � � �� formulae. This can be donesequentially or even in parallel. If at least one subtask produces apositive answer, we are done (there is a run satisfying � ). Similarly, ifall subtasks produce a negative answer, we are also done (there is nosuch run). Otherwise, we go on and decompose those � 5 for whichour model checker did not manage to answer.

Obviously, the introduced strategy can only lead to better results thanchecking just � , and it is completely independent of the underlyingmodel checker. Moreover, some new and relevant information is ob-tained even in those cases when this strategy does not lead to a def-inite answer – we know that if there is a run satisfying � , it mustsatisfy some of the subformulae we did not manage to model check.The level of practical usability of the above discussed approach canonly be measured by outcomes of practical experiments which are

CHARACTERISTIC PATTERNS 103

beyond the scope of this work.2 For a more detailed explanation ofthe decomposition technique and a discussion of its potential benefitsand drawbacks see Subsection 6.2.1.

Similar decomposition techniques for universal model checking havebeen proposed in [McM99] and [Zha03]. In [McM99], a specificationformula of the form 01� is decomposed into a set of formulae

� 0 �� 5 , ��<�=� 5 is in the range of the variable �?& .

A system satisfies 0�� if and only if it satisfies all formulae of the set.This decomposition technique has been implemented in the SMV sys-tem together with methods aimed at reducing the range of � . This ap-proach has then been used for verification of specific types of infinite-state systems (see [McM99] for more details). In [Zha03], a givenspecification formula � is model-checked as follows: First, a finiteset of formulae � � �� of the form � 5 � 0��N�� , �8� � 5 � is con-structed such that the verified system satisfies � � + �� + � � . The for-mulae � � �� are either given directly by the user, or constructedautomatically using methods of static analysis. The system satisfies� if and only if it satisfies a formula � 5 , � for all . Using thisapproach, the peak memory in model checking has been reduced by13–25% in the three case studies included in the paper.

2. Characteristic patterns could be potentially used also in a differentway: instead of checking whether a given system exhibits a run corre-sponding to a given pattern (this is what we do above), we could firstextract all the patterns that can be exhibited by the system, and thencheck whether there is one for which � holds. This makes sense insituations when we want to check a large number of formulae on thesame system. The patterns fully characterize the system’s behaviour(with respect to properties expressible in a given �� frag-ment), and this information could be re-used when checking the in-dividual formulae. Unfortunately, the set of all patterns exhibited bya given system seems to be computable only in restricted cases. InSubsection 6.2.2 we present an algorithm for model checking a pathbased on characteristic patterns.

3. Subsection 6.2.3 indicates potential improvement of partial order re-duction methods with use of characteristic patterns.

Section 6.3 contains additional notes about patterns including one openquestion.

2Practical implementation of the method is under preparation.


6.1 Definitions and basic theoremsTo get some intuition about characteristic patterns, let us first consider theset of patterns constructed for the alphabet � � � �� & , � �3& , and � �(as we shall see, the � and correspond to the nesting depths of � and � ,respectively). Let � K?� � be an � -word. A letter � �# �� is repeated if there isA ", such that � � A � � � �# � . The �%& �� -pattern of � , denoted �� %& �� , isthe finite word obtained from � by deletion of all repeated letters (for rea-sons of consistent notation, this word is written in parenthesis). For exam-ple, if � � � � �I �I � �I� �I� � � �?�� , then �� %& �� >� �- �I� � . So, the setof all �%& �� -patterns over the alphabet � �� "& , denoted �

� �� %& ��6� �� & � ,has exactly 15 elements which are the following:

�- � � � �- � � � �.�I � � �.� � � �-� � � �-�/�I � �- � � �.�I � �- � � �-� �� .�I� � �.� � � �- � �.� � �.� �Thus, the set � �� & � is divided into 15 disjoint subsets, where each setconsists of all � -words that have a given pattern. It remains to explain whythese patterns are interesting. The point is that ��

�� formulae can

actually express just the order of non-repeated letters. For example, theformula �4� says that either the first non-repeated letter is � , or the firstnon-repeated letter is and the second one is � . So, this formula holds fora given � K � �� & � if and only if �� %& �� equals to

�.� � �.�I � �.� � � �.�I � � �.�I� � �- � � or �- �I� �7�We claim (and later also prove) that � -words of � �� &=� which have thesame �%& �� -pattern cannot be distinguished by any ��

�� formula.

So, a language defined by a formula �3K � � � �� over alphabet � �

� �� & is fully characterized by a subset of � � �� %& ��6� �� &�� . Moreover,for each � K �

� �� %& ��6� �� & � we can construct an �� formula � �

such that for every � K � �� "& � we have that � � � � � iff �� %& �� .For example,

� ��

� � � �< � �- �4� � � ��- +>� � �F� �7�To indicate how this can be generalized to larger � and , we show how

to extract a �.� �� -pattern from a given � K � �� & � . We start by consid-ering an infinite word over the alphabet � � �� %& ��6� �� "& � constructed asfollows:

�� %& �� %& �� %& �� %& �� For example, for � �< �I �I � we get the sequence

�- �I� � �- � � � �.�I � � �- � � �-� �� - � � .

The pattern �� .� �� is obtained from the above sequence by dele-tion of repeated letters (realize that now we consider the alphabet

6.1 DEFINITIONS AND BASIC THEOREMS 105

�� %& ��6� �� & � ). Hence,

�� .� �� - �I� � �.�I � � �- � � �-� � �- �� .Similarly as above, it holds that those � -words of � �� & � which have thesame �.� �� -pattern cannot be distinguished by any �� formula.Moreover, for each � K �

� �� .� ��6� �� & � there is an �� formula� � such that for every � K � �� & � we have that � � � � � iff �� .� �� .

Formally, we consider every finite sequence of �%& �� -patterns, where no�%& �� -pattern is repeated, to be a �.� �� -pattern. This makes the inductivedefinition simpler, but in this way we also introduce patterns that are not“satisfiable”. For example, there is obviously no � K � �� & � such that�� .� �� - � �- � �� .

The last problem we have yet not addressed is how to deal with the �operator. First note that the � operator can be pushed towards letters usingthe following equivalences (see, for example, [Eme90]):

�� - � �*�� - � �� *� � �� - �� )� � �*� � � � � - ��

Note that the nesting depth of � remains unchanged by performing thistransformation. Hence, we can safely assume that the � operator occursin LTL formulae only within subformulae of the form � �� . This isthe reason why we can handle the � operator in the following way: theset �

� �� is defined in the same way as �� . The only

difference is that we start with the alphabet � � � instead of � .Now we present a full formal definition of characteristic patterns.

Definition 6.1 Let � be an alphabet. For all � K � � we define the set�� inductively as follows:

� �� -�� /� KL� � � � �4� � $4& &

� �� $4& � �3� � �� R K � � � �� #� � K

��

�;5@N� � � for N� A &The size of � � �� and the size of its elements are estimated in ournext lemma.

Lemma 6.2 For every K � � , let us define the function �� 5 � � � � � induc-

tively as follows:

�� 5 ��

� � if 5�<�� 5 � 5 �� J$,& �� otherwise

The number of elements of � � �� is bounded by �� %�� , and the

size of each � K �� is bounded by � 9$<& � �

� � ��5�� 5 �%�� .


Proof: Directly from definitions. �

The bounds given in Lemma 6.2 are non-elementary in � . This indi-cates that all of our algorithms are computationally unfeasible from theasymptotic analysis point of view. However, LTL formulae that are usedin practice typically have a small nesting depth of � (usually not largerthan � or � ), and do not contain any � operators. In this light, the boundsof Lemma 6.2 can be actually interpreted as “good news”, because even arelatively small formula � can be decomposed into a disjunction of manyformulae which refine the meaning of � .

To all � K � � and � K �� we associate a unique pattern of�� . This definition is again inductive.

Definition 6.3 Let � K � � . For all � K � � we define the characteristic� � � -pattern of � , denoted �� , and � � � -pattern word of � , de-noted �� , inductively as follows:

� �� -�� -�� ,� �� 4K �

� �� is defined by �� # �9�� 5 � ,� �� $4& � � is the finite word (written in parenthesis) obtained from�� by deletion of all repeated letters.

Words � �� KL�� are said to be � � � -pattern equivalent, written � � � � � � , if�� .

Example 6.4 Let us consider an � -word � � � � �I � �I � �.�I � � . Some examples ofcharacteristic patterns follow. Underlined sequences correspond to �-�� -patterns,where �!� .

�� -�� -�� I � �I � �.�I � � � �� %& �� - �I� �� %& �� - �I� � �.�I � � �.�I � � �.�I � � �- � � � �-� � � �.�I � � �- �/� � �-�/�I �� 7� � �. � �� .� �� - �I� � �.�I � � �- � � � �-� �I � �.� � �- � �� -��/& � � � �� -��/& � � � � � � � � � � � � �I � � � �.�I � �7�� %& /& � � � �- � � � �I � � � �� -��

Theorem 6.5 Let � be an alphabet. For all � K � � and every � K�� there effectively exists a formula � � K �� such that

for every � K � � we have that � � � � � iff �� .

Proof: We proceed by induction on � .


�� If �1K �� -�� , then � is of the form � �� , where each

5 K � . Hence, we put

� � �< � � � �- � � � �- �� 5� � �- � �� 7�

Obviously, � � K �� . Moreover, each � K � � such that � � � �

starts with � �� , which means that �� -�� . Theother direction is also trivial.

� Induction step. Let � K �� $4& �� . This means that � is of the

form � � �� *� � � , where each � 5 K �� and � 5 N� � � for

N� A . By induction hypothesis, for each &M� :�VR there effectivelyexists a formula � � � K �� which satisfies the properties ofour lemma. We put

� � � 0��*� � � + �� + � � � � � � � � ��

�� *� � � + �� + � �� 4� ��

Obviously, � � K �� . Now let � K � � . By induc-tion hypothesis, for all �K �� and & � A � R we have that� 59�� iff �� 5 �9� � � . First we prove that if � � �� , then�� $4& � � � � . So, let � � �;� � , and let us consider the word�� . With the help of induction hypothesis, we can con-clude that � � actually says that

– all patterns of �� which appear in ��

are among � � �� #� � (this is expressed by the subformula0��*� � � + �� +�� ),

– each ��5 appears in �� , and for all &<� " A �R , the first occurrence of �65 precedes the first occurrence of � �(this is expressed by the subformula � � � � � �� *�

�� + ��/+� �� 4� �� )

This means that �� $4& � �>� � as required. The other implica-tion (i.e. �� $4& � �� implies � � � � � ) follows similarly. �

Example 6.6 Let � � � �I � � � �- � � � . Then the formula � � , where � �� .� �� - � � � �.�I � � �- � � �-� �� , is constructed as follows:

� ��

� � � � 0��- :+>��+T� � �T :� �- �:� � � ��- :+T� � �4� ��

�� 0��.��+T :+T� � �>�� .� �: ��?� ��.��+C �� 4� �

� �� 0��- :+T� � �T :� �- �F� �

� � �� 0��-��+> ��8�T�� -��4 �� 0��*� �

�� +��

�� + � �

�� +��

��

�� *� �

�� 4� � �

�� 5�

� ��*� ��

� � � + � � �

��

�� *� �

�� +��

�� + � �

�� 4� � �

��


Let us note that the size of � � for a given �1K �� is exponen-

tial in the size of � . However, if � � is represented by a circuit (DAG), thenthe size of the circuit is only linear in the size of � .

Theorem 6.7 Let � be an alphabet and let � K �� . For all � �� K �@� we havethat � and � cannot be distinguished by any � � � �� formula if and only if� � � � � � .

Proof: The “ � , ” direction follows directly from Theorem 6.5. We prove theother direction. Let � K �� be a formula. As mentioned above,we can safely assume that the � operator occurs only in subformulae of theform � �� , where is a letter. By induction on the structure of � weshow that for every � �� such that � � � � � � we have that � � � � � , � � �� .

� �� It follows directly from Definition 6.3 that � �-�� -�� . This means that � � �< � , � � �, as required.

� Induction step. If � � �� , then � � � �� , where the nestingdepth of � in � is at most . Hence, we can argue in the same wayas in the basic step. The cases when � � �5� or � �� followdirectly from induction hypothesis. Now let � � � �� . We showthat if � � �� , then also � � �� . So, let � � � � . This means there isA K � � such that � � � �� , and for every �" A it holds that � 5 � � � .As �� , the sequence of first occurrences ofletters in �� 0!& � � is the same as in �� 0!& �� .Let A � be the index of the first occurrence of a letter �� 0?& � � �in �� 0E& �� , i.e. �� 0?& �� 0!& � � � . As�TK �� , by induction hypothesis we obtain that � � � � � � .In the same way we can show that � 5 � � � � for every � " A � , becausefor each such � we have that �� 0!& �� 5 � �� 0!& � 5 � forsome " A . This means � � � � � � . �

In other words, Theorem 6.7 says that the information about � which isrelevant with respect to (in)validity of all �� formulae is exactlyrepresented by �� . Thus, characteristic patterns provide a newcharacterization of �� languages.

Corollary 6.8 An � -language � is definable in �� if and only if it isclosed under � � � -pattern equivalence.

This characterization can be used to prove further results about LTL.In particular, a simplified form of general stuttering principle introducedin Section 5.1 follows easily from the presented results on characteristicpatterns:


Lemma 6.9 For all � !K � � � �� K � � � K2� � it holds that if � is a prefixof � � and � �� B � �8� � ��0 � $ 9$<& then � � � � � � � � � .

Proof: Let �� satisfy the conditions of our lemma. We prove that�� . By induction on � .�� . It suffices to realize that �#� � � �# � �,� �# � for �9�8 � . Hence,�� -�� -�� .� Induction step ( � � � ). First we prove that for every �1� "�� 8� it

holds that

�� 0!& �� 5 � � �� 0E& ��5 � �7� (6.1)

The concatenation � 5 � can be seen as a concatenation � � � 5 , where� � � �3� � � � . Further, � 5 is a prefix of �#� � �7� and � �5 � B � � � � � �� 4� 0 � �8�/$<& . Hence,

� � 5 � B � �4� 0 � � �/$,&B � � � � ��0 � $ 9$<&0 � �8�/$<&B � � � � � � 0!& � $ � �8� 0 � $ 9$<& 0 � � �/$8&B � � � � � � 0!& � 0 � � 0E& � $ $<&As � � � � � � �8� , we obtain (6.1) by applying induction hypothesis.We have proven that the first � � � letters of � -words�� 0!& �� and �� 0!& �� are the same.Further, these letters are followed by � � � repeated letters in�� 0!& �� . As �#� � � � � � � � �#� � � � � � , the suffixes�� 0!& �� and �� 0!& �� are the same.Hence, �� . �

The conditions of Lemma 6.9 match the definition of � � � -redundancyof the subword � in an � -word � � � given in Definition 5.6.

Theorem 6.10 Let � ?K � � , � �� K � � and � K �@� . If � is � � � -redundantin �;� � , then �;� � � � � � � � .

Proof: The theorem follows from Lemma 6.9 and the implication � � � � �� , �� that can be easily proven for all � K � � , � � K8� � ,and � KL� � by induction on � . �

Theorem 6.10 is weaker than Theorem 5.9 (general stuttering theorem)which allows to add or remove infinitely many non-overlapping redun-dant subwords. On the other hand, Theorem 6.10 has significantly shorterproof and is still sufficient to prove all results presented in Section 5.3 in-cluding the strictness of �� , �� , and �� hierar-chies and the fact that the class of � -languages which are definable both in�� and � � �� is strictly larger than the class of lan-guages definable in �� .


6.2 Applications in model checkingIn this section, the applicability of results about characteristic patterns toLTL model checking is discussed in greater detail. First of all, we introducean algorithm deciding whether a pattern satisfies an LTL formula or not.

Definition 6.11 Let � K �� be a pattern and � K � � �� be a

formula. We say that � satisfies � , written � � � � , if for every � -word � KL� � wehave that if �� , then � � � � .

Note that Theorem 6.7 implies the following: if �3N� �� , then for every � -word � such that �� we have � N� � � .

Theorem 6.12 Given an � � � -pattern � and an �� formula � , theproblem whether � � � � can be decided in time � �%�(�)� � � �1� � .

1 proc �� /� R �*� #� �2 if � -depth �*�� " �

� � �� then � � � � � �-�� /� R �*� #� �-�� 3 elsif � � then � � � � � � � � � � �4 elsif � K � then � � � � � �*� � � � � ��5 elsif � � �� then � � � � � �*� �� /� R �*� � #� ��6 elsif � � � � � � then � � � � � �-�� /� R �*� � #� � � �� /� R �*� #� ��7 elsif � � �� then � � � � � �-�� /� R �*� � #� 9$<& ��8 elsif � � � � ��9 then do

10 ��<�11 while �# " � �1� � � � �� /� R �*� #� �# � � do12 if �� /� R �*� � #��# � � then ��< D$<&13 else �� 14 fi15 od16 � � � � � �# " � �1� �17 od18 fi

Figure 6.1: An algorithm deciding whether � � � � or not.

Proof: Consider the algorithm of Figure 6.1. The procedure call� � � �� *� #� �� decides whether � � � � or not. The function �4�� returnsthe � such that � K �

� �� . The algorithm is designed for all � and� satisfying � -depth �*�� .

The algorithm cannot assume that the � operators in � have beenpushed inside because this transformation can lead to a formula of the size

6.2 APPLICATIONS IN MODEL CHECKING 111

� �%�(�)� � . Thus, the algorithm pushes the � operators towards letters ‘virtu-ally’: the actual nesting depth of � operators is kept in the third argumentof the � � � �� procedure and it affects the evaluation of the subformulae ofthe form (see the line � ). The correctness of the algorithm follows directlyfrom the semantics of LTL and the idea of characteristic patterns.

The complexity of our algorithm is � �%�(�� 1� � as the procedure � � � �� isinvoked at most once for every subformula and every subpattern. Let usnote that values of � -depth �*� � � and �� for all subformulae � � of � andall subpatterns � � of � can be pre-calculated with the complexity � �%�(�� $ � �1� � .�

In the rest of this section we discuss the three potential applications ofcharacteristic patterns listed at the beginning of this chapter.

6.2.1 Decomposition technique

In this subsection we consider the variant of LTL based on atomic propo-sitions ( �� ) rather than letters. Hence, a formula � is usually interpretedover infinite words over alphabet � ��

� � ��. Please note that we work

with existential version of model checking problem.

Let �3K �� be a formula. If our model checker fails to ver-ify whether the system has a run satisfying � or not (one typical reason ismemory overflow), we can proceed by decomposing the formula � in thefollowing way:

1. First we compute the set � � �� K ��

� �� & .

2. Then, each � KM� is translated into an equivalent LTL formula (using,for example, the algorithm of Theorem 6.5).

A simple way how to implement the first step is to compute the set��

� �� , and then for each element � decide whether � � � � using

the algorithm of Theorem 6.12. In practice, this could be optimized by us-ing a more sophisticated algorithm which takes into account the structureof � and possibly also eliminates unsatisfiable patterns. In the second step,the patterns could be alternatively translated directly into the formalismadopted in the chosen model checker (e.g. Buchi automata or alternatingautomata).

Example 6.13 We illustrate the decomposition technique on a formula � � �=0��1$which is the negation of a typical liveness property 0��=$ . The alphabet is � �� "$ & �� & . To simplify our notation, we use � and � to abbreviate �"$ & and� , respectively. The elements of � � �� .� ��6� � � &�� are listed below (unsatisfiable


patterns have been eliminated). All patterns which satisfy � are listed in the rightcolumn.

��

The formulae corresponding to the patterns of the right column are listed below.3

�� 01�1$�� $ � $�� 01�1$�� 1$<� � �#$<� � �1$ �8� �=0��1$�� $ � � �*�1$<� � $ �8� �=0��1$

So, the formula � is decomposed into an equivalent disjunction � � +>� +>� +>� � .Thus, the original question whether the system has a run satisfying � isdecomposed into R questions of the same type. These can be solved usingstandard model checkers.

We illustrate potential benefits of this method in the context ofautomata-based approach to model checking (see Section 2.4). Here the for-mula � is translated into a Buchi automaton � accepting the � -language� �*�� . Then, the model checking algorithm computes another Buchi au-tomaton called product automaton, which accepts exactly those runs of theverified system which are accepted by � as well. The model checkingproblem is thus reduced to the problem whether the language accepted bythe product automaton is empty or not. The bottleneck of this approach isthe size of the product automaton.

Example 6.14 Let us suppose that a given model checking algorithm does notmanage to check the formula � of Example 6.13. The subtasks given by the � 5formulae constructed in Example 6.13 can be more tractable. Some of the reasonsare illustrated below.

� The size of the Buchi automaton for � 5 can be smaller than the size of � .In Example 6.13, this is illustrated by formula � � (see Figure 6.2). Thecorresponding product automaton is then smaller as well.

� The size of the product automaton constructed for ��5 can be smaller than theone for � even if the size of �� is larger than the size of � . In Example 6.13,this is illustrated by the formula � ; the automata for � and � are almostthe same (see Figure 6.2), but the product automaton for � can be muchsmaller as indicated in Figure 6.3.

3For notation convenience, we simplified the formulae obtained by running the algo-rithm of Theorem 6.5 into a more readable (but equivalent) form.


� � ��

� � � � �

��

�

� � � � ��

�

� � � ��

�

� ��

�

�

Figure 6.2: Buchi automata corresponding to formulae � , � � , and � ofExample 6.13.

�- �

��

� �� !��" " " "

" "

�� ######

� �� !��

� ��

��

�.� ��$ % & '( ) * +

� ��$ % & '( ) * +� ��$ % & '( ) * +

�,-� �

��

��

� �./ �

��

��

��

$ % & '( ) * +

��$ % & '( ) * +

��

�-� ��$ % & '( ) * +

� ��$ % & '( ) * +� ��$ % & '( ) * +

�,-� �

��

��

�

$ % & '( ) * +

��

Figure 6.3: An example of a system to be verified �- � and product automata�.� � and �-� � corresponding to � and � of Example 6.13, respectively.

It is of course possible that some of the � 5 formulae in the constructeddecomposition remain intractable. Let ��5 be such an intractable formula.Then � 5 can be further decomposed by a technique called refinement (since� 5 corresponds to a unique pattern �D5 K �

� ��

� , we can equiva-lently consider pattern refinement). There are two basic ways how to refinethe pattern ��5 . The idea of the first method is to compute the set of � � � � � -patterns, where � � B � and � B , and identify all patterns that satisfythe formula � 5 .Example 6.15 The formula � of Example 6.13 corresponding to the �.� �� -pattern �� can be refined into two � � ��

�� formulae given by

the � � �� -patterns

�� 6�

The other refinement method is based on enlarging the alphabet beforecomputing the patterns. We simply expand the set �� *�� with a new atomicproposition. The choice of the new atomic proposition is of course impor-tant. By a “suitable” choice we mean a choice which leads to a convenientsplit of system’s runs into more manageable units. An interesting problem


(which is a potential topic for future work) is whether suitable new propo-sitions can be identified effectively.

Example 6.16 Let us consider the formula � of Example 6.13 corresponding tothe �.� �� -pattern �� . The original set of atomic propositions �� *��3��"$ & generates the alphabet � �� & , where ��"$ & � � � . If we enrichthe set of atomic propositions with � , we get a new alphabet � �5� � � � �� & ,where � � �"$ ��/& � � �"$=& �� /& �� . Hence, the original letters � �correspond to the pairs of letters � � and � �� , respectively. Thus, the formula� is refined into � � � �� formulae given by the �.� �� -patterns

��

and all those patterns which can be obtained from the above given ones by eitherexchanging the letters � � , or exchanging the letters � �� , or by both exchanges.Hence, the formula � is refined into a disjunction of & � � �9� � � formulae.

Some of the subtasks obtained by refining intractable subtasks can betractable. Others can be refined again and again. Observe that even if wesolve only some of the subtasks, we still obtain a new piece of relevantknowledge about the system – we know that if the system has a run sat-isfying � , then the run satisfies one of the formulae corresponding to thesubtasks we did not manage to solve. Hence, we can (at least) classify andrepeatedly refine the set of “suspicious” runs.

We finish this subsection by listing the benefits and drawbacks of thepresented method.

+ The subtasks are formulated as standard model checking problems.Therefore, the method can be combined with all existing algorithmsand heuristics.


+ With the help of the method, we can potentially verify some systemswhich are beyond the reach of existing model checkers.

+ Even if it is not possible complete the verification task, we get par-tial information about the structure of potential (undiscovered) runssatisfying � . We also know which runs of the system have been suc-cessfully verified.

+ The subtasks can be solved simultaneously in a distributed environ-ment with a very low communication overhead.

+ When we verify more formulae on the same system, the subtasks oc-curring in decompositions of both formulae are solved just once.

– Calculating the decomposition of a given formula can be expensive.On the other hand, this is not critical for formulae with small numberof atomic propositions and small nesting depths of � and � .

– Runtime costs of the proposed algorithm are high. It can happen thatall subtasks remain intractable even after several refinement roundsand we get no new information at all.

6.2.2 Model checking a path using patterns

Model checking a path (see Subsection 2.4.2) has been identified as anotherapplication of characteristic patterns. The problem is to decide whether agiven loop �� satisfies a given formula � or not. It the following we dealwith the case when � is a formula of � � �� . This version of the problemcan be solved in time � �%� �;�8� � �(�)� � . More information about complexityof model checking a path Section 4.2. Here we present a new algorithmbased on characteristic patterns and argue that our algorithm can be moreefficient in some cases.

Let �<K � � �� be a formula and �;� � be a loop, where � ��1K � �

and � N� � . The algorithm first computes a pattern �� and thenit decides whether the pattern satisfies � . First we focus on the patternextraction.

& �� R �� RS$4& �� RS$P� �� RS$ ��

Figure 6.4: A finite-state system with one infinite path.

Let R�� and � � � � � . The loop can be represented by the finite struc-ture given in Figure 6.4 and a function � labelling each state of the structure


with the corresponding letter of the loop, i.e.

� �# �� # H0E& � if &P�? �ER ,� �# 0 R40!& � if R $<&O�? @�ERP$ � .

By � �# � we denote a successor of a state defined by arrow leading from .

1 for �� & to RF$ � do2

� � �# �)�� # � � � � �# �� # �� # ��3 od4 for �� & to � do5

� � �.RS$ � �� the parenthesized word obtained from� � �.RS$ � � � � �.RS$4& � � � �.RS$O� � �� .RS$ � 0O& �by deletion of all repeated letters

6 for A ��,RP$ � 0E& downto & do7

� � � A � �� the word � � � A $4& � with the letter � � � A �added to the beginning and withoutany repetition of this letter

8 od9 od

Figure 6.5: An algorithm for � � � -pattern extraction.

The pattern extraction algorithm given in Figure 6.5 computes a new la-belling function � � . The desired pattern �� ;� � � is stored in � � �%& � af-ter the algorithm terminates. The algorithm is based directly on the defini-tion of characteristic patterns. After the -th iteration of the second for-loop,the labels stored in � � �%& � �� .RS$ � � describe the � -word �� # ��;� � � .More precisely, �� # ��;� � � � � � �%& � �� .R�� .RS$4& � �� .RS$ � � � � .The time complexity of this algorithm is � �%� �;�8� � � $ � � � � � �� , where� � � �� is the maximal size of a pattern in �

� �� (as given inLemma 6.2).

Due to Theorem 6.12, the problem whether �� ;� � � � � � can besolved in � � �� (�)� � time. Hence, the algorithm needs � �%� �;�8� � $� � � � � ��$ �� (�)� � time in total. In the light of this esti-mation, our algorithm seems to be only worse than the bilinear CTL-likealgorithm. However, if we bound the parameters � , , and � � � by con-stants (this is justifiable as these are usually “small”) then our algorithmneeds only � �%� �;� � $ �(�)� � time, while the CTL-like algorithm still requires� �%� �;�8� � �(�)� � time. In other words, our algorithm is better in situations when

� and � � � are small, and � �;�8� is large. Then it pays to extract the charac-teristic pattern from the loop and check the formulae directly on the patternrather than on the loop itself.


6.2.3 Partial order reduction using patterns

Characteristic patterns can also be applied in a more conventional way:to reduce Kripke structures. Intuitively, if we want to decide whether an�� formula is valid for a Kripke stricture, we do not need to ex-amine all runs of the structure. In fact, it is sufficient to consider only thesubset of all runs such that for every run of the structure there is a run inthe subset with the same � � � -pattern.

In Section 5.4 we have shown that general stuttering theorem allows toproduce smaller reduced Kripke structures than those produced by stan-dard partial order reduction methods. While general stuttering principleformulates just a sufficient condition for two words to be indistinguishablein �� , Theorem 6.7 says that two words are indistinguishable byany � � �� formula if and only if the words have the same � � � -pattern. Hence, reduction based on characteristic patterns can producesmaller Kripke structures than the reduction based on general stuttering(and thus also smaller than the standard partial order reduction based onstuttering).

��

� ��

� ��

� ��

� ��

� �� . . .

Figure 6.6: The Kripke structure reduced with use of characteristic patterns.

Example 6.17 Similarly to Example 5.22, we consider the problem to checkwhether the Kripke structure defined in Example 2.25 and depicted in Figure 2.3satisfies a specification formula � K �� with atomic propositions dependentjust on the value of variable x. Thanks to Theorem 6.7, it is sufficient to check thereduced structure given by Figure 6.6. The reduced structure is notably smallerthan the structures depicted in Figures 5.6 and 2.4.


As in the case of reduction based on letter stuttering or general stut-tering, we have to emphasize that the reduced Kripke structure has beenmade by hand and no practical algorithm for partial order reduction usingpatterns has been proposed so far. It is another topic for our future work.

6.3 Additional notesThe results presented in this section do not hold for finite words. The argu-ment is that an � � � �� formula can express a condition on last lettersof a finite word. For example, a finite word satisfies a formula � �- :� � �� if and only if the last letter of the word is . A modification of characteristicpatterns for finite words is a topic for future work.

Another interesting question (which is left open) is whether one coulduse characteristic patterns to prove the decidability of fragments of theform �� over � -words.

Chapter 7

Deeper connections toalternating automata

The chapter is based on the results presented in [PS04].An automata-theoretic approach to the study of temporal logics proved

to be very fruitful. The best example is the well-known fact that each LTLformula can be translated into nondeterministic Buchi automaton that ac-cepts exactly the infinite words satisfying the formula [WVS83, VW94]. Thetranslation was published in 1983 and soon became one of the cornerstonesof the automata-based model checking of LTL properties [VW86]. Approx-imately at the same time it was also shown that there are Buchi automataaccepting languages that are not definable by any LTL formula [Wol83].

Later on, alternating 1-weak Buchi automata (or A1W automata forshort, also known as alternating linear automata or very weak alternat-ing automata) have been identified as the type of automata with the sameexpressive power as LTL. In Section 7.1 we recall two results showing theequivalence of LTL and A1W. The first one is a translation of �� for-mulae into equivalent A1W automata introduced by Muller, Saoudi, andSchupp [MSS88]. This translation produces A1W automata with numberof states linear in the length of input formula contrary to the mentionedtranslation into Buchi automata where the number of states is exponential.The translation of �� into A1W automata has been recently used tobuilt new and more efficient algorithms for translation of �� intonondeterministic Buchi automata [GO01, Tau03]1. The second result is atranslation of A1W automata into equivalent LTL formulae presented in-dependently by Rohde [Roh97] and Loding and Thomas [LT00].

In the light of research on LTL fragments, it is natural to ask for classesof A1W automata with the same expressive power as the studied LTL frag-

1In fact, the paper [GO01] employs alternating 1-weak co-Buchi automata. However,Buchi and co-Buchi acceptance conditions are expressively equivalent for alternating 1-weak automata.

120 DEEPER CONNECTIONS TO ALTERNATING AUTOMATA

ments. It turns out that the translation of A1W automata into LTL men-tioned above is not appropriate for study of such automata classes as itwastes temporal operators. For example, the automaton correspondingto the formula � �.�)� �.� �F� �� is translated into formula � �.� � � �.� �F� �� .In Section 7.2 we present an improved translation of A1W automata intoequivalent LTL formulae. Our translation reduces the nesting depth of �operators and prefers the use of less expressive temporal operators � or 0instead of � operator. We prove that for an A1W automaton produced bythe standard translation of a given �� formula our translationprovides a formula from the same fragment.

In Section 7.3 we identify classes of A1W automata defining the samelanguage classes as some recognized fragments of LTL, namely the frag-ments of the until-release hierarchy [CP03] and fragments of the form�� where � �R>K � � � �=� & .

Section 7.4 indicates several topics for future work.For definition of alternating 1-weak Buchi automata we refer to Subsec-

tion 2.3.3. In that subsection there are also definitions of some terms andnotation used in this chapter, namely the definition of a state with a loopand notation � �� , �� , �� , and � � � .

7.1 Equivalence of LTL and A1W automataIn this section we recall the standard translation of �� formulaeto A1W automata [MSS88] (marked as LTL A1W) and a translation ofA1W automata to �� presented recently in [LT00] (and marked asA1W LTL here). The latter translation has been independently introducedby Rohde in [Roh97].

7.1.1 LTL � A1W translationLet � be an � � �� formula and � be an alphabet. The formula can betranslated into an automaton � such that � �� *�� . The automaton �is defined as � � � � �� %$ �� , where

� the states � � �"$ � %$ � � �1� is a subformula of ��& correspond to thesubformulae of � and their negations,

� the transition function � is defined inductively in the following way:

� �#$�� #$ � �� if �,� , � �#$ � �� . otherwise� �#$ � � � �� #$ � � �� #$ �� #$ � � � � � �#$ � � �� #$�� $ �� #$ �� #$ � � ��?+ � � �#$ � � � ��$ ��

7.1 EQUIVALENCE OF LTL AND A1W AUTOMATA 121

where � denotes the positive boolean formula dual to � defined byinduction on the structure of � as follows:

� . $ � �� $ � � � � � � � �. � $ �� $ � � � + � � � + �

� the set of accepting states � � �"$ � � �� is a subformula of ��& .

We use the notation � � �*�� for the automaton given by the translationof an LTL formula � with respect to an alphabet � . The number of states ofthe automaton � � �*� � is clearly linear in the length of � .

For example, the translation applied on the formula � � �- �4� �� 0 �and the alphabet � �;� �� & produces the automaton depicted on Fig-ure 2.2, where � %$ � %$ %$ stand for $ %$

� � %$�� %$�� , respectively.

7.1.2 A1W � LTL translation

Let � � � � �� %$ � �� be an A1W automaton. For each � K � wedefine an LTL formula � � such that � � �*� � � � � �� . (in particular� � �*� � � �� ). The definition proceeds by induction respecting the or-dering of states; the formula � � employs formulae of the form � � where$1K �� . This is the point where the 1-weakness of the automaton isused. To illustrate the inductive step of the translation, let us consider thesituation depicted on Figure 7.1. The formula corresponding to state � is� � � �- � �� .�� )�� .

PSfrag replacements �

$ �

�

. . . . . .

Figure 7.1: Part of an automaton translated into the formula � � � �- �� .�� )�� .

Before we give a formal definition of � � , we introduce some auxiliaryformulae. Let TK � be a letter and �?�� be a set of states. The formula

� �- �� , :��


intuitively corresponds to a situation when automaton makes transitionunder into the set of states � . Formulae � � and � � defined as

� � � ��

� �- �� & � � � � ��

� �- ��

intuitively correspond to all transitions leading from state � ; � � covers thetransitions with a loop (i.e. the transitions leading to the set of states con-taining � ) while � � cover the others. The definition of � � then depends onwhether � is an accepting state or not.

� � ��

� � � � � if �2NK �� :+ 0 � � if � K �

The proof of the correctness of this translation can be found in [LT00].Given an A1W automaton � with an initial state $ � , by �� we denotethe formula �� .

7.2 Improving A1W � LTL translation

The A1W LTL translation presented in the previous section is not optimal:it wastes temporal operators. The main problem of the translation is thatfor each successor $:K�� of a state � the formula � � contains a subfor-mula �� even if the � operator is not needed. This can be illustrated by anautomaton � on Figure 7.2. The automaton is created by translation of the

PSfrag replacements

�

$

�

�

�

Figure 7.2: The automaton for the formula � �.��>� �:� � .

formula � �.� �L� � � � . The A1W LTL translation provides an equivalentformula �� < � �.�� .� �:� �� in spite of it.

7.2 IMPROVING A1W � LTL TRANSLATION 123

PSfrag replacements1.

2. � �

��

$$

$ � $ �$ $ $ � $ �

��

� �

� ��

� � ��

� �

�

��

��

. . .

. . . . . .

Figure 7.3: The conditions for � -freeness.

Let � � � be a transition and � � � . We now formulate conditionsthat are sufficient to omit the � operator in front of � � (for every $4K � ) in asubformula of � � corresponding to the transition � � � . A set � satisfyingthese conditions is called � -free.

Definition 7.1 Let � � � be a transition of an automaton � . A set � �� &is said to be � -free for � � � if following conditions hold.

1. For each $:K � there is � �� such that $ � � �� .2. Let � � � and for each $TK � let � �� be a set satisfying $ � � �� and$CNK�� . Then there exists a set � � �J� � � � � � � � � �� satisfying � � � � � .

The conditions for � -freeness are illustrated by Figure 7.3. Please note thatit can be the case that � K � . Further, in the first condition it can be the casethat $4K � �� .

It is easy to see that empty set is � -free for every transition. Further,every subset of a � -free set for a transition is a � -free set for the transitionas well. On the other hand, Figure 7.4 demonstrates that the union of two


PSfrag replacements

�

$ � $

$ $ �

. . . . . .

Figure 7.4: The sets �"$ � & 6�"$ & are � -free for � � �"$ � %$ & while the set�"$ � %$ & is not.

� -free sets need not be � -free; in the automaton indicated on the figure, thesets �"$ � & 6�"$ & are � -free for � � �"$ � %$ & while the set �"$ � %$ & is not.

Let �� be an arbitrary but fixed function assigning to each transition� � � a set that is � -free for � � � . We now introduce an improvedA1W LTL translation. Roughly speaking, the translation omits the � op-erators in front of subformulae which correspond to the states in � -freesets given by the function �� . Thereafter we prove that this translationremains correct.

The improved A1W LTL translation exhibits similar structure as theoriginal one. Instead of formulae of the form � �- �� representing a transi-tion under leading from an arbitrary state � to � , we define a specializedformula � �� - �� for each transition � � � .

� �� - �� < � ��

��

� ��

� �� - ��

� �� - �� We also identify some cases when � can be replaced by “weaker” operators� or 0 in a formula �� . To this end we define two special types of states.A state � is of the � -type if there is a transition � � �� & for every !K � .A state � is of the 0 -type if every transition of the form � � � satisfies� K � .


� ��

��

� �� if �� if �� is of � -type�� if �� is of � -type and not of � -type ��"! � �� if �� is not of � -type or � -type# if �� is of � -type� �� if �� is of � -type and not of � -type� �� ! � �� %$&� �� if �� is not of � -type or � -type

The new cases in the definition of � �� make only a cosmetic change compar-ing to the original A1W LTL translation. First, we add a case for stateswithout any loop. This change does not influence the correctness of thetranslation as the condition � NK�� says that �� . and therefore�� is equivalent to � �� as well as to �� )+ 0 � �� . Further, itis easy to check that if a state � is of � -type then � �� , and if � is of0 -type then � �� . . Hence, all cases for �2K �� and �<NK � are equiv-alent to � �� and all cases for �,K �� and � K � are equivalent to�� :+ 0 � �� .

Before we show that the improved translation is equivalent to the orig-inal one (and thus also correct), we prove two auxiliary lemmata.

Lemma 7.2 For each transition � � � of an A1W automaton � the implication� �- �� & �� , � �� - �� holds assuming that � � � ,;� � � for each $4K �� .Proof: Due to the definitions of � �- �� & � and � �� - �� and the assump-tion of the lemma, it is sufficient to show for each � -word � K � � that

if $:K �� and � � � � �- �� ?& � then � � � � � .The first condition for � -freeness gives us that there is � �� such that$ � � �� . From the 1-weakness of the automaton we have that ��NK � �� .Thus, � �� ?& and � � � � �- �� & � implies � � � � �- �� "$ & � . As� � � � �- �� "$ & � and $ � � �� we have that either $4K�� and then � � � � � ,or $1NK � �� and then � � � � � . Anyway, � � � � � + � � holds. At the same time� � � � �- �� & � implies � � � �� . We are done as � � � � � + � � and � � � �� imply � � � � � . �

Lemma 7.3 Let � � � be a transition of an A1W automaton � . Then� �� - �� ?, � � + � � assuming that � � � , � � � for each $ K �� . More-over, if �2NK � then � �� - �� ?, � � on the same assumption.


Proof: Let us suppose that � K � � is an � -word such that � � � � �� - �� .Due to the assumption of the lemma the formula � �� - �� is equivalent to

��

� � � ��

� � ��

Obviously � � � , � � + �� . Let � be the set� � �"$'K �� <� � � � � � & �

For each $ K � , the definition of the formula � � and the assumption � � �G (due to � � � � �� - �� ) imply that there exists a set � �� such that $ � � �� ,$>NK � �� , and � � � � �- �� . The second condition for � -freeness gives us thatthere exists a set � � � � � � � � � � � � � � � �� satisfying � � � � � . As � � � �� for every $!K � � � and � � � � �- �� for each $EK � , we get that � � �� - �� & � as well. To sum up, we have a set � � � such that � �� and� � � � �- �� & � . If �8K � � � then � � � � � . Moreover, 1-weakness of theautomaton implies that �<NK � �� and therefore �2K � . Finally, if �8NK � � � then� � � � � . �

We are now ready to prove the correctness of the improved translation.

Theorem 7.4 Let � � � � �� %$ � �� be an A1W automaton. For every state� K � the equation � �� *� �� holds.

Proof: We show that � � � , � �� holds for every �LK � . The proof proceedsby induction with respect to the ordering on � . If �� then emptyset is the only � -free set for any transition leading from � . Hence � � and � ��are equivalent.

Let us now assume that the equivalence holds for every $2K � �� .The Lemma 7.2 implies � � � , � �� . Lemma 7.3 gives us that � �� implies � � ,and � �� implies � � + � � . As an immediate consequence we get � �� ,;� � . �

Let � be an A1W automaton and $ � its initial state. By � �� wedenote the formula � � � � given by the improved translation which is deter-mined by the function �� .

After it has been proven that the improved translation remains cor-rect, it is only natural to examine the “quality” of formulae it produces.The improved translation has been motivated by the observation that thestandard one wastes � operators. Therefore, we show that the improvedtranslation allows to translate an automaton � � �*�� derived from a formula�2K �� back into a formula from �� . In order to do so,


we define two metrics for A1W automata, namely loop-height and � -height,and show that an automaton � with loop-height � and � -height can betranslated into a formula form � � � �� . Then we prove that an au-tomaton � � �*�� given by the standard LTL A1W translation of a formula�3K �� has loop-height and � -height at most � and , respec-tively. These relations also enable us to define some of the studied LTLfragments via A1W automata.

Definition 7.5 Let � � � � �� %$ � �� be an A1W automaton. For each state� K�� we inductively define its loop-height and � -height (denoted by � � �� and� � �� respectively) as

� � �� #$ �<� $4K � �� & $,& if � K �� #$ �<� $4K � �� & otherwise

� � �� is � -free for

� �� &�&

where maximum over empty set is � and� �� #$ �<� $4K � & � � � � �#$ � $1& � $4K � � � %$>N� � & �7�

We also define loop-height and � -height of the automaton � as the loop-heightand � -height of its initial state, i.e. � � �� #$ � � and � � �� #$ � � .

Intuitively, loop-height of an automaton � holds the maximal height ofstates of � with a loop. The � -height counts the minimal nesting depth of� operators achievable by the improved translation; the definition considerthe minimum over all choices of � -free sets.

Theorem 7.6 Let � be an A1W automaton. There exists a function �� suchthat � �� K ��

�� .

Proof: Please note that � -depth �*� �� does not depend on the choiceof the function �� . Contrary to the � -depth, the � -depth of the result-ing formula depends on the function �� . The function �� satisfying� -depth �*� �� >� � � �� can be derived directly from the definition of� -height; for every transition � � � we set �� )� � , where � isa � -free set for � � � such that the value of � �� is minimal.

It is a straightforward observation that this function satisfies � �� K��

� � �� . �

We should note that the bound on � -depth �*� �� given by � � �� is not tight. The structure of a formula � �� shows that there can be stateswith a loop that are translated into or . and thus they do not bring any


new temporal operators. However, if we remove these states and all tran-sitions of the form � � � such that � contains a state translated into . ,we get an automaton � � that is language equivalent to the original one and� -depth �*� �� .Theorem 7.7 Let � K � � � �� be a formula. Then � � �� *� �� and� � �� *�� for each alphabet � .

Proof: Before we prove the inequalities, we examine the automaton � � �*�� .Let $ � be a state of � � �*�� . States in � ��#$ � � are of the form

1. $ �� or $ � � �� , where � � � is such a subformula of � � that is not inscope of any � operator, or

2. $ � or $ � � , where �� is such a subformula of � � that is not in scope ofany other � operator.

Let us note that some of the states can match both cases, e.g. a state$ ��1K �� #$ � � � �� . Moreover, the definition of a transition func-tion � implies that only the states of the form $ �� or $ � � �� can have aloop.

From the above observations and the definition of loop-height it directlyfollows that � � �� *�� -depth �*� �� .

Let $ � be a state of the automaton and � � �� #$ � � be a set of its suc-cessors of the first form (excluding these of both forms). In order to provethe second inequality of the theorem, we show that for every transition$ � � � the set � � � � � � is � -free. The construction of an automaton� � �*� � implies that if a positive boolean formula � �#$ � � � contains a state$ ��FK � then the state always occurs in the formula

� �#$ �� #$ � � � + � � �#$ � � � ��$ �� 7�

Similarly, if � �#$ � � � contains a state $ � � �� K � then the state always oc-curs in the formula

� �#$ �� #$ � � ��?� � � �#$ � � � +�$ � � �� 7�

We show that each set � � satisfies the conditions for � -freeness for everytransition $ � � � .

1. Let $ �� K � � . The property of � �#$ � � � mentioned above gives usthat there is a set � � � � such that � � � � � �#$ � � � or � � � � � �#$ �� $ �� .Anyway, $ �� . The argumentation for the case $ � � �� K � � issimilar.

7.3 DEFINING LTL FRAGMENTS VIA A1W AUTOMATA 129

2. Let � � � � be such a set that for every $ K � there is a transition$ � � �� such that $,NK � �� . Thus if $ is of the form $ �� , then � �� #$ � � �� . Otherwise, $ is of the form $ � � �� and � �� #$ � � ��6� � �#$ � � �� .Again, the property of � �#$ � � � mentioned above (together with thefact that � �#$ � � � is in positive normal form) implies that there is a set� � � � � � � � � � � � �� satisfying � � � � � � �#$ � � � .

Proving the � -freeness of the considered sets we have demonstratedthat the improved translation allows to omit the � operators in front of thesubformulae corresponding to the successors of $ � of the first form (andnot of both forms). Let us recall that these successors correspond to thesubformulae of the form � � � of the original formula � � that are never inscope of any � operator in � � . Hence, the improved translation with useof the �� function assigning the � -free sets defined above produces theformula � �� *� �� with at most the same � -depth as the original formula� . We are done as � � �� *�� keeps the lowest � -depth achievable by theimproved translation and thus � � �� *� �� -depth �*�� . �

Combining Theorem 7.6 and Theorem 7.7 we get the following twocorollaries.

Corollary 7.8 For each formula � K �� and each alphabet � thereexists a function �� such that � �� *�� K �� .

Corollary 7.9 For each A1W automaton � � � � �� %$ � �� there exists a func-tion �� such that

� � �� B � � �� *� �� and � � �� B � � �� *� �� 7�

7.3 Defining LTL fragments via A1W automataIn this section we define classes of A1W automata matching fragments ofthe form �� , where � �R!K � � � �=� & , and LTL fragmentsfrom the until-release hierarchy [CP03]. All these fragments are given by syn-tactic constraints on LTL formulae. Basically, the classes of A1W automatacan be defined by constraints on transition function and by constraints onthe set of accepting states.

In order to improve the presentation of the following results, we over-load the notation of LTL fragments; we identify an LTL fragment � witha set

� � � �*� � � � K � and � is an alphabet & i.e. with a set of languages defined by formulae from the fragment. Theinterpretation of � is always clearly determined by the context.


7.3.1 Fragments �� In order to identify classes of A1W automata matching all LTL fragmentsof the form �� where � �RMK � � � �=� & , we need to replacethe bound on � -depth �*� �� given by the loop-height of � by boundson � -depth and � -depth of the formula. Therefore we define another metricscalled � -height. The definition of � -height reflects the structure of � �� .

Definition 7.10 Let � � � � �� %$ � �� be an A1W automaton. For each state� K � we inductively define its � -height, written � � �� , as

� � �� #$ �<� $4K �� & $<& if � K �� and

� is not of � -type or 0 -type �� #$ �<� $4K �� & otherwise

where maximum over empty set is � . The � -height of the automaton � is thendefined as the � -height of its initial state, i.e. � � �� #$ � � .

We are now ready to define the classes of A1W automata matching theconsidered LTL fragments. To shorten our notation, a class is formally de-fined as a set of languages accepted by A1W automata rather than a set ofA1W automata.

Definition 7.11 Let � �R>K � � � �=� & . We define �F& � � � �R�� to be the set� � �� <� � is an A1W automaton and � � �� 6� � $ R & .

Theorem 7.12 For all � �R K � � � �=� & it holds that �� :& � � � �R�� .

Proof: Let � K � � �� and � be an alphabet. In the LTL A1Wtranslation every subformula �=� is handled as � � . Theorem 7.7 impliesthat � � �� *��T� and � � �� *��M� � $,R . Further, every state of theautomaton � � �*�� corresponding to a subformula � � has the form $ � � or$ � � � � � . One can readily check that each state $�� is of � -type and eachstate $ � � � � � is of 0 -type. Hence, these states do not increase the � -heightof the automaton. We get � � �� *� �� and thus � � �*�� K �:& � � � �R�� .

Let � be an A1W automaton such that � � �� , � � �� ,and � � �� $ R . Theorem 7.6 says that the automaton can be trans-lated into formula from � � � �� . As the definition of � -heightfollows the improved translation it is easy to check that � �� K�� . Moreover, explicit treatment of � operator has noinfluence on the fact that arbitrary occurrence of � operator can be replacedby � operator. Hence, the automaton can be translated into a formula from��

� � � . Hence, � �� K �� . �


Let us emphasize that Lemma 7.12 covers some distinguished LTL frag-ments. For example, languages defined by an �� fragment (frag-ments of this form constitute the until hierarchy [EW00, TW01]) can be de-fined by A1W automata with � -height at most R and vice versa. In particu-lar, a language can be expressed by a formula from the �� fragment(also called restricted temporal logic [PP04]) if and only if it is recognized byan A1W automaton such that every state with a loop is of � -type or 0 -type.

7.3.2 Until-release hierarchyThe hierarchy consists of fragments � 2J5�'2 � 5 for all . The definition of thefragments does not care about � operators as well as the different expres-siveness of � and � operators. Therefore we employ the standard transla-tions given in Section 7.1.

Intuitively, we show that alternation of � and 2 operators in a formulacorresponds to the alternation of nonaccepting and accepting states in thestructure of an A1W automaton.

Definition 7.13 Let � � � � �� %$ � �� be an A1W automaton. For each K ��we inductively define sets of states � 5 and

5 as follows.

� � � �

� � �� 8�/& .

� � 5 � is the smallest set of states satisfying

– � 5 � 5 � � 5 � and

– if �2NK � and �� 5 � then � K � 5 � .�

5 � is the smallest set of states satisfying

– � 5 � 5 �

5 � and

– if � K � and ��

5 � then � K

5 � .

We also define functions � �

� � �30 � � as

� � �� > 1�/ � � K � 5 & and

� �� > �1�/ )� � K

5 & �

Definition 7.14 For each K � � we define sets � 5 and � 5 as� 5 � � � �� %$ � �� is an A1W automaton and � � �#$ � �@�? �&

�95 � � � �� %$ � �� is an A1W automaton and

� �#$ � �@�! �& �

The classes � 5 and �95 match the classes � 265 and 2 �H5 , respectively. Beforewe give an explicit proof, we present some auxiliary results.

Definition 7.15 Let � � � � �� %$ � �� be an A1W automaton. For each K ��we inductively define sets of states ��5 and

�5 as follows.


� � �� 8�/& .

� � �5 � is the smallest set of states satisfying

– � �5 � �5 � � �5 � and

– if � has no loop or �2NK � , and �� @� � �5 � then �LK � �5 � .�

�5 � is the smallest set of states satisfying

– � �5 � �5 �

�5 � and

– if � has no loop or � K � , and �� @� �5 � then � K

�5 � .

We also define functions � �� 30 � � as

� �� > �1�/ ��7� K � �5 & and

�� > 1�/ )�7�LK

�5 & �

Lemma 7.16 For every A1W automaton � with an initial state $ � there existsan A1W automaton � with an initial state $ �� such that � �� #$ � � � � � �#$ �� and� �� .

Proof: On intuitive level, � 5 counts the maximal alternation of nonaccept-ing and accepting states of the automaton, while � �5 counts just the alter-nation of nonaccepting and accepting states with a loop. Hence, we needto modify an automaton � is such a way that the states without any loopdo not increase the number of alternations of nonaccepting and acceptingstates. To do this, we make an accepting and a nonaccepting copy of eachstate without any loop and we modify transition function such that ev-ery state without any loop in every transition is replaced by one of its twocopies. As acceptance or nonacceptance of states without any loop has noinfluence on language given by the automaton, the modified automatonaccepts the same language as the original one.

Let � � � � �� %$ � �� be an A1W automaton. Let � denote the set ofits states without any loop. We set � � � � �� %$�� , where

� � � � � � � � � � �"$ � %$ �� $4K�� & ,� $ �� $ � if $ � has a loop, $ �� $ �� otherwise,� �� "$ � � $'K�� & .

For every �GK � � , by !�� we denote a state of the original system corre-sponding to the state � :

! �� $ if �� $ � or � � $ �� otherwise

For every � K � � and ,K � , the positive boolean formula � � �� arisesfrom � �#!�� by replacement of every state $:K�� with


� $ � if � K �� , or� $ � otherwise.

It remains to show that � �� #$ � � � � � �#$�� . From the construction of theautomaton � it follows that � �� )� � �� #! �� for every � K � � . As ! �#$�� )�$ � , it is sufficient to show that � �� #$ �� #$ �� . If � � �#$ �� V� , then we aredone as � �� #$�� 3� � � � � �#$�� . In the rest of the proof we show that theequation holds for � � �#$ �� !� as well.

For each state � K �� we define �� to be a transitive closure of�� relation, i.e. �� is the smallest set satisfying

� �� and� if $4K �� then �� #$ � � �� .

Further, by � �� we denote the set of all states with a loop that are in�� .

From the construction of the automaton � it follows that for every state�1K � � such that � � �� <� the following equations hold. Again, maximumover empty set is � .

� � ��

� �#$ �<� $4K � �� & $,& if �2NK � �

� �� $<& if � K � ��

�� J$<& if �2NK � �� #$ �<� $4K � � �� &@$,& if � K � �

If we replace in the above equations the function � � with � �� and the func-tion

� with

� � , the resulting equations hold for each state � with a loop.

Hence, for every state �!K�� with a loop it holds that � �� and � � ��

� �� . In particular, if $ �� has a loop then � �� #$ �� #$ �� .

Let us note that if $ �� has no loop then it is a nonaccepting state. Further,one can prove that if � � �#$ �� 3� , $ �� has no loop, and � � �� #$ �� then � �� #$ �� &�� #$ �� .

Finally, let us assume that � � �#$ �� , $�� has no loop, and � �� #$�� N�� . As $ �� NK � � , then

� �� #$ �� #$ � � $4K � �� #$ �� & (7.1)� �� #$ � � $4K � �� #$ �� & (7.2)B �� #$ � � $4K � �� #$ �� & (7.3)� ��

� �#$ � $,& � $4K � �� #$ �� & (7.4)

� ��

� �#$ �<� $4K � �� #$ �� &@$<& (7.5)� � � �#$ �� (7.6)


where (7.1) follows from the definition of �� , (7.2) is due to the fact thatfor states with a loop the functions � �� and � � coincide, and the equation� � �#$ �<�

� �#$ �H$ & valid for all $9K � � gives us (7.4). To sum up, � �� #$�� B

� � �#$ �� . We are done as it is easy to see that � �� F� � � �� holds for eachstate � of an arbitrary A1W automaton � . �

By analogy, for an A1W automaton � with initial state $ � one can con-struct a language equivalent A1W automaton � with an initial state $ �� suchthat

�� #$ � ��

� �#$ �� .

Theorem 7.17 For each K � � it holds that � 265 � � 5 and 2 � 5 � � 5 .

Proof: We focus on the former equation as the proof of the latter one isanalogous. In order to prove the inclusion � 2 5 � � 5 , we show that forevery alphabet � and a formula �,K � 2J5 the automaton � � � � �*�� givenby standard LTL A1W translation satisfies �� #$ � � , where $ is aninitial state of the automaton. This is sufficient due to Lemma 7.16.

Please note that operators � and 2 are not in scope of any negation in � .Hence, the states of the automaton � � �*�� can be divided into three kindsaccording to the corresponding subformula of � .

1. A subformula of the form � � � � �� or � � � is translated into a state$ �� satisfying $ �� NK � .

2. As � 2 � is seen as an abbreviation for � �*�5� �4� �� , a subformula ofthe form � � � 2 �� or � 2 � is translated into a state $ � � � � � � � K � .

3. A subformula of the form �� that is not covered by the previous casesis translated into a state $ � such that $ � NK � and $ � has no loop.

To sum up, states corresponding to � operator are not accepting while thestates corresponding to 2 operator are accepting. Moreover, states corre-sponding to � or 2 are the only states that can have a loop. From thisobservation and from the structure of the transition function � it followsthat each subformula � of � satisfies

�8K � 2 � � , � �� #$ � �@� A and � K 2 � � � ,

�� #$ � � � A �

In particular, � �� #$ � �? .To prove the inclusion � 2D5 � � 5 we assume that � is an A1W automa-

ton with an initial state $ � satisfying � � �#$ � � � . We show that the formula�� given by the standard A1W LTL translation can be equivalently ex-pressed by a formula from � 2�� .

Here we employ the fact that the formulae �� "�:0 � and �� 2 � �"+ �are equivalent for all subformulae � �� . Therefore, for each state � of the


automaton � the formula � � can be equivalently given as follows:

� � ��

� � � � � if �2NK �� 2 � � �:+ � � if � K �

Using this modified construction, we get a formula that is equivalent to�� . Moreover, � operators correspond to nonaccepting states while 2 op-erators correspond to the accepting ones. Hence, the alternation of nonac-cepting and accepting states in the automaton correspond to the alternationof � and 2 operators in the resulting formula. In other words, the formulais in � 2 �� . �

Theorem 7.17 and Corollary 3.51 give us the following corollary.

Corollary 7.18 An � -language � is definable by LTL if and only if � K � � � .

7.4 Additional notesOur research on deeper connections between A1W automata and LTL frag-ments brought several topics for future work. The most interesting topicsfollow.

One such a topic is a situation on finite words. We think that the im-proved translation works for alternating automata over finite words aswell. However, we suppose that the connection between until-release hier-archy and alternation of nonaccepting and accepting states does not extendto finite words.

In Definition 7.1 we formulate two conditions which allow to decreasethe � -depth of a formula corresponding to a given A1W automaton. As theconditions are quite complicated, it is only natural to ask whether there aresome simpler (or more general) conditions with the same effect. For ex-ample, we have no counterexample showing that the improved translationproduces incorrect results when we define �� to be a set of allstates $4K � � �� & satisfying

1. there is � � � � such that $ � � � , and

2. if $ � � � and $ NK � � then there exists � � � � � � � �"$ & � � � � such that�� .

Unfortunately, we have no proof of correctness of the translation for this�� function.

Another question is a succinctness of A1W automata. Let us considera formula � with a more than one copy of a subformula � , e.g. � � �- +�� .�8� � �� . All copies of the subformula correspond to one state $ � ofthe automaton produced by LTL A1W translation. Therefore we suppose


(but we have no proof yet) that an A1W automaton can be exponentiallymore succinct than arbitrary corresponding LTL formula in some cases.

The last topic we mention here is connected to automata rather than thelogic. In this chapter we work with the alternating Buchi automata that are1-weak. The 1-weakness can be generalized to R -weakness in the followingway. An alternating Buchi automaton is called weak if the set of states �can be partitioned into disjoint sets � � �� such that

� if $4K �� , $4K��O5 , and �LK�� then �� A , and� �O5 � � �� or �O5 � � for every ��"? � ,

where � is a set of accepting states. Moreover, the automaton is called R -weak if � �O5%� �VR for every � " :� . It is known that general alternatingweak automata recognize all � -regular languages, whereas alternating 1-weak automata recognize all � -languages definable by LTL. The definitionof alternating R -weak automata (or A R W automata for short) brings severalinteresting questions:

� What is the expressive power of A R W automata?� Is the hierarchy of classes of A R W automata expressively strict?� For each R , is there any natural extension LTL � of LTL such that A R W

automata define the same languages as LTL � ?

Chapter 8

Conclusions

This thesis provides a wide overview of LTL fragment properties that arerelevant to model checking. With use of this overview one can easily seethe relations between expressiveness of LTL fragments and theoretical com-plexities of the model checking problem for these fragments. This thesisalso covers several fragment properties that lead or can potentially lead toimprovements of the model checking process (e.g. closure under stutteringleads to applicability of partial order reduction methods).

Further, this thesis contains original results divided into three areas:extended stuttering principles, characteristic patterns, and deeper connec-tions between LTL and alternating 1-weak Buchi automata. Some applica-tions of these results in model checking are suggested as well.

8.1 Future workThe sections called Additional notes and located at the end of each chapterinclude a number of interesting topics for future work. Some of these topicsare open questions borrowed from the cited papers. In the near future theauthor plans to concentrate on the development of new model checkingalgorithms and methods employing some of the results presented in thisthesis, namely the letter stuttering principle, the general stuttering princi-ple, and the concept of characteristic patterns.

Bibliography

[AH92] Rajeev Alur and Thomas A. Henzinger. Logics and modelsof real time: A survey. In J. W. de Bakker, C. Huizing, W. P.de Roever, and G. Rozenberg, editors, Proceedings of Real-Time:Theory in Practice, volume 600 of Lecture Notes in Computer Sci-ence, pages 74–106. Springer-Verlag, 1992.

[Arn85] Andre Arnold. A syntactical congruence for rational � -languages. Theoretical Computer Science, 39:333–335, 1985.

[Bur74] Rod M. Burstall. Program proving as hand simulation witha little induction. In Proceedings of International Congress of theInternational Federation for Information Processing, pages 308–312.North-Holland, 1974.

[CE81] Edmund M. Clarke and E. Allen Emerson. Design and synthe-sis of synchronization skeletons using branching time tempo-ral logic. In Proceedings of the Workshop on Logics of Programs,volume 131 of Lecture Notes in Computer Science, pages 52–71.Springer-Verlag, 1981.

[CES86] Edmund M. Clarke, E. Allen Emerson, and A. Prasad Sistla.Automatic verification of finite-state concurrent systems usingtemporal logic specifications. ACM Transactions on Program-ming Languages and Systems, 8(2):244–263, 1986.

[CGP99] Edmund M. Clarke, Orna Grumberg, and Doron A. Peled.Model Checking. The MIT Press, 1999.

[CH91] Sang Cho and Dung T. Huynh. Finite-automaton aperiodicityis PSPACE-complete. Theoretical Computer Science, 88(1):99–116,1991.

[CMP92] Edward Chang, Zohar Manna, and Amir Pnueli. Characteri-zation of temporal property classes. In W. Kuich, editor, Pro-ceedings of the 19th International Colloquium on Automata, Lan-guages and Programming (ICALP’92), volume 623 of Lecture Notesin Computer Science, pages 474–486. Springer-Verlag, 1992.

140 BIBLIOGRAPHY

[CP03] Ivana Cerna and Radek Pelanek. Relating hierarchy of tem-poral properties to model checking. In Proceedings of the30th Symposium on Mathematical Foundations of Computer Science(MFCS’03), volume 2747 of Lecture Notes in Computer Science.Springer-Verlag, 2003.

[CPP93] Joelle Cohen, Dominique Perrin, and Jean-Eric Pin. On the ex-pressive power of temporal logic. Journal of Computer and Sys-tem Sciences, 46(3):271–294, 1993.

[DAC99] Matthew B. Dwyer, George S. Avrunin, and James C. Corbett.Patterns in property specifications for finite-state verification.In Proceedings of the 21st International Conference on SoftwareEngineering (ICSE’99), pages 411–420. IEEE Computer SocietyPress, 1999.

[Dam99] Dennis R. Dams. Flat fragments of CTL and CTL � : Separatingthe expressive and distinguishing powers. Logic Journal of theIGPL, 7(1):55–78, 1999.

[DGV99] M. Daniele, F. Giunchiglia, and M. Y. Vardi. Improved au-tomata generation for linear temporal logic. In Proceedings ofthe 11th International Conference on Computer Aided Verification(CAV’99), volume 1633 of Lecture Notes in Computer Science,pages 249–260. Springer-Verlag, 1999.

[DS02] Stephane Demri and Philippe Schnoebelen. The complexity ofpropositional linear temporal logics in simple cases. Informationand Computation, 174(1):84–103, 2002.

[EH86] E. Allen Emerson and Joseph Y. Halpern. “Sometimes” and“not never” revisited: On branching versus linear time tempo-ral logic. Journal of the ACM, 33(1):151–178, 1986.

[EH00] Kousha Etessami and Gerard J. Holzmann. Optimizing Buchiautomata. In C. Palamidessi, editor, Proceedings of the 11th In-ternational Conference on Concurrency Theory (CONCUR’00), vol-ume 1877 of Lecture Notes in Computer Science, pages 153–168,2000.

[Eme90] E. Allen Emerson. Temporal and modal logic. In J. vanLeeuwen, editor, Handbook of Theoretical Computer Science, vol-ume B: Formal Models and Semantics, chapter 16, pages 995–1072. Elsevier, 1990.

[Ete00] Kousha Etessami. A note on a question of Peled and Wilke onstutter-invariant LTL. Information Processing Letters, 75(6):261–263, 2000.

BIBLIOGRAPHY 141

[EVW02] Kousha Etessami, Moshe Y. Vardi, and Thomas Wilke. First-order logic with two variables and unary temporal logic. Infor-mation and Computation, 179(2):279–295, 2002.

[EW00] Kousha Etessami and Thomas Wilke. An until hierarchy andother applications of an Ehrenfeucht-Fraısse game for temporallogic. Information and Computation, 160:88–108, 2000.

[Gab89] Dov M. Gabbay. The declarative past and imperative future:Executable temporal logic for interactive systems. In B. Ban-ieqbal, H. Barringer, and A. Pnueli, editors, Proceedings of Con-ference on Temporal Logic in Specification, volume 398 of LectureNotes in Computer Science, pages 409–448. Springer-Verlag, 1989.

[GO01] Paul Gastin and Denis Oddoux. Fast LTL to Buchi automatatranslation. In G. Berry, H. Comon, and A. Finkel, editors, Pro-ceedings of the 13th International Conference on Computer AidedVerification (CAV’01), volume 2102 of Lecture Notes in ComputerScience, pages 53–65. Springer-Verlag, 2001.

[God96] Patrice Godefroid. Partial-order methods for the verification of con-current systems: an approach to the state-explosion problem, volume1032 of Lecture Notes in Computer Science. Springer-Verlag, 1996.

[GPSS80] Dov Gabbay, Amir Pnueli, Saharon Shelah, and Jonathan Stavi.On the temporal analysis of fairness. In Conference Record of the7th Annual ACM Symposium on Principles of Programming Lan-guages (POPL’80), pages 163–173. ACM Press, 1980.

[GPVW95] Rob Gerth, Doron A. Peled, Moshe Y. Vardi, and Pierre Wolper.Simple on-the-fly automatic verification of linear temporallogic. In Protocol Specification Testing and Verification, pages 3–18. Chapman & Hall, 1995.

[HKP82] David Harel, Dexter Kozen, and Rohit Parikh. Process logic:Expressiveness, decidability, completeness. Journal of Computerand System Sciences, 25(2):144–170, 1982.

[Hol97] Gerard J. Holzmann. The Model Checker SPIN. IEEE Trans.on Software Engineering, 23(5):279–295, 1997. Special issue onFormal Methods in Software Practice.

[HP95] Gerard Holzmann and Doron Peled. Partial order reductionof the state space. In Proceedings of the 1st SPIN Workshop(SPIN’95), 1995. A position paper.

142 BIBLIOGRAPHY

[HU79] John E. Hopcroft and Jeffrey D. Ullman. Introduction to Au-tomata Theory, Languages, and Computation. Addison-Wesley,1979.

[Kam68] Johan Anthony Willem Kamp. Tense Logic and the Theory of Lin-ear Order. PhD thesis, University of California, Los Angeles,1968.

[Kri63] Saul A. Kripke. Semantical analysis of modal logic. Zeitschriftfur Mathematische Logik und Grundlagen der Mathematik, 9:67–96,1963.

[Kro87] Fred Kroger. Temporal Logic of Programs, volume 8 of EATCSMonographs on Theoretical Computer Science. Springer-Verlag,1987.

[KS02] Antonın Kucera and Jan Strejcek. The stuttering principle re-visited: On the expressiveness of nested X and U operators inthe logic LTL. In J. Bradfield, editor, Proceedings of the 11th An-nual Conference of the European Association for Computer ScienceLogic (CSL’02), volume 2471 of Lecture Notes in Computer Sci-ence, pages 276–291. Springer-Verlag, 2002.

[KS04] Antonın Kucera and Jan Strejcek. An effective characterizationof properties definable by LTL formulae with a bounded nest-ing depth of the next-time operator. Technical Report FIMU-RS-2004-04, Faculty of Informatics, Masaryk University Brno,2004.

[KS05a] Antonın Kucera and Jan Strejcek. Characteristic patterns forLTL. In Proceedings of SOFSEM’05, Lecture Notes in ComputerScience. Springer-Verlag, 2005. To appear.

[KS05b] Antonın Kucera and Jan Strejcek. The stuttering principle re-visited. Acta Informatica, 2005. To appear.

[Lad77] Richard E. Ladner. Application of model theoretic games to dis-crete linear orders and finite automata. Information and Control,33(4):281–303, 1977.

[Lam83a] Leslie Lamport. Specifying concurrent program modules. ACMTransactions on Programming Languages and Systems, 5(2):190–222, 1983.

[Lam83b] Leslie Lamport. What good is temporal logic? In R. E. A. Ma-son, editor, Proceedings of the IFIP Congress on Information Pro-cessing, pages 657–667, Amsterdam, 1983. North-Holland.

BIBLIOGRAPHY 143

[Lar94] Francois Laroussinie. Logique temporelle avec passe pour laspecification et la verification des systemes reactifs. PhD thesis,I.N.P. de Grenoble, 1994.

[LMS02] Francois Laroussinie, Nicolas Markey, and Philippe Schnoebe-len. Temporal logic with forgettable past. In Proceedings ofthe 17th Annual IEEE Symposium on Logic in Computer Science(LICS’02), pages 383–392. IEEE Computer Society Press, 2002.

[LP85] Orna Lichtenstein and Amir Pnueli. Checking that finite stateconcurrent programs satisfy their linear specification. In Con-ference Record of the 12th Annual ACM Symposium on Principles ofProgramming Languages (POPL’85), pages 97–107. ACM Press,1985.

[LPZ85] Orna Lichtenstein, Amir Pnueli, and Lenore Zuck. The gloryof the past. In R. Parikh, editor, Proceedings of the Conferenceon Logics of Programs, volume 193 of Lecture Notes in ComputerScience, pages 196–218. Springer-Verlag, 1985.

[LS95] Francois Laroussinie and Philippe Schnoebelen. A hierarchyof temporal logics with past. Theoretical Computer Science,148(2):303–324, 1995.

[LT00] Christof Loding and Wolfgang Thomas. Alternating automataand logics over infinite words (extended abstract). In J. vanLeeuwen et al., editors, Proceedings of the 1st IFIP InternationalConference on Theoretical Computer Science (IFIP TCS’00), vol-ume 1872 of Lecture Notes in Computer Science, pages 521–535.Springer-Verlag, 2000.

[Mai00] Monika Maidl. The common fragment of CTL and LTL. In D. C.Young, editor, Proceedings of the 41st Annual IEEE Symposium onFoundations of Computer Science (FOCS’00), pages 643–652. IEEEComputer Society Press, 2000.

[Mar03a] Nicolas Markey. Logiques temporelles pour la verification: expres-sivite, complexite, algorithmes. PhD thesis, University of Orleans,2003.

[Mar03b] Nicolas Markey. Temporal logic with past is exponentiallymore succinct. Bulletin of the European Association for Theoreti-cal Computer Science, 79:122–128, 2003.

[Mar04] Nicolas Markey. Past is for free: on the complexity of verifyinglinear temporal properties with past. Acta Informatica, 40(6–7):431–458, 2004.

144 BIBLIOGRAPHY

[McM99] Kenneth L. McMillan. Verification of infinite state systems bycompositional model checking. In Proceedings of the 10th Ad-vanced Research Working Conference on Correct Hardware Designand Verification Methods (CHARME’99), volume 1703 of LectureNotes in Computer Science, pages 219–237. Springer-Verlag, 1999.

[Mey75] Albert R. Meyer. Weak monadic second order theory of suc-cessor is not elementary recursive. In R. Parikh, editor, LogicColloquium, volume 453 of Lecture Notes in Mathmatics, pages132–154. Springer-Verlag, 1975.

[MP71] Robert McNaughton and Seymour Papert. Counter-Free Au-tomata. MIT Press, Cambridge, Mass., 1971.

[MP90a] Oded Maler and Amir Pnueli. Tight bounds on the complexityof cascaded decomposition of automata. In Proceedings of the31st Annual IEEE Symposium on Foundations of Computer Science(FOCS’90), volume II, pages 672–682. IEEE Computer SocietyPress, 1990.

[MP90b] Zohar Manna and Amir Pnueli. A hierarchy of temporalproperties. In Proceedings of ACM Symposium on Principles ofDistributed Computing (PODC’90), pages 377–410. ACM Press,1990.

[MP91] Zohar Manna and Amir Pnueli. Completing the temporal pic-ture. Theoretical Computer Science, 83(1):97–130, 1991.

[MP94] Oded Maler and Amir Pnueli. On the cascaded decomposi-tion of automata, its complexity and its application to logic.Available at <http://www-verimag.imag.fr/PEOPLE/Oded.Maler/Papers/decomp.ps>, 1994.

[MS97] Oded Maler and Ludwig Staiger. On syntactic congruences for� -languages. Theoretical Computer Science, 183(1):93–112, 1997.

[MS03] Nicolas Markey and Philippe Schnoebelen. Model checking apath (preliminary report). In Proceedings of the 14th InternationalConference on Concurrency Theory (CONCUR’03), volume 2761of Lecture Notes in Computer Science, pages 251–265. Springer-Verlag, 2003.

[MSS88] David E. Muller, Ahmed Saoudi, and Paul E. Schupp. Weak al-ternating automata give a simple explanation of why most tem-poral and dynamic logics are decidable in exponential time. InProceedings of the 3rd Annual IEEE Symposium on Logic in Com-puter Science (LICS’88), pages 422–427. IEEE Computer SocietyPress, 1988.

BIBLIOGRAPHY 145

[Pap94] Christos H. Papadimitriou. Computational Complexity.Addison-Wesley, 1994.

[PC03] Dimitrie O. Paun and Marsha Chechik. On closure under stut-tering. Formal Aspects of Computing, 14:342–368, 2003.

[Pel98] Doron Peled. Ten years of partial order reduction. In A. J. Huand M. Y. Vardi, editors, Proceedings of the 10th International Con-ference on Computer Aided Verification (CAV’98), volume 1427 ofLecture Notes in Computer Science, pages 17–28. Springer-Verlag,1998.

[Per84] Dominique Perrin. Recent results on automata and infinitewords. In M. P. Chytil and V. Koubek, editors, Proceedings ofthe 11th Symposium on Mathematical Foundations of Computer Sci-ence (MFCS’84), volume 176 of Lecture Notes in Computer Science,pages 134–148. Springer-Verlag, 1984.

[Pnu77] Amir Pnueli. The temporal logic of programs. In Proceedingsof the 18th Annual IEEE Symposium on Foundations of ComputerScience (FOCS’77), pages 46–57. IEEE Computer Society Press,1977.

[PP86] Dominique Perrin and Jean-Eric Pin. First-order logic and star-free sets. Journal of Computer and System Sciences, 32(3):393–406,1986.

[PP04] Dominique Perrin and Jean-Eric Pin. Infinite words, volume 141of Pure and Applied Mathematics. Elsevier, 2004.

[Pri57] Arthur N. Prior. Time and Modality. Oxford University Press,1957.

[PS04] Radek Pelanek and Jan Strejcek. Deeper connections betweenLTL and alternating automata. Technical Report FIMU-RS-2004-08, Faculty of Informatics, Masaryk University Brno, 2004.

[PW97a] Doron Peled and Thomas Wilke. Stutter-invariant temporalproperties are expressible without the next-time operator. In-formation Processing Letters, 63(5):243–246, 1997.

[PW97b] Jean-Eric Pin and Pascal Weil. Polynomial closure and unam-biguous product. Theory of Computing Systems, 30(4):383–422,1997.

[PWW98] Doron Peled, Thomas Wilke, and Pierre Wolper. An algorith-mic approach for checking closure properties of � -regular lan-guages. Theoretical Computer Science, 195(2):183–203, 1998.

146 BIBLIOGRAPHY

[Roh97] Scott Rohde. Alternating automata and the temporal logic of ordi-nals. PhD thesis, University of Illinois at Urbana-Champaign,1997.

[RP86] Roni Rosner and Amir Pnueli. A choppy logic. In Proceedingsof the 1st Annual IEEE Symposium on Logic in Computer Science(LICS’86), pages 306–313. IEEE Computer Society Press, 1986.

[SB00] Fabio Somenzi and Roderick Bloem. Efficient Buchi automatafrom LTL formulae. In Proceedings of the 12th International Con-ference on Computer Aided Verification (CAV’00), volume 1855of Lecture Notes in Computer Science, pages 248–263. Springer-Verlag, 2000.

[SC85] A. Prasad Sistla and Edmund M. Clarke. The complexity ofpropositional linear temporal logics. Journal of the ACM, 32:733–749, 1985.

[Sch65] Marcel Paul Schutzenberger. On finite monoids having onlytrivial subgroups. Information and Control, 8:190–194, 1965.

[Sch00] Heinz Schmitz. Restricted temporal logic and deterministiclanguages. Journal of Automata, Languages and Combinatorics,4(3):325–342, 2000.

[Sch01] Klaus Schneider. Improving automata generation for lineartemporal logic by considering the automaton hierarchy. In Pro-ceedings of the 8th International Conference on Logic for Program-ming, Artificial Intelligence, and Reasoning (LPAR’01), volume2250 of Lecture Notes in Computer Science, pages 39–54. Springer-Verlag, 2001.

[Sch03] Philippe Schnoebelen. The complexity of temporal logic modelchecking. In Advances in Modal Logic, vol. 4, selected papers from4th Conf. Advances in Modal Logic (AiML’02), pages 437–459.King’s College Publication, 2003.

[Sip97] Michael Sipser. Introduction to the Theory of Computation. PWSPublishing Co., 1997.

[SM73] Larry J. Stockmeyer and Albert R. Meyer. Word problems re-quiring exponential time. In Proceedings of the 5th Annual ACMSymposium on Theory of Computing (STOC’73), pages 1–9, 1973.

[Sto74] Larry J. Stockmeyer. The Complexity of Decision Problems in Au-tomata Theory and Logic. PhD thesis, Massachusetts Institute ofTechnology, 1974.

BIBLIOGRAPHY 147

[SV89] Shmuel Safra and Moshe Y. Vardi. On � -automata and tem-poral logic. In Proceedings of the 21st Annual ACM Symposiumon Theory of Computing (STOC’89), pages 127–137. ACM Press,1989.

[Tau03] Heikki Tauriainen. On translating linear temporal logic intoalternating and nondeterministic automata. Research ReportA83, Helsinki University of Technology, Laboratory for Theo-retical Computer Science, 2003.

[Tho79] Wolfgang Thomas. Star-free regular sets of � -sequences. Infor-mation and Control, 42(2):148–156, 1979.

[Tho81] Wolfgang Thomas. A combinatorial approach to the theory of� -automata. Information and Control, 48(3):261–283, 1981.

[Tho90] Wolfgang Thomas. Automata on infinite objects. In J. vanLeeuwen, editor, Handbook of Theoretical Computer Science, vol-ume B: Formal Models and Semantics, chapter 4, pages 133–191. Elsevier, 1990.

[Thu06] Axel Thue. Uber unendliche Zeichenreihen. Kra. Vidensk. Selsk.Skrifter, I. Mat. Nat. Kl., 1906(7):1–22, 1906.

[TW98] Denis Therien and Thomas Wilke. Over words, two variablesare as powerful as one quantifier alternation: � � � � � � .In Proceedings of the 30th Annual ACM Symposium on Theory ofComputing (STOC’98), pages 234–240. ACM Press, 1998.

[TW01] Denis Therien and Thomas Wilke. Temporal logic and semidi-rect products: An effective characterization of the until hierar-chy. SIAM Journal on Computing, 31(3):777–798, 2001.

[TW02] Denis Therien and Thomas Wilke. Nesting Until and Since inlinear temporal logic. In Proceedings of the 19th Annual Sympo-sium on Theoretical Aspects of Computer Science (STACS’02), vol-ume 2285 of Lecture Notes in Computer Science, pages 455–464.Springer-Verlag, 2002.

[Val91] Antti Valmari. A stubborn attack on state explosion. In E. M.Clarke and R. P. Kurshan, editors, Proceedings of the 2nd Inter-national Conference on Computer Aided Verification (CAV’90), vol-ume 531 of Lecture Notes in Computer Science, pages 156–165.Springer-Verlag, 1991.

[VW86] Moshe Y. Vardi and Pierre Wolper. An automata-theoretic ap-proach to automatic program verification. In Proceedings of

148 BIBLIOGRAPHY

the 1st Annual IEEE Symposium on Logic in Computer Science(LICS’86), pages 322–331. IEEE Computer Society Press, 1986.

[VW94] Moshe Y. Vardi and Pierre Wolper. Reasoning about infinitecomputations. Information and Computation, 115(1):1–37, 1994.

[Weg00] Ingo Wegener. Branching Programs and Binary Decision Di-agrams: Theory and Applications. Society for Industrial andApllied Mathematics, 2000.

[Wil98] Thomas Wilke. Classifying discrete temporal properties. Ha-bilitationsschrift (post-doctoral thesis), 1998.

[Wil99] Thomas Wilke. Classifying discrete temporal properties. InChr. Meinel and S. Tison, editors, Proceedings of the 16thAnnual Symposium on Theoretical Aspects of Computer Science(STACS’99), volume 1563 of Lecture Notes in Computer Science,pages 32–46. Springer-Verlag, 1999.

[Wol83] Pierre Wolper. Temporal logic can be more expressive. Informa-tion and Control, 56:72–99, 1983.

[WVS83] Pierre Wolper, Moshe Y. Vardi, and A. Prasad Sistla. Reason-ing about infinite computation paths (extended abstract). InProceedings of the 24th Annual IEEE Symposium on Foundationsof Computer Science (FOCS’83), pages 185–194. IEEE ComputerSociety Press, 1983.

[Zha03] Wenhui Zhang. Combining static analysis and case-basedsearch space partitioning for reducing peak memory in modelchecking. Journal of Computer Science and Technology, 18(6):762–770, 2003.

[Zuc86] Lenore D. Zuck. Past Temporal Logic. PhD thesis, WeizmannInstitute, 1986.

Documents

Linear Temporal Logic: Expressiveness and Model Checkinganna.fi.muni.cz/papers/src/public/ca6ca64bc134d3211d7f60a5a0bfbcbd.pdf · Vojtech Reh ak.· I thank all the people who have