A Tableau for CTL* Mark Reynolds (DRAFT version 4.0) The University of Western Australia, Perth, Australia.
[email protected]
Abstract. We present a sound, complete and relatively straightforward tableau method for deciding valid formulas in the propositional version of computation tree logic CTL*. This is the first such tableau. CTL* is an exceptionally important temporal logic with applications from hardware design to agent reasoning but there is no easy automated reasoning approach to CTL*. The tableau here is a traditional tree-shaped or top-down style tableau and affords the possibility of reasonably quick decisions on the satisfiability of medium-sized formulas and construction of small models for them. A quick subroutine is given for determining when loops are allowed back up in the tree but much needed further development is left as future work. In particular, a more general repetition prevention mechanism is needed to speed up the task of tableau construction.
1
Introduction
CTL*, or full computation tree logic, was introduced in [9] and [7]. It extends both the simple branching logic, CTL, of [2], and the standard linear temporal logic, PLTL of [16]. The language of CTL*, which is a propositional temporal language, is built recursively from the atomic propositions using the next X and until U operators of PLTL, and the universal path switching modality A of CTL as well as classical connectives. This language is appropriate for describing properties of all paths of states through a transition structure, or applications which can be modelled as such. This standard semantics for CTL* is called the semantics over R-generable models. The main uses of CTL* in computer science are for developing and checking the correctness of complex reactive systems [10] and as a basis of more complex modal languages for reasoning about multi-agent systems [15]. CTL* is also used widely as a framework for comparing other languages more appropriate for specific reasoning tasks of this type. See the description in [4]. These include the purely linear and purely branching sub-languages as well as languages such as that in [1] which allow a limited amount of interplay between these two aspects. Validity of formulas of CTL* is known to be decidable. This was proved in [9] using an automata-theoretic approach. [8] makes use of the specific form of some linear automata to give decision procedure of deterministic double exponential time complexity in the length of the formula. This agrees with the lower bound found in [26].
2
As with other temporal logics and despite these conclusive results, the search for other reasoning methods has been a major undertaking. Even for the basic task of deciding validity (or equally satisfiability), of a CTL* formula, there is interest in finding approaches which are more straightfoward, or more traditional, or more amenable to human understanding, or yield meaningful intermediate steps, etc. See, for example, the complete Hilbert-style axiomatization for CTL* in [19]. Tableaux are another popular style of modal reasoning technique and there has been a substantial amount of work on applying them to temporal logics: see [12] and [22] for surveys. They can be presented in an intuitive way, they are often suitable for automated reasoning and it is often not hard to prove complexity results for their use. It is also often the case that tableau procedures can quickly build models of satisfiable formulas even though the worst case performance is bad. Tableaux were used for modal logics in [14] and [11] and there has been much work since on tableaux for temporal logics [27, 13, 5, 6, 23]. Despite all the interest in tableaux for temporal logic and for reasoning with CTL*, a tableau approach to CTL* has been a long standing open problem. Tableau-style elements do appear in the somewhat intricate CTL* modelchecking systems in [24] and [18] but model-checking is a distinct task from deciding validity: it involves checking whether a given formula holds of a given system, and is used for the verification of implementations. Validity deciders can be used to model-check but model-checkers can not in general decide validity: model-checking is an “easier” or less computationally complex reasoning task. In [24] there is a tableau system for model-checking with predicate CTL*. In [18] there is a complete deductive system for model-checking formulas in predicate CTL* and some of the derivation steps look similar to tableau-building steps. There is a tableau for a related logic called “bundled” CTL* or BCTL* in [20]. BCTL* uses the same language as CTL* but has more satisfiable formulas as the so called limit closure property is not a requirement on its models. However, it is exactly the limit closure property which causes difficulties in reasoning with CTL* [20]. There are good reasons to try to devise a not too complicated tableau-style system for deciding validity in CTL*. Even though there is the seriously inconvenient double exponential lower bound on the complexity, there are reasons to believe that experienced tableau practitioners will be able to use a range of techniques to make fast implementations capable of delivering results for a wide range of practical reasoning problems. A general CTL* tableau can be the basis for searching for more practical sublanguages, and for assisting with humanguided derivations on bigger tasks. It can be the basis of proofs of correctness for alternative reasoning techniques like resolution or rewrite systems. It may assist with model-checking and program synthesis tasks. It may be extended to cope with some predicate reasoning. The tableau construction we describe for CTL* is of the tree, or top-down, form. To decide the validity of φ, we build a tree with the nodes built from sets of formulas from a finite closure set defined from φ. A novel aspect is the fact that
3
the nodes in the tableau are labelled with sets of sets of formulas. We use certain sets of formulas called hues, and then put together sets of hues called colours. This notation reflects some similar ideas in the CTL* axiomatic completeness proof in [19]. The proof of correctness is an interesting mixture of techniques from linear and branching temporal logic, and it has some subtleties. The approach here is significantly modified from that for BCTL* in [20] as that paper presents a bottom-up, or graph-based, tableau system and for BCTL* we do not need any mechanism to check for loops, repetition and limit closure. With CTL* in this paper, on the other hand, issues of looping become complex and are of paramount importance. We will see that there are two types of looping. There is good looping which allows us to put up-links in our tableau tree and help make a finite structure: we give a practical subroutine for checking quickly when this can happen. But there are also bad loops in the form of repetitive branch construction: the same colours coming up again and again along ever lengthening branches without the ability to loop those branches back on themselves. These turn out to be very subtle to deal with and we are only able to give some preliminary results on mechanisms for tackling repetition. The main part of the paper side steps the issue of repetition and just puts a simple but grossly impractical bound on the length of branches allowed. In the latter part of the paper we show that there is potential for making tableau search algorithms much faster by developing repetition checks. In section 2 we give a formal definition of CTL* and give some example valid formulas. In section 3 we describe some of the mechanisms underlying the tableau and the following section 4 gives a loop checking algorithm. Section 5 presents the tableau definition. The next few sections sketch the proof of soundness and correctness. Section 9 describes some preliminary work on speeding up the tableau construction by preventing repetitive branch construction. Complexity and implementation issues are discussed briefly in section 10 before a conclusion. A long version of the paper [21] has full details of the proofs.
2
Syntax and Sematics
The language of (propositional) CTL* is presented here with what is called the logic of R-generable sets of paths on transition structures: this is the standard CTL* logic. 2.1
CTL*
We fix a countable set L of atomic propositions. Definition 1. A transition frame is a pair (S, R) where: S is the non-empty set of states R is a total binary relation ⊆ S × S i.e. for every s ∈ S, there is some t ∈ S such that (s, t) ∈ R.
4
Formulas are defined along ω-long sequences of states. A fullpath in (S, R) is an infinite sequence hs0 , s1 , s2 , ...i of states such that for each i, (si , si+1 ) ∈ R. For the fullpath σ = hs0 , s1 , s2 , ...i, and any i ≥ 0, we write σi for the state si and σ≥i for the fullpath hsi , si+1 , si+2 , ...i. CTL* semantics is defined with respect to the set of all possible fullpaths. Formulas of CTL* are evaluated in transition structures: Definition 2. A (transition) structure is a triple M = (S, R, g) where: (S, R) is a transition frame; g : S → ℘(L) is a labelling of the states with sets of atoms. The formulas of CTL* are built from the atomic propositions in L recursively using classical connectives ¬ and ∧ as well as the temporal connectives X, U and A: if α and β are formulas then so are Xα, αU β and Aα. As well as the standard classical abbreviations, true, ∨, →, ↔, we have linear time abbreviations F α ≡ trueU α and Gα ≡ ¬F ¬α, and we have the path switching modal diamond Eα ≡ ¬A¬α. We shall write ψ ≤ φ if ψ is a subformula of φ. Truth of formulas is evaluated at fullpaths in structures. We write M, σ |= α iff the formula α is true of the fullpath σ in the structure M = (S, R, g). This is defined recursively by: M, σ |= p iff p ∈ g(b0 ), any p ∈ L M, σ |= ¬α iff M, σ 6|= α M, σ |= α ∧ β iff M, σ |= α and M, σ |= β M, σ |= Xα iff M, σ≥1 |= α M, σ |= αU β iff there is some i ≥ 0 such that M, σ≥i |= β and for each j, if 0 ≤ j < i then M, σ≥j |= α M, σ |= Aα iff for all fullpaths σ 0 such that σ0 = σ00 we have M, σ 0 |= α We say that α is valid in CTL* iff for all transition structures M , for all fullpaths σ in M , we have M, σ |= α. Let us write |= α in that case. We say that α is satisfiable in CTL* iff for some transition structure M and for some fullpath σ in M , we have M, σ |= α. Clearly α is satisfiable (in CTL*) iff 6|= ¬α. Note that there are other alternative ways of introducing CTL* semantics. See [3] and [19]. We do not need to go into details here. BCTL* [20] is a related logic which only considers a certain fixed set or bundle of fullpaths in the semantics. See [20] for details and a comparison with CTL*. It is much easier to reason with but it is not a logic with practical uses. 2.2
Examples
We collect five classes of interesting example formulas to illustrate our logic and to test implementations of our tableau technique. Type 1: These formulas are valid in BCTL*. Thus they are also valid in CTL*. They are satisfiable in both CTL* and BCTL*. Their negations are neither satisfiable nor valid in either CTL* or BCTL*. Their negations are the type 5 formulas below.
5
We will see that, as hoped or expected, our tableau will find it easy to build a model, and hence show satisfiability of any type 1 formula. Any structure will do! Many interesting such formulas in our two logics can be gained from the axiomatizations of a related logic, which we call BCTL*, in [25] and of CTL* in [19]. Formulas which appear in these axiom systems and which are valid in CTL* include all the valid formulas of PLTL such as θ1 = G(p → q) → (Gp → Gq), θ2 = Gp → (p ∧ Xp ∧ XGp), θ3 = (pU q) ↔ (q ∨ (p ∧ X(pU q))) and θ4 = (pU q) → F q. There are also S5 axioms such as θ5 = p → AEp and θ6 = Ap → AAp. The main interaction between the path switching and the linear time modalties is the valid formula θ7 = AXp → XAp. There is also a special axiom saying that atomic propositions only depend on states: θ8 = p → Ap (for atom p). Some more interesting valid formulas of CTL*:
θ11
θ9 = E(pU (E(pU q))) → E(pU q) θ10 = (AG(p → qU r) ∧ qU p) → qU r = G(EF p → XF EF p) → (EF p → GF EF p).
We leave it to the reader to verify the validity of these examples using semantic arguments. Type 2: These formulas are valid in CTL* but not valid in BCTL*. They are satisfiable in both CTL* and BCTL*. Their negations are neither satisfiable nor valid in CTL*. However, their negations are satisfiable in BCTL* but obviously not valid in BCTL*. Their negations are type 4 formulas below. Three interesting examples are: θ12 = AG(p → EXp) → (p → EGp), θ13 = AG(Ep → EX((Eq)U (Ep))) → (Ep → EG((Eq)U (Ep))), θ14 = (AG(p → EXr) ∧ AG(r → EXp)) → (p → EG(F p ∧ F r)). These come from [20] where they are related to the so-called limit closure property of CTL*. We will see that, as hoped or expected, our tableau will also find it easy to build a model, and hence show satisfiability of any type 2 formula. Again any CTL* structure will do! Type 3: These formulas are not valid in CTL* nor valid in BCTL* but they are satisfiable in both CTL* and BCTL*. Their negations are not valid in BCTL* or CTL*. However, their negations are satisfiable in BCTL* and CTL*. Their negations are also type 3 formulas. Examples include
θ17
θ15 = p θ16 = p ∧ Xp ∧ F ¬p = AG(p ↔ X¬p) ∧ AG(p → ¬q) ∧ AG(p → ¬r) ∧ AG(q → ¬r) ∧ E(F q ∧ F r) θ18 = AG(EXp ∧ EX¬p) ∧ AG(Gp ∨ (¬r)U (r ∧ ¬p)) The negations of these four formulas are also examples of type 3 formulas.
6
We will see that our tableau will find it easy to build a model, and hence show satisfiability of the type 3 example formulas: the reader can check that they have reasonably small models. Type 4: These formulas are not valid in CTL* nor valid in BCTL*. They are not satisfiable in CTL* but they are satisfiable in BCTL*. Their negations are not valid in BCTL*. However, their negations are valid in CTL* and satisfiable in BCTL* and CTL*. Their negations are type 2 formulas. Examples include ¬θ12 , ¬θ13 and ¬θ14 . We will see that our tableau will find these formulas most challenging. The system presented here does not have an efficient termination check and these formulas are satisfiable in BCTL* so they are only not satisfiable in CTL* due to interesting limit closure issues. Type 5: These formulas are not valid in CTL* nor valid in BCTL*. They are not satisfiable in CTL* nor in BCTL*. Their negations are both valid and satisfiable in both BCTL* and CTL*. Their negations are type 1 formulas. Examples include the negations of all the type 1 examples above. We will see that our tableau can usually terminate reasonably quickly on these formulas showing that they are not satisfiable. This is because of clear cases of termination such as branches not being able to be extended.
3
Preliminaries
Most of the work on temporal tableaux involves a move away from the traditional tree-shaped tableau building process of other modal logics. The standard approach for temporal logics is to start with a graph and repeatedly prune away nodes, according to certain removal rules, until there is nothing more to remove (success) or some failure condition is detected. This approach is seen for the linear PLTL in [27] and [13] and for the simple branching CTL in [5] and [6]. The PLTL tableau in [23] is interesting because of the return to a tree shape. We also return to the tree shape for CTL*. We want to use a tableau approach to decide validity of a formula in CTL*. We will start with a formula φ and determine whether φ is satisfiable in CTL* or not. To decide validity simply determine satisfiabilty of the negation. As in the usual tree-style tableau processes we can non-deterministically build a tree from root to successors and backtrack on our choices if there is no way to continue building. So we have conditions for a successful termination. The main difference here is that the nodes in our tree will be labelled with sets of sets of formulas rather than just sets of formulas. Obviously there is a risk of getting a very large tree to deal with. We discuss complexity and implementation issues briefly in section 10 below. From the closure set for φ, which is just the subformulas and their negations, we will define a certain set of subsets of the closure set called the hues of φ. The colours of φ will be certain sets of hues of φ. The nodes in our tableau graph will each be labelled with one colour. The hue and colour terminology relects some similar notions in the axiomatic completeness proof for CTL* in [19]. Edges in
7
the tableau will be determined by certain conditions on the formulas in the hues in the colours which label each end of the edge. 3.1
Hues and Colours
Fix the formula φ whose satisfiability we are interested in. Definition 3 (closure set). The closure set for φ is clφ = {ψ, ¬ψ|ψ ≤ φ}. Definition 4 (MPC). Say that a ⊆ clφ is maximaly propositionally consistent (MPC) iff for all α, β ∈ clφ, M1) if β = ¬α then (β ∈ a iff α 6∈ a); and M2) if α ∧ β ∈ clφ then (α ∧ β ∈ a iff both α ∈ a and β ∈ a). A hue is supposed to (approximately) capture a set of formulas which could all hold together of one fullpath. Definition 5 (Hue). a ⊆ clφ is a hue for φ iff all these conditions hold: H1) a is MPC; H2) if αU β ∈ a and β 6∈ a then α ∈ a; H3) if αU β ∈ clφ \ a then β 6∈ a; H4) if Aα ∈ a then α ∈ a. Let Hφ be the set of hues of φ. The usual temporal successor relation plays a role in determining allowed steps in the tableau: Definition 6 (rX ). For hues a and b, put arX b iff the following four conditions all hold: R1) Xα ∈ a implies α ∈ b. R2) ¬Xα ∈ a implies ¬α ∈ b. R3) αU β ∈ a and ¬β ∈ a implies αU β ∈ b. R4) ¬(αU β) ∈ a and α ∈ a implies ¬(αU β) ∈ b. The next relation aims to tell whether two hues correspond to fullpaths starting at the same state: Definition 7 (rA ). For hues a and b, put arA b iff the following two conditions both hold: A1) Aα ∈ a iff Aα ∈ b; and A2) for all p ∈ L, p ∈ a iff p ∈ b Now we move up from the level of hues to the level of colours. Could a set of hues be exactly the hues corresponding to all the fullpaths starting at a particular state? Definition 8 (Colour). Non-empty c ⊆ Hφ is a colour (of φ) iff the following two conditions hold. For all a, b ∈ c, C1) arA b C2) if a ∈ c and ¬Aα ∈ a then there is b ∈ c such that ¬α ∈ b.
8
Let Cφ be the set of colours of φ. We define a successor relation RX between colours. It is defined in terms of rX between the component hues and is supposed to approximately capture the successor relation between nodes in terms of the colours which they exhibit. Note that colours will in general have a non-singleton range of successors. Definition 9 (RX ). For all c, d ∈ Cφ , put cRX d iff for all b ∈ d there is a ∈ c such that arX b. It is worth noting that colours and hues can be found in actual transition structures. We will need these concepts in our completeness proof. Definition 10 (actual φ-hue). Suppose (S, R, g) is a transition structure. If σ is a fullpath through (S, R) then we say that h = {α ∈ clφ|(S, R, g), σ |= α} is the actual (φ-) hue of σ in (S, R, g). It is straightforward to see that this is a φ-hue. It is also easy to show that along any fullpath rX holds between one actual hue and its successor. Definition 11 (actual φ-colour). If s ∈ S then the set of all actual hues of all fullpaths through (S, R) starting at s is called the actual (φ-) colour of s in (S, R, g). Again, it is straightforward to show that this is indeed a φ-colour and also that RX holds between the actual colour of any node and of any of its successors. 3.2
Bounds on branch length
Building branches node by node in our tree-shaped tableaux will be straightforward using the mechanisms of colours and hues. The challenges for us will be to do with looping and repetition. In our tableaux there will be “good looping” and “bad looping”. Good looping, will be when we discover that an ancestor of a node can serve as the successor of that node. Our tableaux will stray from being strictly treeshaped in that they will allow us to loop up from nodes to their ancestors. This will be a way of making a finite model which nevertheless has infinite fullpaths. There will be subtle conditions determining when we are alowed to loop up in this way. “Bad looping” on the other hand will be when we determine that we have extended a branch is a certain way which exhibits too much repetition with no allowed loops back up, and so no prospect of terminating this development in a successful and finite way. We will try to refer to this as repetition rather than looping. Again, there will be subtle rules to determine when we have such repetition. This allows us to stop constructing a branch and backtrack to a previous choice, or fail in a finite way. As mentioned, in this paper we will use a simple but not particularly efficient method for terminating the development of repetitive branches. A better method would allow us to report unsatisfiable formulas earlier. It would also allow us to
9
stop making unneccessarily long variations of branches which could be successful and shorter: thus it would help us report satisfiability earlier. The simple method we will just use is imposing a branch length bound based on a function which bounds the size of minimal finite models of a formula in terms of the length of the formula. Say that |φ| is the length of the CTL* formula φ. It has long been known that: Theorem 1 ([9]). There is a formula N () such that if CTL* formula φ is satisfiable then it has a finite model with at most N (|φ|) states. We will not here present any particular N exactly: it will be such a fast growing function that it would be totally impractical to use it in any implementation. For our purposes it suffices to demonstrate that such a function exists and we also give a rough idea of its magnitude and indicate how it could be determined more exactly. The “small model” result sketched in [9] describes (but not explicitly) a function of triple exponential complexity in the length of the formula. However, later work sketched in [17] allow us to conclude that there is also a double exponential function. For the interested reader we briefly outline how a function N with double exponential complexity can be obtained. The crucial result is from [17] where it is shown that for any non-empty Rabin tree automaton there is another automaton which specifies in a deterministic and finite way how to build one particular tree model which is accepted by the first automaton. We assume that the reader is familiar with Rabin tree automata which accept or reject labelled trees with a fixed number n of ordered distinguished successors for each node. See [10] for details. By assuming that the labelling of nodes is by a finite set of atoms from φ which are true at each node, for the CTL* formula φ we can easily find a Rabin Tree automaton which accepts labelled trees if and only if they are models of φ. In fact, from [9], we know that for any CTL* formula φ there is a Rabin Tree Automaton A which accepts the same models ω-trees as φ. Furthermore |φ| the number of transitions in A is O(22 ) and the number of accepting pairs is |φ| O(2 ). And the outdegree of each node is a fixed number of O(|φ|). From A we can find a finite representation of a particular model of φ. This comes via the form of a deterministic transducer which is a Rabin tree automaton with a fixed start state, a deterministic transition function which only makes a transition in response to one label regardless of which successor is chosen, and a degenerate acceptance condition. This will accept exactly one labelled tree. From [17], proof of Proposition 3, we know that there is a deterministic transducer D which recognizes some tree also recognized by A and the number of transitions in D is O((nm)3m ) where n is the number of states in A and m is the number of pairs in the accepting condition. Note that the proof presented there is for a binary tree but we can encode a greater fixed outdegree using several steps to encode each step in the original.
10
Finally we can use D to make a finite structure which is a model of φ. The states are just the states of D. The allowed transitions tell us the accessibility relation from each node. The determined labelling at each state tells us which atoms are true in the tree when D is in that state. This finite strcture, unwinds to exactly the unique tree model accepted by D. They are both thus models of φ. This gives us a finite model for φ (assuming φ is at all satisfiable in CTL*) and a bound on the size of that model in terms of a function of the length of φ. Checking the results more carefully would give us an actual function N (n) which gives us an upper bound on the size of a minimal model for all formulas n n of length n. Clearly N (n) is of O((22 2n )3.2 ), i.e. double exponential. In our tableau we actual use a slightly bigger function to bound the allowed length of branches, namely
Definition 12. Our bound on the length of branches allowed in tableaux will be M (n) = 2n.2n .N (n) in terms of the length n of the input formula. N is any function as described in the theorem above which bounds the size of a minimal finite model of any satisfiable CTL* formula.
3.3
Pseudo-Trees
The tableaux we construct will be roughly tree-shaped albeit the traditional upside down tree with a root at the top: predecessors and ancestors above, successors and descendants below. However, we will allow up-links from a node to one of its ancestors. Each node will be labelled with a colour, with the hues ordered and, unless it is a leaf, it will have one (ordered) successor for each hue. First we define a structure with this basic format and then we add a couple of extra conditions to define a tableau.
11
Definition 13 (COPT). A Coloured Ordered Pseudo-Tree for φ is a tuple (T, s, z) such that: PT1) T is a set (of nodes), with one, rootT ∈ T , called the root; PT2) each node t ∈ T has a finite number |st | of successors, {st (0), st (1), ..., st (|st | − 1)} ⊆ T ; PT3) each node t ∈ T has a unique finite sequence of distinct nodes t0 = rootT , t1 , t2 , ..., tk = t, called the ancestors of t, such that each ti+1 is a successor of ti and, if k > 0, then tk−1 is called the parent of t; PT4) for each t ∈ T , for each i < |st |, either t is the parent of st (i) or st (i) is an ancestor of t; PT5) z : T → Cφ is the colouring; PT6) for each t ∈ T , zt is a map enumerating the hues in z(t) in some order; PT7) for each t ∈ T , for each i < |st |, z(t)RX z(st (i)); PT8) φ ∈ zrootT (0); PT9) for each t ∈ T , either |st | = 0 or there are |st | > 0 hues in z(t); PT10) for all t ∈ T , for all i < |st |, (zt (i))rX (zst (i) (0)); Definition 14 (leaf node). t ∈ T is a leaf node iff |st | = 0. Note that in pseudo-trees we will say that y is a successor of x iff there is some i < |sx | such that sx (i) = y. However, we will reserve the terms ancestors and descendants only for the usual relative distances from the root along the same branch. Both these latter terms are inclusive of the node itself. Parents will have to be ancestors. Definition 15 (tableau path). σ is a path through (T, s, z), iff it is a sequence of nodes from T , with length |σ| ≤ ω, proceeding such that for each j < |σ|, there is some i < |sσj | such that σj+1 = sσj (i) Definition 16 (tableau fullpath). A path σ is a fullpath through (T, s, z), iff it only ends at a leaf node, if it ends at all: i.e. if |σ| = n < ω then σn−1 is a leaf node. The idea of eventualities in hues which need to be fulfilled will be important in our proof: Definition 17 (Eventuality). β ∈ clφ is an eventuality in hue h iff αU β ∈ h. At various places in our proofs we will need to find hue threads, i.e. sequences of hues which lie within sequences of coloured nodes. In this subsection we introduce some tools for dealing with such a situation. Suppose that (T, s, z) is a COPT for φ. Definition 18 (Hue thread). Suppose σ is a path through (T, s, z). A hue thread through σ is a sequence η of hues such that |η| = |σ|, for each j < |η|, ηj ∈ z(σj ) and for each j < |η| − 1, ηj rX ηj+1 .
12
Definition 19 (Fulfilling hue thread). Suppose σ is a path through (T, s, z) and η is a hue thread through σ. We say that η is fulfilling iff either |σ| < ω or |σ| = ω and all the eventualities in each ηi are witnessed by some later ηj ; i.e. if αU β ∈ ηi then there is j ≥ i such that β ∈ ηj . Note that we could add the following condition to the idea of witnessing eventualities but it is redundant: for all k, if i ≤ k < j then α ∈ ηk . The predecessor hue aspect of the definition of the successor relation RX between colours of nodes PT7, ensures, by definition of RX , that any hue in any colour has an rX predecessor in any predecessor colour. In fact it is unique as we now show. This enables us to traceback threads of hues backwards along paths. Lemma 1. If u is a successor of t in a COPT (T, s, z) and h ∈ z(u) then there is a unique hue h0 ∈ z(t) such that h0 rX h. Proof. That such at least one such hue exists follows from the condition PT7 that colours between successors satisfy RX . It is part of the definition of RX that there must be at least one predecessor hue. Now for uniqueness. Suppose for contradiction that there are two such hues h0 and h00 in z(t). Consider a formula from cl(φ) of minimal complexity which distinguishes the two hues. The formula can not be an atom or of the form Aβ because of the rA relation between h0 and h00 . It can not be ¬β nor α ∧ β because hues are MPC. We can not have Xβ because Xβ being in (both) h0 and h00 is determined by the rX relation between the hue and h. Thus the formula must be of the form αU β. Say αU β ∈ h0 but not in h00 . As 0 h and h00 agree on α and β and are also both in relation rX to h we have some cases to consider to get our desired contradiction. We can not have β in either h0 or h00 because then it would be in both and the definition of hue (H3) would tell us that αU β is in both. As αU β ∈ h0 H2 tells us α ∈ h0 and as h00 agrees then α is in h00 . As h0 rX h the definition of rX (R3) tells us that αU β ∈ h. But as h00 rX h, R4 tells us the contrary. We are done. Lemma 2. Each path σ through (T, s, z) has at least one hue thread. Proof. By iteratively tracing predecessor hues backwards from a leaf node, it is easy to see that any finite path has a hue thread. So now consider |σ| = ω. For each i, look at each a ∈ z(σi ). Find the maximum length lai of a thread η of hues starting from a at σi and continuing onwards along σ. The length being 0 if a has no successor hue in σi+1 . So for all i, for all a ∈ z(σi ), lai ≥ 0. For each b = bi+1 ∈ z(σi+1 ) there is some bi ∈ z(σi ) such that bi rX bi+1 so lbi i ≥ lbi+1 + 1 ≥ 1. By induction, for all k ≥ 0, there is bi−k ∈ z(σi−k ) such that i+1 bi−k rX bi−k+1 rX ...rX bi+1 so that lbi−k ≥ k + 1. i−k Thus there is b0 ∈ z(σ0 ) such that lb00 ≥ i + 1.
13
This is true for all i ≥ 0 so we can not have all the lb0 finite for each b ∈ z(σ0 ). (Otherwise choose the maximum of those finite number of finite numbers as i.) Thus there is c0 ∈ z(σ0 ) such that lc00 = ω. Similarly, there is c1 ∈ z(σ1 ) such that lc11 = ω and c0 rX c1 . Otherwise, lc00 is just the maximum of all the lb1 + 1 for b ∈ z(σ1 ) with c0 rX b. By induction there is sequence hc0 , c1 , c2 , ...i with each ci ∈ z(σi ) and ci rX ci+1 as required. Lemma 3. Each path σ through (T, s, z) has only a finite number of hue threads. Proof. Note that if two hue threads (of the same path) agree at any index then they must agree at all lesser indices all the way back to zero. This is because of (iterated application of) the traceback property lemma 1. If the length of φ is |φ| then there are at most 2|φ| distinct φ-hues altogether. Thus each colour contains at most that many hues. Let n be the maximum number of hues in any z(σi ). I claim that there are at most n different hue threads along σ. Suppose for contradiction that there are at least n + 1. Each pair of distinct hue threads through σ has a first index at which they differ. As noted above the hue threads will then differ forever afterwards. Let N be greater than all such first indices. After σN all those ≥ n + 1 hue threads must differ on each index as to which hue they contain. However, there are only at most n different hues. Contradiction. The following condition is rather non-algorithmic in its presentation. In the next section below we give full details of a model-checking style algorithm which we show determines whether this condition holds amongst other things. Definition 20 (Fullpaths fulfilled). We say that a COPT (T, s, z) has fullpaths fulfilled iff for every σ fullpath through (T, s, z), there is a fulfilling hue thread through σ. 3.4
Nominated Threads
Notice that property PT10 puts a special significance on the initial hue in each colour label. This, along with the next condition, helps us ensure that each hue actually has a fullpath witnessing it. We are going to require the following NTP of the tableaux which we construct. Definition 21 (The nominated thread property). We say that a COPT (T, s, z) has the nominated thread property (NTP) iff the following holds. Suppose t ∈ T , 0 < st , st (0) is an ancestor of t and that t0 = st (0), t1 , ..., tk = t is a non-repeating sequence with each tj+1 = stj (0). Let σ be the fullpath ht0 , t1 , ..., tk , t0 , t1 , ..., tk , t0 , t1 , ...i and η be the sequence hzt0 (0), zt1 (0), ..., ztk (0), zt1 (0), ...i of hues in σ. Then η is a fulfilling hue thread for σ.
14
It is straightforward to prove that this is equivalent to checking that each eventuality in zt0 (0) (or in all, or any, zti (0)) is witnessed in at least one of the ztj (0). So it is neither hard to implement nor computationally complex. Later in our completeness proof we will need a more sophisticated version of NTP because some of the fullpaths in our structures will be infinite branches with no up-links. For convenience we discuss this notion here. Consider a COPT (T, s, z) which, like COPTs in general, may have infinite branches. From any node t there is a fullpath σ = ht0 , t1 , t2 , ...i such that t0 = t and each ti+1 = sti (0) and σ only ends at a leaf. We call this the always leftmost fullpath from t. It will have a hue thread η with each ηi = zti (0): call this the always zero hue thread. We use these constructs to define a slight generalisation called NTPI of the NTP which covers the case of infinite branches as well. Definition 22 (NPTI). Say that a COPT has the NPTI iff every always leftmost fullpath has the always zero thread as a fulfilling thread. By following the always leftmost branch (possibly via a few up-links) until it reaches a leaf or starts looping via one up-link and a sequence of leftmost down-links, we can easily establish the following. Lemma 4. If a finite COPT satisfies the NPTI then it satisfies the NTP.
4
How to check that labels are grounded
In this section we will address one of our most important extra conditions which we are putting on COPTs in order to allow them to be a tableau in our decision procedure. This is the condition of labels being grounded (LG). By this we mean that the colour labels of nodes make sense in terms of the fullpaths which pass through them: they could be the actual colours of nodes in structures which model our formula. This notion is intimately connected with the idea that all fullpaths looping around in our tableau must have corresponding sequences of hues which have their eventualities fulfilled. Our main task here is to give an algorithm to check whether the labels are grounded. If a tableau search algorithm tries to add a new up-link to a tableau and finds that LG fails then it will know that the up-link should not be added. In this section we describe a procedure for doing this and show that it does indeed work. The procedure will be somehwhat complicated to describe but is a straightforward polynomial-time algorithm looping around a few times to collect sets of sets of formulas from clφ for each node. In fact, the procedure we describe will be a form of model checking. In a specialised form it can determine the actual hues and colours (for a given φ) of the nodes in a structure (S, R, g). However, our partially completed tableaux contain leaf nodes which we have to treat specially in this groundedness check. In particular we act as if that the actual colour of each leaf node t matches exactly the labelled colour z(t). For the rest of the nodes we work out the resulting actual colours from just the atoms in the labels. If there are no leaf nodes then we are
15
doing model checking of a structure (T, R, g) where R is the successor relation between nodes and g is the labelling restricted to atoms. We need to check that the actual colours match the labelled colours. If there are any differences then they are because of up-links in the non-leaf part of the tableau that should not have been constructed. 4.1
The LG algorithm
Our construction will proceed inductively considering each subformula αk of φ in turn starting at the atoms and building a structure Sk = (T, γ, π). In Sk , γ S will map each node t ∈ T to a set of subsets of j≤k clαj : these we may call the partial hues of t. There will also be a successor relation δ between pairs (t, a) and (t0 , b) with t, t0 ∈ T , a ∈ γ(t) and b ∈ γ(t0 ) to indicate that the partial hue b of t0 is a successor of the partial hue a of t. Enumerate the subformulas of φ as α0 , α1 , ..., αN in some way such that if αi ≤ αj then i ≤ j. Note that the negation of each αi will be in cl(φ) and cl(αi ) ⊆ cl(φ). Note that we keep some inavariant properties while we proceed through the rounds. Definition 23 (Invariant Properties). We ensure that the following hold as we build each Sk : 1) rX holds between partial hues related by δ; 2) (t, d)δ(t0 , d0 ) implies t0 a successor of t; 3) every (t, d) has at least one δ-successor unless t is a leaf 4) if t0 is a successor of t and d0 ∈ γ(t0 ) then there is d ∈ γ(t) such that (t, d)δ(t0 , d0 ); 5) if t is a leaf and h ∈ z(t) then there is d ∈ γ(t) such that d ⊆ h; 6) if αU β ∈ d ∈ γ(t) then there is some sequence (t, d)δ(t1 , d1 )δ...δ(tj , dj ) such that β ∈ dj or tj is a leaf and dj ⊆ h ∈ z(tj ) and αU β ∈ h. We start with each node t containing one partial hue which is empty and the successors of that partial hue will just be the the unique partial hue belonging to each of the node successors of t. Let us be more precise. S−1 = (T, γ, δ) where γ and δ are as follows. For each t ∈ T , γ(t) = {∅}. For each t, t0 ∈ T , if t0 is a successor of t, i.e. there is some i such that st (i) = t0 , then we put (t, ∅)δ(t0 , ∅). As indicated we now proceed inductively considering the αk in order. In each round we update the partial hues at each node. In particular we will add either αk or ¬αk (and it is in cl(φ)) to each partial hue. Depending on the situation at a node we may also “split” a partial hue into two partial hues which agree on all other formulas (so far) but differ on whether they contain αk . So suppose that Sk−1 = (T, γ, δ) has been built and we want to build Sk = (T, γ 0 , δ 0 ) by considering αk . There are several cases depending on the form of αk . αk = p ∈ L. For each node t ∈ T , for each partial hue a ∈ γ(t), we define a new partial hue a0 . Just put p ∈ a0 iff there is some hue b in z(t) with p ∈ b.
16
That is a0 = a ∪ {p}. Otherwise put ¬p ∈ a0 . Let γ 0 (t) = {a0 |a ∈ γ(t)}. As for δ 0 , we say that δ is unchanged but we actually mean that if δ related a pair of pairs including (t, a) then δ 0 relates the corresponding pair of pairs with (t, a) replaced by (t, a0 ). αk = ¬α. For each node t ∈ T , for each a ∈ γ(t), we only need to do something if α ∈ a. In that case put a0 = a ∪ {¬¬α}. Otherwise we do not need to do anything as ¬α will already be in a: put a0 = a. Let γ 0 (t) = {a0 |a ∈ γ(t)}. δ is unchanged. αk = α ∧ β. For each node t ∈ T , for each a ∈ γ(t), if α ∈ a and β ∈ a, we put a0 = a ∪ {α ∧ β}. Otherwise put a0 = a ∪ {¬(α ∧ β)}. Let γ 0 (t) = {a0 |a ∈ γ(t)}. δ is unchanged. αk = Xα. In this case we may need to split a partial hue into two. Let a+ = a ∪ {Xα} and a− = a ∪ {¬Xα}. For each t ∈ T , for each a ∈ γ(t), we will replace a in γ(t) by either a+ or a− or both in γ 0 (t) and we will define δ 0 . To decide which consider the δ successors of (t, a) if it has any. If (t, a)δ(t0 , b) and α ∈ b then we will put a+ in γ 0 (t) and put (t, a+ )δ 0 (t0 , b). However, if (t, a)δ(t00 , c) and ¬α ∈ c then we will put a− in γ 0 (t) and put (t, a− )δ 0 (t00 , c). We may need to do both or just one. We also need to update δ backwards: i.e. if (t0 , b)δ(t, a) then add (t0 , b)δ 0 (t, a+ ) or (t0 , b)δ 0 (t, a− ) or both. If, on the other hand t is a leaf, and so (t, a) has no δ successors then we look at which hues h ∈ z(t) do we have a ⊆ h. We ensure that there will be at least one. If there is such an h containing Xα then we put (t, a+ ) in γ 0 (t) and proceed as above. If (instead or as well) there is such an h containing ¬Xα then we put (t, a− ) in γ 0 (t) and proceed as above. αk = αU β. Again we may need to split hues. In this case we need to work on all the nodes together as δ 0 will connect up paths of new partial hues. For each t ∈ T and each a ∈ γ(t) we will put either a new partial hue a+ = a ∪ {αU β} or a new partial hue a− = a ∪ {¬(αU β)} or both into γ 0 (t). If we can find a path (t0 , a0 )δ(t1 , a1 )δ(t2 , a2 )δ...δ(tn , an ) (with n ≥ 0) such that β ∈ an and for 0 all i < n, α ∈ ai then we include each a+ i in γ (ti ). Furthermore we put each + 0 + (ti , ai )δ (ti+1 , ai+1 ). There is also a slight variant of this if we find a δ-sequence ending at (tn , an ) with tn a leaf and an ⊆ h ∈ z(tn ) with αU β ∈ h. Proceed in the same way. If, however, we can find a path (t0 , a0 )δ(t1 , a1 )δ(t2 , a2 )δ...δ(tn , an ) (with n ≥ 0 0) such that ¬β ∈ ai for all i < n and ¬α ∈ an then we include each a− i in γ (ti ). − 0 − Furthermore we put each (ti , ai )δ (ti+1 , ai+1 ). Most importantly, if we can find a path (t0 , a0 )δ(t1 , a1 )δ(t2 , a2 )δ...δ(tn , an ) (with n ≥ 0) such that ¬β ∈ ai for all i < n and (tn , an ) = (tj , aj ) for some 0 j < n then we may need to include each a− i in γ (ti ). However, we only do this if the loop (tj , aj )δ(tj+1 , aj+1 )δ...δ(tn , an ) is fulfilling in terms of the eventualities which have already been included in the partial hues. That is, if some α0 U β 0 ∈ aj then there is some k with j ≤ k < n such that β 0 ∈ ak . Only if the loop is fulfilling − 0 − 0 do we include each a− i in γ (ti ). Again we also put each (ti , ai )δ (ti+1 , ai+1 ). Again there is a variant of the negative case when tn is a leaf, an ⊆ h ∈ z(tn ) and ¬(αU β) ∈ h.
17
Note that a straightforward induction shows that for every a, either a+ or a or both goes into γ 0 (t). There are also a few extra pairs we need to put in δ 0 because they may not be parts of paths. If ¬α ∈ a and (t, a)δ(t0 , b) then put (t, a− )δ(t0 , b0 ) for each b0 = b+ or b− which is in γ 0 (t0 ). If β ∈ a and (t, a)δ(t0 , b) then put (t, a+ )δ 0 (t0 , b0 ) for each b0 = b+ or b− which is in γ 0 (t0 ). αk = Aα. For each t ∈ T , consider whether α is in all the partial hues in γ(t). If so then we add Aα to all of them. Otherwise add ¬Aα to all of them. A detailed but straightforward check can establish: −
Lemma 5. The invariant properties hold at the end of each round of LG. Now that we have finished finding the sets of partial hues attached to each node in (T, s, z) we check whether SN matches z, i.e. Definition 24. Say that SN matches z iff for each t ∈ T , γ(t) = z(t) as sets of subsets of cl(φ). This allows us to decide whether or not labels are grounded: we will show below that SN matching z will be equivalent to labels are grounded (LG). 4.2
The k-level hypothetical structure
We have a φ-tableau (T, s, z) and an ordering {α0 , α1 , ..., αN } of the subformulas of φ in a non-decreasing complexity order. We think of (T, s, z) as representing a different CTL* structure (T, s, z)∗ called the hypothetical structure of (T, s, z) based on assuming that each leaf t in (T, s, z) is joined to a separate sub-structure which validates its label z(t). This structure (T, s, z)∗ will have slightly specialised semantics for evaluating CTL* formulas. We also use a special definition of fullpaths. A fullpath σ through (T, s, z)∗ is either 1) a normal ω-long fullpath through (T, s, z); or 2) a finite fullpath through (T, s, z) ending at a leaf t along with one of the hues end(σ) from z(t). We write M, σ |= α iff the formula α is true of the fullpath σ in the structure M = (T, s, z)∗. This is defined recursively by: M, σ |= p iff atom p is in some hue in z(σ0 ); M, σ |= ¬α iff M, σ 6|= α M, σ |= α ∧ β iff M, σ |= α and M, σ |= β M, σ |= Xα iff either σ0 is not a leaf and M, σ≥1 |= α or σ0 is a leaf and Xα ∈ end(σ) M, σ |= αU β iff either there is some i ≥ 0 such that M, σ≥i |= β and for each j, if 0 ≤ j < i then M, σ≥j |= α or there is some i ≥ 0 such that σi is a leaf and αU β ∈ end(σ) and for each j, if 0 ≤ j < i then M, σ≥j |= α M, σ |= Aα iff for all fullpaths σ 0 such that σ0 = σ00 we have M, σ 0 |= α
18
Notice that we obviously have exact agreement between standard CTL* semantics on a COPT without leaves and this special semantics on its hypothetical structure: Definition 25 (Transition Structure from Leafless COPT). Suppose COPT (T, s, z) has no leaves. Then we say it represents the following transition structure (T, R, g): R is just the binary successor relation between nodes, tRu iff there is i < |st | such that st (i) = u; and g is the labelling z restricted to atoms; p ∈ g(t) iff there is some hue h in z(t) such that p ∈ h. Lemma 6. If COPT (T, s, z) has no leaves then all fullpaths of (T, s, z)∗ are just normal fullpaths of (T, R, g) and for all α, (T, s, z)∗, σ |= α iff (T, R, g), σ |= α. Now the other complication that we have when using this algorithm is that LG builds up to checking a COPT via a sequence of rounds involving more and more complex formulas. We thus in our proof need to sometimes limit our consideration to the set Ak = {αl , ¬αl |l ≤ k} ⊆ cl(φ) which we call the k-level closure set. Definition 26 (partial hue thread). Say k ≤ N and Sk = (T, γ, δ) and σ is a fullpath. Then a sequence θ of pairs θi = (σi , di ) with di ∈ γ(σi ) is called a partial hue thread (of Sk ) through σ iff each (σi , di )δ(σi+1 , di+1 ) and if σ is finite with σn a leaf then dn ⊆ end(σ). Definition 27 (k-level fulfilling partial hue thread). Say partial hue thread θ is k-level fulfilling iff for all αl of the form αU β such that l ≤ k, for all i, if θi = (σi , di ) and αU β ∈ di then there is j ≥ i such that β ∈ dj , or σ is finite and αU β ∈ end(σ). Lemma 7. At each round of our checking algorithm the following situation holds. Say Sk = (T, γ, δ). Each partial hue d in a node starts some k-level fulfilling hue thread through some fullpath σ. Proof. Every partial hue has some successor but if αU β is put in a partial hue along the thread then there is a finite path before the eventuality β is witnessed. We can build a fulfilling thread by fairly scheduling which eventuality to deal with next if there are several. Now our main results about the LG algorithm. Lemma 8. Say that (T, s, z) is a COPT and that at the start of the k + 1-th round we have Sk = (T, γ, δ). Then: Each fullpath σ through (T, s, z)∗ has a k-level fulfilling partial hue thread θ along it such that each θi = {α ∈ Ak |M, σ≥i |= α}. Proof. By induction on k. Case of k = −1. Each thread is essentially the same as a fullpath because the partial hues are all the initial empty ones.
19
Now the inductive case. Suppose true for k. Consider building Sk+1 = (T, γ 0 , δ 0 ). There are cases depending on the form of αk . Case of αk = p. We don’t make any more partial hue threads. We don’t change whether they are fulfilling. We just add one of p or ¬p to both of each θi and each {α ∈ Ak |M, σ≥i |= α}. Case of αk = ¬α. Similar to atom case. Case of αk = α ∧ β. Similar to atom case. Case of αk = Xα. Consider fullpath σ. After the kth round it had a k-level fulfilling partial hue thread θ such that each θi = {α ∈ Ak |M, σ≥i |= α}. Now each θi will be updated by our algorithm depending on whether α appears in any, some or none of its δ-successor partial hues. First suppose M, σ≥i |= Xα. Thus either M, σ≥i+1 |= α or σi is a leaf and Xα ∈ end(σ). If M, σ≥i+1 |= α, then α ∈ θi+1 and (σi , θi )δ(σi+1 , θi+1 ). Thus LG will make a new partial hue θi+ = θi ∪ {Xα} and put it in γ 0 (σi ). Call this θi0 and note that 0 LG will also put (σi , θi0 )δ 0 (σi+1 , θi+1 ) whatever the latter is exactly. If σi is a leaf and Xα ∈ end(σ) then LG will also make θi0 = θi+ == θi ∪{Xα} and put it in γ 0 (σi ). Next suppose M, σ≥i |= ¬Xα. Thus either M, σ≥i+1 |= ¬α or σi is a leaf and ¬Xα ∈ end(σ). Again we have two sub-cases and these are similar but give us θi0 = θi− . We thus have our new thread θ0 for the Sk+1 with each θi0 = {α ∈ Ak+1 |M, σ≥i |= α}. We can check that it is a thread and we can also check that it is a k + 1-level fulfilling hue thread by noting that we have not introduced any new eventualities that were not dealt with in θ. Case of αk = αU β. Consider fullpath σ. After the kth round it had a k-level fulfilling partial hue thread θ such that each θi = {α ∈ Ak |M, σ≥i |= α}. For each i < ω there are several cases. Suppose M, σ≥i |= αU β. Thus there is j ≥ i such that M, σ≥j |= β and for each m, if i ≤ m < j then M, σ≥m |= α or there is some j ≥ i such that σj is a leaf and αU β ∈ end(σ) and for each m, if i ≤ m < j then M, σ≥m |= α. Suppose first that σj is not a leaf. Thus along θ we find (σi , θi )δ...δ(σj , θj ) with β ∈ θj and for all m, if i ≤ m < j then α ∈ θi . Our algorithm will thus + in round k, make positive versions extending each θm (i ≤ m ≤ j) to θm = + 0 + 0 0 θm ∪ {αU β} with each θm put in γ (σm ). We will also put (σi , θi )δ ...δ (σj , θj+ ). + Also (σj , θj+ ) will be given as δ 0 successors all (one or two) of (σj+1 , θj+1 ) or − + 0 0 (σj+1 , θj+1 ) whichever of them are put in γ (σj+1 ). We also define θi = θi . Suppose next that σj is a leaf. Thus along θ we find (σi , θi )δ...δ(σj , θj ) with αU β ∈ end(σ) and for all m, if i ≤ m < j then α ∈ θi . Our algorithm will + thus in round k, make positive versions extending each θm (i ≤ m ≤ j) to θm = + 0 + 0 0 θm ∪ {αU β} with each θm put in γ (σm ). We will also put (σi , θi )δ ...δ (σj , θj+ ). We also define θi0 = θi+ .
20
The other case is that M, σ≥i |= ¬(αU β). Possibly there is j ≥ i such that σj is not a leaf and M, σ≥j |= ¬α and for all m, if i ≤ m ≤ j, then M, σ≥m |= ¬β. Or possibly there is j ≥ i such that σj is a leaf and αU β is not in end(σ) and for all m, if i ≤ m < j, then M, σ≥m |= ¬β. Finally, it is possible that for all j ≥ i, σj is not a leaf and M, σ≥j |= ¬β. Consider the first sub-case of the three. There is j ≥ i such that σj is not a leaf and M, σ≥j |= ¬α and for all m, if i ≤ m ≤ j, then M, σ≥m |= ¬β. Thus (σi , θi )δ...δ(σj , θj ) and ¬α ∈ θj and and for all m, if i ≤ m ≤ j, then ¬β ∈ θm . Our algorithm will thus in round k, make negative versions extending − − each θm (i ≤ m ≤ j) to θm = θm ∪ {¬(αU β)} with each θm put in γ 0 (σm ). We − 0 − − 0 will also put (σi , θi )δ ...δ (σj , θj ). Also (σj , θj ) will be given as δ 0 successors + − all (one or two) of (σj+1 , θj+1 ) or (σj+1 , θj+1 ) whichever of them are put in − 0 0 γ (σj+1 ). We also define θi = θi . Second sub-case. There is j ≥ i such that σj is a leaf and αU β is not in end(σ) and for all m, if i ≤ m < j, then M, σ≥m |= ¬β. Thus (σi , θi )δ...δ(σj , θj ) and for all m, if i ≤ m ≤ j, then ¬β ∈ θm . Our algorithm will thus in round k, − = θm ∪ {¬(αU β)} make negative versions extending each θm (i ≤ m ≤ j) to θm − 0 0 − with each θm put in γ (σm ). We will also put (σi , θi )δ ...δ 0 (σj , θj− ). We also define θi0 = θi− . Third sub-case: for all j ≥ i, σj is not a leaf and M, σ≥j |= ¬β. Thus (σi , θi )δ(σi+1 , θi+1 )δ... and for all m, if i ≤ m, then ¬β ∈ θm . Eventually, there will be a repeat in this infinite sequence of pairs from the finite set of all nodepartial hue pairs. Say (σl , θl ) = (σj , θj ) for some l, j with i ≤ l < j. Our algorithm will thus in round k, make negative versions extending each θm (i ≤ − − put in γ 0 (σm ). We will also put = θm ∪ {¬(αU β)} with each θm m ≤ j) to θm (σi , θi− )δ 0 ...δ 0 (σj , θj− ). We also define θi0 = θi− . We thus have our new thread θ0 at the end of the (k + 1)th round with each 0 θi = {α ∈ Ak+1 |M, σ≥i |= α}. We can check that it is a thread and we can also check that it is a k + 1-level fulfilling hue thread by noting that we have broken it up into intervals where θi+ is used and others where θi− is used and made sure that the new eventuality β is witnessed at the end of a positive interval and that δ 0 is joined to either successors at the end of intervals. Case of αk = Aα. Consider fullpath σ. After the last round it had a k-level fulfilling partial hue thread θ such that each θi = {α ∈ Ak |M, σ≥i |= α}. For each i < ω there are two cases. Suppose M, σ≥i |= Aα. Thus for all fullpaths σ 0 such that σi = σ00 we have M, σ 0 |= α. By the inductive hypothesis if λ is a hue thread starting at σi , say λ0 = (σi , d) then α ∈ d. Our algorithm ensures that every partial hue starts a thread so α is in all partial hues in γ(σi ). So our algorithm will make a positive version extending θi to θi+ = θi ∪ {Aα}. Suppose M, σ≥i |= ¬(Aα). Thus there is some fullpath σ 0 such that σi = σ00 and we have M, σ 0 |= ¬α. Let π be a k-level fulfilling partial hue thread along 0 σ 0 such that each πi = {α ∈ Ak |M, σ≥i |= α}. This exists by the inductive hypothesis. Thus ¬α ∈ π0 and LG puts θi− = θi ∪ {¬Aα} into γ 0 (σi ). Let θi0 = θi− .
21 0 In each case we also put θi0 δ 0 θi+1 . Of course,every partial hue starts a thread so α is in all partial hues in γ(σi ). So our algorithm will make a positive version extending θi to θi+ = θi ∪ {Aα}. Let θ0 be the new thread. It is fulfilling as θ was and we have not changed which eventualities appear.
Lemma 9. Say that (T, s, z) is a COPT and that at the start of the (k + 1)-th round we have Sk = (T, γ, δ). Then: Each k-level fulfilling partial hue thread θ through Sk lies in a fullpath σ such that each θi = {α ∈ Ak |M, σ≥i |= α}. Proof. By induction on k. Case of k = −1. Each thread is essentially the same as a fullpath because the partial hues are all the initial empty ones. Now the inductive case. Suppose true for k. Consider building Sk+1 = (T, γ 0 , δ 0 ). Suppose that θ is a (k + 1)-level fulfilling partial hue thread through Sk+1 . Let σ be the fullpath which it travels along. We will show by induction that θi = {α ∈ Ak+1 |M, σ≥i |= α}. Let π be the thread of partial hues at the end of the kth round which were each extended to the partial hues in θ respectively. Clearly, π was a thread and it was k-level fulfilling. Thus, each πi = {α ∈ Ak |M, σ≥i |= α}. In round k + 1 we have added either αk or ¬αk to each πi to get θi . We must show that αk gets added iff M, σ≥i |= αk . We proceed by cases on the form of αk . Case of αk = p. Whether we add p or ¬p depends on whether p is in some hue in z(t) which is also the truth condition for M, σ≥i |= p. Case of αk = ¬α. Immediate. Case of αk = α ∧ β. Immediate. Case of αk = Xα. Consider a k + 1-level fulfilling partial hue thread θ through Sk+1 . It grew from a k-level fulfilling partial hue thread through Sk which lies in a fullpath σ such that each θi = {α ∈ Ak |M, σ≥i |= α}. Case of αk = αU β. Each k-level fulfilling partial hue thread θ through Sk lies in a fullpath σ such that each θi = {α ∈ Ak |M, σ≥i |= α}. Show, if αU β ∈ θi then M, σ≥i |= αU β. By checking our algorithm we see that we have only put αU β in a partial hue d at node t and then related that via δ to (t0 , d0 ) if β ∈ d or α ∈ d and αU β ∈ d0 . Thus, by tracing along the thread we may find j ≥ i such that β ∈ θj and for all m, if i ≤ m < j then α ∈ θm . Otherwise, for all j ≥ i, β ∈ θj . But this latter would not allow θ be a fulfilling thread through σ. Thus by the inductive hypothesis, M, σ≥j |= β and for all m, if i ≤ m < j then M, σ≥j |= α. So M, σ≥i |= αU β as required. Now show if ¬(αU β) ∈ θi then M, σ≥i |= ¬(αU β).
22
Case of αk = Aα. We must show that Aα gets added to πi to make θi iff M, σ≥i |= Aα. If Aα gets added by LG then it is because for all partial hues d in σi we have α ∈ d. But (by the last lemma) every fullpath σ 0 with σ00 = σi has a k-level 0 fulfilling partial hue thread ρ along it such that each ρi = {α ∈ Ak |M, σ≥i |= α}. 0 0 Thus ρ0 is a partial hue in σi = σ0 . Thus α ∈ ρ0 . Thus M, σ≥0 |= α. Hence, M, σ≥i |= Aα as required. If however, M, σ≥i |= Aα then for every partial hue d ∈ σi we can find a k-fulfilling partial hue thread starting with d and so conclude that there is a 0 fullpath σ 0 with σi = σ00 and M, σ≥0 |= α. Thus α ∈ d. So our LG algorithm will add Aα to πi to make θi . Now we can concentrate on the result at the end of the final round and see that we have determined the hypothetical model using LG. Lemma 10. Say that (T, s, z) is a COPT and that at the end of the N -th round we have SN = (T, γ, δ). Then SN has determined exactly the colours of node in the hypothetical model (T, s, z)∗. In particular: 1) Each fullpath σ through M has a fulfilling partial hue thread θ along it such that each θi = {α ∈ cl(φ)|M, σ≥i |= α}. And: 2) Each fulfilling partial hue thread θ through M lies in a fullpath σ such that each θi = {α ∈ cl(φ)|M, σ≥i |= α}. Proof. This follows from the previous lemma noting that AN = cl(φ). Definition 28. The hue of a fullpath σ through (T, s, z)∗ is {α ∈ cl(φ)|(T, s, z)∗, σ |= α}. The hypothetical colour of a node t in (T, s, z) is the colour (∈ Cφ ) being the set of hues of fullpaths through (T, s, z)∗ which start at t. Definition 29 (LG). COPT (T, s, z) has its labels grounded (i.e. it satisfies property LG) iff the hypothetical colour of each node t matches its label colour z(t). Lemma 11. If SN matches z then (T, s, z) satisfies LG. Proof. Straightfoward using the previous lemma. Note that we can show that running LG is not needed each time we extend the tableau by replacing a leaf node by giving it leaf successors: it is only when we add up-links that we need check. Nevertheless, for this basic exposition of the tableau we can assume LG is run after each extension and we backtrack and have to try another way of extending the tableau.
23
4.3
Complexity of LG
Finally, we should comment briefly on the complexity of this algorithm which needs to be used during tableau construction every time the colour of a new node matches a colour of one of its ancestors, and so an up-link seems possible. The actual complexity depends on the data structures used to store nodes and their hues. However, we can assume that the tableau stores a list of node-hue pairs being the hues in the label at each node. The algorithm does one round of updating partial hues at each node, for each subformula of φ. So that is |φ| rounds. Each round is a simple check at each node-hue pair although finding loops introduces a polynomial factor.
5
The Tableau
So now we put three extra conditions on a finite COPT to make it a tableau. Definition 30 (tableau). A φ-tableau is a finite COPT (T, s, z) such that: LG) labels are grounded; NTP) the nominated thread property holds; BB) no node has more than M (|φ|) ancestors. A successful tableau is simply one without leaves: Definition 31 (successful tableau). (T, s, z) is successful iff for all t ∈ T , |st | > 0. A tableau algorithm or decision procedure here is any systematic way of finding from all tableaux for φ whether there is a successful one or not. There are clearly only finitely many tableaux for any particular φ so we don’t need to be more prescriptive here about any particular algorithm. Thus we do not really need the following definition but we do make use of it in describing our implementation later: Definition 32 (One node extension). We say that partial φ-tableau (T 0 , s0 , z 0 ) is a one node extension of partial φ-tableau (T, s, z) iff the following all hold. There is some t0 ∈ T ⊆ T 0 . For all t ∈ T \ {t0 }, st and s0t agree. For all t ∈ T \ {t0 }, z(t) = z 0 (t) and zt and zt0 agree. t0 is a leaf node in (T, s, z). |s0t | = n > 0. T 0 = T ∪ {st (0), st (1), ..., st (n − 1)} (possibly not disjoint). In this definition of tableau we have guaranteed termination of any tableau construction algorithm by putting a simple but excessive bound on the length of branches. This allows us to conclude failure in a finite time and to also abbreviate the search for successful tableaux.
6
Soundness
Our work on the LG algorithm above actually takes us very close to the soundess result for the tableau. We can show that when there are no leaves then at the N th stage of LG we have determined the standard colours of nodes in the corresponding standard model.
24
Lemma 12. Say that (T, s, z) is a COPT with no leaves and that at the end of the N -th round we have SN = (T, γ, δ). Define a structure M = (T, R, g) from (T, s, z) in the standard way. Then: 1) Each fullpath σ through M has a fulfilling hue thread θ along it such that each θi = {α ∈ cl(φ)|M, σ≥i |= α}. 2) Each fulfilling hue thread θ through M lies in a fullpath σ such that each θi = {α ∈ cl(φ)|M, σ≥i |= α}. Proof. This follows from the lemma 10 as we know from lemma 6 that the special CTL* semantics on (T, s, z)∗ without leaves just gives the standard CTL* semantics on (T, R, g). Also recall AN = cl(φ). We can also show that when SN matches z and there are no leaves then each fullpath has its actual hues as a thread of hues in the labels and each hue in a label has a fullpath. Lemma 13. Say that (T, s, z) is a COPT with no leaves and that at the end of the N -th round we have SN = (T, γ, δ). Suppose that SN matches z. Define a structure M = (T, R, g) from (T, s, z) in the standard way. Then the actual colour of each node in M is equal to its label colour z(t). Proof. This follows from the previous lemma. This shows soundness. Lemma 14. If φ has a successful tableau then it is satisfiable. Also note that ensuring that NTP holds is not really necessary for a our tableaux to be sound. A COPT with LG will be a model. However, as we will see later we will use the “discipline” of the NTP to make sure that we can be guaranteed of building within our bounds on branch length.
7
Fullpath Fulfillment gives us Loop Groundedness
In this section we prove the following. Lemma 15. If (T, s, z) is a COPT with no leaves satisfying fullpath fulfillment (FF) and the NPTI then it also satisfies LG. This may seem to give us an easier way to determine whether LG holds. It certainly is easier to explain and state the FF property. However, further investigation has not led the author to any simpler way of checking FF than using the LG algorithm presented above. There seems no need to use the FF directly in the tableau decision procedure.
25
So why are we presenting this lemma and its rather intricate proof? Again we need this for the completeness proof. Suppose that (T, s, z) is a leafless COPT for φ. We have seen that we can view the COPT as a transition structure S = (T, R, g) as follows. The successor relation R puts tRt0 iff there is i < st such that t0 = st (i). (T, R) is then a transition frame because the tableau has no leaves. Finally, for each atom p put p ∈ g(t) iff p is in some hue in z(t). Note that fullpaths through (T, s, z) are the same things as fullpaths through (T, R, g). Furthermore, by the fullpath fulfillment property, every fullpath σ through (T, R), has a fulfilling thread η. We can relate fulfilling threads of related fullpaths as eventualties stay unfulfilled until they are witnessed. Lemma 16. If σ is a fullpath through (T, s, z) and η is a fulfilling thread for σ then η≥i is a fulfilling thread for σ≥i . Proof. Straightforward. Also, for each t ∈ T , for each hue h = zt (i) in label z(t) define the standard fullpath for h from t, in (T, R) as ρ which starts at ρ0 = t, moves to ρ1 = st (i) and then always takes ρj+1 = sρj (0). Lemma 17. If the standard path for zt (i) from t is σ then the standard path for zst (i) (0) from st (i) is σ≥1 . Furthermore, for all j > 1, the standard path for zσj (0) from σj is σ≥j . Proof. Straightforward. Lemma 18. If σ is the standard path for h ∈ z(σ0 ) then every eventuality in h is eventually witnessed in one of the hues hh, zσ1 (0), zσ2 (0), ...i along the path. Proof. Follows directly from the NTPI. Lemma 19. For each α ∈ clφ. S1. For every fullpath σ in (T, R), the first element of any fulfilling hue thread for σ agrees with the actual hue of σ on α. S2. For every t ∈ T , for every hue h in z(t), h agrees with the actual hue of the standard path for h on α. Proof. By induction on construction of α. Case of p. S1: Say that the fullpath σ in (T, R) has a hue thread η. ⇒: Say that p ∈ η0 . Thus p appears in one of the hues of z(σ0 ). So p ∈ g(σ0 ) and (T, R, g), σ |= p as required. ⇐: Say that (T, R, g), σ |= p. So p ∈ g(σ0 ) and p must be in some hue in z(σ0 ) which is a colour. Thus p is in all hues in z(σ0 ). Thus p ∈ η0 as required. S2: Suppose t ∈ T and hue h in z(t). Let σ be the standard path for h from t.
26
⇒: Suppose p ∈ h. So p ∈ g(σ0 ) and (T, R, g), σ |= p as required. ⇐: Suppose (T, R, g), σ |= p. So p ∈ g(σ0 ) and p must be in some hue in z(σ0 ) which is a colour. Thus p is in all hues in z(σ0 ) including p ∈ h as required. Case of ¬α. follows by definition. Case of α ∧ β is straightforward. Case of Xα. S1: Say that the fullpath σ in (T, R) has a fulfilling hue thread η. ⇒: Say that Xα ∈ η0 . As η0 rX η1 , α ∈ η1 . By the lemma, η1 is the initial hue of a hue thread η≥1 for σ≥1 . By the IH, (T, R, g), σ≥1 |= α and (T, R, g), σ |= Xα as required. ⇐: Say that (T, R, g), σ |= Xα. Thus (T, R, g), σ≥1 |= α and by the IH α is in the initial hue of the hue thread η≥1 of σ≥1 . But η0 rX η1 , so Xα ∈ η0 as required. S2: Suppose t ∈ T and hue h in z(t). Let σ be the standard path for h from t. ⇒: Suppose Xα ∈ h. Also suppose that h = z( i) so that σ0 = t and σ1 = st (i). From the tableau construction we have zt (i)rX zst (i) (0). Let h0 = zt (i) so that hrX h0 and α ∈ h0 . By the lemma 17 above, σ≥1 is the standard path for h0 from st (i). By IH, (T, R, g), σ≥1 |= α and so (T, R, g), σ |= Xα as required. ⇐: Suppose (T, R, g), σ |= Xα. Thus (T, R, g), σ≥1 |= α and by the IH, α ∈ zst (i) (0). So Xα ∈ h as required. Case of αU β. S1: Say that the fullpath σ in (T, R) has a fulfilling hue thread η. ⇒: Say that αU β ∈ η0 . As η0 rX η1 , either β ∈ η0 or both α ∈ η1 and αU β ∈ η1 . Continuing inductively, as all eventualities in hue threads are eventually witnessed, we have some i ≥ 0 such that β ∈ ηi and for all j < i, α ∈ ηj . By lemma 16 above, for each i, η≥i is a hue thread for σ≥i . By IH, (T, R, g), σ≥i |= β and for all j < i, (T, R, g), σ≥j |= α. Thus (T, R, g), σ |= αU β as required. ⇐: Say that (T, R, g), σ |= αU β. Thus there is i ≥ 0 such that (T, R, g), σ≥i |= β and for all j < i, (T, R, g), σ≥j |= αU . By lemma 16 above, for each i, η≥i is a fulfilling hue thread for σ≥i . By IH, β ∈ ηi and for all j < i, α ∈ ηj . Inductively down from k = i to k = 0, we can use part R4 of the definition of rX to show that αU β ∈ ηk . Thus αU β ∈ η0 as required. S2: Suppose t ∈ T and hue h in z(t). Let σ be the standard path for h from t. ⇒: Suppose αU β ∈ h. By lemma 18 above all the eventualities in h are eventually witnessed in one of the hues hh, zσ1 (0), ...i along σ. Say β ∈ zσi (0) and for all j < i, α ∈ zσj (0) (with a special case omitted for i = 0). By lemma 17 above
27
σ≥j is the standard path for zσj (0) at σj . By IH, (T, R, g), σ≥j |= β and for all j < i, (T, R, g), σ≥i |= α. So (T, R, g), σ |= αU β as required. ⇐: Suppose (T, R, g), σ |= αU β. Thus there is i ≥ 0 such that (T, R, g), σ≥j |= β and for all j < i, (T, R, g), σ≥i |= α. By lemma 17 above σ≥j is the standard path for zσj (0) at σj . By IH, β ∈ zσi (0) and for all j < i, α ∈ zσj (0). But hrX zσ1 (0)rX zσ2 (0)rX .... So by a simple induction using property R4 of the definition of rX , αU β ∈ h as required. Case of Aα. S1: Say that the fullpath σ in (T, R) has a fulfilling hue thread η. ⇒: Say that Aα ∈ η0 . Thus Aα appears in one of the hues of z(σ0 ). So α appears in all of the hues of z(σ0 ). Now suppose that ρ is a fullpath of (T, R) starting at σ0 . Let ζ be the hue thread for ρ so ζ0 ∈ z(ρ0 ) = z(σ0 ). So α ∈ ζ0 . By IH, (T, R, g), ρ |= α. So (T, R, g), σ |= Aα as required. ⇐: Say that (T, R, g), σ |= Aα. Now take any hue h ∈ z(σ0 ). Let ρ be the standard path for h from σ0 so ρ0 = σ0 . So (T, R, g), ρ |= α. By IH, α ∈ h. Thus all hues in z(σ0 ) contain α. As z(σ0 ) is a colour, we must have Aα in all of its hues. Thus Aα ∈ η0 as required. S2: Suppose t ∈ T and hue h in z(t). Let σ be the standard path for h from t. ⇒: Suppose Aα ∈ h ∈ z(σ0 ). Let ρ be any fullpath starting at t = σ0 . Let ζ be a fulfilling hue thread for ρ. So ζ0 ∈ z(ρ0 ) = z(σ0 ) which is a colour. Thus α ∈ ζ0 . By IH, (T, R, g), ρ |= α. So (T, R, g), σ |= Aα as required. ⇐: Suppose (T, R, g), σ |= Aα. Let h0 be any hue in z(σ0 ). Let ρ be the standard path for h0 from σ0 so ρ0 = σ0 . Thus (T, R, g), ρ |= α. By IH, α ∈ h0 . So Aα ∈ h as required. Now we can prove the following. Lemma 20. For each t ∈ T the actual colour of t in (T, R, g) is the same as z(t). Proof. In fact we have shown, for each t ∈ T : 1. For every fullpath σ in (T, R) starting at t the actual hue h of σ in (T, R, g) is in z(t). 2. For every hue h in z(t) there is a fullpath σ through (T, R) starting at t such that the actual hue of σ in (T, R, g) is h.
8
Completeness
In this section we show that if a model exists for φ then a successful tableau exists for φ.
28
Say (S, R, g), σ 0 |= φ where (S, R, g) is any labelled transition structure and σ is any fullpath through (S, R). Without loss of generality we may assume that S has at most N (|φ|) elements. 0
8.1
Unravel and Tidy
We first show that there is a structure (T, s, z) which is almost a tableau for φ but does not necessarily obey the bound on the length of branches BB: in fact, it will be a tree with infinitely many nodes. There will be no up-links but we still need to check that some conditions like label groundedness and nominated threading hold on infinite paths. We simply work by induction to unwind (S, R, g) one node at a time, but only introducing as many successors as there are hues in the actual colour at each node. There are some extra properties to obtain which allow us to keep track of the relationship between nodes in (S, R, g) and the unwinding. Definition 33 (unwound COPT model). An unwound COPT model of φ is a tuple (T, s, z) along with a collection w of maps such that: UW1) (T, s, z) is a COPT for φ; UW2) (there are no up-links), i.e. st (i) is not an ancestor of t; UW3) there are no leaves; FF) fullpaths are fulfilled; NPTI) each always leftmost fullpath has the always zero thread as a fulfilling hue thread; W1) for each t ∈ T , w(t) ∈ S; W2) for each t ∈ T , for each i < |st |, w(t, i) is a fullpath through (S, R, g) starting at w(t); W3) w(rootT ) = σ00 and w(rootT , 0) = σ 0 ; W4) for all t ∈ T , z(t) is the actual colour of w(t) in (S, R, g); W5) for all t ∈ T , for all i < |st |, zt (i) is the actual hue of w(t, i) through (S, R, g); W6) for each t, t0 ∈ T , if t0 is a successor of t then (w(t), w(t0 )) ∈ R; W7) if t0 = st (0) then w(t0 , 0) = w(t, 0)≥1 ; We construct an unwound COPT model step-by-step processing one leaf node at a time. We make a sequence W0 , W1 , ... of finite partial COPTs with corresponding maps w0 , w1 , .. and then take a limit. Each Wi with wi will satisfy the above properties except for UW3. Start with W0 = (T, s, z) with w0 = w as follows. T contains one element root. s is the empty map. z(root) is just the actual colour of σ00 ∈ S and the enumeration zroot can be any enumeration of the hues in that colour as long as zroot (0) is the actual hue of σ 0 . w(root) = s0 . It is easy to see that the properties all hold. Now assume we have a finite Wi = (T, s, z) with w = wi satisfying the properties and we want to extend it to Wi+1 = (T 0 , s0 , z 0 ) with wi+1 = w0 by just adding some nodes after a leaf node. Choose any leaf node, say t in T . Say that the colour of w(t) is z(t) and that z(t) has n hues. We will give t, n successors. For each i < n, choose a new element ei to add as a successor of t in Wi+1 .
29
Let (T 0 , s0 , z 0 ) and w0 be as follows. T 0 = T ∪ {e0 , ..., en−1 }. For each i < n, = ei and w0 (ei ) is the second element w(t, i)1 of the fullpath w(t, i). Each ei will have no successors in Wi+1 . z 0 (ei ) will be the actual colour in (S, R, g) of w0 (ei ). Note that W4 thus holds. ze0 i will enumerate the hues in z 0 (ei ) in any way as long as the first hue ze0 i (0) is the actual hue in (S, R, g) of the first proper suffix w(t, i)≥1 of w(t, i). Finally, for each i < n put w0 (ei , 0) equal to the first suffix w(t, i)≥1 of the fullpath w(t, i) and for each 0 < j < |z 0 (ei )|, choose any fullpath w0 (ei , j) starting at w0 (ei ) and having actual hue ze0 i (j). The properties are all straightforward to check, especially as an thread through a finite fullpath is fulfilling. The limit T = (T, s, z) along with w is defined in the obvious way. T is the union of all the Wi ’s domains. st is defined as in any Wi which contains t when it is not a leaf node. w(t), w(t, i), z(t) and zt are defined as in any Wi which contains t. It is straightforward to show that the limit at ω satisfies the required properties except perhaps FF and NPTI. To show FF, fullpath fulfillment, suppose σ is a fullpath through (T, s). Let ρ be the corresponding sequence of nodes in S via the w map, that is let ρi = w(σi ) for each i < ω. By W6, for each i, (ρi , ρi+1 ) ∈ R and thus ρ is a fullpath through (S, R). For each i, let ηi be the actual hue of ρ≥i through (S, R, g). Clearly, as z(σi ) is the actual colour of ρi in (S, R, g) then it contains the hue ηi . Furthermore, it is easy to check that ηi rX ηi+1 . Finally suppose that αU β ∈ ηi . Thus, (S, R, g), ρi |= αU β and there is j > i such that (S, R, g), ρj |= β and for all i ≤ k < j, (S, R, g), ρk |= α. Thus, β ∈ ηj and for all i ≤ k < j, α ∈ ηk . This proves that eventualities are fulfilled in the sequence η and we have proved fullpath fulfillment. To show NPTI, suppose t0 , t1 , ..., is an ω-sequence with each tj+1 = stj (0). Then we must show that a sequence of hues through the nodes which match the path goes through the first hues, i.e. each eventuality in any zti (0) appears in one of the (not necessarily strictly) later ztj (0). But we have ensured via W7 that for all i, w(ti+1 , 0) is the first proper suffix of w(ti , 0). So let σ = w(t0 , 0) thus w(tn , 0) = σ≥n and ztn (0) is the actual hue of σ≥n in (S, R, g). Clearly eventualities are eventually witnessed in such sequences of actual hues. It is straightforward to show that the unwound ordered hue model is actually a model of φ: s0t (i)
Lemma 21. Every satisfiable CTL* formula φ has tree-shaped model in which each node has at most 2|φ| successors. Proof. Define a successor relation R on T using s in the obvious way. Define a labelling of nodes by atoms by simply restricting hues in z in the usual way. This gives us structure (T, R, g). A truth lemma, equating colours of labels to actual colours at nodes is easy to show, using FF and NPTI. The width, or maximum outdegree of nodes, of the model, i.e. the bound on the number of successors follows from the fact that there are at most 2|φ| hues altogether and so at most that many in any colour.
30
8.2
Loops on always leftmost paths
In the next few stages of the construction, we change (T, s, z) with w so that nodes, x with descendant y say, on the same branch which agree under w (i.e. w(x) = w(y)) are counted as “repeated” nodes and we replace the subtree rooted at the lower node y by a new up-link from y’s parent back up to the original node x. Due to the nominated threading property, however, we are required to pay special attention to the paths which always take the leftmost branch from some node onwards: the always leftmost branches. These are responsible for ensuring that each hue has at least one fullpath which witnesses all of its eventualities. Thus, the next step of our construction is to introduce looping on these special branches taking into account the need to have sufficient witnesses. We say that a node y of (T, s, z) with w can be looped back up at this stage iff y has some ancestor x ∈ T such that w(y) = w(x), zx (0) = zy (0), there is a sequence hx = t0 , t1 , ..., tn = yi with each ti+1 = sti (0), and every eventuality in zx (0) appears in some zti (0). Then we change the tree one such loop at a time into a COPT with a mixture of some up-links and some infinite branches. At each step we will have a COPT (T, s, z) with w satisfying UW1, UW3, FF, NPTI and W1-W7. It is clear that our unwound model is such a structure. Now suppose that we have proceeded to make some up-links and still have such a structure. Find a node y which can be looped back up to an ancestor x such that there is no strict ancestor of y with the same property. That is, we are working from the root downwards when we choose a new loop to make and can thus complete our task of turning all leftmost fullpaths into loops in a countable number of steps. If there are no such nodes then we are done: all always leftmost branches must have been replaced by finite loops. In that case move on to the next stage. Note that there will in general be countably many such branches and we will replace them by countably many loops. So suppose that we have a node y which can be looped back up to ancestor x along an always leftmost branch. Simply, change the structure so that y’s parent (y − say) has x as its leftmost successor instead of y. Take y and the whole sub-tree rooted at y and discard it. The new COPT (T 0 , s0 , z 0 ) clearly satisfies most of our properties. Unfortunately, we have to make further changes to make the new map w0 work and in particular satisfy W7. Note however that we have ensured that W6 continues to hold. To define w0 we simply restrict w to the new smaller T 0 except for changes to w0 (t, 0) for all t such that the always leftmost fullpath from t contained y. Instead, now we have redefine w0 (t, 0) for these nodes so that it is a fullpath being the w image of the new loop ht, st (0), ..., y − , x, ..., y − , x, ..., y − , x, ...i. Because all the eventualities of zt (0) are witnessed along the always zero thread along here
31
the actual hue of w0 (t, 0) is the same at the actual hue of w(t, 0) so we can safely make this change. Now W7 continues to hold. To show that FF still holds we use the same argument as we did above for the unwound model using W6. NPTI holds by construction. 8.3
Cut out useless intervals on always leftmost paths
At this stage some of our finite loops may be too long to fit into the required bound on branch length. To solve this problem we now identify pairs of nodes along these paths which define an interval which can be cut out from the tableau. Basically, the bound is long enough that we can see all witnesses and be guaranteed of passing through nodes with the same w image again. We make cuts between such matching nodes when the interval in between does not add a new witness. Consider a maximal always leftmost branch ht0 , t1 , ..., tn i. Thus, t0 is the root, or t0 = st (k) for some t ∈ T and some k > 0, each ti+1 = sti (0), and there is some j ≤ n such that tj = stn (0). We may be able to make two sorts of cuts: one sort in the (possibly empty) initial ht0 , ..., tj−1 i part of the branch and one sort in the looping htj , ..., tn i part of the branch. There may be multiple cuts to make in one or both parts: we discuss how to make one such cut and then describe how to organise multiple cuts. Suppose 0 < p < q < j but w(tp ) = w(tq ) and ztp (0) = ztq (0). Then we cut out each tp , tp+2 , ..., tq−1 and the sub-tree rooted at each of these. However, we retain the sub-tree rooted at tq and join it just below tp−1 so that tq is now a successor of tp−1 in place of tp . The process for a cut in the looping part is similar but we do not cut if there is an eventuality in stj (0) whose last remaining witness would be cut out. It is straightforward to check that such cuts do not invalidate the listed properties if the structure. In particular, after adjusting w0 again we still have UW1, UW3, FF, NPTI and W1-W7. Each always leftmost branch, now a finite set of nodes, will only have a finite number of such pairs and cutting out the interval will make the branch shorter. Thus if we make such cuts successively on any particular branch then we will have to eventually stop with no more such pairs. 8.4
Loops on other repeated nodes
In this stage of the construction we deal with any other repeats (of w images) along any branches other than always leftmost ones. Any always leftmost paths (now all loops) will either be left untouched by this process or will be thrown away in their entirety. So we iteratively change (T, s, z) with w so that nodes on the same branch which agree under w are counted as repeated nodes and we replace the subtree rooted at the repeat by a new up-link back up to the first such node.
32
We do this one repeat at a time starting at the highest node y on each branch which has an ancestor x such that w(x) = w(y) and also z0 (x) = z0 (y). But if x, ..., y lies on an always leftmost branch then we do not make a cut here. Pick any one such pair x and y so that y is the highest repeat on any branch on which it lies. We will repeatedly remove nodes y of this form, and the whole subtree of their descendents. Each time this operation removes at least one such repeat and never introduces any new highest repeats. Thus we eventually terminate with a tree with no such repeats. This will be a finite model of φ. Thus we describe how to remove one such y. So suppose that we have such an x and y in our latest version of (T, s, z) with w. Now we define the next version (T 0 , s0 , z 0 ) with w0 as follows. From the set of nodes we just remove y and all its descendents to get T 0 . The successor maps are just the restriction of s to the smaller T 0 except that also the parent of y has x as a successor in that place instead of y. z is unchanged but restricted. w is updated to w0 be restriction and then replacement of w0 (t, i) where needed as we have done before. The properties can be checked in a straightforward way. The FF property holds thanks to W6 as before. By construction we have ensured that the always zero thread witnesses all eventualities along the each always leftmost branch. We have also ensured that when we cut out intervals of nodes from such branches, then this property continues to hold. And finally in this stage we have left always leftmost fullpaths untouched unless they are deleted in their entirety. 8.5
Show NTP and LG
From the FF property and lemma 15 we know that our final finite model satisfies LG and from lemma 4 we also have NPI. All that remains for a successful tableau is BB... 8.6
Show that the bound on branch length holds
Note that there are ≤ 2|φ| subformulas of φ so ≤ |φ| eventualities. We can thus show that any always leftmost branch (a path without an uplink) in the final finite tableau can not be longer that M (|φ|) = 2.|φ|.2|φ| .N (|φ|). Say σ is longer. Then there is an element a ∈ S which comes up > 2|φ|2|φ| times as w(σi ). So some hue of the actual colour of a (in (S, R, g)) comes up > 2|φ| times as the first hue in these σi ’s labels. So the interval between some repeat and the next does not add a witness of a new eventuality. It should have been cut. The argument for other branches is similar but simpler as we do not have to worry about repeats being kept: they are all cut. These branches are thus even shorter. It is straightforward to check that all other required properties of a successful φ-tableau hold of our final finite model.
33
The construction sketched above allows us to conclude: Lemma 22. If a CTL* formula is satisfiable then it has a successful tableau. Thus any algorithm which systematically searches through all possible φtableaux for a successful one will thus eventually find one for φ and report that φ is satisfiable as required.
9
A Taste of Future Work: Repetition Checking
We have seen that so far in this paper we have used a very generous and hence inefficient way of limiting the length of branches being constructed in tableaux. Being so generous slows down both negative and positive satisfiability reports. In order to make some sort of working implementation to demostrate the practicality of this tableau it is necessary to have a better way of preventing the construction of wastefully long branches. For want of better terminology we will call such a tool, a “repetition checker”. The task of making a quick and more generally usable repetition checker will be left to be advanced and presented at a later date. In fact, eventually we hope to provide a useful set of criteria for earlier termination of construction of branches depending on the properties of the sequence of colours so far. A simple example of the sort of criterion is the repeated appearance of the same sequence of colours and hues along a non-branching path without being able to construct any up-links. Other more sophisticated ideas are easily suggested but we want to develop a more systematic set of tests before presenting this in future work. For now we will present some preliminary work which can be used in order to allow some faster automated tableau construction. We now describe a situation, during tableau construction, which we will show can be used at an early stage to identify that wasteful branch construction has occurred. The idea is roughly that there is an interval of nodes along a branch which we can already tell could be cut out of any successful tableau which extends the one we have, while still leaving it as a successful tableau. In what follows, note that when we say two tableau nodes x and y have the same colour then we just mean that z(x) = z(y) as sets of hues. The ordering can be different, although often we will further specify that zx (0) = zy (0). Note also that in the interests of readability, terms like “between”, “above” and “below” for tableau nodes will be used in a non-strict sense. Thus node x is above itself and below itself and between x and x. If we need to override this we will use the terminology such as “strictly between”. First some definitions. Definition 34 (Up-link destinations). In the tableau (T, s, z) say that node x is the destination of an up-link from node y iff x is an ancestor of y and also a successor of y. Call y the source of the up-link.
34
Definition 35 (Cutting out an interval). In the tableau (T, s, z) suppose that we have a node y with parent x, both are ancestors of u which is the parent of v. Suppose also that v and y have the same colour and the same first hue. Finally suppose that no nodes between y and u inclusive are the destinations of up-links from below v. Then we say that the COPT (T 0 , s0 , z 0 ) is obtained by cutting out the interval between y and u inclusive iff the following holds: T 0 = T1 ∪ T2 where T1 is all of T except the descendants of y (so y 6∈ T1 ) and T2 is the set of descendants of v; s0 is just s restricted to T 0 except that v replaces y as a particular successor of x (i.e. for all i, if sx (i) = y then s0x (i) = v); z 0 is just the restriction of z to T 0 . Note that for (T 0 , s0 , z 0 ) to be a tableau we would still need to establish LG and the NTP. However, the COPT properties are clear. Note also that cutting out an interval does make the tableau strictly smaller. Even if y = u and u only has v as a successor then we still have removed one node. As we want the detected situation to be preserved however we subsequently extend a tableau, we need to define the situation without reference to leaves in the tableau. Instead we refer to a spanning front of nodes which may well be the set of leaves, or were the set of leaves at some earlier stage of a step-by-step tableau construction algorithm. Definition 36 (Spanning Front). In the tableau (T, s, z) say that F ⊆ T is a spanning front iff for every t ∈ T there is a unique f ∈ F such that f is an ancestor of t or f is a descendant of t. Say v is above F iff there is some f ∈ F which is a descendant of v. So now here comes the main definition. There are six parts. The third part is a slightly complicated aspects to the situation but the first is a simple repeat of a label and the second just says that we don’t have to worry about removing destinations of up-links. In the third part we must consider loops caused by up-links which may be built later as we keep building a successful tableau by extending (T, s, z) further. Some of these up-links may end up between y and u. Thus we have to know that we can move them elsewhere. The fourth part is to preserve the NTP. The final two parts are similar to earlier ones but deal with matching up v as a successor of x so we can cut out the useless interval. Definition 37 (Useless Interval). In the tableau (T, s, z) suppose that there are nodes x with successor y, both ancestors of u with a successor v in that order along a branch. Further suppose that there is a spanning front F such that v is above f ∈ F . Then, if the six part conditions below all hold, then we say that u and y mark a useless interval. Useless Interval, part one: a label repeated: Nodes y and v are labelled with the same colour, and have the same first hue. Useless Interval, part two: no up-links in: There are no up-links from below v but above F (inclusive) to a destination between y and u (inclusive).
35
Useless Interval, part three: future up-links don’t need the useless interval: For every w between y and u inclusive there is a set Fw of nodes, each below v but above F (inclusive) such that for every f ∈ F below v (inclusive) there is a node w0 ∈ Fw between f and v (inclusive) such that for all hues h ∈ z(f ), if h traces back straight to h0 ∈ w then z(w0 ) = z(w) and h also traces back to to h0 ∈ z(w0 ). Furthermore, every eventuality witnessed tracing back from h ∈ z(f ) to h0 ∈ z(w) is also witnessed tracing back from h ∈ z(f ) to h0 ∈ z(w0 ). Useless interval: NTP preservation: If f ∈ F is on an always leftmost branch from any w0 ∈ Fw then either all the eventualities in zw0 (0) are witnessed along the always zero thread by the time we get to f , OR f is on an always leftmost branch from w and all the eventualities seen any any zt (0) for t between w and w0 are witnessed between w0 and f . Useless interval: y and v match: if t is a node which is either in F or not below F and the source of an up-link to a destination above x then for all hues h ∈ z(t), if h traces back straight to h0 ∈ z(v) then h also traces back to to h0 ∈ z(y). Furthermore, every eventuality witnessed tracing back from h ∈ z(t) to h0 ∈ z(y) is also witnessed tracing back from h ∈ z(t) to h0 ∈ z(v). Useless interval: NTP preservation for v to y: Suppose t is a node which is either in F or (not below F and the source of an up-link to a destination above x). Suppose t is on an always leftmost branch from v then either all the eventualities in zv (0) are witnessed along the always zero thread by the time we get to t, OR t is on an always leftmost branch from x and all the eventualities seen any any zd (0) for d between y and v are witnessed between v and t. We claim that in the construction of tableaux to show satisfiability it is not necessary to construct any with useless intervals. To show that this check is correct we assume that we have a successful tableau with such a situation arising. We show that a non-empty set of nodes can be removed from the the tableau while still leaving us with a successful tableau. This process can not continue indefinely so there must be some successful tableau without this situation arising. We can thus narrow our search for successful tableaux by ruling out any which contain a useless interval. Straightforward step by step tableau construction algorithms can thus backtrack if a useless interval is detected. Lemma 23. If φ has a successful tableau with a useless interval then it has a successful one with the nodes in the useless interval removed (and possibly other nodes removed and possibly some transitions rearranged). Proof. So suppose that (T, s, z) is a successful tableau containing a useless interval from y to u as above. We show that the nodes in the interval and most of their descendants can be removed while still leaving us with a successful tableau. Stage One: Moving up-links down. First move each of the up-links with source below F and destination between y to u to the appropriate w0 ∈ Fw instead. We do this one link at a time.
36
We show that each individual move of a loop preserves success. Consider an up-link from z below f ∈ F below v below w in the useless interval, up to w. We know that there is w0 above f but below v which matches w in the way described. We make a new tableau (T 0 , s0 , z 0 ) from (T, s, z) by just changing that one transition: z to w0 instead of z to w. Now we show that (T 0 , s0 , z 0 ) is a successful tableau. The hard part is to show that FF and hence LG still holds after the move. Consider a fullpath σ through the new tableau (T 0 , s0 , z 0 ). We will break up σ into subsequences at each transition from z to w0 . If there is a final infinite such segment (so that transition from z to w0 occurs only finitely) then it is straightforward to traceback to find a suitable hue sequence. So suppose instead that their are infinitely many such segments. Consider one at a time. Say that the kth such segment of σ starts with the transition σe = z to σe+1 = w0 , and finishes with the transition σe+1+i = z to σe+1+i+1 = w0 again. There are no z to w0 transitions between σe+1 and σe+1+i . Corresponding to that segment we make a path ρk in the old structure which is slightly longer because it loops up to w first and then comes straight down to w0 before proceeding as σ does (in the kth segment) until we get to z again. Suppose that the nodes in order down the direct branch from w to w0 are: π = hw, ..., v, ..., w0 i where π0 = w and πn−1 = w0 . So for each j = 0, ..., n − 1, ρkj is πj . Then, for j = 0, ..., i, ρkn+j = σe+1+j . Thus ρkn+i = σe+1+i = z. Note that there is an initial segment ρ0 being exactly the same as the start of σ starting at the root and ending at z at the start of the first z − w0 transition. Next concatenate the ρk together in order to make a fullpath ρ through (T, s, z). Note that the segments fit together as they end at z and start at w. By our inductive hypothesis, (T, s, z) is a tableau satisfying the fullpath fulfillment property so there is a fulfilling hue thread η through ρ. Now, for the kth segment hσe+1 = w0 , ..., σe+1+i = zi of σ let us consider the segment of η threading through the kth segment ρk of ρ. Say that this latter is hρg = w, ..., ρg+n = w0 , ..., ρg+n+p = f, ..., ρg+n+i = zi. Thus ηg+n+i at z traces back along the latter part of the kth segment of ρ to ηg+n+p at f and back to ηg+n at w0 . And by then it has seen all the eventualities that it is going to see as far back as ηg at w anyway. By our condition on useless loops it must further traceback to the same hue at w along the direct path: that is, ηg = ηg+n . Finally they both must thus respectively traceback to the same hue along the identical transitions z − w and z − w0 . This allows us to conclude that we can make a hue thread consisting of the concatenation of parts of segments of η as follows. The kth segment is just hηg+n , ..., ηg+n+i i. Furthermore, we can conclude that this threads through σ and is fulfilling as required. Now check NTP still holds of (T 0 , s0 , z 0 ) after we have moved z − w to z − w0 . The non-trivial case is when we have a sequence ht0 = s0z (0) = w0 , t1 , ..., tk = zi
37
such that each ti+1 = sti (0). Thus we have to check that the always zero hue thread is fulfilling for the new infinite fullpath. Thus f is on an always leftmost path from w0 and we have two cases. In the first case, we see all the eventualities in zw0 (0) are witnessed along the thread by f and so before z. the other case is that f is on an always leftmost branch from w. Thus, w0 and z are also on that branch. As (T, s, z) is a tableau satisfying the NTP, we see all the eventualities in zw (0) along the always zero thread along that path by the time we get to z. Some are seen after w0 (and so also seen in (T 0 , s0 , z 0 )) but others might be seen between w and w0 . However, NTP preservation condition tells us we see all those eventualities on the always zero thread from w0 down to f anyway. So we are done. Stage Two: Cutting out the useless interval. The second main part of the proof is to check that the success of the tableau is not destroyed by cutting out the nodes between y and u inclusive and all their descendants apart from v and its. Again we need to check that we have preserved fullpath fulfillment. Consider a fullpath σ in the model (T 0 , s0 , z 0 ) after the cut. We will break σ at each transition from x to v and at each transition which goes from a node below v to a node which is not below v. Clearly these sort of breaks alternate. If there is a final infinite such segment (so that σ stays forever from some point onwards either always below v or always in the part of the tableau which is not below v) then it is straightforward to traceback to find a suitable hue sequence. The final segment is also a fullpath and so fulfilled in the tableau before the cut. So suppose instead that their are infinitely many such segments. Each of them is a path in the old fullpath-fulfilled tableau but they alternate as to which part of the old tableau they are contained in. We can make one ω-long fullpath ρ in the old tableau by putting a path hy, ..., ui in between each segment which ends at x and the next segment which starts at v. We can thus find a fulfilling hue thread through ρ and thus by restriction a hue thread through each segment of ρ. By the y and v matching part of the definition of a useless interval, we know that the hue in v at the end of the each added hy, ..., ui path will match the hue in y at the start of each such path. We can thus cut each corresponding finite thread of hues out of η and leave it as a hue thread through σ. Because this part of the definition also tells us that all the eventualities are witnessed in the rest of the segment anyway, we also know that we do not lose any important witnesses by such cutting. Thus η 0 is a fulfilling hue thread as required. Note that the nominated threading property will still hold after the cut because of the second NTP preservation condition. The non-trivial case is when we have a sequence ht0 = se (0), t1 , ..., tk = ei such that each ti+1 = sti (0) containing x and v. Thus we have to check that the always zero hue thread is
38
fulfilling for the new infinite fullpath. There are two cases depending on whether an element of F appears in the sequence or not. If f ∈ F does appear then put t = f . Otherwise let t = e which is not below F and is the source of an up-link to a destination above x. Thus t is on an always leftmost branch from v. By the last part of the definition of a useless interval, we have a further two cases. Possibly all the eventualities in zv (0) are witnessed along the always zero thread by the time we get to t. This mean all that are in zt0 (0) are witnessed too. The other case is that t is on an always leftmost branch from x and all the eventualities seen any any zd (0) for d between y and v are witnessed between v and t. So we are done then as well. 9.1
Some simple examples
Example One: immediate repeat of a one-hue colour. Suppose non-root node t is the parent of node t0 and they both have the same colour which only consists of one hue. Suppose also that we do not already have an up-link from t0 to t: if we did we would not need to worry about terminating this branch. Then we can use the above condition to show that there is a useless interval and we can backtrack in our tableau building. To see why let us name the parent of t as x, put y = u = t and put v = t0 . Also let F = {t0 }. It is a simple matter to check through the six conditions. Instances of this situation come up frequently in building tableaux for our example formulas. The repetition check is put to good use. Example Two: immediate repeat of multi-hue colour with id tracebacks. Suppose non-root node t is the parent of node t0 and they both have the same colour. Furthermore suppose that each hue h ∈ z(t0 ) traces back to itself h ∈ z(t). Suppose also that we do not already have an up-link from t0 to t: if we did we would not need to worry about terminating this branch. Then we can use the above condition to show that there is a useless interval and we can backtrack in our tableau building. To see why let us name the parent of t as x, put y = u = t and put v = t0 . Also let F = {t0 }. Again it is a simple matter to check through the six conditions. Instances of this check appear in building tableaux for examples θ9 to θ14 .
10
Complexity and Implementation Issues
Say that the length of φ is |φ| = l. Thus φ has ≤ l subformulas and clφ contains at most 2l formulas. Since each hue contains, for each α ≤ φ at most one of α l or ¬α, there are at most ≤ 2l hues. Thus there are less than 22 colours.
39
The implementation of CTL*-TAB is relatively straightforward (but no version robust enough for public release has yet been constructed). This uses some basic repetition checking derived from the check given earlier in the paper. A prototype implementation written by the author shows that for many interesting, albeit relatively small, formulas, the actual performance is nowhere near as bad as the the theoretical upper bounds above. There are some preliminary results Figure 1. The number of colours is not used directly by the algorithm but gives an idea of how much choice there is when we need to do backtracking at various nodes. Please note that the results presented in the table here are preliminary and may be improved as minor adjustments are made to the working of the algorithm. This table may be updated in new versions of this technical report from time to time. The current implementation makes use of a few enhancements which are important in reaching some of the quick decisions. For example, preprocessing of hues to eliminate those without any successor hues does make the algorithm faster (useful for ¬θ1 ). Also, the search for successful tableaux can be done in a step-by-step way looking first for depth 1 tableaux, then depth 2, then depth 3 etc. (useful for θ10 , θ11 , θ12 , θ17 ). Finally, we can also search in a way that starts off with restrictions on the number of hues in a label colour and then gradually relaxes the restrictions.
11
Conclusion
We have provided a simple, sound and complete tableau system for the propositional full computational tree logic CTL*. This is the first such. Even though there is an existing decision procedure for CTL* (based on automata) there are many potential uses of new tableaux systems for CTL*. We can often extract counter-models and formal proofs from tableaux. They could be a base for developing, or proving correctness of, other techniques such as resolution or term rewriting. They may give indications of simpler more reasonable sub-languages. Tableaux help manual proofs of validity. They can be extended to help with reasoning in the predicate case, for example for software verification. Although this tableau approach is usable in interesting ways already there is much work to do to make more practical use of this. Worst case performance is necessarily bad (double exponential) because of the complexity of the decision problem but there is great potential for vast improvements in running times in general or on certain classes of formulas. The first task is to have a general and efficient repetition detection mechanism. This needs to be developed and proved correct to replace the wasteful but simple bound based on maximum size of model for formulas of certain input length. We have not mentioned directions for other improvements in this paper but important tasks include making use of preprocessing of relationships between hues, or at least remembering properties such as which ones do not have successor
40
formula length # hues # colours # tab. steps model size θ sat’bl? θ1 25 16 276 3 1 yes θ2 19 12 270 3 1 yes θ3 35 10 24 7 1 yes θ4 9 8 20 3 1 yes θ5 9 5 2 3 1 yes θ6 8 4 2 3 1 yes θ7 9 18 30 3 1 yes θ8 6 3 2 3 1 yes θ9 20 10 8 3 1 yes θ10 22 35 290 1233 2 yes θ11 46 30 8190 3 1 yes θ12 29 39 258 135 2 yes θ13 51 234 4596 354 2 yes θ14 50 1506 > 280 > 1.4.106 2 yes θ15 1 2 2 4 2 yes θ16 9 6 18 5 3 yes θ17 55 164 > 16.106 110 6 yes θ18 39 357 > 257 ? ? yes ¬θ1 26 16 276 1 NA no ¬θ2 20 12 270 769 NA no ¬θ3 36 10 24 33 NA no ¬θ4 10 8 20 216 NA no ¬θ5 10 5 2 1 NA no ¬θ6 9 4 2 1 NA no ¬θ7 10 18 30 9 NA no ¬θ8 7 3 2 1 NA no ¬θ9 21 10 8 27 NA no ¬θ10 23 35 290 216 NA no ¬θ11 47 30 8190 ? ? no ¬θ12 30 39 258 ? ? no ¬θ13 52 234 4596 ? ? no ¬θ14 51 1506 > 280 ? ? no ¬θ15 2 2 2 3 1 yes ¬θ16 10 6 18 3 1 yes ¬θ17 56 164 > 16.106 3638 2 yes ¬θ18 40 357 > 257 308239 2 yes Fig. 1. Deciding satisfiability using CTL*-TAB
41
hues. Developing ways of reasoning ahead with partially determined colours and hues will also be useful.
References 1. O. Bernholtz and O. Grumberg. Buy one, get one free !!! In D. Gabbay and H. Ohlbach, editors, Temporal Logic, Proceedings of ICTL ’94, number 827 in LNAI, pages 210–224. Springer-Verlag, 1994. 2. E. Clarke and E. Emerson. Synthesis of synchronization skeletons for branching time temporal logic. In Proc. IBM Workshop on Logic of Programs, Yorktown Heights, NY, pages 52–71. Springer, Berlin, 1981. 3. E. Emerson. Alternative semantics for temporal logics. Theoretical Computer Science, 26:121–130, 1983. 4. E. Emerson. Automated temporal reasoning for reactive systems. In F. Moller and G. Birtwistle, editors, Logics for Concurrency, pages 41–101. Springer Verlag, 1996. 5. E. Emerson and E. C. Clarke. Using branching time temporal logic to synthesise synchronisation skeletons. Sci. of Computer Programming, 2, 1982. 6. E. Emerson and J. Halpern. Decision procedures and expressiveness in the temporal logic of branching time. J. Comp and Sys. Sci, 30(1):1–24, 1985. 7. E. Emerson and J. Halpern. ‘Sometimes’ and ‘not never’ revisited: on branching versus linear time. J. ACM, 33, 1986. 8. E. Emerson and C. Jutla. Complexity of tree automata and modal logics of programs. In 29th IEEE Foundations of Computer Science, Proceedings. IEEE, 1988. 9. E. Emerson and A. Sistla. Deciding full branching time logic. Information and Control, 61:175 – 201, 1984. 10. E.A. Emerson. Temporal and modal logic. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B. Elsevier, Amsterdam, 1990. 11. M. Fitting. Proof methods for modal and intuitionistic logics. Reidel, 1983. 12. R. Gor´e. Tableau methods for modal and temporal logics. In M. D’Agostino, D. Gabbay, R. H¨ ahnle, and J. Posegga, editors, Handbook of Tableau Methods, pages 297–396. Kluwer Academic Publishers, 1999. 13. G. Gough. Decision procedures for temporal logics. Technical Report UMCS-8910-1, Department of Computer Science, University of Manchester, 1989. 14. G. Hughes and M. Cresswell. An Introduction to Modal Logic. Methuen, London, 1968. 15. Xiangyu Luo, Kaile Su, Abdul Sattar, Qingliang Chen, and Guanfeng Lv. Bounded model checking knowledge and branching time in synchronous multi-agent systems. In AAMAS ’05: Proceedings of the fourth international joint conference on Autonomous agents and multiagent systems, pages 1129–1130, New York, NY, USA, 2005. ACM. 16. A. Pnueli. The temporal logic of programs. In Proceedings of the Eighteenth Symposium on Foundations of Computer Science, pages 46–57, 1977. Providence, RI. 17. A. Pnueli and R. Rosner. On the synthesis of a reactive module. In Proceedings of the Sixteenth Symposium of Principles of Programming Languages, pages 179 – 190. ACM, 1989. 18. Amir Pnueli and Yonit Kesten. A deductive proof system for CTL*. In Lubos Brim, Petr Jancar, Mojm´ır Kret´ınsk´ y, and Anton´ın Kucera, editors, CONCUR, volume 2421 of Lecture Notes in Computer Science, pages 24–40. Springer, 2002.
42 19. M. Reynolds. An axiomatization of full computation tree logic. J. Symbolic Logic, 66(3):1011–1057, 2001. 20. M. Reynolds. A tableau for bundled CTL*. Journal of Logic and Computation, 17:117–132, 2007. 21. M. Reynolds. A tableau for CTL*, long version. Technical report, CSSE, UWA, January, 2009. See http://www.csse.uwa.edu.au/∼mark/research/Online/StarTab.html 22. M. Reynolds and C. Dixon. Theorem-proving for discrete temporal logic. In M. Fisher, D. Gabbay, and L. Vila, editors, Handbook of Temporal Reasoning in Artificial Intelligence, pages 279–314. Elsevier, 2005. 23. S. Schwendimann. A new one-pass tableau calculus for PLTL. In Harrie C. M. de Swart, editor, Proceedings of International Conference, TABLEAUX 1998, Oisterwijk, LNAI 1397, pages 277–291. Springer, 1998. 24. C. Sprenger. Deductive Local Model Checking. PhD thesis, Swiss Federal Institute of Technology, Lausanne, Switzerland, 2000. 25. C. Stirling. Modal and temporal logics. In S. Abramsky, D. Gabbay, and T. Maibaum, editors, Handbook of Logic in Computer Science, Volume 2, pages 477–563. OUP, 1992. 26. M. Vardi and L. Stockmeyer. Improved upper and lower bounds for modal logics of programs. In 17th ACM Symp. on Theory of Computing, Proceedings, pages 240–251. ACM, 1985. 27. P. Wolper. The tableau method for temporal logic: an overview. Logique et Analyse, 28:110–111, June–Sept 1985.
