Safety alternating automata on data words
A data word is a sequence of pairs of a letter from a finite alphabet and an element from an infinite set, where the latter can only be compared for equality. Safety one-way alternating automata with one register on infinite data words are considered…
Authors: Ranko Lazic
Safety Alternating Automata on Data Words
RANKO LAZIĆ
Department of Computer Science, University of Warwick, UK

A data word is a sequence of pairs of a letter from a finite alphabet and an element from an infinite set, where the latter can only be compared for equality. Safety one-way alternating automata with one register on infinite data words are considered, their nonemptiness is shown ExpSpace-complete, and their inclusion decidable but not primitive recursive. The same complexity bounds are obtained for satisfiability and refinement, respectively, for the safety fragment of linear temporal logic with freeze quantification. Dropping the safety restriction, adding past temporal operators, or adding one more register, each causes undecidability.

Categories and Subject Descriptors: F.4.1 [Mathematical Logic and Formal Languages]: Formal Languages—Decision problems; F.1.1 [Computation by Abstract Devices]: Models of Computation—Automata

General Terms: Algorithms, Verification

1. INTRODUCTION

Context. Logics and automata for words and trees over finite alphabets are relatively well-understood. Motivated partly by the need for formal verification and synthesis of infinite-state systems, and the search for automated reasoning techniques for XML, there is an active and broad research programme on logics and automata for words and trees which have richer structure. Segoufin's survey [Segoufin 2006] is a summary of the substantial progress made on reasoning about data words and data trees. A data word is a word over a finite alphabet, with an equivalence relation on word positions.
Implicitly, every word position is labelled by an element ("datum") from an infinite set ("data domain"), but since the infinite set is equipped only with the equality predicate, it suffices to know which word positions are labelled by equal data, and that is what the equivalence relation represents. Similarly, a data tree is a tree (countable, unranked and ordered) whose every node is labelled by a letter from a finite alphabet, with an equivalence relation on the set of its nodes.

It has been nontrivial to find satisfactory specification formalisms even for data words. First-order logic was considered in [Bojańczyk et al. 2006; David 2004], and related automata were studied further in [Björklund and Schwentick 2007]. The logic has variables which range over word positions ($\{0, \ldots, l-1\}$ or $\mathbb{N}$), a unary predicate for each letter from the finite alphabet, and a binary predicate $x \sim y$ for the equivalence relation that represents equality of data labels. $\mathrm{FO}^2(\sim, <, +1)$ denotes such a logic with two variables and binary predicates $x + 1 = y$ and $x < y$.

This paper is a revised and extended version of [Lazić 2006]. This research was supported by grants from the EPSRC (GR/S52759/01) and the Intel Corporation, and by ENS Cachan.

Permission to make digital/hard copy of all or part of this material without fee for personal or classroom use provided that the copies are not made or distributed for profit or commercial advantage, the ACM copyright/server notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific permission and/or a fee.
© 20YY ACM 0000-0000/20YY/0000-0001 $5.00
ACM Journal Name, Vol. V, No. N, Month 20YY.
Over finite and over infinite data words, satisfiability for $\mathrm{FO}^2(\sim, <, +1)$ was proved decidable and at least as hard as reachability for Petri nets [Bojańczyk et al. 2006]. The latter problem is ExpSpace-hard [Lipton 1976], but its elementarity is still an open question. Elementary complexity of satisfiability can be obtained at the price of substantially reducing the navigational power: over finite data words, NExpTime-completeness for $\mathrm{FO}^2(\sim, <)$ was established in [David 2004] and 3NExpTime-membership for $\mathrm{FO}^2(\sim, +1)$ follows from [Bojańczyk et al. 2006]. In the other direction, if $\mathrm{FO}^2(\sim, <, +1)$ is extended by one more variable, $+1$ becomes expressible using $<$, but satisfiability was shown undecidable already for $\mathrm{FO}^3(\sim, +1)$ [Bojańczyk et al. 2006].

An alternative approach to reasoning about data words is based on automata with registers [Kaminski and Francez 1994]. A register is used for storing a datum for later equality comparisons (i.e. an equivalence class for later membership testing). Nonemptiness of one-way nondeterministic register automata over finite data words has relatively low complexity: NP-complete [Sakamoto and Ikeda 2000] or PSpace-complete [Demri and Lazić 2009], depending on technical details of their definition. Unfortunately, such automata fail to provide a satisfactory notion of regular language of finite data words, as they are not closed under complement [Kaminski and Francez 1994] and their nonuniversality is undecidable [Neven et al. 2004].
To overcome those limitations, one-way alternating automata with 1 register (for short, 1ARA$_1$) were proposed in [Demri and Lazić 2009]: they are closed under Boolean operations, their nonemptiness over finite data words is decidable, and future-time fragments of temporal logics such as LTL or the modal $\mu$-calculus extended by 1 register are easily translatable to such automata. However, nonemptiness for 1ARA$_1$ turned out to be not primitive recursive over finite data words, and undecidable (more precisely, $\Pi^0_1$-hard) over infinite ones with the weak acceptance mechanism [Muller et al. 1986] and thus also with Büchi or co-Büchi acceptance.

Contribution. We consider one-way alternating automata with 1 register with the safety acceptance mechanism over infinite data words (i.e. data $\omega$-words). The languages of such automata are safety properties [Alpern and Schneider 1987]: every rejected data $\omega$-word has a finite prefix such that every other data $\omega$-word which extends it is also rejected. (Over finite data words, safety is not a restriction.)

The main result is that nonemptiness of safety 1ARA$_1$ is in ExpSpace. We say that a sentence of LTL is safety iff each occurrence of the 'until' operator is under an odd number of negations. In particular, each 'eventually' (resp., 'always') must be under an odd (resp., even) number of negations. By showing that the safety fragment of future-time LTL with 1 register is translatable in logarithmic space to safety 1ARA$_1$, and that satisfiability for the fragment is ExpSpace-hard, we conclude ExpSpace-completeness of both problems.

The ExpSpace upper bound is surprising since even decidability is fragile: by [Demri and Lazić 2009, Theorem 5.2], satisfiability for future-time LTL with 1 register on data $\omega$-words is $\Pi^0_1$-hard, and from the proof of [Demri and Lazić 2009, Theorem 5.4], the same is true for the safety fragment if past temporal operators or one more register are added (cf. related undecidability results in [Neven et al. 2004; David 2004]). Moreover, nonemptiness of safety forward (i.e. downward and rightward) alternating automata with 1 register on data trees was shown decidable but not elementary [Jurdziński and Lazić 2007]. Another setting where decidability [Ouaknine and Worrell 2006] was obtained by restricting to safety sentences is that of metric temporal logic on timed $\omega$-words, but the complexity is again not elementary [Bouyer et al. 2008].

The proof of ExpSpace-membership is in two stages. The first consists of translating a given safety 1ARA$_1$ $\mathcal{A}$ to a nondeterministic automaton with faulty counters $\mathcal{C}_{\mathcal{A}}$ which is on $\omega$-words over the alphabet of $\mathcal{A}$ and which is nonempty iff $\mathcal{A}$ is. The counters of $\mathcal{C}_{\mathcal{A}}$ are faulty in the sense that they are subject to incrementing errors, i.e. they can spontaneously increase at any time. Although a nonemptiness-preserving translation from 1ARA$_1$ with weak acceptance to counter automata with incrementing errors was given in [Demri and Lazić 2009], applying it to safety 1ARA$_1$ produces automata with the Büchi acceptance mechanism, where the latter ensures that certain loops cannot repeat infinitely due to incrementing errors. To obtain safety automata, we enrich the instruction set by nondeterministic transfers. When applied to a counter $c$ and a set of counters $C$, such an instruction transfers the value of $c$ to the counters in $C$, nondeterministically splitting it. Thus we obtain $\mathcal{C}_{\mathcal{A}}$ whose nonemptiness amounts to existence of an infinite computation from the initial state.
However, a further observation on the resulting automata is required: the counters of such an automaton are nonempty subsets of a certain set (essentially, the set of states of the given safety 1ARA$_1$), and it suffices to use nondeterministic transfers which are simultaneous for all counters and which have a certain distributivity property in terms of the partial-order structure of the set of all counters. The second stage of the proof is then an inductive counting argument which shows that $\mathcal{C}_{\mathcal{A}}$ is nonempty iff it has a computation from the initial state of length doubly exponential in the size of $\mathcal{A}$.

Some of the techniques are also used in the proof that termination of channel machines with occurrence testing and insertion errors is primitive recursive [Bouyer et al. 2008]. Although counters are simpler resources than channels, the class of machines considered there does not have instructions which correspond to the nondeterministic transfers, and the sets of channels and messages (which are counterparts to the sets of counters) have no special structure.

We also show that language inclusion between two safety 1ARA$_1$ is decidable, and hence that refinement (i.e., validity of implication) between two sentences of safety future-time LTL with 1 register is also decidable. Since the safety fragment is closed under conjunctions and disjunctions, it follows that satisfiability is decidable for Boolean combinations of safety sentences. The latter is thus a competing logic to $\mathrm{FO}^2(\sim, <, +1)$ on data $\omega$-words. They are incomparable in expressiveness: there exist properties involving the past (e.g. 'every $b$ is preceded by an $a$ with the same datum') which are expressible in $\mathrm{FO}^2(\sim, <, +1)$ but not by a Boolean combination of safety sentences (not even in future-time LTL with 1 register), and the reverse is true of some constraints involving more than 2 word positions (e.g. 'whenever $a$ is followed by $b$ with the same datum, $c$ does not occur in between'). However, as pointed out above, it is not known whether satisfiability for $\mathrm{FO}^2(\sim, <, +1)$ is elementary, whereas we establish that already satisfiability for negations of safety sentences is not primitive recursive, and hence also universality for safety 1ARA$_1$.

2. PRELIMINARIES

In this section, we define safety one-way alternating automata and safety future-time linear temporal logic with 1 register on data $\omega$-words, as well as the class of counter automata that will be used in the proof of ExpSpace-membership in Section 3. We also show some of their basic properties, in particular a logarithmic-space translation from the linear temporal logic to the alternating automata.

2.1 Data Words

A data $\omega$-word $\sigma$ over a finite alphabet $\Sigma$ is an $\omega$-word $\mathrm{str}(\sigma)$ over $\Sigma$ together with an equivalence relation $\sim_\sigma$ on $\mathbb{N} = \{0, 1, \ldots\}$. We write $\mathbb{N}/{\sim_\sigma}$ for the set of all classes of $\sim_\sigma$. For $i \in \mathbb{N}$, we write $\sigma(i)$ for the letter at position $i$, and $[i]_{\sim_\sigma}$ for the class that contains $i$. When $\sigma$ is understood, we may write simply $\sim$ instead of $\sim_\sigma$. We shall sometimes refer to classes of $\sim$ as 'data'.

In some places, we shall also need the concept of a finite data word. For $i > 0$, the $i$-prefix of a data $\omega$-word $\sigma$ is the finite data word whose letters are $\sigma(0) \cdots \sigma(i-1)$ and whose equivalence relation is $\sim_\sigma$ restricted to $\{0, \ldots, i-1\}$.

2.2 Register Automata

The definition of safety one-way alternating 1-register automata below is based on the more general one of weak two-way alternating register automata in [Demri and Lazić 2009].
A configuration of such an automaton at a position $i$ of a data $\omega$-word $\sigma$ will consist of one of finitely many automaton states and a register value $D \in \mathbb{N}/{\sim}$. From it, depending on the state, the letter $\sigma(i)$, and whether $D = [i]_\sim$ (denoted $\uparrow$) or $D \neq [i]_\sim$ (denoted $\not\uparrow$), the automaton chooses a pair $Q', Q'_\downarrow$ of sets of states. The resulting set of configurations at the next word position is
$$\{\langle q', D\rangle : q' \in Q'\} \cup \{\langle q', [i]_\sim\rangle : q' \in Q'_\downarrow\},$$
i.e. the states in $Q'$ are associated with the old register value, and the states in $Q'_\downarrow$ with the class of position $i$. Following [Brzozowski and Leiss 1980], what choices of pairs of sets of states are possible will be specified in each case by a positive Boolean formula. That formalisation, in contrast to listing all possible such choices, will enable a logarithmic-space translation from safety future-time LTL with 1 register.

An infinite run of the automaton will consist, for each $j \in \mathbb{N}$, of a set $F_j$ of all configurations at position $j$. For each $j$, $F_{j+1}$ will be the union of some sets of configurations chosen as above for each configuration in $F_j$. Hence, a configuration will be rejecting when its set of possible choices is empty, and it will be accepting when it can choose $Q' = Q'_\downarrow = \emptyset$. The definition of infinite runs will ensure that they cannot contain rejecting configurations, so the safety acceptance mechanism will amount to each infinite run being considered accepting.

Formally, for a finite set $Q$, let ${\downarrow}Q = \{{\downarrow}q : q \in Q\}$, and let $\mathcal{B}^+_\downarrow(Q)$ denote the set of all positive Boolean formulae over $Q \cup {\downarrow}Q$, where we assume that $Q$ and ${\downarrow}Q$ are disjoint:
$$\varphi ::= q \mid {\downarrow}q \mid \top \mid \bot \mid \varphi \wedge \varphi \mid \varphi \vee \varphi$$

Fig. 1. A register automaton. [Figure: three states $q$, $q'$, $q''$ with transitions labelled by the letters $a$, $b$, $c$; the $a$-transition from $q$ to $q'$ carries $\downarrow$, and the $b$-loop at $q''$ carries $\not\uparrow$. See Example 2.1.]

A safety one-way alternating automaton with 1 register (shortly, safety 1ARA$_1$) $\mathcal{A}$ is a tuple $\langle \Sigma, Q, q_I, \delta\rangle$ such that:
— $\Sigma$ is a finite alphabet;
— $Q$ is a finite set of states, and $q_I \in Q$ is the initial state;
— $\delta : (Q \times \Sigma \times \{\uparrow, \not\uparrow\}) \to \mathcal{B}^+_\downarrow(Q)$ is a transition function.

Satisfaction of a positive Boolean formula over $Q \cup {\downarrow}Q$ by a pair of sets $Q', Q'_\downarrow \subseteq Q$ is defined by structural recursion:
$$\begin{array}{lcl}
Q', Q'_\downarrow \models q &\stackrel{\text{def}}{\Leftrightarrow}& q \in Q' \\
Q', Q'_\downarrow \models {\downarrow}q &\stackrel{\text{def}}{\Leftrightarrow}& q \in Q'_\downarrow \\
Q', Q'_\downarrow \models \top && \\
Q', Q'_\downarrow \not\models \bot && \\
Q', Q'_\downarrow \models \varphi \wedge \varphi' &\stackrel{\text{def}}{\Leftrightarrow}& Q', Q'_\downarrow \models \varphi \text{ and } Q', Q'_\downarrow \models \varphi' \\
Q', Q'_\downarrow \models \varphi \vee \varphi' &\stackrel{\text{def}}{\Leftrightarrow}& Q', Q'_\downarrow \models \varphi \text{ or } Q', Q'_\downarrow \models \varphi'
\end{array}$$

A configuration of $\mathcal{A}$ for a data word $\sigma$ is an element of $Q \times (\{j : 0 \le j < |\sigma|\}/{\sim})$. For a position $0 \le i < |\sigma|$, and finite sets $F$ and $F'$ of configurations, we write $F \xrightarrow{\sigma, i} F'$ iff, for each $\langle q, D\rangle \in F$, there exist $Q^{\langle q, D\rangle}, Q^{\langle q, D\rangle}_\downarrow \subseteq Q$ which satisfy the formula $\delta(q, \sigma(i), \uparrow)$ if $D = [i]_\sim$, or the formula $\delta(q, \sigma(i), \not\uparrow)$ if $D \neq [i]_\sim$, such that
$$F' = \{\langle q', D\rangle : \langle q, D\rangle \in F \wedge q' \in Q^{\langle q, D\rangle}\} \cup \{\langle q', [i]_\sim\rangle : \langle q, D\rangle \in F \wedge q' \in Q^{\langle q, D\rangle}_\downarrow\}.$$

We say that $\mathcal{A}$ accepts a data $\omega$-word $\sigma$ over $\Sigma$ iff it has an infinite run $F_0 \xrightarrow{\sigma, 0} F_1 \xrightarrow{\sigma, 1} \cdots$ where $F_0 = \{\langle q_I, [0]_\sim\rangle\}$ consists of the initial configuration. We write $L(\mathcal{A})$ for the language of $\mathcal{A}$, i.e. the set of all data $\omega$-words over $\Sigma$ that $\mathcal{A}$ accepts.

Example 2.1. A safety 1ARA$_1$ with alphabet $\{a, b, c\}$ and three states is depicted in Figure 1. It rejects a data $\omega$-word iff there is an occurrence of $a$, a subsequent occurrence of $b$ with the same datum, and an occurrence of $c$ between them. The automaton is deterministic, except for the universal branching from state $q$ at letter $a$.
When behaviour does not depend on whether the class in the register equals the class of the current position, the two cases are not shown separately. In particular, we have $\delta(q, a, \uparrow) = \delta(q, a, \not\uparrow) = q \wedge {\downarrow}q'$. The absence of a transition from $q''$ labelled by $b$ and $\uparrow$ means that we have rejection in that case, i.e. $\delta(q'', b, \uparrow) = \bot$.

A set $L$ of data $\omega$-words over an alphabet $\Sigma$ is called safety [Alpern and Schneider 1987] iff it is closed under limits of finite prefixes, i.e. for each data $\omega$-word $\sigma$, if for each $i > 0$ there exists $\sigma'_i \in L$ with the $i$-prefixes of $\sigma$ and $\sigma'_i$ equal, then $\sigma \in L$.¹

¹ Hence, a set is safety iff it is closed with respect to the Cantor metric, where the distance between two words is inversely proportional to the length of their longest common prefix.

Proposition 2.2. The language of each safety 1ARA$_1$ is safety.

Proof. Suppose that $\mathcal{A}$ is a safety 1ARA$_1$, and for each $i > 0$ there exists $\sigma'_i \in L(\mathcal{A})$ such that the $i$-prefixes of $\sigma$ and $\sigma'_i$ are equal. For each $i$, let $F'_{i,0} \xrightarrow{\sigma'_i, 0} F'_{i,1} \xrightarrow{\sigma'_i, 1} \cdots$ be an infinite run of $\mathcal{A}$ with $F'_{i,0} = \{\langle q_I, [0]_{\sim_{\sigma'_i}}\rangle\}$. For each $0 \le j \le i$, let $F^\dagger_{i,j}$ be obtained from $F'_{i,j}$ by replacing each class $D'$ of $\sigma'_i$ with the class $D$ of $\sigma$ such that $D' \cap \{0, \ldots, i-1\} = D \cap \{0, \ldots, i-1\}$. Now, consider the tree formed by all the sequences $\langle F^\dagger_{i,j} : 0 \le j \le i\rangle$ for $i > 0$. The tree is finitely branching (since $Q$ is finite and every register value occurring in some $F^\dagger_{i,j}$ is a class of $\sigma$ that contains a position below $j$), so by König's Lemma, it contains an infinite path $\langle F_j : j \in \mathbb{N}\rangle$. It remains to observe that $F_0 \xrightarrow{\sigma, 0} F_1 \xrightarrow{\sigma, 1} \cdots$ and $F_0 = \{\langle q_I, [0]_{\sim_\sigma}\rangle\}$. □

Given safety 1ARA$_1$ $\mathcal{A}_1$ and $\mathcal{A}_2$ with alphabet $\Sigma$, it is easy to construct an automaton which recognises $L(\mathcal{A}_1) \cap L(\mathcal{A}_2)$ (resp., $L(\mathcal{A}_1) \cup L(\mathcal{A}_2)$).
It suffices to form a disjoint union of $\mathcal{A}_1$ and $\mathcal{A}_2$, and add a new initial state $q_I$ such that $\delta(q_I, a, ?) = \delta(q^1_I, a, ?) \wedge \delta(q^2_I, a, ?)$ (resp., $\delta(q_I, a, ?) = \delta(q^1_I, a, ?) \vee \delta(q^2_I, a, ?)$) for each $a \in \Sigma$ and $? \in \{\uparrow, \not\uparrow\}$, where $q^1_I$ and $q^2_I$ are the initial states of $\mathcal{A}_1$ and $\mathcal{A}_2$. We thus obtain:

Proposition 2.3. Safety 1ARA$_1$ are closed under finite intersections and finite unions, in logarithmic space.

2.3 Linear Temporal Logic

Safety LTL$^\downarrow_1(\mathsf{X}, \mathsf{R})$ will denote the safety fragment of future-time linear temporal logic with 1 register, whose syntax is given below. Each formula is over a finite alphabet $\Sigma$, over which the atomic formulae $a$ range. By restricting ourselves to formulae in negation normal form, the safety restriction amounts to the 'release' temporal operator being available instead of its dual 'until'. The formulae may also contain the 'next' temporal operator. A freeze quantification ${\downarrow}\phi$ binds each free occurrence of $\uparrow$ (and of $\not\uparrow$) in $\phi$. Such an occurrence will evaluate to true iff the word position at the time of the freeze quantification and the word position when the occurrence of $\uparrow$ is evaluated are in the same class.
$$\phi ::= a \mid \top \mid \bot \mid \phi \wedge \phi \mid \phi \vee \phi \mid \mathsf{X}\phi \mid \phi\,\mathsf{R}\,\phi \mid {\downarrow}\phi \mid \uparrow \mid \not\uparrow$$
The 'always' temporal operator can be introduced by regarding $\mathsf{G}\phi$ as an abbreviation for $\bot\,\mathsf{R}\,\phi$.

For a data $\omega$-word $\sigma$ over a finite alphabet $\Sigma$, a position $i \in \mathbb{N}$, a register value $D \in \mathbb{N}/{\sim}$, and a formula $\phi$ over $\Sigma$, writing $\sigma, i \models_D \phi$ will mean that $\phi$ is satisfied by $\sigma$ at $i$ with respect to $D$. The satisfaction relation is defined as follows, where we omit the Boolean cases.
$$\begin{array}{lcl}
\sigma, i \models_D a &\stackrel{\text{def}}{\Leftrightarrow}& \sigma(i) = a \\
\sigma, i \models_D \mathsf{X}\phi &\stackrel{\text{def}}{\Leftrightarrow}& \sigma, i+1 \models_D \phi \\
\sigma, i \models_D \phi\,\mathsf{R}\,\psi &\stackrel{\text{def}}{\Leftrightarrow}& \text{either for all } k \ge i,\ \sigma, k \models_D \psi, \\
&& \text{or for some } j \ge i,\ \sigma, j \models_D \phi \text{ and for all } k \in \{i, \ldots, j\},\ \sigma, k \models_D \psi \\
\sigma, i \models_D {\downarrow}\phi &\stackrel{\text{def}}{\Leftrightarrow}& \sigma, i \models_{[i]_\sim} \phi \\
\sigma, i \models_D \uparrow &\stackrel{\text{def}}{\Leftrightarrow}& i \in D \\
\sigma, i \models_D \not\uparrow &\stackrel{\text{def}}{\Leftrightarrow}& i \notin D
\end{array}$$

If $\phi$ is a sentence, i.e. contains no free occurrence of $\uparrow$ or $\not\uparrow$, we may omit $D$ since it is irrelevant and write $\sigma, i \models \phi$. Let $L(\phi)$ denote the language of $\phi$, i.e. the set of all data $\omega$-words $\sigma$ over $\Sigma$ such that $\sigma, 0 \models \phi$.

Example 2.4. Consider the following sentence $\phi$ over alphabet $\{a, b, c\}$:
$$\mathsf{G}(b \vee c \vee {\downarrow}\mathsf{X}\mathsf{G}(a \vee b \vee \mathsf{X}\mathsf{G}(a \vee c \vee \not\uparrow)))$$
We have $\sigma, 0 \models \phi$ iff, for each occurrence of $a$ in $\sigma$ and each later occurrence of $c$, there is no later still occurrence of $b$ with the same datum as the occurrence of $a$, i.e. iff $\sigma$ is accepted by the automaton in Example 2.1.

Theorem 2.5. For each sentence $\phi$ of safety LTL$^\downarrow_1(\mathsf{X}, \mathsf{R})$, a safety 1ARA$_1$ $\mathcal{A}_\phi$ with the same alphabet and $L(\phi) = L(\mathcal{A}_\phi)$ is computable in logarithmic space.

Proof. The translation is a straightforward adaptation of the classical one from LTL to alternating automata (cf. e.g. [Vardi 1996]). To define $\mathcal{A}_\phi$ with alphabet $\Sigma$ of $\phi$, let the set of states $Q$ consist of all $q_{\phi'}$ such that $\phi'$ is either $\phi$, or $\psi$ for a subformula $\mathsf{X}\psi$ of $\phi$, or a subformula $\psi\,\mathsf{R}\,\chi$ of $\phi$. Let the initial state be $q_\phi$. The transition function is obtained by restricting to $Q$ the function defined below by structural recursion over the set of all $q_{\phi'}$ where $\phi'$ is a subformula of $\phi$. The dual cases are omitted, and $?$ ranges over $\{\uparrow, \not\uparrow\}$. In the formula for ${\downarrow}\psi$, each occurrence of a state $q'$ without $\downarrow$ is substituted by ${\downarrow}q'$.
$$\begin{array}{lcl}
\delta(q_a, a, ?) &\stackrel{\text{def}}{=}& \top \\
\delta(q_a, a', ?) &\stackrel{\text{def}}{=}& \bot, \text{ for } a' \neq a \\
\delta(q_\top, a, ?) &\stackrel{\text{def}}{=}& \top \\
\delta(q_{\psi \wedge \chi}, a, ?) &\stackrel{\text{def}}{=}& \delta(q_\psi, a, ?) \wedge \delta(q_\chi, a, ?) \\
\delta(q_{\mathsf{X}\psi}, a, ?) &\stackrel{\text{def}}{=}& q_\psi \\
\delta(q_{\psi\,\mathsf{R}\,\chi}, a, ?) &\stackrel{\text{def}}{=}& \delta(q_\chi, a, ?) \wedge (\delta(q_\psi, a, ?) \vee q_{\psi\,\mathsf{R}\,\chi}) \\
\delta(q_\uparrow, a, \uparrow) &\stackrel{\text{def}}{=}& \top \\
\delta(q_\uparrow, a, \not\uparrow) &\stackrel{\text{def}}{=}& \bot \\
\delta(q_{{\downarrow}\psi}, a, ?) &\stackrel{\text{def}}{=}& \delta(q_\psi, a, \uparrow)[{\downarrow}q'/q' : q' \in Q]
\end{array}$$

That $\mathcal{A}_\phi$ is computable in logarithmic space follows by observing that, for each subformula $\phi'$ of $\phi$, $a \in \Sigma$, and $? \in \{\uparrow, \not\uparrow\}$, a single traversal of $\phi'$ suffices for computing $\delta(q_{\phi'}, a, ?)$.

Equality of the languages of $\phi$ and $\mathcal{A}_\phi$ is implied by the following claim: for each subformula $\phi'$ of $\phi$, data $\omega$-word $\sigma$ over $\Sigma$, position $i \in \mathbb{N}$, and register value $D \in \mathbb{N}/{\sim}$, we have $\sigma, i \models_D \phi'$ iff, for some $Q', Q'_\downarrow \subseteq Q$ such that $Q', Q'_\downarrow \models \delta(q_{\phi'}, \sigma(i), \uparrow)$ if $D = [i]_\sim$, or such that $Q', Q'_\downarrow \models \delta(q_{\phi'}, \sigma(i), \not\uparrow)$ if $D \neq [i]_\sim$, $\mathcal{A}_\phi$ has an infinite run from position $i+1$ of $\sigma$, starting with
$$\{\langle q', D\rangle : q' \in Q'\} \cup \{\langle q', [i]_\sim\rangle : q' \in Q'_\downarrow\}.$$
(If $q_{\phi'}$ is a state of $\mathcal{A}_\phi$, the latter is equivalent to $\mathcal{A}_\phi$ having a run from position $i$ of $\sigma$, starting with $\{\langle q_{\phi'}, D\rangle\}$.)

The claim is provable by structural induction on $\phi'$. We treat explicitly the two interesting cases: $\phi' = \psi\,\mathsf{R}\,\chi$ and $\phi' = {\downarrow}\psi$.

Suppose $\sigma, i \models_D \psi\,\mathsf{R}\,\chi$. If $\sigma, j \models_D \psi$ for some $j \ge i$, and $\sigma, k \models_D \chi$ for all $k \in \{i, \ldots, j\}$, then by the inductive hypothesis:
(i) for some $Q', Q'_\downarrow \subseteq Q$ such that $Q', Q'_\downarrow \models \delta(q_\psi, \sigma(j), \uparrow)$ if $D = [j]_\sim$, or such that $Q', Q'_\downarrow \models \delta(q_\psi, \sigma(j), \not\uparrow)$ if $D \neq [j]_\sim$, $\mathcal{A}_\phi$ has an infinite run $F'_{j+1} \xrightarrow{\sigma, j+1} F'_{j+2} \xrightarrow{\sigma, j+2} \cdots$ with $F'_{j+1} = \{\langle q', D\rangle : q' \in Q'\} \cup \{\langle q', [j]_\sim\rangle : q' \in Q'_\downarrow\}$;
(ii) for all $k \in \{i, \ldots, j\}$, for some $Q^k, Q^k_\downarrow \subseteq Q$ such that $Q^k, Q^k_\downarrow \models \delta(q_\chi, \sigma(k), \uparrow)$ if $D = [k]_\sim$, or such that $Q^k, Q^k_\downarrow \models \delta(q_\chi, \sigma(k), \not\uparrow)$ if $D \neq [k]_\sim$, $\mathcal{A}_\phi$ has an infinite run $F^k_{k+1} \xrightarrow{\sigma, k+1} F^k_{k+2} \xrightarrow{\sigma, k+2} \cdots$ with $F^k_{k+1} = \{\langle q', D\rangle : q' \in Q^k\} \cup \{\langle q', [k]_\sim\rangle : q' \in Q^k_\downarrow\}$.
Letting $F^\dagger_l = \{\langle q_{\psi\,\mathsf{R}\,\chi}, D\rangle\} \cup \bigcup_{k \in \{i, \ldots, l-1\}} F^k_l$ for each $l \in \{i, \ldots, j\}$, and $F^\dagger_l = \bigcup_{k \in \{i, \ldots, j\}} F^k_l \cup F'_l$ for each $l \ge j+1$, we have by (i) and (ii) that $F^\dagger_i \xrightarrow{\sigma, i} F^\dagger_{i+1} \xrightarrow{\sigma, i+1} \cdots$ and $F^\dagger_i = \{\langle q_{\psi\,\mathsf{R}\,\chi}, D\rangle\}$, as required. If $\sigma, k \models_D \chi$ for all $k \ge i$, the argument is simpler.

For the converse, suppose $\mathcal{A}_\phi$ has an infinite run $F^\dagger_i \xrightarrow{\sigma, i} F^\dagger_{i+1} \xrightarrow{\sigma, i+1} \cdots$ with $F^\dagger_i = \{\langle q_{\psi\,\mathsf{R}\,\chi}, D\rangle\}$. If there exists $j \ge i$ with $\langle q_{\psi\,\mathsf{R}\,\chi}, D\rangle \notin F^\dagger_{j+1}$, consider the minimum such $j$. Since $\delta(q_{\psi\,\mathsf{R}\,\chi}, a, ?) = \delta(q_\chi, a, ?) \wedge (\delta(q_\psi, a, ?) \vee q_{\psi\,\mathsf{R}\,\chi})$, we obtain:
(iii) for some $Q', Q'_\downarrow \subseteq Q$ such that $Q', Q'_\downarrow \models \delta(q_\psi, \sigma(j), \uparrow)$ if $D = [j]_\sim$, or such that $Q', Q'_\downarrow \models \delta(q_\psi, \sigma(j), \not\uparrow)$ if $D \neq [j]_\sim$, we have $\{\langle q', D\rangle : q' \in Q'\} \cup \{\langle q', [j]_\sim\rangle : q' \in Q'_\downarrow\} \subseteq F^\dagger_{j+1}$;
(iv) for all $k \in \{i, \ldots, j\}$, for some $Q^k, Q^k_\downarrow \subseteq Q$ such that $Q^k, Q^k_\downarrow \models \delta(q_\chi, \sigma(k), \uparrow)$ if $D = [k]_\sim$, or such that $Q^k, Q^k_\downarrow \models \delta(q_\chi, \sigma(k), \not\uparrow)$ if $D \neq [k]_\sim$, we have $\{\langle q', D\rangle : q' \in Q^k\} \cup \{\langle q', [k]_\sim\rangle : q' \in Q^k_\downarrow\} \subseteq F^\dagger_{k+1}$.
By considering subruns starting with the sets of configurations in (iii) and (iv), and the inductive hypothesis, it follows that $\sigma, j \models_D \psi$, and $\sigma, k \models_D \chi$ for all $k \in \{i, \ldots, j\}$, so $\sigma, i \models_D \psi\,\mathsf{R}\,\chi$ as required. If $\langle q_{\psi\,\mathsf{R}\,\chi}, D\rangle \in F^\dagger_{j+1}$ for all $j \ge i$, the argument is again simpler.

For case $\phi' = {\downarrow}\psi$, we have $\sigma, i \models_D {\downarrow}\psi$ iff $\sigma, i \models_{[i]_\sim} \psi$. By the inductive hypothesis, that is iff:
(v) for some $Q^\dagger, Q^\dagger_\downarrow \subseteq Q$ such that $Q^\dagger, Q^\dagger_\downarrow \models \delta(q_\psi, \sigma(i), \uparrow)$, $\mathcal{A}_\phi$ has an infinite run from position $i+1$ of $\sigma$, starting with $\{\langle q', [i]_\sim\rangle : q' \in Q^\dagger \cup Q^\dagger_\downarrow\}$.
On the other hand, $\mathcal{A}_\phi$ having an infinite run from position $i+1$ of $\sigma$, starting with $\{\langle q', D\rangle : q' \in Q'\} \cup \{\langle q', [i]_\sim\rangle : q' \in Q'_\downarrow\}$ for some $Q', Q'_\downarrow \subseteq Q$ such that $Q', Q'_\downarrow \models \delta(q_{{\downarrow}\psi}, \sigma(i), \uparrow)$ if $D = [i]_\sim$, or such that $Q', Q'_\downarrow \models \delta(q_{{\downarrow}\psi}, \sigma(i), \not\uparrow)$ if $D \neq [i]_\sim$, is equivalent to:
(vi) for some $Q', Q'_\downarrow \subseteq Q$ such that $Q', Q'_\downarrow \models \delta(q_\psi, \sigma(i), \uparrow)[{\downarrow}q'/q' : q' \in Q]$, $\mathcal{A}_\phi$ has an infinite run from position $i+1$ of $\sigma$, starting with $\{\langle q', D\rangle : q' \in Q'\} \cup \{\langle q', [i]_\sim\rangle : q' \in Q'_\downarrow\}$.
It remains to observe that $Q', Q'_\downarrow \models \delta(q_\psi, \sigma(i), \uparrow)[{\downarrow}q'/q' : q' \in Q]$ iff $Q'_\downarrow = Q^\dagger \cup Q^\dagger_\downarrow$ for some $Q^\dagger, Q^\dagger_\downarrow \models \delta(q_\psi, \sigma(i), \uparrow)$, so (v) and (vi) are equivalent. □

2.4 Counter Automata

We introduce below a class of nondeterministic automata on $\omega$-words which have $\varepsilon$ transitions and $\mathbb{N}$-valued counters. The set of counters of such an automaton will have structure: there will be a finite set called the basis of the automaton, and each counter will be a nonempty subset of the basis. In the course of a transition, the automaton will be able either to increment a counter, or to decrement a counter if nonzero, or to perform a simultaneous nondeterministic transfer with respect to a mapping $f$ from counters to sets of counters. The latter transfers the value of each counter $c$ to the counters in $f(c)$, nondeterministically splitting it. However, only mappings which satisfy a distributivity constraint in terms of the structure of the set of counters may be used.
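Before the counter automata are developed further, the following is an added Python rendering of Sections 2.2 and 2.3, written for this page and not code from the paper. It computes minimal models of positive Boolean formulae over $Q \cup {\downarrow}Q$, implements the relation $F \xrightarrow{\sigma, i} F'$ on finite prefixes (which is enough for a safety automaton: a prefix with no run rejects every extension, by the argument of Proposition 2.2), encodes the automaton of Example 2.1, and applies the translation $\delta$ of Theorem 2.5 to the sentence of Example 2.4, so that the claim of Example 2.4 can be checked exhaustively on short data words. The tuple encodings of formulae, the function names and the sample data words are my own constructions, not notation from the paper.

```python
from itertools import product

# Positive Boolean formulae over Q ∪ ↓Q (Section 2.2) as nested tuples: ('st', q) is the
# literal q (q keeps the register value), ('dn', q) is ↓q (q takes the class of the current
# position), True/False are ⊤/⊥, and ('and', f, g), ('or', f, g) are the connectives.
def minimal_models(phi):
    """Minimal pairs (Q', Q'↓) satisfying phi, as frozensets of literals. Minimal models
    suffice: a subset of a set of configurations with an infinite run also has one."""
    if phi is True:
        return {frozenset()}
    if phi is False:
        return set()
    if phi[0] in ('st', 'dn'):
        return {frozenset([phi])}
    left, right = minimal_models(phi[1]), minimal_models(phi[2])
    models = {a | b for a in left for b in right} if phi[0] == 'and' else left | right
    return {m for m in models if not any(n < m for n in models)}

def step(automaton, F, letter, cls):
    """All F' with F --(σ,i)--> F' at a position carrying `letter` in class `cls`;
    configurations are (state, class) pairs and a missing δ entry is ⊥ (rejection)."""
    choices = []
    for q, D in F:
        models = minimal_models(automaton['delta'].get((q, letter, D == cls), False))
        if not models:
            return set()                    # ⟨q, D⟩ is a rejecting configuration
        choices.append([(D, m) for m in models])
    return {frozenset((q2, D if tag == 'st' else cls) for D, m in pick for tag, q2 in m)
            for pick in product(*choices)}

def survives(automaton, word):
    """True iff there is a run F_0 --> ... --> F_n on the finite data word `word`, a list of
    (letter, datum) pairs. For a safety 1ARA_1, False means every ω-extension is rejected."""
    frontier = {frozenset([(automaton['init'], word[0][1])])} if word else set()
    for letter, datum in word:
        frontier = set().union(*(step(automaton, F, letter, datum) for F in frontier))
        if not frontier:
            return False
    return True

# Example 2.1 (Figure 1): δ(q, a, ?) = q ∧ ↓q' and δ(q'', b, ↑) = ⊥; the rest are loops.
q0, q1, q2 = 'q', "q'", "q''"
BOTH = (True, False)                        # ↑ and ≁, when the register is irrelevant
EXAMPLE_2_1 = {'init': q0, 'delta': {
    **{(q0, x, s): ('st', q0) for x in 'bc' for s in BOTH},
    **{(q0, 'a', s): ('and', ('st', q0), ('dn', q1)) for s in BOTH},
    **{(q1, x, s): ('st', q1) for x in 'ab' for s in BOTH},
    **{(q1, 'c', s): ('st', q2) for s in BOTH},
    **{(q2, x, s): ('st', q2) for x in 'ac' for s in BOTH},
    (q2, 'b', False): ('st', q2)}}          # (q'', b, ↑) is absent, i.e. ⊥

# Theorem 2.5. LTL formulae are tuples ('atom', a), True, False, ('and', f, g), ('or', f, g),
# ('X', f), ('R', f, g), ('freeze', f) for ↓f, ('up',), ('notup',); the state q_φ' is φ' itself.
def freeze(form):
    """The substitution [↓q'/q' : q' ∈ Q] on a positive Boolean formula."""
    if form is True or form is False or form[0] == 'dn':
        return form
    if form[0] == 'st':
        return ('dn', form[1])
    return (form[0], freeze(form[1]), freeze(form[2]))

def ltl_delta(phi, letter, same):
    """δ(q_φ', a, ?) by structural recursion; `same` is True for ↑ and False for ≁."""
    if phi is True or phi is False:
        return phi
    tag = phi[0]
    if tag == 'atom':
        return phi[1] == letter
    if tag in ('up', 'notup'):
        return same if tag == 'up' else not same
    if tag in ('and', 'or'):
        return (tag, ltl_delta(phi[1], letter, same), ltl_delta(phi[2], letter, same))
    if tag == 'X':
        return ('st', phi[1])
    if tag == 'R':
        return ('and', ltl_delta(phi[2], letter, same),
                ('or', ltl_delta(phi[1], letter, same), ('st', phi)))
    return freeze(ltl_delta(phi[1], letter, True))      # tag == 'freeze'

def ltl_to_automaton(phi, alphabet):
    """States: φ, each ψ with Xψ a subformula of φ, and each subformula ψRχ of φ."""
    states, todo = {phi}, [phi]
    while todo:
        f = todo.pop()
        if isinstance(f, tuple):
            if f[0] in ('X', 'R'):
                states.add(f[1] if f[0] == 'X' else f)
            todo.extend(f[1:])
    return {'init': phi, 'delta': {(q, a, s): ltl_delta(q, a, s)
                                   for q in states for a in alphabet for s in BOTH}}

A, B, C, NEQ = ('atom', 'a'), ('atom', 'b'), ('atom', 'c'), ('notup',)
# Example 2.4, G(b ∨ c ∨ ↓XG(a ∨ b ∨ XG(a ∨ c ∨ ≁))), with Gφ written as ('R', False, φ).
PHI_2_4 = ('R', False, ('or', ('or', B, C), ('freeze', ('X', ('R', False, ('or', ('or', A, B),
          ('X', ('R', False, ('or', ('or', A, C), NEQ)))))))))

def agree_on_prefixes(aut1, aut2, alphabet, data, max_len):
    """Exhaustive check that both automata survive the same data words up to max_len."""
    words = (list(zip(ls, ds)) for n in range(1, max_len + 1)
             for ls in product(alphabet, repeat=n) for ds in product(data, repeat=n))
    return all(survives(aut1, w) == survives(aut2, w) for w in words)
```

`survives(EXAMPLE_2_1, [('a', 1), ('c', 2), ('b', 1)])` is False (the $b$ carries the datum of the $a$ and a $c$ lies between them), whereas `survives(EXAMPLE_2_1, [('a', 1), ('c', 2), ('b', 3)])` is True. `agree_on_prefixes(ltl_to_automaton(PHI_2_4, 'abc'), EXAMPLE_2_1, 'abc', (1, 2), 4)` is True, which is the claim of Example 2.4 checked on every data word of length at most 4 over two data. The translated automaton keeps the $\mathsf{G}$ states alive where the hand-drawn one moves $q'$ to $q''$, but both reject exactly the same prefixes. Only minimal models of each $\delta$ formula are explored; this is sound because the existence of an infinite run is downward closed on sets of configurations.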
The observation that simultaneous nondeterministic transfers arising from translating safety 1ARA$_1$ are distributive (cf. the proof of Theorem 3.2), and that distributivity enables nonemptiness of the counter automata to be decided in space exponential in basis size (cf. the proof of Theorem 3.3), are key components of the paper.

We shall only consider automata with no cycles of $\varepsilon$ transitions, and they will recognise safety languages, so every infinite run will accept some $\omega$-word. The automata will be faulty in the sense that their counters may erroneously increase at any time.

Formally, for a finite set $X$ and $C \subseteq \mathcal{P}(X) \setminus \{\emptyset\}$, let $\mathcal{L}(C)$ be the set of all instructions:
— $\langle \mathsf{inc}, c\rangle$ and $\langle \mathsf{dec}, c\rangle$ for $c \in C$;
— $\langle \mathsf{transf}, f\rangle$ for mappings $f : C \to \mathcal{P}(C)$ which are distributive as follows: whenever $c \in C$, $c \subseteq \bigcup_{i=1}^k c_i$, and $c'_i \in f(c_i)$ for each $i = 1, \ldots, k$, there exists $c' \in f(c)$ such that $c' \subseteq \bigcup_{i=1}^k c'_i$.

A safety powerset counter automaton with nondeterministic transfers and incrementing errors (shortly, safety IPCANT) $\mathcal{C}$ is a tuple $\langle \Sigma, Q, q_I, X, C, \delta\rangle$ such that:
— $\Sigma$ is a finite alphabet;
— $Q$ is a finite set of states, and $q_I$ is the initial state;
— $X$ is a finite set called the basis, and $C \subseteq \mathcal{P}(X) \setminus \{\emptyset\}$ is the set of counters;
— $\delta \subseteq Q \times (\Sigma \uplus \{\varepsilon\}) \times \mathcal{L}(C) \times Q$ is a transition relation which does not contain a cycle of $\varepsilon$ transitions.

A configuration of $\mathcal{C}$ is a pair $\langle q, v\rangle$, where $q \in Q$ and $v$ is a counter valuation, i.e. $v : C \to \mathbb{N}$. We say that $\langle q, v\rangle$ has an error-free transition labelled by $w \in \Sigma \uplus \{\varepsilon\}$ and performing $l \in \mathcal{L}(C)$ to $\langle q', v'\rangle$, and we write $\langle q, v\rangle \xrightarrow{w, l}_{\surd} \langle q', v'\rangle$, iff $\langle q, w, l, q'\rangle \in \delta$ and $v'$ can be obtained from $v$ by $l$.
The latter is defined as follows:
— instructions $\langle \mathsf{inc}, c\rangle$ and $\langle \mathsf{dec}, c\rangle$ have the standard interpretations, where $\langle \mathsf{dec}, c\rangle$ is firable iff $v(c) > 0$;
— $v'$ can be obtained from $v$ by $\langle \mathsf{transf}, f\rangle$ iff there exist $K^c_{c'} \ge 0$ for each $c \in C$ and $c' \in f(c)$, such that:
$$\text{for each } c \in C,\ v(c) = \sum_{c' \in f(c)} K^c_{c'} \qquad\qquad \text{for each } c' \in C,\ v'(c') = \sum_{f(c) \ni c'} K^c_{c'}$$
in particular, $\langle \mathsf{transf}, f\rangle$ is firable iff $v(c) = 0$ whenever $f(c) = \emptyset$.

For counter valuations $v$ and $v_\surd$, we write $v \le v_\surd$ iff, for all $c$, $v(c) \le v_\surd(c)$. To allow transitions of $\mathcal{C}$ to contain incrementing errors, we define $\langle q, v\rangle \xrightarrow{w, l} \langle q', v'\rangle$ to mean that there exist $v_\surd$ and $v'_\surd$ with $v \le v_\surd$, $\langle q, v_\surd\rangle \xrightarrow{w, l}_{\surd} \langle q', v'_\surd\rangle$ and $v'_\surd \le v'$.

We say that $\mathcal{C}$ accepts an $\omega$-word $w$ over $\Sigma$ iff $\mathcal{C}$ has a run $\langle q_0, v_0\rangle \xrightarrow{w_0, l_0} \langle q_1, v_1\rangle \xrightarrow{w_1, l_1} \cdots$ where $\langle q_0, v_0\rangle$ is the initial configuration $\langle q_I, \mathbf{0}\rangle$ and $w = w_0 w_1 \ldots$.

Example 2.6. Given $Y \subseteq X$, let $f_Y(c) = \emptyset$ if $c \cap Y \neq \emptyset$, and $f_Y(c) = \{c\}$ otherwise. Observe that $f_Y$ is distributive: if $c \subseteq \bigcup_{i=1}^k c_i$ and each $f_Y(c_i)$ is nonempty, then no $c_i$ meets $Y$, so neither does $c$, and $c' = c \in f_Y(c)$ is contained in $\bigcup_{i=1}^k c'_i = \bigcup_{i=1}^k c_i$. The instruction $\langle \mathsf{transf}, f_Y\rangle$ is firable iff each counter which intersects $Y$ is zero, and it does not change the value of any counter. Hence, we may write $\langle \mathsf{ifz}_\cap, Y\rangle$ instead of $\langle \mathsf{transf}, f_Y\rangle$.

Suppose $C = \{\{x\} : x \in X\}$, i.e. the set of counters has no structure. The instruction $\langle \mathsf{ifz}_\cap, Y\rangle$ is firable iff each counter $\{x\}$ for $x \in Y$ is zero. Observe that every $f : C \to \mathcal{P}(C)$ is distributive, since $c \subseteq \bigcup_{i=1}^k c_i$ forces $c = c_i$ for some $i$, and then $c' = c'_i$ works. For instance, given $c \in C$ and nonempty $C' \subseteq C$, let $f_{c,C'}(c) = C'$ and $f_{c,C'}(c') = \{c'\}$ for $c' \neq c$. The instruction $\langle \mathsf{transf}, f_{c,C'}\rangle$ nondeterministically distributes the value of $c$ to the counters in $C'$.
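As an added illustration of the transfer instruction and of Example 2.6 (Python written for this page, not code from the paper), the following checks the distributivity constraint by brute force, enumerates every valuation obtainable by $\langle \mathsf{transf}, f\rangle$ according to the $K^c_{c'}$ definition above, and reproduces $f_Y$ and $f_{c,C'}$. The basis $\{x, y\}$, the counter sets `STRUCTURED` and `SINGLETONS`, and the non-distributive mapping `BAD_F` are constructed instances; the function names are my own.

```python
from itertools import combinations, product

def is_distributive(counters, f):
    """Distributivity from Section 2.4: whenever c ⊆ c_1 ∪ ... ∪ c_k and c'_i ∈ f(c_i) for
    each i, some c' ∈ f(c) satisfies c' ⊆ c'_1 ∪ ... ∪ c'_k. Counters are frozensets over
    the basis and f maps a counter to a set of counters. One choice per distinct c_i is
    enough, since repeating a c_i can only enlarge the right-hand union."""
    counters = list(counters)
    for c in counters:
        for r in range(1, len(counters) + 1):
            for cover in combinations(counters, r):
                if not c <= frozenset().union(*cover):
                    continue
                for targets in product(*(f[d] for d in cover)):   # none if some f(d) = ∅
                    united = frozenset().union(*targets)
                    if not any(c2 <= united for c2 in f[c]):
                        return False
    return True

def transfer_results(f, v):
    """All v' obtainable from v by ⟨transf, f⟩: v(c) is split as K^c_{c'} ≥ 0 over c' ∈ f(c)
    and v'(c') sums what it receives. Valuations are returned as frozensets of
    (counter, value) pairs; an empty result means the instruction is not firable, which
    is exactly the case v(c) > 0 for some c with f(c) = ∅."""
    def splits(n, k):                       # all k-tuples of naturals summing to n
        if k == 0:
            return [()] if n == 0 else []
        return [(i,) + rest for i in range(n + 1) for rest in splits(n - i, k - 1)]
    options = []
    for c in v:
        targets = list(f[c])
        options.append([(targets, s) for s in splits(v[c], len(targets))])
    results = set()
    for pick in product(*options):
        v2 = dict.fromkeys(v, 0)
        for targets, s in pick:
            for c2, k in zip(targets, s):
                v2[c2] += k
        results.add(frozenset(v2.items()))
    return results

def ifz_cap(counters, Y):
    """Example 2.6: f_Y(c) = ∅ if c ∩ Y ≠ ∅ and {c} otherwise; ⟨transf, f_Y⟩ is ⟨ifz∩, Y⟩."""
    Y = frozenset(Y)
    return {c: (set() if c & Y else {c}) for c in counters}

def distribute(counters, c, targets):
    """Example 2.6: f_{c,C'} sends the value of c to the counters in C' and fixes the rest."""
    return {d: (set(targets) if d == c else {d}) for d in counters}

# Constructed instances: the structured counter set of all nonempty subsets of the basis
# {x, y}, and the unstructured set of singletons from Example 2.6.
X1, Y1, XY = frozenset('x'), frozenset('y'), frozenset('xy')
STRUCTURED = {X1, Y1, XY}
SINGLETONS = {X1, Y1}
# Not distributive: {y} ⊆ {x, y} and f({x, y}) = {{x}}, but nothing in f({y}) fits inside {x}.
BAD_F = {X1: {X1}, Y1: {Y1}, XY: {X1}}
```

`is_distributive(STRUCTURED, ifz_cap(STRUCTURED, 'x'))` and `is_distributive(SINGLETONS, distribute(SINGLETONS, X1, {X1, Y1}))` are both True, while `is_distributive(STRUCTURED, BAD_F)` is False. `transfer_results(distribute(SINGLETONS, X1, {X1, Y1}), {X1: 2, Y1: 1})` yields the three valuations $(2, 1)$, $(1, 2)$, $(0, 3)$, and `transfer_results(ifz_cap(STRUCTURED, 'x'), {X1: 1, Y1: 0, XY: 0})` is empty because the counter $\{x\}$ meets $Y$ and is nonzero. The same checker confirms that the mapping $c \mapsto \{d : c \subseteq d\}$ used to define $\sqsubseteq$ before Lemma 3.1 is distributive on `STRUCTURED`. The enumeration is exponential in the number of counters and is meant for small instances only.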
For $\mathcal{C}$ as above, let us say that a transition $\langle q, v\rangle \xrightarrow{w, l} \langle q', v'\rangle$ is lazy iff either $\langle q, v\rangle \xrightarrow{w, l}_{\surd} \langle q', v'\rangle$, or $l$ is of the form $\langle \mathsf{dec}, c\rangle$, $v(c) = 0$ and $v' = v$. Thus, in lazy transitions, only incrementing errors which enable decrements of counters with value 0 may occur. The following straightforward proposition shows that restricting to lazy transitions does not affect the languages of safety IPCANTs.

Proposition 2.7. Whenever $\langle q, v\rangle \xrightarrow{w, l} \langle q', v'\rangle$ is a transition of a safety IPCANT $\mathcal{C}$ and $v^\dagger \le v$, there exists a lazy transition $\langle q, v^\dagger\rangle \xrightarrow{w, l} \langle q', v'^\dagger\rangle$ of $\mathcal{C}$ such that $v'^\dagger \le v'$.

A set $L$ of $\omega$-words over an alphabet $\Sigma$ is called safety [Alpern and Schneider 1987] iff it is closed under limits of finite prefixes, i.e. for each $\omega$-word $w$, if for each $i > 0$ there exists $w'_i \in L$ such that the $i$-prefixes of $w$ and $w'_i$ are equal, then $w \in L$. For each safety IPCANT, the tree of all its lazy runs is finitely branching, so by simplifying the argument in the proof of Proposition 2.2, and by Proposition 2.7, we obtain:

Proposition 2.8. The language of each safety IPCANT is safety.

3. UPPER BOUND

This section contains a two-stage proof that nonemptiness of safety 1ARA$_1$ is in ExpSpace. The first theorem below shows that each such automaton $\mathcal{A}$ is translatable to a safety IPCANT $\mathcal{C}_{\mathcal{A}}$ of at most exponential size, but whose basis size is polynomially (in fact, linearly) bounded. Nonemptiness is preserved, since $\mathcal{C}_{\mathcal{A}}$ accepts exactly the string projections of data $\omega$-words in the language of $\mathcal{A}$. By the second theorem, nonemptiness of $\mathcal{C}_{\mathcal{A}}$ is decidable in space exponential in its basis size and polynomial (in fact, polylogarithmic) in its alphabet size and number of states, so space exponential in the size of $\mathcal{A}$ suffices overall.

We start with a piece of notation and a lemma about IPCANT.
Suppose $\mathcal{C}$ is a set of counters over a basis $X$. For counter valuations $v_\surd$ and $v$, let us write $v_\surd \sqsubseteq v$ iff there exists $v^\dagger \leq v$ which can be obtained from $v_\surd$ by performing $\langle transf, c \mapsto \{d : c \subseteq d\}\rangle$. The lemma states that $\sqsubseteq$ is downwards compatible with every simultaneous nondeterministic transfer.

Lemma 3.1. Whenever $v_\surd \sqsubseteq v$ and $v'$ is obtainable from $v$ by some $\langle transf, f\rangle$ with distributive $f$, there exists $v'_\surd$ obtainable from $v_\surd$ by $\langle transf, f\rangle$ and such that $v'_\surd \sqsubseteq v'$.

Proof. We use the following shorthand: $\tilde{v} = \bigcup_{c \in \mathcal{C}} \{\langle c, 1\rangle, \ldots, \langle c, v(c)\rangle\}$. The assumptions are equivalent to existence of: an injective $\iota : \tilde{v}_\surd \to \tilde{v}$ such that $c \subseteq d$ whenever $\iota\langle c, i\rangle = \langle d, j\rangle$, and a bijective $\beta : \tilde{v} \to \tilde{v}'$ such that $f(d) \ni d'$ whenever $\beta\langle d, j\rangle = \langle d', j'\rangle$. For each $\langle c, i\rangle \in \tilde{v}_\surd$, we have $c \subseteq d$ where $\iota\langle c, i\rangle = \langle d, j\rangle$, and $f(d) \ni d'$ where $\beta\langle d, j\rangle = \langle d', j'\rangle$, so by distributivity of $f$, there exists $c' \in f(c)$ such that $c' \subseteq d'$. Hence, there exist a counter valuation $v'_\surd$ and a bijective $\beta_\surd : \tilde{v}_\surd \to \tilde{v}'_\surd$ such that $c' \in f(c)$ and $c' \subseteq d'$ whenever $\beta_\surd\langle c, i\rangle = \langle c', i'\rangle$ and $(\beta \circ \iota)\langle c, i\rangle = \langle d', j'\rangle$. It remains to observe that $\beta \circ \iota \circ \beta_\surd^{-1}$ is an injection from $\tilde{v}'_\surd$ to $\tilde{v}'$.

Theorem 3.2. Given a safety 1ARA$_1$ $A$, a safety IPCANT $C_A$ is computable in polynomial space, such that $C_A$ and $A$ have the same alphabet, the basis size of $C_A$ is linear in the number of states of $A$, and $L(C_A) = \{str(\sigma) : \sigma \in L(A)\}$.

Proof.
The proof is an adaptation of the proof of [Demri and Lazić 2009, Theorem 4.4], where it was shown how to translate in polynomial space weak 1ARA$_1$ to Büchi nondeterministic counter automata with $\varepsilon$ transitions and incrementing errors, and whose instructions are increments, decrements and zero tests of individual counters. We show below essentially that, since $A$ is safety, zero tests of individual counters, cycles of $\varepsilon$ transitions and the Büchi acceptance condition can be eliminated using nondeterministic transfers with a suitable basis and set of counters, resulting in a safety IPCANT.

Let $A = \langle \Sigma, Q, q_I, \delta\rangle$. We first introduce an abstraction which maps a finite set $F$ of configurations of $A$ at a position $i$ of a data word $\sigma$ over $\Sigma$ to a triple $\langle a, Q^\uparrow, \sharp\rangle$ such that: $a = \sigma(i)$, $Q^\uparrow$ is the set of all states that occur in $F$ paired with $[i]_\sim$, and for each nonempty $R \subseteq Q$, $\sharp(R)$ is the number of data $D \neq [i]_\sim$ for which $R$ is the set of all states that occur in $F$ paired with $D$. Thus, the abstraction records only the letter at position $i$, and equalities among the datum at position $i$ and data in configurations in $F$. We then observe that nonemptiness of $A$ is equivalent to existence of an infinite sequence of abstract transitions which starts from a triple of the form $\langle a, \{q_I\}, \mathbf{0}\rangle$. In other words, searching for a data $\omega$-word $\sigma$ over $\Sigma$ and an infinite run of $A$ on $\sigma$ can be performed one position at a time, while keeping in memory only the information recorded by the abstraction.

Formally, we define $H_A$ to be the set of all triples $\langle a, Q^\uparrow, \sharp\rangle$ for which $a \in \Sigma$, $Q^\uparrow \subseteq Q$, and $\sharp : \mathcal{P}(Q) \setminus \{\emptyset\} \to \mathbb{N}$.
For a data word $\sigma$ over $\Sigma$, a position $0 \leq i < |\sigma|$, and finite set $F$ of configurations, let $h(\sigma, i, F) = \langle \sigma(i), Q^\uparrow_{F,[i]_\sim}, \sharp_{F,[i]_\sim}\rangle$, where, for each nonempty $R \subseteq Q$:
$$Q^\uparrow_{F,D} = \{q : \langle q, D\rangle \in F\} \qquad\qquad \sharp_{F,D}(R) = |\{D' \neq D : Q^\uparrow_{F,D'} = R\}|$$

To obtain a successor of a member of $H_A$, for each configuration that it represents, sets of states which satisfy the appropriate positive Boolean formula in $A$ are chosen, and then two cases are distinguished: either the datum at the next position occurs in the next set of configurations, or not. Thus, we write $\langle a, Q^\uparrow, \sharp\rangle \to \langle a', Q'^\uparrow, \sharp'\rangle$ iff, for each $q \in Q^\uparrow$, there exist $Q_q, Q_q^\downarrow \models \delta(q, a, \uparrow)$, and for each nonempty $R \subseteq Q$, $j \in \{1, \ldots, \sharp(R)\}$ and $q \in R$, there exist $Q_{R,j,q}, Q_{R,j,q}^\downarrow \models \delta(q, a, \not\uparrow)$, such that:
— either $\sharp' = \sharp^\dagger[Q'^\uparrow \mapsto \sharp^\dagger(Q'^\uparrow) - 1]$,
— or $Q'^\uparrow = \emptyset$ and $\sharp' = \sharp^\dagger$,
where, for each nonempty $R' \subseteq Q$, $\sharp^\dagger(R')$ is defined as
$$|\{\langle R, j\rangle : \textstyle\bigcup_{q \in R} Q_{R,j,q} = R'\}| + \begin{cases} 1, & \text{if } \bigcup_{q \in Q^\uparrow} Q_q \cup \bigcup_{q \in Q^\uparrow} Q_q^\downarrow \cup \bigcup_{R,j} \bigcup_{q \in R} Q_{R,j,q}^\downarrow = R' \\ 0, & \text{otherwise} \end{cases}$$

We claim the following correspondence between infinite sequences of transitions in $H_A$ from initial triples and infinite runs of $A$ from initial configurations:

(*) $\langle a_0, Q_0^\uparrow, \sharp_0\rangle \to \langle a_1, Q_1^\uparrow, \sharp_1\rangle \to \cdots$ is an infinite sequence of transitions in $H_A$ such that $Q_0^\uparrow = \{q_I\}$ and $\sharp_0 = \mathbf{0}$ iff $A$ has an infinite run $F_0 \xrightarrow{\sigma,0} F_1 \xrightarrow{\sigma,1} \cdots$ on a data $\omega$-word $\sigma$ over $\Sigma$ such that $F_0 = \{\langle q_I, [0]_\sim\rangle\}$ and $\langle a_i, Q_i^\uparrow, \sharp_i\rangle = h(\sigma, i, F_i)$ for each $i \in \mathbb{N}$.

One direction is straightforward, since $h(\sigma, 0, \{\langle q_I, [0]_\sim\rangle\}) = \langle \sigma(0), \{q_I\}, \mathbf{0}\rangle$, and $F \xrightarrow{\sigma,i} F'$ implies $h(\sigma, i, F) \to h(\sigma, i+1, F')$.
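The abstraction $h(\sigma, i, F)$ just defined, as an added Python example that is not from the paper: a data word is given as its string projection plus one datum per position (the datum stands for the class $[i]_\sim$), a configuration is a (state, datum) pair, and the sample word, states and configurations are constructed. The renaming check exhibits what the text states, namely that $h$ keeps only the letter at $i$ and the equalities among data, not the data values themselves.

```python
from collections import Counter


def abstraction(string, data, i, F):
    """h(sigma, i, F) = <sigma(i), Q_up, sharp>.  Q_up is the set of states that
    F pairs with the datum at position i; sharp maps each nonempty state set R
    to the number of other data D for which R is exactly the set of states
    paired with D.  Sets R with count 0 are absent from the returned dict."""
    if len(data) != len(string) or not 0 <= i < len(string):
        raise ValueError("bad position or data/string length mismatch")
    d_i = data[i]
    by_datum = {}                       # datum D  ->  Q_up_{F,D}
    for q, D in F:
        by_datum.setdefault(D, set()).add(q)
    q_up = frozenset(by_datum.get(d_i, set()))
    sharp = Counter(frozenset(R) for D, R in by_datum.items() if D != d_i)
    return string[i], q_up, dict(sharp)


def rename_data(data, F, pi):
    """Apply a bijection pi on data values to the word's data and to F."""
    return [pi[D] for D in data], {(q, pi[D]) for q, D in F}


# Constructed sample: string projection "abcab"; positions 0 and 4 share a datum.
STRING, DATA = "abcab", [5, 7, 9, 11, 5]
# Constructed set of configurations at position 4 (data taken from positions 0..4).
F4 = {("p", 5), ("q", 5), ("p", 7), ("q", 7), ("r", 9), ("q", 11)}
PI = {5: 100, 7: 200, 9: 300, 11: 400}   # a constructed renaming of data values

if __name__ == "__main__":
    print(abstraction(STRING, DATA, 0, {("qI", 5)}))   # the initial triple <a, {qI}, 0>
    print(abstraction(STRING, DATA, 4, F4))
    data2, F4r = rename_data(DATA, F4, PI)
    print(abstraction(STRING, data2, 4, F4r) == abstraction(STRING, DATA, 4, F4))  # True
```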
For the other direction, suppose $\langle a_0, Q_0^\uparrow, \sharp_0\rangle \to \langle a_1, Q_1^\uparrow, \sharp_1\rangle \to \cdots$ is an infinite sequence of transitions in $H_A$, $Q_0^\uparrow = \{q_I\}$ and $\sharp_0 = \mathbf{0}$. For each $i \in \mathbb{N}$, let $\sigma_i$ be a data word over $\Sigma$ of length $i+1$ and $F_i$ be a set of configurations for $\sigma_i$ with $\langle a_i, Q_i^\uparrow, \sharp_i\rangle = h(\sigma_i, i, F_i)$, chosen as follows:
— We take $str(\sigma_0) = a_0$, $\sim_{\sigma_0} = \{\langle 0, 0\rangle\}$, and $F_0 = \{\langle q_I, \{0\}\rangle\}$.
— Given $\sigma_i$ and $F_i$, we choose $\sigma_{i+1}$ and $F_{i+1}$ for which $\sigma_i$ is the $(i+1)$-prefix of $\sigma_{i+1}$, $\langle a_{i+1}, Q_{i+1}^\uparrow, \sharp_{i+1}\rangle = h(\sigma_{i+1}, i+1, F_{i+1})$, and $F_i \xrightarrow{\sigma_i, i} F_{i+1}$.
Now, let $\sigma^\dagger$ be the limit of the $\sigma_i$, i.e. such that for each $i \in \mathbb{N}$, $\sigma_i$ is the $(i+1)$-prefix of $\sigma^\dagger$. For each $i \in \mathbb{N}$, let $F_i^\dagger$ be the unique set of configurations for $\sigma^\dagger$ that satisfies
$$F_i = \{\langle q, D \cap \{0, \ldots, i\}\rangle : \langle q, D\rangle \in F_i^\dagger\}$$
Observe that $|F_i^\dagger| = |F_i|$, so $F_i^\dagger$ is finite. Moreover, $h(\sigma^\dagger, i, F_i^\dagger) = h(\sigma_i, i, F_i)$, so $h(\sigma^\dagger, i, F_i^\dagger) = \langle a_i, Q_i^\uparrow, \sharp_i\rangle$. Finally, since $F_i \xrightarrow{\sigma_i, i} F_{i+1}$, we have $F_i^\dagger \xrightarrow{\sigma^\dagger, i} F_{i+1}^\dagger$.

The nondeterministic procedure below guesses an infinite sequence $\langle a_0, Q_0^\uparrow, \sharp_0\rangle \to \langle a_1, Q_1^\uparrow, \sharp_1\rangle \to \cdots$ of transitions in $H_A$ such that $Q_0^\uparrow = \{q_I\}$ and $\sharp_0 = \mathbf{0}$ in the following manner: whenever the main loop has been performed $i$ times and execution is at the end of step (2), $a$, $Q^\uparrow$ and the counters $c$ store $a_i$, $Q_i^\uparrow$ and $\sharp_i$ (respectively), and all the counters $d$ have value 0. In the notation of the definition above of transitions in $H_A$, each $d(R', R'^\downarrow)$ is used to count the number of pairs $\langle R, j\rangle$ such that $\bigcup_{q \in R} Q_{R,j,q} = R'$ and $\bigcup_{q \in R} Q_{R,j,q}^\downarrow = R'^\downarrow$. If one or more choices in steps (3) or (4) are not possible, the procedure blocks.
(0) Set $c(R) := 0$ for each nonempty $R \subseteq Q$, and $d(R, R^\downarrow) := 0$ for each $R, R^\downarrow \subseteq Q$.
(1) Set $Q^\uparrow := \{q_I\}$.
(2) Choose $a \in \Sigma$.
(3) While $c(R) > 0$ for some nonempty $R \subseteq Q$, do:
— decrement $c(R)$;
— for each $q \in R$, choose $Q_q, Q_q^\downarrow \models \delta(q, a, \not\uparrow)$;
— increment $d(\bigcup_{q \in R} Q_q, \bigcup_{q \in R} Q_q^\downarrow)$.
(4) For each $q \in Q^\uparrow$, choose $Q_q, Q_q^\downarrow \models \delta(q, a, \uparrow)$.
(5) Increment $c(\bigcup_{q \in Q^\uparrow} Q_q \cup \bigcup_{q \in Q^\uparrow} Q_q^\downarrow \cup \bigcup_{d(R, R^\downarrow) > 0} R^\downarrow)$.
(6) While $d(R, R^\downarrow) > 0$ for some $R, R^\downarrow \subseteq Q$, decrement $d(R, R^\downarrow)$, and increment $c(R)$ if $R$ is nonempty.
(7) Either choose nonempty $Q^\uparrow$ with $c(Q^\uparrow) > 0$ and decrement $c(Q^\uparrow)$, or $Q^\uparrow := \emptyset$.
(8) Repeat from (2).

By (*), we have that the procedure has an infinite execution such that the letters chosen in step (2) are $a_0, a_1, \ldots$ iff $A$ accepts a data $\omega$-word $\sigma$ such that $a_i = \sigma(i)$ for each $i \in \mathbb{N}$. Therefore, in the remainder of the proof, we show that the procedure is implementable by a safety IPCANT $C_A$ which is computable in polynomial space and whose basis size is linear in $|Q|$.

For $R, R^\downarrow \subseteq Q$, let
$$\overline{R} = \{*\} \cup \{q : q \in R\} \qquad\qquad \overline{R, R^\downarrow} = \{*\} \cup \{q : q \in R\} \cup \{q^\downarrow : q \in R^\downarrow\}$$
We define the basis of $C_A$ as $\overline{Q} \cup \overline{Q, Q}$ (where we assume disjointness), and the counters of $C_A$ are: $\overline{R}$ for each $R \subseteq Q$, and $\overline{R, R^\downarrow}$ for each $R, R^\downarrow \subseteq Q$. The set of counters of $C_A$ is thus essentially $\mathcal{P}(Q) \cup \mathcal{P}(Q)^2$. Note that, compared to the procedure above, $C_A$ has the extra counter $\overline{\emptyset}$. The states of $C_A$ are used for control, and for storing the letters from $\Sigma$ as well as the elements and subsets of $Q$. Step (0) is implemented by default, and steps (1), (2), (4) and (8) are straightforward.
Step (3) can be performed by a single simultaneous nondeterministic transfer, with the mapping
$$\Big\{\overline{R} \mapsto \Big\{\overline{\textstyle\bigcup_{q \in R} Q_q, \bigcup_{q \in R} Q_q^\downarrow} : \forall q \in R\, (Q_q, Q_q^\downarrow \models \delta(q, a, \not\uparrow))\Big\},\ \overline{R, R^\downarrow} \mapsto \{\overline{R, R^\downarrow}\} : R, R^\downarrow \subseteq Q\Big\}$$
whose distributivity is a key component of the paper. To show that it holds, suppose $\overline{R} \subseteq \bigcup_{i=1}^k \overline{R_i}$, and $Q_{i,q}, Q_{i,q}^\downarrow \models \delta(q, a, \not\uparrow)$ for each $i \in \{1, \ldots, k\}$ and $q \in R_i$. Given $q \in R$, let $i_q$ be such that $q \in R_{i_q}$. We then have, as required:
$$\overline{\textstyle\bigcup_{q \in R} Q_{i_q,q}, \bigcup_{q \in R} Q_{i_q,q}^\downarrow} \subseteq \bigcup_{i=1}^k \overline{\textstyle\bigcup_{q \in R_i} Q_{i,q}, \bigcup_{q \in R_i} Q_{i,q}^\downarrow}$$

The following is an implementation of step (5):
— Set $R' := \bigcup_{q \in Q^\uparrow} Q_q \cup \bigcup_{q \in Q^\uparrow} Q_q^\downarrow$.
— For each $q \in Q$, either perform the transfer that verifies that each $\overline{R, R^\downarrow}$ with $q \in R^\downarrow$ is zero (cf. Example 2.6), or choose $R, R^\downarrow \subseteq Q$ with $q \in R^\downarrow$, decrement $\overline{R, R^\downarrow}$, increment $\overline{R, R^\downarrow}$ and set $R' := R' \cup \{q\}$.
— Increment $\overline{R'}$.

For step (6), we use the transfer with the mapping $\{\overline{R} \mapsto \{\overline{R}\},\ \overline{R, R^\downarrow} \mapsto \{\overline{R}\} : R, R^\downarrow \subseteq Q\}$, which is distributive since $\overline{R, R^\downarrow} \subseteq \bigcup_{i=1}^k \overline{R_i, R_i^\downarrow}$ implies $\overline{R} \subseteq \bigcup_{i=1}^k \overline{R_i}$. Finally, in step (7), if $Q^\uparrow := \emptyset$ is performed, then either $\overline{\emptyset}$ is decremented or not. Observe therefore that the auxiliary counter $\overline{\emptyset}$ is transferred to $\overline{\emptyset, \emptyset}$ in step (3), that $\overline{\emptyset, \emptyset}$ is transferred to $\overline{\emptyset}$ in step (6), and that those two counters do not affect anything else.

In step (2), $C_A$ performs an $a$ transition, and all other transitions are $\varepsilon$. However, the only cycle in the transition graph of $C_A$ corresponds to the loop (2)–(8), so the requirement of no cycles of $\varepsilon$ transitions is met. The only nontrivial aspect of computing $C_A$ in space polynomial in the size of $A$ is the implementation of step (3).
However, for each $R \subseteq Q$, the set $\{\overline{\bigcup_{q \in R} Q_q, \bigcup_{q \in R} Q_q^\downarrow} : \forall q \in R\, (Q_q, Q_q^\downarrow \models \delta(q, a, \not\uparrow))\}$ can be output by iterating over all mappings $q \mapsto \langle Q_q, Q_q^\downarrow\rangle$ from $R$ to $\mathcal{P}(Q)^2$. Each such mapping can be stored in space $2|Q|^2$, and deciding $Q_q, Q_q^\downarrow \models \delta(q, a, \not\uparrow)$ amounts to evaluating a propositional formula.

It remains to show that incrementing errors cannot cause $C_A$ to accept an $\omega$-word $a_0 a_1 \ldots$ which it does not accept without incrementing errors. Informally, that is the case because incrementing errors in runs of $C_A$ amount to introductions of spurious threads into corresponding runs of $A$, which can only make acceptance harder. Suppose $C_A$ accepts an $\omega$-word $a_0 a_1 \ldots$, i.e. the implementation of the procedure above has an infinite execution $E$ which may contain incrementing errors and which chooses in step (2) the letters $a_0, a_1, \ldots$. Below, we define an error-free infinite execution $E_\surd$ such that the letters chosen in step (2) are also $a_0, a_1, \ldots$, and we show by induction that the following are satisfied before each step:
(i) $v_\surd \sqsubseteq v$ (cf. Lemma 3.1), where $v$ and $v_\surd$ are the current counter valuations in $E$ and $E_\surd$ (respectively);
(ii) $Q_\surd^\uparrow \subseteq Q^\uparrow$, if $Q^\uparrow$ and $Q_\surd^\uparrow$ are defined, where they are the current values of the variable in $E$ and $E_\surd$ (respectively).
Initially, we have that $v$ and $v_\surd$ equal $\mathbf{0}$, and that $Q^\uparrow$ and $Q_\surd^\uparrow$ are undefined, so the inductive base is trivial. We also have that $v_\surd \sqsubseteq v$ and $v \leq v'$ imply $v_\surd \sqsubseteq v'$, i.e. the $\sqsubseteq$ relation is preserved by incrementing errors in the second argument.

Steps (1) and (2). $E_\surd$ performs the same transitions as $E$.

Steps (3) and (6). $E_\surd$ performs the transfers as in Lemma 3.1.

Step (4). For each $q \in Q_\surd^\uparrow \subseteq Q^\uparrow$, the same $Q_q$ and $Q_q^\downarrow$ are chosen in $E_\surd$ as in $E$.

Step (5).
For each $q \in Q$, if there exist $R_\surd$ and $R_\surd^\downarrow \ni q$ such that $v_\surd(\overline{R_\surd, R_\surd^\downarrow}) > 0$, we have by (i) that there exist $R$ and $R^\downarrow \ni q$ such that $v(\overline{R, R^\downarrow}) > 0$. It follows that $R'_\surd \subseteq R'$, where $R'$ is the value of the variable after the implementation of step (5) is executed in $E$, and $R'_\surd$ is the value after the unique error-free execution in $E_\surd$. Hence, (i) is preserved.

Step (7). Let $\iota : \tilde{v}_\surd \to \tilde{v}$ be an injection (cf. the proof of Lemma 3.1), and $Q^\uparrow$ be the value chosen in $E$. If $\overline{Q^\uparrow}$ is decremented and $\iota\langle \overline{Q_\surd^\uparrow}, i\rangle = \langle \overline{Q^\uparrow}, j\rangle$ for some $Q_\surd^\uparrow$, $i$ and $j$ (in particular, $Q_\surd^\uparrow \subseteq Q^\uparrow$), then choose such $Q_\surd^\uparrow$ in $E_\surd$ and decrement $\overline{Q_\surd^\uparrow}$. Otherwise, choose $\emptyset$ in $E_\surd$ without decrementing. That completes the definition of $E_\surd$ and the proof.

Theorem 3.3. Nonemptiness of safety IPCANT is decidable in space exponential in basis size and polylogarithmic in alphabet size and number of locations.

Proof. Suppose $C = \langle \Sigma, Q, q_I, X, \mathcal{C}, \delta\rangle$ is a safety IPCANT. By Proposition 2.7, $C$ is nonempty iff it has an infinite sequence of lazy transitions from the initial configuration. We define positive integers $\alpha_i$ and $U_i$ for $i = 0, \ldots, |X|$ as follows:
$$\alpha_0 = |Q| \qquad U_0 = 1 \qquad\qquad \alpha_{i+1} = 2(|X| - i)\,\alpha_i U_i^{|\mathcal{C}|} \qquad U_{i+1} = 3\,\alpha_i U_i^{|\mathcal{C}|}$$
Let $m = 2\,\alpha_{|X|} U_{|X|}^{|\mathcal{C}|}$. We shall show:

(I) If $C$ has a sequence of $m - 1$ lazy transitions from the initial configuration, then it has an infinite sequence.

Therefore, nonemptiness of $C$ can be decided nondeterministically by guessing a sequence of $m - 1$ lazy transitions from the initial configuration. In every such sequence, each transition increases the sum of all counters by at most 1, so no counter can exceed $m - 1$. Since $m < 2^{2^{2|X|^2 + |X|} \log(3|Q|)}$ and $|\mathcal{C}| < 2^{|X|}$, a single configuration can be stored in space $2^{O(|X|^2)}\, O(\log |Q|)$.
To guess a sequence of length $m - 1$, it suffices to store at most two configurations, the number of transitions guessed so far, and a fixed number of variables bounded by $|C| = 2^{2^{O(|X|)}}\, O(|\Sigma| \cdot |Q|)$ for indexing the transition relation of $C$. Hence, nonemptiness of $C$ is decidable nondeterministically in space $2^{O(|X|^2)}\, O(\log(|\Sigma| \cdot |Q|))$, so by Savitch's Theorem, there is a deterministic algorithm of space complexity $2^{O(|X|^2)}\, O(\log(|\Sigma| \cdot |Q|)^2)$.

To show (I), suppose $C$ has a sequence of lazy transitions $S = \langle q_1, v_1\rangle \xrightarrow{w_1,l_1} \cdots \xrightarrow{w_{m-1},l_{m-1}} \langle q_m, v_m\rangle$ from the initial configuration, but no infinite sequence. By careful repeated uses of the pigeonhole principle and the distributivity of simultaneous nondeterministic transfers, we shall obtain the contradiction that $S$ must contain two equal configurations. To start with, some state must occur among $q_1, \ldots, q_m$ at least $m/|Q|$ times, so let $q \in Q$ and $J_0 \subseteq \{1, \ldots, m\}$ be such that $|J_0| = m/\alpha_0 U_0^{|\mathcal{C}|}$ and $q_j = q$ for each $j \in J_0$. We claim:

(II) There exist an enumeration $x_1, \ldots, x_{|X|}$ of $X$, and for $i = 1, \ldots, |X|$, mappings $u_i : \mathcal{C}_i \to \{0, \ldots, U_i - 1\}$ where $\mathcal{C}_i = \{c \in \mathcal{C} : x_i \in c \wedge x_1, \ldots, x_{i-1} \notin c\}$, and subsets $J_i$ of $\{1, \ldots, m\}$ of size $m/\alpha_i U_i^{|\mathcal{C}|}$, such that the following property holds for each $0 \leq i \leq |X|$: for all $j \in J_i$, we have that $q_j = q$ and that for all $1 \leq i' \leq i$ and $c \in \mathcal{C}_{i'}$, $v_j(c) = u_{i'}(c)$.

We establish (II) by proving the property inductively on $i$ and simultaneously picking $x_i$, $u_i$ and $J_i$. The case $i = 0$ is trivial. Assume that $0 \leq i < |X|$ and that $x_{i'}$, $u_{i'}$ and $J_{i'}$ for $i' = 1, \ldots, i$ have been picked so that the property holds for $i$.
Let us call a subsequence of $S$ an $i$-subsequence iff there exist consecutive $j, j' \in J_i$ (i.e. where there is no $j'' \in J_i$ with $j < j'' < j'$) such that the subsequence begins at $\langle q_j, v_j\rangle$ and ends at $\langle q_{j'}, v_{j'}\rangle$. Let $J'_i \subseteq J_i$ consist of the beginning positions of the $|J_i|/2 = m/2\alpha_i U_i^{|\mathcal{C}|}$ shortest $i$-subsequences. The length of the longest of those $i$-subsequences must be at most $2\alpha_i U_i^{|\mathcal{C}|}$, since otherwise there would be at least $|J_i|/2$ $i$-subsequences of length more than $m/(|J_i|/2)$. Let $S^\dagger = \langle q_j, v_j\rangle \xrightarrow{w_j,l_j} \cdots \xrightarrow{w_{j'-1},l_{j'-1}} \langle q_{j'}, v_{j'}\rangle$ be an $i$-subsequence with $j \in J'_i$. We have $j' - j \leq 2\alpha_i U_i^{|\mathcal{C}|}$, $q_j = q_{j'} = q$, and for all $1 \leq i' \leq i$ and $c \in \mathcal{C}_{i'}$, $v_j(c) = v_{j'}(c) = u_{i'}(c)$. Recalling that $u_{i'} : \mathcal{C}_{i'} \to \{0, \ldots, U_{i'} - 1\}$, we obtain $\sum_{i'=1}^{i} \sum_{c \in \mathcal{C}_{i'}} v_{j'}(c) \leq \sum_{i'=1}^{i} |\mathcal{C}_{i'}| U_{i'}$. To make progress, we prove:

(III) There exists $x'_j \neq x_1, \ldots, x_i$ such that, for each $c$ with $x'_j \in c$ and $x_1, \ldots, x_i \notin c$, $v_j(c) \leq 2\alpha_i U_i^{|\mathcal{C}|} + \sum_{i'=1}^{i} |\mathcal{C}_{i'}| U_{i'}$.

Suppose the contrary: for each $x' \neq x_1, \ldots, x_i$, there exists $c_{x'}$ such that $x' \in c_{x'}$, $x_1, \ldots, x_i \notin c_{x'}$, and $v_j(c_{x'}) > 2\alpha_i U_i^{|\mathcal{C}|} + \sum_{i'=1}^{i} |\mathcal{C}_{i'}| U_{i'}$. Let $H$ be a directed acyclic graph on $\{j, \ldots, j'\} \times \mathcal{C}$, defined by letting the successors of $\langle k, d\rangle$ be:
— $\emptyset$, if $k = j'$;
— $\{\langle k+1, d'\rangle : d' \in f(d)\}$, if $l_k$ is of the form $\langle transf, f\rangle$;
— $\{\langle k+1, d\rangle\}$, otherwise.
Now, for $c \in \mathcal{C}$ and $k \in \{j, \ldots, j'\}$, let $H(c, k)$ be the set of all $d$ such that $\langle k, d\rangle$ is reachable in $H$ from $\langle j, c\rangle$. We have $\sum_{d \in H(c,k)} v_k(d) \geq v_j(c) - (k - j)$ by induction on $k$. In particular, for each $x' \neq x_1, \ldots, x_i$, we have $\sum_{d \in H(c_{x'}, j')} v_{j'}(d) \geq v_j(c_{x'}) - (j' - j) > \sum_{i'=1}^{i} |\mathcal{C}_{i'}| U_{i'} \geq \sum_{i'=1}^{i} \sum_{c \in \mathcal{C}_{i'}} v_{j'}(c)$, so there is some $d_{x'} \in H(c_{x'}, j')$ such that $x_1, \ldots, x_i \notin d_{x'}$. Let $H_{x'}$ be a path in $H$ from $\langle j, c_{x'}\rangle$ to $\langle j', d_{x'}\rangle$. For $k \in \{j, \ldots, j'\}$, let $H_{x'}(k)$ denote the counter at position $k$ in $H_{x'}$.

Consider any $c$ with $x_1, \ldots, x_i \notin c$. Observe that $c \subseteq \bigcup\{c_{x'} : x' \in c\}$. Let $H_c$ be a path in $H$ from $\langle j, c\rangle$, obtained as follows. Assuming that $k \in \{j, \ldots, j'-1\}$ and $H_c(k) \subseteq \bigcup\{H_{x'}(k) : x' \in c\}$:
— if $l_k$ is of the form $\langle transf, f\rangle$, by distributivity of $f$ and the definition of $H$, we can pick $H_c(k+1) \subseteq \bigcup\{H_{x'}(k+1) : x' \in c\}$;
— otherwise, we have $H_{x'}(k+1) = H_{x'}(k)$ for each $x' \in c$, and the only possibility is $H_c(k+1) = H_c(k)$.
Since $H_c(j') \subseteq \bigcup\{H_{x'}(j') : x' \in c\}$, we conclude that $x_1, \ldots, x_i \notin H_c(j')$.

Using the paths $H_c$, we now show that, from the final configuration of $S^\dagger$, the instructions in $S^\dagger$ can be performed repeatedly to obtain an infinite sequence of lazy transitions, which is a contradiction, so (III) holds. More precisely, since $v_j(d) = v_{j'}(d)$ for all $1 \leq i' \leq i$ and $d \in \mathcal{C}_{i'}$, and $H_c(j) = c$ for all $c$, by (IV) below from $v_{j'}$ for $k = j, \ldots, j'-1$, there exist lazy transitions $\langle q_j, v_{j'}\rangle \xrightarrow{w_j,l_j} \cdots \xrightarrow{w_{j'-1},l_{j'-1}} \langle q_{j'}, v'_{j'}\rangle$ such that $v'_{j'}(d) \leq v_{j'}(d)$ for all $d \notin \{H_c(j') : x_1, \ldots, x_i \notin c\}$. But $\{H_c(j') : x_1, \ldots, x_i \notin c\} \subseteq \{c : x_1, \ldots, x_i \notin c\}$, so (IV) can be applied from $v'_{j'}$ for $k = j, \ldots, j'-1$, etc.

(IV) Suppose $k \in \{j, \ldots, j'-1\}$, and $v'_k$ is a counter valuation such that $v'_k(d) \leq v_k(d)$ for all $d \notin \{H_c(k) : x_1, \ldots, x_i \notin c\}$. There exists a lazy transition $\langle q_k, v'_k\rangle \xrightarrow{w_k,l_k} \langle q_{k+1}, v'_{k+1}\rangle$ such that $v'_{k+1}(d) \leq v_{k+1}(d)$ for all $d \notin \{H_c(k+1) : x_1, \ldots, x_i \notin c\}$.

To show (IV), we distinguish between two cases:
— If $l_k$ is of the form $\langle transf, f\rangle$, let $K_{dd'} \geq 0$ for each $d \in \mathcal{C}$ and $d' \in f(d)$ satisfy
$$\text{for each } d \in \mathcal{C},\ v_k(d) = \sum_{d' \in f(d)} K_{dd'} \qquad\qquad \text{for each } d' \in \mathcal{C},\ v_{k+1}(d') = \sum_{f(d) \ni d'} K_{dd'}$$
For $d \in \mathcal{C}$ such that $v'_k(d) \leq v_k(d)$, pick any $K'_{dd'} \geq 0$ such that $v'_k(d) = \sum_{d' \in f(d)} K'_{dd'}$ and $K'_{dd'} \leq K_{dd'}$ for each $d' \in f(d)$. For $d \in \mathcal{C}$ such that $v'_k(d) > v_k(d)$, we have $d = H_c(k)$ for some $c$ with $x_1, \ldots, x_i \notin c$, so we can set $K'_{dd'} = K_{dd'}$ for all $d' \in f(d) \setminus \{H_c(k+1)\}$, and $K'_{d\,H_c(k+1)} = K_{d\,H_c(k+1)} + v'_k(d) - v_k(d)$. Now, for each $d' \in \mathcal{C}$, let $v'_{k+1}(d') = \sum_{f(d) \ni d'} K'_{dd'}$, so that $\langle q_k, v'_k\rangle \xrightarrow{w_k,l_k} \langle q_{k+1}, v'_{k+1}\rangle$ lazily. Since $K'_{dd'} > K_{dd'}$ implies $d' \in \{H_c(k+1) : x_1, \ldots, x_i \notin c\}$, we have $v'_{k+1}(d') \leq v_{k+1}(d')$ for all $d' \notin \{H_c(k+1) : x_1, \ldots, x_i \notin c\}$.
— Otherwise, $v'_{k+1}$ is uniquely determined by the lazy transition $\langle q_k, v'_k\rangle \xrightarrow{w_k,l_k} \langle q_{k+1}, v'_{k+1}\rangle$, and has the required property as $H_c(k+1) = H_c(k)$ for all $c$.

For each $j \in J'_i$, let $x'_j \neq x_1, \ldots, x_i$ be as in (III). For each $c$ with $x'_j \in c$ and $x_1, \ldots, x_i \notin c$, we have $v_j(c) < U_{i+1}$. Let $x_{i+1}$ be such that there exists $J''_i \subseteq J'_i$ of size $|J'_i|/(|X| - i) = m/\alpha_{i+1}$ with $x_{i+1} = x'_j$ for all $j \in J''_i$. Thus, for all $j \in J''_i$ and $c \in \mathcal{C}_{i+1}$, we have $v_j(c) < U_{i+1}$. Then let $u_{i+1} : \mathcal{C}_{i+1} \to \{0, \ldots, U_{i+1} - 1\}$ be such that there exists $J_{i+1} \subseteq J''_i$ of size $m/\alpha_{i+1} U_{i+1}^{|\mathcal{C}|}$ with $v_j(c) = u_{i+1}(c)$ for all $j \in J_{i+1}$ and $c \in \mathcal{C}_{i+1}$. That completes the inductive proof of (II).

Since $m = 2\,\alpha_{|X|} U_{|X|}^{|\mathcal{C}|}$, we have from (II) that $S$ contains two equal configurations, so $C$ has an infinite sequence of lazy transitions from the initial configuration. That is a contradiction, so (I) is shown.

By Theorems 3.2, 3.3 and 2.5, we obtain:

Corollary 3.4. Safety 1ARA$_1$ nonemptiness and safety LTL$^{\downarrow}_{1}$(X, R) satisfiability are in ExpSpace.

4. LOWER BOUND

Theorem 4.1. Safety 1ARA$_1$ nonemptiness and safety LTL$^{\downarrow}_{1}$(X, R) satisfiability are ExpSpace-hard.

Proof. By Theorem 2.5, it suffices to show ExpSpace-hardness of satisfiability for safety LTL$^{\downarrow}_{1}$(X, R). We shall reduce from the halting problem for Turing machines with exponentially long tapes. More precisely, a Turing machine $M$ is a tuple $\langle \Sigma, a_B, Q, q_I, \delta\rangle$ such that:
— $\Sigma$ is a finite alphabet, and $a_B \in \Sigma$ denotes the blank symbol;
— $Q$ is a finite set of states, and $q_I \in Q$ is the initial state;
— $\delta : Q \times \Sigma \to Q \times \Sigma \times \{-1, 1\}$ is the transition function.
If the size of $M$ is $n$, we consider its computation on a tape of length $2^n$. More formally, a configuration of $M$ is of the form $\langle q, i, w\rangle$ where $q \in Q$ is the machine state, $0 \leq i < 2^n$ is the head position, and $w \in \Sigma^{2^n}$ is the tape contents. The initial configuration is $\langle q_I, 0, a_B^{2^n}\rangle$. A configuration $\langle q, i, w\rangle$ has a transition iff $0 \leq i + o < 2^n$ where $\langle q', a, o\rangle = \delta(q, w(i))$. In that case, we write $\langle q, i, w\rangle \to \langle q', i + o, w[i \mapsto a]\rangle$. Since $M$ can halt by requesting to move the head off an edge of the tape, it does not need to have a special halting state.
The following problem is ExpSpace-complete: given $M = \langle \Sigma, a_B, Q, q_I, \delta\rangle$ of size $n$, is the computation from the initial configuration with tape length $2^n$ infinite? (To reduce in polynomial time from the same problem with tape length $2^{n^k}$, extend the machine by unreachable states until it is of size $n^k$.) We shall show that a sentence $\phi_M$ of safety LTL$^{\downarrow}_{1}$(X, R) is computable in space logarithmic in $n$, such that the answer to the decision problem is 'yes' iff $\phi_M$ is satisfiable.

Let $\hat{\Sigma} = \{\hat{a} : a \in \Sigma\}$. The alphabet of $\phi_M$ is $\tilde{\Sigma} = Q \uplus \{0_d, 1_d : d \in \{1, \ldots, n\}\} \uplus \Sigma \uplus \hat{\Sigma}$. To encode a tape cell, we write its position in binary followed by its contents. A configuration $\langle q, i, w\rangle$ is then encoded by the word below, where $\hat{\Sigma}$ is used to mark the contents at head position. Let $w(i, i) = \widehat{w(i)}$, and $w(j, i) = w(j)$ for $j \neq i$.
$$q\ \ 0_1 \cdots 0_{n-1} 0_n\ w(0, i)\ \ 0_1 \cdots 0_{n-1} 1_n\ w(1, i)\ \ \cdots\ \ 1_1 \cdots 1_{n-1} 1_n\ w(2^n - 1, i)$$
The computation of $M$ from the initial configuration with tape length $2^n$ is infinite iff there exists a data $\omega$-word $\sigma$ over $\tilde{\Sigma}$ such that:
(i) $str(\sigma)$ is a sequence of encodings of configurations of $M$;
(ii) $str(\sigma)$ begins with the encoding of the initial configuration $\langle q_I, 0, a_B^{2^n}\rangle$;
(iii) for every two consecutive encodings in $str(\sigma)$ of configurations $\langle q, i, w\rangle$ and $\langle q', i', w'\rangle$, we have $\langle q, i, w\rangle \to \langle q', i', w'\rangle$.
Hence, it suffices to construct $\phi_M$ such that $\sigma$ satisfies $\phi_M$ iff (i)–(iii) hold and:
(iv) for every encoding in $\sigma$ of a tape cell, all the letters $b_d$ and $w(j, i)$ are in the same class;
(v) for every two encodings in $\sigma$ of tape cells with positions $j$ and $j'$ (occurring in one or two configuration encodings), their classes are the same iff $j = j'$.
The purpose of (iv) and (v) is to enable navigation through $\sigma$ for checking (i)–(iii) in $\phi_M$, whose size will be only polynomial in $n$.

For (i), we can split it into the following constraints, each of which is straightforward to express:
— the first letter is a state of $M$;
— every state of $M$ is succeeded by $0_1 \cdots 0_{n-1} 0_n$;
— every $b_n$ is succeeded by an element of $\Sigma \uplus \hat{\Sigma}$;
— for every $b_d$ not succeeded by $1_{d+1} \cdots 1_n$, $b_d$ occurs $n + 1$ positions later (the next position has the same binary digit $d$);
— for every $0_d$ succeeded by $1_{d+1} \cdots 1_n$, $1_d 0_{d+1} \cdots 0_n$ occurs $n + 1$ positions later (the next position has the opposite binary digit $d$);
— $1_1 \cdots 1_{n-1} 1_n$ followed by an element of $\Sigma \uplus \hat{\Sigma}$ are succeeded by a state of $M$;
— between every two consecutive occurrences of states of $M$, there is exactly one occurrence of an element of $\hat{\Sigma}$.

Properties (ii) and (iv) are also straightforward. Before (iii), let us consider (v), which is equivalent to the following conjunction:
(v.1) for every two encodings of tape cells, if their classes are the same then their positions are the same;
(v.2) for every encoding of a tape cell, some tape cell in the next configuration encoding has the same class.
The more involved is (v.1). It amounts to requiring that, for all $d \in \{1, \ldots, n\}$ and $b \in \{0, 1\}$, it is not the case that there is an occurrence of $b_d$ and a subsequent occurrence of $(1 - b)_d$ with the same datum:
$$\bigwedge_{d=1}^{n} \bigwedge_{b=0}^{1} G\big(\overline{b_d} \vee \downarrow X G(\overline{(1-b)_d} \vee \not\uparrow)\big)$$
where $\overline{a}$ abbreviates $\bigvee\{a' : a' \in \tilde{\Sigma} \setminus \{a\}\}$.
Property (iii) is now equivalent to asserting that the following hold for all $q \in Q$ and $a \in \Sigma$, where $\langle q', a', o\rangle = \delta(q, a)$:
(iii.1) whenever $q$ occurs with $\hat{a}$ in the same configuration encoding, the next occurrence of a state of $M$ is $q'$;
(iii.2) for every occurrence of some $b \in \Sigma$ in a configuration encoding which contains $q$ and $\hat{a}$, the next occurrence in the same class of an element of $\Sigma \uplus \hat{\Sigma}$ is an occurrence of $b$ or $\hat{b}$;
(iii.3) for every occurrence of $\hat{a}$ in a configuration encoding containing $q$, the next occurrence in the same class of an element of $\Sigma \uplus \hat{\Sigma}$ is an occurrence of $a'$, and $n$ positions earlier (if $o = -1$) or later (if $o = 1$) an element of $\hat{\Sigma}$ occurs.
The most involved is (iii.3), and the two cases of $o = -1$ and $o = 1$ are similar. Letting $\hat{\Sigma}$ and $\overline{\hat{\Sigma}}$ abbreviate $\bigvee\{b : b \in \hat{\Sigma}\}$ and $\bigvee\{b : b \in \tilde{\Sigma} \setminus \hat{\Sigma}\}$ (respectively), (iii.3) with $o = -1$ is expressed by:
$$G\Big(q \Rightarrow \neg\Big(\overline{\hat{\Sigma}}\ U\ \big(\hat{a} \wedge \downarrow X(\overline{\hat{\Sigma}}\ U\ (\hat{\Sigma} \wedge X^n \neg(a' \wedge \uparrow)))\big)\Big)\Big)$$
To obtain a sentence of safety LTL$^{\downarrow}_{1}$(X, R) in the strict sense, we convert to negation normal form:
$$G\Big(\overline{q} \vee \hat{\Sigma}\ R\ \big(\overline{\hat{a}} \vee \downarrow X(\hat{\Sigma}\ R\ (\overline{\hat{\Sigma}} \vee X^n(a' \wedge \uparrow)))\big)\Big)$$
To output $\tilde{\Sigma}$ and $\phi_M$ given $M$ as above, a fixed number of counters which are bounded by $n$ suffice.

5. INCLUSION AND REFINEMENT

Using well-quasi-orderings, the proofs of Theorems 3.2 and 3.3, and that satisfiability over finite data words for LTL$^{\downarrow}_{1}$(X, F) is not primitive recursive [Demri and Lazić 2009, Theorem 5.2], we obtain the result below. We remark that, in a similar manner, one can show that the following "model-checking" problems are decidable and not primitive recursive: whether the language of a Büchi one-way nondeterministic register automaton (with any number of registers) is included in the language of a safety 1ARA$_1$ or a safety LTL$^{\downarrow}_{1}$(X, R) sentence.

Theorem 5.1.
The following problems are decidable and not primitive recursive:
— inclusion for safety 1ARA$_1$;
— refinement for safety LTL$^{\downarrow}_{1}$(X, R).

Proof. By Theorem 2.5, it suffices to establish that inclusion for safety 1ARA$_1$ is decidable and that refinement for safety LTL$^{\downarrow}_{1}$(X, R) is not primitive recursive.

For the former, suppose $A_1 = \langle \Sigma, Q_1, q_I^1, \delta_1\rangle$ and $A_2 = \langle \Sigma, Q_2, q_I^2, \delta_2\rangle$ are safety 1ARA$_1$, where we need to determine whether $L(A_1) \subseteq L(A_2)$. Let $\overline{A_2} = \langle \Sigma, Q_2, q_I^2, \overline{\delta_2}\rangle$ be the dual automaton to $A_2$, so that each formula $\overline{\delta_2}(r, a, ?)$ is the dual to $\delta_2(r, a, ?)$, i.e. obtained by replacing every $\top$ with $\bot$, every $\wedge$ with $\vee$, and vice versa. Let $\overline{L}(\overline{A_2})$ denote the language of $\overline{A_2}$ with respect to co-safety acceptance: a data $\omega$-word $\sigma$ over $\Sigma$ is in $\overline{L}(\overline{A_2})$ iff $\overline{A_2}$ has a finite run $F_0 \xrightarrow{\sigma,0} F_1 \xrightarrow{\sigma,1} \cdots \emptyset$ where $F_0 = \{\langle q_I^2, [0]_\sim\rangle\}$. Considering $A_2$ (resp., $\overline{A_2}$) as a weak alternating automaton whose every state is of even (resp., odd) parity, we have by [Löding and Thomas 2000, Theorem 1] that $\overline{L}(\overline{A_2})$ is the complement of $L(A_2)$.

Now, let $A_\cap$ be the automaton for the intersection of $A_1$ and $\overline{A_2}$, obtained by adding a new initial state. More precisely, assuming that $Q_1$ and $Q_2$ are disjoint and do not contain $q_I$, let $A_\cap = \langle \Sigma, \{q_I\} \cup Q_1 \cup Q_2, q_I, \delta_\cap\rangle$, where
$$\delta_\cap = \{\langle q_I, a, ?\rangle \mapsto \delta_1(q_I^1, a, ?) \wedge \overline{\delta_2}(q_I^2, a, ?) : a \in \Sigma,\ ? \in \{\uparrow, \not\uparrow\}\} \cup \delta_1 \cup \overline{\delta_2}$$
The acceptance condition of $A_\cap$ is inherited from $A_1$ and $\overline{A_2}$: a data $\omega$-word $\sigma$ over $\Sigma$ is in $L(A_\cap)$ iff $A_\cap$ has an infinite run $F_0 \xrightarrow{\sigma,0} F_1 \xrightarrow{\sigma,1} \cdots$ where $F_0 = \{\langle q_I, [0]_\sim\rangle\}$ and there exists $i$ such that $F_i$ contains only states in $Q_1$. We then have that $L(A_\cap) = L(A_1) \cap \overline{L}(\overline{A_2})$, so $L(A_\cap)$ is empty iff $L(A_1) \subseteq L(A_2)$.
Let $C_\cap$ be the IPCANT computed from $A_\cap$ as in the proof of Theorem 3.2, except that the following step is added between steps (6) and (7), where $q^2_\emptyset$ is a new state and implementation is similar to that of step (5):
(6½) If $c(R) = 0$ for all $R$ which intersect $Q_2$, then pass through $q^2_\emptyset$.
We thus have that $L(A_\cap)$ is nonempty iff $C_\cap$ has an infinite run $\langle q_0, v_0\rangle \xrightarrow{w_0,l_0} \langle q_1, v_1\rangle \xrightarrow{w_1,l_1} \cdots$ where $\langle q_0, v_0\rangle$ is the initial configuration and there exists $i$ such that $q_i = q^2_\emptyset$. We define $\preceq$ to be the following quasi-ordering on configurations of $C_\cap$: $\langle q, v\rangle \preceq \langle q', v'\rangle$ iff $q = q'$ and $v \leq v'$. By Dickson's Lemma [Dickson 1913], $\preceq$ is a well-quasi-ordering: for every infinite sequence $s_0, s_1, \ldots$, there exist $i < j$ such that $s_i \preceq s_j$. Now, consider the following procedure:
(i) Let $S$ consist of the initial configuration of $C_\cap$.
(ii) Let $S'$ be the set of all successors of configurations in $S$ by lazy transitions.
(iii) If for all $s' \in S'$ there exists $s \in S$ with $s \preceq s'$, then stop. Otherwise, set $S$ to $S \cup S'$, and repeat from (ii).
Since $\preceq$ is a well-quasi-ordering, the procedure terminates. Let $S_{last}$ denote the value of $S$ at the termination. It is a finite set, and by Proposition 2.7, its upward closure $\Uparrow S_{last} = \{s' : \exists s \in S_{last}\, (s \preceq s')\}$ is the set of all configurations which $C_\cap$ can reach from the initial configuration. To conclude decidability of inclusion for safety 1ARA$_1$, it remains to show that we can decide whether $\Uparrow S_{last}$ contains a configuration whose state is $q^2_\emptyset$ and from which $C_\cap$ has an infinite run.
But that is the case iff $S_{last}$ contains such a configuration, and for any configuration $\langle q, v\rangle$, we have by the proof of Theorem 3.3 that $C_\cap$ has an infinite run from $\langle q, v\rangle$ iff it has a sequence of $m - 1$ lazy transitions from $\langle q, v\rangle$, where $m$ is as computed in that proof.

We now turn to showing that already validity for safety $\mathrm{LTL}^{\downarrow}_1(\mathsf{X},\mathsf{R})$ is not primitive recursive. We reduce (in logarithmic space) from satisfiability over finite data words for $\mathrm{LTL}^{\downarrow}_1(\mathsf{X},\mathsf{F})$, which is not primitive recursive by [Demri and Lazić 2009, Theorem 5.2]. In negation normal form, the latter logic differs from safety $\mathrm{LTL}^{\downarrow}_1(\mathsf{X},\mathsf{R})$ by having temporal operators $\overline{\mathsf{X}}$, $\mathsf{F}$ and $\mathsf{G}$ instead of $\mathsf{R}$. Over finite data words, $\mathsf{X}$ and its dual $\overline{\mathsf{X}}$ are distinct: at any final word position and for any $\varphi$, $\mathsf{X}\varphi$ is false whereas $\overline{\mathsf{X}}\varphi$ is true. Consider the following translation from formulae of $\mathrm{LTL}^{\downarrow}_1(\mathsf{X},\mathsf{F})$ in negation normal form with alphabet $\Sigma$ to formulae of co-safety $\mathrm{LTL}^{\downarrow}_1(\mathsf{X},\mathsf{R})$ with alphabet $\Sigma \uplus \{\times\}$. Only cases where the construct is modified are shown.
$$\begin{array}{rcl}
t(\mathsf{X}\varphi) &=& \mathsf{X}\,\bigl(t(\varphi) \wedge \bigvee_{a\in\Sigma} a\bigr)\\
t(\mathsf{F}\varphi) &=& \bigl(\bigvee_{a\in\Sigma} a\bigr)\ \mathsf{U}\ \bigl(t(\varphi) \wedge \bigvee_{a\in\Sigma} a\bigr)\\
t(\overline{\mathsf{X}}\varphi) &=& \mathsf{X}\,\bigl(t(\varphi) \vee \times\bigr)\\
t(\mathsf{G}\varphi) &=& \bigl(t(\varphi) \wedge \bigvee_{a\in\Sigma} a\bigr)\ \mathsf{U}\ \times
\end{array}$$
Given a sentence $\varphi$, we have that a data $\omega$-word $\sigma$ over $\Sigma \uplus \{\times\}$ satisfies $\psi_\varphi = t(\varphi) \wedge (\bigvee_{a\in\Sigma} a) \wedge (\top\ \mathsf{U}\ \times)$ iff there exists $i > 0$ such that the $i$-prefix of $\sigma$ does not contain $\times$ and satisfies $\varphi$, and $\sigma(i) = \times$. It remains to observe that the dual of $\psi_\varphi$ is a sentence of safety $\mathrm{LTL}^{\downarrow}_1(\mathsf{X},\mathsf{R})$, which is valid over data $\omega$-words iff $\varphi$ is satisfiable over finite data words.

6. CONCLUDING REMARKS

Satisfiability (over timed $\omega$-words) for the safety fragment of metric temporal logic (MTL) was shown decidable in [Ouaknine and Worrell 2006], and nonelementary in [Bouyer et al. 2008] by reducing from termination of channel machines with emptiness testing and insertion errors. It would be interesting to investigate whether ideas in the proof of Theorem 3.3 above can be combined with those in the proof of primitive recursiveness of termination of channel machines with occurrence testing and insertion errors [Bouyer et al. 2008] to obtain that satisfiability for safety MTL is primitive recursive. Another open question is whether nonemptiness of safety forward alternating tree automata with 1 register [Jurdziński and Lazić 2007] is primitive recursive.

ACKNOWLEDGMENTS

I am grateful to Stéphane Demri and James Worrell for helpful discussions.

REFERENCES

Alpern, B. and Schneider, F. B. 1987. Recognizing safety and liveness. Distr. Comput. 2, 3, 117–126.
Björklund, H. and Schwentick, T. 2007. On notions of regularity for data languages. In Fundamentals of Comput. Theory (FCT), 16th Int. Symp. Lect. Notes Comput. Sci., vol. 4639. Springer, 88–99.
Bojańczyk, M., David, C., Muscholl, A., Schwentick, T., and Segoufin, L. 2006. Two-variable logic on data trees and XML reasoning. In 25th ACM SIGACT-SIGMOD-SIGART Symp. on Princ. of Database Systems (PODS). ACM, 10–19.
Bojańczyk, M., Muscholl, A., Schwentick, T., Segoufin, L., and David, C. 2006. Two-variable logic on words with data. In 21st IEEE Symp. on Logic in Comput. Sci. (LICS). IEEE Comput. Soc., 7–16.
Bouyer, P., Markey, N., Ouaknine, J., Schnoebelen, P., and Worrell, J. 2008. On termination for faulty channel machines. In 25th Int. Symp. on Theor. Asp. of Comput. Sci. (STACS). IBFI, Schloss Dagstuhl, Germany, 121–132.
Brzozowski, J. A. and Leiss, E. L. 1980. On equations for regular languages, finite automata, and sequential networks. Theor. Comput. Sci. 10, 1, 19–35.
David, C. 2004. Mots et données infinies.
M.S. thesis, Laboratoire d'Informatique Algorithmique: Fondements et Applications, Paris.
Demri, S. and Lazić, R. 2009. LTL with the freeze quantifier and register automata. ACM Trans. On Comp. Logic 10, 3.
Dickson, L. 1913. Finiteness of the odd perfect and primitive abundant numbers with distinct factors. Amer. J. Math. 35, 413–422.
Jurdziński, M. and Lazić, R. 2007. Alternation-free modal mu-calculus for data trees. In 22nd IEEE Symp. on Logic in Comput. Sci. (LICS). IEEE Comput. Soc., 131–140.
Kaminski, M. and Francez, N. 1994. Finite-memory automata. Theor. Comput. Sci. 134, 2, 329–363.
Lazić, R. 2006. Safely freezing LTL. In FSTTCS: Found. of Softw. Technology and Theor. Comput. Sci., 26th Int. Conf. Lect. Notes Comput. Sci., vol. 4337. Springer, 381–392.
Lipton, R. J. 1976. The reachability problem requires exponential space. Tech. Rep. 62, Yale University.
Löding, C. and Thomas, W. 2000. Alternating automata and logics over infinite words. In Theor. Comput. Sci., Int. Conf. (IFIP TCS). Lect. Notes Comput. Sci., vol. 1878. Springer, 521–535.
Muller, D. E., Saoudi, A., and Schupp, P. E. 1986. Alternating automata, the weak monadic theory of the tree, and its complexity. In Automata, Lang. and Program., 13th Int. Coll. (ICALP). Lect. Notes Comput. Sci., vol. 226. Springer, 275–283.
Neven, F., Schwentick, T., and Vianu, V. 2004. Finite state machines for strings over infinite alphabets. ACM Trans. On Comp. Logic 5, 3, 403–435.
Ouaknine, J. and Worrell, J. 2006. Safety metric temporal logic is fully decidable. In Tools and Algorithms for the Constr. and Anal. of Systems (TACAS), 12th Int. Conf. Lect. Notes Comput. Sci., vol. 3920. Springer, 411–425.
Sakamoto, H. and Ikeda, D. 2000. Intractability of decision problems for finite-memory automata. Theor. Comput. Sci. 231, 2, 297–308.
Segoufin, L. 2006. Automata and logics for words and trees over an infinite alphabet. In Comput. Sci. Logic (CSL), 20th Int. Works. Lect. Notes Comput. Sci., vol. 4207. Springer, 41–57.
Vardi, M. Y. 1996. An automata-theoretic approach to linear temporal logic. In Banff Higher Order Works. Lect. Notes Comput. Sci., vol. 1043. Springer, 238–266.

Received February 2008; revised March 2009; accepted April 2010
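The translation $t$, the sentence $\psi_\varphi$ and the dualisation from the second part of the proof above (the same $\top/\bot$ and $\wedge/\vee$ swap that builds the dual automaton $\overline{A_2}$ in the first part), as an added example that is not code from the paper. The tuple encoding of formulae, the alphabet $\Sigma = \{a, b\}$ and the function names are constructed assumptions; the freeze quantifier $\downarrow$ is treated as self-dual, and $\mathsf{X}$ as self-dual because the target formulae are interpreted over $\omega$-words.

```python
"""Translation t from LTL↓1(X,F) in negation normal form to co-safety
LTL↓1(X,R) over Σ ⊎ {×}, the sentence ψ_φ, and the dual that yields the
safety sentence.  Added example, not the paper's code.

Formulae are nested tuples (a constructed encoding): ("atom", a) for a
letter a, ("natom", a) for ¬a, ("up",) / ("notup",) for ↑ / ¬↑,
("freeze", f) for ↓f, ("top",), ("bot",), ("and", f, g), ("or", f, g),
and the temporal operators ("X", f), ("Xbar", f), ("F", f), ("G", f),
("U", f, g), ("R", f, g).
"""
from typing import Set, Tuple

Formula = tuple
MARK: Formula = ("atom", "×")   # the extra letter × ending the finite prefix


def some_letter(sigma: Tuple[str, ...]) -> Formula:
    """The disjunction ⋁_{a∈Σ} a, built as a right-nested "or"."""
    f: Formula = ("atom", sigma[-1])
    for a in reversed(sigma[:-1]):
        f = ("or", ("atom", a), f)
    return f


def translate(f: Formula, sigma: Tuple[str, ...]) -> Formula:
    """The paper's translation t; only X, F, Xbar and G are modified."""
    op = f[0]
    letters = some_letter(sigma)
    if op == "X":
        return ("X", ("and", translate(f[1], sigma), letters))
    if op == "F":
        return ("U", letters, ("and", translate(f[1], sigma), letters))
    if op == "Xbar":
        return ("X", ("or", translate(f[1], sigma), MARK))
    if op == "G":
        return ("U", ("and", translate(f[1], sigma), letters), MARK)
    if op in ("and", "or", "U", "R"):
        return (op, translate(f[1], sigma), translate(f[2], sigma))
    if op == "freeze":
        return ("freeze", translate(f[1], sigma))
    return f  # atoms, ↑, ¬↑, ⊤ and ⊥ are unchanged


def psi(phi: Formula, sigma: Tuple[str, ...]) -> Formula:
    """ψ_φ = t(φ) ∧ (⋁_{a∈Σ} a) ∧ (⊤ U ×): some prefix avoids ×, satisfies φ,
    and the position right after it carries ×."""
    return ("and", ("and", translate(phi, sigma), some_letter(sigma)),
            ("U", ("top",), MARK))


def dual(f: Formula) -> Formula:
    """Dual over ω-words: swaps ⊤/⊥, ∧/∨, U/R, negates atoms and ↑;
    X and ↓ are self-dual (assumption stated in the lead-in)."""
    swap = {"top": "bot", "bot": "top", "and": "or", "or": "and",
            "U": "R", "R": "U", "atom": "natom", "natom": "atom",
            "up": "notup", "notup": "up"}
    op = f[0]
    if op in ("atom", "natom"):
        return (swap[op], f[1])
    if op in ("top", "bot", "up", "notup"):
        return (swap[op],)
    if op in ("and", "or", "U", "R"):
        return (swap[op], dual(f[1]), dual(f[2]))
    if op in ("X", "freeze"):
        return (op, dual(f[1]))
    raise ValueError(f"{op} is not an operator of LTL↓(X,R) over ω-words")


def temporal_operators(f: Formula) -> Set[str]:
    """Temporal operators occurring in f: the co-safety output of t uses only
    X and U, and its dual, the safety sentence, only X and R."""
    ops: Set[str] = {f[0]} if f[0] in ("X", "Xbar", "F", "G", "U", "R") else set()
    for child in f[1:]:
        if isinstance(child, tuple):
            ops |= temporal_operators(child)
    return ops


if __name__ == "__main__":
    SIGMA = ("a", "b")
    phi = ("F", ("freeze", ("X", ("up",))))   # F ↓ X ↑ : some position's successor repeats its datum
    print(translate(phi, SIGMA))
    print(temporal_operators(psi(phi, SIGMA)), temporal_operators(dual(psi(phi, SIGMA))))
```

The check on operator sets is the syntactic half of the last sentence of the proof: $t$ never emits $\mathsf{F}$, $\mathsf{G}$ or $\overline{\mathsf{X}}$, so $\psi_\varphi$ is a co-safety formula, and dualising it produces a formula whose only temporal operators are $\mathsf{X}$ and $\mathsf{R}$.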