Enriched MU-Calculi Module Checking
The model checking problem for open systems has been intensively studied in the literature, for both finite-state (module checking) and infinite-state (pushdown module checking) systems, with respect to Ctl and Ctl*. In this paper, we further investi…
Authors: Alessandro Ferrante, Aniello Murano
Logical Methods in Computer Science, Vol. 4 (3:1) 2008, pp. 1–21. www.lmcs-online.org. Submitted Sep. 24, 2007; Published Jul. 29, 2008.

ENRICHED µ-CALCULI MODULE CHECKING ∗

ALESSANDRO FERRANTE a, ANIELLO MURANO b, AND MIMMO PARENTE c

a,c Università di Salerno, Via Ponte don Melillo, 84084 - Fisciano (SA), Italy
e-mail address: {ferrante,parente}@dia.unisa.it

b Università di Napoli "Federico II", Dipartimento di Scienze Fisiche, 80126 Napoli, Italy
e-mail address: murano@na.infn.it

Abstract. The model checking problem for open systems has been widely studied in the literature, for both finite-state (module checking) and infinite-state (pushdown module checking) systems, with respect to CTL and CTL∗. In this paper, we further investigate this problem with respect to the µ-calculus enriched with nominals and graded modalities (hybrid graded µ-calculus), in both the finite-state and infinite-state settings. Using an automata-theoretic approach, we show that hybrid graded µ-calculus module checking is solvable in exponential time, while hybrid graded µ-calculus pushdown module checking is solvable in double-exponential time. These results are also tight since they match the known lower bounds for CTL. We also investigate the module checking problem with respect to the hybrid graded µ-calculus enriched with inverse programs (Fully enriched µ-calculus): by showing a reduction from the tiling problem, we show its undecidability. We conclude with a short overview of the model checking problem for the Fully enriched µ-calculus and the fragments obtained by dropping at least one of the additional constructs.

1998 ACM Subject Classification: F.1.1, F.1.2, F.3.1, D.2.4.
Key words and phrases: Finite state machine, tree automaton, pushdown automaton, interactive and reactive computation, logics of programs, modal logic, µ-calculus, formal verification, model checking.
∗ The paper is based on [FM07] and [FMP07].
DOI: 10.2168/LMCS-4(3:1)2008. © A. Ferrante, A. Murano, and M. Parente. CC Creative Commons.

1. Introduction

Model checking is a formal method, applied in system design, to automatically verify the ongoing behavior of reactive systems [CE81, QS81]. In this verification technique the behavior of a system, formally described by a mathematical model, is checked against a behavioral constraint, usually specified by a formula in an appropriate temporal logic (for a survey, see [CGP99]). In the process of modeling a system, we distinguish between closed and open systems [HP85]. While the behavior of a closed system is completely determined by the state of the system, the behavior of an open system depends on the ongoing interaction with its environment [Hoa85]. In model checking open systems, introduced and called module checking in [KVW01], one should check the system with respect to arbitrary environments and should take into account uncertainty regarding the environment. In such a framework, the open finite-state system is described by a labeled state-transition graph, called in fact module, whose set of states is partitioned into system states (where the system makes a transition) and environment states (where the environment makes a transition). Given a module M, describing the system to be verified, and a temporal logic formula ϕ, specifying the desired behavior of the system, module checking asks whether for all possible environments, M satisfies ϕ.
Therefore, in module checking it is not sufficient to check whether the full computation tree obtained by unwinding M (which corresponds to the interaction of M with a maximal environment) satisfies ϕ; it is also necessary to verify that all trees obtained from the full computation tree by pruning some subtrees rooted in nodes corresponding to choices disabled by the environment (those trees represent the interactions of M with all the possible environments) satisfy ϕ. We collect all such trees in a set named exec(M). It is worth noticing that each tree in exec(M) represents a "memoryful" behavior of the environment. Indeed, the unwinding of a module M induces duplication of nodes, which allows different prunings of subtrees. To see an example, consider a two-drink dispenser machine that serves, upon customer request, tea or coffee. The machine is an open system and an environment for the system is an infinite line of thirsty people. Since each person in the line can prefer both tea and coffee, or only tea, or only coffee, each person suggests a different disabling of the external choices. Accordingly, there are many different possible environments to consider. In [KV97, KVW01], it has been shown that while for linear-time logics model and module checking coincide, module checking for specifications given in CTL and CTL∗ is exponentially harder than model checking in the size of the formula and preserves the linearity in the size of the model. Indeed, CTL and CTL∗ module checking are Exptime-complete and 2Exptime-complete, respectively. In [BMP05, AMV07], the module checking technique has been extended to infinite-state systems by considering open pushdown systems (OPD, for short). These are pushdown systems augmented with finite information that allows us to partition the set of configurations into system and environment configurations. To see an example of an open pushdown system, consider the above two-drink dispenser machine, with the additional constraint that a coffee can be served only if the number of coffees served up to that time is smaller than that of teas served. Such a machine can clearly be modeled as an open pushdown system (the stack is used to guarantee the inequality between served coffees and teas). In [BMP05], it has been shown that pushdown module checking is 2Exptime-complete for CTL and 3Exptime-complete for CTL∗. Thus, for pushdown systems, and for specifications given in CTL and CTL∗, module checking is exponentially harder than model checking with respect to the size of the formula, while it preserves the exponential complexity with respect to the size of the model [Wal96, Wal00].

Among the various formalisms used for specifying properties, a valid candidate is the µ-calculus, a very powerful propositional modal logic augmented with least and greatest fixpoint operators [Koz83] (for a recent survey, see also [BS06]). The Fully enriched µ-calculus [BP04] is the extension of the µ-calculus with inverse programs, graded modalities, and nominals. Intuitively, inverse programs allow us to travel backwards along accessibility relations [Var98], nominals are propositional variables interpreted as singleton sets [SV01], and graded modalities enable statements about the number of successors of a state [KSV02]. By dropping at least one of the additional constructs, we get a fragment of the Fully enriched µ-calculus. In particular, by inhibiting backward modalities we get the fragment we call hybrid graded µ-calculus. In [BP04], it has been shown that satisfiability is undecidable in the Fully enriched µ-calculus. On the other hand, it has been shown in [SV01, BLMV06] that satisfiability for each of its fragments is decidable and Exptime-complete (for more details, see also [BLMV08]). The upper bound result is based on an automata-theoretic approach via two-way graded alternating parity tree automata (2GAPT), along with the fact that each fragment of the Fully enriched µ-calculus enjoys the quasi-forest model property. Intuitively, 2GAPT generalize alternating automata on infinite trees in the same way as inverse programs and graded modalities enrich the standard µ-calculus: 2GAPT can move up to a node's predecessor and move down to at least n or all but n successors. Moreover, a quasi-forest is a forest where nodes can have roots as successors, and having the quasi-forest model property means that any satisfiable formula has a quasi-forest as a model. Using 2GAPT and the quasi-forest model property, it has been shown in [SV01, BLMV06] that, given a formula ϕ of a fragment of the Fully enriched µ-calculus, it is possible to construct a 2GAPT accepting all tree encodings¹ of quasi-forests modeling ϕ. Then, the exponential upper bound follows from the fact that the emptiness problem for 2GAPT is solvable in Ptime [KPV02].

In this paper, we further investigate the module checking problem and its infinite-state extension, with respect to the hybrid graded µ-calculus. To see an example of module checking a finite-state open system w.r.t. a hybrid graded µ-calculus specification, consider again the above two-drink dispenser machine with the following extra feature: whenever a customer can choose a drink, he can also call the customer service or the security service.
Suppose also that by taking one of these two new choices, the drink-dispenser machine stops dispensing drinks, up to the moment the customer finishes operating with the service. Assume that, for the labeled state-transition graph modeling the system, we label by choose the choosing state and by the nominals o_c and o_s the states in which the interaction with the customer and the security services start, respectively. Moreover, suppose we want to check the following property: "whenever the customer comes at a choice, he can choose for both the customer and the security services". This property can be formalized by the hybrid graded µ-calculus formula νx.((choose → ⟨1, call⟩(o_c ∨ o_s)) ∧ [0, −]x), which reads "it is always true that whenever the drink-dispenser is in the choose state, there are at least 2 call-successors in which (o_c ∨ o_s) holds". Clearly, the considered open system does not satisfy this formula. Indeed, it is not satisfied by the particular behavior that always chooses the same service.

By exploiting an automata-theoretic approach via tree automata, we show that hybrid graded µ-calculus module checking is decidable and solvable in Exptime in the size of the formula and Ptime in the size of the system. Thus, as in general, we pay an exponential-time blowup with respect to the model checking problem (and only w.r.t. the size of the formula) for the module checking investigation. In particular, we reduce the addressed module checking problem to the emptiness problem for graded alternating parity tree automata (GAPT). In more detail, given a model M and a hybrid graded µ-calculus formula ϕ, we first construct in polynomial time a Büchi tree automaton (NBT) A_M accepting exec(M). The construction of A_M we propose here extends that used in [KVW01] by also taking into account that M must be unwound in a quasi-forest, rather than a tree, with both nodes and edges labeled. Thus, the set exec(M) is a set of quasi-forests, and the automaton A_M we construct will accept all tree encodings of all quasi-forests of exec(M). From the formula side, according to [BLMV06], we can construct in polynomial time a GAPT A_{⊭ϕ} accepting all models that do not satisfy ϕ, with the intent to check that none of these models are in exec(M). Thus, we check that M models ϕ for every possible choice of the environment by checking whether L(A_M) ∩ L(A_{⊭ϕ}) is empty. The results follow from the fact that an NBT is a particular case of GAPT, which are closed under intersection and have the emptiness problem solvable in Exptime [BLMV06]. We also show a lower bound matching the obtained upper bound by using a reduction from module checking for CTL, known to be Exptime-hard.

¹ Encoding is done by using a new root node that connects all roots of the quasi-forest and new atomic propositions which are used to encode programs and successor nodes corresponding to nominals.

By exploiting again an automata-theoretic approach, we show that hybrid graded µ-calculus pushdown module checking is decidable and solvable in 2Exptime in the size of the formula and Exptime in the size of the system. Thus, as in general, with respect to the finite-state model checking case we pay an exponential-time blowup in the size of both the system and the formula for the use of pushdown systems, and another exponential-time blowup in the size of the formula for the module checking investigation. Our approach allows us to avoid the trivial 2Exptime result in both the size of the system and the formula, which can be easily obtained by combining the algorithms existing in the literature along with the one we introduce in this paper for the finite-state case. We solve hybrid graded µ-calculus pushdown module checking by using a reduction to the emptiness problem for nondeterministic pushdown parity tree automata (PD-NPT). The algorithm we propose extends that given for the finite-state case. In particular, given an OPD S, a module M induced by the configurations of S, and a hybrid graded µ-calculus formula ϕ, we first construct in polynomial time a pushdown Büchi tree automaton (PD-NBT) A_M accepting exec(M). From the formula side, according to [BLMV06], we can construct in polynomial time a GAPT A_{⊭ϕ} accepting all models that do not satisfy ϕ. Thus, we can check that M models ϕ for every possible choice of the environment by checking whether L(A_M) ∩ L(A_{⊭ϕ}) is empty. By showing a non-trivial exponential reduction of 2GAPT into NPT, we show a 2Exptime upper bound for the addressed problem. Since the pushdown module checking problem for CTL is 2Exptime-hard, we get that the addressed problem is 2Exptime-complete.

As regards the Fully enriched µ-calculus, we also investigate the module checking problem in a "rewind" framework in the following sense. As far as backward modalities are concerned, every time the system goes back to an environment's node, the environment is always able to redefine a new pruning choice. Given a module M and a Fully enriched µ-calculus formula ϕ, we solve the rewind module checking problem by checking that all trees in exec(M), always taking the same choice in duplicate environment nodes, satisfy ϕ. By showing a reduction from the tiling problem [Ber66], we show that the addressed problem is undecidable.

We conclude the paper with short considerations on model checking for all the fragments of the Fully enriched µ-calculus. In particular, we show the problem to be Exptime-complete for a pushdown system which is allowed to push one symbol at a time onto the stack, with respect to any fragment not including graded modalities; for the fragments with graded modalities, we show a 2Exptime upper bound.

The rest of the paper is organized as follows. In Section 2, we give all the necessary preliminaries, Section 3 contains the definition of module checking w.r.t. the hybrid graded µ-calculus, and Section 4 contains definitions and known results about 2GAPT and PD-NPT. In Sections 5 and 6, we give our main results on module checking for the hybrid graded µ-calculus. In Section 7, we show the undecidability result for Fully enriched module checking and conclude in Section 8 with some complexity considerations on model checking with all the fragments of the Fully enriched µ-calculus.

2. Preliminaries

In this section, we recall definitions of labeled forests and the hybrid graded µ-calculus. We refer to [BLMV06] for more technical definitions and motivating examples.

2.1. Labeled Forests. For a finite set X, we denote the size of X by |X|, the set of words over X by X^*, the empty word by ε, and with X^+ we denote X^* \ {ε}. Given a word w in X^* and a symbol a of X, we use w·a to denote the word wa. Let ℕ be the set of positive integers. For n ∈ ℕ, let N denote the set {1, 2, ..., n}. A forest is a set F ⊆ N^+ such that if x·c ∈ F, where x ∈ N^+ and c ∈ N, then also x ∈ F.
The elements of F are called nodes, and words consisting of a single natural number are roots of F. For each root r ∈ F, the set T = {r·x | x ∈ N^* and r·x ∈ F} is a tree of F (the tree rooted at r). For x ∈ F, the nodes x·c ∈ F where c ∈ N are the successors of x, denoted sc(x), and x is their predecessor. The number of successors of a node x is called the degree of x (deg(x)). The degree h of a forest F is the maximum of the degrees of all nodes in F and the number of roots. A forest with degree h is an h-ary forest. A full h-ary forest is a forest having h roots and all nodes with degree h. Let F ⊆ N^+ be a forest, x a node in F, and c ∈ N. As a convention, we take x·ε = ε·x = x, (x·c)·−1 = x, and c·−1 as undefined. We call x a leaf if it has no successors. A path π in F is a word π = x_1 x_2 ... of F such that x_1 is a root of F and for every x_i ∈ π, either x_i is a leaf (i.e., π ends in x_i) or x_i is a predecessor of x_{i+1}. Given two alphabets Σ_1 and Σ_2, a (Σ_1, Σ_2)-labeled forest is a triple ⟨F, V, E⟩, where F is a forest, V : F → Σ_1 maps each node of F to a letter in Σ_1, and E : F × F → Σ_2 is a partial function that maps each pair (x, y), with y ∈ sc(x), to a letter in Σ_2. As a particular case, we consider a forest without labels on edges as a Σ_1-labeled forest ⟨F, V⟩, and a tree as a forest containing exactly one tree. A quasi-forest is a forest where each node may also have roots as successors. For a node x of a quasi-forest, we set children(x) as sc(x) \ N. All the other definitions regarding forests easily extend to quasi-forests. Notice that in a quasi-forest, since each node can have a root as successor, a root can also have several predecessors, while every other node has just one. Clearly, a quasi-forest can always be transformed into a forest by removing root successors.

2.2. Hybrid Graded µ-Calculus. Let AP, Var, Prog, and Nom be finite and pairwise disjoint sets of atomic propositions, propositional variables, atomic programs (which allow us to travel the system along accessibility relations), and nominals (which are particular atomic propositions interpreted as singleton sets). The set of hybrid graded µ-calculus formulas is the smallest set such that
• true and false are formulas;
• p and ¬p, for p ∈ AP, are formulas;
• o and ¬o, for o ∈ Nom, are formulas;
• x ∈ Var is a formula;
• if ϕ_1 and ϕ_2 are formulas, α ∈ Prog, n is a non-negative integer, and y ∈ Var, then the following are also formulas: ϕ_1 ∨ ϕ_2, ϕ_1 ∧ ϕ_2, ⟨n, α⟩ϕ_1, [n, α]ϕ_1, µy.ϕ_1(y), and νy.ϕ_1(y).
Observe that we use positive normal form, i.e., negation is applied only to atomic propositions. We call µ and ν fixpoint operators. A propositional variable y occurs free in a formula if it is not in the scope of a fixpoint operator. A sentence is a formula that contains no free variables. We often refer to the graded modalities ⟨n, α⟩ϕ_1 and [n, α]ϕ_1 as atleast formulas and allbut formulas, respectively, and assume that the integers in these operators are given in binary coding: the contribution of n to the length of the formulas ⟨n, α⟩ϕ and [n, α]ϕ is ⌈log n⌉ rather than n.

The semantics of the hybrid graded µ-calculus is defined with respect to a Kripke structure, i.e., a tuple K = ⟨W, W_0, R, L⟩ where W is a non-empty set of states, W_0 ⊆ W is the set of initial states, R : Prog → 2^{W×W} is a function that assigns to each atomic program a transition relation over W, and L : AP ∪ Nom → 2^W is a labeling function that assigns to each atomic proposition and nominal a set of states such that the sets assigned to nominals are singletons and subsets of W_0. If (w, w′) ∈ R(α), we say that w′ is an α-successor of w. Informally, an atleast formula ⟨n, α⟩ϕ holds at a state w of K if ϕ holds in at least n+1 α-successors of w. Dually, the allbut formula [n, α]ϕ holds in a state w of K if ϕ holds in all but at most n α-successors of w. Note that ¬⟨n, α⟩ϕ is equivalent to [n, α]¬ϕ, and the modalities ⟨α⟩ϕ and [α]ϕ of the standard µ-calculus can be expressed as ⟨0, α⟩ϕ and [0, α]ϕ, respectively.

To formalize the semantics, we introduce valuations. Given a Kripke structure K = ⟨W, W_0, R, L⟩ and a set {y_1, ..., y_n} of variables in Var, a valuation V : {y_1, ..., y_n} → 2^W is an assignment of subsets of W to the variables y_1, ..., y_n. For a valuation V, a variable y, and a set W′ ⊆ W, we denote by V[y ← W′] the valuation obtained from V by assigning W′ to y. A formula ϕ with free variables among y_1, ..., y_n is interpreted over K as a mapping ϕ^K from valuations to 2^W, i.e., ϕ^K(V) denotes the set of points that satisfy ϕ under valuation V. The mapping ϕ^K is defined inductively as follows:
• true^K(V) = W and false^K(V) = ∅;
• for p ∈ AP ∪ Nom, we have p^K(V) = L(p) and (¬p)^K(V) = W \ L(p);
• for y ∈ Var, we have y^K(V) = V(y);
• (ϕ_1 ∧ ϕ_2)^K(V) = ϕ_1^K(V) ∩ ϕ_2^K(V) and (ϕ_1 ∨ ϕ_2)^K(V) = ϕ_1^K(V) ∪ ϕ_2^K(V);
• (⟨n, α⟩ϕ)^K(V) = {w : |{w′ ∈ W : (w, w′) ∈ R(α) and w′ ∈ ϕ^K(V)}| ≥ n+1};
• ([n, α]ϕ)^K(V) = {w : |{w′ ∈ W : (w, w′) ∈ R(α) and w′ ∉ ϕ^K(V)}| ≤ n};
• (µy.ϕ(y))^K(V) = ⋂{W′ ⊆ W : ϕ^K(V[y ← W′]) ⊆ W′};
• (νy.ϕ(y))^K(V) = ⋃{W′ ⊆ W : W′ ⊆ ϕ^K(V[y ← W′])}.
For a state w of a Kripke structure K, we say that K satisfies ϕ at w if w ∈ ϕ^K. In what follows, a formula ϕ counts up to b if the maximal integer in atleast and allbut formulas used in ϕ is b−1.

3. Hybrid Graded µ-Calculus Module Checking

In this paper we consider open systems, i.e., systems that interact with their environment and whose behavior depends on this interaction. The (global) behavior of such a system is described by a module M = ⟨W_s, W_e, W_0, R, L⟩, which is a Kripke structure where the set of states W = W_s ∪ W_e is partitioned into system states W_s and environment states W_e. Given a module M, we assume that its states are ordered and the number of successors of each state w is finite. For each w ∈ W, we denote by succ(w) the ordered tuple (possibly empty) of w's α-successors, for all α ∈ Prog. When M is in a system state w_s, then all states in succ(w_s) are possible next states. On the other hand, when M is in an environment state w_e, the possible next states (that are in succ(w_e)) depend on the current environment. Since the behavior of the environment is not predictable, we have to consider all the possible sub-tuples of succ(w_e).
The only constraint, since we consider environments that cannot block the system, is that not all the transitions from w_e are disabled. The set of all (maximal) computations of M, starting from W_0, is described by a (W, Prog)-labeled quasi-forest ⟨F_M, V_M, E_M⟩, called computation quasi-forest, which is obtained by unwinding M in the usual way. The problem of deciding, for a given branching-time formula ϕ over AP ∪ Nom, whether ⟨F_M, L ∘ V_M, E_M⟩ satisfies ϕ at a root node, denoted M ⊨ ϕ, is the usual model-checking problem [CE81, QS81]. On the other hand, for an open system M, the quasi-forest ⟨F_M, V_M, E_M⟩ corresponds to a very specific environment, i.e., a maximal environment that never restricts the set of its next states. Therefore, when we examine a branching-time formula ϕ w.r.t. M, the formula ϕ should hold not only in ⟨F_M, V_M, E_M⟩, but in all quasi-forests obtained by pruning from ⟨F_M, V_M, E_M⟩ subtrees rooted at children of environment nodes, as well as inhibiting some of their jumps to roots (that is, successor nodes labeled with nominals), if there are any. The set of these quasi-forests, which collects all possible behaviors of the environment, is denoted by exec(M) and is formally defined as follows. A quasi-forest ⟨F, V, E⟩ ∈ exec(M) iff
• for each w_i ∈ W_0, we have V(i) = w_i;
• for each x ∈ F, with V(x) = w, succ(w) = ⟨w_1, ..., w_n, w_{n+1}, ..., w_{n+m}⟩, and succ(w) ∩ W_0 = ⟨w_{n+1}, ..., w_{n+m}⟩, there exists a sub-tuple S = ⟨w′_1, ..., w′_p, w′_{p+1}, ..., w′_{p+q}⟩ of succ(w) such that p + q ≥ 1 and the following hold:
  − S = succ(w) if w ∈ W_s;
  − children(x) = {x·1, ..., x·p} and, for 1 ≤ j ≤ p, we have V(x·j) = w′_j and E(x, x·j) = α if (w, w′_j) ∈ R(α);
  − for 1 ≤ j ≤ q, let x_j ∈ N be such that V(x_j) = w′_{p+j}; then E(x, x_j) = α if (w, w′_{p+j}) ∈ R(α).
In the following, we consider quasi-forests in exec(M) as labeled with (2^{AP ∪ Nom}, Prog), i.e., taking the label of a node x as L(V(x)). For a module M and a formula ϕ of the hybrid graded µ-calculus, we say that M reactively satisfies ϕ, denoted M ⊨_r ϕ (where "r" stands for reactively), if all quasi-forests in exec(M) satisfy ϕ. The problem of deciding whether M ⊨_r ϕ is called hybrid graded µ-calculus module checking.

3.1. Open Pushdown Systems (OPD). An OPD over AP, Nom and Prog is a tuple S = ⟨Q, Γ, ♭, C_0, ∆, ρ_1, ρ_2, Env⟩, where Q is a finite set of (control) states, Γ is a finite stack alphabet, and ♭ ∉ Γ is the stack bottom symbol. We set Γ_♭ = Γ ∪ {♭}, Conf = Q × (Γ^* · ♭) to be the set of (pushdown) configurations, and for each configuration (q, A·γ), we set top((q, A·γ)) = (q, A) to be a top configuration. The function ∆ : Prog → 2^{(Q × Γ_♭) × (Q × Γ_♭^*)} is a finite set of transition rules such that ♭ is always present at the bottom of the stack and nowhere else (thus whenever ♭ is read, it is pushed back). Note that we make this assumption also about the various pushdown automata we use later. The set C_0 ⊆ Conf is a finite set of initial configurations, ρ_1 : AP → 2^{Q × Γ_♭} and ρ_2 : Nom → C_0 are labeling functions associating respectively to each atomic proposition p a set of top configurations in which p holds and to each nominal exactly one initial configuration. Finally, Env ⊆ Q × Γ_♭ specifies the set of environment configurations. The size |S| of S is |Q| + |∆| + |Γ|.

The OPD moves in accordance with the transition relation ∆. Thus, ((q, A), (q′, γ)) ∈ ∆(α) implies that if the OPD is in state q and the top of the stack is A, it can move along an α-transition to state q′, and substitute γ for A. Also note that the possible operations of the system, the labeling functions, and the designation of configurations as environment configurations are all dependent only on the current control state and the top of the stack. An OPD S induces a module M_S = ⟨W_s, W_e, W_0, R, L⟩, where:
• W_s ∪ W_e = Conf, i.e. the set of pushdown configurations, and W_0 = C_0;
• W_e = {c ∈ Conf | top(c) ∈ Env};
• ((q, A·γ), (q′, γ′·γ)) ∈ R(α) iff ((q, A), (q′, γ′)) ∈ ∆(α);
• L(p) = {c ∈ Conf | top(c) ∈ ρ_1(p)} for p ∈ AP; L(o) = ρ_2(o) for o ∈ Nom.
The hybrid graded (µ-calculus) pushdown module checking problem is to decide, for a given OPD S and an enriched µ-calculus formula ϕ, whether M_S ⊨_r ϕ.

4. Tree Automata

4.1. Two-way Graded Alternating Parity Tree Automata (2GAPT). These automata have been introduced and deeply investigated in [BLMV06]. In this section we just recall the main definitions and results and refer to the literature for more details. Intuitively, 2GAPT are an extension of nondeterministic tree automata in such a way that a 2GAPT can send several copies of itself to the same successor (alternating), send copies of itself to the predecessor (two-way), specify a number n of successors to which copies of itself are sent (graded), and accept trees along with a parity acceptance condition. To give a more formal definition, let us recall some technicalities from [BLMV06].
F or a giv en set Y , let B + ( Y ) b e th e set of p ositiv e Bo olean formulas o v er Y (i.e., Boolean form ulas bu ilt from elemen ts in Y using ∧ and ∨ ), w here we also allo w the formulas true and fa lse and ∧ has precedence o v er ∨ . F or a set X ⊆ Y and a f ormula θ ∈ B + ( Y ), we sa y that X s atisfies θ iff assigning true to elemen ts in X and assigning false to elemen ts in Y \ X makes θ true . F or b > 0 , let h [ b ] i = {h 0 i , h 1 i , . . . , h b i} , [[ b ]] = { [0] , [1] , . . . , [ b ] } , and D b = h [ b ] i ∪ [[ b ]] ∪ {− 1 , ε } . Intuitiv ely , D b collect s all p o ssible dir ections in wh ic h the automaton can p ro ceed. F ormally , a 2 GAPT on Σ-lab eled trees is a tuple A = h Σ, b , Q , δ , q 0 , F i , where Σ is the input alphab et , b > 0 is a counting b ound , Q is a finite set of states, δ : Q × Σ → B + ( D b × Q ) is a transition function, q 0 ∈ Q is an initial state, and F is a parit y acceptance condition (see b elo w). In tuitiv ely , an atom ( h n i , q ) (resp. ([ n ] , q )) means that A sends copies in s tate q to n + 1 (resp. all but n ) different successors of the cur ren t n o de, ( ε, q ) mea ns that A sends a copy (in state q ) to the curr en t n o de, and ( − 1 , q ) means that A sen ds a copy to the predecessor of the current no d e. A run of A on an input Σ-lab eled tree h T , V i is a tree h T r , r i in whic h eac h node is lab eled by an element of T × Q . In tuitiv ely , a no d e in T r lab eled by ( x, q ) d escrib es a cop y of th e automaton in state q that reads the no d e x of T . Run s start in the initial state and satisfy the transitio n relat ion. 
Th us, a ru n h T r , r i with ro ot z h as to satisfy the follo wing: ( i ) r ( z ) = (1 , q 0 ) for th e ro ot 1 of T and ( ii ) for all y ∈ T r with r ( y ) = ( x, q ) and δ ( q , V ( x )) = θ , there is a (p o ssibly emp t y) set S ⊆ D b × Q , suc h that S sa tisfies θ , and for all ( d, s ) ∈ S , the f ollo wing hold: • If d ∈ {− 1 , ε } , then x · d is defined, and th ere is j ∈ N su c h that y · j ∈ T r and r ( y · j ) = ( x · d, s ); ENRICHED µ –CALCULI MODULE CHECKING ∗ 9 • If d = h n i , there are at least n + 1 d istinct ind exes i 1 , . . . , i n +1 suc h that for all 1 ≤ j ≤ n + 1, th ere is j ′ ∈ N su c h that y · j ′ ∈ T r , x · i j ∈ T , and r ( y · j ′ ) = ( x · i j , s ). • If d = [ n ], there are at least deg ( x ) − n distinct indexes i 1 , . . . , i deg ( x ) − n suc h that for all 1 ≤ j ≤ deg ( x ) − n , there is j ′ ∈ N suc h that y · j ′ ∈ T r , x · i j ∈ T , and r ( y · j ′ ) = ( x · i j , s ). Note that if θ = true , then y do es n ot need to hav e su ccessors. This is the reason why T r ma y hav e leav es. Also, sin ce th ere exists no set S as requir ed for θ = false , we cannot ha v e a r un that take s a transition w ith θ = false . A run h T r , r i is ac c epting if a ll its infinite paths satisfy the a cceptance condition. In the parity acceptance condition, F is a set { F 1 , . . . , F k } such that F 1 ⊆ . . . ⊆ F k = Q and k is called the index of the automaton. An infi nite path π on T r satisfies F if th er e is an ev en i suc h that π con tains infin itely man y sta tes from F i and fi nitely m an y states from F i − 1 . An automaton ac c epts a tree iff there exists an accepting run of th e automaton on the tree. W e d enote by L ( A ) the set of all Σ-lab e led trees that A accepts. The emptiness problem for an automaton P is to decide whether L ( P ) = ∅ . A 2 GAPT is a GAPT (i.e., “ one–way ”) if δ : Q × Σ → B + ( D b \ {− 1 } × Q ) and a 2 APT (i.e., “ non-gr ade d ”) if δ : Q × Σ → B + ( {− 1 , ε, 1 , . . . , h } × Q ). 
As a particular case of 2APT, we also consider nondeterministic parity tree automata (NPT) [KVW00]. Formally, an NPT on $\Sigma$-labeled trees is a tuple $A = \langle \Sigma, D, Q, \delta, q_0, F\rangle$, where $\Sigma$, $Q$, $q_0$, and $F$ are as in 2APT, $D$ is a finite set of branching degrees and $\delta : Q \times \Sigma \times D \to 2^{Q^*}$ is a transition function satisfying $\delta(q, \sigma, d) \subseteq Q^d$, for each $q \in Q$, $\sigma \in \Sigma$, and $d \in D$. Finally, we also consider the Büchi acceptance condition $F \subseteq Q$, which simply is a special parity condition $\{\emptyset, F, Q\}$. Thus, in the following we use the acronym NBT to denote nondeterministic Büchi tree automata on $\Sigma$-labeled trees.
The following results on 2GAPT will be useful in the rest of the paper.
Theorem 1. [BLMV06] The emptiness problem for a GAPT $A = \langle \Sigma, b, Q, \delta, q_0, F\rangle$ can be solved in time linear in the size of $\Sigma$ and $b$, and exponential in the index of the automaton and number of states.
Lemma 1. [BLMV06] Given two GAPT $A_1$ and $A_2$, there exists a GAPT $A$ such that $L(A) = L(A_1) \cap L(A_2)$ and whose size is linear in the size of $A_1$ and $A_2$.
We now recall a result on GAPT and hybrid graded $\mu$-calculus formulas.
Lemma 2 ([BLMV06]). Given a hybrid graded $\mu$-calculus sentence $\varphi$ with $\ell$ atleast subsentences and counting up to $b$, it is possible to construct a GAPT with $O(|\varphi|^2)$ states, index $|\varphi|$, and counting bound $b$ that accepts exactly each tree that encodes a quasi-forest model of $\varphi$.
4.2. Nondeterministic Pushdown Parity Tree Automata (PD–NPT). A PD–NPT (without $\varepsilon$-transitions), on $\Sigma$-labeled full $h$-ary trees, is a tuple $P = \langle \Sigma, \Gamma, \flat, Q, q_0, \gamma_0, \rho, F\rangle$, where $\Sigma$ is a finite input alphabet, $\Gamma$, $\flat$, $\Gamma_\flat$, and $Q$ are as in OPD, $(q_0, \gamma_0)$ is the initial configuration, $\rho : Q \times \Sigma \times \Gamma_\flat \to 2^{(Q \times \Gamma_\flat^*)^h}$ is a transition function, and $F$ is a parity acceptance condition over $Q$.
Intuitively, when $P$ is in state $q$, reading an input node $x$ labeled by $\sigma \in \Sigma$, and the stack contains a word $A \cdot \gamma \in \Gamma^* \cdot \flat$, then $P$ chooses a tuple $\langle (q_1, \gamma_1), \ldots, (q_h, \gamma_h)\rangle \in \rho(q, \sigma, A)$ and splits in $h$ copies such that for each $1 \le i \le h$, a copy in configuration $(q_i, \gamma_i \cdot \gamma)$ is sent to the node $x \cdot i$ in the input tree. A run of $P$ on a $\Sigma$-labeled full $h$-ary tree $\langle T, V\rangle$ is a $(Q \times \Gamma^* \cdot \flat)$-labeled tree $\langle T, r\rangle$ such that
• $r(\varepsilon) = (q_0, \gamma_0)$, and
• for each $x \in T$ with $r(x) = (q, A \cdot \gamma)$, there is $\langle (q_1, \gamma_1), \ldots, (q_h, \gamma_h)\rangle \in \rho(q, V(x), A)$ such that, for all $1 \le i \le h$, we have $r(x \cdot i) = (q_i, \gamma_i \cdot \gamma)$.
The notion of accepting path is defined with respect to the control states that appear infinitely often in the path (thus without taking into account any stack content). Then, the notions given for 2GAPT regarding accepting runs, accepted trees, and accepted languages, along with the parity acceptance condition, easily extend to PD–NPT. In the following, we denote with PD–NBT a PD–NPT with a Büchi condition.
We now recall two useful results on the introduced automata.
Proposition 4.1 ([KPV02]). The emptiness problem for a PD–NPT on $\Sigma$-labeled full $h$-ary trees, having index $m$, $n$ states, and transition function $\rho$, can be solved in time exponential in $n \cdot m \cdot h \cdot |\rho|$.
Proposition 4.2 ([BMP05]). Given a PD–NBT $P = \langle \Sigma, \Gamma, Q, q_0, \gamma_0, \rho, Q\rangle$ on $\Sigma$-labeled full $h$-ary trees, and an NPT $A = \langle \Sigma, Q', q'_0, \delta, F'\rangle$, there is a PD–NPT $P'$ on $\Sigma$-labeled full $h$-ary trees, such that $L(P') = L(P) \cap L(A)$. Moreover, $P'$ has $|Q| \cdot |Q'|$ states, the same index as $A$, and the size of the transition relation is bounded by $|\rho| \cdot |\delta| \cdot h$.
5. Deciding Hybrid Graded $\mu$-calculus Module Checking
In this section, we solve the module checking problem for the hybrid graded $\mu$-calculus. In particular, we show that this problem is decidable and Exptime-complete. For the upper bound, we give an algorithm based on an automata-theoretic approach, by extending an idea of [KVW01]. For the lower bound, we give a reduction from the module checking problem for CTL, known to be Exptime-hard.
We start with the upper bound. Let $M$ be a module and $\varphi$ a hybrid graded $\mu$-calculus formula. We decide the module checking problem for $M$ against $\varphi$ by building a GAPT $A_{M \times \not\models \varphi}$ as the intersection of two automata. Essentially, the first automaton, denoted by $A_M$, is a Büchi automaton that accepts tree encodings of labeled quasi-forests of $\mathit{exec}(M)$, and the second automaton is a GAPT $A_{\not\models \varphi}$ that accepts all tree encodings of labeled quasi-forests that do not satisfy $\varphi$ (i.e., $\neg\varphi$ is satisfied at all initial nodes). Thus, $M \models_r \varphi$ iff $L(A_{M \times \not\models \varphi})$ is empty. The construction of $A_M$ proposed here extends that given in [KVW01] for solving the module checking problem for finite-state open systems with respect to CTL and CTL$^*$. The extension concerns the handling of forest models instead of trees and of formulas of the hybrid graded $\mu$-calculus. Before starting, there are a few technical difficulties to be overcome. First, we notice that $\mathit{exec}(M)$ contains quasi-forests, with labels on both edges and nodes, while Büchi automata can only accept trees with labels on nodes.
This problem is overcome by using the following three-step transformation: (1) move the label of each edge to the target node of the edge (formally using a new propositional symbol $p_\alpha$, for each atomic program $\alpha$), (2) substitute edges to roots with new propositional symbols $\uparrow^o_\alpha$ (which represents an $\alpha$-labeled edge from the current node to the unique root node labeled by the nominal $o$), and (3) add a new root, labeled with a new symbol $\mathit{root}$, and connect it with the old roots of the quasi-forest.
Let $AP' = AP \cup \{p_\alpha \mid \alpha \in \mathit{Prog}\} \cup \{\uparrow^o_\alpha \mid \alpha \in \mathit{Prog} \text{ and } o \in \mathit{Nom}\}$; we denote with $\langle T, V'\rangle$ the $(2^{AP'} \cup \mathit{Nom} \cup \{\mathit{root}\})$-labeled tree encoding of a quasi-forest $\langle F, V, E\rangle \in \mathit{exec}(M)$, obtained using the above transformation.
Another technical difficulty to handle is related to the fact that quasi-forests of $\mathit{exec}(M)$ (and thus their encodings) may not share the same structure, since they are obtained by pruning some subtrees from the computation quasi-forest $\langle F_M, V_M, E_M\rangle$ of $M$. Let $\langle T_M, V'_M\rangle$ be the computation tree of $M$ obtained from $\langle F_M, V_M, E_M\rangle$ using the above encoding. By extending an idea of [KVW01], we solve the technical problem by considering each tree $\langle T, V'\rangle$, encoding of a quasi-forest of $\mathit{exec}(M)$, as a $(2^{AP'} \cup \mathit{Nom} \cup \{\mathit{root}, \bot\})$-labeled tree $\langle T_M, V''\rangle$ (where $\bot$ is a fresh proposition name not belonging to $AP \cup \mathit{Nom} \cup \{\mathit{root}\}$) such that for each node $x \in T_M$, if $x \in T$ then $V''(x) = V'(x)$, otherwise $V''(x) = \{\bot\}$. Thus, we label each node pruned in $\langle T_M, V'_M\rangle$ with $\{\bot\}$ and, recursively, we label with $\{\bot\}$ its subtrees. In this way, all trees encoding quasi-forests of $\mathit{exec}(M)$ have the same structure as $\langle T_M, V'_M\rangle$, and they differ only in their labeling.
Accordingly, we can think of an environment as a strategy for placing $\{\bot\}$ in $\langle T_M, V'_M\rangle$, with the aim of preventing the system from satisfying a desired property while not considering the nodes labeled with $\bot$. Moreover, the environment can also disable jumps to roots. This is performed by removing from nodes corresponding to environment states some of the $\uparrow^o_\alpha$ labels. Notice that since we consider environments that do not block the system, each node associated with an environment state has at least one successor not labeled by $\{\bot\}$, unless it has $\uparrow^o_\alpha$ in its label. Let us denote by $\widehat{\mathit{exec}}(M)$ the set of all $(2^{AP'} \cup \mathit{Nom} \cup \{\mathit{root}, \bot\})$-labeled trees $\langle T_M, V''\rangle$ obtained from $\langle F, V, E\rangle \in \mathit{exec}(M)$ in the above described manner. The required NBT $A_M$ must accept all and only the $(2^{AP'} \cup \mathit{Nom} \cup \{\mathit{root}, \bot\})$-labeled trees in $\widehat{\mathit{exec}}(M)$.
The automaton $A_M = \langle \Sigma, D, Q, \delta, q_0, F\rangle$ is defined for a module $M = \langle W_s, W_e, W_0, R, L\rangle$ as follows:
• $\Sigma = 2^{AP'} \cup \mathit{Nom} \cup \{\mathit{root}, \bot\}$;
• $D = \bigcup_{w \in W} |\mathit{succ}(w) \setminus W_0|$ (that is, $D$ contains, for each state in $W$, the number of its successors, not counting its jumps to roots);
• $Q = (W \times \{\bot, \top, \vdash\}) \cup \{q_0\}$, with $q_0 \notin W$. Thus every state $w$ of $M$ induces three states $(w, \bot)$, $(w, \top)$, and $(w, \vdash)$ in $A_M$. Intuitively, when $A_M$ is in state $(w, \bot)$, it can read only $\bot$; in state $(w, \top)$, it can read only letters in $2^{AP'} \cup \mathit{Nom}$; and in state $(w, \vdash)$, it can read both letters in $2^{AP'} \cup \mathit{Nom}$ and $\bot$. In this last case, it is left to the environment to decide whether the transition to a state of the form $(w, \vdash)$ is enabled. The three types of states are used to ensure that the environment enables all transitions from enabled system states, enables at least one transition from each enabled environment state, and disables transitions from disabled states.
• The transition function $\delta : Q \times \Sigma \times D \to 2^{Q^*}$ is defined as follows. Let $x \in T$ be a node of the input tree.
− If $\mathit{root} \in V(x)$ then (let $W_0 = \{w_1, \ldots, w_m\}$) $\delta(q_0, \mathit{root}, m) = \{\langle (w_1, \top), \ldots, (w_m, \top)\rangle\}$, that is, $\delta(q_0, \mathit{root}, m)$ contains exactly one $m$-tuple of all the roots of the forest. In this case, no transition can be disabled;
− If $\mathit{root} \notin V(x)$, let $V(x) = w$ and $\mathit{succ}(w) \setminus W_0 = \langle w_1, \ldots, w_n\rangle$ be the set of non-root successors of $w$; then we have
∗ for $w \in W_e \cup W_s$ and $g \in \{\vdash, \bot\}$: $\delta((w, g), \bot, n) = \{\langle (w_1, \bot), \ldots, (w_n, \bot)\rangle\}$, that is, $\delta((w, g), \bot, n)$ contains exactly one $n$-tuple of all non-root successors of $w$. In this case, all transitions to successors of $w$ are recursively disabled;
∗ for $w \in W_s$ and $g \in \{\top, \vdash\}$: $\delta((w, g), L(w), n) = \{\langle (w_1, \top), \ldots, (w_n, \top)\rangle\}$, that is, $\delta((w, g), L(w), n)$ contains exactly one $n$-tuple of all non-root successors of $w$. In this case all transitions to successors of $w$ are enabled;
∗ for $w \in W_e$ and $g \in \{\top, \vdash\}$ with $L(w) \cap \{\uparrow^o_\alpha \mid \alpha \in \mathit{Prog} \text{ and } o \in \mathit{Nom}\} = \emptyset$ (i.e., $w$ has no jumps to roots or all of them have been disabled): $\delta((w, g), L(w), n) = \{\langle (w_1, \top), (w_2, \vdash), \ldots, (w_n, \vdash)\rangle, \langle (w_1, \vdash), (w_2, \top), \ldots, (w_n, \vdash)\rangle, \ldots, \langle (w_1, \vdash), (w_2, \vdash), \ldots, (w_n, \top)\rangle\}$, that is, $\delta((w, g), L(w), n)$ contains $n$ different $n$-tuples of all non-root successors of $w$. When $A_M$ proceeds according to the $i$-th tuple, the environment can disable all transitions to successors of $w$, except that to $w_i$;
∗ for $w \in W_e$ and $g \in \{\top, \vdash\}$ with $L(w) \cap \{\uparrow^o_\alpha \mid \alpha \in \mathit{Prog} \text{ and } o \in \mathit{Nom}\} \neq \emptyset$ (i.e., $w$ has at least one jump to roots enabled): $\delta((w, g), L(w), n) = \{\langle (w_1, \vdash), \ldots, (w_n, \vdash)\rangle\}$, that is, $\delta((w, g), L(w), n)$ contains one $n$-tuple of non-root successors of $w$, each of which can be subsequently disabled.
Notice that $\delta$ is not defined when $n$ is different from the number of non-root successors of $w$, and when the input does not meet the restriction imposed by the $\top$, $\vdash$, and $\bot$ annotations or by the labeling of $w$.
The automaton $A_M$ has $3 \cdot |W| + 1$ states, $2^{|AP| \cdot |R|} + 2$ symbols, and the size of the transition relation $|\delta|$ is bounded by $|R| \cdot (|W| \cdot 2^{|R|})$.
We recall that a node labeled by either $\{\bot\}$ or $\{\mathit{root}\}$ stands for a node that actually does not exist. Thus, we have to take this into account when we interpret formulas of the hybrid graded $\mu$-calculus over trees $\langle T_M, V'\rangle \in \widehat{\mathit{exec}}(M)$. In order to achieve this, as in [KVW01] we define a function $f$ that transforms the input formula $\varphi$ into a formula of the hybrid graded $\mu$-calculus $\varphi' = \langle 0, \alpha\rangle f(\varphi)$ (where $\alpha \in \mathit{Prog}$ is an arbitrary atomic program), that restricts path quantification to only paths that never visit a state labeled with $\{\bot\}$. The function $f$ we consider extends that given in [KVW01] and is inductively defined as follows:
• $f(\mathit{true}) = \mathit{true}$ and $f(\mathit{false}) = \mathit{false}$;
• $f(p) = p$ and $f(\neg p) = \neg p$ for all $p \in AP \cup \mathit{Nom}$;
• $f(x) = x$ for all $x \in \mathit{Var}$;
• $f(\varphi_1 \vee \varphi_2) = f(\varphi_1) \vee f(\varphi_2)$ and $f(\varphi_1 \wedge \varphi_2) = f(\varphi_1) \wedge f(\varphi_2)$ for all hybrid graded $\mu$-calculus formulas $\varphi_1$ and $\varphi_2$;
• $f(\mu x.\varphi(x)) = \mu x.f(\varphi(x))$ and $f(\nu x.\varphi(x)) = \nu x.f(\varphi(x))$ for all $x \in \mathit{Var}$ and hybrid graded $\mu$-calculus formulas $\varphi$;
• $f(\langle n, \alpha\rangle \varphi) = \langle n, \alpha\rangle(\neg\bot \wedge f(\varphi))$ for $n \in \mathbb{N}$ and for all atomic programs $\alpha$ and hybrid graded $\mu$-calculus formulas $\varphi$;
• $f([n, \alpha] \varphi) = [n, \alpha](\neg\bot \wedge f(\varphi))$ for $n \in \mathbb{N}$ and for all atomic programs $\alpha$ and hybrid graded $\mu$-calculus formulas $\varphi$.
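The case analysis defining $\delta$ above is easy to get wrong when one implements it, so here is an added worked example (our own code, not the paper's) that builds the transition function of $A_M$ for a small constructed module and lets one query it. The module, its state names, the tuple `("jump", alpha, o)` standing for a label $\uparrow^o_\alpha$, and the strings `"root"` and `"bot"` standing for the letters $\mathit{root}$ and $\bot$ are all our own encoding; the `succ` lists hold only the non-root successors $\mathit{succ}(w) \setminus W_0$, in a fixed order. Letters are compared with $L(w)$ exactly as in the paper's case analysis, so a node whose $\uparrow$ labels the environment has removed must be presented with that reduced label as $L(w)$.

```python
# Added example, not the paper's code: the transition function delta of the
# NBT A_M (Section 5) built for a small constructed module.

TOP, BOT, FREE = "top", "bot", "free"   # the annotations ⊤, ⊥ and ⊢ of A_M's states

# Constructed module M = <W_s, W_e, W_0, R, L>: a system root s0, an environment
# state e1 with three non-root successors, and an environment state e5 that
# carries an enabled jump to a root (the label ↑_a^o is encoded as a tuple).
MODULE = {
    "W_s": {"s0", "s2", "s3", "s4"},
    "W_e": {"e1", "e5"},
    "W_0": ["s0"],
    "succ": {"s0": ["e1"], "e1": ["s2", "s3", "e5"], "e5": ["s4"],
             "s2": [], "s3": [], "s4": []},
    "L": {"s0": frozenset({"p"}), "e1": frozenset({"q"}), "s2": frozenset({"p"}),
          "s3": frozenset(), "e5": frozenset({"q", ("jump", "a", "o")}),
          "s4": frozenset({"p"})},
}


def states(module):
    """Q = (W x {⊥,⊤,⊢}) ∪ {q0}: three copies of each module state plus q0."""
    W = module["W_s"] | module["W_e"]
    return {(w, g) for w in W for g in (BOT, TOP, FREE)} | {"q0"}


def state_count(module):
    """Size of Q, which the paper states to be 3|W| + 1."""
    return len(states(module))


def has_jump(label):
    """True iff the label still contains some enabled ↑_alpha^o symbol."""
    return any(isinstance(x, tuple) and x[0] == "jump" for x in label)


def delta(module, q, letter, n):
    """delta(q, letter, n): the set of n-tuples of A_M states, one per child.

    The empty set is returned wherever the paper leaves delta undefined
    (wrong degree, or a letter not allowed by the ⊤/⊢/⊥ annotation or by L(w))."""
    if q == "q0":
        roots = module["W_0"]
        if letter == "root" and n == len(roots):
            # the added root: every old root is entered in state ⊤, nothing can be pruned
            return {tuple((w, TOP) for w in roots)}
        return set()
    w, g = q
    kids = module["succ"][w]
    if n != len(kids):
        return set()
    if letter == "bot":
        # a ⊥ node may be read only in a ⊢ or ⊥ state; the subtree is then
        # disabled recursively by sending ⊥ states to every child
        return {tuple((c, BOT) for c in kids)} if g in (FREE, BOT) else set()
    if g == BOT or letter != module["L"][w]:
        return set()
    if w in module["W_s"]:
        # enabled system state: every successor is enabled
        return {tuple((c, TOP) for c in kids)}
    if not has_jump(letter):
        # environment state with no enabled jump: the environment may disable
        # every successor except one, so one n-tuple per choice of the kept w_i
        return {tuple((c, TOP if j == i else FREE) for j, c in enumerate(kids))
                for i in range(len(kids))}
    # environment state with an enabled jump to a root: each non-root
    # successor may be disabled later on (all children get ⊢)
    return {tuple((c, FREE) for c in kids)}
```

Querying `delta` for the environment state `e1` in state $(e1, \top)$ with its own label and degree 3 yields the three tuples with exactly one $\top$ each; for `e5`, whose label still contains a jump, it yields the single all-$\vdash$ tuple; and reading `"bot"` in a $\top$ state yields nothing, which is the paper's "not defined".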
By definition of $f$, it follows that for each formula $\varphi$ and $\langle T, V\rangle \in \widehat{\mathit{exec}}(M)$, $\langle T, V\rangle$ satisfies $\varphi' = \langle 0, \alpha\rangle f(\varphi)$ iff the $2^{AP'} \cup \mathit{Nom}$-labeled forest, obtained from $\langle T, V\rangle$ by removing the node labeled with $\{\mathit{root}\}$ and all nodes labeled by $\{\bot\}$, satisfies $\varphi$. Therefore, we solve the module checking problem of $M$ against a hybrid graded $\mu$-calculus formula $\varphi$ by checking (for its negation) that in $\widehat{\mathit{exec}}(M) = L(A_M)$ there does not exist any tree $\langle T, V\rangle$ satisfying $\neg\varphi' = [0, \alpha] f(\neg\varphi)$ (note that $|f(\neg\varphi)| = O(|\neg\varphi|)$). We reduce the latter to checking the emptiness of a GAPT $A_{M \times \not\models f(\varphi)}$ that is defined as the intersection of the NBT $A_M$ with a GAPT $A_{\not\models f(\varphi)}$ accepting exactly the $2^{AP'} \cup \mathit{Nom} \cup \{\mathit{root}, \bot\}$-labeled tree encodings of quasi-forests not satisfying $f(\varphi)$. By Lemma 2, if $\varphi$ is a hybrid graded $\mu$-calculus formula, then $A_{\not\models f(\varphi)}$ has $O(|\varphi|^2)$ states, index $|\varphi|$, and counting bound $b$. Therefore, by Lemma 1, $A_{M \times \not\models f(\varphi)}$ has $O(|W| + |\varphi|^2)$ states, index $|\varphi|$, and counting bound $b$. By recalling that the emptiness problem for a GAPT can be decided in exponential time (Theorem 1), we obtain that the module checking problem for hybrid graded $\mu$-calculus formulas is solvable in exponential time.
To show a tight lower bound we recall that CTL module checking is Exptime-hard [KVW01] and every CTL formula can be linearly transformed into a modal $\mu$-calculus formula [Jur98]. This makes the module checking problem w.r.t. modal $\mu$-calculus formulas Exptime-hard, and thus leads to the following result.
Theorem 2. The module checking problem with respect to hybrid graded $\mu$-calculus formulas is Exptime-complete.
6. Deciding Hybrid Graded $\mu$-calculus PD-module Checking
In this section, we show that hybrid graded pushdown module checking is decidable and solvable in 2Exptime.
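To make the role of $f$ and of the guard $\neg\bot$ concrete, here is an added example (our own code, not the paper's) that implements the rewriting $f$ on a small formula AST and checks, on a constructed tree, the claim just made: $\langle 0, \alpha\rangle f(\varphi)$ evaluated on the $\bot$-padded tree agrees with $\varphi$ evaluated on the forest with the root and the $\bot$ nodes really removed. It simplifies the paper's setting in three ways that are our own assumptions: the evaluator handles only the fixpoint-free fragment (the `mu`/`nu` cases are rewritten by `f` but not evaluated), nominals are left out, and edge labels are kept on edges rather than moved to the $p_\alpha$ symbols of the encoding. Only the $\langle n, \alpha\rangle$ modality is exercised in the agreement check.

```python
# Added example, not the paper's code: the rewriting f of Section 5 on a
# formula AST, with a fixpoint-free evaluator used to check the claim that
# <0,alpha> f(phi) on the ⊥-padded tree agrees with phi on the pruned forest.

BOT = "bot"    # the fresh proposition ⊥ marking pruned nodes
ROOT = "root"  # the label of the added root


def f(phi):
    """The inductive rewriting f: every graded modality is guarded by ¬⊥."""
    tag = phi[0]
    if tag in ("true", "false", "prop", "nprop", "var"):
        return phi
    if tag in ("or", "and"):
        return (tag, f(phi[1]), f(phi[2]))
    if tag in ("mu", "nu"):                # ("mu", x, body)
        return (tag, phi[1], f(phi[2]))
    if tag in ("dia", "box"):              # ("dia", n, alpha, body) is <n,alpha> body
        _, n, alpha, body = phi
        return (tag, n, alpha, ("and", ("nprop", BOT), f(body)))
    raise ValueError(f"unknown tag {tag!r}")


def restricted(phi, alpha):
    """phi' = <0,alpha> f(phi): step from the added root into the old roots."""
    return ("dia", 0, alpha, f(phi))


def size(phi):
    """AST node count; f adds a constant per modality, so |f(phi)| = O(|phi|)."""
    return 1 + sum(size(c) for c in phi[1:] if isinstance(c, tuple))


def holds(tree, node, phi):
    """Evaluate a fixpoint-free formula at node; tree[node] = (label, [(alpha, child), ...])."""
    tag = phi[0]
    label, edges = tree[node]
    if tag == "true":
        return True
    if tag == "false":
        return False
    if tag == "prop":
        return phi[1] in label
    if tag == "nprop":
        return phi[1] not in label
    if tag == "or":
        return holds(tree, node, phi[1]) or holds(tree, node, phi[2])
    if tag == "and":
        return holds(tree, node, phi[1]) and holds(tree, node, phi[2])
    if tag in ("dia", "box"):
        _, n, alpha, body = phi
        kids = [c for a, c in edges if a == alpha]
        good = sum(holds(tree, c, body) for c in kids)
        # <n,alpha> body: at least n+1 alpha-successors satisfy body;
        # [n,alpha] body: all but at most n alpha-successors satisfy body
        return good >= n + 1 if tag == "dia" else len(kids) - good <= n
    raise ValueError(f"unsupported tag {tag!r}")


def padded_tree(pruned):
    """Constructed encoding: added root r -> x -a-> y1, y2, y3.  The nodes named
    in `pruned` get the label {⊥} (their subtrees, empty here, would be relabeled too)."""
    lab = {"x": {"s"}, "y1": {"p"}, "y2": {"p"}, "y3": {"q"}}
    for y in pruned:
        lab[y] = {BOT}
    return {"r": ({ROOT}, [("a", "x")]),
            "x": (lab["x"], [("a", "y1"), ("a", "y2"), ("a", "y3")]),
            "y1": (lab["y1"], []), "y2": (lab["y2"], []), "y3": (lab["y3"], [])}


def pruned_forest(pruned):
    """The same forest with the added root and the ⊥ nodes actually removed."""
    t = padded_tree(pruned)
    keep = {v for v in t if v != "r" and BOT not in t[v][0]}
    return {v: (lab, [(a, c) for a, c in edges if c in keep])
            for v, (lab, edges) in t.items() if v in keep}


def agree(phi, pruned, alpha="a"):
    """Does <0,alpha> f(phi) on the padded tree match phi on the pruned forest?"""
    on_padded = holds(padded_tree(pruned), "r", restricted(phi, alpha))
    on_pruned = holds(pruned_forest(pruned), "x", phi)
    return on_padded == on_pruned
```

With $\varphi = \langle 1, a\rangle p$ ("at least two $a$-successors satisfy $p$"), the unpruned forest satisfies $\varphi$ while the one in which the environment has pruned `y2` does not; the padded tree with `y2` relabeled $\{\bot\}$ gives the same verdicts through $\langle 0, a\rangle f(\varphi)$, because the guard $\neg\bot$ stops the $\bot$ node from being counted as a witness.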
Since CTL pushdown module checking is 2Exptime-hard, we get that the addressed problem is 2Exptime-complete. For the upper bound, the algorithm works as follows. Given an OPD $S$ and the module $M_S$ induced by $S$, by combining and extending the constructions given in [BMP05] and Section 5, we first build in polynomial time a PD–NBT $A_S$ accepting each tree that encodes a quasi-forest belonging to $\mathit{exec}(M_S)$. Then, given a hybrid graded $\mu$-calculus formula $\varphi$, according to [BLMV06], we build in polynomial time a GAPT $A_{\not\models \varphi}$ (Lemma 2) accepting all models that do not satisfy $\varphi$, with the intent of checking that none of these models are in $\mathit{exec}(M_S)$. Then, according to the basic idea of [KVW01], we check that $M_S \models_r \varphi$ by checking whether $L(A_S) \cap L(A_{\not\models \varphi})$ is empty. Finally, we get the result by using an exponential-time reduction of the latter to the emptiness problem for PD–NPT, which from Proposition 4.1 can be solved in Exptime. As a key step of the above reduction, we use the exponential-time translation from GAPT into NPT shown in Lemma 5.
Let us start dealing with $A_S$. Before building the automaton, there are some technical difficulties to overcome. First, notice that $A_S$ is a PD–NBT and it can only deal with trees having labels on nodes. Also, quasi-forests of $\mathit{exec}(M_S)$ may not share the same structure, since they are obtained by pruning subtrees from the computation quasi-forest $\langle F_{M_S}, V_{M_S}, E_{M_S}\rangle$ of $M_S$. As in Section 5, we solve this problem by considering $2^{AP'} \cup \mathit{Nom} \cup \{\mathit{root}, \bot\}$-labeled tree encodings of quasi-forests $\langle F, V, E\rangle \in \mathit{exec}(M_S)$, where $AP' = AP \cup \{p_\alpha \mid \alpha \in \mathit{Prog}\} \cup \{\uparrow^o_\alpha \mid \alpha \in \mathit{Prog} \text{ and } o \in \mathit{Nom}\}$.
Another technical difficulty to handle is related to the fact that quasi-forests of $\mathit{exec}(M_S)$ (and thus their encodings) may not be full $h$-ary, since the nodes of the OPD from which $M_S$ is induced may have different degrees. Technically, we need this property since the emptiness problem for PD–NPT, to which we reduce our problem, has been solved in the literature only for PD–NPT working on full trees. Similarly as we did for pruned nodes, we transform each tree encoding of a quasi-forest of $\mathit{exec}(M_S)$ into a full $h$-ary tree by adding missing nodes labeled with $\{\bot\}$. Therefore the proposition $\bot$ is used to denote both "disabled" states and "completion" states. In this way, all tree encodings of quasi-forests of $\mathit{exec}(M_S)$ are full $h$-ary trees, and they differ only in their labeling. Let us denote with $\widehat{\mathit{exec}}(M_S)$ the set of all $2^{AP'} \cup \mathit{Nom} \cup \{\mathit{root}, \bot\}$-labeled full $h$-ary trees obtained from $\langle F_{M_S}, V_{M_S}, E_{M_S}\rangle$ using all the transformations described above.
In [BMP05] it has been shown how to build a PD–NBT accepting full $h$-ary trees embedded in an OPD corresponding to all behaviors of the environment. In particular, the PD–NBT constructed there already takes into account the above transformation regarding $\{\bot\}$-labeled nodes. By extending the construction proposed there in the same way the construction shown in Section 5 extends the classical construction of $A_M$ proposed in [KVW01], it is not hard to show that the following result holds.
Lemma 3. Given an OPD $S = \langle Q, \Gamma, \flat, C_0, \Delta, \rho_1, \rho_2, \mathit{Env}\rangle$ with branching degree $h$, we can build a PD–NBT $A_S = \langle \Sigma, \Gamma, \flat, Q', q'_0, \gamma_0, \delta, Q\rangle$, which accepts exactly $\widehat{\mathit{exec}}(M_S)$, such that $\Sigma = 2^{AP'} \cup \mathit{Nom} \cup \{\mathit{root}, \bot\}$, $|Q'| = O(|Q|^2 \cdot |\Gamma|)$, and $|\delta|$ is polynomially bounded by $h \cdot |\Delta|$.
Let us now go back to the hybrid graded $\mu$-calculus formula $\varphi$. Using the function $f$ introduced in Section 5 and Lemma 2, we get that, given a hybrid graded $\mu$-calculus formula $\varphi$, we can build in polynomial time a GAPT $A_{\not\models f(\varphi)}$ accepting all models of $\neg\varphi' = [0, \alpha] f(\neg\varphi)$ (as done in Section 5). By using the classical Exptime transformation from GAPT to GNPT [KSV02] and a simple Exptime transformation from GNPT to NPT, we directly get a 3Exptime algorithm for hybrid graded $\mu$-calculus pushdown module checking. To obtain an exponential-time improvement, here we show a non-trivial Exptime transformation from 2GAPT to NPT. The translation we propose uses the notions of strategies, promises and annotations, which we now recall.
Let $A = \langle \Sigma, b, Q, \delta, q_0, F\rangle$ be a 2GAPT with $F = \langle F_1, \ldots, F_k\rangle$ and $\langle T, V\rangle$ be a $\Sigma$-labeled tree. Recall that $D_b = \langle[b]\rangle \cup [[b]] \cup \{-1, \varepsilon\}$ and $\delta : (Q \times \Sigma) \to B^+(D_b \times Q)$. For each control state $q \in Q$, let $\mathit{index}(q)$ be the minimal $i$ such that $q \in F_i$. A strategy tree for $A$ on $\langle T, V\rangle$ is a $2^{Q \times D_b \times Q}$-labeled tree $\langle T, \mathit{str}\rangle$ such that, defining $\mathit{head}(w) = \{q : (q, d, q') \in w\}$ as the set of sources of $w$, it holds that (i) $q_0 \in \mathit{head}(\mathit{str}(\mathit{root}(T)))$ and (ii) for each node $x \in T$ and state $q$, the set $\{(q, q') : (q, d, q') \in \mathit{str}(x)\}$ satisfies $\delta(q, V(x))$. A promise tree for $A$ on $\langle T, V\rangle$ is a $2^{Q \times Q}$-labeled tree $\langle T, \mathit{pro}\rangle$. We say that $\mathit{pro}$ fulfills $\mathit{str}$ for $V$ if the states promised to be visited by $\mathit{pro}$ satisfy the obligations induced by $\mathit{str}$ as it runs on $V$. Formally, $\mathit{pro}$ fulfills $\mathit{str}$ for $V$ if for every node $x \in T$ the following holds: "for every $(q, \langle n\rangle, q') \in \mathit{str}(x)$ (resp. $(q, [n], q') \in \mathit{str}(x)$), at least $n+1$ (resp. $\deg(x) - n$) successors $x \cdot j$ of $x$ have $(q, q') \in \mathit{pro}(x \cdot j)$".
An annotation tree for $A$ on $\langle T, \mathit{str}\rangle$ and $\langle T, \mathit{pro}\rangle$ is a $2^{Q \times \{1, \ldots, k\} \times Q}$-labeled tree $\langle T, \mathit{ann}\rangle$ such that for each $x \in T$ and $(q, d_1, q_1) \in \mathit{str}(x)$ the following hold:
• if $d_1 = \varepsilon$, then $(q, \mathit{index}(q_1), q_1) \in \mathit{ann}(x)$;
• if $d_1 \in \{1, \ldots, k\}$, then for all $d_2 \in \{1, \ldots, k\}$ and $q_2 \in Q$ such that $(q_1, d_2, q_2) \in \mathit{ann}(x)$, we have $(q, \min(d_1, d_2), q_2) \in \mathit{ann}(x)$;
• if $d_1 = -1$ and $x = y \cdot i$, then for all $d_2, d_3 \in \{1, \ldots, k\}$ and all $q_2, q_3 \in Q$ satisfying $(q_1, d_2, q_2) \in \mathit{ann}(y)$ as well as $(q_2, d_3, q_3) \in \mathit{str}(y)$ and $(q_2, q_3) \in \mathit{pro}(x)$, we have that $(t, \min(\mathit{index}(q_1), d_2, \mathit{index}(q_3)), q_3) \in \mathit{ann}(x)$;
• if $d_1 \in [[b]] \cup \langle[b]\rangle$, $y = x \cdot i$, and $(q, q_1) \in \mathit{pro}(y)$, then for all $d_2, d_3 \in \{1, \ldots, k\}$ and $q_2, q_3 \in Q$ such that $(q_1, d_2, q_2) \in \mathit{ann}(y)$ and $(q_2, -1, q_3) \in \mathit{str}(y)$, it holds that $(t, \min(\mathit{index}(q_1), d_2, \mathit{index}(q_3)), q_3) \in \mathit{ann}(x)$.
A downward path induced by $\mathit{str}$, $\mathit{pro}$, and $\mathit{ann}$ on $\langle T, V\rangle$ is a sequence $\langle x_0, q_0, t_0\rangle, \langle x_1, q_1, t_1\rangle, \ldots$ such that $x_0 = \mathit{root}(T)$, $q_0$ is the initial state of $A$ and, for each $i \ge 0$, it holds that $x_i \in T$, $q_i \in Q$, and $t_i = \langle q_i, d, q_{i+1}\rangle \in \mathit{str}(x_i) \cup \mathit{ann}(x_i)$ is such that either (i) $d \in \{1, \ldots, k\}$ and $x_{i+1} = x_i$, or (ii) $d \in \langle[b]\rangle \cup [[b]]$ and there exists $c \in \{1, \ldots, \deg(x_i)\}$ such that $x_{i+1} = x_i \cdot c$ and $(q_i, q_{i+1}) \in \mathit{pro}(x_{i+1})$. In the first case we set $\mathit{index}(t_i) = d$ and in the second case we set $\mathit{index}(t_i) = \min\{j \in \{1, \ldots, k\} \mid q_{i+1} \in F_j\}$. Moreover, for a downward path $\pi$, we set $\mathit{index}(\pi)$ as the minimum index that appears infinitely often in $\pi$. Finally, we say that $\pi$ is accepting if $\mathit{index}(\pi)$ is even.
The following lemma relates languages accepted by 2GAPT with strategies, promises, and annotations.
Lemma 4 ([BLMV06]). Let $A$ be a 2GAPT. A $\Sigma$-labeled tree $\langle T, V\rangle$ is accepted by $A$ iff there exist a strategy tree $\langle T, \mathit{str}\rangle$, a promise tree $\langle T, \mathit{pro}\rangle$ for $A$ on $\langle T, V\rangle$ such that $\mathit{pro}$ fulfills $\mathit{str}$ for $V$, and an annotation tree $\langle T, \mathit{ann}\rangle$ for $A$ on $\langle T, V\rangle$, $\langle T, \mathit{str}\rangle$ and $\langle T, \mathit{pro}\rangle$ such that every downward path induced by $\mathit{str}$, $\mathit{pro}$, and $\mathit{ann}$ on $\langle T, V\rangle$ is accepting.
Given an alphabet $\Sigma$ for the input tree of a 2GAPT with transition function $\delta$, let $D^\delta_b$ be the subset containing only the elements of $D_b$ appearing in $\delta$. Then we denote by $\Sigma'$ the extended alphabet for the combined trees, i.e., $\Sigma' = \Sigma \times 2^{Q \times D^\delta_b \times Q} \times 2^{Q \times Q} \times 2^{Q \times \{1, \ldots, k\} \times Q}$.
Lemma 5. Let $A$ be a 2GAPT running on $\Sigma$-labeled trees with $n$ states, index $k$ and counting bound $b$ that accepts $h$-ary trees. It is possible to construct in exponential time an NPT $A'$ running on $\Sigma'$-labeled $h$-ary trees that accepts a tree iff $A$ accepts its projection on $\Sigma$.
Proof. Let $A = \langle \Sigma, b, Q, q_0, \delta, F\rangle$ with $F = \langle F_1, \ldots, F_k\rangle$. By Lemma 4, we construct $A'$ as the intersection of two NBT $A'$, $A''$, and an NPT $A'''$. In particular, all these automata have size exponential in the size of $A$. Moreover, since each NBT uses all its states as accepting, it is easy to intersect all of them in polynomial time by using a classical automata product. These automata are defined as follows. Given a $\Sigma'$-labeled tree $T' = \langle T, (V, \mathit{str}, \mathit{pro}, \mathit{ann})\rangle$,
(1) $A'$ accepts $T'$ iff $\mathit{str}$ is a strategy for $A$ on $\langle T, V\rangle$ and $\mathit{pro}$ fulfills $\mathit{str}$ for $V$,
(2) $A''$ accepts $T'$ iff $\mathit{ann}$ is an annotation for $A$ on $\langle T, V\rangle$, $\langle T, \mathit{str}\rangle$ and $\langle T, \mathit{pro}\rangle$, and
(3) $A'''$ accepts $T'$ iff every downward path induced by $\mathit{str}$, $\mathit{pro}$, and $\mathit{ann}$ on $\langle T, V\rangle$ is accepting.
The automaton $A' = \langle \Sigma', D', Q', q'_0, \delta', F'\rangle$ works as follows: on reading a node $x$ labeled $(\sigma, \eta, \rho, \omega)$, it locally checks whether $\eta$ satisfies the definition of strategy for $A$ on $\langle T, V\rangle$. In particular, when $A'$ is in its initial state, we check that $\eta$ contains a transition starting from the initial state of $A$. Moreover, the automaton $A'$ sends to each child $x \cdot i$ the pairs of states that have to be contained in $\mathit{pro}(x \cdot i)$, in order to verify that $\mathit{pro}$ fulfills $\mathit{str}$. To obtain this, we set $Q' = 2^{Q \times Q} \cup \{q'_0\}$, $D' = \{1, \ldots, h\}$ and $F' = \{\emptyset, Q'\}$. To define $\delta'$, we first give the following definition. For each node $x \in T$ labeled $(\sigma, \eta, \rho, \omega)$, we set
$$S(\eta) = \{\langle S_1, \ldots, S_{\deg(x)}\rangle \in (2^{Q \times Q})^{\deg(x)} \text{ such that } [\text{for each } (q, \langle m\rangle, p) \in \eta \text{ there is } P \subseteq \{1, \ldots, \deg(x)\} \text{ with } |P| = m+1 \text{ such that for all } i \in P,\ (q, p) \in S_i] \text{ and } [\text{for each } (q, [m], p) \in \eta \text{ there is } P \subseteq \{1, \ldots, \deg(x)\} \text{ with } |P| = \deg(x) - m \text{ such that for all } i \in P,\ (q, p) \in S_i]\}$$
to be the set of all tuples of size $\deg(x)$, each fulfilling all graded modalities in $\mathit{str}(x)$. Notice that $|S(\eta)| \le 2^{hn^2}$. Then we have
$$\delta'(q, (\sigma, \eta, \rho, \omega), \deg(x)) = \begin{cases} S(\eta) & \text{if } \forall p \in \mathit{head}(\eta),\ \{(d, p') \mid (p, d, p') \in \eta\} \text{ satisfies } \delta(p, \sigma) \text{ and } [(q = q'_0 \text{ and } q_0 \in \mathit{head}(\eta)) \text{ or } (q \neq q'_0 \text{ and } q \subseteq \rho)] \\ \mathit{false} & \text{otherwise.} \end{cases}$$
Hence, in $A'$ we have $|Q'| = 2^{n^2}$, $|\delta'| \le 2^{n^2(k+1)}$, and index 2.
$A'' = \langle \Sigma', D'', Q'', q''_0, \delta'', F''\rangle$ works in a similar way to $A'$.
That is, for each node $x$, it first locally checks whether the constraints of the annotations are verified; then it sends to the children of $x$ the strategy and annotation associated with $x$, in order to subsequently verify whether the promises associated with the children nodes are consistent with the annotation of $x$. Therefore, in $A''$ we have $Q'' = 2^{Q \times D^\delta_b \times Q} \times 2^{Q \times \{1, \ldots, k\} \times Q}$, $q''_0 = (\emptyset, \emptyset)$, $F'' = \{\emptyset, Q''\}$, $D'' = \{1, \ldots, h\}$, and for a state $(\eta_{\mathit{prev}}, \omega_{\mathit{prev}})$ and a letter $(\sigma, \eta, \rho, \omega)$ we have
$$\delta''((\eta_{\mathit{prev}}, \omega_{\mathit{prev}}), (\sigma, \eta, \rho, \omega), \deg(x)) = \begin{cases} \langle (\eta, \omega), \ldots, (\eta, \omega)\rangle & \text{if the local conditions for the annotations are verified} \\ \mathit{false} & \text{otherwise.} \end{cases}$$
Hence, in $A''$ we have $|Q''| \le 2^{n^2(|\delta| + k)}$, $|\delta''| \le h \cdot 2^{n^2(|\delta| + k)}$, and index 2.
Finally, to define $A'''$ we start by constructing a 2APT $B$ whose size is polynomial in the size of $A$ and which accepts $\langle T, (V, \mathit{str}, \mathit{pro}, \mathit{ann})\rangle$ iff there is a non-accepting downward path (w.r.t. $A$) induced by $\mathit{str}$, $\mathit{pro}$, and $\mathit{ann}$ on $\langle T, V\rangle$. The automaton $B = \langle \Sigma', Q_B, q^B_0, \delta_B, F_B\rangle$ (which in particular does not need direction $-1$) essentially chooses, in each state, the downward path to walk on, and uses an integer to store the index of the state. We use a special state $\sharp$ not belonging to $Q$ to indicate that $B$ proceeds in accordance with an annotation instead of a strategy. Therefore, $Q_B = ((Q \cup \{\sharp\}) \times \{1, \ldots, k\} \times Q) \cup \{q^B_0\}$. To define the transition function on a node $x$, let us introduce a function $f$ that, for each $q \in Q$, strategy $\eta \in 2^{Q \times D^\delta_b \times Q}$, and annotation $\omega \in 2^{Q \times \{1, \ldots, k\} \times Q}$, gives a formula satisfied along downward paths consistent with $\eta$ and $\omega$, starting from a node reachable in $A$ with the state $q$.
That is, in each node $x$, the function $f$ either proceeds according to the annotation $\omega$ or according to the strategy $\eta$ (note that $f$ does not check that the downward path is consistent with any promise). Formally, $f$ is defined as follows, where $\mathit{index}(p)$ is the minimum $i$ such that $p \in F_i$:
$$f(q, \eta, \omega) = \bigvee_{\substack{(q, d, p) \in \omega \\ d \in \{1, \ldots, k\}}} \langle \varepsilon, (\sharp, d, p)\rangle \ \vee \bigvee_{\substack{(q, d, p) \in \eta \\ d \in \langle[b]\rangle \cup [[b]]}} \ \bigvee_{c \in \{1, \ldots, \deg(x)\}} \langle c, (q, \mathit{index}(p), p)\rangle$$
Then, we have $\delta_B(q^B_0, (\sigma, \eta, \rho, \omega)) = f(q_0, \eta, \omega)$ and
$$\delta_B((q, d, p), (\sigma, \eta, \rho, \omega)) = \begin{cases} \mathit{false} & \text{if } q \neq \sharp \text{ and } (q, p) \notin \rho \\ f(p, \eta, \omega) & \text{otherwise.} \end{cases}$$
A downward path $\pi$ is non-accepting for $A$ if the minimum index that appears infinitely often in $\pi$ is odd. Therefore, $F_B = \langle F^B_1, \ldots, F^B_{k+1}, Q_B\rangle$ where $F^B_1 = \emptyset$ and, for all $i \in \{2, \ldots, k+1\}$, we have $F^B_i = \{(q, d, p) \in Q_B \mid d = i - 1\}$. Thus, $|Q_B| = kn(n+1) + 1$, $|\delta_B| = k \cdot |\delta| \cdot |Q_B|$, and the index is $k+2$. Then, since $B$ is alternating, we can easily complement it in polynomial time into a 2APT $\overline{B}$ that accepts a tree iff all downward paths induced by $\mathit{str}$, $\mathit{pro}$, and $\mathit{ann}$ on $\langle T, V\rangle$ are accepting. Finally, following [Var98] we construct in exponential time the desired automaton $A'''$.
By applying the transformation given by Lemma 5 to the automaton $A_{\neg\varphi'}$ defined above, we obtain, in exponential time in the size of $\varphi$, an NPT that accepts all the tree encodings of quasi-forests that do not satisfy $\varphi$. From Proposition 4.2, we can then build a PD–NPT $A_{S \times \not\models \varphi}$ with size polynomial in the size of $S$ and exponential in the size of $\varphi$ such that $L(A_{S \times \not\models \varphi}) = L(A_S) \cap L(A_{\neg\varphi'})$. Hence, from Proposition 1 we obtain that hybrid graded $\mu$-calculus pushdown module checking can be solved in Exptime in the size of $S$ and in 2Exptime in the size of $\varphi$.
Finally, from the fact that CTL pushdown module checking is known to be 2Exptime-hard with respect to the size of $\varphi$ and Exptime-hard with respect to the size of $S$ [BMP05], we obtain the following theorem.
Theorem 3. The hybrid graded $\mu$-calculus pushdown module checking problem is 2Exptime-complete with respect to the size of the formula and Exptime-complete with respect to the size of the system.
7. Fully Enriched $\mu$-calculus Module Checking
In this section, we consider a memoryless restriction of the module checking problem and investigate it with respect to formulas of the Fully enriched $\mu$-calculus. Given a formula $\varphi$, the memoryless module checking problem checks whether all trees in $\mathit{exec}(M)$ that always take the same choice in duplicate environment nodes satisfy $\varphi$. In this section, we show that the (memoryless) module checking problem for Fully enriched $\mu$-calculus is undecidable.
Fully enriched $\mu$-calculus is the extension of hybrid graded $\mu$-calculus with inverse programs. Essentially, inverse programs allow us to specify properties about predecessors of a state. Given an atomic program $a \in \mathit{Prog}$, we denote its inverse program with $a^-$, and the syntax of the fully enriched $\mu$-calculus is simply obtained from the one we introduced for hybrid graded $\mu$-calculus by allowing both atomic and inverse programs in the graded modalities. Similarly, the semantics of fully enriched $\mu$-calculus is given, identically to the one for hybrid graded $\mu$-calculus, with respect to a Kripke structure $K = \langle W, W_0, R, L\rangle$ in which, to deal with inverse programs, we define, for all $a \in \mathit{Prog}$, $R(a^-) = \{(v, w) \in W \times W \text{ such that } (w, v) \in R(a)\}$. Let us note that, since the fully enriched $\mu$-calculus does not enjoy the forest model property [BP04], we cannot unwind a Kripke structure into a forest.
However, it is always possible to unwind it into an equivalent acyclic graph that we call the computation graph. In order to take into account all the possible behaviors of the environment, we consider all the possible subgraphs of the computation graph obtained by disabling some transitions from environment nodes, but not all of them. We denote by $\mathit{graphs}(M)$ the set of these graphs. Given a Fully enriched $\mu$-calculus formula $\varphi$, we have that $M \models_r \varphi$ iff $K \models \varphi$ for all $K \in \mathit{graphs}(M)$.

To show the undecidability of the addressed problem, we need some further definitions. An (infinite) grid is a tuple $G = \langle \mathbb{N}^2, h, v \rangle$ such that $h$ and $v$ are defined as $h(\langle x, y \rangle) = \langle x + 1, y \rangle$ and $v(\langle x, y \rangle) = \langle x, y + 1 \rangle$. Given a finite set of types $T$, we call a tile on $T$ a function $\hat\rho : \mathbb{N}^2 \to T$ that associates a type from $T$ with each vertex of an infinite grid $G$, and we call the tuple $\langle G, T, \hat\rho \rangle$ a tiled infinite grid. A grid model is an infinite Kripke structure $K = \langle W, \{w_0\}, R, L \rangle$ on the set of atomic programs $\mathit{Prog} = \{l^-, v\}$ such that $K$ can be mapped onto a grid in such a way that $w_0$ corresponds to the vertex $\langle 0, 0 \rangle$, $R(v)$ corresponds to $v$ and $R(l^-)$ corresponds to $h$. We say that a grid model $K$ "corresponds" to a tiled infinite grid $\langle G, T, \hat\rho \rangle$ if every state of $K$ is labeled with only one atomic proposition (and zero or more nominals) and there exists a bijective function $\rho : T \to AP$ such that, if $w_{x,y}$ is the state of $K$ corresponding to the node $\langle x, y \rangle$ of $G$, then $\rho(\hat\rho(\langle x, y \rangle)) \in L(w_{x,y})$.

Theorem 4. The module checking problem for fully enriched $\mu$-calculus is undecidable.

Proof. To show the result, we use a reduction from the tiling problem (also known as the domino problem), known to be undecidable [Ber66]. The tiling problem is defined as follows.
Let $T$ be a finite set of types, and let $H, V \subseteq T^2$ be two relations describing the types that cannot be vertically and horizontally adjacent in an infinite grid. The tiling problem is to decide whether there exists a tiled infinite grid $\langle G, T, \hat\rho \rangle$ such that $\hat\rho$ preserves the relations $H$ and $V$. We call such a tile function a legal tile for $G$ on $T$. In [BP04], Bonatti and Peron showed undecidability of the satisfiability problem for fully enriched $\mu$-calculus, also using a reduction from the tiling problem. Namely, given a set of types $T$ and relations $H$ and $V$, they build an (alternation free) fully enriched $\mu$-calculus formula $\varphi$ such that $\varphi$ is satisfiable iff the tiling problem has a solution in a tiled infinite grid with a legal tile $\rho$ on $T$ (with respect to $H$ and $V$). In particular, the formula they build can only be satisfied on a grid model $K$ corresponding to a tiled infinite grid with a legal tile $\rho$ on $T$. In the reduction we propose here, we use the formula $\varphi$ of [BP04]. It remains to define the module. Let $\{G_1, G_2, \dots\}$ be the set of all the infinite tiled grids on $T$ (i.e., $G_i = \langle G, T, \hat\rho_i \rangle$); we build a module $M$ such that $\mathit{graphs}(M)$ contains, for each $i \geq 1$, a grid model corresponding to $G_i$. Therefore, we can decide the tiling problem by checking whether $M \models_r \neg\varphi$. Indeed, if $M \models_r \neg\varphi$, then no grid model corresponding to some $G_i$ satisfies $\varphi$ and, therefore, there is no solution to the tiling problem. On the other side, if $M \not\models_r \neg\varphi$, then there exists a model for $\varphi$; since $\varphi$ can be satisfied only on a grid model corresponding to a tiled infinite grid with a legal tile on $T$ with respect to $H$ and $V$, we have that the tiling problem has a solution.

Formally, let $T = \{t_1, \dots, t_m\}$ be the set of types. The module $M = \langle W_s, W_e, W_0, R, L \rangle$, with respect to atomic programs $\mathit{Prog} = \{l^-, v\}$, atomic propositions $AP = T$, and nominals $\mathit{Nom} = \{o_1, \dots, o_m\}$, is defined as follows:

• $W_s = \emptyset$, $W_e = \{x_1, \dots, x_m, y_1, \dots, y_m\}$ and $W_0 = \{x_1, \dots, x_m\}$;
• for all $i \in \{1, \dots, m\}$, $L(t_i) = \{x_i, y_i\}$ and $L(o_i) = \{x_i\}$;
• $R(v) = \{\langle x_i, x_j \rangle \mid i, j \in \{1, \dots, m\}\} \cup \{\langle y_i, y_j \rangle \mid i, j \in \{1, \dots, m\}\}$;
• $R(l^-) = \{\langle x_i, y_j \rangle \mid i, j \in \{1, \dots, m\}\} \cup \{\langle y_i, x_j \rangle \mid i, j \in \{1, \dots, m\}\}$.

Notice that we duplicate the set of nodes labeled with tiles, since we cannot have pairs of nodes in $M$ labeled with more than one atomic program (in our case, with both $v$ and $l^-$). Moreover, the choice of labeling the nodes $x_i$ with nominals is arbitrary. Finally, from the fact that the module contains only environment nodes, it immediately follows that, for each $i$, the grid model corresponding to the infinite tiled grid $G_i$ is contained in $\mathit{graphs}(M)$.

  µ-calculus        Pushdown                   Single-Push              Finite-State
  extensions        Model Checking             Model Checking           Model Checking
  propositional     EXPTIME-Complete [Wal96]   EXPTIME-Complete         UP ∩ co-UP [Wil01]
  hybrid            EXPTIME-Complete           EXPTIME-Complete         UP ∩ co-UP
  graded            2EXPTIME                   2EXPTIME                 EXPTIME
  full              ?                          EXPTIME-Complete         UP ∩ co-UP
  hybrid graded     2EXPTIME                   2EXPTIME                 EXPTIME
  full hybrid       ?                          EXPTIME-Complete         UP ∩ co-UP
  full graded       ?                          2EXPTIME                 EXPTIME
  Fully enriched    ?                          2EXPTIME                 EXPTIME

Figure 1: Results on the model checking problem.

8. Notes on Fully Enriched µ-calculus Model Checking

In this section, for the sake of completeness, we investigate the model checking problems for Fully enriched $\mu$-calculus and its fragments, for both pushdown and finite-state systems.
In particular, we first consider the model checking problem for formulas of the $\mu$-calculus enriched with nominals (hybrid $\mu$-calculus), graded modalities (graded $\mu$-calculus), or both, for pushdown systems (PDMC, for short) and finite-state systems (FSMC, for short), i.e. Kripke structures. We show that for graded $\mu$-calculus, PDMC is solvable in 2EXPTIME and FSMC is solvable in EXPTIME. Moreover, we show that for hybrid $\mu$-calculus PDMC is EXPTIME-complete and FSMC is in UP ∩ co-UP, thus matching the known results for (propositional) $\mu$-calculus model checking (see [Wal96] for PDMC and [Wil01] for FSMC), and that, for hybrid graded $\mu$-calculus, PDMC is solvable in 2EXPTIME and FSMC is solvable in EXPTIME. When we also consider the $\mu$-calculus enriched (among other constructs) with inverse programs, we restrict PDMC to a reduced pushdown system that, in each transition, can increase the size of the stack by at most one (single-push system). To this aim, we define a single-push system with three stack operations: for $A \in \Gamma$, $\mathit{sub}(A)$ changes the top of the stack into $A$, $\mathit{push}(A)$ pushes the symbol $A$ onto the top of the stack, and $\mathit{pop}()$ pops the top symbol of the stack. Formally, a single-push system $S$ is a pushdown system in which the transition function is

$$\Delta : \mathit{Prog} \to 2^{(Q \times \Gamma_\flat) \times (Q \times \{\mathit{sub}, \mathit{push}, \mathit{pop}\} \times \Gamma)}.$$

For consistency reasons, we assume that if the top of the stack is $\flat$ then $\mathit{sub}(A) = \mathit{push}(A)$ and $\mathit{pop}()$ has no effect. We call the model checking problem for single-push systems single-push model checking (SPMC, for short).
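The forward-edge idea that this section develops for FSMC in Lemmas 6 and 7 (checking a formula with inverse programs on a finite graph by adding reversed edges, and reading nominals as ordinary atomic propositions) can be exercised on a small finite-state instance. The following Python is an added example, not code from the paper or its authors: it represents a Kripke structure as in Section 7, evaluates a fragment of the fully enriched µ-calculus (propositions, nominals, Boolean connectives, diamond and box over atomic and inverse programs, and µ/ν fixpoints) by naive Kleene iteration, and compares $K \models \varphi$ with $K' \models \varphi'$ after the rewriting. The tuple syntax for formulas, the program name `a^` for the fresh forward program (written $\hat a$ in Lemma 6), and the three-state sample structure and formulas are all constructed for this example.

```python
"""FSMC for a fragment of the fully enriched mu-calculus (added example, not the
paper's code).  Fixpoints are evaluated by Kleene iteration, which terminates on
finite structures; inverse programs are evaluated directly on K and, after the
Lemma 6 / Lemma 7 style rewriting, as forward programs on K'."""


class Kripke:
    """K = <W, W0, R, L>: rel maps an atomic program to a set of (w, v) edges,
    label maps a state to the propositions and nominals true in it."""

    def __init__(self, states, init, rel, label):
        self.states = frozenset(states)
        self.init = frozenset(init)
        self.rel = {a: frozenset(edges) for a, edges in rel.items()}
        self.label = {s: frozenset(label.get(s, ())) for s in self.states}

    def succ(self, prog, w):
        """R(prog)-successors of w; for an inverse program 'a-' these are the
        a-predecessors of w, i.e. R(a-) = {(v, w) | (w, v) in R(a)}."""
        if prog.endswith("-"):
            return {u for (u, v) in self.rel.get(prog[:-1], ()) if v == w}
        return {v for (u, v) in self.rel.get(prog, ()) if u == w}


def sat(K, f, env=None):
    """States of K satisfying f.  Formula syntax (tuples): ('prop', p) ('nom', o)
    ('var', X) ('not', f) ('and', f, g) ('or', f, g) ('dia', prog, f)
    ('box', prog, f) ('mu', X, f) ('nu', X, f); env binds fixpoint variables."""
    env = env or {}
    kind = f[0]
    if kind in ("prop", "nom"):        # a nominal is a proposition true in one state
        return {s for s in K.states if f[1] in K.label[s]}
    if kind == "var":
        return env[f[1]]
    if kind == "not":
        return set(K.states) - sat(K, f[1], env)
    if kind == "and":
        return sat(K, f[1], env) & sat(K, f[2], env)
    if kind == "or":
        return sat(K, f[1], env) | sat(K, f[2], env)
    if kind in ("dia", "box"):
        inner = sat(K, f[2], env)
        if kind == "dia":
            return {s for s in K.states if K.succ(f[1], s) & inner}
        return {s for s in K.states if K.succ(f[1], s) <= inner}
    if kind in ("mu", "nu"):
        cur = set() if kind == "mu" else set(K.states)
        while True:                    # iterate from bottom (mu) or top (nu)
            nxt = sat(K, f[2], {**env, f[1]: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown formula {f!r}")


def models(K, f):
    """K |= f iff every initial state satisfies f."""
    return K.init <= sat(K, f)


def forward_closure(K):
    """Lemma 6 idea: K' adds a fresh forward program 'a^' whose edges are the
    reversed a-edges, so K' needs no inverse programs at all."""
    rel = dict(K.rel)
    for a, edges in K.rel.items():
        rel[a + "^"] = {(v, u) for (u, v) in edges}
    return Kripke(K.states, K.init, rel, K.label)


def forward_formula(f):
    """Rewrite f to use neither inverse programs nor nominals: 'a-' becomes the
    forward program 'a^' (Lemma 6), each nominal becomes a proposition (Lemma 7)."""
    kind = f[0]
    if kind == "nom":
        return ("prop", f[1])
    if kind in ("prop", "var"):
        return f
    if kind == "not":
        return ("not", forward_formula(f[1]))
    if kind in ("and", "or"):
        return (kind, forward_formula(f[1]), forward_formula(f[2]))
    if kind in ("dia", "box"):
        prog = f[1][:-1] + "^" if f[1].endswith("-") else f[1]
        return (kind, prog, forward_formula(f[2]))
    return (kind, f[1], forward_formula(f[2]))   # mu / nu


# Constructed sample structure: w0 -a-> w1 -a-> w2 and a self-loop w2 -a-> w2.
K = Kripke(states={"w0", "w1", "w2"}, init={"w0"},
           rel={"a": {("w0", "w1"), ("w1", "w2"), ("w2", "w2")}},
           label={"w0": {"p", "o1"}, "w1": {"q"}, "w2": {"p"}})  # o1: nominal

# [a]<a->o1: every a-successor of the initial state has the a-predecessor named o1.
PHI_INV = ("box", "a", ("dia", "a-", ("nom", "o1")))
# mu X. q or <a->X: states forward-reachable (via a) from a q-state.
PHI_MU = ("mu", "X", ("or", ("prop", "q"), ("dia", "a-", ("var", "X"))))
# nu X. <a>X: states from which an infinite a-path starts.
PHI_NU = ("nu", "X", ("dia", "a", ("var", "X")))


def check_reduction(K, f):
    """Return (K |= f, K' |= f') so the two answers can be compared."""
    return models(K, f), models(forward_closure(K), forward_formula(f))


if __name__ == "__main__":
    for name, f in [("PHI_INV", PHI_INV), ("PHI_MU", PHI_MU), ("PHI_NU", PHI_NU)]:
        print(name, check_reduction(K, f))
```

The rewriting is linear in the size of the structure and of the formula, as the lemmas state: `forward_closure` copies each edge once in reverse, and `forward_formula` visits each subformula once. Because `K` here is the same object before and after the nominal reinterpretation (a nominal already sits in the label set of exactly one state), Lemma 7 amounts to changing only how the formula reads the label, which is exactly what the `nom`/`prop` case of `sat` makes visible.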
In this case, we show that for full hybrid $\mu$-calculus ($\mu$-calculus enriched with inverse programs and nominals), SPMC is EXPTIME-complete and FSMC is in UP ∩ co-UP, and that for Fully enriched and full graded $\mu$-calculus ($\mu$-calculus enriched with inverse programs and graded modalities), SPMC is in 2EXPTIME and FSMC is in EXPTIME. In Figure 8 we report known and new results on model checking problems for the Fully enriched $\mu$-calculus and its fragments.

To prove our results, we simply rule out inverse programs and nominals from the input formula. In particular, we first observe that, from a model checking point of view, checking a formula with inverse programs on a graph (finite or infinite) is equivalent to checking the formula "forward" on the graph enriched with opposite edges. That is, we consider inverse programs in the formula as special atomic programs to be checked on the opposite edges we have added to the graph. Note that this observation does not apply to PDMC. Indeed, to transform previous configurations into inverse next configurations, we need to limit the power of a PDMC to be single push. Thus, we obtain the following result.

Lemma 6. Let $X_\mu$ be an enrichment of the $\mu$-calculus with inverse programs. Then SPMC (resp., FSMC) w.r.t. $X_\mu$ can be reduced in linear time to SPMC (resp., FSMC) w.r.t. $X_\mu$ without inverse programs.

Proof. Here we only show the proof for FSMC, since the one for SPMC is similar. Let $K = \langle W, W_0, R, L \rangle$ be a model that uses atomic programs from $\mathit{Prog}$, and let $\varphi$ be a formula of $X_\mu$. Then, we define a new model $K'$ and a new formula $\varphi'$ as follows: $K' = \langle W, W_0, R', L \rangle$ uses atomic programs from the set $\mathit{Prog}' = \mathit{Prog} \cup \{\hat a \text{ s.t. } a \in \mathit{Prog}\}$ (it does not use inverse programs) and has the transition relation defined by $R'(a) = R(a)$ and $R'(\hat a) = R(a^-)$ for all $a \in \mathit{Prog}$. On the other side, $\varphi'$ is a formula of $X_\mu$ without inverse programs, equal to $\varphi$ except for the fact that $a^-$ is changed into $\hat a$ for all $a \in \mathit{Prog}$. Thus it can be easily seen that $K \models \varphi$ iff $K' \models \varphi'$, and this completes the proof of the lemma.

Furthermore, from the model checking point of view, one can consider each nominal in the input formula as a particular atomic proposition. Thus we obtain the following result.

Lemma 7. Let $X_\mu$ be the $\mu$-calculus enriched with nominals and possibly with graded modalities. Then PDMC, SPMC and FSMC w.r.t. $X_\mu$ can be respectively reduced in linear time to PDMC, SPMC and FSMC w.r.t. $X_\mu$ without nominals.

Proof. In this case too, we show the proof only for FSMC. Let $K = \langle W, W_0, R, L \rangle$ be a model that uses atomic propositions from $AP$ and nominals from $\mathit{Nom}$, and let $\varphi$ be a formula of $X_\mu$. Then, we consider the new model $K' = \langle W, W_0, R, L \rangle$ that uses atomic propositions from the set $AP' = AP \cup \mathit{Nom}$ ($K'$ does not use nominals); moreover, let $\varphi'$ be the formula $\varphi$ interpreted as a formula of $X_\mu$ without nominals on the set of atomic propositions $AP'$. Then, it is easy to see that $K \models \varphi$ iff $K' \models \varphi'$.

From Lemmas 6 and 7 and the fact that for propositional $\mu$-calculus PDMC is EXPTIME-Complete [Wal96] and FSMC is in UP ∩ co-UP [Wil01], we directly have that hybrid $\mu$-calculus PDMC is EXPTIME-Complete, (full) hybrid $\mu$-calculus SPMC is solvable in EXPTIME and (full) hybrid $\mu$-calculus FSMC is in UP ∩ co-UP. Now, in [Wal96] it has been shown that $\mu$-calculus PDMC is EXPTIME-hard. The proof used there can be easily adapted to handle single-push systems without incurring any complexity blowup. Thus, we obtain the following result.

Theorem 5. Hybrid $\mu$-calculus PDMC is EXPTIME-Complete, (full) hybrid $\mu$-calculus SPMC is EXPTIME-Complete and (full) hybrid $\mu$-calculus FSMC is in UP ∩ co-UP.

Finally, from Lemmas 6 and 7 we have that hybrid graded $\mu$-calculus PDMC can be reduced in linear time to graded $\mu$-calculus PDMC, Fully enriched $\mu$-calculus SPMC can be reduced in linear time to graded $\mu$-calculus SPMC (note that SPMC is a special case of PDMC) and Fully enriched $\mu$-calculus FSMC can be reduced in linear time to graded $\mu$-calculus FSMC. Since model checking is a special case of module checking, from Theorems 2 and 3 we have the following result.

Theorem 6. PDMC is solvable in 2EXPTIME for (hybrid) graded $\mu$-calculus, SPMC is solvable in 2EXPTIME for Fully enriched $\mu$-calculus and FSMC is solvable in EXPTIME for Fully enriched $\mu$-calculus.

References

[AMV07] A. Aminof, A. Murano, and M.Y. Vardi, Pushdown module checking with imperfect information, CONCUR '07, LNCS, vol. 4703, Springer-Verlag, 2007, pp. 461–476.
[Ber66] R. Berger, The undecidability of the domino problem, Mem. AMS 66 (1966), 1–72.
[BLMV06] P.A. Bonatti, C. Lutz, A. Murano, and M.Y. Vardi, The complexity of enriched µ-calculi, ICALP '06, LNCS, vol. 4052, 2006, pp. 540–551.
[BLMV08] P.A. Bonatti, C. Lutz, A. Murano, and M.Y. Vardi, The complexity of enriched µ-calculi, to appear in Logical Methods in Computer Science (2008), 1–27, http://www.na.infn.it/~murano/pubblicazioni/journal-version-enriched.pdf.
[BMP05] L. Bozzelli, A. Murano, and A. Peron, Pushdown module checking, LPAR, 2005, pp. 504–518.
[BP04] P.A. Bonatti and A. Peron, On the undecidability of logics with converse, nominals, recursion and counting, Artificial Intelligence 158:1 (2004), 75–96.
[BS06] J. Bradfield and C. Stirling, Modal µ-calculi, Handbook of Modal Logic (Blackburn, Wolter, and van Benthem, eds.), Elsevier, 2006, pp. 722–756.
[CE81] E.M. Clarke and E.A. Emerson, Design and synthesis of synchronization skeletons using branching time temporal logic, Proc. of Work. on Logic of Programs, LNCS, vol. 131, 1981, pp. 52–71.
[CGP99] E.M. Clarke, O. Grumberg, and D.A. Peled, Model checking, MIT Press, Cambridge, MA, USA, 1999.
[FM07] A. Ferrante and A. Murano, Enriched µ-calculus module checking, FOSSACS '07, LNCS, vol. 4423, 2007, pp. 183–197.
[FMP07] A. Ferrante, A. Murano, and M. Parente, Enriched µ-calculus pushdown module checking, LPAR '07, LNAI, vol. 4790, 2007, pp. 438–453.
[Hoa85] C.A.R. Hoare, Communicating sequential processes, 1985.
[HP85] D. Harel and A. Pnueli, On the development of reactive systems, Logics and Models of Concurrent Systems, NATO Advanced Summer Institutes, vol. F-13, Springer-Verlag, 1985, pp. 477–498.
[Jur98] M. Jurdziński, Deciding the winner in parity games is in UP ∩ co-UP, Information Processing Letters 68 (1998), no. 3, 119–124.
[Koz83] D. Kozen, Results on the propositional mu-calculus, Theoretical Computer Science 27 (1983), 333–354.
[KPV02] O. Kupferman, N. Piterman, and M.Y. Vardi, Pushdown specifications, LPAR, 2002, pp. 262–277.
[KSV02] O. Kupferman, U. Sattler, and M.Y. Vardi, The complexity of the graded µ-calculus, CADE '02, LNAI, vol. 2392, 2002, pp. 423–437.
[KV97] O. Kupferman and M.Y. Vardi, Module checking revisited, CAV '96, LNCS, vol. 1254, Springer-Verlag, 1997, pp. 36–47.
[KVW00] O. Kupferman, M.Y. Vardi, and P. Wolper, An automata-theoretic approach to branching-time model checking, Journal of ACM 47 (2000), no. 2, 312–360.
[KVW01] O. Kupferman, M.Y. Vardi, and P. Wolper, Module checking, Information & Computation 164 (2001), 322–344.
[QS81] J.P. Queille and J. Sifakis, Specification and verification of concurrent systems in CESAR, 5th Symp. on Programming, LNCS, vol. 137, 1981, pp. 337–351.
[SV01] U. Sattler and M.Y. Vardi, The hybrid mu-calculus, IJCAR '01, LNAI, vol. 2083, 2001, pp. 76–91.
[Var98] M.Y. Vardi, Reasoning about the past with two-way automata, ICALP '98, LNCS, vol. 1443, 1998, pp. 628–641.
[Wal96] I. Walukiewicz, Pushdown processes: games and model checking, CAV '96, LNCS, vol. 1102, Springer-Verlag, 1996, pp. 62–74.
[Wal00] I. Walukiewicz, Model checking CTL properties of pushdown systems, FSTTCS '00, LNCS, vol. 1974, Springer-Verlag, 2000, pp. 127–138.
[Wil01] T. Wilke, Alternating tree automata, parity games, and modal µ-calculus, Bull. Soc. Math. Belg. 8 (2001), no. 2.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.