The final publication is available at IEEE via http://dx.doi.org/10.1109/TIME.2015.12

A. Molinari, A. Montanari, A. Peron. Complexity of ITL model checking: some well-behaved fragments of the interval logic HS. In proceedings of 22nd International Symposium on Temporal Representation and Reasoning (TIME), Pages 90-100. 1530-1311/15 © 2015 IEEE

arXiv:1601.03202v1 [cs.LO] 13 Jan 2016

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License http://creativecommons.org/licenses/by-nc-nd/4.0/

Complexity of ITL model checking: some well-behaved fragments of the interval logic HS

Alberto Molinari and Angelo Montanari
Department of Mathematics and Computer Science, University of Udine, Italy

Adriano Peron
Department of Electrical Engineering and Information Technology, University of Napoli Federico II, Italy

Abstract—Model checking has been successfully used in many computer science fields, including artificial intelligence, theoretical computer science, and databases. Most of the proposed solutions make use of classical, point-based temporal logics, while little work has been done in the interval temporal logic setting. Recently, a non-elementary model checking algorithm for Halpern and Shoham's modal logic of time intervals HS over finite Kripke structures (under the homogeneity assumption) and an EXPSPACE model checking procedure for two meaningful fragments of it have been proposed. In this paper, we show that more efficient model checking procedures can be developed for some expressive enough fragments of HS.

Keywords-Interval Temporal Logic; Model Checking; Complexity

I. INTRODUCTION

Model checking algorithms allow one to verify a formal specification of the desired properties of a system against a model of its behaviour. In the standard formulation, systems are described as (finite) labelled state-transition graphs (Kripke structures) and point-based, linear or branching temporal logics (e.g., LTL or CTL) are used to constrain the way in which the truth value of the state-labelling proposition letters changes along the paths of the Kripke structure.

Point-based temporal logics are well-suited for a variety of application domains; however, there are some relevant temporal features, such as actions with duration, accomplishments, and temporal aggregations, that are inherently "interval-based" and thus cannot be expressed by them. Here interval temporal logics (ITLs), that take intervals, instead of points, as their primitive entities, come into play, providing an alternative setting for reasoning about time [8], [23], [24]. To check interval properties of computations, one needs to collect information about states into computation stretches: this amounts to interpret each finite path of a Kripke structure as an interval, and to suitably define its labelling on the basis of the labelling of the states that compose it. Such an increase in expressiveness makes ITLs well suited for a number of applications in the areas of formal verification, computational linguistics, databases, planning, and multi-agent systems, e.g., [2], [7], [18], [20], [25], but, unfortunately, also undecidable.

A prominent position among ITLs is occupied by Halpern and Shoham's modal logic of time intervals, abbreviated HS [8]. HS features one modality for each of the 13 possible ordering relations between pairs of intervals (the so-called Allen's relations [1]), apart from the equality relation. In [8], it has been shown that the satisfiability problem for HS interpreted over all relevant (classes of) linear orders is highly undecidable. Since then, a lot of work has been done on satisfiability for HS fragments, which showed that undecidability rules over them [3], [10], [13]. However, meaningful exceptions exist, e.g., the interval logic of temporal neighbourhood AĀ and the logic of sub-intervals D [4]–[6], [17].

In this paper, we focus our attention on the model checking problem for HS (not on satisfiability checking), which only very recently entered the research agenda for ITLs.

In [16], Montanari et al. addressed the model checking problem for full HS over finite Kripke structures (under the homogeneity assumption [21]). They introduced the basic elements of the picture, namely, the interpretation of HS formulas over (abstract) interval models, the mapping of finite Kripke structures into (abstract) interval models, and the notion of track descriptor, and they proved a small model theorem showing the non-elementary decidability of the problem. In [14], Molinari et al. gave a lower bound to the complexity of the problem, which is EXPSPACE-hard, if a succinct encoding of formulas is used, PSPACE-hard otherwise.

In [15], Molinari et al. showed that model checking for the HS fragment AĀBB̄Ē (resp., AĀEĒB̄), whose modalities allow one to access intervals which are met by/meet the current one, or are prefixes (resp., suffixes) or right/left-extensions of it, is in EXPSPACE. Moreover, they proved that the problem is NEXP-hard, if a succinct encoding of formulas is used, NP-hard otherwise. Finally, they showed that formulas that satisfy a (constant) bound to the nesting depth of ⟨B⟩ (resp., ⟨E⟩) modalities can be checked in polynomial working space.

In [11], [12], Lomuscio and Michaliszyn studied the model checking problem for epistemic extensions of some HS fragments. Their semantic assumptions differ from those made in [16], making it difficult to compare the two research lines. In [11], they focused their attention on the fragment BED, whose modalities allow one to respectively access prefixes, suffixes, and sub-intervals of the current interval, extended with epistemic modalities. They considered a restricted form of model checking, which verifies the given specification against a single (finite) initial computation interval (not all possible ones), and proved that it is a PSPACE-complete problem. Moreover, they showed that the problem for the purely temporal fragment of the logic is in PTIME. This last result does not come as a surprise as it trades expressiveness for efficiency: BED modalities allow one to access only sub-intervals of the initial one, whose number is quadratic in the length (number of states) of the initial interval. In [12], they showed that the picture drastically changes with HS fragments that allow one to access infinitely many tracks/intervals. In particular, they proved that this is the case with the fragment AB̄L, whose modalities allow one to access intervals which are met by (resp., extend to the right, follow) the current one, extended with epistemic modalities: the problem turns out to be decidable with a non-elementary upper bound.

In this paper, we improve on the results in [15] by identifying some well-behaved HS fragments, which are still expressive enough to capture meaningful interval properties and computationally more efficient. The rest of the paper is organized as follows. In Section II we provide some background knowledge. In Section III we give an overview of the main results of the paper and relate them to known ones. Then, in Section IV we study the existential and universal fragments of AĀBE, while in Section V we analyze the fragments AĀB̄Ē and AB̄. Conclusions provide a short assessment of the work and outline future research directions.

II. PRELIMINARIES

A. The interval temporal logic HS

An interval algebra to reason about intervals and their relative order was first proposed by Allen in [1]. A systematic logical study of interval representation and reasoning was then done by Halpern and Shoham, who introduced the interval temporal logic HS featuring one modality for each Allen's relation, except for equality [8]. Table I depicts 6 of the 13 Allen's relations, together with the corresponding HS (existential) modalities. The other 7 relations are the 6 inverse relations (given a binary relation R, the inverse relation R̄ is such that b R̄ a if and only if a R b) and equality.

Table I. ALLEN'S RELATIONS AND CORRESPONDING HS MODALITIES.

Allen's relation   HS     Definition w.r.t. interval structures
MEETS              ⟨A⟩    [x,y] R_A [v,z] ⇐⇒ y = v
BEFORE             ⟨L⟩    [x,y] R_L [v,z] ⇐⇒ y < v
STARTED-BY         ⟨B⟩    [x,y] R_B [v,z] ⇐⇒ x = v ∧ z < y
FINISHED-BY        ⟨E⟩    [x,y] R_E [v,z] ⇐⇒ y = z ∧ x < v
CONTAINS           ⟨D⟩    [x,y] R_D [v,z] ⇐⇒ x < v ∧ z < y
OVERLAPS           ⟨O⟩    [x,y] R_O [v,z] ⇐⇒ x < v < y < z

The language of HS consists of a set of proposition letters AP, the Boolean connectives ¬ and ∧, and a temporal modality for each of the (non trivial) Allen's relations, namely, ⟨A⟩, ⟨L⟩, ⟨B⟩, ⟨E⟩, ⟨D⟩, ⟨O⟩, ⟨Ā⟩, ⟨L̄⟩, ⟨B̄⟩, ⟨Ē⟩, ⟨D̄⟩, and ⟨Ō⟩.

HS formulas are defined by the following grammar:

ψ ::= p | ¬ψ | ψ ∧ ψ | ⟨X⟩ψ | ⟨X̄⟩ψ,

where p ∈ AP and X ∈ {A, L, B, E, D, O}. In the following, we will make use of the standard abbreviations of propositional logic. Furthermore, for all X, dual universal modalities [X]ψ and [X̄]ψ are respectively defined as ¬⟨X⟩¬ψ and ¬⟨X̄⟩¬ψ.

Given any subset of Allen's relations {X1, ⋯, Xn}, we denote by X1 ⋯ Xn the HS fragment that features modalities ⟨X1⟩, ⋯, ⟨Xn⟩ only.

We assume the strict semantics of HS: only intervals consisting of at least two points are allowed (no point-intervals)¹. Under this assumption, all HS modalities can be expressed in terms of modalities ⟨A⟩, ⟨B⟩, ⟨E⟩, ⟨Ā⟩, ⟨B̄⟩, and ⟨Ē⟩ [23]. HS can be viewed as a multi-modal logic with these 6 primitive modalities, and its semantics can be defined over a multi-modal Kripke structure, called here an abstract interval model, in which (strict) intervals are treated as atomic objects and Allen's relations as binary relations between pairs of intervals.

¹ Strict semantics can be easily "relaxed" to include point-intervals. All results we are going to prove hold for the non-strict semantics as well.

Definition 1 (Abstract interval model [14]): An abstract interval model is a tuple 𝒜 = (AP, 𝕀, A_𝕀, B_𝕀, E_𝕀, σ), where:
• AP is a finite set of proposition letters;
• 𝕀 is a possibly infinite set of atomic objects (worlds);
• A_𝕀, B_𝕀, E_𝕀 are three binary relations over 𝕀;
• σ : 𝕀 ↦ 2^AP is a (total) labeling function, which assigns a set of proposition letters to each world.

In the interval setting, 𝕀 is interpreted as a set of intervals and A_𝕀, B_𝕀, and E_𝕀 as Allen's interval relations A (meets), B (started-by), and E (finished-by), resp., and σ assigns to each interval the set of proposition letters that hold over it.

Given an abstract interval model 𝒜 = (AP, 𝕀, A_𝕀, B_𝕀, E_𝕀, σ) and an interval I ∈ 𝕀, the truth of an HS formula over I is inductively defined as follows:
• 𝒜, I ⊨ p iff p ∈ σ(I), for any p ∈ AP;
• 𝒜, I ⊨ ¬ψ iff it is not true that 𝒜, I ⊨ ψ;
• 𝒜, I ⊨ ψ ∧ φ iff 𝒜, I ⊨ ψ and 𝒜, I ⊨ φ;
• 𝒜, I ⊨ ⟨X⟩ψ, for X ∈ {A, B, E}, iff there exists J ∈ 𝕀 such that I X_𝕀 J and 𝒜, J ⊨ ψ;
• 𝒜, I ⊨ ⟨X̄⟩ψ, for X ∈ {A, B, E}, iff there exists J ∈ 𝕀 such that J X_𝕀 I and 𝒜, J ⊨ ψ.

Satisfiability and validity are defined as usual: an HS formula ψ is satisfiable if there are an interval model 𝒜 and a world/interval I such that 𝒜, I ⊨ ψ; ψ is valid, denoted ⊨ ψ, if 𝒜, I ⊨ ψ for all worlds/intervals I of any interval model 𝒜.

B. Kripke structures and abstract interval models

Finite state systems are usually modelled as finite Kripke structures. In [16], the authors define a mapping from Kripke structures to abstract interval models that makes it possible to specify properties of systems by means of HS formulas.

Definition 2: A finite Kripke structure K is a tuple (AP, W, δ, μ, w0), where AP is a set of proposition letters, W is a finite set of states, δ ⊆ W × W is a left-total relation between pairs of states, μ : W ↦ 2^AP is a total labelling function, and w0 ∈ W is the initial state.

For all w ∈ W, μ(w) is the set of proposition letters that hold at w, while δ is the transition relation that constrains the evolution of the system over time.

Example 1: Figure 1 depicts the finite Kripke structure K_Equiv = ({p, q}, {v0, v1}, δ, μ, v0), where μ(v0) = {p}, μ(v1) = {q}, and δ = {(v0, v0), (v0, v1), (v1, v0), (v1, v1)} [16]. The initial state v0 is denoted by a double circle.

Figure 1. The Kripke structure K_Equiv.

Definition 3: A track ρ over a finite Kripke structure K = (AP, W, δ, μ, w0) is a finite sequence of states v0 ⋯ vn, with n ≥ 1, such that for all i ∈ {0, ⋯, n−1}, (v_i, v_{i+1}) ∈ δ.

Let Trk_K be the (infinite) set of all tracks over a finite Kripke structure K. For any track ρ = v0 ⋯ vn ∈ Trk_K, we define: |ρ| = n+1, ρ(i) = v_i, states(ρ) = {v0, ⋯, vn} ⊆ W, intstates(ρ) = {v1, ⋯, v_{n−1}} ⊆ W, fst(ρ) = v0 and lst(ρ) = vn. If fst(ρ) = w0, ρ is called an initial track. Let ρ(i, j) = v_i ⋯ v_j, for 0 ≤ i < j ≤ |ρ|−1, be a subtrack of ρ. Pref(ρ) = {ρ(0, i) | 1 ≤ i ≤ |ρ|−2} and Suff(ρ) = {ρ(i, |ρ|−1) | 1 ≤ i ≤ |ρ|−2} are the sets of all proper prefixes and suffixes of ρ, respectively. Notice that the length of tracks, prefixes, and suffixes is greater than 1, as they will be mapped into strict intervals. Finally by ρ·ρ′ we denote the concatenation of the tracks ρ and ρ′.

An abstract interval model (over Trk_K) can be naturally associated with a finite Kripke structure by interpreting every track as an interval bounded by its first and last states [14].

Definition 4: The abstract interval model induced by a finite Kripke structure K = (AP, W, δ, μ, w0) is 𝒜_K = (AP, 𝕀, A_𝕀, B_𝕀, E_𝕀, σ), where:
• 𝕀 = Trk_K,
• A_𝕀 = {(ρ, ρ′) ∈ 𝕀 × 𝕀 | lst(ρ) = fst(ρ′)},
• B_𝕀 = {(ρ, ρ′) ∈ 𝕀 × 𝕀 | ρ′ ∈ Pref(ρ)},
• E_𝕀 = {(ρ, ρ′) ∈ 𝕀 × 𝕀 | ρ′ ∈ Suff(ρ)},
• σ : 𝕀 ↦ 2^AP is such that σ(ρ) = ⋂_{w ∈ states(ρ)} μ(w), for all ρ ∈ 𝕀.

Relations A_𝕀, B_𝕀, and E_𝕀 are interpreted as Allen's relations A, B, and E, respectively. Moreover, according to the definition of σ, p ∈ AP holds over ρ = v0 ⋯ vn iff it holds over all the states v0, ⋯, vn of ρ. This conforms to the homogeneity principle, according to which a proposition letter holds over an interval iff it holds over all of its subintervals.

Since K has loops (δ is left-total), the number of tracks of K, and thus the number of intervals of 𝒜_K, is infinite.

Satisfiability of an HS formula over a finite Kripke structure can be given in terms of induced abstract interval models.

Definition 5: Let K be a finite Kripke structure, ρ be a track in Trk_K, and ψ be an HS formula. We say that the pair (K, ρ) satisfies ψ, denoted by K, ρ ⊨ ψ, iff it holds that 𝒜_K, ρ ⊨ ψ.

The model checking problem for HS over finite Kripke structures is the problem of deciding whether K ⊨ ψ.

Definition 6: Let K be a finite Kripke structure and ψ be an HS formula. We say that K models ψ, denoted by K ⊨ ψ, iff for all initial tracks ρ ∈ Trk_K it holds that K, ρ ⊨ ψ.

Some examples of meaningful properties of tracks that can be expressed in HS can be found in [14].

III. THE GENERAL PICTURE

In [14], Molinari et al. showed that, given a finite Kripke structure K and a bound k on the structural complexity of HS formulas (that is, on the nesting depth of E and B modalities), it is possible to obtain a finite representation for 𝒜_K, which is equivalent to 𝒜_K with respect to satisfiability of HS formulas with structural complexity less than or equal to k. Then, by exploiting such a representation, they proved that the model checking problem for (full) HS is decidable (the given algorithm has a non-elementary upper bound). Moreover, they showed that the problem for the fragment AĀBE, and thus for full HS, is PSPACE-hard (EXPSPACE-hard if a suitable succinct encoding of formulas is exploited).

In [15], Molinari et al. devised an EXPSPACE model checking algorithm for the fragments AĀBB̄Ē and AĀEB̄Ē, that needs to consider only a subset of relatively short tracks: for any given bound k on the complexity of formulas, they defined an equivalence relation over tracks of finite index, and they showed that model checking can be restricted to track representatives of bounded length. In addition, they proved that the problem is NP-hard (if a suitable succinct encoding of formulas is exploited, the algorithm remains in EXPSPACE, but a NEXPTIME lower bound can be given).

Here, we identify some well-behaved HS fragments, namely, ∀AĀBE (and ∃AĀBE), AĀB̄Ē, and AĀ, which are still expressive enough to capture meaningful interval properties of state-transition systems and whose model checking problem exhibits a considerably lower computational complexity. The simple example below shows some of these fragments at work.

Example 2: Let K = (AP, W, δ, μ, w0), with AP = {r0, r1, e0, e1, x0}, be the Kripke structure of Figure 2, that models the interactions between a scheduler S and two processes, P0 and P1, which possibly ask for a shared resource. At the initial state w0, S has not received any request from the processes yet, while in w1 (resp., w2) only P0 (resp., P1) has sent a request, and thus r0 (resp., r1) holds. As long as at most one process has sent a request, S is not forced to allocate the resource (w1 and w2 have self loops). At w3, both P0 and P1 are waiting for the shared resource, and hence both r0 and r1 hold there. State w3 has transitions only towards w4, w6, and w8. At w4 (resp., w6) P1 (resp., P0) can access the resource: e1 (resp., e0) holds in w4 w5 (resp., w6 w7). However, a faulty transition may be taken from w3: in w8 and w9 both P0 and P1 are using the resource (both e0 and e1 hold in w8 w9). Finally, from w5, w7, and w9 the system can only move to w0, where S waits for new requests from P0 and P1.

Figure 2. A simple state-transition system. (State labels: w0: x0; w1: r0, x0; w2: r1; w3: r0, r1; w4: r0, r1, e1; w5: e1; w6: r0, r1, e0, x0; w7: e0, x0; w8: r0, r1, e0, e1; w9: e0, e1.)

Now, let P be the set {r0, r1, e0, e1} and let x0 be an auxiliary proposition letter labelling the states w0, w1, w6, and w7, where S and P0, but not P1, are active.

It holds that K ⊨ [A]ψ (equivalently, K ⊨ [E]ψ) iff ψ holds over any (reachable) computation sub-interval.

It can also be checked that K ⊭ [E]¬(e0 ∧ e1) (this formula is in ∀AĀBE), i.e., mutual exclusion is not guaranteed, as the faulty transition leading to w8 may be taken at w3, and then both P0 and P1 access the resource in w8 w9 (e0 ∧ e1 holds). On the contrary, it holds that K ⊨ [A](r0 → ⟨A⟩e0 ∨ ⟨A⟩⟨A⟩e0) (in AĀ and AĀB̄Ē). Such a formula expresses the following reachability property: if r0 holds over some interval, then there is always a way to reach an interval over which e0 holds. Obviously, this does not mean that all possible computations will necessarily lead to such an interval; however, the system will never fall in a state from which it is no more possible to satisfy requests from P0.

It also holds that K ⊨ [A](r0 ∧ r1 → [A](e0 ∨ e1 ∨ ⋀_{p∈P} ¬p)) (in AĀ and AĀB̄Ē). Indeed, if both processes send a request to S (state w3), then it immediately allocates the resource. Formally, if r0 ∧ r1 holds over some tracks (the only possible cases are w3 w4, w3 w6, and w3 w8), then in any possible subsequent interval of length 2 e0 ∨ e1 holds, that is, P0 or P1 are executed, or ⋀_{p∈P} ¬p holds, if we consider tracks longer than 2. On the contrary, if only one process asks for the resource, then S can arbitrarily delay its allocation, that is, K ⊭ [A](r0 → [A](e0 ∨ ⋀_{p∈P} ¬p)).

Finally, it holds that K ⊨ x0 → ⟨B̄⟩x0 (in AĀB̄Ē), that is, any initial track satisfying x0 (any such track involves states w0, w1, w6, and w7 only) can be extended to the right in such a way that the resulting track still satisfies x0. This amounts to say that there exists a computation in which P1 starves. Notice that S and P0 can continuously interact without waiting for P1. This is the case, for instance, when P1 does not ask for the shared resource at all.

In Figure 3, we summarize known (white boxes) and new (grey boxes) results about complexity of model checking for HS fragments. The new results are presented in the next two sections. In Section IV, we deal with the fragment ∀AĀBE, including formulas of AĀBE in which only universal modalities are allowed and negation can be applied to propositional formulas only. We first provide a coNP model checking algorithm for ∀AĀBE, and then we show that the model checking problem for the pure propositional fragment Prop is coNP-hard. The two results allow us to conclude that the model checking problem for both Prop and ∀AĀBE is coNP-complete. In addition, upper and lower bounds to the complexity of the problem for AĀ (the logic of temporal neighbourhood) directly follow. In [15], the authors show that the EXPSPACE model checking algorithm for AĀBB̄Ē can be suitably tailored to check formulas with a constant nesting depth of ⟨B⟩ modalities in polynomial space. Thus, as a particular case, the model checking problem for AĀB̄Ē is in PSPACE. Since AĀ is a fragment of AĀB̄Ē and Prop is a fragment of AĀ, complexity of model checking for AĀ is in between coNP and PSPACE. In Section V, we focus our attention on AĀB̄Ē and we prove that the model checking problem for AB̄ is PSPACE-hard. PSPACE-completeness of AĀB̄Ē (and AB̄) immediately follows. From this, we get for free a strengthening of the lower bound to the complexity of the model checking problem for AĀBB̄Ē (in the non-succinct case), which turns out to be PSPACE-hard.

Figure 3. Complexity of model checking for HS fragments. (Boxes of the figure:
• succinct HS: nonELEMENTARY [14], EXPSPACE-hard [14];
• succinct AĀBE: nonELEMENTARY [14], EXPSPACE-hard [14];
• succinct AĀBB̄Ē: EXPSPACE [15], NEXP-hard [15];
• HS: nonELEMENTARY [14], PSPACE-hard [14];
• AĀBB̄Ē: EXPSPACE [15], PSPACE-hard;
• AĀBE: nonELEMENTARY [14], PSPACE-hard [14];
• AĀB̄Ē: PSPACE-complete;
• AB̄: PSPACE-complete;
• AĀ: PSPACE [15], coNP-hard;
• ∀AĀBE: coNP-complete;
• Prop: coNP-complete.)

IV. THE FRAGMENTS ∀AĀBE, AĀ, AND Prop

In this section, we first deal with the universal and existential fragments of AĀBE, respectively denoted by ∀AĀBE and ∃AĀBE, whose formulas are defined as follows:

ψ ::= β | ψ ∧ ψ | [A]ψ | [B]ψ | [E]ψ | [Ā]ψ

(resp., ψ ::= β | ψ ∨ ψ | ⟨A⟩ψ | ⟨B⟩ψ | ⟨E⟩ψ | ⟨Ā⟩ψ),

where β ::= p | β ∨ β | β ∧ β | ¬β | ⊥ | ⊤ with p ∈ AP.

The intersection of ∀AĀBE and ∃AĀBE is the set of pure propositional formulas (Prop). Negations occur in pure propositional formulas only, and formulas with modalities can be combined only by conjunctions (in ∀AĀBE) or disjunctions (in ∃AĀBE). The negation of any ∀AĀBE formula can be transformed into an equivalent ∃AĀBE formula (of at most double length), and vice versa, by using De Morgan's laws and the equivalences [X]ψ ≡ ¬⟨X⟩¬ψ and ¬¬ψ ≡ ψ.

We now outline a non-deterministic algorithm to decide the model checking problem for a ∀AĀBE formula ψ. As usual, the algorithm searches for a counterexample to ψ. As we already pointed out, ¬ψ is equivalent to a suitable formula ψ′ of the dual fragment ∃AĀBE. Hence, the algorithm looks for an initial track of the finite Kripke structure that satisfies ψ′.

For the satisfiability check, we apply the non-deterministic procedure Check (Algorithm 1). Such a procedure uses an abstract representation of tracks called descriptor element. A descriptor element for a finite Kripke structure K = (AP, W, δ, μ, w0) is a triple belonging to W × 2^W × W. The descriptor element for a track ρ ∈ Trk_K is the triple d = (v_in, S, v_fin), where v_in = fst(ρ), S = intstates(ρ), v_fin = lst(ρ) (we also say that ρ is associated with d). The idea is that, to represent a track, we can restrict our attention to the first state, the last state, and the set of states occurring in between, ignoring information about the ordering and multiplicity of their occurrences.

The notion of descriptor element bears analogies with an abstraction technique for discrete time Duration Calculus proposed by Hansen et al. in [9], which on its turn is connected to Parikh images [19] (the notion of descriptor element can be seen as a qualitative analogue of this).

We say that a descriptor element d is witnessed (in K) if there exists a track ρ ∈ Trk_K such that d is the descriptor element for ρ. Instead of considering tracks of K, which are infinitely many, the model checking algorithm "enumerates" the descriptor elements witnessed in K, which are finitely many. In [15], we proved that if a descriptor element d is witnessed, then there exists a track of length at most 2+|W|² associated with it, and thus the above enumeration involves a non-deterministic polynomial time computation: to generate a (all) witnessed descriptor element(s) with initial state v, we just need to non-deterministically visit the unravelling of K from v up to depth 2+|W|².

The procedure Check (Algorithm 1) takes as input a Kripke structure K, a formula ψ of ∃AĀBE, and a witnessed descriptor element d = (v_in, S, v_fin) and it returns Yes if and only if there exists a track ρ ∈ Trk_K associated with d such that K, ρ ⊨ ψ. The procedure is recursively defined as follows.

If it is called on a Boolean combination β of proposition letters (base of the recursion), VAL(β, d) evaluates β over d in the standard way. The evaluation can be performed in deterministic polynomial time, and if VAL(β, d) returns ⊤, then there exists a track associated with d (of length at most quadratic in |W|) that satisfies β.

If ψ = ψ′ ∨ ψ″, where ψ′ or ψ″ feature some temporal modality, the procedure non-deterministically calls itself on ψ′ or ψ″ (the construct Either c1 Or c2 EndOr denotes a non-deterministic choice between commands c1 and c2).

Algorithm 1 Check(K, ψ, (v_in, S, v_fin))
  if ψ = β then                          // β is a Boolean combination of propositions
    if VAL(β, (v_in, S, v_fin)) = ⊤ then Yes else No
  else if ψ = ϕ1 ∨ ϕ2 then
    Either
      return Check(K, ϕ1, (v_in, S, v_fin))
    Or
      return Check(K, ϕ2, (v_in, S, v_fin))
    EndOr
  else if ψ = ⟨A⟩ϕ then
    (v_fin, S′, v′_fin) ← aDescrEl(K, v_fin, FORW)
    return Check(K, ϕ, (v_fin, S′, v′_fin))
  else if ψ = ⟨Ā⟩ϕ then
    (v′_in, S′, v_in) ← aDescrEl(K, v_in, BACKW)
    return Check(K, ϕ, (v′_in, S′, v_in))
  else if ψ = ⟨B⟩ϕ then
    (v′_in, S′, v′_fin) ← aDescrEl(K, v_in, FORW)      // v′_in = v_in
    Either
      if (v′_in, S′ ∪ {v′_fin}, v_fin) = (v_in, S, v_fin) and (v′_fin, v_fin) is an edge of K then
        return Check(K, ϕ, (v′_in, S′, v′_fin))
      else
        No
    Or
      (v″_in, S″, v″_fin) ← aDescrEl(K, v″_in, FORW), where (v′_fin, v″_in) is an edge of K non-deterministically chosen
      if concat((v′_in, S′, v′_fin), (v″_in, S″, v″_fin)) = (v_in, S, v_fin) then
        return Check(K, ϕ, (v′_in, S′, v′_fin))
      else
        No
    EndOr
  else if ψ = ⟨E⟩ϕ then
    Symmetric to ψ = ⟨B⟩ϕ

If ψ = ⟨A⟩ψ′ (respectively, ⟨Ā⟩ψ′), the procedure looks for a new descriptor element for a track starting from the final state (respectively, leading to the initial state) of the current descriptor element d. To this aim, we use the procedure aDescrEl(K, v, FORW) (resp., aDescrEl(K, v, BACKW)) which non-deterministically returns a descriptor element (v′_in, S′, v′_fin), with v′_in = v (resp., v′_fin = v), witnessed in K by exploring forward (resp., backward) the unravelling of K from v′_in (resp., from v′_fin)². Its complexity is polynomial in |W|, since it needs to examine the unravelling of K from v up to depth 2+|W|².

² By forward (respectively, backward) unravelling of a Kripke structure K = (AP, W, δ, μ, w0) from v ∈ W, we refer to the unravelling of the graph (W, δ) (respectively, (W, δ̄), where δ̄ is the inverse of δ) from v.

If ψ = ⟨B⟩ψ′, the procedure looks for a new descriptor element d1 and eventually calls itself on ψ′ and d1 only if the current descriptor element d results from the "concatenation" of d1 with a suitable descriptor element d2: if d1 = (v′_in, S′, v′_fin) and d2 = (v″_in, S″, v″_fin), then concat(d1, d2) returns (v′_in, S′ ∪ {v′_fin, v″_in} ∪ S″, v″_fin). Notice that if ρ1 and ρ2 are tracks associated with d1 and d2, respectively, then ρ1·ρ2 is associated with concat(d1, d2).

The following theorem proves soundness and completeness of the Check procedure.

Theorem 1: For any ∃AĀBE formula ψ and any witnessed descriptor element d = (v_in, S, v_fin), the procedure Check(K, ψ, d) has a successful computation iff there exists a track ρ associated with d such that K, ρ ⊨ ψ.

Proof: (Soundness) The proof is by induction on the structure of the formula ψ.
• ψ is a Boolean combination of propositions β: let ρ be a witness track for d; if Check(K, β, d) has a successful computation, then VAL(β, d) is true and so K, ρ ⊨ ψ.
• ψ = ϕ1 ∨ ϕ2: if Check(K, ψ, d) has a successful computation, then, for some i ∈ {1, 2}, Check(K, ϕi, d) has a successful computation. By the inductive hypothesis, there exists ρ ∈ Trk_K associated with d such that K, ρ ⊨ ϕi, and thus K, ρ ⊨ ϕ1 ∨ ϕ2.
• ψ = ⟨A⟩ϕ: if Check(K, ψ, d) has a successful computation, then there exists a witnessed d′ = (v′_in, S′, v′_fin), with v′_in = v_fin, such that Check(K, ϕ, d′) has a successful computation. By the inductive hypothesis, there exists a track ρ′, associated with d′, such that K, ρ′ ⊨ ϕ. If ρ is a track associated with d (which is witnessed by hypothesis), we have that lst(ρ) = fst(ρ′) = v_fin and, by definition, K, ρ ⊨ ψ.
• ψ = ⟨B⟩ϕ: if Check(K, ψ, d) has a successful computation, then we must distinguish two possible cases.
  (i) There exists d′ = (v_in, S′, v′_fin), witnessed by a track with (v′_fin, v_fin) ∈ δ, such that (v_in, S′ ∪ {v′_fin}, v_fin) = d, and Check(K, ϕ, d′) has a successful computation. By the inductive hypothesis, there exists a track ρ′, associated with d′, such that K, ρ′ ⊨ ϕ. Hence K, ρ′·v_fin ⊨ ψ and ρ′·v_fin is associated with d.
  (ii) There exist d′ = (v_in, S′, v′_fin), witnessed by a track, and d″ = (v″_in, S″, v″_fin), witnessed by a track as well, such that (v′_fin, v″_in) ∈ δ, concat(d′, d″) = d, and Check(K, ϕ, d′) has a successful computation. By the inductive hypothesis, there exists a track ρ′, associated with d′, such that K, ρ′ ⊨ ϕ. Hence K, ρ′·ρ″ ⊨ ψ, where ρ″ is any track associated with d″ and ρ′·ρ″ is associated with d.
The case ψ = ⟨Ā⟩ϕ (resp., ψ = ⟨E⟩ϕ) can be dealt with as ψ = ⟨A⟩ϕ (resp., ψ = ⟨B⟩ϕ).

(Completeness) The proof is by induction on the structure of the formula ψ.
• ψ is a Boolean combination of propositions β: if ρ is associated with d and K, ρ ⊨ β, then VAL(β, d) = ⊤ and thus Check(K, ψ, d) has a successful computation.
• ψ = ϕ1 ∨ ϕ2: if there exists a track ρ associated with d such that K, ρ ⊨ ϕ1 ∨ ϕ2, then K, ρ ⊨ ϕi, for some i ∈ {1, 2}. By the inductive hypothesis, Check(K, ϕi, d) has a successful computation, and hence Check(K, ψ, d) has a successful computation.
• ψ = ⟨A⟩ϕ: if there exists a track ρ, associated with d, such that K, ρ ⊨ ⟨A⟩ϕ, then, by definition, there exists a track ρ′, with fst(ρ′) = lst(ρ) = v_fin, such that K, ρ′ ⊨ ϕ. If d′ = (v_fin, S′, v′_fin) is the descriptor element for ρ′, then, by the inductive hypothesis, Check(K, ϕ, d′) has a successful computation. Since there exists a computation where the non-deterministic call to aDescrEl(K, v_fin, FORW) returns the descriptor element d′ for ρ′, it follows that Check(K, ψ, d) has a successful computation.
• ψ = ⟨B⟩ϕ: if there exists a track ρ, associated with d, such that K, ρ ⊨ ⟨B⟩ϕ, there are two possible cases.
  (i) K, ρ′ ⊨ ϕ, with ρ = ρ′·v_fin for some ρ′ ∈ Trk_K. If d′ = (v_in, S′, v′_fin) is the descriptor element for ρ′, by the inductive hypothesis, Check(K, ϕ, d′) has a successful computation. Since there is a computation where aDescrEl(K, v_in, FORW) returns d′ and both (v′_fin, v_fin) ∈ δ and (v_in, S′ ∪ {v′_fin}, v_fin) = d, it follows that Check(K, ψ, d) has a successful computation.
  (ii) K, ρ′ ⊨ ϕ with ρ = ρ′·ρ̃ for some ρ′, ρ̃ ∈ Trk_K. Let d′ = (v_in, S′, v′_fin) and d″ = (v″_in, S″, v″_fin) be the descriptor elements for ρ′ and ρ̃, respectively. Obviously, it holds that concat(d′, d″) = d. By the inductive hypothesis, Check(K, ϕ, d′) has a successful computation. Since both ρ′ and ρ̃ are witnessed, there is a computation where the calls to aDescrEl(K, v_in, FORW) and aDescrEl(K, v″_in, FORW) non-deterministically return d′ and d″, respectively, and (v′_fin, v″_in) ∈ δ is non-deterministically chosen. Hence, Check(K, ψ, d) has a successful computation.
The case ψ = ⟨Ā⟩ϕ (resp., ψ = ⟨E⟩ϕ) can be dealt with as ψ = ⟨A⟩ϕ (resp., ψ = ⟨B⟩ϕ).

It is worth pointing out that Check(K, ψ, d) cannot deal with ⟨B̄⟩ and ⟨Ē⟩ modalities. In [14], to cope with them, Molinari et al. introduced the notion of track descriptor.

Algorithm 2 ProvideCounterex(K, ψ)
  (v_in, S, v_fin) ← aDescrEl(K, w0, FORW)
  return Check(K, to∃AĀBE(¬ψ), (v_in, S, v_fin))

The procedure ProvideCounterex(K, ψ) (Algorithm 2) has a successful computation iff K ⊭ ψ, where ψ is a ∀AĀBE formula, to∃AĀBE(¬ψ) is the ∃AĀBE formula equivalent to ¬ψ, and w0 is the initial state of K.

On the one hand, if ProvideCounterex(K, ψ) has a successful computation, then there exists a witnessed descriptor element d = (v_in, S, v_fin), where v_in is w0 (the initial state of K), such that Check(K, to∃AĀBE(¬ψ), d) has a successful computation. This means that there exists a track ρ, associated with d, such that K, ρ ⊨ ¬ψ, and thus K ⊭ ψ. On the other hand, if K ⊭ ψ, then there exists an initial track ρ such that K, ρ ⊨ ¬ψ. Let d be the descriptor element for ρ; Check(K, to∃AĀBE(¬ψ), d) has a successful computation: some non-deterministic instance of aDescrEl(K, w0, FORW) returns d (as it is witnessed by an initial track), and thus ProvideCounterex(K, ψ) has a successful computation.

As for the complexity, ProvideCounterex(K, ψ) runs in non-deterministic polynomial time (it is in NP) since the number of recursive invocations of the procedure Check is O(|ψ|) and each invocation requires time polynomial in |W| while generating descriptor elements. Therefore, the model checking problem for ∀AĀBE belongs to coNP.

We conclude the section by proving that the model checking problem for ∀AĀBE is coNP-complete. Such a result is an easy corollary of the following theorem.

Theorem 2: Let K be a Kripke structure and β ∈ Prop be a Boolean combination of proposition letters. The problem of deciding whether K ⊭ β is NP-hard (under a LOGSPACE reduction).

Proof: We provide a LOGSPACE reduction from the NP-complete SAT problem to the considered problem. Let β be a Boolean formula over a set of variables Var = {x1, ..., xn}. We build a Kripke structure, K^Var_SAT = (AP, W, δ, μ, w0), with:
• AP = Var;
• W = {w0} ∪ {w_i^ℓ | ℓ ∈ {⊤, ⊥}, 1 ≤ i ≤ n};
• δ = {(w0, w_1^⊤), (w0, w_1^⊥)} ∪ {(w_n^⊤, w_n^⊤), (w_n^⊥, w_n^⊥)} ∪ {(w_i^ℓ, w_{i+1}^m) | ℓ, m ∈ {⊤, ⊥}, 1 ≤ i ≤ n−1};
• μ(w0) = AP;
• for 1 ≤ i ≤ n, μ(w_i^⊤) = AP and μ(w_i^⊥) = AP \ {x_i}.

See Fig. 4 for an example of K^Var_SAT, for Var = {x1, .., x4}.

Figure 4. Kripke structure K^Var_SAT associated with a SAT formula with variables Var = {x1, x2, x3, x4}.

It is immediate to see that any initial track ρ of any length induces a truth assignment to the variables of Var: for any x_i ∈ Var, x_i evaluates to ⊤ iff x_i ∈ ⋂_{w ∈ states(ρ)} μ(w). Vice versa, for any possible truth assignment to the variables in Var, there exists an initial track ρ that induces such an assignment: we include in the track the state w_i^⊤ if x_i is assigned to ⊤, w_i^⊥ otherwise.

Let γ = ¬β. It holds that β is satisfiable iff there exists an initial track ρ ∈ Trk_{K^Var_SAT} such that K^Var_SAT, ρ ⊨ β, that is, iff K^Var_SAT ⊭ γ. To conclude, we observe that K^Var_SAT can be built with logarithmic working space.

It immediately follows that checking whether K ⊭ β for β ∈ Prop is NP-complete, so model checking for formulas of Prop is coNP-complete. Moreover, since a Boolean combination of proposition letters in Prop is also a ∀AĀBE formula, ProvideCounterex(K, ψ) is at least as hard as checking whether K ⊭ β for β ∈ Prop. Thus, ProvideCounterex(K, ψ) is NP-complete, hence the model checking problem for ∀AĀBE is coNP-complete.

From the lower bound for Prop, it immediately follows that model checking for AĀ is coNP-hard (and we already know from [15] that it is in PSPACE).

V. PSPACE-HARDNESS OF THE FRAGMENT AĀB̄Ē

In [15], Molinari et al. showed how to extract from the proposed model checking algorithm for AĀBB̄Ē a model checking algorithm for AĀB̄Ē which works in polynomial (not exponential) space. It benefits from the fact that AĀB̄Ē lacks the B modality. Here, we prove that there is no way to improve such an algorithm by showing that model checking for AB̄ is a PSPACE-hard problem (Theorem 3).

[...]

where

ξ_i = φ(x_n, x_{n−1}, ⋯, x_1)            if i = 0,
ξ_i = ⟨B̄⟩((⟨A⟩x_i^aux) ∧ ξ_{i−1})        if i > 0 ∧ Q_i = ∃,
ξ_i = [B̄]((⟨A⟩x_i^aux) → ξ_{i−1})        if i > 0 ∧ Q_i = ∀.

Both K^Var_QBF and ξ can be built by using logarithmic working space. We will show (proof of Theorem 3) that ψ is true if and only if K^Var_QBF ⊨ ξ.

As a preliminary step, we introduce some technical definitions and prove the auxiliary Lemma 1.

Given a Kripke structure K = (AP, W, δ, μ, w0) and an AB̄ formula ψ, we denote by pℓ(ψ) the set of proposition letters occurring in ψ and by K_{|pℓ(ψ)} the structure obtained from K by restricting the labelling of each state to pℓ(ψ), namely, the Kripke structure (AP, W, δ, μ, w0), where AP = AP ∩ pℓ(ψ) and μ(w) = μ(w) ∩ pℓ(ψ), for all w ∈ W. Moreover, for v ∈ W, we denote by reach(K, v) the subgraph of K, with v as its initial state, consisting of all and only the states which are reachable from
PSPACE- v, namely, the Kripke structure (AP,W ,δ ,µ,v), where 0 0 0 completeness of AABE (and AB) immediately follows. As W = w W there exists ρ Trk with fst(ρ) = v a by-product, model checking for AABBE is PSPACE-hard 0 { ∈ | ∈ K and lst(ρ)=w , δ =δ (W W ), and µ(w)=µ(w), 0 0 0 0 as well (in [15], we only proved that it is NP-hard in the } ∩ × for all w W . As usual, we say that two Kripke structures 0 non-succinct case). ∈ K = (AP,W,δ,µ,w0) and K0 = (AP0,W0,δ0,µ0,w00) are We provide a reduction from the QBF problem (i.e., isomorphic (K K for short) iff there is a bijection 0 the problem of determining the truth of a fully-quantified ∼ f :W W suchthat(i)f(w )=w ;(ii)forallu,v W, Boolean formula in prenex normal form)—which is known 7→ 0 0 00 ∈ (u,v) δ iff (f(u),f(v)) δ ; (iii) for all v W, 0 to be PSPACE-complete (see, for example, [22])—to the ∈ ∈ ∈ model checking problem for AB formulas over finite µ(v) = µ0(f(v)). Finally, if AK = (AP,I,AI,BI,EI,σ) is the abstract interval model induced by a Kripke structure K Kripkestructures.WeconsideraquantifiedBooleanformula and ρ Trk , we denote σ(ρ) by L(K,ρ). K ψ = Q x Q x Q x φ(x ,x , ,x ), where ∈ n n n 1 n 1 1 1 n n 1 1 Let K and K be two Kripke structures. The following − − ··· − ··· 0 Q , , for i = 1, ,n, and φ(x ,x , ,x ) is i n n 1 1 lemma states that, for any AB formula ψ, if the same set of ∈ {∃ ∀} ··· − ··· a quantifier-free Boolean formula. Let Var = x ,...,x n 1 propositionletters,restrictedtop‘(ψ),holdsovertwotracks { } be the set of variables of ψ. We define the Kripke structure ρ Trk and ρ Trk , and the subgraphs consisting of KQVBarF =(AP,W,δ,µ,w0) as follows: the∈statesKreachab0l∈efromK,0respectively,lst(ρ)andlst(ρ0)are AP =Var start xiaux 1 i n ; isomorphic, then ρ and ρ0 are equivalent with respect to ψ. 
• W = w‘ ∪{1 i}∪{n, ‘ | ≤, ≤, } , Lemma 1: GivenanABformulaψ,twoKripkestructures • w0,w{1,sxiink| ; ≤ ≤ ∈ {⊥1 ⊥2 >1 >2}}∪ K = (AP,W,δ,µ,w0) and K0 = (AP0,W0,δ0,µ0,w00), and • i{f n=0, δ =}{(w0,w1),(w1,sink),(sink,sink)}; two tracks ρ∈TrkK and ρ0 ∈TrkK0 such that if n>0, L(K p‘(ψ),ρ)=L(K0p‘(ψ),ρ0) and δ={(w0,w1),(w1,wx>n1),(w1,wx⊥n1)}∪ | | {(wx>i1,wx>i2),(wx⊥i1,wx⊥i2)|1≤i≤n}∪ reach(K|p‘(ψ),lst(ρ))∼reach(K|0p‘(ψ),lst(ρ0)), (w‘ ,wm ) ‘ , ,m , ,n i 2 {{(wxx>i12,sxini−k1),(|wx⊥∈12{,⊥si2nk>),2(}sink∈,s{in⊥k1)}>.1} ≤ ≤ }∪ it holPdrsotohfa:tTKhe,ρpr|=ooψf is⇐b⇒y stKru0c,tρu0ra|=l iψnd.uction on ψ. µ(w )=µ(w )=Var start ; • 0 1 ∪{ } ψ = p, with p AP (p‘(p) = p ). If K,ρ = p, µ(w‘ ) = Var x , for 1 i n, ‘ • ∈ { } | {µ>(w1x,‘i>)2=};(Var ∪x{ i)aux}x , fo≤r 1 ≤i n an∈d tihmemnepdia∈telyL(fKoll,oρw)satnhdathpen∈ceL(pK∈0p‘(Lψ)(,Kρ|0p)‘,(ψa)n,dρ)th.uIst ‘∈{x⊥i 1,⊥2}; \{ i} ∪{ iaux} ≤ ≤ pψ∈=L(φK0(,pρ‘0()φa)n=d Kp‘0(,ψρ)0)|=. Ifp.K,ρ =| φ, then K,ρ = µ(sink)=Var. • ¬ | ¬ 6| φ. By the inductive hypothesis, K ,ρ = φ and thus 0 0 6| An example of such a Kripke structure where Var = K ,ρ = φ. 0 0 | ¬ x,y,z is given in Figure 5. ψ = φ φ . If K,ρ = φ φ , then K,ρ = φ . { } • 1 ∧ 2 | 1 ∧ 2 | 1 From ψ, we obtain the AB formula ξ = start → ξn, Since, by hypothesis, L(K|p‘(ψ),ρ) = L(K|0p‘(ψ),ρ0) x,y,wzx>,1xaux x,y,wzx>,2xaux x,y,wzy>,1yaux x,y,wzy>,2yaux x,y,wzz>,1zaux x,y,wzz>,2zaux w0 w1 x,y,z,start x,y,z,start sink x,y,z y,zw,x⊥x1aux y,zw,x⊥x2aux x,zw,y⊥y1aux x,zw,y⊥y2aux x,yw,z⊥z1aux x,yw,z⊥z2aux Figure5. KripkestructureKx,y,z associatedwithaquantifiedBooleanformulawithvariablesx,y,z. QBF and reach(K , lst(ρ)) reach(K ,lst(ρ)), istheisomorphismbetweenreach(K ,lst(ρ))and irteahcohld(Ks that|pL‘,(l(ψsKt)(|ρp)‘()φ1),ρ)∼r=eacLh((KK|0p|0p‘‘(φ(ψ1)),,lρs0t)(ρa0)n)d, dreefiacnhit(ioKn|0po‘(fψi)s,olmsto(ρrp0)h)i.smSi,n(clestf(ρ()ls,tf(sρt|p()‘ρ)()ψ=)) lsδt(iρm0)p,libeys since p‘(|φp‘1()φ1)⊆ p‘(ψ). B∼y the induct|i0pv‘e(φh1)ypothe0sis, (lst(ρ0),fst(ρ0)) ∈ δ0. 
It follows that L(K∈|p‘(φ),ρ) = Kthe0,sρis0 f|=olloφw1.s.The same argument works for φ2. The Lto(Kre|0ap‘c(hφ(),Kρ00p)‘(aφn)d,lrste(aρc0h))(.KF|pin‘(aφll)y,,lst(ρ))isisomorphic ψ = A φ. If it holds that K,ρ = A φ, then there | • h i | h i aexnidstsKa,ρtra=ckφρ, w∈ithTrpk‘K(φs)uc=h tpha‘(tψf)s.t(Bρ)y =hyplsott(hρe)- L(K|p‘(φ),ρ·ρ)=L(K|p‘(φ),ρ)∩L(K|p‘(φ),ρ)= sHise,ncree,atchhe(|rKe|pe‘x(iψs)ts,lsat(tρra)c)k∼ρ reacThr(kK|0p,‘(wψi)t,hlsfts(tρ(0ρ))). L(K|0p‘(φ),ρ0)∩L(K|0p‘(φ),ρ0)=L(K|0p‘(φ),ρ0·ρ0) 0 ∈ K0 0 and reach(K p‘(φ),lst(ρ ρ)) is isomorphic to (=ian≤)lsits(o|ρρm0|)o,−rpshu1ics,hmft(bhρea(ttwi)|e)ρe|n==reaρc|0ρh(0i(|)K,apnw‘d(hψe)fro,elrstfa(lρl)is)0atnh≤de rKe0a,cρh0(·Kρ0|0p|=‘(φφ),|lasntd(ρt0h·eρr0e)f)o.rBe·yKth0,eρi0n|d=uchtBivieφh.ypothesis, | reach(K ,lst(ρ)). It immediately follows that 0p‘(ψ) 0 L(K p‘(φ)|,ρ) =L(K0p‘(φ),ρ0). Theorem 3: The model checking problem for AB over We n|ow prove that |reach(K ,lst(ρ)) is isomor- finiteKripkestructuresisPSPACE-hard(underLOGSPACE p‘(φ) phic to reach(K0p‘(φ),lst(ρ0)|). To this end, it suf- reductions). fices to prove th|at the restriction of the isomor- Proof: We prove that the quantified Boolean formula pfh0,isims afn itsoomthoerpshtiastmesboeftwreeeanchr(eKac|ph‘((φK),pl‘s(tφ()ρ,)l)s,t(sρa)y) ψiff =KQxBQn,F·n··x,xn1Q|=n−ξ1xbny−i1n·d·u·cQti1oxn1oφn(xtnhe,xnnu−m1b,·e·r·oxf1)vairsiabtrluees and reach(K0p‘(φ),lst(ρ0)) (notice that| the Kripke n ∈ N of ψ. In the following, φ(xn,xn−1,···x1){xi/υ}, structure rea|ch(K ,lst(ρ)) is a subgraph of with υ , , denotes the formula obtained from p‘(φ) ∈ {> ⊥} rfe0(alcsht((ρK))|p‘(=ψ),llsstt((ρρ|)0))).. 
FNiersxtt,,itifhowldsitshaatnfy(lsstt(aρte))o=f υφ.(xItn,isxnw−o1r,th··n·oxt1ic)inbgythreaptlKacQxinBng,Fxna−ll1,·o··c,cxu1rraenndceKsQxoBnf−F1x,·i··,bxy1 raesatacthe(oKf|pr‘e(aφ)c,hl(sKt(0ρp)‘)(φ,)t,hlsetn(ρf0)()w,)as=frofm0(twhe) e=xiswte0ncies warx>en2is1o,mwox⊥rnp1h1ic,wwx⊥hn2en1,th·e·y·,awrex>1r1e,swtrxi>c12te,dwtx⊥o11t,hwex⊥s1t2a,tseisnwkx>(n1i−.e1.,, of a track from lst|(ρ) to w, it follows that there is an thel−eftmost−partof−bothKripkestructuresiseliminated),and isomorphictrack(w.r.t.f)fromlst(ρ)tow .Moreover, thelabellingofstatesissuitablyrestrictedaswell.Moreover, 0 0 iafn(dwt,hwus)(∈wδ0,,fth(wen))wbeδl0oanngdsfto(wre)a=chf(K0(w|p‘)(φb)e,llosntg(ρs)t)o, othnelyprthoepotsriatcioknwl0ewtte1rsxatiiasufixesisstsaartitsfiaendd,bfyorthie=twno,·t·r·ac,k1s, reach(K0p‘(φ),lst(ρ0∈)). We can thus conclude that, for wx>i1wx>i2 and wx⊥i1wx⊥i2 only. any two |states v,v of reach(K ,lst(ρ)), it holds 0 p‘(φ) (Case n=0) ψ equals φ and it has no variables. The states | that (v,v ) is an edge iff (f (v),f (v )) is an edge ofreach(0K0p‘(φ),lst(ρ0)).Byt0heind0uct0ivehypothesis, ofLKeQ∅tBuFs aasresuWme=φ{two0b,ew1tr,usei.nkA}llainnditiξal=trsatcakrsto→f lφe.ngth K0,ρ0 |=φ a|nd hence K0,ρ0 |=hAiφ. greater than 2 trivially satisfy ξ, as start does not hold ψ = B φ. If K,ρ = B φ, then K,ρ ρ = φ, • with ph‘(ψi) = p‘(φ), |whehreiρ ρ Trk ·and| ρ is on them. As for w0w1, it is true that KQ∅BF,w0w1 |= φ, · ∈ K since φ is true (its truth does not depend on the proposition either a single state or a proper track. In analogy to lettersthatholdonw w ,becauseithasnovariables).Thus 0 1 the previous case, let ρ Trk such that ρ = ρ and, for all 0 i < 0ρ∈, f(ρ(Ki0)) = ρ(i),|w|here| f0| KQ∅BF |= ξ. Vice versa, if KQ∅BF |= ξ, then, in particular, ≤ | | 0 KQ∅BF,w0w1 |=φ. But φ has no variables, hence it is true. f(WQ◦oCnrCeamsad=eusiesl∀atniQ,nψagn≥nu==dishQf1∃o)tn:rwxbLonoeQctthansuw−ess1e,xcdpnoer−nop1sveien·d·det·ihrnQegt1htowxen1oφqwi(umhxaenpntl,thiixcfieanret−dQio1nn,Bs·=o.·o·∃lxe1ao)nr. 
iqEa(Ist=nulsdefewnξoKnKcx>ll−eQnQox2x,1BnwBn)K,F,·aFs··Q(··nx·r,Bnde,xtxh,c,1F·1a·a,·,twli,wlnx01tK0wh,wpQawx1at1Bnw0rtw,wtFxh>·i·nxc>e1·1,nuww1xolwx1>xn>an,nrl12x>,ywn2||==0sKwuwQxc[⊥[x1BBncBn1w−e],]F·((sx1>·((s·n¬h1,o|xA=wrh1iAox,>xξwnfi2nnwxw0−−nwx>x>12−nn1.1a11−wuAia1xnx>u)snxK1→)|=waQx∨x>Bncξnξ,2oFnξ·n·n−n·−s,−2x|=e2)21)-. ( ) If the formula ψ is true, then, by definition, there A xn 1aux). ⇒ ¬h i − exists υ , such that if we replace all occur- qtmrheunauatclnaetψsifiφ0oe0(fd=x∈xnBn−Qo1{oi,nn>l·−e·aφ1·⊥nx(xxn}1fn−)o,1rxm=·n·u−·lφaQ1(.,1x·Bxn·1·y,φxx01nt(h)−xe1nb,−yi·n1·dυ,·u·,xc·w1t·i)xve{e1xg)neh/tiysυpth}oaethstefuroscuirhes- KtKhQQexx(rBBnn⇐,,FF····K)··,,Qxxx11IBnf,,,F·ww··w00,xwwe111,wwh|x0⊥a=wnv1e1hwB|=Kx>inQ1(xhBnA,(F·h|·i=·A,xxin1xa(nuhAxa|=ui∧xx)nξξn∧a,−ux1ξi))tn.−∧h1H.oeξlndnLcs−ee1t,theuoais-rt tKK“wianlQQ1ieixxWntfBBnniteoa−−meFFdfl11o,,pKt··fsr··rrQ··taoxo”,,cBxxnvmk11,esF·,·t·atψwρ,|ht=xe000a1iswtn)a.ξKon100KfdQ,|x=QKBnxξwBn,QnF0·ξx·h,F−n··Bn0·e,·−−1xFr,1e1x1,=1,·|·=.ξ·w,0xIξhξf1ne=.−ri(Lte1c{eosdwtxrtor00anueer/sssatpυncon}dono→.ndtwsIiitns10daξgfetan0orir−tsleolfa1oytwwghisese0sntatetaohwrrnbiatdoc-t, KQξKBchno0oQQynxx−nld−BBnns1−s,i1LFF)·d·1x·ee,,·antmrx·hn·−1am,dx,1tt1wha·te·0hK·w|u1=QQxs,fi1Bnw1r,KFs·Kxξ·x>t·Q01Qxn.x,1φxBnBnwc1−(B−FFa,xx>11ysw,nn,2·e··,0···txw,h,xx(n|e=11t1−hw,ei1w|=x>n,nξd001·nowu·s−tc·10htt1|,a=eiv{xrrex1t|=n)i{hξ/→snxy>−pnξs}no1/ξy−t{>n0mhx(1−e}am{ns1sxi/,esn>ti,bnrs/i}eaψc>fm)o0t.}raeru(enl==eyI)dt.., t(hρen=itwt0rwiv1ia),llywehohldavsethtoatsKhoQxwBn,F··t·h,axt1,KρQxBn|=,F···ξ,x.1,Owth0wer1wi|s=e tHrueen.ce, ψ = ∃xnQn−1xn−1···Q1x1φ(xn,xn−1,···x1) is hsBidie(r(hwAiwxnwau1x;)o∧thξenrw−1is)e,(=weξcno)n.siIdferυw=w>w, 1w.eIncothne- ◦ Case Qn =∀: 0 1 x>n 0 1 x⊥n ( ) Assume that both ψ = Q x Q x φ(x , first case (the other is symmetric), we must prove that 0 n 1 n 1 1 1 n ⇒ − − ··· 
KthoshionQnaxllActdyBness,F·Kn·w·teQ,hxexeBnad1−th,F1twaKo,v·0Q·xe·sw,Bnhxs1,oF1·hw·w,·ow,x>wxtn0110hn,wa,wt|10=b0Kyw|=Qxt(1hBnhwAe,F·ξ·x>·ini0nn,1−xxd1n1|u=,(acw=uti0hxvAw)eξi1n∧hw−xynxξ1>pnn{ao1−xut|h=xn1e../sξ>HiInst},e−)nti1.rtc.ievhN,ioaolwlwdlyes, xxξlξKannnnQsx−−−−.Bn1111W,F.)·,,·.···Te·,·x,hs·T1xihs,o,1owx)cw{10atx)wnht{nih1xsb/awen>tx>/esK}n⊥n1hQdox}a|=Bn,wn,Fad·n·riξ·ten,eψxx−1t0as0r1,uucw=tfealfi0yncqwdQeua1ssaKnn|−=iQtxnti1oBnfix[t,FeBh·n·de·p−],(xr1∃B(o1h·vo,cA·ewoa·ils0Qeexwat.h1nn1xaawt1fuoφx⊥xrn(b)1mxo→|unt=h-, -- pL‘((KξQnx−Bn−1F{1,x··n·,/x>1|}p)‘(=ξn−{1x{1x,n·/·>·},)x,nw−001w,10x)1=aux{,x·n·−·1,,x·n·−·1,xau1x}},, [ξBn−c(](a⇐1(shea)AnadinIxfdKnQxbKaBnyuQx,Fx·Bna·)·p,F,·x→·p·1l,y,xwξi1nn0g−w|1=t1h)w.eHx⊥iξnn1e,dn|=uctchet,ξeinvnK−eQx1KhBn.yQ,FRx·p·Bn·eo,,aFx·t·hs1·oe,,xnsw1iis,n0wwgtw01awwisc1xi>enn,1twh||==ee - L(KQxBn,F···,x1|p‘(ξn−1{xn/>}),w0w1wx>n1wx>n2)={xn−1,..,x1}, a∃gnedt tQhat Qxn−1xn−Q1··x·Qφ1(xx1φ,x(xn,x,n−1,,x···),xx1/){xn/>ar}e -rreeaacchh((KKQQxxBnBn−,FF··1·,,·x··1,|xp1‘|(pξ‘n(−ξn1−{x1n{x/n>/}>),}w),x>wn210)),is isomorphic to ttrruuee;. thnu−s1∀nx−n1Q·n·−·1x1n−11···nQ1nx−1φ1(x··n·,xn1−1{,·n··⊥,x}1) is bKbyeQxllBniLn,F·e·g·m,xom1f,atwh10e,wtr1KawQcxx>kBnn,1F·ww··,x>xwn12,ww|=0w1w1ξwn−x>2n11awnax>dsn2oxf|=naniξysn0ρ−in1s.utcHhheenthclaae-t, In this paper, weVidIe.nCtifiOeNdCsLoUmSeIOHNSS fragments, namely, 0 1 x>n x>n AABE, AABE, and AA, whose model checking problem w w w 1w 2 Pref(ρ). ∀ 0 1 x>n x>n ∈ turns out to be (computationally) much simpler than that of Now, if n = 1, then ξ = φ(x ) and it holds that n 1 n full HS and of other, already-studied fragments of it, and KQxBn,F···,x1,w0w1wx>n1 |=ξn−−1. comparable to that of point-based temporal logics (as an If n > 1, either ξn 1 = B (( A xn 1aux) ξn 2) or example, the model checking problem for AABE has the − h i h i − ∧ − ξn 1 = [B](( A xn 1aux) ξn 2). same complexity as that for LTL). 
We also showed that −In the firsht icase−, since→KQxBn−,F···,x1,w0w1wx>n1wx>n2 |= thesefragmentsareexpressiveenoughtocapturemeaningful B (( A xn 1aux) ξn 2),thereareonlytwopossibilities: properties of state-transition systems, such as, for instance, hKKInQQxxiBBbnn,,oFF····ht··h,,xxic11a,,swwe−00sww, 11KwwQxxxB>>nnn,F11∧··ww·,xxx>>1nn−22,wwwxx>⊥0nnw11−−111w|x=>|=n1((h|=hAAihiBxxnin(−(−h1A1aauiuxxx)n)∧−∧ξ1naξu−nx2−)o2∧r. mresuAetuasracfloherxdfciulruteuscriteoionwn,sos.rtakOt,enwreethaaecrheoanbceiulritrhyea,nnatdlny,dewnxeopnlao-rrseitnalgrovoatwtkiioonngm. afoinr ξ ). other well-behaved fragments of HS; on the other hand, we n 2 −
