lambda-Coloring of Graphs

2000, Symposium on Theoretical Aspects of Computer Science


A Classification of Symbolic Transition Systems

THOMAS A. HENZINGER, University of California, Berkeley
RUPAK MAJUMDAR, University of California, Berkeley
JEAN-FRANÇOIS RASKIN, Université Libre de Bruxelles, Belgium

Authors' addresses: Thomas A. Henzinger, Department of Electrical Engineering and Computer Sciences, University of California at Berkeley, CA 94720-1770, USA. Rupak Majumdar, Department of Electrical Engineering and Computer Sciences, University of California at Berkeley, CA 94720-1770, USA. Jean-François Raskin, Département d'Informatique, Faculté des Sciences, Université Libre de Bruxelles, Belgium.

A preliminary version of this paper appeared in the Proceedings of the 17th Annual Symposium on Theoretical Aspects of Computer Science (STACS), Lecture Notes in Computer Science 1770, Springer-Verlag, 2000, pages 13–34. This research was supported in part by the DARPA grant F33615-C-98-3614, the MARCO grant 98-DT-660, the NSF grants CCR-9988172, CCR-0085949, and CCR-0225610, and the Belgian National Fund for Scientific Research (FNRS).

ACM Transactions on Computational Logic, Vol. V, No. N, February 2006, Pages 1–31.

We define five increasingly comprehensive classes of infinite-state systems, called STS1–STS5, whose state spaces have finitary structure. For four of these classes, we provide examples from hybrid systems.
STS1. These are the systems with finite bisimilarity quotients. They can be analyzed symbolically by iteratively applying predecessor and boolean operations on state sets, starting from a finite number of observable state sets. Any such iteration is guaranteed to terminate in that only a finite number of state sets can be generated. This enables model checking of the µ-calculus.

STS2. These are the systems with finite similarity quotients. They can be analyzed symbolically by iterating the predecessor and positive boolean operations. This enables model checking of the existential and universal fragments of the µ-calculus.

STS3. These are the systems with finite trace-equivalence quotients. They can be analyzed symbolically by iterating the predecessor operation and a restricted form of positive boolean operations (intersection is restricted to intersection with observables). This enables model checking of all ω-regular properties, including linear temporal logic.

STS4. These are the systems with finite distance-equivalence quotients (two states are equivalent if for every distance d, the same observables can be reached in d transitions). The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new state sets are generated. This enables model checking of the existential conjunction-free and universal disjunction-free fragments of the µ-calculus.

STS5. These are the systems with finite bounded-reachability quotients (two states are equivalent if for every distance d, the same observables can be reached in d or fewer transitions). The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new states are encountered (this is a weaker termination condition than above). This enables model checking of reachability properties.
Categories and Subject Descriptors: D.2.4 [Software Engineering]: Software/Program Verification; F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs

General Terms: Formal Verification, Temporal Logics

Additional Key Words and Phrases: Model Checking, Symbolic Algorithms, State Equivalences, Hybrid Automata

1. INTRODUCTION

Algorithmic verification methods ("model checking") were originally invented for the analysis of finite-state systems, whose state spaces can be explored exhaustively. Much recent interest has concerned the application of such methods to infinite-state systems. There are two important approaches. Methods of the first kind reduce an infinite-state system to an "equivalent" finite-state system —often a quotient system— and then explore the resulting finite quotient space. We call these methods reductionist. A well-known representative of the reductionist approach is the region-graph method for timed automata [Alur and Dill 1994]: every timed automaton is bisimilar to a finite graph of clock regions, each representing an equivalence class of infinitely many clock states; model checking a timed automaton can therefore be reduced to model checking its region graph. Methods of the second kind explore the infinite state space directly, by manipulating a data type called region, whose members represent possibly infinite sets of states. We call these methods symbolic.[1] A typical representative of the symbolic approach is the clock-zone method for timed automata [Henzinger et al. 1994]: the symbolic model checking of timed automata manipulates clock zones, each representing a boolean combination of clock constraints, where a clock constraint bounds a clock value or the difference between two clock values (a single clock zone, therefore, may correspond to a union of many clock regions).
While sometimes optimal in theoretical complexity, reductionist methods usually experience state explosion and are often outperformed in practice by symbolic methods. It is easy to see why: a symbolic method never distinguishes states that are considered equivalent by the reductionist approach, but when answering a specific verification question, a symbolic method performs an analysis of the given infinite state space that may be considerably less detailed than would be required for constructing the entire finite quotient system. In a sense, the symbolic method performs no more work than necessary for answering the specific question, whereas the reductionist method provides a worst-case upper bound on the amount of work to be performed. Regions (state sets) in symbolic model checking might be implemented as predicates in some constraint language, for example, as constraints on the booleans, integers, or reals. A region algebra supports individual operations on regions. For model checking, we are particularly interested in boolean operations on regions (such as set intersection and set difference) as well as the predecessor operation Pre, which, given a target region, computes the region of all states with successors in the target region. The iteration of these operations may generate an infinite number of distinct regions. The main concern with symbolic methods, therefore, is termination. We refer to procedures that may or may not terminate as “semialgorithms.” In this paper, we study restricted classes of infinite-state transition systems for which certain forms of iteration terminate after a finite number of region operations, and yet yield sufficient information for checking unbounded temporal properties of the system. 
In particular, we argue that the semi-algorithms for model checking various temporal logics can be seen as instances of generic closure semi-algorithms, which refine a partition of the state space by applying the Pre operator together with a possibly limited selection of boolean region operators. Hence, if a closure semi-algorithm terminates, so do the corresponding semi-algorithms for model checking. Second, we show that the closure semi-algorithms terminate exactly when certain equivalence relations on the infinite state space have finite index. Thus, to obtain symbolic model-checking procedures for infinite-state systems, it suffices that the corresponding equivalence relations have finite index. In other words, while the algorithms themselves are completely symbolic, their guarantees of termination are given by a reductionist argument (existence of an "equivalent" finite quotient). For example, while in theory there are infinitely many clock constraints for timed automata, the clock-zone method can be shown to compute only clock constraints that define blocks (unions) of the finitely many clock regions which represent bisimilarity classes of states. Reduction is not part of the algorithm, but part of its correctness proof.

[1] Our usage of the term "symbolic" is considerably broader than the narrow usage common in some model-checking communities, where "symbolic" often means "based on binary-decision diagrams" (BDDs) [Burch et al. 1992]. Note that BDDs are but one data structure for representing state sets (in this case, finite boolean state sets). Similarly, our usage of the term "region" is more general than the clock regions of timed automata: while the latter is a set of clock states of a specific shape, we denote by "region" any representable set of states.
We propose a classification of infinite-state systems into five increasingly general classes, depending on which equivalence relations have finite index. The first class of infinite-state systems are those with finite bisimilarity quotients. Timed automata fall into this class. On systems with finite bisimilarity quotients, we can symbolically model check all µ-calculus formulas, including the formulas of the branching temporal logics CTL and CTL* [Emerson 1990]. The second class of infinite-state systems are those with finite similarity quotients. On these, we can model check all existential and universal formulas of the µ-calculus (and of branching temporal logics). A formula is existential (resp. universal) if it is in positive normal form (i.e., negations occur only in front of atomic propositions) and contains only existential (resp. universal) path quantifiers. Infinite-state systems of the third class have finite trace-equivalence quotients. On these, all ω-regular properties, expressed by Büchi automata or linear temporal-logic formulas, can be model checked. The fourth class consists of systems with finite distance-equivalence quotients. Distance equivalence distinguishes two states u and v if there is an observable p and a number n, such that from u a state satisfying p can be reached in n transitions, but from v no p-state can be reached in exactly n transitions. On systems with finite distance-equivalence quotients, we can model check the existential conjunction-free and universal disjunction-free formulas of the µ-calculus. Finally, the fifth class contains systems with finite bounded-reachability quotients. Bounded-reach equivalence distinguishes two states u and v if there is an observable p and a number n, such that from u a state satisfying p can be reached in n transitions, but from v no p-state can be reached in n or fewer transitions.
These are the well-structured transition systems of [Finkel and Schnoebelen 1998], and they permit the model checking of reachability properties. This classification provides a syntax-independent way for proving the termination of symbolic model-checking algorithms for infinite-state systems. Examples can be found from subclasses of hybrid automata: while timed automata fall into the first class (finite bisimilarity [Alur and Dill 1994]), two-dimensional rectangular automata fall into the second class (finite similarity [Henzinger et al. 1995]), higher-dimensional rectangular automata fall into the third class (finite trace equivalence [Henzinger et al. 1998; Henzinger and Kopke 1996]), and networks of timed and rectangular automata fall into the fifth class (finite bounded reachability [Abdulla and Jonsson 1998]). While in each of these four specific cases, termination of the symbolic approach has been proved individually [Henzinger et al. 1994; Henzinger et al. 1995; Henzinger and Majumdar 2000; Abdulla and Jonsson 1998], in this paper we provide termination proofs for symbolic model-checking algorithms for the entire classes 1–5. It should be mentioned that we know of no natural representatives for the fourth class of infinite-state systems. However, the closure properties of classes 1–3 immediately give rise to a more general class, which, however, does not encompass all well-structured transition systems (class 5): bisimilarity classes are closed under Pre, intersection, and difference; similarity classes, under Pre and intersection; trace-equivalence classes, under Pre and intersection with observables; distance-equivalence classes, under Pre only. This motivates the definition of class 4.

2. SYMBOLIC TRANSITION SYSTEMS

We say that a transition system is "symbolic" if it comes equipped with an algebra of regions which permits the effective computation of certain operations on regions.

Definition: Symbolic transition system. A symbolic transition system $S = (Q, \delta, R, \langle\!\langle\cdot\rangle\!\rangle, P)$ consists of a (possibly infinite) set $Q$ of states, a (possibly nondeterministic) transition function $\delta : Q \to 2^Q$ which maps each state to a set of successor states, a (possibly infinite) set $R$ of regions, an extension function $\langle\!\langle\cdot\rangle\!\rangle : R \to 2^Q$ which maps each region to a set of contained states, and a finite set $P \subseteq R$ of observables, such that the following six conditions are satisfied:

(1) The set $P$ of observables covers the state space $Q$; that is, $\bigcup\{\langle\!\langle p\rangle\!\rangle \mid p \in P\} = Q$. Moreover, for each observable $p \in P$, there is a complementary observable $\bar{p} \in P$ such that $\langle\!\langle\bar{p}\rangle\!\rangle = Q \setminus \langle\!\langle p\rangle\!\rangle$.

(2) For each region $\sigma \in R$, there is a region $\mathit{Pre}(\sigma) \in R$ such that $\langle\!\langle\mathit{Pre}(\sigma)\rangle\!\rangle = \{u \in Q \mid \exists v \in \delta(u) : v \in \langle\!\langle\sigma\rangle\!\rangle\}$; furthermore, the function $\mathit{Pre} : R \to R$ is computable.

(3) For each pair $\sigma, \tau \in R$ of regions, there is a region $\mathit{And}(\sigma, \tau) \in R$ such that $\langle\!\langle\mathit{And}(\sigma, \tau)\rangle\!\rangle = \langle\!\langle\sigma\rangle\!\rangle \cap \langle\!\langle\tau\rangle\!\rangle$; furthermore, the function $\mathit{And} : R \times R \to R$ is computable.

(4) For each pair $\sigma, \tau \in R$ of regions, there is a region $\mathit{Diff}(\sigma, \tau) \in R$ such that $\langle\!\langle\mathit{Diff}(\sigma, \tau)\rangle\!\rangle = \langle\!\langle\sigma\rangle\!\rangle \setminus \langle\!\langle\tau\rangle\!\rangle$; furthermore, the function $\mathit{Diff} : R \times R \to R$ is computable.

(5) All emptiness questions about regions can be decided; that is, there is a computable function $\mathit{Empty} : R \to \mathbb{B}$ such that $\mathit{Empty}(\sigma)$ iff $\langle\!\langle\sigma\rangle\!\rangle = \emptyset$.

(6) All membership questions about regions can be decided; that is, there is a computable function $\mathit{Member} : Q \times R \to \mathbb{B}$ such that $\mathit{Member}(u, \sigma)$ iff $u \in \langle\!\langle\sigma\rangle\!\rangle$.

The tuple $R_S = (P, \mathit{Pre}, \mathit{And}, \mathit{Diff}, \mathit{Empty})$ is called the region algebra of $S$.

Remark: Abstract interpretation. In a symbolic transition system, the semantics is lifted from individual states to sets of states.
Hence the region algebra of a symbolic transition system can be viewed as the collecting semantics (in the sense of abstract interpretation [Cousot and Cousot 1977]) of the concrete semantics of the transition system.

Remark: Duality. We take an existential view of symbolic transition systems. The dual, universal view requires (1) $\bigcap\{\langle\!\langle p\rangle\!\rangle \mid p \in P\} = \emptyset$, (2–4) closure of $R$ under computable functions $\overline{\mathit{Pre}}$, $\overline{\mathit{And}}$, and $\overline{\mathit{Diff}}$ such that $\langle\!\langle\overline{\mathit{Pre}}(\sigma)\rangle\!\rangle = \{u \in Q \mid \forall v \in \delta(u) : v \in \langle\!\langle\sigma\rangle\!\rangle\}$, $\langle\!\langle\overline{\mathit{And}}(\sigma, \tau)\rangle\!\rangle = \langle\!\langle\sigma\rangle\!\rangle \cup \langle\!\langle\tau\rangle\!\rangle$, and $\langle\!\langle\overline{\mathit{Diff}}(\sigma, \tau)\rangle\!\rangle = Q \setminus \langle\!\langle\mathit{Diff}(\tau, \sigma)\rangle\!\rangle$, and (5) a computable function $\overline{\mathit{Empty}}$ for deciding all universality questions about regions (that is, $\overline{\mathit{Empty}}(\sigma)$ iff $\langle\!\langle\sigma\rangle\!\rangle = Q$). The tuple $\overline{R}_S = (P, \overline{\mathit{Pre}}, \overline{\mathit{And}}, \overline{\mathit{Diff}}, \overline{\mathit{Empty}})$ is the dual region algebra of $S$. All results of this paper have an alternative, dual formulation.

2.1 Example: Polyhedral Hybrid Automata

A polyhedral hybrid automaton $H$ of dimension $m$, for a positive integer $m$, consists of the following components [Alur et al. 1996]:

Continuous variables. A set $X = \{x_1, \ldots, x_m\}$ of real-valued variables. We write $\dot{X}$ for the set $\{\dot{x}_1, \ldots, \dot{x}_m\}$ of dotted variables (which represent first derivatives during continuous change), and we write $X'$ for the set $\{x'_1, \ldots, x'_m\}$ of primed variables (which represent values at the conclusion of discrete change). A linear constraint over $X$ is an expression of the form $k_0 \sim k_1 x_1 + \cdots + k_m x_m$, where ${\sim} \in \{<, \le, =, \ge, >\}$ and $k_0, \ldots, k_m$ are integer constants. A linear predicate over $X$ is a boolean combination of linear constraints over $X$. Let $L_m(X)$ be the set of linear predicates over $X$. Given a predicate $\varphi$ over $X$, and a valuation $\mathbf{x} \in \mathbb{R}^m$ for the variables in $X$, we write $\varphi[X := \mathbf{x}]$ for the truth value that results from evaluating $\varphi$ at $\mathbf{x}$.

Discrete locations. A finite, directed multigraph $(V, E)$. The vertices in $V$ are called locations; the edges in $E$ are called jumps.
Invariant and flow conditions. Two vertex-labeling functions $\mathit{inv}$ and $\mathit{flow}$. For each location $v \in V$, the invariant condition $\mathit{inv}(v)$ is a conjunction of linear constraints over $X$, and the flow condition $\mathit{flow}(v)$ is a conjunction of linear constraints over $\dot{X}$. While the automaton control resides in location $v$, the variables may evolve according to $\mathit{flow}(v)$ as long as $\mathit{inv}(v)$ remains true.

Update conditions. An edge-labeling function $\mathit{update}$. For each jump $e \in E$, the update condition $\mathit{update}(e)$ is a conjunction of linear constraints over $X \cup X'$. The predicate $\mathit{update}(e)$ relates the possible values of the variables at the beginning of the jump (represented by $X$) and at the conclusion of the jump (represented by $X'$).

The polyhedral hybrid automaton $H$ is a rectangular automaton [Henzinger et al. 1998] if
—all linear constraints that occur in invariant conditions of $H$ have the form $x \sim k$, for $x \in X$ and $k \in \mathbb{Z}$;
—all linear constraints that occur in flow conditions of $H$ have the form $\dot{x} \sim k$, for $x \in X$ and $k \in \mathbb{Z}$;
—all linear constraints that occur in jump conditions of $H$ have the form $x \sim k$ or $x' = x$ or $x' \sim k$, for $x \in X$ and $k \in \mathbb{Z}$;
—if $e$ is a jump from location $v$ to location $v'$, and $\mathit{update}(e)$ contains the conjunct $x' = x$, then both $\mathit{flow}(v)$ and $\mathit{flow}(v')$ contain the same constraints on $\dot{x}$.

The rectangular automaton $H$ is a singular automaton if each flow condition of $H$ has the form $\dot{x}_1 = k_1 \wedge \ldots \wedge \dot{x}_m = k_m$. The singular automaton $H$ is a timed automaton [Alur and Dill 1994] if each flow condition of $H$ has the form $\dot{x}_1 = 1 \wedge \ldots \wedge \dot{x}_m = 1$.

The polyhedral hybrid automaton $H$ defines the symbolic transition system $S_H = (Q_H, \delta_H, R_H, \langle\!\langle\cdot\rangle\!\rangle_H, P_H)$ with the following components:
—$Q_H = V \times \mathbb{R}^m$; that is, every state $(v, \mathbf{x})$ consists of a location $v$ (the discrete component of the state) and values $\mathbf{x}$ for the variables in $X$ (the continuous component).
—$(v', \mathbf{x}') \in \delta_H(v, \mathbf{x})$ if either (1) there is a jump $e \in E$ from $v$ to $v'$ such that $\mathit{update}(e)[X, X' := \mathbf{x}, \mathbf{x}']$ is true, or (2) $v' = v$ and there is a real $\Delta \ge 0$ and a differentiable function $f : [0, \Delta] \to \mathbb{R}^m$ with first derivative $\dot{f}$ such that $f(0) = \mathbf{x}$ and $f(\Delta) = \mathbf{x}'$, and for all reals $\varepsilon \in (0, \Delta)$, both $\mathit{inv}(v)[X := f(\varepsilon)]$ and $\mathit{flow}(v)[\dot{X} := \dot{f}(\varepsilon)]$ are true. In case (2), the function $f$ is called a flow function.
—$R_H = V \times L_m(X)$; that is, every region $(v, \varphi)$ consists of a location $v$ (the discrete component of the region) and a linear predicate $\varphi$ over $X$ (the continuous component).
—$\langle\!\langle(v, \varphi)\rangle\!\rangle_H = \{(v, \mathbf{x}) \mid \mathbf{x} \in \mathbb{R}^m \text{ and } \varphi[X := \mathbf{x}] \text{ is true}\}$; that is, the extension function maps the continuous component $\varphi$ of a region to the valuations for the variables in $X$ which satisfy the predicate $\varphi$. Consequently, the extension of every region consists of a location and a polyhedral subset of $\mathbb{R}^m$.
—$P_H = V \times \{\mathit{true}\}$; that is, only the discrete component of a state is observable.

It requires some work to see that $S_H$ is indeed a symbolic transition system. First, notice that the linear predicates over $X$ are closed under all boolean operations, and that satisfiability is decidable for the linear predicates. Second, the $\mathit{Pre}$ operator is computable on $R_H$, because all flow functions can be replaced by straight lines [Alur et al. 1996].

2.2 Background Definitions

The symbolic transition systems are a special case of transition systems. A transition system $S = (Q, \delta, \cdot, \langle\!\langle\cdot\rangle\!\rangle, P)$ has the same components as a symbolic transition system, except that no regions are specified and the extension function is defined only for the observables (that is, $\langle\!\langle\cdot\rangle\!\rangle : P \to 2^Q$).

State equivalences. A state equivalence $\cong$ is a family of relations which contains for each transition system $S$ an equivalence relation $\cong^S$ on the states of $S$. The $\cong$ equivalence problem for a class $\mathcal{C}$ of transition systems asks, given two states $u$ and $v$ of a transition system $S$ from the class $\mathcal{C}$, whether $u \cong^S v$.
The state equivalence $\cong_a$ is as coarse as the state equivalence $\cong_b$ if $u \cong^S_b v$ implies $u \cong^S_a v$ for all transition systems $S$. The equivalence $\cong_a$ is coarser than $\cong_b$ if $\cong_a$ is as coarse as $\cong_b$, but $\cong_b$ is not as coarse as $\cong_a$. Given a transition system $S = (Q, \delta, \cdot, \langle\!\langle\cdot\rangle\!\rangle, P)$ and a state equivalence $\cong$, the quotient system is the transition system $S/{\cong} = (Q/{\cong}, \delta/{\cong}, \cdot, \langle\!\langle\cdot\rangle\!\rangle/{\cong}, P)$ with the following components:
—the states in $S/{\cong}$ are the equivalence classes of $\cong^S$;
—$\tau \in \delta/{\cong}(\sigma)$ if there is a state $u \in \sigma$ and a state $v \in \tau$ such that $v \in \delta(u)$;
—$\sigma \in \langle\!\langle p\rangle\!\rangle/{\cong}$ if there is a state $u \in \sigma$ such that $u \in \langle\!\langle p\rangle\!\rangle$.
The quotient construction is of particular interest to us when it transforms an infinite-state system $S$ into a finite-state system $S/{\cong}$.

State logics. A state logic $L$ is a logic whose formulas are interpreted over the states of transition systems; that is, for every $L$-formula $\varphi$ and every transition system $S$, there is a set $[\![\varphi]\!]_S$ of states of $S$ which satisfy $\varphi$. The $L$ model-checking problem for a class $\mathcal{C}$ of transition systems asks, given an $L$-formula $\varphi$ and a state $u$ of a transition system $S$ from the class $\mathcal{C}$, whether $u \in [\![\varphi]\!]_S$. Two formulas $\varphi$ and $\psi$ of state logics are equivalent if $[\![\varphi]\!]_S = [\![\psi]\!]_S$ for all transition systems $S$. The state logic $L_a$ is as expressive as the state logic $L_b$ if for every $L_b$-formula $\varphi$, there is an $L_a$-formula $\psi$ which is equivalent to $\varphi$. The logics $L_a$ and $L_b$ are equally expressive if $L_a$ is as expressive as $L_b$, and $L_b$ is as expressive as $L_a$. The logic $L_a$ is more expressive than $L_b$ if $L_a$ is as expressive as $L_b$, but $L_b$ is not as expressive as $L_a$. Every state logic $L$ induces a state equivalence, denoted $\cong_L$: for all states $u$ and $v$ of a transition system $S$, define $u \cong^S_L v$ if for all $L$-formulas $\varphi$, we have $u \in [\![\varphi]\!]_S$ iff $v \in [\![\varphi]\!]_S$.
We say that the state logic $L$ preserves the state equivalence $\cong$ if $\cong_L$ is as coarse as $\cong$, and $L$ defines $\cong$ over a class $\mathcal{C}$ of transition systems if $\cong^S_L$ coincides with $\cong^S$ for all transition systems $S$ in $\mathcal{C}$. The state logic $L$ admits abstraction if for every $L$-formula $\varphi$ and every transition system $S$, we have $[\![\varphi]\!]_S = \bigcup\{\sigma \mid \sigma \in [\![\varphi]\!]_{S/\cong_L}\}$; that is, a state $u$ of $S$ satisfies an $L$-formula $\varphi$ iff the $\cong_L$ equivalence class of $u$ satisfies $\varphi$ in the quotient system. Consequently, if $L$ admits abstraction, then every $L$ model-checking question on a transition system $S$ can be reduced to an $L$ model-checking question on the induced quotient system $S/{\cong_L}$. Below, we shall repeatedly prove the $L$ model-checking problem for a class $\mathcal{C}$ of transition systems to be decidable by observing that for every transition system $S$ from $\mathcal{C}$, the quotient system $S/{\cong_L}$ has finitely many states and can be constructed effectively.

Symbolic semi-algorithms. A symbolic semi-algorithm takes as input the region algebra $R_S = (P, \mathit{Pre}, \mathit{And}, \mathit{Diff}, \mathit{Empty})$ of a symbolic transition system $S = (Q, \delta, R, \langle\!\langle\cdot\rangle\!\rangle, P)$, and generates regions in $R$ using the operations $P$, $\mathit{Pre}$, $\mathit{And}$, $\mathit{Diff}$, and $\mathit{Empty}$. Depending on the input $S$, a symbolic semi-algorithm on $S$ may or may not terminate. The dual of a symbolic semi-algorithm is obtained by replacing the operators $\mathit{Pre}$, $\mathit{And}$, $\mathit{Diff}$, and $\mathit{Empty}$ with their duals $\overline{\mathit{Pre}}$, $\overline{\mathit{And}}$, $\overline{\mathit{Diff}}$, and $\overline{\mathit{Empty}}$, respectively.

2.3 Preview

In sections 3–7 of this paper, we shall define five increasingly comprehensive classes STS1–STS5 of symbolic transition systems. In each case $i \in \{1, \ldots, 5\}$, we will proceed in four steps:

1. Definition: Finite characterization. We give a state equivalence $\cong_i$ and define the class STS(i) to contain precisely the symbolic transition systems $S$ for which the equivalence relation $\cong^S_i$ has finite index (i.e., there are finitely many $\cong^S_i$ equivalence classes).
Each state equivalence $\cong_i$ is coarser than its predecessor $\cong_{i-1}$, which implies that $\mathrm{STS}(i-1) \subsetneq \mathrm{STS}(i)$ for $i \in \{2, \ldots, 5\}$.

2. Algorithmics: Symbolic state-space exploration. We give a symbolic semi-algorithm $A_i$ that terminates precisely on the symbolic transition systems in the class STS(i). This provides an operational characterization of the class STS(i) which is equivalent to the denotational definition of STS(i). The symbolic semi-algorithm $A_i$ is called a closure semi-algorithm, because it closes the finite set $P$ of observables under certain operations. The termination of the closure semi-algorithm $A_i$ is proved by observing that, if given the region algebra of a symbolic transition system $S$ as input, then the extensions of all regions generated by $A_i$ are $\cong^S_i$ blocks (i.e., unions of $\cong^S_i$ equivalence classes). If $S$ is in the class STS(i), then there are only finitely many $\cong^S_i$ blocks, and the closure semi-algorithm $A_i$ terminates upon having constructed a representation of the quotient system $S/{\cong_i}$. The closure semi-algorithm $A_i$ can therefore be used to decide the $\cong_i$ equivalence problem for the class STS(i) of symbolic transition systems.

3. Verification: Decidable properties. We give a state logic $L_i$ which admits abstraction and defines the state equivalence $\cong_i$ over the class STS(i) of symbolic transition systems. Since the finite $\cong_i$ quotient can be constructed effectively using the closure semi-algorithm $A_i$, it follows that the $L_i$ model-checking problem for the class STS(i) is decidable. However, model-checking algorithms that rely on the explicit construction of quotient systems are usually impractical. Hence, we also present a symbolic semi-algorithm $B_i$ that, given the region algebra of a symbolic transition system $S$ from STS(i), and an $L_i$-formula $\varphi$, computes the region $[\![\varphi]\!]_S$.
The symbolic semi-algorithm $B_i$ is called a model-checking semi-algorithm, because it directly solves all $L_i$ model-checking questions for the class STS(i). The termination of the model-checking semi-algorithm $B_i$ is proved by observing that $B_i$ never generates any regions that are not generated by the closure semi-algorithm $A_i$. However, for a given system $S$ and formula $\varphi$, the model-checking semi-algorithm $B_i$ often generates fewer regions than the closure semi-algorithm $A_i$ and is thus preferable in practice.

4. Example: Hybrid systems. The interesting members of the class STS(i) are those symbolic transition systems which have infinitely many states. In four out of the five cases STS1–STS5, following [Henzinger 1996], we provide certain kinds of polyhedral hybrid automata as examples. In this way, we obtain uniform decidability proofs and uniform symbolic model-checking algorithms for several classes of hybrid automata.

3. CLASS-1 SYMBOLIC TRANSITION SYSTEMS

The class-1 systems are characterized by finite bisimilarity quotients. The region algebra of a class-1 system has a finite subalgebra that contains the observables and is closed under Pre, And, and Diff operations. This enables the model checking of all µ-calculus properties. Infinite-state examples of class-1 systems are provided by the singular hybrid automata, and by the bakery protocol for mutual exclusion.

3.1 Finite Characterization: Bisimilarity

Definition: Bisimilarity. Let $S = (Q, \delta, \cdot, \langle\!\langle\cdot\rangle\!\rangle, P)$ be a transition system. A binary relation $\preceq$ on the state space $Q$ is a simulation on $S$ [Milner 1971] if $u \preceq v$ implies the following two conditions:
1. For each observable $p \in P$, we have $u \in \langle\!\langle p\rangle\!\rangle$ iff $v \in \langle\!\langle p\rangle\!\rangle$.
2. For each state $u' \in \delta(u)$, there is a state $v' \in \delta(v)$ such that $u' \preceq v'$.
Two states $u, v \in Q$ are bisimilar, denoted $u \cong^S_1 v$, if there is a symmetric simulation $\preceq$ on $S$ such that $u \preceq v$. The state equivalence $\cong_1$ is called bisimilarity.

Definition: Class STS1.
A symbolic transition system $S$ belongs to the class STS1 if the bisimilarity relation $\cong^S_1$ has finite index.

Symbolic semi-algorithm Closure1
Input: a region algebra R = (P, Pre, And, Diff, Empty).
    T_0 := P;
    for i = 0, 1, 2, ... do
        T_{i+1} := T_i ∪ {Pre(σ) | σ ∈ T_i} ∪ {And(σ, τ) | σ, τ ∈ T_i} ∪ {Diff(σ, τ) | σ, τ ∈ T_i}
    until ⟪T_{i+1}⟫ ⊆ ⟪T_i⟫.
The termination test ⟪T_{i+1}⟫ ⊆ ⟪T_i⟫, which is shorthand for {⟪σ⟫ | σ ∈ T_{i+1}} ⊆ {⟪σ⟫ | σ ∈ T_i}, is decided as follows: for each region σ ∈ T_{i+1} check that there is a region τ ∈ T_i such that both Empty(Diff(σ, τ)) and Empty(Diff(τ, σ)).
Fig. 1. Partition refinement.

3.2 Symbolic State-Space Exploration: Partition Refinement

The bisimilarity relation of a finite-state system can be computed by partition refinement [Kanellakis and Smolka 1990]. The symbolic semi-algorithm Closure1 of Figure 1 applies this method to infinite-state systems [Bouajjani et al. 1990; Henzinger 1995]. The semi-algorithm Closure1 inductively constructs regions, starting from the observables, by applying the three operations $\mathit{Pre}$, $\mathit{And}$, and $\mathit{Diff}$. It terminates when no new regions are generated. Suppose that the input given to Closure1 is the region algebra of a symbolic transition system $S = (Q, \delta, R, \langle\!\langle\cdot\rangle\!\rangle, P)$. Then each $T_i$, for $i \ge 0$, is a finite set of regions; that is, $T_i \subseteq R$. By induction it is easy to check that for all $i \ge 0$, the extension of every region in $T_i$ is a $\cong^S_1$ block. Thus, if $\cong^S_1$ has finite index, then Closure1 terminates. Conversely, suppose that Closure1 terminates with $\langle\!\langle T_{i+1}\rangle\!\rangle \subseteq \langle\!\langle T_i\rangle\!\rangle$. From the definition of bisimilarity it follows that if for each region $\sigma \in T_i$, we have $u \in \langle\!\langle\sigma\rangle\!\rangle$ iff $v \in \langle\!\langle\sigma\rangle\!\rangle$, then $u \cong^S_1 v$. This implies that $\cong^S_1$ has finite index.

Theorem 1A. For all symbolic transition systems $S$, the symbolic semi-algorithm Closure1 terminates on the region algebra $R_S$ iff $S$ belongs to the class STS1.
Corollary 1A. The $\cong_1$ (bisimilarity) equivalence problem is decidable for the class STS1 of symbolic transition systems.

3.3 Decidable Properties: Branching Time

Definition: µ-calculus. The formulas of the µ-calculus [Kozen 1983] are generated by the grammar[2]
$$\varphi ::= p \mid \bar{p} \mid x \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \exists\bigcirc\varphi \mid \forall\bigcirc\varphi \mid (\mu x : \varphi) \mid (\nu x : \varphi),$$
for constants $p$ from some set $\Pi$, and variables $x$ from some set $X$. The $\bigcirc$ constructor is a "next-state" modality; the $\mu$ and $\nu$ constructors are least and greatest fixpoint quantifiers. Let $S = (Q, \delta, \cdot, \langle\!\langle\cdot\rangle\!\rangle, P)$ be a transition system whose observables include all constants; that is, $\Pi \subseteq P$. Let $E : X \to 2^Q$ be a mapping from the variables to sets of states. We write $E[x \mapsto \rho]$ for the mapping that agrees with $E$ on all variables, except that $x \in X$ is mapped to $\rho \subseteq Q$. Given $S$ and $E$, every formula $\varphi$ of the µ-calculus defines a set $[\![\varphi]\!]_{S,E} \subseteq Q$ of states:
$$[\![p]\!]_{S,E} = \langle\!\langle p\rangle\!\rangle; \qquad [\![\bar{p}]\!]_{S,E} = Q \setminus \langle\!\langle p\rangle\!\rangle; \qquad [\![x]\!]_{S,E} = E(x);$$
$$[\![\varphi_1 \vee \varphi_2]\!]_{S,E} = [\![\varphi_1]\!]_{S,E} \cup [\![\varphi_2]\!]_{S,E}; \qquad [\![\varphi_1 \wedge \varphi_2]\!]_{S,E} = [\![\varphi_1]\!]_{S,E} \cap [\![\varphi_2]\!]_{S,E};$$
$$[\![\exists\bigcirc\varphi]\!]_{S,E} = \{u \in Q \mid (\exists v \in \delta(u) : v \in [\![\varphi]\!]_{S,E})\}; \qquad [\![\forall\bigcirc\varphi]\!]_{S,E} = \{u \in Q \mid (\forall v \in \delta(u) : v \in [\![\varphi]\!]_{S,E})\};$$
$$[\![\mu x : \varphi]\!]_{S,E} = \bigcap\{\rho \subseteq Q \mid \rho = [\![\varphi]\!]_{S,E[x \mapsto \rho]}\}; \qquad [\![\nu x : \varphi]\!]_{S,E} = \bigcup\{\rho \subseteq Q \mid \rho = [\![\varphi]\!]_{S,E[x \mapsto \rho]}\}.$$
A variable $x$ is called free in a formula $\varphi$ if there is an occurrence of $x$ in $\varphi$ that is not in the scope of some $\mu x$ or $\nu x$. A µ-calculus formula is closed if it has no free variables. If we restrict ourselves to the closed formulas of the µ-calculus, then we obtain a state logic, denoted $L^\mu_1$: the state $u \in Q$ satisfies the $L^\mu_1$-formula $\varphi$ if $u \in [\![\varphi]\!]_{S,E}$ for any variable mapping $E$; that is, $[\![\varphi]\!]_S = [\![\varphi]\!]_{S,E}$ for any and all $E$.

[2] We define all formulas to be in positive normal form, where only constants are negated.

Remark: Duality. For every $L^\mu_1$-formula $\varphi$, the dual $L^\mu_1$-formula $\bar{\varphi}$ is obtained by replacing the constructors $p$, $\bar{p}$, $\vee$, $\wedge$, $\exists\bigcirc$, $\forall\bigcirc$, $\mu$, and $\nu$ by $\bar{p}$, $p$, $\wedge$, $\vee$, $\forall\bigcirc$, $\exists\bigcirc$, $\nu$, and $\mu$, respectively. Then, $[\![\bar{\varphi}]\!]_S = Q \setminus [\![\varphi]\!]_S$.
It follows that the answer of the model-checking question for a state $u \in Q$ and an $L^\mu_1$-formula $\varphi$ is complementary to the answer of the model-checking question for $u$ and the dual formula $\overline{\varphi}$.

The following facts about the distinguishing and expressive powers of the µ-calculus are well-known. First, $L^\mu_1$ preserves $\cong_1$ (bisimilarity); indeed, the state equivalence defined by $L^\mu_1$ over the class STS1 of symbolic transition systems with finite bisimilarity quotients is exactly $\cong_1$ [Browne et al. 1988]. Second, $L^\mu_1$ is very expressive (see [Janin and Walukiewicz 1996] for a characterization); in particular, $L^\mu_1$ is more expressive than the temporal logics CTL and CTL* [Emerson 1990], which like $L^\mu_1$ define bisimilarity over the STS1 systems. Third, $L^\mu_1$ admits abstraction [Alur and Henzinger 1998] (the proof is by induction on $L^\mu_1$-formulas). It follows that the $L^\mu_1$ model-checking problem is decidable for the STS1 systems. However, we now present a model-checking algorithm for $L^\mu_1$ over STS1 systems which avoids the construction of bisimilarity quotients.

The definition of $L^\mu_1$ naturally suggests a model-checking algorithm for finite-state systems, where each fixpoint can be computed by successive approximation [Emerson and Lei 1986; Burch et al. 1992]. The symbolic semi-algorithm ModelCheck of Figure 2 applies this procedure to infinite-state systems. Suppose that the input given to ModelCheck is the region algebra of a symbolic transition system $S = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$, a µ-calculus formula $\varphi$, and any mapping $E : X \to 2^R$ from the variables to sets of regions. Then for each recursive call of ModelCheck, each $T_i$, for $i \geq 0$, is a finite set of regions from $R$, and each recursive call returns a finite set of regions from $R$. It is easy to check that all of these regions are also generated by the semi-algorithm Closure1 on input $R_S$ (ModelCheck only ever applies $\mathit{Pre}$, $\mathit{And}$, and $\mathit{Diff}$ to regions obtained from the observables). Thus, if Closure1 terminates, then so does ModelCheck.
Furthermore, if it terminates, then ModelCheck returns a set $[\varphi]_E \subseteq R$ of regions such that $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in [\varphi]_E\} = [[\varphi]]_{S,\bar E}$, where $\bar E(x) = \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in E(x)\}$ for all $x \in X$. In particular, if $\varphi$ is closed, then a state $u \in Q$ satisfies $\varphi$ iff $\mathit{Member}(u, \sigma)$ for some region $\sigma \in [\varphi]_E$.

Symbolic semi-algorithm ModelCheck
Input: a region algebra $R = (P, \mathit{Pre}, \mathit{And}, \mathit{Diff}, \mathit{Empty})$, a formula $\varphi \in L^\mu_1$, and a mapping $E$ with domain $X$.
Output: $[\varphi]_E :=$
    if $\varphi = p$ then return $\{p\}$;
    if $\varphi = \bar p$ then return $\{\mathit{Diff}(q, p) \mid q \in P\}$;
    if $\varphi = x$ then return $E(x)$;
    if $\varphi = (\varphi_1 \lor \varphi_2)$ then return $[\varphi_1]_E \cup [\varphi_2]_E$;
    if $\varphi = (\varphi_1 \land \varphi_2)$ then return $\{\mathit{And}(\sigma, \tau) \mid \sigma \in [\varphi_1]_E \text{ and } \tau \in [\varphi_2]_E\}$;
    if $\varphi = \exists\bigcirc\varphi'$ then return $\{\mathit{Pre}(\sigma) \mid \sigma \in [\varphi']_E\}$;
    if $\varphi = \forall\bigcirc\varphi'$ then return $P \mathbin{\backslash\!\backslash} \{\mathit{Pre}(\sigma) \mid \sigma \in (P \mathbin{\backslash\!\backslash} [\varphi']_E)\}$;
    if $\varphi = (\mu x : \varphi')$ then
        $T_0 := \emptyset$;
        for $i = 0, 1, 2, \ldots$ do $T_{i+1} := [\varphi']_{E[x \mapsto T_i]}$ until $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_{i+1}\} \subseteq \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_i\}$;
        return $T_i$;
    if $\varphi = (\nu x : \varphi')$ then
        $T_0 := P$;
        for $i = 0, 1, 2, \ldots$ do $T_{i+1} := [\varphi']_{E[x \mapsto T_i]}$ until $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_{i+1}\} \supseteq \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_i\}$;
        return $T_i$.
The pairwise-difference operation $T \mathbin{\backslash\!\backslash} T'$ between two finite sets $T$ and $T'$ of regions is computed inductively as follows: $T \mathbin{\backslash\!\backslash} \emptyset = T$; $T \mathbin{\backslash\!\backslash} (\{\tau\} \cup T') = \{\mathit{Diff}(\sigma, \tau) \mid \sigma \in T\} \mathbin{\backslash\!\backslash} T'$. The termination test $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T\} \subseteq \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T'\}$ is decided by checking that $\mathit{Empty}(\sigma)$ for each region $\sigma \in (T \mathbin{\backslash\!\backslash} T')$.
Fig. 2. Model checking.

Theorem 1B. For all symbolic transition systems $S$ in STS1 and every $L^\mu_1$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $R_S$ and the input formula $\varphi$.

Corollary 1B. The $L^\mu_1$ model-checking problem is decidable for the class STS1 of symbolic transition systems.

Remark: Duality. Model checking of $L^\mu_1$-formulas on STS1 systems can also be performed by the dual $\overline{\mathit{ModelCheck}}$ of the semi-algorithm ModelCheck.
Suppose that the input given to the dual semi-algorithm $\overline{\mathit{ModelCheck}}$ is the dual region algebra of a symbolic transition system $S = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$, and the $L^\mu_1$-formula $\varphi$. If $S$ belongs to the class STS1, then $\overline{\mathit{ModelCheck}}$ terminates with the output $T \subseteq R$ such that $[[\varphi]]_S = \bigcap\{\llbracket\sigma\rrbracket \mid \sigma \in T\}$.

3.4 Example: The Bakery Protocol

Consider the 2-process bakery protocol [Lamport 1974] for mutual exclusion, which is presented as a collection of guarded commands in Figure 3. The program counters of the two processes, $pc_1$ and $pc_2$, each range over three locations: $pc_i = N$ if process $i$ is not in its critical section; $pc_i = W$ if process $i$ is waiting to enter its critical section; and $pc_i = C$ if process $i$ is in its critical section. The protocol uses two variables $y_1$ and $y_2$, which range over the natural numbers and represent the "tokens" of the two processes. A state of the protocol, therefore, is a quadruple of values in $\{N, W, C\}^2 \times \mathbb{N}^2$. The observables are the boolean formulas over the program counters; in particular, the observable $p_{\mathit{init}} = (pc_1 = N \land pc_2 = N)$ is the initial region, and $q_{\mathit{mutex}} = (pc_1 = C \land pc_2 = C)$ is the region that violates mutual exclusion. The values of the tokens are not observable. The bisimilarity relation of this infinite-state system has finite index.

    var $pc_1, pc_2 : \{N, W, C\}$
    var $y_1, y_2 : \mathbb{N}$
    [] $pc_1 = N \to pc_1, y_1 := W, y_2 + 1$
    [] $pc_1 = W \land (y_2 = 0 \lor y_1 \leq y_2) \to pc_1 := C$
    [] $pc_1 = C \to pc_1, y_1 := N, 0$
    [] $pc_2 = N \to pc_2, y_2 := W, y_1 + 1$
    [] $pc_2 = W \land (y_1 = 0 \lor y_2 < y_1) \to pc_2 := C$
    [] $pc_2 = C \to pc_2, y_2 := N, 0$
Fig. 3. The 2-process bakery protocol.
To see this, define the binary relation $\approx$ on states as follows: for all states $u$ and $v$, let $u \approx v$ iff (1) $u(pc_i) = v(pc_i)$ for $i = 1, 2$; (2) $u(y_i) = 0$ iff $v(y_i) = 0$ for $i = 1, 2$; and (3) $u(y_1) \leq u(y_2)$ iff $v(y_1) \leq v(y_2)$, where $u(x)$ denotes the value of variable $x$ in state $u$. By a simple case enumeration, it can be checked that $\approx$ is a bisimulation (i.e., a symmetric simulation): every guard in Figure 3 is a boolean combination of the predicates $y_i = 0$ and $y_1 \leq y_2$, and every assignment maps these predicates to boolean combinations of themselves (for instance, $y_1 := y_2 + 1$ makes both $y_1 = 0$ and $y_1 \leq y_2$ false, and $y_2 := 0$ makes $y_1 \leq y_2$ equivalent to $y_1 = 0$). Moreover, the relation has finite index (the number of equivalence classes is 72). Thus, the 2-process bakery protocol is in STS1. By Theorem 1A, the closure semi-algorithm Closure1 terminates on the region algebra of the protocol. By Theorem 1B, the model-checking semi-algorithm ModelCheck terminates as well for all $L^\mu_1$-formulas. In particular, the region $[[p_{\mathit{init}} \land (\mu x : q_{\mathit{mutex}} \lor \exists\bigcirc x)]]$ can be computed to be empty in a finite number of steps. This proves that there is no sequence of transitions that leads from an initial state to a state that violates mutual exclusion; thus the protocol guarantees mutual exclusion.

3.5 Example: Singular Hybrid Automata

The fundamental theorem of timed automata [Alur and Dill 1994] shows that for every timed automaton, the (time-abstract) bisimilarity relation has finite index. The proof can be extended to the singular automata [Alur et al. 1995]. It follows that the symbolic semi-algorithm ModelCheck, which has been implemented for polyhedral hybrid automata in the tool HyTech [Henzinger et al. 1995], decides all $L^\mu_1$ model-checking questions for singular automata. The singular automata form a maximal class of hybrid automata in STS1. This is because there is a 2D (two-dimensional) rectangular automaton whose bisimilarity relation is state equality [Henzinger 1995].

Theorem 1C. The singular automata belong to the class STS1. There is a 2D rectangular automaton that does not belong to STS1.
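The mutual-exclusion check of Section 3.4, carried through on the finite quotient of the bakery protocol, as an added example (this is not code from the paper or from HyTech). Regions are finite sets of classes of the relation $\approx$; the quotient transition relation is built from concrete representatives with tokens in $0..2$, which is sound because $\approx$ is a bisimulation; and formulas are evaluated by the recursion of Figure 2, with a set of regions collapsed into its union since explicit sets are closed under union. The observables are taken to be the atomic formulas $pc_i = L$; the names `step`, `cls`, `model_check` and the tuple encoding of formulas are choices made here.

```python
"""Explicit-state instance of the region algebra and of ModelCheck (Fig. 2),
run on the 2-process bakery protocol (Fig. 3).  Added example, not the
paper's code.  Regions are frozensets of classes of ~ (Section 3.4):
(pc_1, pc_2, y_1 = 0?, y_2 = 0?, y_1 <= y_2?).  Since ~ is a bisimulation,
the successor classes of a class are those of any one representative, so
sampling concrete states with tokens in 0..2 yields the exact quotient."""
from itertools import product

LOCS = ("N", "W", "C")


def step(state):
    """Concrete successors of (pc1, pc2, y1, y2) under the guarded commands."""
    pc1, pc2, y1, y2 = state
    succ = []
    if pc1 == "N":
        succ.append(("W", pc2, y2 + 1, y2))
    if pc1 == "W" and (y2 == 0 or y1 <= y2):
        succ.append(("C", pc2, y1, y2))
    if pc1 == "C":
        succ.append(("N", pc2, 0, y2))
    if pc2 == "N":
        succ.append((pc1, "W", y1, y1 + 1))
    if pc2 == "W" and (y1 == 0 or y2 < y1):
        succ.append((pc1, "C", y1, y2))
    if pc2 == "C":
        succ.append((pc1, "N", y1, 0))
    return succ


def cls(state):
    """The ~-class of a concrete state (the three predicates of Section 3.4)."""
    pc1, pc2, y1, y2 = state
    return (pc1, pc2, y1 == 0, y2 == 0, y1 <= y2)


EDGES = set()                                  # quotient transition relation
for st in product(LOCS, LOCS, range(3), range(3)):
    for nxt in step(st):
        EDGES.add((cls(st), cls(nxt)))
CLASSES = frozenset(c for edge in EDGES for c in edge)

# Region algebra (P, Pre, And, Diff, Empty); observables are the atoms pc_i = L.
OBS = {f"pc{i}={L}": frozenset(c for c in CLASSES if c[i - 1] == L)
       for i in (1, 2) for L in LOCS}
def Pre(sigma): return frozenset(c for c, d in EDGES if d in sigma)
def And(sigma, tau): return sigma & tau
def Diff(sigma, tau): return sigma - tau
def Empty(sigma): return not sigma


def model_check(phi, E=None):
    """ModelCheck of Fig. 2 over this algebra.  phi is a tuple: ("p", name),
    ("not", name), ("var", x), ("or", a, b), ("and", a, b), ("EX", a),
    ("AX", a), ("mu", x, a), ("nu", x, a).  Returns one region (the union
    of the set of regions Fig. 2 would return)."""
    E = E or {}
    op = phi[0]
    if op == "p":   return OBS[phi[1]]
    if op == "not": return Diff(CLASSES, OBS[phi[1]])
    if op == "var": return E[phi[1]]
    if op == "or":  return model_check(phi[1], E) | model_check(phi[2], E)
    if op == "and": return And(model_check(phi[1], E), model_check(phi[2], E))
    if op == "EX":  return Pre(model_check(phi[1], E))
    if op == "AX":  # P \\ {Pre(sigma) | sigma in P \\ [phi']}
        return Diff(CLASSES, Pre(Diff(CLASSES, model_check(phi[1], E))))
    assert op in ("mu", "nu"), phi
    x, body = phi[1], phi[2]
    T = frozenset() if op == "mu" else CLASSES          # T_0
    while True:
        T_next = model_check(body, {**E, x: T})
        if T_next == T:   # the 'until' test of Fig. 2; the chain is monotone
            return T
        T = T_next


P_INIT = ("and", ("p", "pc1=N"), ("p", "pc2=N"))
Q_MUTEX = ("and", ("p", "pc1=C"), ("p", "pc2=C"))
TRUE = ("or", ("p", "pc1=N"), ("or", ("p", "pc1=W"), ("p", "pc1=C")))
# [[p_init /\ (mu x : q_mutex \/ EX x)]]: initial states that can reach a violation.
REACH_BAD = ("and", P_INIT, ("mu", "x", ("or", Q_MUTEX, ("EX", ("var", "x")))))
# nu x : (EX true /\ AX x): no reachable state is stuck.
DEADLOCK_FREE = ("nu", "x", ("and", ("EX", TRUE), ("AX", ("var", "x"))))


def mutex_violable():
    return not Empty(model_check(REACH_BAD))


def deadlock_free_everywhere():
    return model_check(DEADLOCK_FREE) == CLASSES
```

`mutex_violable()` is `False`: the least fixpoint reaches a region that does contain classes (`Pre(Q_MUTEX)` is not empty, since an unreachable state with $pc_2 = C$ and $y_2 = 0$ lets process 1 enter), but none of them lies in $p_{\mathit{init}}$. The sample realizes 45 classes: of the 72 valuations of the three predicates over a pair of program counters, those with some $y_i = 0$ fix the value of $y_1 \leq y_2$, so only five token patterns per pair of locations are realizable.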
Symbolic semi-algorithm Closure2
Input: a region algebra $R = (P, \mathit{Pre}, \mathit{And}, \mathit{Diff}, \mathit{Empty})$.
    $T_0 := P$;
    for $i = 0, 1, 2, \ldots$ do
        $T_{i+1} := T_i \cup \{\mathit{Pre}(\sigma) \mid \sigma \in T_i\} \cup \{\mathit{And}(\sigma, \tau) \mid \sigma, \tau \in T_i\}$
    until $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$.
The termination test $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$ is decided as in Figure 1.
Fig. 4. Intersection refinement.

4. CLASS-2 SYMBOLIC TRANSITION SYSTEMS

The class-2 systems are characterized by finite similarity quotients. The region algebra of a class-2 system has a finite subalgebra that contains the observables and is closed under $\mathit{Pre}$ and $\mathit{And}$ operations. This enables the model checking of all existential and universal µ-calculus properties. Infinite-state examples of class-2 systems are provided by the 2D rectangular hybrid automata.

4.1 Finite Characterization: Similarity

Definition: Similarity. Let $S$ be a transition system. Two states $u$ and $v$ of $S$ are similar, denoted $u \cong^S_2 v$, if there are two simulations $\preceq_1$ and $\preceq_2$ on $S$ such that $u \preceq_1 v$ and $v \preceq_2 u$. The state equivalence $\cong_2$ is called similarity.

Definition: Class STS2. A symbolic transition system $S$ belongs to the class STS2 if the similarity relation $\cong^S_2$ has finite index. Since similarity is coarser than bisimilarity [van Glabbeek 1990], the class STS2 of symbolic transition systems is a proper extension of STS1 (the 2D rectangular automaton of Theorem 1C, which is outside STS1, lies in STS2 by Theorem 2C below).

4.2 Symbolic State-Space Exploration: Intersection Refinement

The symbolic semi-algorithm Closure2 of Figure 4 is an abstract version of the method presented in [Henzinger et al. 1995] for computing the similarity relation of an infinite-state system. A different algorithm for computing simulation quotients is given in [Bustan and Grumberg 2003]. Suppose that the input given to Closure2 is the region algebra of a symbolic transition system $S = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$. Given two states $u, v \in Q$, we say that $v$ simulates $u$ if $u \preceq v$ for some simulation $\preceq$ on $S$. For $i \geq 0$ and $u \in Q$, define
    $\mathit{Sim}_i(u) = \bigcap \{\llbracket\sigma\rrbracket \mid \sigma \in T_i \text{ and } u \in \llbracket\sigma\rrbracket\}$,
where the set $T_i$ of regions is computed by Closure2.
By induction it is easy to check that for all $i \geq 0$, if $v$ simulates $u$, then $v \in \mathit{Sim}_i(u)$. Thus, the extension of every region in $T_i$ is a $\cong^S_2$ block, and if $\cong^S_2$ has finite index, then Closure2 terminates. Conversely, suppose that Closure2 terminates with $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$. From the definition of simulations it follows that if $v \in \mathit{Sim}_i(u)$, then $v$ simulates $u$. This implies that $\cong^S_2$ has finite index.

Theorem 2A. For all symbolic transition systems $S$, the symbolic semi-algorithm Closure2 terminates on the region algebra $R_S$ iff $S$ belongs to the class STS2.

Corollary 2A. The $\cong_2$ (similarity) equivalence problem is decidable for the class STS2 of symbolic transition systems.

4.3 Decidable Properties: Negation-free Branching Time

Definition: Negation-free µ-calculus. The negation-free µ-calculus consists of the µ-calculus formulas that are generated by the grammar
    $\varphi ::= p \mid x \mid \varphi \lor \varphi \mid \varphi \land \varphi \mid \exists\bigcirc\varphi \mid (\mu x : \varphi) \mid (\nu x : \varphi)$,
for constants $p \in \Pi$ and variables $x \in X$. The state logic $L^\mu_2$ consists of the closed formulas of the negation-free µ-calculus. The state logic $\overline{L^\mu_2}$ consists of the duals of all $L^\mu_2$-formulas.

The following facts about the distinguishing and expressive powers of the negation-free µ-calculus and its dual are well-known. First, both $L^\mu_2$ and $\overline{L^\mu_2}$ preserve $\cong_2$ (similarity); indeed, the state equivalence defined by $L^\mu_2$ (respectively, $\overline{L^\mu_2}$) over the class STS2 of symbolic transition systems with finite similarity quotients is exactly $\cong_2$ [Loiseaux et al. 1995]. Therefore the µ-calculus $L^\mu_1$ with negation is more expressive than either $L^\mu_2$ or $\overline{L^\mu_2}$. Second, the negation-free µ-calculus $L^\mu_2$ is more expressive than the existential fragments of CTL and CTL* [Emerson 1990], which also define similarity over the STS2 systems.
The dual logic $\overline{L^\mu_2}$ is more expressive than the universal fragments of CTL and CTL*, which again define similarity over the STS2 systems. Third, both $L^\mu_2$ and $\overline{L^\mu_2}$ admit abstraction [Alur and Henzinger 1998]. It follows that the $L^\mu_2$ and $\overline{L^\mu_2}$ model-checking problems are decidable for the STS2 systems. However, we now show that the procedure ModelCheck from Figure 2 decides the model-checking problems for $L^\mu_2$ and $\overline{L^\mu_2}$ over STS2 systems without constructing similarity quotients.

If we apply the symbolic semi-algorithm ModelCheck to the region algebra of a symbolic transition system $S$ and an input formula from $L^\mu_2$, then the cases $\varphi = \bar p$ and $\varphi = \forall\bigcirc\varphi'$ are never executed, so the operation $\mathit{Diff}$ is never applied. It follows that all regions which are generated by ModelCheck are also generated by the semi-algorithm Closure2 on input $R_S$. Thus, if Closure2 terminates, then so does ModelCheck.

Theorem 2B. For all symbolic transition systems $S$ in STS2 and every $L^\mu_2$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $R_S$ and the input formula $\varphi$.

Corollary 2B. The $L^\mu_2$ and $\overline{L^\mu_2}$ model-checking problems are decidable for the class STS2 of symbolic transition systems.

4.4 Example: 2D Rectangular Hybrid Automata

For every 2D rectangular automaton, the (time-abstract) similarity relation has finite index [Henzinger et al. 1995]. It follows that the symbolic semi-algorithm ModelCheck, as implemented in HyTech, decides all $L^\mu_2$ and $\overline{L^\mu_2}$ model-checking questions for 2D rectangular automata. The 2D rectangular automata form a maximal class of hybrid automata in STS2. This is because there is a 3D rectangular automaton whose similarity relation is state equality [Henzinger and Kopke 1996].

Theorem 2C. The 2D rectangular automata belong to the class STS2. There is a 3D rectangular automaton that does not belong to STS2.

5. CLASS-3 SYMBOLIC TRANSITION SYSTEMS

The class-3 systems are characterized by finite trace-equivalence quotients. The region algebra of a class-3 system has a finite subalgebra that contains the observables and is closed under $\mathit{Pre}$ operations and those $\mathit{And}$ operations for which one of the two arguments is an observable. This enables the model checking of all linear temporal properties. Infinite-state examples of class-3 systems are provided by the rectangular hybrid automata.

5.1 Finite Characterization: Traces

Definition: Trace equivalence. Let $S = (Q, \delta, \cdot, \llbracket\cdot\rrbracket, P)$ be a transition system. A trajectory of $S$ is a finite sequence $\theta = u_0 u_1 \ldots u_n$ of states $u_i \in Q$ such that $u_{i+1} \in \delta(u_i)$ for all $0 \leq i < n$. The first state $u_0$ is called the source of the trajectory $\theta$, the last state $u_n$ is its sink, and the length of the trajectory is $n$. An observation is a set of observables. Every state $u \in Q$ induces an observation, denoted by $\langle\!\langle u \rangle\!\rangle = \{p \in P \mid u \in \llbracket p \rrbracket\}$. A trace from state $u$ is a finite sequence of observations which is induced by some trajectory with source $u$; that is, $\vartheta = \pi_0 \pi_1 \ldots \pi_n$ is a trace from $u \in Q$ if there exists a trajectory $u_0 u_1 \ldots u_n$ of $S$ such that (1) $u_0 = u$ and (2) $\langle\!\langle u_i \rangle\!\rangle = \pi_i$ for all $0 \leq i \leq n$. The observables in the last observation $\pi_n$ are called the targets of the trace $\vartheta$, and its length is $n$. Two states $u, v \in Q$ are trace equivalent, denoted $u \cong^S_3 v$, if every trace from $u$ is a trace from $v$, and vice versa. The state equivalence $\cong_3$ is called trace equivalence.

Definition: Class STS3. A symbolic transition system $S$ belongs to the class STS3 if the trace-equivalence relation $\cong^S_3$ has finite index. Since trace equivalence is coarser than similarity [van Glabbeek 1990], the class STS3 of symbolic transition systems is a proper extension of STS2 (the 3D rectangular automaton of Theorem 2C, which is outside STS2, lies in STS3 by Theorem 3C below).

5.2 Symbolic State-Space Exploration: Observation Refinement

Trace equivalence can be characterized operationally by the symbolic semi-algorithm Closure3 of Figure 5.
Suppose that the input given to Closure3 is the region algebra of a symbolic transition system $S = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$. By induction it is easy to check that for all $i \geq 0$, the extension of every region in $T_i$ is a $\cong^S_3$ block. Thus, if $\cong^S_3$ has finite index, then Closure3 terminates. Conversely, suppose that Closure3 terminates with $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$. Suppose further that there are two states $u, v \in Q$ and a trace $\pi_0 \pi_1 \ldots \pi_n$ from $u$ which is not a trace from $v$. For $0 \leq j \leq n$, let $\hat\pi_j$ be the region that results from conjoining by $\mathit{And}$ the observables in the finite set $\pi_j$ (note that for every observable $p \in P$, either $p \in \pi_j$ or $\bar p \in \pi_j$, so $\hat\pi_j$ characterizes the observation $\pi_j$ exactly). Then $T_i$ contains a region with the extension of
    $\mathit{And}(\hat\pi_0, \mathit{Pre}(\mathit{And}(\hat\pi_1, \mathit{Pre}(\cdots \mathit{And}(\hat\pi_{n-1}, \mathit{Pre}(\hat\pi_n)) \cdots))))$,
which contains $u$ but not $v$. It follows that if for each region $\sigma \in T_i$ we have $u \in \llbracket\sigma\rrbracket$ iff $v \in \llbracket\sigma\rrbracket$, then $u \cong^S_3 v$. This implies that $\cong^S_3$ has finite index.

Theorem 3A. For all symbolic transition systems $S$, the symbolic semi-algorithm Closure3 terminates on the region algebra $R_S$ iff $S$ belongs to the class STS3.

Symbolic semi-algorithm Closure3
Input: a region algebra $R = (P, \mathit{Pre}, \mathit{And}, \mathit{Diff}, \mathit{Empty})$.
    $T_0 := P$;
    for $i = 0, 1, 2, \ldots$ do
        $T_{i+1} := T_i \cup \{\mathit{Pre}(\sigma) \mid \sigma \in T_i\} \cup \{\mathit{And}(\sigma, p) \mid \sigma \in T_i \text{ and } p \in P\}$
    until $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$.
The termination test $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$ is decided as in Figure 1.
Fig. 5. Observation refinement.

Fig. 6. Trace equivalence does not imply ω-trace equivalence. (Diagram not reproduced; it shows two states $u$ and $v$ whose successors all carry the observable $p$.)

Corollary 3A. The $\cong_3$ (trace) equivalence problem is decidable for the class STS3 of symbolic transition systems.

Remark: Infinite traces. We have defined trace equivalence based on finite traces only. An ω-trajectory of $S$ is an infinite sequence $\theta = u_0 u_1 u_2 \ldots$ of states such that all finite prefixes of $\theta$ are trajectories of $S$.
An ω-trace from state $u \in Q$ is an infinite sequence of observations which is induced by some ω-trajectory of $S$ with source $u$. Two states $u, v \in Q$ are ω-trace equivalent if every trace and ω-trace from $u$ is also a trace or ω-trace from $v$, and vice versa. As transition systems need not be finitely branching, trace equivalence does not imply ω-trace equivalence. To see this, consider the states $u$ and $v$ of Figure 6, which are trace equivalent but not ω-trace equivalent: $u$ and $v$ agree on all finite traces of the form $\{p\}^n$, for $n \geq 1$, but only $u$ has the ω-trace $\{p\}^\omega$. Note that the semi-algorithm Closure3 does not terminate on the symbolic transition system from Figure 6. The following lemma shows that if Closure3 terminates, then trace equivalence and ω-trace equivalence coincide.

Lemma 3a. For all states $u$ and $v$ of a symbolic transition system $S$ in the class STS3, if $u \cong^S_3 v$, then $u$ and $v$ are ω-trace equivalent.

Proof. Suppose that Closure3 terminates, and consider two states $u$ and $v$ that are trace equivalent. We show that every ω-trace from $u$ is also an ω-trace from $v$. Consider an ω-trace $\vartheta = \pi_0 \pi_1 \pi_2 \ldots$ from $u$. By way of contradiction, suppose that there is no ω-trajectory with source $v$ which induces the ω-trace $\vartheta$. For each $n \geq 1$, denote the prefix $\pi_0 \pi_1 \ldots \pi_n$ of $\vartheta$ by $\vartheta_n$. We build the following subtree $T$ of the unfolding of the transition function from state $v$: the root of $T$ is $\langle v \rangle$; the nodes of $T$ have the form $\langle u_0 u_1 \ldots u_n \rangle$, where $u_0 u_1 \ldots u_n$ is a trajectory with source $v$ which induces the trace $\vartheta_n$; there is an edge in $T$ from $\langle u_0 u_1 \ldots u_n \rangle$ to $\langle u_0 u_1 \ldots u_{n+1} \rangle$ if $u_{n+1} \in \delta(u_n)$. We say that a node $z$ of $T$ is infinitely reaching if $z$ has a descendant at distance $n$ for all $n \geq 1$; and $z$ is infinitely branching if $z$ has infinitely many immediate descendants (at distance 1).
Since $u$ and $v$ are trace equivalent, for each $n \geq 1$ there is a trajectory with source $v$ which induces $\vartheta_n$. It follows that the root of $T$ is infinitely reaching. However, since there is no ω-trajectory with source $v$ which induces $\vartheta$, the tree $T$ has no infinite path. By König's lemma, $T$ must contain a node $z$ which is both infinitely reaching and infinitely branching. For each $n \geq 1$, there must exist $f(n) \geq n$ such that $z$ has an immediate successor $\langle \ldots u_{f(n)} \rangle$ which is the root of a subtree of height $f(n)$ but not $f(n) + 1$. Then Closure3 would have to separate all states $u_{f(n)}$, for $n \geq 1$, into different equivalence classes, and hence could not have terminated. □

5.3 Decidable Properties: Linear Time

Definition: Deterministic µ-calculus. The deterministic µ-calculus (also called "L1" in [Emerson et al. 1993]) consists of the µ-calculus formulas that are generated by the grammar
    $\varphi ::= p \mid x \mid \varphi \lor \varphi \mid p \land \varphi \mid \exists\bigcirc\varphi \mid (\mu x : \varphi) \mid (\nu x : \varphi)$,
for constants $p \in \Pi$ and variables $x \in X$. The state logic $L^\mu_3$ consists of the closed formulas of the deterministic µ-calculus. The state logic $\overline{L^\mu_3}$ consists of the duals of all $L^\mu_3$-formulas.

Following [Emerson et al. 2001], we show that $L^\mu_3$ has the same expressive power as existentially interpreted Büchi automata. We recall a few definitions. A Büchi automaton [Thomas 1990] is a tuple $\mathcal{B} = (S, \Phi, \to, s_0, F, B)$, where $S$ is a finite set of states, $\Phi$ is a finite input alphabet, $\to \subseteq S \times \Phi \times S$ is a labeled transition relation, $s_0 \in S$ is the start state, $F \subseteq S$ is a set of finite accepting states, and $B \subseteq S$ is a set of Büchi accepting states. The automaton $\mathcal{B}$ accepts a finite word $w_0 w_1 \ldots w_n \in \Phi^*$ if there is a finite sequence $s_0 s_1 \ldots s_{n+1}$ of states $s_i \in S$, beginning from the start state $s_0$, such that (1) $s_i \xrightarrow{w_i} s_{i+1}$ for all $0 \leq i \leq n$, and (2) $s_{n+1} \in F$. The automaton $\mathcal{B}$ accepts an infinite word $w_0 w_1 w_2 \ldots \in \Phi^\omega$ if there is an infinite sequence $s_0 s_1 s_2 \ldots$ of states, beginning with $s_0$, such that (1) $s_i \xrightarrow{w_i} s_{i+1}$ for all $i \geq 0$, and (2) $s_i \in B$ for infinitely many $i \geq 0$.

The state logic ∃Büchi has a formula of the form $\exists\mathcal{B}$ for every Büchi automaton $\mathcal{B}$ with $\Phi = 2^\Pi$; that is, each input letter is a set of constants. Then, given a transition system $S = (Q, \delta, \cdot, \llbracket\cdot\rrbracket, P)$ with $\Pi \subseteq P$, and a state $u \in Q$, let $u \in [[\exists\mathcal{B}]]_S$ if there exist a trace or ω-trace $\vartheta = \pi_0 \pi_1 \pi_2 \ldots$ from $u$, and a finite or infinite word $\varpi = w_0 w_1 w_2 \ldots$ with the same length as $\vartheta$, such that (1) $w_i \subseteq \pi_i$ for all positions $i$, and (2) the word $\varpi$ is accepted by $\mathcal{B}$. If (1) and (2) hold, then we say that the trace or ω-trace $\vartheta$ is accepted by the Büchi automaton $\mathcal{B}$.

Lemma 3b. The state logics $L^\mu_3$ and ∃Büchi are equally expressive.

Proof. The proof is based on the following constructions. By induction on the structure of an $L^\mu_3$-formula $\varphi$, we can construct a Büchi automaton $\mathcal{B}_\varphi$ such that $\exists\mathcal{B}_\varphi$ is equivalent to $\varphi$; see [Emerson et al. 2001] for details. Conversely, given a Büchi automaton $\mathcal{B}$, we construct an $L^\mu_3$-formula $\varphi_{\mathcal{B}}$ such that for all transition systems $S$, a state $u$ of $S$ satisfies $\varphi_{\mathcal{B}}$ iff some trace or ω-trace from $u$ is accepted by $\mathcal{B}$. Let $\mathcal{B} = (S, 2^P, \to, s_0, F, B)$ be a Büchi automaton over the alphabet $2^P$. For notational convenience, we present the formula $\varphi_{\mathcal{B}}$ in equational form [Cleaveland et al. 1992]; it can be easily converted into the standard fixpoint representation by unrolling the equations and binding variables with least and greatest fixpoint quantifiers. For a set $\pi \subseteq P$ of observables, let $\tilde\pi = \bigwedge \pi$ be the conjunction of the observables in $\pi$. For each automaton state $s \in S$, we introduce a variable $x_s \in X$. If $s \in F$ is a finite accepting state, then $x_s = \tilde\pi$ for the empty set $\pi$ of observables, that is, the empty conjunction, which every state satisfies. If $s \notin F$, then the equation for $x_s$ is
    $x_s =_\lambda \bigvee \{\tilde\pi \land \exists\bigcirc x_{s'} \mid s \xrightarrow{\pi} s'\}$,
where $\lambda = \nu$ if $s \in B$ is a Büchi accepting state, and $\lambda = \mu$ otherwise.
The top-level variable is $x_{s_0}$, where $s_0$ is the start state of the automaton. The correctness of the procedure follows from [Bhat and Cleaveland 1996] (an equivalent construction is given in [Dam 1994]). □

The state logic ∃Büchi, by its very definition, preserves ω-trace equivalence. Moreover, as every finite trace can be specified by a Büchi automaton, over the class STS3 of symbolic transition systems with finite trace-equivalence quotients the state equivalence defined by ∃Büchi is, by Lemma 3a, exactly $\cong_3$ (trace equivalence). By Lemma 3b, it follows that both the deterministic µ-calculus $L^\mu_3$ and its dual $\overline{L^\mu_3}$ also preserve ω-trace equivalence, and the state equivalence defined by $L^\mu_3$ (respectively, $\overline{L^\mu_3}$) over the STS3 systems is $\cong_3$. Therefore the negation-free µ-calculus $L^\mu_2$ with unrestricted conjunction is more expressive than $L^\mu_3$, and $\overline{L^\mu_2}$ is more expressive than $\overline{L^\mu_3}$. Since Büchi automata are more expressive than the linear temporal logic LTL [Wolper 1983], by Lemma 3b the deterministic µ-calculus $L^\mu_3$ is more expressive than the existential interpretation of LTL, which also defines trace equivalence over the STS3 systems. For example, the existential LTL formula $\exists(p\,\mathsf{U}\,q)$ ("on some trace, $p$ until $q$") is equivalent to the $L^\mu_3$-formula $(\mu x : q \lor (p \land \exists\bigcirc x))$ (notice that one argument of the conjunction is a constant). The dual logic $\overline{L^\mu_3}$ is more expressive than the usual, universal interpretation of LTL, which again defines trace equivalence over the STS3 systems. For example, the universal LTL formula $\forall(p\,\mathsf{W}\,q)$ ("on all traces, either $p$ forever, or $p$ until $q$") is equivalent to the $\overline{L^\mu_3}$-formula $(\nu x : p \land \forall\bigcirc(q \lor x))$ (notice that one argument of the disjunction is a constant). Finally, both $L^\mu_3$ and $\overline{L^\mu_3}$ admit abstraction [Alur and Henzinger 1998]. It follows that the $L^\mu_3$ and $\overline{L^\mu_3}$ model-checking problems are decidable for the STS3 systems.
However, we now show that the procedure ModelCheck from Figure 2 decides the model-checking problems for $L^\mu_3$ and $\overline{L^\mu_3}$ over STS3 systems without constructing trace-equivalence quotients. If we apply the symbolic semi-algorithm ModelCheck to the region algebra of a symbolic transition system $S$ and an input formula from $L^\mu_3$, then every conjunction has an observable as one of its arguments, and neither $\bar p$ nor $\forall\bigcirc$ occurs; hence all regions which are generated by ModelCheck are also generated by the semi-algorithm Closure3 on input $R_S$. Thus, if Closure3 terminates, then so does ModelCheck.

Theorem 3B. For all symbolic transition systems $S$ in STS3 and every $L^\mu_3$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $R_S$ and the input formula $\varphi$.

Corollary 3B. The $L^\mu_3$ and $\overline{L^\mu_3}$ model-checking problems are decidable for the class STS3 of symbolic transition systems.

Remark: LTL model checking. The LTL model-checking problem for a class $C$ of transition systems asks, given an existential (respectively, universal) LTL formula $\exists\psi$ (respectively, $\forall\psi$) and a state $u$ of a transition system from the class $C$, whether some (respectively, all) ω-traces from $u$ satisfy $\psi$ [Emerson 1990]. Our results suggest a symbolic procedure for LTL model checking over STS3 systems [Henzinger and Majumdar 2000]. Suppose that $S$ is a symbolic transition system in the class STS3, and $\exists\psi$ is an existential LTL formula (for a universal LTL formula, take the negation). First, convert $\psi$ into a Büchi automaton $\mathcal{B}_\psi$ using a tableau construction [Wolper 1983], and then into an equivalent $L^\mu_3$-formula $\varphi_\psi$ in equational form (introduce one variable $x_s$ per state $s$ of $\mathcal{B}_\psi$, as in the proof of Lemma 3b). Second, run the symbolic semi-algorithm ModelCheck on the inputs $R_S$ and $\varphi_\psi$ (see footnote 3). It will terminate with a representation of the set of states that satisfy $\exists\psi$ in $S$.
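The procedure of the remark above (LTL property as a Büchi automaton, the equational $L^\mu_3$ system of Lemma 3b with one variable per automaton state, then fixpoint evaluation), as an added example that is not code from the paper. The transition system and the three automata are constructed here by hand, so no tableau construction is implemented; the finite acceptance set $F$ is left empty because LTL is interpreted over ω-traces; and the equational system is solved by nested iteration with the $\nu$-variables outermost, which is the nesting of the Büchi condition $\nu x_1 . \mu x_2 . \ldots$ used for product structures. Regions are explicit frozensets of states; the names `sat`, `equations`, `solve`, `exists_ltl` are choices made here.

```python
"""Existential LTL model checking via Buechi automata and the equational
L^mu_3 system of Lemma 3b, on an explicit finite-state transition system.
Added example, not the paper's code.  A Buechi automaton is a tuple
(states, delta, start, accepting) with delta a list of (s, letter, s')
and letters frozensets of constants; a letter matches a system state whose
observation contains it (w_i subseteq pi_i in the definition of E-Buechi)."""

# Constructed transition system (total, so every trace extends to an omega-trace).
STATES = frozenset({"s0", "s1", "s2", "s3"})
EDGES = {("s0", "s1"), ("s1", "s2"), ("s2", "s1"), ("s0", "s3"), ("s3", "s3")}
OBS = {"p": frozenset({"s0", "s1", "s3"}), "q": frozenset({"s2"})}


def pre(region):
    return frozenset(u for u, v in EDGES if v in region)


def sat(letter):
    """pi~: the states whose observation contains every constant of the letter."""
    return frozenset(u for u in STATES if all(u in OBS[c] for c in letter))


def equations(buchi):
    """x_s =_lambda OR { pi~ /\ EX x_s' | s -pi-> s' }, lambda = nu iff s is
    Buechi accepting.  Returns [(x_s, "nu" | "mu", [(letter, s'), ...])] with
    the nu-equations first (outermost)."""
    states, delta, _, accepting = buchi
    eqs = [(s, "nu" if s in accepting else "mu",
            [(letter, t) for (src, letter, t) in delta if src == s])
           for s in states]
    eqs.sort(key=lambda e: e[1] != "nu")
    return eqs


def eval_rhs(rhs, env):
    result = frozenset()
    for letter, target in rhs:
        result |= sat(letter) & pre(env[target])
    return result


def solve(eqs, env, i=0):
    """Nested fixpoint iteration, equation i outermost: for each candidate
    value of x_i the inner equations are re-solved from their initial values
    (empty for mu, all states for nu)."""
    if i == len(eqs):
        return env
    x, kind, rhs = eqs[i]
    cur = frozenset() if kind == "mu" else STATES
    while True:
        inner = solve(eqs, {**env, x: cur}, i + 1)
        nxt = eval_rhs(rhs, inner)
        if nxt == cur:
            return inner
        cur = nxt


def exists_ltl(buchi):
    """[[E B]]: the states with some omega-trace accepted by the automaton."""
    return solve(equations(buchi), {})[buchi[2]]


ANY = frozenset()   # the empty letter matches every state
# "infinitely often q": a0 loops on any letter and may move to accepting a1 on q.
INF_OFTEN_Q = (("a0", "a1"),
               [("a0", ANY, "a0"), ("a0", frozenset({"q"}), "a1"), ("a1", ANY, "a0")],
               "a0", {"a1"})
# "p until q": stay in b0 while reading p, move to the accepting sink b1 on q.
P_UNTIL_Q = (("b0", "b1"),
             [("b0", frozenset({"p"}), "b0"), ("b0", frozenset({"q"}), "b1"),
              ("b1", ANY, "b1")],
             "b0", {"b1"})
# "always p": one accepting state that only reads p.
ALWAYS_P = (("c0",), [("c0", frozenset({"p"}), "c0")], "c0", {"c0"})
```

On this system $\exists\Box\Diamond q$ and $\exists(p\,\mathsf{U}\,q)$ both hold exactly in $s_0, s_1, s_2$ (the cycle $s_1 s_2 s_1 \ldots$ passes through $q$), while $\exists\Box p$ holds exactly in $s_0$ and $s_3$. The automaton for $p\,\mathsf{U}\,q$ reads $q$ at the current state and then requires a successor in $x_{b_1}$; on a total system that is the $q \lor (p \land \exists\bigcirc x)$ of the $L^\mu_3$ example above.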
While ModelCheck provides, in this way, a symbolic semi-algorithm for model checking LTL, traditionally a different method has been used for the symbolic model checking of LTL formulas [Clarke et al. 1994]. Given a state $u$ of a finite-state transition system $S$, and an existential LTL formula $\exists\psi$, the model-checking question can be answered by constructing the product of $S$ with the tableau automaton $\mathcal{B}_\psi$, and then checking the nonemptiness of a Büchi condition on the product structure. A Büchi condition is an LTL formula of the form $\Box\Diamond\phi$, where $\phi$ is a boolean combination of observables; therefore Büchi nonemptiness can be checked symbolically by evaluating the equivalent $L^\mu_3$-formula
    $\chi = (\nu x_1 : (\mu x_2 : (\exists\bigcirc x_2) \lor (\phi \land \exists\bigcirc x_1)))$.
To extend this method to infinite-state systems, we need to be more formal. Let $S = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$ be a symbolic transition system, and let $\mathcal{B}_\psi = (S, 2^P, \to, s_0, \emptyset, B)$ be a Büchi automaton. Notice that since we interpret LTL only over ω-traces, the set $F$ of finite accepting states of the Büchi automaton is empty. The product structure $S_\psi = (S \times Q, \delta_\psi, S \times R, \llbracket\cdot\rrbracket_\psi, S \times P)$ is the following symbolic transition system with state space $S \times Q$, region set $S \times R$, and observable set $S \times P$: the extension $\llbracket (s, \sigma) \rrbracket_\psi$ is the set $\{s\} \times \llbracket\sigma\rrbracket$ of states, and $(s', u') \in \delta_\psi(s, u)$ iff (1) $s \xrightarrow{\pi} s'$ and $u' \in \delta(u)$, and (2) $u \in \llbracket p \rrbracket$ for all observables $p \in \pi$. Since the state space of the Büchi automaton $\mathcal{B}_\psi$ is finite, it is easy to check that $S_\psi$ is again a symbolic transition system. Furthermore, for all states $u \in Q$, we have $u \in [[\exists\mathcal{B}_\psi]]_S$ iff $(s_0, u) \in [[\Box\Diamond\phi]]_{S_\psi}$, where $\phi = \bigvee_{s \in B,\, p \in P} (s, p)$. Let DirectCheck be the instance of the symbolic semi-algorithm ModelCheck which evaluates the $L^\mu_3$-formula $\varphi_\psi$ on the region algebra of the symbolic transition system $S$, and let ProductCheck be the instance of ModelCheck which evaluates the $L^\mu_3$-formula $\chi$ on the region algebra of the product structure $S_\psi$.
We show that there is a direct correspondence between the regions computed by ProductCheck and the regions computed by DirectCheck; in fact, the algorithm DirectCheck mimics the evaluation of $\chi$ with respect to $S_\psi$. To see this, we first write the formula $\chi$ in equational form as
    $x_1 =_\nu x_2$ and $x_2 =_\mu ((\exists\bigcirc x_2) \lor (\phi \land \exists\bigcirc x_1))$.
Now we introduce two sets of variables, $\{x^s_1 \mid s \in S\}$ and $\{x^s_2 \mid s \in S\}$. For $j = 1, 2$, we use the variable $x^s_j$ to track the value of $x_j$ on the product structure at the automaton state $s$; that is, at each step, $x_1 = \bigvee\{x^s_1 \mid s \in S\}$ and $x_2 = \bigvee\{x^s_2 \mid s \in S\}$. With these new variables, the equations for $\chi$ become
    $x^s_1 =_\nu x^s_2$ for all $s \in S$,
    $x^s_2 =_\mu \bigvee\{\tilde\pi \land \exists\bigcirc x^{s'}_1 \mid s \xrightarrow{\pi} s'\}$ for all $s \in B$, and
    $x^s_2 =_\mu \bigvee\{\tilde\pi \land \exists\bigcirc x^{s'}_2 \mid s \xrightarrow{\pi} s'\}$ for all $s \in S \setminus B$.
The top-level variable is $x^{s_0}_1$. From this, it is clear that these two methods are equivalent in the regions they compute. It follows that ProductCheck terminates iff DirectCheck does.

Corollary 3B*. For all symbolic transition systems $S$ in STS3, and every existential LTL formula $\exists\psi$, the symbolic semi-algorithm ProductCheck terminates for $S$ and $\psi$.

Footnote 3. In practice, we run a variant of ModelCheck directly on the equational representation of the $L^\mu_3$-formula $\varphi_\psi$ [Cleaveland et al. 1992]. This is because in equational form, the size of $\varphi_\psi$ is linear in the size of the Büchi automaton $\mathcal{B}_\psi$ (and exponential in the size of the LTL formula $\psi$). Conversion of $\varphi_\psi$ into fixpoint representation would involve another exponential.

5.4 Example: Rectangular Hybrid Automata

For every rectangular automaton, the (time-abstract) trace-equivalence relation has finite index [Henzinger et al. 1998]. It follows that the symbolic semi-algorithm ModelCheck, as implemented in HyTech, decides all $L^\mu_3$ and $\overline{L^\mu_3}$ model-checking questions for rectangular automata.
The rectangular automata form a maximal class of hybrid automata in STS3. This is because for simple generalizations of rectangular automata, the reachability problem is undecidable [Henzinger et al. 1998].

Theorem 3C The rectangular automata belong to the class STS3. There is a polyhedral hybrid automaton that does not belong to STS3.

6. CLASS-4 SYMBOLIC TRANSITION SYSTEMS

We define two states of a transition system to be "distance equivalent" if for every distance $d$, the same observables can be reached in $d$ transitions. The class-4 systems are characterized by finite distance-equivalence quotients. The region algebra of a class-4 system has a finite subalgebra that contains the observables and is closed under Pre operations. This enables the model checking of all existential conjunction-free and universal disjunction-free µ-calculus properties, such as the property that an observable can be reached in an even number of transitions.

6.1 Finite Characterization: Equi-distant Targets

Definition: Distance equivalence. Let $S$ be a transition system. Two states $u$ and $v$ of $S$ are distance equivalent, denoted $u \cong^S_4 v$, if for every trace from $u$ with length $n$ and target $p$, there is a trace from $v$ with length $n$ and target $p$, and vice versa. The state equivalence $\cong_4$ is called distance equivalence.

Definition: Class STS4. A symbolic transition system $S$ belongs to the class STS4 if the distance-equivalence relation $\cong^S_4$ has finite index.

Figure 7 shows that distance equivalence is coarser than trace equivalence: the states $u$ and $v$ are distance equivalent but not trace equivalent. It follows that the class STS4 of symbolic transition systems is a proper extension of STS3.

[Figure 7: two branching systems rooted at $u$ and $v$, with states labelled $p$ and $q$.] Fig. 7. Distance equivalence is coarser than trace equivalence.

Symbolic semi-algorithm Closure4
  Input: a region algebra $R = (P, Pre, And, Diff, Empty)$.
  $T_0 := P$;
  for $i = 0, 1, 2, \ldots$ do
    $T_{i+1} := T_i \cup \{Pre(\sigma) \mid \sigma \in T_i\}$
  until $[\![T_{i+1}]\!] \subseteq [\![T_i]\!]$.
The termination test $[\![T_{i+1}]\!] \subseteq [\![T_i]\!]$ is decided as in Figure 1.
Fig. 8. Predecessor iteration.

6.2 Symbolic State-Space Exploration: Predecessor Iteration

The symbolic semi-algorithm Closure4 of Figure 8 computes the subalgebra of a region algebra $R_S$ that contains the observables and is closed under the Pre operation. Suppose that the input given to Closure4 is the region algebra of a symbolic transition system $S = (Q, \delta, R, [\![\cdot]\!], P)$. For $i \ge 0$ and two states $u, v \in Q$, define $u \sim^S_i v$ if for every trace from $u$ with length $n \le i$ and target $p$, there is a trace from $v$ with length $n$ and target $p$, and vice versa. By induction it is easy to check that for all $i \ge 0$, the extension of every region in $T_i$, as computed by Closure4, is a $\sim^S_i$ block. Since $\sim^S_i$ is at least as coarse as $\sim^S_{i+1}$ for all $i \ge 0$, and $\cong^S_4$ is equal to $\bigcap\{\sim^S_i \mid i \ge 0\}$, if $\cong^S_4$ has finite index, then $\cong^S_4$ is equal to $\sim^S_j$ for some $j \ge 0$. Then, Closure4 will terminate in $j$ iterations. Conversely, suppose that Closure4 terminates with $[\![T_{i+1}]\!] \subseteq [\![T_i]\!]$. In this case, if for all regions $\sigma \in T_i$, we have $u \in [\![\sigma]\!]$ iff $v \in [\![\sigma]\!]$, then $u \cong^S_4 v$. This is because if $u$ can reach an observable $p$ in $n$ transitions, but $v$ cannot, then there is a region in $T_i$, namely, $Pre^n(p)$, such that $u \in [\![Pre^n(p)]\!]$ and $v \notin [\![Pre^n(p)]\!]$. It follows that $\cong^S_4$ has finite index.

Theorem 4A For all symbolic transition systems $S$, the symbolic semi-algorithm Closure4 terminates on the region algebra $R_S$ iff $S$ belongs to the class STS4.

Corollary 4A The $\cong_4$ (distance) equivalence problem is decidable for the class STS4 of symbolic transition systems.

6.3 Decidable Properties: Conjunction-free Linear Time

Definition: Conjunction-free µ-calculus. The conjunction-free µ-calculus consists of the µ-calculus formulas that are generated by the grammar $\varphi ::= p \mid x \mid \varphi \vee \varphi \mid \exists\bigcirc\varphi \mid (\mu x : \varphi)$ for constants $p \in \Pi$ and variables $x \in X$. The state logic $L^\mu_4$ consists of the closed formulas of the conjunction-free µ-calculus. The state logic $\overline{L}^\mu_4$ consists of the duals of all $L^\mu_4$-formulas.

Definition: Conjunction-free temporal logic. The formulas of the conjunction-free temporal logic $L^\Diamond_4$ are generated by the grammar $\varphi ::= p \mid \varphi \vee \varphi \mid \exists\bigcirc\varphi \mid \exists\Diamond_{\le d}\varphi \mid \exists\Diamond\varphi$, for constants $p \in \Pi$ and nonnegative integers $d \ge 0$. Let $S = (Q, \delta, \cdot, [\![\cdot]\!], P)$ be a transition system whose observables include all constants; that is, $\Pi \subseteq P$. The $L^\Diamond_4$-formula $\varphi$ defines the set $[\![\varphi]\!]_S \subseteq Q$ of satisfying states:
  $[\![p]\!]_S = [\![p]\!]$;
  $[\![\varphi_1 \vee \varphi_2]\!]_S = [\![\varphi_1]\!]_S \cup [\![\varphi_2]\!]_S$;
  $[\![\exists\bigcirc\varphi]\!]_S = \{u \in Q \mid (\exists v \in \delta(u) : v \in [\![\varphi]\!]_S)\}$;
  $[\![\exists\Diamond_{\le d}\varphi]\!]_S = \{u \in Q \mid$ there is a trajectory of $S$ with source $u$, length at most $d$, and sink in $[\![\varphi]\!]_S\}$;
  $[\![\exists\Diamond\varphi]\!]_S = \{u \in Q \mid$ there is a trajectory of $S$ with source $u$ and sink in $[\![\varphi]\!]_S\}$.
Note that the $L^\Diamond_4$-formula $\exists\Diamond\varphi$ is equivalent to the $L^\mu_4$-formula $(\mu x : \varphi \vee \exists\bigcirc x)$. Moreover, the constructor $\exists\Diamond_{\le d}$ is definable from $\exists\bigcirc$ and $\vee$; however, it will be essential in the $\exists\bigcirc$-free fragment of $L^\Diamond_4$ we will consider below.

Remark: Duality. For every $L^\Diamond_4$-formula $\varphi$, the dual formula $\overline\varphi$ is obtained by replacing the constructors $p$, $\vee$, $\exists\bigcirc$, $\exists\Diamond_{\le d}$, and $\exists\Diamond$ by $\overline p$, $\wedge$, $\forall\bigcirc$, $\forall\Box_{\le d}$, and $\forall\Box$, respectively. The semantics of the dual constructors is defined as usual, such that $[\![\overline\varphi]\!]_S = Q \setminus [\![\varphi]\!]_S$. The state logic $\overline{L}^\Diamond_4$ consists of the duals of all $L^\Diamond_4$-formulas. It follows that the answer of the model-checking question for a state $u \in Q$ and an $\overline{L}^\Diamond_4$-formula $\overline\varphi$ is complementary to the answer of the model-checking question for $u$ and the $L^\Diamond_4$-formula $\varphi$.

The following easy facts about the conjunction-free µ-calculus, conjunction-free temporal logic, and their duals are relevant in our context.
First, the state equivalence induced by both $L^\mu_4$ and $\overline{L}^\mu_4$ is $\cong_4$ (distance equivalence). Therefore the deterministic µ-calculus $L^\mu_3$ is more expressive than $L^\mu_4$, and $\overline{L}^\mu_3$ is more expressive than $\overline{L}^\mu_4$. Second, the conjunction-free µ-calculus $L^\mu_4$ is more expressive than the conjunction-free temporal logic $L^\Diamond_4$, and $\overline{L}^\mu_4$ is more expressive than $\overline{L}^\Diamond_4$, both of which also induce distance equivalence. For example, the property that an observable $p$ can be reached in an even number of transitions can be expressed in $L^\mu_4$ by the formula $(\mu x : p \vee \exists\bigcirc\exists\bigcirc x)$, for which there is no equivalent $L^\Diamond_4$-formula [Wolper 1983]. Third, both $L^\mu_4$ and $\overline{L}^\mu_4$ admit abstraction. It follows that the $L^\mu_4$ and $\overline{L}^\mu_4$ model-checking problems are decidable for the STS4 systems. As usual, we now show that the procedure ModelCheck from Figure 2 decides the model-checking problems for $L^\mu_4$ and $\overline{L}^\mu_4$ over STS4 systems without constructing distance-equivalence quotients.

[Figure 9: an infinite chain of states $u_0, u_1, u_2, \ldots$, all labelled $p$.] Fig. 9. Bounded-reach equivalence is coarser than distance equivalence.

If we apply the symbolic semi-algorithm ModelCheck of Figure 2 to the region algebra of a symbolic transition system $S$ and an input formula from $L^\mu_4$, then all regions which are generated by ModelCheck are also generated by the semi-algorithm Closure4 on input $R_S$. Thus, if Closure4 terminates, then so does ModelCheck.

Theorem 4B For all symbolic transition systems $S$ in STS4 and every $L^\mu_4$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $R_S$ and the input formula $\varphi$.

Corollary 4B The $L^\mu_4$ and $\overline{L}^\mu_4$ model-checking problems are decidable for the class STS4 of symbolic transition systems.

7. CLASS-5 SYMBOLIC TRANSITION SYSTEMS

We define two states of a transition system to be "bounded-reach equivalent" if for every distance $d$, the same observables can be reached in $d$ or fewer transitions.
The class-5 systems are characterized by finite bounded-reach-equivalence quotients. Equivalently, for every observable $p$ there is a finite bound $n_p$ such that all states that can reach $p$ can do so in at most $n_p$ transitions. This enables the model checking of all reachability and (by duality) invariance properties. The transition systems in class 5 have also been called "well-structured" [Abdulla et al. 1996]. Infinite-state examples of class-5 systems are provided by networks of timed automata.

7.1 Finite Characterization: Bounded-distance Targets

Definition: Bounded-reach equivalence. Let $S$ be a transition system. Two states $u$ and $v$ of $S$ are bounded-reach equivalent, denoted $u \cong^S_5 v$, if for every trace from $u$ with length $n$ and target $p$, there is a trace from $v$ with length at most $n$ and target $p$, and vice versa. The state equivalence $\cong_5$ is called bounded-reach equivalence.

Definition: Class STS5. A symbolic transition system $S$ belongs to the class STS5 if the bounded-reach-equivalence relation $\cong^S_5$ has finite index.

Figure 9 shows that bounded-reach equivalence is coarser than distance equivalence: all states $u_i$, for $i \ge 0$, are bounded-reach equivalent, but no two of them are distance equivalent. It follows that the class STS5 of symbolic transition systems is a proper extension of STS4.

Symbolic semi-algorithm Reach
  Input: a region algebra $R = (P, Pre, And, Diff, Empty)$.
  for each $p \in P$ do
    $T_0 := \{p\}$;
    for $i = 0, 1, 2, \ldots$ do
      $T_{i+1} := T_i \cup \{Pre(\sigma) \mid \sigma \in T_i\}$
    until $\bigcup\{[\![\sigma]\!] \mid \sigma \in T_{i+1}\} \subseteq \bigcup\{[\![\sigma]\!] \mid \sigma \in T_i\}$
  end.
The termination test $\bigcup\{[\![\sigma]\!] \mid \sigma \in T_{i+1}\} \subseteq \bigcup\{[\![\sigma]\!] \mid \sigma \in T_i\}$ is decided as in Figure 2.
Fig. 10. Predecessor aggregation.
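The two iterations of Figures 8 and 10 differ only in their termination test, and the chain of Figure 9 is exactly where that difference shows. The following Python program is an added example (not code from the paper) that implements both semi-algorithms over a minimal region-algebra interface (Pre, Diff and Empty; And is not needed by either) and runs them on two constructed inputs: a finite-state system of our own in the spirit of Figure 7, and the chain of Figure 9 read as $u_{i+1} \to u_i$ with every state labelled $p$ (our reading of the figure), whose regions are finite unions of integer intervals. On the chain, Closure4 generates $Pre^n(p) = [n, \infty)$ forever, while Reach stops at once because $Pre(p)$ is already covered by $p$. The iteration cap `max_iter` is our device for observing non-termination; all names are ours.

```python
"""Closure4 (Fig. 8) and Reach (Fig. 10) over a region algebra.  Added example on
constructed inputs, not the paper's code.  An algebra needs only pre, diff, empty."""
INF = float("inf")

class FiniteAlgebra:
    """Explicit finite-state system: regions are frozensets, Pre comes from `succ`."""
    def __init__(self, succ, observables):
        self.succ = succ                       # state -> list of successor states
        self.P = [frozenset(p) for p in observables]
    def pre(self, r):
        return frozenset(u for u, vs in self.succ.items() if any(v in r for v in vs))
    def diff(self, r, s):
        return r - s
    def empty(self, r):
        return not r

class IntervalChain:
    """Chain u_0 <- u_1 <- ... (u_{i+1} has the single successor u_i; u_0 is a sink).
    State u_i is the number i; a region is a sorted tuple of disjoint half-open
    intervals [lo, hi) with hi possibly INF; Pre([a, b)) = [a + 1, b + 1)."""
    def __init__(self, observables):
        self.P = [self.norm(r) for r in observables]
    @staticmethod
    def norm(ivs):
        out = []
        for a, b in sorted((a, b) for a, b in ivs if a < b):
            if out and a <= out[-1][1]:        # overlapping or adjacent: merge
                out[-1] = (out[-1][0], max(out[-1][1], b))
            else:
                out.append((a, b))
        return tuple(out)
    def pre(self, r):
        return self.norm([(a + 1, b + 1) for a, b in r])
    def diff(self, r, s):
        out = []
        for a, b in r:
            cur = a
            for c, d in s:                     # s is sorted and disjoint
                if d <= cur or c >= b:
                    continue
                if c > cur:
                    out.append((cur, c))
                cur = max(cur, d)
                if cur >= b:
                    break
            if cur < b:
                out.append((cur, b))
        return self.norm(out)
    def empty(self, r):
        return len(r) == 0

def same_extension(alg, r, s):
    """[[r]] = [[s]], decided with Diff and Empty only."""
    return alg.empty(alg.diff(r, s)) and alg.empty(alg.diff(s, r))

def covered(alg, r, regions):
    """[[r]] lies in the union of the extensions of `regions` (Diff/Empty only)."""
    rest = r
    for s in regions:
        rest = alg.diff(rest, s)
    return alg.empty(rest)

def closure4(alg, max_iter=50):
    """Figure 8: (T, True) on termination, (T, False) if the iteration cap is hit."""
    T = list(alg.P)
    for _ in range(max_iter):
        fresh = [r for r in [alg.pre(s) for s in T]
                 if not any(same_extension(alg, r, t) for t in T)]
        if not fresh:
            return T, True
        T.extend(fresh)                        # duplicates among fresh are harmless
    return T, False

def reach(alg, max_iter=50):
    """Figure 10.  Per observable p, stops when the union of the new extensions is
    covered by the old ones.  Returns {p: (T, terminated)}."""
    result = {}
    for p in alg.P:
        T, done = [p], False
        for _ in range(max_iter):
            fresh = [r for r in [alg.pre(s) for s in T] if not covered(alg, r, T)]
            if not fresh:
                done = True
                break
            T.extend(fresh)
        result[p] = (T, done)
    return result

def distance_classes(alg, states):
    """Finite algebra, Closure4 terminating: u ~4 v iff u, v lie in the same regions."""
    T, done = closure4(alg)
    assert done, "Closure4 did not terminate: not an STS4 system"
    sig = {u: frozenset(i for i, r in enumerate(T) if u in r) for u in states}
    return sorted(sorted(u for u in states if sig[u] == s) for s in set(sig.values()))

# Constructed finite system in the spirit of Figure 7: u and v see the same
# observables at every distance, but u has the trace p p q and v does not.
SUCC = {"u": ["a", "b"], "a": ["c"], "b": ["d"], "c": [], "d": [],
        "v": ["e", "f"], "e": ["g"], "f": ["h"], "g": [], "h": []}
FIG7 = FiniteAlgebra(SUCC, [{"u", "a", "d", "v", "e", "g"}, {"b", "c", "f", "h"}])
FIG9 = IntervalChain([[(0, INF)]])           # Figure 9 chain: every state satisfies p
```

`distance_classes(FIG7, list(SUCC))` puts `u` and `v` into one class although their trace sets differ, which is the Figure 7 point; `closure4(FIG9, max_iter=20)` returns `False` with the 21 regions $[0,\infty), \ldots, [20,\infty)$, while `reach(FIG9)` terminates without a single new region, which is the Figure 9 point. Both termination tests use only Diff and Empty, as the region-algebra interface requires.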
7.2 Symbolic State-Space Exploration: Predecessor Aggregation

The symbolic semi-algorithm Reach of Figure 10 starts from the observables and repeatedly applies the Pre operation, but its termination criterion is more easily met than the termination criterion of the semi-algorithm Closure4; that is, Reach may terminate on more inputs than Closure4. Indeed, we shall show that, if the input is the region algebra of a symbolic transition system $S = (Q, \delta, R, [\![\cdot]\!], P)$, then Reach terminates iff $S$ belongs to the class STS5. Furthermore, upon termination, $u \cong^S_5 v$ iff for each observable $p \in P$ and each region $\sigma \in T^p_i$ (the set computed by Reach for $p$), we have $u \in [\![\sigma]\!]$ iff $v \in [\![\sigma]\!]$.

An alternative characterization of the class STS5 can be given using well-quasi-orders on states [Abdulla et al. 1996; Finkel and Schnoebelen 1998]. A quasi-order on a set $A$ is a reflexive and transitive binary relation on $A$. A well-quasi-order on $A$ is a quasi-order $\preceq$ on $A$ such that for every infinite sequence $a_0, a_1, a_2, \ldots$ of elements $a_i \in A$ there exist indices $i$ and $j$ with $i < j$ and $a_i \preceq a_j$. A set $B \subseteq A$ is upward-closed if for all $b \in B$ and $a \in A$, if $b \preceq a$, then $a \in B$. If $\preceq$ is a well-quasi-order on $A$, then every infinite increasing sequence $B_0 \subseteq B_1 \subseteq B_2 \subseteq \cdots$ of upward-closed sets $B_i \subseteq A$ eventually stabilizes; that is, there exists an index $i \ge 0$ such that $B_j = B_i$ for all $j \ge i$. To see this, we reason by contradiction: if not, then we can find an infinite sequence $b_0 \in B_0$, $b_1 \in B_1 \setminus B_0$, ..., $b_i \in B_i \setminus (B_0 \cup \ldots \cup B_{i-1})$, ... such that there are no indices $i < j$ for which $b_i \preceq b_j$ (otherwise $b_j \in B_i$ by upward closure), contradicting the well-quasi-order property.

Theorem 5A For all symbolic transition systems $S$, the following three conditions are equivalent:
1. $S$ belongs to the class STS5.
2. The symbolic semi-algorithm Reach terminates on the region algebra $R_S$.
3. There is a well-quasi-order $\preceq$ on the states of $S$ such that for all observables $p$ and all nonnegative integers $d$, the set $[\![\exists\Diamond_{\le d}\, p]\!]_S$ is upward-closed.

Proof.
(2 ⇒ 1) Define $u \sim^S_{\le n} v$ if for all observables $p \in P$, for every trace from $u$ with length $m \le n$ and target $p$, there is a trace from $v$ with length at most $m$ and target $p$, and vice versa. Note that $\sim^S_{\le n}$ has finite index for all $n \ge 0$. Suppose that the semi-algorithm Reach terminates, for each observable $p \in P$, in at most $i$ iterations. Then for all $n \ge i$, the equivalence relation $\sim^S_{\le n}$ is equal to $\sim^S_{\le i}$. Since $\cong^S_5$ is equal to $\bigcap\{\sim^S_{\le n} \mid n \ge 0\}$, it has finite index.

(1 ⇒ 3) Define the quasi-order $u \preceq^S_5 v$ if for all observables $p \in P$ and all $n \ge 0$, for every trace from $u$ with length $n$ and target $p$, there is a trace from $v$ with length at most $n$ and target $p$. Then each set $[\![\exists\Diamond_{\le d}\, p]\!]_S$, for an observable $p \in P$ and a nonnegative integer $d \ge 0$, is upward-closed with respect to $\preceq^S_5$. Furthermore, if $\cong^S_5$ has finite index, then $\preceq^S_5$ is a well-quasi-order. This is because $u \cong^S_5 v$ implies $u \preceq^S_5 v$: if there were an infinite sequence $u_0, u_1, u_2, \ldots$ of states such that for all $i \ge 0$ and $j < i$, we have $u_j \not\preceq^S_5 u_i$, then no two of these states would be $\cong^S_5$-equivalent.

(3 ⇒ 2) This part of the proof follows immediately from the stabilization property of well-quasi-orders [Abdulla et al. 1996]: for each observable $p$, the union $\bigcup\{[\![\sigma]\!] \mid \sigma \in T_i\}$ computed by Reach equals $[\![\exists\Diamond_{\le i}\, p]\!]_S$, so these unions form an increasing sequence of upward-closed sets.

[Figure 11: transition-system diagram; state labels not recoverable from the extracted text.] Fig. 11. An STS5 system on which $L^\mu_4$ model checking does not terminate.

7.3 Decidable Properties: Bounded Reachability

Definition: Bounded-reachability logic. The bounded-reachability logic $L^\Diamond_5$ consists of the $L^\Diamond_4$-formulas that are generated by the grammar $\varphi ::= p \mid \varphi \vee \varphi \mid \exists\Diamond_{\le d}\varphi \mid \exists\Diamond\varphi$, for constants $p \in \Pi$ and nonnegative integers $d$. The state logic $\overline{L}^\Diamond_5$ consists of the duals of all $L^\Diamond_5$-formulas.

The following easy facts about bounded-reachability logic and its dual are relevant in our context. First, the state equivalence induced by both $L^\Diamond_5$ and $\overline{L}^\Diamond_5$ is $\cong_5$ (bounded-reach equivalence).
Therefore the conjunction-free temporal logic $L^\Diamond_4$ is more expressive than $L^\Diamond_5$, and $\overline{L}^\Diamond_4$ is more expressive than $\overline{L}^\Diamond_5$. For example, the property that an observable $p$ can be reached in exactly $d$ transitions can be expressed in $L^\Diamond_4$ by the formula $\exists\bigcirc \cdots \exists\bigcirc\, p$ with $d$ next operators, for which there is no equivalent $L^\Diamond_5$-formula. Second, both $L^\Diamond_5$ and $\overline{L}^\Diamond_5$ admit abstraction. Since for STS5 systems the bounded-reach-equivalence quotient can be constructed using the symbolic semi-algorithm Reach, we have the following theorem.

Theorem 5B The $L^\Diamond_5$ and $\overline{L}^\Diamond_5$ model-checking problems are decidable for the class STS5 of symbolic transition systems.

A direct symbolic model-checking semi-algorithm for $L^\Diamond_5$ and, indeed, $L^\Diamond_4$ is easily derived from the semi-algorithm Reach. Then, if Reach terminates, so does model checking for all $L^\Diamond_4$-formulas, including unbounded $\exists\Diamond$ properties. The extension to $L^\Diamond_4$ is possible, because $\exists\bigcirc$ properties pose no threat to termination. However, the same is not true for $L^\mu_4$. Figure 11 shows a symbolic transition system from the class STS5 for which the evaluation of the $L^\mu_4$-formula $(\mu x : p \vee \exists\bigcirc\exists\bigcirc x)$ using the symbolic semi-algorithm ModelCheck does not terminate (note that in this example, the symbolic semi-algorithm Reach with Pre replaced by $Pre^2$, which uses a more relaxed termination criterion, does not terminate either). We show that this is not surprising, as $L^\mu_4$ is undecidable on STS5 systems. To establish this result, we proceed as follows. Given a two-counter machine $M$, we define a symbolic transition system $S_M$ which belongs to the class STS5, and which encodes the computations of $M$ such that the $L^\mu_4$-formula $(\mu x : p_{fin} \vee \exists\bigcirc\exists\bigcirc x)$ characterizes exactly the set of configurations of $M$ from which there is a halting computation.

Let $M = \langle K, C, D, I\rangle$ be a two-counter machine, where $K = \{\ell_0, \ldots, \ell_m\}$ is a finite set of control locations with initial location $\ell_0$ and final location $\ell_m$, the nonnegative integer variables $C$ and $D$ are the two counters, and $I$ is a function that labels each nonfinal location with an instruction (increment a counter, decrement a counter, or test a counter for zero) and a successor location (in the case of a zero-test there are two successor locations). A configuration of $M$ is a triple $\gamma = \langle \ell, c, d\rangle$, where $\ell \in K$ is the value of the program counter, which indicates the current control location, and $c, d \in \mathbb{N}$ are the values of the two counters $C$ and $D$. The configuration $\gamma$ is final if $\ell = \ell_m$. We write $\Gamma$ for the set of configurations of $M$, and $\Gamma_{fin} \subseteq \Gamma$ for the set of final configurations. If $\gamma \notin \Gamma_{fin}$, then $M(\gamma)$ denotes the successor configuration of $\gamma$, which results from $\gamma$ by executing the instruction $I(\ell)$. A computation of $M$ from configuration $\gamma$ is a finite sequence $\gamma_0, \gamma_1, \ldots, \gamma_k$ of configurations such that (1) $\gamma_0 = \gamma$ and (2) $\gamma_{i+1} = M(\gamma_i)$ for all $0 \le i < k$. The computation is halting if $\gamma_k \in \Gamma_{fin}$. The problem of deciding if a two-counter machine has a halting computation from the initial configuration $\langle \ell_0, 0, 0\rangle$ is undecidable [Hopcroft and Ullman 1979].

We define the symbolic transition system $S_M = (Q, \delta, R, [\![\cdot]\!], P)$ which encodes the computations of $M$ as follows.
—The state space $Q = \Gamma \times \{1, 2\}$ contains two copies of each configuration of $M$.
—The transition function $\delta$ is defined as follows: $(\gamma', j') \in \delta(\gamma, j)$ if either (1) $\gamma \notin \Gamma_{fin}$ and $j = 1$ and $\gamma' \in \Gamma_{fin}$ and $j' = 1$ (that is, every copy 1 of a nonfinal configuration has a transition to every copy 1 of a final configuration); or (2) $\gamma \notin \Gamma_{fin}$ and $j = 1$ and $\gamma' = \gamma$ and $j' = 2$ (that is, every copy 1 of a nonfinal configuration has a transition to the copy 2 of the same configuration); or (3) $\gamma \notin \Gamma_{fin}$ and $j = 2$ and $\gamma' = M(\gamma)$ and $j' = 1$ (that is, every copy 2 of a nonfinal configuration has a transition to the copy 1 of the successor configuration).
—The regions in $R$ are the Presburger formulas. More precisely, a region is a first-order formula over the free variables $pc, C, D, J$, where $pc$ is interpreted over the set $K$ of control locations, $C$ and $D$ are interpreted as nonnegative integers, and $J$ is interpreted over the set $\{1, 2\}$. The program counter $pc$ occurs only in atomic subformulas of the form $pc = \ell$, for constants $\ell \in K$; the two counters $C$ and $D$ occur only in atomic subformulas from $(\mathbb{N}, =, +, 0, 1)$; and the copy designator $J$ occurs only in atomic subformulas of the form $J = 1$ or $J = 2$. The extension of a region $\sigma$ is the set of states that satisfy the formula $\sigma$.
—The only observables in $P$ are the formula $pc = \ell_m$, which we abbreviate to $p_{fin}$, and its negation. Note that $[\![p_{fin}]\!] = \Gamma_{fin} \times \{1, 2\}$.

We now establish three properties of $S_M$.

Lemma 5a $S_M$ is a symbolic transition system.

Proof. The Presburger formulas are trivially closed under all boolean operations, and the emptiness (satisfiability) and membership (satisfaction) problems are decidable for the Presburger formulas [Cooper 1972; Berman 1980]. So, it remains to be shown that for every Presburger formula $\sigma$, we can construct a Presburger formula $Pre(\sigma)$ such that a state $(\gamma, j)$ satisfies $Pre(\sigma)$ iff there is a state $(\gamma', j') \in \delta(\gamma, j)$ which satisfies $\sigma$. Following the definition of $\delta$, we construct $Pre(\sigma)$ as a disjunction of three parts. The first two parts are simple and left to the reader. The third part is a disjunction over all instructions of $M$. Suppose that in location $\ell_i$, the instruction $C := C + 1$ is executed and leads to location $\ell_{i+1}$. Then the corresponding disjunct of $Pre(\sigma)$ is
$(\exists pc', C', D', J' : pc = \ell_i \wedge J = 2 \wedge pc' = \ell_{i+1} \wedge C' = C + 1 \wedge D' = D \wedge J' = 1 \wedge \sigma[pc, C, D, J := pc', C', D', J'])$,
where the last conjunct results from $\sigma$ by replacing the four free variables with their primed versions.
Lemma 5b The symbolic transition system $S_M$ is in the class STS5.

Proof. We show that the symbolic semi-algorithm Reach terminates for both observables in $P$. Every state that can reach a state in $[\![p_{fin}]\!]$ can do so in at most two transitions, because the first copy of every nonfinal configuration has a transition to the first copy of every final configuration. Every state that can reach a state in $[\![\overline{p_{fin}}]\!]$ can do so in zero transitions, that is, $[\![Pre(\overline{p_{fin}})]\!] \subseteq [\![\overline{p_{fin}}]\!]$, because there are no outgoing transitions from final configurations.

Lemma 5c For all configurations $\gamma$ of $M$, there exists a halting computation of $M$ from $\gamma$ iff the symbolic transition system $S_M$ has a trace from $(\gamma, 1)$ with even length and target $p_{fin}$.

Proof. The left-to-right direction follows directly from the construction of $S_M$. For the right-to-left direction, we reason by induction on the even length $k$ of the trace. Base case ($k = 0$): the configuration $\gamma$ itself is final, and therefore there is a halting computation (of length 0) from $\gamma$. Inductive case ($k > 0$): by the construction of $S_M$, the configuration $\gamma$ cannot be final, and a trace from $(\gamma, 1)$ with length $k$ and target $p_{fin}$ must begin with the three states $(\gamma, 1), (\gamma, 2), (M(\gamma), 1)$ followed by an even number of transitions. By the induction hypothesis, there is a halting computation of $M$ from $M(\gamma)$, and therefore also from $\gamma$.

This reduces the halting problem for a two-counter machine $M$ to the problem of checking if the state $(\langle \ell_0, 0, 0\rangle, 1)$ of the symbolic transition system $S_M$ satisfies the $L^\mu_4$-formula $(\mu x : p_{fin} \vee \exists\bigcirc\exists\bigcirc x)$.

Theorem 5B* The $L^\mu_4$ and $\overline{L}^\mu_4$ model-checking problems are undecidable for the class STS5 of symbolic transition systems.

[Figure 12: a chain $q \leftarrow u_0 \leftarrow u_1 \leftarrow \cdots$, with each $u_i$ labelled $p$.] Fig. 12. Reach equivalence is coarser than bounded-reach equivalence.
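To see the encoding concretely, the following Python program (an added example, not the paper's code) builds $S_M$ explicitly for a small constructed two-counter machine and checks Lemma 5c by bounded breadth-first search. Rule (1) of $\delta$, the jump to every copy 1 of a final configuration, is represented by a single token `FIN` standing for "some copy 1 of a final configuration", which is all that reachability of $p_{fin}$ needs. Computation length is bounded by a fuel parameter, so a "does not halt" answer holds only for the given bound; that bound, the instruction format, the clamping of a decrement at zero, and all names are our assumptions.

```python
"""The encoding S_M of a two-counter machine M (Section 7.3), built explicitly for
a constructed machine, and Lemma 5c checked by bounded search.  Added example."""

# Constructed machine.  Instruction forms (our notation, not the paper's):
#   ('inc', X, next)                     X := X + 1, go to next
#   ('dec', X, next)                     X := X - 1, go to next
#   ('zero', X, if_zero, if_nonzero)     branch on X == 0
# l0..l2 move counter C into D and halt in l3; l4 increments C forever.
# Assumption: 'dec' is only reached after a nonzero test, so we clamp at 0.
FINAL = "l3"
M = {
    "l0": ("zero", "C", FINAL, "l1"),
    "l1": ("dec", "C", "l2"),
    "l2": ("inc", "D", "l0"),
    "l4": ("inc", "C", "l4"),
}

def step(gamma):
    """M(gamma): the unique successor of a nonfinal configuration (loc, c, d)."""
    loc, c, d = gamma
    ins, cnt = M[loc], {"C": c, "D": d}
    if ins[0] == "inc":
        cnt[ins[1]] += 1
        nxt = ins[2]
    elif ins[0] == "dec":
        cnt[ins[1]] = max(0, cnt[ins[1]] - 1)
        nxt = ins[2]
    else:
        nxt = ins[2] if cnt[ins[1]] == 0 else ins[3]
    return (nxt, cnt["C"], cnt["D"])

def halts(gamma, fuel=10_000):
    """Halting computation from gamma within `fuel` steps (the bound is ours)."""
    for _ in range(fuel):
        if gamma[0] == FINAL:
            return True
        gamma = step(gamma)
    return False

FIN = ("FIN", 1)   # stands for every copy 1 of a final configuration (rule 1)

def successors(state):
    """delta of S_M on states (gamma, j), j in {1, 2}; final states have none."""
    gamma, j = state
    if state == FIN or gamma[0] == FINAL:
        return []
    if j == 1:                       # rules (1) and (2)
        return [FIN, (gamma, 2)]
    return [(step(gamma), 1)]        # rule (3)

def is_fin(state):
    """Does the state satisfy the observable p_fin?"""
    return state == FIN or state[0][0] == FINAL

def reaches_fin(gamma, parity, max_len=10_000):
    """Is there a trace from (gamma, 1) whose length n has n % 2 == parity and
    whose target satisfies p_fin?  Breadth-first search, bounded by max_len."""
    frontier = {(gamma, 1)}
    for n in range(max_len + 1):
        if n % 2 == parity and any(is_fin(s) for s in frontier):
            return True
        frontier = {t for s in frontier for t in successors(s)}
        if not frontier:
            return False
    return False

def lemma_5c_holds(gammas):
    """Lemma 5c on the given configurations: halting iff even-length trace to p_fin."""
    return all(halts(g) == reaches_fin(g, 0) for g in gammas)
```

`reaches_fin(gamma, 1)` is true for every nonfinal `gamma`, since rule (1) puts $p_{fin}$ one transition away from every copy 1; that shortcut is what keeps Reach terminating (Lemma 5b) and is also why only the even-length traces, which are forced through copy 2 and hence through $M(\gamma)$, carry information about halting.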
7.4 Example: Networks of Timed Automata

A network of timed automata [Abdulla and Jonsson 1998] consists of a finite-state controller and an arbitrarily large set of identical 1D timed automata. The continuous evolution of the system increases the values of all variables. The discrete transitions of the system are specified by a set of synchronization rules. Formally, a network of timed automata is a triple $(C, H, \Lambda)$, where $C$ is a finite set of controller locations, $H$ is a 1D timed automaton, and $\Lambda$ is a finite set of rules of the form $r = (\langle c, c'\rangle, e_1, \ldots, e_n)$, where $c, c' \in C$ and $e_1, \ldots, e_n$ are jumps of $H$. The rule $r$ is enabled if the controller location is $c$ and there are $n$ timed automata $H_1, \ldots, H_n$ whose states are such that the jumps $e_1, \ldots, e_n$, respectively, can be performed. The rule $r$ is executed by simultaneously changing the controller location to $c'$ and the state of each $H_i$, for $1 \le i \le n$, according to the jump $e_i$. The following result is proved in [Abdulla and Jonsson 1998].

Theorem 5C The networks of timed automata belong to the class STS5. There is a network of timed automata that does not belong to STS4.

8. GENERAL SYMBOLIC TRANSITION SYSTEMS

For studying reachability questions on symbolic transition systems, it is natural to consider the following fragment of bounded-reachability logic.

Definition: Reachability logic. The reachability logic $L^\Diamond_6$ consists of the $L^\Diamond_5$-formulas that are generated by the grammar $\varphi ::= p \mid \varphi \vee \varphi \mid \exists\Diamond\varphi$, for constants $p \in \Pi$.

The reachability logic $L^\Diamond_6$ induces the state equivalence $\cong_6$, which can be defined as follows.

Definition: Reach equivalence. Let $S$ be a transition system. Two states $u$ and $v$ of $S$ are reach equivalent, denoted $u \cong^S_6 v$, if for every trace from $u$ with target $p$, there is a trace from $v$ with target $p$, and vice versa. The state equivalence $\cong_6$ is called reach equivalence.
Reach equivalence is coarser than bounded-reach equivalence: in Figure 12, all states $u_i$, for $i \ge 0$, are reach equivalent, but no two of them are bounded-reach equivalent. Therefore the reachability logic $L^\Diamond_6$ is less expressive than the bounded-reachability logic $L^\Diamond_5$. For every symbolic transition system $S$ with $k$ observables, the reach-equivalence relation $\cong^S_6$ has at most $2^k$ equivalence classes and, therefore, finite index. Since the reachability problem is undecidable for many kinds of symbolic transition systems (including Turing machines and polyhedral hybrid automata [Alur et al. 1995]), it follows that there cannot be a general algorithm for computing the reach-equivalence quotient of symbolic transition systems.

REFERENCES

Abdulla, P. and Jonsson, B. 1998. Verifying networks of timed automata. In TACAS 98: Tools and Algorithms for the Construction and Analysis of Systems. Lecture Notes in Computer Science 1384. Springer-Verlag, 298–312.
Abdulla, P., Čerāns, K., Jonsson, B., and Tsay, Y.-K. 1996. General decidability theorems for infinite-state systems. In Proceedings of the 11th Annual Symposium on Logic in Computer Science. IEEE Computer Society Press, 313–321.
Alur, R., Courcoubetis, C., Halbwachs, N., Henzinger, T., Ho, P.-H., Nicollin, X., Olivero, A., Sifakis, J., and Yovine, S. 1995. The algorithmic analysis of hybrid systems. Theoretical Computer Science 138, 3–34.
Alur, R. and Dill, D. 1994. A theory of timed automata. Theoretical Computer Science 126, 183–235.
Alur, R. and Henzinger, T. 1998. Computer-Aided Verification: An Introduction to Model Building and Model Checking for Concurrent Systems. Draft.
Alur, R., Henzinger, T., and Ho, P.-H. 1996. Automatic symbolic verification of embedded systems. IEEE Transactions on Software Engineering 22, 181–201.
Berman, L. 1980. The complexity of logical theories. Theoretical Computer Science 11, 71–77.
Bhat, G. and Cleaveland, R. 1996. Efficient model checking via the equational µ-calculus. In Proceedings of the 11th Annual Symposium on Logic in Computer Science. IEEE Computer Society Press, 304–312.
Bouajjani, A., Fernandez, J.-C., and Halbwachs, N. 1990. Minimal model generation. In CAV 90: Computer-Aided Verification. Lecture Notes in Computer Science 531. Springer-Verlag, 197–203.
Browne, M., Clarke, E.M., and Grumberg, O. 1988. Characterizing finite Kripke structures in propositional temporal logic. Theoretical Computer Science 59, 115–131.
Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L., and Hwang, L.J. 1992. Symbolic model checking: $10^{20}$ states and beyond. Information and Computation 98, 142–170.
Bustan, D. and Grumberg, O. 2003. Simulation-based minimization. ACM Transactions on Computational Logic 4, 181–206.
Clarke, E.M., Grumberg, O., and Long, D. 1994. Verification tools for finite-state concurrent systems. In A Decade of Concurrency: Reflections and Perspectives. Lecture Notes in Computer Science 803. Springer-Verlag, 124–175.
Cleaveland, R., Klein, M., and Steffen, B. 1992. Faster model checking for the modal µ-calculus. In CAV 92: Computer-Aided Verification. Lecture Notes in Computer Science 663. Springer-Verlag, 410–422.
Cooper, D.C. 1972. Theorem proving in arithmetic without multiplication. Machine Intelligence 7, 91–100.
Cousot, P. and Cousot, R. 1977. Abstract interpretation: A unified lattice model for the static analysis of programs by construction or approximation of fixpoints. In Proceedings of the Fourth Annual Symposium on Principles of Programming Languages. ACM Press, 238–252.
Dam, M. 1994. CTL* and ECTL* as fragments of the modal µ-calculus. Theoretical Computer Science 126, 77–96.
Emerson, E. 1990. Temporal and modal logic. In Handbook of Theoretical Computer Science, J. van Leeuwen, Ed. Vol. B. Elsevier Science Publishers, 995–1072.
Emerson, E., Jutla, C., and Sistla, A. 1993. On model checking for fragments of µ-calculus. In CAV 93: Computer-Aided Verification. Lecture Notes in Computer Science 697. Springer-Verlag, 385–396.
Emerson, E., Jutla, C., and Sistla, A. 2001. On model checking for the µ-calculus and its fragments. Theoretical Computer Science 258, 491–522.
Emerson, E. and Lei, C. 1986. Efficient model checking in fragments of the propositional µ-calculus. In Proceedings of the First Annual Symposium on Logic in Computer Science. IEEE Computer Society Press, 267–278.
Finkel, A. and Schnoebelen, P. 1998. Well-structured transition systems everywhere. Tech. Rep. LSV-98-4, Laboratoire Spécification et Vérification, ENS de Cachan, France.
Henzinger, M., Henzinger, T., and Kopke, P. 1995. Computing simulations on finite and infinite graphs. In Proceedings of the 36th Annual Symposium on Foundations of Computer Science. IEEE Computer Society Press, 453–462.
Henzinger, T. 1995. Hybrid automata with finite bisimulations. In ICALP 95: Automata, Languages, and Programming. Lecture Notes in Computer Science 944. Springer-Verlag, 324–335.
Henzinger, T. 1996. The theory of hybrid automata. In Proceedings of the 11th Annual Symposium on Logic in Computer Science. IEEE Computer Society Press, 278–292.
Henzinger, T., Ho, P.-H., and Wong-Toi, H. 1995. HyTech: The next generation. In Proceedings of the 16th Annual Real-time Systems Symposium. IEEE Computer Society Press, 56–65.
Henzinger, T. and Kopke, P. 1996. State equivalences for rectangular hybrid automata. In CONCUR 96: Concurrency Theory. Lecture Notes in Computer Science 1119. Springer-Verlag, 530–545.
Henzinger, T., Kopke, P., Puri, A., and Varaiya, P. 1998. What's decidable about hybrid automata? Journal of Computer and System Sciences 57, 94–124.
Henzinger, T. and Majumdar, R. 2000. Symbolic model checking for rectangular hybrid systems. In TACAS 00: Tools and Algorithms for the Construction and Analysis of Systems. Lecture Notes in Computer Science 1785. Springer-Verlag, 142–156.
Henzinger, T., Nicollin, X., Sifakis, J., and Yovine, S. 1994. Symbolic model checking for real-time systems. Information and Computation 111, 193–244.
Hopcroft, J. and Ullman, J. 1979. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley Publishing Company.
Janin, D. and Walukiewicz, I. 1996. On the expressive completeness of the propositional µ-calculus with respect to the monadic second order logic. In CONCUR 96: Concurrency Theory. Lecture Notes in Computer Science 1119. Springer-Verlag, 263–277.
Kanellakis, P. and Smolka, S. 1990. CCS expressions, finite-state processes, and three problems of equivalence. Information and Computation 86, 43–68.
Kozen, D. 1983. Results on the propositional µ-calculus. Theoretical Computer Science 27, 333–354.
Lamport, L. 1974. A new solution of Dijkstra's concurrent programming problem. Communications of the ACM 17, 453–455.
Loiseaux, C., Graf, S., Sifakis, J., Bouajjani, A., and Bensalem, S. 1995. Property-preserving abstractions for the verification of concurrent systems. Formal Methods in System Design 6, 11–44.
Milner, R. 1971. An algebraic definition of simulation between programs. In Second International Joint Conference on Artificial Intelligence. The British Computer Society, 481–489.
Thomas, W. 1990. Automata on infinite objects. In Handbook of Theoretical Computer Science, J. van Leeuwen, Ed. Vol. B. Elsevier Science Publishers, 133–191.
van Glabbeek, R. 1990. Comparative Concurrency Semantics and Refinement of Actions. Ph.D. Thesis, Vrije Universiteit te Amsterdam, The Netherlands.
Wolper, P. 1983. Temporal logic can be more expressive. Information and Control 56, 72–99.

Received January 2001; revised July 2002; accepted June 2003