On ACTL Formulas Having Deterministic Counterexamples

INFSYS RESEARCH REPORT
Institut für Informationssysteme, Abtg. Wissensbasierte Systeme, Technische Universität Wien, Treitlstraße 3, A-1040 Wien, Austria. Tel: +43-1-58801-18405, Fax: +43-1-58801-18493, [email protected], www.kr.tuwien.ac.at

ON ACTL FORMULAS HAVING DETERMINISTIC COUNTEREXAMPLES

Francesco BUCCAFURRI, Georg GOTTLOB, Thomas EITER, Nicola LEONE

INFSYS RESEARCH REPORT 1843-99-01, JANUARY 1999



INFSYS RESEARCH REPORT 1843-99-01, JANUARY 1999

ON ACTL FORMULAS HAVING DETERMINISTIC COUNTEREXAMPLES

Francesco Buccafurri (1), Thomas Eiter (2), Georg Gottlob (3), Nicola Leone (3)

Abstract. In case an ACTL formula $\varphi$ fails over a labeled transition graph $M$, it is most useful to provide a counterexample, i.e., a computation tree of $M$ witnessing the failure. If there exists a single path in $M$ which by itself witnesses the failure of $\varphi$, then $\varphi$ has a deterministic counterexample. We show that, given $M$ and $\varphi$, where $M \not\models \varphi$, it is NP-hard to determine whether there exists a deterministic counterexample. Moreover, it is PSPACE-hard to decide whether an ACTL formula $\varphi$ always admits a deterministic counterexample if it fails. This means that there exists no simple characterization of the ACTL formulas that guarantee deterministic counterexamples. Consequently, we study templates of ACTL formulas, i.e., skeletons of modal formulas whose atoms are disregarded. We identify the (unique) maximal set $\mathrm{DET}$ of templates whose instances (obtained by replacing atoms with arbitrary pure state formulas) always guarantee deterministic counterexamples. We show that for each ACTL formula $\varphi$ which is an instance of a template $\tau \in \mathrm{DET}$, and for each Kripke structure $M$ such that $M \not\models \varphi$, a single path of $M$ witnessing the failure by itself can be computed in polynomial time.

(1) DIMET, Università di Reggio Calabria, I-89100 Reggio Calabria, Italy. E-mail: [email protected]

(2) Institut und Ludwig Wittgenstein Labor für Informationssysteme, Technische Universität Wien, Treitlstraße 3, A-1040 Wien, Austria. E-mail: [email protected]

(3) Institut und Ludwig Wittgenstein Labor für Informationssysteme, Technische Universität Wien, Paniglgasse 16, A-1040 Wien, Austria. E-mail: (leone|gottlob)@dbai.tuwien.ac.at

Copyright © 1999 by the authors


Contents

1 Introduction
1.1 Counterpaths and deterministic counterexamples
1.2 Deterministic counterexamples may not exist
1.3 Main research questions addressed
1.4 Main results
1.5 Structure of the paper

2 Preliminaries

3 Multi-Paths and Counterexamples
3.1 Multi-Paths
3.2 Counterexamples

4 Deterministic Counterexamples
4.1 Deterministic counterexamples and c-deterministic formulas
4.2 Complexity of recognizing c-deterministic formulas
4.3 ACTL templates

5 Templates in DET are c-deterministic
5.1 Computing a counterpath for DET-instances

6 All c-deterministic Templates are in DET

7 Discussion and Conclusion


1 Introduction

ACTL is a well-known fragment of Computation Tree Logic (CTL), a propositional branching-time temporal logic [2]; see [7, 6] for a rich background on this and further such logics. ACTL formulas are specified and evaluated over Kripke structures, which model finite-state systems. Besides Boolean connectives, ACTL provides linear-time and branching-time operators. The linear-time operators express properties of a particular evolution of the system, given by a series of events in time. Branching-time operators take into account the existence of multiple possible future scenarios, starting from a given system state at a point in time. The temporal order defines an evolution tree, which branches from that point towards the future. Thus, every point in time has a unique past but, in general, more than one future. Each branch of the tree amounts to a particular evolution series.

The elementary linear-time operators are $X$ (next time), $U$ (until), and $V$ (unless, releases). Informally, $X\varphi$ means that $\varphi$ is true at the next point in time; $\varphi_1 U \varphi_2$ means that $\varphi_1$ is true until $\varphi_2$ is true; and $\varphi_1 V \varphi_2$ means that $\varphi_2$ has to hold until (and including the point where) $\varphi_1$ becomes true, i.e., the truth of $\varphi_1$ releases the obligation on $\varphi_2$ (see item 8 of Definition 2.4). Further operators such as $F\varphi$ (sometimes $\varphi$) and $G\varphi$ (always $\varphi$) can be derived from the elementary operators. ACTL has the branching-time operator $A$, by which it is possible to express necessary properties of an evolution tree. Informally, $A\varphi$ means that $\varphi$ is true for all branches of the tree. Note that full CTL also provides the dual operator $E$ for expressing possible properties (true along some branch).

1.1 Counterpaths and deterministic counterexamples

The task of an automatic ACTL model checker is the verification of a given ACTL formula $\varphi$ on a Kripke structure $M$. In case $M$ does not satisfy $\varphi$ (denoted by $M \not\models \varphi$), the more advanced implemented model checkers (e.g., McMillan's SMV system [10]) provide more information. In particular, as a witness for the failure, a finite representation of an infinite computation path $\pi$ of $M$ is provided. This path represents a counterexample to $\varphi$ in $M$. In the ideal case, such a path $\pi$ witnesses by itself that $M \not\models \varphi$; in other terms, all information needed to disprove $M \models \varphi$ is already contained in $\pi$. In this case, we call $\pi$ a counterpath.

To make the above concepts precise, we give in Section 3 a formal definition of the concept of counterexample. Roughly, a counterexample to an ACTL formula $\varphi$ on a structure $M$ is a computation tree, represented as a multi-path, disproving that $M \models \varphi$. In case this multi-path has no true branching, and thus actually represents a unique path, we speak of a deterministic counterexample. A counterpath for $\varphi$ in $M$ is then the unique path corresponding to a deterministic counterexample. Note that if there exists such a counterpath $\pi$, then $M_\pi \not\models \varphi$, where $M_\pi$ is the Kripke structure induced by $\pi$, i.e., the structure whose states are all those states of $M$ that also occur in $\pi$, labeled as in $M$, and whose transitions are those that occur in $\pi$.

Example 1.1 Let $M$ be the labeled transition graph in Figure 1, and consider the formula $\varphi = A(\mathit{true}\,U\,a_1)$, which can be written shortly as $AFa_1$.

Figure 1: Labeled transition graph representing structure $M$ (initial state $s_0$); labels $L(s_0) = \emptyset$, $L(s_1) = \{a_2\}$, $L(s_2) = \{a_1\}$.


It holds that $M \not\models \varphi$: along the path $\pi = [s_0, s_1, s_1, \ldots]$, the atom $a_1$ is false at each stage $\pi(i)$ of $\pi$, $i \geq 0$. This implies $M, \pi \models \neg Fa_1$. Thus, $\pi$ witnesses the failure of $\varphi$ in $M$. Note that the information contained in $\pi$ alone is sufficient for disproving $\varphi$; we do not have to consider elements of $M$ (states or transitions) outside $\pi$ to show that $M \not\models \varphi$. Thus $\pi$ is a counterpath for $\varphi$.

1.2 Deterministic counterexamples may not exist

A counterpath provides very useful, compactly presented, and self-contained information to a system designer or verifier, allowing them to locate a design error quickly. It would thus be most desirable to be able to compute a (representation of a) counterpath in polynomial time whenever an ACTL formula $\varphi$ fails over a structure $M$.

Unfortunately, as shown by the example below, if $M \not\models \varphi$, a counterpath (or, equivalently, a deterministic counterexample) does not necessarily exist.

Figure 2: Another transition graph representing structure $M$ (initial state $s_0$); labels $L(s_0) = \{a\}$, $L(s_1) = \emptyset$, $L(s_2) = \{a\}$.

Example 1.2 Let $M$ be the labeled transition graph in Figure 2. Consider the formula $\varphi = A(\mathit{true}\,U\,A(\mathit{false}\,V\,a))$, which can be abbreviated as $AFAGa$. It is easy to verify that $M \not\models \varphi$. Indeed, there is a path $\pi = [s_0, s_0, \ldots]$ starting from the initial state along which the nested formula $AGa$ never holds, as, for each $i \geq 0$, there exists a path starting at $\pi(i)$ on which $a$ is sometimes false (e.g., on the path $\pi' = [s_0, s_1, s_2, s_2, \ldots]$, $a$ is false at $s_1$). The path $\pi$ itself is not a complete counterexample. To disprove that $M \models \varphi$, it is necessary to consider a further path for each state of $\pi$ (here always $s_0$) in order to show that the subformula $AGa$ does not hold. This gives rise to a multi-path $\Pi$, which we write as follows: $\Pi = [[s_0, s_1, s_2, s_2, \ldots], [s_0, s_1, s_2, s_2, \ldots], \ldots]$. This multi-path $\Pi$ is a counterexample for $\varphi$ in $M$, and not the single path $\pi$. Note that $\Pi$ is not a deterministic counterexample, but a truly branching infinite tree. Note, furthermore, that no single path is a counterexample for $\varphi$. Therefore, no deterministic counterexample exists in this case, and thus no counterpath witnessing that $M \not\models \varphi$ exists.

Besides the above very simple example, many other cases can be found in which each counterexample is a truly branching computation tree. They include formulas of the shape $AF\varphi \lor AF\psi$ (e.g., $AFa_1 \lor AFa_2$ on the structure $M$ in Fig. 1), $AF(AG\varphi \lor AG\neg\varphi)$, which informally states that any evolution must commit at some point to a condition $\varphi$ being true or false, and $AF\varphi \lor AG\psi$, which states that either $\varphi$ becomes true at some stage or $\psi$ always holds.

Thus, in many cases the "counterexample path" output by an ACTL model checker such as McMillan's system [10] is not a complete counterexample, but only one path, usually the main path or "backbone", of a counterexample. Such a path may help to track the design or implementation error, but it does not by itself necessarily explain why the formula fails, and one may need to consider states and transitions outside that path in order to track the flaw.


Table 1: BNF grammar for deterministic templates (⋆ is the placeholder for a pure state formula)

DET  ::= PSF | (DET ∧ DET) | (DET ∨ PSF) | (PSF ∨ DET) | AX(DET) | A(PSF V DET) | UDET
UDET ::= A(DET U PSF) | A(PSF U UDET) | (UDET ∨ PSF) | (PSF ∨ UDET)
PSF  ::= (PSF ∧ PSF) | (PSF ∨ PSF) | ¬(PSF) | ⋆

1.3 Main research questions addressed

Given that deterministic counterexamples (and counterpaths) are useful, but do not always exist, the following questions naturally arise:

• Is there an efficient method of deciding whether an ACTL formula $\varphi$ has a deterministic counterexample (and thus a counterpath) on a given Kripke structure $M$, where $M \not\models \varphi$?

• Is there a simple characterization of those ACTL formulas which guarantee deterministic counterexamples? In other terms, is there an efficient method for telling whether a formula $\varphi$ has the property that whenever $M \not\models \varphi$ holds for a structure $M$, then there exists a deterministic counterexample (and thus a counterpath) witnessing this?

• If the above fails, how can we efficiently identify large classes of formulas that guarantee deterministic counterexamples?

• Can we efficiently compute deterministic counterexamples in case they exist? If this is not generally possible, then maybe for large classes of ACTL formulas?

1.4 Main results

Our main results are shortly summarized as follows:

• We give, in Sections 3 and 4, a precise definition of the concept of deterministic counterexample and of the related concept of counterpath.

• We show that, given $M$ and $\varphi$ where $M \not\models \varphi$, it is NP-hard to determine whether there exists a deterministic counterexample (Theorem 4.2).

• As a consequence, even in case counterpaths exist, computing a counterpath is a hard problem. Therefore, unless NP = P, for every ACTL model checker $MC$ that works in polynomial time and produces "single-path counterexamples" in case of failure, there exist infinitely many Kripke structures $M$ and formulas $\varphi$ such that $M \not\models \varphi$ and the counterexample path output by $MC$ represents a partial (and not a complete) counterexample even though there exists a counterpath (i.e., a path representing a complete counterexample).

• It is PSPACE-hard to decide whether an ACTL formula $\varphi$ always admits a deterministic counterexample in case of failure (Theorem 4.1). This means that there exists no simple characterization of the ACTL formulas that guarantee deterministic counterexamples.

• Consequently, we study templates of ACTL formulas, i.e., skeletons of modal formulas whose atoms are disregarded and replaced by the symbol $\star$. As the main result of this paper, we identify the (unique) maximal set $\mathrm{DET}$ of templates whose instances, obtained by replacing the $\star$'s with arbitrary pure state formulas, always guarantee deterministic counterexamples (Theorem 4.3). The set $\mathrm{DET}$ of templates is given by the BNF grammar in Table 1. For example, the templates $AX(\star)$, $A(\star\,V\,AX(\star))$ and $(\star \land A(\star\,V\,AX(\star)))$ are in $\mathrm{DET}$, as well as $A(\star\,U\,\star)$, $A(\star\,U\,A(\star\,U\,\star))$ and $A(A(\star\,V\,AX(\star))\,U\,(\star \land \star))$. On the other hand, the template $A(\star\,U\,A(\star\,V\,\star))$ of the formula $\varphi = A(\mathit{true}\,U\,A(\mathit{false}\,V\,a))$ in Example 1.2 is not in $\mathrm{DET}$, and neither is the template $(A(\star\,U\,\star) \lor A(\star\,U\,\star))$ of the formula $A(\mathit{true}\,U\,a_1) \lor A(\mathit{true}\,U\,a_2) = AFa_1 \lor AFa_2$ mentioned above, since the grammar admits a disjunction only if one disjunct is a pure state formula.

Obviously, it is recognizable in polynomial time (and in fact in linear time) whether a template belongs to $\mathrm{DET}$, and whether an ACTL formula $\varphi$ is an instance of some template in $\mathrm{DET}$. In particular, we prove:

• If $\varphi$ is an instance of a template $\tau \in \mathrm{DET}$, then, for each structure $M$ such that $M \not\models \varphi$, there exists a deterministic counterexample, and thus a counterpath in $M$ witnessing this failure.

• If $\tau$ is a template not contained in $\mathrm{DET}$, then there exist an instance $\varphi$ of $\tau$ and a structure $M$ such that $M \not\models \varphi$ but there exists no deterministic counterexample for $\varphi$ in $M$.

• We show that for each ACTL formula $\varphi$ which is an instance of a template $\tau \in \mathrm{DET}$, and for each Kripke structure $M$ such that $M \not\models \varphi$, a counterpath, i.e., a single path of $M$ witnessing the failure, can be computed in polynomial time.
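The membership test that Section 1.4 calls linear-time recognizable is a direct recursive descent over the grammar of Table 1. The following Python is an added illustration and not code from the report: it encodes templates and formulas as nested tuples (a representation chosen for this example), memoizes the three nonterminals so that each subterm is classified once, and derives a formula's template by replacing its atoms (and the shorthands true/false) with ⋆. The function and constructor names are this example's own.

```python
from functools import lru_cache

# Templates and formulas as nested tuples (a representation chosen for this example):
#   ('star',) placeholder | ('atom', p) | ('true',) | ('false',)
#   ('not', t) | ('and', t, u) | ('or', t, u) | ('AX', t) | ('AU', t, u) | ('AV', t, u)
# where ('AU', t, u) stands for A(t U u) and ('AV', t, u) for A(t V u).
STAR = ('star',)

@lru_cache(maxsize=None)
def is_psf(t):
    """PSF ::= (PSF ∧ PSF) | (PSF ∨ PSF) | ¬(PSF) | ⋆"""
    op = t[0]
    if op == 'star':
        return True
    if op == 'not':
        return is_psf(t[1])
    if op in ('and', 'or'):
        return is_psf(t[1]) and is_psf(t[2])
    return False

@lru_cache(maxsize=None)
def is_udet(t):
    """UDET ::= A(DET U PSF) | A(PSF U UDET) | (UDET ∨ PSF) | (PSF ∨ UDET)"""
    op = t[0]
    if op == 'AU':
        return (is_det(t[1]) and is_psf(t[2])) or (is_psf(t[1]) and is_udet(t[2]))
    if op == 'or':
        return (is_udet(t[1]) and is_psf(t[2])) or (is_psf(t[1]) and is_udet(t[2]))
    return False

@lru_cache(maxsize=None)
def is_det(t):
    """DET ::= PSF | (DET ∧ DET) | (DET ∨ PSF) | (PSF ∨ DET) | AX(DET) | A(PSF V DET) | UDET"""
    if is_psf(t) or is_udet(t):
        return True
    op = t[0]
    if op == 'and':
        return is_det(t[1]) and is_det(t[2])
    if op == 'or':
        return (is_det(t[1]) and is_psf(t[2])) or (is_psf(t[1]) and is_det(t[2]))
    if op == 'AX':
        return is_det(t[1])
    if op == 'AV':
        return is_psf(t[1]) and is_det(t[2])
    return False

def template_of(f):
    """Skeleton of an ACTL formula: every atom, and the shorthands true/false, becomes ⋆."""
    if f[0] in ('atom', 'true', 'false', 'star'):
        return STAR
    return (f[0],) + tuple(template_of(g) for g in f[1:])

def guarantees_counterpath(f):
    """True iff f is an instance of a template in DET, i.e. (by the result stated above)
    every structure M with M |/= f has a deterministic counterexample and hence a counterpath."""
    return is_det(template_of(f))

# Shorthands used in the report: AF f = A(true U f), AG f = A(false V f)
def AF(f):
    return ('AU', ('true',), f)

def AG(f):
    return ('AV', ('false',), f)
```

Because PSF is closed under the Boolean connectives, collapsing every maximal pure state subformula to a single ⋆ would give the same verdict; the code keeps the Boolean structure and lets the PSF rule absorb it. With memoization each (predicate, subterm) pair is evaluated once, which is the linear bound the text claims.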

1.5 Structure of the paper

After this introduction, some preliminaries and notation are given in Section 2. In Section 3, the formal definition of counterexamples is provided, for which multi-paths are introduced. Thereafter, we turn our attention in Section 4 to deterministic counterexamples and multi-paths. After proving that recognizing c-deterministic ACTL formulas is intractable, we define the class $\mathrm{DET}$ of templates; furthermore, we formally state the characterization of c-deterministic templates, which is the first main result of this paper. Sections 5 and 6 are devoted to the proof of this result and to the computation of counterpaths for $\mathrm{DET}$-instances, which is the second main result. The paper is closed in Section 7 with a discussion and an outlook on future work.

2 Preliminaries

Definition 2.1 (ACTL formulas) Let $A$ be a set of atomic propositions. Then, ACTL is the set of state formulas on $A$ inductively defined as follows:

(1) Any Boolean formula over atoms from $A$ built using the connectives $\land$, $\lor$ and $\neg$ is a pure state formula; every pure state formula is a state formula.

(2) If $\varphi$ and $\psi$ are state formulas, then $(\varphi \lor \psi)$ and $(\varphi \land \psi)$ are state formulas.

(3) If $\varphi$ and $\psi$ are state formulas, then $X\varphi$, $\varphi U \psi$ and $\varphi V \psi$ are path formulas.

(4) If $\varphi$ is a path formula, then $A(\varphi)$ is a state formula. □

Intuitively, path formulas describe properties of evolution series because they use the temporal operators next time, until, and unless.

Notation. For any sets $D_1$ and $D_2$ of formulas, we shall use the following notation:

$AX(D_1) = \{AX(\psi) \mid \psi \in D_1\}$;
$AU(D_1, D_2) = \{A(\psi_1 U \psi_2) \mid \psi_1 \in D_1, \psi_2 \in D_2\}$;
$AV(D_1, D_2) = \{A(\psi_1 V \psi_2) \mid \psi_1 \in D_1, \psi_2 \in D_2\}$;
$D_1 \land D_2 = \{(\psi_1 \land \psi_2) \mid \psi_1 \in D_1, \psi_2 \in D_2\}$;
$D_1 \lor D_2 = \{(\psi_1 \lor \psi_2) \mid \psi_1 \in D_1, \psi_2 \in D_2\}$.

Given a formula $\varphi$ or a set of formulas $S$, we denote by $AP(\varphi)$ (resp., $AP(S)$) the set of atomic propositions occurring in $\varphi$ (resp., $S$). We use $\mathit{true}$ and $\mathit{false}$ as shorthand for pure state formulas which are tautologies and contradictions, respectively. We omit or add parentheses in formulas following the usual conventions.

The formal definition of the semantics ofACTL refers to particularKripke structures. Informally, theyare labeled finite transition graphs.

Definition 2.2 (Kripke structure) A Kripke structure is a quintuple $M = (A, S_0, S, R, L)$ such that:

• $A$ is a finite set of atomic propositions, denoted $A(M)$;
• $S$ is a finite set of states, denoted $S(M)$;
• $S_0 \subseteq S$ is a finite set of initial states, denoted $S_0(M)$;
• $R \subseteq S \times S$ is a transition relation, denoted $R(M)$;
• $L : S \to 2^A$ is a mapping assigning to each state of $S$ the set of atomic propositions true in that state; $L$ is called the label function, and is denoted by $L(M)$. □

For convenience, we often denote by $M_s$ the Kripke structure which is identical to $M$ except that $S_0(M_s) = \{s\}$, where $s \in S(M)$, i.e., $s$ is the unique initial state. Furthermore, we will sometimes focus on structures $M$ such that $S_0(M) = \{s_0\}$ and $(s, s_0) \notin R(M)$ for all $s \in S(M)$, i.e., $M$ has a unique initial state $s_0$, and $s_0$ is not reachable from any state in $M$. We refer to such structures as conic.

The dynamic temporal evolution is modeled by infinite paths in the Kripke structure.

Definition 2.3 (path) A path $\pi$ of a Kripke structure $M$ is an infinite sequence $\pi = [s_0, s_1, \ldots, s_i, \ldots]$ such that $(s_i, s_{i+1}) \in R$ for each $i \geq 0$. Given an integer $i \geq 0$ and a path $\pi$, we denote by $\pi(i)$ the $i$-th state of $\pi$. Given an integer $j \geq 0$ and a path $\pi$, the $j$-suffix $\pi^j$ of $\pi$ is the path $[\pi(j), \pi(j+1), \ldots]$. Clearly, $\pi = \pi^0$ and $\pi(i) = \pi^i(0)$. □

The semantics of ACTL is now defined through a satisfaction relation $\models$, which is applied to states $s$ and paths $\pi$ for evaluating state and path formulas, respectively.

Definition 2.4 (satisfaction) Let $s$ and $\pi$ be a generic state and path in $M$, respectively. Then, the satisfaction relation $\models$ for state and path formulas, respectively, on a Kripke structure $M$ is inductively defined as follows.

1. $M, s \models p$, if $p \in L(M)(s)$, for any atomic proposition $p \in A$;

2. $M, s \models \neg\varphi$, if $M, s \not\models \varphi$, where $\varphi$ is a state formula;

3. $M, s \models \varphi_1 \lor \varphi_2$, if $M, s \models \varphi_1$ or $M, s \models \varphi_2$, where $\varphi_1$ and $\varphi_2$ are state formulas;

4. $M, s \models \varphi_1 \land \varphi_2$, if $M, s \models \varphi_1$ and $M, s \models \varphi_2$, where $\varphi_1$, $\varphi_2$ are state formulas;

5. $M, s \models A(\psi)$, if $M, \pi \models \psi$ for all paths $\pi$ such that $\pi(0) = s$;

6. $M, \pi \models X\varphi$, if $M, \pi(1) \models \varphi$;

7. $M, \pi \models \varphi_1 U \varphi_2$, if there exists an integer $k \geq 0$ such that $M, \pi(k) \models \varphi_2$ and $M, \pi(j) \models \varphi_1$ for all $0 \leq j < k$;

8. $M, \pi \models \varphi_1 V \varphi_2$, if for every $k \geq 0$, $M, \pi(j) \not\models \varphi_1$ for all $0 \leq j < k$ implies $M, \pi(k) \models \varphi_2$.

We write $M \models \varphi$ if $M, s_0 \models \varphi$ for every initial state $s_0 \in S_0(M)$. □

Intuitively, a state formula holds along a path if it is true at its first state; $\varphi_1 U \varphi_2$ is true if $\varphi_1$ is true along the path until some state is reached at which $\varphi_2$ is true; and $\varphi_1 V \varphi_2$ is true if there is no stage at which $\varphi_2$ is false while $\varphi_1$ is false at all previous states. Note that $U$ and $V$ are dual operators: $\varphi_1 U \varphi_2$ is true precisely if $\neg\varphi_1 V \neg\varphi_2$ is false.
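Definition 2.4 can be executed directly on an explicit Kripke structure: because the structure is finite, the universal path quantifier in items 7 and 8 is evaluated by fixpoint iteration instead of by enumerating infinite paths. The Python below is an added example, not code from the report. It assumes that $R$ is total (every state has a successor), a condition the report itself imposes in the proof of Theorem 4.1; under Definition 2.4 a state without successors would satisfy every $A$-formula vacuously, and the fixpoints below would then be wrong for it. The labels of the two reconstructed structures are those of Figures 1 and 2, while their transition relations are assumptions consistent with the paths used in Examples 1.1, 1.2, 3.3 and 3.4.

```python
# Added example: explicit-state ACTL model checking implementing Definition 2.4.
# Formulas are nested tuples (a representation chosen for this example):
#   ('atom', p) | ('true',) | ('false',) | ('not', f) | ('and', f, g) | ('or', f, g)
#   ('AX', f) | ('AU', f, g) | ('AV', f, g)      # AX f, A(f U g), A(f V g)

class Kripke:
    """M = (A, S0, S, R, L) as in Definition 2.2 (A is implicit in the label sets)."""

    def __init__(self, states, initial, transitions, labels):
        self.S = frozenset(states)
        self.S0 = frozenset(initial)
        self.R = frozenset(transitions)
        self.L = {s: frozenset(labels.get(s, ())) for s in self.S}
        # Definition 2.4 quantifies over infinite paths. We assume R is total (every state has a
        # successor), so every finite prefix extends to a path and the fixpoints below are exact.
        for s in self.S:
            if not self.succ(s):
                raise ValueError(f"state {s} has no successor; R must be total")

    def succ(self, s):
        return {t for (u, t) in self.R if u == s}

    def all_succ_in(self, Z):
        """States all of whose successors lie in Z (the universal pre-image of Z)."""
        return {s for s in self.S if self.succ(s) <= Z}

    def sat(self, f):
        """Set of states s with M, s |= f."""
        op = f[0]
        if op == 'true':
            return set(self.S)
        if op == 'false':
            return set()
        if op == 'atom':
            return {s for s in self.S if f[1] in self.L[s]}
        if op == 'not':
            return set(self.S) - self.sat(f[1])
        if op == 'and':
            return self.sat(f[1]) & self.sat(f[2])
        if op == 'or':
            return self.sat(f[1]) | self.sat(f[2])
        if op == 'AX':
            return self.all_succ_in(self.sat(f[1]))
        if op == 'AU':
            # A(f1 U f2): least fixpoint Z = S2 ∪ (S1 ∩ pre∀(Z)), item 7 of Definition 2.4
            S1, S2 = self.sat(f[1]), self.sat(f[2])
            Z = set(S2)
            while True:
                new = Z | (S1 & self.all_succ_in(Z))
                if new == Z:
                    return Z
                Z = new
        if op == 'AV':
            # A(f1 V f2): greatest fixpoint Z = S2 ∩ (S1 ∪ pre∀(Z)), item 8 of Definition 2.4:
            # f2 holds at every position up to and including the first one where f1 holds
            S1, S2 = self.sat(f[1]), self.sat(f[2])
            Z = set(S2)
            while True:
                new = S2 & (S1 | self.all_succ_in(Z))
                if new == Z:
                    return Z
                Z = new
        raise ValueError(f"unknown operator {op!r}")

    def models(self, f):
        """M |= f iff M, s0 |= f for every initial state s0."""
        return self.S0 <= self.sat(f)


def AF(f): return ('AU', ('true',), f)     # AF f = A(true U f)
def AG(f): return ('AV', ('false',), f)    # AG f = A(false V f)

# Figure 1; assumed transitions: s0 -> s1, s0 -> s2, self-loops on s1 and s2
M1 = Kripke(['s0', 's1', 's2'], ['s0'],
            [('s0', 's1'), ('s1', 's1'), ('s0', 's2'), ('s2', 's2')],
            {'s1': {'a2'}, 's2': {'a1'}})
# Figure 2; assumed transitions: s0 -> s0, s0 -> s1, s1 -> s2, s2 -> s2
M2 = Kripke(['s0', 's1', 's2'], ['s0'],
            [('s0', 's0'), ('s0', 's1'), ('s1', 's2'), ('s2', 's2')],
            {'s0': {'a'}, 's2': {'a'}})

if __name__ == '__main__':
    a1, a2, a = ('atom', 'a1'), ('atom', 'a2'), ('atom', 'a')
    print(M1.models(AF(a1)))                  # Example 1.1: False
    print(M1.models(('or', AF(a1), AF(a2))))  # Example 3.4: False
    print(M2.models(AF(AG(a))))               # Example 1.2: False
```

The $AU$ iteration grows from the states already satisfying $\varphi_2$ and is the least fixpoint; the $AV$ iteration shrinks from the states satisfying $\varphi_2$ and is the greatest fixpoint, which is exactly the duality noted in the paragraph above. Negation is computed on arbitrary state sets here for convenience, although ACTL only applies it inside pure state formulas.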

3 Multi-Paths and Counterexamples

If an ACTL formula $\varphi$ is not true in a structure $M$, then there must be some evidence which proves the failure of the formula. For a pure state formula $\varphi$, an initial state $s_0$ at which $\varphi$ is false is a witness of this fact; if $\varphi$ is of the form $AX\psi$, where $\psi$ is a pure state formula, then a path $\pi$ starting at some $s_0 \in S_0$ such that $\psi$ is false at $\pi(1)$ is such a witness. The falsity of formulas $A(\varphi_1 U \varphi_2)$ and $A(\varphi_1 V \varphi_2)$, where the $\varphi_i$ are pure state formulas, is witnessed similarly by a path $\pi$.
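For these flat formulas a witness path can be extracted by plain graph search, and that is what a single-path checker prints: a lasso, i.e. a finite prefix followed by a cycle, the pair $P, C$ the report refers to in the proof of Theorem 4.1. The Python below is an added example and not the report's own algorithm; it mirrors the three cases of the paragraph above (and anticipates items 1 to 3 of Definition 3.5): for $AX\psi$ a successor of $s_0$ refuting $\psi$; for $A(\varphi_1 U \varphi_2)$ either a prefix on which $\varphi_2$ fails that ends in a state where $\varphi_1$ fails as well, or an infinite path on which $\varphi_2$ never holds; for $A(\varphi_1 V \varphi_2)$ a prefix on which $\varphi_1$ fails that ends in a state where $\varphi_2$ fails. It assumes a total transition relation; the structures are reconstructed from Figures 1 and 2 with assumed transitions, and all names are this example's own.

```python
from collections import deque

# Pure state formulas and the three flat ACTL forms as nested tuples (chosen for this example):
#   ('atom', p) | ('true',) | ('false',) | ('not', f) | ('and', f, g) | ('or', f, g)
#   ('AX', f) | ('AU', f, g) | ('AV', f, g)         # AX f, A(f U g), A(f V g), f and g pure
# A structure is a triple (S0, R, L): initial states, transition relation, label function.

def holds(f, label):
    """Evaluate a pure state formula at a state whose label set is `label`."""
    op = f[0]
    if op == 'true':  return True
    if op == 'false': return False
    if op == 'atom':  return f[1] in label
    if op == 'not':   return not holds(f[1], label)
    if op == 'and':   return holds(f[1], label) and holds(f[2], label)
    if op == 'or':    return holds(f[1], label) or holds(f[2], label)
    raise ValueError(f"not a pure state formula: {f!r}")

def NOT(f):
    return ('not', f)

def succ(R, s):
    return sorted(t for (u, t) in R if u == s)   # sorted, so the search order is deterministic

def any_lasso(R, s):
    """Some infinite path from s as (prefix, cycle); R is assumed total, so the walk never gets stuck."""
    path, seen = [], {}
    while s not in seen:
        seen[s] = len(path)
        path.append(s)
        s = succ(R, s)[0]
    return path[:seen[s]], path[seen[s]:]

def reach(R, L, start, via, target):
    """Shortest path [start, ..., t] with `target` true at t and `via` true at every earlier state."""
    parent, queue = {start: None}, deque([start])
    while queue:
        s = queue.popleft()
        if holds(target, L[s]):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        if holds(via, L[s]):
            for t in succ(R, s):
                if t not in parent:
                    parent[t] = s
                    queue.append(t)
    return None

def lasso_within(R, L, start, cond):
    """Infinite path from start on which `cond` holds everywhere, as (prefix, cycle), or None."""
    def dfs(path, visited):
        for t in succ(R, path[-1]):
            if not holds(cond, L[t]):
                continue
            if t in path:                     # back edge: a cycle inside the cond-states
                i = path.index(t)
                return path[:i], path[i:]
            if t not in visited:
                visited.add(t)
                path.append(t)
                found = dfs(path, visited)
                if found:
                    return found
                path.pop()
        return None
    return dfs([start], {start}) if holds(cond, L[start]) else None

def counterpath(M, f):
    """A counterpath from some initial state for a flat formula, as (prefix, cycle); None iff M |= f."""
    S0, R, L = M
    op = f[0]
    if op not in ('AX', 'AU', 'AV'):
        raise ValueError("expected AX f, A(f1 U f2) or A(f1 V f2) with pure state arguments")
    for s0 in sorted(S0):
        if op == 'AX':                        # a successor at which f fails, then any continuation
            for t in succ(R, s0):
                if not holds(f[1], L[t]):
                    pre, cyc = any_lasso(R, t)
                    return [s0] + pre, cyc
        elif op == 'AU':                      # f2 fails up to a state where f1 fails too, or forever
            f1, f2 = f[1], f[2]
            p = reach(R, L, s0, NOT(f2), ('and', NOT(f1), NOT(f2)))
            if p:
                pre, cyc = any_lasso(R, p[-1])
                return p[:-1] + pre, cyc
            found = lasso_within(R, L, s0, NOT(f2))
            if found:
                return found
        else:                                 # AV: f1 fails before a state where f2 fails
            f1, f2 = f[1], f[2]
            p = reach(R, L, s0, NOT(f1), NOT(f2))
            if p:
                pre, cyc = any_lasso(R, p[-1])
                return p[:-1] + pre, cyc
    return None

# Figures 1 and 2 with assumed transitions consistent with the report's examples
M1 = ({'s0'}, {('s0', 's1'), ('s1', 's1'), ('s0', 's2'), ('s2', 's2')},
      {'s0': set(), 's1': {'a2'}, 's2': {'a1'}})
M2 = ({'s0'}, {('s0', 's0'), ('s0', 's1'), ('s1', 's2'), ('s2', 's2')},
      {'s0': {'a'}, 's1': set(), 's2': {'a'}})
```

On Figure 1, `counterpath(M1, ('AU', ('true',), ('atom', 'a1')))` returns the lasso `(['s0'], ['s1'])`, i.e. the path $[s_0, s_1, s_1, \ldots]$ of Example 1.1; on Figure 2, $AGa$ yields `(['s0', 's1'], ['s2'])`, the path $\pi'$ of Example 1.2. The search stays polynomial because every state is enqueued or pushed at most once per call, which is all that is needed for flat formulas; the nesting of $A$ quantifiers is what makes the general case hard.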

Intuitively, a path $\pi$ as described is a counterexample for the truth of $\varphi$ in $M$. For more complex formulas $\varphi$ which involve nested $A$ quantifiers, however, a single path $\pi$ may not by itself witness that $\varphi$ fails in $M$. To formally capture this, the nesting of paths must be taken into account. This motivates the definition of multi-paths, which serve as a basis for a formal definition of counterexamples [1].

3.1 Multi-Paths

Informally, a multi-path represents an infinite treeT , which has a designated branch as a backbone (calledmain path). The branches of the tree which spring off from the main pathat a certain stage are collected in atree, which is recursively represented as a multi-path. Thus, multi-paths can be inductively defined. Observethat this representation of a tree is different from the usual inductive definition in which a tree is built byassigning child nodes to a parent node. The main advantage ofthe multi-path concept is the preservation ofthe nesting of paths, which is lost in the standard tree definition.

Preliminary to the formal definition of multi-paths, we introduce multi-sequences.

Definition 3.1 (multi-sequence) Let $S$ be a set of states. Then,

• for every state $s \in S$, $\Pi = s$ is a finite multi-sequence in $S$;
• if $\Pi_0, \Pi_1, \ldots$ are countably infinitely many multi-sequences in $S$, then $\Pi = [\Pi_0, \Pi_1, \ldots]$ is a multi-sequence in $S$.

For any multi-sequence $\Pi$, its $i$-th element is denoted by $\Pi(i)$, for all $i \geq 0$; moreover, its origin, denoted $or(\Pi)$, is $or(\Pi) = s$ if $\Pi = s$ is a single state, and $or(\Pi) = or(\Pi(0))$ otherwise. □


Next we introduce the notion of main sequence of a multi-sequence. Informally, it is the sequence formed by the origins of all elements of a multi-sequence.

Definition 3.2 (main sequence) Given a multi-sequence $\Pi$, the main sequence of $\Pi$, denoted by $\mu(\Pi)$, is

• $s$, if $\Pi = s$ is finite;
• the sequence $[or(\Pi(0)), or(\Pi(1)), or(\Pi(2)), \ldots]$, otherwise. □

Multi-paths are multi-sequences which model nested paths in $M$.

Definition 3.3 (multi-path) A multi-sequence $\Pi$ is a multi-path in $M$ if either $\Pi$ is finite, or $\mu(\Pi)$ is a path in $M$ and, for every $i \geq 0$, $\Pi(i)$ is a multi-path in $M$. The main sequence of a multi-path $\Pi$ is called the main path of $\Pi$. □

Note that multi-paths generalize paths. Indeed, a path can be seen as an infinite multi-path $\Pi$ such that each element $\Pi(i)$ is a state. An infinite multi-path $\Pi$ intuitively represents an evolving computation tree, whose branches are the main path $\mu(\Pi)$ and all paths of the form $\pi_0\pi_1$, where $\pi_0 = \mu(\Pi)(0), \ldots, \mu(\Pi)(i-1)$ is a finite prefix of $\mu(\Pi)$ and $\pi_1$ is a branch of the multi-path $\Pi(i)$, where $\Pi(i)$ must be infinite.

Example 3.1 Assuming a suitable $M$, the multi-sequence $\Pi = [[s_0, s_1, s_1, \ldots], s_2, s_2, \ldots]$ is a multi-path which represents two paths $\pi_1 = [s_0, s_1, s_1, \ldots]$ and $\pi_2 = [s_0, s_2, s_2, \ldots]$ starting at $s_0$ (Figure 3). $\pi_2$ is the main path $\mu(\Pi)$ of $\Pi$. The multi-path $\Pi' = [[s_0, s_1, s_1, \ldots], s_2, [s_0, s_1, s_1, \ldots], s_2, [s_0, s_1, s_1, \ldots], \ldots]$ has main path $\mu(\Pi') = [s_0, s_2, s_0, s_2, \ldots]$ and represents the computation tree in which from $\mu(\Pi')$ at every even stage $\mu(\Pi')(2k)$ a path $[s_0, s_1, s_1, \ldots]$ branches off; hence, $\Pi'$ contains besides $\mu(\Pi')$ all paths of the form $[(s_0, s_2)^i, s_0, s_1, s_1, \ldots]$, $i \geq 0$. □

Figure 3: Branching paths (the multi-paths $\Pi$ and $\Pi'$ of Example 3.1, drawn as trees over $s_0$, $s_1$, $s_2$)

An important note is that, in general, a multi-path $\Pi$ may not directly reflect in its structure a truly branching computation tree. In fact, the definition allows fake branching, in the sense that two nested branching paths may amount to the same path in the structure. For example, in the multi-path $\Pi = [s_0, s_1, [s_2, s_3, s_4, \ldots], s_3, s_4, \ldots]$, the branch $s_2, s_3, s_4, \ldots$ is identical to the remainder $s_2, s_3, s_4, \ldots$ of the main path. This is not a shortcoming of our definition but an important feature; it allows us to express that a particular path is a subpath of another one. In an extended vocabulary for multi-paths, this could be expressed more elegantly; however, we disregard such an extension here. Note that for our purposes, we can restrict to multi-paths which have effective finite representations [1].


3.2 Counterexamples

We are now prepared to formalize the notion of counterexample. Intuitively, a counterexample for a formula $\varphi$ is a special multi-path $\Pi$ originating at an initial state and demonstrating the falsity of $\varphi$. Since counterexamples are defined inductively, we need the concept of a local counterexample, which may originate at an arbitrary state rather than an initial state. For the technical definition of local counterexamples, we use an operation for merging two multi-paths into a single one.

Definition 3.4 (merge) Let $\Pi_1$ and $\Pi_2$ be two multi-paths such that $or(\Pi_1) = or(\Pi_2)$. The merge of $\Pi_1$ and $\Pi_2$, denoted by $\Pi_1 \oplus \Pi_2$, is the multi-path recursively defined as follows:

$\Pi_1 \oplus \Pi_2 = \Pi_1$, if $\Pi_2$ is finite;
$\Pi_1 \oplus \Pi_2 = [\Pi_1, \Pi_2(1), \Pi_2(2), \ldots]$, if $\Pi_2$ is infinite and $\Pi_2(0)$ is finite;
$\Pi_1 \oplus \Pi_2 = [\Pi_1 \oplus \Pi_2(0), \Pi_2(1), \Pi_2(2), \ldots]$, otherwise. □

Intuitively, the trees represented by $\Pi_1$ and $\Pi_2$ are merged at their common root.

Example 3.2 Merging $\Pi = [[s_0, s_{1_1}, s_{1_2}, \ldots], s_{2_1}, s_{2_2}, \ldots]$ and $\Pi' = [s_0, s_{3_1}, s_{3_2}, \ldots]$ yields

$\Pi \oplus \Pi' = [\Pi, s_{3_1}, s_{3_2}, \ldots] = [[[s_0, s_{1_1}, s_{1_2}, \ldots], s_{2_1}, s_{2_2}, \ldots], s_{3_1}, s_{3_2}, \ldots]$,

while

$\Pi' \oplus \Pi = [\Pi' \oplus [s_0, s_{1_1}, s_{1_2}, \ldots], s_{2_1}, s_{2_2}, \ldots] = [[\Pi', s_{1_1}, s_{1_2}, \ldots], s_{2_1}, s_{2_2}, \ldots] = [[[s_0, s_{3_1}, s_{3_2}, \ldots], s_{1_1}, s_{1_2}, \ldots], s_{2_1}, s_{2_2}, \ldots]$.

The two merges essentially represent the same branching of three paths $\pi_i = [s_0, s_{i_1}, s_{i_2}, \ldots]$, $i \in \{1, 2, 3\}$, starting from $s_0$. □

Note that merging $\Pi_1$ and $\Pi_2$ by simply adding $\Pi_1$ as the first element of $\Pi_2$ does not work, since in general this leads to a set of paths different from those in $\Pi_1$ and $\Pi_2$; the result may not even be a multi-path.

Definition 3.5 (l-counterexample) Let $M$ be a Kripke structure and $\varphi$ an ACTL formula on $A(M)$. A multi-path $\Pi$ in $M$ is a local (l-) counterexample for $\varphi$ if, depending on the structure of $\varphi$, the following holds:

• if $\varphi$ is a pure state formula: $\Pi = s$ is a state and $M, s \not\models \varphi$;

• otherwise, if

1. $\varphi = A(\varphi_1 U \varphi_2)$: $\Pi$ is an infinite multi-path and either

1.1 there exists $k \geq 0$ such that $\Pi(k)$ is an l-counterexample for $\varphi_1 \lor \varphi_2$, $\Pi(i)$ is an l-counterexample for $\varphi_2$ for each $0 \leq i \leq k$, and $\Pi(j)$ is a state for $j > k$; or

1.2 $\Pi(i)$ is an l-counterexample for $\varphi_2$ for each $i \geq 0$;

2. $\varphi = A(\varphi_1 V \varphi_2)$: $\Pi$ is an infinite multi-path and there exists a $k$ such that every $\Pi(j)$, $0 \leq j < k$, is an l-counterexample for $\varphi_1$, $\Pi(k)$ is an l-counterexample for $\varphi_2$, and every $\Pi(\ell)$ is a state for $\ell > k$;

3. $\varphi = AX\varphi_1$: $\Pi$ is an infinite multi-path, $\Pi(1)$ is an l-counterexample for $\varphi_1$, and $\Pi(i)$ is a state for each $i \neq 1$;

4. $\varphi = \varphi_1 \lor \varphi_2$: $\Pi = \Pi_1 \oplus \Pi_2$, where $\Pi_i$, $i = 1, 2$, is an l-counterexample for $\varphi_i$;

5. $\varphi = \varphi_1 \land \varphi_2$: $\Pi$ is an l-counterexample for either $\varphi_1$ or $\varphi_2$. □

Recall that $M \not\models \varphi$ if there exists an initial state $s_0$ at which $\varphi$ is false. Hence, we introduce a notion of "global" counterexample.

Definition 3.6 (counterexample) Let $M$ be a Kripke structure and $\varphi$ a formula on $A(M)$. Any l-counterexample $\Pi$ for $\varphi$ in $M$ such that $or(\Pi) \in S_0(M)$ is called a counterexample for $\varphi$ in $M$. □

Example 1.1 illustrates this definition. Let us consider some more examples.

Example 3.3 Reconsider the Kripke structure $M$ from Figure 1, and let $\psi = A(\mathit{false}\,V\,A(\mathit{true}\,U\,a_1))$. This formula, too, is false on $M$. Intuitively, this is witnessed by the path $\pi$ again. However, according to the formal definition, $\pi$ is not a counterexample for $\psi$, as it does not respect witness paths for the subformula $A(\mathit{true}\,U\,a_1)$ of $\psi$. The multi-path $\Pi = [[s_0, s_1, \ldots], s_1, s_1, \ldots]$ is a proper counterexample for $\psi$ according to the definition, as is any multi-path $[s_0, (s_1,)^i, [s_1, s_1, \ldots], s_1, s_1, \ldots]$, where $i \geq 0$.

Finally, also the formula $\varphi = A(\mathit{true}\,U\,A(\mathit{false}\,V\,a_1))$ is false in $M$; again, intuitively the path $\pi = [s_0, s_1, s_1, \ldots]$ shows this. Formally, the multi-path $[[s_0, s_1, s_1, \ldots], [s_1, s_1, \ldots], [s_1, s_1, \ldots], \ldots]$ is a counterexample for $\varphi$; in fact, it is the unique counterexample. □

The following result states that l-counterexamples appropriately model the failure of a formula in a state.

Theorem 3.1 ([1]) Let $M$ be a Kripke structure, $\varphi$ a formula on $A(M)$, and $s \in S(M)$. Then, $M, s \not\models \varphi$ if and only if there exists an l-counterexample $\Pi$ for $\varphi$ such that $or(\Pi) = s$.

Corollary 3.2 ([1]) For any Kripke structure $M$ and formula $\varphi$ on $A(M)$, $M \not\models \varphi$ if and only if there exists a counterexample $\Pi$ for $\varphi$ in $M$.

As discussed earlier, in many cases a counterexample for a formula is (essentially) a single path. This is true, e.g., for the formulas considered in Examples 1.1 and 3.3. However, as Example 1.2 and the following example show, there are cases in which a truly branching tree is needed.

Example 3.4 Consider the structure $M$ of Figure 1 again, but now the formula $\varphi = A(\mathit{true}\,U\,a_1) \lor A(\mathit{true}\,U\,a_2)$. Clearly, $M \not\models \varphi$: for every $a_i$, $i = 1, 2$, there is an infinite path $\pi_i = [s_0, s_i, s_i, \ldots]$ which never reaches a state at which $a_i$ is true; hence, every disjunct $AFa_i$ of $\varphi$ is false. A counterexample for $\varphi$ is the multi-path $\Pi = [[s_0, s_1, s_1, \ldots], s_2, s_2, \ldots]$, which results from merging the $\pi_i$'s into $\Pi = (\pi_1 \oplus \pi_2)$. Notice that no counterexample for $\varphi$ exists that is an ordinary path, and that $\pi_1 \oplus \pi_2$ and $\pi_2 \oplus \pi_1$ are the only (isomorphic) counterexamples for $\varphi$. □

4 Deterministic Counterexamples

In this section, we formalize our intuition of a single path counterexample from the previous section. Forthis purpose, we introduce first the concept of a deterministic multi-path. Such a path is built over a singlepath in the structure, which exactly prescribes the next state in each transition throughout the multi-path.


4.1 Deterministic counterexamples andc-deterministic formulas

Definition 4.1 (deterministic multi-path) A multi-path $\Pi$ is deterministic if one of the following applies:

1. $\Pi$ is finite (i.e., a single state);

2. $\Pi$ is a path; or

3. for each $i \geq 0$, either

3.1 $\Pi(i)$ is a state, or

3.2 $\mu(\Pi(i))$ coincides with $\mu(\Pi)^i$ (the $i$-suffix of $\mu(\Pi)$) and $\Pi(i)$ is deterministic. □

Informally, a multi-path is deterministic if the main paths of its elements are suffixes of its main path, and this is recursively true also for the multi-paths of the sequence. Thus, while in general multi-paths represent evolutions with branching, deterministic multi-paths have only artificial branching and represent essentially a single path.

Example 4.1 Consider the multi-path $\Pi = [s_0, s_1, s_2, s_3, [s_4, s_5, s_4, [s_5, s_4, s_5, s_4, \ldots], s_4, s_5, \ldots], s_5, s_4, s_5, s_4, \ldots]$. As can be seen, this multi-path is deterministic. The path $[s_5, s_4, s_5, s_4, \ldots]$ nested into $\Pi(4)(3)$ represents a path branching from the main path of $\Pi(4)$. However, this path coincides with the suffix $\mu(\Pi(4))^3$ of the main path of $\Pi(4)$. Hence, it does not represent an alternative evolution. In this sense, a deterministic multi-path represents only deterministic evolutions.

Observe that the multi-path $\Pi' = [[s_0, s_1, s_2, s_3, s_2, s_3, \ldots], s_4, s_5, s_6, s_5, s_6, s_5, \ldots]$ is not deterministic. □

Definition 4.2 (deterministic counterexample and counterpath) A counterexample $\Pi$ for an ACTL formula $\varphi$ in a structure $M$ is deterministic if $\Pi$ is a deterministic multi-path. The main path $\mu(\Pi)$ of any deterministic counterexample $\Pi$ for $\varphi$ in $M$ is a counterpath for $\varphi$ in $M$. □

As easily verified, the counterexamples for the formulas presented in Examples 1.1 and 3.3 are deter-ministic counterexamples, and the “intuitive” counterexamples there are the respective counterpaths.

As for counterexamples, it is of particular interest to have a deterministic counterexample at hand, since such a counterexample is in general easier to understand than an arbitrary counterexample. Moreover, the description of such counterexamples can be simplified. Observe that McMillan's SMV procedure [10] returns a single path $\pi$ rather than a counterexample as used here when an ACTL formula fails. This path plays a role similar to the main path of our notion of a counterexample $\Pi$. If $\Pi$ and $\pi$ grasp the same witness, then $\mu(\Pi)$ should coincide with $\pi$, and it contains in fact all relevant information which is needed for witnessing the failure of $\varphi$. From $\pi$, a counterexample respecting the (artificial) branching of paths, as required by the structure of $\varphi$, can be reconstructed.

We thus direct our attention to the existence of deterministic counterexamples.

Definition 4.3 (c-deterministic) An ACTL formula � is c-deterministic, if M ⊭ � implies that a deterministic counterexample for � exists in M, for every Kripke structure M.


4.2 Complexity of recognizing c-deterministic formulas

Unfortunately, recognizing c-deterministic formulas is complex in general, as expressed by the following result.

Theorem 4.1 Deciding whether a given ACTL formula � is c-deterministic is PSPACE-hard.

Proof. This result is proved by a reduction from the unsatisfiability problem for ACTL formulas on structures M where R(M) is total, i.e., ∀s ∃s'. R(s, s') holds. This problem is PSPACE-complete by results of Vardi and Kupferman (see [9]).

Let � be an arbitrary ACTL formula, and let a be a fresh atom not occurring in �. Let the formula  be defined as follows:

 = AXa ∨ AX(¬a ∧ �).

It holds that  is c-deterministic if and only if � is unsatisfiable over structures M where R(M) is total.

To prove this, suppose first that � is unsatisfiable over all M where R(M) is total. Let M be any structure (where R(M) is not necessarily total) such that M ⊭ . This implies that AXa has a counterexample in M, which is a simple path � represented by a pair P, C where P is a path (prefix) and C a cycle in M. The assumption on � implies that ¬a ∧ � is globally false (and in particular, at �(1)) in the structure M� which is naturally induced by � in M. Consequently, � is a counterpath for  in M�, and thus also in M. This means that  is c-deterministic.

Now suppose that � is satisfiable on some structure M with total R(M). Hence, a state s0 ∈ S0(M) exists such that M, s0 ⊨ �. Let M' be the structure corresponding to the labeled transition graph in Figure 4.

[Figure 4: labeled transition graph with initial state s'0, where L(s'0) = {}, a state s'1 with L(s'1) = {a}, and the structure M rooted at s0.]

Figure 4: Structure M for  = AXa ∨ AX(¬a ∧ �) (initial state s'0)

It holds that M' ⊭ . Indeed, the path �1 = [s'0, s1, s1, ...] is a counterpath for  1 = AXa, and any path �2 = [s'0, s0, ...] is a counterpath for  2 = AX(¬a ∧ �); thus, their merge � = �1 � �2 is a counterexample for . Clearly, any counterexample for  in M' must contain both s0 and s1; thus, a deterministic counterexample for  in M' is impossible, which means that  is not c-deterministic. □

This result implies that a polynomial-size, polynomial-time checkable proof witnessing that a formula is c-deterministic is illusory, and thus we may abandon the search for an appealing syntactic characterization of c-deterministic formulas.

A related, and in practice perhaps more important, issue is whether the existence of a deterministic counterexample for a formula can be efficiently decided ad hoc, i.e., given an ACTL formula � and a structure M, decide whether � has a deterministic counterexample in M (and, if so, return a counterpath represented in a suitable way). As it turns out, this problem is also intractable.

Theorem 4.2 Given a Kripke structure M and an ACTL formula �, deciding whether � has a deterministic counterexample (equivalently, a counterpath) in M is NP-hard.


Proof. We describe a polynomial-time transformation of deciding whether a given directed graph G = (V, E) has a Hamiltonian circuit, which is well known to be NP-complete [8], into this problem. Recall that a Hamiltonian circuit is a sequence C = v_{i1}, ..., v_{in} of all the vertices V = {v1, ..., vn} such that an edge is directed from v_{ij} to v_{ij+1} and from v_{in} to v_{i1}.

We construct M and � as follows. The set S of states of M is V, which is also the set A of atomic propositions and the set S0 of initial states. The transition relation R is E, and each v ∈ V has the label L(v) = {v}.

The formula � is as follows:

� = A(true U ⋁_{v∈V} (v ∧ ⋁_{w∈V∖{v}} AXA(v V ¬w)))

Intuitively, a deterministic counterexample for � in M is an infinite path � such that in each state �(i) = v, the path must be continued in states �(i+1), �(i+2), ..., such that all other vertices w ≠ v appear before v may reappear.

We claim that G has a Hamiltonian circuit if and only if � has a counterpath in M.

(⇒) Let C = v_{i1}, ..., v_{in} be a Hamiltonian circuit of G. We claim that the path � = (v_{i1}, v_{i2}, ..., v_{in})^∞ is a counterpath of �. To verify this, we have to show that the formula ⋁_{v∈V}  v, where  v = v ∧ (⋁_{w∈V∖{v}} AXA(v V ¬w)), is false in each state �(i), i ≥ 0, and that a local counterexample witnessing this fact can be built over �^i.

For each v ∈ V such that v ≠ �(i),  v is false at �(i) and thus �(i) is a local counterexample for  v over �^i. For the v ∈ V such that v = �(i), we must show that for each w ∈ V ∖ {v}, the suffix �^i is a local counterpath of the formula AXA(v V ¬w); that is, that the suffix �^{i+1} is a local counterexample of A(v V ¬w). Clearly, this is true for the w ∈ V ∖ {v} such that w = �(i+1); any w' ∈ V ∖ {v, w} occurs as �(i+k), where 1 < k < n, and v is false at �(i+k−1); thus, �^{i+1} is a local counterexample for A(v V ¬w). This proves that ⋁_{v∈V}  v is false in �(i), and that �^i is a local counterpath for each AXA(v V ¬w) where w ∈ V ∖ {v}. Thus, � is a counterpath for � in M.

(⇐) Suppose that � has a counterpath � in M. We show that the prefix �(0), ..., �(n − 1) of � is a Hamiltonian circuit of G. Let v ∈ V be the node such that �(0) = v. Then, � is a counterpath for the formula  v from above. This implies that � is a counterpath for the formula AXA(v V ¬w), for each w ∈ V ∖ {v}. Thus, �^1 is a local counterpath for A(v V ¬w). Hence, w must occur in �, and v must be false in each state �(i) where 1 ≤ i < k_w and �(k_w) is the first occurrence of w in �. Consequently, �(n) is the first possible position for a second occurrence of v in �.

Now consider v(i) = �(i), where i > 0. By similar arguments, we obtain that each w ∈ V ∖ {v(i)} occurs in �^i, and that w must occur in �^i before any possible further occurrence of v(i) after �^i(0) = �(i). It follows that �(0), �(1), ..., �(n − 1) are all pairwise different, and that �(n) = �(0) holds. This means that �(0), ..., �(n − 1) is a Hamiltonian circuit in G, and completes the proof of the claim.

Since M and � are constructible in polynomial time from G, the result is proved. □

4.3 ACTL templates

In the light of the previous results, we look into structural properties of formulas which guarantee the existence of a deterministic counterexample whenever a formula does not hold in a structure. This leads us to consider templates of ACTL formulas – formulas in which the particular atomic propositions are meaningless, i.e., they can be substituted by arbitrary pure state formulas. Intuitively, a template expresses the structure of a formula in terms of linear-time and branching-time operators. A pure state formula always has a deterministic counterexample (given by a single state); however, the application of these operators and Boolean connectives might destroy this property.

In the following, we shall identify the class of templates which are deterministic, i.e., each instantiation  of a template ? obtained by filling in pure state formulas always has a deterministic counterexample if  is not true. As it turns out, this class is decidable, and in fact efficiently recognizable.

More formally, templates are defined as follows.

Definition 4.4 (template) A template ? is an ACTL formula over “?” as single atomic proposition. The template of an ACTL formula , denoted ?, is the template obtained by uniformly substituting “?” for all atomic propositions in .¹

Observe that for any ACTL formula , its template ? is unique. As with ordinary formulas, we shall often omit or introduce parentheses as usual.

Example 4.2 The template of  = A(a V AX(b ∧ c)) is ? = A(? V AX(? ∧ ?)), and the template of � = A((b ∨ ¬c) U a) ∧ AX(c ∧ a) is �? = A((? ∨ ¬?) U ?) ∧ AX(? ∧ ?). □

Definition 4.5 (T?, PSF) We denote by T? the set of all ACTL templates and by PSF ⊆ T? the set of pure state formulas on the atomic proposition ?.

We next define a subset DET ⊆ T? of templates in terms of the least fixpoint of a continuous operator which is applied to a pair of sets of templates. The main effort in the rest of the paper will be the proof that this set DET is precisely the set of all deterministic templates.

Definition 4.6 (operator �) The operator � : 2^{T?} × 2^{T?} → 2^{T?} × 2^{T?} is defined as follows: �(S1, S2) = (S'1, S'2), where

S'1 = PSF ∪ S1 ∧ S1 ∪ S1 ∨ PSF ∪ PSF ∨ S1 ∪ AX(S1) ∪ AV(PSF, S1) ∪ S2

S'2 = AU(S1, PSF) ∪ AU(PSF, S2) ∪ S2 ∨ PSF ∪ PSF ∨ S2

Obviously, � is a continuous operator on a complete lattice, and hence by Kleene’s Theorem, the least fixpoint �^∞ = (S^∞_1, S^∞_2) exists and is the limit of the sequence �^0 = (∅, ∅), �^{i+1} = �(�^i), i ≥ 0.

Definition 4.7 (DET) We define DET = S^∞_1 as the first component of the least fixpoint �^∞ = (S^∞_1, S^∞_2) of �.

Example 4.3 As is easily checked, the sample templates in Section 1 generated by the grammar in Table 1 are in DET. In fact, it is easy to see that DET coincides with the language generated by that grammar. Further templates belonging to DET are: AXAX?, AXA(?U(? ∨ ¬?)), A(AX? U (? ∧ ?)), A(¬(? ∨ ?) V AX?), A(? V (¬? ∨ A(?U?))), A(A(?U?) U ?). On the other hand, the templates A(AX(?) V ?) and A(?U(? ∧ AX(?))) are not in DET.

¹ Alternatively, we could define that maximal pure state formulas in  are replaced by ?, rather than atoms. However, the definition of DET and the BNF grammar in Table 1 would become more complex, while the main results are not affected.


Instantiations of templates are defined as follows.

Definition 4.8 (instantiation) An ACTL formula � over atoms AP, where ? ∉ AP, is an instantiation of a template ? ∈ T?, if � results by substituting each occurrence of ? in ? with a (possibly different) pure state formula over AP.

Example 4.4 An instantiation of A(? V (¬? ∨ A(?U?))) is A(false V (¬req ∨ A(true U ack))), which expresses that a request is always finally acknowledged (see [5] for this formula). Instantiations of A((? ∨ ¬?) U ?) ∧ AX(? ∧ ?) are A((b ∨ ¬c) U (b ∧ a)) ∧ AX(c ∧ a) and A((a ∨ ¬a) U a) ∧ AX(a ∧ ¬a), i.e., A(true U a) ∧ AX(false).

To formulate our main result, we formally define the notion of deterministic template as follows.

Definition 4.9 (c-deterministic template) An ACTL formula � is c-deterministic, if M ⊭ � implies that a deterministic counterexample for � exists in M, for every Kripke structure M. A template ? is c-deterministic, if each instantiation � of ? is c-deterministic.

The first of the main results of this paper can now be stated as follows.

Theorem 4.3 Let ? ∈ T?. Then, ? is c-deterministic if and only if ? ∈ DET.

From this result and the inductive definition of DET, we easily obtain the following corollary concerning the recognition of deterministic templates; observe that membership of a template in DET can be checked in a single bottom-up pass of the formula tree, in which each step is unambiguous.

Corollary 4.4 Given a template ? ∈ T?, deciding whether ? is c-deterministic is possible in O(|?|) time, where |?| is the length of ?.
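As an added illustration of Definition 4.6 and Corollary 4.4 (not code from the paper), the following Python script decides membership in DET by one bottom-up pass over a template's syntax tree, assigning each subformula the component of the fixpoint of � that generates it. The ASCII template syntax (`?`, `!`, `&`, `|`, `AX`, `A(... U ...)`, `A(... V ...)`) and the reading that negation occurs only inside pure state formulas are assumptions of this example.

```python
import re

# Template classes w.r.t. the least fixpoint of Phi (Definition 4.6): PSF = pure state
# formula, S2 = in S2^inf, S1 = in DET but in neither of the former, NONE = not in DET.
PSF, S1, S2, NONE = "PSF", "S1", "S2", "NONE"
TOKEN = re.compile(r"AX|A\(|[?()&|!UV]")

class TemplateParser:
    """Recursive-descent parser for an ASCII template syntax assumed here (not the
    paper's): '?' atom, '!' negation, '&', '|', 'AX f', 'A(f U g)', 'A(f V g)'."""

    def __init__(self, text):
        self.toks = TOKEN.findall(text)
        if "".join(self.toks) != re.sub(r"\s+", "", text):
            raise SyntaxError("unrecognised characters in template: %r" % text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError("expected %r, got %r" % (expected, tok))
        self.pos += 1
        return tok

    def parse(self):
        f = self.disj()
        if self.peek() is not None:
            raise SyntaxError("trailing tokens after template")
        return f

    def disj(self):  # f | g has the lowest precedence
        f = self.conj()
        while self.peek() == "|":
            self.take()
            f = ("or", f, self.conj())
        return f

    def conj(self):  # f & g binds tighter than |
        f = self.unary()
        while self.peek() == "&":
            self.take()
            f = ("and", f, self.unary())
        return f

    def unary(self):
        tok = self.take()
        if tok == "?":
            return ("?",)
        if tok == "!":
            return ("not", self.unary())
        if tok == "AX":
            return ("AX", self.unary())
        if tok == "(":
            f = self.disj()
            self.take(")")
            return f
        if tok == "A(":  # A(f U g) or A(f V g)
            left = self.disj()
            op = self.take()
            if op not in ("U", "V"):
                raise SyntaxError("expected U or V inside A(...), got %r" % op)
            right = self.disj()
            self.take(")")
            return ("AU" if op == "U" else "AV", left, right)
        raise SyntaxError("unexpected token %r" % tok)

def classify(f):
    """One bottom-up pass over the syntax tree applying the generating rules of Phi."""
    op = f[0]
    if op == "?":
        return PSF
    if op == "not":  # assumption: negation only occurs inside pure state formulas
        return PSF if classify(f[1]) == PSF else NONE
    if op == "AX":  # AX(S1) is a subset of S1'
        return S1 if classify(f[1]) != NONE else NONE
    a, b = classify(f[1]), classify(f[2])
    if op == "and":  # S1 ^ S1 is a subset of S1'; PSF ^ PSF stays pure
        if a == PSF and b == PSF:
            return PSF
        return NONE if NONE in (a, b) else S1
    if op == "or":  # only S1 v PSF, PSF v S1 (into S1') and S2 v PSF, PSF v S2 (into S2')
        if a == PSF and b == PSF:
            return PSF
        if PSF not in (a, b):  # two non-pure disjuncts are never generated
            return NONE
        return b if a == PSF else a  # the non-pure side keeps its class (S1, S2 or NONE)
    if op == "AV":  # AV(PSF, S1) is a subset of S1'
        return S1 if a == PSF and b != NONE else NONE
    # op == "AU": AU(S1, PSF) and AU(PSF, S2) are subsets of S2'
    if (b == PSF and a != NONE) or (a == PSF and b == S2):
        return S2
    return NONE

def in_det(text):
    """True iff the template written in `text` belongs to DET (Definition 4.7)."""
    return classify(TemplateParser(text).parse()) != NONE
```

On the templates of Example 4.3, `in_det` accepts the six listed as members of DET and rejects `A(AX ? V ?)` and `A(? U (? & AX ?))`; `classify` additionally reports `S2` for `A(? U ?)`, the strongly c-deterministic case of Example 5.1.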

The proof of Theorem 4.3 is rather technical, and involves detailed case studies. It is given in Sections 5 (if-part) and 6 (only-if part).

5 Templates in DET are c-deterministic

In this section, we prove that all instances of templates in DET are c-deterministic. The proof proceeds along the inductive definition of DET. However, it appears that the property of c-determinism is not strong enough to allow the induction step to go through smoothly for all templates. We remedy this problem by showing that a strengthened version of c-determinism is satisfied by some of the templates, which has the benign property of being comparatively easy to establish in the induction step. We start with some useful definitions.

Definition 5.1 (strongly c-deterministic) An ACTL formula � is strongly c-deterministic, if � is c-deterministic and the following two conditions hold for any Kripke structure M:

1. if � is a deterministic l-counterexample � for � in M, then every path � of the form � = s0, ..., sk, �(�) in M such that s0 ∈ S0(M) and � has l-counterexamples at s0, ..., sk is a counterpath of �; and

2. if � is a path in M such that �(0) ∈ S0(M) and every �(i), i ≥ 0, is the origin of some l-counterexample for � in M, then � is a counterpath for � in M.


A template ? is strongly c-deterministic, if every instantiation � of ? is strongly c-deterministic.

Example 5.1 The formula � = A(aUb) is strongly c-deterministic: a local counterexample � for � is a path �, and at the state �(0), the atom b is false. By adding a prefix s0, ..., s_{k−1} of states to � such that b is false in each state si, we clearly obtain a path �' = s0, ..., s_{k−1}, � witnessing that aUb is false, i.e., �' is a counterpath for �. Thus, item 1 of strong c-determinism is satisfied. Also item 2 is satisfied: b must be false at the origin of any local counterexample of �; thus, if � is a path as described in item 2, b is false at each state �(i). This means that � is a counterexample (and thus a counterpath) for �.

It is easy to see that this holds if the atoms a and b are replaced by arbitrary pure state formulas; thus, the template A(?U?) and all templates in AU(PSF, PSF) are strongly c-deterministic.

On the other hand, the formula � = A(aVb), even though it is c-deterministic (as we shall see below), is not strongly c-deterministic, since it fails to satisfy item 2 of the definition. Indeed, consider a path � where each �(i) is the origin of a local counterexample for �, in which a is false and b is true. Then, b is true in each state of �. However, a counterexample for � must involve a state at which b is false. Thus, � is not a counterpath for � and item 2 fails. It is easy to see from this that no template in AV(PSF, PSF) is strongly c-deterministic. Similarly, it is easy to see that AXa is not strongly c-deterministic (both items 1 and 2 may fail), and that no template in AX(PSF) is strongly c-deterministic.

As for more complex formulas, e.g., the templates A(?U(?U?)) and A(?U?) ∨ ? are strongly c-deterministic. This will be formally proven below. □

The next theorem shows that the templates in the class DET are sound with respect to the property of c-determinism, i.e., each template in this class is c-deterministic. In fact, in the proof of the result we establish a little more, namely that all templates in the subset S^∞_2 ⊆ DET are strongly c-deterministic.

Theorem 5.1 Every template in DET is c-deterministic.

Proof. We establish the result by proving by induction on the stages �^i = (S^i_1, S^i_2), i ≥ 0, that every template ? ∈ S^i_1 is c-deterministic and every template ? ∈ S^i_2 is strongly c-deterministic.

(Basis) The case i = 0 is trivial, since S^0_1 = S^0_2 = ∅.

(Induction) Consider i + 1 and assume the statement holds for i. Let ? be any template such that ? ∈ S^{i+1}_1 ∖ S^i_1 (resp., ? ∈ S^{i+1}_2 ∖ S^i_2).

To complete the proof it suffices to show that ? is c-deterministic (resp., strongly c-deterministic), i.e., each instantiation � of ? is c-deterministic (resp., strongly c-deterministic).

Let M be any Kripke structure such that M ⊭ �. Then, we have to prove that a deterministic counterexample for � exists in M. From the definition of �, the following cases for ? are possible.

• ? ∈ PSF ⊆ S^{i+1}_1. (In this case, i = 0.) Each counterexample of � in M is finite, and thus deterministic.

• ? ∈ S^i_1 ∧ S^i_1 ⊆ S^{i+1}_1. Thus, � =  1 ∧  2, where both  1 and  2 are c-deterministic by the induction hypothesis. Since M ⊭ �, either M ⊭  1 or M ⊭  2. In both cases, the statement follows from the induction hypothesis.

• ? ∈ S^i_1 ∨ PSF ∪ PSF ∨ S^i_1 ⊆ S^{i+1}_1. Then, � =  1 ∨  2. Assume  2 is a pure state formula and  1 is an instantiation of a template in S^i_1; the other case (vice versa) is similar. By the induction hypothesis,  1 is c-deterministic.

Since M ⊭ �, there exists a counterexample � = �1 � �2 in M such that �1 is a counterexample for  1 and �2 is a counterexample for  2. Since  2 is a pure state formula, �2 is finite; thus, by definition of merge (Def. 3.4) � = �1. Further, or(�) is a state where  2 is false. Clearly, M_{or(�)} ⊭  1. Moreover, since  1 is c-deterministic, it admits a deterministic counterexample � 1 also in M_{or(�)}. Clearly, or(� 1) = or(�), since or(�) is the only initial state of M_{or(�)}. As or(�) ∈ S0(M), � 1 is a counterexample for  1 in M too. Hence the deterministic multi-path � 1 � or(� 1) is a counterexample for  1 ∨  2 in M. Thus, � is c-deterministic.

• ? ∈ AX(S^i_1) ⊆ S^{i+1}_1. Consequently, � is of shape AX( 1), where  1 is an instantiation of a template in S^i_1. Suppose � is a counterexample for �. By definition of counterexample, �(1) is an l-counterexample for  1 and �(0) is a state. By the induction hypothesis,  1 is c-deterministic. Thus,  1 has a deterministic counterexample in every Kripke structure in which it fails, and hence also in M_{�(�)(1)}. Denote by � 1 any such deterministic counterexample. Consider now the multi-path �� defined as follows: ��(0) = �(0), ��(1) = � 1, ��(i) = �(� 1)(i − 1), for each i > 1. Clearly, ��(1) is an l-counterexample for  1 in M. Hence, �� is a counterexample for �; clearly, it is deterministic.

• ? ∈ AV(PSF, S^i_1) ⊆ S^{i+1}_1. Then � = A( 1 V  2), where  1 is a pure state formula and  2 is c-deterministic by the induction hypothesis. Let � be a counterexample for � in M. By definition of counterexample, � is such that there exists a k ≥ 0 such that �(k) is an l-counterexample for  2, and �(i) is an l-counterexample for  1, for 0 ≤ i < k. Since  1 is a pure state formula, �(i), for 0 ≤ i < k, is a state where  1 is false. Moreover, since  2 is c-deterministic, there exists a deterministic counterexample � 2 for  2 in M_{or(�(k))}. Hence, the multi-path �� such that ��(i) = �(i), for each 0 ≤ i < k, ��(k) = � 2, and ��(i + k) = �(� 2)(i), for i > 1, is a counterexample for � in M. Since �� is deterministic, it follows that � is c-deterministic.

• ? ∈ S^i_2 ⊆ S^{i+1}_1. By the induction hypothesis.

• ? ∈ AU(S^i_1, PSF) ⊆ S^{i+1}_2. We first show that � is c-deterministic. � is of the form A( 1 U  2), where  1 is c-deterministic by the induction hypothesis and  2 is a pure state formula. Let � be a counterexample for � in M. By definition of counterexample, � is such that either (1) �(i) is a counterexample for  2, for each i ≥ 0, or (2) there exists a k ≥ 0 such that �(k) is a counterexample for  1 ∨  2, �(i) is a counterexample for  2 (and thus it is a state), for each 0 ≤ i ≤ k, and �(j) is a state, for each j > k.

In case (1), since  2 is a pure state formula, �(i) is a state, for each i > 0, and, hence, it is a deterministic counterexample. Consider now case (2). As shown above, each template in S^i_1 ∨ PSF is c-deterministic, and thus  1 ∨  2 is c-deterministic. Hence,  1 ∨  2 has a deterministic counterexample also in M_{�(�)(k)}. Let � 1∨ 2 be any such deterministic counterexample. Consider now the multi-path �� defined as follows: ��(i) = �(i) for each 0 ≤ i < k, ��(k) = � 1∨ 2, ��(j) = �(� 1∨ 2)(j − k), for j > k. Clearly, ��(k) is a counterexample for  1 ∨  2 in M. Hence, �� is a counterexample for � in M. Further, as can be easily checked, �� is deterministic.

Now we prove that � satisfies item 1 of Definition 5.1. Consider a path � = s0, ..., sk, �(�), as there, where � is a deterministic l-counterexample for � in M. Recall that � = A( 1 U  2), where  1 is, by the induction hypothesis, c-deterministic and  2 is a pure state formula. M_{si} ⊭ � implies that  2 is false at si, for each i = 0, ..., k. Since � is a deterministic counterexample for � in M_{or(�)}, either

2.1 there exists a j ≥ 0 such that �(j) is a counterexample for  1 ∨  2 and �(i), for each 0 ≤ i < j, is an l-counterexample for  2 (and thus a state), or

2.2 �(i) is an l-counterexample for  2 for each i ≥ 0 (hence � is a path).

In either case, the multi-path �� = [s0, ..., sk, �(0), �(1), ...] is a counterexample for � in M (recall that s0 ∈ S0(M)), which is clearly deterministic. Since � = �(��), item 1 of Definition 5.1 is satisfied.


To show that � satisfies also item 2 of Definition 5.1, consider any path � such that �(0) ∈ S0(M) and �(i) is the origin of some l-counterexample for � in M, for each i ≥ 0. Thus,  2 is false in each state �(i), for i ≥ 0. Hence, � is a counterpath for � in M.

• ? ∈ AU(PSF, S^i_2) ⊆ S^{i+1}_2. Then � is of the shape A( 1 U  2), where  1 is a pure state formula and  2 is strongly c-deterministic by the induction hypothesis. We have to prove that also � is strongly c-deterministic. We first show that � is c-deterministic. Consider thus a counterexample � for �. Then, either

8.1 there exists a k ≥ 0 such that �(k) is a counterexample for  1 ∨  2 and �(i) is a counterexample for  2, for each 0 ≤ i < k, or

8.2 �(i) is a counterexample for  2, for each i ≥ 0.

In case (8.1), by definition of counterexample M_{or(�(i))} ⊭  2, for each 0 ≤ i ≤ k. Consider now any deterministic counterexample � 2 for  2 in M_{or(�(k))}. Such a counterexample exists, since  2 is strongly c-deterministic (thus c-deterministic). Hence, by item 1 of Definition 5.1, it follows that for every path �j = [or(�(j)), ..., or(�(k − 1)), �(� 2)(0), �(� 2)(1), ...], for all 0 ≤ j ≤ k, there exists a deterministic counterexample �j for  2 in M_{or(�(j))} such that �(�j) = �j. Hence, the multi-path �� such that ��(i) = �i, for 0 ≤ i < k, ��(k) = � 2, and ��(i + k) = �(� 2)(i), for i > 0, is a counterexample for �. Moreover, as can be easily verified, each �j, for 0 ≤ j < k, is deterministic.

In case (8.2), by definition of counterexample M_{or(�(i))} ⊭  2, for each i ≥ 0. Since  2 is strongly c-deterministic, it satisfies item 2 of Definition 5.1. Thus, each suffix �(�)^j is a counterpath for  2. Hence, for any deterministic counterexamples ��i of  2 such that �(��i) = �(�)^i, i ≥ 0, the deterministic multi-path [��0, ��1, ..., ��i, ...] is a deterministic counterexample for �.

It remains to prove that � satisfies items 1 and 2 of Definition 5.1. Let � = s0, s1, ..., sk, �(�) be a path as in item 1 for a deterministic l-counterexample � of � in M. Recall that � = A( 1 U  2), where  1 is a pure state formula and  2 is, by the induction hypothesis, strongly c-deterministic. Since si is the origin of some l-counterexample for � in M, it follows that M_{si} ⊭  2, for each 0 ≤ i ≤ k. Furthermore, since � is a deterministic counterexample for �, either

8.1' there exists a j ≥ 0 such that �(j) is a counterexample for  1 ∨  2 and �(i) is a counterexample for  2, for each 0 ≤ i < j, or

8.2' �(i) is a counterexample for  2, for each i ≥ 0.

In any case,  2 has a deterministic l-counterexample �� at or(�) such that �(��) = �(�). Since  2 is strongly c-deterministic, item 1 of Definition 5.1 implies that for each i = 0, ..., k a deterministic l-counterexample �i for  2 exists at si such that �(�i) = �i. Hence, the multi-path �' = [�0, ..., �k, ��(0), ��(1), ...] is a deterministic counterexample for � in M. Since �(�') = �, � is a counterpath for � in M; thus, item 1 is satisfied.

To show that � also satisfies item 2 of Definition 5.1, let � be a path in M such that �(0) ∈ S0(M) and each �(i) is the origin of an l-counterexample for � in M, i ≥ 0. Then, each �(i) must be the origin of an l-counterexample for  2. Since  2 is strongly c-deterministic, it follows from item 2 of Definition 5.1 that each suffix �^i of �, i ≥ 0, is a counterpath for  2 in M, i.e., a corresponding deterministic l-counterexample �i for  2 exists in M at �(i). Thus, � = [�0, �1, ...] is a deterministic counterexample for � in M such that � = �(�). This means � is a counterpath for � in M, and item 2 of Definition 5.1 is satisfied.

• ? ∈ S^i_2 ∨ PSF ∪ PSF ∨ S^i_2 ⊆ S^{i+1}_2. The proof that ? is c-deterministic is analogous to the case ? ∈ S^i_1 ∨ PSF ∪ PSF ∨ S^i_1 above. The verification of points 1 and 2 in Definition 5.1 is straightforward. □

The proof of the previous theorem intuitively explains why the only possible nesting for �2 in an until �1 U �2 is another until operator. On the other hand, if the formula �2 in �1 U �2 is a pure state formula, then �1 can be any c-deterministic formula.

Concerning nesting into an unless A( 1 V  2), it is not possible to nest an arbitrary non-pure state formula in the left position. In this case, strong c-determinism does not ensure that the formula is c-deterministic. Recall that a counterexample for A( 1 V  2) is a multi-path � = [�(0), �(1), ...] such that �(0), ..., �(k − 1) prove the falsity of  1 and �(k) the falsity of  2. Trying to construct from � a deterministic counterexample �� for A( 1 V  2), we have to replace each �(i), 0 ≤ i ≤ k, with a suitable deterministic counterexample ��(i). We can do so easily for all i < k: since  1 is strongly c-deterministic, for any deterministic counterexample ��(k − 1) for  1 we can find appropriate ��(0), ..., ��(k − 2) by exploiting the property in item 1 of Definition 5.1. However, it may happen that every possible ��(k − 1) misses some state from �(k) which is necessary to refute  2; thus, a deterministic counterexample �� cannot be built.

5.1 Computing a counterpath for DET-instances

In Section 4, we have shown that deciding whether an arbitrary formula � has a counterpath on a given structure M is intractable in general, and so is computing a counterpath. Since instances of DET-templates always have a counterpath if they are false in M, the question whether there is an (efficient) procedure for computing any counterpath is natural. Note that the existence of a counterpath does not a priori mean that computing a counterpath is easy; this could still be a difficult problem.

Our second main result shows that this is not the case. For any path P = s0, s1, ..., sk in a structure M, let |P| denote the length of P (= k + 1), and for any formula  let dA( ) denote the A-nesting depth of  (where dA( ) = 0 for every pure state formula ).

Theorem 5.2 Let  be such that ? ∈ DET. If M ⊭ , then  has a counterpath in M which is either a single state (if ? ∈ PSF), or representable as P, C where P is a finite path (prefix) and C a cycle in M such that |P| + |C| ≤ dA( )|S(M)|. Moreover, given  and M, such P and C can be computed in polynomial time.

Proof. The first part (existence of a representation P, C as described) is shown following the induction in the proof of Theorem 4.3. For each instance � of a template ? ∈ S^i_1 ∪ S^i_2, we can construct the desired representation P, C from the main path of the deterministic counterexample constructed in the proof there, exploiting that the deterministic counterexamples �' used in the constructions have representations P', C' as described. We omit repeating all these constructions in detail, and focus here on the relevant facts that establish P, C:

1. In cases where � is of the form �1 ∨ �2 or �1 ∧ �2, a counterpath for � is immediately obtained by the induction hypothesis.

2. In cases where � is of the form AX�1, A(�1 V �2), and in some cases of A(�1 U �2), the deterministic counterexample � constructed for � is of the form [�(0), ..., �(k), �(k + 1), ...] where �(0), ..., �(k − 1) are states except if �? ∈ AU(PSF, DET ∖ PSF), �(k) is a deterministic counterexample for a formula  ' such that dA( ') < dA(�), and all �(j) are states, j > k. Two subcases arise, depending on the formula  ':

2.1 dA( ') = 0, i.e.,  '? ∈ PSF. Then, � is a simple path in M, and the states �(j), j > k, in � are meaningless (i.e., the suffix [�(k), �(k + 1), ...] can be replaced by any infinite path starting at �(k)). Thus, a counterpath for � can be represented by P, C such that |P| + |C| ≤ |S(M)| ≤ dA(�)|S(M)|.

2.2 dA( ') > 0. Then,  ' can be assumed to have a counterpath P', C' as in the induction hypothesis, and P, C is given by s0, ..., s_{k−1}, P', C', where si = or(�(i)), for i = 0, ..., k − 1. For a minimal k, it holds that k ≤ |S(M)|, and we obtain |P| + |C| = k + |P'| + |C'| ≤ |S(M)| + dA( ')|S(M)| ≤ dA(�)|S(M)|.

3. In the case where � = A( 1 U  2), a deterministic counterexample � may be constructed such that each �(i) is a counterexample for  2. In the case where  ?2 ∈ PSF, � is a simple path in M, which can be replaced by a prefix-cycle pair P, C such that |P| + |C| ≤ |S(M)| ≤ dA(�)|S(M)| (cf. 2.1); otherwise, if  ?2 ∈ DET ∖ PSF, then P, C is given by P', C' representing �(�(0)), and by the induction hypothesis |P| + |C| = |P'| + |C'| ≤ dA( 2)|S(M)| ≤ dA(�)|S(M)|.

This concludes the proof of the first part of the theorem. For computing P, C in polynomial time (second part of Theorem 5.2) we describe an algorithm which proceeds in two steps. Suppose that � and M are given as input.

Step 1. Label each state s ∈ S with the set F(s) = {�' | �' is a subformula of � such that M, s ⊭ �'}. It is well known that this labeling is possible in polynomial time (in fact in O(|�|(|S(M)| + |R(M)|)) time) [3].

Step 2. Construct a counterpath for �, which is either a single state or P, C representing an infinite path, using the following procedure:

Procedure COUNTERPATH

Input: Labeled graph G = (S, R, F), DET instance �, state s ∈ S s.t. � ∈ F(s).

Output: s, if �? ∈ PSF; otherwise, P, C representing a counterpath � for � starting at s.

Execute COUNTERPATH(G, �, s0) for some arbitrary s0 ∈ S such that � ∈ F(s0), and return the result.

COUNTERPATH proceeds top-down, and constructs the output either directly, or by making a recursive call; thus, COUNTERPATH extends an initially empty prefix P0 to P1 � P2 � ··· repeatedly until it is eventually completed with a cycle. In general, different choices exist for extending Pi to Pi+1. The crucial fact is that membership of �? in DET guarantees a “don’t care” nondeterminism, i.e., no backtracking is necessary. If Pi is properly extended to Pi+1, then it can be finally completed with a cycle.

We now describe how COUNTERPATH proceeds for �? ∉ PSF, depending on the structure of �. We consider the different possible cases:

• � =  1 ∧  2. Then, either  1 ∈ F(s) or  2 ∈ F(s) (or both). Call either COUNTERPATH(G,  1, s) or COUNTERPATH(G,  2, s), respectively, and return the result.

• � =  1 ∨  2. If  ?1 ∈ PSF, then call COUNTERPATH(G,  2, s); otherwise, call COUNTERPATH(G,  1, s). Return the result.

• � = AX( 1). Choose any s' such that (s, s') ∈ R and  1 ∈ F(s'). If  ?1 ∉ PSF, then call COUNTERPATH(G,  1, s') and return the result; otherwise, complete the path s, s' to an arbitrary prefix-cycle path P, C (where P may be void) containing at most |S(M)| states.

• � = A( 1 V  2). Determine any node s' reachable by a (possibly empty) path s = s0, s1, ..., sk = s' in R such that  1 V  2 ∈ F(si), for all i = 0, ..., k − 1 and  2 ∈ F(s'). If  ?2 ∉ PSF, then call COUNTERPATH(G,  2, s'), and return s0, ..., s_{k−1}, P', C' where P', C' is the result of the call; otherwise, if  ?2 ∈ PSF, then complete s0, ..., sk to any prefix-cycle path P, C having at most |S(M)| states and return it.

• � = A( 1 U  2). If there exists a prefix-cycle pair P, C = s0, s1, ..., sk in G such that k < |S(M)| and  2 ∈ F(si), for each i = 0, ..., k, then return P, C (this can be efficiently determined).

Otherwise, determine any state s' which is reachable from s by a path s = s0, ..., sk = s' such that  2 ∈ F(si), for all i = 0, ..., k and  1 ∈ F(sk). Now, if both  ?1,  ?2 ∈ PSF, then complete the path s0, ..., sk to an arbitrary prefix-cycle pair P, C such that |P| + |C| ≤ |S(M)| and return it.

Otherwise, call COUNTERPATH(G,  1, s'), if  ?1 ∉ PSF, and call COUNTERPATH(G,  2, s'), if  ?2 ∉ PSF; note that only one of the two cases can apply. Return P, C = s0, ..., s_{k−1}, P', C' where P', C' is the result of the call.

The correctness of the procedure COUNTERPATH(G, �, s) follows from the proof of Theorem 5.1. It is not hard to see that each of the cases in the body of COUNTERPATH can be completed in polynomial time (modulo recursion). Since the recursion depth is bounded by the formula length |�|, it follows that some P, C can be constructed in polynomial time. Using proper data structures (in particular for the maximal strongly connected components in subgraphs of R induced by labelings in F), each case can be handled in O(|S(M)| + |R(M)|) time, i.e., in linear time in the size of M. Thus, the procedure COUNTERPATH(G, �, s) takes O(|�|(|S(M)| + |R(M)|)) time.

Since, as remarked above, also the construction ofG = (S;R; F ) is possible inO(j�j(jS(M)j +jR(M)j)) time, it follows that someP;C can be computed fromM and� in O(j�j(jS(M)j + jR(M)j))time. This proves the second part and the result. 2Remarks. (1) We remark that the representationP;C of the path� returned by COUNTERPATH can beadorned in order to provide more information about the failure of subformulas. In particular, for an unlessA(�1V�2) the stagesk in � demonstrating the failure of�1V�2 can be marked, and similarly for an untilA(�1U�2); if �2 is false in each state of�, this could be marked at�(0). An adorned cycle-prefix pairP;C can be seen as a compact representation of a deterministic counterexample, which, different from acounterpath, retains all structural information of the underlying multi-path.

(2) There are instances $\phi$ of templates in $DET$ and structures $M$ such that for any prefix-cycle pair $P, C$ of an arbitrary counterpath for $\phi$ in $M$, the size $|P| + |C|$ is $\Omega(d_A(\phi)\,|S(M)|)$; the prefix $P$ may cycle through states in $M$ for a number of times that is bounded by $d_A(\phi)$, which can not be expressed by an (infinite) cycle.
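As an added illustration (not the paper's code, and not the full procedure), the following Python implements the prefix-cycle extraction of COUNTERPATH for the fragment built from pure state formulas, AX, and A(·U·), A(·V·) with pure-state operands, on a constructed five-state structure. The labelling function `sat` stands in for the precomputed graph $G = (S, R, F)$; the tuple-based formula syntax and the sample structure are assumptions of this example.

```python
# Added illustration (not the paper's code): prefix-cycle counterpath extraction for the DET fragment below.
from collections import deque
# Formula syntax (an assumption of this example), nested tuples: ('true',) ('false',)
# ('atom', p) ('not', f) ('and', f, g) ('or', f, g) ('AX', f) ('AU', f, g) ('AV', f, g)

def is_psf(f):
    """True iff f is a pure state formula (no temporal operator inside)."""
    return f[0] in ('true', 'false', 'atom') or (
        f[0] in ('not', 'and', 'or') and all(is_psf(g) for g in f[1:]))

def sat(succ, labels, f):
    """States of M = (succ, labels) satisfying f; replaces the precomputed labelling F."""
    S, op = set(succ), f[0]
    if op in ('true', 'false'): return S if op == 'true' else set()
    if op == 'atom': return {s for s in S if f[1] in labels[s]}
    if op == 'not':  return S - sat(succ, labels, f[1])
    if op == 'and':  return sat(succ, labels, f[1]) & sat(succ, labels, f[2])
    if op == 'or':   return sat(succ, labels, f[1]) | sat(succ, labels, f[2])
    ax = lambda Z: {s for s in S if all(t in Z for t in succ[s])}
    if op == 'AX':   return ax(sat(succ, labels, f[1]))
    A, B = sat(succ, labels, f[1]), sat(succ, labels, f[2])
    Z = set(B) if op == 'AU' else S      # AU: least fixpoint; AV: greatest fixpoint
    while True:
        Z2 = (Z | (A & ax(Z))) if op == 'AU' else (B & (A | ax(Z)))
        if Z2 == Z: return Z
        Z = Z2

def bfs_path(succ, start, expand_ok, goal):
    """Shortest path start..t with goal(t), expanding only states where expand_ok holds."""
    parent, queue = {start: None}, deque([start])
    while queue:
        u = queue.popleft()
        if goal(u):
            path = [u]
            while parent[path[-1]] is not None:
                path.append(parent[path[-1]])
            return path[::-1]
        if expand_ok(u):
            for v in succ[u]:
                if v not in parent:
                    parent[v] = u
                    queue.append(v)
    return None

def cycle_through(succ, t, allowed):
    """A cycle [t, ...] lying inside `allowed`, or None if there is none."""
    for v in succ[t]:
        if v in allowed:
            back = bfs_path(succ, v, lambda u: u in allowed, lambda u: u == t)
            if back is not None:
                return [t] + back[:-1]
    return None

def any_lasso(succ, t):
    """Follow first successors from t until a state repeats: returns (prefix, cycle)."""
    path, pos, u = [], {}, t
    while u not in pos:
        pos[u] = len(path)
        path.append(u)
        u = succ[u][0]
    return path[:pos[u]], path[pos[u]:]

def counterpath(succ, labels, f, s):
    """Prefix-cycle pair (P, C) of one path from s refuting f by itself; needs s not |= f."""
    op = f[0]
    if is_psf(f):                                   # any path from s refutes f
        return any_lasso(succ, s)
    if op == 'and':                                 # recurse on a failing conjunct
        g = f[1] if s not in sat(succ, labels, f[1]) else f[2]
        return counterpath(succ, labels, g, s)
    if op == 'or':                                  # a failing pure-state disjunct fails on every path
        return counterpath(succ, labels, f[2] if is_psf(f[1]) else f[1], s)
    if op == 'AX':                                  # step to a successor where the argument fails
        t = next(v for v in succ[s] if v not in sat(succ, labels, f[1]))
        pre, cyc = any_lasso(succ, t) if is_psf(f[1]) else counterpath(succ, labels, f[1], t)
        return [s] + pre, cyc
    S1, S2 = sat(succ, labels, f[1]), sat(succ, labels, f[2])
    if op == 'AU':
        # A(g1 U g2) fails where g2 never holds (lasso inside g2-false states) or where g2 is false up to a state with g1 false too.
        allowed = set(succ) - S2
        path = bfs_path(succ, s, lambda u: u in allowed, lambda u: u in allowed and
                        (u not in S1 or cycle_through(succ, u, allowed) is not None))
        cyc = cycle_through(succ, path[-1], allowed)
        if cyc is not None:
            return path[:-1], cyc
        pre, cyc = any_lasso(succ, path[-1])
        return path[:-1] + pre, cyc
    # A(g1 V g2) fails on a path where g2 is false at some state and g1 is false before it.
    path = bfs_path(succ, s, lambda u: u not in S1, lambda u: u not in S2)
    pre, cyc = any_lasso(succ, path[-1])
    return path[:-1] + pre, cyc

# Constructed sample structure: a request/grant handshake that may stay in 'wait' forever or reach a fault state.
SUCC = {'init': ['req'], 'req': ['wait', 'grant'], 'wait': ['wait', 'grant', 'err'],
        'grant': ['init'], 'err': ['err']}
LABELS = {'init': set(), 'req': {'pending'}, 'wait': {'pending'},
          'grant': {'granted'}, 'err': {'fault'}}
AG_NO_FAULT = ('AV', ('false',), ('not', ('atom', 'fault')))       # AG(not fault)
PENDING_UNTIL_GRANT = ('AU', ('atom', 'pending'), ('atom', 'granted'))
```

For instance, `counterpath(SUCC, LABELS, PENDING_UNTIL_GRANT, 'req')` returns the prefix `['req']` with cycle `['wait']`, the single lasso along which `granted` is never reached.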


6 All c-deterministic Templates are in DET

The proof of the converse of Theorem 5.1 is based on the observation that particular instantiations of non-deterministic templates can be used to derive the result. The structure of these instantiations allows us to build, in a systematic way, structures in which no deterministic counterexamples exist.

Definition 6.1 (disjoint and positive instantiation) A disjoint instantiation of a template $\psi^\star \in T^\star$ is an instantiation $\phi$ of $\psi^\star$ which can be built starting from pure state formulas such that $\wedge$, $\vee$, $A(\cdot U \cdot)$, $A(\cdot V \cdot)$ are only applied to formulas $\phi_1$ and $\phi_2$ having disjoint sets of atomic propositions, i.e. $AP(\phi_1) \cap AP(\phi_2) = \emptyset$.

An instantiation $\phi$ is positive, if each occurrence of an atom in $\phi$ is under an even number of negations.

Notice that in a positive template instantiation $\phi$, each subformula $\neg\psi$ which is not in the scope of another negation is logically equivalent to a monotone (negation-free) Boolean formula over $AP(\psi)$. Observe also that $\neg\psi \not\equiv true$ and $\neg\psi \not\equiv false$ holds in this case.

Positive disjoint instantiations have the nice property that with respect to counterexamples, any part of a Boolean combination $\phi$ of formulas $\phi_1, \ldots, \phi_m$ can be "projected out" in suitable structures, i.e., counterexamples for a simplified formula $\phi'$ give rise to counterexamples for $\phi$. This is particularly useful for showing that $\phi$ is not c-deterministic if any of $\phi_1, \ldots, \phi_m$ is not c-deterministic.

Lemma 6.1 Let $\phi$ be a positive disjoint instantiation of $\phi^\star \in T^\star$ which is a monotone Boolean combination of distinct formulas $\phi_1, \ldots, \phi_m$ (each of which is considered as an atom and used only once). Let $\phi^+$ be any nonempty formula which results by removing arbitrary subformulas from $\phi$. Let $M^+$ be any structure such that $R(M^+)$ is total, i.e., each state reaches some state, and $AP(M^+) = AP(\phi^+)$. Then, there exists a structure $M$ coinciding with $M^+$ except $AP(M) = AP(\phi)$ and $L(M^+)(s) \subseteq L(M)(s)$, for each state $s$, such that (1) $M, s \models \phi$ iff $M^+, s \models \phi^+$ holds for each state $s$, and (2) for each path $\pi$, it holds that $\pi$ is a local counterpath for $\phi$ in $M$ iff $\pi$ is a local counterpath for $\phi^+$ in $M^+$.

Proof. Since $\phi$ is positive, all $\phi_i$ are positive. Thus, every formula $\phi_i$ which does not occur in $\phi^+$ can be made globally true in $M^+$ by including $AP(\phi_i)$ in the label of each state $s$; otherwise, since $AP(\phi_i) \cap AP(M^+) = \emptyset$, $\phi_i$ is false in each state of $M^+$.

Let $M$ result from $M^+$ by making each $\phi_i$ globally true such that $\phi_i$ occurs in a maximal subformula that is pruned from $\phi$ and is connected in $\phi$ by conjunction. (Any other pruned $\phi_j$ occurs in a maximal pruned subformula which is connected by disjunction; it is globally false in $M^+$ and thus also in $M$.) It is not hard to see that this $M$ satisfies the property stated in the lemma. □

The next lemma informally states that for any positive disjoint instantiation of a template in $DET$, we can always find a structure such that the formula is true in it, but false if we proceed long enough from an initial state. Observe that this property is not true for all formulas that are instantiations of templates in $DET$. Consider e.g. the formula $\phi = A(false\,V\,a)$, where $a$ is an atomic proposition. This formula is an instance of the template $A(\star V \star)$, which belongs to $DET$. A counterexample for $\phi$ is a path $\pi$ along which $a$ is false in some state $\pi(i)$. Here, it is impossible to prefix $\pi$ with a sequence $s_0, \ldots, s_k$ of states such that along the resulting path $false\,V\,a$ becomes true.

Definition 6.2 (single-path structure) A conic structure $M$ is called a single-path structure, if $M$ has a single path $\pi$ starting at the initial state, and each state in $M$ occurs in it.

An immediate consequence of this definition is that for any single-path structure $M$ and non pure-state formula $\psi$ it holds that $M \not\models \psi$ just in case $\pi(M)$ is a counterpath for $\psi$.


Lemma 6.2 For every positive disjoint instantiation $\psi$ of a template $\psi^\star \in DET$, there exist a single-path structure $M$ and a $k \ge 1$ such that $M \models \psi$ and $\pi(M)^k$ is a local counterpath for $\psi$ (resp., $\pi(M)(k) \not\models \psi$ if $\psi^\star \in PSF$), where $\pi(M)$ denotes the unique infinite path in $M$.

Proof. We prove the statement by induction on the stage $i \ge 0$ (with sets $S^i_1, S^i_2$) in which $\psi^\star$ first occurs.

(Basis) The case $i = 0$ is trivial.

(Induction) Assume that the statement holds for $i$ and consider the possible cases for $\psi^\star \in S^{i+1}_1 \cup S^{i+1}_2$ where $i + 1 > 0$. By the induction hypothesis, it remains to consider $\psi^\star \notin S^i_1 \cup S^i_2$.

• $\psi^\star \in PSF$. (In this case, $i = 1$.) Let $M$ have the states $s_0$ and $s_1$, where $s_0$ is the unique initial state, and the transitions $(s_0, s_1)$, $(s_1, s_1)$. Let $L(M)(s_0) = AP(\psi)$ and $L(M)(s_1) = \emptyset$. Clearly, $M$ is a single-path structure such that $M \models \psi$, and $M, \pi(M)^1(0) \not\models \psi$. Thus the statement holds.

• $\psi^\star \in AX(S^i_1)$. Thus, $\psi = AX(\psi_1)$. By the induction hypothesis, a single-path structure $M$ with initial state $s_0$ and a $k \ge 1$ exist for $\psi_1$ which satisfy the statement of the lemma. Let $k^\ast$ be the least such $k$. If $k^\ast > 1$ we are done, since $M$ is a single-path structure where also $\psi$ satisfies the statement of the lemma. Otherwise (i.e., if $k^\ast = 1$), we can modify $M$ by adding a new state $s_0'$ which reaches $s_0$ and has an arbitrary label. Denote by $M'$ the resulting single-path structure with initial state $s_0'$. Since $\pi(M')^1 = \pi(M)$, it holds that $M' \models \psi$. Furthermore, $\pi(M')^1$ is a local counterpath for $\psi$, since $\pi(M')^2 = \pi(M)^1$. Hence the statement holds.

• $\psi^\star \in AV(PSF, S^i_1)$. Let $\psi = A(\psi_1 V \psi_2)$. By induction hypothesis, for $\psi_2$ there exist a single-path structure $M$ and an index $k \ge 1$ such that the property of the lemma holds. We modify $M$ by adding $AP(\psi_1)$ to every state label in $M$. It is easy to see that the resulting structure $M'$ satisfies $M' \models \psi$ because $\psi_1$ is globally true along $\pi(M')$. Furthermore, $\pi(M')^k$ is still a local counterpath for $\psi_2$ (resp., $\pi(M')(k) \not\models \psi_2$) since $\psi$ is a disjoint positive instantiation. Hence, the statement holds.

• $\psi^\star \in AU(S^i_1, PSF)$. Thus, $\psi = A(\psi_1 U \psi_2)$. Consider the single-path structure $M$ with states $s_0$ and $s_1$, where $s_0$ is the initial state, transitions $(s_0, s_1)$, $(s_1, s_1)$ and labeling $L(M)(s_0) = AP(\psi_2)$ and $L(M)(s_1) = \emptyset$. This $M$ and $k = 1$ prove the statement for $\psi$. Indeed, $M \models \psi$ since $\psi_2$ is true in $s_0$. Further, $\pi(M)^1$ is a local counterpath for $\psi$ since $\psi_2$ is globally false along it.

• $\psi^\star \in AU(PSF, S^i_2)$. Thus, $\psi = A(\psi_1 U \psi_2)$. By induction hypothesis, for $\psi_2$ there exist a single-path structure $M$ and an index $k \ge 1$ as in the lemma. Without loss of generality, no atomic proposition from $AP(\psi_1)$ occurs in any state label of $M$. Since $\psi$ is a positive disjoint instantiation, it is easy to see that $M$ and $k$ witness the statement also for $\psi$. Indeed, $M \models \psi$ since $\psi_2$ is true in the initial state of $M$. Furthermore, $\pi(M)^k$ is a local counterpath for $\psi$, since it is a local counterpath for $\psi_2$ (resp., $\psi_2$ is false in $\pi(M)(k)$) and $\psi_1$ is globally false along it.

• $\psi^\star \in S^i_1 \vee PSF \cup PSF \vee S^i_1$. Thus, $\psi = \psi_1 \vee \psi_2$. Assume that $\psi_1^\star \notin PSF$; the case $\psi_2^\star \notin PSF$ is similar. By induction hypothesis, for $\psi_1$ there exist a single-path structure $M$ and an index $k \ge 1$ as stated in the lemma. Without loss of generality, no atomic proposition from $AP(\psi_2)$ occurs in any state label of $M$. Since $\psi$ is a positive disjoint instantiation, it is easy to see that $M$ and $k$ witness the statement also for $\psi$. Indeed, $M \models \psi$ since $M \models \psi_1$. Further, $\pi(M)^k$ is a local counterpath for $\psi$ since it is a local counterpath for $\psi_1$ (resp., $\psi_1$ is false in $\pi(M)(k)$) and $\psi_2$ is globally false along it. Thus, the statement holds.

• $\psi^\star \in S^i_1 \wedge S^i_1$. Thus, $\psi = \psi_1 \wedge \psi_2$, and w.l.o.g. $\psi_1^\star \notin PSF$. By induction hypothesis, for $\psi_1$ there exist a single-path structure $M$ and an index $k \ge 1$ as stated in the lemma. We modify $M$ by adding to every state label the set of atomic propositions appearing in $\psi_2$. It is easy to see that the resulting structure $M'$ and $k$ witness the statement also for $\psi$. Clearly, $M' \models \psi$ since $M' \models \psi_1$ and $M' \models \psi_2$, as $\psi_2$ is globally true in $M'$. Furthermore, $\pi(M')^k$ is a local counterpath for $\psi$ since it is a local counterpath for $\psi_1$. Thus, the statement holds. This concludes the proof. □

The next lemma informally says that for any positive disjoint instantiation $\psi$ of a template in $DET$, it is possible to find a single-path structure which does not satisfy $\psi$, but is always satisfied if we proceed long enough on the single path. This lemma is in a sense complementary to the previous lemma. Similarly as there, the property is not true for arbitrary instantiations of templates from $DET$. E.g., a single-path structure falsifying $\psi = A(true\,U\,a)$ does not contain any "suffix" structure in which $\psi$ holds.

Prior to the lemma, we introduce the notion of $k$-structure.

Definition 6.3 ($k$-structure) A $k$-structure for a positive disjoint instantiation $\psi$ of a template $\psi^\star \in T^\star$ is any conic structure $M$ such that $M \not\models \psi$ and for each path $\pi$ in $M$ starting at $s_0$, there exists an index $k \ge 1$ such that $M, \pi^i(0) \models \psi$, for each $i \ge k$. □

We will use $k$-structures repeatedly in constructions of structures which do not have deterministic counterexamples for formulas involving the until operator.

Lemma 6.3 Each positive disjoint instantiation $\psi$ of any template $\psi^\star \in DET$ has some $k$-structure $M$. In fact, single-path $k$-structures $M$ always exist.

Proof. As previously, we prove the statement by induction on the stage $i \ge 0$ (with sets $S^i_1, S^i_2$) in which $\psi^\star$ first occurs.

(Basis) The case $i = 0$ is trivial.

(Induction) Assume that the statement holds for $i$, and consider the possible cases for $\psi^\star \in S^{i+1}_1 \cup S^{i+1}_2$, where $i + 1 > 0$. By the induction hypothesis, it remains to consider $\psi^\star \notin S^i_1 \cup S^i_2$.

• $\psi^\star \in PSF$. (In this case, $i = 1$.) Let $M$ have the states $s_0$ and $s_1$, where $s_0$ is the unique initial state, and the transitions $(s_0, s_1)$, $(s_1, s_1)$. Let $L(M)(s_0) = \emptyset$ and $L(M)(s_1) = AP(\psi)$. Clearly, $M$ is a single-path structure such that $M \not\models \psi$, and $M, \pi(M)^1(0) \models \psi$. Thus the statement holds.

• $\psi^\star \in AX(S^i_1)$. Let $\psi = AX(\psi_1)$. By induction hypothesis, there exist a single-path structure $M$ and an index $k \ge 1$ such that $M \not\models \psi_1$ and $M, \pi(M)^i(0) \models \psi_1$ for all $i \ge k$. Let $s_0$ be the initial state of $M$. We modify $M$ by changing the initial state to a new state $s$ with arbitrary label and adding the transition $(s, s_0)$. Clearly, the resulting structure $M'$ is single-path and $M' \not\models \psi$. From the induction hypothesis, it follows that for each $i \ge k + 1$, $M', \pi(M')^i(0) \models \psi_1$. Hence, the statement holds.

• $\psi^\star \in AV(PSF, S^i_1)$. Let $\psi = A(\psi_1 V \psi_2)$. Let $s_0$ be the initial state of a single-path structure $M$ for $\psi_2$ and $k \ge 1$ as stated in the lemma, which exist by the induction hypothesis. Since $M \not\models \psi_2$, it follows $M \not\models \psi$. Furthermore, $M, \pi(M)^i(0) \models \psi_2$ implies $M, \pi(M)^i(0) \models \psi$, for each $i \ge k$. Thus the statement holds.

• $\psi^\star \in AU(S^i_1, PSF)$. Let $\psi = A(\psi_1 U \psi_2)$. Let for $\psi_1$ be $M$ and $k \ge 1$ as stated in the lemma, which exist by induction hypothesis. Without loss of generality, $M$ includes $AP(\psi_2)$ in each state label $L(s)$ except for the initial state $s_0$, which contains no atomic proposition from $AP(\psi_2)$. Then, $M, s_0 \not\models \psi_2$, and since $M \not\models \psi_1$, it follows $M \not\models \psi$. Furthermore, $M, \pi(M)^i(0) \models \psi$ for all $i \ge k$ since $\psi_2$ is true in $\pi(M)^i(0)$. Thus, the statement holds.

• $\psi^\star \in AU(PSF, S^i_2)$. Let $\psi = A(\psi_1 U \psi_2)$. Let for $\psi_2$ be $M$ and $k \ge 1$ as stated in the lemma, whose existence follows from the induction hypothesis. Without loss of generality, we assume that the initial state $s_0$ of $M$ contains no atomic proposition from $AP(\psi_1)$. Since $M \not\models \psi_2$ and $\psi_1$ is false in $s_0$, it follows $M \not\models \psi$. Furthermore, since $M, \pi(M)^i(0) \models \psi_2$ it follows that $M, \pi(M)^i(0) \models \psi$, for all $i \ge k$. Thus the statement holds.

• $\psi^\star \in S^i_1 \vee PSF \cup PSF \vee S^i_1$. Let $\psi = \psi_1 \vee \psi_2$. Assume $\psi_1^\star \notin PSF$; the case $\psi_2^\star \notin PSF$ is similar. Let for $\psi_1$ be $M$ and $k \ge 1$ as stated in the lemma, which exist by induction hypothesis. Assume without loss of generality that no atomic proposition from $AP(\psi_2)$ occurs in any label of $M$. Then, it is easy to see that $M$ and $k$ witness the statement for $\psi$.

• $\psi^\star \in S^i_1 \wedge S^i_1$. Let $\psi = \psi_1 \wedge \psi_2$. Let for $\psi_1$ be $M$ and $k \ge 1$ as stated in the lemma, which exist by the induction hypothesis. Assume without loss of generality that $\psi_1^\star \notin PSF$, and that each label of $M$ includes $AP(\psi_2)$. Since $\psi_2$ is globally true in $M$, it is easy to see that $M$ and $k$ witness the statement also for $\psi$. This concludes the proof. □

In the next lemma, we show that a large class of templates in $T^\star \setminus DET$ which involve nesting into the until operator $U$ or the unless operator $V$, respectively, are not deterministic. We establish this by proving that positive disjoint instantiations of these templates are not c-deterministic. Prior to that, we introduce some useful concepts.

Definition 6.4 (left- and right-structures) A left-structure $M$ for a positive disjoint instantiation $\phi = A\psi$ is a conic structure with initial state $s_0$ and $AP(M) = AP(\phi)$, which satisfies, depending on the linear-time operator guarding $\psi$, the following properties (see Figure 5):

[Figure 5: Left-structures for (a) $\phi = AX\phi_1$, (b) $\phi = A(\phi_1 V \phi_2)$, and (c) $\phi = A(\phi_1 U \phi_2)$]

[Figure 6: Right-structures for (a) $\phi = AX\phi_1$, (b) $\phi = A(\phi_1 V \phi_2)$, and (c) $\phi = A(\phi_1 U \phi_2)$]

If $\phi = AX(\phi_1)$, then only one transition $(s_0, s_0')$ leaving from $s_0$ exists, and
• $s_0'$ is the initial state of another structure, denoted by $\Sigma_{\phi_1}$,
• $s_0$ does not appear in the set of states of $\Sigma_{\phi_1}$,
• $\Sigma_{\phi_1} \not\models \phi_1$.

If $\phi = A(\phi_1 V \phi_2)$, then
• $s_0$ is the initial state of another structure, denoted by $\Sigma_{\phi_1}$, such that $\Sigma_{\phi_1} \not\models \phi_1$;
• there is only one transition from $s_0$ to a state $s_0'$ not belonging to $\Sigma_{\phi_1}$, which is the initial state of another structure, denoted by $\Sigma_{\phi}$, such that $\Sigma_{\phi} \not\models \phi$;
• the sets of states of $\Sigma_{\phi_1}$ and $\Sigma_{\phi}$ are disjoint.

For $\phi = A(\phi_1 U \phi_2)$, $M$ is similar as for $\phi = A(\phi_1 V \phi_2)$, but with the roles of $\phi_1$ and $\phi_2$ exchanged.

Right-structures for $\phi$ are particular left-structures, such that all structures $\Sigma_{\phi}$, $\Sigma_{\phi_1}$, and $\Sigma_{\phi_2}$ involved, with the exception of $\Sigma_{\phi_1}$ for $\phi = A(\phi_1 V \phi_2)$, are $k$-structures (see Figure 6). □

Left- and right-structures will be used as components for the left-nested and right-nested formulas $\psi_1$ and $\psi_2$, respectively, in the constructions of structures $M$ witnessing the fact that formulas $A(\psi_1 U \psi_2)$ are not c-deterministic in general, and similarly for formulas $A(\psi_1 V \psi_2)$.

We note the following proposition.

Proposition 6.4 Let $M$ be any left-structure for a positive disjoint instantiation $\phi$. Then $M \not\models \phi$.

Proof. For $\phi = AX(\phi_1)$, this is obvious. To see this for $\phi = A(\phi_1 V \phi_2)$, let $\Pi$ be a counterexample for $\phi$ in $\Sigma_{\phi}$ (which exists by Theorem 3.1), and let $\Pi'$ be a counterexample for $\phi_1$ in $\Sigma_{\phi_1}$ (starting at $s_0$). Then, the multi-path $[\Pi', \Pi(0), \Pi(1), \ldots]$ is a counterexample for $\phi$. In case $\phi = A(\phi_1 U \phi_2)$, let $\Pi$ be a counterexample for $\phi$ in $\Sigma_{\phi}$ (which exists by Theorem 3.1), and let $\Pi'$ be a counterexample for $\phi_2$ in $\Sigma_{\phi_2}$ (starting at $s_0$). Then, the multi-path $[\Pi', \Pi(0), \Pi(1), \ldots]$ is a counterexample for $\phi$. □

Definition 6.5 (fusion of structures) Let $M_1$ and $M_2$ be conic structures with initial states $s^1_0$ and $s^2_0$, respectively, having disjoint sets of states. Then, the fusion of $M_1$ and $M_2$ is the conic structure $M$ obtained by taking the union of $M_1$ and $M_2$, where $s^1_0$ and $s^2_0$ are merged into a single state $s_0$ with label $L(s_0) = L(s^1_0) \cup L(s^2_0)$. □

Lemma 6.5 Let $\psi$ be a positive disjoint instantiation of a template $\psi^\star \in T^\star$ such that either

1. $\psi = A(\psi_1 U \psi_2)$, where $\psi_1^\star \notin PSF$ and $\psi_2^\star \in DET \setminus PSF$, or

2. $\psi = A(\psi_1 V \psi_2)$, where $\psi_1^\star \notin PSF$, and $\psi_2^\star \in DET$.

Then, $\psi$ is not c-deterministic.

Proof. To prove the statement, we have to find a structure $M$ such that both $M \not\models \psi$ and each counterexample for $\psi$ in $M$ is not a deterministic multi-path. We will construct such an $M$ starting from left- and right-structures $M_1$ and $M_2$ for the subformulas $\psi_1$ and $\psi_2$, respectively. Unless stated otherwise, such structures will have disjoint sets of states. We observe the following fact.

Fact. For each $\psi_1$, some left-structure exists, and for each $\psi_2$, by Lemma 6.3 some right-structure exists.

(Recall that right-structures are particular left-structures, and thus Lemma 6.3 implies also the existence of left-structures for each $\psi_2$. However, for each $\psi_2$ simple left-structures can be found.)

Technically, we prove the statement in the lemma first for the case in which $\psi_1$ and $\psi_2$ are either of the form $A\psi$ or pure state formulas. By exploiting Lemma 6.1, we can then conclude that the statement is true in general. Thus, according to $\psi_1^\star$ and $\psi_2^\star$, we consider the following cases (1) and (2).


(1) $\psi = A(\psi_1 U \psi_2)$, where $\psi_1^\star \notin PSF$ and $\psi_2^\star \in DET \setminus PSF$ are both of the form $A\psi^\star$. We construct $M$ as the fusion of a left-structure $M_1$ for $\psi_1$ and a right-structure $M_2$ for $\psi_2$ with initial state $s_0$, and modify $M$ according to the linear time operators $X$, $V$, and $U$, guarding $\psi_1$ and $\psi_2$, respectively. The following cases are possible:

• $\psi_1 = AX(\psi_{1,1})$ and $\psi_2 = AX(\psi_{2,1})$. We modify $M$ as follows. In each state $s$ of the structure $\Sigma_{\psi_{1,1}}$ in $M_1$ (see Def. 6.4), we include $AP(\psi_{2,1})$ (i.e., in its label $L(s)$), and in each state of $\Sigma_{\psi_{2,1}}$ in $M_2$, we include $AP(\psi_{1,1})$ (see Figure 7).

[Figure 7: The X-X case: $A(\psi_1 U \psi_2)$, where $\psi_1 = AX(\psi_{1,1})$ and $\psi_2 = AX(\psi_{2,1})$]

Clearly, these additions preserve the existence of counterexamples for $\psi_{1,1}$ in $\Sigma_{\psi_{1,1}}$ and for $\psi_{2,1}$ in $\Sigma_{\psi_{2,1}}$, respectively, since $AP(\psi_{1,1})$ and $AP(\psi_{2,1})$ are disjoint.

It holds that $M \not\models \psi$, since $M_1 \not\models \psi_1$ and $M_2 \not\models \psi_2$. Indeed, we can find a counterexample for $\psi_1 \vee \psi_2$ simply by merging a counterexample for $\psi_1$ in $M_1$ with a counterexample for $\psi_2$ in $M_2$. Clearly, this counterexample is not deterministic.

It remains to show that no deterministic counterexample for $\psi$ in $M$ exists. First observe that no counterexample for $\psi_1$ is in $M_2$. Indeed, for every multi-path $\Pi$ in $M_2$, $\Pi(1)$ cannot be a counterexample for $\psi_{1,1}$, since each state of $M_2$ except $s_0$ contains the set $AP(\psi_{1,1})$. Similarly, there is no counterexample for $\psi_2$ in $M_1$. Hence, each counterexample for $\psi$ involving counterexamples for both $\psi_1$ and $\psi_2$ cannot be deterministic.

By Definition 3.5, any counterexample for $\psi$ must involve counterexamples for $\psi_2$. Now we show that every counterexample for $\psi$ involving only counterexamples for $\psi_2$ is not deterministic. Clearly, this concludes the proof. Towards a contradiction, suppose $\Pi$ is a deterministic counterexample such that $\Pi(i)$ is a counterexample for $\psi_2$, for every $i \ge 0$. Since $\psi_2$ is globally true in $M_1$, $\pi(\Pi)$ must lead into $M_2$, and thus into $\Sigma_{\psi_{2,1}}$. However, $\Sigma_{\psi_{2,1}}$ is a $k$-structure, which means that $\psi_2$ is eventually true. This raises the desired contradiction.

• $\psi_1 = AX(\psi_{1,1})$ and $\psi_2 = A(\psi_{2,1} V \psi_{2,2})$. We modify $M$ in the following way. We add to every state $s$ of $M_1$ except $s_0$ the set $AP(\psi_2)$. Similarly, we add to every state of $M_2$ except $s_0$ the set $AP(\psi_1)$. Finally, we add in every other state of $\Sigma_{\psi_{2,1}}$ in $M_2$ (see definition of right-structure), including $s_0$, the set $AP(\psi_{2,2})$ (see Figure 8).

It is easy to see that after these additions, $M_1 \not\models \psi_1$ and $M_2 \not\models \psi_2$ still hold. Thus, $M \not\models \psi$. Moreover, no counterexample for $\psi_1$ is in $M_2$. Indeed, for every multi-path $\Pi$ in $M_2$, $\Pi(1)$ cannot be a counterexample for $\psi_{1,1}$, since each state of $M_2$ except $s_0$ contains the set $AP(\psi_{1,1})$. Finally, no counterexample for $\psi_2$ is in $M_1$. Indeed, a counterexample for $\psi_2$ must contain a counterexample for $\psi_{2,2}$. However, this is impossible, since $\psi_{2,2}$ is globally true in $M_1$. Hence, a counterexample for $\psi$ involving counterexamples for both $\psi_1$ and $\psi_2$ cannot be deterministic. By Definition 3.5 a counterexample for $\psi$ must involve counterexamples for $\psi_2$.


[Figure 8: The X-V case: $A(\psi_1 U \psi_2)$, where $\psi_1 = AX(\psi_{1,1})$ and $\psi_2 = A(\psi_{2,1} V \psi_{2,2})$]

Now we show that every counterexample for $\psi$ involving only counterexamples for $\psi_2$ is not deterministic. Clearly, this concludes the proof. Towards a contradiction, suppose $\Pi$ is a deterministic counterexample involving only counterexamples for $\psi_2$. By Definition 3.5, $\Pi$ is such that $\Pi(i)$ is a counterexample for $\psi_2$, for each $i \ge 0$. But such a counterexample cannot be deterministic. Indeed, $\Pi$ cannot lead into $\Sigma_{\psi_2}$, since it is a $k$-structure of $\psi_2$. On the other hand, it cannot lead into $M_1$ or $\Sigma_{\psi_{2,1}}$, since a counterexample for $\psi_2$ must contain a counterexample for $\psi_{2,2}$, and $\psi_{2,2}$ is globally true in $\Sigma_{\psi_{2,1}}$. Hence, every counterexample for $\psi$ in $M$ is not deterministic.

• $\psi_1 = AX(\psi_{1,1})$ and $\psi_2 = A(\psi_{2,1} U \psi_{2,2})$. We modify $M$ as follows. We add to every state of $M_1$ except $s_0$ the set $AP(\psi_2)$, and to every state of $M_2$ except $s_0$ the set $AP(\psi_1)$. Finally, we add in every state of $\Sigma_{\psi_{2,2}}$ in $M_2$ including $s_0$ the set $AP(\psi_{2,1})$ (see Figure 9).

It is easy to see that after these additions $M_1 \not\models \psi_1$ and $M_2 \not\models \psi_2$ still hold. Thus, $M \not\models \psi$. Moreover, no counterexample for $\psi_1$ is in $M_2$. Indeed, for every multi-path $\Pi$ in $M_2$, $\Pi(1)$ cannot be a counterexample for $\psi_{1,1}$, since each state of $M_2$ except $s_0$ contains the set $AP(\psi_{1,1})$. Finally, no counterexample for $\psi_2$ is in $M_1$. Indeed, since each state of $M_1$ contains $AP(\psi_{2,1})$, a counterexample for $\psi_2$ in $M_1$ could only be a multi-path $\Pi$ such that $\Pi(i)$ is a counterexample for $\psi_{2,2}$, for each $i \ge 0$. But this is impossible, since for every multi-path $\Pi$ in $M_1$, each state appearing in $\Pi(i)$, for $i \ge 1$, contains $AP(\psi_{2,2})$. Hence, a counterexample for $\psi$ involving counterexamples for both $\psi_1$ and $\psi_2$ cannot be deterministic. Definition 3.5 requires that a counterexample for $\psi$ must involve a counterexample for $\psi_2$. Now we show that every counterexample for $\psi$ involving only counterexamples for $\psi_2$ is not deterministic. This, clearly, concludes the proof. Towards a contradiction, suppose $\Pi$ is a deterministic counterexample for $\psi$ such that $\Pi(i)$ is a counterexample for $\psi_2$, for every $i \ge 0$. But such a counterexample cannot be deterministic. Indeed, it can neither lead into $M_1$ nor into $\Sigma_{\psi_2}$, since this is a $k$-structure of $\psi_2$. Furthermore, it cannot lead into $\Sigma_{\psi_{2,2}}$. Indeed, a counterexample for $\psi_2$ cannot involve a counterexample for $\psi_{2,1}$, as $\Sigma_{\psi_{2,2}}$ contains in each state the set $AP(\psi_{2,1})$. Thus, such a counterexample could only be a multi-path $\Pi$ such that $\Pi(i)$ is a (deterministic) counterexample for $\psi_{2,2}$, for each $i \ge 0$. But this is not possible, since $\Sigma_{\psi_{2,2}}$ is a $k$-structure of $\psi_{2,2}$. Hence, no counterexample for $\psi$ in $M$ is deterministic.

[Figure 9: The X-U case: $A(\psi_1 U \psi_2)$, where $\psi_1 = AX(\psi_{1,1})$ and $\psi_2 = A(\psi_{2,1} U \psi_{2,2})$]

• $\psi_1 = A(\psi_{1,1} V \psi_{1,2})$ and $\psi_2 = AX(\psi_{2,1})$. We modify $M$ as follows. We add to every state of $M_1$ except $s_0$ the set $AP(\psi_2)$ and to every state of $M_2$ except $s_0$ the set $AP(\psi_1)$. Moreover, we add to $s_0$ the set $AP(\psi_{1,2})$. Finally, we add in every other state of $\Sigma_{\psi_{1,1}}$ in $M_1$ (see definition of left-structure) the set $AP(\psi_{1,2})$ (see Figure 10).

[Figure 10: The V-X case: $A(\psi_1 U \psi_2)$, where $\psi_1 = A(\psi_{1,1} V \psi_{1,2})$ and $\psi_2 = AX(\psi_{2,1})$]

After these additions, $M_1 \not\models \psi_1$ and $M_2 \not\models \psi_2$ still hold. Thus, $M \not\models \psi$. Moreover, no counterexample for $\psi_2$ is in $M_1$. Indeed, for every multi-path $\Pi$ in $M_1$, $\Pi(1)$ cannot be a counterexample for $\psi_{2,1}$, since each state of $M_1$ except $s_0$ contains the set $AP(\psi_{2,1})$. Finally, no counterexample for $\psi_1$ is in $M_2$. Indeed, a counterexample for $\psi_1$ must contain a counterexample for $\psi_{1,2}$, but this is impossible, since each state in $M_2$ contains $AP(\psi_{1,2})$. Hence, a counterexample for $\psi$ involving counterexamples for both $\psi_1$ and $\psi_2$ cannot be deterministic. By Definition 3.5, a counterexample for $\psi$ must involve counterexamples for $\psi_2$. Now we show that every counterexample for $\psi$ involving only counterexamples for $\psi_2$ is not deterministic. This, clearly, concludes the proof. Towards a contradiction, suppose $\Pi$ is a deterministic counterexample


involving only counterexamples for $\psi_2$. Definition 3.5 implies that $\Pi(i)$ is a counterexample for $\psi_2$, for each $i \ge 0$. But such a counterexample cannot be deterministic. Indeed, $\Pi$ cannot lead into $M_1$ and not into $M_2$, since $\Sigma_{\psi_{2,1}}$ is a $k$-structure of $\psi_{2,1}$. This proves the statement.

• $\psi_1 = A(\psi_{1,1} V \psi_{1,2})$ and $\psi_2 = A(\psi_{2,1} V \psi_{2,2})$. We modify $M$ as follows. We add to every state of $M_1$ except $s_0$ the set $AP(\psi_2)$. Then, we add to every state of $M_2$ except $s_0$ the set $AP(\psi_1)$. Moreover, we add to $s_0$ the set $AP(\psi_{1,2})$. Finally, we add in every state of $\Sigma_{\psi_{2,1}}$ in $M_2$, including $s_0$, the set $AP(\psi_{2,2})$ (see Figure 11).

[Figure 11: The V-V case: $A(\psi_1 U \psi_2)$, where $\psi_1 = A(\psi_{1,1} V \psi_{1,2})$ and $\psi_2 = A(\psi_{2,1} V \psi_{2,2})$]

It is easy to see that, also after these additions, $M_1 \not\models \psi_1$ and $M_2 \not\models \psi_2$. Thus, $M \not\models \psi$. Moreover, no counterexample for $\psi_1$ is in $M_2$. Indeed, $\psi_{1,2}$ is globally true in $M_2$. Similarly, no counterexample for $\psi_2$ is in $M_1$. Hence, a counterexample for $\psi$ involving counterexamples for both $\psi_1$ and $\psi_2$ cannot be deterministic. By Definition 3.5, a counterexample for $\psi$ must involve a counterexample for $\psi_2$. Now we show that every counterexample for $\psi$ involving only counterexamples for $\psi_2$ is not deterministic. This, clearly, concludes the proof. Towards a contradiction, suppose $\Pi$ is a deterministic counterexample for $\psi$ such that $\Pi(i)$ is a counterexample for $\psi_2$, for each $i \ge 0$. But such a counterexample cannot be deterministic. Indeed, $\Pi$ cannot lead into $M_1$, and it cannot lead into $\Sigma_{\psi_2}$ since it is a $k$-structure of $\psi_2$. On the other hand, it cannot lead into $\Sigma_{\psi_{2,1}}$, since a counterexample for $\psi_2$ must contain a counterexample for $\psi_{2,2}$ and $\psi_{2,2}$ is globally true in $\Sigma_{\psi_{2,1}}$. Hence, every counterexample for $\psi$ in $M$ is not deterministic.

• $\psi_1 = A(\psi_{1,1} V \psi_{1,2})$ and $\psi_2 = A(\psi_{2,1} U \psi_{2,2})$. We modify $M$ as follows. We add to every state of $M_1$ except $s_0$ the set $AP(\psi_2)$. Then, we add to every state of $M_2$ except $s_0$ the set $AP(\psi_1)$. Moreover, we add to $s_0$ the set $AP(\psi_{1,2}) \cup AP(\psi_{2,1})$. Finally, we add in every other state of $\Sigma_{\psi_{2,2}}$ in $M_2$ the set $AP(\psi_{2,1})$ (see Figure 12).

It is easy to see that, also after these additions, $M_1 \not\models \psi_1$ and $M_2 \not\models \psi_2$. Thus, $M \not\models \psi$. Moreover, no counterexample for $\psi_1$ is in $M_2$. Indeed, a counterexample for $\psi_1$ must contain a counterexample for $\psi_{1,2}$.


[Figure 12: The V-U case: $A(\psi_1 U \psi_2)$, where $\psi_1 = A(\psi_{1,1} V \psi_{1,2})$ and $\psi_2 = A(\psi_{2,1} U \psi_{2,2})$]

But this is impossible, since each state in $M_2$ contains $AP(\psi_{1,2})$. Finally, no counterexample for $\psi_2$ is in $M_1$. Indeed, since each state of $M_1$ contains the set $AP(\psi_{2,1})$, a counterexample for $\psi_2$ in $M_1$ could only be a multi-path $\Pi$ such that each element $\Pi(i)$ is a counterexample for $\psi_{2,2}$, for each $i \ge 0$. But this is impossible, since $\psi_{2,2}$ is globally true in $M_1$.

Hence, a counterexample for $\psi$ involving counterexamples for both $\psi_1$ and $\psi_2$ cannot be deterministic. By Definition 3.5 a counterexample for $\psi$ must involve a counterexample for $\psi_2$. Now we show that every counterexample for $\psi$ involving only counterexamples for $\psi_2$ is not deterministic. This, clearly, concludes the proof. Towards a contradiction, suppose $\Pi$ is such a deterministic counterexample, i.e., $\Pi(i)$ is a counterexample for $\psi_2$, for each $i \ge 0$. But such a counterexample cannot be deterministic. Indeed, it cannot lead into $\Sigma_{\psi_2}$, since this is a $k$-structure of $\psi_2$. On the other hand, it cannot lead into $\Sigma_{\psi_{2,2}}$. Indeed, a counterexample for $\psi_2$ cannot involve a counterexample for $\psi_{2,1}$ as $\Sigma_{\psi_{2,2}}$ contains in each state the set $AP(\psi_{2,1})$. Thus, such a counterexample could only be a multi-path $\Pi$ such that $\Pi(i)$ is a (deterministic) counterexample for $\psi_{2,2}$, for each $i \ge 0$. But this is not possible, since $\Sigma_{\psi_{2,2}}$ is a $k$-structure of $\psi_{2,2}$. Hence, no counterexample for $\psi$ in $M$ is deterministic.

• $\psi_1 = A(\psi_{1,1} U \psi_{1,2})$ and $\psi_2 = AX(\psi_{2,1})$. We modify $M$ in the following way. We add to every state of $M_1$ except $s_0$ the set $AP(\psi_2)$ and to every state of $M_2$ except $s_0$ the set $AP(\psi_1)$. Finally, we add in every state of $\Sigma_{\psi_{1,2}}$ in $M_1$ the set $AP(\psi_{1,1})$ (see Figure 13).

It is easy to see that, also after these additions, $M_1 \not\models \psi_1$ and $M_2 \not\models \psi_2$. Thus, $M \not\models \psi$. Moreover, no counterexample for $\psi_2$ is in $M_1$. Indeed, for every multi-path $\Pi$ in $M_1$, $\Pi(1)$ cannot be a counterexample for $\psi_{2,1}$, since each state of $M_1$ except $s_0$ contains the set $AP(\psi_{2,1})$. Finally, no counterexample for $\psi_1$ is in $M_2$. Indeed, since each state of $M_2$ contains the set $AP(\psi_{1,1})$, a counterexample for $\psi_1$ in $M_2$ could only be a multi-path $\Pi$ such that each element $\Pi(i)$ is a counterexample for $\psi_{1,2}$, for each $i \ge 0$. But this is impossible, since for every multi-path $\Pi$ in $M_2$, each state appearing in $\Pi(i)$ contains the set $AP(\psi_{1,2})$,


[Figure 13: The U-X case: $A(\psi_1 U \psi_2)$, where $\psi_1 = A(\psi_{1,1} U \psi_{1,2})$ and $\psi_2 = AX(\psi_{2,1})$]

for each $i \ge 1$. Hence, a counterexample for $\psi$ involving counterexamples for both $\psi_1$ and $\psi_2$ cannot be deterministic. By Definition 3.5 a counterexample for $\psi$ must involve a counterexample for $\psi_2$. Now we show that every counterexample for $\psi$ involving only counterexamples for $\psi_2$ is not deterministic. This, clearly, concludes the proof. Towards a contradiction, suppose $\Pi$ is a deterministic counterexample such that $\Pi(i)$ is a counterexample for $\psi_2$, for each $i \ge 0$. But such a counterexample cannot be deterministic. Indeed, $\Pi$ cannot lead into $M_1$, since $\psi_2$ is globally true in $M_1$, and it cannot lead into $M_2$, since $\Sigma_{\psi_{2,1}}$ is a $k$-structure of $\psi_{2,1}$. Thus, the statement is proven.

• $\psi_1 = A(\psi_{1,1} U \psi_{1,2})$ and $\psi_2 = A(\psi_{2,1} V \psi_{2,2})$. We modify $M$ in the following way. We add to every state of $M_1$ except $s_0$ the set $AP(\psi_2)$. Then, we add to every state of $M_2$ except $s_0$ the set $AP(\psi_1)$. Moreover, we add to $s_0$ the set $AP(\psi_{1,1}) \cup AP(\psi_{2,2})$. Finally, we add to every other state of $\Sigma_{\psi_{2,1}}$ in $M_2$ the set $AP(\psi_{2,2})$ (see Figure 14).

It is easy to see that after these additions, $M_1 \not\models \psi_1$ and $M_2 \not\models \psi_2$ hold. Thus, $M \not\models \psi$. Moreover, no counterexample for $\psi_1$ is in $M_2$. Indeed, $\psi_{1,1}$ is globally true in $M_2$ and for every multi-path $\Pi$ in $M_2$, $\Pi(i)$, for $i \ge 1$, cannot be a counterexample for $\psi_{1,2}$, since each state of $M_2$ except $s_0$ contains the set $AP(\psi_{1,2})$. Finally, no counterexample for $\psi_2$ is in $M_1$. Indeed, $\psi_{2,2}$ is globally true in $M_1$. Hence, a counterexample for $\psi$ involving counterexamples for both $\psi_1$ and $\psi_2$ cannot be deterministic. By Definition 3.5, a counterexample for $\psi$ must involve a counterexample for $\psi_2$. Now we show that every counterexample for $\psi$ involving only counterexamples for $\psi_2$ is not deterministic. This, clearly, concludes the proof. Towards a contradiction, suppose $\Pi$ is a deterministic counterexample for $\psi$ such that $\Pi(i)$ is a counterexample for $\psi_2$, for each $i \ge 0$. Such a counterexample cannot be deterministic. Indeed, $\Pi$ can neither lead into $M_1$ (cf. above) nor into $\Sigma_{\psi_{2,1}}$, since a counterexample for $\psi_2$ must contain a counterexample for $\psi_{2,2}$, which is globally true in $\Sigma_{\psi_{2,1}}$. Furthermore, $\Pi$ cannot lead into $\Sigma_{\psi_2}$, since it is a $k$-structure of $\psi_2$. Hence, no counterexample for $\psi$ in $M$ is deterministic.

• $\psi_1 = A(\psi_{1,1} U \psi_{1,2})$ and $\psi_2 = A(\psi_{2,1} U \psi_{2,2})$. We modify $M$ in the following way. We add to every state of $M_1$ except $s_0$ the set $AP(\psi_2)$ and to every state of $M_2$ except $s_0$ the set $AP(\psi_1)$. Moreover, we add in $s_0$ the set $AP(\psi_{1,1}) \cup AP(\psi_{2,1})$. Finally, we add in every other state of $\Sigma_{\psi_{2,2}}$ in $M_2$ (see definition of right-structure) the set $AP(\psi_{2,1})$ (see Figure 15).

It is easy to see that after these additions, $M_1 \not\models \psi_1$ and $M_2 \not\models \psi_2$ hold. Thus, $M \not\models \psi$. Moreover, no counterexample for $\psi_1$ is in $M_2$. Indeed, $\psi_{1,1}$ is globally true in $M_2$ and for every multi-path $\Pi$ in $M_2$, $\Pi(i)$,


[Figure 14: The U-V case: $A(\psi_1 U \psi_2)$, where $\psi_1 = A(\psi_{1,1} U \psi_{1,2})$ and $\psi_2 = A(\psi_{2,1} V \psi_{2,2})$]

for $i \ge 1$, cannot be a counterexample for $\psi_{1,2}$, since each state of $M_2$ except $s_0$ contains the set $AP(\psi_{1,2})$. Similarly, no counterexample for $\psi_2$ is in $M_1$. Hence, a counterexample for $\psi$ involving counterexamples for both $\psi_1$ and $\psi_2$ cannot be deterministic. By Definition 3.5, a counterexample for $\psi$ must involve a counterexample for $\psi_2$. Now we show that every counterexample for $\psi$ involving only counterexamples for $\psi_2$ is not deterministic. This, clearly, concludes the proof. Towards a contradiction, let $\Pi$ be a deterministic counterexample for $\psi$ such that $\Pi(i)$ is a counterexample for $\psi_2$, for each $i \ge 0$. But such a counterexample cannot be deterministic. Indeed, $\Pi$ cannot lead into $M_1$, and furthermore, it cannot lead into $\Sigma_{\psi_2}$, since this is a $k$-structure of $\psi_2$. Finally, it also cannot lead into $\Sigma_{\psi_{2,2}}$. Indeed, a counterexample for $\psi_2$ cannot involve a counterexample for $\psi_{2,1}$, as $\Sigma_{\psi_{2,2}}$ contains in each state the set $AP(\psi_{2,1})$. Thus, such a counterexample could only be a multi-path $\Pi$ such that $\Pi(i)$ is a (deterministic) counterexample for $\psi_{2,2}$, for each $i \ge 0$. But this is not possible, since $\Sigma_{\psi_{2,2}}$ is a $k$-structure of $\psi_{2,2}$. Hence, every counterexample for $\psi$ in $M$ is not deterministic.

(2) The second case is $\psi = A(\psi_1 V \psi_2)$, where $\psi_1^\star \notin PSF$ is of the form $A\psi^\star$ and either $\psi_2^\star \in DET$ is of the form $A\psi^\star$ or $\psi_2^\star \in PSF$. In this case, we consider all possible shapes of the template $\psi_1^\star$. In each case, we construct a structure $M$ such that both $M \not\models \psi$ and each counterexample for $\psi$ in $M$ is not deterministic. The structure $M$ is obtained by a modification of a base structure which we define next.

Let $M'$ be a single-path structure as stated in Lemma 6.2 for formula $\psi_2$. Thus, $M' \models \psi_2$. Furthermore, there exists an index $k \ge 1$ such that $\pi(M')^k$ is a local counterpath for $\psi_2$ (resp., $\psi_2$ is false in $\pi(M')(k)$). Without loss of generality, $k$ is the least index having this property. Denote by $s_i = \pi(M')(i)$, for $i = 0, \ldots, k$, the first $k + 1$ states appearing in $\pi(M')$. Note that the $s_i$ (hence also the suffixes $\pi(M')^i$) are pairwise distinct. Furthermore, $s_k$ is the initial state of a structure $M^+$ induced by $s_k$ in $M'$ (i.e., the suffix $\pi(M')^k$) such that $M^+ \not\models \psi_2$.

Figure 15: The U-U case: A(1 U 2), where 1 = A(1,1 U 1,2) and 2 = A(2,1 U 2,2) (figure not reproduced)

Let M0 be a left-structure for 1. We take copies M1, ..., Mk−1 and repeatedly take the fusion of Mi with the substructure of M′ induced by the state si in M′, for i = 0, ..., k−1. The repeatedly so revised structure M′ is the desired structure M with initial state s0 (cf. Figure 16).

We now consider the possible types of ⋆1.

• 1 = AX(1,1), i.e., = A(AX(1,1) V 2). To construct M, we modify the above structure M as follows. Include in the label of each state not appearing in π(M′)^k the set AP(2). Note that this addition does not affect the existence of (local) counterexamples for 1 starting at s0, s1, ..., sk−1, since AP(1) and AP(2) are disjoint. Finally, we add the set AP(1) in every state of M′ (thus, to each state appearing in π(M′)). This addition preserves the existence of counterexamples for 1 starting with s0, s1, ..., sk−1, since 1 involves the next-time operator. Furthermore, π(M′)^k is still a local counterpath for 2, since AP(1) and AP(2) are disjoint. The resulting conic structure with initial state s0 is M (see Figure 16).

We can see that M ⊭ . Indeed, there exists a multi-path π2 such that π2(i) is a l-counterexample for 1, for 0 ≤ i ≤ k−1 (recall that each state si is origin of a l-counterexample for 1), and π2(k) is a local counterexample for 2 with main path π(M′)^k. Clearly, this multi-path is not deterministic. Moreover, no deterministic counterexample for is in M. Indeed, each counterexample for needs a counterexample for 2. But all paths starting with the initial state s0 cannot be a local counterpath for 2. Indeed, each path π not reaching states beyond sk cannot be a counterpath for 2, since the label of each state appearing in π would contain the set AP(2). On the other hand, the only path starting with s0 and reaching sk is π(M′). However, as M′ was chosen according to Lemma 6.2, this path cannot be a counterpath for 2. Hence, we need a counterexample whose first element is a counterexample for 1. Clearly, we cannot find a counterexample for 1 along the path π(M′), since each state in it contains AP(1). Hence, each counterexample for necessarily contains branching, that is, it is not deterministic.

Figure 16: Nesting into unless, the X case: = A(AX(1,1) V 2) (figure not reproduced)

Figure 17: Nesting into unless, the V case: = A(A(1,1 V 1,2) V 2) (figure not reproduced)

• ⋆1 = A(⋆1,1 V ⋆1,2). Then, = A(A(1,1 V 1,2) V 2). To construct M, we modify the above structure M as follows. We add in each state not appearing in π(M′)^k the set AP(2). Note that this addition does not affect the existence of counterexamples for 1 starting with s0, s1, ..., sk−1, since AP(1) and AP(2) are disjoint. Finally, we add the set AP(1,2) in every state appearing in π(M′). This addition preserves the existence of counterexamples for 1,1 (hence, for 1) starting with s0, s1, ..., sk−1. Furthermore, π(M′)^k is still a local counterpath for 2, since AP(2) and AP(1,2) are disjoint. The resulting conic structure with initial state s0 is M (see Figure 17).

We can see that M ⊭ . Indeed, there exists a multi-path π2 such that π2(i) is a l-counterexample for 1, for 0 ≤ i ≤ k−1 (recall that each state si is origin of a l-counterexample for 1), and π2(k) is a local counterexample for 2 with main path π(M′)^k. Clearly, this multi-path is not deterministic. Moreover, no deterministic counterexample for in M exists. Indeed, each counterexample for needs a counterexample for 2. It holds that every path starting at s0 cannot be a counterpath for 2. Indeed, each path π not reaching the state sk cannot be a counterpath for 2, since the label of each state appearing in π would contain the set AP(2). On the other hand, the only path starting at s0 and reaching sk is π(M′). As M′ was chosen according to Lemma 6.2, this path cannot be a counterpath for 2 by construction. Hence, we need a counterexample such that the first element is a counterexample for 1. Clearly, we cannot find a counterexample for 1 along the path π(M′), since each state in it contains AP(1,2) (and a counterexample for 1 necessarily contains a counterexample for 1,2). Hence, each counterexample for necessarily contains branching, that is, it is not deterministic.

• 1 = A(1,1 U 1,2), i.e., = A(A(1,1 U 1,2) V 2). We modify the structure M from above as follows. We add to each state not appearing in π(M′)^k the set AP(2). Note that this addition does not affect the existence of local counterexamples for 1 starting at s0, s1, ..., sk−1, since AP(1) and AP(2) are disjoint. Furthermore, add the set AP(1,1) in every state appearing in π(M′). This addition preserves the existence of counterexamples for 1,2 (hence for 1) starting at s0, s1, ..., sk−1. Finally, we add in every state appearing in π(M)^k the set AP(1,2). Clearly, after this addition π(M′)^k is still a local counterpath for 2, since AP(1) and AP(2) are disjoint. The resulting conic structure with initial state s0 is M (see Figure 18).

We can see that M ⊭ . Indeed, there exists a multi-path π2 such that π2(i) is a l-counterexample for 1, for 0 ≤ i ≤ k−1, and π2(k) is a counterexample for 2 with main path π(M′)^k. Clearly, this multi-path is not deterministic. Moreover, no deterministic counterexample for exists in M. Indeed, each counterexample for needs a counterexample for 2. Every path π starting at the initial state s0 cannot be a counterpath for 2. Indeed, if π does not reach the state sk, it cannot be a counterpath for 2, since the label of each state appearing in π would contain the set AP(2). On the other hand, the only path starting at s0 and reaching sk is π(M′)^k. Since M′ was chosen according to Lemma 6.2, it is not a counterpath for 2. Hence, we need a counterexample whose first element is a counterexample for 1. Clearly, we cannot find a counterexample for 1,1 along the path π(M′), since each state in it contains the set AP(1,1). Hence, a counterexample for 1 could only be a multi-path π such that π(i) is a counterexample for 1,2, for each i ≥ 0. But such a counterexample cannot be found along the path π(M′). Indeed, along its suffix π(M′)^k the formula 1,2 is always true.

Hence, each counterexample for necessarily contains branching, that is, it is not deterministic.

This concludes the proof for the case in which ⋆1, ⋆2 have form A or ⋆2 ∈ PSF.

For the case of a general ⋆1, we observe that Lemma 6.1 can be exploited: the instantiation 1 is a monotone Boolean combination of positive disjoint instantiations 1,1, ..., 1,m (each of which occurs only once) such that w.l.o.g. 1,1 is of the form A . We proceed then for 1 as for 1,1, but use the structure M from Lemma 6.1 for φ = 1 instead of the structure M+ for φ+ = 1,1 (observe that M+ can always be chosen such that R(M+) is total). For the general case of 2, we proceed analogously. This proves the result. □

Theorem 6.6 Let be any positive disjoint instantiation of a template ⋆ ∈ T⋆. If ⋆ ∉ DET, then is not c-deterministic.

Proof. We proceed by induction on the number of universal quantifiers A appearing in , which is denoted by nA( ).

(Basis) The case nA( ) = 0 is trivial, since ⋆ belongs to PSF ⊆ DET.

(Induction) Assume that the statement is true for every such that nA( ) < k. We have to show that each positive disjoint instantiation of ⋆ ∈ T⋆ ∖ DET such that nA( ) = k is not c-deterministic, i.e., that there is a structure M such that both M ⊭ and each counterexample for in M is not deterministic.

Figure 18: Nesting into unless, the V case: = A(A(1,1 V 1,2) V 2) (figure not reproduced)

The formula is either of the form A , or a Boolean combination of formulas 1, ..., m. We consider the possible cases.

• = AX φ, where nA(φ) = k−1. By Definition 4.7, ⋆ ∉ DET if and only if φ⋆ ∉ DET. Thus, since nA(φ) = k−1, the induction hypothesis implies that φ is not c-deterministic. Hence, there exists a structure M′ such that both M′ ⊭ φ and no counterexample for φ in M′ is deterministic. Without loss of generality, M′ is conic and has the initial state s′0. Let the conic structure M with initial state s0 result by connecting a new state s0 to M′ via the transition (s0, s′0). Clearly, M ⊭ . Furthermore, each counterexample π for is such that π(1) is a counterexample for φ. Since or(π(1)) = s′0, π(1) cannot be deterministic, by hypothesis. Hence, π is not deterministic.

• = A(1 V 2), where nA(1) + nA(2) = k−1. By the definition of DET, the following two cases cover each such that ⋆ ∉ DET:

1. ⋆1 ∉ PSF and ⋆2 ∈ DET. This case has been already proven in Lemma 6.5.

2. ⋆2 ∉ DET. By the induction hypothesis, 2 is not c-deterministic. Thus, there exists a structure M such that M ⊭ 2 and no counterexample in M is deterministic. We modify M by adding in each state the set AP(1). Clearly, no local counterexamples for 1 can be found in M. However, M ⊭ . Moreover, each counterexample for in M must start with a counterexample for 2. Hence, it is not deterministic.

• = A(1 U 2), where nA(1) + nA(2) = k−1. Due to the intricate possibilities of nesting into an until from DET, this case requires a careful analysis of several subcases. The following cases exhaust each possibility of ⋆ ∉ DET:

1. ⋆1 ∉ PSF and ⋆2 ∈ DET ∖ PSF;

2. ⋆1 ∉ DET and ⋆2 ∈ PSF;

3. ⋆2 ∉ DET;

4. ⋆1 ∈ PSF and ⋆2 ∈ AX(DET);

5. ⋆1 ∈ PSF and ⋆2 ∈ AV(PSF, DET);

6. ⋆1 ∈ PSF and ⋆2 ∈ S12 ∧ S12;

7. ⋆1 ∈ PSF and ⋆2 ∈ PSF ∧ S12 ∪ S12 ∧ PSF.

We now consider these cases.

1. ⋆1 ∉ PSF and ⋆2 ∈ DET ∖ PSF. This case has been already proven in Lemma 6.5.

2. ⋆1 ∉ DET and ⋆2 ∈ PSF. Since ⋆1 ∉ DET, by the induction hypothesis a structure M exists such that M ⊭ 1 and no counterexample for 1 in M is deterministic. Without loss of generality, M is conic with initial state s0 and AP(2) ∩ AP(M) = ∅. Clearly, M ⊭ , since M ⊭ 2. Modify now M by adding to each state except s0 the set AP(2). Since AP(1) ∩ AP(2) = ∅, still M ⊭ 1 holds. Moreover, since L(M)(s0) ∩ AP(2) = ∅, also M ⊭ 2 holds. Thus, M ⊭ . It holds that each counterexample for in M must contain a counterexample for 1, and thus it is not deterministic. Indeed, in any alternative counterexample π for the element π(i) would be a local counterexample for 2, for every i ≥ 0. Since all states of M except s0 contain AP(2), this is impossible.

Figure 19: Nesting of PSF and AX(T⋆) into until: = A(1 U AX(2,1)). (figure not reproduced)

3. ⋆2 ∉ DET. By the inductive hypothesis, there exists a structure M such that both M ⊭ 2 and each counterexample for 2 in M is not deterministic. W.l.o.g., M is conic with initial state s0 and AP(1) ∩ AP(M) = ∅. Clearly, M ⊭ , where = A(1 U 2), since M ⊭ 1 and M ⊭ 2. We can conclude that each counterexample for in M is not deterministic. Indeed, if π is a counterexample for in M, π(0) must be a l-counterexample for 2. Moreover or(π(0)) = s0. Hence, π(0) is a counterexample for 2 in M. Consequently, π(0) and hence also π cannot be deterministic.

4. ⋆1 ∈ PSF and ⋆2 ∈ AX(DET). Let M′ be a single-path structure and k ≥ 1 for formula 2 as described in Lemma 6.2. Thus, M′ ⊨ 2, and π(M′)^k is a local counterpath for 2 (resp., M′, π(M′)(k) ⊭ 2). Let k w.l.o.g. be the least such index.

Let s0, s1, ..., sk denote the first k+1 states appearing in π(M′). These si are pairwise distinct. Clearly, sk is the first state of the suffix π(M′)^k. We assume w.l.o.g. L(M′)(sk) ∩ AP(1) = ∅. Let M0 be a k-structure for 2 such that the initial state has an empty label. Lemma 6.3 implies that such an M0 exists; observe that M0 ⊭ 2. Let M1, ..., Mk−1 be copies of M0. For i = 0, ..., k−1 we repeatedly take the fusion of Mi with the structure induced by si in M′. Since the initial state of Mi has an empty label, these fusions do not change any label in M′. Finally, we add to every state except sk the set AP(1). The resulting structure is the desired M (see Figure 19).

Figure 20: Nesting of PSF and AV(T⋆) into until: = A(1 U A(2,1 V 2,2)) (figure not reproduced)

First observe that M ⊭ . Indeed, each state si, for 0 ≤ i ≤ k, is origin of a local counterexample for 2. Furthermore, sk is also origin of a local counterexample for 1. It remains to show that no deterministic counterexample is in M. In any counterexample π for the element π(0) must be a counterexample for 2. This implies that a counterpath for cannot reach state sk. Indeed, the only path reaching state sk is π(M′), which by construction is not a counterpath for 2. Thus, a counterpath π for could only lead into some structure Mi, where 0 ≤ i ≤ k−1. However, in each Mi formula 1 is globally true. Hence π would have to satisfy that π^j, for each j ≥ 1, is a local counterpath for 2. Since each Mi is a k-structure for 2, this is impossible. This proves that no deterministic counterexample for exists in M.

5. ⋆1 ∈ PSF and ⋆2 ∈ AV(PSF, DET). Thus, 2 = A(2,1 V 2,2), where 2,1 is a pure state formula and 2,2 is c-deterministic by Theorem 5.1.

Let M be a k-structure for 2 with initial state s′0. Such a structure exists by Lemma 6.3, and w.l.o.g. AP(M) ∩ AP(1) = ∅. We modify M by adding a new initial state s0 with empty label and the transitions (s0, s′0) and (s0, s0). Then, we add to each state the set AP(1) and to s0 the set AP(2,2) (see Figure 20).

The path [s0, s′0, ...] is a counterpath for 2. Thus, the multi-path [[s0, s′0, ...], [s0, s′0, ...], ...] is a counterexample for . It holds that no deterministic counterexample for exists in M. Indeed, since AP(1) is contained in each state, any counterexample for must contain infinitely many counterexamples for 2. Since s′0 is the initial state of a k-structure for 2, no counterpath for is possible which reaches s′0. Hence, the only possibility for a counterpath of is π = [s0, s0, s0, ...]. Since s0 contains AP(2,2), this is impossible. Thus, no deterministic counterexample for exists.

6. ⋆1 ∈ PSF and ⋆2 ∈ S12 ∧ S12. Thus, ⋆2 = φ1 ∧ φ2, where φ1 = A(φ1,1 U φ1,2) and φ2 = A(φ2,1 U φ2,2); moreover, each φi,j, i, j ∈ {1, 2}, is an instantiation of a template in DET.

We construct the requested structure M in the following way. Let M′ be a single-path structure as stated in Lemma 6.2 for formula φ2. Thus, M′ ⊨ φ2. Furthermore, there exists an index k ≥ 1 such that π(M′)^k is a local counterpath for φ2 (and hence for 2). Let k w.l.o.g. be the least such index. Let s0, s1, ..., sk denote the first k+1 states appearing in π(M′); observe that they are pairwise distinct. Clearly, sk is the first state of the suffix π(M′)^k. Since is a positive disjoint instantiation, we can always assume that no atomic proposition from AP(1) ∪ AP(φ1) occurs in any state of M′.

Figure 21: Right-Nesting of S12 ∧ S12 into until: = A(1 U (φ1 ∧ φ2)), where φ1 = A(1,1 U 1,2) and φ2 = A(2,1 U 2,2). (figure not reproduced)

Figure 22: Right-Nesting of PSF ∧ S12 into until: = A(1 U (φ1 ∧ φ2)), φ2 = A(φ2,1 U φ2,2) (figure not reproduced)

Let M0 be a right-structure for φ1. Since φ⋆1 ∈ DET, such a structure exists (cf. Lemma 6.3). We remark that, by definition of right-structure, M0 ⊭ φ1. Let M1, ..., Mk−1 be copies of M0. For i = 0, ..., k−1 we repeatedly take the fusion of Mi and the structure induced by the state si in M′. Next, we add in every state s0, ..., sk−1 the set AP(φ1,1). Note that after this addition, each structure Mi still satisfies Mi ⊭ φ1, for i = 1, ..., k−1. Indeed, since AP(φ1,1) ∩ AP(φ1,2) = ∅ for �i φ1,2, still �i φ1,2 ⊭ φ1,2 holds.

Now we add in every state belonging to the structures Mi, for 0 ≤ i ≤ k−1, including the states s0, ..., sk−1, the set AP(1). Since AP(1) ∩ AP(2) = ∅, this has no effect on the properties of Mi described above. Moreover, we add in every state belonging to the structures Mi, for 0 ≤ i ≤ k−1, except the states s0, ..., sk−1, the set AP(φ2). Since AP(φ1) ∩ AP(φ2) = ∅, this addition preserves the existence of counterexamples for φ1 in the structures Mi. Finally, we add in every state occurring in the path π(M′)^k the set AP(φ1). After this addition, π(M′)^k is still a local counterpath for formula φ2. The resulting structure is the desired M (see Figure 21).

First observe that M ⊭ . Indeed, each state si, for 0 ≤ i ≤ k−1, is origin of a local counterexample for φ1 and thus for 2. Furthermore, sk is also origin of a local counterexample for φ2, and then for 2. Moreover, sk is a local counterexample for the formula 1.

Now we show that no deterministic counterexample for exists in M. By Definition 3.5, in any counterexample π for the element π(0) must be a counterexample for 2. Hence, a counterpath for cannot reach state sk. Indeed, the only path reaching state sk is π(M′). This path is not a counterpath for 2 by construction: π(M′) does not contain any local counterpath for φ1, and, moreover, π(M′) is not a counterpath for φ2. Thus, a counterpath π for could only lead into some structure Mi, where 0 ≤ i ≤ k−1. Since in each Mi formula 1 is globally true, the suffix π^i must be a local counterpath for 2, for each i ≥ 1. Since each state in Mi except the initial state si contains AP(φ2), this counterpath for 2 can only be a counterpath for φ1. But this is impossible, since a right-structure for formula φ1 cannot contain a deterministic counterexample π such that π(i) is a counterexample for φ1, for each i ≥ 0. Thus, it follows that no deterministic counterexample for exists in M.


7. ⋆1 ∈ PSF and ⋆2 ∈ PSF ∧ S12 ∪ S12 ∧ PSF. Thus, 2 = φ1 ∧ φ2. Assume that φ1 is a pure state formula and φ2 = A(φ2,1 U φ2,2), where φ2,1 and φ2,2 are instantiations of templates in DET. The other case (vice versa) is similar.

Let M2 be a right-structure for the formula φ2 = A(φ2,1 U φ2,2). We modify M2 by adding AP(1) ∪ AP(φ1) to each state and by further adding AP(φ2,1) to the initial state s0. Observe that after this modification M2 ⊭ φ2 still holds. We now add two new states s1, s2 and connect them via (s0, s1) and (s1, s2); their labels are L(s1) = AP(φ2) and L(s2) = AP(φ1) ∪ AP(φ2) = AP(2). Furthermore, we add the loop (s2, s2). The resulting structure is the desired M (see Figure 22).

It holds that M ⊭ . Indeed, there exists a counterexample π for where π(0) is a counterexample for 2, and π(1) is a counterexample for both 1 and 2. Furthermore, no deterministic counterexample for exists in M. To see this, observe that no path π leading into � φ2 or into � φ2,2 can be a counterpath for , as 1 and φ1 are always true there and � φ2, � φ2,2 are k-structures for φ2,2 (consequently, φ2 is not globally false). Thus, only π = [s0, s1, s2, s2, ...] remains as a candidate for a counterpath for . To eliminate π, assume towards a contradiction that π = π(�) for some deterministic counterexample � for . The first element �(0) of every counterexample � for must be a counterexample for 2 = φ1 ∧ φ2; since φ1 is true in s0, it must be a counterexample of φ2. Along π, however, φ2,2 is not always false, which means that �(0) must involve a counterexample for φ2,1. Along π, however, φ2,1 is by construction always true. This raises a contradiction, and proves that in M no deterministic counterexample for exists.

• ⋆ = φ⋆1 ∧ φ⋆2 or ⋆ = φ⋆1 ∨ φ⋆2, where nA(φ⋆1) + nA(φ⋆2) = k. Thus, can be viewed as a monotone

Boolean combination of formulas 1, ..., m. By applying Lemma 6.1, if one of the i is not c-deterministic, either by the induction hypothesis or by one of the already considered cases, then is not c-deterministic as well. To complete the proof, by the inductive definition of DET and Lemma 6.1 it remains to consider the case = 1 ∨ 2 where ⋆1 = A ⋆1 ∈ DET and ⋆2 = A ⋆2 ∈ DET.

We construct a conic structure M having three states s0, s1, and s2 such that M ⊭ and no deterministic counterexample for exists in M. The initial state is s0 and reaches both s1 and s2, which have loops (s1, s1) and (s2, s2), respectively. The labels of the states depend on the outermost linear-time operators in ⋆1 and ⋆2. By commutativity of logical conjunction, it suffices to consider the following cases:

• 1 = A(1,1 U 1,2), 2 = A(2,1 U 2,2). Define L(M)(s0) = AP(1,1) ∪ AP(2,1), L(M)(s1) = AP(1) ∪ AP(2,1), L(M)(s2) = AP(1,1) ∪ AP(2) (see Figure 23).

Figure 23: Disjunction of 1 = A(1,1 U 1,2) and 2 = A(2,1 U 2,2) (figure not reproduced)

It is easy to see that M ⊭ . Indeed, from s0 start both a counterpath for A(1,1 U 1,2) and a counterpath for A(2,1 U 2,2). The path π1 = [s0, s1, s1, ...] is a counterpath for A(2,1 U 2,2), since the formula 2,2 is always false along it. Similarly, the path π2 = [s0, s2, s2, ...] is a counterpath for A(1,1 U 1,2), since the formula 1,2 is always false along it. On the other hand, π1 cannot be a counterpath for A(1,1 U 1,2), since therein 1,1 is always true and 1,2 is not always false. By


symmetry, π2 cannot be a counterpath for A(2,1 U 2,2). Hence, each counterexample for in M is not deterministic.

• 1 = A(1,1 U 1,2), 2 = A(2,1 V 2,2). Set L(M)(s0) = AP(1,1) ∪ AP(2,2), L(M)(s1) = AP(1), and L(M)(s2) = AP(1,1) ∪ AP(2,2). This M witnesses that is not deterministic. We omit the details.

• 1 = A(1,1 V 1,2), 2 = A(2,1 V 2,2). Set L(M)(s0) = AP(1,2) ∪ AP(2,2), L(M)(s1) = AP(1,2), and L(M)(s2) = AP(2,2).

• 1 = AX(1,1), 2 = AX(2,1). Set L(M)(s0) = ∅, L(M)(s1) = AP(1,1), and L(M)(s2) = AP(2,1).

• 1 = AX(1,1), 2 = A(2,1 U 2,2). Set L(M)(s0) = AP(2,1), L(M)(s1) = AP(1), and L(M)(s2) = AP(2).

• 1 = AX(1,1), 2 = A(2,1 V 2,2). Set L(M)(s0) = AP(2,2), L(M)(s1) = AP(1,1), and L(M)(s2) = AP(2,2). □
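The three-state structure of the first disjunction subcase, checked mechanically. This is an added example, not code from the paper or its authors. The atom names a1, b1, a2, b2 are assumptions standing in for the atoms of the two until formulas, written here as A(a1 U b1) and A(a2 U b2), and the state labels follow that subcase. The check goes slightly beyond the page: it enumerates every lasso-shaped path of a finite structure from the initial state, records which until formulas each single path refutes, and reports whether some one path refutes every disjunct, i.e. whether a deterministic counterexample for the disjunction exists. A contrast labelling, also constructed, shows the positive outcome.

```python
# Constructed three-state structure (assumed atom names a1, b1, a2, b2).
TRANSITIONS = {"s0": ["s1", "s2"], "s1": ["s1"], "s2": ["s2"]}
LABELS = {
    "s0": {"a1", "a2"},          # first atoms of both until formulas
    "s1": {"a1", "b1", "a2"},    # all atoms of the first, first atom of the second
    "s2": {"a1", "a2", "b2"},    # first atom of the first, all atoms of the second
}
# The two disjuncts, each of the form A(a U b), keyed by an assumed name.
FORMULAS = {"psi1": ("a1", "b1"), "psi2": ("a2", "b2")}

# Contrast labelling: without b1 in s1 the path [s0, s1, s1, ...] refutes both.
CONTRAST_LABELS = {"s0": {"a1", "a2"}, "s1": {"a1", "a2"}, "s2": {"a1", "a2", "b2"}}


def lasso_paths(transitions, start):
    """All paths from start up to their first repeated state, returned as
    (prefix, cycle) pairs describing the infinite path prefix . cycle^omega.
    Every infinite path of a finite structure has such a first-repeat lasso,
    so for until formulas this enumeration is exhaustive."""
    found = []

    def extend(path):
        for nxt in transitions[path[-1]]:
            if nxt in path:                       # back edge closes a cycle
                i = path.index(nxt)
                found.append((tuple(path[:i]), tuple(path[i:])))
            else:
                extend(path + [nxt])

    extend([start])
    return found


def until_holds(lasso, labels, a, b):
    """Linear-time semantics of a U b on prefix . cycle^omega: some position
    satisfies b and a holds at every earlier position.  Walking the prefix
    and the cycle once decides it, since later positions only repeat."""
    prefix, cycle = lasso
    for state in list(prefix) + list(cycle):
        if b in labels[state]:
            return True
        if a not in labels[state]:
            return False
    return False                                   # b never occurs


def refuted_by_path(lasso, labels, formulas):
    """Names of the until formulas for which this single path is a counterpath."""
    return {name for name, (a, b) in formulas.items()
            if not until_holds(lasso, labels, a, b)}


def disjunction_counterexamples(transitions, labels, start, formulas):
    """Return (fails, deterministic): whether the structure violates the
    disjunction of the A(a U b) formulas (every disjunct is refuted by some
    path) and whether one single path refutes all of them at once."""
    per_path = [refuted_by_path(p, labels, formulas)
                for p in lasso_paths(transitions, start)]
    all_names = set(formulas)
    fails = set().union(*per_path) == all_names
    deterministic = any(r == all_names for r in per_path)
    return fails, deterministic


if __name__ == "__main__":
    for name, lab in (("case structure", LABELS), ("contrast", CONTRAST_LABELS)):
        for p in lasso_paths(TRANSITIONS, "s0"):
            print(name, p, "refutes", sorted(refuted_by_path(p, lab, FORMULAS)))
        print(name, disjunction_counterexamples(TRANSITIONS, lab, "s0", FORMULAS))
```

With the case labelling the two lassos [s0, s1, s1, ...] and [s0, s2, s2, ...] refute exactly one disjunct each, so the structure violates the disjunction while no single path witnesses that; with the contrast labelling the first lasso refutes both.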

The main result of this paper on templates, Theorem 4.3, follows from Theorems 5.1 and 6.6.

7 Discussion and Conclusion

For the class of ACTL formulas which are positive disjoint instantiations, the results in the preceding sections give a complete characterization of the c-deterministic fragment. This class is given by those formulas such that ⋆ ∈ DET. Observe that this class is efficiently recognizable.

This result can be extended by the same proof technique to more general classes of formulas , as long as certain independency properties hold on the pure state formulas. Introduce for each occurrence of a maximal pure state formula φ in a new propositional atom p_φ, and consider the formula

F( ) = ⋀_{φ ∈ MP( )} (p_φ ↔ φ),

where MP( ) is a list of all occurrences of maximal pure state formulas in . Call pure state independent if for every truth value assignment to the atomic propositions p_φ, the formula F( ) is satisfiable. Observe that every positive disjoint instantiation is pure state independent.

Then, along the same line of proof as above we can show the following.

Theorem 7.1 Let be any pure state independent formula. Then, is c-deterministic if and only if ⋆ ∈ DET.

However, testing pure state independence is complex in general; this amounts to evaluating the quantified Boolean formula (QBF) ∀P_φ ∃AP . F( ), where P_φ is the collection of all atomic propositions p_φ introduced for occurrences of maximal pure state formulas, and AP is the collection of all atomic propositions in . This problem is complete for the class Π₂ᵖ of the polynomial hierarchy (cf. [8] for Π₂ᵖ). Indeed, the evaluation of the QBFs ∀X∃Y. is in Π₂ᵖ [8], and the QBF above is constructible in polynomial time from . On the other hand, consider a QBF ∀X∃Y. , where is of the form y1 ∧ ′ where y1 ∈ Y. Then, the ACTL formula = (AX x1) ∧ ··· ∧ (AX xn) ∧ (AX ), where X = {x1, ..., xn}, is pure state independent just if ∀X∃Y. is true. Since deciding the latter is Π₂ᵖ-hard, also deciding pure state independence is Π₂ᵖ-hard.
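The pure state independence test of the preceding paragraphs, written out as the ∀P_φ ∃AP check it amounts to. This is an added example and not code from the paper. Each maximal pure state formula is given as a Python predicate over an assignment to the atoms; the formula names phi1, phi2 and the atoms x, y, z, w are constructed for the example. The exhaustive search mirrors the quantifier structure of the QBF, which is why it is exponential in both the number of pure state formulas and the number of atoms.

```python
from itertools import product


def assignments(atoms):
    """Every truth-value assignment to the given atoms, as a dict."""
    for values in product((False, True), repeat=len(atoms)):
        yield dict(zip(atoms, values))


def pure_state_independent(atoms, pure_state_formulas):
    """Decide: for every assignment to the p_phi there is an assignment to
    AP under which every p_phi <-> phi holds, i.e. F(psi) is satisfiable
    for each choice of the p_phi.  Returns (True, None), or
    (False, assignment) with a choice of the p_phi for which F(psi) is
    unsatisfiable."""
    names = sorted(pure_state_formulas)
    for p_values in product((False, True), repeat=len(names)):
        target = dict(zip(names, p_values))
        satisfiable = any(
            all(pure_state_formulas[n](ap) == target[n] for n in names)
            for ap in assignments(atoms))
        if not satisfiable:
            return False, target
    return True, None


# Constructed examples.  DISJOINT models a positive disjoint instantiation:
# the two maximal pure state formulas share no atoms, so each can be made
# true or false independently of the other.
DISJOINT = {
    "phi1": lambda ap: ap["x"] and ap["y"],
    "phi2": lambda ap: ap["z"] or not ap["w"],
}
# DEPENDENT shares the atom x: phi1 and phi2 can never be false together
# (nor true together), so some choice of the p_phi is unsatisfiable.
DEPENDENT = {
    "phi1": lambda ap: ap["x"],
    "phi2": lambda ap: not ap["x"],
}

if __name__ == "__main__":
    print(pure_state_independent(["x", "y", "z", "w"], DISJOINT))
    print(pure_state_independent(["x"], DEPENDENT))
```

The returned assignment in the negative case is a witness for the outer universal quantifier: a choice of the p_φ under which no valuation of the atoms satisfies all the equivalences p_φ ↔ φ.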

Our results can be adapted for the concept of witness [5] in the existential fragment of CTL (denote this by ECTL), i.e., a portion of a computation tree which witnesses the truth of a formula Eφ. Since on any structure M it holds that M ⊨ Eφ if and only if M ⊭ A¬φ, the existence of deterministic witnesses (formally defined in the same vein as counterexamples) is related to the existence of deterministic counterexamples. As is well known [6], the equivalences ¬A(φ V ) = E(¬φ U ¬ ) and ¬A(φ U ) = E(¬φ V ¬ ) hold. It follows that a formula in the existential CTL fragment always has a deterministic witness (call this w-deterministic) if and only if the formula obtained by dualization of and negating all elementary atomic propositions is c-deterministic. As a consequence, all instantiations of an ECTL template ⋆ (defined as obvious) have deterministic witnesses (call this w-deterministic), just if the dual template d(⋆) is c-deterministic. As a consequence, we obtain the following characterization of the class of w-deterministic ECTL templates.

Theorem 7.2 Let ⋆ be an ECTL template. Then, ⋆ is w-deterministic if and only if d(⋆) ∈ DET.

Several issues remain for further work. One issue is the consideration of linear time operators which are derived from the basic operators X, V, U. The most important such operators are F (sometimes) and G (globally, always), defined as Fφ = true U φ and Gφ = false V φ. It is easily recognized from the definition of DET and our results that these operators correspond to c-deterministic templates. However, the use of these templates in nesting remains to be explored. The characterization of the class of c-deterministic ACTL templates enriched by derived linear time operators is an interesting issue.

Finally, an extension of our study by fairness constraints [4] would be interesting. In the general framework, path quantifiers do not range over all infinite paths, but instead over paths along which the fairness constraints, expressed by formulas, must be satisfied infinitely often. E.g., fair schedules in a system of concurrent infinite processes, represented through a Kripke structure, can be expressed easily through fairness constraints. Our results do not immediately carry over to this case. Techniques applied in [5] might be useful.

References

[1] F. Buccafurri, T. Eiter, G. Gottlob, and N. Leone. Enhancing Symbolic Model Checking by AI Techniques. Technical Report 9701, Institut für Informatik, Universität Gießen, Germany, September 1997. Abstract in: Proc. 2nd Workshop on Trends in Theoretical Informatics, Albrecht and G. Nemeth (eds), Budapest, March 1997.

[2] E. Clarke and E. Emerson. Skeletons for Branching Time Temporal Logic. In Logic in Programs: Workshop Proceedings, number 131 in LNCS. Springer, 1981.

[3] E. Clarke, E. Emerson, and A. Sistla. Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263, 1986.

[4] E. Clarke, O. Grumberg, and D. Long. Verification Tools for Finite-State Concurrent Systems. In J. de Bakker, W. de Roever, and G. Rozenberg, editors, A Decade of Concurrency - Reflections and Perspectives, number 803 in LNCS, pages 124–175. Springer, 1994.

[5] E. Clarke, O. Grumberg, K. McMillan, and K. Zhao. Efficient Generation of Counterexamples and Witnesses in Symbolic Model Checking. In Proc. 32nd ACM/SIGDA Design Automation Conference 1995 (DAC '95). ACM Press, 1994. Also Technical Report CMU-CS-94-204, Carnegie Mellon University, Pittsburgh, PA, 1994.

[6] E. Clarke, O. Grumberg, and D. Long. Model Checking. In M. Broy, editor, Deductive Program Design, volume 152 of NATO ASI Series F. Springer, 1996.

[7] E. Emerson. Temporal and Modal Logics. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, chapter 16. Elsevier Science Publishers B.V. (North-Holland), 1990.

[8] M. Garey and D. S. Johnson. Computers and Intractability – A Guide to the Theory of NP-Completeness. W. H. Freeman, New York, 1979.

[9] O. Kupferman and M. Y. Vardi. An automata-theoretic approach to modular model checking. Manuscript based on LICS '95 and CONCUR '95 abstracts, 1998, submitted for publication.

[10] K. McMillan. Symbolic Model Checking. Kluwer, 1993.