
Journal of Computer and Systems Sciences, 62(3):463–515, 2001.

On ACTL Formulas Having Linear Counterexamples

Francesco Buccafurri*  Thomas Eiter†  Georg Gottlob‡  Nicola Leone‡

Abstract

In case an ACTL formula φ fails over a transition graph M, it is most useful to provide a counterexample, i.e., a computation tree of M witnessing the failure. If there exists a single path in M which by itself witnesses the failure of φ, then φ has a linear counterexample. We show that, given M and φ, where M ⊭ φ, it is NP-hard to determine whether there exists a linear counterexample. Moreover, it is PSPACE-hard to decide whether an ACTL formula φ always admits a linear counterexample if it fails. This means that there exists no simple characterization of the ACTL formulas that guarantee linear counterexamples. Consequently, we study templates of ACTL formulas, i.e., skeletons of modal formulas whose atoms are disregarded. We identify the (unique) maximal set LIN of templates whose instances (obtained by replacing atoms with arbitrary pure state formulas) always guarantee linear counterexamples. We show that for each ACTL formula φ which is an instance of a template τ ∈ LIN, and for each Kripke structure M such that M ⊭ φ, a single path of M witnessing the failure by itself can be computed in polynomial time.

Keywords: Model checking, verification, counterexamples, linear counterexamples, counterpaths, temporal reasoning, ACTL, branching time logics.

1 Introduction

ACTL is a well-known fragment of Computation Tree Logic (CTL), a propositional branching-time temporal logic [2]; see [7, 5] for a rich background on this and further such logics. ACTL formulas are specified and evaluated over Kripke structures, which model finite-state systems. Besides Boolean connectives, ACTL provides linear-time and branching-time operators. The linear-time operators express properties of a particular evolution of the system, given by a series of events in time. Branching-time operators take into account the existence of multiple possible future scenarios starting from a given system state at a point in time. The temporal order defines an evolution tree, which branches from that point towards the future. Thus, every point in time has a unique past but, in general, more than one future. Each branch of the tree amounts to a particular evolution series.

* DIMET, Università di Reggio Calabria, loc. Feo di Vito, I-89100 Reggio Calabria, Italy. E-mail: [email protected]
† Institut and Ludwig Wittgenstein Labor für Informationssysteme, Technische Universität Wien, Favoritenstraße 9-11, A-1040 Wien, Austria. E-mail: [email protected]. Phone: +431-58801-18460, Fax: +431-58801-18493.
‡ Institut and Ludwig Wittgenstein Labor für Informationssysteme, Technische Universität Wien, Favoritenstraße 9-11, A-1040 Wien, Austria. E-mail: (leone|gottlob)@dbai.tuwien.ac.at


The elementary linear-time operators are X (next time), U (until), and V (unless, releases). Informally, Xφ means that φ is true at the next point in time; φ₁Uφ₂ means that there exists a prefix of the computation path such that φ₂ is true at the last state and φ₁ is true at all previous states of this prefix; and φ₁Vφ₂ means that truth of φ₁ releases truth of φ₂. Further operators such as Fφ (sometimes φ) and Gφ (always φ) can be derived from the elementary operators. ACTL has the branching-time operator A, by which it is possible to express necessary properties of an evolution tree. Informally, Aψ means that ψ is true for all branches of the tree. Note that full CTL also provides a dual operator E for expressing possible properties (true along some branch).

1.1 Counterpaths and linear counterexamples

The task of an automatic ACTL model checker is the verification of a given ACTL formula φ on a Kripke structure M. In case M does not satisfy φ (denoted M ⊭ φ), advanced model checkers (e.g. McMillan's SMV system [11], or the debugger described by Hojati et al. [9]) provide more information. In particular, as a witness for the failure, a finite representation of an infinite computation path π of M is provided. This path represents a counterexample to φ in M. In the ideal case, such a path π witnesses by itself that M ⊭ φ; in other terms, all information needed to disprove M ⊨ φ is already contained in π. In this case, we call π a counterpath.

To make the above concepts precise, we give in Section 3 a formal definition of the concept of counterexample. Roughly, a counterexample to an ACTL formula φ on structure M is a computation tree, represented as a multi-path, disproving that M ⊨ φ. In case this multi-path has no true branching, and thus actually represents a unique path, we speak about a linear counterexample. A counterpath for φ in M is then the unique path corresponding to a linear counterexample. Note that if there exists such a counterpath π, then M_π ⊭ φ, where M_π is the Kripke structure induced by π, i.e., the structure whose states are all those states of M that also occur in π, labeled as in M, and whose transitions are those that occur in π.

Example 1.1 Let M amount to the transition graph in Figure 1, where initial states are colored black, and consider the formula φ = A(true U a1), which can be abbreviated as AFa1.

Figure 1: Transition graph representing structure M (initial state s0). Labels: L(s0) = ∅, L(s1) = {a2}, L(s2) = {a1}. (Figure not reproduced; the paths used in the examples are s0, s1, s1, ... and s0, s2, s2, ....)

It holds that M ⊭ φ: along the path π = [s0, s1, s1, ...], the atom a1 is false at each stage π(i) of π, i ≥ 0. This implies M, π ⊨ ¬Fa1. Thus, π witnesses the failure of φ in M. Note that the information contained in π alone is sufficient for disproving φ; we do not have to consider elements of M (states or transitions) outside π to show that M ⊭ φ. Thus π is a counterpath of φ.


1.2 Linear counterexamples may not exist

A counterpath provides very useful, compactly presented, and self-contained information to a system designer or verifier, allowing him or her to locate a design error in a most comfortable way. It would thus be most desirable to be able to compute a (representation of a) counterpath in polynomial time whenever an ACTL formula φ fails over a structure M.

Unfortunately, as shown by the example below, if M ⊭ φ, a counterpath (or, equivalently, a linear counterexample) does not necessarily exist.

Figure 2: Another transition graph representing structure M (initial state s0). Labels: L(s0) = {a}, L(s1) = ∅, L(s2) = {a}. (Figure not reproduced; the paths used in the example are s0, s0, s0, ... and s0, s1, s2, s2, ....)

Example 1.2 Let M amount to the transition graph in Figure 2, and consider φ = A(true U A(false V a)), which can be abbreviated as AFAGa. It is easy to verify that M ⊭ φ. Indeed, there is a path π = [s0, s0, ...] starting from the initial state along which the nested formula AGa never holds, as, for each i ≥ 0, there exists a path starting at π(i) on which a is sometimes not true (e.g., on the path π′ = [s0, s1, s2, s2, ...], a is not true at s1). The path π itself is not a complete counterexample. To disprove that M ⊨ φ, it is necessary to consider a further path for each state of π (here always s0) in order to show that the subformula AGa does not hold. This gives rise to a multi-path Π, which we write as follows: Π = [[s0, s1, s2, s2, ...], [s0, s1, s2, s2, ...], ...]. It consists of a computation tree with main branch [s0, s0, ...] in which at each stage a branch [s0, s1, s2, s2, ...] starts. This multi-path Π is a counterexample for φ in M, and not the single path π. Note that Π is not a linear counterexample, but a truly branching infinite tree. Note, furthermore, that no single path is a counterexample for φ. Therefore, no linear counterexample exists in this case, and thus no counterpath witnessing that M ⊭ φ exists.

Besides the above very simple example, many other cases can be found in which each counterexample is a truly branching computation tree. They include formulas of the shape AFφ ∨ AFψ (e.g., AFa1 ∨ AFa2 on the structure M in Fig. 1), AF(AGφ ∨ AG¬φ), which informally states that any evolution must commit at some point to a condition φ being true or false, and AFφ ∨ AGψ, which states that either φ becomes true at some stage or ψ always holds.

From these observations, we can infer that in many cases a simple "counterexample path" output by an ACTL model checker such as McMillan's system [11] cannot be a full counterexample, but only one path, usually the main path or "backbone", of a counterexample. Such a path may help to track the design or implementation error, but it does not by itself necessarily explain why the formula fails, and one may need to consider states and transitions outside that path in order to track the flaw. The debugger in [9] constructs a counterexample for an ACTL formula φ by unwinding the formula. A counterpath would be desirable, since the unwinding can then be done along it, without reference to other parts of the structure.


1.3 Main research questions addressed

Given that linear counterexamples (and counterpaths) are useful, but do not always exist, the following questions naturally arise:

• Is there an efficient method of deciding whether an ACTL formula φ has a linear counterexample (and thus a counterpath) on a given Kripke structure M, where M ⊭ φ?

• Is there a simple characterization of those ACTL formulas which guarantee linear counterexamples? In other terms, is there an efficient method for telling whether a formula φ has the property that whenever M ⊭ φ holds for a structure M, then there exists a linear counterexample (and thus a counterpath) witnessing this?

• If the above fails, how can we efficiently identify large classes of formulas that guarantee linear counterexamples?

• Can we efficiently compute linear counterexamples in case they exist (and, related to this, efficiently recognize them)? If this is not generally possible, then maybe for large classes of ACTL formulas?

1.4 Main results

Our main results are shortly summarized as follows:

• We give, in Section 2, a precise definition of the concepts of linear counterexample and of the related concept of counterpath.

• We show that given M and φ, where M ⊭ φ, it is NP-hard to determine whether there exists a linear counterexample (Theorem 4.2).

• As a consequence, even in case counterpaths exist, computing a counterpath is a hard problem. Therefore, unless NP = P, for every ACTL model checker MC that works in polynomial time and produces "single-path counterexamples" in case of failure, there exist infinitely many Kripke structures M and formulas φ such that M ⊭ φ and the counterexample path output by MC represents a partial (and not a complete) counterexample even though there exists a counterpath (i.e., a path representing a complete counterexample).

• It is PSPACE-hard to decide whether an ACTL formula φ in case of failure always admits a linear counterexample (Theorem 4.1). This means that there exists no simple characterization of the ACTL formulas that guarantee linear counterexamples.

• Consequently, we study templates of ACTL formulas, i.e., skeletons of modal formulas whose atoms are disregarded and replaced by the placeholder symbol ?. As the main result of this paper, we identify the (unique) maximal set LIN of templates whose instances, obtained by replacing the ?'s with arbitrary pure state formulas, always guarantee linear counterexamples (Theorem 4.3). The set LIN of templates is given by the BNF grammar in Table 1. For example, the templates AX(?), A(?VAX(?)), and (? ∧ A(?VAX(?))) are in LIN, as well as A(?U?), A(?UA(?U?)), and A(A(?VAX(?))U(? ∧ ?)). On the other hand, the template A(?UA(?V?)) of the formula φ = A(true U A(false V a)) in Example 1.2 is not in LIN, and neither is the template A(?U?) ∨ A(?U?) of the formula A(true U a1) ∨ A(true U a2) = AFa1 ∨ AFa2 mentioned above.

LIN  ::= PSF | (LIN ∧ LIN) | (LIN ∨ PSF) | (PSF ∨ LIN) | AX(LIN) | A(PSF V LIN) | ULIN
ULIN ::= A(LIN U PSF) | A(PSF U ULIN) | (ULIN ∨ PSF) | (PSF ∨ ULIN)
PSF  ::= (PSF ∧ PSF) | (PSF ∨ PSF) | ¬(PSF) | ?

Table 1: BNF grammar for linear templates

Obviously, it is recognizable in polynomial time (and in fact in linear time) whether a template belongs to LIN, and whether an ACTL formula φ is an instance of some template in LIN. In particular, we prove:

  – If φ is an instance of a template τ ∈ LIN, then, for each structure M such that M ⊭ φ, there exists a linear counterexample, and thus a counterpath in M witnessing this failure.

  – If τ is a template not contained in LIN, then there exist an instance φ of τ and a structure M such that M ⊭ φ but there exists no linear counterexample for φ in M.

• We show that for each ACTL formula φ which is an instance of a template τ ∈ LIN, and for each Kripke structure M such that M ⊭ φ, a counterpath, i.e., a single path of M witnessing the failure, can be computed in polynomial time (Theorem 5.2).

• Finally, we show that recognizing a valid counterpath for an arbitrary ACTL formula φ is possible in polynomial time. This follows from the fact that the problem can be easily reduced to a model checking problem M′ ⊨ φ, which can be solved in polynomial time (Theorem 5.3).
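As an added example (not code from the paper), the following Python implements the recognition task described above: membership of a template in the grammar of Table 1, and the test whether an ACTL formula is an instance of some LIN template. Templates and formulas are nested tuples, with Q standing for the placeholder ?. The instance test abstracts every maximal pure state subformula of the formula to Q and checks the resulting template; this suffices because every grammar position that admits a PSF-shaped subtemplate also admits the bare placeholder. The tuple encoding and the function names are this example's own choices.

```python
"""Membership in the template class LIN of Table 1 (added example).

Templates are nested tuples; Q = ('?',) is the placeholder for an arbitrary
pure state formula:
    PSF  ::= Q | ('not', PSF) | ('and', PSF, PSF) | ('or', PSF, PSF)
    LIN  ::= PSF | ('and', LIN, LIN) | ('or', LIN, PSF) | ('or', PSF, LIN)
           | ('AX', LIN) | ('AV', PSF, LIN) | ULIN
    ULIN ::= ('AU', LIN, PSF) | ('AU', PSF, ULIN) | ('or', ULIN, PSF) | ('or', PSF, ULIN)
"""
from functools import lru_cache

Q = ("?",)


@lru_cache(maxsize=None)
def is_psf(t):
    op = t[0]
    if op == "?":
        return True
    if op == "not":
        return is_psf(t[1])
    return op in ("and", "or") and is_psf(t[1]) and is_psf(t[2])


@lru_cache(maxsize=None)
def is_ulin(t):
    op = t[0]
    if op == "AU":
        return (is_lin(t[1]) and is_psf(t[2])) or (is_psf(t[1]) and is_ulin(t[2]))
    if op == "or":
        return (is_ulin(t[1]) and is_psf(t[2])) or (is_psf(t[1]) and is_ulin(t[2]))
    return False


@lru_cache(maxsize=None)
def is_lin(t):
    """Does template t belong to LIN?  Memoised, so each node is visited once."""
    if is_psf(t) or is_ulin(t):
        return True
    op = t[0]
    if op == "and":
        return is_lin(t[1]) and is_lin(t[2])
    if op == "or":
        return (is_lin(t[1]) and is_psf(t[2])) or (is_psf(t[1]) and is_lin(t[2]))
    if op == "AX":
        return is_lin(t[1])
    if op == "AV":
        return is_psf(t[1]) and is_lin(t[2])
    return False


def is_pure_state(f):
    """Formula syntax: ('atom', a), ('true',), ('not', f), ('and'|'or', f, g),
    ('AX', f), ('AU', f, g) = A(f U g), ('AV', f, g) = A(f V g)."""
    op = f[0]
    if op in ("atom", "true"):
        return True
    if op == "not":
        return is_pure_state(f[1])
    return op in ("and", "or") and is_pure_state(f[1]) and is_pure_state(f[2])


def template_of(f):
    """Coarsest template of f: every maximal pure state subformula becomes Q.
    A formula is an instance of some LIN template iff this template is in LIN,
    since every position accepting a PSF-shaped subtemplate accepts Q."""
    if is_pure_state(f):
        return Q
    return (f[0],) + tuple(template_of(x) for x in f[1:])


def guarantees_linear_counterexample(f):
    return is_lin(template_of(f))


def AF(f):
    return ("AU", ("true",), f)


def AG(f):
    return ("AV", ("not", ("true",)), f)


if __name__ == "__main__":
    print(is_lin(("AX", Q)))                                        # True
    print(is_lin(("AU", Q, ("AV", Q, Q))))                           # False: A(?UA(?V?))
    print(guarantees_linear_counterexample(AF(("atom", "a1"))))      # True
    print(guarantees_linear_counterexample(AF(AG(("atom", "a")))))   # False
```

The checks reproduce the classification given in the text: the six positive templates are accepted, A(?UA(?V?)) and A(?U?) ∨ A(?U?) are rejected, and so are the templates of AF(AGφ ∨ AG¬φ) and AFφ ∨ AGψ listed in Section 1.2.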

Note that it could be the case that systems like McMillan's do always yield a valid counterpath in case the input formula φ is an instance of a template in LIN, i.e., they would be (sound and) complete for generating counterpaths on the class of LIN instances. Our results may serve as a starting point for determining the exact ACTL fragments on which such systems are complete with respect to generation of counterpaths. Furthermore, the a priori knowledge that linear counterexamples always exist for instances of LIN templates may be exploited in the design of more efficient algorithms than those which handle the general case of arbitrary ACTL formulas, like the one employed in McMillan's system. These issues are beyond the scope of the paper and left for further work.

1.5 Structure of the paper

After this introduction, some preliminaries and notation are given in Section 2. In Section 3, the formal definition of counterexamples is provided, for which multi-paths are introduced. Thereafter, we turn our attention in Section 4 to linear counterexamples and multi-paths. After proving that recognizing linear ACTL formulas is intractable, we define the class LIN of templates; furthermore, we formally state the characterization of ℓ-linear templates, which is the first main result of this paper. Sections 5–6 are devoted to the proof of this result and to the computation of counterpaths for LIN-instances, which is the second main result. The paper is closed in Section 7 with a discussion and an outlook on future work.


2 Preliminaries

Definition 2.1 (ACTL formulas) Let A be a set of atomic propositions. Then, ACTL is the set of state formulas on A inductively defined as follows:

(1) any Boolean formula over atoms from A built using the connectives ∧, ∨, and ¬ is a pure state formula; a pure state formula is a state formula;

(2) if φ and ψ are state formulas, then (φ ∨ ψ) and (φ ∧ ψ) are state formulas;

(3) if φ and ψ are state formulas, then Xφ, φUψ and φVψ are path formulas;

(4) if ψ is a path formula, then A(ψ) is a state formula. □

Intuitively, path formulas describe properties of evolution series because they use the temporal operators next time, until, and unless.

Notation. For any sets D₁ and D₂ of formulas, we shall use the following notation:

AX(D₁) = {AX(ψ) | ψ ∈ D₁},
AU(D₁, D₂) = {A(ψ₁Uψ₂) | ψ₁ ∈ D₁, ψ₂ ∈ D₂},
AV(D₁, D₂) = {A(ψ₁Vψ₂) | ψ₁ ∈ D₁, ψ₂ ∈ D₂},
D₁ ∧ D₂ = {(ψ₁ ∧ ψ₂) | ψ₁ ∈ D₁, ψ₂ ∈ D₂},
D₁ ∨ D₂ = {(ψ₁ ∨ ψ₂) | ψ₁ ∈ D₁, ψ₂ ∈ D₂}.

Given a formula φ or a set S of formulas, we denote by AP(φ) (resp., AP(S)) the set of atomic propositions occurring in φ (resp., S). We use true and false as shorthand for pure state formulas which are tautologies and contradictions, respectively. We omit or add parentheses in formulas following the usual conventions.

The formal definition of the semantics of ACTL refers to particular Kripke structures. Informally, they are finite transition graphs with labeled states.

Definition 2.2 (Kripke Structure) A Kripke structure is a quintuple M = (A, S₀, S, R, L) such that:

• A is a finite set of atomic propositions, denoted A(M);
• S is a finite set of states, denoted S(M);
• S₀ ⊆ S is a finite set of initial states, denoted S₀(M);
• R ⊆ S × S is a transition relation, denoted R(M);
• L : S → 2^A is a mapping assigning to each state of S the set of atomic propositions true in that state; L is called the label function, and is denoted by L(M). □

For convenience, we often denote by M_s the Kripke structure which is identical to M except that S₀(M_s) = {s}, where s ∈ S(M), i.e., s is the unique initial state. Furthermore, we will sometimes focus on structures M such that S₀(M) = {s₀} and (s, s₀) ∉ R(M) for all s ∈ S(M), i.e., M has a unique initial state s₀, and s₀ is not reachable from any state in M. We refer to such structures as conic.

Note that many authors (e.g. [7, 10]) require that the transition relation R(M) in a Kripke structure M is total, i.e., ∀s ∃s′ R(s, s′) holds. This restriction would leave the main results of this paper unaffected. We shall come back to this issue and discuss it in more detail in Section 7.

The dynamic temporal evolution is modeled by infinite paths in the Kripke structure.

Definition 2.3 (path) A path π of a Kripke structure M is an infinite sequence π = [s₀, s₁, ..., sᵢ, ...] such that (sᵢ, sᵢ₊₁) ∈ R(M) for each i ≥ 0. Given an integer i ≥ 0 and a path π, we denote by π(i) the (i+1)-th state of π.¹ Given an integer j ≥ 0 and a path π, the j-suffix πʲ of π is the path [π(j), π(j+1), ...]. Clearly, π = π⁰ and π(i) = πⁱ(0). □

The semantics of ACTL is now defined through an entailment relation ⊨, which can be applied on states s and paths π for evaluating state and path formulas, respectively.

Definition 2.4 (satisfaction) Let s and π be a state and a path in M, respectively. Then, the satisfaction relation ⊨ for state and path formulas, respectively, on a Kripke structure M is inductively defined as follows.

1. M, s ⊨ p, if p ∈ L(M)(s), for any atomic proposition p ∈ A;

2. M, s ⊨ ¬φ, if M, s ⊭ φ, where φ is a state formula;

3. M, s ⊨ φ₁ ∨ φ₂, if M, s ⊨ φ₁ or M, s ⊨ φ₂, where φ₁ and φ₂ are state formulas;

4. M, s ⊨ φ₁ ∧ φ₂, if M, s ⊨ φ₁ and M, s ⊨ φ₂, where φ₁, φ₂ are state formulas;

5. M, s ⊨ A(ψ), if M, π ⊨ ψ for all paths π in M such that π(0) = s;

6. M, π ⊨ Xφ, if M, π(1) ⊨ φ;

7. M, π ⊨ φ₁Uφ₂, if there exists an integer k ≥ 0 such that M, π(k) ⊨ φ₂ and M, π(j) ⊨ φ₁ for all 0 ≤ j < k;

8. M, π ⊨ φ₁Vφ₂, if for every k ≥ 0 it holds that M, π(j) ⊭ φ₁ for all 0 ≤ j < k implies M, π(k) ⊨ φ₂.

We write M ⊨ φ if M, s₀ ⊨ φ for every initial state s₀ ∈ S₀(M). □

Intuitively, a state formula holds along a path if it is true at its first state; φ₁Uφ₂ is true if φ₁ is true along the path until some state is reached at which φ₂ is true; and φ₁Vφ₂ is true if there is no stage such that φ₂ is false and φ₁ is false at all previous stages. Note that U and V are dual operators: φ₁Uφ₂ is true precisely if ¬φ₁V¬φ₂ is false.

¹ Thus, the first state of a path π is denoted by π(0).

3 Multi-Paths and Counterexamples

If an ACTL formula φ is not true in a structure M, then there must be some evidence which proves the failure of the formula. For a pure state formula φ, an initial state s₀ at which φ is false is a witness of this fact; if φ is of the form AXψ, where ψ is a pure state formula, then a path π starting at some s₀ ∈ S₀ such that ψ is false at π(1) is such a witness. The falsity of formulas A(φ₁Uφ₂), A(φ₁Vφ₂), where the φᵢ are pure state formulas, is witnessed similarly by a path π.

Intuitively, a path π as described is a counterexample for the truth of φ in M. It appears that for more complex formulas φ which involve nested A quantifiers, a single path π may not by itself witness that φ fails in M. To formally capture this, nesting of paths must be taken into account. This motivates the definition of multi-paths, which serve as a basis for a formal definition of counterexamples [1].

3.1 Multi-Paths

Informally, a multi-path represents an infinite tree T, which has a designated branch as a backbone (called main path). The branches of the tree which spring off from the main path at a certain stage are collected in a tree, which is recursively represented as a multi-path. Thus, multi-paths can be inductively defined. Observe that this representation of a tree differs from the usual inductive definition in which a tree is built by assigning child nodes to a parent node. The main advantage of the multi-path concept is the preservation of the nesting of paths, which is lost in the standard tree definition.

Preliminary to the formal definition of multi-paths, we introduce multi-sequences.

Definition 3.1 (multi-sequence) Let S be a set of states. Then,

• for every state s ∈ S, Π = s is a finite multi-sequence in S;
• if Π₀, Π₁, ... are countably infinitely many multi-sequences in S, then Π = [Π₀, Π₁, ...] is a multi-sequence in S.

For any multi-sequence Π, its (i+1)-th element is denoted by Π(i), for all i ≥ 0;² moreover, its origin, denoted or(Π), is or(Π) = s if Π = s is a single state, and or(Π) = or(Π(0)) otherwise. □

Next we introduce the notion of main sequence of a multi-sequence. Informally, it is the sequence formed by the origins of all elements in a multi-sequence.

Definition 3.2 (main sequence) For any multi-sequence Π, the main sequence of Π, denoted by μ(Π), is

• s, if Π = s is finite;
• the sequence [or(Π(0)), or(Π(1)), or(Π(2)), ...], otherwise. □

Multi-paths are multi-sequences which model nested paths in M.

² Thus, Π(0) is the first element of the multi-sequence Π.


Definition 3.3 (multi-path) A multi-sequence Π is a multi-path in M if either Π is finite, or μ(Π) is a path in M and for every i ≥ 0, Π(i) is a multi-path in M.

The main sequence of a multi-path Π is called the main path of Π. □

Note that multi-paths generalize paths. Indeed, a path can be seen as an infinite multi-path Π such that each element Π(i) is a state.

An infinite multi-path Π intuitively represents an evolving computation tree, whose branches are the main path μ(Π) and all paths of the form π₀π₁, where π₀ = μ(Π)(0), ..., μ(Π)(i−1) is a finite prefix of μ(Π) and π₁ is a branch of the multi-path Π(i), where Π(i) must be infinite.

Example 3.1 Assuming a proper M, the multi-sequence Π = [[s0, s1, s1, ...], s2, s2, ...] is a multi-path, which represents two paths π₁ = [s0, s1, s1, ...] and π₂ = [s0, s2, s2, ...] starting at s0 (Figure 3). π₂ is the main path μ(Π) of Π. The multi-path Π′ = [[s0, s1, s1, ...], s2, [s0, s1, s1, ...], s2, [s0, s1, s1, ...], ...] has main path μ(Π′) = [s0, s2, s0, s2, ...] and represents the computation tree in which from μ(Π′) at every even stage μ(Π′)(2k) a path [s0, s1, s1, ...] branches off; hence, Π′ contains besides μ(Π′) all paths of the form [(s0, s2)ⁱ, s0, s1, s1, ...], i ≥ 0. □

Figure 3: Branching paths (the trees of π₁, π₂ and of the multi-paths of Example 3.1; figure not reproduced).

An important note is that in general, a multi-path Π may not directly reflect in its structure a truly branching computation tree. In fact, the definition allows fake branching, in the sense that two nested branching paths may amount to the same path in the structure. For example, in the multi-path Π = [s0, s1, [s2, s3, s4, ...], s3, s4, ...], the branch s2, s3, s4, ... is identical to the remainder s2, s3, s4, ... of the main path. This is not a shortcoming of our definition, but an important feature; it allows to express that a particular path is a subpath of another one. In an extended vocabulary for multi-paths, this could be expressed more elegantly; however, we disregard such an extension here. Note that for our purposes, we can restrict to multi-paths which have effective finite representations [1].

3.2 Counterexamples

We are now prepared to formalize the notion of counterexample. Intuitively, a counterexample for a formula φ is a special multi-path Π originating at an initial state and demonstrating the falsity of φ. Since counterexamples are defined inductively, we need the concept of a local counterexample, which may originate at an arbitrary state rather than an initial state. For the technical definition of local counterexamples, we use an operation for merging two multi-paths into a single one.


Definition 3.4 (merge) Let Π₁ and Π₂ be two multi-paths such that or(Π₁) = or(Π₂). The merge of Π₁ and Π₂, denoted by Π₁ ⊕ Π₂, is the multi-path recursively defined as follows:

Π₁ ⊕ Π₂ = Π₁, if Π₂ is finite;
Π₁ ⊕ Π₂ = [Π₁ ⊕ Π₂(0), Π₂(1), Π₂(2), ...], otherwise. □

Intuitively, the trees represented by Π₁ and Π₂ are merged at their common root.

Example 3.2 Merging Π = [[s0, s_{1,1}, s_{1,2}, ...], s_{2,1}, s_{2,2}, ...] and Π′ = [s0, s_{3,1}, s_{3,2}, ...] yields

Π ⊕ Π′ = [Π, s_{3,1}, s_{3,2}, ...] = [[[s0, s_{1,1}, s_{1,2}, ...], s_{2,1}, s_{2,2}, ...], s_{3,1}, s_{3,2}, ...],

while

Π′ ⊕ Π = [Π′ ⊕ [s0, s_{1,1}, s_{1,2}, ...], s_{2,1}, s_{2,2}, ...] = [[Π′, s_{1,1}, s_{1,2}, ...], s_{2,1}, s_{2,2}, ...] = [[[s0, s_{3,1}, s_{3,2}, ...], s_{1,1}, s_{1,2}, ...], s_{2,1}, s_{2,2}, ...].

The two merges essentially represent the same branching of three paths πᵢ = [s0, s_{i,1}, s_{i,2}, ...] for i ∈ {1, 2, 3}, starting from s0. □

Note that μ(Π₁ ⊕ Π₂) = μ(Π₂) in case Π₂ is infinite, and μ(Π₁ ⊕ Π₂) = μ(Π₁) otherwise. We remark that merging Π₁ and Π₂ by adding Π₁ as first element to Π₂ does not work, since in general this leads to a set of paths different from those in Π₁ and Π₂; the result may even not be a multi-path.

Definition 3.5 (ℓ-counterexample) Let M be a Kripke structure and φ be an ACTL formula on A(M). A multi-path Π in M is a local (ℓ-) counterexample for φ if, depending on the structure of φ, the following holds:

• if φ is a pure state formula: Π = s is a state and M, s ⊭ φ;

• otherwise, if

  1. φ = A(φ₁Uφ₂): Π is an infinite multi-path and either

    1.1 there exists k ≥ 0 such that Π(k) is an ℓ-counterexample for φ₁ ∨ φ₂, Π(i) is an ℓ-counterexample for φ₂ for each 0 ≤ i < k, and Π(j) is a state for j > k; or

    1.2 Π(i) is an ℓ-counterexample for φ₂ for each i ≥ 0;

  2. φ = A(φ₁Vφ₂): Π is an infinite multi-path and there exists a k such that every Π(j), 0 ≤ j < k, is an ℓ-counterexample for φ₁, Π(k) is an ℓ-counterexample for φ₂, and every Π(m) is a state for m > k;

  3. φ = AXφ₁: Π is an infinite multi-path, Π(1) is an ℓ-counterexample for φ₁, and Π(i) is a state for each i ≠ 1;

  4. φ = φ₁ ∨ φ₂: Π = Π₁ ⊕ Π₂, where Πᵢ, i = 1, 2, is an ℓ-counterexample for φᵢ;

  5. φ = φ₁ ∧ φ₂: Π is an ℓ-counterexample for either φ₁ or φ₂. □

Recall that M ⊭ φ if there exists an initial state s₀ at which φ is false. Hence, we introduce a notion of "global" counterexample.


Definition 3.6 (counterexample) Let M be a Kripke structure and φ be a formula on A(M). Any ℓ-counterexample Π for φ in M such that or(Π) ∈ S₀(M) is called a counterexample for φ in M. □

Example 1.1 illustrates this definition. Let us consider some more examples.

Example 3.3 Reconsider the Kripke structure M from Figure 1, and let ψ = A(false V A(true U a1)). Also this formula is false on M. Intuitively, this is witnessed by the path π = [s0, s1, s1, ...] again. However, from the formal definition, π is not a counterexample of ψ, as it does not respect witness paths for the subformula A(true U a1) of ψ. The multi-path Π = [[s0, s1, ...], s1, s1, ...] is a proper counterexample for ψ according to the definition, as well as any multi-path [s0, (s1,)ⁱ, [s1, s1, ...], s1, s1, ...], where i ≥ 0.

Finally, also the formula φ = A(true U A(false V a1)) is false in M; again, intuitively the path π = [s0, s1, s1, ...] shows this. Formally, the multi-path [[s0, s1, s1, ...], [s1, s1, ...], [s1, s1, ...], ...] is a counterexample for φ; in fact, it is the unique counterexample. □

The following result states that ℓ-counterexamples appropriately model the failure of a formula in a state.

Theorem 3.1 ([1]) Let M be a Kripke structure, φ a formula on A(M), and s ∈ S(M). Then, M, s ⊭ φ if and only if there exists an ℓ-counterexample Π for φ such that or(Π) = s.

Corollary 3.2 ([1]) For any Kripke structure M and formula φ on A(M), M ⊭ φ if and only if there exists a counterexample Π for φ in M.

As discussed earlier, in many cases a counterexample for a formula is (essentially) a single path. This is true e.g. for the formulas considered in Examples 1.1 and 3.3. However, as Example 1.2 and the following example show, there are different cases in which a truly branching tree is needed.

Example 3.4 Consider the structure M as in Figure 1 again, but now the formula φ = A(true U a1) ∨ A(true U a2). Clearly, M ⊭ φ: for every aᵢ, i = 1, 2, there is an infinite path πᵢ = s0, sᵢ, sᵢ, ... which never reaches a state at which aᵢ is true; hence, every disjunct AFaᵢ in φ is false. A counterexample for φ is the multi-path Π = [[s0, s1, s1, ...], s2, s2, ...], which results by merging the πᵢ's into Π = π₁ ⊕ π₂. Notice that no counterexample for φ exists that is an ordinary path, and that π₁ ⊕ π₂ and π₂ ⊕ π₁ are the only (isomorphic) counterexamples for φ. □

4 Linear Counterexamples

In this section, we formalize our intuition of a single-path counterexample from the previous section. For this purpose, we first introduce the concept of a linear multi-path. Such a multi-path is built over a single path in the structure, which exactly prescribes the next state in each transition throughout the multi-path.

4.1 Linear counterexamples and ℓ-linear formulas

Definition 4.1 (linear multi-path) A multi-path� is linear, if one of the following applies:


1. $\Pi$ is finite (i.e., a single state); or

2. for each $i \geq 0$, either

2.1 $\Pi(i)$ is a state, or

2.2 $\mu(\Pi(i))$ coincides with $\mu(\Pi)^i$ (the $i$-suffix of $\mu(\Pi)$) and $\Pi(i)$ is linear. □

Informally, a multi-path is linear if the main paths of its elements are suffixes of its main path, and this is recursively true also for the multi-paths of the sequence. Thus, while in general multi-paths represent evolutions with branching, linear multi-paths have only artificial branching, and represent essentially a single path.

Example 4.1 Consider the multi-path $\Pi = [s_0, s_1, s_2, s_3, [s_4, s_5, s_4, [s_5, s_4, s_5, s_4, \ldots], s_4, s_5, \ldots], s_5, s_4, s_5, s_4, \ldots]$. As can be seen, this multi-path is linear. The path $[s_5, s_4, s_5, s_4, \ldots]$ nested into $\Pi(4)(3)$ represents a path branching from the main path of $\Pi(4)$. However, this path coincides with the suffix $\mu(\Pi(4))^3$ of the main path of $\Pi(4)$. Hence, it does not represent an alternative evolution. In this sense, a linear multi-path represents only linear evolutions.

Observe that the multi-path $\Pi' = [[s_0, s_1, s_2, s_3, s_2, s_3, \ldots], s_4, s_5, s_6, s_5, s_6, s_5, \ldots]$ is not linear. □

We remark that we could have equivalently defined linear multi-paths in terms of bisimilarity of branching computations. Recall that two processes are (weakly) bisimilar [12], if there exists some bisimulation on them, i.e., a binary relation $B$ on processes such that whenever $B(P, Q)$ and $P$ can perform some transition $\alpha$ to become $P'$, then $Q$ can perform the same transition $\alpha$ to become some $Q'$ such that $B(P', Q')$ holds, and, vice versa, if $Q$ can become $Q'$ by some transition $\alpha$, then $P$ can become some $P'$ by transition $\alpha$ such that $B(P', Q')$ holds. Every infinite multi-path $\Pi$ (thus, also every path) represents a process $P$ that can become the process $[\Pi(1), \Pi(2), \ldots]$ by the transition $\alpha = or(\Pi)$ and any process $P'$ that $\Pi(0)$ can become (by the same transition). We may then call an infinite multi-path $\Pi$ linear, if it is bisimilar to some (simple) path $\pi$. This notion of linearity is, as easily seen, equivalent to the one in Definition 4.1; in fact, under this notion $\Pi$ is linear if and only if it is bisimilar to its main path $\mu(\Pi)$.

Definition 4.2 (linear counterexample and counterpath) A counterexample $\Pi$ for an ACTL formula $\varphi$ in a structure $M$ is linear, if $\Pi$ is a linear multi-path. The main path $\mu(\Pi)$ of any linear counterexample $\Pi$ for $\varphi$ in $M$ is a counterpath for $\varphi$ in $M$. □

As easily verified, the counterexamples for the formulas presented in Examples 1.1 and 3.3 are linear counterexamples, and the "intuitive" counterexamples there are the respective counterpaths.

As for counterexamples, it is of particular interest to have a linear counterexample at hand, since such a counterexample is in general easier to understand than an arbitrary counterexample. Moreover, the description of such counterexamples can be simplified. Observe that McMillan's SMV procedure [11] returns a single path $\pi$ rather than a counterexample as used here when an ACTL formula fails. This path plays a similar role as the main path of our notion of a counterexample $\Pi$. If $\pi$ and $\Pi$ grasp the same witness, then $\mu(\Pi)$ should coincide with $\pi$, and it contains in fact all relevant information which is needed for witnessing the failure of $\varphi$. From $\pi$, a counterexample respecting the (artificial) branching of paths as required from the structure of $\varphi$ can be reconstructed.

We thus direct our attention to the existence of linear counterexamples.

Definition 4.3 (ℓ-linear) An ACTL formula $\varphi$ is ℓ-linear, if $M \not\models \varphi$ implies that a linear counterexample for $\varphi$ exists in $M$, for every Kripke structure $M$.

4.2 Complexity of recognizing ℓ-linear formulas

Unfortunately, recognizing ℓ-linear formulas is complex in general, as expressed by the following result.

Theorem 4.1 Deciding whether a given ACTL formula $\varphi$ is ℓ-linear is PSPACE-hard.

Proof. This result is proved by a reduction from the unsatisfiability problem for ACTL formulas on structures $M$ where $R(M)$ is total. This problem is PSPACE-complete by results of Kupferman and Vardi (see [10]).

Let $\varphi$ be an arbitrary ACTL formula, and let $a$ be a fresh atom not occurring in $\varphi$. Let the formula $\psi$ be defined as follows: $\psi = AX\,a \vee AX(\neg a \wedge \varphi)$. It holds that $\psi$ is ℓ-linear if and only if $\varphi$ is unsatisfiable over structures $M$ where $R(M)$ is total.

To prove this, suppose first that $\varphi$ is unsatisfiable over all $M$ where $R(M)$ is total. Let $M$ be any structure (where $R(M)$ is not necessarily total) such that $M \not\models \psi$. This implies that $AX\,a$ has a counterexample in $M$, which is a simple path $\pi$ represented by a pair $P, C$ where $P$ is a path (prefix) and $C$ a cycle in $M$. The assumption on $\varphi$ implies that $\neg a \wedge \varphi$ is globally false (and in particular, at $\pi(1)$) in the structure $M_\pi$ which is naturally induced by $\pi$ in $M$. Consequently, $\pi$ is a counterpath for $\psi$ in $M_\pi$, and thus also in $M$. This means that $\psi$ is ℓ-linear.

Now suppose that $\varphi$ is satisfiable on some structure $M'$ with total $R(M')$. Hence, a state $s'_0 \in S_0(M')$ exists such that $M', s'_0 \models \varphi$. Let $M$ be the structure corresponding to the transition graph in Figure 4.

[Figure 4: Structure $M$ for $\psi = AX\,a \vee AX(\neg a \wedge \varphi)$ (initial state $s_0$). The graph shows the initial state $s_0$ with $L(s_0) = \emptyset$, a state $s_1$ with $L(s_1) = \{a\}$, and the state $s'_0$ of $M'$.]

It holds that $M \not\models \psi$. Indeed, every path $\pi_1 = [s_0, s'_0, \ldots]$ is a counterpath for $\psi_1 = AX\,a$, and the path $\pi_2 = [s_0, s_1, s_1, \ldots]$ is a counterpath for $\psi_2 = AX(\neg a \wedge \varphi)$; thus, their merge $\Pi = \pi_1 \oplus \pi_2$ is a counterexample for $\psi$. Clearly, any counterexample for $\psi$ in $M$ must contain both $s'_0$ and $s_1$; thus, a linear counterexample for $\psi$ in $M$ is impossible, which means that $\psi$ is not ℓ-linear.

This result implies that a polynomial-size and polynomial-time checkable proof witnessing that a formula is ℓ-linear is elusive, and thus we may abandon the search for an appealing syntactical characterization of ℓ-linear formulas.


A related, in practice perhaps more important issue is whether the existence of a linear counterexample for a formula can be efficiently decided ad hoc, i.e., given an ACTL formula $\varphi$ and a structure $M$, decide whether $\varphi$ has a linear counterexample in $M$ (and, if so, return a counterpath represented in a suitable way). As it turns out, also this problem is intractable.

Theorem 4.2 Given a Kripke structure $M$ and an ACTL formula $\varphi$, deciding whether $\varphi$ has a linear counterexample (equivalently, a counterpath) in $M$ is NP-hard.

Proof. We describe a polynomial-time transformation of deciding whether a given directed graph $G = (V, E)$ has a Hamiltonian circuit, which is well-known NP-complete [8], into this problem. Recall that a Hamiltonian circuit is a sequence $C = v_{i_1}, \ldots, v_{i_n}$ of all the vertices $V = \{v_1, \ldots, v_n\}$ such that an edge is directed from $v_{i_j}$ to $v_{i_{j+1}}$ and from $v_{i_n}$ to $v_{i_1}$.

We construct $M$ and $\varphi$ as follows. The set $S$ of states of $M$ is $V$, which is also the set $A$ of atomic propositions and the set $S_0$ of initial states. The transition relation $R$ is $E$, and each $v \in V$ has the label $L(v) = \{v\}$.

The formula $\varphi$ is as follows:
$$\varphi = A\Big(\mathit{true}\;U\;\bigvee_{v \in V}\Big(v \wedge \bigvee_{w \in V \setminus \{v\}} AX\,A(v\,V\,\neg w)\Big)\Big)$$
Intuitively, a linear counterexample for $\varphi$ in $M$ is an infinite path $\pi$ such that in each state $\pi(i) = v$, the path must be continued in states $\pi(i+1), \pi(i+2), \ldots$ such that all other vertices $w \neq v$ appear before $v$ may reappear.

We claim that $G$ has a Hamiltonian circuit if and only if $\varphi$ has a counterpath in $M$.

($\Rightarrow$) Let $C = v_{i_1}, \ldots, v_{i_n}$ be a Hamiltonian circuit of $G$. We claim that the path $\pi = (v_{i_1}, v_{i_2}, \ldots, v_{i_n})^\infty$ is a counterpath of $\varphi$. To verify this, we have to show that the formula $\bigvee_{v \in V} \psi_v$, where $\psi_v = v \wedge \big(\bigvee_{w \in V \setminus \{v\}} AX\,A(v\,V\,\neg w)\big)$, is false in each state $\pi(i)$, $i \geq 0$, and that a local counterexample witnessing this fact can be built over $\pi^i$.

For each $v \in V$ such that $v \neq \pi(i)$, $v$ is false at $\pi(i)$ and thus $\pi(i)$ is a local counterexample for $\psi_v$ over $\pi^i$. For the $v \in V$ such that $v = \pi(i)$, we must show that for each $w \in V \setminus \{v\}$, the suffix $\pi^i$ is a local counterpath of the formula $AX\,A(v\,V\,\neg w)$; that is, that the suffix $\pi^{i+1}$ is a local counterexample of $A(v\,V\,\neg w)$. Clearly, this is true for the $w \in V \setminus \{v\}$ such that $w = \pi(i+1)$; any $w' \in V \setminus \{v, w\}$ occurs as $\pi(i+k)$, where $1 < k < n$, and $v$ is false at $\pi(i+k-1)$; thus, $\pi^{i+1}$ is a local counterexample for $A(v\,V\,\neg w')$. This proves that $\bigvee_{v \in V} \psi_v$ is false in $\pi(i)$, and that $\pi^i$ is a local counterpath for each $AX\,A(v\,V\,\neg w)$ where $w \in V \setminus \{v\}$. Thus, $\pi$ is a counterpath for $\varphi$ in $M$.

($\Leftarrow$) Suppose that $\varphi$ has a counterpath $\pi$ in $M$. We show that the prefix $\pi(0), \ldots, \pi(n-1)$ of $\pi$ is a Hamiltonian circuit of $G$. Let $v \in V$ be the node such that $\pi(0) = v$. Then, $\pi$ is a counterpath for the formula $\psi_v$ from above. This implies that $\pi$ is a counterpath for the formula $AX\,A(v\,V\,\neg w)$, for each $w \in V \setminus \{v\}$. Thus, $\pi^1$ is a local counterpath for $A(v\,V\,\neg w)$. Hence, $w$ must occur in $\pi$, and $v$ must be false in each state $\pi(i)$ where $1 \leq i < k_w$ and $\pi(k_w)$ is the first occurrence of $w$ in $\pi$. Consequently, $\pi(n)$ is the first possible position for a second occurrence of $v$ in $\pi$.


Now consider $w_i := \pi(i)$, where $i > 0$. By similar arguments, we obtain that each $w \in V \setminus \{w_i\}$ occurs in $\pi^i$, and that $w$ must occur in $\pi^i$ before any possible further occurrence of $w_i$ after $\pi^i(0) = \pi(i)$. It follows that $\pi(0), \pi(1), \ldots, \pi(n-1)$ are all pairwise different, and that $\pi(n) = \pi(0)$ holds. This means that $\pi(0), \ldots, \pi(n-1)$ is a Hamiltonian circuit in $G$, and completes the proof of the claim.

Since $M$ and $\varphi$ are constructible in polynomial time from $G$, the result is proved.

4.3 ACTL templates

In the light of the previous results, we look into structural properties of formulas which guarantee the existence of a linear counterexample whenever a formula does not hold in a structure. This leads us to consider templates of ACTL formulas – formulas in which the particular atomic propositions are meaningless, i.e., they can be substituted by arbitrary pure state formulas. Intuitively, a template expresses the structure of a formula in terms of linear-time and branching-time operators. A pure state formula always has a linear counterexample (given by a single state); however, the application of these operators and Boolean connectives might destroy this property.

In the following, we shall identify the class of templates which are linear, i.e., each instantiation $\psi$ of a template $\psi^?$, obtained by filling in pure state formulas, always has a linear counterexample if $\psi$ is not true. As it turns out, this class is decidable, and in fact efficiently recognizable.

More formally, templates are defined as follows.

Definition 4.4 (template) A template $\psi^?$ is an ACTL formula over "?" as single atomic proposition. The template of an ACTL formula $\psi$, denoted $\psi^?$, is the template obtained by uniformly substituting "?" for all atomic propositions in $\psi$.³

Observe that for any ACTL formula $\psi$, its template $\psi^?$ is unique. As with ordinary formulas, we shall often omit or introduce parentheses as usual.

Example 4.2 The template of $\psi = A(a\,V\,AX(b \wedge c))$ is $\psi^? = A(?\,V\,AX(? \wedge ?))$, and the template of $\varphi = A((b \vee \neg c)\,U\,a) \wedge AX(c \wedge a)$ is $\varphi^? = A((? \vee \neg ?)\,U\,?) \wedge AX(? \wedge ?)$. □

Definition 4.5 ($T_?$, $PSF$) We denote by $T_?$ the set of all ACTL templates and by $PSF \subseteq T_?$ the set of pure state formulas on the atomic proposition ?.

Instantiations of templates are defined as follows.

Definition 4.6 (instantiation) An ACTL formula $\varphi$ over atoms $AP$, where $? \notin AP$, is an instantiation of a template $\psi^? \in T_?$, if $\varphi$ results by substituting each occurrence of ? in $\psi^?$ with a (possibly different) pure state formula over $AP$.

Example 4.3 An instantiation of $A(?\,V\,(\neg ? \vee A(?\,U\,?)))$ is $A(\mathit{false}\,V\,(\neg \mathit{req} \vee A(\mathit{true}\,U\,\mathit{ack})))$, which expresses that a request is always finally acknowledged (see [6] for this formula). Among the instantiations of $A((? \vee \neg ?)\,U\,?) \wedge AX(? \wedge ?)$ are $A((b \vee \neg c)\,U\,(b \wedge a)) \wedge AX(c \wedge \neg a)$ and $A((a \vee \neg a)\,U\,a) \wedge AX(a \wedge \neg a)$, i.e., $A(\mathit{true}\,U\,a) \wedge AX(\mathit{false})$. □

³ Alternatively, we could define that maximal pure state formulas in $\psi$ are replaced by ?, rather than atoms. However, the definition of $LIN$ and the BNF grammar in Table 1 would become more complex, while the main results are not affected.


Linear templates are now defined by abstraction from ℓ-linear formulas.

Definition 4.7 (ℓ-linear template) A template $\psi^?$ is ℓ-linear, if each instantiation $\varphi$ of $\psi^?$ is ℓ-linear.

Examples of ℓ-linear templates are given in Example 4.4 below.

We next define a subset $LIN \subseteq T_?$ of templates in terms of the least fixpoint of a continuous operator which is applied to a pair of sets of templates. The main effort in the rest of the paper will be the proof that this set $LIN$ is precisely the set of all ℓ-linear templates.

Definition 4.8 (operator $\Gamma$) The operator $\Gamma : 2^{T_?} \times 2^{T_?} \to 2^{T_?} \times 2^{T_?}$ is defined as follows: $\Gamma(S_1, S_2) = (S'_1, S'_2)$, where
$$S'_1 = PSF \;\cup\; S_1 \wedge S_1 \;\cup\; S_1 \vee PSF \;\cup\; PSF \vee S_1 \;\cup\; AX(S_1) \;\cup\; AV(PSF, S_1) \;\cup\; S_2$$
$$S'_2 = AU(S_1, PSF) \;\cup\; AU(PSF, S_2) \;\cup\; S_2 \vee PSF \;\cup\; PSF \vee S_2$$
Obviously, $\Gamma$ is a continuous operator on a complete lattice, and hence by Kleene's Theorem, the least fixpoint $\Gamma^\infty = (S_1^\infty, S_2^\infty)$ exists and is the limit of the sequence $\Gamma^0 = (\emptyset, \emptyset)$, $\Gamma^{i+1} = \Gamma(\Gamma^i)$, $i \geq 0$.

Definition 4.9 ($LIN$) We define $LIN = S_1^\infty$ as the first component of the least fixpoint $\Gamma^\infty = (S_1^\infty, S_2^\infty)$ of $\Gamma$.

Example 4.4 As easily checked, the sample templates in Section 1 generated by the grammar in Table 1 are in $LIN$. In fact, it is easy to see that $LIN$ coincides with the language generated by that grammar. Further templates belonging to $LIN$ are: $AX\,AX(?)$, $AX\,A(?\,U\,(? \vee \neg ?))$, $A((AX(?))\,U\,(? \wedge ?))$, $A((\neg(? \vee ?))\,V\,AX(?))$, $A(?\,V\,((\neg ?) \vee A(?\,U\,?)))$, and $A(A(?\,U\,?)\,U\,?)$. On the other hand, the templates $A((AX(?))\,V\,?)$ and $A(?\,U\,(? \wedge AX(?)))$ are not in $LIN$.

The first of the main results of this paper can now be stated as follows.

Theorem 4.3 Let $\psi^? \in T_?$. Then, $\psi^?$ is ℓ-linear if and only if $\psi^? \in LIN$.

From this result and the inductive definition of $LIN$, we easily obtain the following corollary concerning the recognition of linear templates; observe that membership of a template in $LIN$ can be checked in a single bottom-up pass of the formula tree, in which each step is unambiguous.

Corollary 4.4 Given a template $\psi^? \in T_?$, deciding whether $\psi^?$ is ℓ-linear is possible in $O(|\psi^?|)$ time, where $|\psi^?|$ is the length of $\psi^?$.
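The single bottom-up pass of Corollary 4.4, as an added example that is not the paper's own code: formulas and templates are nested tuples (a representation chosen here), `template` implements Definition 4.4, and `in_s1` / `in_s2` follow the two components of the operator in Definition 4.8, so `in_lin` decides membership in $LIN$ (Definition 4.9); the function names and the tuple syntax are assumptions of this example.

```python
# Added example (not from the paper). Formula representation assumed here:
#   atom: a string such as "a", "req", "true", "false"; "?" is the template hole
#   ("not", f)   ("and", f, g)   ("or", f, g)
#   ("AX", f)    ("AU", f, g)    ("AV", f, g)
# "true"/"false" are treated as atoms, so they become "?" in a template too; this
# matches Example 4.3, where A(true U a) instantiates A(? U ?).

def template(f):
    """Definition 4.4: replace every atomic proposition by '?'."""
    if isinstance(f, str):
        return "?"
    return (f[0],) + tuple(template(g) for g in f[1:])

def is_psf(t):
    """Pure state formula: Boolean connectives only, no AX / AU / AV."""
    if isinstance(t, str):
        return True
    return t[0] in ("not", "and", "or") and all(is_psf(g) for g in t[1:])

def in_s2(t):
    """Second component S_2 of the least fixpoint of Definition 4.8.
    The proof of Theorem 5.1 shows these templates are strongly l-linear."""
    if isinstance(t, str):
        return False
    op, args = t[0], t[1:]
    if op == "AU":                       # AU(S_1, PSF) or AU(PSF, S_2)
        left, right = args
        return (in_s1(left) and is_psf(right)) or (is_psf(left) and in_s2(right))
    if op == "or":                       # S_2 v PSF or PSF v S_2
        left, right = args
        return (in_s2(left) and is_psf(right)) or (is_psf(left) and in_s2(right))
    return False

def in_s1(t):
    """First component S_1 of the least fixpoint, i.e. LIN (Definition 4.9).
    Structural recursion is sound because every clause of the operator builds
    a strictly larger template from its arguments."""
    if is_psf(t):                        # PSF
        return True
    op, args = t[0], t[1:]
    if op == "and":                      # S_1 ^ S_1
        return in_s1(args[0]) and in_s1(args[1])
    if op == "or":                       # S_1 v PSF or PSF v S_1 (covers S_2 v PSF)
        return (in_s1(args[0]) and is_psf(args[1])) or \
               (is_psf(args[0]) and in_s1(args[1]))
    if op == "AX":                       # AX(S_1)
        return in_s1(args[0])
    if op == "AV":                       # AV(PSF, S_1): left argument must be pure
        return is_psf(args[0]) and in_s1(args[1])
    return in_s2(t)                      # S_2 is included in S_1

def in_lin(f):
    """True iff the template of f lies in LIN, i.e. f is l-linear by Theorem 4.3."""
    return in_s1(template(f))

if __name__ == "__main__":
    # A(false V (not req  v  A(true U ack))) from Example 4.3
    f = ("AV", "false", ("or", ("not", "req"), ("AU", "true", "ack")))
    print(template(f), in_lin(f))
```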

The proof of Theorem 4.3 is rather technical, and involves detailed case distinctions. It is given in Sections 5 (if-part) and 6 (only-if part).


5 Templates in $LIN$ are ℓ-linear

In this section, we prove in Theorem 5.1 that all instances of templates in $LIN$ are ℓ-linear. The proof proceeds along the inductive definition of $LIN$.

It appears that using an inductive argument, we can establish that any next-time formula $AX\varphi_1$ is ℓ-linear provided that $\varphi_1$ is, and similarly that nesting any ℓ-linear formula $\varphi_1$ (resp., $\varphi_2$) into the left argument of an until $A(\varphi_1\,U\,\varphi_2)$ (resp., the right argument $\varphi_2$ of an unless $A(\varphi_1\,V\,\varphi_2)$) results in an ℓ-linear formula, if $\varphi_2$ (resp., $\varphi_1$) is a pure state formula. However, it appears that ℓ-linearity is not strong enough to let the induction step go through smoothly for all templates, and in particular for nesting a non-pure state formula into the right argument of an until. We can remedy this problem by revealing that a strengthened version of ℓ-linearity is satisfied by some of the templates, and exploit that this stronger property can be established in the induction step comparatively easily.

Definition 5.1 (strongly ℓ-linear) An ACTL formula $\varphi$ is strongly ℓ-linear, if $\varphi$ is ℓ-deterministic and the following two conditions hold for any Kripke structure $M$:

1. if $\Pi$ is a linear ℓ-counterexample for $\varphi$ in $M$, then every path $\pi$ of the form $\pi = s_0, \ldots, s_k, \mu(\Pi)$ in $M$ such that $s_0 \in S_0(M)$ and $\varphi$ has ℓ-counterexamples at $s_0, \ldots, s_k$ is a counterpath of $\varphi$; and

2. if $\pi$ is a path in $M$ such that $\pi(0) \in S_0(M)$ and every $\pi(i)$, $i \geq 0$, is the origin of some ℓ-counterexample for $\varphi$ in $M$, then $\pi$ is a counterpath for $\varphi$ in $M$.

A template $\psi^?$ is strongly ℓ-linear, if every instantiation $\varphi$ of $\psi^?$ is strongly ℓ-linear.

Example 5.1 The formula $\varphi = A(a\,U\,b)$ is strongly ℓ-linear: a local counterexample $\Pi$ for $\varphi$ is a path $\pi$, and at the state $\pi(0)$, the atom $b$ is false. By adding a prefix $s_0, \ldots, s_{k-1}$ of states to $\pi$ such that $b$ is false in each state $s_i$, we clearly obtain a path $\pi' = s_0, \ldots, s_{k-1}, \pi$ witnessing that $a\,U\,b$ is false, i.e., $\pi'$ is a counterpath for $\varphi$. Thus, item 1 of strong ℓ-linearity is satisfied. Also item 2 is satisfied: $b$ must be false at the origin of any local counterexample of $\varphi$; thus, if $\pi$ is a path as described in item 2, $b$ is false at each state $\pi(i)$. This means that $\pi$ is a counterexample (and thus a counterpath) for $\varphi$.

It is easy to see that this holds if the atoms $a$ and $b$ are replaced by arbitrary pure state formulas; thus, the template $A(?\,U\,?)$ and all templates in $AU(PSF, PSF)$ are strongly ℓ-linear.

On the other hand, the formula $\varphi = A(a\,V\,b)$, even if it is ℓ-linear (as we shall see below), is not strongly ℓ-linear, since it fails to satisfy item 2 of the definition. Indeed, consider a path $\pi$ where each $\pi(i)$ is the origin of a local counterexample for $\varphi$ in which $a$ is false and $b$ is true. Then, $b$ is true in each state of $\pi$. However, a counterexample for $\varphi$ must involve a state at which $b$ is false. Thus, $\pi$ is not a counterpath for $\varphi$ and item 2 fails. It is easy to see from this that no template in $AV(PSF, PSF)$ is strongly ℓ-linear. Similarly, it is easy to see that $AX\,a$ is not strongly ℓ-linear (both item 1 and 2 may fail), and that no template in $AX(PSF)$ is strongly ℓ-linear.

As for more complex formulas, e.g., the templates $A(?\,U\,A(?\,U\,?))$ and $A(?\,U\,?) \vee ?$ are strongly ℓ-linear. This will be formally proven below. □

In Theorem 5.1 we now show that the templates in the class $LIN$ are sound with respect to the property of ℓ-linearity, i.e., each template in this class is ℓ-linear. In fact, in the proof of the result we establish a little more, namely that all templates in the subset $S_2^\infty \subseteq LIN$ are strongly ℓ-linear.


Strong ℓ-linearity helps us in building a counterpath for an until formula $\psi = A(\psi_1\,U\,\psi_2)$, where $\psi_2$ is another until formula $A(\psi_{2,1}\,U\,\psi_{2,2})$, inductively from a counterpath for $\psi_2$. As $\psi_2$ is strongly ℓ-linear, we obtain by item 1 of Definition 5.1 a counterpath for $\psi_2$ if we can reach, from some initial state $s_0$ over a sequence of states in which $\psi_2$ fails, some local counterpath $\pi$ for $\psi_2$. Now if $\Pi$ is an arbitrary counterexample for $\psi$ which involves the failure of $\psi_1 \vee \psi_2$ at some point $\Pi(k)$, then in case $\psi_1$ is a pure state formula we can simply take as this sequence $s_0 = or(\Pi(0)), or(\Pi(1)), \ldots, or(\Pi(k-1))$ and for $\pi$ we take any counterpath for $\psi_2$ that starts in $or(\Pi(k))$ – such a counterpath will exist and its origin will disprove $\psi_1$; note that the latter will not be true in general if a counterexample for $\psi_1$ involves a path. In case $\Pi$ shows failure of $\psi_2$ at each stage, then we are guaranteed by item 2 of Definition 5.1 that $\mu(\Pi)$ is a counterpath for $\psi$. Intuitively, $A(\psi_1\,U\,\psi_2)$ inherits strong ℓ-linearity from $\psi_2$, as any counterexample for $\psi$ involves an initial (or infinite) sequence of counterexamples for $\psi_2$, and $\psi_1$ needs no path for refutation. This is similar for any disjunction $\psi_2 = \varphi_1 \vee \varphi_2$ of an until formula $\varphi_1$ and a pure state formula $\varphi_2$, but fails for every such conjunction $\varphi_1 \wedge \varphi_2$: failure of $\varphi_2$ might release failure of $\varphi_1$ at a state $s_i$ in a prefix $s_0, \ldots, s_k$ to a counterpath for $\psi_2$, and prevent that some $s_j$ where $j < i$ has a counterexample in the resulting path.

We illustrate this by the following example. Consider the formula $\psi = A(a\,U\,A(b\,U\,c))$, and let $\Pi$ be a counterexample for $\psi$ in a structure $M$. Suppose that $\Pi$ shows failure of $a \vee A(b\,U\,c)$ at some stage $k \geq 0$ and that $\Pi(i)$ is a counterexample for $A(b\,U\,c)$ for all $0 \leq i < k$. Then, $a$ is false in the initial stage of $\Pi(k)$, which is a path such that either $b \vee c$ is false at some stage $j$ and $c$ is false at all previous stages, or $c$ is false at every stage. Since $\Pi(i)$ is for every $0 \leq i < k$ a counterexample for $A(b\,U\,c)$, the formula $c$ must be false at the initial stage of $\Pi(i)$. Now the path $\pi$ obtained by prefixing $\Pi(k)$ with $or(\Pi(0)), \ldots, or(\Pi(k-1))$ is a counterpath for $\psi$: indeed, each suffix $\pi^i$ for $0 \leq i < k$ is a counterpath for $A(b\,U\,c)$ (as predicted by item 1 of Definition 5.1) and $\pi^k$ is a counterpath for $a \vee A(b\,U\,c)$. Otherwise, suppose $\Pi$ is such that $\Pi(i)$ for $i \geq 0$ is a counterexample for $A(b\,U\,c)$. Clearly, the right argument $c$ is false at the origin of $\Pi(i)$. Thus, $A(b\,U\,c)$ is false along the path $\pi = [or(\Pi(0)), or(\Pi(1)), \ldots] = \mu(\Pi)$ (as predicted by item 2 of Definition 5.1) because $c$ never becomes true, which means that $\pi$ is a counterpath for $\psi$. Thus, in both cases, $\psi$ has a counterpath in $M$. However, no counterpath for $\psi = A(a\,U\,(A(b\,U\,c) \wedge d))$ may be obtained from a counterexample $\Pi$ for $\psi$: e.g., $\Pi(0)$ may be a counterexample for $\varphi_1 = A(b\,U\,c)$ and $\Pi(1)$ for both $\varphi_2 = d$ and $\psi_1 = a$ (thus for $a \vee (\varphi_1 \wedge \varphi_2)$), while $\varphi_2$ and $\varphi_1$ are true at $or(\Pi(0))$ and $or(\Pi(1))$, respectively. It is then impossible to build a counterpath for $\psi$ by prefixing a path starting at $or(\Pi(1))$ with $or(\Pi(0))$ (cf. also proof of Theorem 6.7, case 4.4).

Let us now see whether we can obtain a similar result for an unless formula $A(\psi_1\,V\,\psi_2)$ by swapping, like above, the left and right argument in an until. It appears that it is not possible to nest anything else than a pure state formula into $\psi_1$ without losing ℓ-linearity. Would we do so, then even strong ℓ-linearity would not ensure that the formula is ℓ-linear. Recall that a counterexample for $A(\psi_1\,V\,\psi_2)$ is a multi-path $\Pi = [\Pi(0), \Pi(1), \ldots]$ such that $\Pi(0), \ldots, \Pi(k-1)$ prove the falsity of $\psi_1$ and $\Pi(k)$ the falsity of $\psi_2$. Trying to construct from $\Pi$ a linear counterexample $\bar\Pi$ for $A(\psi_1\,V\,\psi_2)$, we have to replace each $\Pi(i)$, $0 \leq i \leq k$, with a suitable linear counterexample $\bar\Pi(i)$. We can do so easily for all $i < k$: since $\psi_1$ is strongly ℓ-linear, for any linear counterexample $\bar\Pi(k-1)$ for $\psi_1$ we can find appropriate $\bar\Pi(0), \ldots, \bar\Pi(k-2)$ by exploiting the property in item 1 of Definition 5.1. However, it may happen that every possible $\bar\Pi(k-1)$ misses some state from $\Pi(k)$ which is necessary to refute $\psi_2$; thus, a linear counterexample $\bar\Pi$ cannot be built.

For example, consider $\psi = A(A(a\,U\,b)\,V\,c)$, i.e., nesting of $A(a\,U\,b)$ (which is strongly ℓ-linear), and the structure $M$ corresponding to the transition graph in Figure 5. Observe that $M \not\models \psi$, which is witnessed by the multi-path $\Pi = [[s_0, s_0, s_0, \ldots], [s_1, s_1, s_1, \ldots], s_2, s_2, \ldots]$. Indeed, the paths $\Pi(0)$ and $\Pi(1)$ are counterexamples for $A(a\,U\,b)$, as $b$ is always false along them, and $\Pi(2) = s_2$ is a counterexample for $c$ (i.e., $k = 2$). Clearly this multi-path is not linear. In this case, strong ℓ-linearity of the formula $A(a\,U\,b)$ does not help us to construct a counterpath for $\psi$ from $\Pi$. While the path $\pi = [s_0, s_1, s_1, \ldots]$ obtained by prefixing $\Pi(1) = [s_1, s_1, \ldots]$ with $s_0 = or(\Pi(0))$ is a counterpath for $A(a\,U\,b)$, it is not a counterpath for $\psi$, because $c$ is always true along it. Observe also that $\psi$ has no counterpaths in $M$ at all. Indeed, any counterpath $\pi$ must contain as suffix the path $[s_2, s_2, \ldots]$, since $\pi$ must witness the falsity of $c$. On the other hand, clearly no path in $M$ with suffix $[s_2, s_2, \ldots]$ is a counterpath for $A(a\,U\,b)$.

[Figure 5: Transition graph representing structure $M$ (initial state $s_0$). The figure shows the states $s_0$, $s_1$, $s_2$ with $L(s_0) = \{a, c\}$ and $L(s_2) = \{b\}$; the label $\{a, c\}$ appears a second time at the remaining state.]

Theorem 5.1 Every template in $LIN$ is ℓ-linear.

Proof. We establish the result proving by induction on the stages $\Gamma^i = (S_1^i, S_2^i)$, $i \geq 0$, that every template $\psi^? \in S_1^i$ is ℓ-linear and every template $\psi^? \in S_2^i$ is strongly ℓ-linear.

(Basis) The case $i = 0$ is trivial, since $S_1^0 = S_2^0 = \emptyset$.

(Induction) Consider $i+1$ and assume the statement holds for $i$. Let $\psi^?$ be any template such that $\psi^? \in S_1^{i+1} \setminus S_1^i$ (resp., $\psi^? \in S_2^{i+1} \setminus S_2^i$).

To complete the proof it suffices to show that $\psi^?$ is ℓ-linear (resp., strongly ℓ-linear), i.e., each instantiation $\varphi$ of $\psi^?$ is ℓ-linear (resp., strongly ℓ-linear).

Let $M$ be any Kripke structure such that $M \not\models \varphi$. Then, we have to prove that a linear counterexample for $\varphi$ exists in $M$. From the definition of $\Gamma$, the following cases for $\psi^?$ are possible.

• $\psi^? \in PSF \subseteq S_1^{i+1}$. (In this case, $i = 0$.) Each counterexample of $\varphi$ in $M$ is finite, and thus linear.

• $\psi^? \in S_1^i \wedge S_1^i \subseteq S_1^{i+1}$. Thus, $\varphi = \psi_1 \wedge \psi_2$, where both $\psi_1$ and $\psi_2$ are ℓ-linear by the induction hypothesis. Since $M \not\models \varphi$, either $M \not\models \psi_1$ or $M \not\models \psi_2$. In both cases, the statement follows from the induction hypothesis.

• $\psi^? \in S_1^i \vee PSF \cup PSF \vee S_1^i \subseteq S_1^{i+1}$. Then, $\varphi = \psi_1 \vee \psi_2$. Assume $\psi_2$ is a pure state formula and $\psi_1$ is an instantiation of a template in $S_1^i$; the other case (vice versa) is similar. By the induction hypothesis, $\psi_1$ is ℓ-linear.

Since $M \not\models \varphi$, hence $M, s_0 \not\models \psi_1$ and $M, s_0 \not\models \psi_2$ for some initial state $s_0$. Moreover, since $\psi_1$ is ℓ-linear, it admits a linear counterexample $\Pi_{\psi_1}$ also in $M_{s_0}$.⁴ Clearly, $or(\Pi_{\psi_1}) = s_0$ and $\Pi_{\psi_1}$ is a counterexample for $\psi_1$ in $M$ too. Hence the linear multi-path $\Pi_{\psi_1} \oplus s_0 = \Pi_{\psi_1}$ is a counterexample for $\psi_1 \vee \psi_2$ in $M$. Thus, $\varphi$ is ℓ-linear.

⁴ Recall that, for any structure $M$ and state $s \in S(M)$, $M_s$ denotes the structure resulting from $M$ with the set of initial states redefined to $\{s\}$.


• $\psi^? \in AX(S_1^i) \subseteq S_1^{i+1}$. Consequently, $\varphi$ is of shape $AX(\psi_1)$, where $\psi_1$ is an instantiation of a template in $S_1^i$. Since $M \not\models \varphi$, there must exist a path $\pi$ such that $\pi(0) \in S_0(M)$ and $M, \pi(1) \not\models \psi_1$. By the induction hypothesis, $\psi_1$ is ℓ-linear. Thus, $\psi_1$ has a linear counterexample, say $\Pi_{\psi_1}$, also in $M_{\pi(1)}$. Consider now the multi-path $\Pi$ defined as follows: $\Pi(0) = \pi(0)$, $\Pi(1) = \Pi_{\psi_1}$, and $\Pi(i) = \mu(\Pi_{\psi_1})(i-1)$ if $\psi_1$ is not a pure state formula, and $\Pi(i) = \pi(i)$ otherwise, for each $i > 1$. Clearly, $\Pi(1)$ is an ℓ-counterexample for $\psi_1$ in $M$. Hence, $\Pi$ is a counterexample for $\varphi$; clearly, it is linear.

• $\psi^? \in AV(PSF, S_1^i) \subseteq S_1^{i+1}$. Then $\varphi = A(\psi_1\,V\,\psi_2)$, where $\psi_1$ is a pure state formula and $\psi_2$ is ℓ-linear by the induction hypothesis. Since $M \not\models \varphi$, there exists a path $\pi$ and a $k \geq 0$ with $\pi(0) \in S_0(M)$ such that $M, \pi(k) \not\models \psi_2$ and $M, \pi(i) \not\models \psi_1$ for every $0 \leq i < k$. Since $\psi_2$ is ℓ-linear, by the induction hypothesis there exists a linear counterexample $\Pi_{\psi_2}$ for $\psi_2$ in $M_{\pi(k)}$. Hence, the multi-path $\Pi$ such that $\Pi(i) = \pi(i)$, for each $0 \leq i < k$, $\Pi(k) = \Pi_{\psi_2}$, and $\Pi(i+k) = \mu(\Pi_{\psi_2})(i)$, if $\psi_2$ is not a pure state formula, and $\Pi(i+k) = \pi(i+k)$ otherwise, for $i \geq 1$, is a counterexample for $\varphi$ in $M$. Since $\Pi$ is linear, it follows that $\varphi$ is ℓ-linear.

• $\psi^? \in S_2^i \subseteq S_1^{i+1}$. By the induction hypothesis.

• $\psi^? \in AU(S_1^i, PSF) \subseteq S_2^{i+1}$. We show first that $\varphi$ is ℓ-linear. $\varphi$ is of the form $A(\psi_1\,U\,\psi_2)$, where $\psi_1$ is ℓ-linear by the induction hypothesis and $\psi_2$ is a pure state formula. Let $\Pi$ be a counterexample for $\varphi$ in $M$. By definition of counterexample, $\Pi$ is such that either

7.1 $\Pi(i)$ is a counterexample for $\psi_2$, for each $i \geq 0$, or

7.2 there exists a $k \geq 0$ such that $\Pi(k)$ is a counterexample for $\psi_1 \vee \psi_2$, $\Pi(i)$ is a counterexample for $\psi_2$ (and thus it is a state), for each $0 \leq i < k$, and $\Pi(j)$ is a state, for each $j > k$.

In case 7.1, since $\psi_2$ is a pure state formula, $\Pi(i)$ is a state, for each $i > 0$, and, hence, it is a linear counterexample. Consider now case 7.2. As shown above, each template in $S_1^i \vee PSF$ is ℓ-linear, and thus $\psi_1 \vee \psi_2$ is ℓ-linear. Hence, $\psi_1 \vee \psi_2$ has a linear counterexample also in $M_{\mu(\Pi)(k)}$. Let $\Pi_{\psi_1 \vee \psi_2}$ be any such linear counterexample. Consider now the multi-path $\bar\Pi$ defined as follows: $\bar\Pi(i) = \Pi(i)$ for each $0 \leq i < k$, $\bar\Pi(k) = \Pi_{\psi_1 \vee \psi_2}$, $\bar\Pi(j) = \mu(\Pi_{\psi_1 \vee \psi_2})(j-k)$, for $j > k$. Clearly, $\bar\Pi(k)$ is a counterexample for $\psi_1 \vee \psi_2$ in $M$. Hence, $\bar\Pi$ is a counterexample for $\varphi$ in $M$. Further, as can be easily checked, $\bar\Pi$ is linear.

After proving that $\varphi$ is ℓ-linear, we prove that $\varphi$ satisfies item 1 of Definition 5.1. Consider a path $\pi = s_0, \ldots, s_k, \mu(\Pi)$, as there, where $\Pi$ is a linear ℓ-counterexample for $\varphi$ in $M$. Recall that $\varphi = A(\psi_1\,U\,\psi_2)$, where $\psi_1$ is, by the induction hypothesis, ℓ-linear and $\psi_2$ is a pure state formula. $M_{s_i} \not\models \varphi$ implies that $\psi_2$ is false at $s_i$, for each $i = 0, \ldots, k$. Since $\Pi$ is a linear counterexample for $\varphi$ in $M_{or(\Pi)}$, either

(α) there exists a $j \geq 0$ such that $\Pi(j)$ is a counterexample for $\psi_1 \vee \psi_2$ and $\Pi(i)$, for each $0 \leq i < j$, is an ℓ-counterexample for $\psi_2$ (and thus a state), or

(β) $\Pi(i)$ is an ℓ-counterexample for $\psi_2$ for each $i \geq 0$ (hence $\Pi$ is a path).

In either case, the multi-path $\bar\Pi = [s_0, \ldots, s_k, \Pi(0), \Pi(1), \ldots]$ is a counterexample for $\varphi$ in $M$ (recall that $s_0 \in S_0(M)$), which is clearly linear. Since $\pi = \mu(\bar\Pi)$, item 1 of Definition 5.1 is satisfied.


To show that $\varphi$ satisfies also item 2 of Definition 5.1, consider any path $\pi$ such that $\pi(0) \in S_0(M)$ and $\pi(i)$ is the origin of some ℓ-counterexample for $\varphi$ in $M$, for each $i \geq 0$. Thus, $\psi_2$ is false in each state $\pi(i)$, for $i \geq 0$. Hence, $\pi$ is a counterpath for $\varphi$ in $M$.

• $\psi^? \in AU(PSF, S_2^i) \subseteq S_2^{i+1}$. Then $\varphi$ is of the shape $A(\psi_1\,U\,\psi_2)$, where $\psi_1$ is a pure state formula and $\psi_2$ is strongly ℓ-linear by the induction hypothesis. We have to prove that also $\varphi$ is strongly ℓ-linear. We first show that $\varphi$ is ℓ-linear. Consider thus a counterexample $\Pi$ for $\varphi$. Then, either

8.1 there exists a $k \geq 0$ such that $\Pi(k)$ is a counterexample for $\psi_1 \vee \psi_2$ and $\Pi(i)$ is a counterexample for $\psi_2$, for each $0 \leq i < k$, or

8.2 $\Pi(i)$ is a counterexample for $\psi_2$, for each $i \geq 0$.

In the case (8.1), by definition of counterexample $M_{or(\Pi(i))} \not\models \psi_2$, for each $0 \leq i < k$. Consider now any linear counterexample $\Pi_{\psi_2}$ for $\psi_2$ in $M_{or(\Pi(k))}$. Such a counterexample exists, since $\psi_2$ is strongly ℓ-linear (thus ℓ-linear). Hence, by item 1 of Definition 5.1, it follows that for every path $\pi_j = [or(\Pi(j)), \ldots, or(\Pi(k-1)), \mu(\Pi_{\psi_2})(0), \mu(\Pi_{\psi_2})(1), \ldots]$, for all $0 \leq j \leq k$, there exists a linear counterexample $\Pi_j$ for $\psi_2$ in $M_{or(\Pi(j))}$ such that $\mu(\Pi_j) = \pi_j$. Hence, the multi-path $\bar\Pi$ such that $\bar\Pi(i) = \Pi_i$, for $0 \leq i < k$, $\bar\Pi(k) = \Pi_{\psi_2}$, and $\bar\Pi(i+k) = \mu(\Pi_{\psi_2})(i)$, for $i > 0$, is a counterexample for $\varphi$. Moreover, as can be easily verified, each $\Pi_j$, for $0 \leq j < k$, is linear.

In the case (8.2), by definition of counterexample $M_{or(\Pi(i))} \not\models \psi_2$, for each $i \geq 0$. Since $\psi_2$ is strongly ℓ-linear, it satisfies item 2 of Definition 5.1. Thus, each suffix $\mu(\Pi)^j$ is a counterpath for $\psi_2$. Hence, for any linear counterexamples $\bar\Pi_i$ of $\psi_2$ such that $\mu(\bar\Pi_i) = \mu(\Pi)^i$, $i \geq 0$, the linear multi-path $[\bar\Pi_0, \bar\Pi_1, \ldots, \bar\Pi_i, \ldots]$ is a linear counterexample for $\varphi$.

After proving that $\varphi$ is ℓ-linear, it remains to prove that $\varphi$ satisfies items 1 and 2 of Definition 5.1. Let $\pi = s_0, s_1, \ldots, s_k, \mu(\Pi)$ be a path as in item 1 for a linear ℓ-counterexample $\Pi$ of $\varphi$ in $M$. Recall that $\varphi = A(\psi_1\,U\,\psi_2)$, where $\psi_1$ is a pure state formula and $\psi_2$ is, by the induction hypothesis, strongly ℓ-linear. Since $s_i$ is the origin of some ℓ-counterexample for $\varphi$ in $M$, it follows $M_{s_i} \not\models \psi_2$, for each $0 \leq i \leq k$. Furthermore, since $\Pi$ is a linear counterexample for $\varphi$, either

(α) there exists a $j \geq 0$ such that $\Pi(j)$ is a counterexample for $\psi_1 \vee \psi_2$ and $\Pi(i)$ is a counterexample for $\psi_2$, for each $0 \leq i < j$, or

(β) $\Pi(i)$ is a counterexample for $\psi_2$, for each $i \geq 0$.

In any case, $\psi_2$ has a linear ℓ-counterexample $\bar\Pi$ at $or(\Pi)$ such that $\mu(\bar\Pi) = \mu(\Pi)$. Since $\psi_2$ is strongly ℓ-linear, item 1 of Definition 5.1 implies that for each $i = 0, \ldots, k$ a linear ℓ-counterexample $\Pi_i$ for $\psi_2$ exists at $s_i$ such that $\mu(\Pi_i) = \pi^i$. Hence, the multi-path $\Pi' = [\Pi_0, \ldots, \Pi_k, \bar\Pi(0), \bar\Pi(1), \ldots]$ is a linear counterexample for $\varphi$ in $M$. Since $\mu(\Pi') = \pi$, $\pi$ is a counterpath for $\varphi$ in $M$; thus, item 1 is satisfied.

To show that $\varphi$ satisfies also item 2 of Definition 5.1, let $\pi$ be a path in $M$ such that $\pi(0) \in S_0(M)$ and each $\pi(i)$ is the origin of an ℓ-counterexample for $\varphi$ in $M$, $i \geq 0$. Then, each $\pi(i)$ must be the origin of an ℓ-counterexample for $\psi_2$. Since $\psi_2$ is strongly ℓ-linear, it follows from item 2 of Definition 5.1 that each suffix $\pi^i$ of $\pi$, $i \geq 0$, is a counterpath for $\psi_2$ in $M$, i.e., a corresponding linear ℓ-counterexample $\Pi_i$ for $\psi_2$ exists in $M$ at $\pi(i)$. Thus, $\Pi = [\Pi_0, \Pi_1, \ldots]$ is a linear counterexample for $\varphi$ in $M$ such that $\pi = \mu(\Pi)$. This means $\pi$ is a counterpath for $\varphi$ in $M$, and item 2 of Definition 5.1 is satisfied.

• $\psi^? \in S_2^i \vee PSF \cup PSF \vee S_2^i \subseteq S_2^{i+1}$. The proof that $\psi^?$ is ℓ-linear is analogous to the case $\psi^? \in S_1^i \vee PSF \cup PSF \vee S_1^i$ above. The verification of points 1 and 2 in Definition 5.1 is straightforward.

5.1 Computing a counterpath for $LIN$-instances

In Section 4, we have shown that deciding whether an arbitrary formula $\varphi$ has a counterpath on a given structure $M$ is intractable in general, and so is computing a counterpath. Since instances of $LIN$-templates always have a counterpath if they are false in $M$, the question whether there is an (efficient) procedure for computing any counterpath is natural. Note that existence of a counterpath does not a priori mean that computing a counterpath is easy; this could still be a difficult problem.

Our second main result shows that this is not the case. Let for any finite path $P = s_0, s_1, \ldots, s_k$ in a structure $M$ denote $|P|$ the length of $P$ ($= k+1$), and let for any formula $\psi$ denote $d_A(\psi)$ the $A$-nesting depth of $\psi$ (where $d_A(\psi) = 0$ for every pure state formula $\psi$).

Theorem 5.2 Let $\psi$ be such that $\psi^? \in LIN$. If $M \not\models \psi$, then $\psi$ has a counterpath in $M$ which is either a single state (if $\psi^? \in PSF$), or representable as $P, C$ where $P$ is a finite path (prefix) and $C$ a cycle in $M$ such that $|P| + |C| \leq d_A(\psi)\,|S(M)|$. Moreover, given $\psi$ and $M$, such $P$ and $C$ can be computed in polynomial time.

Proof. The first part (existence of a representation $P, C$ as described) is shown following the induction in the proof of Theorem 5.1. For each instance $\varphi$ of a template $\psi^? \in S_1^i \cup S_2^i$, we can construct the desired representation $P, C$ from the main path of the linear counterexample constructed in the proof there, exploiting that the linear counterexamples $\Pi'$ used in the constructions have representations $P', C'$ as described. We omit repeating all these constructions in detail, and focus here on the relevant facts that establish $P, C$:

1. In cases where $\varphi$ is of the form $\varphi_1 \vee \varphi_2$ or $\varphi_1 \wedge \varphi_2$, a counterpath for $\varphi$ is immediately obtained by the induction hypothesis.

2. In cases where $\varphi$ is of the form $AX\varphi_1$, $A(\varphi_1 V \varphi_2)$, and in some cases of $A(\varphi_1 U \varphi_2)$, the linear counterexample $\Pi$ constructed for $\varphi$ is of the form $[\Pi(0), \ldots, \Pi(k), \Pi(k+1), \ldots]$ where $\Pi(0), \ldots, \Pi(k-1)$ are states (except if $\varphi^\star \in AU(PSF, LIN \setminus PSF)$), $\Pi(k)$ is a linear counterexample for a formula $\psi'$ such that $d_A(\psi') < d_A(\varphi)$, and all $\Pi(j)$, $j > k$, are states. Two subcases arise, depending on the formula $\psi'$:

2.1 $d_A(\psi') = 0$, i.e., $\psi'^\star \in PSF$. Then, $\Pi$ is a simple path in $M$, and the states $\Pi(j)$, $j > k$, in $\Pi$ are meaningless (i.e., the suffix $[\Pi(k), \Pi(k+1), \ldots]$ can be replaced by any infinite path starting at $\Pi(k)$). Thus, a counterpath for $\varphi$ can be represented by $P, C$ such that $|P| + |C| \leq |S(M)| \leq d_A(\varphi)\,|S(M)|$.

2.2 $d_A(\psi') > 0$. Then, $\psi'$ can be assumed to have a counterpath $P', C'$ as in the induction hypothesis, and $P, C$ is given by $s_0, \ldots, s_{k-1}, P', C'$, where $s_i = or(\Pi(i))$ for $i = 0, \ldots, k-1$. For a minimal $k$, it holds that $k \leq |S(M)|$, and we obtain $|P| + |C| = k + |P'| + |C'| \leq |S(M)| + d_A(\psi')\,|S(M)| \leq d_A(\varphi)\,|S(M)|$.

3. In the case where $\varphi = A(\psi_1 U \psi_2)$, a linear counterexample $\Pi$ may be constructed such that each $\Pi(i)$ is a counterexample for $\psi_2$. In the case where $\psi_2^\star \in PSF$, $\Pi$ is a simple path in $M$, which can be replaced by a prefix-cycle pair $P, C$ such that $|P| + |C| \leq |S(M)| \leq d_A(\varphi)\,|S(M)|$ (cf. 2.1); otherwise, if $\psi_2^\star \in LIN \setminus PSF$, then $P, C$ is given by $P', C'$ representing $\pi(\Pi(0))$, and by the induction hypothesis $|P| + |C| = |P'| + |C'| \leq d_A(\psi_2)\,|S(M)| \leq d_A(\varphi)\,|S(M)|$.

This concludes the proof of the first part of the theorem. For computing $P, C$ in polynomial time (second part of Theorem 5.2) we describe an algorithm which proceeds in two steps. Suppose that $\varphi$ and $M$ are given as input.

Step 1. Label each state $s \in S$ with the set $F(s) = \{\varphi' \mid \varphi' \text{ is a subformula of } \varphi \text{ such that } M, s \not\models \varphi'\}$. It is well-known that this labeling is possible in polynomial time (in fact in $O(|\varphi|(|S(M)| + |R(M)|))$ time) [3].

Step 2. Construct a counterpath for $\varphi$, which is either a single state or $P, C$ representing an infinite path, using the following procedure:

Procedure COUNTERPATH

Input: Labeled graph $G = (S, R, F)$, LIN instance $\varphi$, state $s \in S$ such that $\varphi \in F(s)$.
Output: $s$, if $\varphi^\star \in PSF$; otherwise, $P, C$ representing a counterpath $\pi$ for $\varphi$ starting at $s$.

Execute COUNTERPATH$(G, \varphi, s_0)$ for some arbitrary $s_0 \in S_0$ such that $\varphi \in F(s_0)$, and return the result.

COUNTERPATH proceeds top-down, and constructs the output either directly, or by making a recursive call; thus, COUNTERPATH extends an initially empty prefix $P_0$ to $P_1 \subseteq P_2 \subseteq \cdots$ repeatedly until it is eventually completed with a cycle. In general, different choices exist for extending $P_i$ to $P_{i+1}$. The crucial fact is that membership of $\varphi^\star$ in LIN guarantees a "don't care" nondeterminism, i.e., no backtracking is necessary: if $P_i$ is properly extended to $P_{i+1}$, then it can be finally completed with a cycle.

We now describe how COUNTERPATH proceeds for $\varphi^\star \notin PSF$, depending on the structure of $\varphi$. We consider the different possible cases:

• $\varphi = \psi_1 \wedge \psi_2$. Then, either $\psi_1 \in F(s)$ or $\psi_2 \in F(s)$ (or both). Call either COUNTERPATH$(G, \psi_1, s)$ or COUNTERPATH$(G, \psi_2, s)$, respectively, and return the result.

• $\varphi = \psi_1 \vee \psi_2$. If $\psi_1^\star \in PSF$, then call COUNTERPATH$(G, \psi_2, s)$; otherwise, call COUNTERPATH$(G, \psi_1, s)$. Return the result. (Both disjuncts are false at $s$ since $\varphi \in F(s)$, so a counterpath for the disjunct followed also witnesses the failure of $\varphi$.)

• $\varphi = AX(\psi_1)$. Choose any $s'$ such that $(s, s') \in R$ and $\psi_1 \in F(s')$. If $\psi_1^\star \notin PSF$, then call COUNTERPATH$(G, \psi_1, s')$ and return $s; P', C'$, where $P', C'$ is the result of the call (the counterpath has to start at $s$, so $s$ is prepended to the prefix); otherwise, complete the path $s, s'$ to an arbitrary prefix-cycle pair $P, C$ (where $P$ may be void) containing at most $|S(M)|$ states.

• $\varphi = A(\psi_1 V \psi_2)$. Determine any node $s'$ reachable by a (possibly empty) path $s = s_0, s_1, \ldots, s_k = s'$ in $R$ such that $\psi_1 \in F(s_i)$ for all $i = 0, \ldots, k-1$ and $\psi_2 \in F(s')$. If $\psi_2^\star \notin PSF$, then call COUNTERPATH$(G, \psi_2, s')$ and return $s_0, \ldots, s_{k-1}; P', C'$, where $P', C'$ is the result of the call; otherwise, if $\psi_2^\star \in PSF$, then complete $s_0, \ldots, s_k$ to any prefix-cycle pair $P, C$ having at most $|S(M)|$ states and return it.

• $\varphi = A(\psi_1 U \psi_2)$. If there exists a prefix-cycle pair $P, C = s_0, s_1, \ldots, s_k$ in $G$ such that $k < |S(M)|$ and $\psi_2 \in F(s_i)$ for each $i = 0, \ldots, k$, then return $P, C$ (this can be efficiently determined, e.g., by searching for a cycle reachable from $s$ inside the subgraph induced by the states labeled with $\psi_2$).

In the other case, determine any state $s'$ which is reachable from $s$ by a path $s = s_0, \ldots, s_k = s'$ such that $\psi_2 \in F(s_i)$ for all $i = 0, \ldots, k$ and $\psi_1 \in F(s_k)$. Now, if both $\psi_1^\star, \psi_2^\star \in PSF$, then complete the path $s_0, \ldots, s_k$ to an arbitrary prefix-cycle pair $P, C$ such that $|P| + |C| \leq |S(M)|$ and return it.

Otherwise, call COUNTERPATH$(G, \psi_1, s')$ if $\psi_1^\star \notin PSF$, and call COUNTERPATH$(G, \psi_2, s')$ if $\psi_2^\star \notin PSF$; note that only one of the two cases can apply. Return $P, C = s_0, \ldots, s_{k-1}; P', C'$, where $P', C'$ is the result of the call.

The correctness of the procedure COUNTERPATH$(G, \varphi, s)$ follows from the proof of Theorem 5.1. It is not hard to see that each of the cases in the body of COUNTERPATH can be completed in polynomial time (modulo recursion). Since the recursion depth is bounded by the formula length $|\varphi|$, it follows that some $P, C$ can be constructed in polynomial time. Using proper data structures (in particular for the maximal strongly connected components in subgraphs of $R$ induced by labelings in $F$), each case can be handled in $O(|S(M)| + |R(M)|)$ time, i.e., in linear time in the size of $M$. Thus, the procedure COUNTERPATH$(G, \varphi, s)$ takes $O(|\varphi|(|S(M)| + |R(M)|))$ time.

Since, as remarked above, also the construction of $G = (S, R, F)$ is possible in $O(|\varphi|(|S(M)| + |R(M)|))$ time, it follows that some $P, C$ can be computed from $M$ and $\varphi$ in $O(|\varphi|(|S(M)| + |R(M)|))$ time. This proves the second part and the result.

Remarks. (1) The representation $P, C$ of the path $\pi$ returned by COUNTERPATH can be adorned to provide more information about the failure of subformulas. In particular, for an unless $A(\varphi_1 V \varphi_2)$ the stage $k$ in $\pi$ demonstrating the failure of $\varphi_1 V \varphi_2$ can be marked, and similarly for an until $A(\varphi_1 U \varphi_2)$; if $\varphi_2$ is false in each state of $\pi$, this could be marked at $\pi(0)$. An adorned prefix-cycle pair $P, C$ can be seen as a compact representation of a linear counterexample which, different from a counterpath, retains all structural information of the underlying multi-path.

(2) There are instances $\varphi$ of templates in LIN and structures $M$ such that for any prefix-cycle pair $P, C$ of an arbitrary counterpath for $\varphi$ in $M$, the size $|P| + |C|$ is $\Omega(d_A(\varphi)\,|S(M)|)$; the prefix $P$ may cycle through states in $M$ a number of times that is bounded by $d_A(\varphi)$, which cannot be expressed by an (infinite) cycle.

We close this section with briefly addressing the problem of recognizing linear counterexamples. Even if we know that it is possible to compute some arbitrary counterpath for instances of templates in LIN efficiently in polynomial time, we cannot infer from this that deciding whether any given counterpath is valid is possible in polynomial time. However, this problem is easily reduced to a model checking problem for arbitrary ACTL formulas, and thus solved in polynomial time.

Theorem 5.3 Given any formula $\varphi$, a structure $M$, and a prefix-cycle representation $P, C$ of a path in $M$, deciding whether $P, C$ is a valid counterpath for $\varphi$ in $M$ is possible in polynomial time (in fact, in $O(|\varphi|(|P| + |C|))$ time).

Proof. From $P, C$ and $M$, we can easily construct a single-path structure $M'$ in polynomial time by renaming states occurring repeatedly in $P, C$ such that the $i$-th stages of $\pi(M')$ and of $P, C$ have the same labels for every $i \geq 0$. It follows that $P, C$ is a valid counterpath iff $M' \not\models \varphi$. Deciding the latter is well-known to be polynomial. Using the algorithm in [3], it is possible in $O(|\varphi|(|S(M')| + |R(M')|))$ time. Since $|S(M')|$ and $|R(M')|$ are $O(|P| + |C|)$ and $M'$ can be constructed in $O(|\varphi|(|P| + |C|))$ time, it follows that checking validity of $P, C$ can be done in $O(|\varphi|(|P| + |C|))$ time.
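The procedure COUNTERPATH of Section 5.1 and the validity check of Theorem 5.3 in executable form. This is an added example, not code from the paper: it computes the labeling $F$ of Step 1 for a small constructed structure, runs the case analysis of COUNTERPATH, and then unrolls the returned prefix-cycle pair into a single-path structure and model-checks the formula on it, as in the proof of Theorem 5.3. The structure M_EX, the tuple encoding of formulas and all function names are assumptions of this example; the labeling uses a plain fixpoint computation rather than the linear-time algorithm of [3], and for a pure state formula it returns an arbitrary lasso from the state rather than the single state the paper returns.

```python
from collections import deque

# Formulas: ('atom', 'a'), ('not', f), ('and', f, g), ('or', f, g), ('AX', f), ('AU', f, g),
# ('AV', f, g).  A structure is (S, R, L): state set, successor dict (assumed total), label dict.

def is_psf(f):
    """Pure state formula: a Boolean combination of atoms with no A operator."""
    return f[0] == 'atom' or (f[0] in ('not', 'and', 'or') and all(is_psf(g) for g in f[1:]))

def sat(M, f):
    """States of M satisfying f (CTL labelling; AU is a least, AV a greatest fixpoint)."""
    (S, R, L), op = M, f[0]
    if op == 'atom': return {s for s in S if f[1] in L[s]}
    if op == 'not':  return S - sat(M, f[1])
    if op == 'and':  return sat(M, f[1]) & sat(M, f[2])
    if op == 'or':   return sat(M, f[1]) | sat(M, f[2])
    ax = lambda Z: {s for s in S if R[s] <= Z}          # every successor lies in Z
    if op == 'AX':   return ax(sat(M, f[1]))
    a, b = sat(M, f[1]), sat(M, f[2])
    Z = set() if op == 'AU' else set(S)                  # iterate from below (AU) or above (AV)
    while True:
        nz = b | (a & ax(Z)) if op == 'AU' else b & (a | ax(Z))
        if nz == Z: return Z
        Z = nz

def labelling(M, f):
    """Step 1 of the paper: F[g] = set of states where the subformula g of f is false."""
    subs = lambda g: [g] + [x for h in g[1:] if isinstance(h, tuple) for x in subs(h)]
    return {g: M[0] - sat(M, g) for g in subs(f)}

def find_path(R, start, may_pass, is_goal):
    """BFS: shortest path t0..tk with may_pass(ti) for i < k and is_goal(tk); k may be 0."""
    parent, queue = {start: None}, deque([start])
    while queue:
        t = queue.popleft()
        if is_goal(t):
            path = []
            while t is not None: path.append(t); t = parent[t]
            return path[::-1]
        if may_pass(t):
            for u in sorted(R[t]):
                if u not in parent: parent[u] = t; queue.append(u)
    return None

def extend_to_lasso(R, path):
    """Complete a finite path to a prefix-cycle pair by walking successors until a state repeats."""
    path = list(path)
    while True:
        j = path.index(path[-1])                         # first occurrence of the last state
        if j < len(path) - 1: return path[:j], path[j:-1]
        path.append(min(R[path[-1]]))                    # R is total, so a successor exists

def lasso_within(R, start, inside):
    """Prefix-cycle pair from start with all states satisfying inside(), or None."""
    seen, todo = set(), [start] if inside(start) else []
    while todo:
        t = todo.pop()
        if t not in seen:
            seen.add(t); todo.extend(u for u in R[t] if inside(u))
    for t in sorted(seen):                               # is some reachable t on a cycle inside?
        for u in sorted(R[t]):
            back = find_path(R, u, inside, lambda x: x == t) if inside(u) else None
            if back is not None:
                return find_path(R, start, inside, lambda x: x == t)[:-1], [t] + back[:-1]
    return None

def counterpath(M, F, f, s):
    """Procedure COUNTERPATH: prefix-cycle pair (P, C) of a counterpath for f starting at s."""
    R = M[1]; false_at = lambda g, t: t in F[g]
    assert false_at(f, s), "COUNTERPATH is only called on states where f is false"
    if is_psf(f): return extend_to_lasso(R, [s])         # the paper returns just s here
    op = f[0]
    if op == 'and':                                      # follow a conjunct that fails at s
        return counterpath(M, F, f[1] if false_at(f[1], s) else f[2], s)
    if op == 'or':                                       # both fail at s; follow the non-PSF one
        return counterpath(M, F, f[2] if is_psf(f[1]) else f[1], s)
    if op == 'AX':
        t = min(u for u in R[s] if false_at(f[1], u))
        if is_psf(f[1]): return extend_to_lasso(R, [s, t])
        P, C = counterpath(M, F, f[1], t); return [s] + P, C
    a, b = f[1], f[2]
    if op == 'AV':                                       # a false up to a state where b is false
        path = find_path(R, s, lambda t: false_at(a, t), lambda t: false_at(b, t))
        if is_psf(b): return extend_to_lasso(R, path)
        P, C = counterpath(M, F, b, path[-1]); return path[:-1] + P, C
    lasso = lasso_within(R, s, lambda t: false_at(b, t))  # AU: b false along a whole lasso ...
    if lasso is not None: return lasso
    path = find_path(R, s, lambda t: false_at(b, t),      # ... or up to a state where a fails too
                     lambda t: false_at(b, t) and false_at(a, t))
    if is_psf(a) and is_psf(b): return extend_to_lasso(R, path)
    P, C = counterpath(M, F, a if not is_psf(a) else b, path[-1]); return path[:-1] + P, C

def is_valid_counterpath(M, f, P, C):
    """Theorem 5.3: unroll P, C into a single-path structure and model-check f at its first state."""
    n = len(P) + len(C)
    R2 = {i: {i + 1 if i < n - 1 else len(P)} for i in range(n)}   # last state closes the cycle
    return 0 not in sat((set(range(n)), R2, {i: M[2][t] for i, t in enumerate(P + C)}), f)

# Constructed example structure (not from the paper): from s0 one branch reaches the b-state s3,
# the other loops on s2 without ever reaching b.
M_EX = ({'s0', 's1', 's2', 's3'},
        {'s0': {'s1', 's2'}, 's1': {'s3'}, 's2': {'s2'}, 's3': {'s3'}},
        {'s0': {'a'}, 's1': {'a'}, 's2': {'a'}, 's3': {'b'}})
A, B = ('atom', 'a'), ('atom', 'b')

def demo(f, s='s0'):
    """Label M_EX for f, run COUNTERPATH from s and verify the result with the Theorem 5.3 check."""
    P, C = counterpath(M_EX, labelling(M_EX, f), f, s)
    return P, C, is_valid_counterpath(M_EX, f, P, C)
```

`demo(('AU', A, B))` returns `(['s0'], ['s2'], True)`: the lasso $s_0, s_2, s_2, \ldots$ on which $b$ never holds. `demo(('AV', B, A))` returns `(['s0', 's1'], ['s3'], True)`, the path on which $a$ is released by $b$ at $s_3$ without $a$ holding there, while `is_valid_counterpath(M_EX, ('AV', B, A), ['s0'], ['s2'])` is `False`, since $a$ holds throughout that path. Running the check on whatever COUNTERPATH returns is the practical way to notice when the formula is not a LIN instance and the don't-care nondeterminism of Section 5.1 does not apply.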

6 All $\ell$-linear Templates are in LIN

The proof of the converse of Theorem 5.1 is based on the observation that particular instantiations of non-linear templates can be used to derive the result. The structure of these instantiations allows us to build, in a systematic way, structures in which no linear counterexamples exist.

Definition 6.1 (disjoint and positive instantiation) A disjoint instantiation of a template $\psi^\star \in T^\star$ is an instantiation $\varphi$ of $\psi^\star$ which can be built starting from pure state formulas such that $\wedge$, $\vee$, $A(\cdot\,U\,\cdot)$, $A(\cdot\,V\,\cdot)$ are only applied to formulas $\varphi_1$ and $\varphi_2$ having disjoint sets of atomic propositions, i.e., $AP(\varphi_1) \cap AP(\varphi_2) = \emptyset$.

An instantiation $\varphi$ is positive, if each occurrence of an atom in $\varphi$ is under an even number of negations.

Notice that in a positive template instantiation $\varphi$, each subformula $\neg\psi$ which is not in the scope of another negation is logically equivalent to a monotone (negation-free) Boolean formula over $AP(\psi)$. Observe also that $\neg\psi \not\equiv true$ and $\neg\psi \not\equiv false$ hold in this case.

Positive disjoint instantiations have the nice property that, with respect to counterexamples, any part of a Boolean combination $\varphi$ of formulas $\varphi_1, \ldots, \varphi_m$ can be "projected out" in suitable structures, i.e., counterexamples for a simplified formula $\varphi'$ give rise to counterexamples for $\varphi$. This is particularly useful for showing that $\varphi$ is not $\ell$-linear if any of $\varphi_1, \ldots, \varphi_m$ is not $\ell$-linear.

Lemma 6.1 Let $\varphi$ be a positive disjoint instantiation of $\varphi^\star \in T^\star$ which is a monotone Boolean combination of distinct formulas $\varphi_1, \ldots, \varphi_m$, viewed as atoms, where each $\varphi_i$ is used only once. Let $\varphi^+$ be any nonempty formula obtained by omitting any atoms $\varphi_1, \ldots, \varphi_m$ in the inductive construction of $\varphi$. Let $M^+$ be any structure such that $R(M^+)$ is total and $AP(M^+) \cap AP(\varphi) = AP(\varphi^+)$. Then, there exists a structure $M$ that coincides with $M^+$ on all components except $AP(M) = AP(M^+) \cup AP(\varphi)$ and, for each state $s \in S(M)$, $L(M)(s) = L(M^+)(s) \cup P$ where $P \subseteq AP(\varphi) \setminus AP(\varphi^+)$, such that (1) $M, s \models \varphi$ iff $M^+, s \models \varphi^+$ holds for each state $s$, and (2) for each path $\pi$, it holds that $\pi$ is a local counterpath for $\varphi$ in $M$ iff $\pi$ is a local counterpath for $\varphi^+$ in $M^+$.

Proof. Since $\varphi$ is positive, all $\varphi_i$ are positive. Thus, every formula $\varphi_i$ which does not occur in $\varphi^+$ can be made either globally true in $M^+$, by including $AP(\varphi_i)$ in the label of each state $s$, or globally false in $M^+$, by not including any atom from $AP(\varphi_i)$ in the label of each state $s$.

Let $M$ result from $M^+$ by making each $\varphi_i$ globally true (resp., false) such that $\varphi_i$ occurs in a maximal subformula $\psi$ of $\varphi$ which is omitted in the inductive construction of $\varphi$ and connected in $\varphi$ by conjunction (resp., disjunction), that is, $\varphi$ has a subformula of form $\psi \wedge \psi'$ or $\psi' \wedge \psi$ (resp., $\psi \vee \psi'$ or $\psi' \vee \psi$) where all subformulas in $\psi$ are omitted but not all subformulas in $\psi'$. For example, the formula $\varphi = ((AX(a) \vee b) \wedge AX(c)) \vee (d \vee A(eUf))$ is a monotone Boolean combination $\varphi = ((\varphi_1 \vee \varphi_2) \wedge \varphi_3) \vee (\varphi_4 \vee \varphi_5)$ of "atoms" $\varphi_1 = AX(a)$, $\varphi_2 = b$, $\varphi_3 = AX(c)$, $\varphi_4 = d$, and $\varphi_5 = A(eUf)$. Let $\varphi^+ = \varphi_3 \vee \varphi_4 = AX(c) \vee d$ result by omitting $\varphi_1$, $\varphi_2$, and $\varphi_5$ in the construction of $\varphi$. Then, given a structure $M^+$ with total $R(M^+)$ such that $AP(M^+) \cap AP(\varphi) = \{c, d\}$, we obtain $M$ by adding $a$ and $b$ to the label of each state in $M^+$ (this effects that $\varphi_1$ and $\varphi_2$ are globally true in $M$, while $\varphi_5$ is globally false).

It is not hard to see that the structureM so constructed satisfies the property stated in the lemma.

The next lemma informally states that for any positive disjoint instantiation $\psi$ of a template in LIN, we can always find a structure that permits only one path and such that the formula is true in it, but false if we proceed long enough along this path. For example, consider the instantiation $\psi = A(aUb)$ of the template $A(\star U \star)$ and the structure $M$ corresponding to the transition graph in Figure 6.

[Figure 6: Transition graph representing structure $M$ (initial state $s_0$): states $s_0$ and $s_1$ with $L(s_0) = \{b\}$ and $L(s_1) = \emptyset$, and the transitions $s_0 \to s_1$ and $s_1 \to s_1$.]

Clearly $M \models \psi$, since $\psi$ is true along the unique path $\pi = [s_0, s_1, s_1, \ldots]$ in $M$. However, it is sufficient to proceed just one stage along $\pi$ to make $\psi$ false; in fact, $\psi$ fails in each suffix $\pi^i$ for $i \geq 1$.

Observe that the above property does not hold for all instantiations of templates in LIN. For example, consider the instance $\varphi = A(false\,V\,a)$ of the template $A(\star V \star)$, which belongs to LIN. A counterexample for $\varphi$ is a path $\pi$ along which $a$ is false in some state $\pi(i)$. Here, it is impossible to prefix $\pi$ with a sequence $s_0, \ldots, s_k$ of states such that along the resulting path $false\,V\,a$ becomes true.

Before we state the lemma, we need some preliminary definitions. Recall that a structure is conic if it has a single initial state and this state is not reachable from any state of the structure (see Section 2).

Definition 6.2 (single-path structure) A conic structure $M$ is a single-path structure, if $M$ has a single path starting at the initial state, and each state in $M$ occurs in it. We denote this path by $\pi(M)$.

An immediate consequence of this definition is that for any single-path structure $M$ and non-pure-state formula $\psi$ it holds that $M \not\models \psi$ just in case $\pi(M)$ is a counterpath for $\psi$.

Lemma 6.2 For every positive disjoint instantiation $\psi$ of a template $\psi^\star \in LIN$, there exists a single-path structure $M$ and a $k \geq 1$ such that $M \models \psi$ and $\pi(M)^k$ is a local counterpath for $\psi$ (resp., $\pi(M)(k) \not\models \psi$ if $\psi^\star \in PSF$).

Proof. By induction on the stage $i \geq 0$ of the sequence $(S^i_1, S^i_2)$ in which $\psi^\star$ first occurs (see Appendix 7).

The next lemma informally says that for any positive disjoint instantiation $\psi$ of a template in LIN, it is possible to find a single-path structure which does not satisfy $\psi$, but which always satisfies $\psi$ if we proceed long enough on the single path. This lemma is in a sense complementary to the previous lemma. As there, the property is not true for arbitrary instantiations of templates from LIN. E.g., a single-path structure falsifying $\psi = A(true\,U\,a)$ does not contain any "suffix" structure in which $\psi$ holds.

Prior to the lemma, we introduce the notion of $k$-structure.

Definition 6.3 ($k$-structure) A $k$-structure for a positive disjoint instantiation $\psi$ of a template $\psi^\star \in T^\star$ is any conic structure $M$ such that $M \not\models \psi$ and for each path $\pi$ in $M$ starting at $s_0$, there exists an index $k \geq 1$ such that $M, \pi^i(0) \models \psi$ for each $i \geq k$.

We will use $k$-structures repeatedly in constructions of structures which do not have linear counterexamples for formulas involving the until operator.

Lemma 6.3 Each positive disjoint instantiation $\psi$ of any template $\psi^\star \in LIN$ has some single-path $k$-structure $M$.

Proof. By induction on the stage $i \geq 0$ of the sequence $(S^i_1, S^i_2)$ in which $\psi^\star$ first occurs (see Appendix 7).

In the next result, we show that a large class of templates in $T^\star \setminus LIN$ which involve nesting into the until operator $U$ or the unless operator $V$, respectively, are not linear. We establish this by proving that positive disjoint instantiations of these templates are not $\ell$-linear. We introduce some preliminary concepts.

Definition 6.4 (left- and right-structures) A left-structure $M$ for a positive disjoint instantiation $\varphi = A\chi$ of a template in $T^\star$ is a conic structure with initial state $s_0$ and $AP(M) = AP(\varphi)$, which satisfies, depending on the linear-time operator guarding $\chi$, the following properties (see Figure 7):

If $\varphi = AX(\varphi_1)$, then only one transition $(s_0, s_0')$ leaving from $s_0$ exists, and
• $s_0'$ is the initial state of a structure $\Gamma_{\varphi_1}$, contained in $M$, such that $\Gamma_{\varphi_1} \not\models \varphi_1$;
• $s_0$ does not appear in the set of states of $\Gamma_{\varphi_1}$.

If $\varphi = A(\varphi_1 V \varphi_2)$, then
• $s_0$ is the initial state of a structure $\Gamma_{\varphi_1}$, contained in $M$, such that $\Gamma_{\varphi_1} \not\models \varphi_1$;
• there is only one transition from $s_0$ to a state $s_0'$ not belonging to $\Gamma_{\varphi_1}$, which is the initial state of a structure $\Gamma_\varphi$, contained in $M$, such that $\Gamma_\varphi \not\models \varphi$;
• the sets of states of $\Gamma_{\varphi_1}$ and $\Gamma_\varphi$ are disjoint.

For $\varphi = A(\varphi_1 U \varphi_2)$, $M$ is similar as for $\varphi = A(\varphi_1 V \varphi_2)$, but with the roles of $\varphi_1$ and $\varphi_2$ exchanged.

Right-structures for $\varphi$ are particular left-structures, such that all structures $\Gamma_\varphi$, $\Gamma_{\varphi_1}$, and $\Gamma_{\varphi_2}$ involved (with the exception of $\Gamma_{\varphi_1}$ for $\varphi = A(\varphi_1 V \varphi_2)$) are $k$-structures (see Figure 8).

[Figure 7: Left-structures for (a) $\varphi = AX\varphi_1$, (b) $\varphi = A(\varphi_1 V \varphi_2)$, and (c) $\varphi = A(\varphi_1 U \varphi_2)$; in each case $s_0$ has the single outgoing transition to $s_0'$, the initial state of $\Gamma_{\varphi_1}$ in (a) and of $\Gamma_\varphi$ in (b) and (c).]

[Figure 8: Right-structures for (a) $\varphi = AX\varphi_1$, (b) $\varphi = A(\varphi_1 V \varphi_2)$, and (c) $\varphi = A(\varphi_1 U \varphi_2)$; same layout as Figure 7, with the marked substructures being $k$-structures.]

Left- and right-structures will be used as components for the left-nested and right-nested formulas $\psi_1$ and $\psi_2$, respectively, in the constructions of structures $M$ witnessing the fact that formulas $A(\psi_1 U \psi_2)$ are not $\ell$-linear in general.

Lemma 6.4 Let $\varphi = A\chi$ be a positive disjoint instantiation of some template $\varphi^\star \in T^\star$. Then, there exists some left-structure for $\varphi$, and if $\varphi^\star \in LIN$, there exists also some right-structure for $\varphi$.

Proof. Left-structures for $\varphi$ are easily constructed (use, e.g., the technique of making formulas globally false in Lemma 6.1 to construct the substructures $\Gamma_\varphi$, $\Gamma_{\varphi_1}$, and $\Gamma_{\varphi_2}$ of $M$). If $\varphi^\star \in LIN$, then the subtemplates $\psi_1^\star$, $\psi_2^\star$ of $\varphi^\star = AX\psi_1^\star$ resp. $\varphi^\star = A(\psi_1^\star U \psi_2^\star)$, $\varphi^\star = A(\psi_1^\star V \psi_2^\star)$ belong to LIN as well. By Lemma 6.3, we can thus use single-path $k$-structures for the substructures, and thus the resulting left-structure is also a right-structure.

We note the following proposition.

Proposition 6.5 Let $M$ be any left-structure for a positive disjoint instantiation $\varphi = A\chi$ of a template in $T^\star$. Then $M \not\models \varphi$.

Proof. For $\varphi = AX(\varphi_1)$, this is obvious. To see this for $\varphi = A(\varphi_1 V \varphi_2)$, let $\Pi$ be a counterexample for $\varphi$ in $\Gamma_\varphi$ (which exists by Theorem 3.1), and let $\Pi'$ be a counterexample for $\varphi_1$ in $\Gamma_{\varphi_1}$ (starting at $s_0$). Then, the multi-path $[\Pi', \Pi(0), \Pi(1), \ldots]$ is a counterexample for $\varphi$. In case $\varphi = A(\varphi_1 U \varphi_2)$, let $\Pi$ be a counterexample for $\varphi$ in $\Gamma_\varphi$ (which exists by Theorem 3.1), and let $\Pi'$ be a counterexample for $\varphi_2$ in $\Gamma_{\varphi_2}$ (starting at $s_0$). Then, the multi-path $[\Pi', \Pi(0), \Pi(1), \ldots]$ is a counterexample for $\varphi$.

The following definition introduces a formal notion of merging two conic structures at their initial states, which is used repeatedly in the proofs of the subsequent results of this section.

Definition 6.5 (fusion of structures) Let $M_1$ and $M_2$ be conic structures with initial states $s^1_0$ and $s^2_0$, respectively, having disjoint sets of states. Then, the fusion of $M_1$ and $M_2$ is the conic structure $M$ obtained by taking the union of $M_1$ and $M_2$, where $s^1_0$ and $s^2_0$ are merged into a single state $s_0$ with label $L(s_0) = L(s^1_0) \cup L(s^2_0)$.

Theorem 6.6 Let $\psi$ be a positive disjoint instantiation of a template $\psi^\star \in T^\star$ such that either

1. $\psi = A(\psi_1 U \psi_2)$, where $\psi_1^\star \notin PSF$ and $\psi_2^\star \in LIN \setminus PSF$, or

2. $\psi = A(\psi_1 V \psi_2)$, where $\psi_1^\star \notin PSF$ and $\psi_2^\star \in LIN$.

Then, $\psi$ is not $\ell$-linear.

Proof. We have to find a structure $M$ such that both $M \not\models \psi$ and each counterexample for $\psi$ in $M$ is not a linear multi-path. We prove the statement first for the case in which $\psi_1$ and $\psi_2$ are of the form $A\chi$ or, for item 2, $\psi_2$ is a pure state formula. By exploiting Lemma 6.1, we can then conclude that the statement is true in general.

We will construct $M$ for item 1 starting from a left-structure $M_1$ and a right-structure $M_2$ for the subformulas $\psi_1$ and $\psi_2$, respectively. Observe that, by Lemma 6.4, such $M_1$ and $M_2$ exist; unless stated otherwise, we assume that they have disjoint sets of states. For item 2, we will construct $M$ starting from a single-path structure for $\psi_2$ as in Lemma 6.2.

• (1) $\psi = A(\psi_1 U \psi_2)$, where $\psi_1^\star = A\chi_1^\star \notin PSF$ and $\psi_2^\star = A\chi_2^\star \in LIN \setminus PSF$. We construct $M$ as the fusion of a left-structure $M_1$ for $\psi_1$ and a right-structure $M_2$ for $\psi_2$ with initial state $s_0$, and modify $M$ according to the linear-time operators $X$, $V$, and $U$ guarding $\psi_1$ and $\psi_2$, respectively. Out of the nine emerging cases, we consider here two cases; the others are similar (see Appendix 7).

– $\psi_1 = AX(\psi_{1,1})$ and $\psi_2 = AX(\psi_{2,1})$. We modify $M$ as follows. In each state $s$ of the structure $\Gamma_{\psi_{1,1}}$ in $M_1$ (see Def. 6.4), we include $AP(\psi_{2,1})$ (i.e., in its label $L(s)$), and in each state of $\Gamma_{\psi_{2,1}}$ in $M_2$, we include $AP(\psi_{1,1})$ (see Figure 9).

[Figure 9: The $X$-$X$ case: $A(\psi_1 U \psi_2)$, where $\psi_1 = AX(\psi_{1,1})$ and $\psi_2 = AX(\psi_{2,1})$; $M_1$ and $M_2$ fused at $s_0$, with $AP(\psi_{2,1})$ added to the states of $\Gamma_{\psi_{1,1}}$ and $AP(\psi_{1,1})$ added to the states of the $k$-structure $\Gamma_{\psi_{2,1}}$.]

Clearly, these additions preserve the existence of counterexamples for $\psi_{1,1}$ in $\Gamma_{\psi_{1,1}}$ and for $\psi_{2,1}$ in $\Gamma_{\psi_{2,1}}$, respectively, since $AP(\psi_{1,1})$ and $AP(\psi_{2,1})$ are disjoint.

It holds that $M \not\models \psi$, since $M_1 \not\models \psi_1$ and $M_2 \not\models \psi_2$. Indeed, we can find a counterexample for $\psi_1 \vee \psi_2$ simply by merging a counterexample for $\psi_1$ in $M_1$ with a counterexample for $\psi_2$ in $M_2$. Clearly, this counterexample is not linear.

It remains to show that no linear counterexample for $\psi$ in $M$ exists. First observe that no counterexample for $\psi_1$ is in $M_2$. Indeed, for every multi-path $\Pi$ in $M_2$, $\Pi(1)$ cannot be a counterexample for $\psi_{1,1}$, since each state of $M_2$ except $s_0$ contains the set $AP(\psi_{1,1})$. Similarly, there is no counterexample for $\psi_2$ in $M_1$. Hence, each counterexample for $\psi$ involving counterexamples for both $\psi_1$ and $\psi_2$ cannot be linear. By Definition 3.5, any counterexample for $\psi$ must involve counterexamples for $\psi_2$. Now we show that every counterexample for $\psi$ involving only counterexamples for $\psi_2$ is not linear. Clearly, this concludes the proof. Towards a contradiction, suppose $\Pi$ is a linear counterexample such that $\Pi(i)$ is a counterexample for $\psi_2$, for every $i \geq 0$. Since $\psi_2$ is globally true in $M_1$, $\pi(\Pi)$ must lead into $M_2$, and thus into $\Gamma_{\psi_{2,1}}$. However, $\Gamma_{\psi_{2,1}}$ is a $k$-structure, which means that $\psi_2$ is eventually true. This raises the desired contradiction.

– $\psi_1 = A(\psi_{1,1} V \psi_{1,2})$ and $\psi_2 = A(\psi_{2,1} U \psi_{2,2})$. We modify $M$ as follows. We add (1) to every state of $M_1$ except $s_0$ the set $AP(\psi_2)$; (2) to every state of $M_2$ except $s_0$ the set $AP(\psi_1)$; (3) to $s_0$ the set $AP(\psi_{1,2}) \cup AP(\psi_{2,1})$; and (4) to every state $s \neq s_0$ of $\Gamma_{\psi_{2,2}}$ in $M_2$ the set $AP(\psi_{2,1})$ (see Figure 10; note that the order of these additions is immaterial).

[Figure 10: The $V$-$U$ case: $A(\psi_1 U \psi_2)$, where $\psi_1 = A(\psi_{1,1} V \psi_{1,2})$ and $\psi_2 = A(\psi_{2,1} U \psi_{2,2})$; $M_1$ (containing $\Gamma_{\psi_1}$ and $\Gamma_{\psi_{1,1}}$) and $M_2$ (containing the $k$-structures $\Gamma_{\psi_2}$ and $\Gamma_{\psi_{2,2}}$) fused at $s_0$, with the label additions $AP(\psi_2)$, $AP(\psi_1)$, $AP(\psi_1) \cup AP(\psi_{2,1})$ and $AP(\psi_{1,2}) \cup AP(\psi_{2,1})$ described in the text.]

It is easy to see that, also after these additions, $M_1 \not\models \psi_1$ and $M_2 \not\models \psi_2$. Thus, $M \not\models \psi$. Moreover, no counterexample for $\psi_1$ is in $M_2$. Indeed, a counterexample for $\psi_1$ must contain a counterexample for $\psi_{1,2}$. But this is impossible, since each state in $M_2$ contains $AP(\psi_{1,2})$. Finally, no counterexample for $\psi_2$ is in $M_1$. Indeed, since each state of $M_1$ contains the set $AP(\psi_{2,1})$, a counterexample for $\psi_2$ in $M_1$ could only be a multi-path $\Pi$ such that each element $\Pi(i)$ is a counterexample for $\psi_{2,2}$, for each $i \geq 0$. But this is impossible, since $\psi_{2,2}$ is globally true in $M_1$.

Hence, a counterexample for $\psi$ involving counterexamples for both $\psi_1$ and $\psi_2$ cannot be linear. By Definition 3.5 a counterexample for $\psi$ must involve a counterexample for $\psi_2$. Now we show that every counterexample for $\psi$ involving only counterexamples for $\psi_2$ is not linear. This, clearly, concludes the proof. Towards a contradiction, suppose $\Pi$ is such a linear counterexample, i.e., $\Pi(i)$ is a counterexample for $\psi_2$, for each $i \geq 0$. But such a counterexample cannot be linear. Indeed, it cannot lead into $\Gamma_{\psi_2}$, since this is a $k$-structure of $\psi_2$. On the other hand, it cannot lead into $\Gamma_{\psi_{2,2}}$. Indeed, a counterexample for $\psi_2$ cannot involve a counterexample for $\psi_{2,1}$ as $\Gamma_{\psi_{2,2}}$ contains in each state the set $AP(\psi_{2,1})$. Thus, such a counterexample could only be a multi-path $\Pi$ such that $\Pi(i)$ is a (linear) counterexample for $\psi_{2,2}$, for each $i \geq 0$. But this is not possible, since $\Gamma_{\psi_{2,2}}$ is a $k$-structure of $\psi_{2,2}$. Hence, no counterexample for $\psi$ in $M$ is linear.

• (2) The second case is $\psi = A(\psi_1 V \psi_2)$, where $\psi_1^\star = A\chi_1^\star \notin PSF$ and either $\psi_2^\star = A\chi_2^\star \in LIN$ or $\psi_2^\star \in PSF$.

For each possible shape of the template $\psi_1^\star$, we construct a structure $M$ such that both $M \not\models \psi$ and each counterexample for $\psi$ in $M$ is not linear. The structure $M$ is obtained by a modification of a base structure $\bar{M}$, which we define next.

Let $M'$ be a single-path structure as stated in Lemma 6.2 for the formula $\psi_2$. Thus, $M' \models \psi_2$. Furthermore, there exists an index $k \geq 1$ such that $\pi(M')^k$ is a local counterpath for $\psi_2$ (resp., $\psi_2$ is false in $\pi(M')(k)$). Without loss of generality, $k$ is the least index having this property. Denote by $s_i = \pi(M')(i)$, for $i = 0, \ldots, k$, the first $k+1$ states appearing in $\pi(M')$. Note that the $s_i$ (hence also the suffixes $\pi(M')^i$) are pairwise distinct. Furthermore, $s_k$ is the initial state of a structure $M^+$ induced by $s_k$ in $M'$ (i.e., the suffix $\pi(M')^k$) such that $M^+ \not\models \psi_2$.

Let $M_0$ be a left-structure for $\psi_1$. We take copies $M_1, \ldots, M_{k-1}$ and repeatedly take the fusion of $M_i$ with the substructure of $M'$ induced by the state $s_i$ in $M'$, for $i = 0, \ldots, k-1$. The repeatedly so revised structure $M'$ is the desired base structure $\bar{M}$ with initial state $s_0$ (cf. Figure 11).

We consider here one of the three emerging types of $\psi_1^\star$; the proof in the other cases is similar (see Appendix 7).

– $\psi_1 = AX(\psi_{1,1})$, i.e., $\psi = A(AX(\psi_{1,1}) V \psi_2)$. To construct $M$, we modify the above structure $\bar{M}$ as follows. Include in the label of each state not appearing in $\pi(M')^k$ the set $AP(\psi_2)$. Note that this addition does not affect the existence of (local) counterexamples for $\psi_1$ starting at $s_0, s_1, \ldots, s_{k-1}$, since $AP(\psi_1)$ and $AP(\psi_2)$ are disjoint. Finally, we add the set $AP(\psi_1)$ to every state of $M'$ (thus, to each state appearing in $\pi(M')$). This addition preserves the existence of counterexamples for $\psi_1$ starting with $s_0, s_1, \ldots, s_{k-1}$, since $\psi_1$ involves the next-time operator. Furthermore, $\pi(M')^k$ is still a local counterpath for $\psi_2$, since $AP(\psi_1)$ and $AP(\psi_2)$ are disjoint. The resulting conic structure with initial state $s_0$ is $M$ (see Figure 11).

We can see that $M \not\models \psi$. Indeed, there exists a multi-path $\Pi_2$ such that $\Pi_2(i)$ is an $\ell$-counterexample for $\psi_1$, for $0 \leq i \leq k-1$ (recall that each state $s_i$ is the origin of an $\ell$-counterexample for $\psi_1$), and $\Pi_2(k)$ is a local counterexample for $\psi_2$ with main path $\pi(M')^k$. Clearly, this multi-path is not linear. Moreover, no linear counterexample for $\psi$ is in $M$. Indeed, each counterexample for $\psi$ needs a counterexample for $\psi_2$. But no path starting with the initial state $s_0$ can be a local counterpath for $\psi_2$. Indeed, each path $\pi$ not reaching $s_k$ cannot be a counterpath for $\psi_2$, since the label of each state appearing in $\pi$ would contain the set $AP(\psi_2)$. On the other hand, the only path starting with $s_0$ and reaching $s_k$ is $\pi(M')$. However, as $M'$ was chosen according to Lemma 6.2, this path cannot be a counterpath for $\psi_2$. Hence, we need a counterexample whose first element is a counterexample for $\psi_1$. Clearly, we cannot find a counterexample for $\psi_1$ along the path $\pi(M')$, since each state in it contains $AP(\psi_1)$. Hence, each counterexample for $\psi$ necessarily contains branching, that is, it is not linear.

[Figure 11: Nesting into unless, the $X$ case: $\psi = A(AX(\psi_{1,1}) V \psi_2)$; the left-structures $M_0, M_1, \ldots, M_{k-1}$ for $\psi_1$ (with substructures $\Gamma^0_{\psi_1}, \Gamma^1_{\psi_1}, \ldots, \Gamma^{k-1}_{\psi_1}$) fused with $M'$ at $s_0, s_1, \ldots, s_{k-1}$, followed by $s_k$; the label additions $AP(\psi_1)$ and $AP(\psi_2)$ are as described in the text.]

This concludes the proof for the case in which $\psi_1^\star$, $\psi_2^\star$ have the form $A\chi$ or $\psi_2^\star \in PSF$. For the case of a general $\psi_1^\star$, Lemma 6.1 can be exploited: the instantiation $\psi_1$ is a monotone Boolean combination of positive disjoint instantiations $\psi_{1,1}, \ldots, \psi_{1,m}$ (each of which occurs only once) such that w.l.o.g. $\psi_{1,1}$ is of the form $A\chi$. We proceed then for $\psi_1$ as for $\psi_{1,1}$, but use the structure $M$ from Lemma 6.1 for $\varphi = \psi_1$ instead of the structure $M^+$ for $\varphi^+ = \psi_{1,1}$ (observe that $M^+$ can always be chosen such that $R(M^+)$ is total). For the general case of $\psi_2$, we proceed analogously. This proves the result.

Theorem 6.7 Let $\psi$ be any positive disjoint instantiation of a template $\psi^\star \in T^\star$. If $\psi^\star \notin LIN$, then $\psi$ is not $\ell$-linear.

Proof. We proceed by induction on the number of universal quantifiers $A$ appearing in $\psi$, which is denoted by $n_A(\psi)$.

(Basis) The case $n_A(\psi) = 0$ is trivial, since $\psi^\star$ belongs to $PSF \subseteq LIN$.

(Induction) Assume that the statement is true for every $\psi$ such that $n_A(\psi) < k$. We have to show that each positive disjoint instantiation $\psi$ of $\psi^\star \in T^\star \setminus LIN$ such that $n_A(\psi) = k$ is not $\ell$-linear, i.e., that there is a structure $M$ such that both $M \not\models \psi$ and each counterexample for $\psi$ in $M$ is not linear.

The formula $\psi$ is either of the form $A\chi$, or a Boolean combination of formulas $\psi_1, \ldots, \psi_m$. We consider the possible cases.

• $\psi = AX\varphi$, where $n_A(\varphi) = k-1$. By Definition 4.9, $\psi^\star \notin LIN$ if and only if $\varphi^\star \notin LIN$. Thus, since $n_A(\varphi) = k-1$, the induction hypothesis implies that $\varphi$ is not $\ell$-linear. Hence, there exists a structure $M'$ such that both $M' \not\models \varphi$ and no counterexample for $\varphi$ in $M'$ is linear. Without loss of generality, $M'$ is conic and has the initial state $s_0'$. Let the conic structure $M$ with initial state $s_0$ result by connecting a new state $s_0$ to $M'$ via the transition $(s_0, s_0')$. Clearly, $M \not\models \psi$. Furthermore,

each counterexample $\Pi$ for $\psi$ is such that $\Pi(1)$ is a counterexample for $\varphi$. Since $or(\Pi(1)) = s_0'$, $\Pi(1)$ cannot be linear, by hypothesis. Hence, $\Pi$ is not linear.

• $\psi = A(\psi_1 V \psi_2)$, where $n_A(\psi_1) + n_A(\psi_2) = k-1$. By the definition of LIN, the following two cases cover each $\psi$ such that $\psi^\star \notin LIN$:

1. $\psi_1^\star \notin PSF$ and $\psi_2^\star \in LIN$. This case has already been proven in Theorem 6.6.

2. $\psi_2^\star \notin LIN$. By the induction hypothesis, $\psi_2$ is not $\ell$-linear. Thus, there exists a structure $M$ such that $M \not\models \psi_2$ and no counterexample for $\psi_2$ in $M$ is linear. We modify $M$ by adding in each state the set $AP(\psi_1)$. Clearly, no local counterexamples for $\psi_1$ can be found in $M$. However, $M \not\models \psi$. Moreover, each counterexample for $\psi$ in $M$ must start with a counterexample for $\psi_2$. Hence, it is not linear.

• $\psi = A(\psi_1 U \psi_2)$, where $n_A(\psi_1) + n_A(\psi_2) = k-1$. Due to the intricate possibilities of nesting

into an until from LIN, this case requires a careful analysis of several subcases. The following cases exhaust each possibility of $\psi^\star \notin LIN$:

1. $\psi_1^\star \notin PSF$ and $\psi_2^\star \in LIN \setminus PSF$;

2. $\psi_1^\star \notin LIN$ and $\psi_2^\star \in PSF$;

3. $\psi_2^\star \notin LIN$;

4. $\psi_1^\star \in PSF$ and $\psi_2^\star \in LIN \setminus (S^1_2 \cup PSF)$.

Case 1 is already proved by Theorem 6.6, and cases 2 and 3 are simple to prove from the induction hypothesis. For the remaining case 4, we conclude from Lemma 6.1 that it is sufficient to consider the following cases for $\psi_2^\star$, where $ULIN = LIN \cap AU(T^\star, T^\star)$ is the set of all linear until templates:

4.1 $\psi_2^\star \in AX(LIN)$;
4.2 $\psi_2^\star \in AV(PSF, LIN)$;
4.3 $\psi_2^\star \in ULIN \wedge ULIN$;
4.4 $\psi_2^\star \in (PSF \wedge ULIN) \cup (ULIN \wedge PSF)$.

Indeed, $\psi_2$ is a positive disjoint instantiation of $\psi_2^\star$ that can be viewed as a monotone Boolean combination of different atoms $\varphi_1, \ldots, \varphi_n$ where each $\varphi_i$ is either a pure state formula or of the form $A\chi$. Since $\psi_2^\star \notin PSF$, for some $\varphi_i$ either (i) $\varphi_i = AX\chi_1$, (ii) $\varphi_i = A(\chi_1 V \chi_2)$, or (iii) $\varphi_i = A(\chi_1 U \chi_2)$. If in case (iii) neither $X$ nor $V$ occur in $\psi_2$, then some $\varphi_j$ where $i \neq j$ must exist such that $\varphi_j^\star \in PSF \cup ULIN$ and the common ancestor of $\varphi_i$ and $\varphi_j$ in the formula tree of $\psi_2$ is a conjunction node (i.e., $\varphi_i$ and $\varphi_j$ are subformulas of formulas $\alpha$ and $\beta$, respectively, such that $\alpha \wedge \beta$ is a subformula of $\psi_2$). Lemma 6.1 implies that it is sufficient to consider the formula $\varphi^+$ where $\varphi^+ = \varphi_i$ in cases (i), (ii) and $\varphi^+ = \varphi_i \wedge \varphi_j$ in case (iii). Indeed, no disjunction $\varphi^+ = \varphi_i \vee \varphi_j$ needs to be considered: if no $\varphi^+$ as in the cases (i)–(iii) exists, then $\varphi_j^\star \in ULIN$ must hold for at least one $\varphi_j$ where $j \neq i$. (Otherwise, all $\varphi_j$ where $j \neq i$ would be pure state formulas and connected in $\psi_2$ with disjunction. Thus, $\psi_2^\star \in S^1_2$ and $\psi^\star \in LIN$ would hold.) However, disjunction of any two templates containing subtemplates from ULIN clearly yields a template outside LIN, which

would imply $\psi_2^\star \notin LIN$. Now by Lemma 6.1, for any structure $M^+$ for $\varphi^+$ such that $R(M^+)$ is total and $AP(M^+) \cap AP(\psi_2) = AP(\varphi^+)$, we can build a structure $M$ for $\varphi = \psi_2$ such that local counterpaths for $\varphi^+$ in $M^+$ coincide with local counterpaths for $\psi_2$ in $M$. In particular, we obtain that if $M^+$ has no counterpath for $A(\psi_1 U \varphi^+)$, then $M$ has no counterpath for $A(\psi_1 U \psi_2)$.

We now describe structures for 4.1–4.4 proving the claim (see Appendix 7 for details).

4.1 $\psi_2^\star \in AX(LIN)$. Let $M'$ be a single-path structure and $k \geq 1$ for the formula $\psi_2$ as described in Lemma 6.2. Thus, $M' \models \psi_2$, and $\pi(M')^k$ is a local counterpath for $\psi_2$ (resp., $M', \pi(M')(k) \not\models \psi_2$). Let $k$ w.l.o.g. be the least such index.

[Figure 12: Nesting of PSF and $AX(T^\star)$ into until: $\psi = A(\psi_1 U AX(\psi_{2,1}))$; the $k$-structures $M_0, M_1, \ldots, M_{k-1}$ fused with $M'$ at $s_0, s_1, \ldots, s_{k-1}$, followed by $s_k$; $AP(\psi_1)$ is added to every state except $s_k$.]

Let $s_0, s_1, \ldots, s_k$ denote the first $k+1$ states in $\pi(M')$. These $s_i$ are pairwise distinct. Clearly, $s_k$ is the first state of the suffix $\pi(M')^k$. We assume w.l.o.g. $L(M')(s_k) \cap AP(\psi_1) = \emptyset$. Let $M_0$ be a $k$-structure for $\psi_2$ such that the initial state has an empty label. Lemma 6.3 implies that such an $M_0$ exists; observe that $M_0 \not\models \psi_2$. Let $M_1, \ldots, M_{k-1}$ be copies of $M_0$. For $i = 0, \ldots, k-1$ we repeatedly take the fusion of $M_i$ with the structure induced by $s_i$ in $M'$. Finally, we add to every state except $s_k$ the set $AP(\psi_1)$. The resulting structure is the desired $M$ (see Figure 12).

4.2 $\psi_2^\star \in AV(PSF, LIN)$. Thus, $\psi_2 = A(\psi_{2,1} V \psi_{2,2})$, where $\psi_{2,1}$ is a pure state formula and $\psi_{2,2}$ is $\ell$-linear by Theorem 5.1.

[Figure 13: Nesting of PSF and $AV(T^\star)$ into until: $\psi = A(\psi_1 U A(\psi_{2,1} V \psi_{2,2}))$; a new initial state $s_0$ with a self-loop and a transition to the initial state $s_0'$ of a $k$-structure for $\psi_2$, with $AP(\psi_1)$ added to every state and $AP(\psi_{2,2})$ added to $s_0$.]

Let $M$ be a $k$-structure for $\psi_2$ with initial state $s_0'$. Such a structure exists by Lemma 6.3, and w.l.o.g. $AP(M) \cap AP(\psi_1) = \emptyset$. We modify $M$ by adding a new initial state $s_0$ with empty label and the transitions $(s_0, s_0')$ and $(s_0, s_0)$. Then, we add to each state the set $AP(\psi_1)$ and to $s_0$ the set $AP(\psi_{2,2})$ (see Figure 13).

4.3 _2^⋆ ∈ ULIN ∧ ULIN. Thus, _2^⋆ = �_1 ∧ �_2, where �_1 = A(�_{1,1} U �_{1,2}) and �_2 = A(�_{2,1} U �_{2,2}); moreover, each �_{i,j}, i, j ∈ {1, 2}, is an instantiation of a template in LIN.


We construct M as follows. Let M' be a single-path structure as in Lemma 6.2 for formula �_2. Thus, M' ⊨ �_2. Furthermore, there exists a k ≥ 1 such that �(M')^k is a local counterpath for �_2 (and hence for _2). Let k w.l.o.g. be the least such index. Let s_0, s_1, …, s_k denote the first k+1 states appearing in �(M'); observe that they are pairwise distinct. Clearly, s_k is the first state of the suffix �(M')^k. Since  is a positive disjoint instantiation, we may assume that no atom from AP(_1) ∪ AP(�_1) occurs in any state of M'. Let M_0 be a right-structure for �_1; since �_1^⋆ ∈ LIN, such a structure exists by Lemma 6.4. We remark that, by definition of right-structure, M_0 ⊭ �_1. Let M_1, …, M_{k-1} be copies of M_0. For i = 0, …, k−1 we repeatedly take the fusion of M_i and the structure induced by the state s_i in M'. Next, we add in every state s_0, …, s_{k-1} the set AP(�_{1,1}). Note that after this addition, each structure M_i still satisfies M_i ⊭ �_1, for i = 1, …, k−1. Indeed, since AP(�_{1,1}) ∩ AP(�_{1,2}) = ∅ for �^i_{�_{1,2}}, still �^i_{�_{1,2}} ⊭ �_{1,2} holds.

Now we add in every state of M_i, for 0 ≤ i ≤ k−1, including the states s_0, …, s_{k-1}, the set AP(_1). Since AP(_1) ∩ AP(_2) = ∅, this has no effect on the properties of M_i from above. Moreover, we add in every state of M_i, for 0 ≤ i ≤ k−1, except the states s_0, …, s_{k-1}, the set AP(�_2). Since AP(�_1) ∩ AP(�_2) = ∅, this addition preserves the existence of counterexamples for �_1 in the M_i's. Finally, we add AP(�_1) in every state occurring in the path �(M')^k. After this addition, �(M')^k is still a local counterpath for �_2. The resulting structure is the desired M (see Figure 14).

4.4 _2^⋆ ∈ (PSF ∧ ULIN) ∪ (ULIN ∧ PSF). Thus, _2 = �_1 ∧ �_2. Assume that �_1 is a pure state formula and �_2 = A(�_{2,1} U �_{2,2}), where �_{2,1} and �_{2,2} are instantiations of templates in LIN. The other case (vice versa) is similar.

Let M' be a right-structure for �_2 = A(�_{2,1} U �_{2,2}). We modify M' by adding AP(_1) ∪ AP(�_1) to each state and by further adding AP(�_{2,1}) to s_0; after this modification M' ⊭ �_2 still holds. We now add and label two new states s_1, s_2 to obtain the desired M as shown in Figure 15.

• ^⋆ = �_1^⋆ ∧ �_2^⋆ or ^⋆ = �_1^⋆ ∨ �_2^⋆, where n_A(�_1^⋆) + n_A(�_2^⋆) = k. Thus,  can be viewed as a

monotone Boolean combination of formulas _1, …, _m. By applying Lemma 6.1, if one of the _i is not -linear, either by the induction hypothesis or by one of the already considered cases, then  is not -linear as well. To complete the proof, by the inductive definition of LIN and Lemma 6.1 it remains to consider the case  = _1 ∨ _2 where _1^⋆ = A _1^⋆ ∈ LIN and _2^⋆ = A _2^⋆ ∈ LIN.

We construct a conic structure M whose labeling depends on the outermost linear-time operators in _1^⋆ and _2^⋆. Commutativity of logical conjunction implies that six cases of conjunctions involving AX, AU, and AV remain to be considered. We do this for AU and AU; the other cases are similar (see Appendix 7).

– _1 = A(_{1,1} U _{1,2}), _2 = A(_{2,1} U _{2,2}). Let M be as in Figure 16, with initial state s_0. It is easy to see that M ⊭ . Indeed, from s_0 start both a counterpath for A(_{1,1} U _{1,2}) and a counterpath for A(_{2,1} U _{2,2}). The path �_1 = [s_0, s_1, s_1, …] is a counterpath for A(_{2,1} U _{2,2}), since the formula _{2,2} is always false along it. Similarly, the path �_2 = [s_0, s_2, s_2, …] is a counterpath for A(_{1,1} U _{1,2}), since the formula _{1,2} is always false along it. On the other hand, �_1 cannot be a counterpath for A(_{1,1} U _{1,2}), since therein _{1,1} is always true and _{1,2} is not always false. By symmetry, �_2 cannot be a counterpath for A(_{2,1} U _{2,2}). Hence, each counterexample for  in M is not linear.

Figure 14: Right-nesting of ULIN ∧ ULIN into until: = A(_1 U (�_1 ∧ �_2)), where �_1 = A(�_{1,1} U �_{1,2}) and �_2 = A(�_{2,1} U �_{2,2}).

The main result of this paper on templates, Theorem 4.3, follows from Theorems 5.1 and 6.7.

7 Discussion and Conclusion

For the class of ACTL formulas  which are positive disjoint instantiations, the results in the preceding sections give a complete characterization of the -linear fragment. This class is given by those formulas  such that ^⋆ ∈ LIN. Observe that this class is efficiently recognizable.

This result can be extended by the same proof technique to more general classes of formulas , as long as certain independence properties hold on the pure state formulas. Introduce for each occurrence of a maximal pure state formula � in  a new propositional atom p_�, and consider the formula F() = ⋀_{� ∈ MP()} (p_� ↔ �), where MP() is a list of all occurrences of maximal pure state formulas in . Call  pure state independent, if for every truth value assignment to the atomic propositions p_�, the formula F() is satisfiable.


Figure 15: Right-nesting of PSF ∧ ULIN into until: = A(_1 U (�_1 ∧ �_2)), �_2 = A(�_{2,1} U �_{2,2}).

Figure 16: Disjunction of _1 = A(_{1,1} U _{1,2}) and _2 = A(_{2,1} U _{2,2}).

Observe that every positive disjoint instantiation is pure state independent.

Then, along the same line of proof as above we can show the following.

Theorem 7.1 Let  be any pure state independent formula. Then,  is -linear if and only if ^⋆ ∈ LIN.

However, testing pure state independence is complex in general; this amounts to evaluating the quantified Boolean formula (QBF) � = ∀P_� ∃AP. F(), where P_� is the collection of all atomic propositions p_� introduced for occurrences of maximal pure state formulas, and AP is the collection of all atomic propositions in . This problem is complete for the class Π^p_2 of the polynomial hierarchy (cf. [8] for Π^p_2). Indeed, the evaluation of QBFs ∀X∃Y.  is in Π^p_2 [8], and the QBF � is constructible in polynomial time from . On the other hand, consider a QBF ∀X∃Y. , where  is of the form y_1 ∧ ' with y_1 ∈ Y. Then, the ACTL formula  = (AX x_1) ∧ ⋯ ∧ (AX x_n) ∧ (AX ), where X = {x_1, …, x_n}, is pure state independent just if ∀X∃Y.  is true. Since deciding the latter is Π^p_2-hard, deciding pure state independence is Π^p_2-hard as well.

Our results can be adapted for the concept of witness [6] in the existential fragment of CTL (denote this by ECTL), i.e., a portion of a computation tree which witnesses the truth of a formula E�. Since on any structure M it holds that M ⊨ E� if and only if M ⊭ A¬�, the existence of linear witnesses (formally defined in the same vein as counterexamples) is related to the existence of linear counterexamples. As is well known [5], the equivalences ¬A(� V ) = E(¬� U ¬) and ¬A(� U ) = E(¬� V ¬) hold. It follows that a formula  in the existential CTL fragment always has a linear witness (call this w-linear) if and only if the formula obtained by dualization of  and negating all elementary atomic propositions is -linear. As a consequence, all instantiations of an ECTL-template ^⋆ (defined as obvious) have linear witnesses (call this w-linear) just if the dual template d(^⋆) is -linear. As a consequence, we obtain the following characterization of the class of w-linear ECTL-templates.


Theorem 7.2 Let ^⋆ be an ECTL-template. Then, ^⋆ is w-linear if and only if d(^⋆) ∈ LIN.

In this paper, we have considered Kripke structures M in which the transition relation R(M) is arbitrary. As already pointed out, many authors (e.g. [7, 10]) require that R(M) is total. It appears that our main results (precisely, Theorems 4.1–4.3, 5.2, 5.3) and in particular Theorem 6.7 remain valid under restriction to the class of structures that have total transition relations. The structure M in the proof of Theorem 4.1 has total R(M) by construction, and totality of R(M) can be assumed to hold for M in the proof of Theorem 4.2 without loss of generality, since a graph having a node with no outgoing edges trivially has no Hamiltonian cycle. Furthermore, all structures in the proof of Theorem 6.7 that we have constructed for proving that certain formulas are not -linear have total R(M) if their constituents have.

Several issues remain for further work. One issue is the consideration of linear time operators which are derived from the basic operators X, V, U. The most important such operators are F (sometimes) and G (globally, always), defined as F� = true U � and G� = false V �. It is easily recognized from the definition of LIN and our results that these operators correspond to -linear templates. However, the use of these templates in nesting, as well as the use of true and false in general, appears to be nontrivial. The characterization of the class of -linear templates of ACTL enriched by derived linear time operators and/or the constants true and false is an interesting issue which remains to be explored.

Finally, an extension of our study by fairness constraints [4] would be interesting. In the general framework, path quantifiers do not range over all infinite paths, but instead over paths along which the fairness constraints, expressed by formulas, must be satisfied infinitely often. E.g., fair schedules in a system of concurrent infinite processes, represented through a Kripke structure, can be expressed easily through fairness constraints. Our results do not immediately carry over to this case. Techniques applied in [6, 9] might be useful.

Proofs

Lemma 6.2 For every positive disjoint instantiation  of a template ^⋆ ∈ LIN, there exists a single-path structure M and a k ≥ 1 such that M ⊨  and �(M)^k is a local counterpath for  (resp., �(M)(k) ⊭  if ^⋆ ∈ PSF).

Proof. We prove the statement by induction on the stage i ≥ 0 of �_i = (S_1^i, S_2^i) in which ^⋆ first occurs.

(Basis) The case i = 0 is trivial.

(Induction) Assume that the statement holds for i and consider the possible cases for ^⋆ ∈ S_1^{i+1} ∪ S_2^{i+1}, where i+1 > 0. By the induction hypothesis, it remains to consider ^⋆ ∉ S_1^i ∪ S_2^i.

• ^⋆ ∈ PSF. (In this case, i = 1.) Let M have the states s_0 and s_1, where s_0 is the unique initial state, and the transitions (s_0, s_1), (s_1, s_1). Let L(M)(s_0) = AP() and L(M)(s_1) = ∅. Clearly, M is a single-path structure such that M ⊨ , and M, �(M)^1(0) ⊭ . Thus the statement holds.

• ^⋆ ∈ AX(S_1^i). Thus,  = AX(_1). By the induction hypothesis, a single-path structure M with initial state s_0 and a k ≥ 1 exist for _1 which satisfy the statement of the lemma. Let k^⋆ be the least such k. If k^⋆ > 1 we are done, since M is a single-path structure where  also satisfies the statement of the lemma. Otherwise (i.e., if k^⋆ = 1), we can modify M by adding a new state s_0' which reaches s_0 and has an arbitrary label. Denote by M' the resulting single-path structure with initial state s_0'. Since �(M')^1 = �(M), it holds that M' ⊨ . Furthermore, �(M')^1 is a local counterpath for , since �(M')^2 = �(M)^1. Hence the statement holds.


• ^⋆ ∈ AV(PSF, S_1^i). Let  = A(_1 V _2). By the induction hypothesis, for _2 there exist a single-path structure M and an index k ≥ 1 such that the property of the lemma holds. We modify M by adding AP(_1) to every state label in M. It is easy to see that the resulting structure M' satisfies M' ⊨ , because _1 is globally true along �(M'). Furthermore, �(M')^k is still a local counterpath for _2 (resp., �(M')(k) ⊭ _2), since  is a disjoint positive instantiation. Hence, the statement holds.

• ^⋆ ∈ AU(S_1^i, PSF). Thus,  = A(_1 U _2). Consider the single-path structure M with states s_0 and s_1, where s_0 is the initial state, transitions (s_0, s_1), (s_1, s_1) and labeling L(M)(s_0) = AP(_2) and L(M)(s_1) = ∅. This M and k = 1 prove the statement for . Indeed, M ⊨  since _2 is true in s_0. Further, �(M)^1 is a local counterpath for , since _2 is globally false along it.

• ^⋆ ∈ AU(PSF, S_2^i). Thus,  = A(_1 U _2). By the induction hypothesis, for _2 there exist a single-path structure M and an index k ≥ 1 as in the lemma. Without loss of generality, no atomic proposition from AP(_1) occurs in any state label of M. Since  is a positive disjoint instantiation, it is easy to see that M and k witness the statement also for . Indeed, M ⊨  since _2 is true in the initial state of M. Furthermore, �(M)^k is a local counterpath for , since it is a local counterpath for _2 (resp., _2 is false in �(M)(k)) and _1 is globally false along it.

• ^⋆ ∈ S_1^i ∨ PSF ∪ PSF ∨ S_1^i. Thus,  = _1 ∨ _2. Assume that _1^⋆ ∉ PSF; the case _2^⋆ ∉ PSF is similar. By the induction hypothesis, for _1 there exist a single-path structure M and an index k ≥ 1 as stated in the lemma. Without loss of generality, no atomic proposition from AP(_2) occurs in any state label of M. Since  is a positive disjoint instantiation, it is easy to see that M and k witness the statement also for . Indeed, M ⊨  since M ⊨ _1. Further, �(M)^k is a local counterpath for , since it is a local counterpath for _1 (resp., _1 is false in �(M)(k)) and _2 is globally false along it. Thus, the statement holds.

• ^⋆ ∈ S_1^i ∧ S_1^i. Thus,  = _1 ∧ _2, and w.l.o.g. _1^⋆ ∉ PSF. By the induction hypothesis, for _1 there exist a single-path structure M and an index k ≥ 1 as stated in the lemma. We modify M by adding to every state label the set of atomic propositions appearing in _2. It is easy to see that the resulting structure M' and k witness the statement also for . Clearly, M' ⊨  since M' ⊨ _1 and M' ⊨ _2, as _2 is globally true in M'. Furthermore, �(M')^k is a local counterpath for  since it is a local counterpath for _1. Thus, the statement holds. This concludes the proof.
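As an added illustration, not part of the paper, the following Python checker for single-path structures builds the two-state structures from the PSF and AU(S,PSF) cases of Lemma 6.2 and applies the label extension of the AV(PSF,S) case, then verifies the lemma's guarantee that the structure satisfies the formula while its suffix from state k falsifies it. The tuple encoding of formulas, the lasso representation of a single path and the sample atoms p, q, r are assumptions of this example; pure state formulas are taken negation-free, as in positive instantiations.

```python
# Added example (not from the paper): a checker for single-path Kripke structures
# that reproduces the two-state constructions of Lemma 6.2. Formula encoding,
# lasso representation and the atoms p, q, r are assumptions of this example.

def atoms(f):
    """AP(f): the set of atomic propositions occurring in formula f."""
    if f[0] == 'ap':
        return {f[1]}
    return set().union(*(atoms(sub) for sub in f[1:]))


class SinglePath:
    """A single-path structure: states 0..n-1 on one lasso-shaped path; state i
    moves to i+1 and the last state moves back to state `loop`, so the suffix
    from state i is the unique path starting there.  Formulas are tuples:
    ('ap', name), ('and', f, g), ('or', f, g) for negation-free pure state
    formulas, and ('X', f), ('U', f, g) (until), ('V', f, g) (unless, the dual
    of until) for linear-time formulas; A is vacuous on a single path."""

    def __init__(self, labels, loop):
        self.labels = [frozenset(l) for l in labels]
        self.loop = loop
        self.n = len(labels)

    def succ(self, i):
        return i + 1 if i + 1 < self.n else self.loop

    def holds(self, f, i=0):
        """Truth of f on the unique path starting at state i."""
        op = f[0]
        if op == 'ap':
            return f[1] in self.labels[i]
        if op == 'and':
            return self.holds(f[1], i) and self.holds(f[2], i)
        if op == 'or':
            return self.holds(f[1], i) or self.holds(f[2], i)
        if op == 'X':
            return self.holds(f[1], self.succ(i))
        # U and V: walk the path until a state index repeats.  The suffix from a
        # state index is unique, so every position of the path has been inspected.
        seen, j = set(), i
        while j not in seen:
            seen.add(j)
            if op == 'U':
                if self.holds(f[2], j):
                    return True
                if not self.holds(f[1], j):
                    return False
            else:  # 'V': f[2] holds up to and including the first state where f[1] holds
                if not self.holds(f[2], j):
                    return False
                if self.holds(f[1], j):
                    return True
            j = self.succ(j)
        return op == 'V'  # U: f[2] never became true; V: f[2] held on the whole cycle

    def with_atoms(self, extra):
        """Copy of the structure with `extra` added to every state label."""
        return SinglePath([l | set(extra) for l in self.labels], self.loop)


def psf_structure(psi):
    """Lemma 6.2, case psi* in PSF: s0 labelled AP(psi), s1 labelled {},
    transitions (s0,s1), (s1,s1); the index k is 1."""
    return SinglePath([atoms(psi), set()], loop=1), 1


def until_psf_structure(psi1, psi2):
    """Lemma 6.2, case AU(S,PSF) for A(psi1 U psi2): s0 labelled AP(psi2),
    s1 labelled {}, transitions (s0,s1), (s1,s1); k = 1.  The structure does
    not depend on psi1, which only has to be atom-disjoint from psi2."""
    return SinglePath([atoms(psi2), set()], loop=1), 1


def unless_psf_structure(psi1, structure_for_psi2):
    """Lemma 6.2, case AV(PSF,S) for A(psi1 V psi2): take the structure and k
    obtained for psi2 and add AP(psi1) to every state label."""
    m, k = structure_for_psi2
    return m.with_atoms(atoms(psi1)), k


def is_witness(m, k, psi):
    """The lemma's guarantee: M satisfies psi, and the suffix from state k
    falsifies psi, i.e. it is a local counterpath for psi."""
    return m.holds(psi, 0) and not m.holds(psi, k)


if __name__ == "__main__":
    p, q, r = ('ap', 'p'), ('ap', 'q'), ('ap', 'r')       # constructed sample atoms
    m, k = psf_structure(('and', p, q))
    print("PSF case:", is_witness(m, k, ('and', p, q)))                   # True
    m, k = until_psf_structure(r, ('or', p, q))
    print("AU(S,PSF) case:", is_witness(m, k, ('U', r, ('or', p, q))))    # True
    m, k = unless_psf_structure(r, until_psf_structure(p, q))
    print("AV(PSF,S) case:", is_witness(m, k, ('V', r, ('U', p, q))))     # True
```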

Lemma 6.3 Each positive disjoint instantiation  of any template ^⋆ ∈ LIN has some single-path k-structure M.

Proof. By induction on the stage i ≥ 0 of �_i = (S_1^i, S_2^i) in which ^⋆ first occurs.

(Basis) The case i = 0 is trivial.

(Induction) Assume that the statement holds for i, and consider the possible cases for ^⋆ ∈ S_1^{i+1} ∪ S_2^{i+1}, where i+1 > 0. By the induction hypothesis, it remains to consider ^⋆ ∉ S_1^i ∪ S_2^i.

• ^⋆ ∈ PSF. (In this case, i = 1.) Let M have the states s_0 and s_1, where s_0 is the unique initial state, and the transitions (s_0, s_1), (s_1, s_1). Let L(M)(s_0) = ∅ and L(M)(s_1) = AP(). Clearly, M is a single-path structure such that M ⊭ , and M, �(M)^1(0) ⊨ . Thus the statement holds.


• ^⋆ ∈ AX(S_1^i). Let  = AX(_1). By the induction hypothesis, there exist a single-path structure M and an index k ≥ 1 such that M ⊭ _1 and M, �(M)^i(0) ⊨ _1 for all i ≥ k. Let s_0 be the initial state of M. We modify M by changing the initial state to a new state s with arbitrary label and adding the transition (s, s_0). Clearly, the resulting structure M' is single-path and M' ⊭ . From the induction hypothesis, it follows that for each i ≥ k+1, M', �(M')^i(0) ⊨ _1. Hence, the statement holds.

• ^⋆ ∈ AV(PSF, S_1^i). Let  = A(_1 V _2). Let s_0 be the initial state of a single-path structure M for _2 and k ≥ 1 as stated in the lemma, which exist by the induction hypothesis. Since M ⊭ _2, it follows M ⊭ . Furthermore, M, �(�)^i(0) ⊨ _2 implies M, �(�)^i(0) ⊨ , for each i ≥ k. Thus the statement holds.

• ^⋆ ∈ AU(S_1^i, PSF). Let  = A(_1 U _2). Let for _1 be M and k ≥ 1 as stated in the lemma, which exist by the induction hypothesis. Without loss of generality, M includes AP(_2) in each state label L(s) except for the initial state s_0, which contains no atomic proposition from AP(_2). Then, M, s_0 ⊭ _2, and since M ⊭ _1, it follows M ⊭ . Furthermore, M, �(M)^i(0) ⊨  for all i ≥ k, since _2 is true in �(M)^i(0). Thus, the statement holds.

• ^⋆ ∈ AU(PSF, S_2^i). Let  = A(_1 U _2). Let for _2 be M and k ≥ 1 as stated in the lemma, whose existence follows from the induction hypothesis. Without loss of generality, we assume that the initial state s_0 of M contains no atomic proposition from AP(_1). Since M ⊨ _2, it follows M ⊭ . Furthermore, since M, �(M)^i(0) ⊨ _2 it follows that M, �(M)^i(0) ⊨ , for all i ≥ k. Thus the statement holds.

• ^⋆ ∈ S_1^i ∨ PSF ∪ PSF ∨ S_1^i. Let  = _1 ∨ _2. Assume _1^⋆ ∉ PSF; the case _2^⋆ ∉ PSF is similar. Let for _1 be M and k ≥ 1 as stated in the lemma, which exist by the induction hypothesis. Assume without loss of generality that no atomic proposition from AP(_2) occurs in any label of M. Then, it is easy to see that M and k witness the statement for .

• ^⋆ ∈ S_1^i ∧ S_1^i. Let  = _1 ∧ _2. Let for _1 be M and k ≥ 1 as stated in the lemma, which exist by the induction hypothesis. Assume without loss of generality that _1^⋆ ∉ PSF, and that each label of M includes AP(_2). Since _2 is globally true in M, it is easy to see that M and k witness the statement also for . This concludes the proof.

Theorem 6.6 Let  be a positive disjoint instantiation of a template ^⋆ ∈ T^⋆ such that either

1.  = A(_1 U _2), where _1^⋆ ∉ PSF and _2^⋆ ∈ LIN ∖ PSF, or

2.  = A(_1 V _2), where _1^⋆ ∉ PSF and _2^⋆ ∈ LIN.

Then, is not -linear.

Proof. (1) The following six cases remain.

• _1 = AX(_{1,1}) and _2 = A(_{2,1} V _{2,2}). We modify M in the following way. We add to every state s of M_1 except s_0 the set AP(_2). Similarly, we add to every state of M_2 except s_0 the set AP(_1). Finally, we add in every other state of �_{_{2,1}} in M_2 (see definition of right-structure), including s_0, the set AP(_{2,2}) (see Figure 17).

Figure 17: The X-V case: A(_1 U _2), where _1 = AX(_{1,1}) and _2 = A(_{2,1} V _{2,2}).

It is easy to see that after these additions, M_1 ⊭ _1 and M_2 ⊭ _2 still hold. Thus, M ⊭ . Moreover, no counterexample for _1 is in M_2. Indeed, for every multi-path � in M_2, �(1) cannot be a counterexample for _{1,1}, since each state of M_2 except s_0 contains the set AP(_{1,1}). Finally, no counterexample for _2 is in M_1. Indeed, a counterexample for _2 must contain a counterexample for _{2,2}. However, this is impossible, since _{2,2} is globally true in M_1. Hence, a counterexample for  involving counterexamples for both _1 and _2 cannot be linear. By Definition 3.5 a counterexample for  must involve counterexamples for _2. Now we show that every counterexample for  involving only counterexamples for _2 is not linear. Clearly, this concludes the proof. Towards a contradiction, suppose � is a linear counterexample involving only counterexamples for _2. By Definition 3.5, � is such that �(i) is a counterexample for _2, for each i ≥ 0. But such a counterexample cannot be linear. Indeed, � cannot lead into �_{_2}, since it is a k-structure of _2. On the other hand, it cannot lead into M_1 or �_{_{2,1}}, since a counterexample for _2 must contain a counterexample for _{2,2}, and _{2,2} is globally true in �_{_{2,1}}. Hence, every counterexample for  in M is not linear.

• _1 = AX(_{1,1}) and _2 = A(_{2,1} U _{2,2}). We modify M as follows. We add to every state of M_1 except s_0 the set AP(_2), and to every state of M_2 except s_0 the set AP(_1). Finally, we add in every state of �_{_{2,2}} in M_2, including s_0, the set AP(_{2,1}) (see Figure 18).

It is easy to see that after these additions M_1 ⊭ _1 and M_2 ⊭ _2 still hold. Thus, M ⊭ . Moreover, no counterexample for _1 is in M_2. Indeed, for every multi-path � in M_2, �(1) cannot be a counterexample for _{1,1}, since each state of M_2 except s_0 contains the set AP(_{1,1}). Finally, no counterexample for _2 is in M_1. Indeed, since each state of M_1 contains AP(_{2,1}), a counterexample for _2 in M_1 could only be a multi-path � such that �(i) is a counterexample for _{2,2}, for each i ≥ 0. But this is impossible, since for every multi-path � in M_1, each state appearing in �(i), for i ≥ 1, contains AP(_{2,2}). Hence, a counterexample for  involving counterexamples for both _1 and _2 cannot be linear. Definition 3.5 requires that a counterexample for  must involve a counterexample for _2. Now we show that every counterexample for  involving only counterexamples for _2 is not linear. This, clearly, concludes the proof. Towards a contradiction, suppose � is a linear counterexample for  such that �(i) is a counterexample for _2, for every i ≥ 0. But such a counterexample cannot be linear. Indeed, it can neither lead into M_1 nor into �_{_2}, since this is a k-structure of _2. Furthermore, it cannot lead into �_{_{2,2}}. Indeed, a counterexample for _2 cannot involve a counterexample for _{2,1}, as �_{_{2,2}} contains in each state the set AP(_{2,1}). Thus, such a counterexample could only be a multi-path � such that �(i) is a (linear) counterexample for _{2,2}, for each i ≥ 0. But this is not possible, since �_{_{2,2}} is a k-structure of _{2,2}. Hence, no counterexample for  in M is linear.

Figure 18: The X-U case: A(_1 U _2), where _1 = AX(_{1,1}) and _2 = A(_{2,1} U _{2,2}).

• _1 = A(_{1,1} V _{1,2}) and _2 = AX(_{2,1}). We modify M as follows. We add to every state of M_1 except s_0 the set AP(_2) and to every state of M_2 except s_0 the set AP(_1). Moreover, we add to s_0 the set AP(_{1,2}). Finally, we add in every other state of �_{_{1,1}} in M_1 (see definition of left-structure) the set AP(_{1,2}) (see Figure 19).

Figure 19: The V-X case: A(_1 U _2), where _1 = A(_{1,1} V _{1,2}) and _2 = AX(_{2,1}).

After these additions, M_1 ⊭ _1 and M_2 ⊭ _2 still hold. Thus, M ⊭ . Moreover, no counterexample for _2 is in M_1. Indeed, for every multi-path � in M_1, �(1) cannot be a counterexample for _{2,1}, since each state of M_1 except s_0 contains the set AP(_{2,1}). Finally, no counterexample for _1 is in M_2. Indeed, a counterexample for _1 must contain a counterexample for _{1,2}, but this is impossible, since each state in M_2 contains AP(_{1,2}). Hence, a counterexample for  involving counterexamples for both _1 and _2 cannot be linear. By Definition 3.5, a counterexample for  must involve counterexamples for _2. Now we show that every counterexample for  involving only counterexamples for _2 is not linear. This, clearly, concludes the proof. Towards a contradiction, suppose � is a linear counterexample involving only counterexamples for _2. Definition 3.5 implies that �(i) is a counterexample for _2, for each i ≥ 0. But such a counterexample cannot be linear. Indeed, � cannot lead into M_1 and not into M_2, since �_{_{2,1}} is a k-structure of _{2,1}. This proves the statement.

• _1 = A(_{1,1} V _{1,2}) and _2 = A(_{2,1} V _{2,2}). We modify M as follows. We add to every state of M_1 except s_0 the set AP(_2). Then, we add to every state of M_2 except s_0 the set AP(_1). Moreover, we add to s_0 the set AP(_{1,2}). Finally, we add in every state of �_{_{2,1}} in M_2, including s_0, the set AP(_{2,2}) (see Figure 20).

Figure 20: The V-V case: A(_1 U _2), where _1 = A(_{1,1} V _{1,2}) and _2 = A(_{2,1} V _{2,2}).

It is easy to see that, also after these additions, M_1 ⊭ _1 and M_2 ⊭ _2. Thus, M ⊭ . Moreover, no counterexample for _1 is in M_2. Indeed, _{1,2} is globally true in M_2. Similarly, no counterexample for _2 is in M_1. Hence, a counterexample for  involving counterexamples for both _1 and _2 cannot be linear.

By Definition 3.5, a counterexample for  must involve a counterexample for _2. Now we show that every counterexample for  involving only counterexamples for _2 is not linear. This, clearly, concludes the proof. Towards a contradiction, suppose � is a linear counterexample for _2 such that �(i) is a counterexample for _2, for each i ≥ 0. But such a counterexample cannot be linear. Indeed, � cannot lead into M_1, and it cannot lead into �_{_2} since it is a k-structure of _2. On the other hand, it cannot lead into �_{_{2,1}}, since a counterexample for _2 must contain a counterexample for _{2,2} and _{2,2} is globally true in �_{_{2,1}}. Hence, every counterexample for  in M is not linear.


• _1 = A(_{1,1} U _{1,2}) and _2 = AX(_{2,1}). We modify M in the following way. We add to every state of M_1 except s_0 the set AP(_2) and to every state of M_2 except s_0 the set AP(_1). Finally, we add in every state of �_{_{1,2}} in M_1 the set AP(_{1,1}) (see Figure 21).

Figure 21: The U-X case: A(_1 U _2), where _1 = A(_{1,1} U _{1,2}) and _2 = AX(_{2,1}).

It is easy to see that, also after these additions, M_1 ⊭ _1 and M_2 ⊭ _2. Thus, M ⊭ . Moreover, no counterexample for _2 is in M_1. Indeed, for every multi-path � in M_1, �(1) cannot be a counterexample for _{2,1}, since each state of M_1 except s_0 contains the set AP(_{2,1}). Finally, no counterexample for _1 is in M_2. Indeed, since each state of M_2 contains the set AP(_{1,1}), a counterexample for _1 in M_2 could only be a multi-path � such that each element �(i) is a counterexample for _{1,2}, for each i ≥ 0. But this is impossible, since for every multi-path � in M_2, each state appearing in �(i) contains the set AP(_{1,2}), for each i ≥ 1. Hence, a counterexample for  involving counterexamples for both _1 and _2 cannot be linear. By Definition 3.5 a counterexample for  must involve a counterexample for _2. Now we show that every counterexample for  involving only counterexamples for _2 is not linear. This, clearly, concludes the proof. Towards a contradiction, suppose � is a linear counterexample such that �(i) is a counterexample for _2, for each i ≥ 0. But such a counterexample cannot be linear. Indeed, � cannot lead into M_1, since _2 is globally true in M_1, and it cannot lead into M_2, since �_{_{2,1}} is a k-structure of _{2,1}. Thus, the statement is proven.

• _1 = A(_{1,1} U _{1,2}) and _2 = A(_{2,1} V _{2,2}). We modify M in the following way. We add to every state of M_1 except s_0 the set AP(_2). Then, we add to every state of M_2 except s_0 the set AP(_1). Moreover, we add to s_0 the set AP(_{1,1}) ∪ AP(_{2,2}). Finally, we add to every other state of �_{_{2,1}} in M_2 the set AP(_{2,2}) (see Figure 22).

It is easy to see that after these additions, M_1 ⊭ _1 and M_2 ⊭ _2 hold. Thus, M ⊭ . Moreover, no counterexample for _1 is in M_2. Indeed, _{1,1} is globally true in M_2 and for every multi-path � in M_2, �(i), for i ≥ 1, cannot be a counterexample for _{1,2}, since each state of M_2 except s_0 contains the set AP(_{1,2}). Finally, no counterexample for _2 is in M_1. Indeed, _{2,2} is globally true in M_1. Hence, a counterexample for  involving counterexamples for both _1 and _2 cannot be linear. By Definition 3.5, a counterexample for  must involve a counterexample for _2. Now we show that every counterexample for  involving only counterexamples for _2 is not linear. This, clearly, concludes the proof. Towards a contradiction, suppose � is a linear counterexample for  such that �(i) is a counterexample for _2, for each i ≥ 0. Such a counterexample cannot be linear. Indeed, � can neither lead into M_1 (cf. above) nor into �_{_{2,1}}, since a counterexample for _2 must contain a counterexample for _{2,2}, which is globally true in �_{_{2,1}}. Furthermore, � cannot lead into �_{_2}, since it is a k-structure of _2. Hence, no counterexample for  in M is linear.

Figure 22: The U-V case: A(_1 U _2), where _1 = A(_{1,1} U _{1,2}) and _2 = A(_{2,1} V _{2,2}).

• _1 = A(_{1,1} U _{1,2}) and _2 = A(_{2,1} U _{2,2}). We modify M in the following way. We add to every state of M_1 except s_0 the set AP(_2) and to every state of M_2 except s_0 the set AP(_1). Moreover, we add in s_0 the set AP(_{1,1}) ∪ AP(_{2,1}). Finally, we add in every other state of �_{_{2,2}} in M_2 (see definition of right-structure) the set AP(_{2,1}) (see Figure 23).

Figure 23: The U-U case: A(_1 U _2), where _1 = A(_{1,1} U _{1,2}) and _2 = A(_{2,1} U _{2,2}).


It is easy to see that after these additions, M_1 ⊭ _1 and M_2 ⊭ _2 hold. Thus, M ⊭ . Moreover, no counterexample for _1 is in M_2. Indeed, _{1,1} is globally true in M_2 and for every multi-path � in M_2, �(i), for i ≥ 1, cannot be a counterexample for _{1,2}, since each state of M_2 except s_0 contains the set AP(_{1,2}). Similarly, no counterexample for _2 is in M_1. Hence, a counterexample for  involving counterexamples for both _1 and _2 cannot be linear. By Definition 3.5, a counterexample for  must involve a counterexample for _2. Now we show that every counterexample for  involving only counterexamples for _2 is not linear. This, clearly, concludes the proof. Towards a contradiction, let � be a linear counterexample for  such that �(i) is a counterexample for _2, for each i ≥ 0. But such a counterexample cannot be linear. Indeed, � cannot lead into M_1, and furthermore, it cannot lead into �_{_2}, since this is a k-structure of _2. Finally, it also cannot lead into �_{_{2,2}}. Indeed, a counterexample for _2 cannot involve a counterexample for _{2,1}, as �_{_{2,2}} contains in each state the set AP(_{2,1}). Thus, such a counterexample could only be a multi-path � such that �(i) is a (linear) counterexample for _{2,2}, for each i ≥ 0. But this is not possible, since �_{_{2,2}} is a k-structure of _{2,2}. Hence, every counterexample for  in M is not linear.

(2) The following two cases remain.

• _1^⋆ = A(_{1,1}^⋆ V _{1,2}^⋆). Then,  = A(A(_{1,1} V _{1,2}) V _2). To construct M, we modify the above structure M as follows. We add in each state not appearing in �(M')^k the set AP(_2). Note that this addition does not affect the existence of counterexamples for _1 starting with s_0, s_1, …, s_{k-1}, since AP(_1) and AP(_2) are disjoint. Finally, we add the set AP(_{1,2}) in every state appearing in �(M'). This addition preserves the existence of counterexamples for _{1,1} (hence, for _1) starting with s_0, s_1, …, s_{k-1}. Furthermore, �(M')^k is still a local counterpath for _2, since AP(_2) and AP(_{1,2}) are disjoint. The resulting conic structure with initial state s_0 is M (see Figure 24).

It holds that M ⊭ . Indeed, there exists a multi-path �_2 such that �_2(i) is an ℓ-counterexample for _1, for 0 ≤ i ≤ k−1 (recall that each state s_i is the origin of an ℓ-counterexample for _1), and �_2(k) is a local counterexample for _2 with main path �(M')^k. Clearly, this multi-path is not linear. Moreover, no linear counterexample for  in M exists. Indeed, each counterexample for  needs a counterexample for _2. It holds that every path starting at s_0 cannot be a counterpath for _2. Indeed, each path � not reaching the state s_k cannot be a counterpath for _2, since the label of each state appearing in � would contain the set AP(_2). On the other hand, the only path starting at s_0 and reaching s_k is �(M'). As M' was chosen according to Lemma 6.2, this path cannot be a counterpath for _2 by construction. Hence, we need a counterexample such that the first element is a counterexample for _1. Clearly, we cannot find a counterexample for _1 along the path �(M'), since each state in it contains AP(_{1,2}) (and a counterexample for _1 necessarily contains a counterexample for _{1,2}). Hence, each counterexample for  necessarily contains branching, that is, it is not linear.

• _1 = A(_{1,1} U _{1,2}), i.e.,  = A(A(_{1,1} U _{1,2}) V _2). We modify the structure M from above as follows. We add to each state not appearing in �(M')^k the set AP(_2). Note that this addition does not affect the existence of local counterexamples for _1 starting at s_0, s_1, …, s_{k-1}, since AP(_1) and AP(_2) are disjoint. Furthermore, add the set AP(_{1,1}) in every state appearing in �(M'). This addition preserves the existence of counterexamples for _{1,2} (hence for _1) starting at s_0, s_1, …, s_{k-1}. Finally, we add in every state appearing in �(M)^k the set AP(_{1,2}). Clearly, after

this addition �(M')^k is still a local counterpath for _2, since AP(_1) and AP(_2) are disjoint. The resulting conic structure with initial state s_0 is M (see Figure 25).

Figure 24: Nesting into unless, the V case: = A(A(_{1,1} V _{1,2}) V _2).

We can see that M ⊭ . Indeed, there exists a multi-path �_2 such that �_2(i) is an ℓ-counterexample for _1, for 0 ≤ i ≤ k−1, and �_2(k) is a counterexample for _2 with main path �(M')^k. Clearly, this multi-path is not linear. Moreover, no linear counterexample for  exists in M. Indeed, each counterexample for  needs a counterexample for _2. Every path � starting at the initial state s_0 cannot be a counterpath for _2. Indeed, if � does not reach the state s_k, it cannot be a counterpath for _2, since the label of each state appearing in � would contain the set AP(_2). On the other hand, the only path starting at s_0 and reaching s_k is �(M')^k. Since M' was chosen according to Lemma 6.2, it is not a counterpath for _2. Hence, we need a counterexample whose first element is a counterexample for _1. Clearly, we cannot find a counterexample for _{1,1} along the path �(M'), since each state in it contains the set AP(_{1,1}). Hence, a counterexample for _1 could only be a multi-path � such that �(i) is a counterexample for _{1,2}, for each i ≥ 0. But such a counterexample cannot be found along the path �(M'). Indeed, along its suffix �(M')^k the formula _{1,2} is always true.

Hence, each counterexample for  necessarily contains branching, that is, it is not linear.

Theorem 6.7 Let   be any positive disjoint instantiation of a template  ⋆ ∈ T⋆. If  ⋆ ∉ LIN, then   is not  -linear.

Figure 25: Nesting into unless, the U case:   = A(A( 1,1 U  1,2) V  2). (Figure not reproduced; it shows the conic structure with states s_0, s_1, …, s_{k−1}, s_k, the left-structure M_0 for  1, the substructures M_1, …, M_{k−1}, M′, and the added labels AP( 1), AP( 1,1) and AP( 2).)

Proof. (continued)

•   = A( 1 U  2), where nA( 1) + nA( 2) = k − 1.

2.  ⋆1 ∉ LIN and  ⋆2 ∈ PSF. Since  ⋆1 ∉ LIN, by the induction hypothesis a structure M exists such that M ⊭  1 and no counterexample for  1 in M is linear. Without loss of generality, M is conic with initial state s_0 and AP( 2) ∩ AP(M) = ∅. Clearly, M ⊭  , since M ⊭  2. Now modify M by adding to each state except s_0 the set AP( 2). Since AP( 1) ∩ AP( 2) = ∅, still M ⊭  1 holds. Moreover, since L(M)(s_0) ∩ AP( 2) = ∅, also M ⊭  2 holds. Thus, M ⊭  . It holds that each counterexample for   in M must contain a counterexample for  1, and thus it is not linear. Indeed, in any alternative counterexample Π for   the element Π(i) would be a local counterexample for  2, for every i ≥ 0. Since all states of M except s_0 contain AP( 2), this is impossible.

3.  ⋆2 ∉ LIN. By the inductive hypothesis, there exists a structure M such that both M ⊭  2 and each counterexample for  2 in M is not linear. W.l.o.g., M is conic with initial state s_0 and AP( 1) ∩ AP(M) = ∅.

Clearly, M ⊭  , where   = A( 1 U  2), since M ⊭  1 and M ⊭  2. We can conclude that each counterexample for   in M is not linear. Indeed, if Π is a counterexample for   in M, Π(0) must be a  -counterexample for  2. Moreover, or(Π(0)) = s_0. Hence, Π(0) is a counterexample for  2 in M. Consequently, Π(0), and hence also Π, cannot be linear.

4.1 First observe that M ⊭  . Indeed, each state s_i, for 0 ≤ i ≤ k, is origin of a local counterexample for  2. Furthermore, s_k is also origin of a local counterexample for  1. It remains to show that no linear counterexample is in M. In any counterexample Π for   the element Π(0) must be a counterexample for  2. This implies that a counterpath for   cannot reach state s_k. Indeed, the only path reaching state s_k is π(M′), which by construction is not a counterpath for  2. Thus, a counterpath π for   could only lead into some structure M_i, where 0 ≤ i ≤ k − 1. However, in each M_i formula  1 is globally true. Hence π would have to satisfy that π^j, for each j ≥ 1, is a local counterpath for  2. Since each M_i is a k-structure for  2, this is impossible. This proves that no linear counterexample for   exists in M.

4.2 The path [s_0, s′_0, …] is a counterpath for  2. Thus, the multi-path [[s_0, s′_0, …], [s_0, s′_0, …], …] is a counterexample for  . It holds that no linear counterexample for   exists in M. Indeed, since AP( 1) is contained in each state, any counterexample for   must contain infinitely many counterexamples for  2. Since s′_0 is the initial state of a k-structure for  2, no counterpath for   is possible which reaches s′_0. Hence, the only possibility for a counterpath of   is π = [s_0, s_0, s_0, …]. Since s_0 contains AP( 2,2), this is impossible. Thus, no linear counterexample for   exists.

4.3 First observe that M ⊭  . Indeed, each state s_i, for 0 ≤ i ≤ k − 1, is origin of a local counterexample for φ_1 and thus for  2. Furthermore, s_k is also origin of a local counterexample for φ_2, and thus for  2. Moreover, s_k is origin of a local counterexample for the formula  1. Now we show that no linear counterexample for   exists in M. By Definition 3.5, in any counterexample Π for   the element Π(0) must be a counterexample for  2. Hence, a counterpath for   cannot reach state s_k. Indeed, the only path reaching state s_k is π(M′). This path is not a counterpath for  2 by construction: π(M′) does not contain any local counterpath for φ_1, and, moreover, π(M′) is not a counterpath for φ_2. Thus, a counterpath π for   could only lead into some structure M_i, where 0 ≤ i ≤ k − 1. Since in each M_i formula  1 is globally true, the suffix π^i must be a local counterpath for  2, for each i ≥ 1. Since each state in M_i except the initial state s_i contains AP(φ_2), this counterpath for  2 can only be a counterpath for φ_1. But this is impossible, since a right-structure for formula φ_1 cannot contain a linear counterexample Π such that Π(i) is a counterexample for φ_1, for each i ≥ 0. Thus, it follows that no linear counterexample for   exists in M.

4.4 It holds that M ⊭  . Indeed, there exists a counterexample Π for   where Π(0) is a counterexample for  2, and Π(1) is a counterexample for both  1 and  2. Furthermore, no linear counterexample for   exists in M. To see this, observe that no path π leading into M_{φ_2} or into M_{φ_{2,2}} can be a counterpath for  , as  1 and φ_1 are always true there and M_{φ_2}, M_{φ_{2,2}} are k-structures for φ_{2,2} (consequently, φ_2 is not globally false). Thus, only π = [s_0, s_1, s_2, s_2, …] remains as a candidate for a counterpath for  . To eliminate π, assume towards a contradiction that π = π(Π) for some linear counterexample Π for  . The first element Π(0) of every counterexample Π for   must be a counterexample for  2 = φ_1 ∧ φ_2; since φ_1 is true in s_0, it must be a counterexample for φ_2. Along π, however, φ_{2,2} is not always false, which means that Π(0) must involve a counterexample for φ_{2,1}. Along π, however, φ_{2,1} is by construction always true. This raises a contradiction, and proves that in M no linear counterexample for   exists.

•  ⋆ = φ⋆_1 ∧ φ⋆_2 or  ⋆ = φ⋆_1 ∨ φ⋆_2, where nA(φ⋆_1) + nA(φ⋆_2) = k. In the remaining five cases, the labeling of M is chosen as follows (the suitability of M is easily verified):

–  1 = A( 1,1 U  1,2),  2 = A( 2,1 V  2,2). Set L(M)(s_0) = AP( 1,1) ∪ AP( 2,2), L(M)(s_1) = AP( 1), and L(M)(s_2) = AP( 1,1) ∪ AP( 2,2).
–  1 = A( 1,1 V  1,2),  2 = A( 2,1 V  2,2). Set L(M)(s_0) = AP( 1,2) ∪ AP( 2,2), L(M)(s_1) = AP( 1,2), and L(M)(s_2) = AP( 2,2).
–  1 = AX( 1,1),  2 = AX( 2,1). Set L(M)(s_0) = ∅, L(M)(s_1) = AP( 1,1), and L(M)(s_2) = AP( 2,1).
–  1 = AX( 1,1),  2 = A( 2,1 U  2,2). Set L(M)(s_0) = AP( 2,1), L(M)(s_1) = AP( 1), and L(M)(s_2) = AP( 2).
–  1 = AX( 1,1),  2 = A( 2,1 V  2,2). Set L(M)(s_0) = AP( 2,2), L(M)(s_1) = AP( 1,1), and L(M)(s_2) = AP( 2,2).

Acknowledgments. We would like to thank the reviewers for their detailed and constructive comments which helped to improve this paper. This work has been partially supported by the Austrian Science Fund under Project N Z29-INF.
