Alternating automata and temporal logic normal forms


Annals of Pure and Applied Logic 135 (2005) 263–285

www.elsevier.com/locate/apal

Alternating automata and temporal logic normal forms✩

Clare Dixon a,∗, Alexander Bolotov b, Michael Fisher a

a Department of Computer Science, University of Liverpool, Liverpool L69 7ZF, UK
b Harrow School of Computer Science, University of Westminster, HA1 3TP, UK

Received 15 June 2002; received in revised form 7 September 2004; accepted 9 March 2005
Available online 17 May 2005

Communicated by S.N. Artemov

Abstract

We provide a translation from SNF_PLTL, a normal form for propositional linear time temporal logic, into alternating automata on infinite words, and vice versa. We show this translation has the property that the set of SNF_PLTL clauses is satisfiable if and only if the alternating automaton has an accepting run. As there is no direct method known for checking the non-emptiness of alternating automata, the translation to SNF_PLTL, together with a temporal proof on the resulting SNF_PLTL clauses, provides an indirect non-emptiness check for alternating automata.
© 2005 Elsevier B.V. All rights reserved.

MSC: 03B44; 68Q45; 68Q60

Keywords: Temporal logic; Alternating automata; Specification and verification

1. Introduction

The connection between propositional linear time temporal logic (PLTL) and word automata of different kinds is well known. A model for a PLTL formula, ϕ, is essentially

✩ This work was partially supported by EPSRC grant GR/L87491.
∗ Corresponding author.
E-mail address: [email protected] (C. Dixon).

0168-0072/$ - see front matter © 2005 Elsevier B.V. All rights reserved.
doi:10.1016/j.apal.2005.03.002

a sequence of states where the propositions from ϕ are set to true or false such that the sequence of states and setting of propositions satisfies ϕ. This sequence can be viewed as an infinite word over an alphabet comprising subsets of the propositions in ϕ. Thus, for any propositional linear-time temporal logic formula, we can construct a finite automaton such that the automaton accepts exactly the sequences of states (infinite words) which satisfy the formula [19,18].

An alternating automaton is an automaton that has both the power of existential and universal choice, similar in structure to an AND/OR graph [17]. Alternating automata were considered in [6,7] and have been studied in relation to temporal logic in, for example, [19].

Separated Normal Form (SNF_PLTL) [13] is a normal form for representing propositional linear-time temporal logic formulae. The normal form we present comprises formulae that are implications with present-time formulae on their left hand side and (present or) future-time formulae on their right hand side. The transformation into this normal form reduces most of the temporal operators to a core set and rewrites formulae into a particular form. This transformation depends on three main operations: the renaming of complex subformulae, the removal of temporal operators, and classical style rewrite operations.

SNF_PLTL has been used as the basis for both a temporal resolution method [14] and the execution of temporal formulae [1]. The basic SNF_PLTL for propositional linear-time temporal logic described here has been extended to provide normal forms for temporal logics of knowledge and belief [9], and the branching-time temporal logic CTL [4] together with its extensions [2,3].

In this paper we provide transformations from alternating automata into SNF_PLTL and from SNF_PLTL into alternating automata. We show that a set, R, of SNF_PLTL clauses is satisfiable if, and only if, the alternating automaton constructed from R, A_R, has an accepting run. Similarly, an alternating automaton A has an accepting run if, and only if, the set of SNF_PLTL clauses R_A constructed from A is satisfiable. Whilst translations from propositional linear-time temporal logic into alternating automata have been provided elsewhere (for example [19]), the translation we provide is explicitly developed for SNF_PLTL clauses and hence reduces the required number of states.

This work was motivated whilst considering the expressiveness of SNF_PLTL. In earlier work we have shown the correspondence between SNF_PLTL and Büchi automata [5], establishing the following result. From any set of SNF_PLTL clauses we can construct a Büchi automaton and, given a Büchi automaton, we can construct a set of SNF_PLTL clauses, such that the set of SNF_PLTL clauses is satisfiable if, and only if, the Büchi automaton has an accepting run. Sets of SNF_PLTL clauses are intuitively similar to the transition functions of alternating automata: these sets are conjunctions of clauses whose left hand sides are conjunctions of literals and whose right hand sides are disjunctions. Thus, reading an input in an alternating automaton corresponds to satisfying the left hand side of (step and sometime) clauses. The right hand side (of step or sometime clauses) is either of the form ♦l (‘eventually l’) or ○ (‘next’) applied to a disjunction of literals. In SNF_PLTL these right hand sides must also be satisfied. In alternating automata they are used to compute the output of the transition function. Further, the standard way to check whether an alternating automaton has an accepting run (and is therefore non-empty) is to translate it into a Büchi automaton and check whether the resultant Büchi automaton is non-empty. This translation is exponential [19]. (Direct methods of checking non-emptiness of alternating automata would require traversal of AND/OR graphs; see, for example, [8].) In our approach we provide a polynomial translation from alternating automata into SNF_PLTL, enabling us to apply clausal resolution on the resulting set of clauses, thus establishing an alternative non-emptiness check for alternating automata.

This paper is organised as follows. In Section 2 we give the syntax and semantics of propositional linear-time temporal logic and in Section 3 we define the normal form SNF_PLTL. Section 4 defines alternating automata. In Section 5 we provide a translation from alternating automata to SNF_PLTL, with examples being given in Section 6. In Section 7 we give a translation from SNF_PLTL to alternating automata, with related examples in Section 8. In Section 9 we show correctness of the translations. In Section 10 we compare our translation from SNF_PLTL into alternating automata with standard translations from linear-time temporal logic into alternating automata, and the translation from alternating automata into SNF_PLTL with translations into Büchi automata. In Section 11 we provide concluding remarks.

2. Propositional linear time temporal logic

2.1. Syntax

PLTL formulae are constructed from the following elements.

• A set, P, of propositional symbols.
• Propositional connectives ¬, ∨, ∧, and ⇒, and true and false.
• Future-time temporal connectives, ‘♦’ (sometime in the future), ‘□’ (always in the future), ‘○’ (in the next moment in time), ‘U’ (until), and ‘W’ (unless, or weak until).

The set of well-formed formulae of PLTL, denoted by WFF, is inductively defined as the smallest set satisfying the following.

• Any element of P is in WFF.
• true and false are in WFF.
• If A and B are in WFF then so are

¬A,  A ∨ B,  A ∧ B,  A ⇒ B,  ♦A,  □A,  A U B,  A W B,  ○A.

A literal is defined as either a propositional symbol or the negation of a propositional symbol, while an eventuality is defined as a formula of the form ♦A.

2.2. Semantics

PLTL is interpreted over discrete, linear structures which are infinite in one direction, for example the natural numbers, N. A model of PLTL, σ, can be characterised as a sequence of states σ = a0, a1, a2, a3, ... where each state, a_i, is the set of propositional symbols which are satisfied in the i-th moment in time. As formulae in PLTL are interpreted at a particular state in the sequence (i.e. at a particular moment in time), the notation (σ, i) ⊨ A denotes the truth of a formula A in the model σ at the state index i ∈ N. For any formula A, given a model σ and a state index i ∈ N, either (σ, i) ⊨ A holds or (σ, i) ⊨ A does not hold, denoted by (σ, i) ⊭ A. If there is some σ such that (σ, 0) ⊨ A, then A is said to be satisfiable. If (σ, 0) ⊨ A for all models, σ, then A is said to be valid and is written ⊨ A. Note that formulae here are interpreted at a0; this is the anchored version of temporal logic, i.e. validity and satisfiability are evaluated at the beginning of time. Both anchored and non-anchored (validity and satisfiability are evaluated at all time points) versions of temporal logics are presented in [10].

The semantics of well-formed formulae are as follows.

$$
\begin{array}{lcl}
(\sigma, i) \models p & \text{iff} & p \in a_i \quad [\text{where } p \in P]\\
(\sigma, i) \models \mathit{true} & & \\
(\sigma, i) \not\models \mathit{false} & & \\
(\sigma, i) \models A \wedge B & \text{iff} & (\sigma, i) \models A \text{ and } (\sigma, i) \models B\\
(\sigma, i) \models A \vee B & \text{iff} & (\sigma, i) \models A \text{ or } (\sigma, i) \models B\\
(\sigma, i) \models A \Rightarrow B & \text{iff} & (\sigma, i) \models \neg A \text{ or } (\sigma, i) \models B\\
(\sigma, i) \models \neg A & \text{iff} & (\sigma, i) \not\models A\\
(\sigma, i) \models \bigcirc A & \text{iff} & (\sigma, i+1) \models A\\
(\sigma, i) \models \Diamond A & \text{iff} & \text{there exists } k \in \mathbb{N} \text{ such that } k \ge i \text{ and } (\sigma, k) \models A\\
(\sigma, i) \models \Box A & \text{iff} & \text{for all } j \in \mathbb{N}, \text{ if } j \ge i \text{ then } (\sigma, j) \models A\\
(\sigma, i) \models A\,\mathcal{U}\,B & \text{iff} & \text{there exists } k \in \mathbb{N} \text{ such that } k \ge i \text{ and } (\sigma, k) \models B\\
& & \text{and for all } j \in \mathbb{N}, \text{ if } i \le j < k \text{ then } (\sigma, j) \models A\\
(\sigma, i) \models A\,\mathcal{W}\,B & \text{iff} & (\sigma, i) \models A\,\mathcal{U}\,B \text{ or } (\sigma, i) \models \Box A.
\end{array}
$$

The normal form uses an additional symbol start holding only at the beginning of time, i.e.

$$(\sigma, i) \models \mathit{start} \quad \text{iff} \quad i = 0.$$

This is not essential but allows us to present all clauses as implications.
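The semantics above, as an added worked example (our own code, not from the paper): an evaluator for PLTL formulae over ultimately periodic models, i.e. models of the form prefix · loop^ω, which is all that is needed to check the finite examples in this paper. The tuple encoding of formulae, the function names and the window bound are our own assumptions; the bound relies on every position beyond the prefix having the same suffix as the position one loop length later, with position 0 treated separately because of start.

```python
# PLTL semantics (Section 2.2) evaluated over an ultimately periodic model
# sigma = prefix . loop . loop . ...   Added example, not code from the paper.
# Formula encoding (our own choice): a proposition is a string; 'true',
# 'false' and 'start' are constants; ('not', A), ('and', A, B), ('or', A, B),
# ('imp', A, B), ('next', A) for ○A, ('ev', A) for ♦A, ('alw', A) for □A,
# ('until', A, B) for A U B and ('unless', A, B) for A W B.
from functools import lru_cache


def make_model(prefix, loop):
    """Model as (state function k -> a_k, prefix length, loop length)."""
    prefix = [frozenset(s) for s in prefix]
    loop = [frozenset(s) for s in loop]
    if not loop:
        raise ValueError("loop must be non-empty: PLTL models are infinite")

    def state(k):
        return prefix[k] if k < len(prefix) else loop[(k - len(prefix)) % len(loop)]

    return state, len(prefix), len(loop)


def holds(model, formula, i=0):
    """Decide (sigma, i) |= formula."""
    state, n_pre, n_loop = model

    def horizon(i):
        # Positions >= max(n_pre, 1) repeat with period n_loop (position 0 is
        # special only because of 'start'), so a future quantifier starting at
        # i finds a witness in [i, horizon(i)) if it finds one at all.
        return max(i, n_pre, 1) + n_loop

    @lru_cache(maxsize=None)
    def sat(f, i):
        if f == "true":
            return True
        if f == "false":
            return False
        if f == "start":
            return i == 0
        if isinstance(f, str):
            return f in state(i)
        op = f[0]
        if op == "not":
            return not sat(f[1], i)
        if op == "and":
            return sat(f[1], i) and sat(f[2], i)
        if op == "or":
            return sat(f[1], i) or sat(f[2], i)
        if op == "imp":
            return (not sat(f[1], i)) or sat(f[2], i)
        if op == "next":
            return sat(f[1], i + 1)
        if op == "ev":
            return any(sat(f[1], k) for k in range(i, horizon(i)))
        if op == "alw":
            return all(sat(f[1], k) for k in range(i, horizon(i)))
        if op == "until":
            for k in range(i, horizon(i)):      # first k with B; A must hold before it
                if sat(f[2], k):
                    return True
                if not sat(f[1], k):
                    return False
            return False
        if op == "unless":                      # A W B  is  A U B  or  □A
            return sat(("until", f[1], f[2]), i) or sat(("alw", f[1]), i)
        raise ValueError(f"unknown connective {op!r}")

    return sat(formula, i)


def satisfies_clauses(model, clauses):
    """A clause set □∧_i A_i (Section 3) holds iff every clause holds at every moment."""
    return all(holds(model, ("alw", c)) for c in clauses)


# Constructed sample input: the clause set R of Example 4 in Section 8.2
EXAMPLE4 = [("imp", "start", "b"),
            ("imp", "a", ("next", "a")),
            ("imp", "b", ("ev", ("not", "a")))]

if __name__ == "__main__":
    sigma = make_model(prefix=[], loop=[{"b"}])       # {b}, {b}, {b}, ...
    print(satisfies_clauses(sigma, EXAMPLE4))
    print(satisfies_clauses(sigma, EXAMPLE4 + [("imp", "start", "a")]))
```

The model {b}, {b}, {b}, ... satisfies the clauses of Example 4, and adding start ⇒ a (which gives the clause set of Example 3) breaks it; the evaluator only shows that a given model satisfies or violates a clause set, it is not a satisfiability check.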

3. Separated normal form

Separated normal form, SNF_PLTL, is a formula

$$\Box \bigwedge_i A_i$$

where each A_i is known as an SNF_PLTL clause (analogous to a ‘clause’ in classical logic) and must be one of the following forms, with each k_a, k_b, l_c, l_d and l representing a literal.

$$
\begin{array}{ll}
\mathit{start} \Rightarrow \bigvee_c l_c & \text{(an initial SNF}_{\mathrm{PLTL}}\text{ clause)}\\[4pt]
\bigwedge_a k_a \Rightarrow \bigcirc \bigvee_d l_d & \text{(a step SNF}_{\mathrm{PLTL}}\text{ clause)}\\[4pt]
\bigwedge_b k_b \Rightarrow \Diamond l & \text{(a sometime SNF}_{\mathrm{PLTL}}\text{ clause).}
\end{array}
$$

3.1. Resolution using SNF_PLTL

We give a brief overview of the temporal resolution method for SNF_PLTL clauses; for full details see [14]. To show that a PLTL formula, ϕ, is valid we negate it and translate into SNF_PLTL. This removes all temporal operators apart from ○ (in the next moment in time) and ♦ (sometime in the future) by rewriting them using their fixpoint definitions and renaming complex subformulae with new propositional variables, where the truth value of these new propositions is linked to the formulae they replaced at all moments in time. These can be rewritten into SNF_PLTL using standard equivalences. Then resolution rules are applied to the SNF_PLTL clauses until either start ⇒ false is derived, meaning ‘ϕ is valid’, or until no new clauses can be generated, meaning ‘ϕ is not valid’. The method has been shown to be sound, complete and terminating [14]. Rather than giving full details, we next provide a brief overview of the key aspects of the approach.

The following are classical style resolution rules that can be applied to pairs of initial clauses or pairs of step clauses (known as the initial and step resolution rules respectively).

[IRES]

$$\frac{\begin{array}{l}\mathit{start} \Rightarrow (F \vee l)\\ \mathit{start} \Rightarrow (G \vee \neg l)\end{array}}{\mathit{start} \Rightarrow (F \vee G)}$$

[SRES1]

$$\frac{\begin{array}{l}P \Rightarrow \bigcirc(F \vee l)\\ Q \Rightarrow \bigcirc(G \vee \neg l)\end{array}}{(P \wedge Q) \Rightarrow \bigcirc(F \vee G)}$$

The following states ‘if Q leads to a contradiction then ¬Q must hold everywhere’.

[SRES2]

$$\frac{Q \Rightarrow \bigcirc\mathit{false}}{\begin{array}{l}\mathit{start} \Rightarrow \neg Q\\ \mathit{true} \Rightarrow \bigcirc \neg Q\end{array}}$$

There is also a complex temporal resolution rule that resolves sets of step clauses that together imply P ⇒ ○□l with a sometime clause of the form Q ⇒ ♦¬l. This is beyond the scope of this paper and the interested reader is referred to [14].

4. Alternating automata on infinite words

We define alternating automata on infinite words following [19]. An alternating automaton, A, on an infinite word w = a0, a1, ..., is a tuple (L, S, s0, ρ, F) such that:

• L is a finite non-empty alphabet from which all the input symbols in w are taken;
• S is a set of states;
• s0 ∈ S is an initial state;
• ρ : S × L → B+(S) is a transition function; and
• F ⊆ S is a set of accepting states;

where B+(S) is the set of positive Boolean formulae over S extended with true and false, i.e. we construct Boolean formulae from the symbols in S, true and false using only the connectives ∧ and ∨. A set S′ ⊆ S satisfies some formula φ ∈ B+(S) if the valuation which assigns true to members of S′ and false to members of S \ S′ satisfies φ.

Runs of alternating automata are trees. In the following, given a tree τ, the root node of τ is ε. Further, given a node, x, of τ, by |x| we abbreviate the distance of x from the root, known as the level of x, where |ε| = 0. A W-labelled tree, for some set W, is a tuple ⟨τ, W, t⟩, where τ is a tree, W is a set of labels, and t is a mapping of nodes of τ to W. Let W be the set of states, S, of the automaton A. A run of A on an infinite word w = a0, a1, ... is a possibly infinite W-labelled tree r = ⟨τ, W, t⟩ such that t(ε) = s0 and the following holds. If |x| = i, t(x) = s, and ρ(s, a_i) = φ (where φ ∈ B+(S)), then x has children x1, ..., xk for some k ≤ |S| and {t(x1), ..., t(xk)} satisfies φ. The run, r, is accepting if every infinite branch in r includes infinitely many labels in F. Note that an accepting run can have finite branches: if |x| = i, t(x) = s and ρ(s, a_i) ≡ true then x does not need to have any children. However, an accepting run cannot have a finite branch leading to false, i.e. a node x with |x| = i, t(x) = s and ρ(s, a_i) ≡ false, as false is not satisfiable. Thus, every branch in an accepting run has to hit true or hit (at least one of) the accepting states infinitely often.

5. Alternating automata to SNF_PLTL

Below we provide the representation of an arbitrary alternating automaton as a set of SNF_PLTL clauses (note that some of the expressions below should be further translated, by simple manipulations, into SNF_PLTL).

We assume that, given a finite set of propositions Σ, an alternating automaton, A, can read inputs from an infinite sequence of subsets of Σ, thus letting the alphabet, L, for A be 2^Σ. Now, given an alternating automaton A = (2^Σ, S, s0, ρ, F), we define the set of propositions to be used in the set of SNF_PLTL clauses as

$$\Sigma \cup \{ s_{ig}, s_{ib} \mid s_i \in S \} \cup \{ e \}.$$

The suffixes g and b can be thought of as representing good (‘we have recently been in an accepting state’) and bad (‘we are awaiting an accepting state’). Given a set Σ and Σ′ ∈ 2^Σ let

$$\mathit{conj}(\Sigma') = \bigwedge_{p_i \in \Sigma'} p_i \;\wedge\; \bigwedge_{p_j \in \Sigma \setminus \Sigma'} \neg p_j .$$

Firstly, e below indicates that some state is in the ‘bad’ mode.

$$e \Leftrightarrow \bigvee_{s_i \in S} s_{ib}. \qquad (1)$$

There is only one initial state in A, which gives the initial clause

$$\mathit{start} \Rightarrow s_{0b}. \qquad (2)$$

The accepting condition is that infinitely often we want no state to be ‘bad’:

$$\mathit{start} \Rightarrow \Diamond \neg e. \qquad (3)$$

Further, each transition ρ(s_i, Σ′) = φ, where Σ′ ∈ 2^Σ and φ is a positive Boolean formula, is rewritten into SNF_PLTL as follows.

$$
\begin{array}{l}
(\mathit{conj}(\Sigma') \wedge s_{ib}) \Rightarrow \bigcirc \mathit{TRANS}(\varphi)\\
(e \wedge \mathit{conj}(\Sigma') \wedge s_{ig}) \Rightarrow \bigcirc \mathit{TRANS1}(\varphi)\\
(\neg e \wedge \mathit{conj}(\Sigma') \wedge s_{ig}) \Rightarrow \bigcirc \mathit{TRANS}(\varphi)
\end{array}
\qquad (4)
$$

Informally, in constructing the set of clauses (4), we keep a record of reaching accepting states in a run. A proposition with a g suffix indicates that recently one of the accepting states has been reached (along one of the branches of the run), whereas a b suffix indicates that an accepting state has not been reached recently (along some branch). For the first clause in (4), if s_ib holds, i.e. we have not been in an accepting state recently, then e must also hold (from the definition of e). In the next moment we only allow the use of a g suffix if the state reached via the transition is an accepting state; otherwise it must have a b suffix. The second clause in (4) records the fact that if recently we were in an accepting state and some other states have a suffix b (i.e. have not recently been in an accepting state), so that e holds, then we set the states reachable via the ρ transition to have a suffix g. The third clause in (4) is like a reset, i.e. we start checking for satisfying an accepting state again. In more detail, if no state has a suffix b, then ¬e is satisfied; thus we only allow a state with a suffix g if it is reached from the transition ρ and is an accepting state.

The definitions of TRANS and TRANS1 are as follows.

$$
\begin{array}{ll}
\mathit{TRANS}(\mathit{true}) = \mathit{true} & \\
\mathit{TRANS}(\mathit{false}) = \mathit{false} & \\
\mathit{TRANS}(s_i) = s_{ig} & \text{if } s_i \in F\\
\mathit{TRANS}(s_i) = s_{ib} & \text{if } s_i \notin F\\
\mathit{TRANS}(s_i \wedge s_j) = \mathit{TRANS}(s_i) \wedge \mathit{TRANS}(s_j) & \\
\mathit{TRANS}(s_i \vee s_j) = \mathit{TRANS}(s_i) \vee \mathit{TRANS}(s_j) &
\end{array}
\qquad (5)
$$

$$
\begin{array}{l}
\mathit{TRANS1}(\mathit{true}) = \mathit{true}\\
\mathit{TRANS1}(\mathit{false}) = \mathit{false}\\
\mathit{TRANS1}(s_i) = s_{ig}\\
\mathit{TRANS1}(s_i \wedge s_j) = \mathit{TRANS1}(s_i) \wedge \mathit{TRANS1}(s_j)\\
\mathit{TRANS1}(s_i \vee s_j) = \mathit{TRANS1}(s_i) \vee \mathit{TRANS1}(s_j)
\end{array}
\qquad (6)
$$
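Equations (1)–(6) as an added worked example, not code from the paper. The translation below builds the initial, step and sometime clauses for an automaton over the alphabet 2^Σ, distributing ○ over the conjunctions in TRANS(φ) so that every step clause has a disjunction of literals on its right hand side (as in clauses 13–33 of Example 1); clauses whose right hand side would be ○true are omitted as trivially satisfied, and ○false is kept as a clause with an empty right hand side. The data encoding, the fresh symbol x used to put (3) into normal form, and the function names are our own assumptions.

```python
# Alternating automaton -> SNF_PLTL clauses, following equations (1)-(6).
# Added example, not code from the paper.  Encoding (our own choice):
#   - a letter of the alphabet 2^Sigma is a frozenset of propositions;
#   - a positive Boolean formula over S is 'true', 'false', a state name, or
#     ('and', f, g) / ('or', f, g);
#   - a literal is a string, negation written with a leading '¬';
#   - output: initial clauses are frozensets of literals (start => ∨lits),
#     step clauses are (lhs, rhs) meaning ∧lhs => ○∨rhs with an empty rhs
#     standing for ○false, sometime clauses are (lhs, literal).
from itertools import product


def positive_cnf(phi):
    """CNF of a positive Boolean formula as a list of disjunctions.
    'true' gives no disjunctions; 'false' gives the single empty disjunction."""
    if phi == "true":
        return []
    if phi == "false":
        return [frozenset()]
    if isinstance(phi, str):
        return [frozenset([phi])]
    op, a, b = phi
    ca, cb = positive_cnf(a), positive_cnf(b)
    if op == "and":
        return ca + cb
    if op == "or":
        return [x | y for x, y in product(ca, cb)]
    raise ValueError(f"unknown connective {op!r}")


def rename_states(phi, f):
    """Apply f to every state symbol of phi (this is how TRANS/TRANS1 act)."""
    if phi in ("true", "false"):
        return phi
    if isinstance(phi, str):
        return f(phi)
    return (phi[0], rename_states(phi[1], f), rename_states(phi[2], f))


def conj(sigma, letter):
    """conj(Sigma'): literals fixing exactly the letter read."""
    return frozenset(p if p in letter else "¬" + p for p in sigma)


def aa_to_snf(sigma, states, s0, rho, accepting, fresh="x"):
    trans = lambda s: s + ("g" if s in accepting else "b")   # TRANS, (5)
    trans1 = lambda s: s + "g"                                # TRANS1, (6)
    initial, step, sometime = [], [], []
    # (1): e <=> ∨ s_ib, split into initial and step clauses as in Example 1
    for s in states:
        initial.append(frozenset({"e", "¬" + s + "b"}))
        step.append((frozenset(), frozenset({"e", "¬" + s + "b"})))
    some_bad = frozenset({"¬e"} | {s + "b" for s in states})
    initial.append(some_bad)
    step.append((frozenset(), some_bad))
    # (2): the single initial state starts in 'bad' mode
    initial.append(frozenset({s0 + "b"}))
    # (3): start => ♦¬e, renamed with the fresh symbol into SNF
    initial.append(frozenset({fresh}))
    step.append((frozenset({fresh}), frozenset({fresh})))
    sometime.append((frozenset({fresh}), "¬e"))
    # (4): three step-clause schemas per transition rho(s_i, Sigma') = phi
    for (s, letter), phi in rho.items():
        c = conj(sigma, letter)
        schemas = [(c | {s + "b"}, trans),
                   (c | {"e", s + "g"}, trans1),
                   (c | {"¬e", s + "g"}, trans)]
        for lhs, f in schemas:
            for rhs in positive_cnf(rename_states(phi, f)):
                step.append((frozenset(lhs), rhs))
    return {"initial": initial, "step": step, "sometime": sometime}


def example1():
    """Constructed input: the automaton A1 of Example 1 (no accepting run)."""
    P, E = frozenset({"p"}), frozenset()
    rho = {("s0", P): ("and", "s1", "s2"), ("s0", E): "false",
           ("s1", P): "s1", ("s1", E): "false",
           ("s2", P): "s2", ("s2", E): "false"}
    return aa_to_snf({"p"}, ["s0", "s1", "s2"], "s0", rho, {"s1"})


if __name__ == "__main__":
    for lhs, rhs in example1()["step"]:
        print(" ∧ ".join(sorted(lhs)) or "true", "⇒ ○(",
              " ∨ ".join(sorted(rhs)) or "false", ")")
```

For A1 the transition part yields the 21 step clauses 13–33 of Example 1 (six from s1 ∧ s2, nine ○false clauses, three each from s1 and s2), plus the clauses for e, the initial clause and the three clauses replacing (3).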

6. Examples

Example 1 — alternating automaton with no accepting run

Let A1 = ({{p}, ∅}, {s0, s1, s2}, s0, ρ, {s1}) where ρ is defined as follows.

s     ρ(s, {p})     ρ(s, ∅)
s0    s1 ∧ s2       false
s1    s1            false
s2    s2            false

A1 has no accepting run, as there is no run such that each infinite branch includes s1 infinitely often. We construct formulae defining e (from (1)), the initial conditions (from (2)), and the eventuality conditions (from (3)) as follows.

e ⇔ s0b ∨ s1b ∨ s2b

start ⇒ s0b

start ⇒ ♦¬e

These can be rewritten into the normal form as follows, where clauses 1–8 are from the first of the above formulae, the second of the above is already in normal form (clause 9), and the third can be translated as clauses 10–12, where x is a fresh propositional symbol.

1. start ⇒ e ∨ ¬s0b
2. true ⇒ ○(e ∨ ¬s0b)
3. start ⇒ e ∨ ¬s1b
4. true ⇒ ○(e ∨ ¬s1b)
5. start ⇒ e ∨ ¬s2b
6. true ⇒ ○(e ∨ ¬s2b)
7. start ⇒ ¬e ∨ s0b ∨ s1b ∨ s2b
8. true ⇒ ○(¬e ∨ s0b ∨ s1b ∨ s2b)
9. start ⇒ s0b
10. start ⇒ x
11. x ⇒ ○x
12. x ⇒ ♦¬e

Clauses obtained from the transition function, (4), are as follows, where clauses 13–18 are from the transition ρ(s0, {p}) = s1 ∧ s2; clauses 19–21 are from the transition ρ(s0, ∅) = false; clauses 22–24 are from the transition ρ(s1, {p}) = s1; clauses 25–27 are from the transition ρ(s1, ∅) = false; clauses 28–30 are from the transition ρ(s2, {p}) = s2; and clauses 31–33 are from the transition ρ(s2, ∅) = false.

13. p ∧ s0b ⇒ ○s1g
14. p ∧ s0b ⇒ ○s2b
15. p ∧ e ∧ s0g ⇒ ○s1g
16. p ∧ e ∧ s0g ⇒ ○s2g
17. p ∧ ¬e ∧ s0g ⇒ ○s1g
18. p ∧ ¬e ∧ s0g ⇒ ○s2b
19. ¬p ∧ s0b ⇒ ○false
20. ¬p ∧ e ∧ s0g ⇒ ○false
21. ¬p ∧ ¬e ∧ s0g ⇒ ○false
22. p ∧ s1b ⇒ ○s1g
23. p ∧ e ∧ s1g ⇒ ○s1g
24. p ∧ ¬e ∧ s1g ⇒ ○s1g
25. ¬p ∧ s1b ⇒ ○false
26. ¬p ∧ e ∧ s1g ⇒ ○false
27. ¬p ∧ ¬e ∧ s1g ⇒ ○false
28. p ∧ s2b ⇒ ○s2b
29. p ∧ e ∧ s2g ⇒ ○s2g
30. p ∧ ¬e ∧ s2g ⇒ ○s2b
31. ¬p ∧ s2b ⇒ ○false
32. ¬p ∧ e ∧ s2g ⇒ ○false
33. ¬p ∧ ¬e ∧ s2g ⇒ ○false

From rewriting the ○false formulae (in clauses 19, 20, 21, 25, 26, 27, 31, 32 and 33) using SRES2 we obtain the following.

34. start ⇒ (p ∨ ¬s0b) [19]
35. true ⇒ ○(p ∨ ¬s0b) [19]
36. start ⇒ (p ∨ ¬e ∨ ¬s0g) [20]
37. true ⇒ ○(p ∨ ¬e ∨ ¬s0g) [20]
38. start ⇒ (p ∨ e ∨ ¬s0g) [21]
39. true ⇒ ○(p ∨ e ∨ ¬s0g) [21]
40. start ⇒ (p ∨ ¬s1b) [25]
41. true ⇒ ○(p ∨ ¬s1b) [25]
42. start ⇒ (p ∨ ¬e ∨ ¬s1g) [26]
43. true ⇒ ○(p ∨ ¬e ∨ ¬s1g) [26]
44. start ⇒ (p ∨ e ∨ ¬s1g) [27]
45. true ⇒ ○(p ∨ e ∨ ¬s1g) [27]
46. start ⇒ (p ∨ ¬s2b) [31]
47. true ⇒ ○(p ∨ ¬s2b) [31]
48. start ⇒ (p ∨ ¬e ∨ ¬s2g) [32]
49. true ⇒ ○(p ∨ ¬e ∨ ¬s2g) [32]
50. start ⇒ (p ∨ e ∨ ¬s2g) [33]
51. true ⇒ ○(p ∨ e ∨ ¬s2g) [33]

And, after applying step resolution, we obtain the following clauses (and possibly others).

52. true ⇒ ○(p ∨ ¬s0g) [37, 39]
53. true ⇒ ○(p ∨ ¬s1g) [43, 45]
54. true ⇒ ○(p ∨ ¬s2g) [49, 51]
55. p ∧ s0b ⇒ ○p [14, 47]
56. p ∧ e ∧ s0g ⇒ ○p [15, 53]
57. p ∧ ¬e ∧ s0g ⇒ ○p [17, 53]
58. p ∧ s1b ⇒ ○p [22, 53]
59. p ∧ e ∧ s1g ⇒ ○p [23, 53]
60. p ∧ ¬e ∧ s1g ⇒ ○p [24, 53]
61. p ∧ s2b ⇒ ○p [28, 47]
62. p ∧ e ∧ s2g ⇒ ○p [29, 54]
63. p ∧ ¬e ∧ s2g ⇒ ○p [30, 47]
64. start ⇒ e [1, 9]
65. start ⇒ p [9, 34]
66. p ∧ s0b ⇒ ○e [6, 14]
67. p ∧ s2b ⇒ ○e [6, 28]

From this set of formulae any model we construct will have p, s0b, e and x true in the first moment in time (from clauses 65, 9, 64, 10). Further, any model σ we construct will have p, s1g, s2b, e and x true at every moment other than the first moment in time (from clauses 55, 13, 14, 66, 11 at time two and then clauses 61, 23, 28, 67, 11 afterwards). However, e holds in σ from the start of time and, therefore, ♦¬e cannot be satisfied; thus the set of clauses is unsatisfiable.

Using the temporal resolution calculus, from the clauses 61, 23, 28 and 67 together we obtain

$$p \wedge e \wedge s_{1g} \wedge s_{2b} \Rightarrow \bigcirc\Box e.$$

This can be resolved with sometime clause 12. Applying further step and initial resolution rules will lead to false being derived in the initial state (start ⇒ false) as required.

Example 2 — automaton with accepting run

Let A2 = ({{p}, ∅}, {s0, s1, s2}, s0, ρ, {s1}) where ρ is defined as follows.

s ρ(s, {p}) ρ(s,∅)

s0 s1 ∧ s2 false

s1 s2 false

s2 s1 false

There is a run over the infinite word {p}, {p}, {p}, {p}, ... such that each infinite branch infinitely often includes s1, i.e. there is an accepting run. Following our method for generating a set of corresponding SNF_PLTL clauses, we obtain clauses 1–12, which are the same as in Example 1.

Clauses obtained from the transition function, (4), are as follows.

13. p ∧ s0b ⇒ ○s1g
14. p ∧ s0b ⇒ ○s2b
15. p ∧ e ∧ s0g ⇒ ○s1g
16. p ∧ e ∧ s0g ⇒ ○s2g
17. p ∧ ¬e ∧ s0g ⇒ ○s1g
18. p ∧ ¬e ∧ s0g ⇒ ○s2b
19. ¬p ∧ s0b ⇒ ○false
20. ¬p ∧ e ∧ s0g ⇒ ○false
21. ¬p ∧ ¬e ∧ s0g ⇒ ○false
22. p ∧ s1b ⇒ ○s2b
23. p ∧ e ∧ s1g ⇒ ○s2g
24. p ∧ ¬e ∧ s1g ⇒ ○s2b
25. ¬p ∧ s1b ⇒ ○false
26. ¬p ∧ e ∧ s1g ⇒ ○false
27. ¬p ∧ ¬e ∧ s1g ⇒ ○false
28. p ∧ s2b ⇒ ○s1g
29. p ∧ e ∧ s2g ⇒ ○s1g
30. p ∧ ¬e ∧ s2g ⇒ ○s1g
31. ¬p ∧ s2b ⇒ ○false
32. ¬p ∧ e ∧ s2g ⇒ ○false
33. ¬p ∧ ¬e ∧ s2g ⇒ ○false

and clauses 34–54 are as in Example 1, so we will not repeat them. Applying resolution to clauses 1–54 we can obtain the following (and other) clauses.

55. start ⇒ e [1, 9]
56. start ⇒ p [9, 34]
57. p ∧ s0b ⇒ ○p [14, 47]
58. p ∧ s0b ⇒ ○e [6, 14]
59. p ∧ s2b ⇒ ○p [28, 53]
60. p ∧ ¬e ∧ s1g ⇒ ○p [24, 47]
61. p ∧ ¬e ∧ s1g ⇒ ○e [6, 24]

From this set of formulae we can construct a model σ = a0, a1, a2, a1, a2, ... such that

a0 = {p, s0b, e}
a1 = {p, s1g, s2b, e}
a2 = {p, s1g, s2g, ¬e}

i.e. we can satisfy ¬e in σ infinitely often. This is by using clauses 9, 55, 56 (to obtain a0); 13, 14, 57, 58 (to obtain a1); 23, 28, 59 (to obtain a2; note that ¬e is not forced here but is possible); and 60, 61, 30, 24 (to obtain a1 again).

7. SNF_PLTL to alternating automata

Whilst translations from temporal logic into alternating automata have been given in other works, for example [19], we provide a translation particularly tailored to SNF_PLTL formulae. Let a set of clauses, R, be made up from I ⊆ R initial clauses, T ⊆ R step clauses, and E ⊆ R sometime clauses, and let P be the set of propositional symbols in R. We give a method for constructing an alternating automaton A_R = (L, S, s0, ρ, F).

• $L = 2^P$.
• $S = \Big\{ \bigwedge_{r_i \in I} r_i \wedge \Box \bigwedge_{r_j \in T \cup E} r_j \Big\} \cup \Big\{ \Box \bigwedge_{r_j \in T \cup E} r_j \Big\} \cup \{ Y \mid X \Rightarrow \bigcirc Y \in T \} \cup \{ \Diamond l \mid X \Rightarrow \Diamond l \in E \}$.
• $s_0 = \bigwedge_{r_i \in I} r_i \wedge \Box \bigwedge_{r_j \in T \cup E} r_j$.
• ρ is defined below.
• $F = \Big\{ \Box \bigwedge_{r_j \in T \cup E} r_j \Big\}$.

Below we define the transition function, ρ : S × L → B+(S). This function uses an auxiliary function ρ′ : Z × L → B+(S) where

$$Z = R \cup \{ X \mid X \Rightarrow \bigcirc Y \in R \text{ or } X \Rightarrow \Diamond Y \in R \} \cup \Big\{ \bigwedge_i r_i \;\Big|\; r_i \in R \Big\} \cup \Big\{ \Box \bigwedge_j r_j \;\Big|\; r_j \in T \cup E \Big\}.$$

• $\rho(C_1 \wedge C_2, V) = \rho'(C_1, V) \wedge \rho'(C_2, V)$.
• $\rho(\Box C_1, V) = \rho'(C_1, V) \wedge \Box C_1$.
• $\rho(\Diamond l, V) = \rho(l, V) \vee \Diamond l$.
• $\rho(\bigvee_i l_i, V) = \mathit{true}$ iff for some $i$, if $l_i$ is of the form $\neg p$ then $p \notin V$, else (if $l_i$ is not of the form $\neg p$) $l_i \in V$.
• $\rho'(C_1 \wedge C_2, V) = \rho'(C_1, V) \wedge \rho'(C_2, V)$.
• $\rho'(\Box C_1, V) = \rho(\Box C_1, V)$.
• $\rho'(\mathit{start} \Rightarrow Y, V) = \rho(Y, V)$.
• $\rho'(\bigwedge_i l_i \Rightarrow \bigcirc Y, V) = Y$ if $\rho'(\bigwedge_i l_i, V) \equiv \mathit{true}$.
• $\rho'(\bigwedge_i l_i \Rightarrow \bigcirc Y, V) = \mathit{true}$ if $\rho'(\bigwedge_i l_i, V) \equiv \mathit{false}$.
• $\rho'(\bigwedge_i l_i \Rightarrow \Diamond l, V) = \rho(\Diamond l, V)$ if $\rho'(\bigwedge_i l_i, V) \equiv \mathit{true}$.
• $\rho'(\bigwedge_i l_i \Rightarrow \Diamond l, V) = \mathit{true}$ if $\rho'(\bigwedge_i l_i, V) \equiv \mathit{false}$.
• $\rho'(\bigwedge_i l_i, V) = \mathit{true}$ iff for all $i$, if $l_i$ is of the form $\neg p$ then $p \notin V$, else (if $l_i$ is not of the form $\neg p$) $l_i \in V$.

Properties of this translation are discussed inSection 10.2.
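The construction of A_R above, as an added worked example that is not the paper's own code. The states named INIT and BOX stand for ∧I ∧ □∧(T ∪ E) and □∧(T ∪ E) respectively (the paper's f1 and f2 in Example 3); a step clause X ⇒ ○Y contributes the state named after Y, and a sometime clause X ⇒ ♦l contributes the state ♦l. Formulae of B+(S) are kept in conjunctive normal form, so a transition result can be compared directly with the entries in the tables of Section 8. The clause encoding and all function names are our own assumptions.

```python
# SNF_PLTL clause set R -> alternating automaton A_R, following Section 7.
# Added example, not the paper's code.  Encoding (our own choice):
#   ('init', rhs)       for  start => ∨rhs
#   ('step', lhs, rhs)  for  ∧lhs => ○∨rhs
#   ('ev', lhs, lit)    for  ∧lhs => ♦lit
# Literals are strings, negation written with a leading '¬'.  A formula of
# B+(S) is a frozenset of disjunctions (frozensets of state names): TRUE is
# the empty conjunction, FALSE the conjunction holding the empty disjunction.
from itertools import combinations, product

TRUE = frozenset()
FALSE = frozenset({frozenset()})


def b_and(*fs):
    out = frozenset().union(*fs)
    return FALSE if frozenset() in out else out


def b_or(f, g):
    if f == TRUE or g == TRUE:
        return TRUE
    return frozenset(x | y for x, y in product(f, g))


def lit_true(lit, letter):
    return lit[1:] not in letter if lit.startswith("¬") else lit in letter


def y_state(rhs):
    """Name of the state Y contributed by a step clause X => ○Y."""
    return " ∨ ".join(sorted(rhs)) if rhs else "false"


def build_automaton(clauses, props):
    props = sorted(props)
    alphabet = [frozenset(c) for n in range(len(props) + 1)
                for c in combinations(props, n)]                 # L = 2^P
    init = [c for c in clauses if c[0] == "init"]                 # I
    rest = [c for c in clauses if c[0] != "init"]                 # T ∪ E
    states = {"INIT", "BOX"}
    states |= {y_state(c[2]) for c in rest if c[0] == "step"}
    states |= {"♦" + c[2] for c in rest if c[0] == "ev"}

    def rho_disj(lits, V):                  # ρ(∨ l_i, V)
        return TRUE if any(lit_true(l, V) for l in lits) else FALSE

    def rho_ev(lit, V):                     # ρ(♦l, V) = ρ(l, V) ∨ ♦l
        return b_or(rho_disj([lit], V), frozenset({frozenset({"♦" + lit})}))

    def rho_prime(c, V):                    # ρ' on a step or sometime clause
        if not all(lit_true(l, V) for l in c[1]):
            return TRUE                     # left hand side false: nothing imposed
        if c[0] == "step":
            return frozenset({frozenset({y_state(c[2])})})
        return rho_ev(c[2], V)

    def rho_box(V):                         # ρ(□∧(T∪E), V) = ∧ ρ'(r_j, V) ∧ □∧(T∪E)
        return b_and(*(rho_prime(c, V) for c in rest), frozenset({frozenset({"BOX"})}))

    def rho(s, V):
        if s == "INIT":                     # ρ'(start => Y, V) = ρ(Y, V), then the □ part
            return b_and(*(rho_disj(c[1], V) for c in init), rho_box(V))
        if s == "BOX":
            return rho_box(V)
        if s.startswith("♦"):
            return rho_ev(s[1:], V)
        return FALSE if s == "false" else rho_disj(s.split(" ∨ "), V)

    table = {(s, V): rho(s, V) for s in states for V in alphabet}
    return alphabet, states, "INIT", table, {"BOX"}


def example3():
    """Constructed input: the unsatisfiable clause set R of Example 3."""
    R = [("init", ("a",)), ("init", ("b",)),
         ("step", ("a",), ("a",)), ("ev", ("b",), "¬a")]
    return build_automaton(R, {"a", "b"})


if __name__ == "__main__":
    alphabet, states, s0, rho, F = example3()
    for s in sorted(states):
        for V in alphabet:
            print(s, set(V), "->", [set(d) for d in rho[(s, V)]])
```

For Example 3 the table reproduces the one in Section 8.1: ρ(INIT, {a, b}) is the conjunction a ∧ ♦¬a ∧ BOX, every other letter sends INIT to false, and ♦¬a loops to itself on any letter containing a.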

8. Example

8.1. Example 3 — unsatisfiable clause-set

Let R be the set of SNF_PLTL clauses

{start ⇒ a, start ⇒ b, a ⇒ ○a, b ⇒ ♦¬a}.

This set of clauses is unsatisfiable by the following argument. The first two clauses require a and b both to hold in the initial state. The third clause (with the first) then means that a holds in all future moments. The initial state satisfies the left hand side of the fourth clause, but the right hand side cannot be satisfied due to the previously established fact that a should hold in all future moments. Hence the set is unsatisfiable.

We construct an alternating automaton A_R = (L, S, s0, ρ, F) as follows. To save space let

f1 = ((start ⇒ a) ∧ (start ⇒ b) ∧ f2)
f2 = □((a ⇒ ○a) ∧ (b ⇒ ♦¬a)).

Now, according to the method described in Section 7:

• L = {{a, b}, {a}, {b}, ∅}.
• S = {f1, f2, a, ♦¬a}.
• s0 = f1.
• F = {f2}.
• The transition function ρ is given below, where the states are listed in the first column.

s ρ(s, {a, b}) ρ(s, {a}) ρ(s, {b}) ρ(s,∅)

f1 a ∧ ♦¬a ∧ f2 false false false

f2 a ∧ ♦¬a ∧ f2 a ∧ f2 f2 f2

a true true false false

♦¬a ♦¬a ♦¬a true true

There is no accepting run, for the following argument. Initially we must read {a, b}; otherwise the run fails immediately. Hence we reach states a, ♦¬a and f2. To satisfy a we must read either {a, b} or {a}. Both mean that from ♦¬a we are led again to ♦¬a. From f2 we move to a, ♦¬a and f2 for the input {a, b}, or we move to a and f2 for the input {a}. In both cases we keep reading {a, b} or {a} to avoid false, but we will obtain branches where the state ♦¬a occurs forever. Hence, for any run, it is not the case that each infinite branch contains f2 infinitely often, so there is no accepting run.

8.2. Example 4 — satisfiable clause-set

Let R be the set of SNF_PLTL clauses

{start ⇒ b, a ⇒ ○a, b ⇒ ♦¬a}.

We can construct a model for this formula, σ = a0, a0, a0, a0, ..., such that a0 = {b} (i.e. ¬a and b hold at every moment), so R is satisfiable.

We construct an alternating automaton A_R = (L, S, s0, ρ, F) as follows. To save space let

f3 = ((start ⇒ b) ∧ f4)
f4 = □((a ⇒ ○a) ∧ (b ⇒ ♦¬a)).

• L = {{a, b}, {a}, {b}, ∅}.
• S = {f3, f4, a, ♦¬a}.
• s0 = f3.
• The transition function ρ is given below, where the states are listed in the first column.

s ρ(s, {a, b}) ρ(s, {a}) ρ(s, {b}) ρ(s,∅)

f3 a ∧ ♦¬a ∧ f4 false f4 false

f4 a ∧ ♦¬a ∧ f4 a ∧ f4 f4 f4

a true true false false

♦¬a ♦¬a ♦¬a true true

• F = {f4}.

Here an accepting run can be constructed on the infinite word {b}, {b}, {b}, ... (a false and b true at every moment). From the initial state f3, reading {b} we must move to the state f4. Again reading {b} from f4 we move to f4. Continuing to read {b} we obtain an infinite branch repeating f4. Each infinite branch contains f4 infinitely often, so the run is accepting.

9. Correctness of the translation

Theorem 1. Let A = (2^Σ, S, s0, ρ, F) be an alternating automaton and τ(A) be its translation into SNF_PLTL. Then A has an accepting run if, and only if, τ(A) is satisfiable.

Proof. Assume that A has an accepting run r on an infinite word w = a0, a1, ..., where each a_i ∈ 2^Σ, and r is an S-labelled tree. From r we construct r′, an (S, l)-labelled tree, where S is the set of states in A and l is either g or b. Thus, constructing r′ from r, we copy r′ from r and provide the additional labelling of each node by g or b as described below.

From the definition of an accepting run, every infinite branch in r includes infinitely many labels in F. We define z_i, a sequence of levels on r′, as follows. Let z0 be at the level of the root node of r′, i.e. at level zero. For i > 0 let level z_i be the first level after z_{i−1} such that for each node at level z_i there exists a predecessor of this node (or the node itself) occurring after level z_{i−1} which is labelled with a state in F. From the definition of accepting runs it is obvious we can find a level where each infinite branch has reached a node labelled with a state in F since z_{i−1}. Concerning the finite branches, either a node is reached between z_{i−1} and the end of the finite branch that is labelled by a state in F or not. For the former a suitable node labelled with an accepting state has been found. For the latter, as the branch is finite, we can take the level after the end of the finite branch. Each z_i can be thought of as the level at which we reset and again start checking that we reach a node labelled with a member of F on each branch (or reach the end of a finite branch).

Now, we label the node at the root of the run r′ by (s0, b). Between levels z_{i−1} and z_i (not including level z_{i−1} itself), whenever a node is labelled with s_m and s_m ∈ F, we label this node by (s_m, g), and label all subsequent nodes along this branch up to and including those at level z_i with g. Any nodes between z_{i−1} and z_i which are not labelled with g are then labelled with b. Note that, at level z_i, all nodes in the run r′ are annotated with g (by definition of where we chose z_i to be).

Given some a_j, the j-th component of the infinite word w, we construct a model, σ, such that (σ, j) ⊨ p for all p ∈ a_j, (σ, j) ⊨ ¬p for all p ∈ Σ \ a_j, (σ, z_i) ⊨ ¬e for each reset level z_i, and (σ, j) ⊨ e for every j which is not a reset level. Let (σ, j) ⊨ s_ig iff (s_i, g) is the label of a node at level j in r′, and (σ, j) ⊨ s_ib iff (s_i, b) is the label of a node at level j in r′. We show that σ is a model for τ(A). First note that (σ, 0) ⊨ (start ⇒ s0b), by construction of σ, i.e. (2) is satisfied. Next we show that (σ, j) ⊨ e ⇔ ∨_{s_i ∈ S} s_ib, i.e. (1) is satisfied. For any j = z_i for some i we have that all nodes are labelled with g, from the definition of where we chose z_i to be. From the definition of the model, when j = z_i we have (σ, j) ⊨ ¬e and (σ, j) ⊨ ¬s_kb for all s_k ∈ S. For j ≠ z_i some node must be labelled with b; otherwise we would have chosen this level to be z_i for some i. Hence from the definition of the model, when j ≠ z_i we have (σ, j) ⊨ e and (σ, j) ⊨ s_kb for some s_k ∈ S. In both cases (σ, j) ⊨ e ⇔ ∨_{s_i ∈ S} s_ib.

Next we show that the set of step clauses of (4) is satisfied in $\sigma$. Take any moment of time, say $j$, in $\sigma$, in which the left hand side of a step clause is satisfied. Note that if the left hand side of a step clause is not satisfied, then the clause itself is satisfied. The step clauses defined in (4) can be in one of three forms:

$$\mathrm{conj}(\Sigma') \wedge s_i^b \Rightarrow \bigcirc \mathrm{TRANS}(\varphi)$$

$$e \wedge \mathrm{conj}(\Sigma') \wedge s_i^g \Rightarrow \bigcirc \mathrm{TRANS1}(\varphi)$$

$$\neg e \wedge \mathrm{conj}(\Sigma') \wedge s_i^g \Rightarrow \bigcirc \mathrm{TRANS}(\varphi).$$

Recall that these were from transitions $\rho(s_i, \Sigma') = \varphi$. First consider $\varphi \equiv \mathbf{true}$, i.e. the end point of a finite branch. Whatever the left hand side of the step clause derived from this transition, the right hand side will always be $\bigcirc\mathbf{true}$ (from the definitions of TRANS and TRANS1). Such a clause is always satisfied. Next consider the cases where $\varphi \not\equiv \mathbf{true}$. Assume that $(\sigma, j) \models \mathrm{conj}(\Sigma') \wedge s_i^b$; we must show that $(\sigma, j+1) \models \mathrm{TRANS}(\varphi)$. Consider the labelling of nodes at level $j$ in $r'$. If $(\sigma, j) \models \mathrm{conj}(\Sigma') \wedge s_i^b$ then, from the construction of the model $\sigma$, there must be a node, $x$, at level $j$ of $r'$ labelled with $(s_i, b)$. By definition of the run, $x$ has $k$ successors labelled with $(s_u, l_u), \ldots, (s_v, l_v)$, where $l_i \in \{g, b\}$, and $s_u, \ldots, s_v$ satisfies $\varphi$. As $x$ was labelled with $(s_i, b)$, its successors will be labelled with the corresponding $(s_k, g)$ ($s_k \in \{s_u, \ldots, s_v\}$) if $s_k \in F$ and $(s_k, b)$ if $s_k \notin F$, from our labelling of $r'$. This matches the definition of TRANS (5), so $(\sigma, j+1) \models \mathrm{TRANS}(\varphi)$.

Next assume that $(\sigma, j) \models e \wedge \mathrm{conj}(\Sigma') \wedge s_i^g$; we must show that $(\sigma, j+1) \models \mathrm{TRANS1}(\varphi)$. Consider the labelling of nodes at level $j$ of $r'$. If $(\sigma, j) \models e \wedge \mathrm{conj}(\Sigma') \wedge s_i^g$ then, from the construction of the model $\sigma$, there must be a node, $x$, at level $j$ of $r'$ labelled with $(s_i, g)$. Again, by definition of the run, $x$ has $k$ successors labelled with $(s_u, l_u), \ldots, (s_v, l_v)$, where $l_i \in \{g, b\}$, and $s_u, \ldots, s_v$ satisfies $\varphi$. We are given $(\sigma, j) \models e$. By (1) (the definition of $e$), $e \Leftrightarrow \bigvee_{s_i \in S} s_i^b$, and from the construction of $\sigma$ some other node, say $x'$, in the run $r'$ at level $j$ must be labelled with the corresponding $(s_k, b)$ ($s_k \in \{s_u, \ldots, s_v\}$). Thus, we are waiting for a node along this branch to be labelled with $g$ and, by definition, we are between levels $z_l$ and $z_{l+1}$ for some $l$. As $x$ was labelled with $(s_i, g)$, its successors will be labelled with the corresponding $(s_k, g)$ ($s_k \in \{s_u, \ldots, s_v\}$), from how we have labelled $r'$ and since we are waiting for some labels at level $j$ to be set from $b$ to $g$. This matches the definition of TRANS1 (6), so $(\sigma, j+1) \models \mathrm{TRANS1}(\varphi)$.

For the third step clause, assume that $(\sigma, j) \models \neg e \wedge \mathrm{conj}(\Sigma') \wedge s_i^g$. We must show that $(\sigma, j+1) \models \mathrm{TRANS}(\varphi)$. Consider the labelling of nodes at level $j$ of the run $r'$. If $(\sigma, j) \models \neg e \wedge \mathrm{conj}(\Sigma') \wedge s_i^g$ then there must be a node, $x$, at level $j$ of $r'$ labelled with $(s_i, g)$, by the construction of the model $\sigma$. By definition of the run, $x$ has $k$ successors labelled with $(s_u, l_u), \ldots, (s_v, l_v)$, where $l_i \in \{g, b\}$, and $s_u, \ldots, s_v$ satisfies $\varphi$. We are given $(\sigma, j) \models \neg e$. From the definition of $e$ (1), $e \Leftrightarrow \bigvee_{s_i \in S} s_i^b$, and by the construction of $\sigma$ no node at level $j$ can be labelled with a label $(s_k, b)$ ($s_k \in \{s_u, \ldots, s_v\}$). Thus, we are at level $z_l$, for some $l$, where all branches of the run have reached a node labelled with a state in $F$ since $z_{l-1}$. Hence, successors of $x$ will be labelled with the corresponding $(s_k, g)$ if $s_k \in F$, and $(s_k, b)$ if $s_k \notin F$, from how we have labelled $r'$. This matches the definition of TRANS (5), so $(\sigma, j+1) \models \mathrm{TRANS}(\varphi)$.

Finally, note that as $A$ has an accepting run, every infinite branch in $r$ includes infinitely many labels in $F$. Further, for the model $\sigma$ that we have constructed, $(\sigma, z_i) \models \neg e$. Therefore, there must be infinitely many levels $z_i$, and $\neg e$ occurs in the model $\sigma$ infinitely many times; hence $(\sigma, 0) \models \mathbf{start} \Rightarrow \Box\Diamond\neg e$, i.e. our representation of the accepting condition, (3), is satisfied in $\sigma$.

Next assume that $A$ has no successful run. Thus, each run on each infinite word either has a finite branch terminating in $\mathbf{false}$ or has an infinite branch that does not contain a member of $F$ infinitely often. We must show that $\tau(A)$ is not satisfiable. We attempt to construct a model, $\sigma$, for $\tau(A)$. Let $a_j \subseteq \Sigma$ be such that $(\sigma, j) \models p$ if and only if $p \in a_j$. As there are no successful runs there must be some unsuccessful run $r$ on the infinite word $a_0, a_1, \ldots$. Next assume that the propositions $s_i^g$ and $s_i^b$ are set to false unless we are forced to set them to true to satisfy (2) or (4). For example, $(\sigma, 0) \models s_0^b$ to satisfy (2). For $j \geq 0$, given the $j$-th moment in time, set only those $s_i^g$ and $s_i^b$ propositions to hold at $j+1$ that are needed to satisfy (4). At each moment $j$ let $(\sigma, j) \models e$ if and only if $(\sigma, j) \models s_i^b$ for some $i$. Thus (1) holds at each moment in time.

First assume that $r$ has a finite branch terminating in $\mathbf{false}$. Assume that the branch ending with $\mathbf{false}$ has come from the transition $\rho(s_i, a_j) = \mathbf{false}$. This, according to (4), is rewritten into $\mathrm{SNF}_{PLTL}$ as

$$\mathrm{conj}(a_j) \wedge s_i^b \Rightarrow \bigcirc\mathbf{false}$$

$$e \wedge \mathrm{conj}(a_j) \wedge s_i^g \Rightarrow \bigcirc\mathbf{false}$$

$$\neg e \wedge \mathrm{conj}(a_j) \wedge s_i^g \Rightarrow \bigcirc\mathbf{false}.$$

Thus at the $j$-th moment in time we must have set either $s_i^g$ or $s_i^b$ to satisfy the translation of the transition function which led us to $s_i$.

Thus, in $\sigma$ the left hand side of one of the clauses above will be satisfied at moment $j$. Therefore, $(\sigma, j) \models \mathrm{conj}(a_j)$ and either $(\sigma, j) \models s_i^b$ or $(\sigma, j) \models s_i^g$. Consider the case where $(\sigma, j) \models \mathrm{conj}(a_j)$ and $(\sigma, j) \models s_i^b$. The other two cases are similar. In $\mathrm{SNF}_{PLTL}$ we apply the SRES2 rule to the first of the previous three step clauses and obtain

$$\mathbf{start} \Rightarrow (\neg\mathrm{conj}(a_j) \vee \neg s_i^b)$$

$$\mathbf{true} \Rightarrow \bigcirc(\neg\mathrm{conj}(a_j) \vee \neg s_i^b).$$

Thus, for $j = 0$, $\sigma$ cannot be a model for the first of the above two clauses and, for $j > 0$, $\sigma$ cannot be a model for the second of the above two clauses: since $(\sigma, j) \models \mathrm{conj}(a_j)$ and $(\sigma, j) \models s_i^b$, we have $(\sigma, j) \not\models \neg\mathrm{conj}(a_j) \vee \neg s_i^b$, and so $(\sigma, j) \not\models \mathbf{start} \Rightarrow (\neg\mathrm{conj}(a_j) \vee \neg s_i^b)$ (for $j = 0$) or $(\sigma, j) \not\models \mathbf{true} \Rightarrow \bigcirc(\neg\mathrm{conj}(a_j) \vee \neg s_i^b)$ (for $j > 0$).

Alternatively, if we try to construct a model from a run with an infinite branch that does not contain a member of $F$ infinitely often, we cannot satisfy the formula $\mathbf{start} \Rightarrow \Box\Diamond\neg e$. Construct $\sigma$ as above. On some branch there must be a level, say $j$, where from that level onwards no state on that branch is in $F$. Hence, following (4), there must be some $j' \geq j$ such that for all $k \geq j'$ there exists an $i$ such that $(\sigma, k) \models s_i^b$. Hence, in the model, $(\sigma, k) \models e$ for all $k \geq j'$, and, therefore, $(\sigma, 0) \not\models \Box\Diamond\neg e$, i.e. $(\sigma, 0) \not\models \mathbf{start} \Rightarrow \Box\Diamond\neg e$. We conclude that $\sigma$ is not a model for this set of clauses. Hence, every $\sigma$ that we try to construct for each unsuccessful run is not a model for the set of $\mathrm{SNF}_{PLTL}$ clauses; hence, the set of $\mathrm{SNF}_{PLTL}$ clauses is unsatisfiable. □

Theorem 2. Let $T$ be a set of $\mathrm{SNF}_{PLTL}$ clauses and $\tau'(T)$ be its translation into an alternating automaton. Then $T$ is satisfiable if, and only if, $\tau'(T)$ has an accepting run.

Proof. First assume that $T$ is satisfiable. Then we must be able to construct a model $\sigma$ for $T$. We must show that $\tau'(T)$ has an accepting run. Let $\omega = a_0, a_1, \ldots$ be the infinite word such that $a_i$ is the set of propositions satisfied in $\sigma$ at time $i$.

For $\tau'(T)$ to have an accepting run $r$ means that $r$ must have no branches that end in $\mathbf{false}$ and must have no infinite branches that do not contain a member of $F$ infinitely often. We show that the run, $r$, on the infinite word $\omega$ has neither of these properties, and, therefore, must be accepting.

We first show that the alternating automaton $\tau'(T)$ and the run $r$ on the infinite word $\omega$ cannot contain branches ending in $\mathbf{false}$. Assume that $r$ has a branch ending in $\mathbf{false}$ at level 0. From the translation from $\mathrm{SNF}_{PLTL}$ to alternating automata these could only come from translating states which are a conjunction of clauses including either of the following initial clauses:

• $\mathbf{start} \Rightarrow \mathbf{false}$;

• $\mathbf{start} \Rightarrow \bigvee_i l_i$ where there is no $l_i \in a_0$.

The first clause is unsatisfiable in any model so could not have been a member of $T$, since we assumed that $T$ was satisfiable. The second is not satisfiable in $\sigma$ at time 0, i.e. $(\sigma, 0) \not\models \bigvee_i l_i$ from how $a_0$ has been defined, so also could not have been a member of $T$.

Next assume that $r$ has a branch ending in $\mathbf{false}$ at level $j+1$ for $j \geq 0$. From the translation from $\mathrm{SNF}_{PLTL}$ to alternating automata, these could only come from translating states which are a conjunction of step and sometime clauses including either of the following step clauses:

• $\bigwedge_k l_k \Rightarrow \bigcirc\mathbf{false}$ where all $l_k \in a_j$;

• $\bigwedge_k l_k \Rightarrow \bigcirc\bigvee_i l_i$ where all $l_k \in a_j$ and there is no $l_i \in a_{j+1}$.

Again, for the first step clause, from the definition of $\omega$, we have $(\sigma, j) \models \bigwedge_k l_k$. Since we also have $(\sigma, j+1) \not\models \mathbf{false}$, $\sigma$ is not a model for this clause, so $T$ cannot contain this clause. Finally, $(\sigma, j) \models \bigwedge_k l_k$, from the definition of $\omega$, but $(\sigma, j+1) \not\models \bigvee_i l_i$. Again, $\sigma$ is not a model for this clause, so $T$ cannot contain this clause. Thus, the run $r$ cannot contain finite branches ending in $\mathbf{false}$.

Next we show that the alternating automaton $\tau'(T)$ and the run $r$ on the infinite word $\omega$ cannot contain infinite branches that do not contain a member of $F$ infinitely often. Let $I \subseteq T$ be the initial clauses of $T$, $T' \subseteq T$ be the step clauses of $T$, and $E \subseteq T$ be the sometime clauses of $T$. The accepting states, $F$, of $\tau'(T)$ are $F = \{\Box\bigwedge_{r_j \in T' \cup E} r_j\}$. The initial state is a conjunction of clauses, $s_0 = \bigwedge_{r_i \in I} r_i \wedge \Box\bigwedge_{r_j \in T' \cup E} r_j$. The transition function applied to a conjunction is the conjunction of the transitions. Looking at the transition applied to the left hand side conjunction, i.e. conjunctions of initial clauses, we end up with finite branches ending either in $\mathbf{true}$ or $\mathbf{false}$. Here we are considering infinite branches, so we will next consider the right conjunct. Applying the transition function to the right conjunct, we obtain

$$\rho'\Big(\bigwedge_{r_j \in T' \cup E} r_j, V\Big) \wedge \Box\bigwedge_{r_j \in T' \cup E} r_j.$$

The branch containing the right conjunct will keep repeating it infinitely, which is the accepting state in $F$. Considering the left conjunct, from the transition function, the branches derived from step clauses will be finite, ending either in $\mathbf{true}$ or $\mathbf{false}$. However, for sometime clauses, where the transition is $\rho(\Diamond l, V) = \rho(l, V) \vee \Diamond l$, we may have a branch containing $\Diamond l$ infinitely such that at each level of the run after $\Diamond l$ has occurred, $\rho(l, V) = \mathbf{false}$. This infinite branch does not contain a member of $F$ infinitely often. Assume that there is an infinite branch containing $\Diamond l$ in $r$ from level $j$ onwards and that this is from the clause $\bigwedge_i l_i \Rightarrow \Diamond l$ in $T$. From the definition of $\omega$, we have $(\sigma, j) \models \bigwedge_i l_i$, so $(\sigma, j) \models \Diamond l$. Thus, to obtain $\Diamond l$ forever from level $j$ we must have $\rho(l, a_k) = \mathbf{false}$ for all $k \geq j$. Therefore, $l \notin a_k$ and $(\sigma, k) \not\models l$ for $k \geq j$. Then $(\sigma, j) \not\models \Diamond l$, i.e. $\sigma$ is not a model for $T$, contradicting our original assumption. Hence, the run cannot contain infinite branches that do not include a member of $F$ infinitely often.

Thus, $r$ cannot contain branches that end in $\mathbf{false}$ or infinite branches that do not contain a member of $F$ infinitely often, so $r$ must be an accepting run.

To show the other direction, assume that $\tau'(T)$, the translation of a set of $\mathrm{SNF}_{PLTL}$ clauses, $T$, into an alternating automaton, has an accepting run, $r$, on an infinite word, $\omega = a_0, a_1, a_2, \ldots$, such that $a_i \in 2^\Sigma$. We show how to construct a model for $T$. Construct a model $\sigma$ such that $(\sigma, j) \models p$ for all $p$ such that $p \in a_j$, and $(\sigma, j) \models \neg p$ for all $p$ such that $p \in \Sigma \setminus a_j$. We show that $\sigma$ is a model for all clauses in $T$. We consider clauses in turn by their type, i.e. initial, step and sometime:

• $\mathbf{start} \Rightarrow \bigvee_i l_i$;

• $\bigwedge_k l_k \Rightarrow \bigcirc\bigvee_i l_i$;

• $\bigwedge_k l_k \Rightarrow \Diamond l$.

If a clause $\mathbf{start} \Rightarrow \bigvee_i l_i$ is in $T$, this clause becomes a conjunct of the initial state. The transition function $\rho(\bigvee_i l_i, a_0)$ cannot lead to $\mathbf{false}$, as $r$ is an accepting run, so $\rho(\bigvee_i l_i, a_0) = \mathbf{true}$, so $l_i \in a_0$ for some $l_i$. Hence, by construction, in the model $\sigma$, $(\sigma, 0) \models l_i$, so $(\sigma, 0) \models \bigvee_i l_i$ and $(\sigma, 0) \models \mathbf{start} \Rightarrow \bigvee_i l_i$ as required.

Next assume that a clause $\bigwedge_k l_k \Rightarrow \bigcirc\bigvee_i l_i$ is in $T$. From the transition function for $\Box$, there is a copy of the step and sometime clauses at each level in the run. Consider some arbitrary level $j \geq 0$. First assume that for some $k$, $l_k \notin a_j$. We have $(\sigma, j) \not\models \bigwedge_k l_k$ and the clause considered is satisfied in $\sigma$. Otherwise, assume that all $l_k \in a_j$, and in the model $(\sigma, j) \models \bigwedge_k l_k$. In $r$ the transition function $\rho(\bigvee_i l_i, a_{j+1})$ cannot lead to $\mathbf{false}$, as $r$ is an accepting run, so $\rho(\bigvee_i l_i, a_{j+1}) = \mathbf{true}$. Therefore, $l_i \in a_{j+1}$ for some $l_i$. Hence, by construction of $\sigma$, we have $(\sigma, j+1) \models l_i$, so $(\sigma, j+1) \models \bigvee_i l_i$, and $(\sigma, j) \models \bigwedge_k l_k \Rightarrow \bigcirc\bigvee_i l_i$ as required.

Finally, assume that a clause $\bigwedge_k l_k \Rightarrow \Diamond l$ is in $T$. As mentioned above, from the transition function for $\Box$, there is a copy of the step and sometime clauses at each level in the run. Consider an arbitrary level $j \geq 0$. First assume that for some $k$, $l_k \notin a_j$. We have $(\sigma, j) \not\models \bigwedge_k l_k$, and the clause considered is satisfied. Otherwise, assume that all $l_k \in a_j$ and in the model $(\sigma, j) \models \bigwedge_k l_k$. As $r$ is an accepting run, we are not allowed to have $\Diamond l$ infinitely along a branch. Consider the transition function for $\Diamond l$, i.e. $\rho(\Diamond l, V) = \rho(l, V) \vee \Diamond l$. At some point, say $m$, we must have $\rho(l, a_m) = \mathbf{true}$, so $l \in a_m$. Thus, $(\sigma, m) \models l$ for some $m \geq j$. Again, $(\sigma, j) \models \bigwedge_k l_k \Rightarrow \Diamond l$ as required. We have shown how to construct a model from an accepting run and the theorem follows. □

10. Discussion

10.1. Alternating automata to $\mathrm{SNF}_{PLTL}$

Here we compare the translation of an alternating automaton into $\mathrm{SNF}_{PLTL}$ with translations into Büchi automata.

A Büchi automaton $A$ is $(\Sigma, S, S_0, \rho, F)$ where $\Sigma$ is the alphabet, $S$ is the set of states, $S_0 \subseteq S$ is a nonempty set of initial states, $F \subseteq S$ is the set of accepting states, and $\rho : S \times \Sigma \to 2^S$ is a transition function. A run of $A$ on an infinite word $w = a_0, a_1, \ldots$ is a sequence $s_0, s_1, \ldots$ where $s_0 \in S_0$ and $s_{i+1} \in \rho(s_i, a_i)$ for all $i \geq 0$. A run $r$ is accepting if there is some accepting state that repeats in $r$ infinitely often.

Translations from alternating automata on infinite words to Büchi automata on infinite words are known – see for example [16,19] – such that the sets of infinite words accepted by each are the same.

Theorem 3 ([16]). Given an alternating automaton $A = (\Sigma, S, s_0, \rho, F)$ we can construct a non-deterministic Büchi automaton, $A_n$, with $2^{O(|S|)}$ states, such that the set of infinite words accepted by $A$ is the same as those accepted by $A_n$.

Note there is an exponential increase in the number of states.


Theorem 4 ([20]).

(1) The non-emptiness problem for a non-deterministic Büchi word automaton is decidable in linear time [11,12].

(2) The non-emptiness problem for a non-deterministic Büchi word automaton of size $n$ is decidable in space $O(\log^2 n)$ [18].

Thus, to carry out a non-emptiness check on an alternating automaton, from Theorems 3 and 4 we could translate an alternating automaton into a Büchi automaton that recognises the same set of infinite words and then perform a non-emptiness check on the resulting Büchi automaton.
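As an added illustration (not code from the paper), the following Python implements the linear-time non-emptiness check of Theorem 4(1) on a Büchi automaton in the form defined above: the language is non-empty exactly when an accepting state lies on a cycle reachable from an initial state, found here with Tarjan's strongly connected components algorithm. The automaton and its transition table at the end are constructed for this example.

```python
"""Buchi non-emptiness check (added example, not from the paper).

A = (Sigma, S, S0, rho, F) accepts some infinite word iff an accepting
state lies on a cycle reachable from an initial state.  Reachable cycles
are found with Tarjan's SCC algorithm, linear in the automaton's size.
"""
from collections import defaultdict
from typing import Dict, Hashable, Iterable, List, Optional, Set, Tuple

State = Hashable
# rho : S x Sigma -> 2^S, stored as {(state, letter): set of states}
Transitions = Dict[Tuple[State, Hashable], Set[State]]


def state_graph(rho: Transitions) -> Dict[State, Set[State]]:
    """Forget the letters: for emptiness only the state graph matters."""
    graph: Dict[State, Set[State]] = defaultdict(set)
    for (src, _letter), targets in rho.items():
        graph[src] |= set(targets)
    return graph


def reachable_sccs(graph: Dict[State, Set[State]],
                   roots: Iterable[State]) -> List[Set[State]]:
    """Iterative Tarjan: SCCs of the part of `graph` reachable from `roots`."""
    index: Dict[State, int] = {}
    low: Dict[State, int] = {}
    stack: List[State] = []
    on_stack: Set[State] = set()
    sccs: List[Set[State]] = []
    for root in roots:
        if root in index:
            continue
        index[root] = low[root] = len(index)
        stack.append(root); on_stack.add(root)
        work = [(root, iter(graph.get(root, ())))]   # explicit DFS stack
        while work:
            node, succ_iter = work[-1]
            descended = False
            for nxt in succ_iter:
                if nxt not in index:                 # tree edge: go deeper
                    index[nxt] = low[nxt] = len(index)
                    stack.append(nxt); on_stack.add(nxt)
                    work.append((nxt, iter(graph.get(nxt, ()))))
                    descended = True
                    break
                if nxt in on_stack:                  # back edge inside an SCC
                    low[node] = min(low[node], index[nxt])
            if descended:
                continue
            work.pop()                               # all successors handled
            if work:
                parent = work[-1][0]
                low[parent] = min(low[parent], low[node])
            if low[node] == index[node]:             # node is an SCC root
                component: Set[State] = set()
                while True:
                    member = stack.pop(); on_stack.discard(member)
                    component.add(member)
                    if member == node:
                        break
                sccs.append(component)
    return sccs


def accepting_cycle_state(initial, rho, accepting) -> Optional[State]:
    """An accepting state on a reachable cycle, or None if L(A) is empty."""
    graph = state_graph(rho)
    for component in reachable_sccs(graph, initial):
        # a single state forms a cycle only if it carries a self-loop
        cyclic = len(component) > 1 or any(s in graph.get(s, ()) for s in component)
        witnesses = component & set(accepting)
        if cyclic and witnesses:
            return min(witnesses, key=repr)          # deterministic choice
    return None


def is_nonempty(initial, rho, accepting) -> bool:
    return accepting_cycle_state(initial, rho, accepting) is not None


# Constructed automaton over Sigma = {a, b}: q0 loops on a and may move to
# q1 on a; q1 -b-> q2; q2 loops on b; q3 is a dead end reached from q2 on a.
INITIAL = {"q0"}
RHO: Transitions = {
    ("q0", "a"): {"q0", "q1"},
    ("q1", "b"): {"q2"},
    ("q2", "b"): {"q2"},
    ("q2", "a"): {"q3"},
}

if __name__ == "__main__":
    print(is_nonempty(INITIAL, RHO, {"q2"}))   # True: a b b b ... is accepted
    print(is_nonempty(INITIAL, RHO, {"q1"}))   # False: q1 lies on no cycle
    print(is_nonempty(INITIAL, RHO, {"q3"}))   # False: q3 is a dead end
```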

Theorem 5 ([19]). Checking non-emptiness for alternating automata on infinite words via a translation to Büchi automata is decidable in exponential time.

Next we consider the cost of the translation into $\mathrm{SNF}_{PLTL}$ and temporal resolution applied to this set of clauses.

Theorem 6. The translation from an alternating automaton $A = (\Sigma, S, s_0, \rho, F)$ into $\mathrm{SNF}_{PLTL}$ produces $m$ clauses (initially) where $m$ is polynomial in $|S|$.

Proof. We consider the number of clauses obtained from each element of the translation.

• 1 for $\mathbf{start} \Rightarrow s_0^b$.

• 3 for $\mathbf{start} \Rightarrow \Box\Diamond\neg e$. This formula can be translated into $\mathrm{SNF}_{PLTL}$ as

$$\mathbf{start} \Rightarrow x$$

$$x \Rightarrow \bigcirc x$$

$$x \Rightarrow \Diamond\neg e$$

where $x$ is a new propositional variable.

• $2(|S| + 1)$ for the definition of $e$ ($e \Leftrightarrow s_0^b \vee \ldots \vee s_n^b$):

$$\mathbf{start} \Rightarrow \neg e \vee s_0^b \vee \ldots \vee s_n^b$$

$$\mathbf{true} \Rightarrow \bigcirc(\neg e \vee s_0^b \vee \ldots \vee s_n^b)$$

and the following for each $i = 0, \ldots, n$:

$$\mathbf{start} \Rightarrow \neg s_i^b \vee e$$

$$\mathbf{true} \Rightarrow \bigcirc(\neg s_i^b \vee e).$$

• For each entry in the transition table we obtain at least three clauses from the translation given in (4). However, applying (4) may result in the right hand side not being a disjunction of literals, as the structure (of the underlying positive Boolean formulae) is preserved by applying the TRANS and TRANS1 translations. Assuming that the right hand sides are as simple as possible, the maximum number of clauses that we may obtain for each of the translations in (4) is $|S|$. The size of the transition table is $|S| \times |\Sigma|$; hence we obtain at most $3 \times |S|^2 \times |\Sigma|$ clauses.


Theorem 7 ([15]). Checking the satisfiability using temporal resolution given a set of clauses is decidable in exponential time.¹

Thus, in order to carry out a non-emptiness check on an alternating automaton, from Theorem 1 we could translate an alternating automaton into a set of $\mathrm{SNF}_{PLTL}$ clauses that is satisfiable if, and only if, the alternating automaton has an accepting run. Applying the temporal resolution method to the resulting set of clauses, if $\mathbf{false}$ is derived there was no accepting run of the original alternating automaton; otherwise there was one.

Theorem 8. Checking the non-emptiness of alternating automata on infinite words via translation to $\mathrm{SNF}_{PLTL}$ and temporal resolution is decidable in exponential time.

Proof. From Theorems 6 and 7.

10.2. $\mathrm{SNF}_{PLTL}$ to alternating automata

In Section 7 we provided a translation explicitly from $\mathrm{SNF}_{PLTL}$ to alternating automata that utilises the structure of the formulae in normal form. In this section we examine the differences and similarities between the construction provided here and those given in [19]. Let $R$ be a set of $\mathrm{SNF}_{PLTL}$ clauses such that $I \subseteq R$ are initial clauses, $T \subseteq R$ are step clauses, and $E \subseteq R$ are sometime clauses, and let $P$ be the set of propositional symbols in $R$. Let

$$\mathrm{Form}(R) = \bigwedge_{r_i \in I} r_i \wedge \Box\bigwedge_{r_j \in T \cup E} r_j.$$

Let $\mathrm{Form}(R')$ be the same as $\mathrm{Form}(R)$ except with the initial clauses of the form $\mathbf{start} \Rightarrow a$ replaced by $a$. We do this as the operator $\mathbf{start}$ is not mentioned in [19].

Let $A_R = (L, S, s_0, \rho, F)$ be the alternating automaton constructed from the method in this paper and $A'_{R'} = (L', S', s'_0, \rho', F')$ be the construction from [19]. In both constructions $L = L' = 2^P$ and the initial states are $s_0 = \mathrm{Form}(R)$ and $s'_0 = \mathrm{Form}(R')$. Thus the initial states are the same apart from the removal of "$\mathbf{start} \Rightarrow$" from the initial clauses. The size of the set of states $S$ of $A_R$ is at most 2 (a state representing $\mathrm{Form}(R)$ and a state representing "always" the conjunction of the step and sometime clauses) plus the number of step and sometime clauses. The number of states

$$|S| \leq |T| + |E| + 2.$$

The set of states $S'$ consists of the subformulae of $\mathrm{Form}(R')$ and their negations. Let $\mathrm{len}(\varphi)$ be defined as the number of propositional symbols or operators in $\varphi$ excluding negation. The number of states $|S'| \leq 2 \times \mathrm{len}(\mathrm{Form}(R'))$.

Theorem 9. Given a set of $\mathrm{SNF}_{PLTL}$ formulae $R$ in their simplest form, let $R'$ be the syntactic variant of $R$ described above. Let $S$ be the set of states of an alternating automaton constructed using the method in this paper and $S'$ be the set of states constructed using the method in [19]. Then $|S| < |S'|$.

¹ Ref. [15] uses the fusion of PLTL and a number of normal modal logics; however the result holds here if the modal part is empty.


Proof. We prove by induction on the number of clauses in $R$. For the base case let $R$ contain one clause. This must be either an initial, step or sometime clause.

• Let the clause in $R$ be an initial clause of the form $\mathbf{start} \Rightarrow \bigvee_{i=1}^{k} l_i$. From the state definition, $S$ will contain one state, $\mathbf{start} \Rightarrow \bigvee_{i=1}^{k} l_i$. $\mathrm{Form}(R') = \bigvee_{i=1}^{k} l_i$. Thus $|S'| = 2(2k - 1)$ and for all $k \in \mathbb{N}$, $|S| < |S'|$.

• The proof is similar for a step clause of the form $(\bigwedge_{j=1}^{k'} l'_j \Rightarrow \bigcirc\bigvee_{i=1}^{k} l_i)$. The states in $S$ will be the clause itself and $\bigvee_{i=1}^{k} l_i$, i.e. $|S| = 2$. The number of states in $S'$ will be $|S'| \leq 4(k' + k) + 2$. If we assume that clauses are in their simplest form, the smallest this can be is if the left hand side is $\mathbf{true}$ and $|S'| = 4k' + 4$. So $|S| < |S'|$ for $k, k' \in \mathbb{N}$.

• The proof is similar for a sometime clause of the form $(\bigwedge_{j=1}^{k'} l'_j \Rightarrow \Diamond l)$. The states in $S$ will be the clause itself and $\Diamond l$, i.e. $|S| = 2$. If we assume that $l'_j \neq l$ for all $l'_j$, then the number of states in $S'$ will be $|S'| = 2(2k' + 3)$ (essentially two for each symbol except negation). If $l'_j = l$ for some $l'_j$, then the number of states in $S'$ will be $|S'| = 2(2k' + 2)$. So $|S| < |S'|$ for $k' \in \mathbb{N}$.

Assume that there are $n$ clauses in $R$ and we add another clause. Without loss of generality we can assume that both $I$ and $T \cup E$ are non-empty. The case where one set is empty is similar to the base cases.

• For some initial clause $\mathbf{start} \Rightarrow \bigvee_{i=1}^{k} l_i$ we add no new states to $S$. For $S'$ the best case is that $S'$ already contains all the subformulae and negations from $\bigvee_{i=1}^{k} l_i$, in which case we add no new states. Thus, from the induction hypothesis $|S| < |S'|$, this still holds.

• For a step clause of the form $\bigwedge_{j=1}^{k'} l'_j \Rightarrow \bigcirc\bigvee_{i=1}^{k} l_i$ we add at most one state to $S$. Again, for $S'$ the best case is where the subformulae and negations of $\bigwedge_{j=1}^{k'} l'_j$ and $\bigcirc\bigvee_{i=1}^{k} l_i$ are already in $S'$. Hence we would just add two states for the step formula and its negation. From the induction hypothesis, $|S| < |S'|$.

• For a sometime clause of the form $\bigwedge_{j=1}^{k'} l'_j \Rightarrow \Diamond l$ we add at most one state to $S$. Again, for $S'$ the best case is where the subformulae and negations of $\bigwedge_{j=1}^{k'} l'_j$ and $\Diamond l$ are already in $S'$. Hence we would just add two states for the eventuality formula and its negation. From the induction hypothesis, $|S| < |S'|$.

In $A_R$ the set of accepting states $F$ is the formula associated with the set of step and sometime clauses. In [19] the accepting states will be formulae of the form $\neg(A \mathcal{U} B)$ (as the $\Box$ operator is defined as an abbreviation). When applied to a set of $\mathrm{SNF}_{PLTL}$ clauses these will be the same. The translations $\rho$ and $\rho'$ are essentially the same, but that for $\rho$ is given in terms of the format of the $\mathrm{SNF}_{PLTL}$ clauses.

11. Conclusions

We have given translations from alternating automata into a particular temporal logic normal form, $\mathrm{SNF}_{PLTL}$, and vice versa, such that an alternating automaton has an accepting run if, and only if, the corresponding set of $\mathrm{SNF}_{PLTL}$ clauses is satisfiable. In particular, this result is useful in providing a method for checking the non-emptiness of alternating automata. As we mentioned, the direct method of checking non-emptiness of these automata would require traversal of corresponding AND/OR trees, which is a complex procedure [8]. Alternatively, non-emptiness can be checked by, for example, giving a translation into a (non-deterministic) Büchi automaton (see [19,16]) and doing the non-emptiness check there. The results of this paper enable us to view the clausal temporal resolution method [14] as another method for checking non-emptiness of alternating automata: given an alternating automaton, translate it into $\mathrm{SNF}_{PLTL}$ and then apply temporal resolution to the clauses obtained. If the clauses obtained are unsatisfiable, then there is no accepting run. Note also that, although the translations of alternating automata into Büchi automata are exponential, the translation established in this paper is polynomial in the number of states. However, once the Büchi automaton has been constructed, the check for an accepting run is linear, whereas temporal resolution is more costly (exponential). The use of strategies to guide the refutation search may avoid the worst-case complexity in many cases.

References

[1] H. Barringer, M. Fisher, D. Gabbay, R. Owens, M. Reynolds (Eds.), The Imperative Future: Principles of Executable Temporal Logic, Research Studies Press, 1996.

[2] A. Bolotov, Clausal resolution for extended computation tree logic ECTL, in: M. Reynolds, A. Sattar (Eds.), Proceedings of the Tenth International Symposium on Temporal Representation and Reasoning and the Fourth International Conference on Temporal Logic, TIME-ICTL 2003, July 2003, Cairns, Australia, IEEE Computer Society Press, 2003, pp. 110–117.

[3] A. Bolotov, A. Basukoski, A clausal resolution method for CTL branching-time logic ECTL+, in: Proceedings of TIME 2004, the Eleventh International Symposium on Temporal Representation and Reasoning, July 2004, Tatihou, Normandie, France, IEEE Computer Society Press, 2004.

[4] A. Bolotov, M. Fisher, A clausal resolution method for CTL branching time temporal logic, Journal of Experimental and Theoretical Artificial Intelligence 11 (1999) 77–93.

[5] A. Bolotov, M. Fisher, C. Dixon, On the relationship between ω-automata and temporal logic normal forms, Journal of Logic and Computation 12 (4) (2002) 261–581.

[6] J. Brzozowski, E. Leiss, Finite automata, and sequential networks, Theoretical Computer Science 10 (1980) 19–35.

[7] A. Chandra, D. Kozen, L. Stockmeyer, Alternation, ACM Journal 28 (1) (1981) 114–133.

[8] P. Dasgupta, P.P. Chakrabarti, S.C. DeSarkar, Multi-objective heuristic search in AND/OR graphs, Journal of Algorithms 20 (2) (1996) 282–311.

[9] C. Dixon, M. Fisher, M. Wooldridge, Resolution for temporal logics of knowledge, Journal of Logic and Computation 8 (3) (1998) 345–372.

[10] E.A. Emerson, Temporal and modal logic, in: J. van Leeuwen (Ed.), Handbook of Theoretical Computer Science, Elsevier Science Publishers B.V., Amsterdam, The Netherlands, 1990, pp. 996–1072.

[11] E.A. Emerson, C.-L. Lei, Modalities for model checking: Branching time logic strikes back, in: Proceedings of the Twelfth ACM Symposium on the Principles of Programming Languages, January 1985, pp. 84–96.

[12] E.A. Emerson, C.-L. Lei, Temporal model checking under generalized fairness constraints, in: Proceedings of the Eighteenth Hawaii International Conference on System Sciences, 1985, pp. 277–288.

[13] M. Fisher, A normal form for temporal logic and its application in theorem-proving and execution, Journal of Logic and Computation 7 (4) (1997) 429–456.

[14] M. Fisher, C. Dixon, M. Peim, Clausal temporal resolution, ACM Transactions on Computational Logic 2 (1) (2001) 12–56.

[15] U. Hustadt, C. Dixon, R.A. Schmidt, M. Fisher, Normal forms and proofs in combined modal and temporal logics, extended version of the paper with the same name and authors published in: Proceedings of the Third International Workshop on Frontiers of Combining Systems, FroCoS'2000, in: LNAI, vol. 1794, Springer, 2000.

[16] S. Miyano, T. Hayashi, Alternating finite automata on ω-words, Theoretical Computer Science 32 (1984) 321–330.

[17] N.J. Nilsson, Problem-Solving Methods in Artificial Intelligence, McGraw-Hill, New York, 1971.

[18] M. Vardi, P. Wolper, Reasoning about infinite computations, Information and Computation 115 (1) (1994) 1–37.

[19] M.Y. Vardi, An automata-theoretic approach to linear temporal logic, in: Proceedings of the VIII Banff Higher Order Workshop, in: Lecture Notes in Computer Science, vol. 1043, Springer-Verlag, 1996, pp. 238–266.

[20] M.Y. Vardi, Alternating automata: Checking truth and validity for temporal logics, in: Proceedings of the 14th International Conference on Automated Deduction, in: Lecture Notes in Artificial Intelligence, vol. 1249, Springer-Verlag, 1997, pp. 191–206.