Invariance Under Stuttering in Branching-Time Temporal Logic
Ron Gross
Technion - Computer Science Department - M.Sc. Thesis MSC-2008-19 - 2008
Submitted to the Senate of the Technion – Israel Institute of Technology, Sivan 5768, Haifa, June 2008



Invariance Under Stuttering in Branching-Time Temporal Logic

Research Thesis

Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in Computer Science

Ron Gross (ron.gross@gmail.com)

Submitted to the Senate of the Technion – Israel Institute of Technology

Sivan 5768, Haifa, June 2008


The research thesis was done under the supervision of Assoc. Prof. Michael Kaminski in the Department of Computer Science.

I would like to deeply thank my supervisor, Assoc. Professor Michael Kaminski, for his continued professional and personal guidance and for his patience with my work. Working with you has been a very pleasant experience for me. Thank you for urging me not to compromise and helping me maintain a high standard of work. In addition, I wish to thank my examiners, Orna Grumberg and Orna Kupferman, for their thorough examination of this thesis and for their helpful comments.

On a personal note, I wish to deeply acknowledge the support of my family and especially that of my parents, for teaching me about math and science and encouraging me to pursue my quest for knowledge and understanding.

I would also like to thank my partner Aya, for constantly reminding me of the important things in life and never allowing me to lose sight of my objectives.

The generous financial help of the Technion is gratefully acknowledged.


Contents

Abstract

Notation and Abbreviations

1 Introduction

2 Syntax and Semantics of Propositional CTL*
  2.1 Syntax of Propositional CTL*
  2.2 Semantics of Propositional CTL*

3 A Branching-Time Ehrenfeucht-Fraïssé Game

4 Stutter Equivalence
  4.1 Motivation
  4.2 Stutter Operations
  4.3 Finite Stuttering
  4.4 Infinite Stuttering
  4.5 Unstuttering Sequences
  4.6 Existence of An Upper Bound
  4.7 Lower Bound
  4.8 Stutter Equivalence of Branching Time Structures

5 "Next"-free Formulas do not Express Stutter Invariance

6 Branching-Time General Temporal Logic of Actions
  6.1 Syntax of General Temporal Logic of Actions
  6.2 Branching-time General Temporal Logic of Actions
  6.3 Stutter-Invariance of BGTLA

7 Algorithmic Checking of Stutter-Equivalence
  7.1 Stutter-Equivalence of Finite Kripke Structures
  7.2 Stutter-Equivalence of Infinite Structures is not Contained in RE ∪ co-RE

8 Open Problems

Appendices

A Proofs of Auxiliary Statements for Chapter 4

B Proofs of Auxiliary Statements for Chapter 5

C Proofs of Auxiliary Statements for Chapter 7

Bibliography


List of Figures

4.1 Width Stuttering
4.2 Height Stuttering
4.3 Example 4.2.4 – Truth Value Changed by Allowing I′3 ⊆ I′2
4.4 First Model of the Execution Tree
4.5 Refined Model of the Execution Tree
4.6 Limitations of Finite Stuttering
4.7 Infinite Stuttering Sequences Add Halted Paths
4.8 A Stuttering Sequence Without an Unstuttering Sequence
4.9 A Lower Bound Implies an Upper Bound
4.10 Example 4.6 – A Lower Bound Implies an Upper Bound
4.11 An Upper Bound Does not Imply a Lower Bound
4.12 Transitivity of Stutter Equivalence

5.1 Two Structures Equivalent Under "next"-Free Formulas
5.2 A Substructure for Theorem 5.0.7

6.1 An Unstuttered Structure and a Non-Stutter Step
6.2 Two Stutter Equivalent Structures
6.3 BGTLA's ◇-Rule
6.4 BGTLA's ∃◇-Rule

7.1 Kripke Structure Height Stuttering
7.2 Kripke Structure Width Stuttering
7.3 Two Stutter-Equivalent Structures Without a Common Upper Bound
7.4 The Finite Representative
7.5 A Repetitive Structure
7.6 A Canonical Structure Equivalent to the one in Figure 7.4
7.7 A Computable Structure With No Matching Finite Kripke Structure

C.1 Partitioning of IU
C.2 The Structures {Ik}
C.3 The Special Case I0
C.4 The Structure I∞


Abstract

Invariance under temporal stuttering is a useful and attractive feature of specifications and specification languages. Linear stuttering has been intensively studied, and several languages for expressing linear stutter-invariant properties are known from the literature. However, less work has been done on branching-time stuttering. A definition of branching-time stuttering was proposed by Browne, Clarke and Grumberg. It is arguable whether this definition is the "right" definition of branching-time stutter-equivalence.

We come up with an alternative definition of branching-time stuttering based on stuttering steps. We show that, for our definition, the "next-time" operator is required in order to express some stutter-invariant properties in the logic CTL*, using an Ehrenfeucht-Fraïssé game for CTL*. We then introduce BGTLA, a stutter-invariant extension of the Temporal Logic of Actions for branching time.

Finally, we present some results on algorithmic testing of stutter equivalence, both for general temporal structures and for the special case of finite Kripke structures.


Notation and Abbreviations

• V = {p1, p2, . . . , pn} is a finite set of flexible propositional variables.

• The formulas of CTL* are the closure of V under the operators ¬, ∧, ◦, ∃, U.

• We abbreviate some CTL* formulas (these are the same abbreviations as in Section 2.1; note that with the strong "until" of Section 2.2, □ must be defined through ◇ and not as ϕU⊥, which is never satisfied):

  ϕ ∨ ψ ≜ ¬(¬ϕ ∧ ¬ψ)

  ⊥ ≜ p1 ∧ ¬p1

  ⊤ ≜ ¬⊥

  ϕ → ψ ≜ ¬ϕ ∨ ψ

  ϕ ↔ ψ ≜ (ϕ → ψ) ∧ (ψ → ϕ)

  ◇ϕ ≜ ⊤Uϕ

  □ϕ ≜ ¬◇¬ϕ

  ∀ϕ ≜ ¬∃¬ϕ

• For a structure I and a state s ∈ I we denote by Is the substructure of I starting at s.

• For a path π = (s0, s1, . . .) we denote by πsi or π+i the suffix of π starting at si.

• We denote sequences either by specifying some values, as in (I0, I1, . . .), or by using an index (Ii).

• We denote sequences of sequences by double-indexing, as in ((Ii)j).

• For an assignment v, its characterizing formula is denoted βv.

• For every pi, we denote by vpi the assignment assigning true to pi and false to all other variables. Then βi is used as a shorthand for βvpi.

• 〈ϕ〉ψ is the GTLA operator ϕ ∧ (ψ ≠ ◦ψ) (in GTLA ψ has to be a combination of propositional variables; we allow any stutter-invariant formula as ψ).

• [ϕ]ψ is the dual operator to 〈〉, and is defined as ϕ ∨ (ψ ≡ ◦ψ).

• RE is the set of recursively enumerable languages.

• co-RE is the set of languages whose complement is in RE.


Chapter 1

Introduction

A stuttering of a linear temporal structure is another linear structure obtained from it by replicating some of its states. The unstuttering of a structure is the structure obtained by removing all stuttering steps, or replicated states, from the original structure. Two linear structures are called stutter-equivalent if they have the same unstuttering. A temporal formula or specification is stutter-invariant if it does not distinguish between stutter-equivalent structures.

Stutter-invariance is an attractive feature in formal verification of concurrent systems, because stutter-invariant properties are preserved between different levels in hierarchical specifications of concurrent systems [16, 7, 3] and it enables easier model checking via partial order reductions [11]. In addition, it is useful for concurrent program verification, where program threads can be suspended at arbitrary points during the run of a program, and the truth-value of formulas that are not stutter-invariant may change because of such context switches.

The propositional linear temporal logic PLTL is commonly used to describe properties of individual runs of concurrent systems. Stuttering in PLTL is well understood, and several sub-logics of PLTL that express only stutter-invariant properties are known. One example of a stutter-invariant logic is the generalized temporal logic of actions GTLA, which is semantically equivalent to the stutter-invariant part of PLTL−U, PLTL without the "until" operator [8], [12]. Another such example is PLTL−◦, PLTL without the "next" operator, which was shown to be equivalent to the stutter-invariant fragment of PLTL in [14].

Linear-time temporal logic can only express properties of concurrent systems related to some definite runs of the system. Properties dealing with different possible execution flows cannot be expressed in linear temporal logics. An example of such a property is that a sent message can always be either delivered or lost. Branching-time temporal logics are better suited to expressing such properties. Branching-time stuttering has been defined and studied in [1], [6], [5] and [13]. The usual definition, found in [1], is:

Definition 1.0.1. (from [1]) Given two Kripke structures M, M′ with the same set of atomic propositions, we define a sequence of equivalence relations E0, E1, . . . on S × S′ (the sets of states in M, M′) as follows:

• (s, s′) ∈ E0 if and only if L(s) = L(s′) (s and s′ have the same assignment).

• (s, s′) ∈ En+1 if and only if:

  1. For every path π in M that starts in s there is a path π′ in M′ that starts in s′, a partition B1, B2, . . . of π, and a partition B′1, B′2, . . . of π′ such that, for all j ∈ ℕ, Bj and B′j are both nonempty and finite, and every state in Bj is En-related to every state in B′j, and

  2. For every path π′ in M′ starting in s′ there is a path π in M starting in s that satisfies the same conditions as in (1).

We will say that two paths π and π′ s-correspond if they satisfy condition (1) above. Our notion of equivalence with respect to stuttering is defined as follows: (s, s′) ∈ E if and only if (s, s′) ∈ Ei for all i ≥ 0. Furthermore, we say that M with initial state s0 is equivalent to M′ with initial state s′0 if (s0, s′0) ∈ E.

Definition 1.0.1 is an iterative definition of stutter-equivalence: every En+1 refines En, and E is their intersection. The same relation E can therefore be defined as a (greatest) fixed point:

Definition 1.0.2. The relation E is the maximal relation on S × S′ such that, whenever (s, s′) ∈ E:

• L(s) = L(s′), and

• for every path π starting at s there exists a path π′ starting at s′ and a partitioning of π and π′ into finite, nonempty and consecutive parts (Bi) and (B′i) respectively, such that for every k ≥ 0 and for every pair of states (t, t′) ∈ Bk × B′k, (t, t′) ∈ E; and symmetrically, for every path π′ starting at s′ there exists a path π starting at s with the same property.


Using either definition, the following corollary follows:

Corollary 1.0.3. Given two Kripke structures M and M′ with initial states s0 and s′0 respectively, (s0, s′0) ∈ E if and only if, for all CTL* formulas f without the "next" operator, (M, s0) |= f ⇔ (M′, s′0) |= f.

However, we argue that the above definition is not the only intuitive generalization of linear-time stuttering. We propose an alternative definition of branching-time stuttering based on two stuttering steps, and show that it defines a different, more restrictive stutter equivalence relation.

The work is organized as follows: In Chapter 2 we recall the commonly used logic CTL*. In Chapter 3 we define an Ehrenfeucht-Fraïssé game for CTL*, which we use in later chapters in order to obtain some equivalence results. In Chapter 4 we introduce an alternative definition of branching-time stuttering based on stuttering steps, and support it by showing that it has some desirable properties. In Chapter 5 we use an Ehrenfeucht-Fraïssé game to show that the "next-time" operator ◦ is required for expressing some CTL* stutter-invariant properties, in contrast with linear-time logic. In Chapter 6 we define a rich stutter-invariant generalization of the General Temporal Logic of Actions that can express only stutter-invariant branching-time properties. In Chapter 7 we investigate some algorithmic properties of stutter-invariance. We conclude in Chapter 8 with a few open problems.


Chapter 2

Syntax and Semantics of Propositional CTL*

In this chapter we recall the syntax and semantics of propositional CTL*.

2.1 Syntax of Propositional CTL*

In this section we define propositional CTL* formulas (first order CTL*formulas can be defined by adding non-propositional variables and the exis-tential and universal quantifiers).

• Let V = {p1, p2 . . . pn} be a finite set of flexible propositional variables.Then for each i ∈ {1 . . . n}, pi is an atomic formula.

• If ϕ, ψ are formulas, then so are ¬ϕ, ϕ ∧ ψ, ◦ϕ, ∃ϕ and ϕUψ.

We shall use the standard abbreviations:

ϕ ∨ ψ ≜ ¬(¬ϕ ∧ ¬ψ)

⊥ ≜ p1 ∧ ¬p1

⊤ ≜ ¬⊥

ϕ → ψ ≜ ¬ϕ ∨ ψ

ϕ ↔ ψ ≜ (ϕ → ψ) ∧ (ψ → ϕ)

◇ϕ ≜ ⊤Uϕ

□ϕ ≜ ¬◇¬ϕ

∀ϕ ≜ ¬∃¬ϕ

We syntactically identify state formulas as follows:


• The atomic predicates p1 . . . pn are state formulas.

• If ϕ, ψ are state formulas then ¬ϕ and ϕ ∧ ψ are state formulas.

• If ϕ is a path formula then ∃ϕ is a state formula.

• In addition, all CTL* formulas are path formulas.

2.2 Semantics of Propositional CTL*

In this section we define the semantics of propositional CTL* formulas (see [4, page 65]). The informal meanings of the temporal connectives are:

• ◦ϕ: ϕ holds in the next state on the current path.

• ◇ϕ: there exists a future state somewhere on the current path on which ϕ holds.

• □ϕ: on the current path, ϕ always holds.

• ϕUψ: on the current path ϕ holds until ψ does.

• ∃ϕ: there exists some path starting at the current state on which ϕ holds.

• ∀ϕ: on all paths starting at the current state, ϕ holds.

We will now formally define the semantics of CTL* formulas. We represent a tree as a set of states T and a set of edges E that induce a partial order < on T, with the minimal element denoted the root of the tree. A valuation is defined as a mapping from states to sets of atomic variables.

A branching-time temporal interpretation (also called a branching-time structure) is a triplet (T, E, v), where (T, E) is a discrete rooted tree of states, with height ω and finite, potentially unbounded, branching degrees, and v is a valuation function v : T → 2^V. In this thesis, as a shorthand, some of our examples deal with finite trees. Every such tree is interpreted as an infinite tree, with the last state on every branch repeated infinitely to form an infinite linear thread.

The semantics of CTL* can also be directly defined on finite Kripke structures. We prefer to define its semantics on infinite trees, and later induce the semantics on finite Kripke structures, as will be discussed in Chapter 7.

A path in a structure is an increasing sequence of consecutive states starting at the root. The semantics of CTL* formulas is defined with respect to a path π = (s0, s1, . . .) starting at the root s0. For a structure I and a state s ∈ I we denote by Is the substructure of I starting at s, and by π+i or πsi the suffix of π starting at si, namely (si, si+1, . . .). The semantics is defined inductively as follows:

• (I, π) |= pi if and only if pi ∈ v(s0).

• (I, π) |= ϕ ∧ ψ if and only if (I, π) |= ϕ and (I, π) |= ψ.

• (I, π) |= ¬ϕ if and only if (I, π) ⊭ ϕ.

• (I, π) |= ϕUψ if and only if there exists a k ≥ 0 such that (Isi, π+i) |= ϕ for all 0 ≤ i < k and (Isk, π+k) |= ψ.

• (I, π) |= ◦ϕ if and only if (Is1, π+1) |= ϕ.

• (I, π) |= ∃ϕ if and only if there exists a path π′ starting at the root s0 of I such that (I, π′) |= ϕ.

We write I |= ϕ if and only if (I, π) |= ϕ for all paths π starting at the root of I.


Chapter 3

A Branching-Time Ehrenfeucht-Fraïssé Game

For the following chapters we require a tool for showing equivalence between branching-time structures with respect to some fragment of CTL*. For this purpose, in this chapter we define Ehrenfeucht-Fraïssé games for branching-time temporal logic. Linear temporal-logic EF-games were defined in [2], and games for arbitrary branching-time temporal logics were defined in [15]. We give a brief description of an EF game for CTL*, which is an extension of the LTL game with the additional ∃-move.

The k-round game is played by two players, the Spoiler and the Duplicator. The objective of the Duplicator is to prove that two structures are equivalent under certain formulas, and the objective of the Spoiler is to construct a counterexample: a formula of length at most k + 1 satisfied by one structure but not the other.

The game configuration is two temporal structures I0, I1, and one path in each structure, π0 ∈ I0 and π1 ∈ I1. In the 0-round game there are no moves. The Duplicator wins if the roots of I0 and I1 have the same atomic propositions; otherwise the Spoiler wins. In the (k + 1)-round game, the Spoiler chooses a move, then the Duplicator chooses a response, and then a k-round game is played (the U-move involves two consecutive moves, as explained below), with whoever won the k-round game winning the (k + 1)-round game. In what follows, whenever Ia is assigned some substructure of Ia, the corresponding path πa is adjusted to be the induced subpath of πa in the new Ia. The moves are as follows:


• ∃-Move: The Spoiler chooses a ∈ {0, 1} and a path π′a ∈ Ia, and then sets πa to π′a. The Duplicator then chooses a path π′1−a ∈ I1−a and sets π1−a to π′1−a.

• ◇-Move: The Spoiler chooses a ∈ {0, 1} and sa ∈ πa, and then sets Ia to be substructure(Ia, sa). The Duplicator then selects s1−a ∈ π1−a and sets I1−a to be substructure(I1−a, s1−a).

• ◦-Move: The Spoiler chooses a ∈ {0, 1}. Let s0 be the next state on π0 after the root and s1 be the next state on π1 after the root. The Duplicator has no choice in this move, and the structures I0, I1 are set to substructure(I0, s0) and substructure(I1, s1) respectively.

• U-Move: The Spoiler chooses a ∈ {0, 1} and selects a state sa ∈ πa. The Duplicator selects a state s1−a ∈ π1−a. Now, the Spoiler either:

  – sets I0 to its substructure starting at s0 and I1 to its substructure starting at s1, or

  – chooses a new a′ ∈ {0, 1} and a position s′a′ < sa′. If so, the Duplicator then chooses a position s′1−a′ < s1−a′, and then the structures I0, I1 are assigned the substructures at s′0, s′1.

Actually, since ◇ϕ is just shorthand for ⊤Uϕ, the ◇-Move is not needed for this game; we add it in order to visualize the game better using simpler moves.

Definition 3.0.1. A game state is the current configuration, along with anychoices already made by either player for the current move. A strategy is afunction from game states to legitimate move choices (either move selectionby the Spoiler or choices within the current move by either player). A playerP plays according to a strategy S in an instance of the game if in this game,for every game state s where it is P ’s turn to choose, he chooses S(s).

A winning strategy S for a player P in a game is a strategy for which onevery instance of the game where P plays according to S, P wins.

Theorem 3.0.2. If for every natural k, the Duplicator has a winning strat-egy for the k-round EF-game on I0, I1 when the Spoiler may use only a subsetM of the moves, then all CTL* formulas containing only quantifiers and con-nectives in M ∪ {∧,¬} cannot distinguish between I0 and I1.


Proof. The proof follows from the proof in [2] with the additional restriction to only M-moves and the addition of the ∃-Move if ∃ ∈ M. We have not defined a ∧-Move or a ¬-Move because they do not benefit the Spoiler: if formulas ¬ϕ1 and ϕ2 ∧ ϕ3 distinguish between two structures, then so do ϕ1 and either ϕ2 or ϕ3. Since the Duplicator has a winning strategy for every natural k, for every finite formula ϕ that the Spoiler tries to use in order to distinguish between I0 and I1, the Duplicator has a counter strategy for the corresponding (|ϕ| − 1)-round game.


Chapter 4

Stutter Equivalence

In this chapter we define branching-time stutter equivalence and prove it isindeed an equivalence relation.

4.1 Motivation

A linear structure is a branching-time structure with a constant branching degree 1. A linear structure I′ is a stuttering of another linear structure I if it can be obtained from I by replicating some (possibly infinite) subset of its states, where every state is replicated only a finite number of times. Linear stuttering is a partial order on linear structures: if I′ is a stuttering of I, then I < I′. A minimal element under this order is called an unstuttering or unstuttered structure. The equivalence relation generated by this partial order (its reflexive, symmetric and transitive closure) is called stutter equivalence; two linear structures are stutter equivalent exactly when they have the same unstuttering.
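The linear notions above (stuttering, unstuttering, the order I < I′ and the equivalence it generates; the same notions are sketched in the Introduction) are concrete enough to compute. The following is an added example, not code from the thesis: a linear structure is a finite list of valuations with the thesis's convention that the last state repeats forever, the lock-acquisition trace and the scheduler interleaving are constructed inputs, and the function names are this example's own. It also shows, at the level of a single "next" step, why a formula with ◦ is not stutter-invariant while the unstuttering is.

```python
from itertools import groupby

# A linear structure is a finite list of valuations (frozensets of the propositions
# true in each state); as in the thesis, the last state is understood to repeat forever.

def runs(trace):
    """Run-length encode a linear structure: [(valuation, consecutive copies), ...]."""
    return [(v, sum(1 for _ in g)) for v, g in groupby(trace)]

def unstutter(trace):
    """The unstuttering: every run of identical consecutive states collapses to one
    state, i.e. all stuttering steps are removed."""
    return [v for v, _ in runs(trace)]

def stutter(trace, copies):
    """A stuttering of `trace`: state i is replicated copies[i] >= 1 times (finitely)."""
    if len(copies) != len(trace) or any(c < 1 for c in copies):
        raise ValueError("every state is kept at least once and replicated finitely often")
    return [v for v, c in zip(trace, copies) for _ in range(c)]

def is_stuttering_of(stuttered, base):
    """base < stuttered in the linear stuttering order: can `stuttered` be obtained
    from `base` by replicating states?  The run-length encodings must list the same
    valuations and every run of `base` must reappear with at least as many copies.
    The final run is infinite on both sides (repeat-forever convention), so it is
    not compared."""
    rb, rs = runs(base), runs(stuttered)
    if [v for v, _ in rb] != [v for v, _ in rs]:
        return False
    return all(ns >= nb for (_, nb), (_, ns) in zip(rb[:-1], rs[:-1]))

def stutter_equivalent(t1, t2):
    """Stutter equivalence: the two structures have the same unstuttering."""
    return unstutter(t1) == unstutter(t2)

def holds_next(trace, i, prop):
    """(trace, i) |= o prop: `prop` holds in the state after position i."""
    j = min(i + 1, len(trace) - 1)        # the last state repeats forever
    return prop in trace[j]

# Constructed example (not from the thesis): one thread's view of acquiring a lock.
IDLE, REQ, HELD = frozenset(), frozenset({"req"}), frozenset({"req", "held"})
THREAD = [IDLE, REQ, HELD, IDLE]
# The same thread seen in an interleaving where the scheduler suspends it for a few
# steps while requesting and while holding the lock: a stuttering of THREAD.
INTERLEAVED = stutter(THREAD, [1, 3, 2, 1])

if __name__ == "__main__":
    print("unstutter(INTERLEAVED) == THREAD:", unstutter(INTERLEAVED) == THREAD)
    print("THREAD < INTERLEAVED:", is_stuttering_of(INTERLEAVED, THREAD))
    print("o held at position 1:", holds_next(THREAD, 1, "held"), holds_next(INTERLEAVED, 1, "held"))
```

Two traces with the same unstuttering need not be comparable in the order: [IDLE, IDLE, REQ, HELD] and [IDLE, REQ, REQ, HELD] are stutter equivalent, yet neither is a stuttering of the other, which is why the equivalence is the closure of the order and not the order itself.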

Definition 4.1.1. Let L be some logic, F be a fragment of L, and ∼ bean equivalence relation over structures. We say that F expresses ∼ (in L) ifand only if:

1. Every formula ϕ ∈ F is invariant under ∼ – for every two equivalentstructures I ∼ I ′, I |= ϕ if and only if I ′ |= ϕ.

2. For every formula ϕ ∈ L that is invariant under ∼, there exists anequivalent formula ϕ′ in F .


Note that not every property invariant under ∼ can be defined in F, but rather every property that is invariant under ∼ and can be defined in the language of L can also be defined in F.

In linear-time logic, the set of "next"-free formulas expresses stutter-invariance: every "next"-free formula is stutter-invariant, and for every formula defining a stutter-invariant property there is an equivalent "next"-free formula [14].

For a structure I let the "next"-free theory of I be the set of formulas not containing the "next-time" operator and satisfied by I.

Definition 4.1.2. A halted path in a structure I is a path π = (s0, s1, . . .) such that there exists a k such that for all i greater than k, all the substructures {Isi} are identical.

Theorem 4.1.3. Two linear structures I, I′ are stutter equivalent if and only if their "next"-free theories are identical.

The proof of Theorem 4.1.3 is presented in Appendix A. We could use this theorem to define branching-time stutter invariance. However, such a definition would depend on the underlying language and therefore would not be universal. Instead, we wish to arrive at a semantic definition of branching-time stuttering, independent of the formula structure or language in question, based only on the structures under consideration. Unlike [1], we explore a definition based on atomic stuttering operations, instead of an iterated matching of individual states and paths. We will later see that this different definition of stutter-equivalence produces similar yet different results.

While the existing definition of stutter equivalence is helpful in determining when two structures are stutter-equivalent, it does not offer a direct method of producing stutter-equivalent structures, whereas the definition we propose does yield an easy way to produce stutter-equivalent structures from a given structure.

4.2 Stutter Operations

In this section we define two atomic stutter operations. We propose a limitation on possible stutter operations: every stutter operation we use must preserve the truth value of all "next"-free formulas. In other words, if op is a stutter operation, and I′ = op(I, . . .), then for every formula ϕ not containing "next" it must hold that I |= ϕ if and only if I′ |= ϕ.

We define a set of two stutter operations {HS,WS} (Height Stutteringand Width Stuttering). Each of these operation transforms a structure Iinto a stutter-equivalent structure I ′, through a local change in one of thestates of I. We call this state the focus of the operation op and denoteit by focus(op). All the states in I ′ outside the substructure starting atfocus(op) are identical to those in I. We sometimes write I ′ = op(I, s),where s is the focus of op.

4.2.1 Width Stuttering

Definition 4.2.1. Let I be an interpretation, s be a state of I, and sc a childof s. The structure I ′ = WS(I ′, sc) is obtained by copying the substructureIsc and attaching the copy as a new child of s, see Figure 4.1 on page 15.

For I′ = WS(I, sc) and a path π_I ∈ I, let π_I′ be the same path in I′. Any path going through sc in I is also copied a second time in I′, and we denote its second copy by π*_I′.

Lemma 4.2.2. If I′ = WS(I, sc), then for all formulas ϕ and paths π_I ∈ I, (I, π_I) |= ϕ if and only if (I′, π_I′) |= ϕ, and if π*_I′ is defined then (I, π_I) |= ϕ if and only if (I′, π*_I′) |= ϕ.

The proof of Lemma 4.2.2 is presented in Appendix A.

4.2.2 Height Stuttering

Definition 4.2.3. Let I be an interpretation, s be a state in I, and Cs be a subset of the children of s. The interpretation I′ = (T′, E′, v′) = HS(I, s, Cs) is obtained by replacing s with two new states s′, s′′ such that:

• If s is not the root of I and sp is its parent, then (sp, s′) ∈ E ′.

• There is an edge (s′, s′′) ∈ E′.

• For every state sc that is a child of s, (s′′, sc) ∈ E ′.

• For every state sc ∈ Cs, a new copy of I_sc is now a successor of s′.


Figure 4.1: Width Stuttering


Figure 4.2: Height Stuttering


Figure 4.3: Example 4.2.4 – Truth Value Changed by Allowing I′3 ⊆ I′2

The valuation is adjusted such that v′(s′) = v′(s′′) = v(s) and all other states copied from I retain their valuation, see Figure 4.2 on page 16.

For an interpretation I and a state s ∈ I, we write I \ s for the structure received from I by removing s and all its descendants. If s ∉ I then I \ s = I.

For a finite set of states S = {s1, s2, ..., sn}, we define I \ S ≜ (((I \ s1) \ s2) ... \ sn) (the order of the elements in S does not matter). We write I′ ⊆ I if there exists a finite set of states S such that I′ = I \ S.

Let I′ = HS(I, s, Cs) for some structure I. Let I′2 = I′_s′ \ s′′ and I′3 = I′_s′′.

We have defined HS so that I′2 ⊆ I′3 but not I′3 ⊆ I′2, because if we allowed I′3 ⊆ I′2, then the truth value of some "next"-free formulas would not be preserved, as shown by the following example.

Example 4.2.4. In Figure 4.3 on page 17, if we defined HS by allowing any I′3 ⊆ I′2, then the formula A□(p1 → ∃◇p3) would be satisfied by I, but not by I′.

We shall demonstrate the motivation for allowing I′3 ⊈ I′2. Assume that the instruction concurrently means "execute the nested instructions concurrently and wait until all are completed", that exit immediately exits the entire program regardless of any open concurrent operations, and that synchronized blocks are guaranteed atomicity. Let us analyze the following non-deterministic program:


Figure 4.4: First Model of the Execution Tree

    state = A;
    concurrently
    {
        if op_B() then synchronized
        {
            state = B;
            exit;
        }
        if op_C() then synchronized
        {
            state = C;
            exit;
        }
    }
    state = D;

A possible representation of this program's execution tree is given in Figure 4.4 on page 19.

Suppose that we have the additional information that operation B may take 1 to 10 seconds to complete, and that operation C can take 5 to 10 seconds. The above diagram is still correct, but a more refined diagram can be obtained by applying a partial HS operation, as shown in Figure 4.5 on page 20. The refinement is expressed in the second copy of A, with the only allowed transitions being to the second copy of B or to the original copy of A.

Thus, the application of HS with I′2 ⊂ I′3 allows us to obtain refined execution trees of concurrent programs, analogously to how linear stuttering can express refinement of single runs of programs.

Figure 4.5: Refined Model of the Execution Tree

Let I′ = HS(I, s, Cs) and π_I be a path in I. If s ∉ π_I, then let π_I′ = π_I; otherwise π_I′ is obtained from π_I by replacing the state s with the pair of states (s′, s′′). If some state t ∈ Cs is on π_I, we additionally define π*_I′ as the path in I′ starting with π_I, continuing up to s′, and then ending with the second copy of the suffix of π_I.

Lemma 4.2.5. If I′ = HS(I, s, Cs), then for every formula ϕ that does not contain ◦ and for every path π_I ∈ I, (I, π_I) |= ϕ if and only if (I′, π_I′) |= ϕ, and if π*_I′ is defined then (I, π_I) |= ϕ if and only if (I′, π*_I′) |= ϕ.

The proof of Lemma 4.2.5 is presented in Appendix A. Note that unlike WS, the operation HS does not preserve the truth values of some formulas containing ◦, for example ◦p1. In Chapter 6 we define a subset of CTL* that includes formulas with ◦ that are preserved under the HS operation.

Proposition 4.2.6. If I′ is obtained from I by a single application of either HS or WS, then for all "next"-free formulas ϕ, I |= ϕ ⇔ I′ |= ϕ.

Proof. The proposition follows directly from the lemmas.
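As an added illustration (our own code, not from the thesis), the following Python models finite tree interpretations, implements WS and HS as in Definitions 4.2.1 and 4.2.3, and checks on a constructed sample structure that the "next"-free formula A□(p1 → ∃◇p3) keeps its value under both operations while ∃◦p1 changes under HS, as noted after Lemma 4.2.5. The function hs_unsound is our own construction of the reverse inclusion I′3 ⊆ I′2 discussed in Example 4.2.4, and leaves are assumed to be halted paths.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(eq=False)  # eq=False: states compare by identity, so a copy is a new state
class Node:
    """A state of a finite tree interpretation: valuation plus children.
    Assumption of this example: a leaf is a halted path that stays in its last state."""
    val: frozenset
    kids: list = field(default_factory=list)

    def copy(self) -> Node:
        return Node(self.val, [k.copy() for k in self.kids])


def ws(s: Node, sc: Node) -> None:
    """WS(I, sc), Definition 4.2.1: copy the substructure I_sc and attach the copy
    as a new child of s (the tree is modified in place)."""
    assert sc in s.kids
    s.kids.append(sc.copy())


def hs(parent, s: Node, cs: list) -> Node:
    """HS(I, s, Cs), Definition 4.2.3: replace s by s' -> s''. s'' keeps every child
    of s; s' gets s'' plus a fresh copy of I_sc for each sc in Cs, so I'_2 ⊆ I'_3.
    Returns s' (the new root when parent is None)."""
    assert all(c in s.kids for c in cs)
    s2 = Node(s.val, list(s.kids))                   # s''
    s1 = Node(s.val, [s2] + [c.copy() for c in cs])  # s'
    if parent is not None:
        parent.kids[parent.kids.index(s)] = s1
    return s1


def hs_unsound(parent, s: Node, cs: list) -> Node:
    """Constructed variant, NOT an operation of the thesis: allows the reverse
    inclusion I'_3 ⊆ I'_2 by giving s'' only the children in Cs while s' gets a copy
    of every child. Exists only to show why Definition 4.2.3 forbids it (Example 4.2.4)."""
    s2 = Node(s.val, [c for c in s.kids if c in cs])
    s1 = Node(s.val, [s2] + [c.copy() for c in s.kids])
    if parent is not None:
        parent.kids[parent.kids.index(s)] = s1
    return s1


def sat(n: Node, f: tuple) -> bool:
    """CTL state formulas as tuples: ('p', name), ('not', f), ('and', f, g),
    ('imp', f, g), ('EX', f), ('AX', f), ('EF', f), ('AG', f)."""
    op = f[0]
    if op == "p":
        return f[1] in n.val
    if op == "not":
        return not sat(n, f[1])
    if op == "and":
        return sat(n, f[1]) and sat(n, f[2])
    if op == "imp":
        return (not sat(n, f[1])) or sat(n, f[2])
    succ = n.kids or [n]  # a halted leaf is its own successor
    if op == "EX":
        return any(sat(c, f[1]) for c in succ)
    if op == "AX":
        return all(sat(c, f[1]) for c in succ)
    if op == "EF":  # some state of the subtree satisfies f[1]
        return sat(n, f[1]) or any(sat(c, f) for c in n.kids)
    if op == "AG":  # every state of the subtree satisfies f[1]
        return sat(n, f[1]) and all(sat(c, f) for c in n.kids)
    raise ValueError(op)


def build() -> Node:
    """Constructed sample I (not a figure of the thesis):
    root{} -> a{p1} -> b{p3}, a{p1} -> e{p2}, root{} -> d{}."""
    a = Node(frozenset({"p1"}), [Node(frozenset({"p3"})), Node(frozenset({"p2"}))])
    return Node(frozenset(), [a, Node(frozenset())])


AG_P1_EF_P3 = ("AG", ("imp", ("p", "p1"), ("EF", ("p", "p3"))))  # A□(p1 → ∃◇p3), "next"-free
EX_P1 = ("EX", ("p", "p1"))                                      # ∃◦p1, contains "next"


def demo() -> dict:
    out = {}
    i = build()
    out["orig_AG"], out["orig_EX"] = sat(i, AG_P1_EF_P3), sat(i, EX_P1)
    j = build()                                  # WS(I, a): both values kept
    ws(j, j.kids[0])
    out["ws_AG"], out["ws_EX"] = sat(j, AG_P1_EF_P3), sat(j, EX_P1)
    k = hs(None, build(), [])                    # HS(I, root, {}): root' only sees root''
    out["hs_AG"], out["hs_EX"] = sat(k, AG_P1_EF_P3), sat(k, EX_P1)
    m = build()                                  # HS(I, a, {b}): "next"-free value kept
    hs(m, m.kids[0], [m.kids[0].kids[0]])
    out["hs_a_AG"] = sat(m, AG_P1_EF_P3)
    n = build()                                  # unsound variant at a with Cs = {e}
    hs_unsound(n, n.kids[0], [n.kids[0].kids[1]])
    out["bad_AG"] = sat(n, AG_P1_EF_P3)          # a'' has p1 but no p3 below it
    return out


if __name__ == "__main__":
    print(demo())
```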

4.3 Finite Stuttering

We define a relation Stutter that represents a single stuttering step. That is, for two structures I, I′, (I, I′) ∈ Stutter if I′ = WS(I, s) for some s or I′ = HS(I, s, Cs) for some s and Cs.


Figure 4.6: Limitations of Finite Stuttering

Definition 4.3.1. Let Stutter∗ be the transitive, reflexive and symmetric closure of Stutter. We say that a structure I′ can be obtained from another structure I by an unstuttering step if (I, I′) ∈ Stutter. Structures I and I′ are finitely stutter equivalent if (I, I′) ∈ Stutter∗, that is, if I′ can be obtained from I by finitely many stuttering or unstuttering steps.

Note that Stutter∗ is by definition an equivalence relation. Finite stuttering is a very limited form of stuttering. Even in the linear-time case there are simple structures that are stutter equivalent by the usual definition of [11], but are not finitely stutter equivalent by the above definition, see Figure 4.6 on page 21.

This brings us to consider the more general approach of Infinite Stuttering.

4.4 Infinite Stuttering

In this section we define infinite stuttering, which is a preorder on temporal structures.

A layer of depth k in a structure is the set of all nodes with distance exactly k from the root. For an ordinal number k, a sequence of length k is a mapping from k to some domain, as usual.¹ Unless specifically stated, we assume that all sequences are of length ω. We will usually denote a sequence either by specifying some of its values, as (x0, x1, ...), or by naming an indexed item, as (xi). We will also use sequences of sequences of elements, denoted by ((xi)j).

¹ An ordinal k is defined as the set of all smaller ordinals.

A converging sequence of structures is a sequence (I0, I1, ...) such that for every positive integer k there is a place in the sequence from which the layers of depth ≤ k remain unchanging. Formally, for every positive k there exists N_k such that the first k layers of (I_{N_k}, I_{N_k+1}, ...) are identical. The limit structure I∞ = lim_{i→∞} Ii is defined such that for every positive k, the first k layers of I∞ are the same as the first k layers of I_{N_k}.

Definition 4.4.1. An infinite stuttering sequence is a converging sequence of structures with the additional property that for every two adjoining structures (Ii, Ii+1) either Ii+1 = Ii or (Ii, Ii+1) ∈ Stutter.

In the linear case, it is sufficient to extend the definition of finite stutter equivalence to cover any pair of structures that have infinite stuttering sequences from a common "parent" structure. When applied to branching time structures, such "stuttering" may introduce new halted paths. If a halted path is added to a structure without a halted path by the means of an infinite number of stutter operations, the truth values of some "next"-free formulas are not preserved, as in Figure 4.7 on page 23.

The formula ∃□p1 does not hold in any of the structures in (Ii) but it holds in the limit structure I∞ = lim_{i→∞} Ii. If the HS stutter operation on Ii is performed at the state with p1 at depth i, then there is only a finite number of stutter operations performed on the states in each level of the structures in the sequence. Therefore, limiting the number of stutter operations performed on each level still admits degenerate cases. To solve this, we define a notion of "original depth", denoted by od, which is the depth of a state's origin in the original unstuttered structure:

Definition 4.4.2. Let (I0, I1, ...) be an infinite stuttering sequence. For a state s ∈ I0 let origin(s) ≜ s, and for some i > 0 and a state s′ ∈ Ii copied from s let origin(s′) = s. For any i ≥ 0 and a state s in Ii, the original depth of s is defined as the depth of origin(s) in I0.

Definition 4.4.3. An advancing stuttering sequence is an infinite stuttering sequence with the additional property that for every positive number k the number of stutter operations performed with focus at a state with original depth k is finite. Alternatively, an advancing stuttering sequence is an infinite stuttering sequence wherein every state is only replicated a finite number of times.

Figure 4.7: Infinite Stuttering Sequences Add Halted Paths

This restriction prevents the creation of new halted paths from structures without such paths.

Another possible solution to this problem is defining height stuttering as self-loops with fairness, such that every self-loop is traversed only a finite number of times.

Definition 4.4.4. We say that a structure I′ is a stuttering of another structure I and write I ≤ I′ if there exists an advancing stuttering sequence of length ω from I to I′.

We call a stuttering sequence non-decreasing if the original depth of the focus of the stutter operations in it is non-decreasing. In what follows, we assume all stuttering sequences are advancing and of length ω.

Definition 4.4.5. A drop in a stuttering sequence is a stutter operation with focus at lower original depth than some previous stutter operation.

Lemma 4.4.6. For a stuttering sequence (Ii) with at least one drop, let m(Ii) be min{d | d is the original depth of the focus of a drop in (Ii)}. Let (Ii) be a stuttering sequence that contains at least one drop, and let i0 be the index of the structure obtained from the first drop in (Ii) with focus at original depth m(Ii). Then, there exists an equivalent stuttering sequence (Ji) such that:

• I0 = J0 and lim_{i→∞} Ii = lim_{i→∞} Ji

• Either (Ji) contains no drops, m(Ji) > m(Ii), or m(Ji) = m(Ii) and the number of drops in (Ji) with focus at original depth m(Ii) is smaller than the number of such drops in (Ii).

The proof of Lemma 4.4.6 is presented in Appendix A.

Lemma 4.4.7. For every stuttering sequence (Ii), there exists a non-decreasing stuttering sequence (Ji) with J0 = I0 and lim_{i→∞} Ji = lim_{i→∞} Ii.

Proof. We construct a sequence ((Ii)j) of stuttering sequences. The base is (Ii)0 = (Ii), and for every j, let (Ii)j+1 be the sequence whose existence is guaranteed by applying Lemma 4.4.6 to (Ii)j. For every positive integer k, the first k elements of (Ii)k are non-decreasing, and remain unchanging in (Ii)j for all j ≥ k. Therefore, the limit sequence (Ii)∞ is well defined, and it is a non-decreasing stuttering sequence from I0 to lim_{i→∞} Ii.


Proposition 4.4.8. The relation ≤ is a preorder on structures, that is, ≤ is a reflexive and transitive relation.

The proof of Proposition 4.4.8 is presented in Appendix A.

Corollary 4.4.9. Every stuttering sequence shorter than ω² is equivalent to a sequence of length ω.

Proof. If the length of the sequence is smaller than ω² then it is smaller than k · ω for some positive integer k. We obtain a sequence of length ω by no more than k repeated activations of Proposition 4.4.8.

When dealing with stuttering sequences of length at least ω², it is not sufficient to require that each ω-length stuttering sequence have a limit; the entire sequence must have a limit as well. In this thesis we will not investigate the properties of such sequences.

4.5 Unstuttering Sequences

We call a sequence of structures (Ii) an unstuttering sequence if it has a limit I∞ and for every i, Stutter(Ii+1, Ii) or Ii+1 = Ii.

It appears that the existence of a stuttering sequence from some structure I to another structure J does not imply the existence of an unstuttering sequence from J to I. For example, see Figure 4.8 on page 26. In this figure, the structure I∞ is the stuttering of I0 as it is the limit of (I0, I1, ...). However, I∞ has no unstuttering – there exists no structure J such that Stutter(J, I∞), because every possible unstuttering step from I∞ must be along the diagonal, and every state along the diagonal is the root of a different structure than its sibling or parent states. Therefore, no unstuttering sequence exists from I∞.

4.6 Existence of An Upper Bound

We wish to use stuttering sequences to define branching-time stutter equivalence. For that, we will need one additional proposition:

Proposition 4.6.1. (Diamond) The relation ≤ is an upper semi-lattice: for structures I, J, K, if I ≤ J and I ≤ K then there exists a structure L that is an upper bound of I, J, K (see Figure 4.9 on page 27).


Figure 4.8: A Stuttering Sequence Without an Unstuttering Sequence


Figure 4.9: A Lower Bound Implies an Upper Bound

The proof of Proposition 4.6.1 is presented in Appendix A.

Example 4.6.2. For example, in Figure 4.10 on page 28, the stutter operations used to reach K from I are HS(s2, {}) and WS(s3). The state s2 has one additional copy in J, so we apply HS on both copies. The state s3 is left unchanged in J, so we just apply WS on it.

4.7 Lower Bound

We would like to have a lower bound similar to the upper bound we found. However, there exist structures I, J, K so that J ≤ I, K ≤ I, but J and K are not the stuttering of any other structure, see Example 4.7.1.

Example 4.7.1. In Figure 4.11 on page 29, assuming v(s_i^1) = {p1}, v(s_i^2) = {p2}, v(s_i^3) = {}, there is no structure X that has a (non-trivial) stuttering sequence to either J or K, because any two consecutive s_i's in either structure have different children. However, it is possible to reach I from both structures in a single stuttering step. Therefore, ≤ is not a full lattice.


Figure 4.10: Example 4.6 – A Lower Bound Implies an Upper Bound


Figure 4.11: An Upper Bound Does not Imply a Lower Bound


4.8 Stutter Equivalence of Branching Time Structures

Since the existence of a lower bound of two structures implies the existence of an upper bound, but the converse does not hold, we define stutter-equivalence as follows:

Definition 4.8.1. (Stutter Equivalence) Two structures I, J are stutter-equivalent if there exists a structure K that is an upper bound of I and J under the relation ≤.

Theorem 4.8.2. Stutter-equivalence is an equivalence relation on structures.

Proof. Reflexivity and symmetry are trivial, so what remains to be proven is transitivity. Let I, J, K be structures such that I and J have an upper bound L_{I,J} and J and K have an upper bound L_{J,K}. Then L_{I,J} and L_{J,K} have a lower bound J, and by the Diamond Proposition have an upper bound L_{I,J,K}. By transitivity of ≤, L_{I,J,K} is an upper bound for I and K (see Figure 4.12 on page 31).

In what follows, let (I0, I1, ...) be a non-decreasing stuttering sequence from I0 to I∞, π be a path in I0 and π∞ a copy of that path (perhaps with some replicated states) in I∞.

Theorem 4.8.3. Any ◦-free formula is invariant under branching-time stuttering.

The proof of Theorem 4.8.3 is presented in Appendix A.


Figure 4.12: Transitivity of Stutter Equivalence


Chapter 5

"Next"-free Formulas do not Express Stutter Invariance

In this chapter we prove that our definition of stutter equivalence is more restrictive than the usual definition.

Definition 5.0.4. For an assignment v ⊆ V we denote by βv the characterizing formula

    ⋀_{pi ∈ v} pi ∧ ⋀_{pi ∉ v} ¬pi.

For every pi let v_{pi} = {pi} be the assignment assigning true to pi and false to all other variables. We abbreviate βi ≜ β_{v_{pi}}.

Lemma 5.0.5. Let I1, I2 be the structures in Figure 5.1 on page 33. No "next"-free formula distinguishes between I1 and I2.

The proof of Lemma 5.0.5 is presented in Appendix B.

Definition 5.0.6. A CTL* formula ϕ is invariant under branching-time stuttering if for every two stutter-equivalent structures I, I′, I |= ϕ if and only if I′ |= ϕ.

Theorem 5.0.7. There exists a formula invariant under branching-time stuttering for which there is no equivalent "next"-free formula.

Proof. We construct an explicit formula ϕ. Let ϕ be ∃◇[β1 ∧ ∃◦β2 ∧ ∃◦β3]. The meaning of this formula is that the substructure in Figure 5.2 (page 33) exists somewhere in the structure under consideration. Note that ϕ is stutter-invariant, because the above substructure cannot disappear after applying stuttering steps to a structure, and also cannot be created by stuttering. By Lemma 5.0.5, no "next"-free formula distinguishes between I1 and I2, but I1 |= ϕ, I2 ⊭ ϕ.

Figure 5.1: Two Structures Equivalent Under "next"-Free Formulas

Figure 5.2: A Substructure for Theorem 5.0.7

This result is opposite to Corollary 1.0.3, which follows from the usual definition of branching-time stuttering and states that "next"-free formulas express stutter-invariance. There are CTL* formulas which are invariant under branching-time stuttering as defined in this thesis, but are not stutter-invariant under the usual definition from [1].

Proposition 5.0.8. Every pair of structures that is stutter-equivalent is also stutter-equivalent according to the usual definition. The converse does not hold.

Proof. According to [1], there is a single "next"-free CTL formula characterizing any equivalence class of structures under stutter equivalence. According to Theorem 4.8.3, this formula is stutter-invariant, so it has the same truth value for every pair of stutter-equivalent structures. Therefore, they are stutter-equivalent according to the usual definition.

However, according to the proof of Theorem 5.0.7 there exist structures that are not stutter-equivalent by the usual definition but are stutter-equivalent according to our definition.

It might be of interest to find other instances of properties invariant under our definition but not under the usual definition, that appear as part of existing temporal specifications.


Chapter 6

Branching-Time General Temporal Logic of Actions

For a logic L and an operator X let L−X be the subset of L obtained by removing all formulas containing X. In this chapter we recall the definition of GTLA, the stutter-invariant fragment of LTL−U. We then extend it to branching time, reaching a language BGTLA. We conjecture that BGTLA is the maximal stutter-invariant fragment of CTL*−U, i.e., that there is no "larger" stutter-invariant fragment of CTL*−U that contains formulas that have no BGTLA equivalent.

6.1 Syntax of General Temporal Logic of Actions

In this section we recall the definition of the General Temporal Logic of Actions. For a finite set of propositional variables p = {p_{i1}, p_{i2}, ..., p_{ik}} let p ≡ ◦p be the formula

    ⋀_{1≤j≤k} (p_{ij} ↔ ◦p_{ij}),

and p ≢ ◦p is defined as ¬(p ≡ ◦p).

GTLA formulas and pre-formulas are defined using a double induction, similar to [12]:

1. Propositional atoms are formulas

2. If ϕ and ψ are formulas, so are ϕ ∧ ψ, ¬ϕ and ◇ϕ

3. If ϕ is a formula, then ϕ and ◦ϕ are pre-formulas


4. If ϕ and ψ are pre-formulas, so are ϕ ∧ ψ and ¬ϕ

5. If ϕ is a pre-formula and p is a set of variables, then the following is a formula:

    ◇〈ϕ〉p ≜ ◇(ϕ ∧ (p ≢ ◦p))

The formula ◇〈ϕ〉p states that ϕ holds at some point on the current path when at least one variable in p changes its value. (One can equivalently define GTLA using the dual operator [ϕ]p ≡ ¬◇〈¬ϕ〉p instead of ◇〈ϕ〉p.)

Note that the language of GTLA is a subset of CTL*. Thus, the semantics of GTLA is derived from that of CTL*. GTLA formulas define properties that are stutter-invariant for linear structures, and GTLA expresses all linear stutter-invariant properties. A GTLA formula is satisfied by a branching-time structure if and only if it is satisfied by all paths in the structure. We call two sets of temporal structures stutter-equivalent if for every structure in one set there is a stutter-equivalent structure in the other set, and vice versa. If two branching time structures are stutter-equivalent, then the sets of paths in both structures induce stutter-equivalent sets of linear structures. Therefore, GTLA formulas define properties that are branching-time stutter-invariant.

The expressive power of GTLA formulas is lacking when dealing with branching-time structures. Therefore, we extend it with branching-time operators in the following section.

6.2 Branching-time General Temporal Logic of Actions

In this section we define the Branching-time General Temporal Logic of Actions, which is a generalization of GTLA that includes branching-time formulas.

Adding the path quantifier ∃ to GTLA's formula construction rules is insufficient, resulting in a logic that is not expressive enough. For example, the stutter-invariant formula ∃◇(¬p1 ∧ ¬p2 ∧ ◦p1 ∧ ∃◦p2) cannot be expressed using only the GTLA operators together with ∃.

In GTLA, the expression p inside 〈ϕ〉p must be a set of propositional variables, which determine the non-stuttering steps. In branching-time stuttering there are steps that are not stuttering steps, yet in which no propositional variable changes its value, as in Figure 6.1 on page 37, which shows an unstuttered structure.

Figure 6.1: An Unstuttered Structure and a Non-Stutter Step

Figure 6.2: Two Stutter Equivalent Structures

Therefore, we need to allow any stutter-invariant formula ψ, and not just propositional atoms, to appear in the expression 〈ϕ〉ψ, in order to express some stutter-invariant properties such as the one defined by ◇(∃◇p2 ∧ ◦¬∃◇p2).

We must also be careful not to add too much expressive power to GTLA. If we allowed ∃◦ϕ as a pre-formula for some formula ϕ, we could produce the following formula ∃◇〈p1 ∧ ¬∃◦¬(p1 ∨ p2)〉p2, which is equivalent to ∃◇(p1 ∧ ∀◦(p1 ∨ p2) ∧ (p2 ≢ ◦p2)). This CTL* formula is not stutter-invariant, as shown by the two structures in Figure 6.2 on page 37. In this figure, the structure I does not satisfy the above formula, while I′, which is stutter-equivalent to I, does.

The formulas of BGTLA are defined as follows:

1. Propositional atoms are formulas

2. If ϕ and ψ are formulas, so are ϕ ∧ ψ, ¬ϕ, ◇ϕ and ∃ϕ


3. If ϕ is a formula, then ϕ and ◦ϕ are pre-formulas

4. If ϕ and ψ are pre-formulas, so are ϕ ∧ ψ and ¬ϕ

5. 〈〉-Rule – Let 〈ϕ〉ψ ≜ (ϕ ∧ (ψ ≢ ◦ψ)). If ϕ is a pre-formula and ψ is a formula then ◇〈ϕ〉ψ is a formula.

6. ∃〈〉-Rule – If ϕ1, ..., ϕn are pre-formulas and ψ1, ..., ψn, χ are formulas, then the following is a formula:

    ∃◇(∀◦□χ ∧ ⋀_{1≤i≤n} ∃(〈ϕi〉ψi))
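An added checker (our own code, not from the thesis) for the formula / pre-formula double induction above. The constructor names are ours; rule 6 is represented as a single node, and the rejected term is the over-strong construction ∃◇〈p1 ∧ ¬∃◦¬(p1 ∨ p2)〉p2 discussed at the start of this section.

```python
from __future__ import annotations
from dataclasses import dataclass


# AST constructors (names are this example's own, not the thesis's notation)
@dataclass(frozen=True)
class Atom:            # propositional atom p_i
    name: str

@dataclass(frozen=True)
class Not:             # ¬ϕ
    arg: object

@dataclass(frozen=True)
class And:             # ϕ ∧ ψ
    left: object
    right: object

@dataclass(frozen=True)
class Eventually:      # ◇ϕ
    arg: object

@dataclass(frozen=True)
class Exists:          # ∃ϕ
    arg: object

@dataclass(frozen=True)
class Next:            # ◦ϕ
    arg: object

@dataclass(frozen=True)
class Angle:           # 〈ϕ〉ψ = ϕ ∧ (ψ ≢ ◦ψ); only legal directly under ◇ (rule 5)
    phi: object
    psi: object

@dataclass(frozen=True)
class ExAngle:         # ∃◇(∀◦□χ ∧ ⋀_i ∃〈ϕ_i〉ψ_i), rule 6, kept as one node
    chi: object
    pairs: tuple       # ((ϕ_1, ψ_1), ..., (ϕ_n, ψ_n))


def is_formula(f) -> bool:
    """Rules 1, 2, 5 and 6 of the BGTLA definition."""
    if isinstance(f, Atom):                                       # rule 1
        return True
    if isinstance(f, And):                                        # rule 2
        return is_formula(f.left) and is_formula(f.right)
    if isinstance(f, Eventually) and isinstance(f.arg, Angle):    # rule 5: ◇〈ϕ〉ψ
        return is_pre_formula(f.arg.phi) and is_formula(f.arg.psi)
    if isinstance(f, (Not, Eventually, Exists)):                  # rule 2
        return is_formula(f.arg)
    if isinstance(f, ExAngle):                                    # rule 6
        return is_formula(f.chi) and all(
            is_pre_formula(phi) and is_formula(psi) for phi, psi in f.pairs)
    return False          # ◦ϕ, a bare 〈ϕ〉ψ, ∃◦ϕ, ... are never formulas


def is_pre_formula(f) -> bool:
    """Rules 3 and 4: every formula, ◦ of a formula, closed under ∧ and ¬."""
    if is_formula(f):
        return True
    if isinstance(f, Next):
        return is_formula(f.arg)
    if isinstance(f, Not):
        return is_pre_formula(f.arg)
    if isinstance(f, And):
        return is_pre_formula(f.left) and is_pre_formula(f.right)
    return False


p1, p2, p3 = Atom("p1"), Atom("p2"), Atom("p3")

def Or(a, b):          # ϕ ∨ ψ as ¬(¬ϕ ∧ ¬ψ)
    return Not(And(Not(a), Not(b)))

# GTLA-style formula ◇〈◦p1〉p1: p1 becomes true at a step where p1 changes
GTLA_OK = Eventually(Angle(Next(p1), p1))
# ◇(∃◇p2 ∧ ◦¬∃◇p2) from this section, written as ◇〈∃◇p2〉ψ with the formula ψ = ∃◇p2
BRANCHING_OK = Eventually(Angle(Exists(Eventually(p2)), Exists(Eventually(p2))))
# The over-strong term ∃◇〈p1 ∧ ¬∃◦¬(p1 ∨ p2)〉p2: ∃◦(...) is neither a formula
# nor a pre-formula, so the whole term is rejected
TOO_STRONG = Exists(Eventually(Angle(And(p1, Not(Exists(Next(Not(Or(p1, p2)))))), p2)))
# A rule-6 instance: ∃◇(∀◦□p3 ∧ ∃〈¬p1 ∧ ◦p1〉p2 ∧ ∃〈p2〉p1)
RULE6_OK = ExAngle(p3, ((And(Not(p1), Next(p1)), p2), (p2, p1)))
# ◦p1 on its own is only a pre-formula, never a BGTLA formula
BARE_NEXT = Next(p1)


def check_all() -> dict:
    return {
        "gtla_ok": is_formula(GTLA_OK),
        "branching_ok": is_formula(BRANCHING_OK),
        "too_strong": is_formula(TOO_STRONG),
        "rule6_ok": is_formula(RULE6_OK),
        "bare_next_formula": is_formula(BARE_NEXT),
        "bare_next_pre": is_pre_formula(BARE_NEXT),
    }


if __name__ == "__main__":
    print(check_all())
```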

6.3 Stutter-Invariance of BGTLA

In this section we will show that BGTLA is a stutter-invariant extension of GTLA.

Lemma 6.3.1. BGTLA's 〈〉-Rule preserves stutter-invariance of formulas.

Proof. As usual, since the WS operation preserves the truth values of all formulas, we will only look at two structures I, I′ for which I′ = HS(I, s, Cs) for some s, Cs.

Let ◇〈ϕ〉ψ be a formula constructed by the 〈〉-Rule, π = (s0, s1, ...) be a path in I, and suppose that (I, π) |= ◇〈ϕ〉ψ. Then there exists some non-negative integer k for which (I_{s_k}, π^{+k}) |= 〈ϕ〉ψ. So (I_{s_k}, π^{+k}) |= ϕ, and either (I_{s_k}, π^{+k}) |= ψ and (I_{s_{k+1}}, π^{+k+1}) ⊭ ψ, or (I_{s_k}, π^{+k}) ⊭ ψ and (I_{s_{k+1}}, π^{+k+1}) |= ψ. Assume without loss of generality that (I_{s_k}, π^{+k}) |= ψ and (I_{s_{k+1}}, π^{+k+1}) ⊭ ψ.

Let π′ be any path in I′ copied from π, and let k′ + 1 be the index of the first copy of s_{k+1} on π′. The formula ψ is stutter-invariant, and the structures I′_{s′_{k′}} and I′_{s′_{k′+1}} are stutter-equivalent to I_{s_k} and I_{s_{k+1}} respectively. Thus, (I′_{s′_{k′}}, π′^{+k′}) |= ψ and (I′_{s′_{k′+1}}, π′^{+k′+1}) ⊭ ψ (see Figure 6.3 on page 39). The formulas that the pre-formula ϕ is constructed from are stutter-invariant, and depend only on I′_{s′_{k′}} and I′_{s′_{k′+1}}. Therefore, (I′_{s′_{k′}}, π′^{+k′}) |= ϕ and (I′, π′) |= ◇〈ϕ〉ψ.

Now assume (I, π) ⊭ ◇〈ϕ〉ψ. Then for every k, (I_{s_k}, π^{+k}) ⊭ 〈ϕ〉ψ. Let π′ be any path in I′ copied from π and s′_{k′} be a state on π′ copied from some s_k. Assume to the contrary that (I′_{s′_{k′}}, π′^{+k′}) |= 〈ϕ〉ψ. Assume without loss of generality that (I′_{s′_{k′}}, π′^{+k′}) |= ϕ ∧ ψ and that (I′_{s′_{k′+1}}, π′^{+k′+1}) ⊭ ψ. Since (I′_{s′_{k′}}, π′^{+k′}) satisfies ψ and (I′_{s′_{k′+1}}, π′^{+k′+1}) does not, the states s′_{k′} and s′_{k′+1} are copies of two different states s_k and s_{k+1} in I. Thus, s′_{k′+1} is not a stuttered copy of s_k. Because of the stutter-invariance of ψ and of the formulas that ϕ is composed from, we obtain (I_{s_k}, π^{+k}) |= 〈ϕ〉ψ, a contradiction.

Figure 6.3: BGTLA's ◇-Rule

Lemma 6.3.2. BGTLA's ∃〈〉-Rule preserves stutter-invariance of formulas.

Proof. Again, we will only consider two structures I, I′ for which, for some s, Cs, I′ = HS(I, s, Cs), and disregard the WS operation as trivial. Let

    ∃◇(∀◦□χ ∧ ⋀_{1≤i≤n} ∃(〈ϕi〉ψi))

be a formula constructed by the ∃〈〉-Rule and assume that

    I |= ∃◇(∀◦□χ ∧ ⋀_{1≤i≤n} ∃(〈ϕi〉ψi)).

Then there exists a path π = (s0, s1, ...) in I and some non-negative integer k for which (I_{s_k}, π^{+k}) |= ∀◦□χ ∧ ⋀_{1≤i≤n} ∃(〈ϕi〉ψi). Therefore, there exist n paths π1, ..., πn, all starting at s_k, so that for 1 ≤ i ≤ n, (I_{s_k}, πi) |= ϕi ∧ ψi ∧ ◦¬ψi. Also, for all paths π starting at s_k let s+(π) be the successor of s_k on π. Then (I_{s+(π)}, π^{+}) |= ◦□χ (see Figure 6.4 on page 40).

Let s′_{k′} be the deepest copy of s_k on π′. The structure I′_{s′_{k′}} is identical to I_{s_k}, and, therefore, I′ |= ∃◇(∀◦□χ ∧ ⋀_{1≤i≤n} ∃(〈ϕi〉ψi)).

Assume that I ⊭ ∃◇(∀◦□χ ∧ ⋀_{1≤i≤n} ∃(〈ϕi〉ψi)) and assume to the contrary that I′ |= ∃◇(∀◦□χ ∧ ⋀_{1≤i≤n} ∃(〈ϕi〉ψi)). Thus, there exist paths π′1, ..., π′n and states s′_{k′}, t′1, t′2, ..., t′n such that for 1 ≤ i ≤ n, t′i ∈ π′i and (I′_{s′_{k′}}, π′i) |= ϕi ∧ ψi ∧ ◦¬ψi. For every i, s′_{k′} satisfies ψi while the state t′i does not. Therefore, the origin of every t′i in I′ differs from the origin of s′_{k′}. Let s_k be the origin of s′_{k′} and t1, t2, ..., tn be the origins of t′1, t′2, ..., t′n. Then, the structure I_{s_k} satisfies ∀◦□χ ∧ ⋀_{1≤i≤n} (∃(〈ϕi〉ψi)), in contradiction with the assumption.

Figure 6.4: BGTLA's ∃◇-Rule

Theorem 6.3.3. BGTLA formulas define stutter-invariant properties.

Proof. By Lemmas 6.3.1, 6.3.2 and Theorem 4.8.3.


Chapter 7

Algorithmic Checking of Stutter-Equivalence

In this chapter we study the algorithmic properties of stutter-equivalence.

7.1 Stutter-Equivalence of Finite Kripke Structures

In this section we present an algorithm for deciding stutter-equivalence of unwindings of finite Kripke structures.

Definition 7.1.1. A finite Kripke structure is a 4-tuple $M = (S, T, L, s_I)$, where $S$ is some finite set of states, $T : S \to 2^S$ is a transition function from states to sets of successor states, $L : S \to 2^V$ is a labeling function from states to sets of atomic predicates and $s_I \in S$ is the initial state.

Definition 7.1.2. For a finite Kripke structure $M = (S, T, L, s_I)$ we define the unwinding of $M$, denoted unwind($M$), as the minimal branching-time temporal structure for which the following holds:

• There exists a mapping $f$ from the states of unwind($M$) to $S$

• For $r = root(\text{unwind}(M))$, $f(r) = s_I$

• If $(s_M, s'_M) \in T$ and $f(s) = s_M$ then there exists a state $s' \in children(s)$ such that $f(s') = s'_M$

• If $f(s) = s_M$ then the valuation of $s$ is $L(s_M)$

Let us denote by unwind($M$) the branching-time computation tree structure obtained by unwinding the finite Kripke structure $M$. A stutter operation on a finite Kripke structure $M$ is a local operation on some state in $M$ that produces another finite Kripke structure $M'$ for which unwind($M$) $\le$ unwind($M'$). We define a set $\{HS_K, WS_K\}$ of stutter operations on Kripke structures. In what follows, let $M = (S, E, L, s_I)$ be a finite Kripke structure and $s$ some state in $S$.

7.1.1 Height Stuttering

Let $out \subseteq outgoing\_edges(s)$ and $in', in'' \subseteq incoming\_edges(s)$ such that $in' \cup in'' = incoming\_edges(s)$, and $move\_start \in \{false, true\}$. We define

$$HS_K(M, s, out, in', in'', move\_start)$$

to be the structure $M' = (S', E', L', s'_I)$ (see Figure 7.1 on page 45) obtained from $M$ by replacing $s$ with two new states $s', s''$ copied from it such that:

1. $L'(s') = L'(s'') = L(s)$

2. $(s', s'') \in E'$

3. For every edge $(s, t) \in E$ there exists an edge $(s'', t) \in E'$

4. For every edge $(s, t) \in out$ there exists an edge $(s', t) \in E'$

5. For every edge $(t, s) \in in'$ there exists an edge $(t, s') \in E'$

6. For every edge $(t, s) \in in''$ there exists an edge $(t, s'') \in E'$

7. If $s = s_I$ then:

(a) If $move\_start$ is true then $s'_I = s''$

(b) Otherwise, $s'_I = s'$

8. If the self-loop $(s, s) \in E$ then:

(a) If $(s, s) \in in'$, then $(s'', s') \in E'$

(b) If $(s, s) \in in''$ then $(s'', s'') \in E'$

(c) If $(s, s) \in out$ and either $(s'', s') \in E'$ or $(s'', s'') \in E'$, then $(s', s') \in E'$ (the additional condition here is placed in order to prevent the case where in $M$ there is always the possibility of a self-loop from $s$, while in $M'$ there would be a state $s''$ supposedly equivalent to $s$ but from which no "self-loop" exists).

7.1.2 Width Stuttering

Let $in', in'' \subseteq incoming\_edges(s)$ such that $in' \cup in'' = incoming\_edges(s)$, and $loop', loop'', move\_start \in \{false, true\}$. We define

$$WS_K(M, s, in', in'', move\_start, loop', loop'')$$

to be the structure (see Figure 7.2 on page 46) obtained from $M$ by replacing $s$ with two new states $s', s''$ such that:

1. For every edge $(s, t) \in E$ there exist edges $(s', t)$ and $(s'', t)$ in $E'$

2. For every edge $(t, s) \in in'$ there exists an edge $(t, s')$ in $E'$

3. For every edge $(t, s) \in in''$ there exists an edge $(t, s'')$ in $E'$

4. If $s = s_I$ then:

(a) If $move\_start$ is true then $s'_I = s''$

(b) Otherwise, $s'_I = s'$

5. If the self-loop $(s, s) \in E$ then both $(s', s')$ and $(s'', s'')$ are in $E'$

7.1.3 Stutter Equivalence of Finite Kripke Structures

Figure 7.1: Kripke Structure Height Stuttering

Figure 7.2: Kripke Structure Width Stuttering

We use the definition of equivalence of finite Kripke structures from [1]:

Definition 7.1.3. Let $M = (S, T, L, s_I)$ and $M' = (S', T', L', s'_I)$ be two finite Kripke structures. We define a sequence of equivalence relations $E_0, E_1, \ldots$ as follows:

• $(s, s') \in E_0$ if and only if $L(s) = L'(s')$

• $(s, s') \in E_{n+1}$ if and only if:

– $L(s) = L'(s')$

– For every $s_1$ that is a successor of $s$ in $T$ there exists $s'_1$ that is a successor of $s'$ in $T'$ such that $(s_1, s'_1) \in E_n$

– For every $s'_1$ that is a successor of $s'$ in $T'$ there exists $s_1$ that is a successor of $s$ in $T$ such that $(s_1, s'_1) \in E_n$

Two structures $M$ and $M'$ are equivalent if and only if for every positive $i$, $(s_I, s'_I) \in E_i$.
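As an added example (Python written for this page, not code from the thesis), the following computes the relations $E_0, E_1, \ldots$ of Definition 7.1.3 until they stabilise and decides equivalence from the fixpoint. The structures, names and labels are constructed here; the last pair shows that a height-stuttered copy of a structure (the initial state split into two identically labeled states) is not equivalent in this sense, which is the gap stutter-equivalence (Definition 7.1.4) closes.

```python
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple

# A finite Kripke structure M = (S, T, L, sI) as in Definition 7.1.1; S is the
# key set of T.  T maps each state to its successor set, L maps each state to
# the set of atomic predicates true in it, sI is the initial state.
Kripke = Tuple[Dict[str, Set[str]], Dict[str, FrozenSet[str]], str]


def equivalence_relations(M: Kripke, M2: Kripke) -> List[Set[Tuple[str, str]]]:
    """Compute E0, E1, ... of Definition 7.1.3 until the sequence stabilises.

    Returns [E0, E1, ..., En] where E(n+1) == En.  Each E(n+1) is a subset
    of En and S x S' is finite, so the loop always terminates.
    """
    T, L, _ = M
    T2, L2, _ = M2
    # E0: all pairs with identical labelings.
    E = {(s, s2) for s, s2 in product(T, T2) if L[s] == L2[s2]}
    history = [E]
    while True:
        nxt = set()
        for s, s2 in E:
            # Every successor of s must be matched by a successor of s2 ...
            fwd = all(any((s1, t2) in E for t2 in T2[s2]) for s1 in T[s])
            # ... and every successor of s2 must be matched by one of s.
            bwd = all(any((t1, s12) in E for t1 in T[s]) for s12 in T2[s2])
            if fwd and bwd:
                nxt.add((s, s2))
        if nxt == E:
            return history
        E = nxt
        history.append(E)


def equivalent(M: Kripke, M2: Kripke) -> bool:
    """M and M' are equivalent iff (sI, sI') lies in every Ei (Definition 7.1.3)."""
    return (M[2], M2[2]) in equivalence_relations(M, M2)[-1]


P, Q = frozenset({"p"}), frozenset({"q"})

# Constructed example structures (not taken from the thesis).
LOOP = ({"a": {"a"}}, {"a": P}, "a")                            # a(p) with a self-loop
UNROLLED = ({"a": {"b"}, "b": {"b"}}, {"a": P, "b": P}, "a")    # a(p) -> b(p) -> b ...
DIFFERENT = ({"a": {"b"}, "b": {"b"}}, {"a": P, "b": Q}, "a")   # a(p) -> b(q) -> b ...
STEP = ({"s0": {"s1"}, "s1": {"s1"}}, {"s0": P, "s1": Q}, "s0")
# STEP with its initial state height-stuttered: s0 -> s0x (same labeling) -> s1.
STUTTERED = (
    {"s0": {"s0x"}, "s0x": {"s1"}, "s1": {"s1"}},
    {"s0": P, "s0x": P, "s1": Q},
    "s0",
)

if __name__ == "__main__":
    print(equivalent(LOOP, UNROLLED))    # True: the self-loop and its unrolling agree
    print(equivalent(LOOP, DIFFERENT))   # False: E1 is already empty
    print(equivalent(STEP, STUTTERED))   # False: one stutter step breaks Definition 7.1.3
```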

Definition 7.1.4. We say that a finite Kripke structure $M'$ is a stuttering of another Kripke structure $M$ and write $M \le M'$ if there exists a finite sequence of Kripke structures (called a Kripke structure stuttering sequence) $(M_i) = M_0, M_1, \ldots, M_k$ such that $M = M_0$, $M' = M_k$ and every structure in the sequence is obtained from the previous one by a stutter operation.

Two structures are called stutter-equivalent if there exist Kripke structure stuttering sequences $M_0 \ldots M_k$ and $M'_0 \ldots M'_{k'}$ such that $M_k$ and $M'_{k'}$ are equivalent.

The following lemma is due to [1].

Lemma 7.1.5. Two finite Kripke structures are equivalent if and only if they satisfy the same CTL* formulas if and only if they satisfy a specific CTL formula.

Equivalence of finite Kripke structures can be checked by checking whether the two structures satisfy a single CTL formula. In Definition 7.1.4 we do not require the stuttering sequences to reach the exact same structure, because there exist structures with stutter-equivalent unwindings for which no Kripke structure stuttering sequences to a common upper bound exist (see Figure 7.3 on page 48).

Definition 7.1.6. We say that a structure $I$ is a prefix of another structure $I'$ if $I$ is obtained from $I'$ by removing all the descendants of some subset of states. We define the finite representative of $I$ with respect to some finite Kripke structure $M$ of which $I$ is an unwinding. The finite representative of $I$ is the maximal prefix of $I$ in which no path contains more than one copy of any state in $M$ (see Figure 7.4 on page 48).

Figure 7.3: Two Stutter-Equivalent Structures Without a Common Upper Bound

Figure 7.4: The Finite Representative

We call an edge in a finite Kripke structure forward if it has a copy contained entirely within the finite representative of the structure's unwinding. All edges that are not forward are backward. Self-loops are considered to be backward edges as well.

Lemma 7.1.7. If a finite Kripke structure $M'$ is obtained from another finite Kripke structure $M$ by a single stutter operation, then the finite representative of unwind($M'$) is obtained from the finite representative of unwind($M$) by a finite number of stutter operations.

Proof. The number of copies of every state in $M$ inside the finite representative of unwind($M$) is finite. If $M' = HS_K(M, \ldots)$ or $M' = WS_K(M, \ldots)$ then applying $HS$ or $WS$ accordingly a finite number of times on the finite representative of unwind($M$) will produce the finite representative of unwind($M'$).

Lemma 7.1.8. If a finite Kripke structure $M'$ is obtained from another finite Kripke structure $M$ by a single stutter operation, then unwind($M$) $\le$ unwind($M'$).

Proof. Using Lemma 7.1.7, we see that the finite representative of the unwinding of $M'$ can be obtained from the finite representative of $M$ by a finite number of single stutter operations. If we apply these stutter operations to every copy of the relevant states in the unwinding of $M$, we obtain the unwinding of $M'$. The number of stutter operations at any original depth remains finite, and we obtain a stuttering sequence from unwind($M$) to unwind($M'$).

Lemma 7.1.9. If two finite Kripke structures are stutter-equivalent then their unwindings are stutter-equivalent as well.

Proof. The proof is by induction on the sequence length using Lemma 7.1.8 and Lemma 7.1.5.

Definition 7.1.10. Let $I$ be a temporal structure and $P$ be a prefix of $I$. The structure $I$ is called repetitive in $P$ if for every child $s$ of every maximal element in $P$ there exists a state $s'$ in $P$ for which $I_s$ is identical to $I_{s'}$ up to renaming of states (see Figure 7.5 on page 50).

Definition 7.1.11. Let $I$ and $I'$ be structures such that $I \le I'$, and let $P$ be a prefix of $I$. The stuttering of $P$ in $I'$ is the set of states in $I'$ with origin in $P$.

Definition 7.1.12. Let $(I_i)$ be a stuttering sequence from $I_0$ to some structure $I_\infty$, and $P$ some set of states in $I_0$. The set stutter($P, I_\infty$) is the set of all states in $I_\infty$ with origin in $P$.

Lemma 7.1.13. Let $I$ and $I'$ be the unwindings of two finite Kripke structures $M$ and $M'$, and let $P$ and $P'$ be the finite representatives of $I$ and $I'$. If the structures $I$ and $I'$ are stutter equivalent then there exists an upper bound $I_U$ on $I$ and $I'$ that is repetitive in both the stuttering of $P$ and the stuttering of $P'$ in $I_U$.

The proof of Lemma 7.1.13 is presented in Appendix C.

Figure 7.5: A Repetitive Structure

Lemma 7.1.14. Let $M$ be a finite Kripke structure, $I$ be its unwinding, and let $I'$ be a stuttering of $I$. Let $P$ be the finite representative of $I$, and $P'$ the stuttering of $P$ in $I'$. If $I'$ is repetitive in $P'$ then there exists a finite Kripke structure $M'$ such that $I'$ is the unwinding of $M'$ and $M \le M'$.

The proof of Lemma 7.1.14 is presented in Appendix C.

Lemma 7.1.15. Let structures $I$ and $I'$ be the unwindings of finite Kripke structures $M$ and $M'$, respectively. If $I$ and $I'$ are stutter-equivalent then $M$ and $M'$ are stutter-equivalent.

Proof. Since $I$ and $I'$ are stutter equivalent, according to Lemma 7.1.13 they have an upper bound $I_U$ that is repetitive in the stuttering of the finite representatives of $I$ and $I'$. According to Lemma 7.1.14, there exist two finite Kripke structures $M_U$ and $M'_U$ such that $I_U$ is the unwinding of both $M_U$ and $M'_U$, $M \le M_U$ and $M' \le M'_U$. Finally, according to Definition 7.1.4, $M$ and $M'$ are stutter-equivalent.

Theorem 7.1.16. Two finite Kripke structures are stutter-equivalent if and only if their unwindings are stutter-equivalent.

Proof. The theorem follows directly from Lemmas 7.1.9 and 7.1.15.

7.1.4 Algorithmic Checking of Kripke Structure Stutter Equivalence

Definition 7.1.17. A canonical structure is a finite Kripke structure in which the number of states in the finite representative of its unwinding is equal to the number of states in the structure.

Lemma 7.1.18. A finite Kripke structure is canonical if and only if every state in it except the root has exactly one entering forward edge.

Proof. Let $M$ be a canonical structure and assume to the contrary that a state exists in $M$ with more than one entering forward edge. Then, in $M$'s unwinding, this state would be replicated, and the finite representative would have more states than the structure, contradicting the fact that $M$ is canonical.

Let $M$ be a finite Kripke structure and assume that every state in $M$ except the root has exactly one entering forward edge (the root always has zero entering forward edges). Then by definition, the finite representative of $M$ will contain every state in the structure only once, and $M$ is canonical.

Figure 7.6: A Canonical Structure Equivalent to the one in Figure 7.4 (page 48)

Lemma 7.1.19. For every finite Kripke structure $M$ there exists a canonical Kripke structure $M'$ such that $M \le M'$ (see Figure 7.6 on page 52 for an example of a canonical structure obtained from a non-canonical structure).

Proof. For a finite Kripke structure $M$ let us define

$$\chi(M) = |forward\_edges(M)| - |states(M)|$$

We apply $WS_K$ on every state with more than one entering forward edge, directing each incoming edge to a different copy of the state. Every such operation reduces $\chi(M)$, which is greater than or equal to $-1$ in every connected finite Kripke structure. In every finite Kripke structure with $\chi \ge 0$ there is a state with multiple incoming forward edges, and so we can apply a $WS_K$ operation on that structure and obtain a structure with a lower value of $\chi$. Therefore, after no more than $\chi(M) + 1$ applications of $WS_K$, we reach a structure with $\chi = -1$, which according to Lemma 7.1.18 is canonical.
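An added example (Python written for this page, not the thesis's code) that makes the notions above concrete on small constructed structures: the size of the finite representative (Definition 7.1.6, counted as one state per simple path from $s_I$), the forward/backward classification of edges, $\chi(M)$ from the proof above, and the two characterisations of canonical structures (Definition 7.1.17 and Lemma 7.1.18), which are checked against each other. The three-state clique, the five-state canonical structure and all function names are assumptions made here.

```python
from typing import Dict, FrozenSet, Set, Tuple

# A finite Kripke structure M = (S, T, L, sI) as in Definition 7.1.1; S is the
# key set of T, T maps a state to its successors, L to its labeling.
Kripke = Tuple[Dict[str, Set[str]], Dict[str, FrozenSet[str]], str]


def finite_representative_size(M: Kripke) -> int:
    """Number of states of the finite representative (Definition 7.1.6).

    The representative is the prefix of unwind(M) whose root paths contain
    at most one copy of every state of M, so it has one state per simple
    path from sI.  The count is exponential in general; this is only meant
    for small structures.
    """
    T, _, sI = M

    def count(state: str, on_path: FrozenSet[str]) -> int:
        return 1 + sum(count(t, on_path | {t}) for t in T[state] if t not in on_path)

    return count(sI, frozenset({sI}))


def reachable_avoiding(T: Dict[str, Set[str]], start: str, avoid: str) -> Set[str]:
    """States reachable from `start` without ever entering `avoid`."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        x = stack.pop()
        if x == avoid or x in seen:
            continue
        seen.add(x)
        stack.extend(T[x])
    return seen


def forward_edges(M: Kripke) -> Set[Tuple[str, str]]:
    """Forward edges in the sense of Section 7.1.3.

    (u, v) has a copy inside the finite representative exactly when some
    simple path from sI reaches u without passing through v; a simple such
    path exists iff any path does, so plain reachability in M minus v
    decides it.  Self-loops never qualify and are backward.
    """
    T, _, sI = M
    return {(u, v) for u in T for v in T[u]
            if u != v and u in reachable_avoiding(T, sI, v)}


def chi(M: Kripke) -> int:
    """chi(M) = |forward_edges(M)| - |states(M)| from the proof of Lemma 7.1.19."""
    return len(forward_edges(M)) - len(M[0])


def is_canonical(M: Kripke) -> bool:
    """Definition 7.1.17: as many states as the finite representative."""
    return finite_representative_size(M) == len(M[0])


def is_canonical_by_forward_edges(M: Kripke) -> bool:
    """Lemma 7.1.18: every non-root state has exactly one entering forward edge."""
    T, _, sI = M
    incoming = {s: 0 for s in T}
    for _, v in forward_edges(M):
        incoming[v] += 1
    return incoming[sI] == 0 and all(incoming[s] == 1 for s in T if s != sI)


P = frozenset({"p"})

# Constructed examples (not the thesis's figures).  A 3-clique without
# self-loops: its representative has f(3) = 1 + 2 * f(2) = 5 states, so it is
# not canonical; states b and c each have two entering forward edges.
CLIQUE3 = ({"a": {"b", "c"}, "b": {"a", "c"}, "c": {"a", "b"}},
           {"a": P, "b": P, "c": P}, "a")
# A canonical structure with one state per simple path of the clique
# (bc = the copy of c reached under b, cb = the copy of b reached under c).
CANON = ({"a": {"b", "c"}, "b": {"a", "bc"}, "c": {"a", "cb"},
          "bc": {"a", "b"}, "cb": {"a", "c"}},
         {s: P for s in ("a", "b", "c", "bc", "cb")}, "a")
# A self-loop on the root is backward and does not stop the structure from
# being canonical.
LOOPED = ({"a": {"a", "b"}, "b": set()}, {"a": P, "b": P}, "a")

if __name__ == "__main__":
    for name, M in (("CLIQUE3", CLIQUE3), ("CANON", CANON), ("LOOPED", LOOPED)):
        print(name, finite_representative_size(M), sorted(forward_edges(M)),
              chi(M), is_canonical(M), is_canonical_by_forward_edges(M))
```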

Definition 7.1.20. Let $I$ and $I'$ be stutter-equivalent structures with upper bound $I_U$, $P$ and $P'$ be finite prefixes of $I$ and $I'$ respectively, and $R \subseteq P \times P'$.

We say that $R$ is a matching between $P$ and $P'$ in relation to $I_U$ if $R$ is the maximal relation such that for every $(s, s') \in R$ there exists a state $s_U \in I_U$ whose origins in $I$ and $I'$ are $s$ and $s'$ respectively.

Lemma 7.1.21. Let $M$ and $M'$ be two canonical finite stutter-equivalent Kripke structures, $I$ and $I'$ be their unwindings, and let $P$ and $P'$ be the finite representatives of $I$ and $I'$ respectively. Then, there exist two stuttering sequences from $I$ and $I'$ to an upper bound $I_U$, where no more than $|P| \cdot |P'| - 1$ stutter operations are applied to states with origin in $P \cup P'$, and the structure $I_U$ is repetitive in stutter($P, I_U$) and stutter($P', I_U$).

(This is an extension of Lemma 7.1.13.) The proof of Lemma 7.1.21 is presented in Appendix C.

Lemma 7.1.22. If two canonical Kripke structures $M, M'$ are stutter-equivalent, then there exist Kripke structure stuttering sequences shorter than $|M| \cdot |M'|$ from them to two equivalent structures that satisfy the same CTL* formulas.

Proof. Let $P$ and $P'$ be the finite representatives of unwind($M$) and unwind($M'$) respectively. Using Lemma 7.1.21, we obtain that there are stuttering sequences from the unwindings of the two structures to a common structure $I_U$, for which the number of stutter operations affecting the finite representatives is not more than $|P| \cdot |P'| - 1$. This structure is repetitive in both stutter($P, I_U$) and stutter($P', I_U$). Therefore, as in the proof of Lemma 7.1.13, applying the equivalent Kripke structure stutter operations to $M$ and $M'$, we obtain two finite Kripke structures $M_f$ and $M'_{f'}$ that satisfy the same CTL* formulas, and that are stutter-equivalent to $M$ and $M'$ respectively.

Lemma 7.1.23. For a finite Kripke structure with $n$ states there exists an equivalent canonical structure with no more than $n!$ states.

Proof. A clique of size $n$ has the largest canonical structure of all structures with $n$ states. The size of the canonical structure for a clique is immediately obtained by the following recursion: $f(n) = 1 + (n - 1) f(n - 1)$ with $f(1) = 1$. It can be shown inductively that $f(n) < n!$ for all $n > 2$.

Lemma 7.1.24. The number of canonical structures with $n$ states is bounded by $n^{n-1} \cdot 2^{n(n-1)/2}$.

Proof. The number of possible canonical structures with $n$ states and no backward edges is equal to the number of labeled rooted trees of size $n$, which is $n^{n-1}$. Overestimating, such a structure has no more than $n(n-1)/2$ back edges (this can happen if the forward edges form a thread). In total, we obtain that there are no more than $n^{n-1} \cdot 2^{n(n-1)/2}$ canonical structures with $n$ states.

Theorem 7.1.25. There exists an algorithm for checking Kripke structure stutter equivalence in

$$O\Big(\big((n!)^{n!-1} \cdot 2^{n!(n!-1)/2}\big)^2\Big)$$

time.

Proof. Using Lemma 7.1.23 we obtain the canonization of the two input structures (each of size no more than $n!$) and examine all possible pairs of stuttering sequences no longer than the size of the canonical structures squared. By Lemma 7.1.21, if there exist two appropriate Kripke structure stuttering sequences then they are discovered by this examination.

Note that this is a gross overestimation. We actually do not have toexamine all canonical structures of the given size – we only need to examinestructures that are obtained from the input by stuttering, not every possiblecanonical structure of this size. Also, we conjecture that for most or allstructures we do not have to canonize the structures and can find stutteringsequences that do not necessarily contain canonical structures.

7.2 Stutter-Equivalence of Infinite Structures is not Contained in RE ∪ co-RE

In this section we show that no algorithm exists for deciding the stutter-equivalence of two structures for general branching-time structures, and even semi-deciding the problem or its inverse is impossible.

Definition 7.2.1. We say that the deterministic Turing machine $M$ over an alphabet $\Sigma$ computes a structure $I = (T, E, v)$ (and that the structure $I$ is computable) if:

1. The machine $M$ halts on every input.

2. For every input $x$, the machine $M$ produces an output of the form $(\beta, y_1, y_2, \ldots, y_n)$, where $\beta \in 2^V$ and $y_1, \ldots, y_n \in \Sigma^*$. We denote $y_1, \ldots, y_n$ as $children(M(x))$ and $\beta$ as $value(M(x))$.

3. There exists a bijection $f : \Sigma^* \to T$, such that for every $x, y \in \Sigma^*$:

(a) $f(\varepsilon) = root(I)$

(b) $y \in children(M(x))$ if and only if $(f(x), f(y)) \in E$

(c) $value(M(x)) = v(f(x))$

Figure 7.7: A Computable Structure With No Matching Finite Kripke Structure

A structure $I$ is computable if there exists a Turing machine that computes it.

Note that there exist computable temporal structures that cannot be obtained by unwinding any finite Kripke structure (see Figure 7.7 on page 55).

We encode states as words, with $\varepsilon$ encoding the root of $I$. The machine $M$ computes the edge relation on states and the labeling of states. We define the relation $SE \subset \Sigma^* \times \Sigma^*$ that comprises all the pairs of machines $(M, M')$ such that the structures computed by $M$ and $M'$ are stutter-equivalent.

Definition 7.2.2. We say that two branching-time temporal structures $I_1$ and $I_2$ are isomorphic if there is a one-to-one and onto mapping $f$ between states of $I_1$ and states of $I_2$, such that $s_2 = f(s_1)$ if and only if

• The labeling of $s_1$ is identical to the labeling of $s_2$

• For every state $s'_1 \in children(s_1)$ there exists a unique state $s'_2 \in children(s_2)$ such that $f(s'_1) = s'_2$

Theorem 7.2.3. $SE \notin RE \cup co\text{-}RE$: the problem of deciding, for a pair of Turing machines that compute structures, whether the computed structures are stutter-equivalent is not semi-decidable, and neither is its complement.

The proof of Theorem 7.2.3 is presented in Appendix C. This result is somewhat surprising, given that the problem of checking if two structures are isomorphic is in co-RE: if they are not isomorphic, then a counterexample can always be found in a finite amount of time. A simple algorithm for verifying non-isomorphism is checking, for $k = 0, 1, \ldots$, the isomorphism of the subtrees of height $k$. If the two infinite trees are non-isomorphic then there exists a witness of finite depth to this fact, and so this problem is in co-RE.
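As an added illustration of the co-RE argument above (Python written for this page, not the thesis's code), the following models two machines of Definition 7.2.1 as total functions from words to (value, children) and searches for a finite-height witness of non-isomorphism (Definition 7.2.2) by comparing canonical forms of the subtrees of height $k = 0, 1, \ldots$. The machines, the height bound and the function names are assumptions made here; a missing witness up to the bound proves nothing, which is exactly why the procedure only semi-decides non-isomorphism.

```python
from typing import Callable, FrozenSet, List, Optional, Tuple

# A "machine" in the sense of Definition 7.2.1, modelled as a total Python
# function: given the word x encoding a state it returns
# (value(M(x)), children(M(x))).  The empty word encodes the root.
Machine = Callable[[str], Tuple[FrozenSet[str], List[str]]]


def canonical_form(machine: Machine, x: str, height: int):
    """Canonical form of the subtree of height `height` rooted at state x.

    Two subtrees have equal canonical forms exactly when they are isomorphic
    in the sense of Definition 7.2.2 (labelings agree and the children can
    be matched one-to-one); sorting the children's forms makes the result
    independent of the order in which the machine lists them.
    """
    value, children = machine(x)
    if height == 0:
        return (tuple(sorted(value)), ())
    subforms = sorted(canonical_form(machine, y, height - 1) for y in children)
    return (tuple(sorted(value)), tuple(subforms))


def non_isomorphism_witness(m1: Machine, m2: Machine, max_height: int) -> Optional[int]:
    """The semi-decision procedure for non-isomorphism sketched after Theorem 7.2.3.

    Compares the subtrees of heights 0, 1, ... and returns the first height
    at which they differ.  None means no witness up to `max_height`, which is
    not a proof of isomorphism: that is why the problem is only in co-RE.
    """
    for k in range(max_height + 1):
        if canonical_form(m1, "", k) != canonical_form(m2, "", k):
            return k
    return None


P = frozenset({"p"})


# Constructed machines (not from the thesis).  `binary` computes the full
# binary tree with "p" holding on the even levels.
def binary(x: str):
    return (P if len(x) % 2 == 0 else frozenset()), [x + "0", x + "1"]


# The same tree with differently named (and differently ordered) children:
# isomorphic to `binary`, so no witness is ever found.
def binary_renamed(x: str):
    return (P if len(x) % 2 == 0 else frozenset()), [x + "b", x + "a"]


# Identical to `binary` except that the state "000" (depth 3) has a third
# child, so the first witness appears at height 4.
def ternary_at_000(x: str):
    value, children = binary(x)
    if x == "000":
        children = children + [x + "2"]
    return value, children


if __name__ == "__main__":
    print(non_isomorphism_witness(binary, ternary_at_000, 8))   # 4
    print(non_isomorphism_witness(binary, binary_renamed, 6))   # None
```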


Chapter 8

Open Problems

We conclude the thesis with a few open problems not addressed in this work.

Problem 1. Give a direct identification of stutter-free structures, that is, given a structure $I$, is there another, different structure $J$ such that $J < I$? Assuming the tree description itself is recursive (recursively enumerable), is there an algorithmic (recursive or recursively enumerable) solution?

Problem 2. Find a polynomial-time algorithm for deciding if two finiteKripke structures are stutter-equivalent.

Problem 3. Is the relation ≤ a partial order on structures? Does I ≤ Jand J ≤ I imply I = J?

Problem 4. A stutter-equivalent theory for a structure is the set of allstutter-equivalent formulas satisfied by that structure. If two structures havethe same stutter-equivalent theories, are they stutter-equivalent?

Problem 5. Does BGTLA express all stutter-invariant properties in CTL*−U?

Problem 6. Find an extension of BGTLA that includes U and operators such as $(\langle\varphi_1\rangle\psi_1) U (\langle\varphi_2\rangle\psi_2)$ that expresses all stutter-invariant properties in CTL*.

Problem 7. Let $M$ be a finite Kripke structure and $I$ its unwinding. Also, let $M'$ be the structure obtained by unifying stutter-equivalent states of $M$ and $I'$ be some minimal structure under the stutter relation that is stutter-equivalent to $I$. Identify under what conditions $I'$ is an unwinding of $M'$.


Problem 8. Give a definition of stutter-equivalence that is similar in formto the one given in [1] (Definition 1.0.1 in this thesis), but is equivalent toour definition of stutter-equivalence.


Appendices


Appendix A

Proofs of Auxiliary Statements for Chapter 4

Theorem 4.1.3. Two linear structures $I, I'$ are stutter equivalent if and only if their "next"-free theories are identical.

Proof. One direction is proven in [14], and we prove the other one. Assume that the "next"-free theories of $I$ and of $I'$ are identical. Let $\{v_1, \ldots, v_{2^n}\}$ be the set of all assignments to the atomic variables, and for every such assignment $v_i$ let $\beta_{v_i}$ be its characterizing formula $\bigwedge_{1 \le j \le n} \alpha_j$, where $\alpha_j = p_j$ if $p_j \in v_i$ and $\alpha_j = \neg p_j$ if $p_j \notin v_i$.

We first consider the case in which $I$ does not consist of a single halted path.

For every $k$ there exists a formula $\varphi_k$ of the form

$$\beta_{v_{c_1}} U (\beta_{v_{c_2}} U (\ldots U \beta_{v_{c_k}}) \ldots)$$

that defines the first $k$ states of the unstuttering of $I$. The set $\{\varphi_k\}$ of such formulas defines all the states of the unstuttering of $I$. Since this set of formulas is jointly satisfied by $I$ and $I'$, the unstuttering of $I'$ is the same as the unstuttering of $I$, and $I$ and $I'$ are stutter equivalent.

If $I$ is a halted path, then there exists a single formula of the form

$$\beta_{v_{c_1}} U (\beta_{v_{c_2}} U \ldots U (\beta_{v_{c_{k-1}}} U \Box\beta_{v_{c_k}}) \ldots)$$

that defines all the elements of the unstuttering of $I$. Again this formula must be satisfied by $I'$ as well, and so $I$ and $I'$ are stutter-equivalent.

Lemma 4.2.2. If $I' = WS(I, s_c)$, then for all formulas $\varphi$ and paths $\pi_I \in I$, $(I, \pi_I) \models \varphi \Leftrightarrow (I', \pi_{I'}) \models \varphi$, and if $\pi^*_{I'}$ is defined then $(I, \pi_I) \models \varphi \Leftrightarrow (I', \pi^*_{I'}) \models \varphi$.


Proof. For the propositional variables the proof is immediate. For logical and temporal connectives and the quantifier $\exists$ the proof is by induction on the formula structure. We will show in detail only the case of $\circ\varphi$.

Assume that the lemma holds for $\varphi$, and that for some $\pi_I = (s_0, s_1, \ldots) \in I$, $(I, \pi_I) \models \circ\varphi$. Then $(I_{s_1}, \pi_I^{+1}) \models \varphi$, and $(I'_{s_1}, \pi_{I'}^{+1}) \models \varphi$. By the definition of $\circ$, we obtain $(I', \pi_{I'}) \models \circ\varphi$. Similarly, if $\pi^*_I$ is defined then $(I'_{s_1}, (\pi^*_{I'})^{+1}) \models \varphi$, and $(I', \pi^*_{I'}) \models \circ\varphi$.

Assume that for some $\pi'_{I'} = (s'_0, s'_1, \ldots)$, $(I', \pi'_{I'}) \models \circ\varphi$. The path $\pi'_{I'}$ is a (first or second) copy of some path $\pi_I = (s_0, s_1, \ldots) \in I$. If $(I, \pi_I) \not\models \circ\varphi$, then $(I_{s_1}, \pi^{+1}) \not\models \varphi$, and so $(I'_{s'_1}, \pi'^{+1}) \not\models \varphi$. Therefore, $(I', \pi') \not\models \circ\varphi$, in contradiction to the assumption.

Lemma 4.2.5. If $I' = HS(I, s, C_s)$, then for every formula $\varphi$ that does not contain $\circ$ and for every path $\pi_I \in I$, $(I, \pi_I) \models \varphi$ if and only if $(I', \pi_{I'}) \models \varphi$, and if $\pi^*_{I'}$ is defined then $(I, \pi_I) \models \varphi$ if and only if $(I', \pi^*_{I'}) \models \varphi$.

Proof. For the propositional variables the proof is immediate. For logical and temporal connectives and the quantifier $\exists$ the proof is by induction on the formula structure. This time we will show in detail the case of $\varphi U \psi$.

Assume that the lemma holds for $\varphi$ and $\psi$, and that for $\pi_I = (s_0, s_1, \ldots) \in I$, $(I, \pi_I) \models \varphi U \psi$. Then there exists a $k \ge 0$ such that for $0 \le i < k$, $(I_{s_i}, \pi_I^{+i}) \models \varphi$ and $(I_{s_k}, \pi_I^{+k}) \models \psi$.

Let $s$ be the focus of the $HS$ operation. If $s$ is not on $\pi_I$ then the proof is trivial using the induction assumption. Assume that $s \in \pi_I$ and let $j$ be a positive integer such that $s_j = s$. For all $i < k$, $(I'_{s_i}, \pi_{I'}^{+i}) \models \varphi$. This is true if $k < j$ because the path is identical in $I$ and $I'$, and also if $k \ge j$, because the states $s_1$ and $s_2$ are both copies of $s$ and so the induction assumption holds for them. The same argument shows that $(I'_{s_k}, \pi_{I'}^{+k}) \models \psi$, and so $(I', \pi_{I'}) \models \varphi U \psi$.

The proof for $\pi^*_{I'}$ when it is defined is similar.

Lemma 4.4.6. For a stuttering sequence $(I_i)$ with at least one drop, let $m(I_i)$ be $\min\{d \mid d \text{ is the original depth of the focus of a drop in } (I_i)\}$. Let $(I_i)$ be a stuttering sequence that contains at least one drop, and let $i_0$ be the index of the structure obtained from the first drop in $(I_i)$ with focus at original depth $m(I_i)$. Then, there exists an equivalent stuttering sequence $(J_i)$ such that:

• $I_0 = J_0$ and $\lim_{i \to \infty} I_i = \lim_{i \to \infty} J_i$

• Either $(J_i)$ contains no drops, $m(J_i) > m(I_i)$, or $m(J_i) = m(I_i)$ and the number of drops in $(J_i)$ with focus at original depth $m(I_i)$ is smaller than the number of such drops in $(I_i)$.

Proof. We transform $(I_i)$ to $(J_i)$ by "pulling" the first drop with focus at original depth $m(I_i)$ backward towards the start of $(I_i)$, placing it right after all stutter operations with equal or lower original depth.

Every such pull might require replicating a stutter operation: if a stutter operation on a state lower in the tree is pushed behind a stutter operation with focus on a deeper state, we might need to apply the deeper stutter operation on the new, copied branch created by the lower stutter operation. In general, every stutter operation can be thus pushed to its place according to original depth, at the potential cost of exponentially lengthening the sequence up to it.

The resulting stuttering sequence $(J_i)$ still has $I_0$ as a first element, and its limit is $\lim_{i \to \infty} I_i$. Because it contained a finite number of stutter operations at any original depth, it now has either no drops, or $m(J_i) > m(I_i)$, or the number of drops with original depth $m(I_i)$ is lower in it.

Proposition 4.4.8. The relation $\le$ is a preorder on structures, that is, $\le$ is a reflexive and transitive relation.

Proof. We will prove that the relation $\le$ is reflexive and transitive. It is easy to see that $\le$ is reflexive: for every structure $I$, the sequence $(I, I, I, \ldots)$ is an advancing stuttering sequence from $I$ to itself. We will show that $\le$ is transitive.

Let $I, J, K$ be structures such that $I \le J$ and $J \le K$. We will show that $I \le K$. Let $(I_i)$, $(J_i)$ be non-decreasing stuttering sequences with $I_0 = I$, $I_\infty = \lim_{i\to\infty} I_i = J$, $J_0 = J$, $J_\infty = \lim_{i\to\infty} J_i = K$. We construct a new sequence $(K_i)^\infty$.

We start with $(K_i)^0 = (I_0, I_1, \ldots, J_0, J_1, \ldots)$, the concatenation of $(I_i)$ and $(J_i)$. The sequence $(K_i)^0$ is of length $2 \cdot \omega$, and so is not a stuttering sequence according to our definition (it has all the other properties of a stuttering sequence except being of length $\omega$).

We call the elements of $(K_i)^j$ with indexes $0 \le i < \omega$ "the first half of $(K_i)^j$" and all members with indexes $\omega \le i < 2 \cdot \omega$ "the second half of $(K_i)^j$". In a series of steps we transform the sequence $(K_i)^0$ into a "proper" stuttering sequence of length $\omega$. In the $j$-th step, we push all stutter operations with original depth $od = j$ from the second half of $(K_i)^j$ to the first half, to a place just after all the existing operations in the first half with $od = j$. Every such push might require copying stutter operations, potentially infinitely many: if an operation $op_2$ in the second half with focus on state $s_2$ is pushed behind an operation $op_1$ in the first half with focus on state $s_1$, and $s_1$ is a descendant of $s_2$, then $op_1$ must now be applied to all the new copies of $s_1$. Although every push might create an infinite number of new stutter operations in $(K_i)^j$, the number of states that are not affected by these pushes increases with $j$. For every positive integer $t$ there exists a $j$ such that no step after the $j$-th step affects $K_0 \ldots K_t$.

It follows that the limit sequence $(K_i)^\infty$ is defined, and it is a stuttering sequence of length $\omega$, because every operation in the second half of $(K_i)^0$ has by now been pulled into the first half. Since for every sequence $(K_i)^j$, $\lim_{i\to\infty} (K_i)^j = K$, also $\lim_{i\to\infty} (K_i)^\infty = K$.

Proposition 4.6.1. (Diamond) The relation $\le$ is an upper semi-lattice: for structures $I, J, K$, if $I \le J$ and $I \le K$ then there exists a structure $L$ that is an upper bound of $I, J, K$.

Proof. We construct $L$ and prove $J \le L$ and $K \le L$ ($I \le L$ follows from the transitivity of $\le$). Let $(J_i) = (J_0, J_1, \ldots)$ and $(K_i) = (K_0, K_1, \ldots)$ be non-decreasing stuttering sequences from $I$ to $J$ and to $K$ respectively. We show the construction of the sequence $(J_i)'$ from $J$ to $L$ (the sequence $(K_i)'$ from $K$ to $L$ is constructed symmetrically).

Let $(op_i)^K$ be the sequence of stutter operations used in $(K_i)$. For every stutter operation in $(op_i)^K$, we apply it to all the copies of its focus in $(J_i)'$. This creates a sequence $(J_i)'$ with a limit structure denoted $L_J$. The symmetric construction creates a sequence $(K_i)'$ with a limit structure denoted $L_K$. The structures $L_J$ and $L_K$ are identical because the same stutter operations were used to create them from $I$. The order of the stutter operations used to reach $L_J$ and $L_K$ is different, and because of this some operations have to be replicated, but we still have $L = L_J = L_K$.

Theorem 4.8.3. Any $\circ$-free formula is invariant under branching-time stuttering.

Proof. We shall prove that in an EF-game on $I_0, I_\infty$, the Duplicator has a winning strategy as long as no $\circ$-Moves are used. Because of the restriction to a finite number of stutter operations performed at any original depth, any state in $I_0$ is replicated only a finite number of times. We give a winning strategy for the Duplicator:

• $\exists$-Move: If the Spoiler picks a path $\pi \in I_0$, the Duplicator picks its copy in $I_\infty$, which is obtained from $\pi$ by adding replicated states whenever possible. It is built incrementally: whenever a state $s$ is reached in $\pi$, we reach a state $s' \in \pi_\infty$ which is a copy of $s$. Then, as long as we can, we add a copied successor of the current state to $\pi_\infty$. If the Spoiler picks any path $\pi' \in I_\infty$, the Duplicator picks the original path $\pi \in I_0$.

• $\Diamond$-Move: As long as the Spoiler advances only in copied states, the Duplicator does not move at all. Whenever the Spoiler advances to states with higher original depth, the Duplicator does so as well. Since the number of states with a given original depth is finite, the Duplicator can never get stuck on a path with non-decreasing original depth, and can always match the Spoiler's moves.

• U-Move: For the first part of the U-Move, the Duplicator moves as in the $\Diamond$-Move. Then, if the Spoiler moves backward, to a state with lower original depth, the Duplicator does so as well. In the first move the Duplicator always selects a state with original depth equal to that of the Spoiler's choice, so he can do so in the second move as well.

Since the Duplicator has a winning strategy, by Theorem 3.0.2 the structures $I_0, I_\infty$ are indistinguishable by all "next"-free formulas.

Appendix B

Proofs of Auxiliary Statements for Chapter 5

Lemma 5.0.5. Let $I_1, I_2$ be the structures in Figure 5.1 on page 33. No "next"-free formula distinguishes between $I_1$ and $I_2$.

Proof. We give a winning strategy for the Duplicator, as long as the Spoiler does not use $\circ$-Moves. If the Spoiler moves into one of the branches starting with $\beta_2$ or $\beta_3$ and the Duplicator can match this move, the Duplicator will win, because the two structures under comparison are the same.

• $\exists$-Move: If the Spoiler chooses the path $(\beta_1, \beta_1, \ldots)$, then the Duplicator chooses the same path in the other structure. Otherwise, the Spoiler chooses a path of the form $\beta_1^k\beta_2$ or $\beta_1^k\beta_3$ with $k > 0$. The Duplicator responds by choosing the path $\beta_1^{k'}\beta_2$ or $\beta_1^{k'}\beta_3$ accordingly, with the smallest possible $k'$.

• $\Diamond$-Move: Due to the strategy for the $\exists$-Moves, the paths $\pi_1, \pi_2$ are always identical up to the number of $\beta_1$ states. If the current path is $\beta_1^\omega$, then the Duplicator never moves at all, regardless of the Spoiler's move. If the current path in one of the structures is of the form $\beta_1^k\beta_2$ or $\beta_1^k\beta_3$, then the current path in the other structure is identical up to the value of $k$. If the Spoiler advances up to the states with $\beta_2$ or $\beta_3$, the Spoiler can never win, because the Duplicator's response is to reach the $\beta_2$ or $\beta_3$ state in the other structure and thus reach an identical structure. Therefore a clever Spoiler always retains a positive number of states with $\beta_1$, and so the Duplicator need not move in this case.

• U-Move: If the current path is $(\beta_1, \beta_1, \ldots)$ the Spoiler cannot make a meaningful move: the Duplicator's path is also $(\beta_1, \beta_1, \ldots)$ and he retains his position. If the current path is $\beta_1^k\beta_2$ or $\beta_1^k\beta_3$ with $k > 0$, the Spoiler may choose a position with $\beta_1$, or the first position with $\beta_2$ or $\beta_3$, or another position with $\beta_2$ or $\beta_3$. If he chooses a position with $\beta_1$, the Duplicator does not move. If the Spoiler chooses the first position with $\beta_2$ or $\beta_3$, the Duplicator chooses the same such position on his path, and then a smart Spoiler must go back to some position with $\beta_1$, but so can the Duplicator. If the Spoiler's first choice is a later position with $\beta_2$ or $\beta_3$ and not the first such position, in his second choice he may retain a place with $\beta_2$ or $\beta_3$ or go back to some $\beta_1$ position; in both cases the Duplicator's reply is to copy the Spoiler's move.

The Duplicator wins because, as long as the Spoiler does not enter one of the side branches, the Duplicator can maintain a similar state. It follows from Theorem 3.0.2 that no "next"-free formula distinguishes between $I_1$ and $I_2$.

Appendix C

Proofs of Auxiliary Statements for Chapter 7

Lemma 7.1.13. Let $I$ and $I'$ be the unwindings of two finite Kripke structures $M$ and $M'$, and let $P$ and $P'$ be the finite representatives of $I$ and $I'$. If the structures $I$ and $I'$ are stutter equivalent then there exists an upper bound $I_U$ on $I$ and $I'$ that is repetitive in both the stuttering of $P$ and the stuttering of $P'$ in $I_U$.

Proof. We will prove that there exists an upper bound $I_U$ on $I$ and $I'$ that is repetitive in the stuttering of $P$ in $I_U$.

Let $I_U$ be some upper bound of $I$ and $I'$, and let $(I_i)$ be a stuttering sequence from $I$ to $I_U$. Assume without loss of generality that in $(I_i)$, after a stutter operation has been applied to a state, no other stutter operation is applied to any ancestor of that state.

Also assume without loss of generality that $(I_i)$ is partitioned into four contiguous parts (see Figure C.1 on page 68):

1. $I_0 \ldots I_l$: containing all the stutter operations applied to $\mathrm{stutter}(P, I_U) \cap \mathrm{stutter}(P', I_U)$

2. $I_{l+1} \ldots I_m$: containing all the stutter operations applied to $\mathrm{stutter}(P, I_U) \setminus \mathrm{stutter}(P', I_U)$

3. $I_{m+1} \ldots I_n$: containing all the stutter operations applied to $\mathrm{stutter}(P', I_U) \setminus \mathrm{stutter}(P, I_U)$

4. $I_{n+1}, I_{n+2}, \ldots$: all the other stutter operations in $(I_i)$

We construct a new stuttering sequence $(J_i)$ from $I$. For $0 \le i \le l$ let $J_i = I_i$. Then, for every stutter operation in $I_{l+1} \ldots I_m$ with focus $s$, let $s'$ be the matching state of $s$ in $P'$ (recall that $I'$ is repetitive in $P'$ and $s \notin P'$). We add to $(J_i)$ copies of all such stutter operations, with the focus of each copy on $s'$. Similarly, for every stutter operation in $I_{m+1} \ldots I_n$ with focus on some state $s$, let $s'$ be the matching state in $P$. We add to $(J_i)$ copies of all such stutter operations, with the focus of the copies on $s'$. Then we add to $(J_i)$ all stutter operations in $I_{l+1} \ldots I_m$.

Finally, for every state $s$ in $I$ that is a replicate of some state $s' \in P$, we apply to $s'$ all stutter operations applied to $s$. Let $J_\infty$ be the limit of $(J_i)$. Because of the construction of $(J_i)$, the structure $J_\infty$ is repetitive in $\mathrm{stutter}(P, J_\infty)$.

By a similar construction we obtain a stuttering sequence $(J'_i)$ from $I'$ with a limit $J'_\infty$ repetitive in $\mathrm{stutter}(P', J'_\infty)$. Because we copied all stutter operations applied to $\mathrm{stutter}(P, I_U) \setminus \mathrm{stutter}(P', I_U)$ and to $\mathrm{stutter}(P', I_U) \setminus \mathrm{stutter}(P, I_U)$ into $\mathrm{stutter}(P, J_\infty)$ and into $\mathrm{stutter}(P', J'_\infty)$, we see that $J_\infty$ is identical to $J'_\infty$.

Lemma 7.1.14. Let $M$ be a finite Kripke structure, $I$ its unwinding, and let $I'$ be a stuttering of $I$. Let $P$ be the finite representative of $I$, and $P'$ the stuttering of $P$ in $I'$. If $I'$ is repetitive in $P'$ then there exists a finite Kripke structure $M'$ such that $I'$ is the unwinding of $M'$ and $M \le M'$.

Proof. Let $(I_i)$ be a stuttering sequence from $I$ to $I'$ in which, after a stutter operation is applied to a state, no other stutter operation is applied to its ancestors, and in which all stutter operations are applied to states in $P$ before all other states. We construct a stuttering sequence of finite Kripke structures $(M_i)$. As the base, let $M_0 = M$.

Let $P_k$ be the copy of $P$ in $I_k$, let $s \in P_k$ be the focus of the current stutter operation, and let $s'$ be the matching state in $M_k$. According to the stutter operation applied to $s$, we apply a stutter operation to $M_k$:

• $WS(I_k, s)$: we choose $in' = in'' = \mathrm{incoming\_edges}(s)$, $move\_start = loop' = loop'' = \mathit{false}$, and add to $(M_i)$ the structure $WSK(M_k, s', in', in'', move\_start, loop', loop'')$.

• $HS(I_k, s, C_s)$: let $C'_s$ be the set of states in $M_k$ matching $C_s$. Let $out = C'_s$, $in' = \mathrm{incoming\_edges}(s)$, $in'' = \emptyset$, $move\_start = \mathit{false}$. Then we add to $(M_i)$ the structure $HSK(M_k, s', out, in', in'', move\_start)$.

Let $M_f$ be the last structure in $(M_i)$. For every $0 \le i \le f$, the finite representative of $\mathrm{unwind}(M_i)$ is identical to that of $I_i$. The finite representative of $I'$ is identical to that of $I_f$, and so to that of $\mathrm{unwind}(M_f)$. Since $I'$ is repetitive in $I_f$, $\mathrm{unwind}(M_f) = I'$.

Figure C.1: Partitioning of $I_U$

Lemma 7.1.21. Let $M$ and $M'$ be two canonical stutter-equivalent finite Kripke structures, $I$ and $I'$ their unwindings, and let $P$ and $P'$ be the finite representatives of $I$ and $I'$ respectively.

Then there exist two stuttering sequences from $I$ and $I'$ to an upper bound $I_U$, where no more than $|P| \cdot |P'| - 1$ stutter operations are applied to states with origin in $P \cup P'$, and the structure $I_U$ is repetitive in $\mathrm{stutter}(P, I_U)$ and $\mathrm{stutter}(P', I_U)$.

Proof. For every matching $R$ we define

$\mathrm{max\_sets}(R) = \{(A, B) \mid A \text{ and } B \text{ are maximal sets such that } (\forall s \in A)(\forall s' \in B)\ ((s, s') \in R)\}$

We also define $f(R) = \sum_{(A,B) \in \mathrm{max\_sets}(R)} (|A| \cdot |B| - 1)$.

The sequences are constructed inductively. As the base let $M_0 = M$ and $M'_0 = M'$. Assume that the sequences have been constructed up to $M_k$ and $M'_{k'}$, and let $P_k$ and $P'_{k'}$ be the finite representatives of $\mathrm{unwind}(M_k)$ and $\mathrm{unwind}(M'_{k'})$. Since $M_k$ and $M'_{k'}$ are stutter-equivalent, there exists some matching $R$ between $P_k$ and $P'_{k'}$. If $\mathrm{max\_sets}(R)$ contains two siblings or a child and parent state, then one of these cases holds:

• The matching set of these two states contains two similar states (two siblings or a child and parent state). In this case there exists a refinement of $R$, and we replace $R$ by its refinement.

• The matching set of these two states does not contain two similar states. In this case we add either WSK operations (if the states are siblings) or HSK operations (if the states are child and parent) to the appropriate stuttering sequence.

In both these cases (either refining $R$ or adding certain stutter operations) there exists a new matching $R'$ between the last two finite Kripke structures in the sequences, with $f(R') < f(R)$. This holds in the case of adding stutter operations even though it enlarges one of the structures, because the size of the matched set in the other structure is reduced by 1. If the sets $A$ and $B$ were matched in $R$ and now $A \setminus \{s\}$ is matched with $B$ and $s$ is matched with a new copy of $B$, then the value of $f$ is lowered by

$(|A| \cdot |B| - 1) - \big((|A| - 1) \cdot |B| - 1 + |B| - 1\big) = 1$

When this process terminates and no appropriate pair of states exists, the unwindings of both structures are the same. Since with every iteration $f$ decreases by at least 1 and $f$ is non-negative, the combined length of the stuttering sequences from $M$ and $M'$ cannot be greater than $|M| \cdot |M'|$.

Theorem 7.2.3. $SE \notin RE \cup co\text{-}RE$: the problem of deciding, for a pair of Turing machines that compute structures, whether the computed structures are stutter-equivalent is not semi-decidable, and neither is its complement.

Proof. We describe a reduction from the Halting Problem ($HP$) to $SE$. We define the following structures in Figures C.2, C.3 and C.4 on page 70.

Figure C.2: The Structures $\{I_k\}$

Figure C.3: The Special Case $I_0$

Figure C.4: The Structure $I_\infty$

Let $M_k$, $M_\infty$ be Turing machines computing $I_k$ and $I_\infty$ respectively. Given a Turing machine $M$ as input, we output the pair of machines $(M_0, M')$.


The machine $M'$, given input $x$, finds the state $s$ encoded by $x$ in $I_0$ by starting at the root and scanning until it reaches a state with encoding $x$. Let $k$ be the distance of $s$ from $\mathrm{root}(I_0)$. The machine $M'$ then runs $M$ on $x$ for $k$ steps. If $M$ halts within $k$ steps, $M'$ answers like the machine $M_k$. If $M$ does not halt on $x$ within $k$ steps, $M'$ answers like $M_\infty$.

If the input to the reduction is a Turing machine that never halts, then $M'$ computes $I_\infty$; otherwise it computes $I_k$ for some non-negative integer $k$. Note that for every such $k$, $I_0$ and $I_k$ are stutter-equivalent but $I_0$ and $I_\infty$ are not. Therefore $M \in HP$ if and only if $(M_0, M') \in SE$. Because $HP \notin RE$, $SE \notin RE$ either.

With a slight modification of the above reduction we could output $(M_\infty, M')$ instead, getting $M \in HP$ if and only if $(M_\infty, M') \notin SE$. From this it follows that $SE \notin co\text{-}RE$.

Bibliography

[1] Michael C. Browne, Edmund Melson Clarke, and Orna Grumberg. Characterizing finite Kripke structures in propositional temporal logic. Theoretical Computer Science, 59(1-2):115–131, 1988.

[2] Kousha Etessami and Thomas Wilke. An until hierarchy and other applications of an Ehrenfeucht–Fraïssé game for temporal logic. Information and Computation, 160(1-2):88–108, 2000.

[3] J. L. Fiadeiro and T. Maibaum. Sometimes "tomorrow" is "sometime": action refinement in a temporal logic of objects. Lecture Notes in Computer Science, 827:48–??, 1994.

[4] Dov M. Gabbay, Marcelo Finger, and Mark A. Reynolds. Temporal Logic: Mathematical Foundations and Computational Aspects, volume 2. Oxford University Press, 2000.

[5] Rob Gerth, Ruurd Kuiper, Doron Peled, and Wojciech Penczek. A partial order approach to branching time logic model checking. In Proceedings of the Third Israel Symposium on the Theory of Computing and Systems (ISTCS'95), Tel Aviv, Israel, January 4-6, 1995.

[6] Jan Friso Groote and Frits W. Vaandrager. An efficient algorithm for branching bisimulation and stuttering equivalence. In M. S. Paterson, editor, Automata, Languages and Programming, pages 626–638, 1990.

[7] Edmund M. Clarke Jr., Orna Grumberg, and Doron A. Peled. Model Checking. MIT Press, Cambridge, MA, USA, 1999.

[8] Michael Kaminski. Invariance under stuttering in a temporal logic without the "until" operator. Fundamenta Informaticae, 82:127–140, 2008.

[9] Michael Kaminski and Yael Yariv. A real-time semantics of temporal logic of actions. Journal of Logic and Computation, 13:921–937, 2003.

[10] Leslie Lamport. Introduction to TLA. Technical Note 1994-001, Digital Systems Research Center, Palo Alto, CA, 1994.

[11] Leslie Lamport. The temporal logic of actions. ACM Transactions on Programming Languages and Systems, 16(3):872–923, May 1994.

[12] S. Merz. A more complete TLA. In J. M. Wing, J. Woodcock, and J. Davies, editors, Proceedings of FM'99 – Formal Methods: World Congress on Formal Methods in the Development of Computer Systems, Volume II, pages 1226–1244, Berlin, 1999. Springer Verlag. Lecture Notes in Computer Science 1709.

[13] Shiva Nejati, Arie Gurfinkel, and Marsha Chechik. Stuttering abstraction for model checking. In Bernhard K. Aichernig and Bernhard Beckert, editors, SEFM '05: Proceedings of the Third IEEE International Conference on Software Engineering and Formal Methods, pages 311–320, Washington, DC, USA, 2005. IEEE Computer Society.

[14] Doron Peled and Thomas Wilke. Stutter-invariant temporal properties are expressible without the next-time operator. Information Processing Letters, 63(5):243–246, 1997.

[15] Alexander Rabinovich and Shahar Maoz. An infinite hierarchy of temporal logics over branching time. Information and Computation, 171(2):306–332, 2001.

[16] Serdar Tasiran. Compositional and hierarchical techniques for the formal verification of real-time systems. PhD thesis, 1998. Chair: Robert K. Brayton.

Properties Preserved Under Stuttering in Branching-Time Temporal Logic

Ron Gross

Research Thesis

Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in Computer Science

Ron Gross¹

Submitted to the Senate of the Technion – Israel Institute of Technology

Sivan 5768, Haifa, June 2008

¹ [email protected]

The research was carried out under the supervision of Associate Professor Michael Kaminski in the Faculty of Computer Science.

I would like to thank my advisor, Associate Professor Michael Kaminski, for his continued support, both professional and personal. Working with you was a most pleasant experience for me. Thank you for encouraging me not to compromise and for helping me keep a high standard in my work. I would also like to thank my examiners, Prof. Orna Grumberg and Prof. Orna Kupferman, for their thorough examination of my work and for their helpful comments.

On a personal note, I would like to thank my family, and in particular my parents, who introduced me to mathematics and science and always encouraged me to pursue knowledge and to understand more.

In addition, I would like to thank my partner Aya, for constantly reminding me of the important things in life and for not letting me give up on my goals.

I thank the Technion for its generous financial support of my studies.

Abstract

A linear temporal structure is a stuttering of another linear temporal structure if it can be obtained from the second structure by repeating some of its states. An unstuttered structure is obtained from a temporal structure by removing all repetitions, or stutter steps. Two linear structures are stutter equivalent if they have the same unstuttered structure. A formula in a linear logic is called invariant under stuttering if applying a stuttering to any structure does not change the truth value of the formula on that structure.

Invariance under stuttering is a useful and desirable property of specifications and specification languages. State repetitions in linear time have been studied extensively, and the literature contains several languages that express only stutter-invariant properties. Invariance under stuttering enables techniques such as partial order reduction, which makes model checking easier, and hierarchical composition of models from simpler models. Examples of languages that express only stutter-invariant linear properties are GTLA and LTL-X (LTL without the "Next" operator).

By contrast, less research has been done on state repetitions in branching time. A definition of stuttering in branching time was proposed by Browne, Clarke and Grumberg. Under this definition, two branching-time temporal structures are stutter equivalent if there is a matching between the states of the two structures such that two states match if and only if the following two properties hold:

1. The labelings of the two states are equal.

2. For every path starting at the first state there is a path starting at the second state, and there are partitions of the two paths into finite contiguous blocks such that for every natural number k, two states in the respective k-th blocks match each other.

This definition does answer the question of stutter equivalence of structures in branching time. However, it does not refer to the tree structure of the temporal structures but only to paths (albeit iteratively), and it contains no notion of a "stutter step" as in the linear definition. We argue that this is not the only possible definition of stutter equivalence in branching time.

In this work we propose a different definition of stutter equivalence, based on atomic stutter steps, and show that it is stronger than the existing definition. In particular, a theorem that holds for the accepted definition, "for every stutter-invariant formula there is an equivalent formula without the 'Next' operator", does not hold for our definition: there are formulas containing the "Next" operator that are invariant under stuttering as we define it, but are not invariant under the accepted definition.

The definition we propose is based on the following two stutter steps:

1. Width stuttering: duplicating a subtree of the structure and adding the copy as a sibling of the original subtree.

2. Height stuttering: splitting a state of the structure into two states, one the parent of the other. All the children of the state, with their subtrees, become children of the child state. In addition, an arbitrary subset of the state's children is copied, with the copies becoming children of the parent state.

Both steps preserve all formulas without the "Next" operator. We define a stuttering sequence as an infinite sequence of temporal structures in which every structure is obtained from its predecessor by applying a single stutter step, or is a copy of its predecessor (finite sequences do not suffice, since even in the linear case there are simple examples of equivalent structures that require an infinite number of stutter steps to get from one to the other). A stuttering sequence converges to a limit if for every depth in the tree there is a point in the sequence from which all structures in the sequence contain the same subtree up to that depth.

The original depth of a node in some structure of a stuttering sequence is the depth of the original state from which the node was copied in the first structure of the sequence. A stuttering sequence is advancing if at every original depth only a finite number of stutter steps is applied. Restricting stuttering sequences to advancing ones is done to prevent degenerate cases in which certain formulas without the "Next" operator change their value.
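The following program is an added example and not code from the thesis. It implements the two stutter steps defined above (width stuttering and height stuttering) on a finite tree-shaped Kripke structure, together with a small CTL model checker for the fragment built from EX, EU and EG (the derived EF and AG are included), and then checks the claim made here and in Theorem 4.8.3 that a Next-free formula keeps its truth value across a stutter step while a formula containing EX need not. Two assumptions are not in the thesis: leaves of the finite tree get an implicit self-loop so that every path is infinite, and the sample structure (a root labelled p with children a labelled q and b labelled p, b having a child d labelled q) is constructed for this example.

```python
from itertools import count

class Tree:
    """Finite tree-shaped Kripke structure. Assumption for this example: leaves get
    an implicit self-loop, so every path is infinite and CTL semantics apply."""
    def __init__(self):
        self.label, self.kids, self._ids = {}, {}, count()

    def add(self, props, parent=None):
        n = next(self._ids)
        self.label[n], self.kids[n] = frozenset(props), []
        if parent is not None:
            self.kids[parent].append(n)
        return n

    def succ(self, n):
        return self.kids[n] or [n]  # leaf: self-loop

    def parent(self, n):
        return next(p for p, cs in self.kids.items() if n in cs)

    def copy_subtree(self, n, parent):
        """Deep-copy the subtree rooted at n under parent, with fresh node ids."""
        m = self.add(self.label[n], parent)
        for c in list(self.kids[n]):
            self.copy_subtree(c, m)
        return m

def width_stutter(t, s):
    """WS(s): duplicate the subtree rooted at s and add it as a sibling of s."""
    return t.copy_subtree(s, t.parent(s))

def height_stutter(t, s, copied=()):
    """HS(s, C): split s into s (parent) and a fresh child s2 with the same label.
    All children of s move under s2; the subtrees of the children in C (a subset
    of the old children) are additionally copied directly under s."""
    old = t.kids[s]
    s2 = t.add(t.label[s])
    t.kids[s2], t.kids[s] = old, [s2]
    for c in copied:
        if c not in old:
            raise ValueError("C must be a subset of the children of s")
        t.copy_subtree(c, s)
    return s2

def sat(t, f):
    """Nodes of t satisfying CTL formula f (standard fixpoint algorithm). Formulas
    are nested tuples over ('true',), ('ap', p), ('not', f), ('and', f, g),
    ('EX', f), ('EU', f, g), ('EG', f)."""
    nodes, op = set(t.label), f[0]
    if op == 'true': return nodes
    if op == 'ap': return {n for n in nodes if f[1] in t.label[n]}
    if op == 'not': return nodes - sat(t, f[1])
    if op == 'and': return sat(t, f[1]) & sat(t, f[2])
    if op == 'EX':
        s = sat(t, f[1])
        return {n for n in nodes if any(m in s for m in t.succ(n))}
    if op == 'EU':  # least fixpoint: g-states, then f-states with a successor inside
        s1, res = sat(t, f[1]), sat(t, f[2])
        while True:
            new = {n for n in s1 - res if any(m in res for m in t.succ(n))}
            if not new: return res
            res |= new
    if op == 'EG':  # greatest fixpoint: drop f-states with no successor inside
        res = sat(t, f[1])
        while True:
            drop = {n for n in res if not any(m in res for m in t.succ(n))}
            if not drop: return res
            res -= drop
    raise ValueError(f"unknown operator {op!r}")

def EF(f): return ('EU', ('true',), f)
def AG(f): return ('not', EF(('not', f)))
def implies(f, g): return ('not', ('and', f, ('not', g)))
def holds(t, f, n): return n in sat(t, f)

P, Q = ('ap', 'p'), ('ap', 'q')
NEXT_FREE = [EF(Q), AG(implies(P, EF(Q))), ('EU', P, Q), ('EG', P)]
WITH_NEXT = ('EX', Q)

def build():
    """Constructed sample: root{p} -> a{q}, b{p}; b -> d{q}. Returns (tree, root, a)."""
    t = Tree()
    r = t.add({'p'})
    a = t.add({'q'}, r)
    t.add({'q'}, t.add({'p'}, r))
    return t, r, a

def compare(stutter):
    """Truth values at the root before and after stutter(t, r, a); the last entry
    is the EX formula, the rest are Next-free."""
    t, r, a = build()
    before = [holds(t, f, r) for f in NEXT_FREE + [WITH_NEXT]]
    stutter(t, r, a)
    after = [holds(t, f, r) for f in NEXT_FREE + [WITH_NEXT]]
    return before, after

if __name__ == '__main__':
    print("WS(a):       ", compare(lambda t, r, a: width_stutter(t, a)))
    print("HS(root, {}):", compare(lambda t, r, a: height_stutter(t, r)))
```

Running the script shows that width stuttering of a changes no truth value, while height stuttering of the root with an empty copied set turns EX q at the root from true to false (the only successor of the root is now the fresh copy labelled p) without affecting any of the Next-free formulas; height stuttering with the child a in the copied set leaves EX q true as well, since a copy of a remains a direct child of the root.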

We show that the set of branching-time temporal structures with the relation "there is a stuttering sequence from structure A to structure B" forms a semi-lattice: if there are stuttering sequences from A to B and from A to C, then B and C have an upper bound D, with stuttering sequences from B and from C to D (the converse does not hold).

We define two structures to be stutter equivalent in branching time if there are two stuttering sequences from these structures to a common structure. We use the semi-lattice property to show that the relation we defined is transitive (one of the properties required of an equivalence relation).

We define Ehrenfeucht–Fraïssé games for branching-time logic, and use them to prove that the above definition preserves all formulas that do not contain the "Next" operator. In addition, we present a formula that does contain the "Next" operator, is invariant under stuttering, and is not equivalent to any formula without the "Next" operator. This result shows that the equivalence relation we defined is stronger (finer) than the equivalence relation of the old definition.

Next we present the existing definition of the logic GTLA, a language that can describe all stutter-invariant linear properties expressible in LTL without the "Until" operator, and extend it to BGTLA, a language that can express only stutter-invariant branching-time properties. We did not succeed in proving that BGTLA expresses all stutter-invariant properties expressible in CTL* without "Until". It should be noted that we did not find any other language that expresses all stutter-invariant properties of CTL*.

Finally, we examine the algorithmic aspects of stutter-invariant properties in branching time. First, we show that, given two Turing machines computing structures, the problem of deciding whether they compute structures that are stutter equivalent in branching time is not semi-decidable, and neither is its complement (the problem is neither in RE nor in co-RE). Then we define stutter equivalence of finite Kripke structures, and show that two finite Kripke structures are stutter equivalent if and only if the temporal structures they unwind to are equivalent. Finally, we present an algorithm that decides whether two finite Kripke structures are stutter equivalent.

The work is divided into chapters as follows. In Chapter 2 we present the syntax and semantics of CTL*. In Chapter 3 we define an Ehrenfeucht–Fraïssé game for branching-time logic. In Chapter 4 we present our definition of stuttering in branching time and show that it has several desirable properties, such as preserving all formulas without "Next". In Chapter 5 we use the Ehrenfeucht–Fraïssé game to show that there are formulas with "Next" that are invariant under stuttering but not equivalent to any formula without "Next". In Chapter 6 we define the logic BGTLA, in which a large part of the stutter-invariant formulas, and only such formulas, can be expressed. In Chapter 7 we discuss the algorithmic aspects of stutter invariance, including a discussion of the decidability problem and the presentation of an algorithm that decides the problem for finite Kripke structures. We conclude by presenting several open problems not investigated in this work.