Table Of ContentThe final publication is available at Springer via http://dx.doi.org/10.1007/s00236-015-0250-1
A. Molinari, A. Montanari, A. Murano, G. Perelli, A. Peron
Checking interval properties of computations
In Journal: Acta Informatica, Springer Berlin Heidelber, 2015
Checking Interval Properties of Computations
AlbertoMolinari AngeloMontanari Aniello
· ·
Murano GiuseppePerelli AdrianoPeron
· ·
Received:date/Accepted:date
6
1
0 Abstract Modelcheckingisapowerfulmethodwidelyexploredinformalverifica-
2 tion. Given a model of a system, e.g., a Kripke structure, and a formula specifying
n its expected behaviour, one can verify whether the system meets the behaviour by
a checkingtheformulaagainstthemodel.
J
Classically,systembehaviourisexpressedbyaformulaofatemporallogic,such
3
asLTLandthelike.Theselogicsare“point-wise”interpreted,astheydescribehow
1
the system evolves state-by-state. However, there are relevant properties, such as
] thoseconstrainingthetemporalrelationsbetweenpairsoftemporallyextendedevents
O
orinvolvingtemporalaggregations,whichareinherently“interval-based”,andthus
L askingforanintervaltemporallogic.
.
s Inthispaper,wegiveaformalizationofthemodelcheckingprobleminaninterval
c logicsetting.First,weprovideaninterpretationofformulasofHalpernandShoham’s
[
interval temporal logic HS over finite Kripke structures, which allows one to check
1 intervalpropertiesofcomputations.Then,weprovethatthemodelcheckingproblem
v
5
9 AlbertoMolinariandAngeloMontanari
1 DepartmentofMathematicsandComputerScience,
3 UniversityofUdine,Italy
0 E-mail:[email protected];[email protected]
1. AnielloMurano
0 DepartmentofElectronicEngineeringandInformationTechnology,
UniversityofNapoli,Italy
6
E-mail:[email protected]
1
: GiuseppePerelli
v
DepartmentofComputerScience
i
X OxfordUniversity,UK
E-mail:[email protected]
r
a AdrianoPeron
DepartmentofElectronicEngineeringandInformationTechnology,
UniversityofNapoli,Italy
E-mail:[email protected]
This work is licensed under a
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
http://creativecommons.org/licenses/by-nc-nd/4.0/"
2 AlbertoMolinarietal.
forHSagainstfiniteKripkestructuresisdecidablebyasuitablesmallmodeltheorem,
andweprovidealowerboundtoitscomputationalcomplexity.
Keywords IntervalTemporalLogic ModelChecking Decidability Computa-
· · ·
tionalComplexity
1 Introduction
Aclassicalprobleminhardwareandsoftwaresystemdesignistocomeupwithauto-
matictechniquestoensurereliability.Inthiscontext,formalmethodshaveprovided
structures and algorithms that have been successfully applied in several domains.
Oneofthemostnotabletechniquesismodelchecking,whereaformalspecification
ofthedesiredpropertiesofthesystemischeckedagainstamodelofitsbehaviour[6,
7,24,28]. The solution of the model checking problem, and thus its precise com-
plexity, relies on the particular computational model and specification language we
consider.Infinite-statesystemverification,systemsareusuallymodelledaslabelled
state-transition graphs, or Kripke structures, while specifications are formulas of a
suitable(point-based)linearorbranchingtemporallogic.Thefirstattemptinthisdi-
rectiongoesbacktothelate’70s,whentheuseofthelineartemporallogicLTLin
program verification was proposed by Pnueli [22]. LTL allows one to reason about
changes in the truth value of formulas in a Kripke structure over a linearly-ordered
temporal domain, where each moment in time has a unique possible future. More
precisely,onehastoconsiderallpossiblepathsinaKripkestructureandtoanalyse,
foreachofthem,howpropositionletters,labellingthestates,changefromonestate
tothenextonealongthepath.ThemodelcheckingproblemforLTLturnsouttobe
PSPACE-complete[7,23,27].
Propositionalintervaltemporallogicsprovideanalternativesettingforreasoning
about time. They have been applied in a variety of computer science fields, includ-
ing artificial intelligence (reasoning about action and change, qualitative reasoning,
planning, and natural language processing), theoretical computer science (specifi-
cation and verification of programs), and databases (temporal and spatio-temporal
databases)[10].Interval-basedtemporallogicstakeintervalsastheirprimitivetem-
poral entities. Such a choice gives them the ability to express temporal properties,
such as actions with duration, accomplishments, and temporal aggregations, which
cannotbedealtwithinstandard(point-based)temporallogics.
AprominentpositionamongintervaltemporallogicsisoccupiedbyHalpernand
Shoham’smodallogicoftimeintervals(HS,forshort)[12].HSfeaturesonemodality
foreachofthe13possibleorderingrelationsbetweenpairsofintervals(theso-called
Allen’srelations[1]),apartfromtheequalityrelation.Asanexample,thecondition:
“thecurrentintervalmeetsanintervaloverwhichpholds”canbeexpressedinHSby
theformula A p,where A isthe(existential)HSmodalityforAllenrelationmeet.
h i h i
In[12], ithas beenshown thatthe satisfiabilityproblemfor HSinterpreted overall
relevant(classesof)linearordersishighlyundecidable.Sincethen,alotofworkhas
beendoneonthesatisfiabilityproblemforHSfragments,whichshowedthatundecid-
ability rules over them [2,14,17]. However, meaningful exceptions exist, including
theintervallogicoftemporalneighbourhoodandthelogicofsub-intervals[3–5,19].
CheckingIntervalPropertiesofComputations 3
Here,we focusourattention onthemodel checkingproblemfor HS.Whilethe
satisfiability problem for HS and its fragments has been extensively and systemati-
callyinvestigatedintheliterature[8],alittleworkhasbeendoneonmodelchecking.
The idea is to evaluate HS formulas on finite Kripke structures making it possible
to check the correctness of the behaviour of the system with respect to meaningful
intervalproperties.Tothisend,weinterpreteachfinitepathofaKripkestructureas
aninterval,andwedefineitslabellingonthebasisofthelabellingofthestatesthat
composeit,accordingtothehomogeneityassumption[25].Formally,wewillshow
that finite Kripke structures can be suitably mapped into interval-based structures,
called abstract interval models, over which HS formulas can be interpreted. Since
finite Kripke structures may have loops, (abstract) interval models have, in general,
aninfinitedomain.InordertodeviseamodelcheckingprocedureforHSoverfinite
Kripke structures, we prove a small model theorem showing that, given an HS for-
mulaψ andafiniteKripkestructureK,thereexistsafiniteintervalmodelwhichis
equivalenttotheoneinducedbyK withrespecttothesatisfiabilityofψ.Themain
technicalingredientsare(i)thedefinitionofasuitableequivalencerelationoverfinite
paths(sequences)inK,whichisparametricinthenestingdepthofAllen’smodalities
B and E inψ,and(ii)theproofthattheresultingquotientstructureisfiniteand
h i h i
equivalenttotheoneinducedbyK withrespecttothesatisfiabilityofψ.
The rest of the paper is organised as follows. In Section 2, we introduce syntax
and semantics of HS (over interval models), and we establish a suitable connection
between finite Kripke structures and abstract interval models. In Section 3, we in-
troduce the fundamental notion of BE -descriptor. Next, in Section 4, we prove the
k
small model theorem. Then, in Section 5, we show that the model checking prob-
lem for HS over finite Kripke structures is EXPSPACE-hard. Finally, in Section 6,
webrieflydiscussrelatedwork.Conclusionsandfutureworkdirectionsaregivenin
Section7.
2 IntervaltemporallogicandKripkestructures
Inthissection,wegivesyntaxandsemanticsofHalpernandShoham’sintervaltem-
poral logic HS with respect to (abstract) interval models. Moreover, we provide a
suitablemappingfromKripkestructurestointervalmodelsthatallowsustointerpret
HS formulas over Kripke structures and then to define the notion of interval-based
modelchecking.
2.1 TheintervaltemporallogicHS
An interval algebra to reason about intervals and their relative order was first pro-
posedbyAllenin[1];then,asystematiclogicalstudyofintervalrepresentationand
reasoning was done by Halpern and Shoham, who introduced the interval temporal
logicHSfeaturingonemodalityforeachAllenintervalrelation[12].
Table 1 depicts 6 of the 13 possible binary ordering relations between a pair of
intervals. The other 7 are the equality and the 6 inverse relations (given a generic
4 AlbertoMolinarietal.
binary relation R, the inverse relation R holds between two elements, bRa, if and
onlyifaRb).
Table1 Allen’sintervalrelationsandcorrespondingHSmodalities.
Allenrelation HSmodality Definitionw.r.t.intervalstructures Example
x y
MEETS hAi [x,y]RA[v,z] ⇐⇒ y=v v z
BEFORE hLi [x,y]RL[v,z] ⇐⇒ y<v v z
STARTED-BY hBi [x,y]RB[v,z] ⇐⇒ x=v∧z<y v z
FINISHED-BY hEi [x,y]RE[v,z] ⇐⇒ y=z∧x<v v z
CONTAINS hDi [x,y]RD[v,z] ⇐⇒ x<v∧z<y v z
OVERLAPS hOi [x,y]RO[v,z] ⇐⇒ x<v<y<z v z
In the table, each Allen relation is shown together with the corresponding HS
(existential)modality.Initsoriginalformulation,HSallowedpointintervalsaswell,
thatis,intervalsconsistingofasinglepoint,butthatwayHSmodalitiesareneither
mutuallyexclusivenorjointlyexhaustive,i.e.,morethanonerelation,orevennone,
may hold between any two intervals. In the following, we will consider only strict
intervals,consistingoftwoormorepoints(strictsemantics).
ThelanguageofHSfeaturesasetofpropositionlettersAP,theBooleanconnec-
tives and ,thelogicalconstants and (respectivelytrueandfalse),andatem-
¬ ∧ > ⊥
poral modality for each of the (non trivial) Allen’s relations, namely, A , L , B ,
h i h i h i
E , D , O , A , L , B , E , D ,and O .
h i h i h i h i h i h i h i h i h i
Formally,HSformulasaredefinedbythefollowinggrammar:
ψ ::=p ψ ψ ψ X ψ X ψ, with p AP.
|¬ | ∧ |h i |h i ∈
Inthefollowing,wewillmakeuseofthestandardabbreviationsofpropositional
logic, e.g., we will write ψ ϕ for ψ ϕ, ψ ϕ for ψ ϕ, and ψ ϕ for
∨ ¬ ∧¬ → ¬ ∨ ↔
(ψ ϕ) (ϕ ψ).Moreover,forallX,dualuniversalmodalities[X]ψ and[X]ψ
→ ∧ →
arerespectivelydefinedas X ψ and X ψ,asusual.
¬h i¬ ¬h i¬
Finally,itcanbeeasilyshownthat,whenthestrictsemanticsisassumed,allHS
modalitiescanbeexpressedintermsofmodalities A , B , E ,andthetransposed
h i h i h i
modalities A , B , E asfollows:
h i h i h i
L ψ A A ψ L ψ A A ψ
h i ≡h ih i h i ≡h ih i
D ψ B E ψ E B ψ D ψ B E ψ E B ψ
h i ≡h ih i ≡h ih i h i ≡h ih i ≡h ih i
O ψ E B ψ O ψ B E ψ
h i ≡h ih i h i ≡h ih i
GivenanysubsetofAllen’srelations X , ,X ,wedenotebyHS[X , ,X ]
1 n 1 n
{ ··· } ···
thefragmentofHSthatfeaturesmodalitiesX , ,X only.Asanexample,wedenote
1 n
···
by HS[A,A,B,B,E,E] the HS fragment that features modalities A , A , B , B ,
h i h i h i h i
E ,and E only(observethatthisfragmentcontainsanequivalentformulaforevery
h i h i
HSformula).
HScanbeviewedasamulti-modallogicwithsixprimitivemodalities,namely,
A , B , E , and their inverses. Accordingly, HS semantics can be defined over a
h i h i h i
CheckingIntervalPropertiesofComputations 5
multi-modal Kripke structure, here called abstract interval model, in which (strict)
intervalsaretreatedasatomicobjectsandAllen’srelationsassimplebinaryrelations
betweenpairsofintervals.
Definition1 AnabstractintervalmodelisatupleA=(AP,I,A ,B ,E ,σ),where:
I I I
– AP isafinitesetofpropositionletters;
– Iisapossiblyinfinitesetofatomicobjects(worlds);
– A ,B ,E arethreebinaryrelationsoverI;
I I I
– σ:I 2AP isa(total)labelingfunction,whichassignsasetofpropositionletters
7→
toeachworld.
Intuitively,intheintervalsetting,Iisasetofintervals,A ,B ,andE areinterpretedas
I I I
Allen’sintervalrelationsA(meets),B(started-by),andE (finished-by),respectively,
andσ assignstoeachintervalthesetofpropositionlettersthatholdoverit.
Given an abstract interval model A =(AP,I,A ,B ,E ,σ) and an interval I I,
I I I ∈
thetruthofanHSformulaoverIisdefinedbyinductiononthestructuralcomplexity
oftheformulaasfollows:
– A,I =piff p σ(I),foranypropositionletter p AP;
| ∈ ∈
– A,I = ψ iffitisnottruethatA,I =ψ;
| ¬ |
– A,I =ψ ϕ iffA,I =ψ orA,I =ϕ;
| ∨ | |
– A,I = X ψ,forX A,B,E ,iffthereexistsJ IsuchthatIX JandA,J =ψ;
| h i ∈{ } ∈ I |
– A,I = X ψ,forX A,B,E ,iffthereexistsJ IsuchthatJX IandA,J =ψ.
| h i ∈{ } ∈ I |
Satisfiabilityandvalidityaredefinedintheusualway:anHSformulaψ issatis-
fiableifthereexistsanintervalmodelA andaworld(interval)I suchthatA,I =ψ.
|
Moreover,ψ isvalid,denotedas =ψ,ifA,I =ψ forallworlds(intervals)I ofany
| |
intervalmodelA.
2.2 Kripkestructuresandabstractintervalmodels
FinitestatesystemsareusuallymodelledasfiniteKripkestructures.Inthefollowing,
we first recall the definition of finite Kripke structure and then we define a suitable
mappingfromthisclassofstructurestoabstractintervalmodelsthatmakesitpossible
tospecifypropertiesofsystemsbymeansofHSformulas.
Definition2 (FiniteKripkestructure)AfiniteKripkestructureisatupleK =(AP,
W,δ,µ,w ), where AP is a set of proposition letters, W is a finite set of states
0
(worlds), δ W W is a left-total relation between pairs of states (accessibility
⊆ ×
relation),µ :W 2AP atotallabellingfunction,andw W istheinitialstate.
0
7→ ∈
For all w W, µ(w) captures the set of proposition letters that hold at that state; δ
∈
is the transition relation that constrains the evolution of the system over time. The
relationδ isleft-totalbecausethepathsofK aremeanttorepresentsystemcompu-
tations.
AsimpleKripkestructure,consistingoftwostatesonly,isreportedinthefollow-
ingexample.Wewilluseitasarunningexampleintherestofthepaper.
6 AlbertoMolinarietal.
Example1 Figure1belowdepictsatwo-stateKripkestructureK (theinitialstate
Equiv
isidentifiedbyadoublecircle).Despiteitssimplicity,itfeaturesaninfinitenumber
of different (finite) paths. Formally, K is defined by the following quintuple:
Equiv
( p,q , v ,v , (v ,v ),(v ,v ),(v ,v ),(v ,v ) ,µ,v ), where µ(v ) = p and
0 1 0 0 0 1 1 0 1 1 0 0
{ } { } { } { }
µ(v )= q .
1
{ }
vp0 vq1
Fig.1 TheKripkestructureKEquiv.
Definition3 (TrackoverK)Atrackρ overafiniteKripkestructureK =(AP,W,δ,
µ,w )isafinitesequenceofstatesv v ,withn 1,suchthatforalli 0, ,n
0 0 n
··· ≥ ∈{ ··· −
1 ,(v,v ) δ.
i i+1
} ∈
Let Trk be the (infinite) set of all tracks over a finite Kripke structure K. For
K
anytrackρ =v v Trk ,wedefine:
0 n K
··· ∈
– ρ =n+1;
| |
– ρ(i)=vi;
– states(ρ)= v0, ,vn W;
{ ··· }⊆
– intstates(ρ)= v1, ,vn 1 W;
{ ··· − }⊆
– fst(ρ)=v0andlst(ρ)=vn;
– ρ(i,j)=vi vj,0 i< j ρ 1isasubtrackofρ;
··· ≤ ≤| |−
– Pref(ρ)= ρ(0,i) 1 i ρ 2 isthesetofallproperprefixesofρ;
{ | ≤ ≤| |− }
– Suff(ρ)= ρ(i, ρ 1) 1 i ρ 2 isthesetofallpropersuffixesofρ.
{ | |− | ≤ ≤| |− }
If fst(ρ)=w , where w is the initial state of K, ρ is said to be an initial track.
0 0
Noticethatthelengthoftracks,prefixes,andsuffixesisgreaterthan1,astheywill
bemappedintostrictintervals.
An abstract interval model (over Trk ) can be naturally associated with a finite
K
Kripkestructurebyinterpretingeverytrackasanintervalboundedbyitsfirstandlast
states.
Definition4 (Abstract interval model induced by K) The abstract interval model
induced by a finite Kripke structure K =(AP,W,δ,µ,w ) is the abstract interval
0
modelAK =(AP,I,AI,BI,EI,σ),where:
– I=TrkK,
– AI={(ρ,ρ0)∈I×I|lst(ρ)=fst(ρ0)},
– BI={(ρ,ρ0)∈I×I|ρ0∈Pref(ρ)},
– EI={(ρ,ρ0)∈I×I|ρ0∈Suff(ρ)},
– σ :I 2AP suchthatforallρ I,
7→ ∈
σ(ρ)= µ(w).
w∈st\ates(ρ)
CheckingIntervalPropertiesofComputations 7
In Definition 4, relations A ,B , and E are interpreted as Allen’s interval relations
I I I
A,B, and E, respectively. Moreover, according to the definition of σ, a proposition
letterp AP holdsoverρ=v v ifandonlyifitholdsoverallthestatesv , ,v
0 n 0 n
∈ ··· ···
ofρ.Thisconformstothehomogeneityprinciple,accordingtowhichaproposition
letterholdsoveranintervalifandonlyifitholdsoverallofitssubintervals.
SatisfiabilityofanHSformulaoverafiniteKripkestructurecanbegiveninterms
ofinducedabstractintervalmodels.
Definition5 (SatisfiabilityofHSformulasoverKripkestructures)LetK beafinite
Kripke structure, ρ be a track in Trk , ψ be an HS formula. We say that the pair
K
(K,ρ)satisfiesψ,denotedbyK,ρ =ψ,ifandonlyifitholdsthatA ,ρ =ψ.
K
| |
We are now ready to formally state the model checking problem for HS over finite
Kripkestructures:itistheproblemofdecidingwhetherK =ψ.
|
Definition6 LetK beafiniteKripkestructureandψ beanHSformula.Wesaythat
K modelsψ,denotedbyK =ψ,ifandonlyif
|
forallinitialtracksρ Trk , itholdsthatK,ρ =ψ.
K
∈ |
We conclude the section by giving some examples of meaningful properties of
tracksthatcanbeexpressedinHS.Tostartwith,weobservethattheformula[B] can
⊥
beusedtoselectallandonlythetracksoflength2.Indeed,givenanyρ with ρ =2,
| |
independentlyofK,itholdsthatK,ρ =[B] ,becauseρ hasnot(strict)prefixes.On
| ⊥
theotherhand,itholdsthatK,ρ = B if(andonlyif) ρ >2.Modality B can
| h i> | | h i
actuallybeusedtoconstrainthelengthofanintervaltobegreaterthan,lessthan,or
equaltoanyvaluek.Letusdenoteknestedapplicationsof B by B k.Itholdsthat
h i h i
K,ρ = B k ifandonlyif ρ k+2.Analogously,K,ρ =[B]k ifandonlyif
| h i > | |≥ | ⊥
ρ k+1.Let‘(k)beashorthandfor[B]k−1 B k−2 .ItholdsthatK,ρ =‘(k)
| |≤ ⊥∧h i > |
ifandonlyif ρ =k.
| |
LetusconsidernowthefiniteKripkestructureK ofExample1,depictedin
Equiv
Figure1.Forthesakeofbrevity,foranytrackρ,wedenotebyρnthetrackobtained
by concatenating n copies of ρ. The truth of thefollowing statements can be easily
checked:
– KEquiv,(v0v1)2 = A q;
| h i
– KEquiv,v0v1v0 = A q;
6| h i
– KEquiv,(v0v1)2 = A p;
| h i
– KEquiv,v1v0v1 = A p.
6| h i
The above statements show that modalities A and A can be used to distinguish
h i h i
betweentracksthatstartorendatdifferentstates.
Modalities B and E can be exploited to distinguish between tracks encom-
h i h i
passingadifferentnumberofiterationsofagivenloop.Thisisthecase,forinstance,
withthefollowingstatements:
– KEquiv,(v1v0)3v1 = B A p B ( A p B A p) ;
| h i h i ∧h i h i ∧h ih i
– KEquiv,(v1v0)2v16|=hBi(cid:0)hAip∧hBi(hAip∧hBihAip)(cid:1).
(cid:0) (cid:1)
8 AlbertoMolinarietal.
Finally,HSmakesitpossibletodistinguishbetweentracksρ =v3v v andρ =
1 0 1 0 2
v v v3,whichinvolvethesamenumberofiterationsofthesameloops,butdifferin
0 1 0
theorderofloopoccurrences:K ,ρ = B ( A q B A p),butK ,ρ =
Equiv 1 Equiv 2
| h i h i ∧h ih i 6|
B ( A q B A p).
h i h i ∧h ih i
Example2 InFigure2,weprovideanexampleofafiniteKripkestructureK that
Sched
modelsthebehaviourofaschedulerservingthreeprocesseswhicharecontinuously
requestingtheuseofacommonresource.Theinitialstateisv :noprocessisserved
0
inthatstate.Inanyotherstatev andv,withi 1,2,3 ,thei-thprocessisserved
i i
∈{ }
(thisisdenotedbythefactthat p holdsinthosestates).Forthesakeofreadability,
i
edgesaremarkedeitherbyr,forrequest(i),orbyu,forunlock(i).Edgelabelsdo
i i
nothaveasemanticvalue,thatis,theyareneitherpartofthestructuredefinition,nor
propositionletters;theyaresimplyusedtoeasereferencetoedges.Processiisserved
instatev,then,after“sometime”,atransitionu fromv tov istaken;subsequently,
i i i i
process i cannot be served again immediately, as v is not directly reachable from
i
v (the scheduler cannot serve the same process twice in two successive rounds). A
i
transition r , with j =i, from v to v is then taken and process j is served. This
j i j
6
structurecaneasilybegeneralisedtoahighernumberofprocesses.
v0
0/
r1 r3
r2
pv11 pv22 pv33
r1 r2 r2 r3
u1 u2 u3
pv11 pv22 pv33
r3 r1
Fig.2 TheKripkestructureKSched.
WeshowhowsomemeaningfulpropertiestobecheckedoverK canbeex-
Sched
pressedinHS.Inallformulas,weforcethevalidityoftheconsideredpropertyoverall
legalcomputationsub-intervalsbyusingmodality[E](allcomputationsub-intervals
CheckingIntervalPropertiesofComputations 9
aresuffixesofatleastoneinitialtrack).Moreover,wewillmakeuseoftheshorthand
wit ( p ,p ,p )fortheformula:
2 1 2 3
≥ { }
( D p D p ) ( D p D p ) ( D p D p ),
1 2 1 3 2 3
h i ∧h i ∨ h i ∧h i ∨ h i ∧h i
which states that there exist at least two sub-intervals such that p holds over the
i
former and p over the latter, with i,j 1,2,3 and j=i (such a formula can be
j
∈{ } 6
easilygeneralisedtoanarbitrarysetofpropositionlettersandtoanynaturalnumber
k).Thetruthofthefollowingstatementscanbeeasilychecked:
– KSched =[E] B 5 wit 2( p1,p2,p3 ) ;
| h i >→ ≥ { }
– KSched =[E](cid:16) B 10 D p3 ; (cid:17)
6| h i >→h i
– KSched =[E](cid:16) B 7 D p1 (cid:17) D p2 D p3 .
6| h i >→h i ∧h i ∧h i
(cid:16) (cid:17)
The first formula states that in any suffix of an initial track of length greater than
orequalto7atleast2propositionlettersarewitnessed.K satisfiestheformula
Sched
sinceaprocesscannotbeexecutedtwiceinarow.Thesecondformulastatesthatin
anysuffixofaninitialtrackoflengthatleast12process3isexecutedatleastoncein
someinternalstates.K doesnotsatisfytheformulasincetheschedulercanavoid
Sched
executingaprocessadlibitum.Thethirdformulastatesthatinanysuffixofaninitial
trackoflengthgreaterthanorequalto9, p ,p ,p areallwitnessed.Theonlyway
1 2 3
tosatisfythispropertyistoconstraintheschedulertoexecutethethreeprocessesin
astrictlyperiodicmanner,butthisisnotthecase.
3 ThefundamentalnotionofBEk-descriptor
In the previous section, we have shown that, for any given finite Kripke structure
K, one can find a corresponding induced abstract interval model A , featuring one
K
interval for each track of K. Since K has loops (each state must have at least one
successor),thenumberofitstracks,andthusthenumberofintervalsofA ,isinfinite.
K
Inthissection,weprovethat,givenafiniteKripkestructureK andanHSformulaϕ,
thereexistsafiniteabstractintervalmodel,whichisequivalenttoA withrespectto
K
thesatisfiabilityofϕ (infact,ofaclassofHSformulasincludingϕ).
Westartwiththedefinitionofsomebasicnotions.Thefirstoneisthenotionof
BE-nestingdepthofanHSformula.
Definition7 (BE-nestingdepthofanHSformula)Letψ beanHSformula.TheBE-
nesting depth of ψ, denoted by Nest (ψ), is defined by induction on the structure
BE
complexityoftheformulaasfollows:
– NestBE(p)=0,foranypropositionletter p AP;
∈
– NestBE( ψ)=NestBE(ψ);
¬
– NestBE(ψ ϕ)=max NestBE(ψ),NestBE(ϕ) ;
∧ { }
– NestBE( B ψ)=NestBE( E ψ)=1+NestBE(ψ);
h i h i
– NestBE( X ψ)=NestBE(ψ),forX A,A,B,E .
h i ∈{ }
10 AlbertoMolinarietal.
Making use of the notion of BE-nesting depth of a formula, we can define a
relationofk-equivalenceovertracks.
Definition8 LetK beafiniteKripkestructureandρ andρ0 betwotracksinTrkK.
We say that ρ and ρ are k-equivalent if and only if, for every HS-formula ψ, with
0
Nest (ψ)=k,K,ρ =ψ ifandonlyifK,ρ =ψ.
BE 0
| |
Itcanbeeasilyprovedthatk-equivalencepropagatesdownwards.
Proposition1 LetK beafiniteKripkestructureandρ andρ0betwotracksinTrkK.
Ifρ andρ arek-equivalent,thentheyareh-equivalent,forall0 h k.
0
≤ ≤
Proof LetusassumethatK,ρ =ψ,with0 Nest (ψ) k.Considertheformula
BE
| ≤ ≤
B k , whose BE-nesting depth is equal to k. It trivially holds that either K,ρ =
h i > |
B k orK,ρ = B k .Inthefirstcase,wehavethatK,ρ = B k ψ.Since
h i > | ¬h i > | h i >∧
Nest B k ψ =k,fromthehypothesis,itimmediatelyfollowsthatK,ρ =
BE 0
h i >∧ |
B k (cid:16)ψ, and thu(cid:17)s K,ρ =ψ. The other case can be dealt with in a symmetric
0
h i >∧ |
way.
tu
Wearenowreadytointroducethenotionofdescriptor,whichwillplayafunda-
mentalroleinthedefinitionoffiniteabstractintervalmodels.
Definition9 (B-descriptor and E-descriptor) Let K =(AP,W,δ, µ,w0) be a finite
Kripkestructure.AB-descriptor(resp.,E-descriptor)isalabelledtreeD=(V,E,λ),
whereV isafinitesetofvertices,E V V isasetofedges,andλ :V W
⊆ × 7→ ×
2W W isanodelabellingfunction,thatsatisfiesthefollowingconditions:
×
1. forall(v,v) E,withλ(v)=(v ,S,v )andλ(v)=(v ,S,v ),itholdsthat
0 ∈ in fin 0 0in 0 0fin
S S,v =v ,andv S(resp.,S S,v =v ,andv S);
0⊆ in 0in 0fin∈ 0⊆ fin 0fin 0in∈
2. forallpairsofedges(v,v),(v,v ) E,ifthesubtreerootedinv isisomorphicto
0 00 0
∈
thesubtreerootedinv ,thenv =v (hereandinthefollowing,wewritesubtree
00 0 00
formaximalsubtree).
Condition (2) of Definition 9 simply states that no two subtrees, whose roots are
siblings,canbeisomorphic(noticethatλ istakenintoaccount).
For X B,E , the depth of an X-descriptor (V,E,λ) is the depth of the tree
∈{ }
(V,E). We call an X-descriptor of depth k N an Xk-descriptor. An X0-descriptor
∈
D consists of its root only, which is denoted by root(D). A label of a node will
bereferredtoasadescriptorelement.Hereafter,twodescriptorswillbeconsidered
equaluptoisomorphism.Thefollowingpropositionholds.
Proposition2 Forallk N,thereexistsafinitenumberofpossibleBk-descriptors
∈
(resp.,E -descriptors).
k
Proof LetusconsiderthecaseofB -descriptors(thecaseofE -descriptorsisanal-
k k
ogous).Fork=0,thereareatmost W 2W W pairwisedistinctB -descriptors.
| | 0
| |· ·| |
As for the inductive step, let us assume h to be the number of pairwise distinct B-
descriptorsofdepthatmostk.ThenumberofB -descriptorsisatmost W 2W
k+1 | |
| |· ·
W 2h(thereareatmost W 2W W possiblechoicesfortheroot,whichcanhave
| |
| |· | |· ·| |
