Angelika Mader Veri cation of Modal Properties Using Boolean Equation Systems EDITION VERSAL 8

Transcription

1 UsingBooleanEquationSystems VericationofModalProperties AngelikaMader EDITIONVERSAL8

2 Band1:E.Kindler:ModularerEntwurf Herausgeber:WolfgangReisig Lektorat:RolfWalter EDITIONVERSAL Band2:R.Walter:PetrinetzmodelleverteilterAlgorithmen. verteiltersystememitpetrinetzen Band4:K.Schmidt:SymbolischeAnalysemethoden Band3:D.Gomm:ModellierungundAnalyse mitpetrinetzen verzogerungs-unabhangigerschaltungen BeweistechnikundIntuition Band5:M.Kohn:FormaleModellierung Band6:D.Barnard:TemporalLanguageofTransitions furalgebraischepetrinetze asynchronersysteme Band8:A.Mader:VericationofModalProperties Band7:U.Jaeger:EventDetectionin UsingBooleanEquationSystems ActiveDataBases andclient-serversystems

3 UsingBooleanEquationSystems VericationofModalProperties AngelikaMader DieterBertzVerlag

4 Systems/AngelikaMader.{Berlin:Bertz,1997 Mader,Angelika: VericationofModalPropertiesUsingBooleanEquation (EditionVersal;Bd.8) Zugl.:Munchen,Techn.-Univ.,Diss.,1997 DieDeutscheBibliothek{CIPEinheitsaufnahme NE:GT ISBN n-x AlleRechtevorbehalten GorlitzerStr.37, c1996bydieterbertzverlag,berlin

5 Abstract expressionscontainingleastandgreatestxpoints.fixpoint-equation model-checking. Themodal-calculuscontainsxpoint-operatorswhichgivegreatexbraicallyweintroducexpoint-equationsystemsasanextensionopressivepower.Inordertotreatthemodel-checkingproblemalge- systemsexpressedinthemodal-calculus.thisapproachiscalled Thethesisisconcernedwithvericationofpropertiesofconcurrent and presentanewalgorithm,similartogaueliminationforlinearequationsystems. BooleanlatticesarecalledBooleanequationsystems.Modelcheck- solvingnitebooleanequationsystems.wediscussexistingmodelcheckingalgorithmsfromtheperspectiveofbooleanequationsystems systemsinterpretedoverthebooleanlatticeoraninniteproductof Asanapplicationweinvestigatealgorithmssolvingtheproblemof ingforsystemswithnitestatespacesisshowntobeequivalentto mutualexclusion,constructformulaeforlivenesspropertiesandverify lencetoanautomata-theoreticproblembygoingviabooleanequa- tionsystems.thereexistedareductionofmodel-checkingtoagame wepresentanalgorithm,similartothegaueliminationalgorithmfor equivalence. Forthecaseofinnitestatespaceswealsoshowthatmodel-checkingis thenitecase. equivalenttosolvinginnitebooleanequationsystems.additionally, themwithanimplementationofthegaueliminationalgorithm. Model-checkinginthemodal-calculushasalreadybeentreatedin automatatheoryandgametheory.weareabletoshowanewequiva- theoreticproblem.usingbooleanequationsystemswecanprovethe

6

7 environmentheprovidedforus,andhisliberalattitudes,whichmade acarefreeandconcentratedwayofworkingpossible. fortheconstantsupportofmyallactivitieshere,thecomfortable IamindebtedtomyproofreadersJulianBradeld,EdBrinksmaand EkkartKindler.Theircommentsandcarefulcriticismwereofgreat Acknowledgement helpformeinndingoutwhatiwasdoing,inimprovingmywork, Intherstplace,IwouldliketothankmysupervisorWilfriedBrauer ereeandformostlyilluminatingdiscussions,julianbradeldforhis commentsonpartsofthethesis. IamverygratefultopeopleinEdinburgh:ColinStirlingforbeingref- and,whatisperhapsevenmorevaluable,theyincreasedthefuni hadwhenwritingup.thanksalsotochristinerocklwhogaveuseful EdBrinksmaandPeterRossmanithsupportedmeinndinganexponentialexampleformyversionoftheGaualgorithmanddelivered scienticatmosphereandthegreatvarietyofsinglemaltscontributed enormouslytomyenjoymentofmyvisitstoedinburgh. Kaivolaforclarifyingautomata-theoreticconcepts.Theimpressive forhertheoreticalandpracticalhelpconcerninggames,androope hisinsightinbooleanequationsystemswithme,perditastevens friendshipandpleasantcooperation,kyriakoskalorkoti,whoshared sharptongueofdominikgomm. liketoacknowledgeallpeopleofthegrouphere,andthosewholeftto Berlin.Ispentagoodtimewiththem.Particularly,Iammissingthe Gaualgorithmwasextremlyhelpfultome.Furthermore,Iwould pleasuretome.hisneverendingengagementinimplementingthe mefromalong-termpassion.infrankwallnerifoundacolleague ManythanksgotoBarbaraRoemerwhogavevaluablehintsconcerninglayout. whowasnotafraidofxpointsanddiscussionswithhimwereagreat WithoutGerhard'ssupportIcouldnothavedonethisworkandmany (Sonderforschungsbereich342)forfundingmypositionattheTU. IthankFa.Siemens,ZFE,andtheDeutscheForschungsgemeinschaft otherthingsatthesametimewhilehavingachild.manythanksalso

8 todavidforconsistentlyrelativizingallupsanddownsconcerningmy workandforallthenightshesleptthrough. >FromEd,myparents,familyandfriendsIreceivedvaluablesupport ofvariouskindsduringallthetime,forwhichiowethemgreatthanks.

9 Contents 2Basics. 1Introduction. 2.2Fixpointsandtheirproperties.::::::::::::::22 1.1Generalintroduction.::::::::::::::::::::11 2.1Ordersandlattices.:::::::::::::::::::::19 1.2Synopsis.:::::::::::::::::::::::::: Simplexpoints.:::::::::::::::::: Themodal-calculus. 3Fixpoint-equationsystems. 3.1Fixpoint-equationsystemsforcompletelattices.::::28 4.1Syntaxandsemantics.:::::::::::::::::::45 3.2Booleanequationsystems.::::::::::::::::: Nestedxpoints.::::::::::::::::::24 4.3Propertiesofthemodal-calculus.::::::::::::51 4.2Basicformulae.::::::::::::::::::::::: SolvingBooleanequationsystems. 5Booleanequationsystemsformodelchecking. 5.3ReductionofBooleanequationsystems.:::::::::62 5.1Reductionofthemodelcheckingproblem.::::::::56 5.2Representationandcomplexity.::::::::::::::59 6.1PlainBooleanequationsystems.:::::::::::::

10 106.4Gauelimination.::::::::::::::::::::::81 6.3Tableaux.::::::::::::::::::::::::::76 6.2Approximation.::::::::::::::::::::::: Complexityforthegeneralcase.::::::::: Complexityforsubclasses.::::::::::::: Globalandlocalalgorithm.::::::::::::82 CONTENTS 7Peterson'smutexalgorithm. 8Equivalenttechniques. 6.5Complexity.:::::::::::::::::::::::::94 7.2FairnessandLiveness.::::::::::::::::::: Graphgames.:::::::::::::::::::::::: Alternatingautomata.::::::::::::::::::: ExperimentalResults.::::::::::::::::::: Modellingthealgorithm.:::::::::::::::::: InniteBooleanequationsystems. 9.6Conclusion.::::::::::::::::::::::::: Examples.:::::::::::::::::::::::::: Eliminationmethod.:::::::::::::::::::: Equivalencetothemodelcheckingproblem.::::::: Denitions.::::::::::::::::::::::::: SetbasedBooleanequationsystems.::::::::::: AAppendix 10Conclusion. A.3ProofsofChapter8.::::::::::::::::::::161 A.2ProofsofChapter5.::::::::::::::::::::158 A.1ProofsofChapter3.:::::::::::::::::::: Innitestatespacemodelchecking:::::::::::: Finitestatespacemodelchecking::::::::::::: Bibliography A.4ProofsofChapter9.::::::::::::::::::::

11 Chapter1 Introduction. 1.1Generalintroduction. be,itispossiblethatitshouldbe... Yet,fromtheproposition`itmaybe' Whenitisnecessarythatathingshould fromthatitfollowsthatitisnotnecessary;itcomesaboutthereforethatthe itfollowsthatitisnotimpossible,and ianstoicsalsodealtwithmodallogics,introducingatimebasedinter- pretation:possibleisjustwhateitherisorwillbe;athingisnecessary onlyifitisnowtrueandalwayswillbetrue. Leibnizgaveasemanticmodelforlogicsincludingthemodalities`nec- Aristotle,Hermeneia1 ThebeginningofmodallogicdatesbacktoAristotlewhowasalready concernedwiththelogicofnecessityandpossibility.later,themegar- be;whichisabsurd... thingwhichmustnecessarilybeneednot essarily'and`possibly':heassumedasetofworldsanddeneda propositionbeingnecessarilytrueifitistrueinallworlds,andbeing possiblytrueifthereexistssomeworldwhereitistrue.inaddition, 1see[Boc70]

12 tury.nowadaysphilosophers,logicians,linguistsandcomputerscien- tistsshareaninterestinthesubject,andvarioussystemsofmodal Formalmathematicaltreatmentofmodallogicstartedinthiscen- logichavebeendeveloped. 12 Infurtherdevelopment,morestructurewasgiventothemodelof heprovedthatweliveinthebestofallpossibleworlds. Chapter1.Introduction. worlds.whendecidingwhethersomepropositionpisnecessaryin areorderedlinearlyintime. oneworldonlyaspeciedsetofworldsmayberelevant,whichneed Incomputersciencemodalandtemporallogicplayaroleinthevericationofsystems.Here,thetaskistoshowthatasystemmeets itsspecicationwhichmayconsistofsetofpropertiesexpressedas systems.theyconsistofasetofstates(representingtheworlds)and formulaeofalogic. ModelsformodallogicareKripkestructures,alsocalledtransition transitionsbetweenthestates(theaccessibilityrelation).atransition pinballmachine.transitionsmaycarryalabelidentifyinganaction (write1toamemorycell,shootthepinball)ormodellingjustthe systemmodelsthedierentstatesanarbitrarysystemcanenter,and actionsleadingfromonestatetoanother.astatecanrepresente.g. on-goingofasystemastimepasses.thelattercaseprovidesamodel fortemporallogic. Propositionsareaboutstatesorpathsofamodel,e.g.forthepinball thecontentofamemory,thevalueofaprogramcounter,astateofa machineinitiallytheonlypossibleactionistoinsertacoin;thereexists arunofthepinballmachine,whereialwaysgetafreegame,or,ifi rolldown. oneworldmeansthatpbeingtrueinallworldsaccessiblefromthe currentone.temporallogicisthendenedasamodallogic,where accessibilitybetweenworldsrepresentstimepassingby,andtheworlds anaccessibilityrelationbetweenworlds,andpisnecessarilytruein notincludeeveryworldinthemodel.thisfeatureisrepresentedby hitthepinballmachineinnitelyoftenthentheballwilleventually

13 tiveprograms.provingcorrectnessforaprogramwastoshowthat [MP69],Park[Par70]andHoare[Hoa69]wereimportantdevelopments givenaspeciedinputtheprogramwouldterminateandproduce aspeciedoutput.theworksoffloyd[flo67],mannaandpnueli Intherstperiod,objectsofvericationweresequentialandimpera- inthiscontext. 1.1.Generalintroduction. 13 Therstmodallogicsforvericationweredynamiclogicsintroduced bypratt[pra76],andmostlyusedinthepropositionalversion.propositionaldynamiclogic(pdl)isbuiltupfrompropositionallogic extendedbythemodalitieshi,whereaprogramisaregularexpressionoverasetofatomicprograms.theformulahipistrueata state,whereitispossiblefortheprogramtoexecuteandresultin astatesatisfyingp.variousrestrictionsandextensionsofpdlhave acteristicsofprograms:terminationandresultsproducedwerenot longernecessaryfeatures,buton-goingandinteractionwithanenvironmentbecamerelevant.pnuelicalledthem\reactivesystems". andpdl-[str81]whereaninniteloop-operatorisaddedtopro- beeninvestigated.themostfamousonesarepdlwithtestprogams, gramexpressions. Theintroductionofconcurrencycausedchangeconcerningthechar- Clarke,EmersonandSistla[CES86],andothersstartedwithanew approach,calledmodel-checking.here,vericationfornitestatesystemsisperformedautomaticallyand,incontrasttoderivingaproof, Pnueli[MP83]foundthattemporallogicissuitableinthiscontext. Theyappliedaproof-theoreticstyleofverication:foragivenprogramtheyderivedasetoftemporalpropertiesandshowedthatthe Provingcorrectnesshererequiredmoreexpressivelogics.Mannaand specifyingpropertywasaconsequenceofthisset(orwasnot). pinballmachinetheninnitelyoftenitwillbeinthestate\tilt"). relevantpropertiesarenot(e.g.ifinnitelyoftenaplayerhitsthe ifthepinballisshotthenitwilleventuallyrolldownagain),butsome (CTL).Inthislogicanumberofusefulpropertiesisexpressible(e.g. analgorithmreceivingaformulaandamodelasinputgivestheresult trueorfalse.thetemporallogictheyusediscomputationtreelogic

14 AnextensionofCTLthatcanexpressthe\tilt"-propertycitedabove thetacklingofthesizeofproblemsandthedenitionofmoreexpressivelogics.ofcourse,theproblemsarenotmutuallyindependentof isvericationandthesmalleristhesizeofsolvableproblems. 14 eachother;roughly,themoreexpressivealogicis,themorecomplex Insubsequentdevelopment,workwascenteredmainlyontwoissues: Chapter1.Introduction. iscalledctl*.forthistemporallogicemersonandlei[el86]presentedamodel-checkingalgorithm. MeanwhilealsovariousextensionsofCTLandCTL*havebeeninves- andthexpointoperatorsand.themodalitiesallowonetoexpresspropertiesforonenext-step,whilebymeansofleast(anddually additiontopropositionallogicitcontainsthemodalities[a]andhai modalandtemporallogicsmentionedabove:themodal-calculus.in tigatedwhicharemoreexpressive,butstillsimpleenoughformodel- checking. greatest)xpointimmediatelypropertiesoverniteandinnitepaths Kozen[Koz83]introducedaverypowerfullogic,subsumingallother canbemodelled.thebeautyofthislogicliesinitsexpressivenessin combinationwithitssimplicity.therstmodel-checkingalgorithm forthemodal-calculuswasdevelopedbyemersonandlei[el86]. However,thecomplexityoftheiralgorithmishigherthanthatforless expressivelogicssuchasctl:itisofexponentialcomplexityinthesize byso-called\symbolicmodel-checking".forearlieralgorithmsthe Concerningthesizeofproblemsconsiderableprogresshasbeenachieved thecomplexityofthisproblemhavenotyetbeendetected. -calculushavebeensuggested,yettherehasnotbeenanyessential algorithmsforctl.sincethenanumberofalgorithmsforthemodal improvementconcerningcomplexitysofar,andthelowerboundsfor oftheformulaincontrasttopolynomialcomplexityofmodel-checking model,atransitionsystem,hadtoberepresentedexplicitly.ina newapproachforctlmodel-checkingburch,clarkeandmcmillan [BCM+92]choseBinaryDecisionDiagrams(BDDs)asdata-structure, sizeofproblemsthatcouldbetreatedgrewenormously. whichallowedaverycompactencodingoftransitionsystems,andthe

15 However,thesizeofthetransitionsystemsisstillthemostlimiting probleminthisarea.especiallyforconcurrentsystemstheso-called \statespaceexplosion"makesvericationdicultorevenimpossi- 1.1.Generalintroduction. ble.reductiontechniquesfortransitionsystemshavebeeninvesti- gatedincludinge.g.abstractionsandsymmetries,whichrelativize thepurelyautomaticapproachandreintroduceelementsofproofto 15 ornoteventhesetofreachablestates,buta(hopefullysmall)subset whetherapropertyholdsofpathsstartingfromtheinitialstateofa system.showingitscorrectnessmaynotrequirethewholestatespace, setofallstatessatisfyingaproperty.usually,weareinterestedin model-checking. Themethodofmodel-checkingdescribedaboveis\global"inthesense thatthealgorithmstraversethewholestatespaceanddeterminethe StirlingandWalker[SW89]informofatableausystem. ofit.algorithmsbasedonthisideaarecalled\local".alocalmodelcheckingalgorithmforthemodal-calculuswasrstintroducedby grammars. sistanceisapossibility.bradeldandstirling[bs90,bra92]developed modelsdenede.g.bysomepetri-netclasses[en94],orcontext-free automaticmethods.however,provingpropertieswithcomputeras- atableaumethodallowingcomputer-aidedvericationforformulaeof themodal-calculus.otherworkhasbeendoneinthisareaforinnite Inthecaseofgeneralinnitestate-spacesthereisnohopeforfully Booleanequationsystems.Infact,wecanshowthatthetwoproblems formedtotheproblemofsolvingaclassofequationsystems,called -calculus.theapproachisanalgebraicone:model-checkingistrans- showtheirrelationstoothertechniques,inautomatatheoryandgame areequivalent,forthecaseofnitesystemsaswellasforinniteones. Basedonthisequivalencewediscussmodel-checkingalgorithmsand Alsointhiswork,weareconcernedwithmodel-checkingforthemodal theory.thefollowingsectiongoesontooutlinethisinmoredetail.

16 16 1.2Synopsis. Inthebeginningwegiveabriefcollectionofrelevantdenitionsand factsfromlatticetheoryandthexpointtheoremswhicharestructures Incomputersciencemainlyleastxpointshavebeenconsidered.Propositionsforexpressionscontainingleastandgreatestxpointoperators donotgobeyonddualityargumentssofar.chapter3containstherst contributionofthiswork:anintroductionofxpoint-equationsystems entailsanextensivecollectionofpropertiesofxpoint-equationsystems.thedierencebetweenmoretraditionalequationsystemsand xpoint-equationsystemsconsistsoftheadditionalstructuregivento thelatter:thereisanorderdenedontheequationsandeachequationisequippedwithaminimalityormaximalitycondition.because ofthisstructureknownresultsforsolutionsofequationsystemsover latticesdonotapplyforthexpoint-equationsystems.inthiswork xpoint-equationsystemswillbeinterpretedoverthebooleanlattice fornitestatespacemodel-checkingaswellasoveraninniteproduct ofbooleanlatticesformodel-checkingofinnitestatespaces.section 3.2containsdenitionsandpropertiesforthenitecase,extending Booleanequationsystems. Chapter4containsanintroductiontothemodal-calculus,including propertiesforxpoint-equationsystemsoverarbitrarylattices.the interpretedinthiswayarecalledbooleanequationsystemsandinnite syntax,semantics,basicnotationsandfacts. Themainpointofchapter5istheequivalenceofthemodel-checking innitecasewillbetreatedinchapter9.fixpoint-equationsystems problemfornitestatespacesandtheproblemofsolvingboolean equationsystems.reductionstobooleanequationsystemsforthecase ofnon-alternating-calculusexpressionshavealreadybeentreatedby applyingdirectlytothegeneralcase.thesizeofabooleanequation otherpeople.theextensiontothegeneralcasecouldbedonebythe andfactsbasicforthewholework. Chapter1.Introduction. asageneralizationofnestedandalternatingxpoint-expressions.it well-knownxpointtheorems.here,insection5,wegiveareduction

17 equationsystem,weconstructaformulaofthemodal-calculusanda Section5.2showsthereductionintheotherdirection.GivenaBoolean simpleformforequationshastobedenedfollowingknowntechniques. systemlinearinthesizeoftheoriginalmodel-checkingproblemaa 1.2.Synopsis. systemderivedislinearinthesizeofthemodelandlinearinthesize oftheformula.inordertogetarepresentationofabooleanequation 17 relatingittothe\classical"versionofbooleanequationsystemswithoutorderontheequationsandwithoutsideconditionsforxpoints. thethemodelsatisestheformula.thesizeofthemodelisquadratic inthesizeofthebooleanequationsystem,thesizeoftheformulais linear. Chapter6dealswithmethodsforsolvingBooleanequationsystems, localaswellasglobalones.westartwithadiscussionoftheproblem, model,suchthatthebooleanequationsystemhasthesolutiontruei inationforlinearequationsystems.itleadstoboth,alocalanda BooleanequationsystemsbeinginNP\co-NP,andaccordingtothe techniqueforbooleanequationsystemswhichissimilartogauelim- Theknownmethodssolvingthemodel-checkingproblemaretheapproximationtechniqueandatableaumethod.Weinterpretethem equivalenceresultsalsothemodel-checkingproblemiscontainedin globalalgorithm.thelastsectioncontainsasimpleproofforsolving onbooleanequationsystems.inadditionwepresentanewsolving thisclass,whichisaknownresult. Examplesforapplicationarepresentedinchapter7.Here,wefocus inotherframeworks:thereexistreductionstoproblemsinautomata- algorithmsolvingtheproblemofmutualexclusion.theseproperties providenon-trivialexamplesfor-calculusformulae.theyareveri- edwithanimplementationofgaueliminationforbooleanequation systems. Themodel-checkingproblemforthemodal-calculushasbeentreated oncomposingandprovingdierentlivenesspropertiesforpeterson's andgame-theory.intherstcaseallautomataderivedaretree- automata.insection8.1weshowtheequivalenceofmodel-checking andthenon-emptiness-problemofalternatingautomataoninnite

18 playerhasawinningstrategyforagameandsolvingabooleanequationsystem.thereductionofbooleanequationsystemstomodelcheckinggivesimmediatelyareductionfromamodel-checkinggame games.insection8.2,weshowtheequivalenceofdecidingwhethera Themodel-checkingproblemhasalsobeenreducedtomodel-checking wordsoverasingle-letteralphabetwithaparityacceptancecondition. Chapter1.Introduction. 18 xpoint-equationsystemsinterpretedovera(possiblyinnite)productofbooleanlattices.theequivalenceofinnitebooleanequation systemsandthemodel-checkingproblemforinnitestatespacesis Sofarwehaveonlybeenconsideringnitestatespaces.Inchapter toamodel-checkingproblem,whichhasbeenanopenquestion. case.booleanequationsystemsastheyareusedherearederivedfrom provedbyreductionsinbothdirections.theseresultsareonlyuseful whenhavinganiterepresentationoftheproblemwhichisgivenby 9,thetheoryofBooleanequationsystemsisextendedtotheinnite setbasedequationsystems.wepresentaneliminationmethodusing ideasfromgaueliminationforthenitecaseandfromthetableau examplesdemonstratethetechnique. Thethesisendswithconcludingremarksputtingourresultsinageneralframework. methodofbradeldandstirling.itsolvessetbasedequationsystemsandalsothemodel-checkingproblemfortheinnitecase.small

19 Chapter2 Basics. xpointoperatorsofmodallogichavetobedenedviacontinuous interpretedasanorderpreservingfunctionbetweentwolattices.the functions.therefore,wecollectheretherelevantdenitionsandfacts. iscompletelattice.thesemanticofaformulaofmodallogiccanbe 2.1Ordersandlattices. Thebasicstructureinthisworkarelattices;formulaeofmodallogic withimplicationorderformalattice,thepowersetofastatespace Adetailedintroductionintolatticesandorderscanbefound[DP90]. Asetequippedwithapartialorderiscalledanorderedset. (transitivity)xyandyzimplyxz (antisymmetry)xyandyximplyx=y ifforallx;y;z2p: (reexivity) Denition2.1AbinaryrelationonasetPisapartialorder greatestelementofqisa2qifaxforallx2q.dually,the Denition2.2GivenanorderedsetPandasubsetQofPthe xx leastelementofqisa2qifaxforallx2q.

20 20Denition2.3LetPbeanorderedset.Thegreatestelementof P,ifitexists,iscalledthetopelementofPandwritten>.Dually, Proposition2.4GivenanorderedsetPanysubsetQPisan Pandwritten?. theleastelementofp,ifitexists,iscalledthebottomelementof Chapter2.Basics. orderedset. Proposition2.5Let(P1;1);:::;(Pn;n)beorderedsets.Their productp1:::pncanbeequippedwithapartialorderbypointwisedenition:(x1;:::;xn)(y1;:::;yn)ixiiyifor1in. Denition2.6LetPandQbeorderedsets.Thesetoffunctions fromptoqisdenotedby(p!q).foreachfunctionf2(p!q) Onthesetoffunctions(P!Q)anorderisinheritedfromthe p1p2itisthecasethatf(p1)f(p2). thedomainispandthecodomainisq. Afunctionf2(P!Q)ismonotone,ifforallp1;p22Pwith ThesetofallmonotonefunctionsisdenotedbyhP!Qi. f(a)g(a)foralla2a. orderontheircodomainq:letf;g2(p!q).thenfgif Denition2.7LetPbeanorderedsetandSbeasubsetofP. Thenx2PisanupperboundofS,ifsxforalls2S.Dually x2pisalowerboundofs,ifxsforalls2s. AllupperboundsofSarecollectedinaset"S,thelowerbounds TinsteadofWandV,and[and\insteadof_and^. inmumvfx;yg.whenspeakingaboutpowersetswewillusesand Notation:ForthesupremumWfx;ygwewritex_y,andx^yforthe VS.TheyarealsocalledthesupremumandinmumofS. upperboundofs,anddenotedbyws.thegreatestelementof #Sifitexists,iscalledgreatestlowerboundofS,anddenotedby inaset#s.theleastelementof"s,ifitexists,iscalledleast

21 2.1.Ordersandlattices. Denition2.8LetPbeanon-emptyorderedset.Pisalattice, ifx_yandx^yexistforallx;y2p.pisacompletelattice,if WSandVSexistforallsubsetsSP. Proposition (5)IfPandQare(complete)latticesthenalsothesetsoffunctions (4)ForanysetXitspowersetP(X)equippedwiththesetinclusion (1)InalatticeWSandVSexistforallnitesubsetsSP. (2)Everynitelatticeiscomplete. (3)Inacompletelatticethebottomelement?andthetopelement inmumareobtainedpointwise. (P!Q)andhP!Qiare(complete)lattices.Supremumand orderisacompletelattice. >exist. fop(k1) theoperationssupremum_andinmum^,andasetofoperators sions.thesearebuiltupbyvariablesxfromasetofvariablesx, theoperatorop(ki) Inmostcaseswethinkoffunctionsasrepresentedbyfunctionexpres- f::=xjf_fjf^fjop(ki) monotonefunction,andspsuchthatwsandvsexistin Proposition2.10LetPandQbeorderedsets,f:P!Qa 1;:::;Op(kn) P,andWf(S),Vf(S)existinQ.Thenf(WS)Wf(S)and ngforsomen2in,wherekidenotesthearityof f(vs)wf(s). i. i(f;:::;f) directed,ifeverynitesubsetfofshasanupperboundins. Proposition2.11Productsofcompletelatticesequippedwitha partialorderasinproposition2.5arecompletelattices. Denition2.12Anon-emptysubsetSofanorderedsetPis

22 22Thenf:P!QiscontinuousifforeverydirectedsetinPitisthe casethatf(wd)=wf(d). Denition2.13LetPandQbecompletelattices. Afunctionthatpreserves?,i.e.f(?)=?iscalledstrict. Chapter2.Basics. Proposition2.14LetPandQbecompletelattices.Thenevery 2.2Fixpointsandtheirproperties. Denition2.15GivenalatticePandafunctionf:P!P.An elementx2pisaxpointoffiff(x)=x. monotonefunctionf:p!qisalsocontinuous. TheverybasictheoremcomesfromTarski[Tar55](seealso[LNS82]). Thissectionisacollectionofvariouspropertiesofxpointswhichcan befoundintheliterature.itstartswithpropertiesofsimplexpoints, bothleastandgreatest.thenwelookatthemoregeneralcasewhere xpointoperatorsofpossiblydierenttypearenested. Itguaranteestheexistenceofaleastandgreatestxpointforamonotonefunctionoveracompletelattice Simplexpoints. Wewillusewhenreferringtoeitheror. Thenextproperties(formonotonef)canbefounde.g.in[Koz83]. notemptyandthesystem(p;)isacompletelattice;inparticular theleastxpointisx:f(x)=vfa2ajf(a)agandthe monotonefunction,andpthesetofallxpointsoff.thenpis Theorem2.16Let(A;)beacompletelattice,f:A!Aa greatestxpointisx:f(x)=wfa2ajf(a)ag.

23 2.2.Fixpointsandtheirproperties. Proposition2.17 (1)f(X:f(X))=X:f(X) (2)Iff(a)athenX:f(X)a. (3)Iff(a)athenX:f(X)a. (4)Iff(a)g(a)foralla2AthenX:f(X)X:g(X). 23 Thefollowingpropertyisknownasthereductionlemma,seeforexample[Koz83],[Win89]. Lemma2.18aX:f(X)iaf(X:(f(X)_a)) (6)X:f(X)=X:f(f(X)) (5)Iff(a)=f(b)foralla;b2AthenX:f(X)=f(X). generalversion,usingtransniteiteration(see[lns82]). butnoconstructivemethodtoyieldit.thisisthesubjectofthenext Tarski'stheoremshowstheexistenceofaleastandgreatestxpoint, well-knowntheorembasedonapproximants.itispresentedhereinits Denition2.19Let(A;)beacompletelatticeand or,dually,ax:f(x)iaf(x:(f(x)^a)). term,whereisanordinal.theapproximanttermsaredenedby +1X:f(X)def transniteinduction: f:a!aamonotonefunction.thenx:fisanapproximant X:f(X)def X:f(X)def 0X:f(X)def 0X:f(X)def =^<X:f(X) =_<X:f(X) => =f(x:f(x)) =? whereisalimitordinal.

24 24X:f(X)=^ X:f(X)=_ functionf:a!a Proposition2.20Foracompletelattice(A;)andamonotone 2OrdX:f(X) 2OrdX:f(X) Chapter2.Basics. and,dually, thatofasuchthatfor: X:f(X)=X:f(X) Moreoverthereexistsanordinalofcardinalitylessorequalto whereordistheclassofallordinals. andgaremonotoneinbotharguments.asarststepwewilldene wherexandyarevariablesoverlattices(a;)and(b;),andf 2.2.2Nestedxpoints. Wenowwanttoconsidernestedxpoints,suchasX:f(X;Y:g(X;Y)) X:f(X)=X:f(X): theirdomainsareinterpretedindierentways.fortechnicalreasons weassumefromnowonthattherearenottwodierentvariablesina nestedxpointexpressionhavingthesamenames. abusenotationanddonotintroducenewnamesforfandgwhen theinnerxpointy:g(x;y)asafunctiong0fromatob.wewill andthegreatestxpointis Y:g(X;Y)def Y:g(X;Y)def monotonefunctiononabtob.thentheleastxpointwith respecttobisafunctionfromatob Denition2.21Let(A;)and(B;)becompletelattices,ga =Wfg02(A!B)jg(X;g0(X))g0(X)g. =Vfg02(A!B)jg(X;g0(X))g0(X)g

25 2.2.Fixpointsandtheirproperties. Proof:straightforward g0(a)=y:g(a;y)(g0(a)=y:g(a;y))foreverya2a,where isamonotonefunctiong0:a!banditisthecasethat Proposition2.22Theleast(greatest)xpointofg:AB!B g(a;y):b!aandy:g(b;y)followsdenition forwardly.intheremarkbelowg0mightbeavectoroffunctions Themonotonicityofg0impliesthatf(X;g0(X))isamonotonefunction fromatoaanditsxpointsarewelldenedaccordingtodenition (possiblyempty)productsofcompletelattices. resultingfrominnerxpointsandalldomainscouldbeinterpretedas 2.16.Theapplicationtoarbitrarynestingofxpointsworksstraight- Remark2.23Wewanttopointout,thatthereexisttwobasicallydierentinterpretationsoftheinnerxpointswhichhave g0(a)def morecommonone:g0asafunctiononatobisdenedpointwise, consequencesforalgorithmscalculatingthem.therstoneisthe canexplicitlycalculatethefunctiong0,notinapointwisemanner, functiong(a;y)onbtobandtheapplicationofaxpointoperator Yiswelldened.Thisinterpretationgivesrisetotheapproximationbasedalgorithms.Evaluationofg0ataisdonebyasimple Theotherinterpretationfocusesonthefact,thatinsomecaseswe approximationofy:g(a;y)asinproposition2.20. =Y:g(a;Y).Foreveryargumenta2Awegetthesimple howasimultaneousxpointcanbetransformedtoanestedxpoint expression. Bekic'stheorem[Bek84]foreliminationofsimultaneousxpointsshows butasafunctionexpressionwithafreevariabley.heretheevaluationofg0(a)consistsofasimplefunctionevaluationandnotofan f:ab!aandg:ab!bmonotonefunctions. Theorem2.24Let(A;)and(B;)becompletelattices, approximation. a=x:f(x;y:g(x;y)),andb=y:g(a;y): Then(X;Y):(f(X;Y);g(X;Y))=a;b,where

26 26 Chapter2.Basics.

27 Chapter3 Fixpoint-equation systems. pretedoverarbitrarycompletelattices.fortheissueofthisworkthe caseofxpoint-equationsystemsisinvestigated,wheretheyareinter- propertiesofxpoint-equationsystems.intherstsectionthegeneral nitionsofsyntaxandsemanticsitcontainsanextensivecollectionof technicalbasisfortherestofthework.therefore,apartfromde- Weintroducexpoint-equationsystemsextendingthenotionofnested requireddomainsarethebooleanlatticeandapossiblyinniteprod- xpointexpressions.theintentionofthischapteristoprovidethe uctofbooleanlattices.thesecondsectionfocusesonthexpoint- equationsystemsoverthebooleanlattice,booleanequationsystems. Forthiscasesomedenitionssimplifyandwegetanumberoffurther properties.proofsofthischapterareshiftedtotheappendix.

28 3.1Fixpoint-equationsystemsfor 28 fromxpointexpressionstoxpointequationsystems.themainpart Firstsyntaxandsemantics1aredened,thenwegiveatranslation completelattices. Chapter3.Fixpoint-equationsystems. ineachfunction.insteadofperformingexplicitlythesubstitutionin environment.;1;:::willrangeoverenvironments,whereeachis equationsystems. Inthefollowingweconsidersequencesoffunctionsf1;f2;:::overalattice(A;).Often,freevariableswillbesubstitutedbythesamevalues eachfunctionwecollectthevaluesofthevariablesinavaluation,called ofthissectioncontainsanextensivecollectionofpropertiesofxpoint- fby(x).by[x=a]wedenotetheenvironmentthatcoincideswith afunction:x!a. Afunctionfcanbeappliedtoanenvironment,andtheresultf() isthevalueofthefunctionfaftersubstitutingeachfreevariablexof forallvariablesexceptx,i.e.(y)=([x=a])(y)fory6x,and Theorderonalattice(A;)extendsnaturallytoanorderonenvironmentsoverA(seeDeniton2.6).Wehave12iforallvariables latticeoperations_and^canbeappliedalsotoenvironmentswhen ments(foraxedsetofvariablesx)formsalattice.obviously,the ([X=a])(X)=a.Intheremainder[X=a]haspriorityoverallother interpretingthempointwise. operations,and[x=a]alwaysstandsfor([x=a]). X2Xitisthecasethat1(X)2(X).Thusthesetofenviron- pointedmetoitforthespecialcaseofxpoint-equationsystemsovertheboolean Axpoint-equationsystemoverAisanitesequenceofequations oftheform(x=f),wheref:an!aforsomen2inisa Denition3.1Let(A;)beacompletelattice. lattice.itturnedouttobemorecompactthanearlierversions. monotonefunction. Theemptysequenceisdenotedby. 1TheversionofnotationusedherewasinspiredfromVergauwen[Ver95]who

29 rightsideofanequationofearecollectedinthesetrhs(e).variables whichappearonthelefthandsideofanequationofearecollectedin thesetlhs(e),i.e.lhs((x=f)e)def equationsystemehavethesamelefthandsidevariable.variables Fortechnicalreasonsweassumethatnotwoequationsofaxpoint- 3.1.Fixpoint-equationsystemsforcompletelattices. InthefollowingE;E0;E1;:::willrangeoverxpoint-equationsystems. =fxg[lhs(e).variablesonthe 29 ofrhs(e)whicharecontainedinlhs(e)arecalledbound.variables whicharenotboundarefree,free(e)def axpoint-equationsystemeisasetofconsecutiveequationsofeall havingthesamexpointoperatorinfront. Theorderdenedbelowreectsthelinearorderofequationsina xpoint-equationsystem.itwillbeappliedtobothequationsand variables. Denition3.2Let(X=f)Ebeaxpoint-equationsystemand =rhs(e)nlhs(e).ablockin respecttoe,iffree(e0)free(e). systeme,ifforeachpairofequationswith(xx=fx)c(yy=fy) Axpoint-equationsystemE0isasubsystemofaxpoint-equation AsubsystemE0ofaxpoint-equationsystemEiscalledclosedwith ine0bothequationsarecontainedineandorderedinthesameway. AsusualXEYabbreviates(XCYorX=Y). 0Y=ganequationofE.ThenX=fC0Y=gandalsoXCY. Denition3.3Let(A;)beacompletelattice,(X=f)Ea Thesolutionofaxpoint-equationsystemrelativetoisan environmentdenedbystructuralinduction: xpoint-equationsystemovera,and:x!aanenvironment. [(X=f)E]def [(X=f)E]def []def X:f([E])=Wfajaf([E][X=a])g X:f([E])=Vfajaf([E][X=a])g where=[e][x=x:f([e])] = =[E][X=X:f([E])]

30 holdsforallenvironments1;2. Note,thatifallvariablesofrhs(E)arebound,then[E]1=[E]2 30Denition3.4Givenaxpoint-equationsystemEwedenea lexicographicordereonenvironments. 12i1=2 Chapter3.Fixpoint-equationsystems. Thereexistsanalternativecharacterizationofthesolutionofaxpointequationsystem,whichinsomecontextswillbemoresuitable. 1E2i1(X)>2(X)or1(X)=2(X)and1E02. LetE(X=f)E0. Proposition3.5Thesolutionof[]is. Dually,ifE(X=f)E0,then 1E2i1(X)<2(X)or1(X)=2(X)and1E02. Thesolutionof[(X=f)E]isthelexicographicallyleast(w.r.t (2)1isthesolutionof[E][X=1(X)]. (X=f)E)environment1satisfying: Denition3.6ForE=(1X1=f1)(2X2=f2):::(nXn=fn) (1)f(1)=1(X)and lete(i)def X2)(X4=X1_X3)beaxpoint-equationsystemoverIB. Example:Let(X1=X2^X4)(X2=X3_X1)(X3=X4^ Thecharacterizationofthesolutionwillbeillustratedbyanexample overthebooleanlatticeib=ffalse;trueg,wherefalse<true. Corollary3.7If[E]=0then[E(i)]0=0for1in. =(ixi=fi):::(nxn=fn)for1in. Startingfromthexpoint-equationsystemconsistingonlyofthelast equationx4=x1_x3wewillselectstepwiseallenvironmentsful- equationsystemwithoneequationmore. llingpoint(2)ofproposition3.5,thenthosefulllingpoint(1),and inthenextsteptheremainingenvironmentsareconsideredforthe

31 3.1.Fixpoint-equationsystemsforcompletelattices. Forreadabilitywewriteanenvironmenthereasavector(b1;b2;b3;b4), FortheequationsystemconsistingofthelastequationE(4)(X4= meaninganenvironmentwhere(xi)=bi. X1_X3),itisthecasethat [E(4)](true;false;false;true)=(true;false;false;true) 31 [E(4)](true;true;true;true)=(true;true;true;true) [E(4)](true;true;false;true)=(true;true;false;true) [E(4)](true;false;true;true)=(true;false;true;true) [E(4)](false;true;true;true)=(false;true;true;true) [E(4)](false;false;true;true)=(false;false;true;true) followingdo: notallofthemfulllpoint(1),i.e.,theequationx3=x4^x2;the NowwegoonwithE(3)(X3=X4^X2)(X4=X1_X3) Eachoftheenvironmentsabovefulllpoint(2)ofproposition3.5,but [E(4)](false;false;false;false)=(false;false;false;false) [E(4)](false;truefalse;false)=(false;truefalse;false) (true;false;false;true) equationx2=x3_x1.theseare: Notethatforallthesefourenvironmentsitis [E(3)]=[(X3=X4^X2)(X4=X1_X3)]= Thenextstepistoselecttheseenvironmentswhichfulllalsothe (false;false;false;false) (true;true;true;true) (false;true;true;true) Buthereitisthenotthecasethateachofthesesatises [E(2)]=[(X2=X3_X1)(X3=X4^X2)(X4=X1_X3)]=. (false;false;false;false) (true;true;true;true) (false;true;true;true)

32 For(true;true;true;true)wehave 32=[(X2=X3_X1)(X3=X4^X2)(X4=X1_X3)] =[(X2=X3_true)(X3=X4^X2)(X4=true_X3)] [E(2)](true;true;true;true) Chapter3.Fixpoint-equationsystems. Bothfulllpoint(1)and(2)ofproposition3.5.Hencesolutionis onlythelexicographicllysmalleronewithrespecttoe(2),whichis incideinthefreevariableofe(2),whichisx1andequalstofalse. Ontheotherhand,(false;true;true;true)and(false;false;false;false)co- =(true;true;true;true) =[(X2=true)(X3=X4^X2)(X4=true](true;true;true;true) (true;true;true;true) (false;false;false;false)(becauseofthemu-xpointintheequationof systemisnotveryintuitive,andaninterestingquestionis,whether X2). Bothenvironments(true;true;true;true)and(false;false;false;false)fulll (true;true;true;true)(becauseofthe-xpointofx1)isthesolutionof theequationsystem. Unfortunately,thedenitionofthesolutionofaBooleanequation equationx1=x2^x4andthelexicographicallysmallerone,here selectoneenvironmentasthesolution. thereexistsamoreilluminatingcharacterization. Anaturalideaistodeterminethesetofallenvironmentsthatfulllall equations(xi)=fi(),andthen,accordingtothexpointoperators, C relatedtothemethodswhichdeterminethesolution.thiswillbe Unfortunatelythisapproachcannotwork.Counterexamplescanbe xpointexpressionstoxpoint-equationsystemsandshowthatthe nestedxpointexpressions.wenowdeneatransformationfrom treatedinchapter6. Fixpointequationsystemsareintroducedasanextendednotationfor foundinsection6.1andalsosomemorediscussionofthispoint. semanticispreserved. Thequestionforaclearercharacterizationofthesolutionisclosely

33 3.1.Fixpoint-equationsystemsforcompletelattices. Thetransformationisdividedintotwofunctions.One,E,mapsthe tree-likestructureofaxpointexpressiontoasequenceofexpressions. withanexampleandgivetheformaldenitionafterwards. Example: E(X:((Y:X_Y)^(Z:X^Z))) Theotherone,E0turnsexpressionsintoxpointequations.Westart 33 =(X=E0(Y:X_Y)^E0(Z:X^Z))E(Y:X_Y)E(Z:X^Z) =(X=E0((Y:X_Y)^(Z:X^Z))) =(X=Y^Z)(Y=E0(X_Y))(Z=E0(X^Z)) =(X=Y^Z)(Y=X_Y)(Z=X^Z) Denition3.8LetX:fbeaxpointexpressionoveralattice (A;),wherefisamonotonefunctiononAconsistingofconstants, variables,xpointexpressions,thelatticeoperations_and^and E((Y:X_Y)^(Z:X^Z)) eachvariableisboundonlyoncebyaxpointoperator.emaps X:ftoaxpoint-equationsystemandisdenedasfollows: Op(ki) additionallyasetofmonotoneki-aryoperationsona,denotedby iforsomei2in.assumethatinx:fnamesareunique,i.e. E(Op(ki) i(f1;:::;fki))=e(f1):::e(fki) E(f1_f2)=E(f1)E(f2) E(f1^f2)=E(f1)E(f2) E(X:f)=(X=E0(f))(E(f)) E(X)= E(a)= E0(Op(ki) i(f1;:::;fki))=op(ki) E0(f1_f2)=E0(f1)_E0(f2) E0(f1^f2)=E0(f1)^E0(f2) E0(X:f)=X E0(X)=X E0(a)=ai(E0(f1);:::;E0(fki))

34 34 Theproofofthispropositionrequiresthefollowinglemma: Proposition3.9LetX:fbeaxpointexpressionoveralattice Then(X:f)()=([E(X:f)])(X). (A;)andanarbitraryenvironment. Chapter3.Fixpoint-equationsystems. that lhs(e1)\lhs(e2)=;, lhs(e1)\rhs(e2)=;, Lemma3.10LetE1andE2bexpoint-equationsystems,such Booleanequationsystemsinthecontextof-calculusmodelchecking systemtoa(nested)xpointexpressionisnotalwayspossible.for Notethatastraightforwardtransformationbackfromaxpoint-equation wewillshowamethodinsection5.2.ingeneral,axpoint-equation lhs(e2)\rhs(e1)=;. sions.forexample(x=y)(u=v)isaxpoint-equationsystem, systemcanbetransformedbacktoasetof(nested)xpointexpres- Then[E1][E2]=[E1E2] andx:yandu:vare(theonlysensible)xpointexpressionscorrespondingtoit. Anotherexampleis(X=Z)(Y=X)(Z=Y).Itmightcorrespond totheexpressionx:z:y:x,butthetransformationofthisexpressiontoaxpoint-equationsystemgives(x=z)(z=y)(y=x). monotoneoperatoronenvironments. solutions.therstonestatesthataxpoint-equationsystemisa tionsystemswhichdescribeequivalenceandorderrelationsontheir Inthefollowingwepresentacollectionofpropertiesofxpointequa- ItiseasytoseethatinthelemmaaboveonlyforvariablesXthatare freeineweneedthecondition1(x)2(x).hencetheorderof theenvironmentsdenedpointwiseonallvariablescanberestricted tothevariableswhicharefreeine. Lemma3.11If12then[E]1[E]2.

35 tionsorderedbyrespectively,forallenvironments.itextendsthe 3.1.Fixpoint-equationsystemsforcompletelattices. equationsystems,relatingthosethathavethesamesolution,orsolu- Wedeneanequivalencerelationandanorder-onxpoint- Corollary3.12[E]1_[E]2[E](1_2),and [E]1^[E]2[E](1^2). 35 equivalencerelationdenedin[ver95]forbooleanequationsystems. thisresultwasstatedin[ver95]. Equivalenceandorderingofxpoint-equationsystemsispreservedfor prexingofequations.forequivalenceonbooleanequationsystems Denition3.13 Lemma3.14IfE1E2thenEE1EE2. DeneE1E2i[E1]=[E2]forallenvironments. DeneE1-E2i[E1][E2]forallenvironments. Denition3.15Letforsomen2IN E1(1X1=f1):::(nXn=fn), E2(1X1=g1):::(nXn=gn). ThenE1E2ifigi. IfE1-E2thenEE1-EE2. E1_E2def E1^E2def Lemma3.16IfE1E2thenalsoE1-E2 Corollary3.17[E1]_[E2][E1_E2],and =(1X1=f1_g1):::(nXn=fn_gn), =(1X1=f1^g1):::(nXn=fn^gn), [E1]^[E2][E1^E2].

36 X3)(X2=X3)(X3=X2) systemse1(x1=x2)(x2=x2)(x3=x1)ande2(x1= greaterone: Example:Againthelatticeis(IB;).Considertwoxpoint-equation casethatbothsystemshavethesamesolutiontheirdisjunctionhasa Thiscorollarywillbeillustratedbyanexample,whereeveninthe 36 Chapter3.Fixpoint-equationsystems. Thereareothersimple,desirablepropertieswhichsurprisinglydonot X1_X2)is(true;true;true). hold.wedemonstratehereoneofthem. IfE1-E2thenE_E1-E_E2andE^E1-E^E2 solutionoftheirdisjunction(x1=x2_x3)(x2=x2_x3)(x3= Bothhavethesamesolution(false;false;false)forany.However,the Counterexample:LetE;E1;E2bexpoint-equationsystemsoverthe Booleanlattice(IB;). C E1(X1=X1)(X2=X2)(X3=X3) E^E1. (false;false;true),e2^ehas(false;false;false)assolution.heree^e2- E1hasthesolution(false;true;true)andE2hasthesolution(true;true;true). ThesolutionofEis(false;false;true).E1^Ehasalsothesolution HenceE1-E2. E2(X1=X2)(X2=X3)(X3=X2) E(X1=X2)(X2=X1)(X3=X3) ThefollowinglemmaextendsapropertyforBooleanequationsystems in[ver95]toxpoint-equationsystems. Lemma3.18If([(X=f)E])(X)=([(X=g)E])(X) then[(x=f)e]=[(x=g)e]: C ingandreductionmethodsforxpoint-equationsystems. theequationsystempreservingthesolution.thisallowsstepwisesolv- knowingpartsofthesolutionthenthesepartsmaybe\removed"from Thenextbothlemmatadealwithaquitenaturalproperty:when

37 3.1.Fixpoint-equationsystemsforcompletelattices. Lemma3.19Let EE1(X=f)E2, ([E])(X)=a,and E0E1(X=a)E2. 37 pointoperator,fromto,ortheotherwayround.frombekic's equationsystemwheninterchangingequationsorswitchingthex- Thefollowinglemmatadescribepropertiesofthesolutionofaxpoint- Lemma3.20[E1(X=a)E2]=[E1E2][X=a]. Then[E]=[E0]. whichreferstolexicographicordering(proposition3.5). slightlysurprisinghavinginmindthecharacterizationofasolution pliesdierentsolutionswhichareorderedpointwise.thispropertyis Theorem2.24itfollowsthatinterchangingsubsequentequationswith thesamexpointoperatordoesnotinuencethesolution.thesame holdsforequationswithdierentxpointoperatorsifthevariablesof bothequationsaredierent.otherwiseinterchangingequationsim- Lemma3.21Let 1def 2def Then1=2. Lemma3.22If X1isnotfreeinf2, =[E1(X1=f1)(X2=f2)E2], X2isnotfreeinf1, =[E1(X2=f2)(X1=f1)E2]. 1def 2def Then1=2. =[E1(1X1=f1)(2X2=f2)E2] =[E1(2X2=f2)(1X1=f1)E2]

38 38Lemma3.23Let 1def 2def Thenitis12,andmoreover,iftheinequalityisstrictthen 1(X1)<2(X1)and1(X2)<2(X2). =[E1(X1=f1)(X2=f2)E2], =[E1(X2=f2)(X1=f1)E2]. Chapter3.Fixpoint-equationsystems. Lemma3.24Let 1def 2def =[E1(X=f)E2], _or^.everyxpoint-equationsystemcanbetransformedintosuch tems,whereeachrighthandsidecontainsatmostoneoftheoperators Oftenweneedsomestandardrepresentationofxpoint-equationsys- Thenitis12,andmoreover,iftheinequalityisstrictthen 1(X)<2(X). =[E1(X=f)E2]. aformbyintroductionofadditional\fresh"variables. ([(X=f1_f2)E])(Y)=([(X=f1_X0)(0X0=f2)E])(Y), ([(X=f1^f2)E])(Y)=([(X=f1^X0)(0X0=f2)E])(Y), wherex0isanewvariable,i.e.(*)x0doesnotoccurontheright handsideofeorinf1orf2,and(**)y6=x0. Lemma3.25 withinablockduplicateequationsmayberemoved. Forreductionofxpoint-equationsystemsthenextpropertyisuseful: Lemma3.26Let 1def 02def 2def Then1=2. =[E1(X1=f)(X2=f)E2] =[E1[X1=X2](X2=f[X1=X2])E2[X1=X2]] =02[X1=02(X2)]

39 3.2.Booleanequationsystems. nedinsection3applyalsotobooleanequationsystems.however, 3.2Booleanequationsystems. WenowintroduceBooleanequationsystemsasaspecialcaseofxpointequationsystems,wheretheunderlyinglatticeistheBooleanlattice 39 ftrue;falsegwithfalse<true.ofcourse,syntaxandsemanticsasdeexpressions.analogouslytodenition3.1wedene: ordertodistinguishthebooleancasealsosyntacticallywechoose[[]] LetXbeasetofBooleanvariables,andf;g;:::rangeoverBoolean andwewillreintroducesyntaxandsemanticsforthisspecialcase.in interpretedoverthebooleanlatticedealingwithxpointsgetssimpler, insteadof[]assemanticbrackets. ABooleanequationisoftheformX=f,where2f;g,Xisa acountablesetofvariablesxisdenotedbyib+(x). Denition3.27ThesetofnegationfreeBooleanexpressionsover DealingwithxpointsgetsmuchsimplerovertheBooleanlattice. Thefollowingtwolemmatashowthattheleastandgreatestxpoints equationandeisabooleanequationsystem,then(x=f)eisalso ABooleanequationsystemisasequenceofBooleanequations.The emptysequenceisabooleanequationsystem;ifx=fisaboolean abooleanequationsystem. BooleanvariableX2X,andf2IB+(X). pointwise.(seealsodenition2.21andremark2.23.) ofbooleanfunctionscanberepresentedasfunctionsthemselves.in contrasttostandarddenitionsitisnotnecessarytoevaluatethem Lemma3.29Supposef(X1;:::;Xn)isamonotoneBooleanfunctionfromIBntoIB.Thenitsleastandgreatestxpointswith respecttox1arex1:f(x1;:::;xn)=f(false;x2;:::;xn)and X1:f(X1;:::;Xn)=f(true;X2;:::;Xn)andbotharemonotone singlevariablex.thenx:f(x)=f(false)andx:f(x)=f(true). Lemma3.28Supposef(X)isamonotoneBooleanfunctioninthe functionfromibn 1toIB.

40 40Proposition3.30LetEbeaBooleanequationsystem,X=fa Booleanequation,anenvironment,b=falseandb=true.Then forthesolutionofabooleanequationsystemitisthecasethat: [[(X=f)E]]=[[E]][X=f([[E]][X=b])]: [[]]= Chapter3.Fixpoint-equationsystems. Example:ConsidertheequationsystemX1=X1andarbitrary. itsvariablesandthesizeofallitsright-handsideexpressions, HencethesolutionofthisBooleanequationsystemisX1=true.C ThesizeofaBooleanequationsystemEisdenedasthenumberof [[X1=X1]]=[[]][X1=(X1)([[]][X1=true])] jjdef =[X1=(X1)([X1=true])] =[X1=true] ThesizeofanegationfreeBooleanexpressionjfjisthenumberof variablesandconstantscontainedinf. expressionconsistsofconjunctions,ordisjunctions,orasinglevariable ABooleanequationsystemEisinsimpleform,ifeachright-handside j(x=f)ejdef =0 oraconstant. =1+jfj+jEj: expressionsto2.thisgivesrisetothefollowingdenitionofastandard Insomecontextsitisusefultorestrictthesizeoftheright-handsize formforbooleanequationsystems. ABooleanequationsystemEisinstandardform,if lhs(e)=fx1;:::;xngforsomen2in ifxicxjtheni<j eachright-handsideexpressionconsistsofadisjunctionxi_xj,a conjunctionxi^xj,asinglevariablexioraconstanttrueorfalse.

41 3.2.Booleanequationsystems. ABooleanequationsystemcanbedevidedintoblocks.Ablockis abooleanequationsysteme0instandardformandarenaming function,suchthat([[e]])(x)=([[e0]])((x)),ande0hassize Proposition3.31ForeachBooleanequationsystemEthereexists linearinthesizeofe. 41 depthandalternationdepthforbooleanequationsystems.. operatorinfront.hencewecandistinguish-blocksand-blocks. Booleanequationsystem.Wenowdeneactivevariables,nesting systemextendsnaturallytoanordereandcontheblocksofa ThelinearorderingsEandContheequationsofaBooleanequation denedasasetofconsecutiveequationsofehavingthesamexpoint Denition3.32Let EbeaBooleanequationsystem, XX=fX,YY=fYbeequationsofE, XX=fXCYY=fY thereisafreeoccurrenceofxinyy=fy,or ThenXisactiveinYY=fYi somevariablezisfreeinyy=fy,xczcyandxisactive Whendeningthenestingdepthandalternationdepthofxpoint AvariableXisactiveinablockEj,ifitisactiveinanyequationof Ej. AblockEiisactiveinablockEj,ifsomevariableXinanequation XX=fXofEiisactiveinEj. inzz=fz. mulaorderisapartialorder.inthecaseofbooleanequationsystems wehavejustalinearorderontheequations.however,thepartialorder isreectedbythepossibleapplicationsoflemma3.22tointerchange operatorsforexpressionswehavetotakeintoaccountthatthesubfor- equations.

42 42EistheminimalnumberofblocksofallBooleanequationsystems Denition3.33ThenestingdepthofaBooleanequationsystem accordingtolemma3.22. Denition3.34Let thatcanbederivedfromeby(repeated)interchangingofequations Chapter3.Fixpoint-equationsystems. EbeaBooleanequationsystem, 1X1=f1C:::CnXn=fnachainofBooleanequationsof Section3containsanumberofpropertiesofxpointequationsystems, maximallength,suchthatforevery1i<n whichare,ofcourse,alsovalidforthespecialcaseofbooleanequation systems.inadditiontothesethereexistmorepropertiesforboolean ThenEhasalternationdepthn,i.e.ad(E)=n. (2)Xnisfreeinfn,and (3)i6=i+1, (1)Xiisactiveini+1Xi+1=fi+1, ductivelyasfollows: ThecomplementationEofaBooleanequationsystemisdenedin- equationsystems,whichwillbeneededinlaterchapters. where= (X=f)E=(X=f)E; false=true true=false X=XforX2X = = Thecomplementofanenvironmentisdenedas(X)=(X). ThecomplementationlemmaforBooleanequationsystemsis: Lemma3.35([[E]])(X)=falsei([[E]])(X)=true. f1^f2=f1_f2 f1_f2=f1^f2

43 3.2.Booleanequationsystems. ThenextisaverystrongpropertyaboutareductionofBooleanequationsystemspreservingtheirsolution.HavingaBooleanequatiotionsofE0.IneveryequationofEwithadisjunctionontheright-hand orconstantsontheirright-handsideareunchangedandbecomeequationsysteme0inthefollowingway:allequationshavingconjunctions 43 systemeinstandardformwecanconstructanewbooleanequa- asystemisinconjunctiveform.theorderofvariablesineande0 sideonedisjunctisselectedasthenewright-handsidefortheequation ine0.notethate0containsnoproperdisjunctionsandwesay,such isthesame.fromdenition3.15andlemma3.16weknowalready thereexistsachoiceofdisjuncts,suchthateande0havethesame solution.thedualpropertyholdswhenchoosingconjunctsinsteadof disjuncts. thatforeveryenvironmentthesolutionofe0islowerorequaltothe solutionofe.thefollowingpropositionsaysevenmore:forevery Proposition3.36GivenaBooleanequationsystemEandan environmentthereexistbooleanequationsystemse0ande00with theproperties: E0isinconjunctiveform, E0E,and [[E0]]=[[E]]. mentthereexistsabooleanequationsysteme0withthefollowing ForE00thedualpropertieshold: E00isindisjunctiveform, E00E,and [[E00]]=[[E]]. Corollary3.37ForBooleanequationsystemEandanenviron- properties: [[E]]=[[E0]],and E0isderivedfromEbyselectingineveryequationonevariable oftherighthandexpression.

44 conjunctivecase. Proof:Applyproposition3.36forthedisjunctiveandthenforthe 44 Chapter3.Fixpoint-equationsystems.

45 Chapter4 places,suchas[sti93]and[eme91].herewewillbrieyreviewthe logicanditspropertiesandwegiveassociateddenitionsrelevantto Thischaptergivesanintroductiontothemodal-calculusaccording beenwidelystudiedanddetailedintroductionscanbefoundinseveral tokozen'spropositional-calculus[koz83].themodal-calculushas Themodal-calculus. ourwork. ofthemodal-calculusisanexpressionoftheform: labelsandadenumerablesetzofpropositionalvariables.aformula ofatomicpropositionsincludingtrueandfalse,anitesetlofaction Thesyntaxofthemodal-calculusisdenedwithrespecttoasetQ 4.1Syntaxandsemantics. standardconventionsforthederivedoperatorsandabbreviationsare: occurrenceofzinfallsunderanevennumberofnegations.the wherez2z,q2qanda2l,andwhereinz:everyfree ::=ZjQj:j^j[a]jZ:; 1_2def hkidef [K]def haidef =Wa2Khai =:[a]: =Va2K[a] =:(:1^:2)

46 wherekl,and[z=:z]meansthesyntacticalsubstitutionof 46 everyoccurrenceofzinby:z. [ K]def Z:def [ ]def =[LnK] =[L] =:Z::[Z=:Z]; Chapter4.Themodal-calculus. mulacanbetransformedsyntacticallyintopositivenormalformby usingthederivedoperators,applyingthedemorganrulesandrenamingvariables.therefore,wecanrestrictthesetofformulaetothe positivefragmentassumingthatforeveryatomicpropositionq2q thenegationofqisalsoanatomicproposition,i.e.anelementofq. Inthissense,anequivalentdenitionofthesyntaxis: ::=ZjQj^j_j[a]jhaijZ:jZ: subsetofxpointfreeformulaeby0. Aformulaisinpositivenormalform,ifnegationsapplyonlyto Wedenotethesetofallmodal-calculusformulaebyL,andthe atomicpropositionsandnovariableisquantiedtwice.everyfor- by!def andassumethattheyareinnormalform. Formulaeofthemodal-calculuswiththesetLofactionlabelsare a2labinaryrelationonstates.theunionofallrelationsisdenoted Inthefollowingwewillreferonlytoformulaeofthepositivefragment interpretedrelativetoalabelledtransitionsystemt=(s;fa!ja2 Lg),whereSisapossiblyinnitesetofstatesanda!SSforevery formulaisthesetofstatesjjjjtv.astatessatisesaformula, modelmofthemodal-calculus.thesemanticsofeach-calculus holdforeverystateinv(q)andv(z).thepairtandviscalleda writtenassj=m,is2jjjjtv,whichisdenedinductivelyasfollows: propositionqinqandpropositionalvariablezinzasetofstates V(Q)SandV(Z)SmeaningthatpropositionQandvariableZ =Sa2La!.AvaluationfunctionVassignstoeveryatomic jjqjjtv=v(q) jjzjjtv=v(z)

47 4.1.Syntaxandsemantics. jj1^2jjtv=jj1jjtv\jj2jjtv jj1_2jjtv=jj1jjtv[jj2jjtv jjz:jjtv=\fs0sjjjjjtv[z=s0]s0g jjhaijjtv=hhaiitjjjjtv jj[a]jjtv=[[a]]tjjjjtv 47 where[[a]]ts0def jjz:jjtv=[fs0sjs0jjjjtv[z=s0]g numberoftransitions,jtjdef Examplesfor-calculusformulaewillbegivenbelow.Firstwewant tointroducesometechnicalterms. Thesizeofatransitionsystemincludesthenumberofstatesandthe hhaiits0def =fsj9s02s0:sa!s0g =fsj8s02s:ifsa!s0thens02s0g Thebranchingdegreej-Rjisthemaximalnumberofsuccessorsthat anystateofthetransitionsystemhas,j-rjdef AnupperboundforthebranchingdegreeisthenumberofstatesjSj. Thesizeofaformulajjisdenedasfollows: =jsj+j!j. j1_2j=j1j+j2j j1^2j=j1j+j2j jzj=jqj=1 =maxs2sjfs0js!s0gj. jz:j=1+jj jz:j=1+jj jhaij=1+jj j[a]j=1+jj Denition4.1Asusual,subformulaeofaformulaaredened inductivelyonthestructureof.if writee,andc ifitisapropersubformula. isasubformulaofwewill

48 48 WenowwanttointroducethenotionsofnestingdepthandalternationdepthofxpointoperatorsforformulaeofL.Thelatter subformulaof.anoccurrenceofavariablewhichisnotboundis Zisbound.AnoccurrenceofXinisbound,ifitisboundinany Denition4.2InaformulaZ: calledfree. eachoccurrenceofthevariable Chapter4.Themodal-calculus. Kaivola[Kai96].Thereamoredetaileddiscussionoftheseconcepts AlternationdepthwasdenedbyEmersonandLei[EL86]andisa withaminorextension.itsdenitionbasedonactivevariablesfollows willbedenedviaactivevariablesasintroducedbykozen[koz83]. relevantsizeformanymodelcheckingalgorithms.niwinski[niw86] gaveamoresensibledenitionforalternationdepthwhichwewilluse alternationdepthis2,whereaswewantittobe1. theemerson-leialternationdepthofx:y:z:xis3,itsniwinski canbefound.asmallexamplefordemonstratingthedierencesis: beaformula, E1X1: Denition4.3Let Thenhasnestingdepthn,i.e.nd()=n. beamodal-calculusformula, Denition4.4Let mallength. 1C:::CnXn: nachainofsubformulaeofmaxi- Zavariable. ThenZisactivein thereisafreeoccurrenceofzin somevariablez0isfreein inz0: beasubformulaof,i.e.e 0. i,ez0:,or,and0e,andzisactive

49 4.2.Basicformulae. beaformula, E1X1: Denition4.5Let mallength,suchthatforevery1i<n (1)Xiisactiveini+1Xi+1: 1C:::CnXn: nachainofsubformulaeofmaxi- i+1, 49 LeavingitoutwouldgiveNiwinskialternationdepth. Notethatourextensionconsistsofpoint(2)inthepreviousdenition. Thenhasalternationdepthn,i.e.ad()=n. (3)i6=i+1. (2)Xnisfreein n,and Therstaspecttomakeclearisthedierencebetweenthemodalities builtup,andwewanttoexplainthemhere. [a]andhai.theformula[a]istrueatastateforwhichnecessarily ever,thereareonlyafewbasicstructures,fromwhichformulaeare Itneedssomepracticetoreadandcreate-calculusformulae.How- 4.2Basicformulae. possiblythea-successorsfulll. thea-successorsfulll,theformulahaiistrueatastateforwhich Forthersttransitionsystem,wehaves0j=haiQands0j=[a]Q.For s0 ccc as3 bs2j=q s1j=qt0 ccc at3 bt2j=:q t1j=q Q,butt06j=[a]Q,ast0alsohasana-successorfullling:Q.Inthe thesecondoneitist0j=haiq,becauset0hasana-successorfullling u0b thirdtransitionsystemwegetu06j=haiq,duetotheabsenceofanasuccessor,butu0j=[a]q,becausethereisnoa-successornotfullling u3 Q.

50 eral,leastxpointsdescribenitebehaviour,greatestxpointsaddi- tionalyalsoinnitebehaviour.inthetransitionsystemsbelowwe Crucialisthedierencebetweenleastandgreatestxpoints.Ingen- 50 assume:qateachstate,wheretheoppositeisnotstatedexplicitly. Chapter4.Themodal-calculus. v1av2j=q pathonwhicheventuallyqwillhold".itholdsbothstatesv1and TheformulaZ:haiZ_Qstandsfortheproperty\thereexistsana- w1a aw2aw3j=q a w1.theuniversalcounterpart\onallpathseventuallyqwillhold", w1isnotcontained,andhenceisnotanelementoftheleastxpoint, jj[a]x_qjjtv[z=fw3g]=[[a]]tfw3g[fw3g=;[fw3gfw3g Itfollowsthatintheintersectionofallsetssatisfyingtheinequality thesubsetfw3gsatisestheinequality: expressedbyz:[a]z_q,holdsforv1,butnotforw1,becauseon whichcoincideswiththeinformalargumentationabove. Consideringthesemanticdenitionofaleastxpoint,wehavethat theinnitepathw1w2w1w2:::theatomicpropositionqneverholds. Withagreatestxpoint,theproposition\onalla-pathsalwaysQ Combiningleastandgreatestxpointsallowsustoexpressmorecomplicatedproperties.TheformulaZ:X:(([a]Z^Q)_[a]X)corresponds holds"canbeformulatedasz:[a]z^q.inthetransitionsystems aboveitonlyholdsatw3. totheproposition\onallinnitea-pathsinnitelyoftenqholds".to makethestructureplausible,considerthetwofragmentsoftheformulax:(([a]z^q)_[a]x)saying\eventually([a]z^q)willhold" andz:([a]z^q)saying\alwaysqwillhold".combiningthemin oneformulagives\always,eitherqholds,or,ifitdoesnot,theneventuallyqwillhold"whichisequivalenttotherstexplanationabove. Aslastexampleconsidertheproperty\eventuallyQwillalwayshold", existentialversionz:x:((haiz^q)_haix)holdsalsoforw1. Inthetransitionsystemsabove,thisformulasatisesv1andw3.The

51 expressedbytheformulax:z:(([a]z^q)_[a]x).here,theleast xpointistheoutermostandthedierencetothepreviousformula 4.3.Propertiesofthemodal-calculus. liesintheorderof\alwayseventually"and\eventuallyalways". Inchapter7weusesomemoresophisticatedformulae,buttheyare explainablewiththebasicexamplesdiscussedinthissection. 51 theonlywayoflookingatthenextstatewithinapath.itstandsin allsuccessorsorsomesuccessormaybeconsidered.infact,thisis Themodal-calculusisabranchingtimelogic,inthatateachstate ofrunsandineachrunthereisoneuniquesuccessorforeachstate.a contrasttolineartime(temporal)logic.there,themodelsaresets 4.3Propertiesofthemodal-calculus. branchingtimepropertywhichcannotbeexpressedinlineartimeis: itisalwayspossibletocontinueinsuchawaythateventuallyqholds. Expressiveness Themodal-calculussubsumesmanyothertemporallogics,suchas PropositionalDynamicLogic(PDL)[FR79],PDL-[Str82],ComputationTreeLogic(CTL)[CE81],itsextendedversionsCTL*[EH86], However,translationsfromtheselogics(apartfromHennessy-Milner andectl*[vw83],hennessy-milnerlogic[hm85],andlineartime exponential,forectl*thetranslationissingle-exponential[dam92], logic)intomodal-calculusarenon-trivial,e.g.forctl*isitdouble- asitisalsoforlineartime-calculus. lowc2denotesaformulathatisclosedandgeneratedbythegrammar. wasshowntobeexactlyasexpressiveasectl*.inthedenitionbe- L2includesL1andallowsconjunctionsand[a]-operatorsinarestricted eralcase,constants,variablesandthexpointoperators.thefragment form:theymaybeappliedonlytoclosedsubformulae.in[ejs93]l2 ThefragmentL1ofthemodal-calculusconsistsofformulaewhich containonlydisjunctions,diaanextstepoperators,and,asinthegen-

52 Foralongtimeitwasnotknown,whetheralternationdepthofmore than3increasestheexpressivenessofthemodal-calculus.bradeld ThesetofformulaeofL2isdenedas: [Bra96]showedthestrictnessofthealternationhierarchybytransformingittothemu-arithmetichierarchy.Independently,Lenzi[Len96] relations:inmodallogicwithoutxpointsrstorderpropertiescanbe 522::=QjZj2_2j2^c2jhai2j[a]c2jZ:2jZ:2 Chapter4.Themodal-calculus. provedthesameresult. Comparingmodallogicswithpropositionallogicgivesthefollowing ittobeequi-expressivetosns. monadicsecondordertheoryofnsuccessors.in[hut90]huttelshowed rstandsecondorderlogic. KozenandParikh[KP83]reducedthemodal-calculustoSnS,the expressivepowerbeyondrstorder:themodal-calculusliesbetween expressed,butmodallogicliesstrictlybetweenpropositionallogicand Axiomatization rstorderlogic.addingxpointoperatorstomodallogicshiftsthe pendentlyalsohartonas[har95],bymeansofmodaldualitytheory. andbonsangue([akm95],[bk95])provedthesameresult,andindezationforthefullmodal-calculus.ambler,kwiatkowska,measor Walukiewicz[Wal95b]showedthecompletenessofKozen'saxiomatizationforthefullmodal-calculuswasanopenquestion. -calculus(theaconjunctivefragment).foralongtimetheaxiomati- Kozen[Koz83]gaveanaxiomatizationforafragmentofthemodal doesthereexistamodelforit? Fromthereductionofthemodal-calculustoSnS[KP83]thedecidabilityfollowsgivinganon-elementarydecisionprocedure. Thequestionofdecidabilityis:givenaformulaofthemodal-calculus, Decidability model.healsogivesanonelementarydecisionprocedure. calculus,sayingthateveryformulahavingamodelhasalsoanite In[Koz88]Kozenprovedanitemodeltheoremforthemodal-

53 In[EJ88]EmersonandJutlashowedthatdecidabilityofthemodalcalculushasdeterministicexponentialtimecomplexity.Byareduction fromalternatingpolynomialspaceturingautomataitfollowsthatthe 53 problemisexptimecomplete[eme96]. ModelChecking Themodelcheckingproblemis:Givenamodelandaformulaofthe 4.3.Propertiesofthemodal-calculus. case. ThesizeofthemodelcheckingproblemisdenedasjjjTj,where dealwithnitestatespacemodelchecking,chapter9withtheinnite modelswithbothniteandinnitestatespaces.chapters5to8will modal-calculusdoesinitialstateofthetransitionsystemsatisfythe isaformulaandtatransitionsystem. formula? Zhang,SokolskyandSmolka[ZSS94]showedthatnitestatespace Manyauthorsrestrictthemodelstoniteones.Wewanttoconsider triviallybeexpressedasasetofbooleanequations(withanyxpoint Kalorkoti[Kal96]pointedoutthatamonotoneBooleancircuitcan operators),andp-hardnessfollowsfromtheequivalenceofthemodel checkingisp-complete. modelcheckingisp-hard,evenforthealternationfreefragment.it followsfromemersonandlei's[el86]polynomialalgorithmforfragmentswithrestrictedalternationdepththatforthesefragmentsmodel provedinchapter5. checkingproblemandsolvingbooleanequationsystems,whichwillbe ThebestknownupperboundformodelcheckingintheunrestrictedcalculusisNP\co-NP,provedbyEmerson,JutlaandSistla[EJS93]. Thesetof-calculusformulaeLfactorizedbytheequivalencerelation,formsalattice,whereformulaeareorderedbyimplication, Ingure4.1below,weillustratethemodelcheckingproblem. Section6.5containsaproofofthisresultinourframework. formula.thepowersetp(s)isacompletelattice. monotoneandmapseachformulatothesetofstatesthatsatisfythe [[]]:L!P(S) knownasthelindenbaumalgebraofl.thesemanticfunction

54 54 SSSSSSSS (0/,,)) true S Chapter4.Themodal-calculus. SSSSSSSS false kktv (P(S),) S oneexamplefornon-continuityis[a],wherejj[a]jjtv=[[a]]tjjjjtvand wouldalsobeacompletelattice.however,thisisnotthecase,and IfjjjjTVwerecontinuous,wecouldimmediatelyderivethat(L=,) Figure4.1.Latticesofthemodal-calculusanditssemantics ; whethertheinitialstateisanelementofthisset.thisapproachis calledglobalmodelchecking.thestrategyoflocalmodelchecking setofstatesforwhichtheformulagivenholds,andthentocheck degree(see[sti93]p.499). Onestrategytosolvethemodelcheckingproblemistodeterminethe [[a]]tisonlycontinuousfortransitionsystemswithnitebranching triestoanswerthequestiondirectlyfortheinitialstate.

55 Chapter5 checking. systemsformodel Booleanequation equationsystemsforthecaseofsimplexpoints.onereasonis,that Themaininterestofthischapteristoshowtheequivalenceofthe andlevi[vl94]andothers.however,theymainlyderiveboolean theapproximationschemeusingbacktracking,themostwellknown ofsolvingbooleanequationsystems.severalauthorshavereduced modelcheckingproblemforthemodal-calculusandtheproblem algorithmgivingasolutionto(nested)xpointexpressions,requires andcrubille[ac88],andersen[and92],larsen[lar92],vergauwen subsequentlysolvingsimplexpointexpressions.therefore,thereis themodelcheckingproblemintobooleanequationsystems:arnold noneedfordeningxpoint-equationsystemswithnestedandalternatingxpointoperators.incontrasttothiswewanttoinvestigatethrithm.existingmodelcheckingalgorithmscannowbeinterpretedas generalcaseofbooleanequationsystemsindependentlyfromanyalgo- algorithmsforsolvingbooleanequationsystemsandviceversa.furthermore,wehaveanumberofusefulpropertiesofxpoint-equation

56 problemwillbeshown,astheycanbefoundinautomatatheoryand gametheory(chapter8). Section5containsthereductionofthemodelcheckingproblem.Itconsistsofasyntacticalmappingfroma-calculusformulaandamodeover,theequivalencetootherframeworkssolvingthemodelchecking andhelptogiveaclearerunderstandingofthebasicproblem.more- systemscollectedinchapter3.theyallowustoderivenewalgorithms 56 Chapter5.Booleanequationsystemsformodelchecking. inthesizeoftheformulaaswellasinthesizeofthetransitionsystem.apolynomialreductionfrombooleanequationsystemstomodel systemderivedhasthesolutiontrueforacorrespondingvariable.in section5.2itwillbeshownthatthereexistsareductionwhichislinear attheinitialstateofthetransitionsystem,ithebooleanequation toabooleanequationsystem,andtheproofthattheformulaholds 5.1Reductionofthemodelchecking checkingproblemsispresentedinsection5.2. modal-calculusformulaandamodelmtoabooleanequation ThetransformationfunctionEmapsapair(;M)consistingofa system. EreferstoasetoffunctionsfE1;:::Eng,whereeachEi,for1in, RoughlythefunctionEisresponsibleforthelinearizationofanested isrelatedtostatesiofthetransitionsystem. problem. xpointformula,whereasthefunctioneimapsamodal-calculus argumentmofewhenitisclearfromthecontext.note,thatthe formulatoabooleanexpressionatstatesi.wewillomitthesecond equivalentformulax:byadditionofaneectlessxpointoperator, transformationisdenedforformulaehavingaxpointasoutermost operator.aformulanotinthisformcaneasilytransformedtoan wherexisnotfreein(seeproposition2.17(5)).

57 5.1.Reductionofthemodelcheckingproblem. E(1^2)=E(1)E(2) E(X)= E(Q)= 57 E(1_2)=E(1)E(2) E(X:)=(X1=E1()):::(Xn=En())E() E(hai)=E() E([a])=E() Ei(1_2)=Ei(1)_Ei(2) Ei(1^2)=Ei(1)^Ei(2) andfor1in Ei(X)=Xi Ei(Q)=(trueifsi2V(Q) Ei(hai)=_ Ei([a])=^ falseotherwise ForavaluationVtheenvironmentVisdenedas:V(Xi)=truei Thefollowingreductiontheoremshowsthatthetransformationpreservesthesemantics,i.e.apropertysatisesastateinamodelithe Ei(X:)=Xi sia!sjej() si2v(x). correspondingvariableinthebooleanequationsystemderivedhasthe solutiontrue. ThenforallenvironmentsVitisthecasethat sij=mx:i([[e((x=);m)]]v)(xi)=true. M=(T;V)amodelandsiastateofT. Theorem5.1LetX:beaformulaofthemodal-calculus,

58 proveis\onsomeinnitea-pathqholdsin- Aproofcanbefoundintheappendix.Amotivationforitwillbeafter 58 thefollowingexample. Example:Considerthetransitionsystemdepicted,andletQholdfors2,butnotfors1, i.e.v(q)=fs2g.thepropositionwewantto Chapter5.Booleanequationsystemsformodelchecking. E(X:Y:hai((Q^X)_Y)) nitelyoften",x:y:hai((q^x)_y).the reductiontoabooleanequationsystemis: =(X1=E1(Y))(X2=E2(Y))E(Y:hai((Q^X)_Y) =(X1=Y1)(X2=Y2)(Y1=E1(hai((Q^X)_Y))) s1as2 =::: (Y2=E2(hai((Q^X)_Y)))E(hai((Q^X)_Y)) (Y1=E2((Q^X)_Y)))(Y2=E1((Q^X)_Y))) =(X1=Y1)(X2=Y2)(Y1=X2_Y2)(Y2=Y1) (Y1=(true^X2)_Y2)))(Y2=(false^X1)_Y1))) E((Q^X)_Y) Theproofoftheorem5.1willtakeseveralintermediatesteps.Roughly a-calculusformulahastobemappedtoa-calculusequationsystem. Thenthelatterismappedtoaequationsystemonthepowersetof thestatespace,wheremodaloperatorsaremappedtosetoperators etc.thelaststepreectstheisomorphismbetweensetsandboolean vectors.forthebasecaseofexpressionsthesituationcanbeillustrated C orderingformalattice(0=,;)),thelindenbaumalgebraof0. themodal-calculus,i.e.,theexpressionsofthepropositionalmodal logic.theequivalenceclassesof0togetherwiththeimplication asfollows:recallthat0isthesetofxpoint-freeexpressionsof

59 5.2.Representationandcomplexity. SSSSSS (M/,,)) true S kktv! SSSSSS (P(S),) I= SSSSSS (true,:::,true) 59 Figure5.1.Latticesformodal-calculus,statespaceandBooleanvectorspace false ; (false,:::,false) (IBjSj,) ThepowersetofthestatespaceS=fs1;:::;sngwiththeinclusion orderformsacompletelattice(p(s);).theevaluationfunction isomorphicto(p(s);).thelaststepleadsfromavectorexpression falsetruethebooleanlattice(ibjsj;jsj)withpointwiseorderingis theevaluationfunctionfrom0toexpressionsover0mapsmodal wegetanexpressionoverthepowersetofthestatespace.dening variablesandthelogicaloperators^;_tothesetoperators\;[.thus kktv:0!p(s)ismonotone(andcontinuous).theextensionof inibntoabooleanequationsystem;avectorexpressionissplitinto nexpressionsandtheoperators[[a]]t;hhaiitareevaluated. operators[a];haitosetoperators[[a]]t;hhaiit,modalvariablestoset 5.2Representationandcomplexity. forsomeindexsetsi1;:::;il.obviouslythesizeofthisexpressionis modaloperators.theproblemisdiscussedine.g.[and92]:anequationinl1oftheformixi=hai[a]:::hai[a]xjwithlmodaloperators Booleanequationsystemofexponentialsizeinthenestingdepthof istransformedtojsjequationsoftheformwi1vi2:::wil 1VIlXk AstraightforwardapplicationofthetransformationEmayleadtoa boundedbyj-rjl,wherej-rjisthebranchingdegreeoftheunderlyingtransitionsystem.theupperboundforthebranchingdegreeis

60 tionisdonebyintroductionofadditionalvariables.forthegeneral handsideconsistsofadisjunctxi_xjoraconjunctxi^xjorone modaloperatorinfrontofavariable[a]xorhaix.thetransforma- thesizeofthestatespacejsj. 60 InordertoavoidsuchblowupArnoldandCrubille[AC88]suggested totransform-calculusequationsintosimpleform,i.e.eachright Chapter5.Booleanequationsystemsformodelchecking. caseofnestedxpointoperatorsinproposition3.25thecorrectness ofintroducingnewvariablesandequationsisprovedfordisjunctions andconjunctions.thecorrectnessofintroducingnewvariablesand fromthetransformationefromamodal-calculusformulaanda lemma3.25. UsingthistechniquethesizeofaBooleanequationsystemresulting equationsformodaloperatorscanbeshownsimilarlytotheproofof stateexistsana-transitiontoeachotherstate(nottoitself).the assumptionsforthisresultcanbefoundinandersen[and92].the thenalsoinsimpleformasdenedinsection3.2. Example:Consideratransitionsystemwithkstatesandfromeach -calculusformulaisx:[a]haix. Booleanequationsystemderivedfromamodelcheckingproblemis model(t;v)isboundbyo(jjjtj).adiscussionoftherepresentation kaaaaaa!!! aaaaaaaaa ::: 1 2 HHH Figure5.2.Transitionsystem

61 anuntransformedequation X=[a]haiX TheBooleanequationsystemderivedfrom hassizeofo(k2): 5.2.Representationandcomplexity. X1=k^j=2k_ i=1;i6=jxi simpleformequations (X=[a]X0)(X0=haiX) 61 Xk=k 1 ::: hassizeofo(k): ^j=1k_ i=1;i6=jxi X01=k_j=2Xj X1=k^j=2X0j CItisobviousthatnestingdepthandalternationdepthofaBoolean X0k=k 1 Xk=k 1 :::_j=1x0j ^j=1x0j depthoftheunderlying-calculusformula.independencyofthe modelthesenumberscandecreaseasthefollowingexamplewillshow: equationsystemarenotgreaterthannestingdepthandalternation X:haiY:[b]X^[a]Y Egives: (X1=Y2)(X2=Y1)(Y1=Y2)(Y2=Y1) Example:Considerthe-calculusformula andthetransitionsystemdepicted. TransformationtoaBooleanequationsystem hasnestingdepthandalternationdepth2. Ehasnestingdepth2andalternationdepth1.s1as2

62 Inordertoshowthatthemodelcheckingproblemandtheproblemof 5.3ReductionofBooleanequation solvingabooleanequationsystemareequivalentwealsohavetogivea 62systems. Chapter5.Booleanequationsystemsformodelchecking. ofetheyhavethesamesolution.roughly,aftersomereorderingof transformationintheotherdirection.foranyclosedbooleanequation dividedintoblocks.wedeneatransitionsystemthatconsistsofas manystatesasthelargestblockcontainsequations.transitionsare equationsandintroductionofnewequationsanequationsystemis systemewewillconstructaformulaofthemodal-calculusanda modelm,suchthateande(;m)areequivalent,i.e.forallvariables denedstraightforwardlyinsuchaway,thatthetransformatione producestherequiredexpressions. allx2lhs(e)andenvironments suchthatforavariablerenamingfunctiononthevariablesofe, apropositionofthemodal-calculusandamodelm=(t;v), Theorem5.2ForaclosedBooleanequationsystemEthereexists standardform. Proof:Theconstructionofandatransitionsystemisperformed insevensteps.weassumethatthebooleanequationsystemeisin Itisad(E)ad(),TisofsizeO(jEj2)andisofsizeO(jEj2). ([[E]])(X)=([[E(;M)]])((X)): (2)Withineachblockmovealldisjunctionstothetopandtheconjunctionstothebottomaccordingtotheorem3.21.Nowdivide eachblockintotwonewblocks,suchthatonecontainsnodis- (1)DivideEintoblocks,suchthatconsecutiveblockshavedierent noconjunctions(calleddisjunctiveblock). operator. junctions(calledconjunctiveblock)andtheotheronecontains xpointoperatorsandwithinoneblockthereisauniquexpoint

63 (4)TransformtheBooleanequationsystemintoanequivalentone,E0 5.3.ReductionofBooleanequationsystems. (3)IntroduceanewvariableforeachblockandifXisthevariable functionwhichmapsan\old"variabletoa\new"one. ofablockrenamealltheleft-handsidevariablesofthisblock tox1;:::;xjforsomej2in.letbetheinjectiverenaming 63 sequentblock.thenintroduceanewvariablex0,transformthe isnotavariableofthesameblockasyandnotofthedirectlysubatorofthisblock.continuewithintroductionofnewvariables ontherighthandsideofanequationy=f,whereyexandx equationabovetoy=f[x=x0]andaddtheequation0x0=x tothedirectlysubsequentblock,where0isthexpointoper- inthefollowingway.assumethereisoccurrenceofavariablex sequent,butnotdirectlysubsequentblock.choosenamesofnew variables,suchthatwithinoneblockthereisstillauniquevariablenameandconsequentvariablesarenumberedbyconsequent indices.thetransformationiscorrectaccordingtolemmata3.25 and3.22.theadditionalblow-upofthebooleanequationsystem isnotmorethano(n2)forndef untilthereisnooccurrenceofavariablewhichbelongstoasub- (5)Ifnisthehighestindexappearinginoneoftheblocksthencreate (block)variables(x;y)thereexistsauniquelabelxy.transform cannotbeaddedmoreequationsthanthenumberofright-hand sidevariablesintheprecedingblocksofe. Deneasetofactionlabels,suchthatforeachorderedpairof atransitionsystemtconsistingofnstatesnumbered1ton. =jej,becauseineachblockofe0 forequationsofaconjunctiveblock, theequationsandaddlabelledtransitionstothetransitionsystem asfollows.let1i;j;kn. forequationsofadisjunctiveblock, ixi=yj_zk ixi=yj^zk ixi=hxyiy_hxzizixy ixi=[xy]y^[xz]zixy!j;ixz addtottransition(s) ixy ixy!j!k!k

64 (6)Createasequenceofexpressions,oneforeachblock.Foreach 64disjunctiveblockwithvariablesX1;:::;Xkdene Thetransformationdoesnotincreasethesizeoftheequationsystem(apartfromadditionofmodalities). Xdef Chapter5.Booleanequationsystemsformodelchecking. Dually,foreachconjunctiveblockwithvariablesX1;:::;Xkdene reducedtohxyiy).createtheexpressionx:x. appearsatmostonceinx(assumingthathxyiy_hxyiyis Notethataccordingtothechoiceofactionlabelseachvariable =k_i=1fijxi=iisanequationg: (7)Byconstructionthesequenceofexpressionshastheproperty:in ThesizeofX:XislinearinthenumberofblocksofE0. pearsatmostonceinx.createtheexpressionx:x. X:Xoccuronlyleft-handsidevariablesfromprecedingexpressionsorfromthedirectlysubsequentone.Generateanexpression Againaccordingtothechoiceofactionlabelseachvariableap- Xdef =k^i=1fijxi=iisanequationg: constructeddonotcontainatomicpropositions). temtandanarbitraryvaluation(thisis,becausetheformulae subsystemofe(;m),wheremconsistsofthetransitionsys- startingwiththerstexpressionofthesequenceandtheiterativelysubstitutingthevariablewhichisleft-handsidevariable ofthenextexpressionbythenextexpression.showthate0isa ThesizeofislinearinthesizeofallX,andhencequadratic laeconstructeddonotcontainconstants. (T;V).ThevaluationVcanbechosenarbitrarily,becausetheformu- ItiseasytoshowthatE0isasubsystemofE(;MT),whereMT= O(b2),wherebisthenumberofblocksinE,andthetransition systemthasatmostnstatesand2ntransitions,wherenisthe inthenumberofblocksofe0.then,altogether,thesizeofis numberofequationsine.

65 5.3.ReductionofBooleanequationsystems. consideringinnitebooleanequationsystemsweassumethatthe innitenumberofequations.thetransformationfortheinnite casethenworksastheoneforthenitecase,onlythetransition Remark5.3ThenumberofactionlabelsisquadraticinthenumberofblocksofE,butdoesnotdependonthesizeofblocks.When numberofblocksisnite,butwithineachblocktheremaybean 65 Example: Booleanequationsystem Z1=Z3_Z5 Z2=Z4^Z6 sizequadraticinthenumberofblocks. systemwillhaveaninnitenumberofstates.theformulahas Z4=Z2_Z5 Z3=Z1_Z6 step1: Z5=Z3^Z2 step2:blockstructure step3:renaming Z6=Z4_Z3 Z1=Z3_Z5 Z2=Z4^Z6 W1=U1_X2 X1=V1_Y1 X2=X1_W1 U1=W1_Y1 V1=X1^X2 additionalvariables step4:introductionof Z4=Z2_Z5 Z6=Z4_Z3 Z5=Z3^Z2 Z3=Z1_Z6 Y1=W1^V1 W1=U1_X2 W2=X1 U1=V2_V3 W3=X2 V1=W2^W3 W4=X3 V2=W1 X1=V1_Y1 V3=W4 X2=X1_W1 X3=Y1 Y1=W1^V1

66 step5:creatingequationsandatransitionsystem 66U1=huviV_huviV V1=[vw]W^[vw]W V2=[vw]WChapter5.Booleanequationsystemsformodelchecking. W1=hwuiU_hwxiX W2=hwxiX W3=hwxiX W4=hwxiX X1=hxviV_hxyiY V3=[vw]W w11x1x2 y1;y2; X2=hxxiX_hxwiW X3=hxyiY Y1=[yw]W^[yv]V 4 1 x21;x22;v;w u;v;w wv 2 3w step6:createoneexpressionforeachblock U:huviV step7:generateoneexpression V:[vw]W W:hwuiU_hwxiX U:huvi( X:hxviV_hxxiX_hxwiW_hxyiY Y:[yw]W^[yv]V V:[vw]( W:hwuiU_hwxi( X:hxviV_hxxiX_hxwiW_hxyi( Y:[yw]W^[yv]V ))))

67 5.3.ReductionofBooleanequationsystems. translateformulaandtransition systemcreatedbacktoa U1=V2_V3 U2=false 67 W1=U1_X2 U3=false W2=X1 U4=false W3=X2 V1=W2^W3 W4=X3 V2=W1 X1=V1_Y1 V3=W4 X2=X1_W1 V4=true X3=Y1 X4=false Y1=W1^V1 Y2=false Y3=false Y4=false C

68 68 Chapter5.Booleanequationsystemsformodelchecking.

69 Chapter6 SolvingBoolean InthischapterwewillilluminatevariousmethodsforsolvingBoolean equationsystems.allofthemareinfactmodelcheckingalgorithms. Usuallytheyarepresentedwithindierentsettings.Heretheyareall discussedwithinoneframework.thisallowsaclearerunderstanding ofconcepts. Wedistinguishtwobasicclassesofmethods,theglobalonesandthe casecomplexityoflocalalgorithmscanneverbebetterthantheone interest.(usuallyitisthevariablewhichcorrespondstotheinitial stateofthetransitionsystemandthepropertytoprove.)theworst formationtocalculatethesolutionforthesinglevariablewhichisof onestrytodetermineasubsetofequationswhichgivessucientin- andtheirresultisacompletesolutionforallvariables.thelocal localones.theglobalonesrequirethefullbooleanequationsystem ofglobalalgorithms:intheworstcasethewholeequationsystemis informationandthereforelocalmethodsmighthavebetteraverage involvedinthesolutionfortherstvariable.however,insomeaverage casecomplexity.traditionally,approximationtechniques(seesection caseitislikelythatjustasubsetoftheequationscontainssucient

70 70 6.2)belongtotheglobalalgorithms,tableaumethods(seesection6.3) tothelocalones.however,bordersbetweentheapproachesarenot strict.thereexistsanapproximationbasedalgorithmwhichworks locally;thegaueliminationalgorithm(seesection6.4)existsinboth versions. Inchapter8wewillconsiderotherframeworks,inwhichthereexist Chapter6.SolvingBooleanequationsystems. 6.1PlainBooleanequationsystems. ForthemomentweconsiderclosedBooleanequationsystemsinsimple algorithmssolvinganequivalentproblemalsosolvebooleanequation problemsequivalenttosolvingbooleanequationsystems.ofcourse, formwithoutanyminimalityandmaximalityconditions,i.e.wejust forgetaboutthes.theremainingsystemepisnotanorderedset ofbooleanequationsoftheformxi=fiforsome1in.a solutionsofthebooleanfunctionformacompletelattice.thenumber systemepcaneasilybetransformedintoabooleanfunctionofthe thatforeachequationxi=fiitisfi()=(xi).anequation formw1in(fi^x0i)_(f0i^xi)=0.itisawellstudiedareawhat Theconditionthatallfisaremonotoneensuresthatthesetofall thesolutionsofsuchafunctionare(seeforexample[rud74]). solution(orxpoint)ofepisanenvironment:lhs(ep)!ib,such FromaplainBooleanequationsystemEpwecanderivetwosortsof graphs:theordergraphtellingorderconditionsforthevariablesineverysolutionandthedependencygraphshowingtheinterdependency ofthevariablesinthesystem. Theordergraphisarepresentationoforderconditionsderivedfrom theequations.itconsistsofasetofverticesf1;:::;n;true;falseg,one ofsolutionsisingeneralexponentialinthenumberofequations. vertexforeachequationofthesystemepandtwofortheboolean constants.ifthereisanequationxi=xj^xkinepthenforevery solutionofepitisthecasethatxixjandxixk.hence therewillbetheedgesj!iandk!iintheordergraph.dually,if

71 (Xj)=trueand(Xk)=truefulllstheorderconditionsderived allvariablesinthecyclehavetobeequalineverysolution.however, 6.1.PlainBooleanequationsystems. theedgesi!jandi!k.cyclesintheordergraphindicatethat Xi=Xj_XkthenXiXjandXiXkandtheordergraphcontains butnotbeingsolutionsofthesystem.forexample(xi)=false, thereexistenvironmentsfulllingallconditionsoftheordergraph, 71 ThedependencygraphofaplainBooleanequationsystemEpalso fromxi=xj^xk,butisnotasolutionoftheequation. hastheverticesf1;:::;n;true;falseg.itisarepresentationofthe Xi=Xj^XkorXi=Xj_Xkthedependencygraphcontainsthe edgesj!iandk!i.theinformationwecangetfromthedepen- dependencyrelationsderivedformtheequations.foranequation tions.partsofthegraphwhicharenotstronglyconnectedindicate dencygraphisforexampleaboutthenestingstructureoftheequa- weaddtoourequationsystemminimalityandmaximalityconditions thattheunderlyingsystemcanbedecomposedinpartswhichcanbe (booleangraphsinhisterminology)andderivedecientalgorithms solvedoneaftertheother. Ourquestionnowiswhatisthesolutionweareinterestedin,when andorder. ForBooleanequationsystemswithonlymaximalxpointsoronly minimalxpointsandersen[and94a]investigateddependencygraphs lutionsoftheplainbooleanequationsystemistheonewewant?a fordeterminingthemaximal,orminimalresp.xpoint. rstideaisthatitisthelexicographicallyleastsolutionoftheplain system.thelexicographicorderisderivedfromthexpointoperators Forthecaseofnestedandalternatingmaximalandminimalxpoints asindenition3.4andthecharacterizationofthesolutionfromproposition3.5suggestssuchanidea.therstexamplebelowwillshow, thatthisisnotthecase.thesecondexamplewillshowthatitiseven xpointoperatorsisoneofthesolutionsoftherelatedplainboolean equationsystem.nowaninterestingquestionis,whichoneoftheso- thingsgetmorecomplicated.clearly,thesolutionofthesystemwith worse.therewepresenttwobooleanequationsystems,bothhaving

72 xpointoperatorsdonotprovideenoughinformationtoselectthesolution.allalgorithmswewilldiscussinthischapterhavetodetermine thesolutionsofthesubsystemsrst(insomeabstractview).thisis thesamexpointoperatorsinthesameorder,andbothhavingthe setofsolutionsfortheirplainversion.however,theirsolutionsdier. Chapter6.SolvingBooleanequationsystems. 72 Thisindicates,thatthesetofxpointsoftheplainsystemandthe However,thesolutionof[[X2:X2]][X1=i(X1)]isX2=trueforboth anargumentforthatthetraditionalmethodsforsolvingplainboolean environments,i=1,2.hencethesolutionofthewholesystemis1, Thereexisttwoenvironmentsfulllingthebothconditionsabove: equationsystemsdonothelpinthecasehere. i.e.x1=true;x2=true,whereasthelexicographicleastxpointis Example:Let(X1=X2)(X2=X2)beaBooleanequationsystem. 1=[X1=true][X2=true]and2=[X1=false][X2=false].Forboth, i=1,2,itis(x1)(i)=i(x1)and(x2)(i)=i(x2). thebooleanequationsystem,([[(x1=x2)(x2=x1)]])(xi)=true X1=false;X2=false. tionsystemis([[(x1=x2)(x2=x2)]])(xi)=falsefori=1;2. lutions(true;true)and(false;false).thesolutionforthebooleanequa- Example:TheplainequationsystemX1=X2,X2=X2,hastheso- TheplainequationsystemX1=X2,X2=X1alsohasthesolutions (true;true)and(false;false).however,herewehaveanothersolutionfor CalculatingtheleastxpointX:f(X)ofamonotone(andcontinuous)functionf(X)worksinthewellknownmanner:thefunctionticesisbasedontheapproximationtechniquefromproposition Approximation. Themostwellknownmethodforsolvingxpointequationsoverlat- fori=1;2. C thelatticeisnite. plicationsoffwillreachthexpointafteranitenumberofsteps,if ofthepreviousapplicationetc.,andtheincreasingchainoftheseap- isappliedrsttothebottomelementofthelattice,thentotheresult

73 6.2.Approximation. Dually,whenstartingfromthetopelement>,thegreatestxpoint?f(?)f(f(?)):::fi(?)=X:f(X)forsomei2IN beapproximatedsimultaneouslyinordertoreachtheleastxpoint. canbedetermined. Themethodeasilyextendstonestedxpoints.Fornestedxpointsof thesamekindsuchasx1:f1(x1;x2:f2(x1;x2))bothfunctionscan 73 taneouscalculationisnotpossible.whenapproximatingx1:f1each evaluationoff1requiresafullapproximationofx2:f2:?f1(?)f21(?):::fi1(?)=x1:f1(x1;x2:f2(x1;x2)) forsomei2in. ForalternatingxpointssuchasX1:f1(X1;X2:f2(X1;X2))asimul- wegetbymonotonicityargumentstheincreasingchain Forfi+1 1(?)def =f1(fi1(?);fi+1 2(?))andfi+1 2(?)def =f2(fi1(?);fi2(?)) systemsisstraightforward.fromtheexplanationsabovefollowsthat fi+1 Hencethealgorithmsbasedonthistechniqueareexponentialinthe forethealgorithmismostecientforabooleanequationsystemwhen allvariablesofoneblockcanbeapproximatedsimultaneously.there- alternationdepth. TheapplicationoftheapproximationtechniquetoBooleanequation 1(>)=f1(fi1(>);X2:f2(fi1(>);X2)). tionsystem WeassumethatBooleanequationsystemsconsideredhereareinsuch aformwherethenumberofblocksisminimal.(seealsodenitions illustratetheapproximationschemeforanalternatingdepth3equa- 3.33and3.34fornotionsofnestingdepthandalternationdepth.)Beforediscussingthevariousapproximationbasedalgorithmswetryto itistransformedtoanequivalentonewithaminimalnumberofblocks. E3:(X1;X2)!X3:f3(X1;X2;X3) E2:(X1;X3)!X2:f2(X1;X2;X3) E1:(X2;X3)!X1:f1(X1;X2;X3) Eachxpointequationdeterminesoneoftheplanes: system(x1=f1)(x2=f2)(x3=f3).thepicturesimpliesthe Inpicture6.1weconsideranalternationdepth3xpointequation actualsituationintheway,thatwedrawlatticesaslines.

74 74 > X3 (((((((((((((((((((( Chapter6.SolvingBooleanequationsystems.!!! e 1? X2 > X1 equationsystem.oneofthemisthesolutionweareinterestedin.it TheplanesE1,E2andE3intersectinsomeofthexpointsofthe Figure6.1.Visualizinganalternationdepth3approximation2 willbecharacterizedbytheorderofequations.inthepicturethereis intersectionpointofplanese3ande2.thenextstartingpointis justoneintersectionpoint,forsimplicity. thelowervalueofx2,x1=?andx3=?.againthee3-planeis that,onestepisperformedinthedirectionofx2correspondingto oneevaluationoff2.theresultisalowervalueforx2,closertothe?,x2=>andx3=?representedbyadotinthepicture.from thispointitapproximatesinthedirectionofx3thee3-plane.after Theapproximationalgorithmworksasfollows:itstartsatpointX1= approximatedindirectionofx3,followedbyastepindirectionoff2, etc..theseiterativeapproximationsaredepictedeachbyadottedline withanarrowshowingthedirectionoftheapproximation.whenthe 3

75 valueforx1whichgivesanewstartingpointfortheapproximation, illustratedbyahexagondotinthepicture. AltogetherthealgorithmmovesalongtheintersectionlineofE3and 6.2.Approximation. E2untilitreachestherstintersectionwithE1,therstxpoint, intersectionlineofe3ande2isreached,onestepindirectionofx1is performed,correspondingtoanevaluationoff3.theresultisanew 75 xpointsisperformedbythestraightforwardapplicationofproposition2.20,theexplicitcalculationofanincreasingchain.thetime complexityofthealgorithmforbooleanequationsystemswithone whichisthesolutionofthesystem. InEmersonandLei'salgorithm[EL86]theapproximationforunnested [CS91],Andersen[And92,And93]andVergauwenandLewi[VL92]. thorsdevelopedfasteralgorithmsfortheapproximationofunnested tiontechniquetobooleanequationsystemswitharbitraryalternation depththealgorithmhastimecomplexityo(jejad(e)+1)).otherau- xpoints,e.g.arnoldandcrubille[ac88],cleavelandandsteen ArnoldandCrubille'sandVergauwenandLewi'salgorithmsarebased xpointoperatoristheno(jej2).byextensionoftheapproxima- therighthandsideofitsequationistheconstanttrueoradisjunctionwhereonevariablehasthesolutiontrueoraconjunctionwhere falseunlessitis\forced"tohavethesolutiontrue.itmustbetrueif onbooleanequationsystems,andersenarguesondependencygraphs, equationsystemwithonly-operatorseveryvariablehasthesolution However,thebasicideaofallthesealgorithmisthesame:inaBoolean bothvariablesmustbetrue.theextensionofthesealgorithmstothe CleavelandandSteenon-calculusequationsystemsinsimpleform. generalcaseaccordingtotheapproximationschemathenprovidesalgorithmswhichareexponentialinthealternationdepthofthesystem withatleastalternationdepth3.theircrucialideaisvisualizedin picture6.1:thestandardapproximationtechniquewouldcontinuethe approximationofplanee3fromthenewstartpoint,whichismarked AgreataccelerationwasgainedbyLong&al[LBC+94]forsystems byahexagoninthepicture.actually,fromthepreviousapproxima- [And92,And93],[CKS92].

76 rivedalocalalgorithmforalternationfreexpointexpressionsbased ofthealternationdepthofthesystem. Allalgorithmsmentionedaboveareglobalones.Andersen[And92]de- 76 tioninthelowerx1-levelandmonotonicityofthefunctionsweknow thatthee3planemustlieabovethesquarepoint,whichmaybeused asthenewstartingpointthen.theiralgorithmisexponentialinhalf Chapter6.SolvingBooleanequationsystems. sentedalocalalgorithmforbooleanequationsystemsofalternation depth2whichisalsoapproximationbased.theiralgorithmhasthe complexitythantheglobalones.in[vl94]vergauwenandlewipre- samecomplexityascomparableglobalalgorithms,buttheadvantage oflocalmethodsthatitpossiblyneedsjustasmallsubsetofequations todeterminethevariableofinterest.thissubsetofequationshasthe onapproximationtechniques,buthavingaslightlyhigherworstcase temandthecomplexitymeasuresareforanadaptedversion.when collected.manyofthemwerenotintendedforbooleanequationsys- equations(uptonondeterministicchoice). Inthetablebelowcomplexityresultsofthealgorithmsmentionedare otherlocalmethodsase.g.tableauxmakeuseofthesamesubsetsof uponsolutionsofvariablesoutside.itseemstobethecasethatthe propertythatthesolutionsofvariablesofthesubsetdonotdepend InthissectionwedeneatableaumethodforsolvingBooleanequation 6.3Tableaux. ad.forthelocalmodelcheckingalgorithmin[vl94]itise=e1e2. slightlybetterbounds.thealternationdepthad(e)isabbreviatedby applieddirectlytothemodelcheckingprobleminsomecasesthereare systemcompletely.atableaugivesasolutionjustforonevariable.for systems.incontrasttoglobalmethods,whichsolveabooleanequation thispurposenotallequationsarerequired.itisthereforecalledalocal method.thetableaumethodpresentedhereistheoneofstirlingand ConsideraBooleanequationsystemEbeinginstandardformandan Walker[SW89]appliedtoBooleanequationsystems. environment.assumethesolutionis0def =[[E]].Thegoalisto

77 6.3.Tableaux. algorithmfromfragmentcomplexity [EL86] [AC88] TimeComplexityofApproximationBasedAlgorithms full O(jEjad+1) O(jEjjlhs(E)j) 77 [CS91] [CKS92] [VL92] [LBC+94] ad1 O(jEj) [And92] ad1 O(jEjad) O(ad2jEjbad=2c+1) O(jEjlog(jEj)) global showthat([[e]])(xi)=true.thesolutionforxicanonlybetrue,if [VL94] [VLAP94] ad2 full O(jE1j+jlhs(E1)jjE2j)local O(jEjcad) i.e.fi(0)=true.asubgoalisthentryingtoshowthatfigetstrue forequationixi=fitheright-handsidefiistrueatthesolution, local forthesolution.atableauforvariablexiisaprooftreewithroot rulesforconstructingatableauarecollectedbelow.rulesareapplied Xi.ThesucessorsofXiarevariablesrepresentingthesubgoals.The containingxj,andbetweennandn0thereisnonodecontaininga aresuccessful. Terminationcondition1:ThenodencontainingXjisaleafofthe tableauifonthepathfromntotherootthereisanothernoden0 whetheritissuccessfulornot.atableauissuccessfulifallitsleaves isnoruleapplicabletoanodewehavereachedaleafandcandecide untilaterminationconditionholdsforanode.inthecasethatthere Thenoden0iscalledthecompanionofn. variablexisuchthatxiisavariableofalowerblockthanxjine.

78 Tableaurules: 78 Terminationcondition2:ThenodencontainingXjisaleafofthe tableau,ifonthepathfromntotherootthereisanothernoden0 containingxj.thenoden0iscalledthecompanionofn. [^1]Xi XjXk ixi=xj^xkisanequationofe Chapter6.SolvingBooleanequationsystems. Aleafcontainingtheconstanttrueissuccessful,aleafcontainingthe [^2]Xi constantfalseisunsuccessful.forleavescontainingavariablethe [_2]Xi [_1]Xi Xk ixi=xj_xkisanequationofe isanequationofe Successcriterion2:Aleafnissuccessful,iftheleast(w.r.t.E) successcriteriondiersfortheterminationconditions: Successcriterion1:Aleafcontaininga-variableissuccessful,aleaf anditscompanionisa-variable. nisunsuccessful,iftheleast(w.r.t.e)variableatanodebetweenn containinga-variableisunsuccessful. variableatanodebetweennanditscompanionisa-variable.aleaf transitionsystem: tableau(forbothterminationconditions)whentheunderlyingtransitionsystemjustgrowslinearly. Considerthe-calculusformulaX:[a]Y:hbi(Y_X)andthefollowing ExampleThisisademonstrationoftheexponentialgrowthofa tableauwithrootx1. Proposition6.1([[E]])(X1)=trueithereexistsasuccessful 1m HHHHHH a12 11 b2mhhh a21 22 mm b3... km HHH ak1 k2 mm b1

79 6.3.Tableaux. TheBooleanequationsystemderivedis X11=true Xk=Yk1^Yk2 X1=Y11^Y12 ::: 79 Xk1=true Thetableauforthecasek=3is: Yk2=Y1_X1 Y11=Y2_X2 Yk=false Y1=false ::: Y31X3 X1Y32 Y21X1Y22 Y11 X2Y31X3 X1Y32 X1Y31X3 X1Y32 Y21X1Y22 Y12 X2 following: plewherethesubtreesarenotexactlythesame,butsimilaristhe factthatitcontainsthesamesubtreesseveraltimes.anotherexam- Itisobviousthattheexponentialsizeofthetableauisduetothe Y31X3 X1Y32 X:h iy:h ih ix^h ih iy andthetransitionsystem Example: Giventhe-calculusformula 2iii 4

80 80 TheBooleanequationsystemderivedis X1=Y2_Y3_Y4_Y5 X4=Y5 X3=Y5 X2=Y5 Chapter6.SolvingBooleanequationsystems. X5=Y1_Y2_Y3_Y4 Y2=5_i=1Xi^5_i=1Yi Y3=5_i=1Xi^5_i=1Yi Y1=X5^Y5 Y4=5_i=1Xi^5_i=1Yi maytryitbyhand. TheversionofthetableaumethodofCleavelandasimplementedin wasstoppedafterhavingcreated22millionnodes.thescepticalreader ThetableauforthisBooleanequationsystemhasanenormoussize. AnimplementationoftheoriginaltableaumethodofStirling&Walker Y5=5_i=1Xi^5_i=1Yi Theexamplespresentedherecanalsobesolvedwithoutproducing AtableaubasedmodelcheckingalgorithmwasintroducedbyLarsen theconcurrencyworkbenchcandealwithredundancyofthiskind. redundantinformationbythetechniqueof[mad92]. dierentsubtreesofthetableauthesame(orverysimilar)subgoals [Lar95]forunnestedxpointexpressions.StirlingandWalker[SW89] stratedbyexamplesinthissection.onereasonforthatisthatin andcleaveland[cle90]developedtableaumethodsforthefullmodal -calculus.winskel[win89]extractedtheprinciplesofthesetableau methodssuerfromahighworstcasecomplexity,whichwasdemon- methodsandpresentedthemasarewritesystem.unfortunatelythese

81 6.4.Gauelimination. maybecomputedrepeatedly.forunnestedxpointexpressionslarsen previouslydiscovered(failed)resultsareremembered.in[mad92]the [Lar92]presentedatableaumethodwithpolynomialworstcase.There tableaumethodsof[sw89]and[cle90]areextendedbyadditional structurewhichallowstomakemaximaluseofresultsgainedinone subtableauforlatersubtableauxduringconstruction.however,some 81 amountofredundancyisinherenttotop-downconstructions,andit sectionissimilartothegaueliminationalgorithmforlinearequationsystems.itistheonlymethodknownsofarwhichdoesnot tothegaueliminationmethodinsection Gauelimination. ThemethodforsolvingBooleanequationsystemspresentedinthis canonlybeavoidedbyabottom-upevaluation.thisapproachleads anexpressionisconstructedcontainingnooccurrenceofx.inasubsequentsubstitutionstepeachoccurrenceofxintherestofthducedbyonevariableandequationaftertheotheruntilthesolution isdetermined.thereductionconsistsoftwostepswhichareapplied iteratively.firstcomesaneliminationstep,whereforavariablex requirebacktrackingtechniques:anequationsystemisstepwisere- equations.thustheproblemofsolvingabooleanequationsystemis reducedtotheproblemofsolvingasmallerbooleanequationsystem. TheGaueliminationalgorithmisalsorelatedtothetableaumethods. Themainideahereisthattheconstructionofatableauinatop-down mannerleadstotreespossiblycontainingmanycopiesofidentical(or ingsystemcontainsnooccurrenceofxontheright-handsidesofits equationsystemissubstitutedbythex-freeexpression.theremain- involvingallequationsofthebooleanequationsystem.thecombinationofatableau-liketop-downselectionofequationsandbottom-up similar)subtrees.averynaturalwaytoovercomesuchanunnecessary blow-upistoconstructadirectedacyclicgraphinsteadofatree(i.e. atableau).thiscanbedoneinabottom-upmanner. Apurebottom-upmethodwouldagainleadtoaglobalalgorithm

82 examplewheretheexpressionscreatedhaveexponentialsize. havior,gaueliminationsolvestheprobleminlineartime.however, forthenaivealgorithmderivedfromgaueliminationthereexistsan 82 theapproximationmethodortableaumethodhaveanexponentialbe- evaluationgivesanalgorithmwhichmakesuseofthesameinformationasatableau,butavoidsredundancy.inmanyexamples,where Chapter6.SolvingBooleanequationsystems. InthecaseofGaueliminationforBooleanequationsystemsaneliminationstepinferedinlemma6.2isaconsequenceoflemma3.29.In anequationx=feachoccurrenceofxinfmaybesubstitutedby 6.4.1Globalandlocalalgorithm. dierentversionbykalorkoti[kal96]. Thealgorithmwasintroducedin[BM93,Mad95]andinaslightly Dierentproofscanbefoundin[BM93,Mad95]. Thesubstitutionstepderivedfromlemma6.3preservesthesolution justinthecasewhenwefollowtheorder:anoccurrenceofavariable maybesubstitutedbyaright-handsideexpressiononlyinalllower false,orduallyforbytrue. Theeliminationstepisbasedonthefollowinglemma. TheproofspresentedherewerepartlysuggestedbyVergauwen[Ver95]. (w.r.t.e)equations.(seealsoproposition2.21.) Lemma6.2Let [[(X=f)E2]]=[[(X=f0)E2]]: Proof:Accordingtoproposition3.14itissucienttoshowthat E1;E2beBooleanequationsystems, X=f;X=f0Booleanequations, [[(X=f)E2]]=[[E2]][X=f([[E2]][X=b])] Then[[E1(X=f)E2]]=[[E1(X=f0)E2]]. wheref0=f[x=b]. =[[E2]][X=f0([[E2]][X=b])] =[[(X=f0)E2]]

83 6.4.Gauelimination. Thefollowinglemmaisthebasisforthesubstitutionstep: Lemma6.3Let E1;E2;E3beBooleanequationsystems, 1X1=f;1X1=f0;2X2=gBooleanequations, wheref0=f[x2=g] def 02def Proof:Againfollowingproposition3.14wejustneedtoshowthatfor [[E1(1X1=f)E2(2X2=g)E3]]def [[E1(1X1=f0)E2(2X2=g)E3]]def Then1=2 =[[(1X1=f)E2(2X2=g)E3]]and=1 itisthecasethat01=02. =[[(1X1=f0)E2(2X2=g)E3]]=2. solutionof(1x1=f0)e2(2x2=g)e3.hence02islexicographically smallerthan01,because02isthesolution. Wewillshowthat01fulllsbothconditionsofproposition3.5forthe Showf0(01)=01(X1)(condition(1)ofproposition3.5) 01(X1)=f(01) g(01)=01(x2) =f(01[x2=01(x2)]) =f(01[x2=g(01)]) lexicographicallysmallerthan02. Show[[E2(2X2=g)E3]]01=01(condition(2)ofproposition3.5): 3.5forthesolutionof(1X1=f)E2(2X2=g)E3,andhence01is followsfromproposition3.7 Analogously,thedualholds:02fulllsbothconditionsofproposition f(02)=02(x1)(condition(1)ofproposition3.5): =f0(01) analogously [[E2(2X2=g)E3]]02=02(condition(2)ofproposition3.5) Altogetherwecanconcludethat01=02.

84 84 Basedonthesebothlemmataisthefollowingalgorithminpseudo code. i:=n; Inputare(1X1=f1):::(nXn=fn)and Chapter6.SolvingBooleanequationsystems. whilenot(f1trueorf1false) doinstantiatexiinfitobi; Figure6.2.GlobalVersionoftheGauEliminationAlgorithm odi:=i-1; f1:=eval(f1);:::;fi 1:=Eval(fi 1);(evaluationstep) SubstitutefiforXiinf1;:::;fi 1;(substitutionstep) (eliminationstep) expressionsappliedinthefunctionevalofthealgorithmingure datastructureforbooleanexpressions.theretheevaluationrulesare Inanimplementationbinarydecisiondiagramswerechosenas performedimplicitlywitheverysubstitutionandeliminationstep.in theexamplesdonebyhandthefollowingsetofbooleanlawswasused AcrucialpointinthealgorithmaretheevaluationrulesforBoolean forevaluationẋ^true=x (X^Y)_(X^Z)=X^(Y_Z) X_(X^Y)=X X^(X_Y)=X X^false=false X_false=X X_true=true Inmostcontextsweareonlyinterestedintherstcomponentofthe (X_Y)^(X_Z)=X_(Y^Z)

85 everyxiwherethevariablesxi;:::;xndonotoccur.astraight backwardsubstitutionleadstothewholesolution. substitutionstephavetobeappliedntimesgivinganexpressionfor areinterestedinthewholesolutionthegaueliminationstepand ingure6.4.1stops,ifthesolutionofx1(f1)isdetermined.ifwe 6.4.Gauelimination. solution,i.e.whetherx1istrueorfalse.thereforethealgorithm 85 Example:StartingwiththeBooleanequationsystem: SubstitutionofX1^X2forX4andevaluation(Thesubstitutedexpressionsareunderlined): X1=X2_X3 X3=X4_X1 X1=X2_X3 X2=X3^X4 X4=X1^X2 SubstitutionofX1forX3andevaluation: X3=(X1^X2)_X1=X1 X1=X2_X1 X2=X3^(X1^X2) SubstitutionofX1forX2: Thecompletesystemconstructedbythealgorithmis: EliminationofX2inX2=X1^X2givesX2=X1^true=X1. X1=X1_X1=X1=false(byaneliminationstep) X2=X1^(X1^X2)=X1^X2 BackwardsubstitutiongivesX1=X2=X3=X4=false. subsetofequationswhichisnecessarytodeterminethesolutionfor Ifonlytherstvariableisofinterest,itsucestoconsideronlythe X1=false X2=X1 X3=X1 X4=X1^X2 (from4) (from3) (from2) (from1) C

86 E0consistingonlyoftheequation(1X1=f1).AslongasX1is notevaluatedtotrueorfalseweselectafreevariablefromf1,insert itsequationine0,applytheglobalversionofgauelimination,and 86 X1.Therelevantsubsetofequationsisselectedinatop-downmanner. ThisobservationleadstothelocalversionofGaueliminationgivenin gure6.3.theideaisasfollows.westartwiththeequationsystem Chapter6.SolvingBooleanequationsystems. continueinthesamewaywiththemodiedequationsysteme0. whilenot(f1=trueorf1=false) InstantiateX1inf1; f1:=eval(f1); E0:=(1X1=f1); doselectxjfromf1,wherexjisnotinlhs(e0); Createfj,insertjXj=fjinE0 (evaluationstep) (eliminationstep) Figure6.3.LocalVersionoftheGauEliminationAlgorithm Thereexistsanaccelerationofthealgorithmwhichworksasfollows: anoccurrenceofavariablexjmaybesubstitutedbytrueorfalseatan odapplytheglobalversionofgaueliminationtoe0 accordingtotheorderbythetransformationrules; possibilityappearsinthedenitionofthesemanticsforbooleanequationsystems(proposition3.30):anyoccurrenceoftherstvariable, earlierstagethanwhenoccurringontherighthandsideofitsdening equationjxj=fj.thisisthecase,whenitdoesnothappenthat(a inthesensethatitcanbedeterminedinadvance,whethersucha copyof)thisoccurrenceofxjissubstitutedintoanequationixi=fi wherexiexjduringthealgorithm.thispropertyisastaticone besubstitutedbytrueorfalserightinthebeginning.however,forthis X1,willneverbesubstitutedintoapriorequation,simplybecause theredoesnotexistapriorone.hence,everyoccurrenceofx1may substitutionintoapriorequationwillhappen.aspecialcaseofthis

87 itisonlyguaranteedthatthealgorithmproducesthecorrectsolution fortherstvariable Complexityforthegeneralcase. 6.4.Gauelimination. accelerationitisthecasethatbackwardsubstitutiondoesnotwork: 87 gentstorageofexpressions. andgiveanexampleforit.thesourceofcomplexityhereisthesize tially.however,itisnotknown,whetherthereexistsaversionofthe algorithm,wherethisexponentialblowupisavoidedbymoreintelli- ofright-handsideexpressions,whichinanexamplegrowthsexponen- eliminationisofcomplexityexponentialinthenumberofequations, InthissectionwearguethatthenaivealgorithmderivedfromGau Incomparisontotheapproximationalgorithmthebehaviourcwof acase,wheretheapproximationbasedalgorithmsneedsexponentially thealgorithmneedssametimeandspace.anexampledemonstrates Gaueliminationalgorithmsisverydierent.WeshowthatthecomplexityofGaueliminationisindependentfromthealternationdepth ofthebooleanequationsystem,i.e.givenanarbitrarybooleanequa- manysteps,butgaueliminationonlypolynomialtimeandspace. numberofequations,butalternationdepth1,andforbothsystems polynomialinthenumberofequations.especiallyforthefragment ForsomefragmentsweshowthatGaueliminationhascomplexity tionsystemthereexistsabooleanequationsystemwiththesame correspondingtol2gaueliminationprovidesano(n2)algorithm. ThenumberofsubstitutionstepsduringtheGaueliminationinthe globalalgorithmislessthan(n 1)+(n 2)+:::+1n2.Thelocal pressionsarisingfromiterativesubstitutions.ingeneralsubstitution versionincludesatmostnapplicationsoftheglobalalgorithmgiving alltogetherlessthann3substitutionsteps. tialinthenumberofvariablesinvolved.assumingthataboolean ofbooleanexpressionsintobooleanexpressionsleadstosizeexponen- ThecrucialpointconcerningcomplexityisthesizeoftheBooleanex- equationsysteminnormalformconsistsofnequations(anddierent

88 pressionscreatedrelativelysmall.findinganexamplewheretheright- uationrulesasdiscussedaboveandtheeliminationrulekeeptheex- Tryingabignumberofexamplesshowedthattheapplicationofeval- globalandlocalalgorithmiso(2n). 88 variables),thenthesizeofthebooleanexpressionscreatedduringthe algorithmisboundby2n.hencetheworstcasecomplexityofthe Chapter6.SolvingBooleanequationsystems. handsideexpressionsareofexponentialsizeturnedouttobeadi- culttask.theexamplebelowwasconstructedwithhelpofbrinksma sionwhereonevariableappearstwiceandthelawsforevaluationof XnuptoXn=2thereisnoapplicationoftheeliminationrulepossible. ordertoreduceit.suchanexpressiongivesaschemeforiterativesubstitutionwithnopossibilityofreduction.thexpointoperatorsin [Bri96]andRossmanith[Ros96].Thebasicideaistondanexpres- Thereforexpointoperatorsareleftaway.Assumen210IN.Thesize thisexampleareirrelevant,becausewhenbuildingupexpressionsfor Booleanexpressionsasxedforthealgorithmarenotapplicablein ofexpressionsisthenboundbyo(2n=5). X1 X2 X3 X4 =X2 =X3 =X4 Xn=2+4=Xn=2+6_Xn=2 3 Xn=2+3=Xn=2+5^Xn=2 2 Xn=2+2=Xn=2+4^Xn=2 1 Xn=2=Xn=2+1 Xn=2+1=Xn=2+2_Xn=2+3 ::: =X5 Xn 10=Xn 9_X10 Xn 11=Xn 9_X11 Xn 12=Xn 10^X12 Xn 13=Xn 11^X13 Xn 14=Xn 13_Xn 12 Xn=2+5=Xn=2+6_Xn=2 4 :::

89 6.4.Gauelimination. Xn 4=Xn 3_Xn 2 Xn 5=Xn 4_X6 Xn 6=Xn 4_X7 Xn 9=Xn 8_Xn 7 Xn 7=Xn 5^X8 Xn 8=Xn 6^X9 89 Inordertomaketheconceptualdierencetotheapproximationmethod clearweshowthatgaueliminationisindependentofthealternation Xn=X1_X2 Xn 1=X1_X3 Xn 2=Xn^X4 Xn 3=Xn 1^X5 variablewithleastxpoint. depthofabooleanequationsystem.leastandgreatestxpointsare treatedinasimilarway:thecorrespondingvariablesaresubstituted byaconstant,trueforavariablewithgreatestxpoint,falsefora bitraryalternationdepthweconstructabooleanequationsysteme0 Proposition6.4Thecomplexityofthenaivealgorithmbased withonly-xpoints,ande0hasthepropertythatthesizeofexpressionscreatedduringgaueliminationisatleastthesizeofexpressions Booleanequationsystemandhencealsooftheunderlying-calculus Proof:TheideaisthatforagivenBooleanequationsystemEofar- ongaueliminationisindependentofthealternationdepthofthe createdfore.(theirsolutionsmaydier.) formula. ForthispurposewehavetorestricttheclassofBooleanequationsystemsweconsidertothosewhichdonotcontainconstantsandallright becauseconstantsandxedrighthandsidevariablescanbeelimiplyingthiseliminationbeforestartinganyalgorithmwillnotincreasnatedfromabooleanequationsysteminlineartime(inthesizeofthe handsidevariablesarebound.infactthisisnotarealrestriction, system)suchthatthesolutionofthesystemispreserved.henceap-

90 instandardform.thisrepresentationcanbeachievedbyalinear 90 itscomplexity.furthermoreweconsiderbooleanequationsystems blow-upoftheoriginalsystem(inthesizeoftheunderlying-calculus formula). ThetransformationfromEtoE0worksasfollows: everyconjunctioncontaininga-variableistransformedtoadisjunction(ofthesamevariables),and Chapter6.SolvingBooleanequationsystems. everyissubstitutedbya. X2lhs(E0). WehavetoshowthatthesizeofexpressionswhenapplyingGau NotethatthesolutionofE0willbe0,where0(X)=falseforall thesamedependencygraph,andthereforealsothesamestructureof eliminationtoe0isgreaterorequaltothosefore.bothsystemshave ApplyingasubstitutionstepleadstoanexpressioniXi=f[Xj=g]and thecorrespondingequationsofe0,wherei<j. variables.letixi=f;jxj=gbeequationsofeandxi=f0,xj=g0 thermorecorrespondingequationsofbothsystemscontainthesame ThepropertytoshowholdsfortheinitialsystemsEandE0.Fur- lost"incomparisontoe. substitutions.wejusthavetomakesurethatine0\novariablesget (numberof)variablesasf0andg0thenthiswillalsoholdforf[xj=g] Xi=f0[Xj=g0]respectively.Iffandgcontainedatleastthesame off[xj=g]. ForaneliminationstepconsideraspartofanexpressionofEaconjunctionXi^Xj,whereXiisa-variableandXjisa-variable,and andf0[xj=g0]andthesizeoff0[xj=g0]isgreaterorequaltothesize evaluatestoxjasintheothercase.whenxjissubstitutedbyfalse thentheconjunctionofewillevaluatetofalse,whereasthedisjunctionofe0willevaluatetoxi,leadingtoagreaterexpression(withajunctionxi_xjandxiwillbesubstitutedbyfalse.thedisjunction leastonemorevariable)thanine.notethatthecaseofsubstituting Xiissubstitutedbytrue.ThentheconjunctionevaluatestoXj.In trueforavariableinadisjunctionintroducedine0doesnothappen, thetransformedsysteme0theconjunctionwastransformedtoadis-

91 6.4.Gauelimination. becausethesolutionofe0givesfalseforeveryvariableofe0. AnystatementaboutsizeofBooleanexpressionsmakesonlysenseif wechooseasensiblerepresentationofbooleanexpressions.inthecase hereweevaluateexpressionsjustwiththerulesforconstants. Wenowwanttodemonstratebysomeexamples\good"behaviourof Gauelimination,wheretableaumethodandapproximationmethod 91 needexponentialspaceand/ortime.twoexampleshavealreadybeen treatedinsection6.3,illustratingtheexponentialblow-upoftheplain tableaumethod.theseexamplescaneasilybesolvedwiththetechniquesfromthissectionwithoutanyblow-up.thismightnotbetoo sizenandalternationdepthn. TheGaueliminationmethodproducesonlyexpressionsofaxed surprisingasalreadyextensionsofthetableaumethodin[cle90]and [Mad92]candealwiththeseexamples. Herewepresentanotherexample.Itsfeaturesarethefollowing: Itisscalable,i.e.itisasetofexamples,whichcanhavearbitrary Letn22IN Knownalgorithmsbasedontheapproximationtechniqueareexponentiallyinn. Thelastaspectisduetothefactthattheexampleisconstructedina waythatamaximalnumberofbacktrackingstepsisrequired. constantlengthforanyoftheexamples,andthecomplexityis O(n2). X4=X3_Xn X2=X1_Xn X3=X2^Xn X1=X2^Xn Xn 2=Xn 3_Xn Xn 1=Xn 2^Xn Xn 3=Xn 4^Xn Xn=Xn 1_Xn=2 :::

92 tiveandtheconjunctiveclassandacombinationofthem.thefrag- mentsofthemodal-calculusthatgivesrisetotheseclassesarel1 InthissectionweconsiderclassesofBooleanequationsystemsfor whichgaueliminationhascomplexityo(n2).thesearethedisjunc Complexityforsubclasses. Chapter6.SolvingBooleanequationsystems. Gaueliminationtodisjunctivesystemsarealwaysdisjunctions.The ifallitsequationsare.expressionscreatedduringanapplicationof disjunctionoritisa2-aryconjunctionwhereatleastoneconjunctisa constant.abooleanequationsysteminstandardformisdisjunctive, ABooleanequationiscalleddisjunctive,ifitsright-handsideisa toectl[vw83],anextensionofctl. andl2.in[ejs93]thefragmentl2wasshownbeingequi-expressive thatareinvolved,whichisatmostthenumberofequationsinthe system. sizeofandisjunctionisboundbythenumberofdierentvariables ofanequationcanberepresentedasaset.substitutioncorresponds Proof:TheglobalversionoftheGaueliminationalgorithmtakes atmostn2eliminationandsubstitutionsteps.eachright-handside canbesolvedintimeandspaceo(n2)withtheglobalversionofthe Gaueliminationalgorithm.ApplyingthelocalversionoftheGau eliminationalgorithmneedstimeo(n3)andspaceo(n2). Proposition6.5AdisjunctiveBooleanequationsystemofsizen morethanndierentexpressions,orsetsresp.,eachofsizelessthan n.thelocalalgorithmneedslessthann3eliminationandsubstitution steps. Theconjunctiveclassisdenedanalogously:aBooleanequationsysteminstandardformisconjunctive,ifitcontainsonlyequationswith thentoaremovingoneelementofasetandunionoftwosets.these operationscanbeperformedinconstanttime.thereexistalwaysnot conjunctionsontheirrighthandsides,ordisjunctions,whereoneof thedisjunctsisaconstant.thedualargumentholdshere. Proposition6.6AconjunctiveBooleanequationsystemofsizen canbesolvedintimeandspaceo(n2)withthethelocalversionof

93 Disjunctiveandconjunctiveclassesmaybecombinedinarestricted Proof:Analogouslytothepreviousproofofproposition Gauelimination. way.intuitively,therequirementis,thatwhenapplyingthegaueliminationalgorithmneveradisjunction(containingmorethanaconstant orasinglevariable)issubstitutedintoaconjunctionorviceversa.the formaldenitionofthecombinedclassisgivenbelow.recallthata subsysteme0ofeisclosedwithrespecttoe,ifree(e0)free(e). eachdisjunctivesystemiscontainedinthecombinedclass; eachconjunctivesystemiscontainedinthecombinedclass; ifabooleanequationsystemeofthecombinedclasscontainesa fc,thenthereisavariablexineitherfdorfc,suchthat disjunctiveequationdxd=fdandaconjunctiveequationcxc= X=fXistheleast(w.r.t.E)equationofasubsystemE0 GaueliminationalgorithmneedstimeO(n3)andspaceO(n2). thegaueliminationalgorithm.applyingthelocalversionofthe. 93 classtheglobalversionofthegaueliminationalgorithmsolvesthe Proposition6.7ForaBooleanequationsysteminthecombined (cxc=fc)c(x=fx). (dxd=fd)c(x=fx), E0iscontainedinthecombinedclass, closedwithrespecttoe, Proof:TheobservationhereisthattheGaueliminationalgorithm evaluatestheleastvariableofaclosedsubsystemtoaconstant.the restisanalogoustothedisjunctiveandconjuncticecase. systeminspaceandtimeo(n2). eliminatedfromtheequationsystemaccordingtolemma3.20,followed byafurtherevaluationstep,andsoon.inthiscaseeachvariableofa aftereachevaluationstepequationswithaconstantright-handsideare thegaueliminationalgorithmhastobemodiedintheway,that Note,thatX=fXhasnottobenecessarilytheleastequationofthe subsystem;itmaybeoneequationofaclosedsubsystem.inthiscase closedsubsystemisevaluatedtoaconstant.

94 94 getalocalalgorithmforthecombinedclassthereisamodication Alsonote,thatthelocalversionoftheGaueliminationalgorithm classisnotnecessarilycontainedinthecombinedclass.inorderto substitutesdisjunctionsintoconjunctionsandviceversa.thereason appliedtobooleanequationsystemsofthecombinedclasspossibly isthatasubsystemofabooleanequationsysteminthecombined Chapter6.SolvingBooleanequationsystems. temsderivedfrom-calculusformulaeoffragmentl2arecontained tobecreateduntiltheactualsubsystemisinthecombinedclass. formulaeofthefragmentl1aredisjunctive,andbooleanequationsys- inthecombinedclass.(seedenitionsforl1andl2inchapter4). Emerson,JutlaandSistla[EJS93]presentedamodelcheckingalgorithmforL1andL2whichisofcomplexityO(jj2jTj).Transformation tobooleanequationsystemsgivesalsoano(jej2)algorithm. thenoderepresentingthe-calculusformulaandinitialstate,which BhatandCleaveland[BC96]developedamodelcheckingalgorithmfor impliesthattheformulasatiesthetransitionsystem.thelineartime caseofbooleanequationsystems.fortheextensionofthealgorithm tothefragmentl2theyclaim,thattheresultingalgorithmmaybe formulaisprovedbyatableausystem.thetimecomplexityoftheir algorithmiso(ad()jjjtj),givingano(ad(e)jej)algorithmforthe 6.5Complexity. shownalsotohavetimecomplexityo(ad()jjjtj). ItiseasytoseethatBooleanequationsystemsderivedfrom-calculus necessary:beforeapplicationoftheglobalalgorithmequationshave additionallylabelledby_or^.aformulaoflineartimetemporallogic thefragmentl1.itoperatesonthedependencygraphwherenodesare expressesthatthereexistsa-cycle(orconstanttrue)reachablefrom non-emptinessproblemsoftreeautomata,whichareinnp.thenthe proofs(e.g.[ejs93,bvw94])reducethemodelcheckingproblemto Forthemodelcheckingproblemthisisaknownresult.Mostofthe WegiveaproofthattheproblemofsolvingBooleanequationsystem iscontainedinnp\co-np.

95 ducedtoadisjunctivesystembychoosingonevariableoutofevery propertyholdsforsomemodelifitsnegationdoesnotandviceversa. AnarbitraryBooleanequationsysteminstandardformcanbere- WeclaimthattheproofintheframeworkofBooleanequationsystems isquitesimple.roughlytheargumentationworksasfollows. modelcheckingproblemisalsocontainedininco-np,justbecausea 6.5.Complexity. 95 DuallyaBooleanequationsysteminstandardformcanbereducedto Booleanequationsystemhasasolutionpointwisegreaterthanthesolutionoftheoriginalone.However,inproposition3.36itwasshown conjunctionandthrowingtheotheroneaway.ingeneralthereduced aconjunctivesystem.ingeneralitwillhaveapointwiselowersolution systemintimeo(jej2). thantheoriginalone,buttheremustexistonereductiongivingthe thattheremustbeonereductiontoadisjunctivesystemhavingthe solvedinquadratictimeaccordingtoproposition6.6. samesolution.againadisjunctivebooleanequationsystemcanbe samesolution.accordingtoproposition6.5wecansolvethereduced thesolutionsoftheconjunctiveandthedisjunctiveone.hence,if reductions(outofexponentiallymany),onetoadisjunctivesystem, time.weknowthatthesolutionoftheoriginalsystemliesbetween GivenaBooleanequationsysteminstandardformwecanguesstwo weguessed\correctly"andbothsystemshavethesamesolution,this mustalsobethesolutionoftheoriginalsystem. theotheronetoaconjunctiveone.bothcanbesolvedinquadratic righthandsideremainunchanged.byconstructionanddenition tooneofthedisjuncts.theequationswithaconjunctiononthe adisjunctionontherighthandsidewereducetherighthandside Proof:WeguessaconjunctivesystemE0:ineachequationofEwith innp\co-np. Theorem6.8SolvingaBooleanequationsystemEiscontained 3.15followsthatE0E.Thereareexponentiallymanypossibilitiesto choosesuchaconjunctivesystem.analogouslyweguessadisjunctive systeme00e.againthereareexponentiallymanypossibilitiesto

96 96 guess.ingeneralthesolutionofe0ispointwiselowerorequaltothe solutionase. solutionofe(proposition3.16).proposition3.36saysthatthereexists aconjunctivesysteme0havingthesamesolutionase.thesolution 3.16).AndagainthereexistsadisjunctivesystemE00havingthesame ofe00ispointwisegreaterorequaltothesolutionofe(proposition Chapter6.SolvingBooleanequationsystems. problemtosolvinge,i.e.([[e]])(x)=falsei([[e]])(x)=true.from andhencesolvingeisalsoinco-np. theyhavethesamesolutionthenitmustbethesolutionofe. E0andE00canbesolvedinquadratictime(propositions6.5,6.6).If Inlemma3.35itwasprovedthatthesolvingEisthecomplementary theargumentationabovefollowsthatsolvingeisalsocontainedinnp

97 algorithm. Chapter7 Inthissectionwedemonstratetwothings:Anon-trivialapplicationof Peterson'smutex themodal-calculusandresultsfromvericationwithaprototypeimplementationofthelocalgaueliminationalgorithm.forthispurpose thealgorithmsformutualexclusion(mutex)seemtobeappropriate: ononehandtheyaremoreinterestingthanthecoeemachine,but itisinthecriticalsection.thetaskofmutexalgorithmsisnowto time.whenaprocesshasaccesstothecommonsourcethenwesay shareacommonsourcewhichmaybeusedbyoneprocessonlyatone formulae. Roughlythemutexproblemisthefollowing:two(ormore)processes theyaresmallenoughtocaptureconceptseasily,ontheotherhand organizetheavailabilityofthecommonsourceinsuchawaythatit thepropertiestobeprovedresultinrathersophisticated-calculus neverhappensthatbothprocesseshaveaccessatthesametime(safety ThebasisfortheexamplespresentedhereistheworkofWalker[Wal91], (livenessproperty). whoencodedthebestknownmutexalgorithmsasccsprocessesand property)andthatarequestingprocesscannotbedeniedaccessforever

98 teedwithoutfairnessassumptions.acommonpossibilityistorequire [Vog96]pointedout,livenessformutexalgorithmscannotbeguaran- hisproperties.askindlerandwalter[wal95a,kw97]andvogler safetypropertieshewassuccessful,thereremainedopenquestions 98 triedtoprovesafetyandlivenesspropertiesforthem.whereasfor concerningliveness.onereasonisthathedidnottreatfairnessin Chapter7.Peterson'smutexalgorithm. fairnessforeverything.ingeneral,thisisnotnecessaryformostcases, WeinvestigatePeterson'smutexalgorithm.Othermutexalgorithms examplespresentedherearecontainedin[km]. 7.1Modellingthealgorithm. sumptionsformutexalgorithmstofulllthelivenessproperty.the andourinteresthereistondoutwhataretheprecisefairnessas- canbetreatedanalogously. Peterson'salgorithmworksfortwoprocessesP1andP2,eachone havingabooleanvariable,b1orb2resp.,whichissettotrueifa readsb2.duallyprocessp2writestob2andreadsb1.bothprocesses readandwritetovariablek.leti;j2f1;2gandj6=i. processwishestoenterthecriticalsection.thereisaturnvariablek theprocesswiththecorrespondingindex.processp1writestob1and takingvaluesfromf1;2gandincaseofaconictitgivesapriorityto whiletruedo begin(noncriticalsection); TheprocessesaremodelledfollowingWalker's[Wal91]approach.He waituntilnotbjork=i; bi:=true; formulatedthetwoprocessesasccsagents[mil89].eachvariableis end; k:=j; (criticalsection); bi:=false

99 7.1.Modellingthealgorithm. representedbyitsownagentandwritingtoavariableorreadingit areactionswhereaprocessagentandavariableagentsynchronize. ModellingProcessP1: =req1:b1wt:kw2:p11+:p1 99 P22 P21 ModellingProcessP2: P12 P11 =enter2:exit2:b2wf:p2 =b1rf:p22+b1rt:(kr1:p21+kr2:p22) =req2:b2wt:kw1:p21+:p2 =enter1:exit1:b1wf:p1 =b2rf:p12+b2rt:(kr2:p11+kr1:p12) Modellingthewholeprocess: L Modellingthevariablesb1,b2andkbyprocessagents: Peterson=(P1jP2jK1jB1fjB2f)nL =fb1rf;b1rt;b1wf;b1wt;b2rf;b2rt;b2wf;b2wt; B1t =b1rf:b1f+b1wf:b1f+b1wt:b1t =b1rt:b1t+b1wt:b1t+b1wf:b1f kr1;kr2;kw1;kw2g B2f B2t =b1rf:b2f+b1wf:b2f+b1wt:b2t criticalsectionandmodelthisbehaviorbyadditional-loopsforprocessp1andprocessp2.anotherpointconcernsthesemanticsofthe wealsotakeintoaccountthataprocessmayneverwishtoenterthe However,therearesmalldierences:inadditiontoWalker'sversion K1 K2 =kr1k1+kw1k1+kw2k2 =kr2k2+kw2k2+kw1k1 =b1rt:b2t+b1wt:b2t+b1wf:b2f rithmwitha(non-busy)wait-statementgivingdierentprocessagents semanticsismodelled.alternativelywealsowanttolookatthealgo- wait-statementinthealgorithm.intheprocessabovethebusy-waiting

100 100 forp11andp21: P2=req2:b2wt:kw1:P21+:P2 P12=enter1:exit1:b1wf:P1 P11=b2rf:P12+kr1:P12 P1=req1:b1wt:kw2:P11+:P1 Chapter7.Peterson'smutexalgorithm. Wedistinguishthreeconcepts:progress,weakfairnessandstrongfairness.Theydescribeconditionsforaccesstocommonsources,which 7.2FairnessandLiveness. P22=enter2:exit2:b2wf:P2 P21=b1rf:P22+kr2:P22 volved.gettingaccesstoavariableiseitherreadingthevariableor arevariablesinthecasehere,whenevermorethanoneprocessisin- writingtoit. Progress:Wheneveraprocesscontinuouslywantstohaveaccessto avariabletheneitheriteventuallycanaccessorinnitelyoftensome otherprocessesaccess. Weakfairness:Wheneveraprocesscontinuouslywantstohaveaccess processp2.a-calculusformulaexpressingthispropertyis: Strongfairness:Wheneveraprocessinnitelyoftenwantstohave VerifyingitforprocessPetersongivesfalseforbothinterpretations 1Z:[ ]Z^[req1](X:[ ]X_henter1itt) propertyforprocessp1andbysymmetryargumentsitfollowsalsofor criticalsectiontheniteventuallymaydoso.wewanttoshowthe Thelivenesspropertytoproveis,thatifaprocesswishestoenterthe accesstoavariabletheniteventuallygetsit. donotincludesomeadditionalassumptions.forexampleitiseasyto seethatinaninterleavingbasedmodelwealsohavetomakeprogress ofthewaitstatementasexpected.thepropertydoesnotholdifwe explicit.afterrequestingthecriticalsectiononeprocesscouldstopdoinganything,whereastheotheroneisreadingvariablescontinuously.

101 conditionwith-calculusexpressionsforprocesspetersonasencoded Fromthetechnicalpointofviewwecannotformulateanyfairness wewanttomakeprecise. 7.2.FairnessandLiveness. Thewholesystemisdoingsomethingallthetime,but,ofcourse,we cannotprovethattheoneprocesseventuallyentersthecriticalsection.whatfurtherfairnesspropertiesarerequiredisthepointwhich 101 Wewillusethesametechniqueandaddvariousprobesforvariable whichprocessgotaccesstowhichvariable,orwhichprocesswould accessestotheprocesses. Apropertywewanttoproveisthefollowing: liketodoso.walkerusedadditionalactions,calledprobes,inorder tomakerequest,enteringandexitingofthecriticalsectionvisible. above.everyvariableaccessresultsina-actionanditisnotvisible k2.thenewagentsforprocessesp1andp2areforinterpretationwith Requiringprogressforallvariables,afterrequestingthecriticalsection aprocessmayeventuallyenter. busywaitingarebelow. cessareinvolved.theadditionalprobesareb11,b12,b21,b22,k1and Accordingtothedenitionofprogresswehavetoaddanindividual probetoeachvariableaccessindicatingwhichvariableandwhichpro- P1=req1:b1wt:b11:kw2:k1:P11+:P1 Theformulaexpressinglivenessunderprogressconditionsisquite Peterson2=(P1jP2jK1jB1fjB2f)nL P22=enter2:exit2:b2wf:b22:P2 P2=req2:b2wt:b22:kw1:k2:P21+:P2 P12=enter1:exit1:b1wf:b11:P1 P21=b1rf:b12:P22+b1rt:b12:(kr1:k2:P21+kr2:k2:P22) P11=b2rf:b21:P12+b2rt:b21:(kr2:k1:P11+kr1:k1:P12) tothepossibilityofenteringthecriticalsectionoritfails(oneof)the progressconditions.thepossibilityoffailingprogressconditionsconsiststheninfurtherdisjunctionsinthe\pure"livenessformula1. large,buttheconstructionisratheruniform,anditrytogiveamotivation.whatisactuallyexpressedistheproperty:always,aftera request,eachpathhastofulllthefollowing:eitheriteventuallyleads

102 afterwardstheindicatingprobe.forexampleatastatewhereprocess P2wantstohaveaccesstovariablekthe-calculusformulahihk2itt itcoulddoit.inaccsprocessthestates,whereaprocesscould haveaccesstoavariablearethosewhereitcoulddoa-actionand holds.accordingtothisadditionofprobeswealsohavetomodel 102 Itissupposedthataprocess\wishes"toreadorwriteavariable,if Chapter7.Peterson'smutexalgorithm. thatavariableaccessanditsprobehavetoperformedasanatomic action.pathswheretheseactionsarenotdirectlysubsequentshould notbeconsideredandtheyalsofailtheassumptions.intheformula (e.g.:::_(hb11itt^[b11]x):::).additionallyweassumethatifprocessp2mayenterthecriticalsectionorexitthenitwilleventuallydo thisconditionisexpressedas\wheneveraprobecanbeperformedand itisnotperformedimmediately,thenthispathwillnotbeconsidered" it. Wewillhaveacloserlooktooneofthesubformulaeexpressingthe access(by[b11;b12]x)andeventuallytherewillbealwaysnoaccess pointoperatorsexpressesan\eventuallyalways"property.itisful- Accordingtothediscussionsinsection4.2thiscombinationofx- possibilitytofailaprogresscondition,e.g. (by[ b11;b12]y).thedisjunction[ b11;b12](x_y)isnecessarybe- X::::Y:hihb11itt^[b11;b12]X^[ b11;b12](x_y)::: causeofthebranchingstructure:imagineapathfailingtheprogress- condition,butonpathsbranchingothereiseventuallyanenter1 hihb11itt),butonlynitelyoftenoneoftheprocessesperformsan lledonallpaths,wherealwaysaccesstovariableb11ispossible(by action. 02X:[ ]X_henter1itt 2Z:[ ]Z _Y:hihb22itt^[b21;b22]X^[ b21;b22](x_y) _Y:hihb21itt^[b21;b22]X^[ b21;b22](x_y) _Y:hihb12itt^[b11;b12]X^[ b11;b12](x_y) _Y:hihb11itt^[b11;b12]X^[ b11;b12](x_y) ^[req1]02

103 7.2.FairnessandLiveness. _Y:hihk1itt^[k1;k2]X^[ k1;k2](x_y) _Y:hihk2itt^[k1;k2]X^[ k1;k2](x_y) _Y:hexit2itt^[exit2]X^[ exit2](x_y) _Y:henter2itt^[enter2]X^[ enter2](x_y) 103 _(hk2itt^[k2]x)) _(hk1itt^[k1]x) _(hb22itt^[b22]x) _(hb12itt^[b12]x) _(hb21itt^[b21]x) _(hb11itt^[b11]x) notsucientforliveness,asexpected.havingtriedseveralfairness Verifying2forPeterson2showsthatonlyprogressconditionsare assumptions,thefollowingturnedouttobetheweakestonethatis sucientforprovingliveness:inadditiontothegeneralprogressassumptions,weakfairnessisnecessaryforwriteaccesstob1andb2and forbothreadandwriteaccessofvariablek.theprobeswhichhaveto readandwriteaccessforvariablesb1andb2gettingthesetofprobes b11w;b21r;b22w;b12r;k1;k2(theotherpossibilitiesdonotappearin beaddedtotheprocessagentsnowhavealsotodistinguishbetween thecasehere).wegetthefollowingprocess: P1=req1:b1wt:b11w:kw2:k1:P11+:P1 P2=req2:b2wt:b22w:kw1:k2:P21+:P2 P12=enter1:exit1:b1wf:b11w:P1 P11=b2rf:b21r:P12+b2rt:b21r:(kr2:k1:P11+kr1:k1:P12) The-calculusformula3expressingtheintendedlivenessproperty isconstructedanalogouslyto2.notethattheprogressconditions foractionsb12wetc.donotappearintheformula,simplybecause Peterson3=(P1jP2jK1jB1fjB2f)nL P22=enter2:exit2:b2wf:b22w:P2 P21=b1rf:b12r:P22+b1rt:b12r:(kr1:k2:P21+kr2:k2:P22)

104 resulttrue. 104 theydonotappearintheprocess.verifying3forpeterson3gavethe _Y:hihb11witt^ 03X:[ ]X_henter1itt 3Z:[ ]Z^[req1]03 [b11w]x^[ b11w](x_y) Chapter7.Peterson'smutexalgorithm. _Y:henter2itt^[enter2]X^[ enter2](x_y) _Y:hihk2itt^ _Y:hihk1itt^ _Y:hihb22witt^ _Y:hihb21ritt^[b21r;b22w]X^[ b21r;b22w](x_y) _Y:hihb12ritt^[b11w;b12r]X^[ b11w;b12r](x_y) _Y:hexit2itt^ [b22w]x^ [k2]x^ [k1]x^ [b22w](x_y) _(hb12ritt^[b12r]x) _(hb21ritt^[b21r]x) _(hb11witt^[b11w]x)[exit2]x^[ exit2](x_y) [ k2](x_y) [ k1](x_y) Forthecaseofinterpretingthewaitstatementnotwithbusywaiting toprogressonlyfairwritingforthevariablesb1andb2issucient thenecessaryrequirementsturnouttobemuchweaker.inaddition forliveness.herealsothepositionoftherequest-probemakesadifference.inwalker'sversionofpeterson'salgorithmtherequest-probe wasplacedafterwritingb1totrue.inthiscasewecanshowthat _(hk1itt^[k1]x) _(hk2itt^[k2]x) _(hb22witt^[b22w]x) requestprobebeforewritingtob1leavesthesolutionofthisproblem onlyprocessesandformulaeveried. tothefairnessconditions. Theprooftechniqueisthesameasinthecaseaboveandwepresent criticalsection,butisnotabletosetvariableb1totrue.placingthe oneconictishiddeninthisversion:processp1wishestogetintothe onlyprogressrequirementsaresucienttoproveliveness.however,

105 7.2.FairnessandLiveness. P12 P11 P21 =enter1:exit1:b1wf:b11:p1 =req1:b1wt:b11:kw2:k1:p11+:p1 =b2rf:b21:p12+kr1:k1:p12 =req2:b2wt:b22:kw1:k2:p21+:p2 =b1rf:b12:p22+kr2:k2:p (Peterson5),itisthecasethat2doeshold! 2expressessimplylivenessunderprogressassumptions.ItwasevaluatedtofalseforPeterson4andprocessesP1andP2asabove.Forthe P22 Peterson4=(P1jP2jK1jB1fjB2f)nL =enter2:exit2:b2wf:b22:p2 modicationofp1,wheretherequestprobereq1comesafterb1wt:b11 forvariablesb1andb2hastobeguaranteed.theprobesindicating Fortherequestprobereq1inthe\correct"placeasabovefairwriting write(andread)accessforb1andb2havetobeadded.theformula 4givingtruePeterson4isasfollows: _Y:hihb22witt^ _Y:hihb12ritt^[b11w;b12r]X^[ b11w;b12r](x_y) _Y:hihb21ritt^[b21r;b22w]X^[ b21r;b22w](x_y) _Y:hihb11witt^ 04X:[ ]X_henter1itt 4Z:[ ]Z^[req1]04 _Y:hihk1;k2itt^[k1;k2]X^[ k1;k2](x_y) [b22w]x^ [b11w]x^[ b11w](x_y) _Y:henter2itt^[enter2]X^[ enter2](x_y) _Y:hexit2itt^ _(hb11witt^[b11w]x)[exit2]x^[ exit2](x_y) [b22w](x_y) _(hk1itt^[k1]x) _(hk2itt^[k2]x) _(hb22witt^[b22w]x) _(hb12ritt^[b12r]x) _(hb21ritt^[b21r]x)

106 tion6.4wasimplementedbywallner[wal93]andtheprocessesand formulaeofthischapterhavebeenveriedusingthisimplementation. ThelocalversionoftheGaueliminationalgorithmpresentedinSec ExperimentalResults. Chapter7.Peterson'smutexalgorithm. TheprogramiswritteninCandBinaryDecisionDiagrams(BDDs) suitablechoiceforouralgorithm:eachsubstitutionstepduringthealgorithmmakesacompositionofbbdsnecessary.thesizeofthebdds TheBBDpackagefromCarnegieMellonUniversitywasused.Thepro- agentstotransitionsystemsasinputfortheprogramwasperformed withtheedinburghconcurrencyworkbench. However,experimentsshowedthatBDDsareprobablynotthemost gramwasrunonasunultrasparc1.thetransformationfromccs [Bry86]havebeenchosenasdatastructureforBooleanexpressions. grewmorethanexpectedandmadefrequentandtime-consumingreorderingnecessary.belowwelisttheresultsfromtheverication procedures.bddsizesareincludedandhereandwetookonlyinto accountthesizeofthebddrepresentingtheright-handsideofthe VersionofPeterson states formula xpoints result timevericationofpetersons'smutexalgorithm equationscreated8min13min1min1min1min falsetruefalsetruetrue %ofallequations17%22%17%18%13% maximalbddsize averagebddsize substitutionsteps eliminationsteps

107 expressalways-properties,whichmakesanevaluationoftheformula gorithmcontainingtherelevantprobesforthiscase.allformulae 7.3.ExperimentalResults. isnoadvantageinthiscase.however,itturnedout,thatonly13-22% atallstatesnecessary.itistobeexpectedthatlocalmodelchecking variableofinterest(\therstequation").eachformulaintroduced intheprevioussectionwasveriedfortheversionofpeterson'sal- 107 ofthepossibleequationshadtobecreated.

108 108 Chapter7.Peterson'smutexalgorithm.

109 Chapter8 Equivalenttechniques. Themodelcheckingproblemforthemodal-calculushasbeentreated alsowithinotherframeworks,andthereexistreductionstoproblemsin automatatheoryandtheoryofgames.chapter5containsreductions versa.inthischapterwewillshowtheequivalenceofsolvingboolean ofthemodelcheckingproblemtobooleanequationsystemsandvice ustoapplythevariouspropertiesforbooleanequationsystemsfrom chapter3andsection3.2alsotothekindofalternatingautomataand itfollowsthatalgorithmssolvingoneproblemcanbetransformedin ordertosolvetheotherproblems.furthermoretheequivalenceallows playerhasawinningstrategy,ontheotherhand.fromtheequivalence equationsystemsononehand,andthenonemptinessproblemforalternatingautomataaswellasthedecisionproblemforgames,i.e.which gamesconsidered. natingautomataandthemodelcheckingproblemareequivalenttoo. resultsofsection5.2thatthenonemptinessproblemforthesealtertionandbooleanequationsystems.itfollowsthenaccordingtothe Inthissectionweshowtheequivalenceofalternatingautomataon 8.1Alternatingautomata. innitewordsovera1-letteralphabetwithaparityacceptancecondi-

110 Letbeanitenonemptyalphabet.Anitewordoverisanite Wordsandtrees. Foranoverviewoverautomataoninnitewordsandtreessee[Tho90], foralternatingautomataalso[var95]. 110 Chapter8.Equivalenttechniques. ofelementsof.thesetofinnitewordsoverisdenotedby!. sequencea0;:::;anofelementsof.thesetofnitewordsoveris denotedby.aninnitewordoverisainnitesequencea0;a1;::: arecalledleaves.abranchbofatreeisasequenceb1b2:::,such numberofitschildrenisthearityofanode.nodeswithoutchildren sor,itsparent,andanitenumberofsuccessors,itschildren.the predecessor,therootof.eachothernodehasoneuniquepredeces- nislabelledbyanelementof,writtenas(n)2.thesetof nodesmaybeeitherniteorinnite.thereexistsonenodewithout Atreeoverthealphabetisadirected,acyclicgraph.Eachnode Alternatingautomata. Alternatingautomataareageneralizationofnondeterministicautomata. thesetlim(b)asallelementsaofsuchthatinnitelymany thatb0istherootofandeachbiistheparentofbi+1.itiseither Forourpurposeautomataoveranalphabetcontainingasingleletter nite,endinginaleaf,ofinnite.givenabranchbofatreewedene aresucient. AnalternatingautomatonAisheredenedasatuple(fag;S;s0;;), nodesofbarelabelledwitha.notethatifbisnite,thenlim(b)=;. where isanacceptanceconditionwhichhastobespecied. fagisa1-letteralphabet, SisthesetofstatesofA, s02sistheinitialstate, :fags!b+(s)atransitionfunction,whichmapsastateof S(andthesymbola)toanegationfreeBooleanexpressionoverS,

111 SnS0.AsubsetS0ofSsatisesanegationfreeBooleanexpression disjunctivenormalform,allthestatesoccurringinonedisjunctform asetwhichsatisesf. fovers,iff(s0)=true.forexamplewhenfisrepresentedin alls2s0wehavethats0(s)=trueandfalseforallotherstatesin 8.1.Alternatingautomata. ForasubsetS0ofSdeneanenvironmentonstatesS0suchthatfor 111 therootofrislabelledbytheinitialstates0 treeroverswiththeproperties: ifanodenhasthechildrenn1;:::;nk,andnislabelledbyastate ArunofanautomatonAoverthe(innite)word!=a;a;a;:::isa whichcontainsforasubsetofcoloursallstatesofthesecolours.the acceptanceconditionis: everynitebranchendsinaleaflabelledwithastates,suchthat coloursf1;:::;mgforsomem2in,andanacceptancesetfs, ArunrofAisacceptingiftheacceptanceconditionholds,which hereisaparitycondition.includesalabellingofthestateswith s,where(a;s)=f,thenthelabelsetfr(n1);:::r(nk)gsatisesf. letteralphabetasdenedabovecanbeinterpretedasanon-deterministic tree-automatonandviceversa.inthiscasearunofanautomatona foreveryinnitebranchbthestatewiththeleastlabelinlim(b) Wemayalsomentionnowthatanalternatingautomatonoverasingle- Anautomatonisemptyifithasnoacceptingrun. (a;s)=true overthe(innite)treeisatreeroverswiththeproperties: therootofrislabelledbytheinitialstates0 iscontainedinf. Theacceptanceconditionforarunisasabove. denefors2stheautomatonasasa,butwithinitialstates;for ifanodenofrhasthechildrenn1;:::;nk,thenfor(a;r(n))=f thesetoflabelsfr(n1);:::r(nk)gsatisesf eachnodenofrwithchildrenn1;:::;nkthereexistsanoden0in withchildrenn01;:::;n0k,suchthateverysubtreeofrrootedwith niisarunofar(ni)overthesubtreeofrootedwithn0i.

112 FromBooleanequationsystemstoalternating 112nondeterministictree-automatonisnonempty. Proposition8.1AnalternatingautomatonAoverinnitestrings anda1-letteralphabetisnonemptyitheinterpretationofaas Chapter8.Equivalenttechniques. automata. GivenaBooleanequationsystemEandanenvironmentweconstruct SomevariableXiofEistakenasinitialstate. AE;=(fag;SE;Xi;E;;E;),where SEisthesetofallvariablesofE,i.e.SE=lhs(E)[rhs(E). IfX=fisanequationofE,wedene(a;X)=f,otherwise anautomatonae;asfollows. TheacceptancesetFcontainsallstatesXwhereX=fisan equationwithagreatestxpointoperatorine.thelabellingof (a;x)=(x). Theorem8.2ForaBooleanequationsystemEandanenvironment itisthecasethat([[e]])(xi)=trueiae;(fag;se;xi;e;;e;) isnonempty.moreoverae;hassizeofo(jej). getsthelabel1,thesecond2etc..stateswhichdonotcorrespond Hencetheirlabellingisirrelevant. toleft-handsidevariablesineareonlylabelsofleavesinallruns. thestatesfollowstheorderofthevariablesine:therstvariable Theproofisintheappendix. FromalternatingautomatatoBooleanequation phabetwithparityconditiontoabooleanequationsystemissimple. GivenanautomatonA(fag;S;s0;;)weconstructaBooleanequationsystemEAasfollows: systems. Thetransformationfromanalternatingautomatonovera1-letteral- ThesetofstatesSisinterpretedassetofBooleanvariables.

113 8.1.Alternatingautomata. Foreachs2S\Fthereisanequations=(a;s)inEA. Foreachs2SnFthereisanequations=(a;s)inEA. TheacceptanceconditionincludesalabellingofthestatesofS.If inea,i.e.theequationisi=(a;si)isbeforeisj=(a;sj)in forsi;sj2sthelabelofsiislowerthanthelabelofsjthensicsj 113 A(fag;S;s0;;)isnonemptyi([[EA]])(s0)=true. Theorem8.3Foranalternatingparityautomatonovera1-letter alphabeta(fag;s;s0;;)thereexistsabooleanequationsystem EAofsizeO(jAj),suchthatforanyenvironmentitis: EA.(Ifsiandsjcarrythesamelabelthentheyareinthesame blockandtheirorderisirrelevant.) andtransformitbacktoanautomatonaeaasintheprevioussection. Proof:TaketheBooleanequationsystemEAasconstructedabove Itiseasytoseethatwegettheoriginalautomatonuptolabelling. lemsfollowseasily: Theequivalencefollowsthenfromtheorem8.2. Nowtheequivalenceofalternatingautomataandmodelcheckingprob- Theorem8.4ForanalternatingparityautomatonA(fag;S;s0;;) somerenamingfunction:s!s,anyenvironmentandany overa1-letteralphabetthereexistsapropositionofthemodal -calculusandamodelmwiththestatespaces,suchthatfor (s0)2jjjjtvia(fag;s;s0;;)isnonempty.itisad()jfj+1 valuationvitis: Fromtheequivalenceprovedaboveandtheresultsfromsection6.5we knowthatthenonemptinessproblemforalternatingparityautomata Complexityandrelationtootherwork. Proof:Applytheorems8.2,8.3and5.2. andthemisofsizeo(jaj2). overa1-letteralphabetiscontainedinnp\co-np.inthissection

114 morestandardacceptanceconditions,thebuchiandrabinacceptance conditions. TheBuchiacceptanceconditionforarunrofan(alternating)automataconsistsofanacceptancesetFSandtherequirement,that wewanttorelatethisresulttoothercomplexityresultsforthesame 114 probleminthetheoryofautomata.forthatpurposeweconsider Chapter8.Equivalenttechniques. (Ln;Un)gandtherequirementforarunrtobeacceptedis:foreach lim(b)\f6=;foreverybranchbofr. TheRabinconditionincludesasetofacceptingpairsf(L1;U1);:::; overa1-letteralphabettheacceptanceconditionsmakeadierence. However,concerningtheemptinessproblemforalternatingautomata thesameforallthesethreeacceptanceconditions(seee.g.lindsay [Lin88]);itistheclassof!-regularlanguages. Thelanguagesacceptedbyalternatingautomataoninnitewordsare andlim(b)\li=;. branchbofrthereexistsani2f1;:::;ngsuchthatlim(b)\ui6=; statecontainedintheacceptancesetfgetsthelabel1andeach otherstatenotcontainedinfgetsthelabel2.thelabellingtogether labelsfromf1;2g.thelabelsarechoseninsuchaway,thateach sentiallyonlytransformationsoftheacceptanceconditions. ForthecaseofBuchiautomatathestateshavetobeequippedwith tomataandfromparityautomatatorabinautomata,whicharees- ThereexistlineartranslationsfromBuchiautomatatoparityau- initialstates0isnonemptyi([[ea]])(s0)=trueforanyenvironment ofconstructionofeaitfollowsthateahasalternationdepthofat.fromthestructureofbuchiacceptanceconditionsandtheway abooleanequationsystemea,suchthatthebuchiautomatonwith toanalternatingparityautomaton,andfurtherwiththeorem8.3to condition.thuseveryalternatingbuchiautomatonacanbemapped withtheacceptancesetfisthentheequivalentparityacceptance most2;therstequationshavegreatestxpointoperators,thelast [Var95],prop.5andproposition8.1. equationshaveleastxpointoperators.applyingcomplexityresults fromchapter6.2wegetthepropositionbelow.itfollowsalsofrom

115 ForthereductionofaparityautomatontoaRabinautomatonwe colouri2f1;:::;mgwedenelidef alsojusttheacceptanceconditionneedstobetransformed.foreach 8.1.Alternatingautomata. quadratictimeandspace. automataoninnitewordsovera1-letteralphabetisdecidablein Proposition8.5ThenonemptinessproblemforalternatingBuchi 115 andproposition8.1. pairs,becauseitacceptsnothing.itiseasytoseethatthisrabinconditionacceptsthesamerunsastheoriginalparityconditionandvice versa.however,herethenonemptinessproblemfollowsfrom[ej88] pair(li;ui)withli=;canberemovedfromthesetofaccepting anduidef =fs2sjshasalabellowerthanig.notethatanaccepting =fs2fjsislabelledwithig dition(e.g.[se84,niw88,ej91,kai96]).themodal-calculuswas Representing-calculusformulaeasautomataalreadyhasalongtra- showntobeexpressivelyequivalenttoautomataoninnitetrees. modelcheckingproblemandnonemptinessofnondeterministictreeautomatawithparityacceptanceconditionfromemerson,jutlaand automataoninnitewordsovera1-letteralphabetisnp-complete. Amongknownresultstheclosesttooursistheequivalenceofthe Proposition8.6ThenonemptinessproblemforalternatingRabin andtheirresultareinterderivable.anotherapproach(e.g.see[var95, Sistla[EJS93].Withproposition8.1theequivalencepresentedhere BVW94])istorepresentaformulaofthemodal-calculusandalsothe transitionsystemas(alternating,amorphous)rabintree-automata.if theproduct-automatonoftheseisnonempty,thentheformulaholds attheinitialstateofthetransitionsystem.however,thisemptiness InthisapproachtheNP\co-NPcomplexityofthemodelchecking problemfollowsfromcomplementationarguments. problemisnp-complete,andhencetheproblemsarenotequivalent.

116 closedandinstandardform. 8.2Graphgames. StartingfromtheframeworkofBooleanequationsystemswecanderivegraphgamesasdenedin[Sti96]andshowtheequivalenceofboth 116 approaches.inthissectionweassumebooleanequationsystemsbeing Chapter8.Equivalenttechniques. chosenbytwoplayers,playeriandplayerii.theplaystartsatsome AplayponthegamegraphGEisaninnitesequenceofvertices numberofedgesofg. carryingonelabelfromfi,iigandanotherfromf;g1thegraph Gcontainsoneortwoedgesoftheformi!jforeachvertexi.The sizejgjisdenedasusualassumofthenumberofverticesandthe AgamegraphGconsistsofasetofverticesf1;:::;ng,eachofthem initialvertexi.wheneverthecurrentvertexislabelledwithithen lim(p)ofallverticeswhichhavebeenvisitedinnitelyoften.ifthe Astrategyforaplayerisadecisionfunctionfromtheplaydoneso moveandchoosesasuccessor. thecurrentvertex.dually,ifitislabelledbyiithenplayeriihasto Decidingwhoisthewinnerofaplayprequiresconsideringtheset fartothenextmove. playerihastomoveandchoosesoneofthesuccessors,whichthenis Ahistoryfreewinningstrategyisawinningstrategywherethechoice ofasuccessordoesnotdependontheinitialsequenceoftheplaydone iifshecanwineveryplay. AplayerhasawinningstrategyforthegameonGEwithinitialvertex wins;ifitislabelledwiththenplayeriiwins. leastvertexofallverticesinlim(p)islabelledwiththenplayeri IIanda.Inbothcasesaextravertexhastobeintroducedwhichinheritsallthe I-nodewithaandeachII-nodewitha.Fortheotherwayroundwehaveto takecareoftwocases:verticescarryingaianda,and,duallyverticescarryinga successorsoftheoneconsidered,butisthentheonlyimmediatesuccessorofthe originalone.intherstcasetheoriginalvertexgetsthelabelii,itsnewsuccessor thelabeli,duallyinthesecondcase.inallothercasesthelabelsodmayjust beremoved. onelabelfromfi,iig.forgettingfromthedenitiontheretooursweequipeach 1In[Sti96]gamegraphsaredenedinsuchawaythateachvertexcarriesonly

117 I(II)thereexistsauniquechoiceofasuccessorateveryI-labelled 8.2.Graphgames. sofar.thismeansthatinahistoryfreewinningstrategyforplayer (II-labelled)vertex. FromBooleanequationsystemstographgames. 117 GivenaBooleanequationsystemEwewilldeneagamegraphGE. RecallthatforagivenBooleanequationsystemEthedependency graph(seesection6.1)consistsofasetofverticesf1;:::;n;true;falseg, label,truegetsthelabel.ifxi=xj^xkisanequationofe Xi=finEvertexiofGEislabelledwith.Vertexfalsegetsthe EssentiallythegamegraphGEforEisitsdependencygraphwhere additionallyeachvertexcarriestwomorelabels.foreveryequation edgesi!jandi!kinthedependencygraph. thereisanequationxi=xj_xk(xj^xk)inethentherewillbe oneforeachleft-handsidevariableofeandtwofortrueandfalse.if thenvertexiislabelledwithi,andallotherverticesarelabelledwith II.TwomoreedgesareaddedtoGEfortechnicalreasons:false!false andtrue!true. Theproofcanbefoundintheappendix. Theexistenceofhistory-freewinningstrategiesfollowseasilyfrom thecorrespondingpropertiesforbooleanequationsystems(seealso [Sti96]). Theorem8.7PlayerIIhasawinningstrategyforthegameonGE withinitialvertexii([[e]])(xi)=true.moreoverjgej=o(jej). Proof:Followsimmediatelyfromlemma3.36andtheorem8.7. gameongewithinitialvertexi,thenshehasalsoahistoryfree winningstrategy. Proposition8.8IfplayerI(II)hasawinningstrategyforthe

118 IfvertexihaslabelIandi!jandi!kareedgesinGthen IfvertexiofGislabelledwiththerewillbeanequationXi=fi FromagamegraphGwederiveaBooleanequationsystemEG. FromgraphgamestoBooleanequationsystems. 118inEG.Therewillbenoequationsfortrueandfalse. Chapter8.Equivalenttechniques. IfvertexihaslabelIIandthereareedgesi!jandi!kinG Fori<jitisXiCXjinEG. Xi=Xj_XkisanequationofEG. thenxi=xj^xkisanequationofeg.ifthereisjustoneedge Proof:Followsimmediatelyfromthefact,thatthegamegraphdened withinitialvertexii([[eg]])(xi)=true.moreoverjgj=o(jegj). Theorem8.9PlayerIIhasawinningstrategyforthegameonG i!jfromithenxi=xjisanequationofeg. byegisagaintheoriginalgamegraph,i.e.g=geg,togetherwith lenceofdeterminingwhetherthereexistsawinningstrategyforone playerinagameandsolvingbooleanequationsystems.thisisanotherproofthatthedecisionproblemforgraphgamesisinnp\ theorem8.7 Withlinearreductionsinbothdirectionswehaveshowntheequiva- co-np.withtheequivalenceofthelatterandthemodelcheckingprobleminthemodal-calculuswegetimmediatelyananswertoanopen questionin[sti96]. Theorem8.10ForagamegraphGthereexistsapropositionof Proof:Followsfromtheorems5.2,8.7and8.9. themodal-calculusandamodelmwiththestatespaces,such thatforarenamingfunction:f1;:::;ng!sandanyvaluation withinitialvertexi.moreoverjmj=o(jgj2). Vitis: (i)2jjjjtviplayeriihasawinningstrategyforthegameong

119 canbeinterpretedasabranchofarunonanalternatingautomation asdenedintheprevioussection.thebranchisacceptediplayerii tices.theanalogytotheautomataapproachisobvious:eachplay 8.2.Graphgames. Inthissectionaplayhasbeendenedasaninnitesequenceofver- Relationtoothertechniques. 119 thisdenitionaplayisequivalenttoapathinatableauasdened vertexwiththeleastlabelbetweentherstandsecondoccurrenceof avertexhasbeenvisitedtwice.playeriiwinssuchaniteplay,ifthe theonevisitedtwiceislabelledwith,otherwiseplayeriwins.with ofvertices([sti96]).thentheterminationconditionforaplayis,that EquallyaplayonagamegraphGcanbedenedasanitesequence winstheplay. volved.amoreecientandsimplealgorithmavoidingredundancyis However,thecriteriaforpossible\reuse"ofpriorinformationarein- analgorithmwhichsolvesthedecisionproblemforniteplayshasto solvingthisprobleminatop-downmanneriscontainedin[mad92]. dealwithsameredundancyproblemastableauxhave.onealgorithm egyforplayeriiorasuccessfultableauarethesame.consequently insection6.3.thequestionwhetherthereexistsawinningstrat- Gaueliminationofsection6.4.

120 120 Chapter8.Equivalenttechniques.

121 Chapter9 InniteBoolean equationsystems. Sofarwehavebeenconcernedwithmodelcheckingonlyfornitestate systems.ithasbeenshownthattheretheproblemsofsolvingboolean boundedbuersorprogramsusingrecursivedata-structuressuchas innitestatespaceeasilyarisewhene.g.consideringsystemswithun- equationsystemsandmodelcheckingareequivalent.modelswithan naturalnumbersortrees.inthischaptertheframeworkofboolean equationsystemsontheotherhandwillbeshowntobeequivalent. sibly)innitestatespaceononehand,andsolvinginniteboolean equationsystemswillbeextendedtotheinnitecase.themodel resentablemethodforsolvinginnitebooleanequationsystems.here checkingproblemforthemodal-calculusandsystemswith(pos- approximationtechniquesarenotapplicable.wepresentanelimina- However,suchanequivalenceisonlyuseful,ifthereexistsanitelyrep- equationsystems.thiseliminationmethodiscloselyrelatedtothe tionmethodsimilartogausseliminationinsection6.4basedonarep- resentationofinnitebooleanequationsystemsbysetbasedboolean Inatableauforaninnitestatesystemthesameeectcanoccuras inthenitecase:thetableaumightcontainmanycopiesofsimilar tableaumethodofbradeldandstirling[bs91,bra92].itcombines thetop-downapproachofthetableauwithabottom-upevaluation.

122 intheeliminationalgorithmpresentedhere.itisintendedthatan theeliminationmethodsimpliesthesuccesscriterion.thenondeterminismcontainedinthetableaumethodis,ofcourse,stillcontained 122 subtrees.thebottom-upevaluationavoidsthiskindofredundancy. Chapter9.InniteBooleanequationsystems. Todeterminewhetheratableauissuccessfulornotitisnecessaryto investigatesocalledextendedpaths.itturnsoutthatthestrategyof intelligentprovermakesuseofher(notgenerallyformalizable)knowledgeaboutsystemandpropertytoproveinordertodealwiththtationforinnitebooleanequationsystems.weshowasubstitution stepandeliminationstepsimilartotheonesinthegauelimination ofsection6.4.withtheseanalgorithmisformulateddescribingthe nondeterministicpartsofthealgorithm. WedeneinniteBooleanequationsystemsandshowhowproperties bottom-upversionofthetableaumethodin[bs91,bra92].small forthecaseofnitebooleanequationsystemscanbetransfered.set basedbooleanequationsystemsareintroducedasaniterepresen- examplesdemonstratethetechnique. 9.1Denitions. InthissectionwedenesyntaxandsemanticsofinniteBooleanequationsystems.Furthermore,weshowthatforeachinniteBoolean mayconsistofinniteconjunctionsordisjunctions.however,what ofequations,ontheotherhandtheright-handsidesofeachequation twokindsofinnity:ononehandtheremightbeaninnitenumber thereexisthistoryfreewinningstrategies. InthecaseofinniteBooleanequationsystemswehavetodealwith bothsystemshavethesamesolution.intermsofgamesthissaysthat equationsystemthereexistsasysteminconjunctiveformsuchthat nitesequenceofblocks,whereablockisapossiblyinnitesetof ofaninnitebooleanequationsystemisasfollows. systems.aninnitebooleanequationsystemthereforeconsistsofa stillhastobeniteisthenestingdepthofinnitebooleanequation Booleanequationsallhavingthesamexpointoperator.Thesyntax

123 9.1.Denitions. ofitselementsisoftheformwi2ixi,vi2ixiorxiwhereiisa Denition9.1ThesetofpositiveinniteBooleanexpressions overacountablesetxofvariablesisdenotedbyib+1(x).each countableindexsetandxi2x[ftrue;falseg. AninniteBooleanequationisoftheformX=f,where2f;g, 123 X2Xandf2IB+1(X). equationsystemtherearenotwoequationshavingthesamevariable Again,fortechnicalreasons,weassumethatinaninniteBoolean 1B1:::nBnforsomen2IN. AninniteBooleanequationsystemEisanitesequenceofblocks thesamexpointoperator,j2jandjisacountableindexset. AblockBisasetofinniteBooleanequationsXj=fj,allhaving Xi=trueor(Xi)=trueforsomei2I,andfalseotherwise.Dually (Vi2IXi)()=falseifforsomei2IeitherXi=falseor(Xi)=false. ontheleft-handside.thedenitionsofthesetofleft-handsidevariableslhs(e)andright-handsidevariablesrhs(e)ofaninnitebooleamultaneoussubstitutionofallxi2xbybifori2i,suchthat ForsomeindexsetIandbI2IBIwedenoteby[XI=bI]thesi- [XI=bI](Xi)=bifori2Iandotherwise[XI=bI](Xi)=(Xi). aredenedasinthenitecase.wehave(wi2ixi)()=true,if equationsystemareasinthenitecase.alsoenvironments:x!ib ThesemanticofaninniteBooleanequationsystemisdenedrecursively.IncontrasttothenitecaseineachstepaninniteBoolean equationsystemisnotreducedtosystemswithoneequationless,but withoneblockless. wherelhs(b)=fxi2xji2igforsomeindexseti,andb2ibi. XI:B([[E]])=\fb2IBIj8i2I:bifi([[E]][XI=b])g Denition9.2LetBEbeaninniteBooleanequationsystem, XI:B([[E]])=[fb2IBIj8i2I:bifi([[E]][XI=b])g [[BE]]=[[E]][XI=XI:B([[E]])],where [[]]=

124 124 Withthisdenitionofthesemanticwecanmakeuseofallthepropertiesprovedforxpointequationsystemsinchapter3.Inthiscasewe interpretablockaboveasonevectorvaluedxpointequation.how- Chapter9.InniteBooleanequationsystems. ever,weoftenwanttoargueaboutasinglebooleanequation,not fromablockandconsideritasoneblock.whenarguingaboutin- nitelymanybooleanequationsthenblockscontaininginnitelymany equationsshouldbesplitbeforeapplyingtherelevantlemmata. aboutawholeblock.thereforeweneedthepropertybelowabout splittingofblocks.thenitisalsopossibletosplitasingleequation Lemma9.3Let B,B1andB2beblocks,whereB=B1[B2. E1,E2beinniteBooleanequationsystems, andanenvironment. saysthatforeverybooleanequationsystemeandenvironmentthere fromxpointexpressionstoxpointequationsystems.detailsareleft tothereader. Wenowshowapropertywhichistheinniteversionoflemma3.36.It Proof:FollowsfromBekic'sTheorem2.24andthetransformation existsaconjunctivebooleanequationsysteme0suchthate0e,and Then[[E1BE2]]=[[E1B1B2E2]]. [[E0]]=[[E]].Intermsofgamesthismeansthatalsointheinnite casetherearehistoryfreewinningstrategies. Theorem9.4GivenaninniteBooleanequationsystemE= IfjXk=Vi2IXiisanequationinblockBjofEthenitisalso 1B1:::nBnandanenvironmentthereexistsaninniteBoolean junctionsontheright-handside,suchthat IfjXk=XiisanequationinblockBjofEthenitisalsoan equationsysteme0=1b01:::nb0nsuchthate0containsnodis- anequationinb0jofe0.

125 9.2.Equivalencetothemodelcheckingproblem. IfjXk=Wi2IXiisanequationinblockBjofEandIis [[E]]=[[E0]] blockb0jofe0.ifiisemptythenjxk=falseisanequationof nonempty,thenforsomei2itheequationjxk=xiisin 125 Aproofcanbefoundintheappendix. 9.2Equivalencetothemodelchecking ThetransformationfunctionE1mapsapair(;M)consistingofa systemsonlyoneconjunctoronedisjunctontheright-handsideof eachequationwehavetointroducenewvariables. nitestatespacestoinnitebooleanequationsystemsdoesnotdier fromthenitecase.however,asweallowforinnitebooleanequation Essentiallythetransformationofthemodelcheckingproblemforin- problem. statespacestoaninnitebooleanequationsystem. ThefunctionE1performsthetransformationsfromanestedxpoint formulatoaxpointequationsystemandcreatesthebasicblock modal-calculusformulaandamodelmwithapossiblycountable structureofthewholesystem.byintroductionofnewvariablesand constantsitalsoreduceseachright-handsideexpressiontoasingle variable,constant,modality,disjunctionorconjunction(andnocombinationofthose).e1referstoasetoffunctionsfe1;e2;:::g,which WeomittheargumentMofE1whenitisclearfromthecontext. relatedtostatesiofthetransitionsystem. createthebooleanequationswithinoneblock.eacheifori2inis E1(1_2)=E1(1)E1(2) E1(1^2)=E1(1)E1(2) E1([a])=E1() E1(X)= E1(Q)=

126 126 E1(X:1_2)=(X1=E1(X0_X00))(X2=E2(X0_X00))::: E1(X:1^2)=(X1=E1(X0^X00))(X2=E2(X0^X00))::: E1(hai)=E1() E1(X0=1)E1(X00=2)forfreshX0,X00 Chapter9.InniteBooleanequationsystems. andfori2in E1(X:)=(X1=E1())(X2=E2()):::E1() Ei(Q)=(trueifsi2V(Q) ifisnotaconjunctionordisjunction Ei(X:)=Xi Ei(hai)=_ Ei([a])=^ Ei(X)=Xi sia!sjej() falseelse V(Xi)=trueisi2V(X). ThetransformationfunctionE1alsomapstoavaluationVanenvironmentVdenedasfollows: Proposition9.5ThepropertyX:holdsatstatesioftransitionsystemTinthemodelM=(T;V),sij=MX:,ithe correspondinginnitebooleanequationsystemhasthesolutiontrue forxi,i.e.forallenvironmentsvitisthecasethat section5.2isimmediatelyapplicabletotheinnitecase. introductionofnewvariablesandequationsiscorrectduetolemma systemtoamodelcheckingproblemworkshere.theconstructionof Proof:Theproofisanalogoustotheoneofproposition5.1.The AlsothebackwardstransformationfromaninniteBooleanequation ([[E1((X=);M)]]V)(Xi)=true.

127 9.3.SetbasedBooleanequationsystems. ([[E]])(X)=([[E(;M)]])((X)) X2lhs(E)andenvironmentswehave Theorem9.6ForeachinniteBooleanequationsystemEthere existsapropositionofthemodal-calculusandamodelm,such thatforavariablerenamingfunctiononthevariablesofe,all 127 SofarwehaveintroducedinniteBooleanequationsystems,showed 9.3SetbasedBooleanequationsystems. Proof:SeeproofofTheorem5.2 thatvariouspropertiesofthenitecasealsoholdfortheinnite,and thatthemodelcheckingproblemforpossiblyinnitestatespacesand innitebooleanequationsystemsareequivalent.howeverthisresults ThereforehereTheorem9.4iscrucial.Foreverymodelcheckingprob- TheniterepresentationwegiveheredealsonlywithinniteBoolean onlybecomeuseful,ifwendaniterepresentationofinniteboolean equationsystems.thisistheaimofthissection. lemwegetaninnitebooleanequationsystem,andforeveryin- nitebooleanequationsystemethereexistsanotherinniteboolean existdisjunctions,thentheyconsistofnotmorethanonedisjunct). solutionaseandbeingnitelyrepresentable. equationsysteme0withoutproperdisjunctions,buthavingthesame equationsystemswhichcontainnoproperdisjunctions(i.e.ifthere ThekindofBooleanequationsystemswhichwillbeintroducedhere Herethisideageneralizestovariablesforpairsconsistingofasetof iscalled\setbased".intuitivelyinabooleanequationsystemderived statesandaxpointvariable,andthevariablewillbetrue,ifthe fromamodelcheckingproblemthereisonevariableforeachpair correspondingxpointformulaholdsatallstatescontainedintheset. consistingofastateandaxpointvariable.thevariablewillbetrue, Thesetsconsideredheremayofcoursecontaininnitelymanystates ifthexpointformulacorrespondingtothisvariableholdsatthestate. andthisisthetechniquewhereniterepresentationscanbeobtained.

128 thatpurposeweneedpartialmappings;1;:::.eachright-handside theinnitebooleanequationsystem,towhichitistransformed.for mationtoaninnitebooleanequationsystem.thesemanticsofa setbasedbooleanequationsystemisthendenedbythesemanticsof variableinasetbasedbooleanequationsystemwillbeequippedwith 128 EncodedinasetbasedBooleanequationsystemwillbeatransfor- Chapter9.InniteBooleanequationsystems. M!P(S).Thenwealsodene(N)=Ss2N(s)forNS. Theconcatenation21andunion1[2of2:M2!P(S)and 1:M1!P(S)aredenedintheusualway: ForthestatespaceSandsomeMSletthefunctionbe: suchamapping. Givenafunction:M!P(S)dene and1[2:(m1[m2!p(s) 21:(M1!P(S) s17!fs2sj9s22m2:s221(s1)ands22(s2)g i+1def 0def def =Id;theidentityfunction =[ =i i2ini s7!1(s)[2(s) wellfounded. WenowdenethesyntaxofsetbasedBooleanequationsystems. denes1<s2ifs12(s2).wewillsayiswellfounded,if<is Anorder<onMSisdenedbyafunction:fors1;s22M (X;M)2XisaBooleanvariable, (X;M)=Vj2J(Xj;Mj;j),where Denition9.7AsetbasedBooleanequationisoftheform: 2f;g, M;MjSforallj2J,

129 9.3.SetbasedBooleanequationsystems. Jisaniteindexset, (Xj;Mj)2X[ftrue;falseg, j:m!mjforallj2j. AsetbasedBooleanequationsystemisanitesequenceofsetbased Booleanequations. 129 viaatransformationtofetoaninnitebooleanequationsystem. ThesemanticsofasetbasedBooleanequationsystemEisdened Informally,asetbasedequation(X;M)=Vj2J(Xj;Mj;j)will bemappedtoasetofinnitebooleanequations,eachoftheform Xs=fs,wheres2Mandfsisaconjunctionwhichwillbedened T(((X;M)=^j2J(Xj;Mj;j))E)= below. AssumeM=fs01;s02;:::g.ThenT()= (Xs01=^j2J^ t2j(s01)xj;t)(xs02=^j2j^ Xj;t=trueifXj=true, where Xs0i2X, Xj;t2X[ftrue;falseg, t2j(s02)xj;t):::t(e) Xj;t=falseifXj=false. (Xj;Mj)=false,thentheinnitedisjunctionalsogetsfalse,i.e., Itiseasytosee,thatifinVj2J(Xj;Mj;j)foroneofthedisjuncts systemeisdenedrelativelytoanenvironmentandisitselfan [[E]]=0,where0((X;M))=(Vs2MXs)([[T(E)]]) environment. Denition9.8ThesemanticsofasetbasedBooleanequation ([[((X;M)=Vj2J(Xj;Mj;j))E]])((X;M))=false.

130 andstirling[bs91,bra92].intheirmethodthesuccessofatableau 130 abottom-upevaluationversionofthetableaumethodofbradeld 9.4Eliminationmethod. InthissectionwepresentaneliminationmethodforsetbasedBoolean equationsystems.similarlytothenitecaseitcanbeinterpretedas Chapter9.InniteBooleanequationsystems. methodthistaskissolvedbythemappingsinaverysimpleway. Analogouslytothenitecase(seesection6.4)wedeneasubstitution stepandaneliminationstepinasetbasedbooleanequationsystem, andshowthattheypreservethesolution. Firstweshowthesubstitutionstep.Whenperformingonesubstitution stepinasetbasedbooleanequationsystemethisstandsforapossibly requiresinvestigationofsocalledextendedpaths.intheelimination innitenumberofsimultaneoussubstitutionstepsinthecorresponding innitebooleanequationsystemt(e). Lemma9.9Let E1,E2,E3besetbasedBooleanequationsystems, M;N;N0S,whereNN0 assumingthatforallj2jitisy6=xj fn0=^ fm=(y;n;y)^^j2j(xj;mj;j); f0m=^ k2k(yk;nk;k); Theproofisintheappendix. anenvironment. Then[[E1(X(X;M)=fM)E2(Y(Y;N0)=fN)E3]] =[[E1(X(X;M)=f0M)E2(Y(Y;N0)=fN)E3]]. k2k(yk;nk;yk)^^j2j(xj;mj;j); mayjustbesubstitutedbytrueorfalse.herewheneliminatingavariableadditionallythemappingsofallotherright-handsidevariables systemstheright-handsideoccurrencesoftheleft-handsidevariable Nextweshowtheeliminationstep.IncaseofniteBooleanequation

131 vestigationofextendedpathsinthetableaumethod. 9.4.Eliminationmethod. ofthisequationareextended.intuitivelythiscorrespondstothein- Lemma9.10Let E1andE2besetbasedBooleanequationsystems, (X;M)=(X;M;)^Vi2I(Xi;Mi;i)asetbasedBoolean 131 anenvironment,and 0def equation, Aproofcanbefoundintheappendix. BasedonthesebothlemmataisthealgorithminFigure9.1.Itstask If=then0=[[E1((X;M)=Vi2I(Xi;Mi;i))E2]]. If=andiswellfoundedthen0isasinthecasefor=, ifisnotwellfoundedthen0((x;m))=false. =[[E1((X;M)=(X;M;)^Vi2I(Xi;Mi;i))E2]] collectedintheblockt((z;s0)=g).evaluationevalofconjunctions allotherequationszs=gsremainunchanged.alltheseequationsare ronmentitis([[e]])(xs)=true.creatinganequation(z;s0)=g handsideofanequationzs=gsineonedisjunctisselected,whereas istoshowthatforaninnitebooleanequationsystemeandenvi- isheredonebythefollowingrules: includesanondeterministicchoice:fromeachdisjunctionontheright- Thealgorithminpseudocodeisasfollows: (false;)^^i2i(xi;mi;i)=(false;) (true;)^^i2i(xi;mi;i)=^i2i(xi;mi;i) systemsandproveditcorrect.thequestionisstill,whetheritisalways SofarwepresentedanalgorithmforsolvingsetbasedBooleanequation possibletondarepresentationofaninnitebooleanequationsystem assetbasedbooleanequationsystemsuchthatfromsolvingthelatter ^;=(true;)forany thesolutionoftherstcanbederived.

132 132 Apply,ifpossible,aneliminationstep; fx:=eval(fx); E0:=X(X;M)=fX; whilenotfx=(true;)orfx=(false;) CreateanequationX(X;M)=fX,suchthats2M; Chapter9.InniteBooleanequationsystems. doselect(y;n;y)fromfx; Figure9.1.EliminationalgorithmforinniteBooleanequationsystems. odevaluateeachequationz(z;m0)=eval(fz); CreateanequationY(Y;N0)=fY,whereNN0; InsertY(Y;N0)=fYinE0accordingtothetransformation; Proposition9.11ForaninniteBooleanequationsystemEand Applyallpossibleeliminationstepsandsubstitutionsteps; consistsintheselectionofasetofstateswhencreatinganewequation. suchthatthesolutionispreserved.theothernondeterministicchoice systeme.theorem9.4saysthatthereexistsachoiceofdisjuncts TheoneisthechoiceofdisjunctsintheinniteBooleanequation Proof:Thealgorithmincludestwosortsofnondeterministicchoices. canevaluateavariable(x;m)totrue,wheres2m. environment,where([[e]])(xs)=truethealgorithminfigure9.1 method.)wehavetomakesurethatthereexistchoices,suchthatthe (Notethatthischoiceiscomparabletothethinruleinthetableau variablesofthesystemewhichhavethesolutiontrue.hencethereare thesolutiontrue,i.e.nydef Thesimplestchoiceiscollectingallvariablesofablock,whichhave nitenumberofthesesets.whenrestrictingthechoiceofsetstothese blockofethereexistsonesetofthiskind,andthereforethereisjusta resultingsetbasedsystemcontainsonlyanitenumberofequations. NYtheresultingsetbasedsystemE0isnite.Notethatitcontainsall =fs2sj([[e]])(ys)g=true.foreach

133 9.5.Examples. enoughequationsinordertoapplythesubstitutionandelimination steps,whicharecorrectaccordingtolemmata9.10and Examples. 133 Wewanttodemonstratetheeliminationmethodbytwoexamples. Theproblemsarebothcontainedin[Bra92]. -calculusthisis:s2jjz:[ ]ZjjTV. everypathstartingatshasonlynitelength.intermsofmodal ForthetransitionsystemTbelowwewanttoshowthepropertythat sbbbbbp TTTTTTTTB Xs11 s33 s00 s22xxx s10 InarststepwederivetheinniteBooleanequationsystemforthe s21 s32xx s31 s20 modelcheckingproblemabove. Xs30 Zsij=Zsi(j 1) Zs=Vi2INZsiifori;j2INand0<ij andpropertytoprovecomesin.ononehandineachdisjunction ThenextstepistondarepresentationassetbasedBooleanequation system.ingeneralthisisthepartwheretheknowledgeaboutsystem oftheinnitesystemonedisjuncthastobeselected,whichisnot innitesystemasuitablepartitionofthestatespacehastobefound. necessaryinthecasehere.ontheotherhandforeachblockofthe Zsi0=true fori2in

134 134 Asabbreviationweintroducethesetsandmappings M1def M2def M3def 0:s7!f(0;0)g =f(i;i)ji2innf0gg =f(i;j)2ininj0<jig =f(i;0)2iningchapter9.innitebooleanequationsystems. 2:8><>:M2!P(M2) 1:s7!M1 (i;j)7!f(i;j 1)gforj>1 ThesetbasedBooleanequationsystemisthen: 3:8><>:M2!P(M3)? willdenoteanarbitrarymapping (i;1)7!f(i;0)g (i;j)7!;forj>1 (i;1)7!; Theprocedureofsolvingthisequationsystemisnowdoneindetail. Wesubstitutetheright-handsideofequation9.3intoequation9.2 gettingforequation9.2: (Z;M2)=(Z;M2;2)^(Z;M3;3) (Z;M3)=(true;?) (Z;fsg)=(Z;M1;1)^(Z;f(0;0)g;0) (9.1) (Z;M2)=(Z;M2;2)^(true;?) (9.2) (9.3) Inthelaststepwesubstitutetheright-handsidesofequations9.5and Nextweapplyaneliminationsteptoequation9.4.Because2is wellfoundedweget: 9.3intoequation9.1. (Z;M2)=(true;?) (9.5) (9.4) (Z;fsg)=(true;?)^(true;?) (9.6) (9.7)

135 9.5.Examples. whichgivestheexpectedresultzs=trueors2jjz:[ ]ZjjTV.C ThesecondexampleisoriginallyaPetriNetexamplein[Bra92].Here wedemonstrateitsversionbasedonatransitionsystem.theproperty Thiswillbeshownfortheinitialstates00ofthetransitionsystembelowandthecorrespondingexpressioniss002jjY:Z:[c]Y^[ c]zjjtv. 135 toproveisthatonallpathsac-transitionoccursonlynitelyoften. s00 c s01 s11 c s02 c s03 c i2f1;2g,j;k2inandk>0.denethemappings Weimmediatelypresentasetbasedsystem,whereitisassumedthat s101((1;j))=(f(1;j)gforj1 ;forj=0 s12 s13 ::: 5((1;k))=(f(1;k 1)g)fork>1 3((0;j))=f(0;j+1)g 4((0;j))=f(1;j)g 2((1;j))=(;forj1 f(1;0)gforj=0 ThenasetbasedBooleanequationsystemequivalenttothemodel checkingproblemis: (Y;f(0;j)g)=(Z;f(0;j)g;id) 6((1;1))=f(1;0)g; fork=1 (Z;f(0;j)g)=(Z;f(0;j)g;3)^(Y;f(1;j)g;4)(9.10) (Y;f(1;j)g)=(Z;f(1;k)g;1)^(Z;f(1;0)g;2)(9.9) (9.8)

136 136 Aftersubstitutionofequation9.12intoequations9.11and9.9and eliminationstepsinequations9.10and9.11weget: (Z;f(1;k)g)=(Z;f(1;k)g;5)^(Z;f(1;0)g;6)(9.11) (Z;f(1;0)g)=(true;?) Chapter9.InniteBooleanequationsystems. (Y;f(0;j)g)=(Z;f(0;j)g;id) (Y;f(1;j)g)=(Z;f(1;k)g;1)^(true;?) (9.12) (9.13) 9.13andalso9.16in9.14. Nowwesubstitutetheright-handsideofequation9.15inequation (Z;f(1;k)g)=(true;?) (Z;f(1;0)g)=(true;?) (Z;f(0;j)g)=(Y;f(1;j)g;43) (9.15) (9.16) (9.17) (9.14) Thelastsubstitutionof9.19in9.18givestheresult (Y;f(0;j)g)=(Y;f(1;j)g;id43) (Y;f(1;j)g)=(true;?) ::: (9.18) anditisprovedthats002jjy:z:[c]y^[ c]zjjtv. (Y;f(0;j)g)=(true;?) (9.19) tionsystemscanbeextendedinordertodealalsowithinnitestate spaces.themodelcheckingproblemforinnitestatespacesandsolvingbooleanequationsystemswereshowntobeequivalent.whilstthe tofullyautomaticproving.therstallowstoconsideronlyarelevant thetableaumethodthereandtheeliminationmethodpresentedhere arecloselyrelated.themainadvantagesofthetableaumethodarethe theoreticalapproachdiersverymuchfromtheonein[bs91,bra92], 9.6Conclusion. InthischapterweshowedthatthetechniquesforniteBooleanequa- C onesoflocalmodelcheckingandcomputerassistedprovingincontrast

137 9.6.Conclusion. partofthestatespace,whichispossiblyamuchsmallersubset.the lattergivesthepossibilitytosetupaprooffollowingtheknowledge aboutthespecialstructureandpropertiesofasystemincontrastto traversingawholestatespaceandtryingtoproveeverysubformula ateverystate,whichmakesprovingpropertiesimpossibleforinnite systems.theeliminationalgorithmcombinesthetop-downstrategy 137 wegettheadvantagesofthetableaumethod,butwearealsoableto ofthetableauwithabottom-upevaluation.withthiscombination avoidtheinherentredundancyoftableauxaswellasexplorationof Andersen[And94b]describedanothermethodforperformingmodel extendedpathsforthesuccesscriterion. -calculustoinnitebooleanequationsystems,butdidnotderivea andalsosimilartothetableausystemof[bs91,bra92].itimproves checkingoninnitestatesystems,presentedasasetofrewritingrules niterepresentation. thetableaumethodinthesensethatthesuccesscriterionforaleafis derivablefromthepathleadingtothatleafratherthanbyanexplorationofpossiblythewholetableau. AlreadyWallner[Wal94]transformedmodelcheckingforthemodal

138 138 Chapter9.InniteBooleanequationsystems.

139 Chapter10 Conclusion. showntobeequivalentforboth,modelswithinniteandwithnite statespace. Theapproachwasanalgebraicone:modelcheckingwastransformed tosolvingbooleanequationsystemsandbothproblemshavebeen Inthisthesisweattackedmodelcheckinginthemodal-calculus. 10.1Finitestatespacemodelchecking EquivalencetosolvingBooleanequationsystems themodelcheckingproblem:right-handsidesofequationsarenegationfreebooleanexpressions,theequationsareorderedlinearly,and eachequationisequippedwithaminimalityormaximalitycondition; thelogicalmodalitiesdisappear,andthemodelisencodedintheequa- Booleanequationsystemsasusedherehaveasimplerstructurethan checkingproblemtoabooleanequationsystem.withthisresult anyalgorithmsolvingoneoftheproblemsalsosolvestheotherone. theequivalenceofbothproblemsbyareductionwhichmapsamodel spacestosolvingbooleanequationsystems.furtherwehaveshown Otherpeoplehavereducedthemodelcheckingproblemfornitestate tionsystem.booleanequationsystemsareinterpretedovercomplete

140 140 latticesandresultsoflatticetheorygivesupportinndingnewalgorithms. Algorithmsandcomplexity Thereexistseveralalgorithmswhichsolvethemodelcheckingproblem Chapter10.Conclusion. standing.weintroducedanewalgorithm,similartogauelimination plexity.themodel-checkingproblemisknowntobeinnp\co-np, ingallofthemwithinoneframeworkhelpedtogetaclearerunder- anditisbelievedthatthereexistsanalgorithmsovingtheproblemin polynomialtime.butsofar,nopolynomialalgorithmhasbeenfound. Existingmodel-checkingalgorithmsusevarioussettings,andinterpret- fornitestatespaces.however,theyallhaveexponentialtimecom- alongtimetondanexamplewherethisalgorithmhasexponential behaviour,i.e.theexpressionscreatedhaveexponentialsize.while forlinearequationsystems,inaglobalandalocalversion.ittook lookingforitmanyexamplesoccurredwherethetableaumethodand theapproximationtechniquehaveexponentialtimecomplexity(and alsospaceforthetableau),butgaueliminationsolvestheminlineartimeandspace.thedicultyinndinganexponentialexample GaueliminationisindependentofthealternationdepthofaBoolean equationsystemora-calculusformula(butdependsonthestructure mightindicatethattheaveragecomplexityoftheproblemismuch betterthanexponential.furthermore,weshowedthatcomplexityof alternationdepth.obviously,isnotinherenttotheproblemthatalgorithmssolvingitareexponentialinthealternationdepth.thisgives anargument,thattherecouldbeapolynomialalgorithmcombining ideasofapproximationandeliminationapproach. Application Fairnesspropertiesarequitediculttoexpressinthemodal- -calculusallowstoexpress\innitelyoften"andthisisanecessary oftheexpressions).approximationalgorithmsareexponentialinthe calculus.usuallystatementsarerestrictedtothefactthatthemodal

141 ingredientforfairnessproperties.wegaveinsection*7examples whichallowthederivationofaschemeforengineering\real"liveness propertieswithfairnessassumptions.somefairnessandliveness propertiescanalsobeexpressedinothertemporallogics,suchas 10.1.Finitestatespacemodelchecking CTL*,buttranslationfromtheselogicstomodal-calculusisfor allinterestinglogicsexponentialorevenworse.thereforeitisuseful 141 exampleshelpwithengineeringofnewformulae. Otherframeworks Modelcheckinginthemodal-calculushasalreadybeentreatedin toformulatepropertiesdirectlyinthemodal-calculusandour otherframeworks.welookedatthemfromtheperspectiveofboolean equationsystemsandcouldshowequivalencesforautomata-theoretic andgame-theoreticproblems. Automatatheory modelcheckinginthemodal-calculustoautomata-theoreticprob- Wewereabletoshowanewresult:theequivalenceofsolvingBoolean Mapping-calculusformulaetoautomataalreadyhasalongtradition. automata.thereisastrongclaim,thatmodal-calculusexpressions dition.theequivalencetomodelcheckingfollowsimmediatelywith lems.however,allautomatapreviouslyconsideredhavebeentree- resultsfromchapter5.inotherworktherearevariousreductionsof equationsystemsandtheemptinessproblemforalternatingautomata correspondtotree-automata,andthisideahasbeentransferredto oninnitestringsovera1-letteralphabetandparityacceptancecon- modelcheckingwork.ourresultdemonstratesthatthisisnotanecessaryfeature.nonewcomplexityresultsfollowdirectlyfromour tondasolution. equivalence,butnowalsoresultsofalternating!-automatamayhelp

142 142 WehaveshowntheequivalenceofsolvingBooleanequationsystems andgraphgames.indoingthiswegaveananswertotheopenquestion Gametheoryisanactiveareaofresearchandthereexistreductionsof ofwhethergraphgamesarereducibletomodelcheckingproblems. Chapter10.Conclusion. 10.2Innitestatespacemodelchecking answertothecomplexityofthemodelcheckingproblem. thatanswerstoopencomplexityquestionsingametheorywillgivean \subexponential"algorithm(2opn)(see[sti96]).thereissomehope graphgamestoe.g.simplestochasticgame,forwhichthereexistsa ForthecaseofinnitestatespacesweintroducedinniteBoolean Translatingintogame-theoreticterms,wealsoshowedtheexistenceof EquivalencetosolvingBooleanequationsystems equationsystemsandshowedtheequivalenceofmodelcheckingin themodal-calculusandsolvinginnitebooleanequationsystems. theexistenceofhistory-freewinningstrategieswasacrucialconditionforrepresentinginnitebooleanequationsystemsbynite,set basedbooleanequationsystems.thealgorithmiscloselyrelatedto thetableaumethodofbradeldandstirling[bs91,bra92],but,like inthenitecase,avoidingredundancyoftableaux.thebottom-up eliminationalgorithmforinnitebooleanequationsystems.here, history-freewinningstrategiesforthecaseofinnitestatespaces. Algorithm AnalogouslytoGaueliminationforthenitecasewederivedan strategyforsolvingsetbasedbooleanequationsystemsgaveanother Likeinthetableausystemthereisahighgradeofnondeterminism minesuccessofaleafisreplacedbyiterativefunctioncompositions whichseemstobeeasiertreatableforanimplementation. advantage:thecomplicatedexplorationofextendedpathstodeter-

143 inherentintheeliminationalgorithm.theideaofmakinguseof knowledgeaboutasystemandapropertytodirectaproofisquite attractive.ifthesupposedpropertiesaboutasystemandthesystem 10.2.Innitestatespacemodelchecking donotcoincidethenthesolutionofthesetbasedsystemconstructed willbefalse.thisalsoimmediatelygivesdiagnosticinformation.it wouldbeinterestingtotrythisapproachwithrealworldexamples. 143

144 144 Chapter10.Conclusion.

145 AppendixA A.1ProofsofChapter3. Thesolutionof[(X=f)E]isthelexicographicallyleast Proposition3.5Thesolutionof[]is. (w.r.t(x=f)e)environment1satisfying: (1)f(1)=1(X)and (2)1isthesolutionof[E][X=1(X)]. Proof:Assumethat=.Thecase=isdually. (8)01(X)1(X) (7)f(01)=01(X) ontheotherhandfor (6)01def (5)1(X)Tfajaf([E][X=a])gfrom(3)and(4) (3)1=[E][X=1(X)] (4)1(X)=f([E][X=1(X)]) =[E][X=X:f([E])] 1islex.leastenv. from(1) from(2) (9)1(X)=X:f([E])] from(5)and(8) fullling(1)and(2)

146 Proof:Followsdirectlyfromproposition Corollary3.7If[E]=0then[E(i)]0=0for1in. AppendixA.Appendix equationsystemsconcerningtheindependenceofequationswithdifferentvariables. Lemma3.10LetE1andE2bexpoint-equationsystems,suchthat lhs(e2)\rhs(e1)=;. Then[E1][E2]=[E1E2]. Theproofofproposition3.9isnowbyinductiononthestructureof E. AssumeX:fisanunnestedexpression,i.e.E(X:f)=X:f,and Proposition3.9LetX:fbeaxpointexpressionoveralattice(A;) andanarbitraryenvironment. Then(X:f)()=([E(X:f)])(X). Proof:FortheproofofthispropositionweneedapropertyofBoolean lhs(e1)\rhs(e2)=;, lhs(e1)\lhs(e2)=;, Nowassumethat1X1:f1;:::;lXl:flarethedirectxpointsubformulaeofX:f(andbyassumptionthenamesofvariablesin xpointexpressionsareunique,suchthatx1doesnotoccurin =([X=X:f()])(X) ThesameholdsforunnestedX:f ([X:f])(X)=([][X=X:f([])])(X) anenvironment. 2X2:f2;:::;lXl:fletc.).Furthermoreletfor1ilandSA [E(iXi:fi)][X=S]def =(X:f)() ([X:f])(X)=([(X:E0(f))E(1X1:f1):::E(lXl:fl)])(X) =([(X:E0(f))E1:::El])(X) =([E1:::El][X=X:(E0(f)([E1:::El]))])(X) =[Ei][X=S]=(iXi:fi)([X=S])

147 A.1.ProofsofChapter3. AgainthesameholdsfornestedX:f. =X:(E0(f)([E1:::El]))(lemma3.10) =X:(E0(f)([E1]:::[El]) =X:(E0(f)([X1=1X1:f1;:::;lXl:fl)) =(X:f)() 147 inductionstep:[e]1[e]2 Lemma3.11If12then[E]1[E]2. inductionhypothesis:assumethatforall12itis[e]1[e]2. Forall12itisthecasethat[]1=12=[]2. Proof:byinduction. [E]1[X=X:f([E]1)][E]2[X=X:f([E]1)](ind.hyp.) 1[X=X:f([E]1)]2[X=X:f([E]1)](denitionof) [(X=f)E]1[(X=f)E]2 X:f([E]1)X:f([E]2) (fandx: aremonotone) Proof:Forthesecondpartweshow[(X=f)E1][(X=f)E2]. Thelemmaasstatedfollowsthenfromiterativeapplicationofthe Lemma3.14IfE1E2thenEE1EE2. IfE1-E2thenEE1-EE2. (denitionof semantics) weakerstatement. Therstpartfollowstheimmediately. [(X=f)E1]=[E1][X=X:f([E1])] =[(X=f)E2]: [E2][X=X:f([E2])] [E1][X=X:f([E2])]

148 148 Lemma3.16IfE1E2thenalsoE1-E2 Assumefg.Then [X=f]=[X=(X:f)()] Proof:bystructuralinduction [X=(X:g)()] AppendixA.Appendix AssumefgandE1E2with[E1][E2]. [(X=f)E1]=[E1][X=X:f([E1])] =[X=g] [E1][X=X:g([E1])] Lemma3.18If([(X=f)E])(X)=([(X=g)E])(X) [E1][X=X:g([E2])] Proof:Followsdirectlyfromproposition3.5. then[(x=f)e]=[(x=g)e]: [E2][X=X:g([E2])] =[(X=g)E2] Lemma3.19Let EE1(X=f)E2, ([E])(X)=a,and E0E1(X=a)E2. Then[E]=[E0]. Proof:Notethatherewecannotsimplyapplyproposition3.5or is016=1andderiveaninnitenumberofsubsystemsofeande0, Theproofisdonebycontradiction.Weassumethatfor[E0]def whichmusthavedierentsolutions. lemma3.14,becausetheequivalence[(x=f)e2]=[(x=a)e2] doesnotholdforallenvironments. =01it

149 orderofequationsine),forwhichholds1(y)6=01(y),suchthat forallpreviousvariables1and01coincide.fixtheisuchthat respectively.letnbethenumberofequationsofe.foralli,1in A.1.ProofsofChapter3. NowchoosetherstvariableYofvar(E)(rstwithrespecttothe holds,[e(i)]1=1. 1and01coincideinallvariableswhicharenotboundinE,orE0 149 E(i)(iY=g)E(i+1),andE0(i)(iY=g)E0(i+1). 1=[E(i)]1 =[(iy=g)e(i+1)]1 Hence,because1(Y)6=01(Y)also 01=[E0(i)]1 =[E(i+1)]1[Y=iY:g([E(i+1)]1)] iy:g([e(i+1)]1)]6=iy:g([e0(i+1)]1)], Ontheotherhandstill1(X)=aandalso00 andtherefore[e(i+1)]16=[e0(i+1)]1def =[(iy=g)e0(i+1)]1 canapplythesameargumentationtoe(i+1),1,e0(i+1)and00 =[E0(i+1)]1[Y=iY:g([E0(i+1)]1)] on.altogetherwecanderivethattheremustbeaninnitenumberof subsystemse(i)ande0(i)havingdierentsolutionsrelativeto1. Lemma3.20[E1(X=a)E2]=[E1E2][X=a]. =00 1 Proof:Forallenvironmentswehave[(X=a)E2]=[E2][X=a]. 1(X)=a.Thereforewe ForsomeE;E0andallenvironmentslet[E]=[E0][X=a].Then 1,andso [(Y=f)E]=[E][Y=Y:f([E])] =[E0][X=a][Y=Y:f([E0][X=a])] =[(Y=f)E0][X=a]:

150 150 Lemma3.21Let 1def 2def Proof:followsfromBekic'stheoremandthetransformationfrom Then1=2. =[E1(X1=f1)(X2=f2)E2],and =[E1(X2=f2)(X1=f1)E2]. AppendixA.Appendix nestedxpointstoxpoint-equationsystemsinproposition3.9. Lemma3.22If X1isnotfreeinf2, showsthat [(1X1=f1)(2X2=f2)E2]=(2X2=f2)(1X1=f1)E2] X2isnotfreeinf1, 1def forallenvironments.thenlemma3.14canbeapplied. 2def Proof:Straightforwardapplicationofthedenitionofthesemantics Then1=2. =[E1(1X1=f1)(2X2=f2)E2] =[E1(2X2=f2)(1X1=f1)E2] Lemma3.23Let 1def 2def Thenitis12,andmoreover,iftheinequalityisstrictthen =[E1(X1=f1)(X2=f2)E2],and =[E1(X2=f2)(X1=f1)E2]. propositiontoshowthatforallenvironmentsitis Proof:Accordingtolemma3.14itsucesfortherstpartofthe 1(X1)<2(X1)and1(X2)<2(X2). [(X1=f1)(X2=f2)E2][(X2=f2)(X1=f1)E2]. Duetoproposition3.5thesearethetwopropertieswhichthesolution Let[(X1=f1)(X2=f2)E2]def f2(01)=01(x2)(proposition3.5), 02of[(X2=f2)(X1=f1)E2]musthave,andfurthermorethe [(X1=f1)E2]01=01(lemmata3.19,3.20) =01.Weknowthat

151 solution02isthelexicographicleastoneofthoseenvironments0 havingtheseproperties.hencethesolution02islexicographically A.1.ProofsofChapter3. lowerorequalto1,i.e.02(x2)01(x2). solutionsmustbeequal. If02(X2)=01(X2)thenapplyinglemmata3.19,3.20showsthatboth 151 andwithlemma3.11also 01=[(X1=f1)(X2=f2)E2] 02=[(X1=f1)E2][X2=02(X2)] If02(X2)>01(X2)then0201and[X2=02(X2)]>[X2=01(X2)] =[(X1=f1)E2][X2=01(X2)] =[(X1=f1)E2][X2=02(X2)] =01: [(X1=f1)E2][X2=01(X2)] =[(X2=f2)(X1=f1)E2]: Lemma3.24Let 1def 2def Thenitis12,andmoreover,iftheinequalityisstrictthen =[E1(X=f)E2],and =[E1(X=f)E2]. lemma3.14itsucestoshowthat[(x=f)e2][(x=f)e2]. Proof:Inordertoprovetherstpartofthelemmaandaccordingto 1(X)<2(X). 1(X)=2(X)=aintheequationsystemsduetolemma3.19and [(X=f)E2]=[E2][X=X0:f([E2][X=X0])] eliminateitwithlemma3.20: Forthesecondpartofthelemmaassumethatthesolutionscoincideat Xandshowthatthentheymustbeidentical.Substitutethesolution [E2][X=X0:f([E2][X=X0])] =[(X=f)E2]:

152 152 [E1(X=f)E2]=[E1(X=a)E2] =[E1E2][X=a] =[E1(X=f)E2]: =[E1(X=a)E2] AppendixA.Appendix wherex0isanewvariable,i.e.(*)x0doesnotoccurontheright ([(X=f1_f2)E])(Y)=([(X=f1_X0)(0X0=f2)E])(Y), Lemma3.25 ([(X=f1^f2)E])(Y)=([(X=f1^X0)(0X0=f2)E])(Y), handsideofeorinf1orf2,and(**)y6=x0. Proof:bystraightforwardapplicationofthedenitionofthesemantics. ([(X=f1^X0)(0X0=f2)E])(Y) =([(0X0=f2)E][X=X:(f1^X0)([(0X0=f2)E])])(Y) =([(0X0=f2)E][X=X:(f1([E])^f2([E]))])(Y)() =([(0X0=f2)E][X=X:(f1([E])^0X0:f2([E]))])(Y) =([(0X0=f2)E][X=X:(f1^f2)([E])])(Y) [X=X:(f1([(0X0=f2)E])^X0([(0X0=f2)E]))])(Y) [X=X:(f1([E][X0=:::])^X0([E][X0=0X0:f2([E])]))])(Y) Lemma3.26Let Theprooffor_isanalogous. =([E][X=X:(f1^f2)([E])][X0=:::])(Y) =([E][X=X:(f1^f2)([E])](Y) =([(X=f1^f2)E])(Y) 1def ()() 2def Then1=2. 02def =[E1(X1=f)(X2=f)E2] =02[X1=02(X2)] =[E1[X1=X2](X2=f[X1=X2])E2[X1=X2]]

153 caseof=isdual.moreovertheproofisdonefore1.the Fortheproofherethealternativecharacterizationofthesolutionof generalizationtoarbitrarye1followsthenbylemma3.14and3.19. suitable. Proof:Wewillshowthelemmaforthecaseof=.Theother A.1.ProofsofChapter3. axpoint-equationsysteminproposition3.5turnedouttobemore 153 Showthat21: Hence,withproposition3.5,itis21. Showthat12: (1) (2) (3) (4) [E2[X1=X2]]1=[E2]1(1),(2),proposition3.5 1(X1)=1(X2)proposition3.5 (1) 1(X2)=f(1)proposition3.5 (2) (3) [E2[X1=X2]]2=2 2(X1)=2(X2)bydenition [E2]1=1 [E2]2=2 (1),(2),lemma3.19 corollary3.7 (4) (5) (7)X1:f([(X2=f)E2]2)2(X1)(2),(4),(6),Theo.2.16 (6) (8) (9) f([(x2=f)e2]2)f(2)(5),monotonicityoff [(X2=f)E2]22 [(X2=f)E2]1[(X2=f)E2]2 1(X1)2(X1)(7) f(2)=2(x2)proposition3.5 (3),(4),proposition3.5 Booleanequation,anenvironment,b=falseandb=true.Then forthesolutionofabooleanequationsystemholds: Proposition3.30LetEbeaBooleanequationsystem,X=fa (10)1=[(X2=f)E2]12 (8)&proposition3.11 [[]]= (9),(5),prop3.5 Proof:Applylemma3.29todenition3.3. [[(X=f)E]]=[[E]][X=f([[E]][X=b])].

154 154 BooleanequationsystemE0instandardformandarenamingfunction Proposition3.31ForeachBooleanequationsystemEthereexistsa standardformisperformedbyintroductionofadditionalvariables,suchthat([[e]])(x)=([[e0]])((x)),ande0hassizelinearinthe Proof:ThetransformationfromaBooleanequationsystemEinto sizeofe. AppendixA.Appendix Lemma3.35([[E]])(X)=falsei([[E]])(X)=true. expressionsofe.renamingdoesnotinuencethesize. sizeoftheright-handsideexpressionsofe.thesizeoftherighthandsideexpressionsofe0islinearinthesizeoftheright-handside ([[]])(X)=(X) (proposition3.25).thenumberofadditionalvariablesislinearinthe Proof:byinductiononthestructureofE Show([[(Y=f)E]])(X)=([[(Y=f)E]])(X) inductionhypothesis:([[e]])(x)=([[e]])(x) =([[]])(X) =[[E]][Y=f([[E]][Y=false])])(X)inductionhypothesis =([[E]][Y=f([[E]][Y=false])])(X)inductionhypothesis =([[E]][Y=f([[E]][Y=false])])(X)complementationof =([[E]][Y=f([[E]][Y=false])])(X)deMorgan =([[E]][Y=f([[E]][Y=false])])(X)denitionofsemantics =[[E]][Y=f([[E]][Y=true])(X) =([[(Y=f)E]])(X) denitionofsemantics

155 Proposition3.36GivenaBooleanequationsystemEandanenvironmentthereexistBooleanequationsystemsE0andE00withthe 155 A.1.ProofsofChapter3. properties: E0isinconjunctiveform, E0E,and [[E0]]=[[E]]. ForE00thedualpropertieshold: E00isindisjunctiveform, E00E,and [[E00]]=[[E]]. FortheproofofthispropositionweneedlemmataA.1andA.2. LemmaA.1GivenBooleanequationsystemsE;E1;E2withthe properties: (1)E1;E2areinconjunctiveform, (2)E1E,E2E, (3)[[E1]][X=false]=[[E]][X=false], (4)[[E2]][X=true]=[[E]][X=true]. ThenthereexistsaBooleanequationsystemE3inconjunctiveform, [[E3]][X=false]=[[E]][X=false], suchthate3eand ByconstructionofE3follows ixi=gi,if([[e1]][x=false])(xi)=false. Proof:Assume E1=(1X1=f1):::(nXn=fn)and LetiXi=fibeanequationofE3,if([[E1]][X=false])(Xi)=trueand E2=(1X1=g1):::(nXn=gn). [[E3]][X=true]=[[E]][X=true]. (7)E3isinconjunctiveform. (6)E3E,and (5)[[E1]][X=false][[E3]][X=false],

156 156 Wealsoknowthat[[E2]][X=true][[E3]][X=true],becauseatthe With(4)and(6)followsthat[[E3]][X=true]=[[E]][X=true]. From(3),(5),(6)andproposition3.16followsthat [[E3]][X=false]=[[E]][X=false]. variableswheree2ande3diere3hasthesolutiontruefor[x=false] andhencealsofor[x=true]. AppendixA.Appendix LemmaA.2GivenBooleanequationsystemsE;E1;E2withthe (2)E1E,E2E, properties: (1)E1;E2areindisjunctiveform, (3)[[E1]][X=false]=[[E]][X=false], (4)[[E2]][X=true]=[[E]][X=true]. Proofofproposition3.36:byinduction ProofanalogoustotheproofoflemmaA.1 ThenthereexistsaBooleanequationsystemE3indisjunctiveform, [[E3]][X=false]=[[E]][X=false], suchthate3eand haveadisjunctionasrighthandsideandshowthatwecanselectone HereweassumethattheBooleanequationsystemisinnormalform, i.e.eachrighthandsideexpressioniseitheraconjunctionoradisjunctionoftwovariables.thenwehavetoinvestigatetheequationswhich [[E3]][X=true]=[[E]][X=true]. ofthedisjunctspreservingthesolution. [[X=(Xi_Xj)]]=[X=(Xi_Xj)([X=b])] =[X=[X=b](Xi)_[X=b](Xj)] =[X=[X=b](Xi)] =[[X=Xi]]: thenassumewlogxi(0)=true) (if(xi_xj)(0)=true

157 3def 1def 2def NowassumethatforE;thereexistsE1suchthat[[E]]=[[E1]].Let A.1.ProofsofChapter3. =[X=b]; =[X=(Xi_Xj)([[E]][X=b])] wheretrue=falseandfalse=true157 Wehavetoconsidertwocases: [[(X=Xi_Xj)E]]=[[E]][X=(Xi_Xj)([[E]][X=b])] (i)(xi_xj)([[e]]1)=b,andhence1=2.thenthereexistse1 suchthat[[e]]i=[[e1]]ifori=1;2. =[[E]]2 =[[E]][X=(Xi_Xj)([[E]]1)] ()=[[E1]][X=(Xi_Xj)([[E1]][X=b])] =[[E1]][X=(Xi)([[E1]][X=b])] =() (ii)(xi_xj)([[e]]1)6=b,andhence2=3.nowthereexistsa ande3with[[e]]3=[[e3]]3. dierentequationsystemforeitheri,e1with[[e]]1=[[e1]]1 =[[(X=Xi)E1]] (asinthebasecase: ThenduetopropositionA.1thereexistsE4with[[E4]]1=[[E]]1 chooseadisjunctwhichgivesthecorrectresult) ()=[[E4]][X=(Xi_Xj)([[E4]][X=b])] and[[e4]]3=[[e]]3.hence whichhasthesamesolutionaseworksanalogously. Theproofforthedualfact,thatthereexistsaconjunctivesystem =[[(X=Xi)E4]]: =[[E4]][X=(Xi)([[E4]][X=b])] (againchooseasuitabledisjunct)

158 158 A.2ProofsofChapter5. Theorem5.1LetX:beaformulaofthemodal-calculus,M= ThenforallenvironmentsVitisthecasethat (T;V)amodelandsiastateofT. AppendixA.Appendix thesecondtoaequationsystemoverthepowerspaceofthestate rstleadsfroma-calculusformulatoa-calculusequationsystem, arereducedstepwise. space,thelastonetobooleanequationsystems.foreachdomainwe giveasemanticsandshowthatineachcasetheproblemstobesolved sij=mx:i([[e((x=);m)]]v)(xi)=true. Thersttransformation,E,leadsfromthesetof-calculusformulae, Proofoftheorem5.1:ThemappingEisdividedinthreesteps:the Thistransformationwasalreadygivenandprovedindenition3.8and Ltosequencesofunnested-calculusformulae,denotedbyL1. provedinproposition3.9.herewejustpresentthetransformationfor theactualscenario. E:L!L1isbasedonamappingE0andisdenedasfollows: E(1_2)=E(1)E(2) E(1^2)=E(1)E(2) E(hai)=E() E([a])=E() E(X)= E(Q)= E0(1^2)=E0(1)^E0(2) E0(1_2)=E0(1)_E0(2) E(X:)=(X:E0())(E()) E0([a])=[a]E0() E0(X)=X E0(Q)=Q

159 NotethathereweinterpretthevaluationfunctionVasanenvironment. A.2.ProofsofChapter5. E0(X:)=X E0(hai)=haiE0() 159 Fromproposition3.9follows:s2jjX:jjVis2([[E(X:)]]V)(X). laetoaxpoint-equationsystemoverthepowersetofthestatespace. Thesecondtransformation,EM,mapsasequenceof-calculusformu- LetX:beanunnested-calculusformulaandEasequenceof Formally,thisisthestepfromthelogicalformulaetotheirsemanticdomain.Technically,weperformonlyasyntacticaltransformation P(S)isbasedonamappingE0Manddenedasfollows. fromlogicalvariablestosetvariables,fromthebooleanconnectives_ and^tothesetoperations[and\,fromthemodaloperators[a]and haitosetoperators[[a]]tandhhaiit. unnested-calculusformulae.thetransformationem:l1! EM((X:)E)=(X=E0M())EM(E) E0M(1^2)=E0M(1)\E0M(2) E0M(X)=X E0M(Q)=V(Q) EM()= Recallthatthesemanticsofaxpoint-equationsystemwasgivenin denition3.3.herefdenotesamonotonesetfunctiononp(s). E0M(1_2)=E0M(1)[E0M(2) E0M(X:)=X=E0M() E0M(hai)=hhaiiT(E0M()) E0M([a])=[[a]]T(E0M()) [[(X=f)E]]V=[[E]]V[X=\fSSjSf([[E]]V[X=S])g [[(X=f)E]]V=[[E]]V[X=[fSSjSf([[E]]V[X=S])g [[]]V=V

160 expressions.accordingtobekic'stheoremsuchasimultaneousxpointexpressioncanbeeliminatedandsubstitutedbyasequenceof simplexpointexpressions.inadditionthesetoperators[[a]]tand hhaiitcanbeeliminatedbyevaluation,becausehereeachboolean asabooleanvectorexpressionandequivalentlyasavectorofboolean spaceandabooleanvectorspaceallowstorepresentasetexpression Inthelaststeptheisomorphismbetweenthepowersetofthestate 160 nitionsofthesemantics:[[(x:)e]]v=[[(x=e0m())em(e)]]v Correctnessofthetransformationfollowsimmediatelyfromthede- AppendixA.Appendix expressiondescribesasetexpressionataparticularstateoftheunderlyingtransitionsystemandateachsinglestatethesetoperators canbeevaluatedeasily. AltogetherthetransformationfunctionEIB:P(S)!IBmaps system.itreferstoasetoffunctionsfeib;1;:::;eib;ng,wheren=jsj axpoint-equationsystemoversetsofstatestoabooleanequation EIB((X=f)E)=(X1=E1(f)):::(Xn=En(f))EIB(E) EIB;i(S)=(trueifsi2S EIB()= isthesizeofthestatespace. EIB;i(A1\A2)=EIB;i(A1)^EIB;i(A2) EIB;i(A1[A2)=EIB;i(A1)_EIB;i(A2) EIB;i(hhaiiTA)=_ EIB;i([[a]]TA)=^ EIB;i(X)=Xi falseelse InordertoshowthecorrectnessofthetransformationEIBwehaveto above: V(Xi)=trueisi2V(X) ThesemanticofaBooleanequationsystemwasalreadygiveninsection 3.2.TheenvironmentVderivedfromthevaluationVisdenedas sia!sjeib;j(a)

161 si2([[e]]v)(x)i([[eib(e)]]v)(xi)=true. proveforasetequationsystemeandavaluationv: ofann-arysimultaneousxpointtoanestedxpointandthetransformationofanestedxpointtoaxpoint-equationsystemgivenin denition3.8andproposition3.9. A.3.ProofsofChapter8. TheproofhererequiresBekic'stheorem2.24forthetransformation 161 tothesemanticsgivenwecanconcludethat tions,andfromthecorrectnessofthesetransformationwithrespect [[E(X:)]]V(Xi)=trueisi2jjjjTV. E()=(EIBEME)()whereistheusualcompositionoffuncsionandamodeltoaBooleanequationsystemcanbecomposedby thetransformationse;em,andeibasdenedabove,anditholds: AltogetherthetransformationfunctionEfroma-calculusexpres- MoreoverAE;hassizeofO(jEj). A.3ProofsofChapter8. itis([[e]])(xi)=trueiae;(fag;se;xi;e;;e;)isnonempty. Theorem8.2ForaBooleanequationsystemEandanenvironment intheirinitialstate,butcoincideinthesetofstatesse,thetransition Proof:Inthefollowingweoftenarguewithautomatawhichdieronly relatione;andtheacceptingconditione;.thenwewillexplicitly NowthproofisbyinductiononE. branchbofr,i.e.b0=bfb,thenb0fulllsalsotheacceptancecondition E;andhencer0isanacceptingrunofAE;withinitialstateXj. initialstatexiandarunr0ofae;withinitialstatexj,suchthat (*)Note,ifwehaveanacceptingrunroftheautomatonAE;with everybranchb0ofr0consistsofaniteinitialpartbfcontinuedbya talkabouttheautomatonae;withinitialstatexi. ia;withinitialstatexihasanacceptingrun. i;(a;xi)=true i(xi) ([[]])(Xi)=true

162 162 inductionhypothesis:8xi;eoflengthn,:([[e]])(xi)=truei AE;withinitialstateXihasanacceptingrun. Show8Xi;Eoflengthn,;;X;f: ([[(X=f)E]])(Xi)=trueiA(X=f)E;withinitialstateXiis nonempty. (=)) AppendixA.Appendix case1([[(x=f)e]])(xi)=true=([[e]][x=f([[e]][x=true])])(xi) 1.1([[E]][X=false])(Xi)=true ThenthereexistsanacceptingrunronAE;[X=false]withinitial ThetreeristhenalsoanacceptedrunofA(X=f)E;withinitialstateXi,becauseE;[X=false]and(X=f)E;coincideonall thisnodewouldbealeafandthisbranchnotaccepted. statexiandnonodeofrislabelledwithx,becauseotherwise 1.2([[E]][X=false])(Xi)=false acceptedbythe\weaker"acceptancecondition(x=f)e;. Furthermore,ifarunisacceptedbyE;[X=false])thenitisalso statesdierentfromxandnonodeofrislabelledwithx. automatonae;[x=true]withinitialstatexjl. asatisfyingsetofffxj1;:::;xjkgitisthat ([[E]][X=true])(Xjl)=truefor1lk.ForeachXjlthereis (1)Thenitmustbethecasethatf([[E]][X=true])=true,i.e.for ConsideratreerX0wheretherootislabelledwithXandthesuccessorsoftherootarerj1;:::;rjkfrom(1).LetrX00bethetree (2)WeshownowthatthereexistsanacceptingrunrXon accordingtotheinductionhypothesisanacceptingrunrjlofthe A(X=f)E;withinitialstateX. labelledwithxthesucessorsarelabelledwithasatisfyingset rx0.continuesubstitutionofx-labelledleavesbyrx0getting nallythetreerx.itiseasytoseethatrxfollowsthetransitionfunction(x=f)e;becauseitcoincidesonallrj1;:::;rjk withe;[x=true]onallstatesapartfromxandatthenodes rx0whereallleaveslabelledwithxaresubstitutedbyacopyof

163 A.3.ProofsofChapter8. eachbranchbxofrxconsistseitherofaniteinitialpartfollowedbyabranchfromsomerjl,where1lk,inwhichno labelledwithx.intherstcasebxisacceptedbythefactthat ItremainstoshowthattherunrXisalsoaccepted.Notethat nodeislabelledwithx,orbxcontainsinnitelymanynodes offaccordingtothetransitionfunction(x=f)e;(a;x)=f. 163 bxisacceptedbytheacceptancecondition(x=f)e;,because withinitialstatexjlandargument(*)above.inthelattercase AE;[X=true]withinitialstateXjlisalsoacceptedbyA(X=f)E; Xisa-variableandgetstheleastindex. (3)Wenallyhavetoshowthatthereisanacceptingrunron eachbranchcontainingnox-labellednodewhichisacceptedby A(X=f)E;withinitialstateXi.Accordingtotheassumptions itmustbethecasethat([[e]][x=true])(xi)=trueandwiththe inductionhypothesisweknowthattheremustbeanaccepting case2([[(x=f)e]])(xi)=([[e]][x=([[e]][x=false])])(xi)=true r0andsubstituteeachleaflabelledwithxbytherunrxfrom (X=f)E;.Eachbranchofr0containingnoXandacceptedbt (2).ItiseasytoseethatrXfollowsthetransitionfunction E;[X=true]isalsoabranchofrandacceptedby(X=f)E;. Allotherbranchesareacceptedbyargument(*)above. runr0ofae;[x=true]withinitialstatexi.nowtaketherun 2.1([[E]][X=false])(Xi)=true withx,sincesuchanodewouldbealeafofanotaccepted branch.hencerisalsoanacceptingrunofa(x=f)e;with AE;[X=false]withinitialstateXi.Nonodeofrislabelled Accordingtotheinductionhypothesisthereisanacceptingrunr 2.2([[E]][X=false])(Xi)=false E;[X=false]. initialstatexi,because(x=f)e;ande;[x=false]coincide onallstatesapartfromxandxdoesnotappearinr. Then(X=f)E;acceptseverybranchthatisacceptedby

164 164(1)Thenitmustbethecasethatf([[E]][X=false])=true,i.e. theremustbeasatifyingsetfxj1;:::;xjkgforsomek2inof fsuchthat([[e]][x=false])(xjl)=truefor1lk.accordingtotheinductionhypothesisforeach1lkthereisan acceptingrunrjlonae;[x=false]withinitialstatexjl.sinceno nodeislabelledwithxeachtreerjlisalsoanacceptingrun AppendixA.Appendix ingrunrx.letrxbethetreewheretherootislabelledwith ofa(x=f)e;withinitialstatexjl,becausethetransitionfunctionse;[x=false]and(x=f)e;coincideonallstatesapartfrom (1).SincefXj1;:::;Xjkgisanacceptingsetoff,rXfollows accepts. (2)ShownowthatA(X=f)E;withinitialstateXhasanaccept- Xandthesuccessorsoftherootarethetreesrj1;:::;rjkfrom Xand(X=f)E;acceptseveryinnitebranchthatE;[X=false] thetransitionfunction(x=f)e;(a;x)=f,whichcoincides withe;[x=false]onallstatesotherthanx.withargument(*) runr0ofae;[x=true]withinitialstatexiletrbeasr0where followsthatrxisalsoacceptedbya(x=f)e;. allleaveslabelledwithxaresubstitutedbyrxfrom(2).note accordingtotheinductionhypothesistheremustbeanaccepting (3)ItremainstoconstructanacceptingrunrofA(X=f)E;with initialstatexi.weknowthat([[e]][x=true])(xi)=trueand thatallbranchesofr0containingnoxarealsoacceptedby A(X=f)E;withinitialstateXi.Allotherbranchesareaccepted statexiisnonempty.thecomplementationofalternatingautomata accordingtotherstpartoftheproofweknowthatae;withinitial Assume([[E]])(Xi)=false,thenbylemma3.35([[E]])(Xi)=trueand andalternatingautomatawithparitycondition. ((=)WemakeuseofcomplementationofBooleanequationsystems byargument(*). withinitialstatexiisae;withinitialstatexi,andifae;hasan withparityconditioniseasy(see[ej91]):thecomplementofae; acceptingrun,thenae;isempty.

165 ((=) Proof:ItfollowsimmediatelyfromconstructionthatthesizeofGEis linearinthesizeofe. initialvertexii([[e]])(xi)=true.moreoverjgej=o(jej). Theorem8.7PlayerIIhasawinningstrategyforthegameonGEwith A.3.ProofsofChapter Assume([[E]])(Xi)=true.Accordingtolemma3.36thereexistsa BooleanequationsystemE0inconjunctiveform,whereE0Eand and[[e0]]=[[e]].allconjunctionsofearecontainedine0,butfrom ningstrategyforplayeriiistochooseineveryi-labelledvertexthis initialvertexlabelledwithiplayeriiwinseveryplay.thenawin- with_. WenowwanttoshowbycontradictionthatforthegameonGE0with playeriinevertakesamove,becausetherearenoverticeslabelled equationofe0.considerthegamegraphge0.ineveryplayonge0 eachdisjunctionofethereisonlyonedisjunctinthecorresponding lim(p)nfjgfor0<j<n.wenowwanttoshowthatintheboolean asubsequencep0=v0;v1;:::;vnofp,wherev0=vn=jandvk2 andalso(atleast)oneofitspredecessors.moreovertheremustbe I.Letjbetheleastvertexinlim(p).Foreachvertexinlim(p)it mustbethecasethatthereis(atleast)oneofitssuccessorsinlim(p) AssumepisaplayofGE0withinitialvertexiwhichiswonbyplayer successorwhichisalsocontainedinge0. f1j,thentheequationcorrespondingtovertexv2intof1jgivingxj= equationcorrespondingtovertexv1issubstitutedintofjgivingxj= p0denesasequenceofsubstitutionsteps(lemma6.3)ine0:rstthe j,istheleastonewithrespecttoeamongtheseequations.now lim(p).weknowthatxj=fj,theequationcorrespondingtovertex j6=false.considerallequationsxk=fkine0wherekisavertexin equationsysteme0thevariablexihasthesolutionfalse.assume adisjunctionorasinglevariabletheequationevaluatestoxj=false aneliminationstep(lemma6.2).becausef(n 1)jandmayapply thevariablexjontheright-handsideofxj=fn 1 anditisthecasethat([[e0]])(xj)=([[e]])(xj)=false.theinitial f2jandsoon.aftern 1substitutionstepswehaveanoccurrenceof jcanonlyconsistof

166 166 partofpdenesasequencefromxitotherstoccurrenceofxjinp andgoingthisinitialsequencebackwardsapplyingsubstitutionsteps (=)) havetoapplythelastargumentaboveandgetthesamecontradiction. forconstants(lemma3.19)wegetthat([[e0]])(xi)=([[e]])(xi)= falsewhichcontradictstheassumption.forthecasej=falsewejust AppendixA.Appendix rstcaseoftheproofwecanshowthatfrom([[e]])(xi)=falseit Theotherdirectionfollowsbydualityarguments.Analogouslytothe followsthatplayerihasawinningstrategy.sinceonlyoneofthe playerscanhaveawinningstrategyand([[e]])(xi)mustbeeither A.4ProofsofChapter9. trueorfalsetheproofiscomplete. 1B1:::nBnandanenvironmentthereexistsaninniteBoolean Theorem9.4GivenaninniteBooleanequationsystemE= equationsysteme0=1b01:::nb0nsuchthate0containsno disjunctionsontheright-handside.inparticular: IfkXj=Vi2IXiisanequationinblockBjofEthenitisalso IfkXj=XiisanequationinblockBjofEthenitisalsoan IfkXj=Wi2IXiisanequationinblockBjofEandIis anequationinb0jofe0. Theargumentationhereissimilartotheoneintheproofforthenite case(proposition3.36).thereintheinductionstepwehavetoconstructonebooleanequationsystembasedontwoothers(lemmaa.1). nonempty,thenforsomek2itheequationkxj=xiisinblock Proof:byinductiononthestructureofE. [[E]]=[[E0]] IncontrasttothenitecaseherewehavetoconstructoneBoolean B0jofE0.IfIisemptythenkXj=falseisanequationofB0jofE0. equationsystembasedoncountablenumberofotherones.however, theideaandtechniqueisverymuchthesame.

167 fewerblocksthannandenvironmentwecanndaninniteboolean equationsysteme0havingnodisjunctionswithmorethanonedisjunct onitsright-handsideand[[e]]=[[e0]]. requirements. inductionhypothesis:foreachinnitebooleanequationsystemewith basecase:lete=andbeanenvironment.thene0=fulllsthe A.4.ProofsofChapter Dene inductionstep:assumethatbeisaninnitebooleanequationsystem,thatforsomeindexsetilhs(b)=fxiji2ig,andthatisan environment.then [[BE]]=[[E]][XI=XI:B([[E]])] Nowweproceedasfollows:,andsincethebformanascendingchainintheproductlatticeIBI, iscountable. foranordinal,alimitordinal.byproposition2.20,b=bforsome b+1def bdef b0def =B([[E]][XI=b =_<b =falsei solutionaseforall[xi=b].thene0andealsohavethesame ClimbingupthebwerstconstructasystemE0havingthesame B([[E]][XI=b])=B0([[E]][XI=b]).ThenwegetalsoB([[E]][XI=b]= terwardsweconstructablockb0,alsoclimbinguptheb,suchthat solutionfortheleastxpointb,i.e.[[e]][xi=b]=[[e0]][xi=b].af- B0([[E0]][XI=b]=bThetheoremfollowsthenbyapplicationofthedefinitionofthesemantic. WerstconstructasystemE0,suchthat Forthisweusethefactthataccordingtotheinductionhypothesisfor knowthatthenalso([[e0]][xi=b0])(x)=true.foreachofthesexlet (1)[[E]][XI=b]=[[E0]][XI=b]forall. For=0selectallX2lhs(E)where([[E]][XI=b0])(X)=true.We TheconstructionofE0worksasfollows: [[E0]][XI=b]. eachthereexistsane0havingtherequiredformand[[e]][xi=b]=

168 168 theequationx=f0frome0beanequationofe0inthecorresponding block.whatevertheremainingequationsofe0willbe(theymightall (*)([[E0]][XI=b0])(X)=true=([[E]][XI=b0])(X). befalse,see3.19),wehave ForeachselectallvariablesXj2lhs(E)suchthat AppendixA.Appendix ([[E]][XI=b+1])(Xj)=true andforallthesexjlettheequationxj=f0jine0beanequation ofe0,suchthatxj=f0jiscontainedinthecorrespondingblockto (havinglowersignature) Theargumentnowisbyinduction.AssumethatforallotherXk theoneofecontainingxj=fj. ([[E]][XI=b])(Xj)=false if([[e]][xi=b])(xk)=true if([[e0]][xi=b])(xk)=true then([[e0]][xi=b])(xk)=true; Thisis,becauseofmonotonicity,forall HenceweknowthatforalltheseXk,where ([[E0]])(Xk)=true=([[E]])(Xk)thatalso([[E0]])(Xk)=true. then([[e0]][xi=b])(xk)=true: thenb([[e]][xi=b])=b([[e0]][xi=b])=b+1 Furthermore if Withthebasecase(*)wecannowconclude(1).(SeealsotheargumentationforlemmaA.1incombinationwithlemma9.3). (2)XI:B([[E]])=XI:B([[E0]]) Fromtheabovewealsocanconclude NextweconstructB0insuchaway,thatforeach B([[E]][XI=b])=B0([[E]][XI=b]). LeteachequationX=Vj2JXjforsomeindexsetJinBbe [[E]][XI=b]=[[E0]][XI=b] alsoanequationofb0.

169 IfthereisanequationinBoftheformX=XiorX=WXi, A.4.ProofsofChapter9. IfthereisanequationinBoftheformX=Wj2JXjforsome wherethedisjunctioncontainsonlyasingledisjunct,thenletx= indexsetjandthereisoneofthedisjunctstrue,thenletx=true XibeanequationofB ForeachequationX=Wj2JXjinBwhere([[BE]])(X)= InallothercasesforXi2lhs(B)wehave([[BE]])(Xi)=true X=XjbeanequationofB0. indexsetj.foreachofthesexithereexistsansuchthat andtheequationforxiisoftheformxi=wj2jxjforsome falsechooseanyofthedisjunctsfromwj2jxj,sayxj,andlet Altogetherwehavethenthat Itfollowsfromtheconstructionthat (3)B([[E]][XI=b+1])=B0([[E]][XI=b+1]) accordingtothechoiceofxj. letx=xjanequationinb0.hence(b0([[e]][xi=b]))i=true Wj2JXjavariableXj,suchthat([[E]][XI=b])(Xj)=trueand ([XI=b+1])(Xi)=trueand([XI=b])(Xi)=false.Selectfrom [[BE]]=[[E]][XI=XI:B([[E]])] =[[E]][XI=XI:B0([[E]])](3) =[[E0]][XI=XI:B0([[E0]])](1);(2) assumingthatforallj2jitisy6=xj Lemma9.9Let E1,E2,E3besetbasedBooleanequationsystems, M;N;N0S,whereNN0 ThedualcaseforBEworkssimilarly. fm=(y;n;y)^^ =[[B0E0]] j2j(xj;mj;j); fn0=^ k2k(yk;nk;k);

170 anenvironment. Then[[E1(X(X;M)=fM)E2(Y(Y;N0)=fN)E3]] 170f0M=^ =[[E1(X(X;M)=f0M)E2(Y(Y;N0)=fN)E3]]. k2k(yk;nk;yk)^^ j2j(xj;mj;j); AppendixA.Appendix XXm=^ Form2Mandn2NE4containstheequations systemse4ande5. Proof:TransformbothequationsystemstoinniteBooleanequation n2y(m)yn^^j2j^ alltheyn,andgettingthenewequation stitutionstepsintheinnitebooleanequationsysteme4substituting ine4.accordingtolemmata9.3,6.3wecanapplyinnitelymanysub- YYn=^ k2k^ n02k(n)yk;n0t2j(m)xj;tand ThisisanequationoftheinniteBooleanequationsystemE5. XXm=^ n2y(m)^ k2k^ n02(ky)(m)yk;n0^^j2j^ k2k^ n02k(n)yk;n0^^j2j^ Lemma9.10Let E1andE2besetbasedBooleanequationsystems, t2j(m)xj;t (X;M)=(X;M;)^Vi2I(Xi;Mi;i)asetbasedBooleanequation, anenvironment,and 0def If=then0=[[E1((X;M)=Vi2I(Xi;Mi;i))E2]]. If=andiswellfoundedthen0isasinthecasefor=, ifisnotwellfoundedthen0((x;m))=false. =[[E1((X;M)=(X;M;)^Vi2I(Xi;Mi;i))E2]]

171 Proof:Inarststepthesetbasedequationsystemistransformedto aninnitebooleanequationsystem,wherethesetequation (X;M)=(X;M;)^^i2I(Xi;Mi;i) fors2mismappedtoablockbcontainingtheequations A.4.ProofsofChapter Xs=^ Theequation (X;M)=^i2I(Xi;Mi;i) ismappedtoablockbinaninnitebooleanequationsystem, s02(s)xs0^^i2i^ containingtheequationss02i(s)zi;s0: Xs=^i2I^ onlyforthecasee1=,i.e.[[be02]]=[[be02]],andaccordingto Wewillabbreviatethe(innite)vectorofallXifori2IbyX. or=wehavetoshowthat[[e01be02]]=[[e01be02]]and LetE01def accordingtolemma3.14wejusthavetoshowtheequivalenceabove =T(E1)andE02def s02(i)(s)zi;s0 thedenitionofthesemanticsitsucestoshowthatx:b([[e02]])= X:B([[E02]]) NowwewanttoapplyasubstitutionsteptoeachXs0.ForapplyinginnitelymanysubstitutionswithinblockBweneedproposition 2.17(6)andlemma9.3ratherthanlemma9.9. Xs=^ =^ s002((s))xs00^^i2i^ s02((s))xs0^^i2i^ s02(s)(^ s002(s0)xs00^^i2i^ s02((i)[i)(s)zi;s0 s002(i)(s)zi;s00^^i2i^ s002i(s0)zi;s00)^^i2i^ s02i(s)zi;s0 =T(E2).Forthecasesthatiswellfounded :::applyingthesesubstitutionstepslog2(n)times

172 172 LettheseequationsbecollectedinablockBnforn22m;m2IN Itfollowsfromproposition2.17(6)that[[BnE02]]=[[BE02]]forall =^ s02n(s))xs0^^i2is02(i(0[1[:::n 1))(s)Zi;s0 ^AppendixA.Appendix soldef soldef Bn. Dene bdef bdef b=x:bn([[e]]02) anditfollowsthat =[[BE02]] =X:B([[E02]] =X:B([[E02]] Weabbreviatesol[X=b](Xs)bybsandsol[X=B(sol)](Xs)by b=b(sol),andalsosol=[[b]]solandb=b(sol) Withlemmata3.19and3.20itisthecasethatsol=[[B]]soland ShownowX:B(sol)=b (i)becauseinbthereisnofreexsontheright-handside,itisthe Itsucestoshowthatb=bandforthatpurposeweshowthat (2)impliesthatB([[E]]02[X=b])=bandhencebb. (1)X:B(sol)=band(2)X:B(sol)=b (1)impliesthatB([[E]]02[X=b])=bandhencebb, (B(sol))(Xs),andanalogouslyforbandB.Nowweassume=. casethatx:b(sol)=b(sol) IfforB(sol)andanequationXs=Vi2IVs02(i)(s)Zi;s0inB wehavethat(vi2ivs02(i)(s)zi;s0)(sol)=falsethenthereforsome Zi;s0itmustbethatsol(Zi;s0)=false.ThenwecanndaBn,where theequationforxshasthiszi;s0onitsright-handsideandalso (Bn(sol))(Xs)=falseandhencewehavealso(X:Bn(sol))(Xs)= (ii)deneb0def Assumethat(X:B(sol))(Xs)=false. falseandalso(x:b(sol))(xs)=bs=false.thereforeisbb(sol). =trueiandb+1def =B(sol[X=b]).

173 If>1thentheremustbeaX0sforsomes02(s)withsol(Xs0)= sol(zi;s0)=false.butthenitisalso(b(sol))(xs)=false. If=1thentheremustbeaZi;s0forsomei2I,s02i(s),where Xs.) suchthatbs=falseandb 1 Showthatthenalso(B(sol))(Xs)=false.Thentheremustbesome A.4.ProofsofChapter9. s=true.(iscalledthesignatureof 173 falseandhenceb(sol)b. Altogetherfrom(X:B(sol))(Xs)=falsefollowsthat(B(sol))(Xs)= From(i)and(ii)wecanconcludethatB(sol)=b Henceitis(B(sol))(Xs)=false. forsomei2i,s02(in)(s),forsomen,suchthatsol(zi;s0)=false. falseandx0shavingasignature0<.applyingthisargumentrepeatedlythenthesignatureeventuallyreaches0,andthenwehaveazi;s0 Whenshowingthatb=B(sol)applythesameargumentsasabove tosolinsteadofsol.from(i)followsthenthatx:b(sol)b, andletbeitssignature.foralls002(s0)xs00mustbetrueand B(sol[X=b]).AssumeanXs0beingtrueattheleastxpoint Ifisnotwellfoundedthendeneb0=falseIandb+1= existssomen2insuchthatn(s)=;andtheequivalenceofbnand Bfollowsimmediately. Forthecase=notethatifiswellfoundedforeachS2Mthere from(ii)thatbx:b(sol). notwellfoundedwecanndaninnitechainofdecreasingsignatures, whichisacontradiction. havealowersignature.repeatthisargumentforxs00.becauseis

174 174 AppendixA.Appendix

175 Bibliography [AKM95]S.Ambler,M.Kwiatkowska,andN.Measor.Dualityand [AC88]A.ArnoldandP.Crubille.Alinearalgorithmtosolve [And92]H.R.Andersen.Modelcheckingandbooleangraphs.In ComputerScience,151(1):3{27,1995. ProcessingLetters,29:57{66,1988. thecompletenessofthemodalmu-calculus.theoretical xed-pointequationsontransitionsystems.information [And94a]H.R.Andersen.Modelcheckingandbooleangraphs.TheoreticalComputerScience,126(1):3{30,1994currentsystems.PhDthesis,AarhusUniversity,1993ence,1992. ESOP'92,volume582ofLectureNotesonComputerSci- Proceedingsof4thEuropeanSymposiumonProgramming, [And93]H.R.Andersen.Vericationoftemporalpropertiesofcon- [And94b]H.R.Andersen.Onmodelcheckinginnite-statesystems. [BC96]G.BhatandR.Cleaveland.Ecientlocalmodel-checking [BCM+92]J.R.Burch,E.M.Clarke,K.L.McMillan,D.L.Dill,and ComputerScience,pages8{17.Springer,1994. InProceedingsofLFCS'94,volume813ofLectureNotesin forfragmentsofthemodal-calculus.inproceedingsof TACAS'96,volume1055ofLectureNotesinComputerScience,pages107{126.Springer, yond.informationandcomputation,98(2):142{170,june L.J.Hwang.Symbolicmodelchecking:1020statesandbe-

176 176 [BK95]M.BonsangueandM.Kwiatkowska.Re-interpretingthe [Bek84]H.Bekic.HansBekic:ProgrammingLanguagesandTheir Denition,volume177ofLectureNotesinComputerScience,chapterDenableoperationsingeneralalgebras,and thetheoryofautomataandowcharts.springer,1984. modal-calculus.inmodallogicandprocessalgebra, Bibliography [Boc70]I.M.Bochenski.AHistoryofFormalLogic.ChelseaPublishingCompany,NewYork,secondedition,1970. Birkhauser, /12/93A,TechnischeUniversitatMunchen,1993. [BM93]D.BarnardandA.Mader.Modelcheckingforthemodal mu-calculususinggauelimination.technischerbericht CSLILectureNotes,pages65{83,1995. [Bra92]J.C.Bradeld.VerifyingTemporalPropertiesofSystems. [Bra96]J.C.Bradeld.Themodalmu-calculusalternationhierarchyisstrict.InProceedingsofCONCUR'96,volume 1119ofLectureNotesinComputerScience,pages233{246. [Bri96]E.Brinksma.personalcommunication [Bry86]R.E.Bryant.GraphbasedalgorithmsforBooleanfunc- Springer, (8):677{691,1986. tionmanipulation.ieetransactionsoncomputers,c- [BVW94]O.Bernholtz,M.Y.Vardi,andP.Wolper.Anautomatatheoreticapproachtobranching-timemodelchecking.Itiesofprocesses.InProceedingsofCONCUR`90,volume [BS91]J.BradeldandC.Stirling.Localmodelcheckingforin- [BS90]J.C.BradeldandC.Stirling.Verifyingtemporalproper- nitestatespaces.theoreticalcomputerscience,1991. Springer,1990. ProceedingsofCAV'94,volume818ofLectureNotesin 458ofLectureNotesinComputerScience,pages115{125. ComputerScience,pages142{155.Springer,1994.

177 [CE81]E.M.ClarkeandE.A.Emerson.Designandsynthesisof Bibliography [CES86]E.M.Clarke,E.A.Emerson,andA.P.Sistla.Automatic synchronisationskeletonsusingbranchingtimetemporal pages52{71.springer,1981. vericationofnite-stateconcurrentsystemsusingtem- logic.volume131oflecturenotesincomputerscience, 177 [CKS92]R.Cleaveland,M.Klein,andB.Steen.Fastermodel minglanguagesandsystems,8:244{263,1986. porallogicspecications.acmtransactionsonprogram- [Cle90]R.Cleaveland.Tableau-basedmodelcheckinginthepropositionalmu-calculus.ActaInformatica,27:725{747,1990. Springer,1992. andd.k.probst,editors,proceedingsofcav'92,volume 663ofLectureNotesinComputerScience,pages410{422. checkingforthemodalmu-calculus.ing.v.bochmann [CS91]R.CleavelandandB.Steen.Alineartimemodel-checking [DP90]B.DaveyandH.Priestley.Introductiontolatticesand [Dam92]M.Dam.CTL*andECTL*asfragmentsofthemodalcalculus.Technicalreport,UniversityofEdinburgh,June cation,2:79{92,july1991. ceedingsofthethirdworkshoponcomputeraidedveri- algorithmforthealternationfreemodalmu-calculus.pro [EH86]E.A.EmersonandJ.Halpern.\sometimes"and\not [EJ88]E.A.EmersonandC.S.Jutla.Thecomplexityoftreeautomataandlogicsofprograms.InProceedingsofthe29th 368{377,1991. anddeterminacy.inproceedingsofthe32ndfocs,pages order.cambridgeuniversitypress,1990. [EJ91]E.A.EmersonandC.S.Jutla.Treeautomata,mu-calculus never"revisited:onbranchingversuslineartime.journal oftheacm,33:151{178,1986. IEEEFOCS,pages328{337,1988.

178 [EL86]A.EmersonandC.Lei.Ecientmodelcheckinginfragmentsofthepropositionalmu-calculus.Proceedingsof Springer,1993. fragmentsof-calculus.inproceedingsofcav'93,volume 697ofLectureNotesinComputerScience,pages385{396. Bibliography 178 [EJS93]E.Emerson,C.Jutla,andA.Sistla.Onmodelcheckingfor [Eme96]E.Emerson.LogicsforConcurrency,volume1043ofLec- [Eme91]E.A.Emerson.Temporalandmodallogic.InJ.van ence,volumeb.elsevier/north-holland,1991. Leuwen,editor,HandbookofTheoreticalComputerSci- 1stAnnualSymposiumonLogicinComputerScience, poralreasoningaboutreactivesystems,pages41{101. turenotesincomputerscience,chapterautomatedtem- LICS'86,pages267{278,1986. [Flo67]R.Floyd.Assigningmeaningstoprograms.InJ.T. [EN94]J.EsparzaandM.Nielsen.DecidabilityissuesforPetri 160,1994. Schwartz,editor,MathematicalAspectsofComputerScience,pages19{32.AmericanMathematicalSociety,1967. ofregularprograms.journalofcomputerandsystemscience,18:194{211,1979. nets-asurvey.j.inform.process.cybernet.,30(3):143{ Springer,1996. [HM85]M.HennessyandR.Milner.Algebraiclawsfornondeterminismandconcurrency.JournaloftheACM,32:137{162, ming.communicationoftheacm,12:576{580,1969. ComputerScience,74:239{248,1990. [FR79]M.J.FischerandLadnerR.E.Propositionaldynamiclogic [Har95]C.Hartonas.Stonedualityformodal-logics [Hut90]H.Huttel.SnScanbemodallycharacterized.Theoretical [Hoa69]C.A.R.Hoare.Anaxiomaticbasisforcomputerprogram- [Kai96]R.Kaivola.Usingautomatatocharacterisexedpointtemporallogics.PhDthesis,UniversityofEdinburgh,1996.

179 [Koz83]D.Kozen.Resultsonthepropositionalmu-calculus.The- substitutions.1996.submittedforpublication. 179 [KM]E.KindlerandA.Mader.Trappingfairness.toappear. [Kal96]K.Kalorkoti.Modelcheckinginthemodal-calculusby BibliographyoreticalComputerScience,27:333{354,1983. [KP83]D.KozenandR.Parikh.Adecisionprocedureforthe [KW97]E.KindlerandR.Walter.Mutexneedsfairness.InformationProcessingLetters,62(31{39),1997ingsofCAV'92,volume663ofLectureNotesinComputer Science.Springer,1992. recursion.inproceedingsofcaap'88,volume299oflec- [Koz88]D.Kozen.Anitemodeltheoremforthepropositional [Lar92]K.Larsen.Ecientlocalcorrectnesschecking.InProceed- Programs,1983. propositional-calculus.insecondworkshoponlogicsof -calculus.studialogica,47:233{241,1988. [Lar95]K.G.Larsen.ProofsystemforHennessy{Milnerlogicwith [Len96]G.Lenzi.Ahierarchytheoremforthe-calculus.InProceedingsofICALP'96,volume1099ofLectureNotesin Animprovedalgorithmfortheevaluationofxpointexpressions.InProceedingsof6thInternationalConference ofcomputer-aidedverication,cav'94,volume818of [LBC+94]D.Long,A.Browne,E.Clarke,S.Jha,andW.Marrero. LectureNotesinComputerScience,pages338{350,1994. turenotesincomputerscience,pages215{230,1995. [LNS82]J.-L.Lassez,V.L.Nguyen,andE.A.Sonenberg.Fixed [Lin88]P.Lindsay.Onalternating!-automata.JournalofComputerandSystemSciences,36:16{24,1988. pointtheoremsandsemantics:afolktale.information volume663oflecturenotesincomputerscience,pages [Mad92]A.Mader.Tableaurecycling.InProceedingsofCAV'92, ComputerScience,pages87{97.Springer,1996. ProcessingLetters,14(3):112{116,May {342.Springer,1992.

180 [Mil89]R.Milner.CommunicationandConcurrency.Prentice 180 [Mad95]A.Mader.Modal-calculus,modelcheckingandGau LectureNotesinComputerScience,pages72{88.Springer, elimination.inproceedingsoftacas'95,volume1019of Hall,1989. Bibliography [MP69]Z.MannaandA.Pnueli.Formalizationofpropertiesof [MP83]Z.MannaandA.Pnueli.Howtocookatemporalproof recursivelydenedfunctions.inproceedingsoftheacm SymposiumonTheoryofComputing,pages201{210,1969. [Niw88]D.Niwinski.Fixed-pointsvs.innitegeneration.InPro- [Niw86]D.Niwinski.Onxedpointclones.InProceedingsofthe ACMonPrinciplesofProgrammingLanguages,pages141{ Science,pages402{409.Springer, thICALP,volume226ofLectureNotesinComputer systemforyourpetlanguage.inproceedingsofthe10th puterscience,pages402{409,1988. ceedingsofthethirdieeesymposiumonlogicincom- 154,1983. [Par70]D.M.R.Park.Fixpointinductionandproofofprogram [Pra76]V.Pratt.SemanticalconsiderationsofFloyd-Hoarelogic. [Ros96]P.Rossmanith.personalcommunication [Rud74]S.Rudeanu.BooleanFunctionsandEquations.North- InProceedingsofthe1stIEEESymposiumonFoundations ofcomputerscience,pages109{121,1976. semantics.machineintelligence,5:59{78,1970. [SE84]R.S.StreettandE.A.Emerson.Anautomatatheoretic [Sti93]C.Stirling.Modalandtemporallogics.InS.Abramsky, HollandPublishingCompany,1974. decisionprocedureforthepropositionalmu-calculus.informationandcomputation,81:249{264,1984. D.Gabbay,andT.Maibaum,editors,HandbookofLogic incomputerscience,volume2,pages447{463.oxford UniversityPress,1993.

181 [Sti96]C.Stirling.Modelcheckingandothergames.Notesfor [Str81]R.S.Street.Propositionaldynamiclogicofloopingand Bibliographymathtworkshoponnitemodeltheory,Universityof Wales,Swansea,1996. Computing,pages375{383,1981. converse.inproceedings13thsymposiumontheoryof 181 [Str82]R.S.Street.Propositionaldynamiclogicofloopingand [SW89]C.StirlingandD.Walker.Localmodelcheckinginthe [Tar55]A.Tarski.Alatticetheoreticalxpointtheoremandits modalmu-calculus.inj.dazandf.orejas,editors, ComputerScience,pages369{383,1989. ProceedingsofTAPSOFT,volume351ofLectureNotesin 54:121{141,1982. converseiselementarydecidable.informationandcontrol, [Var95]M.Y.Vardi.ComputerScienceToday.RecentTrendsand [Tho90]W.Thomas.HandbookofTheoreticalComputerScience, 191.Elsevier/North-Holland,1990. volume2,chapterautomataoninniteobjects,pages133{ Developments.,volume1000ofLectureNotesinComputer applications.pacicjournalofmathematics,5:285{309, [VL92]B.VergauwenandJ.Lewi.Alinearalgorithmforsolvingxed-pointequationsontransitionsystems.InJ.-C. Science,chapterAlternatingautomataandprogramveri- [Ver95]B.Vergauwen.manuscript AlgebraandProgramming,CAAP'92,volume581ofLectureNotesinComputerScience,pages322{341.Springer, cation,pages471{484.springer,1995. Raoult,editor,Proceedingsof17thColloquiumonTreesin [VL94]B.VergauwenandJ.Lewi.Ecientlocalcorrectness tems.inproceedingsoficalp'94,volume820oflecture checkingforsingleandalternatingbooleanequationsys NotesinArticialIntelligence,pages302{315.Springer,

182 [Vog96]W.Vogler.Eciencyofasynchronoussystemsandread 182 [VLAP94]B.Vergauwen,J.Lewi,I.Avau,andA.Pote.Ecientcomputationofnestedx-pointswithapplicationstomodel Bibliography checking.ind.gabbayandh.j.ohlbach,editors,pro- cialintelligence,pages165{179.springer,1994. ceedingsofictl'94,volume827oflecturenotesinarti- [VW83]M.VardiandP.Wolper.Yetanotherprocesslogic.InProceedingsoftheWorkshoponLogicsofPrograms,volume [Wal91]D.Walker.AutomatedanalysisofmutualexclusionalgorithmsusingCCS.TechnicalReportECS-LFCS-89-91, arcsinpetrinets.technicalreport,universitataugsburg, [Wal93]F.Wallner.EinlokalermodelcheckermitGau- Springer,1983. Elimination.Fortgeschrittenenpraktikum,1993. UniversityofEdinburgh, ofLectureNotesinComputerScience,pages501{512. [Wal94]F.Wallner.ModelCheckingimModalen-Kalkul [Wal95a]R.Walter.PetrinetzmodelleverteilterAlgorithmen,volume2ofEditionVersal.BertzVerlag,1995.Dissertation. ofthepropositional-calculus.inproceedingsoflics'95, marbeit. [Wal95b]I.Walukiewicz.CompletenessofKozen'saxiomatization furunendlichesystememithilfesymbolischergau- Elimination.Master'sthesis,TUMunchen,1994.Diplo- [ZSS94]S.Zhang,O.Sokolsky,andS.A.Smolka.Ontheparallel [Win89]G.Winskel.Anoteonmodelcheckingthemodalcalculus.InG.Ausiello,M.Dezani-Ciancaglini,and complexityofmodelcheckinginthemodalmu-calculus. S.RonchiDellaRocca,editors,Proceedingsof16thICALP, InProceedingsofthe9thIEEESymposiumonLogicin volume372oflecturenotesincomputerscience,pages 761{772,1989. ComputerScience,pages154{163,1994.