lambda-Coloring of Graphs

A Classification of Symbolic Transition Systems

THOMAS A. HENZINGER

University of California, Berkeley

RUPAK MAJUMDAR

University of California, Berkeley

and

JEAN-FRANCOIS RASKIN

Universite Libre de Bruxelles, Belgium

Authors’ addresses: Thomas A. Henzinger, Department of Electrical Engineering and ComputerSciences, University of California at Berkeley, CA 94720-1770, USA. Email: [email protected]: http://www.eecs.berkeley.edu/~tah

Rupak Majumdar, Department of Electrical Engineering and Computer Sciences, Universityof California at Berkeley, CA 94720-1770, USA. Email: [email protected]. URL:http://www.eecs.berkeley.edu/~rupak

Jean-Francois Raskin, Departement d’Informatique, Faculte des Sciences, Universite Libre deBruxelles, Belgium. Email: [email protected]. URL: http://www.ulb.ac.be/di/ssd/jfr

A preliminary version of this paper appeared in the Proceedings of the 17th Annual Symposium

on Theoretical Aspects of Computer Science (STACS), Lecture Notes in Computer Science 1770,Springer-Verlag, 2000, pages 13–34.

This research was supported in part by the DARPA grant F33615-C-98-3614, the MARCO grant98-DT-660, the NSF grants CCR-9988172, CCR-0085949, and CCR-0225610, and the BelgianNational Fund for Scientific Research (FNRS).

Permission to make digital/hard copy of all or part of this material without fee for personalor classroom use provided that the copies are not made or distributed for profit or commercialadvantage, the ACM copyright/server notice, the title of the publication, and its date appear, andnotice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish,to post on servers, or to redistribute to lists requires prior specific permission and/or a fee.c© 2006 ACM 1529-3785/2006/0700-0001 $5.00

ACM Transactions on Computational Logic, Vol. V, No. N, February 2006, Pages 1–31.

2 · T.A. Henzinger et al.

We define five increasingly comprehensive classes of infinite-state systems, called STS1–STS5,

whose state spaces have finitary structure. For four of these classes, we provide examples fromhybrid systems.

STS1 These are the systems with finite bisimilarity quotients. They can be analyzed symbolicallyby iteratively applying predecessor and boolean operations on state sets, starting from a finitenumber of observable state sets. Any such iteration is guaranteed to terminate in that only afinite number of state sets can be generated. This enables model checking of the µ-calculus.

STS2 These are the systems with finite similarity quotients. They can be analyzed symbolicallyby iterating the predecessor and positive boolean operations. This enables model checking of theexistential and universal fragments of the µ-calculus.

STS3 These are the systems with finite trace-equivalence quotients. They can be analyzed symbol-ically by iterating the predecessor operation and a restricted form of positive boolean operations(intersection is restricted to intersection with observables). This enables model checking of allω-regular properties, including linear temporal logic.

STS4 These are the systems with finite distance-equivalence quotients (two states are equivalentif for every distance d, the same observables can be reached in d transitions). The systems in thisclass can be analyzed symbolically by iterating the predecessor operation and terminating whenno new state sets are generated. This enables model checking of the existential conjunction-freeand universal disjunction-free fragments of the µ-calculus.

STS5 These are the systems with finite bounded-reachability quotients (two states are equivalent iffor every distance d, the same observables can be reached in d or fewer transitions). The systemsin this class can be analyzed symbolically by iterating the predecessor operation and terminatingwhen no new states are encountered (this is a weaker termination condition than above). Thisenables model checking of reachability properties.

Categories and Subject Descriptors: D.2.4 [Software Engineering]: Software/Program Verifi-cation; F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoningabout Programs

General Terms: Formal Verification, Temporal Logics

Additional Key Words and Phrases: Model Checking, Symbolic Algorithms, State Equivalences,Hybrid Automata

1. INTRODUCTION

Algorithmic verification methods (“model checking”) were originally invented forthe analysis of finite-state systems, whose state spaces can be explored exhaus-tively. Much recent interest has concerned the application of such methods toinfinite-state systems. There are two important approaches. Methods of the firstkind reduce an infinite-state system to an “equivalent” finite-state system —oftena quotient system— and then explore the resulting finite quotient space. We callthese methods reductionist. A well-known representative of the reductionist ap-proach is the region-graph method for timed automata [Alur and Dill 1994]: everytimed automaton is bisimilar to a finite graph of clock regions, each representingan equivalence class of infinitely many clock states; model checking a timed au-tomaton can therefore be reduced to model checking its region graph. Methods ofthe second kind explore the infinite state space directly, by manipulating a datatype called region, whose members represent possibly infinite sets of states. We call

ACM Transactions on Computational Logic, Vol. V, No. N, February 2006.

A Classification of Symbolic Transition Systems · 3

these methods symbolic.1 A typical representative of the symbolic approach is theclock-zone method for timed automata [Henzinger et al. 1994]: the symbolic modelchecking of timed automata manipulates clock zones, each representing a booleancombination of clock constraints, where a clock constraint bounds a clock value orthe difference between two clock values (a single clock zone, therefore, may corre-spond to a union of many clock regions). While sometimes optimal in theoreticalcomplexity, reductionist methods usually experience state explosion and are oftenoutperformed in practice by symbolic methods. It is easy to see why: a symbolicmethod never distinguishes states that are considered equivalent by the reductionistapproach, but when answering a specific verification question, a symbolic methodperforms an analysis of the given infinite state space that may be considerably lessdetailed than would be required for constructing the entire finite quotient system.In a sense, the symbolic method performs no more work than necessary for answer-ing the specific question, whereas the reductionist method provides a worst-caseupper bound on the amount of work to be performed.

Regions (state sets) in symbolic model checking might be implemented as pred-icates in some constraint language, for example, as constraints on the booleans,integers, or reals. A region algebra supports individual operations on regions. Formodel checking, we are particularly interested in boolean operations on regions(such as set intersection and set difference) as well as the predecessor operationPre , which, given a target region, computes the region of all states with successorsin the target region. The iteration of these operations may generate an infinitenumber of distinct regions. The main concern with symbolic methods, therefore,is termination. We refer to procedures that may or may not terminate as “semi-algorithms.” In this paper, we study restricted classes of infinite-state transitionsystems for which certain forms of iteration terminate after a finite number of regionoperations, and yet yield sufficient information for checking unbounded temporalproperties of the system. In particular, we argue that the semi-algorithms for modelchecking various temporal logics can be seen as instances of generic closure semi-algorithms, which refine a partition of the state space by applying the Pre operatortogether with a possibly limited selection of boolean region operators. Hence, ifa closure semi-algorithm terminates, so do the corresponding semi-algorithms formodel checking. Second, we show that the closure semi-algorithms terminate ex-actly when certain equivalence relations on the infinite state space have finite index.Thus, to obtain symbolic model-checking procedures for infinite-state systems, itsuffices that the corresponding equivalence relations have finite index. In otherwords, while the algorithms themselves are completely symbolic, their guaranteesof termination are given by a reductionist argument (existence of an “equivalent”finite quotient). For example, while in theory there are infinitely many clock con-straints for timed automata, the clock-zone method can be shown to compute only

1Our usage of the term “symbolic” is considerably broader than the narrow usage commmonin some model-checking communities, where “symbolic” often means “based on binary-decisiondiagrams” (BDDs) [Burch et al. 1992]. Note that BDDs are but one data structure for representingstate sets (in this case, finite boolean state sets). Similarly, our usage of the term “region” is moregeneral than the clock regions of timed automata: while the latter is a set of clock states of aspecific shape, we denote by “region” any representable set of states.



clock constraints that define blocks (unions) of the finitely many clock regions whichrepresent bisimilarity classes of states. Reduction is not part of the algorithm, butpart of its correctness proof.

We propose a classification of infinite-state systems into five increasingly generalclasses, depending on which equivalence relations have finite index. The first class ofinfinite-state systems are those with finite bisimilarity quotients. Timed automatafall into this class. On systems with finite bisimilarity quotients, we can symboli-cally model check all µ-calculus formulas, including the formulas of the branchingtemporal logics Ctl and Ctl∗ [Emerson 1990]. The second class of infinite-statesystems are those with finite similarity quotients. On these, we can model checkall existential and universal formulas of the µ-calculus (and of branching temporallogics). A formula is existential (resp. universal) if it is in positive normal form(i.e., negations occur only in front of atomic propositions) and contains only exis-tential (resp. universal) path quantifiers. Infinite-state systems of the third classhave finite trace-equivalence quotients. On these, all ω-regular properties, expressedby Buchi automata or linear temporal-logic formulas, can be model checked. Thefourth class constitute systems with finite distance-equivalence quotients. Distanceequivalence distinguishes two states u and v if there is an observable p and a num-ber n, such that from u a state satisfying p can be reached in n transitions, butfrom v no p-state can be reached in exactly n transitions. On systems with finitedistance-equivalence quotients, we can model check the existential conjunction-freeand universal disjunction-free formulas of the µ-calculus. Finally, the fifth classcontains systems with finite bounded-reachability quotients. Bounded-reach equiv-alence distinguishes two states u and v if there is an observable p and a number n,such that from u a state satisfying p can be reached in n transitions, but from vno p-state can be reached in n or fewer transitions. These are the well-structuredtransition systems of [Finkel and Schnoebelen 1998], and they permit the modelchecking of reachability properties.

This classification provides a syntax-independent way for proving the termina-tion of symbolic model-checking algorithms for infinite-state systems. Examplescan be found from subclasses of hybrid automata: while timed automata fall intothe first class (finite bisimilarity [Alur and Dill 1994]), two-dimensional rectangularautomata fall into the second class (finite similarity [Henzinger et al. 1995]), higher-dimensional rectangular automata fall into the third class (finite trace equivalence[Henzinger et al. 1998; Henzinger and Kopke 1996]), and networks of timed andrectangular automata fall into the fifth class (finite bounded reachability [Abdullaand Jonsson 1998]). While in each of these four specific cases, termination of thesymbolic approach has been proved individually [Henzinger et al. 1994; Henzingeret al. 1995; Henzinger and Majumdar 2000; Abdulla and Jonsson 1998], in this pa-per we provide termination proofs for symbolic model-checking algorithms for theentire classes 1–5. It should be mentioned that we know of no natural representa-tives for the fourth class of infinite-state systems. However, the closure propertiesof classes 1–3 immediately give rise to a more general class, which, however, doesnot encompass all well-structured transition systems (class 5): bisimilarity classesare closed under Pre, intersection, and difference; similarity classes, under Preand intersection; trace-equivalence classes, under Pre and intersection with observ-



ables; distance-equivalence classes, under Pre only. This motivates the definitionof class 4.

2. SYMBOLIC TRANSITION SYSTEMS

We say that a transition system is “symbolic” if it comes equipped with an algebraof regions which permits the effective computation of certain operations on regions.

Definition: Symbolic transition system. A symbolic transition system S =(Q, δ,R, p·q, P ) consists of a (possibly infinite) set Q of states, a (possibly nondeter-ministic) transition function δ : Q→ 2Q which maps each state to a set of successorstates, a (possibly infinite) set R of regions, an extension function p·q : R → 2Q

which maps each region to a set of contained states, and a finite set P ⊆ R ofobservables, such that the following six conditions are satisfied:

(1) The set P of observables covers the state space Q; that is,⋃

{ppq | p ∈ P} = Q.Moreover, for each observable p ∈ P , there is a complementary observable p ∈ Psuch that ppq = Q \ ppq.

(2) For each region σ ∈ R, there is a region Pre(σ) ∈ R such that

pPre(σ)q = {u ∈ Q | (∃v ∈ δ(u) : v ∈ σ)};

furthermore, the function Pre : R → R is computable.

(3) For each pair σ, τ ∈ R of regions, there is a region And(σ, τ) ∈ R such thatpAnd(σ, τ)q = pσq ∩ pτq; furthermore, the function And : R × R → R iscomputable.

(4) For each pair σ, τ ∈ R of regions, there is a region Diff (σ, τ) ∈ R such thatpDiff (σ, τ)q = pσq\pτq; furthermore, the function Diff : R × R → R is com-putable.

(5) All emptiness questions about regions can be decided; that is, there is a com-putable function Empty : R → B such that Empty(σ) iff pσq = ∅.

(6) All membership questions about regions can be decided; that is, there is acomputable function Member : Q×R → B such that Member (u, σ) iff u ∈ pσq.

The tuple RS = (P ,Pre ,And ,Diff ,Empty) is called the region algebra of S.

Remark: Abstract interpretation. In a symbolic transition system, the seman-tics is lifted from individual states to sets of states. Hence the region algebra of asymbolic transition system can be viewed as the collecting semantics (in the senseof abstract interpretation [Cousot and Cousot 1977]) of the concrete semantics ofthe transition system.

Remark: Duality. We take an existential view of symbolic transition systems.The dual, universal view requires (1)

⋂

{ppq | p ∈ P} = ∅, (2–4) closure of R undercomputable functions Pre , And , and Diff such that

pPre(σ)q = {u ∈ Q | (∀v ∈ δ(u) : v ∈ σ)},

pAnd(σ, τ)q = pσq ∪ pτq, and pDiff (σ, τ)q = Q\pDiff (τ, σ)q, and (5) a com-putable function Empty for deciding all universality questions about regions (thatis, Empty(σ) iff pσq = Q). The tuple RS = (P,Pre ,And ,Diff ,Empty) is the dual



region algebra of S. All results of this paper have an alternative, dual formula-tion.

2.1 Example: Polyhedral Hybrid Automata

A polyhedral hybrid automaton H of dimension m, for a positive integer m, consistsof the following components [Alur et al. 1996]:

Continuous variables. A set X = {x1, . . . , xm} of real-valued variables. We writeX for the set {x1, . . . , xm} of dotted variables (which represent first derivativesduring continuous change), and we write X ′ for the set {x′1, . . . , x

′m} of primed

variables (which represent values at the conclusion of discrete change). A linearconstraint over X is an expression of the form k0 ∼ k1x1 + · · · + kmxm, where∼∈ {<,≤,=,≥, >} and k0, . . . , km are integer constants. A linear predicate overX is a boolean combination of linear constraints over X . Let Lm(X) be the setof linear predicates over X . Given a predicate φ over X , and a valuation x ∈ Rm

for the variables in X , we write φ[X := x] for the truth value that results fromevaluating φ at x.

Discrete locations. A finite, directed multigraph (V,E). The vertices in V arecalled locations ; the edges in E are called jumps.

Invariant and flow conditions. Two vertex-labeling functions inv and flow . Foreach location v ∈ V , the invariant condition inv (v) is a conjunction of linear con-straints over X , and the flow condition flow (v) is a conjunction of linear constraintsover X. While the automaton control resides in location v, the variables may evolveaccording to flow (v) as long as inv(v) remains true.

Update conditions. An edge-labeling function update. For each jump e ∈ E, theupdate condition update(e) is a conjunction of linear constraints over X ∪X ′. Thepredicate update(e) relates the possible values of the variables at the beginning ofthe jump (represented byX) and at the conclusion of the jump (represented by X ′).

The polyhedral hybrid automaton H is a rectangular automaton [Henzinger et al.1998] if

—all linear constraints that occur in invariant conditions of H have theform x ∼ k, for x ∈ X and k ∈ Z;

—all linear constraints that occur in flow conditions of H have the formx ∼ k, for x ∈ X and k ∈ Z;

—all linear constraints that occur in jump conditions of H have the formx ∼ k or x′ = x or x′ ∼ k, for x ∈ X and k ∈ Z;

—if e is a jump from location v to location v′, and update(e) containsthe conjunct x′ = x, then both flow (v) and flow(v′) contain the sameconstraints on x.

The rectangular automaton H is a singular automaton if each flow condition ofH has the form x1 = k1 ∧ . . . ∧ xm = km. The singular automaton H is a timedautomaton [Alur and Dill 1994] if each flow condition of H has the form x1 =1 ∧ . . . ∧ xm = 1.

The polyhedral hybrid automaton H defines the symbolic transition system SH =(QH , δH , RH , p·qH , PH) with the following components:



—QH = V × Rm; that is, every state (v,x) consists of a location v (the discretecomponent of the state) and values x for the variables in X (the continuouscomponent).

—(v′,x′) ∈ δH(v,x) if either (1) there is a jump e ∈ E from v to v′ such thatupdate(e)[X,X ′ := x,x′] is true, or (2) v′ = v and there is a real ∆ ≥ 0 and adifferentiable function f : [0,∆] → Rm with first derivative f such that f(0) =x and f(∆) = x′, and for all reals ε ∈ (0,∆), both inv(v)[X := f(ε)] andflow(v)[X := f(ε)] are true. In case (2), the function f is called a flow function.

—RH = V × Lm(X); that is, every region (v, φ) consists of a location v (thediscrete component of the region) and a linear predicate φ overX (the continuouscomponent).

—p(v, φ)qH = {(v,x) | x ∈ Rm and φ[X := x] is true}; that is, the extensionfunction maps the continuous component φ of a region to the valuations for thevariables in X which satisfy the predicate φ. Consequently, the extension of everyregion consists of a location and a polyhedral subset of Rm.

—PH = V × {true}; that is, only the discrete component of a state is observable.

It requires some work to see that SH is indeed a symbolic transition system. First,notice that the linear predicates overX are closed under all boolean operations, andthat satisfiability is decidable for the linear predicates. Second, the Pre operator iscomputable on RH , because all flow functions can be replaced by straight lines [Aluret al. 1996].

2.2 Background Definitions

The symbolic transition systems are a special case of transition systems. A transi-tion system S = (Q, δ, ·, p·q, P ) has the same components as a symbolic transitionsystem, except that no regions are specified and the extension function is definedonly for the observables (that is, p·q : P → 2Q).

State equivalences. A state equivalence ∼= is a family of relations which containsfor each transition system S an equivalence relation ∼=S on the states of S. The∼= equivalence problem for a class C of transition systems asks, given two statesu and v of a transition system S from the class C, whether u ∼=S v. The stateequivalence ∼=a is as coarse as the state equivalence ∼=b if u ∼=S

b v implies u ∼=Sa v for

all transition systems S. The equivalence ∼=a is coarser than ∼=b if ∼=a is as coarseas ∼=b, but ∼=b is not as coarse as ∼=a. Given a transition system S = (Q, δ, ·, p·q, P )and a state equivalence ∼=, the quotient system is the transition system S/∼= =(Q/∼=, δ/∼=, ·, p·q/∼=, P ) with the following components:

—the states in S/∼= are the equivalence classes of ∼=S ;—τ ∈ δ/∼=(σ) if there is a state u ∈ σ and a state v ∈ τ such that

v ∈ δ(u);—σ ∈ ppq/∼= if there is a state u ∈ σ such that u ∈ ppq.

The quotient construction is of particular interest to us when it transforms aninfinite-state system S into a finite-state system S/∼=.

State logics. A state logic L is a logic whose formulas are interpreted over thestates of transition systems; that is, for every L-formula ϕ and every transition



system S, there is a set [[ϕ]]S of states of S which satisfy ϕ. The L model-checkingproblem for a class C of transition systems asks, given an L-formula ϕ and a state uof a transition system S from the class C, whether u ∈ [[ϕ]]S . Two formulas ϕ and ψof state logics are equivalent if [[ϕ]]S = [[ψ]]S for all transition systems S. The statelogic La is as expressive as the state logic Lb if for every Lb-formula ϕ, there is anLa-formula ψ which is equivalent to ϕ. The logics La and Lb are equally expressiveif La is as expressive as Lb, and Lb is as expressive as La. The logic La is moreexpressive than Lb if La is as expressive as Lb, but Lb is not as expressive as La.

Every state logic L induces a state equivalence, denoted ∼=L: for all states u andv of a transition system S, define u ∼=S

L v if for all L-formulas ϕ, we have u ∈ [[ϕ]]S iffv ∈ [[ϕ]]S . We say that the state logic L preserves the state equivalence ∼= if ∼=L is ascoarse as ∼=, and L defines ∼= over a class C of transition systems if ∼=S

L coincides with∼=S for all transition systems S in C. The state logic L admits abstraction if for everyL-formula ϕ and every transition system S, we have [[ϕ]]S =

⋃

{σ | σ ∈ [[ϕ]]S/∼=L};that is, a state u of S satisfies an L-formula ϕ iff the ∼=L equivalence class of usatisfies ϕ in the quotient system. Consequently, if L admits abstraction, thenevery L model-checking question on a transition system S can be reduced to anL model-checking question on the induced quotient system S/∼=L . Below, we shallrepeatedly prove the L model-checking problem for a class C of transition systemsto be decidable by observing that for every transition system S from C, the quotientsystem S/∼=L has finitely many states and can be constructed effectively.

Symbolic semi-algorithms. A symbolic semi-algorithm takes as input the regionalgebra RS = (P , Pre , And , Diff , Empty) of a symbolic transition system S =(Q, δ,R, p·q, P ), and generates regions in R using the operations P , Pre, And , Diff ,and Empty . Depending on the input S, a symbolic semi-algorithm on S may ormay not terminate. The dual of a symbolic semi-algorithm is obtained by replacingthe operators Pre , And , Diff , and Empty with their duals Pre , And , Diff , andEmpty , respectively.

2.3 Preview

In sections 3–7 of this paper, we shall define five increasingly comprehensive classesSTS1–STS5 of symbolic transition systems. In each case i ∈ {1, . . . , 5}, we willproceed in four steps:

1 Definition: Finite characterization. We give a state equivalence ∼=i anddefine the class STS(i) to contain precisely the symbolic transition systems S forwhich the equivalence relation ∼=S

i has finite index (i.e., there are finitely many ∼=Si

equivalence classes). Each state equivalence ∼=i is coarser than its predecessor ∼=i−1,which implies that STS(i− 1) ( STS(i) for i ∈ {2, . . . , 5}.

2 Algorithmics: Symbolic state-space exploration. We give a symbolic semi-algorithm Ai that terminates precisely on the symbolic transition systems in theclass STS(i). This provides an operational characterization of the class STS(i)which is equivalent to the denotational definition of STS(i). The symbolic semi-algorithm Ai is called a closure semi-algorithm, because it closes the finite setP of observables under certain operations. The termination of the closure semi-algorithm Ai is proved by observing that, if given the region algebra of a symbolic



transition system S as input, then the extensions of all regions generated by Aiare ∼=S

i blocks (i.e., unions of ∼=Si equivalence classes). If S is in the class STS(i),

then there are only finitely many ∼=Si blocks, and the closure semi-algorithm Ai

terminates upon having constructed a representation of the quotient system S/∼=i .The closure semi-algorithm Ai can therefore be used to decide the ∼=i equivalenceproblem for the class STS(i) of symbolic transition systems.

3 Verification: Decidable properties. We give a state logic Li which admitsabstraction and defines the state equivalence ∼=i over the class STS(i) of symbolictransition systems. Since the finite ∼=i quotient can be constructed effectively usingthe closure semi-algorithm Ai, it follows that the Li model-checking problem forthe class STS(i) is decidable. However, model-checking algorithms that rely on theexplicit construction of quotient systems are usually impractical. Hence, we alsopresent a symbolic semi-algorithm Bi that, given the region algebra of a symbolictransition system S from STS(i), and an Li-formula ϕ, computes the region [[ϕ]]S .The symbolic semi-algorithm Bi is called a model-checking semi-algorithm, becauseit directly solves all Li model-checking questions for the class STS(i). The termina-tion of the model-checking semi-algorithm Bi is proved by observing that Bi nevergenerates any regions that are not generated by the closure semi-algorithm Ai.However, for a given system S and formula ϕ, the model-checking semi-algorithmBi often generates fewer regions than the closure semi-algorithm Ai and is thuspreferable in practice.

4 Example: Hybrid systems. The interesting members of the class STS(i)are those symbolic transition systems which have infinitely many states. In fourout of the five cases STS1–STS5, following [Henzinger 1996], we provide certainkinds of polyhedral hybrid automata as examples. In this way, we obtain uniformdecidability proofs and uniform symbolic model-checking algorithms for severalclasses of hybrid automata.

3. CLASS-1 SYMBOLIC TRANSITION SYSTEMS

The class-1 systems are characterized by finite bisimilarity quotients. The regionalgebra of a class-1 system has a finite subalgebra that contains the observables andis closed under Pre , And , and Diff operations. This enables the model checking ofall µ-calculus properties. Infinite-state examples of class-1 systems are provided bythe singular hybrid automata, and by the bakery protocol for mutual exclusion.

3.1 Finite Characterization: Bisimilarity

Definition: Bisimilarity. Let S = (Q, δ, ·, p·q, P ) be a transition system. Abinary relation � on the state space Q is a simulation on S [Milner 1971] if u � vimplies the following two conditions:

1. For each observable p ∈ P , we have u ∈ ppq iff v ∈ ppq.2. For each state u′ ∈ δ(u), there is a state v′ ∈ δ(v) such that u′ � v′.

Two states u, v ∈ Q are bisimilar, denoted u ∼=S1 v, if there is a symmetric simulation

� on S such that u � v. The state equivalence ∼=1 is called bisimilarity.

Definition: Class STS1. A symbolic transition system S belongs to the classSTS1 if the bisimilarity relation ∼=S

1 has finite index.



Symbolic semi-algorithm Closure1

Input: a region algebra R = (P,Pre ,And ,Diff ,Empty).

T0 := P ;for i = 0, 1, 2, . . . do

Ti+1 := Ti∪ {Pre(σ) | σ ∈ Ti}∪ {And(σ, τ) | σ, τ ∈ Ti}∪ {Diff (σ, τ) | σ, τ ∈ Ti}

until pTi+1q ⊆ pTiq.

The termination test pTi+1q ⊆ pTiq, which is shorthand for {pσq | σ ∈ Ti+1} ⊆ {pσq |σ ∈ Ti}, is decided as follows: for each region σ ∈ Ti+1 check that there is a region τ ∈ Tisuch that both Empty(Diff (σ, τ)) and Empty(Diff (τ, σ)).

Fig. 1. Partition refinement.

3.2 Symbolic State-Space Exploration: Partition Refinement

The bisimilarity relation of a finite-state system can be computed by partition re-finement [Kanellakis and Smolka 1990]. The symbolic semi-algorithm Closure1 ofFigure 1 applies this method to infinite-state systems [Bouajjani et al. 1990; Hen-zinger 1995]. The semi-algorithm Closure1 inductively constructs regions, startingfrom the observables, by applying the three operations Pre , And , and Diff . Itterminates when no new regions are generated. Suppose that the input given toClosure1 is the region algebra of a symbolic transition system S = (Q, δ,R, p·q, P ).Then each Ti, for i ≥ 0, is a finite set of regions; that is, Ti ⊆ R. By inductionit is easy to check that for all i ≥ 0, the extension of every region in Ti is a ∼=S

1

block. Thus, if ∼=S1 has finite index, then Closure1 terminates. Conversely, suppose

that Closure1 terminates with pTi+1q ⊆ pTiq. From the definition of bisimilarity itfollows that if for each region σ ∈ Ti, we have u ∈ pσq iff v ∈ pσq, then u ∼=S

1 v.This implies that ∼=S

1 has finite index.

Theorem 1A For all symbolic transition systems S, the symbolic semi-algorithmClosure1 terminates on the region algebra RS iff S belongs to the class STS1.

Corollary 1A The ∼=1 (bisimilarity) equivalence problem is decidable for the classSTS1 of symbolic transition systems.

3.3 Decidable Properties: Branching Time

Definition: µ-calculus. The formulas of the µ-calculus [Kozen 1983] are gener-ated by the grammar2

ϕ ::= p | p | x | ϕ ∨ ϕ | ϕ ∧ ϕ | ∃© ϕ | ∀© ϕ | (µx : ϕ) | (νx : ϕ),

for constants p from some set Π, and variables x from some set X . The © con-structor is a “next-state” modality; the µ and ν constructors are least and greatestfixpoint quantifiers. Let S = (Q, δ, ·, p·q, P ) be a transition system whose observ-ables include all constants; that is, Π ⊆ P . Let E : X → 2Q be a mapping fromthe variables to sets of states. We write E [x 7→ ρ] for the mapping that agrees with

2We define all formulas to be in positive normal form, where only constants are negated.



E on all variables, except that x ∈ X is mapped to ρ ⊆ Q. Given S and E , everyformula ϕ of the µ-calculus defines a set [[ϕ]]S,E ⊆ Q of states:

[[p]]S,E = ppq;[[p]]S,E = Q\ppq;[[x]]S,E = E(x);[[ϕ1

{

∨

∧

}

ϕ2]]S,E = [[ϕ1]]S,E{

∪

∩

}

[[ϕ2]]S,E ;

[[{

∃

∀

}

© ϕ]]S,E = {u ∈ Q | ({

∃

∀

}

v ∈ δ(u) : v ∈ [[ϕ]]S,E )};

[[{

µν

}

x : ϕ]]S,E ={

∩

∪

}

{ρ ⊆ Q | ρ = [[ϕ]]S,E[x7→ρ]}.

A variable x is called free in a formula ϕ if there is an occurrence of x in ϕ thatis not in the scope of some µx or νx. A µ-calculus formula is closed if it has nofree variables. If we restrict ourselves to the closed formulas of the µ-calculus, thenwe obtain a state logic, denoted Lµ1 : the state u ∈ Q satisfies the Lµ1 -formula ϕ ifu ∈ [[ϕ]]S,E for any variable mapping E ; that is, [[ϕ]]S = [[ϕ]]S,E for any and all E .

Remark: Duality. For every Lµ1 -formula ϕ, the dual Lµ1 -formula ϕ is obtainedby replacing the constructors p, p, ∨, ∧, ∃©, ∀©, µ, and ν by p, p, ∧, ∨, ∀©, ∃©,ν, and µ, respectively. Then, [[ϕ]]S = Q\[[ϕ]]S . It follows that the answer of themodel-checking question for a state u ∈ Q and an Lµ1 -formula ϕ is complementaryto the answer of the model-checking question for u and the dual formula ϕ.

The following facts about the distinguishing and expressive powers of the µ-calculusare well-known. First, Lµ1 preserves ∼=1 (bisimilarity); indeed, the state equivalencedefined by Lµ1 over the class STS1 of symbolic transition systems with finite bisim-ilarity quotients is exactly ∼=1 [Browne et al. 1988]. Second, Lµ1 is very expressive(see [Janin and Walukiewicz 1996] for a characterization); in particular, Lµ1 is moreexpressive than the temporal logics Ctl and Ctl∗ [Emerson 1990], which like Lµ1define bisimilarity over the STS1 systems. Third, Lµ1 admits abstraction [Alur andHenzinger 1998] (the proof is by induction on Lµ1 -formulas). It follows that thatthe Lµ1 model-checking problem is decidable for the STS1 systems. However, wenow present a model-checking algorithm for Lµ1 over STS1 systems which avoidsthe construction of bisimilarity quotients.

The definition of Lµ1 naturally suggests a model-checking algorithm for finite-statesystems, where each fixpoint can be computed by successive approximation [Emer-son and Lei 1986; Burch et al. 1992]. The symbolic semi-algorithm ModelCheck

of Figure 2 applies this procedure to infinite-state systems. Suppose that the in-put given to ModelCheck is the region algebra of a symbolic transition systemS = (Q, δ,R, p·q, P ), a µ-calculus formula ϕ, and any mapping E : X → 2R fromthe variables to sets of regions. Then for each recursive call of ModelCheck, each Ti,for i ≥ 0, is a finite set of regions from R, and each recursive call returns a fi-nite set of regions from R. It is easy to check that all of these regions are alsogenerated by the semi-algorithm Closure1 on input RS . Thus, if Closure1 termi-nates, then so does ModelCheck. Furthermore, if it terminates, then ModelCheck

returns a set [ϕ]E ⊆ R of regions such that⋃

{pσq | σ ∈ [ϕ]E} = [[ϕ]]S,E , whereE(x) =

⋃

{pσq | σ ∈ E(x)} for all x ∈ X . In particular, if ϕ is closed, then a stateu ∈ Q satisfies ϕ iff Member (u, σ) for some region σ ∈ [ϕ]E .

Theorem 1B For all symbolic transition systems S in STS1 and every Lµ1 -formula ϕ,



Symbolic semi-algorithm ModelCheck

Input: a region algebra R = (P,Pre,And ,Diff ,Empty), a formula ϕ ∈ Lµ1 ,

and a mapping E with domain X.

Output: [ϕ]E :=if ϕ = p then return {p};if ϕ = p then return {Diff (q, p) | q ∈ P};if ϕ = x then return E(x);if ϕ = (ϕ1 ∨ ϕ2) then return [ϕ1]E ∪ [ϕ2]E ;if ϕ = (ϕ1 ∧ ϕ2) then

return {And(σ, τ) | σ ∈ [ϕ1]E and τ ∈ [ϕ2]E};if ϕ = ∃© ϕ′ then return {Pre(σ) | σ ∈ [ϕ′]E};if ϕ = ∀© ϕ′ then return P\\{Pre(σ) | σ ∈ (P\\[ϕ′]E)};if ϕ = (µx : ϕ′) then

T0 := ∅;for i = 0, 1, 2, . . . do

Ti+1 := [ϕ′]E[x7→Ti]

untilS

{pσq | σ ∈ Ti+1} ⊆S

{pσq | σ ∈ Ti};return Ti;

if ϕ = (νx : ϕ′) then

T0 := P ;for i = 0, 1, 2, . . . do

Ti+1 := [ϕ′]E[x7→Ti]

untilS

{pσq | σ ∈ Ti+1} ⊇S

{pσq | σ ∈ Ti};return Ti.

The pairwise-difference operation T\\T ′ between two finite sets T and T ′ of regions iscomputed inductively as follows:

T\\∅ = T ;T\\({τ} ∪ T ′) = {Diff (σ, τ) | σ ∈ T}\\T ′.

The termination testS

{pσq | σ ∈ T} ⊆S

{pσq | σ ∈ T ′} is decided by checking thatEmpty(σ) for each region σ ∈ (T\\T ′).

Fig. 2. Model checking.

the symbolic semi-algorithm ModelCheck terminates on the region algebra RS andthe input formula ϕ.

Corollary 1B The Lµ1 model-checking problem is decidable for the class STS1 ofsymbolic transition systems.

Remark: Duality. Model checking of Lµ1 -formulas on STS1 systems can alsobe performed by the dual of the semi-algorithm ModelCheck. Suppose that theinput given to the dual semi-algorithm ModelCheck is the dual region algebra of asymbolic transition system S = (Q, δ,R, p·q, P ), and the Lµ1 -formula ϕ. If S belongsto the class STS1, then ModelCheck terminates with the output T ⊆ R such that[[ϕ]]S =

⋂

{pσq | σ ∈ T}.

3.4 Example: The Bakery Protocol

Consider the 2-process bakery protocol [Lamport 1974] for mutual exclusion, whichis presented as a collection of guarded commands in Figure 3. The program countersof the two processes, pc1 and pc2, each range over three locations: pci = N ifprocess i is not in its critical section; pci = W if process i is waiting to enter its



var pc1, pc2 : {N,W,C}var y1, y2 : N

[] pc1 = N → pc1, y1 := W,y2 + 1[] pc1 = W ∧ (y2 = 0 ∨ y1 ≤ y2) → pc1 := C

[] pc1 = C → pc1, y1 := N, 0

[] pc2 = N → pc2, y2 := W,y1 + 1[] pc2 = W ∧ (y1 = 0 ∨ y2 < y1) → pc2 := C

[] pc2 = C → pc2, y2 := N, 0

Fig. 3. The 2-process bakery protocol.

critical section; and pci = C if process i is in its critical section. The protocol usestwo variables y1 and y2, which range over the natural numbers and represent the“tokens” of the two processes. A state of the protocol, therefore, is a quadrupleof values in {N,W,C}2 × N2. The observables are the boolean formulas over theprogram counters, in particular, the observable pinit = (pc1 = N ∧ pc2 = N) is theinitial region, and qmutex = (pc1 = C ∧ pc2 = C) is the region that violates mutualexclusion. The values of the tokens are not observable.

The bisimilarity relation of this infinite-state system has finite index. To seethis, define the binary relation ≈ on states as follows: for all states u and v,let u ≈ v iff (1) u(pci) = v(pci) for i = 1, 2; (2) u(yi) = 0 iff v(yi) = 0 fori = 1, 2; and (3) u(y1) ≤ u(y2) iff v(y1) ≤ v(y2), where u(x) denotes the value ofvariable x in state u. By a simple case enumeration, it can be checked that ≈ is abisimulation (i.e., a symmetric simulation). Moreover, the relation has finite index(the number of equivalence classes is 72). Thus, the 2-process bakery protocolis in STS1. By Theorem 1A, the closure semi-algorithm Closure1 terminates onthe region algebra of the protocol. By Theorem 1B, the model-checking semi-algorithm ModelCheck terminates as well for all Lµ1 -formulas. In particular, theregion [[pinit ∧ (µx : qmutex ∨ ∃© x)]] can be computed to be empty in a finitenumber of steps. This proves that there is no sequence of transitions that leadsfrom an initial state to a state that violates mutual exclusion; thus the protocolguarantees mutual exclusion.

3.5 Example: Singular Hybrid Automata

The fundamental theorem of timed automata [Alur and Dill 1994] shows that forevery timed automaton, the (time-abstract) bisimilarity relation has finite index.The proof can be extended to the singular automata [Alur et al. 1995]. It followsthat the symbolic semi-algorithm ModelCheck, which has been implemented forpolyhedral hybrid automata in the tool HyTech [Henzinger et al. 1995], decidesall Lµ1 model-checking questions for singular automata. The singular automataform a maximal class of hybrid automata in STS1. This is because there is a2D (two-dimensional) rectangular automaton whose bisimilarity relation is stateequality [Henzinger 1995].

Theorem 1C The singular automata belong to the class STS1. There is a 2Drectangular automaton that does not belong to STS1.





T0 := P ;for i = 0, 1, 2, . . . do

Ti+1 := Ti∪ {Pre(σ) | σ ∈ Ti}∪ {And(σ, τ) | σ, τ ∈ Ti}


The termination test pTi+1q ⊆ pTiq is decided as in Figure 1.

Fig. 4. Intersection refinement.


The class-2 systems are characterized by finite similarity quotients. The regionalgebra of a class-2 system has a finite subalgebra that contains the observablesand is closed under Pre and And operations. This enables the model checking ofall existential and universal µ-calculus properties. Infinite-state examples of class-2systems are provided by the 2D rectangular hybrid automata.

4.1 Finite Characterization: Similarity

Definition: Similarity. Let S be a transition system. Two states u and v of Sare similar, denoted u ∼=S

2 v, if there are two simulations �1 and �2 on S such thatu �1 v and v �2 u. The state equivalence ∼=2 is called similarity.

Definition: Class STS2. A symbolic transition system S belongs to the classSTS2 if the similarity relation ∼=S

2 has finite index.

Since similarity is coarser than bisimilarity [van Glabbeek 1990], the class STS2 ofsymbolic transition systems is a proper extension of STS1.

4.2 Symbolic State-Space Exploration: Intersection Refinement

The symbolic semi-algorithm Closure2 of Figure 4 is an abstract version of themethod presented in [Henzinger et al. 1995] for computing the similarity relation ofan infinite-state system. A different algorithm for computing simulation quotientsis given in [Bustan and Grumberg 2003]. Suppose that the input given to Closure2

is the region algebra of a symbolic transition system S = (Q, δ,R, p·q, P ). Giventwo states u, v ∈ Q, we say that v simulates u if u � v for some simulation � on S.For i ≥ 0 and u ∈ Q, define

Simi(u) =⋂

{pσq | σ ∈ Ti and u ∈ pσq},

where the set Ti of regions is computed by Closure2. By induction it is easy tocheck that for all i ≥ 0, if v simulates u, then v ∈ Sim i(u). Thus, the extensionof every region in Ti is a ∼=S

2 block, and if ∼=S2 has finite index, then Closure2

terminates. Conversely, suppose that Closure2 terminates with pTi+1q ⊆ pTiq.From the definition of simulations it follows that if v ∈ Sim i(u), then v simulates u.This implies that ∼=S

2 has finite index.

Theorem 2A For all symbolic transition systems S, the symbolic semi-algorithm



Closure2 terminates on the region algebra RS iff S belongs to the class STS2.

Corollary 2A The ∼=2 (similarity) equivalence problem is decidable for the classSTS2 of symbolic transition systems.

4.3 Decidable Properties: Negation-free Branching Time

Definition: Negation-free µ-calculus. The negation-free µ-calculus consists ofthe µ-calculus formulas that are generated by the grammar

ϕ ::= p | x | ϕ ∨ ϕ | ϕ ∧ ϕ | ∃© ϕ | (µx : ϕ) | (νx : ϕ),

for constants p ∈ Π and variables x ∈ X . The state logic Lµ2 consists of the closed

formulas of the negation-free µ-calculus. The state logic Lµ2 consists of the duals ofall Lµ2 -formulas.

The following facts about the distinguishing and expressive powers of the negation-free µ-calculus and its dual are well-known. First, both Lµ2 and Lµ2 preserve ∼=2

(similarity); indeed, the state equivalence defined by Lµ2 (respectively, Lµ2 ) overthe class STS2 of symbolic transition systems with finite similarity quotients isexactly ∼=2 [Loiseaux et al. 1995]. Therefore the µ-calculus Lµ1 with negation is more

expressive than either Lµ2 or Lµ2 . Second, the negation-free µ-calculus Lµ2 is moreexpressive than the existential fragments of Ctl and Ctl∗ [Emerson 1990], which

also define similarity over the STS2 systems. The dual logic Lµ2 is more expressivethan the universal fragments of Ctl and Ctl∗, which again define similarity overthe STS2 systems. Third, both Lµ2 and Lµ2 admit abstraction [Alur and Henzinger

1998]. It follows that the Lµ2 and Lµ2 model-checking problems are decidable forthe STS2 systems. However, we now show that the procedure ModelCheck fromFigure 2 decides the model-checking problems for Lµ2 and Lµ2 over STS2 systemswithout constructing similarity quotients.

If we apply the symbolic semi-algorithm ModelCheck to the region algebra of asymbolic transition system S and an input formula from Lµ2 , then the cases ϕ = pand ϕ = ∀© ϕ′ are never executed. It follows that all regions which are generatedby ModelCheck are also generated by the semi-algorithm Closure2 on input RS .Thus, if Closure2 terminates, then so does ModelCheck.

Theorem 2B For all symbolic transition systems S in STS2 and every Lµ2 -formula ϕ,the symbolic semi-algorithm ModelCheck terminates on the region algebra RS andthe input formula ϕ.

Corollary 2B The Lµ2 and Lµ2 model-checking problems are decidable for the classSTS2 of symbolic transition systems.

4.4 Example: 2D Rectangular Hybrid Automata

For every 2D rectangular automaton, the (time-abstract) similarity relation hasfinite index [Henzinger et al. 1995]. It follows that the symbolic semi-algorithm

ModelCheck, as implemented in HyTech, decides all Lµ2 and Lµ2 model-checkingquestions for 2D rectangular automata. The 2D rectangular automata form a max-imal class of hybrid automata in STS2. This is because there is a 3D rectangularautomaton whose similarity relation is state equality [Henzinger and Kopke 1996].



Theorem 2C The 2D rectangular automata belong to the class STS2. There is a3D rectangular automaton that does not belong to STS2.


The class-3 systems are characterized by finite trace-equivalence quotients. Theregion algebra of a class-3 system has a finite subalgebra that contains the observ-ables and is closed under Pre operations and those And operations for which one ofthe two arguments is an observable. This enables the model checking of all lineartemporal properties. Infinite-state examples of class-3 systems are provided by therectangular hybrid automata.

5.1 Finite Characterization: Traces

Definition: Trace equivalence. Let S = (Q, δ, ·, p·q, P ) be a transition system.A trajectory of S is a finite sequence θ = u0u1 . . . un of states ui ∈ Q such thatui+1 ∈ δ(ui) for all 0 ≤ i < n. The first state u0 is called the source of thetrajectory θ, the last state un is its sink, and the length of the trajectory is n.An observation is a set of observables. Every state u ∈ Q induces an observation,denoted by 〈〈u〉〉 = {p ∈ P | u ∈ ppq}. A trace from state u is a finite sequenceof observations which is induced by some trajectory with source u; that is, ϑ =π0π1 . . . πn is a trace from u ∈ Q if there exists a trajectory u0u1 . . . un of S suchthat (1) u0 = u and (2) 〈〈ui〉〉 = πi for all 0 ≤ i ≤ n. The observables in thelast observation πn are called the targets of the trace ϑ, and its length is n. Twostates u, v ∈ Q are trace equivalent, denoted u ∼=S

3 v, if every trace from u is a tracefrom v, and vice versa. The state equivalence ∼=3 is called trace equivalence.

Definition: Class STS3. A symbolic transition system S belongs to the classSTS3 if the trace-equivalence relation ∼=S

3 has finite index.

Since trace equivalence is coarser than similarity [van Glabbeek 1990], the classSTS3 of symbolic transition systems is a proper extension of STS2.

5.2 Symbolic State-Space Exploration: Observation Refinement

Trace equivalence can be characterized operationally by the symbolic semi-algorithmClosure3 of Figure 5. Suppose that the input given to Closure3 is the region algebraof a symbolic transition system S = (Q, δ,R, p·q, P ). By induction it is easy tocheck that for all i ≥ 0, the extension of every region in Ti is a ∼=S

3 block. Thus,if ∼=S

3 has finite index, then Closure3 terminates. Conversely, suppose that Closure3

terminates with pTi+1q ⊆ pTiq. Suppose further that there are two states u, v ∈ Qand a trace π0π1 . . . πn from u which is not a trace from v. For 1 ≤ j ≤ n, let πj bethe region that results from conjoining by And the observables in the finite set πj(note that for every observable p ∈ P , either p ∈ πj or p ∈ πj). Then Ti containsthe region And(π0,Pre(And(π1,Pre(· · · ,And(πn−1,Pre(πn)))))), which contains ubut not v. It follows that if for each region σ ∈ Ti, we have u ∈ pσq iff v ∈ pσq,then u ∼=S

3 v. This implies that ∼=S3 has finite index.






T0 := P ;for i = 0, 1, 2, . . . do

Ti+1 := Ti∪ {Pre(σ) | σ ∈ Ti}∪ {And(σ, p) | σ ∈ Ti and p ∈ P}



Fig. 5. Observation refinement.

pp

p p

p

p

p

p

. . .

vu

Fig. 6. Trace equivalence does not imply ω-trace equivalence.

Corollary 3A The ∼=3 (trace) equivalence problem is decidable for the class STS3

of symbolic transition systems.

Remark: Infinite traces. We have defined trace equivalence based on finitetraces only. An ω-trajectory of S is an infinite sequence u0u1u2 . . . of states suchthat all finite prefixes of θ are trajectories of S. An ω-trace from state u ∈ Q is aninfinite sequence of observations which is induced by some ω-trajectory of S withsource u. Two states u, v ∈ Q are ω-trace equivalent if every trace and ω-trace fromu is also a trace or ω-trace from v, and vice versa. As transition systems may notbe finitely branching, trace equivalence does not imply ω-trace equivalence. To seethis, consider the states u and v of Figure 6, which are trace equivalent but not ω-trace equivalent. This is because u and v agree on all finite traces of the form {p}n,for n ≥ 1, but only u has the ω-trace {p}ω. Note that Algorithm Closure3 does notterminate on the symbolic transition system from Figure 6. The following lemmashows that if Algorithm Closure3 terminates, then trace equivalence and ω-traceequivalence coincide.

Lemma 3a For all states u and v of a symbolic transition system S in the classSTS3, if u ∼=S

3 v, then u and v are ω-trace equivalent.

Proof. Suppose that Algorithm Closure3 terminates, and consider two states u andv that are trace equivalent. We show that every ω-trace from u is also an ω-tracefrom v. Consider an ω-trace ϑ = π0π1π2 . . . from u. By way of contradiction,



suppose that there is no ω-trajectory with source v which induces the ω-trace ϑ.For each n ≥ 1, denote the prefix π0π1 . . . πn of ϑ by ϑn. We build the followingsubtree T of the unfolding of the transition function from state v: the root of Tis 〈v〉; the nodes of T have the form 〈u0u1 . . . un〉, where u0u1 . . . un is a trajectorywith source v which induces the trace ϑn; there is an edge in T from 〈u0u1 . . . un〉to 〈u0u1 . . . un+1〉 if un+1 ∈ δ(un). We say that a node z of T is infinitely reachingif z has a descendant at distance n for all n ≥ 1; and z is infinitely branching if zhas infinitely many immediate descendants (at distance 1). Since u and v are traceequivalent, for each n ≥ 1, there is a trajectory with source v which induces ϑn.It follows that the root of T is infinitely reaching. However, since there is no ω-trajectory with source v which induces ϑ, the tree T has no infinite path. ByKonig’s lemma, T must contain a node z which is both infinitely reaching andinfinitely branching. For each n ≥ 1, there must exist f(n) ≥ n such that z hasan immediate successor 〈. . . uf(n)〉 which is the root of a subtree of height f(n) butnot f(n) + 1. Then Algorithm Closure3 should have separated all states uf(n), forn ≥ 1, into different equivalence classes, and hence could not have terminated.

5.3 Decidable Properties: Linear Time

Definition: Deterministic µ-calculus. The deterministic µ-calculus (also called“L1” in [Emerson et al. 1993]) consists of the µ-calculus formulas that are generatedby the grammar

ϕ ::= p | x | ϕ ∨ ϕ | p ∧ ϕ | ∃© ϕ | (µx : ϕ) | (νx : ϕ),


formulas of the deterministic µ-calculus. The state logic Lµ3 consists of the duals ofall Lµ3 -formulas.

Following [Emerson et al. 2001], we show that Lµ3 has the same expressive poweras existentially interpreted Buchi automata. We recall a few definitions. A Buchiautomaton [Thomas 1990] is a tuple B = (S,Φ,→, s0, F,B), where S is a finite setof states, Φ is a finite input alphabet, → ⊆ S×Φ×S is a labeled transition relation,s0 ∈ S is the start state, F ⊆ S is a set of finite accepting states, and B ⊆ S is a setof Buchi accepting states. The automaton B accepts a finite word w0w1 . . . wn ∈ Φ∗

if there is a finite sequence s0s1 . . . sn+1 of states si ∈ S, beginning from the startstate s0, such that (1) si

wi→si+1 for all 0 ≤ i ≤ n, and (2) sn+1 ∈ F . The automatonB accepts an infinite word w0w1w2 . . . ∈ Φω if there is an infinite sequence s0s1s2 . . .of states, beginning with s0, such that (1) si

wi→si+1 for all i ≥ 0, and (2) si ∈ Bfor infinitely many i ≥ 0. The state logic ∃Buchi has a formula of the form ∃Bfor every Buchi automaton B with Φ = 2Π; that is, each input letter is a set ofconstants. Then, given a transition system S = (Q, δ, ·, p·q, P ) with Π ⊆ P , and astate u ∈ Q, let u ∈ [[∃B]]S if there exist a trace or ω-trace ϑ = π0π1π2 . . . from u,and a finite or infinite word $ = w0w1w2 . . . with the same length as ϑ, such that(1) wi ⊆ πi for all i ≥ 0, and (2) the word $ is accepted by B. If (1) and (2), thenwe say that the trace or ω-trace ϑ is accepted by the Buchi automaton B.

Lemma 3b The state logics Lµ3 and ∃Buchi are equally expressive.

Proof. The proof is based on the following constructions. By induction on thestructure of an Lµ3 -formula ϕ, we can construct a Buchi automaton Bϕ such that ∃Bϕ



is equivalent to ϕ; see [Emerson et al. 2001] for details. Conversely, given a Buchiautomaton B, we construct an Lµ3 -formula ϕB such that for all transition systems S,a state u of S satisfies ϕ iff some trace or ω-trace from u is accepted by Bϕ. LetB = (S,2P ,→, s0, F,B) be a Buchi automaton over the alphabet 2P . For notationalconvenience, we present the formula ϕB in equational form [Cleaveland et al. 1992];it can be easily converted into the standard fixpoint representation by unrolling theequations and binding variables with least and greatest fixpoint quantifiers. For aset π ⊆ P of observables, let π be the conjunction

∧

π of the observables in π. Foreach automaton state s ∈ S, we introduce a variable xs ∈ X . If s ∈ F is a finiteaccepting state, then xs = π. If s 6∈ F , then the equation for xs is

xs =λ

∨

{π ∧ ∃© xs′ | sπ→ s′}

where λ = ν if s ∈ B is a Buchi accepting state, and λ = µ otherwise. The top-levelvariable is xs0 , where s0 is the start state of the automaton. The correctness of theprocedure follows from [Bhat and Cleaveland 1996] (an equivalent construction isgiven in [Dam 1994]).

The state logic ∃Buchi, by its very definition, preserves ω-trace equivalence. More-over, as every finite trace can be specified by a Buchi automaton, over the classSTS3 of symbolic transition systems with finite trace-equivalence quotients, byLemma 3a, the state equivalence defined by ∃Buchi is exactly ∼=3 (trace equiv-alence). By Lemma 3b, it follows that both the deterministic µ-calculus Lµ3 and

its dual Lµ3 also preserve ω-trace equivalence, and the state equivalence defined

by Lµ3 (respectively, Lµ3 ) over the STS3 systems is ∼=3. Therefore the negation-free µ-calculus Lµ2 with unrestricted conjunction is more expressive than Lµ3 , and

Lµ2 is more expressive than Lµ3 . Since Buchi automata are more expressive thanthe linear temporal logic Ltl [Wolper 1983], by Lemma 3b, the deterministic µ-calculus Lµ3 is more expressive than the existential interpretation of Ltl, whichalso defines trace equivalence over the STS3 systems. For example, the existentialLtl formula ∃(pUq) (“on some trace, p until q”) is equivalent to the Lµ3 -formula(µx : q ∨ (p ∧ ∃© x)) (notice that one argument of the conjunction is a constant).

The dual logic Lµ3 is more expressive than the usual, universal interpretation ofLtl, which again defines trace equivalence over the STS3 systems. For example,the universal Ltl formula ∀(pWq) (“on all traces, either p forever, or p until q”)

is equivalent to the Lµ3 -formula (νx : p ∧ ∀© (q ∨ x)) (notice that one argument

of the disjunction is a constant). Finally, both Lµ3 and Lµ3 admit abstraction [Alur

and Henzinger 1998]. It follows that the Lµ3 and Lµ3 model-checking problems aredecidable for the STS3 systems. However, we now show that the procedure Mod-

elCheck from Figure 2 decides the model-checking problems for Lµ3 and Lµ3 overSTS2 systems without constructing trace-equivalence quotients.

If we apply the symbolic semi-algorithm ModelCheck to the region algebra of asymbolic transition system S and an input formula from Lµ3 , then all regions whichare generated by ModelCheck are also generated by the semi-algorithm Closure3 oninput RS . Thus, if Closure3 terminates, then so does ModelCheck.

Theorem 3B For all symbolic transition systems S in STS3 and every Lµ3 -formula ϕ,the symbolic semi-algorithm ModelCheck terminates on the region algebra RS and



the input formula ϕ.


Remark: Ltl model checking. The Ltl model-checking problem for a class C

of transition systems asks, given an existential (respectively, universal) Ltl formula∃ψ (respectively, ∀ψ) and a state u of a transition system from the class C, whethersome (respectively, all) ω-traces from u satisfy ψ [Emerson 1990]. Our results sug-gest a symbolic procedure for Ltl model checking over STS3 systems [Henzingerand Majumdar 2000]. Suppose that S is a symbolic transition system in the classSTS3, and ∃ψ is an existential Ltl formula (for a universal Ltl formula, take thenegation). First, convert ψ into a Buchi automaton Bψ using a tableau construc-tion [Wolper 1983], and then into an equivalent Lµ3 -formula ϕψ in equational form(introduce one variable xs per state s of Bψ, as in the proof of Lemma 3B). Second,run the symbolic semi-algorithm ModelCheck on the inputs RS and ϕψ.3 It willterminate with a representation of the set of states that satisfy ∃ψ in S.

While ModelCheck provides, in this way, a symbolic semi-algorithm for modelchecking Ltl, traditionally a different method has been used for the symbolic modelchecking of Ltl formulas [Clarke et al. 1994]. Given a state u of a finite-state tran-sition system S, and an existential Ltl formula ∃ψ, the model-checking questioncan be answered by constructing the product of S with the tableau automaton Bψ,and then checking the nonemptiness of a Buchi condition on the product structure.A Buchi condition is an Ltl formula of the form 23φ, where φ is a boolean com-bination of observables; therefore Buchi nonemptiness can be checked symbolicallyby evaluating the equivalent Lµ3 -formula

χ = (νx1 : (µx2 : (∃© x2) ∨ (φ ∧ ∃© x1))).

To extend this method to infinite-state systems, we need to be more formal. Let S =(Q, δ,R, p·q, P ) be a symbolic transition system, and let Bψ = (S,2P ,→, s0, ∅, B)be a Buchi automaton. Notice that since we interpret Ltl only over ω-traces, theset F of finite accepting states of the Buchi automaton is empty. The productstructure Sψ = (S ×Q, δψ, S ×R, p·qψ, S × P ) is the following symbolic transitionsystem with state space S × Q, region set S × R, and observable set S × P : theextension p(s, σ)qψ is the set {s}×pσq of states, and (s′, u′) ∈ δψ(s, u) iff (1) s

π→ s′

and u′ ∈ δ(u), and (2) u ∈ ppq for all observables p ∈ π. Since the state space ofthe Buchi automaton Bψ is finite, it is easy to check that Sψ is again a symbolictransition system. Furthermore, for all states u ∈ Q, we have u ∈ [[∃Bψ]]S iff(s0, u) ∈ [[23φ]]Sψ , where φ =

∨

s∈B,p∈P (s, p).Let DirectCheck be the instance of the symbolic semi-algorithm ModelCheck which

evaluates the Lµ3 -formula ϕψ on the region algebra of the symbolic transition sys-tem S, and let ProductCheck be the instance of ModelCheck which evaluates theLµ3 -formula χ on the region algebra of the product structure Sψ. We show that

3In practice, we run a variant of ModelCheck directly on the equational representation of theLµ3 -formula ϕψ [Cleaveland et al. 1992]. This is because in equational form, the size of ϕψ is

linear in the size of the Buchi automaton Bψ (and exponential in the size of the Ltl formula ψ).Conversion of ϕψ into fixpoint representation would involve another exponential.



there is a direct correspondence between the regions computed by ProductCheck

and the regions computed by DirectCheck; in fact, the algorithm DirectCheck mim-ics the evaluation of χ with respect to Sψ . To see this, we first write the formulaχ in equational form as x1 =ν x2 and x2 =µ ((∃© x2) ∨ (φ ∧ ∃© x1)). Now weintroduce two sets of variables, {xs1 | s ∈ S} and {xs2 | s ∈ S}. For j = 1, 2, we usethe variable xsj to track the value of xj on the product structure at the automa-ton state s, that is, at each step, x1 =

∨

{xs1 | s ∈ S} and x2 =∨

{xs2 | s ∈ S}.With these new variables, the equations for χ become xs1 =ν x

s2 for all s ∈ S, and

xs2 =µ

∨

{π ∧ ∃© xs′

1 | sπ→ s′} for all s ∈ B, and xs2 =µ

∨

{π ∧ ∃© xs′

2 | sπ→ s′}

for all s ∈ S\B. The top-level variable is xs01 . From this, it is clear that these twomethods are equivalent in the regions they compute. It follows that ProductCheck

terminates iff DirectCheck does.

Corollary 3B∗ For all symbolic transition systems S in STS3, and every existen-tial Ltl formula ∃ψ, the symbolic semi-algorithm ProductCheck terminates for Sand ψ.

5.4 Example: Rectangular Hybrid Automata

For every rectangular automaton, the (time-abstract) trace-equivalence relationhas finite index [Henzinger et al. 1998]. It follows that the symbolic semi-algorithm

ModelCheck, as implemented in HyTech, decides all Lµ3 and Lµ3 model-checkingquestions for rectangular automata. The rectangular automata form a maximalclass of hybrid automata in STS3. This is because for simple generalizations ofrectangular automata, the reachability problem is undecidable [Henzinger et al.1998].

Theorem 3C The rectangular automata belong to the class STS3. There is apolyhedral hybrid automaton that does not belong to STS3.


We define two states of a transition system to be “distance equivalent” if for ev-ery distance d, the same observables can be reached in d transitions. The class-4systems are characterized by finite distance-equivalence quotients. The region al-gebra of a class-4 system has a finite subalgebra that contains the observables andis closed under Pre operations. This enables the model checking of all existentialconjunction-free and universal disjunction-free µ-calculus properties, such as theproperty that an observable can be reached in an even number of transitions.

6.1 Finite Characterization: Equi-distant Targets

Definition: Distance equivalence. Let S be a transition system. Two states uand v of S are distance equivalent, denoted u ∼=S

4 v, if for every trace from u withlength n and target p, there is a trace from v with length n and target p, and viceversa. The state equivalence ∼=4 is called distance equivalence.

Definition: Class STS4. A symbolic transition system S belongs to the classSTS4 if the distance-equivalence relation ∼=S

4 has finite index.

Figure 7 shows that distance equivalence is coarser than trace equivalence: thestates u and v are distance equivalent but not trace equivalent. It follows that the



?

�

?

� U

u

U

q

qp p

p

q

q

p v

Fig. 7. Distance equivalence is coarser than trace equivalence.



T0 := P ;for i = 0, 1, 2, . . . do

Ti+1 := Ti∪ {Pre(σ) | σ ∈ Ti}



Fig. 8. Predecessor iteration.

class STS4 of symbolic transition systems is a proper extension of STS3.

6.2 Symbolic State-Space Exploration: Predecessor Iteration

The symbolic semi-algorithm Closure4 of Figure 8 computes the subalgebra of aregion algebra RS that contains the observables and is closed under the Pre oper-ation. Suppose that the input given to Closure4 is the region algebra of a symbolictransition system S = (Q, δ,R, p·q, P ). For i ≥ 0 and two states u, v ∈ Q, defineu ∼S

i v if for every trace from u with length n ≤ i and target p, there is a trace fromv with length n and target p, and vice versa. By induction it is easy to check thatfor all i ≥ 0, the extension of every region in Ti, as computed by Closure4, is a ∼S

i

block. Since ∼Si is as coarse as ∼S

i+1 for all i ≥ 0, and ∼=S4 is equal to

⋂

{∼Si | i ≥ 0},

if ∼=S4 has finite index, then ∼=S

4 is equal to ∼Sj for some j ≥ 0. Then, Closure4

will terminate in j iterations. Conversely, suppose that Closure4 terminates withpTi+1q ⊆ pTiq. In this case, if for all regions σ ∈ Ti, we have u ∈ pσq iff v ∈ pσq,then u ∼=S

4 v. This is because if u can reach an observable p in n transitions, but vcannot, then there is a region in Ti, namely, Pren(p), such that u ∈ pPren(p)q andv 6∈ pPren(p)q. It follows that ∼=S

4 has finite index.


Corollary 4A The ∼=4 (distance) equivalence problem is decidable for the classSTS4 of symbolic transition systems.

6.3 Decidable Properties: Conjunction-free Linear Time

Definition: Conjunction-free µ-calculus. The conjunction-free µ-calculus con-



sists of the µ-calculus formulas that are generated by the grammar

ϕ ::= p | x | ϕ ∨ ϕ | ∃© ϕ | (µx : ϕ)


formulas of the conjunction-free µ-calculus. The state logic Lµ4 consists of the dualsof all Lµ4 -formulas.

Definition: Conjunction-free temporal logic. The formulas of the conjunction-free temporal logic L3

4 are generated by the grammar

ϕ ::= p | ϕ ∨ ϕ | ∃© ϕ | ∃3≤d ϕ | ∃3ϕ,

for constants p ∈ Π and nonnegative integers d ≥ 0. Let S = (Q, δ, ·, p·q, P ) bea transition system whose observables include all constants; that is, Π ⊆ P . TheL3

4 -formula ϕ defines the set [[ϕ]]S ⊆ Q of satisfying states:

[[p]]S = ppq;[[ϕ1 ∨ ϕ2]]S = [[ϕ1]]S ∪ [[ϕ2]]S ;[[∃© ϕ]]S = {u ∈ Q | (∃v ∈ δ(u) : v ∈ [[ϕ]]S)};[[∃3≤d ϕ]]S = {u ∈ Q | there is a trajectory of S with source u,

length at most d, and sink in [[ϕ]]S};[[∃3ϕ]]S = {u ∈ Q | there is a trajectory of S with source u and

sink in [[ϕ]]S}.

Note that the L3

4 -formula ∃3ϕ is equivalent to the Lµ4 -formula (µx : ϕ ∨ ∃© x).Moreover, the constructor ∃3≤d is definable from ∃© and ∨; however, it will beessential in the ∃©-free fragment of L3

4 we will consider below.

Remark: Duality. For every L3

4 -formula ϕ, the dual formula ϕ is obtained byreplacing the constructors p, ∨, ∃©, ∃3≤d, and ∃3 by p, ∧, ∀©, ∀2≤d, and ∀2,respectively. The semantics of the dual constructors is defined as usual, such that[[ϕ]]S = Q\[[ϕ]]S . The state logic L3

4 consists of the duals of all L3

4 -formulas. Itfollows that the answer of the model-checking question for a state u ∈ Q and anL3

4 -formula ϕ is complementary to the answer of the model-checking question foru and the L3

4 -formula ϕ.

The following easy facts about the conjunction-free µ-calculus, conjunction-freetemporal logic, and their duals are relevant in our context. First, the state equiv-alence induced by both Lµ4 and Lµ4 is ∼=4 (distance equivalence). Therefore the

deterministic µ-calculus Lµ3 is more expressive than Lµ4 , and Lµ3 is more expressive

than Lµ4 . Second, the conjunction-free µ-calculus Lµ4 is more expressive than the

conjunction-free temporal logic L3

4 , and Lµ4 is more expressive than L3

4 , both ofwhich also induce distance equivalence. For example, the property that an ob-servable p can be reached in an even number of transitions can be expressed inLµ4 by the formula (µx : p ∨ ∃© ∃© x), for which there is no equivalent L3

4 -

formula [Wolper 1983]. Third, both Lµ4 and Lµ4 admit abstraction. It follows that

the Lµ4 and Lµ4 model-checking problems are decidable for the STS4 systems. Asusual, we now show that the procedure ModelCheck from Figure 2 decides themodel-checking problems for Lµ4 and Lµ4 over STS4 systems without constructingdistance-equivalence quotients.



p

p

p

p

p

p

. . . .

u0 u1 u2

Fig. 9. Bounded-reach equivalence is coarser than distance equivalence.

If we apply the symbolic semi-algorithm ModelCheck of to the region algebra of asymbolic transition system S and an input formula from Lµ4 , then all regions whichare generated by ModelCheck are also generated by the semi-algorithm Closure4 oninput RS . Thus, if Closure4 terminates, then so does ModelCheck.

Theorem 4B For all symbolic transition systems S in STS4 and every Lµ4 -formula ϕ,the symbolic semi-algorithm ModelCheck terminates on the region algebra RS andthe input formula ϕ.



We define two states of a transition system to be “bounded-reach equivalent” if forevery distance d, the same observables can be reached in d or fewer transitions. Theclass-5 systems are characterized by finite bounded-reach-equivalence quotients.Equivalently, for every observable p there is a finite bound np such that all statesthat can reach p can do so in at most np transitions. This enables the model checkingof all reachability and (by duality) invariance properties. The transition systems inclass 5 have also been called “well-structured” [Abdulla et al. 1996]. Infinite-stateexamples of class-5 systems are provided by networks of timed automata.

7.1 Finite Characterization: Bounded-distance Targets

Definition: Bounded-reach equivalence. Let S be a transition system. Twostates u and v of S are bounded-reach equivalent, denoted u ∼=S

5 v, if for every tracefrom u with length n and target p, there is a trace from v with length at mostn and target p, and vice versa. The state equivalence ∼=5 is called bounded-reachequivalence.

Definition: Class STS5. A symbolic transition system S belongs to the classSTS5 if the bounded-reach-equivalence relation ∼=5

S has finite index.

Figure 9 shows that bounded-reach equivalence is coarser than distance equivalence:



Symbolic semi-algorithm Reach


for each p ∈ P do

T0 := {p};for i = 0, 1, 2, . . . do

Ti+1 := Ti ∪ {Pre(σ) | σ ∈ Ti}until

S

{pσq | σ ∈ Ti+1} ⊆S

{pσq | σ ∈ Ti}end.

The termination testS

{pσq | σ ∈ Ti+1} ⊆S

{pσq | σ ∈ Ti} is decided as in Figure 2.

Fig. 10. Predecessor aggregation.

all states ui, for i ≥ 0, are bounded-reach equivalent, but no two of them aredistance equivalent. It follows that the class STS5 of symbolic transition systemsis a proper extension of STS4.

7.2 Symbolic State-Space Exploration: Predecessor Aggregation

The symbolic semi-algorithm Reach of Figure 10 starts from the observables andrepeatedly applies the Pre operation, but its termination criterion is more easilymet than the termination criterion of the semi-algorithm Closure4; that is, Reach

may terminate on more inputs than Closure4. Indeed, we shall show that, if theinput is the region algebra of a symbolic transition system S = (Q, δ,R, p·q, P ), thenReach terminates iff S belongs to the class STS5. Furthermore, upon termination,u ∼=S

5 v iff for each observable p ∈ P and each region σ ∈ T pi , we have u ∈ pσq iffv ∈ pσq.

An alternative characterization of the class STS5 can be given using well-quasi-orders on states [Abdulla et al. 1996; Finkel and Schnoebelen 1998]. A quasi-orderon a set A is a reflexive and transitive binary relation on A. A well-quasi-orderon A is a quasi-order � on A such that for every infinite sequence a0, a1, a2, . . . ofelements ai ∈ A there exist indices i and j with i < j and ai � aj . A set B ⊆ Ais upward-closed if for all b ∈ B and a ∈ A, if b � a, then a ∈ B. If � is a well-quasi-order on A, then every infinite increasing sequence B0 ⊆ B1 ⊆ B2 ⊆ · · · ofupward-closed sets Bi ⊆ A eventually stabilizes; that is, there exists an index i ≥ 0such that Bj = Bi for all j ≥ i. To see this, we reason by contradiction: if not, thenwe can find an infinite sequence b0 ∈ B0, b1 ∈ B1\B0, . . ., bi ∈ Bi\(B0∪. . .∪Bi−1),. . . such that there are no indices i, j for which bi � bj , leading to a contradiction.

Theorem 5A For all symbolic transition systems S, the following three conditionsare equivalent:

1. S belongs to the class STS5.2. The symbolic semi-algorithm Reach terminates on the region alge-

bra RS .3. There is a well-quasi-order � on the states of S such that for all

observables p and all nonnegative integers d, the set [[∃3≤d p]]S isupward-closed.

Proof. (2 ⇒ 1) Define u ∼S≤n v if for all observables p ∈ P , for every trace from



p

1−11

13

21. . . .

. . . .

21

12 11

Fig. 11. An STS5 system on which Lµ4 model checking does not terminate.

u with length n and target p, there is a trace from v with length at most n andtarget p, and vice versa. Note that ∼S

≤n has finite index for all n ≥ 0. Supposethat the semi-algorithm Reach terminates, for each observable p ∈ P , in at most iiterations. Then for all n ≥ i, the equivalence relation ∼S

≤n is equal to ∼S≤i. Since

∼=S5 is equal to

⋂

{∼S≤n| n ≥ 0}, it has finite index.

(1 ⇒ 3) Define the quasi-order u �S5 v if for all observables p ∈ P and all n ≥ 0, for

every trace from u with length n and target p, there is a trace from v with lengthat most n and target p. Then each set [[∃3≤d p]]S , for an observable p ∈ P and anonnegative integer d ≥ 0, is upward-closed with respect to �S

5 . Furthermore, if∼=S

5 has finite index, then �S5 is a well-quasi-order. This is because u ∼=S

5 v impliesu �S

5 v: if there were an infinite sequence u0, u1, u2, . . . of states such that for alli ≥ 0 and j < i, we have uj 6�S

5 ui, then no two of these states would be ∼=S5

equivalent.

(3 ⇒ 2) This part of the proof follows immediately from the stabilization propertyof well-quasi-orders [Abdulla et al. 1996].

7.3 Decidable Properties: Bounded Reachability

Definition: Bounded-reachability logic. The bounded-reachability logic L3

5

consists of the L3

4 -formulas that are generated by the grammar

ϕ ::= p | ϕ ∨ ϕ | ∃3≤d ϕ | ∃3ϕ,

for constants p ∈ Π and nonnegative integers d. The state logic L3

5 consists of theduals of all L3

5 -formulas.

The following easy facts about bounded-reachability logic and its dual are relevantin our context. First, the state equivalence induced by both L3

5 and L3

5 is ∼=5

(bounded-reach equivalence). Therefore the conjunction-free temporal logic L3

4

is more expressive than L3

5 , and L3

4 is more expressive than L3

5 . For example,the property that an observable p can be reached in exactly d transitions can beexpressed in L3

4 by the formula ∃© . . . ∃© p with d next operators, for which thereis no equivalent L3

5 -formula. Second, both L3

5 and L3

5 admit abstraction. Sincefor STS5 systems the bounded-reach-equivalence quotient can be constructed usingthe symbolic semi-algorithm Reach, we have the following theorem.

Theorem 5B The L3

5 and L3

5 model-checking problems are decidable for the classSTS5 of symbolic transition systems.

A direct symbolic model-checking semi-algorithm for L3

5 and, indeed, L3

4 is easilyderived from the semi-algorithm Reach. Then, if Reach terminates, so does model



checking for all L3

4 -formulas, including unbounded ∃3 properties. The extensionto L3

4 is possible, because ∃© properties pose no threat to termination. Howeverthe same is not true for Lµ4 . Figure 7.3 shows a symbolic transition system from theclass STS5 for which the evaluation of the Lµ4 -formula (µx : p∨∃©∃©x) using thesymbolic semi-algorithm ModelCheck does not terminate (note that in this example,the symbolic semi-algorithm Reach with Pre replaced by Pre2, which uses a morerelaxed termination criterion, does not terminate either). We show that this is notsuprising as Lµ4 is undecidable on STS5 systems. To establish this result, we proceedas follows. Given a two-counter machine M , we define a symbolic transition systemSM which belongs to the class STS5, and which encodes the computations of Msuch that the Lµ4 -formula (µx : pfin ∨ ∃© ∃© x) characterizes exactly the set ofconfigurations of M from which there is a halting computation.

Let M = 〈K,C,D, I〉 be a two-counter machine, where K = {`0, . . . , `m} isa finite set of control locations with initial location `0 and final location `m, thenonnegative integer variables C and D are the two counters, and I is a functionthat labels each nonfinal location with an instruction (increment a counter, decre-ment a counter, or test a counter for zero) and a successor location (in the caseof zero-test there are two successor locations). A configuration of M is a tripleγ = 〈`, c, d〉, where ` ∈ K is the value of the program counter, which indicatesthe current control location, and c, d ∈ N are the values of the two counters Cand D. The configuration γ is final if ` = `m. We write Γ for the set of config-urations of M , and Γfin ⊆ Γ for the set of final configurations. If γ 6∈ Γfin , thenM(γ) denotes the successor configuration of γ, which results from γ by executingthe instruction I(`). A computation of M from configuration γ is a finite sequenceγ0, γ1, . . . , γk of configurations such that (1) γ0 = γ and (2) γi+1 = M(γi) for all0 ≤ i < k. The computation is halting if γk ∈ Γfin . The problem of decidingif a two-counter machine has a halting computation from the initial configuration〈`0, 0, 0〉 is undecidable [Hopcroft and Ullman 1979].

We define the symbolic transition system SM = (Q, δ,R, p·q, P ) which encodesthe computations of M as follows.

—The state space Q = Γ × {1, 2} contains two copies for each configuration of M .

—The transition function δ is defined as follows: (γ ′, j′) ∈ δ(γ, j) if either (1) γ 6∈Γfin and j = 1 and γ′ ∈ Γfin and j′ = 1 (that is, every copy 1 of a nonfinalconfiguration has a transition to every copy 1 of a final configuration); or (2) γ 6∈Γfin and j = 1 and γ′ = γ and j′ = 2 (that is, every copy 1 of a nonfinalconfiguration has a transition to the copy 2 of the same configuration); or (3) γ 6∈Γfin and j = 2 and γ′ = M(γ) and j′ = 1 (that is, every copy 2 of a nonfinalconfiguration has a transition to the copy 1 of the successor configuration).

—The regions in R are the Presburger formulas. More precisely, a region is a first-order formula over the free variables pc, C,D, J , where pc is interpreted over theset K of control locations, C and D are interpreted as nonnegative integers, andJ is interpreted over the set {1, 2}. The program counter pc occurs only in atomicsubformulas of the form pc = `, for constants ` ∈ K; the two counters C and Doccurs only in atomic subformulas from (N,=,+, 0, 1); and the copy designatorJ occurs only in atomic subformulas of the form J = 1 or J = 2. The extensionof a region σ is the set of states that satisfy the formula σ.



—The only observables in P are the formula pc = `m, which we abbreviate to pfin ,and its negation. Note that ppfinq = Γfin × {1, 2}.

We now establish three properties of SM .

Lemma 5a SM is a symbolic transition system.

Proof. The Presburger formulas are trivially closed under all boolean operations,and the emptiness (satisfiability) and membership (satisfaction) problems are decid-able for the Presburger formulas [Cooper 1972; Berman 1980]. So, it remains to beshown that for every Presburger formula σ, we can construct a Presburger formulaPre(σ) such that a state (γ, j) satisfies Pre(σ) iff there is a state (γ ′, j′) ∈ δ(γ, j)which satisfies σ. Following the definition of δ, we construct Pre(σ) as a disjunctionof three parts. The first two parts are simple and left to the reader. The third partis a disjunction over all instructions of M . Suppose that in location ì, the instruc-tion C := C + 1 is executed and leads to location ì+1. Then the correspondingdisjunct of Pre(σ) is

(∃pc′, C ′, D′, J ′ : pc = ì ∧ J = 2 ∧ pc′ = ì+1 ∧ C ′ = C + 1 ∧ D′ = D ∧ J ′ = 1∧σ[pc, C,D, J := pc′, C ′, D′, J ′]),

where the last conjunct results from σ by replacing the four free variables with theirprimed versions.

Lemma 5b The symbolic transition system SM is in the class STS5.

Proof. We show that the symbolic semi-algorithm Reach terminates for bothobservations in P . Every state that can reach a state in ppfinq can do so in atmost two transitions, because the first copy of every nonfinal configuration has atransition to the first copy of every final configuration. Every state that can reacha state in ppfinq can do so in zero transitions, that is, pPre(pfin )q ⊆ ppfinq, becausethere are no outgoing transitions from final configurations.

Lemma 5c For all configurations γ of M , there exists a halting computation ofM from γ iff the symbolic transition system SM has a trace from (γ, 1) with evenlength and target pfin .

Proof. The left-to-right direction follows directly from the construction of SM .For the right-to-left direction, we reason by induction on the even length k of thetrace. Base case (k = 0): the configuration γ itself is final, and therefore there is ahalting compution (of length 0) from γ. Inductive case (k > 0): by the constructionof SM , the configuration γ cannot be final, and a trace from (γ, 1) with length kand target pfin must begin with the three states (γ, 1), (γ, 2), (M(γ), 1) followedby an even number of transitions. By the induction hypothesis, there is a haltingcomputation of M from M(γ), and therefore also from γ.

This reduces the halting problem for a two-counter machine M to the problem ofchecking if the state (〈`0, 0, 0〉, 1) of the symbolic transition system SM satisfies theLµ4 -formula (µx : pfin ∨ ∃© ∃© x).

Theorem 5B∗ The Lµ4 and Lµ4 model-checking problems are undecidable for theclass STS5 of symbolic transition systems.



� � �

u1u0

p pq

Fig. 12. Reach equivalence is coarser than bounded-reach equivalence.

7.4 Example: Networks of Timed Automata

A network of timed automata [Abdulla and Jonsson 1998] consists of a finite-statecontroller and an arbitrarily large set of identical 1D timed automata. The con-tinuous evolution of the system increases the values of all variables. The discretetransitions of the system are specified by a set of synchronization rules. Formally, anetwork of timed automata is a triple (C,H,Λ), where C is a finite set of controllerlocations, H is a 1D timed automaton, and Λ is a finite set of rules of the formr = (〈c, c′〉, e1, . . . , en), where c, c′ ∈ C and e1, . . . , en are jumps of H . The rule r isenabled if the controller location is c and there are n timed automata H1, . . . , Hn

whose states are such that the jumps e1, . . . , en, respectively, can be performed.The rule r is executed by simultaneously changing the controller location to c′ andthe state of each Hi, for 1 ≤ i ≤ n, according to the jump ei. The following resultis proved in [Abdulla and Jonsson 1998].

Theorem 5C The networks of timed automata belong to the class STS5. There isa network of timed automata that does not belong to STS4.

8. GENERAL SYMBOLIC TRANSITION SYSTEMS

For studying reachability questions on symbolic transition systems, it is natural toconsider the following fragment of bounded-reachability logic.

Definition: Reachability logic. The reachability logic L3

6 consists of the L3

5 -formulas that are generated by the grammar

ϕ ::= p | ϕ ∨ ϕ | ∃3ϕ,

for constants p ∈ Π.

The reachability logic L3

6 induces the state equivalence ∼=6, which can be definedas follows.

Definition: Reach equivalence. Let S be a transition system. Two states u andv of S are reach equivalent, denoted u ∼=S

6 v, if for every trace from u with target p,there is a trace from v with target p, and vice versa. The state equivalence ∼=6 iscalled reach equivalence.

Reach equivalence is coarser than bounded-reach equivalence: in Figure 12, allstates ui, for i ≥ 0, are reach equivalent, but no two of them are bounded-reach-equivalent. Therefore the reachability logic L3

6 is less expressive than the bounded-reachability logic L3

5 . For every symbolic transition system R with k observables,the reach-equivalence relation ∼=R

6 has at most 2k equivalence classes and, there-fore, finite index. Since the reachability problem is undecidable for many kindsof symbolic transition systems (including Turing machines and polyhedral hybridautomata [Alur et al. 1995]), it follows that there cannot be a general algorithm forcomputing the reach-equivalence quotient of symbolic transition systems.



REFERENCES

Abdulla, P. and Jonsson, B. 1998. Verifying networks of timed automata. In TACAS 98: Tools

and Algorithms for the Construction and Analysis of Systems. Lecture Notes in ComputerScience 1384. Springer-Verlag, 298–312.

Abdulla, P., Cerans, K., Jonsson, B., and Tsay, Y.-K. 1996. General decidability theoremsfor infinite-state systems. In Proceedings of the 11th Annual Symposium on Logic in Computer

Science. IEEE Computer Society Press, 313–321.

Alur, R., Courcoubetis, C., Halbwachs, N., Henzinger, T., Ho, P.-H., Nicollin, X., Oliv-

ero, A., Sifakis, J., and Yovine, S. 1995. The algorithmic analysis of hybrid systems. Theo-

retical Computer Science 138, 3–34.

Alur, R. and Dill, D. 1994. A theory of timed automata. Theoretical Computer Science 126,183–235.

Alur, R. and Henzinger, T. 1998. Computer-Aided Verification: An Introduction to Model

Building and Model Checking for Concurrent Systems. Draft.

Alur, R., Henzinger, T., and Ho, P.-H. 1996. Automatic symbolic verification of embeddedsystems. IEEE Transactions on Software Engineering 22, 181–201.

Berman, L. 1980. The complexity of logical theories. Theoretical Computer Science 11, 71–77.

Bhat, G. and Cleaveland, R. 1996. Efficient model checking via the equational µ-calculus. InProceedings of the 11th Annual Symposium on Logic in Computer Science. IEEE ComputerSociety Press, 304–312.

Bouajjani, A., Fernandez, J.-C., and Halbwachs, N. 1990. Minimal model generation. In CAV

90: Computer-Aided Verification. Lecture Notes in Computer Science 531. Springer-Verlag,197–203.

Browne, M., Clarke, E.M., and Grumberg, O. 1988. Characterizing finite Kripke structuresin propositional temporal logic. Theoretical Computer Science 59, 115–131.

Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L., and Hwang, L.J. 1992. Symbolicmodel checking: 1020 states and beyond. Information and Computation 98, 142–170.

Bustan, D. and Grumberg, O. 2003. Simulation-based minimization. ACM Transactions on

Computational Logic 4, 181–206.

Clarke, E.M., Grumberg, O., and Long, D. 1994. Verification tools for finite-state concurrentsystems. In A Decade of Concurrency: Reflections and Perspectives. Lecture Notes in ComputerScience 803. Springer-Verlag, 124–175.

Cleaveland, R., Klein, M., and Steffen, B. 1992. Faster model checking for the modal µ-calculus. In CAV 92: Computer-Aided Verification. Lecture Notes in Computer Science 663.Springer-Verlag, 410–422.

Cooper, D.C. 1972. Theorem proving in arithmetic without multiplication. Machine Intelli-

gence 7, 91–100.

Cousot, P. and Cousot, R. 1977. Abstract interpretation: A unified lattice model for the staticanalysis of programs by construction or approximation of fixpoints. In Proceedings of the Fourth

Annual Symposium on Principles of Programming Languages. ACM Press, 238–252.

Dam, M. 1994. Ctl∗ and Ectl∗ as fragments of the modal µ-calculus. Theoretical Computer

Science 126, 77–96.

Emerson, E. 1990. Temporal and modal logic. In Handbook of Theoretical Computer Science,J. van Leeuwen, Ed. Vol. B. Elsevier Science Publishers, 995–1072.

Emerson, E., Jutla, C., and Sistla, A. 1993. On model checking for fragments of µ-calculus.In CAV 93: Computer-Aided Verification. Lecture Notes in Computer Science 697. Springer-Verlag, 385–396.

Emerson, E., Jutla, C., and Sistla, A. 2001. On model checking for the µ-calculus and itsfragments. In Theoretical Computer Science 258, 491–522.

Emerson, E. and Lei, C. 1986. Efficient model checking in fragments of the propositional µ-calculus. In Proceedings of the First Annual Symposium on Logic in Computer Science. IEEEComputer Society Press, 267–278.



Finkel, A. and Schnoebelen, P. 1998. Well-structured Transition Systems Everywhere. Tech.

Rep. LSV-98-4, Laboratoire Specification et Verification, ENS de Cachan, France.

Henzinger, M., Henzinger, T., and Kopke, P. 1995. Computing simulations on finite andinfinite graphs. In Proceedings of the 36th Annual Symposium on Foundations of Computer

Science. IEEE Computer Society Press, 453–462.

Henzinger, T. 1995. Hybrid automata with finite bisimulations. In ICALP 95: Automata,

Languages, and Programming. Lecture Notes in Computer Science 944. Springer-Verlag, 324–335.

Henzinger, T. 1996. The theory of hybrid automata. In Proceedings of the 11th Annual Sympo-

sium on Logic in Computer Science. IEEE Computer Society Press, 278–292.

Henzinger, T., Ho, P.-H., and Wong-Toi, H. 1995. HyTech: The next generation. In Pro-

ceedings of the 16th Annual Real-time Systems Symposium. IEEE Computer Society Press,56–65.

Henzinger, T. and Kopke, P. 1996. State equivalences for rectangular hybrid automata. InCONCUR 96: Concurrency Theory. Lecture Notes in Computer Science 1119. Springer-Verlag,530–545.

Henzinger, T., Kopke, P., Puri, A., and Varaiya, P. 1998. What’s decidable about hybridautomata? Journal of Computer and System Sciences 57, 94–124.

Henzinger, T. and Majumdar, R. 2000. Symbolic model checking for rectangular hybrid sys-tems. In TACAS 00: Tools and Algorithms for the Construction and Analysis of Systems.Lecture Notes in Computer Science 1785. Springer-Verlag, 142–156.

Henzinger, T., Nicollin, X., Sifakis, J., and Yovine, S. 1994. Symbolic model checking forreal-time systems. Information and Computation 111, 193–244.

Hopcroft, J. and Ullman, J. 1979. Introduction to Automata Theory, Languages, and Com-

putation. Addison-Wesley Publishing Company.

Janin, D. and Walukiewicz, I. 1996. On the expressive completeness of the propositional µ-calculus with respect to the monadic second order logic. In CONCUR 96: Concurrency Theory.Lecture Notes in Computer Science 1119. Springer-Verlag, 263–277.

Kanellakis, P. and Smolka, S. 1990. CCS expressions, finite-state processes, and three problemsof equivalence. Information and Computation 86, 43–68.

Kozen, D. 1983. Results on the propositional µ-calculus. Theoretical Computer Science 27,333–354.

Lamport, L. 1974. A new solution of Dijkstra’s concurrent programming problem. Communica-

tions of the ACM 17, 453–455.

Loiseaux, C., Graf, S., Sifakis, J., Bouajjani, A., and Bensalem, S. 1995. Property-preservingabstractions for the verification of concurrent systems. Formal Methods in System Design 6,

11–44.

Milner, R. 1971. An algebraic definition of simulation between programs. In Second International

Joint Conference on Artificial Intelligence. The British Computer Society, 481–489.

Thomas, W. 1990. Automata on infinite objects. In Handbook of Theoretical Computer Science,J. van Leeuwen, Ed. Vol. B. Elsevier Science Publishers, 133–191.

van Glabbeek, R. 1990. Comparative Concurrency Semantics and Refinement of Actions. Ph.D.Thesis, Vrije Universiteit te Amsterdam, The Netherlands.

Wolper, P. 1983. Temporal logic can be more expressive. Information and Control 56, 72–99.

Received January 2001; revised July 2002; accepted June 2003


lambda-Coloring of Graphs

Documents

Transcript of lambda-Coloring of Graphs