Uppsala Computing Science

Research Report No. 157

January 11, 1999

ISSN 1100–0686

On the Expressive Power of CTL�Faron Moller

Uppsala University

fm@csd.uu.se

Alexander RabinovichTel Aviv University

rabino@math.tau.ac.il

Uppsala Computing Science Research Report Series

Computing Science Department http://www.csd.uu.se/papers/reports.htmlUppsala University ftp://ftp.csd.uu.se/pub/papers/reportsBox 311, S-752 39 UppsalaSWEDEN Copyright c the authors

Abstract

We show that the expressive power of the branching time logicCTL� coincideswith that of the class of bisimulation invariant propertiesexpressible in so-calledmonadic path logic: monadic second order logic in which set quantification is re-stricted to paths. In order to prove this result, we first prove a new Composition The-orem for trees. This approach is adapted from the approach ofHafer and Thomasin their proof that CTL� coincides with the whole of monadic path logic over theclass of binary trees.

1 Introduction

Various temporal logics have been proposed for reasoning about so-called “reactive” systems,computer hardware or software systems which exhibit (potentially) non-terminating and non-deterministic behaviour. Such a system is typically represented by the (potentially) infinitesequences of computation states through which it may evolve, where we associate with eachstate the set of atomic propositions which are true in that state, along with the possible nextstate transitions to which it may evolve. Thus its behaviouris denoted by a (potentially) infiniterooted tree, with the initial state of the system represented by the root of the tree.

Various equivalences have been proposed between such systems as well, depicting whentwo systems should be deemed the same. Given such an equivalence, it is most desirable thatthe temporal logic being employed does not distinguish between two equivalent behaviours: atemporal property which holds of a particular system shouldhold for all equivalent systems.

In this paper, we shall be interested specifically in bisimulation equivalence [17, 16], thebranching time temporal logic CTL� [1, 3], and so-called monadic path logic MPL [10, 11]:monadic second order logic in which set quantification is restricted to paths. It is well knownthat CTL� respects bisimulation equivalence in the above sense, while already first order logicdoes not. However, Hafer and Thomas [11] demonstrate that every CTL� property can beexpressed in MPL, and that the reverse is also true if you restrict attention to binary trees.(Two binary trees are bisimulation equivalent only if they are isomorphic, and MPL respectsisomorphism.) In this paper we modify their argument to showthat the reverse is true over alltrees when we restrict attention to the bisimulation invariant subset of MPL properties, thoseMPL properties which do not distinguish between bisimulation equivalent trees. We thus showthat CTL� corresponds precisely to bisimulation invariant MPL.

A further closely related result due to Janin and Walukiewicz [13] shows that the proposi-tional mu-calculus coincides with the bisimulation invariant properties expressible in the wholeof monadic second order logic. However, whereas their proofrelies on an automata-theoreticcharacterisation of such logical properties, the present proof is automata-free, based instead ona Composition Theorem which is proven with the aid of the appropriate Ehrenfeucht-Fraissegame.

In the remainder of this introduction, we provide the relevant definitions for trees, bisim-ulation equivalence, monadic second order logics, and CTL�. In the next section we presentstandard results about characterising equivalences usingEhrenfeucht-Fraisse games, and in thefollowing section we present and prove the main technical result of the paper, our CompositionTheorem for trees. In the final section, we apply our Composition Theorem to the problem ofshowing our expressive completeness result for CTL� with respect to the bisimulation invariantfragment of MPL.

1.1 Computation Trees

A treet consists of a partially-ordered set ofnodesSt in which the ancestors of any given nodes 2 St constitute a finite total order with a common minimal element"t, referred to as therootof the tree. Computationally, a node in the tree correspondsto a state in a computation, and itsancestorsfs0 2 St : s0<sg correspond to the states passed through in the computation leadingup to the state (corresponding to node)s, starting from the initial state (corresponding to node)"t. We shall denote the (immediate) successor relation by!, so thats! s0 if and only if s<s0

1

and there is nos00 with s<s00<s0. Computationally,s! s0 means that there is a transition fromstates to states0, and the set of ancestors of a state can thus be listed withs as such a sequenceof transitions:"t ! s1 ! s2 ! � � � ! sn ! s.

Furthermore, the nodes of a tree are labelled by elements taken from some finite set�,representing the atomic properties which are true at the given state of the computation. Hencea tree is in fact given as a labelling functiont : St ! �, and we shall refer to such a tree as a�-valued tree.

A path through a treet is an!-sequence—or a maximal finite sequence—of successivenodes� = hs1; s2; s3; : : :i through the tree; that is,s0 ! s1 ! s2 ! � � �; and if this sequenceis finite, then there is no successor for the final node. If the first node of this path is the root"t,then the path is referred to as afull path or branch. The ith nodesi in the path� is denotedby �i, and we shall use�i = h�i; �i+1; �i+2; : : :i to denote the subpath of� rooted at�i. (Inparticular,� = �1.) Finally, we shall usets to denote the subtree oft rooted at the nodes.Remark 1.1 (More general trees)As described, the trees which we are using are!-trees; thatis, each branch is either a finite sequence or an!-sequence of nodes. However, all of ourresults—and in particular our Composition Theorem— hold for a more general class of trees,namely all partially-ordered sets in which the ancestors ofany given node constitute a well-founded total order with a common root". The well-foundedness ensures that the successorsof any node are defined; that is, ifs<s0 thens ! s00 for somes00�s0. However, for ease ofpresentation, we restrict ourselves to the above computationally-motivated subclass of!-trees.

1.2 Bisimulation Equivalence

One popular equivalence between computation trees is that of bisimulation equivalence. Thisequivalence catches subtle differences between trees based on their branching structures. Ithas a very appealing mathematical theory, and is generally regarded as the finest behaviouralequivalence of interest for concurrency (it is often arguedthat concurrent systems giving riseto bisimulation equivalent computation trees are indistinguishable for all reasonable notions ofobservation).

Informally two trees are bisimulation equivalent if they differ only up to multiplicity andordering of their subtrees. Formally we have the following co-inductive definition. Abisimula-tion is a binary relationR � Nt1 � Nt2 between the nodes of two treest1 andt2 which relatestheir roots:h"t1 ; "t2i 2 R; and such that wheneverhs1; s2i 2 R we have that:� s1 ands2 have the same labels:t1(s1) = t2(s2);� if s1 ! s01 then s2 ! s02 with hs01; s02i 2 R; and� if s2 ! s02 then s1 ! s01 with hs01; s02i 2 R.

Two treest1 andt2 arebisimulation equivalent, written t1 � t2, if they are related by somebisimulation.

We shall be interested in distinguishing between trees onlyup to bisimulation equivalence.In particular, we shall associate with any given tree a “wide” normal form tree which is obtainedby reproducing every subtree an infinite number of times. Formally, we say that awide tree isone in which for every transitions ! s0 there are infinitely many transitionss ! s00 such thatts0 is isomorphic tots00. Clearly every treet is bisimulation equivalent to a wide treetw. The

2

treetw can be defined as follows: its node areStw = fs(i) : s 2 St andi 2 !g with labellingfunctiontw(s(i)) = t(s); its root is"tw = "(0)t ; ands(i)<s0(j) iff s<s0 andi�j.Remark 1.2 (Bisimulation equivalence is trivial over binary trees) Note that any two (full)binary trees which are bisimulation equivalent must in factbe isomorphic.

1.3 Monadic Second Order Logic and Monadic Path Logic

The monadic second order logic MSOL(<;�) appropriate for expressing properties of�-valuedtrees has individual variablesx; y; z; : : : (representing nodes), set variablesX; Y; Z (represent-ing sets of nodes), and predicate constantsPa (a2�). Formulas are built up from atomic formu-las of the formx = y, x < y, x2X andx2Pa using the propositional connectives^ and:, andthe quantifier9. We shall denote by FOL(<;�) the subset of first order formulas, those that donot involve set variables. We shall write'(x1; x2; : : : ; xm; X1; X2; : : : ; Xn) to indicate the vari-ables which (may) appearfree in ', that is, not within the scope of a quantifier. Thequantifierdepthof a formula', denoted byqd('), is inductively defined to be the maximum number ofnested quantifiers in': qd(') = 0 for atomic formulas'; qd(' ^ '0) = max(qd('); qd('0));andqd(9x') = qd(9X') = 1 + qd(').

As usual, a formula isclosedif it involves no free variables, in which case it is referredto as asentence. Note that every formula must involve some first order variable, so there areno sentences with quantifier depth 0; and sentences of quantifier depth 1 have only first ordervariables occurring within them. We write(t; s1; s2; : : : ; sm; S1; S2; : : : ; Sn) j= '(x1; x2; : : : ; xm; X1; X2; : : : ; Xn)if the formula'(x1; x2; : : : ; xm; X1; X2; : : : ; Xn) is satisfied in the�-valued treet with xi in-terpretted by the nodesi (1 � i � m) andXj interpretted by the set of nodesSj (1 � j � n).

We shall also interpret FOL(<;�) sentences over wordsw 2 �� and!-sequencesw 2 �!,writing w j= ' to mean the expected: variables represent positions in the sequence with=and< representing relative position, andx2Pa means that the letter at positionx is a. It isstraightforward to verify the correctness of this interpretation, in the sense that for any treetwhich just consists of a path� = h�1; �2; : : :i (that is, every node has at most one successor), andfor any FOL(<;�) sentence', we have thatt j= ' iff t(�) j= ', wheret(�) = t(�1)t(�2) � � �.

Monadic path logicMPL is defined to be the monadic second order logic as described,but where we restrict the interpretation of set variablesX to range not over arbitrary sets ofnodes but over branches. We could equally consider quantification over arbitrary paths, but asnoted by Hafer and Thomas [11] this would give no difference in expressive power: denotingquantification over arbitrary paths byb9, we have the following obvious translations:� 9X' = b9X9r8x[(r<x _ r=x) ^ r2X ^ '].� b9X' = 9X9r'0, where '0 is obtained from' by replacing all atomic formulas of the

form x2X by (r<x _ r=x) ^ x2X.

Remark 1.3 (MPL versus first order logic) MPL is in a sense no more expressive than firstorder logic. Given a treet, we can consider itscompletiontc obtained by extending eachbranch with a limit node, so that each path intc has a maximal element. Given any MPL

3

sentence', let'c be the first order formula obtained from' by replacing all subformulas9x�by 9x9`(x < ` ^ �), and replacing all subformulas9X� by 9`(:9x(`<x) ^ �0) where�0 isobtained from� by replacing each occurrence ofx2X byx<`. Then clearlyt j= ' iff tc j= 'c.1.4 Computation Tree Logics

The syntax of the propositional (branching time) computation tree logic CTL� is specified byinductively defining two sets of formulas,state formulasq andpath formulasp, starting froma finite set ofatomic propositionsfPa : a2�g using the path operatorsEp (“ there exists a pathsuch thatp”), Xp (“next timep”) and pUp0 (“p until p0”). Formally, these two sets of formulasare given by the following equations:q ::= Pa j q ^ q0 j :q j Epp ::= q j p ^ p0 j :p j Xp j pUp0CTL� then consists of the set of state formulasq generated by the above rules. Further commontemporal operators can then be introduced as abbreviations; for example:Ap (“ for all paths,p”)abbreviates:E:p; Fp (“eventuallyp”) abbreviates trueUp; andGp (“alwaysp”) abbreviates:F:p.

The set of path formulas not involving theE operator defines the propositional linear timelogic LTL. It can be more succinctly defined as the set of formulas given by the followingequation: p ::= Pa j p ^ p0 j :p j Xp j pUp0

CTL� formulas are interpretted over trees, and LTL formulas are interpretted over paths, byway of a satisfaction relationj=. Given a treet, a nodes in this tree, and a path� throughthis tree, we write(t; s) j= q to mean that state formulaq is true at nodes in the treet, and(t; �) j= p to mean that path formulap is true of the path� in t. This relation is definedinductively as follows.(t; s) j= Pa iff t(s) = a(t; s) j= q ^ q0 iff (t; s) j= q and (t; s) j= q0(t; s) j= :q iff (t; s) 6j= q(t; s) j= Ep iff there is a path� in t rooted ats such that(t; �) j= p(t; �) j= q iff (t; �1) j= q(t; �) j= p ^ p0 iff (t; �) j= p and (t; �) j= p0(t; �) j= :p iff (t; �) 6j= p(t; �) j= Xp iff length(�)>1 and (t; �2) j= p(t; �) j= pUp0 iff there isi with 1�i� length(�) such that(t; �i) j= p0 and (t; �k) j= p whenever 1�k<i:Note that most authors consider onlytotal trees, thus stipulating that all paths are infinite. Wedo not make such a restriction, but our semantic definitions coincide with the usual interpreta-tion for total trees. Also worth noting is that some authors use a slightly different yet equallyexpressive version of the until operatorbU, wherepbUp0 makes no restrictions on the initial state.

4

Thus this operator translates into our use aspbUp0 = XpUp0; and conversely our operator canbe translated aspUp0 = p0 _ (p ^ pbUp0).

As LTL formulas are actually interpretted over paths, they can equally be interpretted overwordsw = w1w2 � � �wn 2 �� and!-sequencesw = w1w2 � � � 2 �! by adapting the definitionof the satisfaction relationj= as follows. (As with paths, theith letter ofw 2 ��[�! is denotedwi and we usewi = wiwi+1 � � � to denote the suffix ofw starting at theith letter.)w j= Pa iff w1 = aw j= p ^ p0 iff w j= p and w j= p0w j= :p iff w 6j= pw j= Xp iff length(w)>1 and w2 j= pw j= pUp0 iff there isi with 1�i� length(w) such thatwi j= p0 and wk j= p whenever 1�k<i:It is straightforward to verify the correctness of this interpretation, in the sense that for any path� = h�1; �2; : : :i in any treet, and for any LTL formulap, we have that(t; �) j= p iff t(�) j= p,wheret(�) = t(�1)t(�2) � � �.

The following is an important result relating LTL and FOL(<;�) due to Kamp [14]. (See [5]for a more accessible proof of this result.)

Theorem 1.4 (Kamp) LTL and FOL(<;�) are equally expressive:

1. Given any LTL formulap there is an equivalent FOL(<;�) sentence'p:for everyw 2 �� [ �!, w j= p iff w j= 'p.

2. Given any FOL(<;�) sentence' there is an equivalent LTL formulap':

for everyw 2 �� [ �!, w j= ' iff w j= p'.

Remark 1.5 (Binary trees versus general trees)The logics FOL(<;�), MPL, and CTL� allobey different laws when interpretted over binary trees than when interpretted over arbitrarytrees. For example, the following pair of distinct CTL� formulas are equivalent over the classof binary trees:EXPa ^ EXPb and EXPa ^ EXPb ^ AX(Pa _ Pb). Furthermore, Hafer andThomas [11] demonstrate that over binary trees, MPL and CTL� coincide; however, this resultfails immediately in general. This is due to the fact that CTL� respects bisimulation equivalence(any two bisimulation equivalent trees must satisfy the same CTL� formulas), but MPL, andindeed already first order logic, sentences do not. (This does not contradict the result of Haferand Thomas, as we noted in Remark 1.2 that two binary trees areonly bisimulation equivalentwhen they are actually isomorphic, and MPL certainly respects isomorphism.) For example,Hafer and Thomas consider the first order sentence9x9y[:(x<y _ x=y _ y<x) ^ x2Pa ^ y2Pa]which expresses that there exist two incomparable nodes labelleda. They note that over binarytrees this is equivalent to the CTL� formula EF(AXEFPa); however, this sentence cannot betranslated into CTL� in general, as it is satisfied by only the first of the followingtwo bisimula-tion equivalent trees: aa a aa

5

2 Equivalences and Games

Given two treest andt0, we write t �n t0 if no MPL sentence of quantifier depthn can dis-tinguish between these trees. Formally,t �n t0 if and only if for any MPL sentence' withqd(') � n we havet j= ' iff t0 j= '. Equally, we write(t; s) �n (t0; s0) if no MPL formula'(x) with qd(') � n can distinguish between these trees with specified nodes; and finally wewrite (t; �) �n (t0; �0) if no MPL formula'(X) with qd(') � n can distinguish between thesetrees with specified branches (full paths).

The relations�n are clearly equivalence relations over trees, trees with specified nodes,and trees with specified branches, and as indicated in [11] they enjoy the following importantproperties.

Lemma 2.1

1. For eachn, the relation�n defines finitely many equivalence classesT1; T2; : : : ; Tm oftrees; that is,t �n t0 iff t; t0 2 Ti for somei 2 f1; 2; : : : ; mg.

2. For each equivalence classTi there is a MPL sentence�i with qd(�i) � n which charac-terises it; that is,t 2 Ti iff t j= �i.

3. Every MPL sentence' with qd(') � n is equivalent to a (finite) disjunction of thecharacterising sentences�i.

(The lemma also holds for trees with a specified node or branchand MPL sentences with onefree variable with quantifier depth bounded byn. However, for ease of presentation, we onlyexplicitly describe the case for trees and sentences.)

The proof of the above lemma is easy once you realize that there are only finitely manysemantically-distinct formulas with at most one free variable of a fixed quantifier depthn. Thisfact itself can be shown easily by induction on quantifier depth.

The equivalences�n have an elegant characterisation in terms of the followingEhrenfeucht-Fraisse game. The game is played by two players on two treest andt0, and involves the firstplayer choosing a node or branch in one of the two trees, afterwhich the second player re-sponds by choosing the same type of object (node or branch) inthe other tree which she be-lieves ‘matches’ the object chosen by the first player. Aftern rounds, there will ben nodesand branches(s1; : : : ; sk; �k+1; : : : ; �n) selected in the first tree andn corresponding nodes andbranches(s01; : : : ; s0k; �0k+1; : : : ; �0n) selected in the second tree. The second player is deemedthe winner if the mappingsi 7! s0i and�j 7! �0j respects the relations<, 2, and2Pa. If thesecond player has awinning strategy, that is, a strategy to follow when choosing her responsesto the first player’s moves which will guarantee her a win, then we say thatt andt0 aren-gameequivalent, and we writet �n t0. The relations(t; s) �n (t0; s0) and(t; �) �n (t0; �0) are de-fined analogously, where the mapping is extended withs 7! s0 in the first instance and� 7! �0in the second instance. The characterisation theorem is then as follows. (For a proof, we referto [2, 12].)

Theorem 2.2 �n = �n. That is,� t �n t0 iff t �n t0;� (t; s) �n (t0; s0) iff (t; s) �n (t0; s0); and� (t; �) �n (t0; �0) iff (t; �) �n (t0; �0).6

3 The Composition Theorem

Composition Theorems are tools which reduce sentences about a complete structure to sen-tences about its parts. An early example of such a result is the Feferman-Vaught Theorem [4]which reduces the first-order theory of generalised products to the first order theory of its fac-tors. Composition theorems for theories of orderings, usedas an alternative to the automatatheoretic approach popularized by Buchi, were first explored by Lauchli [15], and subsequentlydeveloped by Shelah [18]. The technique was used in a series of papers by Gurevich and She-lah [6, 8, 9, 10], and outlined in a survey exposition by Gurevich [7]. Hafer and Thomas [11]provide a composition theorem for MPL over binary trees, andin the present paper we prove acomposition theorem for MPL over wide trees. Thomas [19] provides a recent overview on us-ing composition theorems where he suggests that, despite their success, such techniques are stilllargely ignored by the theoretical computer science community in favour of the well-establishedautomata-theoretic techniques. He emphasizes the importance of the approach for decidabilityquestions, though it is evident that it is of importance as well to questions of definability, as inthe present paper.

Referring to Lemma 2.1, withn fixed, we can fixm as well as the equivalence classesT1; T2; : : : ; Tm and sentences�1; �2; : : : ; �m as given in Lemma 2.1. We then define the ex-tended alphabet�0 = ��Pf1; 2; : : : ; mg. Given a treet and a path� in the tree, we denote byv(t; �) the (!-)word over�0 of length equal to that of� whoseith letter is given by:v(t; �)i = �t(�i); fj : �i ! s with ts 2 Tjg�.

That is, theith letter ofv(t; �) is labelled(a; J) if and only if the ith node�i in the path�is labelled bya 2 �, and the subtrees of this node are drawn precisely from the equivalenceclassesfTj : j 2 Jg. We shall also use the notationv(t; s) wheres is a node in the treetto meanv(t; �) where� is the (unique) partial path leading from the root of the treeto s. Theimportance ofv(t; s) andv(t; �) is that they capture the whole of(t; s) and(t; �), respectively,with respect to the distinguishing power of MPL formulas of quantifier depthn. This fact isformulated in terms of games in the following.

Lemma 3.1 Given a wide treet with nodes and path�, and a wide treet0 with nodes0 andpath�0:

1. if v(t; s) �n v(t0; s0) then (t; s) �n (t0; s0);2. if v(t; �) �n v(t0; �0) then (t; �) �n (t0; �0).

Proof We shall prove only the first result, as the proof of second result is virtually identical.A winning strategy for player II in the game played on trees(t; s) and(t0; s0) can be based

directly on a winning strategy for player II in the game played on pathsv(t; s) andv(t0; s0) asfollows.� If the first player chooses a node onv(t; s), then the second player simply chooses the

corresponding node onv(t0; s0) as dictated by the strategy for the path game.

A symmetric strategy applies if the first player chooses a node onv(t0; s0).7

� If the first player chooses a nodes0 in t not on v(t; s), then the second player looksat the last nodes1 on v(t; s) which is an ancestor of the chosen node, and finds thecorresponding nodes01 on v(t0; s0) as dictated by the strategy for the path game. Thematching nodes00 will come from a subtree rooted at a successor nodes02 of s01 whichcomes from the same equivalence class as the subtree rooted at the successor nodes2 ofs1 on the path tos0; this is possible, sinces1 ands01 must have the same label from�0, andhence have subtrees drawn from the same equivalence classes. As these are wide trees,there are infinitely-many such subtrees; the one which we take is the one which containsthe elements chosen previously by one of the two players which correspond to elementschosen previously by the other player which are in the subtree rooted ats2. If there areno previously-chosen elements in the subtree rooted ats2, then we chooses02 so that thesubtree below it also contains no previously-chosen elements. Note that this argumentrelies on the fact that we have wide trees. The particular choice for s00 is then dictatedby the strategy for the game played on these subtrees which are drawn from the sameequivalence class, and hence admit a winning strategy in thegame for the second player.

A symmetric strategy applies if the first player chooses a node in t0 not onv(t0; s0).� If the first player chooses a path� in t, then similar to the previous case, the second playerlooks at the last nodes1 on v(t; s) which is on the path�, and finds the correspondingnodes01 onv(t0; s0) as dictated by the strategy for the path game. Assuming that the path�is not a finite path ending ats (in which case the matching path�0 is the finite path endingat s0), the matching path�0 will run through a subtree rooted at a successor nodes02 of s01which comes from the same equivalence class as the subtree rooted at the successor nodes2 of s1 on the path�; this is possible, sinces1 ands01 must have the same label from�0, and hence have subtrees drawn from the same equivalence classes. As these are widetrees, there are infinitely-many such subtrees; the one which we take is the one whichcontains the elements chosen previously by one of the two players which correspond toelements chosen previously by the other player which are in the subtree rooted ats2. Ifthere are no previously-chosen elements in the subtree rooted ats2, then we chooses02so that the subtree below it also contains no previously-chosen elements. Note that thisargument relies on the fact that we have wide trees. The particular choice for�0 is thendictated by the strategy for the game played on these subtrees which are drawn from thesame equivalence class, and hence admit a winning strategy in the game for the secondplayer.

A symmetric strategy applies if the first player chooses a path in t0.It is clear that this indeed provides a winning strategy for the second player. �

With this lemma in place, we can now state and prove our Composition Theorem.

Theorem 3.2 (Composition Theorem for wide trees)

1. For every MPL formula'(x) with qd(') � n, there is aFOL(<;�0) sentence withqd( ) � n such that for all wide treest and all nodess in t we have(t; s) j= '(x) if andonly if v(t; s) j= .

8

2. For every MPL formula'(X) with qd(') � n, there is aFOL(<;�0) sentence withqd( ) � n such that for all wide treest and all paths� in t we have(t; �) j= '(X) ifand only ifv(t; �) j= .

With this theorem, we are thus reducing any property'(x) or '(X) of a whole wide tree to anequivalent property of a simple path.

Proof Again we only prove the first result, as the proof of the secondresult is virtually identical.Let '(x) with qd(') � n be fixed. Then let� �1(x); : : : ; �m(x) be formulas that define the�n-equivalence classes of�-labelled trees

with a specified node, as given in Lemma 2.1 (for the case of trees with a specifiednode). In particular, by Lemma 2.1(3) we have that'(x) $ Wi2I �i(x) for someI � f1; : : : ; mg;� �1; : : : ; �k be sentences that define the�n-equivalence classes of�0-labelled paths;� Ji = n j : (t; s) j= �i(x) and v(t; s) j= �j for some(t; s)o for each i 2 f1; : : : ; mg(note that by Lemma 3.1 these sets must be disjoint); and finally let� = Wi2I Wj2Ji �j.

We shall demonstrate that this satisfies the conditions of the theorem.Given any wide treet with nodes,(t; s) j= '(x) iff (t; s) j= �i(x) for somei 2 I

iff v(t; s) j= �j for somei 2 I andj 2 Jiiff v(t; s) j= :

Finally, asv(t; s) is a path, the formula can be assumed to be in FOL(<;�0), since any pathquantifiers would be redundant and can be removed. �Remark 3.3 (More general trees)As noted in Remark 1.1, this Composition Theorem actu-ally holds for arbitrary well-founded wide trees. In fact, by maintaining multisets of subtrees,we can prove a more general Composition Theorem for arbitrary well-founded trees.

4 The Expressive Completeness of CTL�In this section we demonstrate the expressive completenessof CTL� with respect to MPL for-mulas which respect bisimulation equivalence. We start by noting the following easy direction,which is given as Proposition 4.1 in [11].

Lemma 4.1 Given any CTL� formula q there is an equivalent MPL formula'q; that is, forevery treet, (t; "t) j= q if and only ift j= 'q.It is well-known (and easily demonstrated) that CTL� respects bisimulation equivalence, so theMPL formula'q in the above Lemma must also respect bisimulation equivalence. The reversetranslation follows as a corollary of the following lemma for wide trees, the proof of whichrelies on our Composition Theorem 3.2.

9

Lemma 4.2 Given any MPL sentence' there is a CTL� formula q' which is equivalent to itover the class of wide trees; that is, for every wide treet, t j= ' if and only if(t; "t) j= q'.

Proof The proof of this result is by induction on the quantifier depth of '. The result is easilyobtained forqd(n) = 1. For example, if' = 9x(x 2 Pa) thenq' = EFPa.

In the induction step, we assume that any MPL sentence with quantifier depth no greaterthann is equivalent to some CTL� formula over wide trees. The only cases of interest are' = 9x'0(x) and' = 9X'0(X), whereqd('0) = n.

By Lemma 2.1 we havem equivalence classesT1; T2; : : : ; Tm of trees with respect tothe equivalence relation�n, characterised by MPL sentences�1; �2; : : : ; �m, each of quanti-fier depth no greater thann, and hence by induction each equivalent to some CTL� formulaq1; q2; : : : ; qm, respectively, over the class of wide trees.

Consider the case where' = 9x'0(x) with qd('0) � n. We can apply the first part ofthe Composition Theorem 3.2 to the subformula'0(x) to get a FOL(<;�0) formula withqd( ) � n such that for all wide treest and all nodess of t we have(t; s) j= '0(x) iffv(t; s) j= . Let 0 = 9z �z where �z is obtained from by replacing all subformulas9x�by 9x(x�z ^ �); then clearly9z : v(t; z) j= iff 9� : v(t; �) j= 0. By Kamp’s Theorem 1.4,we can translate this first-order formula 0 into an equivalent LTL formulap.

The formulap involves atomic propositions of the formP(a;I) with (a; I) 2 �0; we wish toreplace each of these atomic propositions by a suitable CTL� formulaq(a;I) expressing that thenode of interest satisfies the atomic predicatePa and that its successor nodes are representedprecisely by the equivalence classesTi with i2I; that is: each successor satisfies someqi withi2I, and for eachi2I there is a successor which satisfiesqi. The substitution is thus as follows:q(a;I) = Pa ^ i2I EXqi ^ AX

_i2I qiOur desired CTL� formula is thenEp0, wherep0 denotes the CTL� path formula which we obtainfrom p after performing the above substitutions: given any wide tree,t,t j= ' iff 9s : (t; s) j= '0(x) iff 9s : v(t; s) j= iff 9� : v(t; �) j= 0

iff 9� : v(t; �) j= p iff 9� : (t; �) j= p0 iff (t; "t) j= Ep0A simpler argument based on the second part of the Composition Theorem 3.2 (not requiring

the quantifier relativisation step) handles the case where' = 9X'0(X) with qd('0) � n. �Corollary 4.3 Given any MPL sentence' which is invariant under bisimulation equivalence,there is an equivalent CTL� formulaq'; that is, for every treet, t j= ' if and only if(t; "t) j= q'.

Proof Given', the appropriateq' is as given in Lemma 4.2: given anyt, let tw be a bisimulationequivalent wide tree. Thent j= ' iff tw j= ' (by assumption on', givent � tw)

iff (tw; "tw) j= q' (by Lemma 4.2)iff (t; "t) j= q' (since CTL� respects bisimulation equivalence.) �

Finally, combining Lemma 4.1 and Corollary 4.3 gives us our desired result:

Theorem 4.4 (The Expressive Completeness of CTL�) CTL� is expressively equivalent to theMPL formulas which respect bisimulation equivalence.

10

References

[1] E.M. Clarke and E.A. Emerson (1981). Design and verification of synchronous skeletonsusing branching time temporal logic.Lecture Notes in Computer Science131:52–71.

[2] H.-D. Ebbinghaus and J. Flum (1995).Finite Model Theory. Springer Perspectives inMathematical Logic.

[3] E.A. Emerson and J.Y. Halpern (1986). ‘Sometimes’ and ‘not never’ revisited: on branch-ing versus linear time temporal logics.Journal of the ACM33(1):151–178.

[4] S. Feferman and R.L. Vaught (1959). The first-order properties of products of algebraicsystems.Fundamenta Mathematica47:57–103.

[5] D. Gabbay, I. Hodkinson and M. Reynolds (1994).Temporal Logic. Oxford UniversityPress.

[6] Y. Gurevich (1979). Modest theory of short chains I.Journal of Symbolic Logic44:481–490.

[7] Y. Gurevich (1985). Monadic second-order theories. InModel-Theoretic Logics, (J. Bar-wise and S. Feferman, eds.), pp479-506, Springer-Verlag.

[8] Y. Gurevich and S. Shelah (1979). Modest theory of short chains II.Journal of SymbolicLogic44:491–502.

[9] Y. Gurevich and S. Shelah (1979). Rabin’s uniformization problem.Journal of SymbolicLogic48:1105–1119.

[10] Y. Gurevich and S. Shelah (1985). The decision problem for branching time logic.Journalof Symbolic Logic50(3):668–681.

[11] T. Hafer and W. Thomas (1987). Computation tree logic CTL� and path quantifiers in themonadic theory of the binary tree. InProceedings of ICALP’87: International Colloquiumon Automata, Languages and Programming, Lecture Notes in Computer Science267:269–279, Springer-Verlag.

[12] W. Hodges (1993).Model Theory. Cambridge University Press.

[13] D. Janin and I. Walukiewicz (1996). On the expressive completeness of the proposi-tional mu-calculus with respect to monadic second order logic. In Proceedings of CON-CUR’96: International Conference on Concurrency Theory, Lecture Notes in ComputerScience1119:263–277, Springer-Verlag.

[14] H.W. Kamp (1968). Tense logic and the theory of linear order. PdD Thesis, University ofCalifornia, Los Angeles.

[15] H. Lauchli (1968). A decision procedure for the weak second order theory of linear order.In Contributions to Mathematical Logic, Proceedings of LogicColloquium Hanover 1966,North-Holland.

11

[16] R. Milner (1989).Communication and Concurrency. Prentice-Hall.

[17] D.M.R. Park (1981). Concurrency and automata on infinite sequences.Lecture Notes inComputer Science104:168–183.

[18] S. Shelah (1975). The monadic theory of order.Annals of Mathematics102:379–419.

[19] W. Thomas (1997). Ehrenfeucht Games, the composition method, and the monadic theoryof ordinal words. InStructures in Logic and Computer Science: A Selection of Essaysin Honor of A. Ehrenfeucht, Lecture Notes in Computer Science1261:118-143, Springer-Verlag.

12