A Complete Proof System for QPTL - CiteSeerX

Yonit Kesten, Amir Pnueli
Department of Computer Science, Weizmann Institute of Science, Rehovot 76100, Israel
E-mail: [email protected], [email protected]
An Extended Abstract

Abstract

The paper presents an axiomatic system for quantified propositional temporal logic (qptl), which is propositional temporal logic equipped with quantification over propositions (boolean variables). The advantage of this extended temporal logic is that its expressive power is strictly higher than that of the unquantified version (ptl) and is equal to that of S1S, as well as that of ω-automata. Another important application of qptl is its use for formulating and verifying refinement relations between reactive systems. The completeness proof is based on the reduction of a qptl formula into a Büchi automaton and on equivalence transformations of these automata, which the proof system is shown to justify formally.

* This research was supported in part by the European Community ESPRIT Basic Research Action Project REACT (6021).

1 Introduction

For a long time, temporal logics have been mainly used for the specification and verification of properties of reactive systems. According to this approach, a system is specified by a list of properties, all of which should be satisfied by any acceptable implementation. As long as this was the main use, quantifiers did not play an important role in temporal logic (tl). There were only two places where the use of quantifiers was recommended:

1. Using quantification over rigid variables (variables that stay the same throughout the model) to connect values of system variables at two different states. For example, the formula
$$\forall u:\ x = u \Rightarrow \Diamond(y = u \cdot u)$$
uses quantification over the rigid variable $u$ to specify the property that every value which appears in variable $x$ at some state appears squared in variable $y$ some time later. This may be used to specify the behavior of a procedure with input $x$ and output $y$, whose task is to square numbers. However, one soon realizes that this formula is valid over a set of program computations iff the same formula without the universal quantification is valid. Therefore one may specify the same property with the simpler formula
$$x = u \Rightarrow \Diamond(y = u \cdot u).$$

2. Using quantification over flexible variables (variables that may change from one state to another) in order to increase the expressive power of the logic. For example, it is a known fact (through [Kam68], [GPSS80], and [MP71]) that unquantified (propositional) tl cannot count. In particular, it is impossible to specify in (unquantified) ptl that $p$ must hold on every even position in the model. In qptl, this is specified by the formula
$$\exists t:\ t \wedge \Box(\bigcirc t \leftrightarrow \neg t) \wedge \Box(t \to p).$$
In this formula, the auxiliary (specification) variable $t$ is used as a counter modulo 2. It is true at all even positions and false at all odd positions.

In spite of these two cases, quantification never played a central role in the use of tl for specification and verification of properties. This changed drastically with the suggestion of using tl for proving refinement (or implementation) between programs. This suggestion is extensively discussed in the framework of TLA ([Lam91], [Lam94]), which freely interchanges formulas and programs, and has also been studied under the framework of tl considered here [KMP93]. According to this approach, to verify that system $S_1$ refines system $S_2$, we have to prove the implication
$$\exists x_1:\ \mathit{sem}_{S_1} \;\to\; \exists x_2:\ \mathit{sem}_{S_2} \qquad (1)$$
where $\mathit{sem}_{S_i}$, $i = 1, 2$, is a temporal formula called the temporal semantics of system $S_i$ ([MP83], [MP91]), which characterizes all models that are computations of $S_i$, and $x_i$, $i = 1, 2$, are the internal variables of $S_i$. This formula states that, for every computation $\sigma_1$ of $S_1$, there exists a computation $\sigma_2$ of $S_2$ such that $\sigma_1$ and $\sigma_2$ agree on the interpretation of all variables except possibly the internal variables $x_1$ and $x_2$. The assumption is that $S_1$ and $S_2$ do share some observable variables $y$ on which $\sigma_1$ and $\sigma_2$ must agree. Implication (1) is valid iff the following implication is valid:
$$\mathit{sem}_{S_1} \;\to\; \exists x_2:\ \mathit{sem}_{S_2} \qquad (2)$$
The main approach for establishing such an implication is to prove the implication
$$\mathit{sem}_{S_1} \;\to\; \mathit{sem}_{S_2}[x_2 \mapsto t_2], \qquad (3)$$
where $\mathit{sem}_{S_2}[x_2 \mapsto t_2]$ is obtained from $\mathit{sem}_{S_2}$ by replacing all occurrences of $x_2$ by the term $t_2$ which, in general, may be a function of $x_1$ and $y$. We can view $t_2(x_1, y)$ as a Skolem function mapping values of $x_1$ and $y$ into values of $x_2$. This corresponds to the well-known notion of refinement mapping, establishing a mapping between states of $S_1$ and states of $S_2$. Methods for proving refinement by refinement mapping have been extensively discussed in the literature, e.g., [Lam83], [LS84], [LT87], [Jon87], and [AL91]. An important question is how to define the Skolem function $x_2 = t_2(x_1, y)$ in an effective way. Observe that $t_2$ is a temporal function in the sense that the value of $t_2$ at position $j$ of a model may depend on the values of $x_1$ and $y$ at positions that either precede or succeed $j$. In [AL91], Abadi and Lamport identify two definitional schemes for establishing the necessary temporal Skolem function:

• A history scheme, which can be defined by the forward inductive definition $u = f(\ominus u)$. This scheme defines the value of $u$ at position $j$ as a function of $u$ at position $j - 1$, but may refer to values of other variables at all positions.

• A prophecy scheme, which can be defined by the backward inductive definition $u = f(\bigcirc u)$. This scheme defines the value of $u$ at position $j$ as a function of $u$ at position $j + 1$, but may refer to values of other variables at all positions.

These two schemes correspond to the well-known methods of forward and backward simulation. The claim that these schemes always define a temporal function can be formally stated by the following two theorems:
$$\exists u:\ \Box\big(u = f(\ominus u)\big) \qquad\text{and}\qquad \exists u:\ \Box\big(u = f(\bigcirc u)\big) \qquad (4)$$
In view of this important application of quantification, it became apparent that every deductive method for proving program refinement by tl should offer a repertoire of theorems and proof rules for formally dealing with quantifiers. The usual question is how to recognize that our arsenal of axioms and inference rules is adequate. This is a standard question, dealt with in logic under the heading of completeness. Unfortunately, it has been shown that, unlike the predicate calculus, full tl with quantifiers cannot be axiomatized [Aba89]. Learning that there is no chance that true completeness can be established, there are two possible paths to follow. The first is to search for relative completeness in the sense of Cook [Coo78]. A second possibility is to restrict the logic to a simpler fragment, where real completeness is possible. Both directions strive for separation of concerns, trying to untangle the interaction between the temporal operators (or the program-dynamics aspects in the case of [Coo78]) and the rich data structures. In this paper we chose to follow the second path and consider quantified tl where the variables are restricted to range over finite domains. Without loss of generality, we can restrict our attention to boolean variables (propositions). This leads to the version of the logic studied here: Quantified Propositional Temporal Logic. We were encouraged to follow this path by the previous successful treatment of the propositional fragment of unquantified tl (ptl) [GPSS80]. As shown in [SVW87], the satisfiability problem for qptl is decidable, albeit with non-elementary complexity. Therefore, one may justifiably ask why we bother to provide an axiomatic system for a decidable logic.

Intellectual curiosity aside, our main reason for studying this problem is not our interest in qptl per se but rather that, by studying qptl, we can gain confidence that the set of axioms and rules we propose is adequate in some sense for reasoning in full qtl, and master techniques for deductive proofs in the presence of quantifiers. A source of inspiration for our work came from the monograph of Dirk Siefkes [Sie70], who established completeness of an axiomatic system for S1S after the logic had been shown to be decidable by Büchi. In the introduction, Siefkes explains that he considers

Büchi's decision procedure, based on automata, to be semantical (model-theoretic), while he was looking for a syntactical (proof-theoretic) approach to the same problem.

1.1 An Overview of the Completeness Proof

The full proof of completeness is long and detailed. In this extended abstract, we present only the main steps, claims, and lemmas, with no proofs. We refer the reader to [KP95] for a longer account and proofs of these claims and lemmas. However, in spite of this technical complexity, the proof is based on a very simple principle. Assume that the temporal formula $p$ is valid. We wish to show that $p$ is provable. Let us apply the algorithm proposed in [SVW87] for checking whether $\neg p$ is satisfiable. The algorithm consists of the following steps, applied to an arbitrary formula $\varphi$:

1. Construct a Büchi automaton $A_\varphi$ which accepts precisely the models (infinite sequences) satisfying $\varphi$.
2. Check whether $A_\varphi$ is empty. Formula $\varphi$ is satisfiable iff $A_\varphi$ is non-empty.

Applying this algorithm to the formula $\neg p$, which is known to be unsatisfiable (since $p$ is valid), we obtain an automaton $A_{\neg p}$ which accepts the empty language. Our completeness proof mimics the decision algorithm by establishing (denoting provability in our axiomatic system by $\vdash_{Qx}$):

1. $\vdash_{Qx} \varphi \Leftrightarrow \psi_{A_\varphi}$, where $\psi_{A_\varphi}$ is the characteristic formula of the automaton $A_\varphi$, i.e., a formula satisfied by precisely the sequences accepted by $A_\varphi$.
2. If $A$ is empty (i.e., accepts the empty language), then $\vdash_{Qx} \neg\psi_A$.

Since $\neg p$ is unsatisfiable, $A_{\neg p}$ is empty. Consequently, we can prove in our axiomatic system $\vdash_{Qx} \neg p \Leftrightarrow \psi_{A_{\neg p}}$, followed by $\vdash_{Qx} \neg\psi_{A_{\neg p}}$, from which we can infer $\vdash_{Qx} p$.

We find it somewhat ironic that, starting with an attempt to establish a proof-theoretic approach to solving the qptl-validity problem that can serve as an alternative to the automata-theoretic approach initiated by Büchi, the best proof we managed to construct for the completeness of the axiomatic approach is again based on reduction to automata. Another surprise encountered in the completeness proof is that the history and prophecy theorems (4), which we consider central to a refinement proof, need not be taken as axioms but can be proven as theorems. This is one of the first results we obtained from [Sie70].

2 QPTL: Syntax and Semantics

We assume a countable set of boolean variables (propositions) $V$. The syntax of qptl formulas is defined as follows:

• Every variable $x \in V$ is a formula.
• If $p$ and $q$ are formulas, then so are $\neg p$, $p \vee q$, $\bigcirc p$, $p\,\mathcal{W}\,q$, $\widetilde{\ominus} p$, and $p\,\mathcal{B}\,q$.
• If $p$ is a formula and $x$ is a variable, then $\forall x: p$ is a formula.

Thus, as the set of basic operators we take $\neg$, $\vee$, $\bigcirc$ (next), $\mathcal{W}$ (waiting-for, unless, weak until), $\widetilde{\ominus}$ (before, weak previous), $\mathcal{B}$ (back-to, weak since), and $\forall$. Additional operators are defined by:
$$\begin{array}{lcl@{\qquad\qquad}lcl}
p \wedge q & = & \neg(\neg p \vee \neg q) & p \to q & = & \neg p \vee q\\
p \leftrightarrow q & = & (p \to q) \wedge (q \to p) & \boxminus p & = & p\,\mathcal{B}\,\mathsf{f}\\
\Box p & = & p\,\mathcal{W}\,\mathsf{f} & \Diamond^{-} p & = & \neg\boxminus\neg p\\
\Diamond p & = & \neg\Box\neg p & \ominus p & = & \neg\widetilde{\ominus}\neg p\\
p\,\mathcal{U}\,q & = & p\,\mathcal{W}\,q \wedge \Diamond q & \mathring{\boxminus}\, p & = & \widetilde{\ominus}\boxminus p\\
p\,\mathcal{S}\,q & = & p\,\mathcal{B}\,q \wedge \Diamond^{-} q\\
\mathring{\Box}\, p & = & \bigcirc\Box p\\
p \Rightarrow q & = & \Box(p \to q)\\
p \Leftrightarrow q & = & \Box(p \leftrightarrow q)\\
\exists x: p(x) & = & \neg\forall x: \neg p(x)
\end{array}$$
Here $\boxminus$ (so far) and $\Diamond^{-}$ (once) are the past counterparts of $\Box$ and $\Diamond$, $\ominus$ is the (strong) previous operator, and $\mathring{\Box}\,p$ ($\mathring{\boxminus}\,p$) states that $p$ holds at all strictly following (strictly preceding) positions.

A formula that contains no temporal operators is called a propositional assertion or simply an assertion.

2.1 Semantics

A state $s$ is an interpretation of the variables in $V$, assigning to each variable $x \in V$ a truth value. We denote by $s[x] \in \{\mathsf{f}, \mathsf{t}\}$ the value assigned to $x$ by state $s$. A model is an infinite sequence of states
$$\sigma:\ s_0, s_1, s_2, \ldots$$
Given a model $\sigma$ and a temporal formula $p$, we present an inductive definition for the notion of $p$ holding at a position $j \ge 0$ in $\sigma$, denoted by $(\sigma, j) \models p$.

• For a variable $x \in V$, $(\sigma, j) \models x$ iff $s_j[x] = \mathsf{t}$.

For the boolean connectives,

• $(\sigma, j) \models \neg p$ iff $(\sigma, j) \not\models p$, i.e., not $(\sigma, j) \models p$.
• $(\sigma, j) \models p \vee q$ iff $(\sigma, j) \models p$ or $(\sigma, j) \models q$.

For the temporal operators,

• $(\sigma, j) \models \bigcirc p$ iff $(\sigma, j + 1) \models p$.
• $(\sigma, j) \models p\,\mathcal{W}\,q$ iff $(\sigma, i) \models p$ for all $i \ge j$, or $(\sigma, k) \models q$ for some $k \ge j$ and $(\sigma, i) \models p$ for all $i$, $j \le i < k$.
• $(\sigma, j) \models \widetilde{\ominus} p$ iff $j = 0$, or $j > 0$ and $(\sigma, j - 1) \models p$.
• $(\sigma, j) \models p\,\mathcal{B}\,q$ iff $(\sigma, i) \models p$ for all $i \le j$, or $(\sigma, k) \models q$ for some $k \le j$ and $(\sigma, i) \models p$ for all $i$, $k < i \le j$.

For a variable $x \in V$, the model $\sigma': s'_0, s'_1, \ldots$ is said to be an $x$-variant of model $\sigma: s_0, s_1, \ldots$ if, for each $i = 0, 1, \ldots$, state $s'_i$ agrees with $s_i$ on the interpretation of all variables, except possibly on the interpretation of $x$. For the quantifier $\forall$,

• $(\sigma, j) \models \forall x: p$ iff $(\sigma', j) \models p$ for every $\sigma'$, an $x$-variant of $\sigma$.

For a formula $p$ and a position $j \ge 0$ such that $(\sigma, j) \models p$, we say that $p$ holds at position $j$ of $\sigma$. If $(\sigma, 0) \models p$, we say that $p$ holds on $\sigma$, and denote it by $\sigma \models p$. A useful past formula is the formula $\mathit{first}$, defined as $\mathit{first}: \widetilde{\ominus}\mathsf{f}$. This formula characterizes the first position in any model: it is false at all positions $j > 0$ and true for $j = 0$. A temporal formula $p$ is called satisfiable if it holds on some model. It is called valid, denoted $\models p$, if it holds on all models. Formulas $p$ and $q$ are defined to be equivalent, denoted $p \sim q$, if the formula $p \leftrightarrow q$ is valid. Formulas $p$ and $q$ are defined to be congruent, denoted $p \approx q$, if the formula $\Box(p \leftrightarrow q)$ is valid.

3 The Proof System

The axioms dealing with the future and past operators are presented in Table 1 [MP91]. Excluding axiom PX7, every past axiom is almost a mirror image of a corresponding future axiom. Axiom PX7 states that the first position of every sequence satisfies $\widetilde{\ominus}\mathsf{f}$. Axiom FX5 represents the induction principle. Axioms FX8 and PX8 are mixed axioms, containing both future and past operators. Axiom QX2 stipulates that $\varphi$ be admissible for $p(x)$, which we take to mean that the sets of variables in $\varphi$ and $p(x)$ are disjoint. For inference rules, we take:

MP. $p \to q,\ p \;\vdash\; q$
$\forall$-GEN. $p \Rightarrow q(x) \;\vdash\; p \Rightarrow \forall x: q(x)$, provided $p$ does not refer to $x$.

Table 1: The axiomatic system $Qx$ for qptl.

Axioms:
FX0. $\Box p \to p$
FX1. $\bigcirc\neg p \leftrightarrow \neg\bigcirc p$
FX2. $\bigcirc(p \to q) \leftrightarrow (\bigcirc p \to \bigcirc q)$
FX3. $\Box(p \to q) \Rightarrow (\Box p \to \Box q)$
FX4. $\Box p \to \Box\bigcirc p$
FX5. $(p \Rightarrow \bigcirc p) \to (p \Rightarrow \Box p)$
FX6. $(p\,\mathcal{W}\,q) \leftrightarrow \big(q \vee (p \wedge \bigcirc(p\,\mathcal{W}\,q))\big)$
FX7. $\Box p \Rightarrow p\,\mathcal{W}\,q$
FX8. $p \Rightarrow \bigcirc\ominus p$
PX1. $\ominus p \Rightarrow \widetilde{\ominus} p$
PX2. $\widetilde{\ominus}(p \to q) \leftrightarrow (\widetilde{\ominus} p \to \widetilde{\ominus} q)$
PX3. $\boxminus(p \to q) \Rightarrow (\boxminus p \to \boxminus q)$
PX4. $\boxminus p \to \boxminus\widetilde{\ominus} p$
PX5. $(p \Rightarrow \widetilde{\ominus} p) \to (p \Rightarrow \boxminus p)$
PX6. $(p\,\mathcal{B}\,q) \leftrightarrow \big(q \vee (p \wedge \widetilde{\ominus}(p\,\mathcal{B}\,q))\big)$
PX7. $\widetilde{\ominus}\mathsf{f}$
PX8. $p \Rightarrow \widetilde{\ominus}\bigcirc p$
TAU. $\Box p$, for every $p$, a temporal instantiation of a propositional tautology.
QX1. $\forall x: \bigcirc p \leftrightarrow \bigcirc\forall x: p$
QX2. $\forall x: p(x) \Rightarrow p(\varphi)$, where $\varphi$ is a formula admissible for $p(x)$.

Inference Rules:
MP. $p \to q,\ p \;\vdash\; q$
$\forall$-GEN. $p \Rightarrow q(x) \;\vdash\; p \Rightarrow \forall x: q(x)$, provided $p$ does not refer to $x$.

The system consisting of axioms FX0–FX8, TAU and PX1–PX8, and rule MP, is shown in [KLP95] to be complete for propositional temporal logic (ptl), i.e., the unquantified fragment of qptl. This is based on [LPZ85] and [Lic91], with a modification of the proof from the floating notion of temporal validity used there to the (anchored) notion of validity used here. We use this partial completeness to simplify major portions of the completeness proof, by assuming that every valid ptl formula can be proven by the system presented here.

In the detailed completeness proof, we use many theorems and derived inference rules. Here we list only some of them. For example, the following theorems can be proven:
$$\begin{array}{ll}
& \neg\exists x: p \Leftrightarrow \forall x: \neg p\\
& \neg\forall x: p \Leftrightarrow \exists x: \neg p\\
\text{QT:} & p(\varphi) \Rightarrow \exists x: p(x)\\
\text{NFX5:} & (\widetilde{\ominus}\varphi \Rightarrow \varphi) \to \Box\varphi
\end{array}$$
The last theorem is a derived version of the induction axiom. Axiom QX1 states that $\forall$ commutes with $\bigcirc$. Additional theorems claim that $\forall$ commutes with $\Box$, $\widetilde{\ominus}$, $\ominus$, and $\boxminus$; and that $\exists$ commutes with $\bigcirc$, $\Diamond$, $\widetilde{\ominus}$, $\ominus$, and $\Diamond^{-}$. Some of the derived rules that can be proven in the system are:
$$\begin{array}{ll}
\text{INST} & p(x) \vdash p(\varphi), \text{ provided } \varphi \text{ is admissible for } p(x)\\
\exists\text{-INTR} & p(x) \Rightarrow q \vdash \exists x: p(x) \Rightarrow q, \text{ provided } x \text{ does not occur in } q\\
\forall\forall\text{-INTR} & p(x) \Rightarrow q(x) \vdash \forall x: p(x) \Rightarrow \forall x: q(x)\\
& p(x) \Leftrightarrow q(x) \vdash \forall x: p(x) \Leftrightarrow \forall x: q(x)\\
\exists\exists\text{-INTR} & p(x) \Rightarrow q(x) \vdash \exists x: p(x) \Rightarrow \exists x: q(x)\\
& p(x) \Leftrightarrow q(x) \vdash \exists x: p(x) \Leftrightarrow \exists x: q(x)
\end{array}$$

4 History and Prophecy Schemes

In this section, we establish several additional theorems leading to the proofs of the history and prophecy schemes.

4.1 Variables over Finite Domains

The basic logic introduced above allows only boolean variables. In order to express the behaviors of automata, it helps to consider variables which range over an arbitrary finite domain $D$. Without loss of generality, we may take $D$ to be a segment of the integers $\{1, \ldots, n\}$, where we may assume that $n = 2^r$ for

some $r > 0$. Consequently, we may extend the basic logical language by a vocabulary $V_D$ of D-variables, D-expressions, and D-constants $K: \{k_1, \ldots, k_n\}$. To the syntactical definition of qptl, we add the following clauses:

• Every D-variable $y \in V_D$ and every D-constant $k \in K$ are D-expressions.
• If $e$ is a D-expression, then so are $\bigcirc e$ and $\ominus e$, intended to represent the value of $e$ at the next and previous positions of the model, respectively. If $\ominus e$ is evaluated at position 0, it yields the default value $k_1$.
• If $p$ is a formula and $e_1$ and $e_2$ are D-expressions, then $\mathit{if}(p: e_1\ \mathit{else}\ e_2)$ is an expression whose intended meaning is that it evaluates to the value of $e_1$ if $p$ holds; otherwise, its value is that of $e_2$.
• If $e_1$ and $e_2$ are expressions, then $e_1 = e_2$ is an (atomic) formula.

This generalization is not a real extension, since D-variables, D-expressions and D-constants can be encoded by $r$-tuples of boolean variables, $r$-tuples of boolean formulas, and $r$-tuples of the boolean constants $\mathsf{t}$ and $\mathsf{f}$, respectively. This is done as follows. The D-variable $y$ is encoded by the boolean variables $x_1, \ldots, x_r$, each representing a bit in the binary representation of $y$. An expression is represented by a tuple of formulas $\varphi_1, \ldots, \varphi_r$. For example, if $\varphi_1, \ldots, \varphi_r$ is the tuple representation of expression $e_1$ and $\psi_1, \ldots, \psi_r$ is the tuple representation of expression $e_2$, then the tuple representations of the expressions $\bigcirc e_1$, $\ominus e_1$ and $\mathit{if}(p: e_1\ \mathit{else}\ e_2)$, and the representation of the formula $e_1 = e_2$, are given by:
$$\begin{array}{lcl}
\bigcirc e_1 & \triangleq & (\bigcirc\varphi_1, \ldots, \bigcirc\varphi_r)\\
\ominus e_1 & \triangleq & (\ominus\varphi_1, \ldots, \ominus\varphi_r)\\
\mathit{if}(p: e_1\ \mathit{else}\ e_2) & \triangleq & \big((p \wedge \varphi_1) \vee (\neg p \wedge \psi_1),\ \ldots,\ (p \wedge \varphi_r) \vee (\neg p \wedge \psi_r)\big)\\
e_1 = e_2 & \triangleq & (\varphi_1 \leftrightarrow \psi_1) \wedge \cdots \wedge (\varphi_r \leftrightarrow \psi_r)
\end{array}$$

It is not difficult to see that all the axioms, theorems, and rules presented in section 3 can be extended to cover D-variables and expressions. We refer to expressions also as functions.
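As an added worked example (written for this page, not code from the paper), the encoding above carried out in Python: a value in $D = \{1, \ldots, n\}$, $n = 2^r$, is represented as an $r$-tuple of booleans, the conditional and equality are computed bit-wise exactly as in the table, and `check_encoding` compares them exhaustively with direct evaluation. The representation of $k_i$ as the bits of $i - 1$ (least significant bit first, so that the default $k_1$ is the all-false tuple) is an assumption of this example, as is the Python view of a formula as a boolean and of a D-expression as a `Bits` tuple at one position. The block also builds the $(m+1)$-branch conditional by nesting two-branch ones and derives from it the shorthand $\min u: \varphi(u)$ used in the next subsection.

```python
"""Added example: D-variables over D = {1..n}, n = 2**r, as r-tuples of
booleans (section 4.1).  Value k_i is encoded as the r bits of i-1, least
significant bit first (an assumption of this example: it makes the default
constant k_1 the all-false tuple)."""
from itertools import product
from typing import Callable, List, Tuple

Bits = Tuple[bool, ...]


def encode(value: int, r: int) -> Bits:
    """The D-value k_value as an r-tuple of booleans."""
    if not 1 <= value <= 2 ** r:
        raise ValueError(f"{value} is outside D = {{1..{2 ** r}}}")
    return tuple(bool((value - 1) >> i & 1) for i in range(r))


def decode(bits: Bits) -> int:
    """Inverse of encode."""
    return 1 + sum(int(b) << i for i, b in enumerate(bits))


def cond(p: bool, e1: Bits, e2: Bits) -> Bits:
    """if(p: e1 else e2), bit-wise: (p and phi_i) or (not p and psi_i)."""
    return tuple((p and a) or (not p and b) for a, b in zip(e1, e2))


def equal(e1: Bits, e2: Bits) -> bool:
    """e1 = e2 as the conjunction (phi_1 <-> psi_1) and ... and (phi_r <-> psi_r)."""
    return all(a == b for a, b in zip(e1, e2))


def cond_multi(branches: List[Tuple[bool, Bits]], default: Bits) -> Bits:
    """(m+1)-branch conditional if(p1: e1; ...; pm: em else e_{m+1}) as a
    nesting of m two-branch conditionals: the first true guard wins."""
    result = default
    for p, e in reversed(branches):
        result = cond(p, e, result)
    return result


def min_satisfying(phi: Callable[[int], bool], r: int) -> int:
    """min u: phi(u): the constant k_i of smallest index with phi(k_i), or the
    default k_1 if there is none, written as the (n+1)-branch conditional."""
    n = 2 ** r
    branches = [(phi(k), encode(k, r)) for k in range(1, n + 1)]
    return decode(cond_multi(branches, encode(1, r)))


def check_encoding(r: int) -> bool:
    """Exhaustively compare the bit-level encodings with direct evaluation."""
    n = 2 ** r
    for p, v1, v2 in product((False, True), range(1, n + 1), range(1, n + 1)):
        if decode(cond(p, encode(v1, r), encode(v2, r))) != (v1 if p else v2):
            return False
        if equal(encode(v1, r), encode(v2, r)) != (v1 == v2):
            return False
    return all(decode(encode(v, r)) == v for v in range(1, n + 1))


if __name__ == "__main__":
    print(check_encoding(3), min_satisfying(lambda v: v % 3 == 0, 3))  # True 3
```

Since every D-expression unfolds into $r$ boolean formulas, any argument about D-variables in the rest of the section is an argument about $r$ propositions at once, which is why the axioms of section 3 carry over without change.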

The two-branch conditional $\mathit{if}(p: e_1\ \mathit{else}\ e_2)$ can be extended to an $(m+1)$-branch conditional as follows. Let $p_1, \ldots, p_m$ be qptl formulas and $e_1, \ldots, e_{m+1}$ be expressions. Then
$$\mathit{if}(p_1: e_1;\ p_2: e_2;\ \ldots;\ p_m: e_m\ \mathit{else}\ e_{m+1})$$
is an $(m+1)$-branch conditional expression. It can be defined as a nesting of $m$ two-branch conditionals. We let $\min u: \varphi(u)$ be a shorthand notation for
$$\mathit{if}\big(\exists u: \varphi(u) \wedge u = k_1 : k_1;\ \ \exists u: \varphi(u) \wedge u = k_2 : k_2;\ \ \ldots;\ \ \exists u: \varphi(u) \wedge u = k_n : k_n\ \ \mathit{else}\ k_1\big)$$
Obviously, if there exists a $u$ such that $\varphi(u)$ holds, then $\min u: \varphi(u)$ yields the constant $k_i$ with the smallest index such that $\varphi(u) \wedge u = k_i$ holds. If there does not exist such a $u$, then $\min u: \varphi(u)$ returns the default value $k_1$. Note that minimization is only applied to the value of $u$ at the current position, but $u$ may have arbitrary different values at different positions.

4.2 Extensible Formulas

A qptl formula $\varphi(y)$ is called ($y$-)past dependent if
$$\boxminus(y = z) \Rightarrow \big(\varphi(y) \leftrightarrow \varphi(z)\big)$$
is valid. Thus, a past-dependent formula $\varphi(y)$ depends only on the past values of variable $y$. A past-dependent formula $\varphi(y)$ is called extensible if
$$\widetilde{\ominus}\varphi(y) \Rightarrow \exists z: \varphi(z) \wedge \mathring{\boxminus}(y = z)$$
is valid. This entailment requires that if $\varphi(y)$ holds at the previous position, we can always find a sequence, represented by $z$, which agrees with $y$ on all preceding positions and causes $\varphi$ to hold at the present position. It allows the validity of $\varphi$ to be extended from the previous to the current position, by appropriate extension of $y$ into $z$. An extensible formula $\varphi(y)$ is called uniquely extensible if both
$$\varphi(y) \wedge \varphi(z) \Rightarrow (y = z) \qquad\text{and}\qquad \varphi(y) \Leftrightarrow \boxminus\varphi(y)$$
are valid. The first formula implies that $\varphi$ can be extended from the preceding to the current position in a unique way. The second formula implies that if $\varphi$ holds now, it must have held at all preceding positions.

Lemma 1. Let $\varphi(y)$ be a qptl formula. Then
$$\varphi(y) \Rightarrow \exists z: \varphi(z) \wedge z = \min u: \varphi(u)$$
This lemma claims that if $\varphi$ is satisfied by some $y$, then it is also satisfied by some $z$ whose current value (value at the current position) is minimal.

Lemma 2. Let $\varphi(y)$ be an extensible formula. Then
$$\Box\exists y: \varphi(y)$$
This lemma claims that, for every position $j$, we can find a sequence $y$ such that $\varphi(y)$ holds at $j$. It is proven by the induction theorem NFX5, using the fact that $\varphi$ is extensible.

Claim 3. Let $\varphi(y)$ be a uniquely extensible formula. Then
$$\varphi(y) \Rightarrow \big(y = \min u: \varphi(u)\big)$$
This claim states that if $\varphi(y)$ holds, then $y$ has a locally minimal value among all sequences satisfying $\varphi$ at the current position. This is not surprising, since there is only one unique $y$ (over all past positions) that can satisfy $\varphi$, due to the unique extensibility of $\varphi$.

Claim 4. Let $\varphi(y)$ be uniquely extensible. Then
$$\varphi(y) \Rightarrow \varphi\big(\min u: \varphi(u)\big)$$
This claim states that if we consider a sequence, represented by $y$, such that at any position $y$ is locally minimal among all sequences currently satisfying $\varphi$, then the sequence $y$ satisfies $\varphi$ at present. This follows from unique extensibility, claiming that at any position there is only one way to extend $y$ to satisfy $\varphi$. The importance of this claim is not so much in that we found a sequence satisfying $\varphi$, but in the fact that we have a syntactical representation $\min u: \varphi(u)$ for this satisfying sequence. Once we have a closed-form expression for it, we can apply theorem QT, as is done next.

Lemma 5. Let $\varphi(y)$ be uniquely extensible. Then
$$\exists y: \Box\varphi(y)$$
This lemma combines Lemma 2, Claim 3, Claim 4 and theorem QT to obtain the existence of a $y$ satisfying $\varphi$ at all positions.

Let $\varphi(y)$ be extensible. Define
$$\mathit{sext}_\varphi(y):\ \varphi(y) \wedge \Big(y = \min u: \big(\varphi(u) \wedge \mathring{\boxminus}(u = y)\big)\Big)$$
This formula requires a $y$ that satisfies $\varphi$ and that is locally minimal among all sequences satisfying $\varphi$ and agreeing with $y$ on all preceding positions. The idea is to convert an arbitrary extensible formula into a uniquely extensible one.

Lemma 6. Let $\varphi(y)$ be an extensible formula. Then $\boxminus\,\mathit{sext}_\varphi(y)$ is a uniquely extensible formula.

This lemma claims that the conversion is successful, once we require that $\mathit{sext}_\varphi(y)$ holds now and at all preceding positions.

Theorem 1. Let $\varphi(y)$ be an extensible formula. Then
$$\exists y: \Box\varphi(y)$$
This theorem claims that if $\varphi$ is an extensible formula, then there exists a sequence $y$ satisfying $\varphi$ at all positions. It extends the statement made by Lemma 5 for the more restricted class of uniquely extensible formulas.

Let $\mathit{step}(t)$ represent the following qptl formula:
$$\mathit{step}(t):\ \boxminus t \wedge \mathring{\Box}\neg t$$
The formula $\mathit{step}(t)$ characterizes $t$ as a step function, being true up to (and including) the present position, and being false from the next position on. Such sequences are used to mark the current position.

Claim 7.
$$\Box\exists t: \mathit{step}(t)$$
This claim states that, for every position $j$, there exists a step function marking the position. Let $g_1$, $g_2$, and $g_3$ be three functions, and $z$ be a variable that does not occur free in any of these functions. Then,

Claim 8.
$$\Box\exists z: \mathring{\boxminus}(z = g_1) \wedge (z = g_2) \wedge \mathring{\Box}(z = g_3)$$
This claim states that we can always patch together three functions and claim the existence of a sequence $z$ whose value equals $g_1$ at all positions preceding the current one, equals $g_2$ at the current position, and equals $g_3$ at all positions succeeding the current position.

The History Scheme

A function $h(y)$ is called historic if it satisfies
$$\mathring{\boxminus}(y = z) \Rightarrow \big(h(y) = h(z)\big)$$
Obviously, the value of a historic function $h(y)$ only depends on the values of $y$ at the preceding positions.

Lemma 9. Let $h(y)$ be a historic function, and $\varphi(y): y = h(y)$. Then $\boxminus\varphi(y)$ is an extensible formula.

This lemma claims that the formula $y = h(y)$ constructed from a historic function $h(y)$ gives an extensible formula, to which we may apply Theorem 1, as is done in the following theorem.

Theorem 2. Let $h(y)$ be a historic function and $\varphi(y): y = h(y)$. Then
$$\exists y: \Box\big(y = h(y)\big)$$
This theorem establishes that a history scheme always defines some sequence $y$ satisfying the recurrence equation $y = h(y)$ at all positions.

The Prophecy Scheme

A function $f(y)$ is called prophetic if it satisfies
$$\bigcirc(y = z) \to \big(f(y) = f(z)\big)$$
Obviously, a prophetic function $f(y)$ only depends on the value of $y$ at the next position. Let $\varphi(y): y = f(y)$, where $f(y)$ is a prophetic function. We define the following qptl formula:
$$\psi(y):\ \exists t: \mathit{step}(t) \wedge \Box\Diamond\exists u: \Big[\boxminus\varphi(u) \wedge \boxminus\big(t \to u = y\big)\Big] \qquad (5)$$
This formula lies at the heart of the reason why prophecy schemes, which are based on backward induction over a finite domain, still identify a well-defined sequence $y$ satisfying $y = f(y)$ at all positions. The formula uses the step variable $t$ to mark the current position. Then it requires the existence of infinitely many future points at which we can start a backward induction on a sequence $u$ (that may vary from one future starting point to another), requiring that all these sequences, when they come back to the current position (and below), agree with the current value of $y$. The informal proof that a prophecy scheme has a solution is based on König's lemma. The formula gives König's argument a formal expression.

Claim 10.
$$\boxminus(y = z) \Rightarrow \big(\psi(y) \leftrightarrow \psi(z)\big)$$
This claim identifies $\psi(y)$ as a past-dependent formula.
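An added example (written for this page, not the paper's own material): the two schemes solved mechanically over a finite domain $D = \{1, \ldots, n\}$ on an ultimately periodic model $\sigma = \mathit{stem} \cdot \mathit{loop}^\omega$. A scheme function is given as a Python callable `f(v, s)` taking the value $v$ of $y$ at the neighbouring position ($\ominus y$ or $\bigcirc y$) and the current state $s$, which carries the other variables; this representation, the lasso shape of the model, and the sample model and functions at the bottom are constructions of this example. The history scheme is forward induction from the default $k_1 = 1$ for $\ominus y$ at position 0 (the default of section 4.1). The prophecy scheme has no base case; the code uses the finite-domain argument behind Theorem 3 in concrete form: composing $f$ backwards over one period of the model gives a map $G: D \to D$, any map on a finite set has a cycle, and threading that cycle backwards yields a $y$ with $y = f(\bigcirc y)$ at every position. The second sample shows that the period of $y$ may be a multiple of the model's period.

```python
"""Added example: history and prophecy schemes over D = {1..n} on an
ultimately periodic model stem . loop^omega (section 4).  States are dicts;
f(v, s) applies the scheme's function to the value v of y at the neighbouring
position and the current state s.  Solutions are returned as lassos
(y on the stem, y on one period of its loop)."""
from typing import Callable, Dict, List, Tuple

State = Dict[str, bool]
Fun = Callable[[int, State], int]
Lasso = Tuple[List[int], List[int]]


def state_at(j: int, stem: List[State], loop: List[State]) -> State:
    return stem[j] if j < len(stem) else loop[(j - len(stem)) % len(loop)]


def solve_history(h: Fun, stem: List[State], loop: List[State]) -> Lasso:
    """y_j = h(y_{j-1}, s_j) by forward induction with y_{-1} = k_1 = 1.
    Runs until (loop position, previous y) repeats, which closes the lasso."""
    k, m = len(stem), len(loop)
    ys: List[int] = []
    seen: Dict[Tuple[int, int], int] = {}
    prev, j = 1, 0
    while True:
        if j >= k:
            key = ((j - k) % m, prev)
            if key in seen:
                start = seen[key]
                return ys[:start], ys[start:]
            seen[key] = j
        prev = h(prev, state_at(j, stem, loop))
        ys.append(prev)
        j += 1


def solve_prophecy(f: Fun, stem: List[State], loop: List[State]) -> Lasso:
    """y_j = f(y_{j+1}, s_j).  G maps the value of y at the start of one loop
    period to its value at the start of the previous period.  D is finite, so
    iterating G reaches a cycle v_0 -> ... -> v_{c-1} -> v_0; choosing y at the
    start of period a as v_{-a mod c} and filling each period backwards
    satisfies the equation everywhere (the period of y becomes c*m)."""
    k, m = len(stem), len(loop)

    def G(v: int) -> int:
        for s in reversed(loop):
            v = f(v, s)
        return v

    seq, v = [], 1
    while v not in seq:
        seq.append(v)
        v = G(v)
    cycle = seq[seq.index(v):]
    c = len(cycle)
    yloop = [0] * (c * m)
    for a in range(c):
        v = cycle[(-a - 1) % c]          # y at the start of period a+1
        for i in reversed(range(m)):
            v = f(v, loop[i])
            yloop[a * m + i] = v
    ystem = [0] * k
    v = yloop[0]
    for i in reversed(range(k)):
        v = f(v, stem[i])
        ystem[i] = v
    return ystem, yloop


def satisfies(kind: str, f: Fun, stem: List[State], loop: List[State],
              sol: Lasso, positions: int = 40) -> bool:
    """Check y = f(previous y) ('history') or y = f(next y) ('prophecy')
    on a prefix of the model long enough to cover several periods."""
    ystem, yloop = sol
    k = len(stem)

    def y(j: int) -> int:
        if j < 0:
            return 1                      # default k_1 for the value before position 0
        return ystem[j] if j < k else yloop[(j - k) % len(yloop)]

    for j in range(positions):
        neighbour = y(j - 1) if kind == "history" else y(j + 1)
        if y(j) != f(neighbour, state_at(j, stem, loop)):
            return False
    return True


# Constructed sample (not from the paper): n = 4, one proposition "a".
N = 4
STEM = [{"a": False}, {"a": False}]
LOOP = [{"a": False}, {"a": True}, {"a": False}]
count_to_next_a: Fun = lambda v, s: 1 if s["a"] else min(v + 1, N)  # prophetic
advance_on_a: Fun = lambda v, s: v % N + 1 if s["a"] else v           # historic

if __name__ == "__main__":
    print(solve_prophecy(count_to_next_a, STEM, LOOP))   # ([4, 3], [2, 1, 3])
    print(solve_prophecy(advance_on_a, [], [{"a": True}]))   # ([], [1, 4, 3, 2])
```

In the second prophecy sample the model has period 1 but the solution has period 4: the cycle of $G$ is what fixes the value of $y$ at the loop, which is exactly the "infinitely many future starting points" that formula (5) quantifies over.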

Claim 11.
$$\Box\forall v\,\exists u: \bigcirc(u = v) \wedge \boxminus\big(u = f(u)\big)$$
This claim states that, given an initial value $v$, we can always apply the backward induction and obtain a sequence $u$ satisfying $u = f(u)$ at the current and all preceding positions, and whose value at the next position equals $v$.

Corollary 12.
$$\Box\exists u: \boxminus\big(u = f(u)\big)$$
This corollary claims that, at every position, one can find a sequence $u$ satisfying $u = f(u)$ at the current position and all preceding ones.

Lemma 13. Let $f(y)$ be a prophetic function and $\varphi(y): y = f(y)$. Then the formula $\psi$ as defined in (5) is an extensible formula.

Lemma 14. Let $f(y)$ be a prophetic function and $\varphi(y): y = f(y)$. Then
$$\psi(y) \Rightarrow \mathring{\boxminus}\big(y = f(y)\big)$$
This lemma claims that if $\psi$ holds at some position, then $y = f(y)$ holds at all preceding positions.

Theorem 3. Let $f(y)$ be a prophetic function and $\varphi(y): y = f(y)$. Then
$$\exists y: \Box\big(y = f(y)\big)$$
This theorem establishes the existence of a sequence $y$ satisfying the prophecy scheme equation $y = f(y)$ at all positions. By Lemma 13 formula $\psi$ is extensible, which by Theorem 1 guarantees the existence of a sequence $y$ satisfying $\psi$ at all positions. By Lemma 14, this implies that $y = f(y)$ holds at all positions.

5 From qptl to ω-Automata

An ω-automaton $A = (Q, Q_0, \rho, C)$ consists of

• $Q$: a finite set of automaton-states.
• $Q_0 \subseteq Q$: a subset of initial automaton-states.
• $\rho$: for every $q_i, q_j \in Q$, $\rho(q_i, q_j)$ is a propositional assertion.
• $C$: an acceptance condition.

Let $\sigma: s_0, s_1, \ldots$ be a model. A sequence of automaton-states $r: q_0, q_1, \ldots$ is a run of $A$ over $\sigma$ if $q_0 \in Q_0$ and, for every $i \ge 0$,
$$s_i \models \rho(q_i, q_{i+1}).$$
A run $r$ of $A$ visits a state $q \in Q$ if there exists an $i$ such that $q_i = q$. The infinity set $\mathit{inf}(r)$ of a run $r$ is the set of automaton-states that are visited infinitely many times. A run is accepting if the infinity set $\mathit{inf}(r)$ satisfies the acceptance condition $C$. A model $\sigma$ is said to be accepted by the automaton $A$ if $A$ has an accepting run over $\sigma$. Classes of ω-automata are defined according to their acceptance conditions. We denote by B, R and S the ω-automata with Büchi, Rabin and Streett acceptance conditions, respectively. The acceptance conditions for these three classes are summarized in the table below.

Class   Syntax                              Semantics
B       $Q_{acc} \subseteq Q$                 $\mathit{inf}(r) \cap Q_{acc} \neq \emptyset$
R       $\bigvee_i (L_i \wedge \neg U_i)$     $\exists i:\ \mathit{inf}(r) \cap L_i \neq \emptyset \;\wedge\; \mathit{inf}(r) \cap U_i = \emptyset$
S       $\bigwedge_i (L_i \to U_i)$           $\forall i:\ \mathit{inf}(r) \cap L_i = \emptyset \;\vee\; \mathit{inf}(r) \cap U_i \neq \emptyset$

A model $\sigma'$ is said to be a $j$-marked variant of $\sigma$ if $\sigma'$ is a $t$-variant of $\sigma$ and $\sigma'$ interprets $t$ as $\mathsf{t}$ at position $j$ and $\mathsf{f}$ elsewhere. Observe that every model $\sigma$ has a unique $j$-marked variant for each $j \ge 0$. Automaton $A$ $j$-approves a model $\sigma$ if it accepts the $j$-marked variant of $\sigma$. Let $\varphi$ be a qptl formula not referring to the boolean variable $t$, and $A$ be an ω-automaton. We say that $A$ is an automaton congruent to the formula $\varphi$ if, for every model $\sigma$ and position $j \ge 0$, $(\sigma, j) \models \varphi$ iff $A$ $j$-approves $\sigma$. An ω-automaton is deterministic if, for every model $\sigma$, $A$ has exactly one run over $\sigma$. We use the notation D and N for deterministic and non-deterministic automata, respectively. Let $A$ be an ω-automaton. We say that $A$ is void if there is no model $\sigma$ and no position $j \ge 0$ such that $\sigma$ is $j$-approved by $A$. We say that $A$ is initially void if there is no model $\sigma$ which is 0-approved by $A$. Note that an automaton which only accepts the empty language is necessarily void. On the other hand, an automaton may be void and yet accept a non-empty language. However, none of the models it accepts is then a $j$-marked variant of some model, meaning that the number of positions at which $t$ is true, in any of the accepted models, is different from 1.
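The definitions above, run in Python as an added example (not code from the paper): an ω-automaton with transition assertions given as predicates over a state, the three acceptance conditions as predicates on $\mathit{inf}(r)$, a Büchi acceptance check over an ultimately periodic model $\mathit{stem} \cdot \mathit{loop}^\omega$ (an accepting run exists iff, in the product of the automaton with the lasso positions, some accepting node is reachable and lies on a cycle), the $j$-marked variant, and the automaton $A_p$ for a proposition from section 5.1, whose $j$-approval of a constructed sample model is checked against the truth of $p$ at position $j$. The lasso representation of models, the predicate encoding of assertions and the sample model are constructions of this example.

```python
"""Added example: omega-automata of section 5 over ultimately periodic models
stem . loop^omega.  Transition labels rho(q, q') are propositional assertions,
represented here as Python predicates on a state (dict proposition -> bool)."""
from typing import Callable, Dict, Iterable, List, Set, Tuple

State = Dict[str, bool]
Assertion = Callable[[State], bool]
Node = Tuple[int, str]          # (lasso position, automaton state)


class OmegaAutomaton:
    def __init__(self, states: Iterable[str], initial: Iterable[str],
                 rho: Dict[Tuple[str, str], Assertion]):
        self.states, self.initial, self.rho = set(states), set(initial), rho

    def successors(self, q: str, s: State) -> List[str]:
        """States q' with s |= rho(q, q'); pairs not in rho count as false."""
        return [q2 for q2 in sorted(self.states)
                if (q, q2) in self.rho and self.rho[(q, q2)](s)]


def buchi_ok(inf: Set[str], qacc: Set[str]) -> bool:
    return bool(inf & qacc)


def rabin_ok(inf: Set[str], pairs: List[Tuple[Set[str], Set[str]]]) -> bool:
    return any(inf & L and not (inf & U) for L, U in pairs)


def streett_ok(inf: Set[str], pairs: List[Tuple[Set[str], Set[str]]]) -> bool:
    return all(not (inf & L) or bool(inf & U) for L, U in pairs)


def buchi_accepts(aut: OmegaAutomaton, qacc: Set[str],
                  stem: List[State], loop: List[State]) -> bool:
    """Is there a run over stem.loop^omega with inf(r) meeting qacc?  In the
    product of the automaton with the k+m lasso positions this holds iff some
    node (i, q), q in qacc, is reachable from an initial node and on a cycle."""
    k, m = len(stem), len(loop)
    positions = stem + loop

    def nxt(i: int) -> int:
        return i + 1 if i + 1 < k + m else k       # last loop position wraps to k

    def out(node: Node) -> List[Node]:
        i, q = node
        return [(nxt(i), q2) for q2 in aut.successors(q, positions[i])]

    def reach(sources: Iterable[Node]) -> Set[Node]:
        seen: Set[Node] = set()
        stack = list(sources)
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(out(n))
        return seen

    reachable = reach([(0, q) for q in aut.initial])
    return any(node[1] in qacc and node in reach(out(node)) for node in reachable)


def marked_variant(stem: List[State], loop: List[State], j: int,
                   t: str = "t") -> Tuple[List[State], List[State]]:
    """The j-marked variant: t true exactly at position j.  A position inside
    the loop is first unrolled into the stem (rotating the loop) so that a
    single position can be marked."""
    k, m = len(stem), len(loop)
    u = max(0, j + 1 - k)
    stem = list(stem) + [loop[i % m] for i in range(u)]
    loop = loop[u % m:] + loop[:u % m]
    return ([dict(s, **{t: i == j}) for i, s in enumerate(stem)],
            [dict(s, **{t: False}) for s in loop])


def automaton_for_proposition(p: str, t: str = "t") -> Tuple[OmegaAutomaton, Set[str]]:
    """A_p of section 5.1: idle in q0, move to q1 when p and the marker t hold,
    idle in q1; Q_acc = {q1}.  Idling transitions carry the assertion true."""
    aut = OmegaAutomaton({"q0", "q1"}, {"q0"}, {
        ("q0", "q1"): lambda s: s[p] and s[t],
        ("q0", "q0"): lambda s: True,
        ("q1", "q1"): lambda s: True})
    return aut, {"q1"}


def j_approves(aut: OmegaAutomaton, qacc: Set[str],
               stem: List[State], loop: List[State], j: int) -> bool:
    ms, ml = marked_variant(stem, loop, j)
    return buchi_accepts(aut, qacc, ms, ml)


# Constructed sample model (not from the paper): p holds at positions 0 and 2 only.
SAMPLE_STEM = [{"p": True}, {"p": False}, {"p": True}]
SAMPLE_LOOP = [{"p": False}]

if __name__ == "__main__":
    aut, qacc = automaton_for_proposition("p")
    print([j_approves(aut, qacc, SAMPLE_STEM, SAMPLE_LOOP, j) for j in range(6)])
    # [True, False, True, False, False, False]
```

The $j$-approval results reproduce Claim 16 on this model: $A_p$ approves exactly the positions where $p$ holds. Note that `buchi_accepts` decides the existence of an accepting run for a nondeterministic Büchi automaton; for the Rabin and Streett conditions the block only provides the predicate on $\mathit{inf}(r)$, since an emptiness check for those needs a strongly-connected-component analysis that is not part of this example.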

For every automaton $A$, we can construct a qptl formula $\psi_A$ characterizing the approving runs of $A$. The formula uses a variable $y$ which ranges over $Q$ to denote the state in which the automaton is currently situated. We write $\mathit{at\_}q_i$ as a synonym for $y = q_i$ and, for a set of states $S \subseteq Q$, we write $\mathit{in\_}S$ as a synonym for $\bigvee_{q_i \in S} \mathit{at\_}q_i$. The formula is defined in several stages as follows:
$$\begin{array}{lcl}
S_n(t) & : & \mathring{\boxminus}\neg t \wedge t \wedge \mathring{\Box}\neg t\\
\mathit{init}_A & : & \mathit{in\_}Q_0\\
\mathit{run}_A & : & \Box\bigvee_{i,j}\big(\mathit{at\_}q_i \wedge \bigcirc\mathit{at\_}q_j \wedge \rho(q_i, q_j)\big)\\
\psi_A & : & \exists t, y:\ S_n(t) \wedge \Diamond^{-}\big(\mathit{first} \wedge \mathit{init}_A \wedge \mathit{run}_A \wedge \mathit{acc}^C_A\big)
\end{array}$$
Formula $S_n(t)$ characterizes $t$ as a proper marker which is true at the current position and false at all other positions. Formula $\mathit{init}_A$ requires that the automaton currently resides at an initial state. Formula $\mathit{run}_A$ requires that, from now on, variable $y$ will follow the transition rules, moving from state $q_i$ to $q_j$ only when $\rho(q_i, q_j)$ holds. Finally, formula $\psi_A$ groups all these components together, requiring that $t$ marks the current position and that, if we go back to the beginning of the model, we can interpret the values of $y$ as encoding an accepting run of the automaton. The acceptance formula $\mathit{acc}^C_A$ depends, of course, on the acceptance type. For the three considered types, it is defined as follows:
$$\begin{array}{lcl}
\mathit{acc}^B_A & : & \Box\Diamond\,\mathit{in\_}Q_{acc}\\
\mathit{acc}^R_A & : & \bigvee_i \big(\Box\Diamond\,\mathit{in\_}L_i \wedge \Diamond\Box\neg\mathit{in\_}U_i\big)\\
\mathit{acc}^S_A & : & \bigwedge_i \big(\Diamond\Box\neg\mathit{in\_}L_i \vee \Box\Diamond\,\mathit{in\_}U_i\big)
\end{array}$$

Claim 15. Every automaton $A$ is congruent to its characteristic formula $\psi_A$. That is, $(\sigma, j) \models \psi_A$ iff $A$ $j$-approves $\sigma$.

5.1 Inductive Construction of Automata

In the following, we show how to construct for each formula $\varphi$ an NB-automaton (non-deterministic Büchi automaton) which is congruent to $\varphi$. The construction is inductive, showing first how to construct an automaton congruent to a proposition $p$, and then presenting, for each operator of the language, a construction showing how to build an automaton that corresponds to a formula using this operator from the automata corresponding to its subformulas. To reduce the number of considered constructions, we replace all occurrences of the $\mathcal{W}$ operator with the temporal operators $\Box$ and $\bigcirc$, using the following congruence:
$$p\,\mathcal{W}\,q \;\Leftrightarrow\; \exists t:\ t \wedge \Box\big(t \to q \vee (p \wedge \bigcirc t)\big) \qquad (6)$$
Similarly, we replace all occurrences of the $\mathcal{B}$ operator with the temporal operators $\boxminus$ and $\widetilde{\ominus}$, using the following congruence:
$$p\,\mathcal{B}\,q \;\Leftrightarrow\; \exists t:\ t \wedge \boxminus\big(t \to q \vee (p \wedge \widetilde{\ominus} t)\big) \qquad (7)$$
Next, we define an NB-automaton $A_\varphi$ congruent to the formula $\varphi$ by induction on the structure of $\varphi$. We use the axiomatic system $Qx$ to prove the congruence $\varphi \Leftrightarrow \psi_{A_\varphi}$. Due to lack of space, we present here only the constructions corresponding to propositions and the operators $\bigcirc$ and $\neg$ (only a sketch), and omit all proofs. In the full paper (also [KP95]), we present the constructions corresponding to the operators $\vee$, $\Diamond$, $\ominus$, $\widetilde{\ominus}$, $\Diamond^{-}$, and $\exists$, and complete all the proofs.

Case: $\varphi$ is a proposition $p$. Let $A_p: (Q, Q_0, \rho, Q_{acc})$ be an NB-automaton given by:
$$Q: \{q_0, q_1\} \qquad Q_0: \{q_0\} \qquad Q_{acc}: \{q_1\} \qquad \rho(q_0, q_1) = p \wedge t \qquad \rho(q_0, q_0) = \rho(q_1, q_1) = \mathsf{t}$$

Claim 16. The automaton $A_p$ is congruent to $p$.

Claim 17. $\vdash_{Qx} p \Leftrightarrow \psi_{A_p}$

Case: $\varphi$ is of the form $\bigcirc p$. By induction, we assume that we have already constructed the automaton congruent to $p$, which is given by $A_p: (Q^p, Q^p_0, \rho^p, Q^p_{acc})$. The automaton for $\bigcirc p$ is given by $A_{\bigcirc p} = (Q, Q_0, \rho, Q_{acc})$, where we define
$$Q^A: \{q_i^A \mid q_i \in Q^p\} \qquad Q^B: \{q_i^B \mid q_i \in Q^p\}$$
and let
$$Q: Q^A \cup Q^B \qquad Q_0: \{q_i^A \mid q_i \in Q^p_0\} \qquad Q_{acc}: \{q_i^A \mid q_i \in Q^p_{acc}\}$$
For every $q_i^x, q_j^y \in Q$, let $\rho^p(q_i, q_j) = \varphi$. Then $\rho(q_i^x, q_j^y)$ is defined by a case distinction on $x$, $y$ and $\varphi$.