LTL+b=₀LTL+b+p

which was already noted at the end of Sect. 4.1.

Expressive completeness of temporal logic refers to the first-order logic FOL¹ with a fixed interpretation of “time” by the set of natural numbers. Of course, this corresponds to the choice ofN as the underlying “time model” in the semantics of LTL and its variants. In Sect. 10.1 we will briefly discuss other sets such as the integersZor the realsRwhich could be chosen instead ofN. Remarkably, expressive completeness of temporal logic carries over (in an analogously defined way) to a number of such time domains including Dedekind-complete structures such asR, but not for example the rational numbersQ.

Ω1:

q0

q1

- ?

¬v

? v vs

k_¬v ^Ω2:

q0

q1

- ? true

vs

k_¬v ^Ω3:

q0

q1

- ? true

? v vs

Fig. 4.2. Three B¨uchi automata

• q0∈Q0is an initial location and

• _η

iδ(qi,qi+1)holds for alli∈N(in the sense of Sect. 1.1).

The runis accepting andKis accepted ifq_i∈Q_f holds for infinitely manyi∈N. The languageL(Ω)ofΩis the set of temporal structures forVwhich are accepted byΩ.

The structure of a B¨uchi automaton is that of an ordinary non-deterministic finite automaton (NFA). Locations of automata are often called (automaton) states, but we prefer to use a different word in order to distinguish them from the states of a temporal structure. The acceptance condition of a B¨uchi automaton adapts that of an NFA toω-runs: a run is accepting if it visits an accepting location infinitely often. In the above definition, we have replaced the conventional notion of the alphabet over which the automaton operates by a setVof propositional constants, because we will use automata as acceptors of temporal structures.

Example. Figure 4.2 shows three B¨uchi automataΩ1,Ω2, andΩ3, where we as- sumeV = {v}. When drawing B¨uchi automata, we indicate initial locations by incoming arrows without a source location. Accepting locations are marked by dou- ble circles. We omit transitions labeled by false from the diagrams: for example, we haveδ(q1,q1) =false for the middle automaton.

Automaton Ω1 visits location q1 upon reading a state satisfying v, and visits locationq₀otherwise. Sinceq₁ is accepting, the automaton accepts precisely those temporal structures that contain infinitely many states satisfyingv. Observe also that Ω₁is deterministic: it has only one initial location and for any locationqand stateη there is precisely one locationqsuch that_ηδ(q,q). In particular, there is only one possible run over any temporal structure forV.

Starting from locationq₀, automaton Ω₂ may always choose to remain atq₀. However, when reading a state satisfyingvit may choose to move toq₁; it then ver- ifies that the following state satisfies¬v (otherwise, the run cannot be completed).

The acceptance condition ensures that any structure accepted byΩ2 contains in- finitely many states satisfyingv followed by a state satisfying¬v. In other words, L(Ω2)consists of those temporal structures satisfying the formula23(v∧ e¬v).

Observe that this formula is equivalent to23v ∧23¬v. It is not hard to find a deterministic B¨uchi automaton defining the same language.

AutomatonΩ3may similarly decide to move to locationq1upon reading a state satisfyingv. It can complete the run only if all subsequent states satisfyv: the lan- guageL(Ω3)consists of those structures that satisfy32v. This language cannot be defined by a deterministic B¨uchi automaton. In fact, it can be shown that determin- istic B¨uchi automata are strictly weaker than non-deterministic ones.

In analogy to regular languages, which are accepted by non-deterministic finite automata, we say that a languageL, understood as a set of temporal structures, over some setVof propositional constants, isω-regular (overV) if it is definable by a B¨uchi automaton, that is, ifL=L(Ω)for some B¨uchi automatonΩoverV.

The class ofω-regular languages enjoys many of the closure properties known from regular languages. These are interesting in their own right, but are also at the basis of the characterizations of the expressiveness of the logics LTL+q and LTL+μ in Sect. 4.4, and they are related to decidability results that will be useful in Chap. 11.

Theorem 4.3.1. IfL1andL2areω-regular overVthen so areL1∪L2andL1∩L2. Proof. LetΩ1 = (V,Q⁽¹⁾,Q₀⁽¹⁾, δ⁽¹⁾,Q_f⁽¹⁾)andΩ2 = (V,Q⁽²⁾,Q₀⁽²⁾, δ⁽²⁾,Q_f⁽²⁾) be B¨uchi automata characterizingL1=L(Ω1)andL2=L(Ω2). We will construct B¨uchi automataΩ^∪andΩ^∩such thatL(Ω^∪) =L1∪ L2andL(Ω^∩) =L1∩ L2.

ForΩ^∪, we simply take the disjoint union ofΩ1andΩ2. More precisely, define Ω^∪= (V,Q^∪,Q₀^∪, δ^∪,Q_f^∪)where

• Q^∪= (Q⁽¹⁾× {1})∪(Q⁽²⁾× {2}),

• Q₀^∪= (Q₀⁽¹⁾× {1})∪(Q₀⁽²⁾× {2}),

• δ^∪((q,i),(q,i)) =

δ⁽ⁱ⁾(q,q) ifi=i, false otherwise,

• Q_f^∪= (Q_f⁽¹⁾× {1})∪(Q_f⁽²⁾× {2}).

It follows immediately from this definition that, for i ∈ {1,2}, Ω^∪ has a run = ((q0,i),(q1,i),(q2,i), . . .)over a temporal structure K forV if and only if Ωi has a corresponding runi = (q0,q1,q2, . . .)overK. Moreover,is accepting forΩ^∪ if and only ifi is accepting forΩi, and all runs ofΩ^∪ are of this form.

Hence,Ω^∪characterizesL1∪ L2.

The automatonΩ^∩ is essentially defined as the product ofΩ1andΩ2, but we have to be a little careful about the definition of the acceptance condition: the product automaton has to visit accepting locations of bothΩ₁andΩ₂infinitely often, and it is easy to find examples for which the naive definitions of the set of accepting locations asQ_f⁽¹⁾×Q_f⁽²⁾, or as(Q_f⁽¹⁾×Q⁽²⁾)∪(Q⁽¹⁾×Q_f⁽²⁾), produce wrong results. Instead, we observe that requiring infinitely many visits to bothQ_f⁽¹⁾andQ_f⁽²⁾is equivalent to requiring that infinitely often the run visitsQ_f⁽¹⁾, eventually followed by a visit of a location inQ_f⁽²⁾.

Technically, the locations of Ω^∩ contain an extra component l ∈ {1,2} that indicates whether we are waiting for a visit of an accepting location ofΩ1or ofΩ2. The automaton is defined asΩ^∩= (V,Q^∩,Q₀^∩, δ^∩,Q_f^∩)where

• Q^∩=Q⁽¹⁾×Q⁽²⁾× {1,2},

• Q₀^∩=Q₀⁽¹⁾×Q₀⁽²⁾× {1},

Ω1:

q₀⁽¹⁾

q₁⁽¹⁾ - ?

true v s ktrue

Ω2:

q₀⁽²⁾

q₁⁽²⁾ - ?

true

¬v s k true

Ω^∩: -

q₀⁽¹⁾,q₀⁽²⁾,1

? true

?^¬v

-

v

q₁⁽¹⁾,q₀⁽²⁾,1^true-

?^¬v

q₀⁽¹⁾,q₀⁽²⁾,2

? true

?^v

^¬v

q₁⁽¹⁾,q₀⁽²⁾,2

6_true

_¬ v

q₀⁽¹⁾,q₁⁽²⁾,2

6_v HH HH HH Y^true

q₀⁽¹⁾,q₁⁽²⁾,1 true6

* v

Fig. 4.3. Construction of a product

• δ^∩((q⁽¹⁾,q⁽²⁾,l),(¯q⁽¹⁾,¯q⁽²⁾,¯l)) =

⎧⎪

⎪⎪

⎨

⎪⎪

⎪⎩

δ⁽¹⁾(q⁽¹⁾,q¯⁽¹⁾)∧ δ⁽²⁾(q⁽²⁾,¯q⁽²⁾) ifq^(l)∈/ Q_f^(l)and¯l =l orq^(l)∈Q_f^(l)and¯l =l, false otherwise,

• Q_f^∩=Q_f⁽¹⁾×Q⁽²⁾× {1}.

Figure 4.3 illustrates this construction (locations that are only reachable via unsatis- fiable transition labels have been omitted).

Assume thatΩ^∩has an accepting run = ((q₀⁽¹⁾,q₀⁽²⁾,l₀),(q₁⁽¹⁾,q₁⁽²⁾,l₁), . . .) over the temporal structureK. By the definitions ofQ₀^∩andδ^∩, it follows immedi- ately that₁ = (q₀⁽¹⁾,q₁⁽¹⁾, . . .)and₂ = (q₀⁽²⁾,q₁⁽²⁾, . . .)are runs ofΩ₁ andΩ₂, respectively. Moreover,is accepting, and therefore we must haveq_k⁽¹⁾ ∈Q_f⁽¹⁾and l_k = 1for infinitely manyk ∈N. In particular,₁is an accepting run ofΩ₁overK.

We now show that for everyk such thatq_k⁽¹⁾ ∈Q_f⁽¹⁾andlk = 1there exists some j >ksuch thatq_j⁽²⁾ ∈Q_f⁽²⁾. Since we already know that there are infinitely many positions such thatq_k⁽¹⁾ ∈ Q_f⁽¹⁾andlk = 1, it follows thatq_j⁽²⁾ ∈Q_f⁽²⁾ also holds infinitely often; hence₂is an accepting run ofΩ₂. Indeed, assume thatq_k⁽¹⁾∈Q_f⁽¹⁾ andlk = 1. By the definition ofδ^∩, we havelk+1 = 2. Now, ifq_j⁽²⁾ ∈/ Q_f⁽²⁾for all j >k, it would follow thatlj = 2for allj>k, contradicting the fact thatli= 1for infinitely manyi∈N.

Conversely, given runs1and2ofΩ1andΩ2overK, it is straightforward to

construct an accepting run ofΩ^∩overK.

Theω-regular languages are also closed under projection: for a temporal struc- tureK= (η₀, η₁, η₂, . . .)for a setVof propositional constants andv∈V, we write

V_−vfor the setV\ {v}and defineK_−vas the temporal structure K_−v= (η₀|V₋v, η₁|V₋v, η₂|V₋v, . . .)

overV_−v whereη_i|V₋v is the restriction of the valuationη_i to the setV_−v. IfLis a language overVthen

L−v={K_−v |K∈ L}

is the projection ofLtoV_−v.

Theorem 4.3.2. IfLisω-regular overVthenL₋v isω-regular overV₋v.

Proof. The idea of the proof is to have the automaton forL−vguess a suitable value forvat every transition. More formally, assume thatLis defined by the B¨uchi au- tomatonΩ = (V,Q,Q₀, δ,Q_f). We will show thatL−v is recognized by the au- tomatonΩ_−v = (V_−v,Q,Q₀, δ_−v,Q_f)where

δ_−v(q,q) = (δ(q,q))_v(true)∨(δ(q,q))_v(false)

(δ(q,q)_v(true)andδ(q,q)_v(false)are obtained fromδ(q,q)by replacing all oc- currences ofvby true or false, respectively). This definition ensures that

_ηδ(q,q) ⇔ _η|

V−vδ_−v(q,q)

for any locationsq,q and any valuationη. Therefore, any run ofΩ over some temporal structureKis also a run ofΩ_−v overK_−v. Conversely, given a run of Ω_−v over a temporal structureK⁻forV_−v, one can find a structureKforVsuch thatK⁻ =K_−v andis a run ofΩoverK. Because any run is accepting forΩif and only if it is accepting forΩ_−v, this suffices to establish the assertion.

Finally, we now set out to prove thatω-regular languages are closed under com- plement. For a regular languageL(of finite words), the proof of the analogous result relies on determinization: one first constructs a deterministic finite automaton (DFA) that recognizesL, and then obtains a DFA that accepts the complement ofLby ex- changing accepting and non-accepting locations. This proof idea does not carry over to B¨uchi automata: as we remarked earlier, one cannot always determinize a given B¨uchi automaton. Besides, exchanging accepting and non-accepting locations in a deterministic B¨uchi automaton does not necessarily result in an automaton accepting the complement language. For example, consider the leftmost automaton of Fig. 4.2, which is deterministic and recognizes those structures that satisfy23v. Makingq0

the accepting location instead ofq1, we obtain an automaton that corresponds to the class of temporal structures satisfying23¬v, which is not the complement of those that satisfy23v.

In the present case the result will be proved in several steps as follows. Firstly, we represent all possible runs of a B¨uchi automaton in a directed acyclic graph (dag):

the run dag of a B¨uchi automatonΩ = (V,Q,Q0, δ,Qf)and a temporal structure K= (η0, η1, η2. . .)forV, denoteddag(Ω,K), is the rooted directed acyclic graph (with multiple roots) with elements fromQ ×Nas nodes given by the following inductive definition.

q0

q1

η η η¯ η¯ η

r r r r r r r r r

HHH HHH HHH ^q_q⁰₁

η η η¯ η η

r r r r r r r r r r HHH HHH HHH HHH Fig. 4.4. Two run dags

q0

q1

η η η¯ η¯ η

2 2

2 1 2

1 1 1

HHH HHH HHH0 ^q_q⁰₁

η η η¯ η η

2 2

2 1 2

1 1

0 1 HHH HHH HHH HHH0 Fig. 4.5. Rankings of run dags

• The roots ofdag(Ω,K)are the nodes(q,0)for every initial locationqofΩ.

• The successor nodes of any node(q,i)are the possible successors(q,i+ 1)in a run ofΩoverK. Formally, if(q,i)is a node ofdag(Ω,K)andq ∈ Q is a location ofΩsuch that _η

iδ(q,q)thendag(Ω,K)contains a node(q,i + 1) and an edge((q,i),(q,i+ 1)).

Clearly,(q0,q1,q2, . . .)is a run ofΩ overK if and only ifdag(Ω,K)contains a path ((q0,0),(q1,1),(q2,2), . . .). Let us call a node(q,i)accepting ifq∈Qf is an accepting location ofΩ.

Figure 4.4 shows (prefixes of) run dags for the automatonΩ₂from Fig. 4.2 and the two temporal structuresK₁ = (η, η,η,¯ η, . . .)¯ andK₂= (η, η,η, η, η, . . .)¯ where η(respectively,η) is a state that satisfies (respectively, does not satisfy)¯ v:K₁alter- nates between two states satisfyingvand two states that do not satisfyvwhereasK₂ eventually always satisfiesv. For conciseness, the figure only indicates the structure of the dag (together with the corresponding temporal structure) but does not show the precise designations of the nodes. Observe thatK1is accepted byΩ2whereasK2

is not.

Our next proof step is to define a labeling of anydag(Ω,K)by which the (non-) acceptance ofKbyΩcan be characterized. A rankingrk of dag(Ω,K)assigns a rankrk(d)to every nodedsuch that the two following conditions are satisfied:

• rk(d)≤rk(d)wheneverdis a successor node ofd,

• ranks of accepting nodes are even.

Consider any infinite pathπ = (d0,d1,d2, . . .)in the dag. The ranks of the nodes alongπare non-increasing; hence they must eventually stabilize: there exists some nsuch thatrk(d_m) =rk(d_n)for allm ≥n, and we callrk(d_n)the stable rank of pathπ(for the rankingrk). We say that the rankingrk is odd if the stable rank of all infinite paths is odd. Otherwise, i.e., if the run dag contains some infinite path whose stable rank is even,rk is even.

Possible rankings for the prefixes of the run dags of Fig.4.4 are shown in Fig. 4.5.

Continuing the rankings in a similar manner, it is easy to see that the ranking for the left-hand dag is even, whereas the ranking for the right-hand dag is odd. In fact, one cannot find an odd ranking for the left-hand run dag, and we will now show that a B¨uchi automatonΩdoes not accept the temporal structureKif and only ifdag(Ω,K)

D0: q0

q1

η η η¯ η η

r r r r r r . . .

r r r r ^{. . .}

HHH HHH HHH HHH D1: q0

q1

r r r r r r ^{. . .}

HHH r D²: q0

q1

r r HHHr Fig. 4.6. A dag sequence

admits an odd ranking. (Observe in passing that any run dag trivially admits an even ranking, for example by assigning rank0to each node.) The “if” part of this theorem is quite obvious.

Lemma 4.3.3. Ifrk is an odd ranking ofdag(Ω,K)thenK∈ L(Ω)./

Proof. We must show that no run ofΩoverKis accepting. So let= (q₀,q₁,q₂, . . .) be some run of Ω over K. Then π = ((q₀,0),(q₁,1),(q₂,2), . . .) is a path of dag(Ω,K). Because rk is an odd ranking fordag(Ω,K), the stable ranksrk_π of πfor rk must be odd; hence there exists some n such thatrk((q_m,m)) = srk_π for allm ≥n. Sincerk must assign even ranks to accepting nodes, it follows that qm ∈/Qf holds for allm ≥n; sois not accepting, as we intended to prove.

The proof of the “only if” part is more difficult: given some structureK∈ L/ (Ω), we must construct an odd ranking fordag(Ω,K). Let us call a noded useless in dag(Ω,K) if either no accepting node is reachable from d or only finitely many nodes are reachable fromd. Obviously, if(q,n)is useless thenq cannot occur at thenth position of any accepting run ofΩoverK. Successively eliminating useless nodes will help us to construct an odd ranking. Given a (finite or infinite) dagDand some setUof nodes ofD, we writeD \ Ufor the dag from which all nodes inUand all edges adjacent to these nodes have been removed. The width of a dagDat level kis the number of nodes ofDof the form(q,k).

Given the run dag dag(Ω,K)of Ω over K, we inductively define a sequence D0,D1,D2, . . .of dags as follows:

• D0=dag(Ω,K),

• D2i+1=D2i\ {d|only finitely many nodes are reachable fromdinD2i},

• D2i+2=D2i+1\ {d|no node reachable fromdinD2i+1is accepting}.

Figure 4.6 illustrates this construction for the right-hand dag of Fig. 4.4 (we know that the temporal structure underlying this run dag is not accepted by the automaton).

The dagsD3,D4, . . .are all empty.

We say that nodedis useless at stagei if it is eliminated in the construction of Di+1. That is,d is useless at stage i if it is a node of dagDi and eitheri is even and only finitely many nodes are reachable fromd inDi, ori is odd and no node

reachable fromd inDi is accepting. Observe that if noded is useless at stage i and nodedis reachable fromd in dagDi thendis also useless at stagei. Since all nodes ofD0are reachable from some root node by definition ofdag(Ω,K), this continues to hold for allDi. The following lemma shows that ifΩdoes not acceptK then each node ofdag(Ω,K)becomes useless at some stage.

Lemma 4.3.4. If K ∈ L(Ω)/ whereΩis a B¨uchi automaton withn locations then each node ofdag(Ω,K)is useless at some stagei≤2n.

Proof. We will show inductively that for everyi ∈Nthere exists some levellisuch that the width of dagD2iat any levell≥liis at mostn−i. It then follows that the width of dagD2n at all levels beyondln is0, i.e.,D2n does not contain any nodes beyond levelln. Therefore, all nodes of dagD2nare useless at stage2n.

Fori= 0, we may choosel0= 0because the width of dagD0=dag(Ω,K)at any level is bounded by the numbernof locations ofΩ.

For the induction step, assume that the assertion holds fori. We first observe that for each noded, the dagD2i+1contains an infinite path starting atd: sinced was already a node ofD2i and was not useless at stage 2i, infinitely many nodes must have been reachable fromdinD2i. Furthermore, each level ofD2iis of finite width, because D2i is a subdag of dag(Ω,K). Therefore, by a general graph-theoretical argument, known as K¨onig’s lemma, there must be an infinite path fromd inD2i, none of whose nodes is useless at stage2i, and which therefore continues to exist in D2i+1. In particular, infinitely many nodes are reachable from any nodedofD2i+1. We now consider two cases. EitherD2i+1is empty; then so isD2i+2, and the as- sertion holds trivially. Otherwise, we now show thatD2i+1contains some node that is useless at stage2i+ 1: assume that this were not the case and pick some root node d0ofD2i+1 (recall that all nodes inD2i+1are reachable from some root soD2i+1

must contain a root node if it is non-empty). By assumption,d0is not useless at stage 2i+ 1, and therefore there must be some accepting noded₀that is reachable fromd0. Moreover, infinitely many nodes are reachable fromd₀ inD2i+1, by the observation above. In particular,d₀ has some successor noded₁. By our assumption, d₁ is not useless at stage2i+1; hence there is some accepting noded₁reachable fromd₁. Con- tinuing inductively, we find an infinite path(d₀, . . . ,d₀,d₁, . . . ,d₁,d₂, . . . ,d₂, . . .) inD2i+1that contains infinitely many accepting nodes. However, this path must al- ready have existed inD0 =dag(Ω,K), and it corresponds to an accepting run ofΩ overK, contradicting the assumption thatK∈ L(Ω)./

Hence,D2i+1contains some node, say,(q,l)that is useless at stage2i+1. Recall thatD2i+1 contains an infinite path from node(q,l). By definition, all nodes along this path are useless at stage2i+ 1and will therefore be removed in the construction ofD2i+2. In particular, the width at all levels beyond l inD2i+2 must be strictly smaller than that of the corresponding levels inD2i+1, which is at most the width at these levels inD2i. Therefore, we may chooseli+1 = max(li,l)and conclude that the width at any level beyondli+1in dagD2i+1is bounded byn −(i+ 1), which

completes the proof.

We now define the (partial) functionrk_ulthat assigns to each nodedofdag(Ω,K) the numberi ifd is useless at stagei. IfK ∈ L/ (Ω), then Lemma 4.3.4 shows that rk_ulis a total function, and we now prove thatrk_ulis indeed an odd ranking.

Lemma 4.3.5. IfK∈ L/ (Ω)thenrk_ulis an odd ranking ofdag(Ω,K).

Proof. Letdbe any node ofdag(Ω,K)andda successor node ofd. Ifrkul(d) =i thend is useless at stagei. Ifd has already been eliminated at an earlier stage, we haverk_ul(d)<iby definition. Otherwise,dis still a successor node ofdin dag Diand is therefore also useless at stagei; hencerk_ul(d) =i. In either case we have rk_ul(d)≤rk_ul(d).

Ifdis an accepting node ofdag(Ω,K)thenrk_ul(d)cannot be odd by definition.

Sincerk_ul is a total function,rk_ul(d)must be even and, hence,rk_ulis a ranking of dag(Ω,K).

Finally, let(d0,d1,d2, . . .)be an infinite path indag(Ω,K), and assume that its stable ranki is even. Then we find somen ∈ Nsuch that alldm form ≥ n are useless at stagei, which is impossible ifiis even and proves the claim.

Taking the preceding lemmas together, the non-acceptance of B¨uchi automata can be characterized as follows.

Theorem 4.3.6. IfΩ is a B¨uchi automaton withn locations and K is a temporal structure, thenK∈ L(Ω)/ if and only if there exists an odd rankingrk ofdag(Ω,K) that assigns to each nodeda rankrk(d)≤2n.

Proof. The claim follows immediately from the Lemmas 4.3.3, 4.3.4, and 4.3.5.

We turn now to the final step of our proof of the claimed closure property. Given a B¨uchi automatonΩ= (V,Q,Q₀, δ,Q_f)withnlocations, we construct the com- plement automatonΩthat accepts a temporal structureKif and only if there exists an odd ranking of range{0, . . . ,2n}fordag(Ω,K). The idea is thatΩ“guesses” an odd ranking while it reads the temporal structure. We identify a rankingrk with an infinite sequence(rk0,rk1,rk2, . . .)of assignmentsrki :Q → {0, . . . ,2n} ∪ {⊥}

whererki(q) = rk(q,i)if the node(q,i)appears indag(Ω,K), andrki(q) = ⊥ otherwise. For example, the ranking shown in the left-hand side of Fig. 4.5 is identi- fied with the sequence

2

⊥

, 2

2

, 1

2

, 1

⊥

, 1

⊥

, 1

0

, . . .

. Let us denote byZthe set of assignmentsψ:Q →

{0, . . . ,2n} ∪ {⊥} such thatψ(q)is even ifq ∈ Q_f. The transition relation ofΩensures that ranks do not increase along any path of the run dag. Formally,ψ ∈ Z is a successor assignment ofψ∈ Zfor a stateηif for allq∈Qwithψ(q)=⊥and allq∈Qwith_ηδ(q,q), we haveψ(q)=⊥andψ(q)≤ψ(q). The automatonΩverifies that the guessed ranking is odd by ensuring that each even-ranked node along any path is eventually followed by an odd-ranked node. For this reason, the locations ofΩare pairs(ψ,Y)