First Order Alternation
(arXiv preprint, [cs.FL], November)

Radu Iosif and Xiao Xu
CNRS, Verimag, Université de Grenoble Alpes
Email: {Radu.Iosif,Xiao.Xu}@univ-grenoble-alpes.fr

Abstract.
We introduce first-order alternating automata, a generalization of boolean alternating automata, in which transition rules are described by multisorted first-order formulae, with states and internal variables given by uninterpreted predicate terms. The model is closed under union, intersection and complement, and its emptiness problem is undecidable, even for the simplest data theory of equality. To cope with this limitation, we develop an abstraction refinement semi-algorithm based on lazy annotation of the symbolic execution paths with interpolants, obtained by applying (i) quantifier elimination with witness term generation and (ii) Lyndon interpolation in the quantifier-free data theory with uninterpreted predicate symbols. This provides a method for checking inclusion of timed and finite-memory register automata, and emptiness of quantified predicate automata, previously used in the verification of parameterized concurrent programs, composed of replicated threads, with a shared-memory communication model.
Many results in formal language theory rely on the assumption that languages are defined over finite alphabets. In practice, this assumption is problematic when attempting to use automata as models of real-time systems or even simple programs, whose input and observable output requires taking into account data values, ranging over very large domains, better viewed as infinite mathematical abstractions.

Alternating automata are a generalization of nondeterministic automata with universal transitions, that create several copies of the automaton, which synchronize on the same input word. Alternating automata are appealing for verification because they allow encoding of problems such as temporal logic model checking in linear time, as opposed to the exponential time required by nondeterministic automata [26]. A finite-alphabet alternating automaton is typically described by a set of transition rules $q \xrightarrow{a} \phi$, where $q$ is a state, $a$ is an input symbol and $\phi$ is a positive boolean combination of states, viewed as propositional variables.

Here we introduce a generalized alternating automata model in which states are predicate symbols $q(y_1, \ldots, y_k)$, the input has associated data variables $x_1, \ldots, x_n$, ranging over an infinite domain, and transitions are of the form $q(y_1, \ldots, y_k) \xrightarrow{a(x_1, \ldots, x_n)} \phi$, where $\phi$ is any formula in the first-order theory of the data domain, in which each state predicate occurs under an even number of negations. In this model, the arguments of a predicate atom $q(y_1, \ldots, y_k)$ track the values of the internal variables associated with the state. Together with the input values $x_1, \ldots, x_n$, these values are used to compute the successor states and are invisible in the input sequence.

Previous attempts to generalize classical Rabin-Scott automata to infinite alphabets, such as timed automata [1] and finite-memory (register) automata [14], face the complement closure problem: there exist automata for which the complement language cannot be recognized by an automaton in the same class. This excludes the possibility of encoding a language inclusion problem $L(A) \subseteq L(B)$ as the emptiness of an automaton recognizing the language $L(A) \cap L^c(B)$, where $L^c(B)$ denotes the complement of $L(B)$. The solution we adopt here is a tight coupling of internal variables to control states, using uninterpreted predicate symbols. As we show, this allows for linear-time complementation just as in the case of boolean alternating automata. Complementation is, moreover, possible when the transition formulae contain first-order quantifiers, generating infinitely-branching execution trees. The price to be paid for this expressivity is that emptiness of first-order alternating automata is undecidable, even for the simplest data theory of equality [4].

The main contribution of this paper is an effective emptiness checking semi-algorithm for first-order alternating automata, in the spirit of the IMPACT procedure, originally developed for checking safety of nondeterministic integer programs [18]. However, checking emptiness of first-order alternating automata by lazy annotation with interpolants faces two problems:

1. Quantified transition rules make it hard, or even impossible, to decide if a given symbolic trace is spurious. This is mainly because adding uninterpreted predicate symbols to decidable first-order theories, such as Presburger arithmetic, results in undecidability [8].
To deal with this problem, we assume that the first-order data theory, without uninterpreted predicate symbols, has a quantifier elimination procedure, that instantiates quantifiers with effectively computable witness terms.
2. The interpolants that prove the spuriousness of a symbolic path are not local, as they may refer to input values encountered in the past. However, the future executions are oblivious to when these values have been seen in the past and depend only on the data constraints between the values. We use this fact to define a labeling of nodes, visited by the lazy annotation procedure, with conjunctions of existentially quantified interpolants combining predicate atoms with data constraints.

As applications of first-order alternating automata, we identified several undecidable problems for which no semi-algorithmic methods exist: inclusion between recognizable timed languages [1], languages recognized by finite-memory automata [14] and emptiness of predicate automata, a subclass of first-order alternating automata used to check safety and liveness properties of parameterized concurrent programs [4,5]. For reasons of space, all proofs of technical results in this paper are given in [12].

Related Work

The first-order alternating automata model presented in this paper stems from our previous work on boolean alternating automata extended with variables ranging over infinite data [11]. There we considered states to be propositional variables, as in the classical textbook alternating automata model, and all variables of the automaton to be observable in the input. The model in this paper overcomes this latter restriction by allowing for internal variables, whose values are not visible in the language. This solves an older language inclusion problem $\bigcap_{i=1}^{n} L(A_i) \subseteq L(B)$, between finite-state automata with data variables, whose languages are alternating sequences of input events and variable valuations [10]. There, we assumed that all variables of the observer automaton $B$ must be declared in the automata $A_1, \ldots, A_n$ that model the concurrent components of the system under check. Using first-order alternating automata allows to bypass this limitation of our previous work.

The work probably closest to the one reported here concerns the model of predicate automata (PA) [4,5,15], applied to the verification of parameterized concurrent programs with shared memory. In this model, the alphabet consists of pairs of program statements and thread identifiers, thus being infinite because the number of threads is unbounded. Because thread identifiers can only be compared for (dis-)equality, the data theory in PA is the theory of equality. Even with this simplification, the emptiness problem is undecidable when either the predicates have arity greater than one [4] or the transition rules are quantified [15]. Checking emptiness of quantifier-free PA is possible semi-algorithmically, by explicitly enumerating reachable configurations and checking coverage by looking for permutations of argument values. However, no semi-algorithm is given for quantified PA. Dealing with quantified transition rules is one of the contributions of the work reported in this paper.
For two integers $0 \le i \le j$, we denote by $[i, j]$ the set $\{i, i+1, \ldots, j\}$ and by $[i]$ the set $[0, i]$. We consider two sorts $\mathbb{D}$ and $\mathbb{B}$, where $\mathbb{D}$ is an infinite domain and $\mathbb{B} = \{\top, \bot\}$ is the set of boolean values true ($\top$) and false ($\bot$), respectively. The $\mathbb{D}$ sort is equipped with finitely many function symbols $f : \mathbb{D}^{\#(f)} \to \mathbb{D}$, where $\#(f) \ge 0$ is the arity of $f$. When $\#(f) = 0$, we say that $f$ is a constant. A predicate is a function symbol $p : \mathbb{D}^{\#(p)} \to \mathbb{B}$, denoting a relation of arity $\#(p)$, and we write $\mathrm{Pred}$ for the set of predicates.

In the following, we shall consider that the interpretation of all function symbols $f : \mathbb{D}^{\#(f)} \to \mathbb{D}$ that are not predicates is fixed by the interpretation of the $\mathbb{D}$ sort, e.g. if $\mathbb{D}$ is the set of integers $\mathbb{Z}$, the function symbols are zero, the successor function and the arithmetic operations of addition and multiplication. For simplicity, we further blur the notational distinction between function symbols and their interpretations.

Let $\mathrm{Var} = \{x, y, z, \ldots\}$ be an infinite countable set of variables, ranging over $\mathbb{D}$. Terms are either constants of sort $\mathbb{D}$, variables or function applications $f(t_1, \ldots, t_{\#(f)})$, where $t_1, \ldots, t_{\#(f)}$ are terms. The set of first-order formulae is defined by the syntax below:

$$\phi := t \approx s \mid p(t_1, \ldots, t_{\#(p)}) \mid \neg\phi_1 \mid \phi_1 \wedge \phi_2 \mid \exists x\,.\,\phi_1$$

where $t, s, t_1, \ldots, t_{\#(p)}$ denote terms. We write $\phi_1 \vee \phi_2$, $\phi_1 \to \phi_2$ and $\forall x\,.\,\phi_1$ for $\neg(\neg\phi_1 \wedge \neg\phi_2)$, $\neg\phi_1 \vee \phi_2$ and $\neg\exists x\,.\,\neg\phi_1$, respectively. We denote by $\mathrm{FV}(\phi)$ the set of free variables in $\phi$. The size $|\phi|$ of a formula $\phi$ is the number of symbols needed to write it down. A sentence is a formula $\phi$ in which each variable occurs under the scope of a quantifier, i.e. $\mathrm{FV}(\phi) = \emptyset$. A formula is positive if each predicate symbol occurs under an even number of negations and we denote by $\mathrm{Form}^+(Q, X)$ the set of positive formulae with predicates from the set $Q \subseteq \mathrm{Pred}$ and free variables from the set $X \subseteq \mathrm{Var}$. A formula is in prenex form if it is of the form $\varphi = Q_1 x_1 \ldots Q_n x_n\,.\,\phi$, where $\phi$ has no quantifiers. In this case we call $\phi$ the matrix of $\varphi$. Every first-order formula can be written in prenex form, by renaming each quantified variable to a unique name and moving the quantifiers upfront.

An interpretation $\mathcal{I}$ maps each predicate $p$ into a set $p^{\mathcal{I}} \subseteq \mathbb{D}^{\#(p)}$, if $\#(p) > 0$, or into an element of $\mathbb{B}$ if $\#(p) = 0$. A valuation $\nu$ maps each variable $x$ into an element of $\mathbb{D}$. Given a term $t$, we denote by $t^\nu$ the value obtained by replacing each variable $x$ by the value $\nu(x)$ and evaluating each function application. For a formula $\phi$, we define the forcing relation $\mathcal{I}, \nu \models \phi$ recursively on the structure of $\phi$, as usual:

$$\begin{array}{lcl}
\mathcal{I}, \nu \models t \approx s & \Leftrightarrow & t^\nu = s^\nu \\
\mathcal{I}, \nu \models p(t_1, \ldots, t_{\#(p)}) & \Leftrightarrow & \langle t_1^\nu, \ldots, t_{\#(p)}^\nu \rangle \in p^{\mathcal{I}} \\
\mathcal{I}, \nu \models \neg\phi_1 & \Leftrightarrow & \mathcal{I}, \nu \not\models \phi_1 \\
\mathcal{I}, \nu \models \phi_1 \wedge \phi_2 & \Leftrightarrow & \mathcal{I}, \nu \models \phi_i, \text{ for all } i = 1, 2 \\
\mathcal{I}, \nu \models \exists x\,.\,\phi_1 & \Leftrightarrow & \mathcal{I}, \nu[x \leftarrow d] \models \phi_1, \text{ for some } d \in \mathbb{D}
\end{array}$$

where $\nu[x \leftarrow d]$ is the valuation which assigns $d$ to $x$ and behaves like $\nu$ elsewhere. For a formula $\phi$ and a valuation $\nu$, we define $[\![\phi]\!]_\nu \stackrel{\text{def}}{=} \{\mathcal{I} \mid \mathcal{I}, \nu \models \phi\}$ and drop the $\nu$ subscript for sentences. A sentence $\phi$ is satisfiable (unsatisfiable) if $[\![\phi]\!] \neq \emptyset$ ($[\![\phi]\!] = \emptyset$). An element of $[\![\phi]\!]$ is called a model of $\phi$. A formula $\phi$ is valid if $\mathcal{I}, \nu \models \phi$ for every interpretation $\mathcal{I}$ and every valuation $\nu$. For two formulae $\phi$ and $\psi$ we write $\phi \models \psi$ for $[\![\phi]\!] \subseteq [\![\psi]\!]$, in which case we say that $\phi$ entails $\psi$.

Interpretations are partially ordered by the pointwise subset order, defined as $\mathcal{I}_1 \subseteq \mathcal{I}_2$ if and only if $p^{\mathcal{I}_1} \subseteq p^{\mathcal{I}_2}$ for each predicate $p \in \mathrm{Pred}$. Given a set $S$ of interpretations, a minimal element $\mathcal{I} \in S$ is an interpretation such that for no other interpretation $\mathcal{I}' \in S \setminus \{\mathcal{I}\}$ do we have $\mathcal{I}' \subseteq \mathcal{I}$. For a formula $\phi$ and a valuation $\nu$, we denote by $[\![\phi]\!]^\mu_\nu$ and $[\![\phi]\!]^\mu$ the set of minimal interpretations from $[\![\phi]\!]_\nu$ and $[\![\phi]\!]$, respectively.

Let $\Sigma$ be a finite alphabet of input events. Given a finite set of variables $X \subseteq \mathrm{Var}$, we denote by $\mathbb{D}^X$ the set of valuations of the variables $X$ and by $\Sigma[X] = \Sigma \times \mathbb{D}^X$ the possibly infinite set of data symbols $(a, \nu)$, where $a$ is an input symbol and $\nu$ is a valuation. A data word (simply called word in the following) is a finite sequence $w = (a_1, \nu_1)(a_2, \nu_2) \ldots (a_n, \nu_n)$ of data symbols. Given a word $w$, we denote by $w_\Sigma \stackrel{\text{def}}{=} a_1 \ldots a_n$ its sequence of input events and by $w_{\mathbb{D}}$ the valuation associating each time-stamped variable $x^{(i)}$ the value $\nu_i(x)$, for all $x \in \mathrm{Var}$ and $i \in [1, n]$. We denote by $\epsilon$ the empty sequence, by $\Sigma^*$ the set of finite sequences of input events and by $\Sigma[X]^*$ the set of data words over the variables $X$.

Formally, a first-order alternating automaton is a tuple $A = \langle \Sigma, X, Q, \iota, F, \Delta \rangle$, where $\Sigma$ is a finite set of input events, $X$ is a finite set of input variables, $Q$ is a finite set of predicates denoting control states, $\iota \in \mathrm{Form}^+(Q, \emptyset)$ is a sentence defining initial configurations, $F \subseteq Q$ is the set of predicates denoting final states, and $\Delta$ is a set of transition rules of the form $q(y_1, \ldots, y_{\#(q)}) \xrightarrow{a(X)} \psi$, where $q \in Q$ is a predicate, $a \in \Sigma$ is an input event and $\psi \in \mathrm{Form}^+(Q, X \cup \{y_1, \ldots, y_{\#(q)}\})$ is a positive formula, where $X \cap \{y_1, \ldots, y_{\#(q)}\} = \emptyset$. The quantifiers occurring in the right-hand side formula of a transition rule are referred to as transition quantifiers. The size of $A$ is defined as $|A| = |\iota| + \sum_{q(\mathbf{y}) \xrightarrow{a(X)} \psi \in \Delta} |\psi|$.

The intuition of a transition rule $q(y_1, \ldots, y_{\#(q)}) \xrightarrow{a(X)} \psi$ is the following: $a$ is the input event and $X$ are the input data values that trigger the transition, whereas $q$ and $y_1, \ldots, y_{\#(q)}$ are the current control state and data values in that state, respectively. Without loss of generality, we consider, for each predicate $q \in Q$ and each input event $a \in \Sigma$, at most one such rule, as two or more rules can be joined using disjunction.

The execution semantics of automata is given in close analogy with the case of boolean alternating automata, with transition rules of the form $q \xrightarrow{a} \phi$, where $q$ is a boolean constant and $\phi$ a positive boolean combination of such constants. For instance, $q \xrightarrow{a} q_1 \wedge q_2 \vee q_3$ means that the automaton can choose to transition in either both $q_1$ and $q_2$ or in $q_3$ alone.
This intuition leads to saying that the steps of the automaton are defined by the minimal boolean models of the transition formulae. In this case, both $\{q_1 \leftarrow \top, q_2 \leftarrow \top, q_3 \leftarrow \bot\}$ and $\{q_1 \leftarrow \bot, q_2 \leftarrow \bot, q_3 \leftarrow \top\}$ are minimal models, however $\{q_1 \leftarrow \top, q_2 \leftarrow \top, q_3 \leftarrow \top\}$ is a model but is not minimal. The original definition of alternating finite-state automata [3] works around this problem by considering boolean valuations (models) instead of formulae. However, describing first-order alternating automata using interpretations instead of formulae would be rather hard to follow.

Given a predicate $q \in Q$ and a tuple of data values $d_1, \ldots, d_{\#(q)}$, the tuple $q(d_1, \ldots, d_{\#(q)})$ is called a configuration. To formalize the execution semantics of automata, we relate sets of configurations to models of first-order sentences, as follows. Each first-order interpretation $\mathcal{I}$ corresponds to a set of configurations $c(\mathcal{I}) \stackrel{\text{def}}{=} \{q(d_1, \ldots, d_{\#(q)}) \mid q \in Q,\ \langle d_1, \ldots, d_{\#(q)}\rangle \in q^{\mathcal{I}}\}$, called a cube. For a set $S$ of interpretations, we define $c(S) \stackrel{\text{def}}{=} \{c(\mathcal{I}) \mid \mathcal{I} \in S\}$.
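As an added illustration of the boolean case (example code written for this page, not from the paper): it computes the minimal models of a positive transition formula such as $q_1 \wedge q_2 \vee q_3$, runs a small boolean alternating automaton level by level as a set of cubes, exactly in the way the configuration-based semantics below proceeds, and cross-checks that this minimal-model forest semantics agrees with the usual recursive evaluation of the transition formulae. The tuple syntax for formulae and the automaton over $\{a, b\}$ are constructed here; a state with no rule for the current event is treated as $\bot$, which is an assumption of this example.

```python
from functools import lru_cache
from itertools import combinations, product

# Positive boolean formulas over control states, as nested tuples (syntax constructed here):
#   ('st', q)                    a state, read as a propositional variable
#   ('and', f, g), ('or', f, g)  conjunction and disjunction

def holds(phi, model):
    """Truth of a positive formula under the valuation that is true exactly on the states in `model`."""
    tag = phi[0]
    if tag == 'st':
        return phi[1] in model
    if tag == 'and':
        return holds(phi[1], model) and holds(phi[2], model)
    return holds(phi[1], model) or holds(phi[2], model)   # 'or'

def minimal_models(phi, states):
    """Minimal models of phi as sets of states: the cubes the automaton may step to.  For
    q1 & q2 | q3 these are {q1, q2} and {q3}; {q1, q2, q3} is a model but is not minimal."""
    models = [frozenset(c) for r in range(len(states) + 1)
              for c in combinations(sorted(states), r) if holds(phi, frozenset(c))]
    return {m for m in models if not any(o < m for o in models)}

def successors(aut, cube, event):
    """Successor cubes of `cube` on `event` (Definition 1 in the boolean case): each state of the
    cube picks one minimal model of its rule and the picks together form the next level.
    A state without a rule for the event has no execution at all (assumption: no rule == bottom)."""
    choices = []
    for q in cube:
        if (q, event) not in aut['delta']:
            return set()
        choices.append(minimal_models(aut['delta'][(q, event)], aut['states']))
    return {frozenset().union(*pick) for pick in product(*choices)}

def accepts_by_executions(aut, word):
    """Forest semantics: follow every execution level by level; the word is accepted iff some
    execution reaches the last level with a frontier made of final states only (Definition 2)."""
    level = minimal_models(aut['init'], aut['states'])
    for event in word:
        level = {nxt for cube in level for nxt in successors(aut, cube, event)}
    return any(cube <= aut['final'] for cube in level)

def accepts_by_evaluation(aut, word):
    """Recursive view of the same semantics: a state accepts a suffix iff its rule formula holds
    when every state symbol is read as 'that state accepts the rest of the suffix'."""
    @lru_cache(maxsize=None)
    def acc(q, i):
        if i == len(word):
            return q in aut['final']
        rule = aut['delta'].get((q, word[i]))
        return rule is not None and holds(rule, frozenset(p for p in aut['states'] if acc(p, i + 1)))
    return holds(aut['init'], frozenset(q for q in aut['states'] if acc(q, 0)))

def semantics_agree(aut, alphabet, max_len):
    """Cross-check both views on every word of length <= max_len; returns how many words were compared."""
    compared = 0
    for n in range(max_len + 1):
        for word in product(alphabet, repeat=n):
            if accepts_by_executions(aut, word) != accepts_by_evaluation(aut, word):
                raise AssertionError(f"semantics differ on {word}")
            compared += 1
    return compared

# Constructed automaton over {a, b}.  On the first 'a', q0 spawns two universal branches that must
# both succeed: q1/q2 check that the remaining suffix ends with 'b', q3/q4 check that it contains an
# even number of 'a's.  Accepted: words containing an 'a' whose suffix after the first 'a' ends with
# 'b' and has an even number of 'a's.
EXAMPLE = {
    'states': {'q0', 'q1', 'q2', 'q3', 'q4'},
    'init': ('st', 'q0'),
    'final': {'q2', 'q3'},
    'delta': {
        ('q0', 'b'): ('st', 'q0'), ('q0', 'a'): ('and', ('st', 'q1'), ('st', 'q3')),
        ('q1', 'a'): ('st', 'q1'), ('q1', 'b'): ('st', 'q2'),
        ('q2', 'a'): ('st', 'q1'), ('q2', 'b'): ('st', 'q2'),
        ('q3', 'a'): ('st', 'q4'), ('q3', 'b'): ('st', 'q3'),
        ('q4', 'a'): ('st', 'q3'), ('q4', 'b'): ('st', 'q4'),
    },
}

if __name__ == '__main__':
    rule = ('or', ('and', ('st', 'q1'), ('st', 'q2')), ('st', 'q3'))
    print(sorted(sorted(m) for m in minimal_models(rule, {'q1', 'q2', 'q3'})))
    for w in ('ab', 'aab', 'aaab', 'bbab', 'a', 'abaab'):
        print(w, accepts_by_executions(EXAMPLE, w))
    print(semantics_agree(EXAMPLE, 'ab', 5), 'words compared')
```

The set-of-cubes loop in `accepts_by_executions` is the boolean shadow of the execution forests defined next: a cube is one level of the forest, and a word is accepted when some chain of minimal-model choices ends in a level made of final states only.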
Definition 1. Given a word $w = (a_1, \nu_1) \ldots (a_n, \nu_n) \in \Sigma[X]^*$ and a cube $c$, an execution of $A = \langle\Sigma, X, Q, \iota, F, \Delta\rangle$ over $w$, starting with $c$, is a (possibly infinite) forest $\mathcal{T} = \{T_1, T_2, \ldots\}$, where each $T_i$ is a tree labeled with configurations, such that:
1. $c = \{T(\epsilon) \mid T \in \mathcal{T}\}$ is the set of configurations labeling the roots of $T_1, T_2, \ldots$ and
2. if $q(d_1, \ldots, d_{\#(q)})$ labels a node on the level $j \in [n-1]$ in $T_i$, then the labels of its children form a cube from $c([\![\psi]\!]^\mu_\eta)$, where $\eta = \nu_{j+1}[y_1 \leftarrow d_1, \ldots, y_{\#(q)} \leftarrow d_{\#(q)}]$ and $q(y_1, \ldots, y_{\#(q)}) \xrightarrow{a_{j+1}(X)} \psi \in \Delta$ is a transition rule of $A$.

Definition 2.
An execution $\mathcal{T}$ over $w$, starting with $c$, is accepting if and only if
– all paths in $\mathcal{T}$ have the same length $n$, and
– the frontier of each tree $T \in \mathcal{T}$ is labeled with final configurations $q(d_1, \ldots, d_{\#(q)})$, where $q \in F$.
If $A$ has an accepting execution over $w$ starting with a cube $c \in c([\![\iota]\!]^\mu)$, then $A$ accepts $w$, and we let $L(A)$ be the set of words accepted by $A$. In this paper, we address the following questions:
1. boolean closure: given automata $A_i = \langle\Sigma, X, Q_i, \iota_i, F_i, \Delta_i\rangle$, for $i = 1, 2$, do there exist automata $A_\cap$, $A_\cup$ and $\overline{A}_1$ such that $L(A_\cap) = L(A_1) \cap L(A_2)$, $L(A_\cup) = L(A_1) \cup L(A_2)$ and $L(\overline{A}_1) = \Sigma[X]^* \setminus L(A_1)$?
2. emptiness: given an automaton $A$, is $L(A) = \emptyset$?

Note that a configuration is not a logical term, since data values cannot be written in logic.

Symbolic Execution

In the upcoming developments it is sometimes more convenient to work with logical formulae defining executions of automata, than with low-level execution forests. For this reason, we first introduce path formulae $\Theta(\alpha)$, which are formulae defining the executions of an automaton, over words that share a given sequence $\alpha$ of input events. Second, we restrict a path formula $\Theta(\alpha)$ to an acceptance formula $\Upsilon(\alpha)$, which defines only accepting executions over words that share a given input sequence. Otherwise stated, $\Upsilon(\alpha)$ is satisfiable if and only if the automaton accepts a word $w$ such that $w_\Sigma = \alpha$.

Let $A = \langle\Sigma, X, Q, \iota, F, \Delta\rangle$ be an automaton for the rest of this section. For any $i \in \mathbb{N}$, we denote by $Q^{(i)} = \{q^{(i)} \mid q \in Q\}$ and $X^{(i)} = \{x^{(i)} \mid x \in X\}$ the sets of time-stamped predicates and variables, respectively. As a shorthand, we write $Q^{(\le n)}$ (resp. $X^{(\le n)}$) for the set $\{q^{(i)} \mid q \in Q, i \in [n]\}$ (resp. $\{x^{(i)} \mid x \in X, i \in [n]\}$). For a formula $\psi$ and $i \in \mathbb{N}$, we define $\psi^{(i)} \stackrel{\text{def}}{=} \psi[X^{(i)}/X, Q^{(i)}/Q]$, the formula in which all input variables and state predicates (and only those symbols) are replaced by their time-stamped counterparts. As a shorthand, we shall write $q(\mathbf{y})$ for $q(y_1, \ldots, y_{\#(q)})$, when no confusion arises.

Given a sequence of input events $\alpha = a_1 \ldots a_n \in \Sigma^*$, the path formula of $\alpha$ is:

$$\Theta(\alpha) \stackrel{\text{def}}{=} \iota^{(0)} \wedge \bigwedge_{i=1}^{n}\ \bigwedge_{q(\mathbf{y}) \xrightarrow{a_i(X)} \psi \in \Delta} \forall y_1 \ldots \forall y_{\#(q)}\,.\,q^{(i-1)}(\mathbf{y}) \to \psi^{(i)} \qquad (1)$$

The automaton $A$, to which $\Theta(\alpha)$ refers, will always be clear from the context.
Toformalize the relation between the low-level configuration-based execution semanticsand the symbolic path formulae, consider a word w = ( a , ν ) . . . ( a n , ν n ) ∈ Σ [ X ] ∗ . Anyexecution forest T of A over w is associated an interpretation I T of the set of time-stamped predicates Q ( ≤ n ) , defined as: I T ( q ( i ) ) def = {h d , . . . , d q ) i | q ( d , . . . , d q ) ) labels a node on level i in T } , ∀ q ∈ Q ∀ i ∈ [ n ] Lemma 1.
Given an automaton A = h Σ, X , Q , ι, F , ∆ i , for any word w = ( a , ν ) . . . ( a n , ν n ) ,we have [[ Θ ( w Σ )]] µ w D = {I T | T is an execution of A over w } .Proof : “ ⊆ ” Let I be a minimal interpretation such that I , w D | = Θ ( w Σ ). We show thatthere exists an execution T of A over w such that I = I T , by induction on n ≥
0. For n =
0, we have w = ǫ and Θ ( w Σ ) = ι (0) . Because ι is a sentence, the valuation w D isnot important in I , w D | = ι (0) and, moreover, since I is minimal, we have I ∈ [[ ι (0) ]] µ .We define the interpretation J ( q ) = I ( q (0) ), for all q ∈ Q . Then c ( J ) is an executionof A over ǫ and I = I c ( J ) is immediate. For the inductive case n >
0, we assume that w = u · ( a n , ν n ) for a word u . Let J be the interpretation defined as I for all q ( i ) , with q ∈ Q and i ∈ [ n − ∅ everywhere else. Then J , u D | = Θ ( u Σ ) and J is moreoverminimal. By the induction hypothesis, there exists an execution G of A over u , suchthat J = I G . Consider a leaf of a tree T ∈ G , labeled with a configuration q ( d , . . . , d q ) )and let ∀ y . . . ∀ y q ) . q ( n − ( y ) → ψ ( n ) be the subformula of Θ ( w Σ ) corresponding to theapplication(s) of the transition rule q ( y ) an −→ ψ at the ( n − ν = w D [ y ← d , . . . , y q ) ← d q ) ]. Because I , w D | = ∀ y . . . ∀ y q ) . q ( n − ( y ) → ψ ( n ) , we have I ∈ [[ ψ ( n ) ]] ν and let K be one of the minimal interpretations such that K ⊆ I and
K ∈ [[ ψ ( n ) ]] ν . It is6ot hard to see that K exists and is unique, otherwise we could take the pointwiseintersection of two or more such interpretations. We define the interpretation K ( q ) = K ( q ( n ) ) for all q ∈ Q . We have that K ∈ [[ ψ ]] µν — if K was not minimal, K was notminimal to start with, contradiction. Then we extend the execution G by appending toeach node labeled with a configuration q ( d , . . . , d q ) ) the cube c ( K ). By repeating thisstep for all leaves of a tree in G , we obtain an execution of A over w .“ ⊇ ” Let T be an execution of A over w . We show that I T is a minimal inter-pretation such that I T , w D | = Θ ( w Σ ), by induction on n ≥
0. For n = T is a cubefrom c ([[ ι ]] µ ), by definition. Then I T | = ι (0) and moreover, it is a minimal such in-terpretation. For the inductive case n >
0, let w = u · ( a n , ν n ) for a word u . Let G bethe restriction of T to u . Consequently, I G is the restriction of I T to Q ( ≤ n − . By theinductive hypothesis, I G is a minimal interpretation such that I G , u D | = Θ ( u Σ ). Since I T ( q ( n ) ) = {h d , . . . , d q ) i | q ( d , . . . , d q ) ) labels a node on the n -th level in T } , we have I T , w D | = ϕ , for each subformula ϕ = ∀ y . . . ∀ y q ) . q ( n − ( y ) → ψ ( n ) of Θ ( w Σ ), by theexecution semantics of A . This is the case because the children of each node labeledwith q ( d , . . . , d q ) ) on the ( n − T form a cube from c ([[ ψ ]] µν ), where ν is avaluation that assigns each y i the value d i and behaves like w D , otherwise. Now supp-pose, for a contradiction, that I T is not minimal and let J ( I T be an interpretationsuch that J , w D | = Θ ( w Σ ). First, we show that the restriction J ′ of J to S n − i = Q ( i ) mustcoincide with I G . Assuming this is not the case, i.e. J ′ ( I G , contradicts the mini-mality of I G . Then the only possibility is that J ( q ( n ) ) ( I T ( q ( n ) ), for some q ∈ Q . Let p ( y , . . . , y p ) ) an −→ ψ , . . . , p k ( y , . . . , y p k ) ) an −→ ψ k be the set of transition rules in whichthe predicate symbol q occurs on the right-hand side. Then it must be the case that, forsome node on the ( n − G , labeled with a configuration p i ( d , . . . , d p i ) ), theset of children does not form a minimal cube from c ([[ ψ i ( n ) ]] µ ), which contradicts theexecution semantics of A . ⊓⊔ Next, we give a logical characterization of acceptance, relative to a given sequenceof input events α ∈ Σ ∗ . To this end, we constrain the path formula Θ ( α ) by requiringthat only final states of A occur on the last level of the execution. The result is the acceptance formula for α : Υ ( α ) def = Θ ( α ) ∧ ^ q ∈ Q \ F ∀ y . . . ∀ y q ) . q ( n ) ( y ) → ⊥ (2)The top-level universal quantifiers from a subformula ∀ y . . . ∀ y q ) . 
q ( i ) ( y ) → ψ of Υ ( α )will be referred to as path quantifiers , in the following. Notice that path quantifiers aredistinct from the transition quantifiers that occur within a formula ψ of a transition rule q ( y , . . . , y q ) ) a ( X ) −−−→ ψ of A .The acceptance formula Υ ( A ) is false in every interpretation of the predicates thatassigns a non-empty set to a non-final predicate occurring on the last level in the execu-tion forest. The relation between the words accepted by A and the acceptance formulaabove, is formally captured by the following lemma: Lemma 2.
Given an automaton $A = \langle\Sigma, X, Q, \iota, F, \Delta\rangle$, for every word $w \in \Sigma[X]^*$, the following are equivalent:
1. there exists an interpretation $\mathcal{I}$ such that $\mathcal{I}, w_{\mathbb{D}} \models \Upsilon(w_\Sigma)$,
2. $w \in L(A)$.

Proof: "(1) $\Rightarrow$ (2)" Let $\mathcal{I}$ be an interpretation such that $\mathcal{I}, w_{\mathbb{D}} \models \Upsilon(w_\Sigma)$. By Lemma 1, $A$ has an execution $\mathcal{T}$ over $w$ such that $\mathcal{I} = \mathcal{I}_{\mathcal{T}}$. To prove that $\mathcal{T}$ is accepting, we show that (i) all paths in $\mathcal{T}$ have length $n$ and that (ii) the frontier of $\mathcal{T}$ is labeled with final configurations only. First, assume that (i) there exists a path in $\mathcal{T}$ of length $0 \le m < n$. Then there exists a node on the $m$-th level, labeled with some configuration $q(d_1, \ldots, d_{\#(q)})$, that has no children. By the definition of the execution semantics of $A$, we have $c([\![\psi]\!]^\mu_\eta) = \emptyset$, where $q(\mathbf{y}) \xrightarrow{a_{m+1}(X)} \psi$ is the transition rule of $A$ that applies for $q$ and $a_{m+1}$, and $\eta = w_{\mathbb{D}}[y_1 \leftarrow d_1, \ldots, y_{\#(q)} \leftarrow d_{\#(q)}]$. Hence $[\![\psi]\!]_\eta = \emptyset$, and because $\mathcal{I}, w_{\mathbb{D}} \models \Upsilon(\alpha)$, we obtain that $\mathcal{I}, \eta \models q(\mathbf{y}) \to \psi^{(m+1)}$, thus $\langle d_1, \ldots, d_{\#(q)}\rangle \notin \mathcal{I}(q)$. However, this contradicts the fact that $\mathcal{I} = \mathcal{I}_{\mathcal{T}}$ and that $q(d_1, \ldots, d_{\#(q)})$ labels a node of $\mathcal{T}$. Second, assume that (ii) there exists a frontier node of $\mathcal{T}$ labeled with a configuration $q(d_1, \ldots, d_{\#(q)})$ such that $q \in Q \setminus F$. Since $\mathcal{I}, w_{\mathbb{D}} \models \forall y_1 \ldots \forall y_{\#(q)}\,.\,q(\mathbf{y}) \to \bot$, by a similar reasoning as in the above case, we obtain that $\langle d_1, \ldots, d_{\#(q)}\rangle \notin \mathcal{I}(q)$, contradiction.

"(2) $\Rightarrow$ (1)" Let $\mathcal{T}$ be an accepting execution of $A$ over $w$. We prove that $\mathcal{I}_{\mathcal{T}}, w_{\mathbb{D}} \models \Upsilon(w_\Sigma)$. By Lemma 1, we obtain $\mathcal{I}_{\mathcal{T}}, w_{\mathbb{D}} \models \Theta(w_\Sigma)$. Since every path in $\mathcal{T}$ is of length $n$ and all nodes on the $n$-th level of $\mathcal{T}$ are labeled by final configurations, we obtain that $\mathcal{I}_{\mathcal{T}}, w_{\mathbb{D}} \models \bigwedge_{q \in Q \setminus F} \forall y_1 \ldots \forall y_{\#(q)}\,.\,q^{(n)}(\mathbf{y}) \to \bot$, trivially. ⊓⊔

As an immediate consequence, one can decide whether $A$ accepts some word $w$ with a given input sequence $w_\Sigma = \alpha$, by checking whether $\Upsilon(\alpha)$ is satisfiable.
However, unlike non-alternating infinite-state models of computation, such as counter automata (nondeterministic programs with integer variables), the satisfiability query for an acceptance (path) formula falls outside of known decidable theories, supported by standard SMT solvers. There are basically two reasons for this, namely (i) the presence of predicate symbols, and (ii) the non-trivial alternation of quantifiers. To understand this point, consider for example the decidable theory of Presburger arithmetic [23]. Adding even only one monadic predicate symbol to it yields undecidability in the presence of non-trivial quantifier alternation [8]. However, the quantifier-free fragment of Presburger arithmetic extended with predicate symbols can be shown to be decidable, using a Nelson-Oppen style congruence closure argument [20].

To tackle this problem, we start from the observation that acceptance formulae have a particular form, which allows the elimination of path quantifiers and of predicates, by a couple of satisfiability-preserving transformations. The result of applying these transformations is a formula with no predicate symbols, whose only quantifiers are those introduced by the transition rules of the automaton, referred to as transition quantifiers. We shall further assume (§4) that the first-order theory of the data sort $\mathbb{D}$ has quantifier elimination, which allows to effectively decide the satisfiability of such formulae.

For the time being, let us formally define the elimination of path quantifiers and of predicates, respectively. Consider a given sequence of input events $\alpha = a_1 \ldots a_n$ and denote by $\alpha_i$ the prefix $a_1 \ldots a_i$ of $\alpha$, for $i \in [n]$, where $\alpha_0 = \epsilon$.

Definition 3. Let $\widehat{\Theta}(\alpha_0), \ldots, \widehat{\Theta}(\alpha_n)$ be the sequence of formulae defined by $\widehat{\Theta}(\alpha_0) \stackrel{\text{def}}{=} \iota^{(0)}$ and, for all $i \in [1, n]$:

$$\widehat{\Theta}(\alpha_i) \stackrel{\text{def}}{=} \widehat{\Theta}(\alpha_{i-1}) \wedge \bigwedge_{\substack{q^{(i-1)}(t_1, \ldots, t_{\#(q)}) \text{ occurs in } \widehat{\Theta}(\alpha_{i-1}) \\ q(y_1, \ldots, y_{\#(q)}) \xrightarrow{a_i(X)} \psi \in \Delta}} q^{(i-1)}(t_1, \ldots, t_{\#(q)}) \to \psi^{(i)}[t_1/y_1, \ldots, t_{\#(q)}/y_{\#(q)}]$$

We write $\widehat{\Upsilon}(\alpha)$ for the prenex normal form of the formula:

$$\widehat{\Theta}(\alpha_n) \wedge \bigwedge_{\substack{q^{(n)}(t_1, \ldots, t_{\#(q)}) \text{ occurs in } \widehat{\Theta}(\alpha_n) \\ q \in Q \setminus F}} q^{(n)}(t_1, \ldots, t_{\#(q)}) \to \bot$$

Observe that $\widehat{\Upsilon}(\alpha)$ contains no path quantifiers, as required. On the other hand, the scope of the transition quantifiers in $\widehat{\Upsilon}(\alpha)$ exceeds the right-hand side formulae from the transition rules, as shown by the following example.

Example 1.
Consider the automaton $A = \langle\{a_1, a_2\}, \{x\}, \{q, q_f\}, \iota, \{q_f\}, \Delta\rangle$, where:

$$\iota = \exists z\,.\,z \ge 0 \wedge q(z) \qquad \Delta = \{\,q(y) \xrightarrow{a_1(x)} x \ge 0 \wedge \forall z\,.\,z \le y \to q(x+z),\ \ q(y) \xrightarrow{a_2(x)} y < 0 \wedge q_f(x+y)\,\}$$

For the input event sequence $\alpha = a_1 a_2$, the acceptance formula is:

$$\begin{array}{rl}
\Upsilon(\alpha) = & \exists z\,.\,z \ge 0 \wedge q^{(0)}(z)\ \wedge \\
& \forall y\,.\,q^{(0)}(y) \to [x^{(1)} \ge 0 \wedge \forall z\,.\,z \le y \to q^{(1)}(x^{(1)} + z)]\ \wedge \\
& \forall y\,.\,q^{(1)}(y) \to [y < 0 \wedge q_f^{(2)}(x^{(2)} + y)]
\end{array}$$

The result of eliminating the path quantifiers, in prenex normal form, is shown below:

$$\begin{array}{rl}
\widehat{\Upsilon}(\alpha) = & \exists z_1 \forall z_2\,.\,z_1 \ge 0 \wedge q^{(0)}(z_1)\ \wedge \\
& [q^{(0)}(z_1) \to x^{(1)} \ge 0 \wedge (z_2 \le z_1 \to q^{(1)}(x^{(1)} + z_2))]\ \wedge \\
& [q^{(1)}(x^{(1)} + z_2) \to x^{(1)} + z_2 < 0 \wedge q_f^{(2)}(x^{(2)} + x^{(1)} + z_2)]
\end{array}$$
□

The next lemma establishes a formal relation between the satisfiability of an acceptance formula $\Upsilon(\alpha)$ and that of the formula $\widehat{\Upsilon}(\alpha)$, obtained by eliminating the path quantifiers from $\Upsilon(\alpha)$.

Lemma 3.
For any input event sequence $\alpha = a_1 \ldots a_n$ and each valuation $\nu : X^{(\le n)} \to \mathbb{D}$, the following hold:
1. for all interpretations $\mathcal{I}$, if $\mathcal{I}, \nu \models \Upsilon(\alpha)$ then $\mathcal{I}, \nu \models \widehat{\Upsilon}(\alpha)$.
2. if there exists an interpretation $\mathcal{I}$ such that $\mathcal{I}, \nu \models \widehat{\Upsilon}(\alpha)$ then there exists an interpretation $\mathcal{J} \subseteq \mathcal{I}$ such that $\mathcal{J}, \nu \models \Upsilon(\alpha)$.

Proof: (1) Trivial, since every subformula $q(t_1, \ldots, t_{\#(q)}) \to \psi[t_1/y_1, \ldots, t_{\#(q)}/y_{\#(q)}]$ of $\widehat{\Upsilon}(\alpha)$ is entailed by a subformula $\forall y_1 \ldots \forall y_{\#(q)}\,.\,q(y_1, \ldots, y_{\#(q)}) \to \psi$ of $\Upsilon(\alpha)$. (2) By repeated applications of the following fact:

Fact 1. Given formulae $\phi$ and $\psi$, such that no predicate atom with predicate symbol $q$ occurs in $\psi(y_1, \ldots, y_{\#(q)})$, for each valuation $\nu$, if there exists an interpretation $\mathcal{I}$ such that $\mathcal{I}, \nu \models \phi \wedge \bigwedge_{q(t_1, \ldots, t_{\#(q)}) \text{ occurs in } \phi} q(t_1, \ldots, t_{\#(q)}) \to \psi[t_1/y_1, \ldots, t_{\#(q)}/y_{\#(q)}]$, then there exists an interpretation $\mathcal{J}$ such that $\mathcal{J}(q) \subseteq \mathcal{I}(q)$ and $\mathcal{J}(q') = \mathcal{I}(q')$ for all $q' \in Q \setminus \{q\}$, and $\mathcal{J}, \nu \models \phi \wedge \forall y_1 \ldots \forall y_{\#(q)}\,.\,q(y_1, \ldots, y_{\#(q)}) \to \psi$.

Proof: Assume w.l.o.g. that $\phi$ is quantifier-free. The proof can be easily generalized to the case where $\phi$ has quantifiers. Let $\mathcal{J}(q) = \{\langle t_1^\nu, \ldots, t_{\#(q)}^\nu\rangle \in \mathcal{I}(q) \mid q(t_1, \ldots, t_{\#(q)}) \text{ occurs in } \phi\}$ and $\mathcal{J}(q') = \mathcal{I}(q')$ for all $q' \in Q \setminus \{q\}$. Since $\mathcal{I}, \nu \models \phi$, we obtain that also $\mathcal{J}, \nu \models \phi$, because the tuples of values in $\mathcal{I}(q) \setminus \mathcal{J}(q)$ are not interpretations of terms that occur within subformulae $q(t_1, \ldots, t_{\#(q)})$ of $\phi$. Moreover, $\bigwedge_{q(t_1, \ldots, t_{\#(q)}) \text{ occurs in } \phi} q(t_1, \ldots, t_{\#(q)}) \to \psi[t_1/y_1, \ldots, t_{\#(q)}/y_{\#(q)}]$ and $\forall y_1 \ldots \forall y_{\#(q)}\,.\,q(y_1, \ldots, y_{\#(q)}) \to \psi$ are equivalent under $\mathcal{J}$, thus $\mathcal{J}, \nu \models \forall y_1 \ldots \forall y_{\#(q)}\,.\,q(y_1, \ldots, y_{\#(q)}) \to \psi$, as required. ⊓⊔

This concludes the proof. ⊓⊔

We proceed with the elimination of predicate atoms from $\widehat{\Upsilon}(\alpha)$, defined below.

Definition 4.
Let $\overline{\Theta}(\alpha_0), \ldots, \overline{\Theta}(\alpha_n)$ be the sequence of formulae defined by $\overline{\Theta}(\alpha_0) \stackrel{\text{def}}{=} \iota^{(0)}$ and, for all $i \in [1, n]$, $\overline{\Theta}(\alpha_i)$ is obtained by replacing each occurrence of a predicate atom $q^{(i-1)}(t_1, \ldots, t_{\#(q)})$ in $\overline{\Theta}(\alpha_{i-1})$ with the formula $\psi^{(i)}[t_1/y_1, \ldots, t_{\#(q)}/y_{\#(q)}]$, where $q(\mathbf{y}) \xrightarrow{a_i(X)} \psi \in \Delta$. We write $\overline{\Upsilon}(\alpha)$ for the formula obtained by replacing, in $\overline{\Theta}(\alpha_n)$, each occurrence of a predicate $q^{(n)}$, such that $q \in Q \setminus F$ (resp. $q \in F$), by $\bot$ (resp. $\top$).

Example 2 (Contd. from Example 1). The result of the elimination of predicate atoms from the acceptance formula in Example 1 is shown below:

$$\overline{\Upsilon}(\alpha) = \exists z_1 \forall z_2\,.\,z_1 \ge 0 \wedge [x^{(1)} \ge 0 \wedge (z_2 \le z_1 \to x^{(1)} + z_2 < 0)]$$

This formula is unsatisfiable (taking $z_2 = 0 \le z_1$ forces $x^{(1)} < 0$, which contradicts $x^{(1)} \ge 0$), hence no word $w$ with input event sequence $w_\Sigma = a_1 a_2$ is accepted by the automaton $A$ from Example 1. □

At this point, we prove the formal relation between the satisfiability of the formulae $\widehat{\Upsilon}(\alpha)$ and $\overline{\Upsilon}(\alpha)$. Since there are no occurrences of predicates in $\overline{\Upsilon}(\alpha)$, for each valuation $\nu : X^{(\le n)} \to \mathbb{D}$, there exists an interpretation $\mathcal{I}$ such that $\mathcal{I}, \nu \models \overline{\Upsilon}(\alpha)$ if and only if $\mathcal{J}, \nu \models \overline{\Upsilon}(\alpha)$, for every interpretation $\mathcal{J}$. In this case we omit $\mathcal{I}$ and simply write $\nu \models \overline{\Upsilon}(\alpha)$.

Lemma 4.
For any input event sequence $\alpha = a_1 \ldots a_n$ and each valuation $\nu : X^{(\le n)} \to \mathbb{D}$, there exists an interpretation $\mathcal{I}$ such that $\mathcal{I}, \nu \models \widehat{\Upsilon}(\alpha)$ if and only if $\nu \models \overline{\Upsilon}(\alpha)$.

Proof: By induction on $n \ge 0$. For the base case $n = 0$, we have $\widehat{\Upsilon}(\alpha) = \overline{\Upsilon}(\alpha) = \iota^{(0)}$. For the induction step, we rely on the following fact:

Fact 2. Given formulae $\phi$ and $\psi$, such that $\phi$ is positive, $q(t_1, \ldots, t_{\#(q)})$ is the only occurrence of the predicate symbol $q$ in $\phi$ and no predicate atom with predicate symbol $q$ occurs in $\psi(y_1, \ldots, y_{\#(q)})$, for each interpretation $\mathcal{I}$ and each valuation $\nu$, we have (writing $\psi[\mathbf{t}/\mathbf{y}]$ for $\psi[t_1/y_1, \ldots, t_{\#(q)}/y_{\#(q)}]$ and $q(\mathbf{t})$ for $q(t_1, \ldots, t_{\#(q)})$ below):

$$\mathcal{I}, \nu \models \phi \wedge q(\mathbf{t}) \to \psi[\mathbf{t}/\mathbf{y}] \quad\Leftrightarrow\quad \nu \models \phi[\psi[\mathbf{t}/\mathbf{y}] / q(\mathbf{t})]$$

Proof: We assume w.l.o.g. that $\phi$ is quantifier-free. The proof can be easily generalized to the case where $\phi$ has quantifiers.

"$\Rightarrow$" We distinguish two cases:
– if $\langle t_1^\nu, \ldots, t_{\#(q)}^\nu\rangle \in \mathcal{I}(q)$ then $\mathcal{I}, \nu \models \psi[\mathbf{t}/\mathbf{y}]$. Since $\phi$ is positive, replacing $q(\mathbf{t})$ with $\psi[\mathbf{t}/\mathbf{y}]$ does not change the truth value of $\phi$ under $\nu$, thus $\nu \models \phi[\psi[\mathbf{t}/\mathbf{y}] / q(\mathbf{t})]$.
– else, $\langle t_1^\nu, \ldots, t_{\#(q)}^\nu\rangle \notin \mathcal{I}(q)$, thus $\nu \models \phi[\bot / q(\mathbf{t})]$. Since $\phi$ is positive and $\bot$ entails $\psi[\mathbf{t}/\mathbf{y}]$, we obtain $\nu \models \phi[\psi[\mathbf{t}/\mathbf{y}] / q(\mathbf{t})]$ by monotonicity.

"$\Leftarrow$" Let $\mathcal{I}$ be any interpretation such that $\mathcal{I}(q) = \{\langle t_1^\nu, \ldots, t_{\#(q)}^\nu\rangle \mid \nu \models \psi[\mathbf{t}/\mathbf{y}]\}$. We distinguish two cases:
– if $\mathcal{I}(q) \neq \emptyset$ then $\mathcal{I}, \nu \models q(\mathbf{t})$ and $\nu \models \psi[\mathbf{t}/\mathbf{y}]$. Thus replacing $\psi[\mathbf{t}/\mathbf{y}]$ by $q(\mathbf{t})$ does not change the truth value of $\phi$ under $\mathcal{I}$ and $\nu$, and we obtain $\mathcal{I}, \nu \models \phi$. Moreover, $\mathcal{I}, \nu \models \psi[\mathbf{t}/\mathbf{y}]$ implies $\mathcal{I}, \nu \models q(\mathbf{t}) \to \psi[\mathbf{t}/\mathbf{y}]$.
– else $\mathcal{I}(q) = \emptyset$, hence $\nu \not\models \psi[\mathbf{t}/\mathbf{y}]$, thus $\nu \models \phi[\bot / q(\mathbf{t})]$. Because $\phi$ is positive, we obtain $\mathcal{I}, \nu \models \phi$ by monotonicity. But $\mathcal{I}, \nu \models q(\mathbf{t}) \to \psi[\mathbf{t}/\mathbf{y}]$ trivially, because $\mathcal{I}, \nu \not\models q(\mathbf{t})$.
⊓⊔ This concludes the proof. ⊓⊔ Finally, we define the acceptance of a word with a given input event sequence bymeans of a formula in which no predicate atom occurs. As previously discussed, sev-eral decidable theories, such as Presburger arithmetic, become undecidable if predicateatoms are added to them. Therefore, the result below makes a step forward towards de-ciding whether the automaton accepts a word with a given input sequence, by reducingthis problem to the satisfiability of a quantified formula without predicates.
Lemma 5. Given an automaton $\mathcal{A} = \langle \Sigma, X, Q, \iota, F, \Delta \rangle$, for every word $w \in \Sigma[X]^*$, we have $w_D \models \overline{\Upsilon}(w_\Sigma)$ if and only if $w \in \mathcal{L}(\mathcal{A})$.

Proof: By Lemma 2, $w \in \mathcal{L}(\mathcal{A})$ if and only if $\mathcal{I}, w_D \models \Upsilon(w_\Sigma)$, for some interpretation $\mathcal{I}$. By Lemma 3, there exists an interpretation $\mathcal{I}$ such that $\mathcal{I}, w_D \models \Upsilon(w_\Sigma)$ if and only if there exists an interpretation $\mathcal{J}$ such that $\mathcal{J}, w_D \models \widehat{\Upsilon}(w_\Sigma)$. By Lemma 4, there exists an interpretation $\mathcal{J}$ such that $\mathcal{J}, w_D \models \widehat{\Upsilon}(w_\Sigma)$ if and only if $w_D \models \overline{\Upsilon}(w_\Sigma)$. ⊓⊔

Given a positive formula $\varphi$, we define the dual formula $\varphi^\sim$ recursively as follows:
$$(\varphi_1 \vee \varphi_2)^\sim = \varphi_1^\sim \wedge \varphi_2^\sim \qquad (\varphi_1 \wedge \varphi_2)^\sim = \varphi_1^\sim \vee \varphi_2^\sim \qquad (t \approx s)^\sim = \neg(t \approx s) \qquad (\neg(t \approx s))^\sim = t \approx s$$
$$(\exists x .\, \varphi)^\sim = \forall x .\, \varphi^\sim \qquad (\forall x .\, \varphi)^\sim = \exists x .\, \varphi^\sim \qquad (q(x_1,\ldots,x_{\#q}))^\sim = q(x_1,\ldots,x_{\#q})$$
Observe that, because predicate atoms do not occur negated in $\varphi$, there is no need to define dualization for formulae of the form $\neg q(x_1,\ldots,x_{\#q})$. The following theorem shows closure of automata under all boolean operations.

Theorem 1. Given automata $\mathcal{A}_i = \langle \Sigma, X, Q_i, \iota_i, F_i, \Delta_i \rangle$, for $i = 1,2$, such that $Q_1 \cap Q_2 = \emptyset$, the following hold:
1. $\mathcal{L}(\mathcal{A}_\cap) = \mathcal{L}(\mathcal{A}_1) \cap \mathcal{L}(\mathcal{A}_2)$, where $\mathcal{A}_\cap = \langle \Sigma, X, Q_1 \cup Q_2, \iota_1 \wedge \iota_2, F_1 \cup F_2, \Delta_1 \cup \Delta_2 \rangle$,
2. $\mathcal{L}(\overline{\mathcal{A}_i}) = \Sigma[X]^* \setminus \mathcal{L}(\mathcal{A}_i)$, where $\overline{\mathcal{A}_i} = \langle \Sigma, X, Q_i, \iota_i^\sim, Q_i \setminus F_i, \Delta_i^\sim \rangle$ and, for $i = 1,2$: $\Delta_i^\sim = \{ q(\mathbf{y}) \xrightarrow{a(X)} \psi^\sim \mid q(\mathbf{y}) \xrightarrow{a(X)} \psi \in \Delta_i \}$.
Moreover, $|\mathcal{A}_\cap| = O(|\mathcal{A}_1| + |\mathcal{A}_2|)$ and $|\overline{\mathcal{A}_i}| = O(|\mathcal{A}_i|)$, for all $i = 1,2$.

Proof: (1) "$\subseteq$" Let $w \in \mathcal{L}(\mathcal{A}_\cap)$ be a word and $T$ be an execution of $\mathcal{A}_\cap$ over $w$. Since $Q_1 \cap Q_2 = \emptyset$, it is possible to partition $T$ into $T_1$ and $T_2$ such that the roots of $T_i$ form a cube from $\mathbf{c}(\llbracket \iota_i \rrbracket_\mu)$, for all $i = 1,2$. Because $\Delta_1 \cap \Delta_2 = \emptyset$, by induction on $|w| \geq 0$, $T_i$ is an execution of $\mathcal{A}_i$ over $w$, for all $i = 1,2$. Finally, because $T$ is accepting, we obtain that $T_1$ and $T_2$ are accepting, respectively, hence $w \in \mathcal{L}(\mathcal{A}_1) \cap \mathcal{L}(\mathcal{A}_2)$. "$\supseteq$" Let $w \in \mathcal{L}(\mathcal{A}_1) \cap \mathcal{L}(\mathcal{A}_2)$ and let $T_i$ be an accepting execution of $\mathcal{A}_i$ over $w$, for all $i = 1,2$. We show that $T_1 \cup T_2$ is an execution of $\mathcal{A}_\cap$ over $w$, by induction on $|w| \geq 0$. If $|w| = 0$, we have $T_i \in \mathbf{c}(\llbracket \iota_i \rrbracket_\mu)$ for all $i = 1,2$ and, since $Q_1 \cap Q_2 = \emptyset$, we have $T_1 \cup T_2 \in \mathbf{c}(\llbracket \iota_1 \wedge \iota_2 \rrbracket_\mu)$. The induction step follows as a consequence of the fact that $\Delta_1 \cup \Delta_2$ is the set of transition rules of $\mathcal{A}_\cap$. Finally, since both $T_1$ and $T_2$ are accepting, $T_1 \cup T_2$ is accepting as well. Moreover, we have:
$$|\mathcal{A}_\cap| = |\iota_1 \wedge \iota_2| + \sum_{q(\mathbf{y}) \xrightarrow{a(X)} \psi \in \Delta_1 \cup \Delta_2} |\psi| = 1 + |\iota_1| + |\iota_2| + \sum_{q(\mathbf{y}) \xrightarrow{a(X)} \psi \in \Delta_1} |\psi| + \sum_{q(\mathbf{y}) \xrightarrow{a(X)} \psi \in \Delta_2} |\psi| .$$
(2) Let $w \in \Sigma[X]^*$ be a word. We denote by $\Upsilon_{\mathcal{A}_i}(w_\Sigma)$ and $\overline{\Upsilon}_{\mathcal{A}_i}(w_\Sigma)$ [resp. $\Upsilon_{\overline{\mathcal{A}_i}}(w_\Sigma)$ and $\overline{\Upsilon}_{\overline{\mathcal{A}_i}}(w_\Sigma)$] the formulae $\Upsilon(w_\Sigma)$ and $\overline{\Upsilon}(w_\Sigma)$ for $\mathcal{A}_i$ and $\overline{\mathcal{A}_i}$, respectively. It is enough to show that $\overline{\Upsilon}_{\overline{\mathcal{A}_i}}(w_\Sigma) = \neg \overline{\Upsilon}_{\mathcal{A}_i}(w_\Sigma)$ and apply Lemma 5 to prove that $w \in \mathcal{L}(\overline{\mathcal{A}_i}) \Leftrightarrow w \notin \mathcal{L}(\mathcal{A}_i)$. Since the choice of $w$ was arbitrary, this proves $\mathcal{L}(\overline{\mathcal{A}_i}) = \Sigma[X]^* \setminus \mathcal{L}(\mathcal{A}_i)$. The equality is shown by induction on the number of predicate atoms in $\Upsilon_{\mathcal{A}_i}(w_\Sigma)$ that are replaced during the generation of $\overline{\Upsilon}_{\mathcal{A}_i}(w_\Sigma)$, and relies on the following fact.

Fact 3. Let $\varphi$ be a positive formula and let $q(t_1,\ldots,t_{\#q})$ be the only occurrence of a predicate symbol within $\varphi$. Then, for every formula $\psi$ with no predicate occurrences:
$$\neg \varphi[\psi[t_1/y_1,\ldots,t_{\#q}/y_{\#q}] / q(t_1,\ldots,t_{\#q})] \equiv \varphi^\sim[\neg \psi[t_1/y_1,\ldots,t_{\#q}/y_{\#q}] / q(t_1,\ldots,t_{\#q})] .$$
Proof: By induction on the structure of $\varphi$. ⊓⊔

The problem of checking emptiness of a given automaton is undecidable, even for automata with predicates of arity two, whose transition rules use only equalities and disequalities, having no transition quantifiers [4]. Since even such simple classes of alternating automata have no general decision procedure for emptiness, we use an abstraction-refinement semi-algorithm based on lazy annotation [18,19].

In a nutshell, a lazy annotation procedure systematically explores the set of execution paths (in our case, sequences of input events) in search of an accepting execution. Each path has a corresponding path formula that defines all words accepted along that path. If the path formula is satisfiable, the automaton accepts a word. Otherwise, the path is said to be spurious. When a spurious path is encountered, the search backtracks and the path is annotated with a set of learned facts, that marks this path as infeasible. The semi-algorithm moreover uses a coverage relation between paths, ensuring that the continuations of already covered paths are never explored. Sometimes this coverage relation provides a sound termination argument, when the automaton is empty.

We check emptiness of first order alternating automata using a version of the IMPACT lazy annotation semi-algorithm [18]. An analogous procedure is given in [11], for a simpler model of alternating automata, that uses only predicates of arity zero (booleans) and no transition quantifiers.
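The dualization used in Theorem 1(2) and Fact 3 is mechanical enough to implement and check exhaustively on a finite data domain. The following Python code is an added example (not part of the paper): it encodes positive formulae as a small syntax tree, implements $\varphi^\sim$ from the recursive definition above, and verifies by brute force that $\varphi^\sim$ is the negation of $\varphi$ once every predicate $q$ is interpreted by the complement $D^{\#q} \setminus \mathcal{I}(q)$, which is exactly the role played by the final states $Q_i \setminus F_i$ and the dualized rules $\Delta_i^\sim$ in $\overline{\mathcal{A}_i}$. The formula, the domain $\{0,1,2\}$ and the interpretation of $q$ are constructed here for illustration.

```python
from dataclasses import dataclass
from itertools import product

# Positive formulae as a small AST: predicate atoms never occur under a negation,
# and negation is only ever applied to equality atoms (Eq / Neq).
@dataclass(frozen=True)
class Eq:     t: object; s: object            # t ≈ s
@dataclass(frozen=True)
class Neq:    t: object; s: object            # ¬(t ≈ s)
@dataclass(frozen=True)
class And:    l: object; r: object
@dataclass(frozen=True)
class Or:     l: object; r: object
@dataclass(frozen=True)
class Exists: x: str; body: object
@dataclass(frozen=True)
class Forall: x: str; body: object
@dataclass(frozen=True)
class Pred:   q: str; args: tuple              # q(t_1, ..., t_#q); terms are variable names or constants

def dual(phi):
    """phi~ from the recursive definition: swap ∨/∧, ∃/∀ and ≈/¬≈; predicate atoms are unchanged."""
    if isinstance(phi, Eq):     return Neq(phi.t, phi.s)
    if isinstance(phi, Neq):    return Eq(phi.t, phi.s)
    if isinstance(phi, And):    return Or(dual(phi.l), dual(phi.r))
    if isinstance(phi, Or):     return And(dual(phi.l), dual(phi.r))
    if isinstance(phi, Exists): return Forall(phi.x, dual(phi.body))
    if isinstance(phi, Forall): return Exists(phi.x, dual(phi.body))
    if isinstance(phi, Pred):   return phi
    raise TypeError(phi)

def free_vars(phi, bound=frozenset()):
    """Free data variables of phi (quantified variables are excluded)."""
    if isinstance(phi, (Eq, Neq)):
        return {t for t in (phi.t, phi.s) if isinstance(t, str) and t not in bound}
    if isinstance(phi, (And, Or)):
        return free_vars(phi.l, bound) | free_vars(phi.r, bound)
    if isinstance(phi, (Exists, Forall)):
        return free_vars(phi.body, bound | {phi.x})
    if isinstance(phi, Pred):
        return {a for a in phi.args if isinstance(a, str) and a not in bound}
    raise TypeError(phi)

def holds(phi, interp, nu, domain):
    """I, nu |= phi over a finite data domain; quantifiers are evaluated by enumeration."""
    val = lambda t: nu[t] if isinstance(t, str) else t
    if isinstance(phi, Eq):     return val(phi.t) == val(phi.s)
    if isinstance(phi, Neq):    return val(phi.t) != val(phi.s)
    if isinstance(phi, And):    return holds(phi.l, interp, nu, domain) and holds(phi.r, interp, nu, domain)
    if isinstance(phi, Or):     return holds(phi.l, interp, nu, domain) or holds(phi.r, interp, nu, domain)
    if isinstance(phi, Exists): return any(holds(phi.body, interp, {**nu, phi.x: d}, domain) for d in domain)
    if isinstance(phi, Forall): return all(holds(phi.body, interp, {**nu, phi.x: d}, domain) for d in domain)
    if isinstance(phi, Pred):   return tuple(val(a) for a in phi.args) in interp[phi.q]
    raise TypeError(phi)

def complement_interp(interp, arity, domain):
    """Interpretation mapping each q to D^#q \\ I(q), i.e. the complemented predicates."""
    return {q: set(product(domain, repeat=arity[q])) - rel for q, rel in interp.items()}

def dual_is_complement(phi, interp, arity, domain):
    """Exhaustive check: I^c, nu |= phi~  iff  I, nu |/= phi, for every valuation nu of the free variables."""
    ic, fv = complement_interp(interp, arity, domain), sorted(free_vars(phi))
    for vals in product(domain, repeat=len(fv)):
        nu = dict(zip(fv, vals))
        if holds(dual(phi), ic, nu, domain) == holds(phi, interp, nu, domain):
            return False
    return True

# Constructed instance: phi = (∃x. q(x) ∧ x ≈ y) ∨ (∀z. ¬(z ≈ y)), D = {0,1,2}, I(q) = {0,1}.
DOMAIN = (0, 1, 2)
PHI = Or(Exists('x', And(Pred('q', ('x',)), Eq('x', 'y'))), Forall('z', Neq('z', 'y')))
INTERP, ARITY = {'q': {(0,), (1,)}}, {'q': 1}

if __name__ == '__main__':
    print(dual(PHI))
    print(dual_is_complement(PHI, INTERP, ARITY, DOMAIN))
```

The check enumerates all valuations of the free variables, so it only makes sense on small finite domains; its purpose is to make the content of Fact 3 concrete, not to replace the structural induction in the proof.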
For simplicity, we do not present the details of this algorithm and content ourselves with several high-level definitions.

Given a finite input event alphabet $\Sigma$, for two sequences $\alpha, \beta \in \Sigma^*$, we say that $\alpha$ is a prefix of $\beta$, written $\alpha \preceq \beta$, if $\beta = \alpha\gamma$ for some sequence $\gamma \in \Sigma^*$. A set $S$ of sequences is:
– prefix-closed if for each $\alpha \in S$, if $\beta \preceq \alpha$ then $\beta \in S$, and
– complete if for each $\alpha \in S$, $\alpha a \in S$ for some $a \in \Sigma$ if and only if $\alpha b \in S$ for all $b \in \Sigma$.
Observe that a prefix-closed set is the backbone of a tree whose edges are labeled with input events. If the set is, moreover, complete, then every node of the tree either has zero successors, in which case it is called a leaf, or has a successor edge labeled with $a$ for each input event $a \in \Sigma$.

Definition 5. An unfolding of an automaton $\mathcal{A} = \langle \Sigma, X, Q, \iota, F, \Delta \rangle$ is a finite partial mapping $U : \Sigma^* \rightharpoonup_{\mathit{fin}} \mathsf{Form}^+(Q, \emptyset)$, such that:
1. $\mathrm{dom}(U)$ is a finite prefix-closed complete set,
2. $U(\varepsilon) = \iota$, and
3. for each sequence $\alpha a \in \mathrm{dom}(U)$, such that $\alpha \in \Sigma^*$ and $a \in \Sigma$:
$$U(\alpha)^{(0)} \wedge \bigwedge_{q(\mathbf{y}) \xrightarrow{a(X)} \psi \in \Delta} \forall y_1 \ldots \forall y_{\#q} .\; q^{(0)}(\mathbf{y}) \rightarrow \psi^{(1)} \;\models\; U(\alpha a)^{(1)}$$
Moreover, $U$ is safe if for each $\alpha \in \mathrm{dom}(U)$, the formula $U(\alpha) \wedge \bigwedge_{q \in Q \setminus F} \forall y_1 \ldots \forall y_{\#q} .\; q(\mathbf{y}) \rightarrow \bot$ is unsatisfiable.

Lazy annotation semi-algorithms [18,19] build unfoldings of automata trying to discover counterexamples for emptiness. If the automaton $\mathcal{A}$ in question is non-empty, a systematic enumeration of the input event sequences from $\Sigma^*$ (for instance, in breadth-first order) suffices to discover a word $w \in \mathcal{L}(\mathcal{A})$, provided that the first order theory of the data domain $D$ is decidable (Lemma 2). However, if $\mathcal{L}(\mathcal{A}) = \emptyset$, the enumeration of input event sequences may, in principle, run forever. The typical way of fighting this divergence problem is to define a coverage relation between the nodes of the unfolding tree.

Definition 6.
Given an unfolding $U$ of an automaton $\mathcal{A} = \langle \Sigma, X, Q, \iota, F, \Delta \rangle$, a node $\alpha \in \mathrm{dom}(U)$ is covered by another node $\beta \in \mathrm{dom}(U)$, denoted $\alpha \sqsubseteq \beta$, if and only if there exists a node $\alpha' \preceq \alpha$ such that $U(\alpha') \models U(\beta)$. Moreover, $U$ is closed if and only if every leaf from $\mathrm{dom}(U)$ is covered by an uncovered node.

A lazy annotation semi-algorithm stops and reports emptiness provided that it succeeds in building a closed and safe unfolding of the automaton. Notice that, by Definition 6, for any three nodes of an unfolding $U$, say $\alpha, \beta, \gamma \in \mathrm{dom}(U)$, if $\alpha \prec \beta$ and $\alpha \sqsubseteq \gamma$, then $\beta \sqsubseteq \gamma$ as well. As we show next (Theorem 2), there is no need to expand covered nodes, because, intuitively, there exists a word $w \in \mathcal{L}(\mathcal{A})$ such that $\alpha \preceq w_\Sigma$ and $\alpha \sqsubseteq \gamma$ only if there exists another word $u \in \mathcal{L}(\mathcal{A})$ such that $\gamma \preceq u_\Sigma$. Hence, exploring only those input event sequences that are continuations of $\gamma$ (and ignoring those of $\alpha$) suffices in order to find a counterexample for emptiness, if one exists.

An unfolding node $\alpha \in \mathrm{dom}(U)$ is said to be spurious if and only if $\Upsilon(\alpha)$ is unsatisfiable. In this case, we change (refine) the labels of (some of the) prefixes of $\alpha$ (and that of $\alpha$), such that $U(\alpha)$ becomes $\bot$, thus indicating that there is no real execution of the automaton along that input event sequence. As a result of the change of labels, if a node $\gamma \preceq \alpha$ used to cover another node from $\mathrm{dom}(U)$, it might not cover it with the new label. Therefore, the coverage relation has to be recomputed after each refinement of the labeling. The semi-algorithm stops when (and if) a safe closed unfolding has been found. For a detailed presentation of the emptiness procedure, we refer to [11].

Theorem 2. If an automaton $\mathcal{A}$ has a nonempty safe closed unfolding then $\mathcal{L}(\mathcal{A}) = \emptyset$.

Proof: Let $U$ be a safe and closed unfolding of $\mathcal{A}$, such that $\mathrm{dom}(U) \neq \emptyset$. Suppose, by contradiction, that there exists a word $w \in \mathcal{L}(\mathcal{A})$ and let $\alpha \stackrel{\text{def}}{=} w_\Sigma$. Since $w \in \mathcal{L}(\mathcal{A})$, by Lemma 2, there exists an interpretation $\mathcal{I}$ such that $\mathcal{I}, w_D \models \Upsilon(\alpha)$. Assume first that $\alpha \in \mathrm{dom}(U)$. In this case, one can show, by induction on the length $n = |w| \geq 0$, that $\Theta(\alpha) \models U(\alpha)^{(n)}$, thus $\mathcal{I}, w_D \models U(\alpha)^{(n)}$. Since $\mathcal{I}, w_D \models \Upsilon(\alpha)$, we have $\mathcal{I}, w_D \models \bigwedge_{q \in Q \setminus F} \forall y_1 \ldots \forall y_{\#q} .\; q^{(n)}(\mathbf{y}) \rightarrow \bot$, hence $U(\alpha)^{(n)} \wedge \bigwedge_{q \in Q \setminus F} \forall y_1 \ldots \forall y_{\#q} .\; q^{(n)}(\mathbf{y}) \rightarrow \bot$ is satisfiable. By renaming $q^{(n)}$ with $q$ in the previous formula, we obtain that $U(\alpha) \wedge \bigwedge_{q \in Q \setminus F} \forall y_1 \ldots \forall y_{\#q} .\; q(\mathbf{y}) \rightarrow \bot$ is satisfiable, thus $U$ is not safe, contradiction.

We proceed thus under the assumption that $\alpha \notin \mathrm{dom}(U)$. Since $\mathrm{dom}(U)$ is a nonempty prefix-closed set, there exists a strict prefix $\alpha'$ of $\alpha$ that is a leaf of $\mathrm{dom}(U)$. Since $U$ is closed, the leaf $\alpha'$ must be covered; let $\alpha_1 \preceq \alpha' \preceq \alpha$ be a node such that $U(\alpha_1) \models U(\beta_1)$, for some uncovered node $\beta_1 \in \mathrm{dom}(U)$. Let $\gamma_1$ be the unique sequence such that $\alpha_1 \gamma_1 = \alpha$. By Definition 6, since $\alpha_1 \sqsubseteq \beta_1$ and $w_\Sigma = \alpha_1 \gamma_1$ with $w \in \mathcal{L}(\mathcal{A})$, there exists a word $w_1$ and a cube $c \in \mathbf{c}(\llbracket U(\alpha_1) \rrbracket) \subseteq \mathbf{c}(\llbracket U(\beta_1) \rrbracket)$, such that $(w_1)_\Sigma = \gamma_1$ and $\mathcal{A}$ accepts $w_1$ starting with $c$. If $\beta_1 \gamma_1 \in \mathrm{dom}(U)$, we obtain a contradiction by a similar argument as above. Hence $\beta_1 \gamma_1 \notin \mathrm{dom}(U)$ and there exists a leaf of $\mathrm{dom}(U)$ which is also a prefix of $\beta_1 \gamma_1$. Since $U$ is closed, this leaf is covered by an uncovered node $\beta_2 \in \mathrm{dom}(U)$; let $\alpha_2 \in \mathrm{dom}(U)$ be the minimal (in the prefix partial order) node such that $\beta_1 \preceq \alpha_2 \preceq \beta_1 \gamma_1$ and $\alpha_2 \sqsubseteq \beta_2$. Let $\gamma_2$ be the unique sequence such that $\alpha_2 \gamma_2 = \beta_1 \gamma_1$. Since $\beta_1$ is uncovered, we have $\beta_1 \neq \alpha_2$ and thus $|\gamma_1| > |\gamma_2|$. By repeating the above reasoning for $\alpha_2$, $\beta_2$ and $\gamma_2$, we obtain an infinite sequence $|\gamma_1| > |\gamma_2| > \ldots$, which is again a contradiction. ⊓⊔

As mentioned above, we check emptiness of first order alternating automata using the same method previously used to check emptiness of a simpler model of alternating automata, which uses boolean constants for control states and whose transition rules have no quantifiers [11]. The higher complexity of the automata model considered here manifests itself within the interpolant generation procedure, used to refine the labeling of the unfolding. We discuss the generation of interpolants in the next section.
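The bookkeeping side of Definitions 5 and 6 (prefix-closed and complete domains, leaves, the coverage relation, closedness and safety) is easy to get subtly wrong, so the following Python code is an added example (not from the paper or its implementation [11]) of that skeleton. To stay runnable without an SMT solver, it abstracts labels $U(\alpha)$ as positive formulae in disjunctive normal form over ground predicate atoms, for which $F \models G$ holds exactly when every cube of $F$ contains some cube of $G$; in the real procedure labels are the quantified formulae of Lemma 7 and entailment is a solver query. The labels below are constructed by hand (the caller is responsible for condition 3 of Definition 5). One caveat the code makes explicit: Definition 6 read literally lets any descendant $\alpha$ of $\beta$ be covered by $\beta$ (take $\alpha' = \beta$), so the check adds the usual IMPACT-style restriction, an assumption of this example and not stated on the page, that the covering node is incomparable with $\alpha$ in the prefix order.

```python
def dnf(*cubes):
    """A positive label in DNF: a frozenset of cubes, each a frozenset of ground atoms (q, value)."""
    return frozenset(frozenset(cube) for cube in cubes)

def entails(f, g):
    """F |= G for monotone DNF formulae: every cube of F must contain some cube of G."""
    return all(any(cg <= cf for cg in g) for cf in f)

class Unfolding:
    """dom(U) ⊆ Σ* (nodes are tuples of input events) together with the labels U(α)."""
    def __init__(self, alphabet, initial):
        self.alphabet = tuple(alphabet)
        self.labels = {(): initial}                       # U(ε) = ι

    def expand(self, node, successor_labels):
        """Add α·a for every a ∈ Σ at once, which keeps dom(U) complete."""
        if node not in self.labels or set(successor_labels) != set(self.alphabet):
            raise ValueError("expand needs an existing node and one label per input event")
        for a in self.alphabet:
            self.labels[node + (a,)] = successor_labels[a]

    def is_prefix_closed(self):
        return all(alpha[:k] in self.labels for alpha in self.labels for k in range(len(alpha)))

    def is_complete(self):
        n = len(self.alphabet)
        return all(len([a for a in self.alphabet if alpha + (a,) in self.labels]) in (0, n)
                   for alpha in self.labels)

    def leaves(self):
        return [alpha for alpha in self.labels
                if not any(alpha + (a,) in self.labels for a in self.alphabet)]

    @staticmethod
    def comparable(alpha, beta):
        n = min(len(alpha), len(beta))
        return alpha[:n] == beta[:n]                       # one is a prefix of the other

    def covered_by(self, alpha, beta):
        """α ⊑ β: some prefix α' ⪯ α satisfies U(α') |= U(β).  Assumption added here: β is
        neither a prefix nor an extension of α, otherwise α' = β would cover every descendant."""
        if self.comparable(alpha, beta):
            return False
        return any(entails(self.labels[alpha[:k]], self.labels[beta]) for k in range(len(alpha) + 1))

    def is_covered(self, alpha):
        return any(self.covered_by(alpha, beta) for beta in self.labels)

    def is_closed(self):
        """Every leaf is covered by an uncovered node (Definition 6)."""
        uncovered = [beta for beta in self.labels if not self.is_covered(beta)]
        return all(any(self.covered_by(leaf, beta) for beta in uncovered) for leaf in self.leaves())

    def is_safe(self, final):
        """U(α) ∧ ⋀_{q∉F} ∀y. q(y) → ⊥ is unsatisfiable iff no cube of U(α) consists of final atoms only."""
        return all(any(q not in final for q, _ in cube)
                   for label in self.labels.values() for cube in label)

def build_example():
    """Constructed unfolding over Σ = {a, b}: q0 initial, q1/q2 internal, qf final (never reached)."""
    u = Unfolding(('a', 'b'), dnf([('q0', 0)]))
    u.expand((), {'a': dnf([('q1', 0)]), 'b': dnf([('q2', 0)])})
    # The subtree under a is entailed by U(b) and the subtree under b by U(a): both are covered.
    u.expand(('a',), {'a': dnf([('q2', 0), ('q1', 1)]), 'b': dnf([('q2', 0), ('q1', 1)])})
    u.expand(('b',), {'a': dnf([('q1', 0), ('q2', 1)]), 'b': dnf([('q1', 0), ('q2', 1)])})
    return u

if __name__ == '__main__':
    u = build_example()
    print("closed:", u.is_closed(), "safe:", u.is_safe({'qf'}))
```

With both subtrees expanded, every leaf is covered by one of the uncovered internal nodes $a$ or $b$, so the unfolding is closed and safe and Theorem 2 applies; before expanding $b$, the leaf $b$ has no incomparable node whose label it entails, and the same tree is complete but not closed.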
Typically, when checking the unreachability of a set of program configurations [18], the interpolants used to annotate the unfolded control structure are assertions about the values of the program variables in a given control state, at a certain step of an execution. However, in an alternating model of computation, it is useful to distinguish between (i) locality of interpolants w.r.t. a given control state (control locality) and (ii) locality w.r.t. a given time stamp (time locality). In logical terms, control-local interpolants are defined by formulae involving a single predicate symbol, whereas time-local interpolants involve only predicates $q^{(i)}$ and variables $x^{(i)}$, for a single $i \geq 0$.

Remark. When considering an alternating model of computation, control-local interpolants are not always enough to prove emptiness, because of the synchronization of several branches of the computation on the same sequence of input values. Consider, for instance, an automaton with the following transition rules and final state $q_f$:
$$q_0(y) \xrightarrow{a(x)} q_1(y + x) \wedge q_2(y - x) \qquad q_1(y) \xrightarrow{a(x)} y + x > 0 \wedge q_f \qquad q_1(y) \xrightarrow{a(x)} q_1(y + x)$$
$$q_2(y) \xrightarrow{a(x)} y - x > 0 \wedge q_f \qquad q_2(y) \xrightarrow{a(x)} q_2(y - x)$$
Started in an initial configuration $q_0(0)$ with an input word $(a,\nu_1) \ldots (a,\nu_{n-1})(a,\nu_n)$, such that $\nu_i(x) = k_i$, the automaton executes as follows:
$$q_0(0) \xrightarrow{(a,\nu_1)} \{q_1(k_1), q_2(-k_1)\} \;\ldots\; \xrightarrow{(a,\nu_{n-1})} \{q_1(\textstyle\sum_{i=1}^{n-1} k_i),\; q_2(-\sum_{i=1}^{n-1} k_i)\} \xrightarrow{(a,\nu_n)} \emptyset$$
An overapproximation of the set of cubes generated after one or more steps is defined by the formula $\exists x_1 \exists x_2 .\; q_1(x_1) \wedge q_2(x_2) \wedge x_1 + x_2 \approx 0$. Observe that a control-local formula using one occurrence of a predicate would give a too rough overapproximation of this set, unable to prove the emptiness of the automaton. ∎
First, let us give the formal definition of the class of interpolants we shall work with. Given a formula $\varphi$, the vocabulary of $\varphi$, denoted $\mathrm{V}(\varphi)$, is the set of predicate symbols $q \in Q^{(i)}$ and variables $x \in X^{(i)}$ occurring in $\varphi$, for some $i \geq 0$. For a term $t$, its vocabulary $\mathrm{V}(t)$ is the set of variables that occur in $t$. Observe that quantified variables and the interpreted function symbols of the data theory (e.g., the arithmetic operators of addition and multiplication, when $D$ is the set of integers) do not belong to the vocabulary of a formula. By $\mathrm{P}^+(\varphi)$ [$\mathrm{P}^-(\varphi)$] we denote the set of predicate symbols that occur in $\varphi$ under an even [odd] number of negations.

Definition 7 ([17]). Given formulae $\varphi$ and $\psi$ such that $\varphi \wedge \psi$ is unsatisfiable, a Lyndon interpolant is a formula $I$ such that $\varphi \models I$, the formula $I \wedge \psi$ is unsatisfiable, $\mathrm{V}(I) \subseteq \mathrm{V}(\varphi) \cap \mathrm{V}(\psi)$, $\mathrm{P}^+(I) \subseteq \mathrm{P}^+(\varphi) \cap \mathrm{P}^+(\psi)$ and $\mathrm{P}^-(I) \subseteq \mathrm{P}^-(\varphi) \cap \mathrm{P}^-(\psi)$.

In the rest of this section, let us fix an automaton $\mathcal{A} = \langle \Sigma, X, Q, \iota, F, \Delta \rangle$. Due to the above observation, none of the interpolants considered will be control-local and we shall use the term local to denote time-local interpolants, with no free variables.

Definition 8. Given a non-empty sequence of input events $\alpha = a_1 \ldots a_n \in \Sigma^*$, a generalized Lyndon interpolant (GLI) is a sequence $(I_0, \ldots, I_n)$ of formulae such that, for all $k \in [n-1]$:
1. $\mathrm{P}^-(I_k) = \emptyset$,
2. $\iota^{(0)} \models I_0$ and $I_k \wedge \Big(\bigwedge_{q(\mathbf{y}) \xrightarrow{a_{k+1}(X)} \psi \in \Delta} \forall y_1 \ldots \forall y_{\#q} .\; q^{(k)}(\mathbf{y}) \rightarrow \psi^{(k+1)}\Big) \models I_{k+1}$,
3. $I_n \wedge \bigwedge_{q \in Q \setminus F} \forall y_1 \ldots \forall y_{\#q} .\; q^{(n)}(\mathbf{y}) \rightarrow \bot$ is unsatisfiable.
Moreover, the GLI is local if and only if $\mathrm{V}(I_k) \subseteq Q^{(k)}$, for all $k \in [n]$.

The following proposition states the existence of local GLI for the theories in which Lyndon's Interpolation Theorem holds.
Proposition 1. If there exists a Lyndon interpolant for any two formulae $\varphi$ and $\psi$, such that $\varphi \wedge \psi$ is unsatisfiable, then any sequence of input events $\alpha = a_1 \ldots a_n \in \Sigma^*$, such that $\Upsilon(\alpha)$ is unsatisfiable, has a local GLI $(I_0, \ldots, I_n)$.

Proof: By definition, $\Upsilon(\alpha)$ is the formula:
$$\iota^{(0)} \wedge \bigwedge_{i=1}^{n} \bigwedge_{q(\mathbf{y}) \xrightarrow{a_i(X)} \psi \in \Delta} \forall y_1 \ldots \forall y_{\#q} .\; q^{(i-1)}(\mathbf{y}) \rightarrow \psi^{(i)} \;\wedge\; \bigwedge_{q \in Q \setminus F} \forall y_1 \ldots \forall y_{\#q} .\; q^{(n)}(\mathbf{y}) \rightarrow \bot$$
We define the formulae:
$$\phi_i \stackrel{\text{def}}{=} \bigwedge_{q(\mathbf{y}) \xrightarrow{a_i(X)} \psi \in \Delta} \forall y_1 \ldots \forall y_{\#q} .\; q^{(i-1)}(\mathbf{y}) \rightarrow \psi^{(i)}, \text{ for all } i \in [1,n] \qquad\qquad \psi \stackrel{\text{def}}{=} \bigwedge_{q \in Q \setminus F} \forall y_1 \ldots \forall y_{\#q} .\; q^{(n)}(\mathbf{y}) \rightarrow \bot$$
Observe that $\mathrm{V}(\iota^{(0)}) \subseteq Q^{(0)}$, $\mathrm{V}(\phi_i) \subseteq Q^{(i-1)} \cup Q^{(i)} \cup X^{(i)}$, for all $i \in [1,n]$, and $\mathrm{V}(\psi) \subseteq Q^{(n)}$. We apply Lyndon's Interpolation Theorem for the formulae $\iota^{(0)}$ and $\bigwedge_{i=1}^n \phi_i \wedge \psi$ and obtain a formula $I_0$, such that $\iota^{(0)} \models I_0$, $I_0 \wedge \bigwedge_{i=1}^n \phi_i \wedge \psi$ is unsatisfiable, $\mathrm{V}(I_0) \subseteq \mathrm{V}(\iota^{(0)}) \cap (\bigcup_{i=1}^n \mathrm{V}(\phi_i) \cup \mathrm{V}(\psi)) \subseteq Q^{(0)}$ and $\mathrm{P}^-(I_0) \subseteq \mathrm{P}^-(\iota^{(0)}) \cap (\bigcup_{i=1}^n \mathrm{P}^-(\phi_i) \cup \mathrm{P}^-(\psi)) = \emptyset$. Repeating the reasoning for the formulae $I_0 \wedge \phi_1$ and $\bigwedge_{i=2}^n \phi_i \wedge \psi$, we obtain $I_1$, such that $I_0 \wedge \phi_1 \models I_1$, $I_1 \wedge \bigwedge_{i=2}^n \phi_i \wedge \psi$ is unsatisfiable, $\mathrm{V}(I_1) \subseteq (\mathrm{V}(I_0) \cup \mathrm{V}(\phi_1)) \cap (\bigcup_{i=2}^n \mathrm{V}(\phi_i) \cup \mathrm{V}(\psi)) \subseteq Q^{(1)}$ and $\mathrm{P}^-(I_1) \subseteq (\mathrm{P}^-(I_0) \cup \mathrm{P}^-(\phi_1)) \cap (\bigcup_{i=2}^n \mathrm{P}^-(\phi_i) \cup \mathrm{P}^-(\psi)) = \emptyset$. Continuing in this way, we obtain formulae $I_0, I_1, \ldots, I_n$ as required. ⊓⊔

The main problem with the local GLI construction described in the proof of Proposition 1 is that the existence of Lyndon interpolants (Definition 7) is guaranteed in principle, but the proof is non-constructive. Building an interpolant for an unsatisfiable conjunction of formulae $\varphi \wedge \psi$ is typically the job of the decision procedure that proves the unsatisfiability and, in general, there is no such procedure when $\varphi$ and $\psi$ contain predicates and have non-trivial quantifier alternation. In this case, some provers use instantiation heuristics for the universal quantifiers that are sufficient for proving unsatisfiability; however, these heuristics are not always suitable for interpolant generation. Consequently, from now on, we assume the existence of an effective Lyndon interpolation procedure only for decidable theories, such as the quantifier-free linear (integer) arithmetic with uninterpreted functions (UFLIA, UFLRA, etc.) [25].

This is where the predicate-free path formulae (Definition 4) come into play. For a given event sequence $\alpha$, the automaton $\mathcal{A}$ accepts a word $w$ such that $w_\Sigma = \alpha$ if and only if $\overline{\Upsilon}(\alpha)$ is satisfiable. Assuming further that the equality atoms in the transition rules of $\mathcal{A}$ are written in the language of a decidable first order theory, such as Presburger arithmetic, Lemma 5 gives us an effective way of checking emptiness of $\mathcal{A}$, relative to a given event sequence. However, this method does not cope well with lazy annotation, because there is no way to extract, from the unsatisfiability proof of $\overline{\Upsilon}(\alpha)$, the interpolants needed to annotate $\alpha$. This is because (i) the formula $\overline{\Upsilon}(\alpha)$, obtained by repeated substitutions (Definition 4), loses track of the steps of the execution, and (ii) the quantifiers that occur nested in $\overline{\Upsilon}(\alpha)$ make it difficult to write $\overline{\Upsilon}(\alpha)$ as an unsatisfiable conjunction of formulae from which interpolants are extracted (Definition 7).

The solution we adopt for the first issue (i) consists in partially recovering the time-stamped structure of the acceptance formula $\Upsilon(\alpha)$ using the formula $\widehat{\Upsilon}(\alpha)$, in which only transition quantifiers occur. The second issue (ii) is solved under the additional assumption that the theory of the data domain $D$ has witness-producing quantifier elimination. More precisely, we assume that, for each formula $\exists x .\, \varphi(x)$, there exists an effectively computable term $\tau$, in which $x$ does not occur, such that $\exists x .\, \varphi$ and $\varphi[\tau/x]$ are equisatisfiable.
These terms, called witness terms in the following, are actual definitions of the Skolem function symbols from the following folklore theorem.

Theorem 3 ([2]). Given a first order sentence $Q_1 x_1 \ldots Q_n x_n .\, \varphi$, where $Q_1, \ldots, Q_n \in \{\exists, \forall\}$ and $\varphi$ is quantifier-free, let $\eta_i \stackrel{\text{def}}{=} f_i(y_1, \ldots, y_{k_i})$ if $Q_i = \forall$ and $\eta_i \stackrel{\text{def}}{=} x_i$ if $Q_i = \exists$, where $f_i$ is a fresh function symbol and $\{y_1, \ldots, y_{k_i}\} = \{x_j \mid j < i,\; Q_j = \exists\}$. Then the entailment $Q_1 x_1 \ldots Q_n x_n .\, \varphi \models \varphi[\eta_1/x_1, \ldots, \eta_n/x_n]$ holds.

Proof: See [2, Theorem 2.1.8] and [2, Lemma 2.1.9]. ⊓⊔

Examples of witness-producing quantifier elimination procedures can be found in the literature for, e.g., linear integer (real) arithmetic (LIA, LRA), Presburger arithmetic and the boolean algebra of sets with Presburger cardinality constraints (BAPA) [16].

Under the assumption that witness terms can be effectively built, let us describe the generation of a non-local GLI for a given input event sequence $\alpha = a_1 \ldots a_n$. First, we generate successively the acceptance formula $\Upsilon(\alpha)$ and its equisatisfiable forms $\widehat{\Upsilon}(\alpha) = Q_1 x_1 \ldots Q_m x_m .\, \widehat{\Phi}$ and $\overline{\Upsilon}(\alpha) = Q_1 x_1 \ldots Q_m x_m .\, \overline{\Phi}$, both written in prenex form, with matrices $\widehat{\Phi}$ and $\overline{\Phi}$, respectively. Because we assumed that the first order theory of $D$ has quantifier elimination, the satisfiability problem for $\overline{\Upsilon}(\alpha)$ is decidable. If $\overline{\Upsilon}(\alpha)$ is satisfiable, we build a counterexample for emptiness $w$ such that $w_\Sigma = \alpha$ and $w_D$ is a satisfying assignment for $\overline{\Upsilon}(\alpha)$. Otherwise, $\overline{\Upsilon}(\alpha)$ is unsatisfiable and there exist witness terms $\tau_{i_1}, \ldots, \tau_{i_\ell}$, where $\{i_1, \ldots, i_\ell\} = \{j \in [1,m] \mid Q_j = \forall\}$, such that $\overline{\Phi}[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}]$ is unsatisfiable (Theorem 3). Then it turns out that the formula $\widehat{\Phi}[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}]$, obtained analogously from the matrix of $\widehat{\Upsilon}(\alpha)$, is unsatisfiable as well (Lemma 6). Because this latter formula is structured as a conjunction of formulae $\iota^{(0)} \wedge \phi_1 \wedge \ldots \wedge \phi_n \wedge \psi$, where $\mathrm{V}(\phi_k) \cap Q^{(\leq n)} \subseteq Q^{(k-1)} \cup Q^{(k)}$ and $\mathrm{V}(\psi) \cap Q^{(\leq n)} \subseteq Q^{(n)}$, it is now possible to use an existing interpolation procedure for the quantifier-free theory of $D$, extended with uninterpreted function symbols, to compute a sequence of non-local GLI $(I_0, \ldots, I_n)$ such that $\mathrm{V}(I_k) \cap Q^{(\leq n)} \subseteq Q^{(k)}$, for all $k \in [n]$.

Example 3 (Contd. from Examples 1 and 2).
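The substitution of Theorem 3 is the one step of the non-local GLI construction that can be shown in code without a solver. The Python below is an added example (not from the paper): given a quantifier prefix, it builds the terms $\eta_i$ exactly as in Theorem 3 (a fresh function symbol $f_i$ applied to the existentially quantified variables that precede a universal $x_i$, and $x_i$ itself for an existential), applies them to a quantifier-free matrix written as nested tuples, and checks the dependency condition that the witness of each universal mentions only existentials bound before it, the same shape of constraint that Lemma 6(1) imposes on the witness terms $\tau_{i_j}$. The final call re-creates the instantiation of Example 3, where the concrete witness $\tau = z_1$ replaces the universal $z_2$; the prefix, matrix and the names `f2`, `f4` are constructed for illustration.

```python
def witness_terms(prefix):
    """Theorem 3: prefix is a list of ('forall' | 'exists', name) in quantifier order.
    Returns {x_i: eta_i}, where eta_i = f_i(y_1..y_k) for universal x_i (y_j the existentials
    bound before x_i) and eta_i = x_i for existential x_i.  Function terms are tuples (symbol, *args)."""
    eta, preceding_existentials = {}, []
    for i, (quantifier, x) in enumerate(prefix, start=1):
        if quantifier == 'forall':
            eta[x] = ('f%d' % i,) + tuple(preceding_existentials)   # fresh function symbol f_i
        elif quantifier == 'exists':
            eta[x] = x
            preceding_existentials.append(x)
        else:
            raise ValueError('unknown quantifier %r' % quantifier)
    return eta

def substitute(term, eta):
    """phi[eta/x] on a quantifier-free matrix given as nested tuples (operator, arg, ...);
    variables are strings, every other leaf is a constant and is left untouched."""
    if isinstance(term, str):
        return eta.get(term, term)
    if isinstance(term, tuple):
        return (term[0],) + tuple(substitute(a, eta) for a in term[1:])
    return term

def variables(term):
    """Vocabulary V(t) of a term: the variables occurring in it."""
    if isinstance(term, str):
        return {term}
    if isinstance(term, tuple):
        return set().union(*(variables(a) for a in term[1:]))
    return set()

def dependency_ok(prefix, eta):
    """Each universal's witness may only mention existentials quantified before it."""
    for i, (quantifier, x) in enumerate(prefix, start=1):
        if quantifier == 'forall':
            allowed = {y for (q, y) in prefix[:i - 1] if q == 'exists'}
            if not variables(eta[x]) <= allowed:
                return False
    return True

def herbrandize(prefix, matrix):
    """phi[eta_1/x_1, ..., eta_n/x_n], which Q_1 x_1 ... Q_n x_n . phi entails by Theorem 3."""
    eta = witness_terms(prefix)
    if not dependency_ok(prefix, eta):
        raise ValueError('witness terms violate the quantifier order')
    return substitute(matrix, eta)

# Constructed sentence: ∃x1 ∀x2 ∃x3 ∀x4 . x1 <= x2 ∧ x3 + x4 < x1
PREFIX = [('exists', 'x1'), ('forall', 'x2'), ('exists', 'x3'), ('forall', 'x4')]
MATRIX = ('and', ('<=', 'x1', 'x2'), ('<', ('+', 'x3', 'x4'), 'x1'))

# Matrix of Example 2 (as reconstructed above) under the prefix ∃z1 ∀z2; Example 3 picks tau = z1 for z2.
EXAMPLE2_MATRIX = ('and', ('>=', 'z1', 0),
                   ('and', ('>=', 'x1', 0), ('->', ('>=', 'z2', 'z1'), ('<', ('+', 'x1', 'z2'), 0))))

def example3_instance():
    """The concrete quantifier-elimination witness of Example 3 applied to the matrix of Example 2."""
    return substitute(EXAMPLE2_MATRIX, {'z2': 'z1'})

if __name__ == '__main__':
    print(witness_terms(PREFIX))
    print(herbrandize(PREFIX, MATRIX))
    print(example3_instance())
```

Theorem 3 only promises the fresh symbols $f_i$; the witness-producing quantifier elimination assumed in the text is what lets one replace $f_i(\ldots)$ by an actual term of the data theory (here `z1` for `z2`), which is why the substituted matrix can then be handed to a quantifier-free interpolation procedure.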
The formula $\overline{\Upsilon}(\alpha)$ (Example 2) is unsatisfiable; let $\tau = z_1$ be the witness term for the universally quantified variable $z_2$. Replacing $z_2$ with $\tau$ in the matrix of $\widehat{\Upsilon}(\alpha)$ (Example 1) yields the unsatisfiable conjunction:
$$z_1 \geq 0 \wedge q_0^{(0)}(z_1) \wedge \big(q_0^{(0)}(z_1) \rightarrow x^{(1)} \geq 0 \wedge (z_1 \geq z_1 \rightarrow q_1^{(1)}(x^{(1)} + z_1))\big) \wedge \big(q_1^{(1)}(x^{(1)} + z_1) \rightarrow x^{(1)} + z_1 < 0 \wedge q_f^{(2)}(x^{(2)} + x^{(1)} + z_1)\big)$$
A non-local GLI for the above is $(q_0^{(0)}(z_1) \wedge z_1 \geq 0,\; x^{(1)} \geq 0 \wedge q_1^{(1)}(x^{(1)} + z_1) \wedge z_1 \geq 0,\; \bot)$. ∎

A function $\xi : \mathbb{N} \rightarrow \mathbb{N}$ is [strictly] monotonic iff for each $n < m$ we have $\xi(n) \leq \xi(m)$ [$\xi(n) < \xi(m)$] and finite-range iff for each $n \in \mathbb{N}$ the set $\{m \mid \xi(m) = n\}$ is finite. If $\xi$ is finite-range, we denote by $\xi^{-1}(n) \in \mathbb{N}$ the maximal value $m$ such that $\xi(m) = n$. The lemma below gives the proof of correctness for the construction of non-local GLI.

Lemma 6.
Given a non-empty input event sequence $\alpha = a_1 \ldots a_n \in \Sigma^*$, such that $\Upsilon(\alpha)$ is unsatisfiable, let $Q_1 x_1 \ldots Q_m x_m .\, \widehat{\Phi}$ be a prenex form of $\widehat{\Upsilon}(\alpha)$ and let $\xi : [1,m] \rightarrow [n]$ be a monotonic function mapping each transition quantifier to the minimal index from the sequence $\widehat{\Theta}(\alpha_0), \ldots, \widehat{\Theta}(\alpha_n)$ where it occurs. Then one can effectively build:
1. witness terms $\tau_{i_1}, \ldots, \tau_{i_\ell}$, where $\{i_1, \ldots, i_\ell\} = \{j \in [1,m] \mid Q_j = \forall\}$ and $\mathrm{V}(\tau_{i_j}) \subseteq X^{(\leq \xi(i_j))} \cup \{x_k \mid k < i_j,\; Q_k = \exists\}$, for all $j \in [1,\ell]$, such that $\widehat{\Phi}[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}]$ is unsatisfiable, and
2. a GLI $(I_0, \ldots, I_n)$ for $\alpha$, such that $\mathrm{V}(I_k) \subseteq Q^{(k)} \cup X^{(\leq k)} \cup \{x_j \mid j < \xi^{-1}(k),\; Q_j = \exists\}$, for all $k \in [n]$.

Proof: (1) If $\Upsilon(\alpha)$ is unsatisfiable, by Lemmas 3 and 4, we obtain that, successively, $\widehat{\Upsilon}(\alpha)$ and $\overline{\Upsilon}(\alpha)$ are unsatisfiable. Let $Q_1 x_1 \ldots Q_m x_m .\, \widehat{\Phi}$ and $Q_1 x_1 \ldots Q_m x_m .\, \overline{\Phi}$ be prenex forms for $\widehat{\Upsilon}(\alpha)$ and $\overline{\Upsilon}(\alpha)$, respectively. Since we assumed that the first order theory of the data domain has witness-producing quantifier elimination, using Theorem 3 one can effectively build witness terms $\tau_{i_1}, \ldots, \tau_{i_\ell}$, where $\{i_1, \ldots, i_\ell\} = \{i \in [1,m] \mid Q_i = \forall\}$ and:
– $\mathrm{V}(\tau_{i_j}) \subseteq X^{(\leq \xi(i_j))} \cup \{x_k \mid k < i_j,\; Q_k = \exists\}$, for all $j \in [1,\ell]$, and
– $\overline{\Phi}[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}]$ is unsatisfiable.
Let $\widehat{\Phi}_0, \ldots, \widehat{\Phi}_n$ be the sequence of quantifier-free formulae, defined as follows:
– $\widehat{\Phi}_0$ is the matrix of some prenex form of $\iota^{(0)}$,
– for all $i = 1, \ldots, n$, $\widehat{\Phi}_i$ is the matrix of some prenex form of
$$\widehat{\Phi}_i \stackrel{\text{def}}{=} \widehat{\Phi}_{i-1} \wedge \underbrace{\bigwedge_{\substack{q^{(i-1)}(t_1,\ldots,t_{\#q}) \text{ occurs in } \widehat{\Phi}_{i-1} \\ q(y_1,\ldots,y_{\#q}) \xrightarrow{a_i(X)} \psi \in \Delta}} q^{(i-1)}(t_1,\ldots,t_{\#q}) \rightarrow \psi^{(i)}[t_1/y_1,\ldots,t_{\#q}/y_{\#q}]}_{\stackrel{\text{def}}{=} \phi_i}$$
It is easy to see that $\widehat{\Phi}$ is the matrix of some prenex form of:
$$\widehat{\Phi}_n \wedge \underbrace{\bigwedge_{\substack{q^{(n)}(t_1,\ldots,t_{\#q}) \text{ occurs in } \widehat{\Phi}_n \\ q \in Q \setminus F}} q^{(n)}(t_1,\ldots,t_{\#q}) \rightarrow \bot}_{\stackrel{\text{def}}{=} \psi}$$
Applying the equivalence from Fact 2 in the proof of Lemma 4, we obtain a sequence of quantifier-free formulae $\overline{\Phi}_0, \ldots, \overline{\Phi}_n$ such that $\overline{\Phi}_i \equiv \widehat{\Phi}_i$, for all $i \in [n]$, and $\overline{\Phi}$ is obtained from $\overline{\Phi}_n$ by replacing each occurrence of a predicate atom $q(t_1,\ldots,t_{\#q})$ in $\overline{\Phi}_n$ by $\bot$ if $q \in Q \setminus F$ and by $\top$ if $q \in F$. Clearly $\overline{\Phi} \equiv \widehat{\Phi}$, thus $\widehat{\Phi}[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}] \equiv \overline{\Phi}[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}] \equiv \bot$.

(2) With the notation introduced at point (1), we have $\widehat{\Phi} = \widehat{\Phi}_0 \wedge \bigwedge_{i=1}^n \phi_i \wedge \psi$. Consider the sequence of witness terms $\tau_{i_1}, \ldots, \tau_{i_\ell}$, whose existence is proved by point (1). Because $\mathrm{V}(\tau_{i_j}) \subseteq X^{(\leq \xi(i_j))} \cup \{x_k \mid k < i_j,\; Q_k = \exists\}$, for all $j \in [1,\ell]$, and moreover $\xi^{-1}$ is strictly monotonic, we obtain:
– $\mathrm{V}(\widehat{\Phi}_0[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}]) \subseteq Q^{(0)} \cup X^{(0)} \cup \{x_j \mid j < \xi^{-1}(0),\; Q_j = \exists\}$,
– $\mathrm{V}(\phi_i[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}]) \subseteq Q^{(i-1)} \cup Q^{(i)} \cup X^{(\leq i)} \cup \{x_j \mid j < \xi^{-1}(i),\; Q_j = \exists\}$, for all $i \in [1,n]$,
– $\mathrm{V}(\psi[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}]) \subseteq Q^{(n)} \cup X^{(\leq n)} \cup \{x_j \mid j \in [1,m],\; Q_j = \exists\}$.
By repeatedly applying Lyndon's Interpolation Theorem, we obtain a sequence of formulae $(I_0, \ldots, I_n)$ such that:
– $\widehat{\Phi}_0[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}] \models I_0$ and $\mathrm{V}(I_0) \subseteq Q^{(0)} \cup X^{(0)} \cup \{x_j \mid j < \xi^{-1}(0),\; Q_j = \exists\}$,
– $I_{k-1} \wedge \phi_k[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}] \models I_k$ and $\mathrm{V}(I_k) \subseteq Q^{(k)} \cup X^{(\leq k)} \cup \{x_j \mid j < \xi^{-1}(k),\; Q_j = \exists\}$, for all $k \in [1,n]$,
– $I_n \wedge \psi[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}]$ is unsatisfiable.
To show that $(I_0, \ldots, I_n)$ is a GLI for $a_1 \ldots a_n$, it is sufficient to notice that
$$\bigwedge_{q(\mathbf{y}) \xrightarrow{a_k(X)} \psi \in \Delta} \forall y_1 \ldots \forall y_{\#q} .\; q^{(k-1)}(\mathbf{y}) \rightarrow \psi^{(k)} \;\models\; \phi_k$$
for all $k \in [1,n]$. Consequently, we obtain:
– $\iota^{(0)} \models \widehat{\Phi}_0[\tau_{i_1}/x_{i_1}, \ldots, \tau_{i_\ell}/x_{i_\ell}] \models I_0$, by Theorem 3,
– $I_{k-1} \wedge \Big(\bigwedge_{q(\mathbf{y}) \xrightarrow{a_k(X)} \psi \in \Delta} \forall y_1 \ldots \forall y_{\#q} .\; q^{(k-1)}(\mathbf{y}) \rightarrow \psi^{(k)}\Big) \models I_{k-1} \wedge \phi_k \models I_k$, and
– $I_n \wedge \Big(\bigwedge_{q \in Q \setminus F} \forall y_1 \ldots \forall y_{\#q} .\; q^{(n)}(\mathbf{y}) \rightarrow \bot\Big) \models I_n \wedge \psi \models \bot$,
as required by Definition 8. ⊓⊔

In conclusion, under two assumptions about the first order theory of the data domain, namely (i) witness-producing quantifier elimination, and (ii) Lyndon interpolation for the quantifier-free fragment with uninterpreted functions, we developed a rather generic method that produces generalized Lyndon interpolants for infeasible input event sequences. Moreover, each formula $I_k$ in the interpolant refers only to the current predicate symbols $Q^{(k)}$, the current and past input variables $X^{(\leq k)}$ and the existentially quantified transition variables introduced at the previous steps $\{x_j \mid j < \xi^{-1}(k),\; Q_j = \exists\}$. The remaining question is how to use such non-local interpolants to label the unfolding of an automaton (Definition 5) and to compute the coverage between nodes of the unfolding (Definition 6).

As required by Definition 5, the unfolding $U$ of an automaton $\mathcal{A} = \langle \Sigma, X, Q, \iota, F, \Delta \rangle$ is labeled by formulae $U(\alpha) \in \mathsf{Form}^+(Q, \emptyset)$, with no free symbols other than predicate symbols, such that the labeling is compatible with the transition relation of the automaton, according to point (3) of Definition 5. The following lemma describes the refinement of the labeling of an input sequence $\alpha$ of length $n$ by a non-local GLI $(I_0, \ldots, I_n)$, such that $\mathrm{V}(I_k) \subseteq Q^{(k)} \cup X^{(\leq k)} \cup \mathbf{x}_k$, where $\mathbf{x}_k$ are the existentially quantified variables from the prenex normal form of $\widehat{\Upsilon}(\alpha_k)$.

Lemma 7.
Let $U$ be an unfolding of an automaton $\mathcal{A} = \langle \Sigma, X, Q, \iota, F, \Delta \rangle$ such that $\alpha = a_1 \ldots a_n \in \mathrm{dom}(U)$ and let $(I_0, \ldots, I_n)$ be a GLI for $\alpha$. The mapping $U' : \mathrm{dom}(U) \rightarrow \mathsf{Form}^+(Q, \emptyset)$ defined as:
– $U'(\alpha_k) = U(\alpha_k) \wedge J_k$, for all $k \in [n]$, where $J_k$ is the formula obtained from $I_k$ by replacing each time-stamped predicate symbol $q^{(k)}$ by $q$ and existentially quantifying each free variable in $I_k$,
– $U'(\beta) = U(\beta)$ if $\beta \in \mathrm{dom}(U)$ and $\beta \not\preceq \alpha$,
is an unfolding of $\mathcal{A}$.

Proof: The new set of formulae $U'(\alpha_0), \ldots, U'(\alpha_n)$ complies with Definition 5, because:
– $U'(\alpha_0) \equiv \iota$, since, by point 2 of Definition 8, we have $\iota^{(0)} \models I_0$, thus $\iota \models J_0$ and $U'(\alpha_0) = U(\alpha_0) \wedge J_0 \equiv \iota \wedge J_0 \equiv \iota$, and
– by point 2 of Definition 8 we have, for all $k \in [n-1]$:
$$I_k \wedge \bigwedge_{q(\mathbf{y}) \xrightarrow{a_{k+1}(X)} \psi \in \Delta} \forall y_1 \ldots \forall y_{\#q} .\; q^{(k)}(\mathbf{y}) \rightarrow \psi^{(k+1)} \;\models\; I_{k+1}$$
We write $I_k^{\langle j \rangle}$ for the formula in which each predicate symbol $q^{(k)}$ is replaced by $q^{(j)}$. Then the following entailment holds:
$$I_k^{\langle 0 \rangle} \wedge \bigwedge_{q(\mathbf{y}) \xrightarrow{a_{k+1}(X)} \psi \in \Delta} \forall y_1 \ldots \forall y_{\#q} .\; q^{(0)}(\mathbf{y}) \rightarrow \psi^{(1)} \;\models\; I_{k+1}^{\langle 1 \rangle}$$
Because $J_k$ is obtained by removing the time stamps from the predicate symbols and existentially quantifying all the free variables of $I_k$, we also obtain, applying Fact 4 below:
$$J_k^{(0)} \wedge \bigwedge_{q(\mathbf{y}) \xrightarrow{a_{k+1}(X)} \psi \in \Delta} \forall y_1 \ldots \forall y_{\#q} .\; q^{(0)}(\mathbf{y}) \rightarrow \psi^{(1)} \;\models\; J_{k+1}^{(1)}$$
Since $U$ satisfies the labeling condition of Definition 5 (3) and $U'(\alpha_k) = U(\alpha_k) \wedge J_k$, we obtain, as required:
$$U'(\alpha_k)^{(0)} \wedge \bigwedge_{q(\mathbf{y}) \xrightarrow{a_{k+1}(X)} \psi \in \Delta} \forall y_1 \ldots \forall y_{\#q} .\; q^{(0)}(\mathbf{y}) \rightarrow \psi^{(1)} \;\models\; U'(\alpha_{k+1})^{(1)} .$$

Fact 4. Given formulae $\varphi(\mathbf{x}, \mathbf{y})$ and $\psi(\mathbf{x})$ such that $\varphi(\mathbf{x}, \mathbf{y}) \models \psi(\mathbf{x})$, we also have $\exists \mathbf{x} .\, \varphi(\mathbf{x}, \mathbf{y}) \models \exists \mathbf{x} .\, \psi(\mathbf{x})$.

Proof: For each choice of a valuation for the existentially quantified variables on the left-hand side, we choose the same valuation for the variables on the right-hand side. ⊓⊔ ⊓⊔

Observe that, by Lemma 6 (2), the set of free variables of a GLI formula $I_k$ consists of (i) variables $X^{(\leq k)}$ keeping track of data values seen in the input at some earlier moment in time, and (ii) variables that track past choices made within the transition rules. Basically, it is not important when exactly in the past a certain input was read or a choice was made, as only the value of the variable determines the future behavior. Intuitively, existential quantification of these variables does the job of ignoring when in the past these values were seen.

The last ingredient of the lazy annotation semi-algorithm based on unfoldings consists in the implementation of the coverage check, when the unfolding of an automaton is labeled with conjunctions of existentially quantified formulae with predicate symbols, obtained from interpolation. By Definition 6, checking whether a given node $\alpha \in \mathrm{dom}(U)$ is covered amounts to finding a prefix $\alpha' \preceq \alpha$ and a node $\beta \in \mathrm{dom}(U)$ such that $U(\alpha') \models U(\beta)$, or equivalently, the formula $U(\alpha') \wedge \neg U(\beta)$ is unsatisfiable. However, the latter formula, in prenex form, has a quantifier prefix in the language $\exists^* \forall^*$ and, as previously mentioned, the satisfiability problem for such formulae becomes undecidable when the data theory subsumes Presburger arithmetic [8].

Nevertheless, if we require just a yes/no answer (i.e. not an interpolant), recently developed quantifier instantiation heuristics [24] perform rather well in answering a large number of queries in this class. Observe, moreover, that coverage does not need to rely on a complete decision procedure. If the prover fails in answering the above satisfiability query, then the semi-algorithm assumes that the node is not covered and continues exploring its successors.
Failure to compute complete coverage may lead to divergence (non-termination) and ultimately, to failure to prove emptiness, but does not affect the soundness of the semi-algorithm (real counterexamples will still be found).

The main application of first order alternating automata is checking inclusion between various classes of automata extended with variables ranging over infinite domains, that recognize languages over infinite alphabets. The most widely known such classes are timed automata [1] and finite-memory (register) automata [14]. In both cases, complementation is not possible inside the class and inclusion is undecidable. Our contribution is providing a systematic semi-algorithm for these decision problems. In addition, the method described in § extends the generic register automata inclusion checking framework of [10], by allowing monitor (right-hand side) automata to have local variables, that are not visible in the language.

Another application is checking safety (mutual exclusion, absence of deadlocks, etc.) and liveness (termination, lack of starvation, etc.) properties of parameterized concurrent programs, consisting of an unbounded number of replicated threads that communicate via a fixed set of global variables (locks, counters, etc.). The verification of parametric programs has been reduced to checking the emptiness of a (possibly infinite) sequence of first order alternating automata, called predicate automata [4,5], encoding the inclusion of the set of traces of a parametric concurrent program into increasingly general proof spaces, obtained by generalization of counterexamples. The program and the proof spaces are first order alternating automata over the infinite alphabet of pairs consisting of program statements and thread identifiers.

The standard definition of a finite timed word is a sequence of pairs $(a_1, \tau_1), \ldots, (a_n, \tau_n) \in (\Sigma \times \mathbb{R})^*$, where $\mathbb{R}$ is the set of real numbers, such that $0 \le \tau_i < \tau_{i+1}$, for all $i \in [1, n-1]$, and $\tau_i$ is the moment in time where the input event $a_i$ occurs. Given a set $C$ of clocks, the set $\Phi(C)$ of clock constraints is defined inductively as the set of formulae $x \le c$, $x \ge c$, $\neg \delta$, $\delta_1 \wedge \delta_2$, where $x \in C$, $c \in \mathbb{Q}$ is a rational constant and $\delta, \delta_1, \delta_2 \in \Phi(C)$. A timed automaton is a tuple $T = \langle \Sigma, S, S_0, F, C, E \rangle$, where: $\Sigma$ is a finite set of input events, $S$ is a finite set of states, $S_0, F \subseteq S$ are the sets of initial and final states, respectively, $C$ is a finite set of clocks and $E \subseteq S \times \Sigma \times S \times 2^C \times \Phi(C)$ is the set of transitions $(s, a, s', \lambda, \delta)$ from state $s$ to state $s'$ with symbol $a$, where $\lambda$ is the set of clocks to be reset and $\delta$ is a clock constraint. A run of $T$ over a timed word $w = (a_1, \tau_1) \ldots (a_n, \tau_n)$ is a sequence $(s_0, \gamma_0) \ldots (s_n, \gamma_n)$, where $s_i \in S$ and $\gamma_i : C \to \mathbb{R}$ are clock valuations, for all $i \in [n]$, and:
– $s_0 \in S_0$ and $\gamma_0(x) = 0$ for all $x \in C$,
– for all $i \in [n]$, there exists a transition $(s_i, a_i, s_{i+1}, \lambda_i, \delta_i) \in E$ such that $\gamma_i + \tau_{i+1} - \tau_i \models \delta_i$, and for all $x \in C$, $\gamma_{i+1}(x) = 0$ if $x \in \lambda_i$ and $\gamma_{i+1}(x) = \gamma_i(x) + \tau_{i+1} - \tau_i$, otherwise.
Here $\gamma_i + \tau_{i+1} - \tau_i$ is the valuation mapping each $x \in C$ to $\gamma_i(x) + \tau_{i+1} - \tau_i$. The run is accepting iff $s_n \in F$, in which case $T$ accepts $w$. As usual, we denote by $L(T)$ the set of finite words accepted by $T$. It is well-known that, in general, there is no timed automaton accepting the complement language $(\Sigma \times \mathbb{R})^* \setminus L(T)$ and, moreover, the language inclusion problem is undecidable [1].

Given a timed automaton $T = \langle \Sigma, S, S_0, F, C, E \rangle$, we define a first order alternating automaton $A_T = \langle \Sigma, \{t\}, Q_T, \iota_T, F_T, \Delta_T \rangle$, with a single input variable $t$, ranging over $\mathbb{R}$, such that each timed word $w = (a_1, \tau_1) \ldots (a_n, \tau_n)$ corresponds to a unique data word $d(w) = (a_1, \nu_1) \ldots (a_n, \nu_n)$ such that $\nu_i(t) = \tau_i$ for all $i \in [1, n]$, and $L(A_T) = \{ d(w) \mid w \in L(T) \}$. The only difficulty here is capturing the fact that all the clocks of $T$ evolve at the same pace, which is easily done using a technique from [7], which replaces each clock $x_i$ of $T$ by a variable $y_i$ tracking the difference between the values of $t$ and $x_i$. Formally, if $C = \{x_1, \ldots, x_k\}$ and $S = \{s_1, \ldots, s_m\}$, we define $Q_T \stackrel{\mathrm{def}}{=} \{q_1, \ldots, q_m\}$, where $\#(q_i) = k + 1$ for $i \in [1, m]$, $\iota_T \stackrel{\mathrm{def}}{=} \bigvee_{s_i \in S_0} q_i(0, \ldots, 0)$, $F_T \stackrel{\mathrm{def}}{=} \{ q_i \mid s_i \in F \}$ and, for each transition $(s_i, a, s_j, \lambda, \delta) \in E$, $\Delta_T$ contains the rule:
$$q_i(y_1, \ldots, y_k, z) \xrightarrow{a(t)} t > z \wedge \delta(z - y_1, \ldots, z - y_k) \wedge q_j(y'_1, \ldots, y'_k, t)$$
where $y'_i$ stands for $z$ if $x_i \in \lambda$ and for $y_i$, otherwise. Moreover, nothing else is in $\Delta_T$. We establish the following connection between a timed automaton and its corresponding first order alternating automaton.

Proposition 2.
Given a timed automaton $T = \langle \Sigma, S, S_0, F, C, E \rangle$, the first order alternating automaton $A_T = \langle \Sigma, \{t\}, Q_T, \iota_T, F_T, \Delta_T \rangle$ recognizes the language $L(A_T) = \{ d(w) \mid w \in L(T) \}$.
Proof: “$\subseteq$” Let $w = (a_1, \nu_1) \ldots (a_n, \nu_n) \in L(A_T)$ be a data word. We show the existence of a timed word $(a_1, \tau_1) \ldots (a_n, \tau_n) \in L(T)$ such that $\nu_i(t) = \tau_i$, for all $i \in [1, n]$, by induction on $n \ge 0$. In fact we shall prove the following stronger statements:
1. each execution of $A_T$ over $w$ starting with a cube $c \in c(\llbracket \iota_T \rrbracket_\mu)$ is a linear tree, in which each node has at most one child;
2. for each execution $q_{i_0}(d_{01}, \ldots, d_{0k}, \tau_0) \ldots q_{i_n}(d_{n1}, \ldots, d_{nk}, \tau_n)$ of $A_T$, $T$ has an execution $(s_{i_0}, \gamma_0) \ldots (s_{i_n}, \gamma_n)$ over the timed word $(a_1, \tau_1) \ldots (a_n, \tau_n)$, such that, for all $i \in [1, n]$ and all $\ell \in [1, k]$, we have $\gamma_i(x_\ell) = \tau_{i-1} - d_{i\ell}$.
The first point above is by inspection of $\iota_T = \bigvee_{s_i \in S_0} q_i(0, \ldots, 0)$ and of the rules from $\Delta_T$. Indeed, each minimal model of $\iota_T$ corresponds to a cube $q_i(0, \ldots, 0)$ and each rule has exactly one predicate atom on its right-hand side, thus each node of the execution will have at most one successor. The second point is by induction on $n \ge 0$.
“$\supseteq$” Let $w = (a_1, \tau_1) \ldots (a_n, \tau_n) \in L(T)$ be a timed word. By induction on $n \ge 0$, for each run $(s_{i_0}, \gamma_0) \ldots (s_{i_n}, \gamma_n)$ of $T$ over $w$, $A_T$ has a linear execution $q_{i_0}(d_{01}, \ldots, d_{0k}, \tau_0) \ldots q_{i_n}(d_{n1}, \ldots, d_{nk}, \tau_n)$ such that, for all $i \in [1, n]$ and all $\ell \in [1, k]$, we have $\gamma_i(x_\ell) = \tau_{i-1} - d_{i\ell}$. ⊓⊔

An easy consequence is that the timed language inclusion problem “given timed automata $T_1$ and $T_2$, does $L(T_1) \subseteq L(T_2)$?” is reduced in polynomial time to the emptiness problem $L(A_{T_1}) \cap \overline{L(A_{T_2})} = \emptyset$, for which (§4) provides a semi-algorithm. Observe, moreover, that no transition quantifiers are needed to encode timed automata as first order alternating automata.
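The run definition above can be executed directly, and the clock-difference idea behind the translation into first order alternating automata (one variable per clock holding the difference between the current time-stamp and the clock, so that the passage of time needs no update of every clock) can be checked against it on concrete timed words. The following Python program is an added example, not code from the paper or from the FOADA tool. The request/acknowledge automaton with its deadline guard, the timed words and the class and function names are all constructed for illustration; the difference form keeps, per clock, the time-stamp of its last reset together with the previous event time, and evaluates guards at the new time-stamp, which is the form the run definition takes once $\gamma_i + \tau_{i+1} - \tau_i$ is spelled out.

```python
from fractions import Fraction
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Valuation = Dict[str, Fraction]
Guard = Callable[[Valuation], bool]            # a clock constraint delta in Phi(C)
# a transition (s, a, s', lambda, delta): source, event, target, clocks to reset, guard
Transition = Tuple[str, str, str, FrozenSet[str], Guard]


class TimedAutomaton:
    """T = <Sigma, S, S0, F, C, E>; Sigma is implicit in the events used by E."""

    def __init__(self, states, init, final, clocks, transitions):
        self.states: Set[str] = set(states)
        self.init: Set[str] = set(init)
        self.final: Set[str] = set(final)
        self.clocks: List[str] = list(clocks)
        self.transitions: List[Transition] = list(transitions)

    def accepts_direct(self, word: List[Tuple[str, Fraction]]) -> bool:
        """Explore every run (s_0, gamma_0) ... (s_n, gamma_n) of the definition:
        gamma_i is the clock valuation right after the i-th event, the guard is
        evaluated on gamma_i + (tau_{i+1} - tau_i) and reset clocks restart at 0."""
        zero = {x: Fraction(0) for x in self.clocks}
        confs = {(s, tuple(sorted(zero.items()))) for s in self.init}
        prev: Optional[Fraction] = None
        for a, tau in word:
            # time-stamps must be non-negative and strictly increasing
            if tau < 0 or (prev is not None and tau <= prev):
                return False
            elapsed = tau - (prev if prev is not None else Fraction(0))
            nxt = set()
            for s, gamma_items in confs:
                aged = {x: g + elapsed for x, g in dict(gamma_items).items()}
                for src, ev, dst, resets, guard in self.transitions:
                    if src == s and ev == a and guard(aged):
                        new = {x: (Fraction(0) if x in resets else aged[x]) for x in self.clocks}
                        nxt.add((dst, tuple(sorted(new.items()))))
            confs, prev = nxt, tau
        return any(s in self.final for s, _ in confs)

    def accepts_difference(self, word: List[Tuple[str, Fraction]]) -> bool:
        """Same exploration in difference form: a configuration (s, d, z) stores,
        per clock x_l, the time-stamp d_l of its last reset (0 initially) and the
        previous event time z; the value of x_l at time t is t - d_l."""
        confs = {(s, tuple(Fraction(0) for _ in self.clocks), None) for s in self.init}
        for a, t in word:
            nxt = set()
            for s, d, z in confs:
                if t < 0 or (z is not None and t <= z):
                    continue
                vals = {x: t - dl for x, dl in zip(self.clocks, d)}
                for src, ev, dst, resets, guard in self.transitions:
                    if src == s and ev == a and guard(vals):
                        nd = tuple(t if x in resets else dl for x, dl in zip(self.clocks, d))
                        nxt.add((dst, nd, t))
            confs = nxt
        return any(s in self.final for s, _, _ in confs)


# Constructed automaton: every "ack" must follow its "req" within 2 time units.
DEADLINE = TimedAutomaton(
    states=["idle", "busy"], init=["idle"], final=["idle"], clocks=["x"],
    transitions=[
        ("idle", "req", "busy", frozenset({"x"}), lambda v: True),     # reset x on req
        ("busy", "ack", "idle", frozenset(), lambda v: v["x"] <= 2),   # guard x <= 2 on ack
    ])


def timed_word(*pairs) -> List[Tuple[str, Fraction]]:
    """Build (a_1, tau_1) ... (a_n, tau_n) with exact rational time-stamps."""
    return [(a, Fraction(t)) for a, t in pairs]


# Constructed inputs.
IN_TIME = timed_word(("req", 1), ("ack", "5/2"), ("req", 5), ("ack", 7))
LATE = timed_word(("req", 1), ("ack", "7/2"))
NOT_MONOTONE = timed_word(("req", 1), ("ack", 1))


def both_agree(word) -> Tuple[bool, bool]:
    """Acceptance in the direct and in the difference representation."""
    return DEADLINE.accepts_direct(word), DEADLINE.accepts_difference(word)


if __name__ == "__main__":
    for name, w in [("in time", IN_TIME), ("late", LATE), ("not monotone", NOT_MONOTONE)]:
        print(name, both_agree(w))
```

Both checkers explore all runs, so nondeterministic automata are handled; exact rationals avoid floating-point drift in the guards.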
Finite-memory automata, most commonly referred to as register automata [14], are among the first attempts at lifting the finite alphabet restriction of classical Rabin-Scott automata. In a nutshell, a register automaton is a finite-state automaton equipped with a finite set of registers $x_1, \ldots, x_r$ able to copy input values and compare them with subsequent input. Consequently, basic results from classical automata theory, such as the pumping lemma or the closure under complement, do not hold in this model and, moreover, inclusion of languages recognized by register automata is undecidable [21].

Let $\Sigma$ be an infinite alphabet, let a designated symbol not in $\Sigma$ be fixed, and let $r > 0$. An assignment is a word $v = v_1 \ldots v_r$ such that if $v_i = v_j$ and $i \ne j$ then $v_i$ is the designated symbol, for all $i, j \in [1, r]$. We write $[v]$ for the set $\{ v_i \mid i \in [1, r] \}$ of values in the assignment $v$. A finite-memory (register) automaton is a tuple $R = \langle S, q_0, u, \rho, \mu, F \rangle$, where $S$ is a finite set of states, $q_0 \in S$ is the initial state, $u = u_1 \ldots u_r$ is the initial assignment, $\rho : S \to [1, r]$ is the reassignment partial function, $\mu \subseteq S \times [1, r] \times S$ is the transition relation and $F \subseteq S$ is the set of final states. A run of $R$ over an input word $a_1 \ldots a_n \in \Sigma^*$ is a sequence $(s_0, v_0) \ldots (s_n, v_n)$ such that $v_0 = u$ and, for all $i \in [1, n]$, exactly one of the following holds:
– if there exists $k \in [1, r]$ such that $a_i = (v_{i-1})_k$ then $v_i = v_{i-1}$ and $(s_{i-1}, k, s_i) \in \mu$,
– otherwise $a_i \notin [v_{i-1}]$, $\rho(s_{i-1})$ is defined, $(v_i)_{\rho(s_{i-1})} = a_i$, for each $k \in [1, r] \setminus \{\rho(s_{i-1})\}$ we have $(v_i)_k = (v_{i-1})_k$, and $(s_{i-1}, \rho(s_{i-1}), s_i) \in \mu$.
Intuitively, if the input symbol is already stored in some register, the automaton moves to the next state if, moreover, the transition relation allows it; otherwise it copies the input to the register indicated by the reassignment, erasing its previous value, and moves according to the transition relation.

The translation of register automata to first order alternating automata is quite natural, because registers can be encoded as arguments of predicate atoms. Formally, given a register automaton $R = \langle S, s_0, u, \rho, \mu, F \rangle$, such that $S = \{s_0, \ldots, s_m\}$, we define the alternating automaton $A_R = \langle \{\alpha\}, \{x\}, Q_R, \iota_R, F_R, \Delta_R \rangle$, where $\alpha \notin \Sigma$, $Q_R \stackrel{\mathrm{def}}{=} \{q_0, \ldots, q_m\}$ and $\#(q_i) = r$ for all $i \in [m]$, $\iota_R \stackrel{\mathrm{def}}{=} q_0(u)$, $F_R \stackrel{\mathrm{def}}{=} \{ q_i \mid s_i \in F \}$ and, for each transition $(s_i, k, s_j) \in \mu$, $\Delta_R$ contains the rule:
$$q_i(y_1, \ldots, y_r) \xrightarrow{\alpha(x)} \big( y_k = x \wedge q_j(y_1, \ldots, y_r) \big) \vee \Big( \bigwedge_{\ell=1}^{r} x \ne y_\ell \wedge q_j(y_1, \ldots, y_{k-1}, x, y_{k+1}, \ldots, y_r) \Big)$$
Moreover, nothing else is in $\Delta_R$. The connection between register automata and first order alternating automata is stated below.

Proposition 3.
Given a register automaton $R = \langle S, s_0, u, \rho, \mu, F \rangle$ over an infinite alphabet $\Sigma$, the first order alternating automaton $A_R = \langle \{\alpha\}, \{x\}, Q_R, \iota_R, F_R, \Delta_R \rangle$ recognizes the language $L(A_R) = \{ (\alpha, a_1) \ldots (\alpha, a_n) \mid a_1 \ldots a_n \in L(R) \}$.
Proof: “$\subseteq$” Let $w = (\alpha, a_1) \ldots (\alpha, a_n) \in L(A_R)$. First, it is easy to show that each execution of $A_R$ that starts in some cube $c \in c(\llbracket \iota_R \rrbracket_\mu)$ is a linear tree with labels $q_0(v_0), \ldots, q_n(v_n)$ such that $v_0 = u$. Second, by induction on $n \ge 0$, we prove that $A_R$ has a run as above over $w$ only if $R$ has a run $(q_0, v_0), \ldots, (q_n, v_n)$ over $a_1 \ldots a_n$. “$\supseteq$” Let $w = a_1 \ldots a_n \in L(R)$ and $(q_0, v_0), \ldots, (q_n, v_n)$ be a run of $R$ over $w$, such that $v_0 = u$. By induction on $n \ge 0$, one shows that $A_R$ has a run over $(\alpha, a_1) \ldots (\alpha, a_n)$ that is a linear tree with labels $q_0(v_0), \ldots, q_n(v_n)$. ⊓⊔

Consequently, the language inclusion problem “given register automata $R_1$ and $R_2$, does $L(R_1) \subseteq L(R_2)$?” is reduced in polynomial time to the emptiness problem $L(A_{R_1}) \cap \overline{L(A_{R_2})} = \emptyset$, for which (§4) provides a semi-algorithm. Notice further that the encoding of register automata as first order alternating automata uses no transition quantifiers.
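The run relation of register automata defined above, and the correspondence used in the “$\supseteq$” direction of Proposition 3 (every step of a run of $R$ is an instance of one disjunct of the rule of $A_R$ generated from the transition taken, with the registers carried as arguments of the predicate atom), can be checked on a small instance. The Python program below is an added example, not code from the paper or from the FOADA tool. The automaton $R$ (which accepts exactly the words whose first symbol occurs again later), the blank symbol `#` standing for the designated symbol outside $\Sigma$, the input words and all class and function names are constructed for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

BLANK = "#"   # constructed stand-in for the designated symbol outside Sigma
Assignment = Tuple[str, ...]
Config = Tuple[str, Assignment]


class RegisterAutomaton:
    """R = <S, s0, u, rho, mu, F> with r registers, as in the definition above."""

    def __init__(self, states, init, u, rho, mu, final):
        self.states: Set[str] = set(states)
        self.init: str = init
        self.u: Assignment = tuple(u)
        self.rho: Dict[str, int] = dict(rho)          # partial: missing keys are undefined
        self.mu: Set[Tuple[str, int, str]] = set(mu)  # (s, k, s') with k in [1, r]
        self.final: Set[str] = set(final)
        self.r = len(self.u)

    def step(self, conf: Config, a: str) -> Set[Config]:
        """Successors of (s, v) on input a; exactly one of the two cases applies."""
        s, v = conf
        stored = [k for k in range(1, self.r + 1) if v[k - 1] == a]
        if stored:
            # a is already in a register: v is unchanged, mu must allow (s, k, s')
            k = stored[0]            # unique, since non-blank register values are distinct
            v2 = v
        elif s in self.rho:
            # a is fresh: copy it into register rho(s) and keep the other registers
            k = self.rho[s]
            v2 = v[:k - 1] + (a,) + v[k:]
        else:
            return set()             # fresh symbol but rho(s) undefined: no successor
        return {(s2, v2) for (s1, k1, s2) in self.mu if s1 == s and k1 == k}

    def runs(self, word: List[str]) -> List[List[Config]]:
        """All runs (s_0, v_0) ... (s_n, v_n) of R over the word, with v_0 = u."""
        runs = [[(self.init, self.u)]]
        for a in word:
            runs = [run + [c] for run in runs for c in self.step(run[-1], a)]
        return runs

    def accepts(self, word: List[str]) -> bool:
        return any(run[-1][0] in self.final for run in self.runs(word))


def rule_licenses(mu, prev: Config, x: str, nxt: Config) -> bool:
    """Is q_i(v) --alpha(x)--> q_j(v') an instance of the rule of A_R built from
    some transition (s_i, k, s_j)?  Either y_k = x and the registers are kept, or
    x differs from every register and is written into register k."""
    (si, v), (sj, v2) = prev, nxt
    for (s1, k, s2) in mu:
        if s1 != si or s2 != sj:
            continue
        keep = v[k - 1] == x and v2 == v
        store = x not in v and v2 == v[:k - 1] + (x,) + v[k:]
        if keep or store:
            return True
    return False


def linear_execution(R: RegisterAutomaton, word: List[str]) -> Optional[List[str]]:
    """Map a run of R over the word to the execution of A_R over (alpha, a_1) ...
    (alpha, a_n): a linear tree labelled q_{s_0}(v_0), ..., q_{s_n}(v_n).  Each step
    is checked against the rules of A_R; returns None when R has no run."""
    runs = R.runs(word)
    if not runs:
        return None
    run = runs[0]
    for i, a in enumerate(word):
        if not rule_licenses(R.mu, run[i], a, run[i + 1]):
            raise AssertionError(f"step {i} is not licensed by the rules of A_R")
    return [f"q_{s}({','.join(v)})" for s, v in run]


# Constructed R: accepts a_1 ... a_n iff a_1 = a_i for some i >= 2 (r = 2 registers).
FIRST_REPEATS = RegisterAutomaton(
    states=["s0", "s1", "s2"], init="s0", u=(BLANK, BLANK),
    rho={"s0": 1, "s1": 2, "s2": 2},
    mu={("s0", 1, "s1"),               # store the first symbol in register 1
        ("s1", 2, "s1"),               # other symbols pass through register 2
        ("s1", 1, "s2"),               # the first symbol seen again: accept
        ("s2", 1, "s2"), ("s2", 2, "s2")},
    final=["s2"])

if __name__ == "__main__":
    for w in (["a", "b", "a"], ["a", "b", "c"]):
        print(w, FIRST_REPEATS.accepts(w), linear_execution(FIRST_REPEATS, w))
```

The `runs` method enumerates every run, so nondeterministic transition relations are handled; for the constructed automaton the run is unique, and the printed labels are exactly the atoms of the linear tree that Proposition 3 describes.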
The model of predicate automata [4,5] has emerged recently as a tool for checking safety and liveness properties of parameterized concurrent programs, in which there is an unbounded number of replicated threads that communicate via global variables. Predicate automata recognize finite sequences of actions that are pairs $(\sigma, i)$, where $\sigma$ is from a finite set $\Sigma$ of program statements and $i \in \mathbb{N}$ ranges over an unbounded set of thread identifiers. To avoid clutter, we shall view a pair $(\sigma, i)$ as a data symbol $(\sigma, \nu)$ where $\nu(x) = i$, for a designated input variable $x$. Since thread identifiers can only be compared for equality, the data theory of predicate automata is the first order theory of equality. Moreover, transition quantifiers are only needed for checking termination and, generally, liveness properties [5].

However, the execution semantics of predicate automata differs from that of first order automata with respect to the following detail: initial configurations and successors of predicate automata are defined using the entire sets of models of the initial sentence and transition rules, not just the minimal ones, as in our case. Formally, a run of a predicate automaton $P = \langle \Sigma, \{x\}, Q, \iota, F, \Delta \rangle$ over a word $(a_1, \nu_1) \ldots (a_n, \nu_n)$ is a sequence of interpretations $I_0, \ldots, I_n$ such that $I_0 \in \llbracket \iota \rrbracket$ and for each $i \in [1, n]$, each $q \in Q$ and each tuple $\langle d_1, \ldots, d_{\#(q)} \rangle \in I_{i-1}(q)$, we have $I_i \in \llbracket \psi \rrbracket_\nu$, for each rule $q(y_1, \ldots, y_{\#(q)}) \xrightarrow{a_i(x)} \psi \in \Delta$, where $\nu = \nu_i[y_1 \leftarrow d_1, \ldots, y_{\#(q)} \leftarrow d_{\#(q)}]$. The run is accepting if and only if $I_n(q) = \emptyset$ for all $q \in Q \setminus F$. In fact, as shown next, this simpler execution semantics is equivalent, from the language point of view, with the semantics given by Definitions 1 and 2. We believe that the semantics of first order alternating automata based on minimal models is important for its relation to the textbook semantics of boolean alternating automata [3].

Proposition 4. Given a predicate automaton $P = \langle \Sigma, \{x\}, Q, \iota, F, \Delta \rangle$, let $A_P$ be the first order alternating automaton that has the same description as $P$. Then $L(P) = L(A_P)$.
Proof: “$\subseteq$” Let $w = (a_1, \nu_1) \ldots (a_n, \nu_n) \in L(P)$ be a word and $I_0, \ldots, I_n$ be an accepting execution of $P$ over $w$. Let $I_j^{(i)}$ be the interpretation that associates each predicate $q^{(i)}$ the set $I_j(q)$, for $i, j \in [n]$. Then one builds, by induction on $n \ge 0$, an execution $T$ of $A_P$ such that $I_T \subseteq \bigcup_{i=0}^{n} I_i^{(i)}$, where $I_T$ is the unique interpretation associated with $T$. Since $I_0, \ldots, I_n$ is accepting, we have $I_n^{(n)}(q^{(n)}) = \emptyset$, for all $q \in Q \setminus F$ and hence $I_T(q^{(n)}) = \emptyset$, for all $q \in Q \setminus F$ and, consequently, $w \in L(A_P)$. “$\supseteq$” Let $w = (a_1, \nu_1) \ldots (a_n, \nu_n) \in L(A_P)$ be a word and $T$ be an accepting execution of $A_P$ over $w$. We define the sequence of interpretations $I_0, \ldots, I_n$ as $I_i(q) = I_T(q^{(i)})$, for each $i \in [n]$ and each $q \in Q$. By induction on $n \ge 0$, $I_0, \ldots, I_n$ is an execution of $P$. Moreover, since $T$ is accepting, we have $I_n(q) = I_T(q^{(n)}) = \emptyset$, for each $q \in Q \setminus F$, thus $w \in L(P)$. ⊓⊔

As before, this result enables using the semi-algorithm from § .

We have implemented a version of the IMPACT semi-algorithm [18] in a prototype tool called FOADA, which is available online [6]. The tool is written in Java and uses the Z3 SMT solver [27], via the JavaSMT interface [13], for spuriousness and coverage queries and also for interpolant generation. The experiments were carried out on a MacOS x64, 1.3 GHz Intel Core i5, 8 GB 1867 MHz LPDDR3 machine. The experimental results, reported in Table 1, come from several sources, namely predicate automata models (*.pa) [4,5] available online [22], timed automata inclusion problems (abp.ada, train.ada, rr-crossing.foada), array logic entailments (array rotation.ada, array simple.ada, array shift.ada) and hardware circuit verification (hw1.ada, hw2.ada), initially considered in [10]. The train-simpleN.foada and fischer-mutexN.foada examples are parametric verification problems in which one checks inclusions of the form $\bigcap_{i=1}^{N} L(A_i) \subseteq L(B)$, where $A_i$ is the $i$-th copy of the same template automaton. The advantage of using FOADA over the INCLUDER [9] tool from [10] is the possibility of having infinite alphabet automata with hidden (local) variables, whose values are not visible in the input.
In particular, this is essential for checking inclusion of timed automata that use internal clocks to control the computation.

Example                 |A| (bytes)   L(A) = ∅?      Nodes Expanded   Nodes Visited   Time (ms)
incdec.pa               499           no             21               17              779
localdec.pa             678           no             49               35              1814
ticket.pa               4250          no             229              91              9543
count thread0.pa        9767          no             154              128             8553
count thread1.pa        10925         no             766              692             76771
local0.pa               10595         no             73               27              1431
local1.pa               11385         no             1135             858             101042
array rotation.ada      1834          yes            9                8               1543
array simple.ada        3440          yes            11               10              6787
array shift.ada         874           yes            6                5               413
abp.ada                 6909          no             52               47              4788
train.ada               1823          yes            68               67              7319
hw1.ada                 322           Solver Error   /                /               /
hw2.ada                 674           yes            20               22              4974
rr-crossing.foada       1780          yes            67               67              7574
train-simple1.foada     5421          yes            43               44              2893
train-simple2.foada     10177         yes            111              113             8386
train-simple3.foada     15961         yes            196              200             15041
fischer-mutex2.foada    3000          yes            23               23              808
fischer-mutex3.foada    4452          yes            33               33              1154

Table 1. Experiments with First Order Alternating Automata
References
1. R. Alur and D. L. Dill. A theory of timed automata. Theor. Comput. Sci., 126(2):183–235, 1994.
2. E. Börger, E. Grädel, and Y. Gurevich. The Classical Decision Problem. Perspectives in Mathematical Logic. Springer, 1997.
3. A. K. Chandra, D. C. Kozen, and L. J. Stockmeyer. Alternation. J. ACM, 28(1):114–133, 1981.
4. A. Farzan, Z. Kincaid, and A. Podelski. Proof spaces for unbounded parallelism. SIGPLAN Not., 50(1):407–420, Jan. 2015.
5. A. Farzan, Z. Kincaid, and A. Podelski. Proving liveness of parameterized programs. In Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science, LICS '16, pages 185–196. ACM, 2016.
6. First Order Alternating Data Automata (FOADA). https://github.com/cathiec/FOADA.
7. L. Fribourg. A closed-form evaluation for extended timed automata. Research Report LSV-98-2, Laboratoire Spécification et Vérification, ENS Cachan, France, Mar. 1998.
8. J. Y. Halpern. Presburger arithmetic with unary predicates is $\Pi^1_1$ complete. The Journal of Symbolic Logic, 56(2):637–642, 1991.
9. Includer. http:// /research/groups/verifit/tools/includer/.
10. R. Iosif, A. Rogalewicz, and T. Vojnar. Abstraction refinement and antichains for trace inclusion of infinite state systems. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2016), pages 71–89, 2016.
11. R. Iosif and X. Xu. Abstraction refinement for emptiness checking of alternating data automata. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2018), pages 93–111, 2018.
12. R. Iosif and X. Xu. First Order Alternation. Technical Report ArXiv 1811.02398, https://arxiv.org/abs/
13. JavaSMT. https://github.com/sosy-lab/java-smt.
14. M. Kaminski and N. Francez. Finite-memory automata. Theoretical Computer Science, 134(2):329–363, 1994.
15. Z. Kincaid. Parallel Proofs for Parallel Programs. PhD thesis, University of Toronto, 2016.
16. V. Kuncak, M. Mayer, R. Piskac, and P. Suter. Software synthesis procedures. Commun. ACM, 55(2):103–111, 2012.
17. R. C. Lyndon. An interpolation theorem in the predicate calculus. Pacific J. Math., 9(1):129–142, 1959.
18. K. L. McMillan. Lazy abstraction with interpolants. In Proc. of CAV'06, volume 4144 of LNCS. Springer, 2006.
19. K. L. McMillan. Lazy annotation revisited. In CAV 2014, Proceedings, pages 243–259. Springer International Publishing, 2014.
20. G. Nelson and D. C. Oppen. Fast decision procedures based on congruence closure. J. ACM, 27(2):356–364, Apr. 1980.
21. F. Neven, T. Schwentick, and V. Vianu. Finite state machines for strings over infinite alphabets. ACM Trans. Comput. Log., 5(3):403–435, 2004.
22. Predicate Automata. https://github.com/zkincaid/duet/tree/ark2/regression/predicateAutomata.
23. M. Presburger. Über die Vollständigkeit eines gewissen Systems der Arithmetik. Comptes rendus du I Congrès des Pays Slaves, Warsaw 1929.
24. A. Reynolds, T. King, and V. Kuncak. Solving quantified linear arithmetic by counterexample-guided instantiation. Formal Methods in System Design, 51(3):500–532, 2017.
25. A. Rybalchenko and V. Sofronie-Stokkermans. Constraint solving for interpolation. J. Symb. Comput., 45(11):1212–1233, 2010.
26. M. Y. Vardi. Alternating automata and program verification, pages 471–485. Springer Berlin Heidelberg, 1995.
27. Z3 SMT Solver. https://rise4fun.com/z3.