"Most of" leads to undecidability: Failure of adding frequencies to LTL
Bartosz Bednarczyk
Computational Logic Group, TU Dresden, Germany
Institute of Computer Science, University of Wrocław, [email protected]
Jakub Michaliszyn
Institute of Computer Science, University of Wrocław, [email protected]
Abstract
Linear Temporal Logic (LTL) interpreted on finite traces is a robust specification framework popular in formal verification. However, despite the high interest in the logic in recent years, the topic of its quantitative extensions is not yet fully explored. The main goal of this work is to study the effect of adding weak forms of percentage constraints (e.g. that most of the positions in the past satisfy a given condition, or that σ is the most-frequent letter occurring in the past) to fragments of LTL. Such extensions could potentially be used for the verification of influence networks or statistical reasoning. Unfortunately, as we prove in the paper, it turns out that percentage extensions of even tiny fragments of LTL have undecidable satisfiability and model-checking problems. Our undecidability proofs not only sharpen most of the undecidability results on logics with arithmetics interpreted on words known from the literature, but also are fairly simple.
We also show that the undecidability can be avoided by restricting the allowed usage of the negation, and briefly discuss how the undecidability results transfer to first-order logic on words.
Theory of computation → Logic and verification
Keywords and phrases satisfiability, model-checking, LTL, frequency constraints, undecidability
Funding
Bartosz Bednarczyk: supported by “Diamentowy. Grant” no. DI2017 006447.
Jakub Michaliszyn: supported by NCN grant no. 2017/27/B/ST6/00299.
© Bartosz Bednarczyk and Jakub Michaliszyn; licensed under Creative Commons License CC-BY. Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
Linear Temporal Logic [1] (LTL) interpreted on finite traces is a robust logical framework used in formal verification [16, 12, 13]. However, LTL is not perfect: it can express whether some event happens or not, but it cannot provide any insight on how frequently such an event occurs or for how long such an event took place. In many practical applications, such quantitative information is important: think of optimising a server based on how frequently it receives messages or optimising energy consumption knowing for how long a system is usually used in rush hours. Nevertheless, there is a solution: one can achieve such goals by adding quantitative features to LTL.
It is known that adding quantitative operators to LTL often leads to undecidability. The proofs, however, typically involve operators such as “next” or “until”, and are quite complicated (see the discussion on the related work below). In this work, we study the logic LTL_F, a fragment of LTL where the only allowed temporal operator is “sometimes in the future” F. We extend its language with two types of operators, sharing a similar “percentage” flavour: with the Past-Majority PM ϕ operator (stating that most of the past positions satisfy a formula ϕ), and with the Most-Frequent-Letter MFL σ predicates (meaning that the letter σ is among the most frequent letters appearing in the past). These operators can be used to express a number of interesting properties, such as if a process failed to enter the critical section, then the other process was in the critical section the majority of time. Of course, for practical applications, we could also consider richer languages, such as parametrised versions of these operators, e.g. stating that at least a fraction p of positions in the past satisfies a formula. However, we show, as our main result, that even these very simple percentage operators raise undecidability when combined with F.
To make the undecidability proof for both operators similar, we define an intermediate operator, Half, which is satisfied when exactly half of the past positions satisfy a given formula. The Half operator can be expressed easily with PM, but not with MFL — we show, however, that we can simulate it to an extent enough to show the undecidability. Our proof method relies on enforcing a model to be in the language ({wht}{shdw})^+, for some letters wht and shdw, which a priori seems to be impossible without the “next” operator. Then, thanks to the specific shape of the models, we show that one can transfer the truth of certain formulae from positions into their successors, hence the “next” operator can be partially expressed. With a combination of these two ideas, we show that it is possible to write equicardinality statements in the logic. Finally, we perform a reduction from the reachability problem of Two-counter Machines [22]. In the reduction, the equicardinality statements will be responsible for handling zero-tests. The idea of transferring predicates from each position into its successor will be used for switching the machine into its next configuration.
The presented undecidability proof of LTL with percentage operators can be adjusted to extensions of fragments of first-order logic on finite words. We show that FO_M[<], i.e. the two-variable fragment of first-order logic admitting the majority quantifier M and linear order predicate <, has an undecidable satisfiability problem. Here the meaning of a formula M x.ϕ(x, y) is that at least a half of possible interpretations of x satisfies ϕ(x, y). Our result sharpens an existing undecidability proof for (full) FO with Majority from [18] (since in our case the number of variables is limited) but also FO[<, succ] with arithmetics from [17] (since our counting mechanism is weaker and the successor relation succ is disallowed).
On the positive side, we show that the undecidability heavily depends on the presence of the negation in front of the percentage operators.
To do so, we introduce a logic, extending the full LTL, in which the usage of percentage operators is possible, but suitably restricted. For this logic, we show that the satisfiability problem is decidable.
All the above-mentioned results can be easily extended to the model checking problem, where the question is whether a given Kripke structure satisfies a given formula.
The first paper studying the addition of quantitative features to logic was [10], where the authors proved undecidability of Weak MSO with Cardinalities. They also developed a model of so-called Parikh Automaton, a finite automaton imposing a semi-linear constraint on the set of its final configurations. Such an automaton was successfully used to decide logics with counting as well as logics on data words [20, 9]. Its expressiveness was studied in [5].
Another idea in the realm of quantitative features is availability languages [14], which extend regular expressions by numerical occurrence constraints on the letters. However, their high expressivity leads to undecidable emptiness problems. Weak forms of arithmetics have also attracted interest from researchers working on temporal logics. Several extensions of LTL were studied, including extensions with counting [11], periodicity constraints [27], accumulative values [28], discounting [26], averaging [24] and frequency constraints [3]. A lot of work was done to understand LTL with timed constraints, e.g. a metric LTL was considered in [15]. However, its complexity is high and its extensions are undecidable [25].
Arithmetical constraints can also be added to the First-Order logic (FO) on words via so-called counting quantifiers. It is known that weak MSO on words is decidable with threshold counting and modulo-counting (thanks to the famous Büchi theorem [4]), while even FO on words with percentage quantifiers becomes undecidable [18]. Extensions of fragments of FO on words are often decidable, e.g.
the two-variable fragment FO with counting [29] or FO with modulo-counting [17]. The investigation of decidable extensions of FO is limited by the undecidability of FO on words with Presburger constraints [17].
Among the above-mentioned logics, the formalisms of this paper are most similar to Frequency LTL [3]. The satisfiability problem for Frequency LTL was claimed to be undecidable, but the undecidability proof as presented in [3] is bugged (see [24, Sec. 8] for discussion). It was mentioned in [24] that the undecidability proof from [3] can be patched, but no correction was published so far. Our paper not only provides a valid proof but also sharpens the result, as we use a way less expressive language (e.g. we are allowed to use neither the “until” operator nor the “next” operator). We also believe that our proof is simpler. The second-closest formalism to ours is average-LTL [24]. The main difference is that the averages of average-LTL are computed based on the future, while in our paper, the averages are based on the past. The second difference, as in the previous case, is that their undecidability proof uses more expressive operators, such as the “until” operator.
We recall classical definitions concerning logics on words and temporal logics (cf. [8]). Let AP be a countably-infinite set of atomic propositions, called here also letters. A finite word w ∈ (2^AP)^* is a finite sequence of positions labelled with sets of letters from AP. A set of words is called a language. Given a word w, we denote its i-th position with w_i (where the first position is w ) and its prefix up to the i-th position with w_{≤i}.
With |w| we denote the length of w.
The syntax of LTL_F, a fragment of LTL with only the finally operator F, is defined as usual with the following grammar: ϕ, ϕ ::= a (with a ∈ AP) | ¬ϕ | ϕ ∧ ϕ | F ϕ.
The satisfaction relation ⊨ is defined for words as follows:
w, i ⊨ a if a ∈ w_i
w, i ⊨ ¬ϕ if not w, i ⊨ ϕ
w, i ⊨ ϕ ∧ ϕ if w, i ⊨ ϕ and w, i ⊨ ϕ
w, i ⊨ F ϕ if ∃ |w| > j ≥ i such that w, j ⊨ ϕ.
We write w ⊨ ϕ if w, ⊨ ϕ. The usual Boolean connectives ⊤, ⊥, ∨, →, ↔ can be defined, hence we will use them as abbreviations. Additionally, we use the operator G ϕ := ¬F¬ϕ to speak about events happening globally in the future.
In our investigation, percentage operators PM, MFL and Half are added to LTL_F.
The operator PM ϕ (read as: majority in the past) is satisfied if at least half of the positions in the past satisfy ϕ:
w, i ⊨ PM ϕ if |{j < i : w, j ⊨ ϕ}| ≥ i
For example, the formula G(r ↔ ¬g) ∧ G PM r ∧ G F PM g is true over words where each request r is eventually fulfilled by a grant g, and where each grant corresponds to at least one request. This can be also seen as the language of balanced parentheses, showing that with the operator PM one can define properties that are not regular.
The operator MFL σ (read as: most-frequent letter in the past), for σ ∈ AP, is satisfied if σ is among the letters with the highest number of appearances in the past, i.e.
w, i ⊨ MFL σ if ∀τ ∈ AP. |{j < i : w, j ⊨ σ}| ≥ |{j < i : w, j ⊨ τ}|
For example, the formula G¬(r ∧ g) ∧ G PM r ∧ G F MFL g again defines words where each request is eventually fulfilled, but this time the formula allows for states where nothing happens (i.e. when both r and g are false).
The last operator, Half, is used to simplify the forthcoming undecidability proofs. This operator can be satisfied only at even positions, and its intended meaning is exactly half of the past positions satisfy a given formula.
w, i ⊨ Half ϕ if |{j < i : w, j ⊨ ϕ}| = i
It is not difficult to see that the operator Half ϕ can be defined in terms of the past-majority operator as PM(ϕ) ∧ PM(¬ϕ) and that Half ϕ can be satisfied only at even positions.
In the next sections, we distinguish different logics by enumerating the allowed operators in the subscripts, e.g. LTL_{F,PM} or LTL_{F,MFL}.
Kripke structures are commonly used in verification to formalise abstract models. A Kripke structure is composed of a finite set S of states, a set of initial states I ⊆ S, a total transition relation R ⊆ S × S, and a labelling function ℓ : S → AP. A trace of a Kripke structure is a finite word ℓ(s), ℓ(s), ... for any s, s, ... satisfying s ∈ I and (s_i, s_{i+1}) ∈ R for all i ∈ N. The model-checking problem amounts to checking whether some trace of a given Kripke structure satisfies a given formula ϕ. In the satisfiability problem, or simply in SAT, we check whether an input formula ϕ has a model, i.e. a word w witnessing w ⊨ ϕ.
Before we jump into the encoding of Minsky machines, we present some exercises to help the reader understand the expressive power of the logic LTL_{F,Half}. The tools established in the exercises play a vital role in the undecidability proofs provided in the following section.
We start from the definition of shadowy words.
Definition 1. Let wht and shdw be fixed distinct atomic propositions from AP. A word w is shadowy if its length is even, all even positions of w are labelled by wht, all odd positions of w are labelled by shdw, and no position is labelled by both letters.
[Figure: a shadowy word, with positions labelled wht shdw wht shdw wht shdw]
We will call the positions satisfying wht simply white and their successors satisfying shdw simply their shadows.
The following exercise is simple in LTL, but becomes much more challenging without the X operator.
Exercise 2. There is an LTL_{F,Half} formula ψ_shadowy defining shadowy words.
Solution. We start with the “base” formula ϕ^ex_init := wht ∧ G(wht ↔ ¬shdw) ∧ G(wht → F shdw), which states that the position 0 is labelled by wht, each position is labelled by exactly one letter among wht, shdw and that every white eventually sees a shadow in the future. What remains to be done is to ensure that only odd positions are shadows and that only even positions are white.
In order to do that, we employ the formula ϕ^ex_odd := G((Half wht) ↔ wht). Since Half is never satisfied at odd positions, the formula ϕ^ex_odd stipulates that odd positions are labelled by shdw. An inductive argument shows that all the even positions are labelled by wht: for the position 0, it follows from ϕ^ex_init. For an even position p > 0, assuming (inductively) that all even positions are labelled by wht, the formula ϕ^ex_odd ensures that p is labelled by wht. Putting it all together, the formula ψ_shadowy := ϕ^ex_init ∧ ϕ^ex_odd is as required.
In the next exercise, we show that it is possible to transfer the presence of certain letters from white positions into their shadows. It justifies the usage of “shadows” in the article.
We introduce the so-called counting terms. For a formula ϕ, word w and a position p, by <_ϕ(w, p) we denote the total number of positions among 0, ..., p − ϕ, i.e. the size of {p < p | w, p ⊨ ϕ}. We omit w in counting terms if it is known from the context.
Exercise 3. Let σ and ˜σ be distinct letters from AP \ {wht, shdw}. There is an LTL_{F,Half} formula ϕ^trans_{σ⇝˜σ}, such that w ⊨ ϕ^trans_{σ⇝˜σ} iff: w is shadowy, only white (resp., shadow) positions of w can be labelled σ (resp., ˜σ), and for any even position p we have: w, p ⊨ σ ⇔ w, p+1 ⊨ ˜σ.
[Figure: a shadowy word wht shdw wht shdw wht shdw whose positions carry σ, ˜σ, ¬σ, ¬˜σ, ¬σ, ¬˜σ]
Solution. Note that the first parts from the above definition of ϕ^trans_{σ⇝˜σ} can be defined as the conjunction of ψ_shadowy, G(σ → wht) and G(˜σ → shdw). The last part (the one speaking about the successors) is more involving. By induction, one may easily see that expressing such a property is equivalent to expressing that all white positions p satisfy the equation (♥):
(♥): <_{wht ∧ σ}(w, p) = <_{shdw ∧ ˜σ}(w, p)
and supplementing it with a formula ϕ_(♦) that ensures the correctness for the last shadow (not followed by any white position). We show how to define (♥) and (♦) in LTL_{F,Half}, taking advantage of shadowness of the intended models. Take an arbitrary white position p of w. The equation (♥) is clearly equivalent to:
(♥): <_{wht ∧ σ}(w, p) + (p − <_{shdw ∧ ˜σ}(w, p)) = p
p is even, we infer that p ∈ N. From the shadowness of w, we know that there are exactly p shadows in the past of p. Moreover, each shadow satisfies either ˜σ or ¬˜σ. Hence, the expression p − <_{shdw ∧ ˜σ}(w, p) from (♥), can be replaced with <_{shdw ∧ ¬˜σ}(w, p). Finally, since wht and shdw label disjoint positions, the property that every white position p satisfies (♥) can be written as an LTL_{F,Half} formula ϕ_(♥) := G(wht → Half([wht ∧ σ] ∨ [shdw ∧ ¬˜σ])).
For the second property, we first need to define formulae detecting the last and the second to last positions of the model. Detecting the last position is easy: since the last position of w is shadow, it is sufficient to express it sees only shadows in its future, i.e. ϕ^ex_last := G(shdw). Similarly, a position is second to last if it is white and it sees only white or last positions in the future, which results in a formula ϕ^ex_stl := wht ∧ G(wht ∨ ϕ^ex_last). Hence, we define ϕ_(♦) as F(ϕ^ex_stl ∧ σ) ↔ F(ϕ^ex_last ∧ ˜σ). The conjunction of ϕ_(♥) and ϕ_(♦) formulae leads to ϕ^trans_{σ⇝˜σ}.
We consider a generalisation of shadowy models, where each shadow mimics all letters from a finite set Σ ⊆ AP rather than just a single letter σ. Such a generalisation is described below. In what follows, we always assume that for each σ ∈ Σ there is a unique ˜σ, which is different from σ, and ˜σ Σ. Moreover, we always assume that σ = σ implies ˜σ = ˜σ.
Definition 4. Let Σ ⊆ AP \ {wht, shdw} be a finite set. A shadowy word w is called truly Σ-shadowy, if for every letter σ ∈ Σ only the white (resp. shadow) positions of w can be labelled with σ (resp. ˜σ) and every white position p of w satisfies w, p ⊨ σ ⇔ w, p+1 ⊨ ˜σ.
[Figure: a truly Σ-shadowy word wht shdw wht shdw wht shdw whose positions carry α, β; ˜α, ˜β; ¬α, β; ¬˜α, ˜β; α, ¬β; ˜α, ¬˜β]
Knowing the solution for the previous exercise, it is easy to come up with a formula ψ^{truly−Σ}_shadowy defining truly Σ-shadowy models: just take the conjunction of ψ_shadowy and ϕ^trans_{σ⇝˜σ} over all letters σ ∈ Σ. The correctness follows immediately from Exercise 3.
Corollary 5. The formula ψ^{truly−Σ}_shadowy defines the language of truly Σ-shadowy words.
The next exercise shows how to compare cardinalities in LTL_{F,Half} over truly Σ-shadowy models. We are not going to introduce any novel techniques here, but the exercise is of great importance: it is used in the next section to encode zero tests of Minsky machines.
Exercise 6. Let Σ be a finite subset of AP \ {wht, shdw} and let α = β ∈ Σ. There exists an LTL_{F,Half} formula ψ_{α=β} such that for any truly Σ-shadowy word w and any of its white positions p: the equivalence w, p ⊨ ψ_{α=β} ⇔ <_{wht ∧ α}(w, p) = <_{wht ∧ β}(w, p) holds.
[Figure: a truly Σ-shadowy word wht shdw wht shdw with labels α, β; ˜α, ˜β; ¬α, β; ¬˜α, ˜β and a position marked ψ_{α=β}]
We left this exercise to the reader as it is an easy modification of the previous exercise. A hint and a solution are provided below.
Hint. Follow the previous exercise. The main difficulty is to express the equality of counting terms, written as LHS = RHS. Note that it is clearly equivalent to LHS + (p − RHS) = p. Unfold p on the left hand side, i.e. replace it with the total number of shadows in the past. Use the fact that w satisfies ϕ^trans_{σ⇝˜σ}, which implies the equality <_{wht ∧ β}(w, p) = <_{shdw ∧ ˜β}(w, p). Finally, get rid of subtraction and write an LTL_{F,Half} formula by employing Half.
Solution. The formula is ψ_{α=β} := Half([wht ∧ α] ∨ [shdw ∧ ¬˜β]).
The presented exercises show that the expressive power of LTL_{F,Half} is so high that, under a mild assumption of truly-shadowness, it allows us to perform cardinality comparison. From here, we are only a step away from showing undecidability of the logic, which is tackled next.
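A brute-force check of the semantics and of Exercises 2 and 6, as an added Python example that is not part of the paper. It reads PM as "at least half of the past positions" and Half as "exactly half", numbers positions from 0, and compares MFL only against letters occurring in the word (all other letters have count 0); the tuple encoding of formulae, the "~" prefix for shadow copies and every function name are assumptions of this sketch.

```python
from functools import reduce
from itertools import product

# Formulas are nested tuples; a word is a list of frozensets of letters.
def AP(a): return ("ap", a)
def Not(f): return ("not", f)
def And(*fs): return reduce(lambda f, g: ("and", f, g), fs)
def Or(f, g): return Not(And(Not(f), Not(g)))
def Implies(f, g): return Not(And(f, Not(g)))
def Iff(f, g): return And(Implies(f, g), Implies(g, f))
def F(f): return ("F", f)
def G(f): return Not(F(Not(f)))            # G f := not F not f
def PM(f): return ("PM", f)
def Half(f): return ("Half", f)
def MFL(a): return ("MFL", a)


def past_count(w, i, f):
    """Number of positions j < i with w, j |= f."""
    return sum(1 for j in range(i) if holds(w, j, f))


def holds(w, i, f):
    """Decide w, i |= f for the operators F, PM, Half and MFL."""
    op = f[0]
    if op == "ap":
        return f[1] in w[i]
    if op == "not":
        return not holds(w, i, f[1])
    if op == "and":
        return holds(w, i, f[1]) and holds(w, i, f[2])
    if op == "F":                          # some j with i <= j < |w|
        return any(holds(w, j, f[1]) for j in range(i, len(w)))
    if op == "PM":                         # at least half of the past
        return 2 * past_count(w, i, f[1]) >= i
    if op == "Half":                       # exactly half, so only at even i
        return 2 * past_count(w, i, f[1]) == i
    if op == "MFL":                        # no letter is more frequent
        own = past_count(w, i, AP(f[1]))
        seen = set().union(*w[:i])
        return all(own >= past_count(w, i, AP(t)) for t in seen)
    raise ValueError(f"unknown operator {op!r}")


def models(w, f):
    """w |= f: f holds at position 0 of a non-empty word."""
    return len(w) > 0 and holds(w, 0, f)


WHT, SHDW = AP("wht"), AP("shdw")
# psi_shadowy of Exercise 2: the "init" conjuncts followed by the "odd" one.
PSI_SHADOWY = And(WHT, G(Iff(WHT, Not(SHDW))), G(Implies(WHT, F(SHDW))),
                  G(Iff(Half(WHT), WHT)))
# psi_{alpha=beta} of Exercise 6; "~beta" stands for the shadow copy of beta.
PSI_EQ = Half(Or(And(WHT, AP("alpha")), And(SHDW, Not(AP("~beta")))))


def is_shadowy(w):
    """Definition 1: even length, wht on even and shdw on odd positions."""
    return len(w) % 2 == 0 and all(
        ("wht" in x) == (i % 2 == 0) and ("shdw" in x) == (i % 2 == 1)
        for i, x in enumerate(w))


def all_words(letters, max_len):
    """Every non-empty word of length <= max_len over subsets of letters."""
    labels = [frozenset(c for c, keep in zip(letters, bits) if keep)
              for bits in product([0, 1], repeat=len(letters))]
    for n in range(1, max_len + 1):
        for w in product(labels, repeat=n):
            yield list(w)


def shadowy_check(max_len=6):
    """True iff PSI_SHADOWY accepts exactly the shadowy words."""
    return all(models(w, PSI_SHADOWY) == is_shadowy(w)
               for w in all_words(["wht", "shdw"], max_len))


def half_via_pm_check(max_len=5):
    """True iff Half a and PM(a) and PM(not a) agree at every position."""
    a = AP("a")
    return all(holds(w, i, Half(a)) == holds(w, i, And(PM(a), PM(Not(a))))
               for w in all_words(["a"], max_len) for i in range(len(w)))


def truly_shadowy(white_labels):
    """Truly shadowy word whose white positions carry the given letters."""
    w = []
    for x in white_labels:
        w.append(frozenset({"wht"} | set(x)))
        w.append(frozenset({"shdw"} | {"~" + s for s in x}))
    return w


def equicardinality_check(max_whites=3):
    """True iff PSI_EQ holds at white p exactly when #alpha = #beta before p."""
    subsets = [(), ("alpha",), ("beta",), ("alpha", "beta")]
    for n in range(1, max_whites + 1):
        for labels in product(subsets, repeat=n):
            w = truly_shadowy(labels)
            for k in range(n):             # the k-th white position is 2k
                a = sum("alpha" in x for x in labels[:k])
                b = sum("beta" in x for x in labels[:k])
                if holds(w, 2 * k, PSI_EQ) != (a == b):
                    return False
    return True


if __name__ == "__main__":
    print(shadowy_check(), half_via_pm_check(), equicardinality_check())
```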
This section is dedicated to the main technical contribution of the paper, namely that LTL_{F,Half}, LTL_{F,PM} and LTL_{F,MFL} have undecidable satisfiability and model checking problems. We start from LTL_{F,Half}. Then, the undecidability of LTL_{F,PM} will follow immediately from the fact that Half is definable by PM. Finally, we will show how the undecidability proof can be adjusted to LTL_{F,MFL}.
We start by recalling the basics on Minsky Machines.
Minsky machines
A deterministic Minsky machine is, roughly speaking, a finite transition system equipped with two unbounded-size natural counters, where each counter can be incremented, decremented (only in the case it is positive), and tested for being zero. Formally, a Minsky machine A is composed of a finite set of states Q with a distinguished initial state q and a transition function δ : (Q × { , +}) → ({− , , } × (Q \ {q}) satisfying three additional requirements: whenever δ(q, f, s) = (¯f, ¯s, q) holds, ¯f = − f = +, ¯s = − s = + (i.e. it means that only the positive counters can be decremented) and q = q (the machine cannot enter the same state two times in a row).
We define a run of a Minsky machine A as a sequence of consecutive transitions of A. Formally, a run of A is a finite word w ∈ (Q × { , +} × {− , , } × Q \ {q})^+ such that, when denoting w_i as (q_i, f_i, s_i, ¯f_i, ¯s_i, q^i_N), all the following conditions are satisfied:
P1 q = q and f = s = 0,
P2 for each i we have δ(q_i, f_i, s_i) = (¯f_i, ¯s_i, q^i_N),
P3 for each i < |w| we have q^i_N = q_{i+1},
P4 for each i, f_i equals 0 iff ¯f + ... + ¯f_{i−1} = 0, and + otherwise; similarly s_i is 0 iff ¯s + ... + ¯s_{i−1} = 0 and + otherwise.
It is not hard to see that this definition is equivalent to the classical one [22]. We say that a Minsky machine reaches a state q ∈ Q if there is a run with a letter containing q on its last coordinate. It is well known that the problem of checking whether a given Minsky machine reaches a given state is undecidable [22].
We start from presenting the overview of the claimed reduction. Until the end of Section 4, let us fix a Minsky machine A = (Q, q, δ) and its state q ∈ Q. Our ultimate goal is to define an LTL_{F,Half} formula ψ^q_A such that ψ^q_A has a model iff A reaches q. To do so, we define a formula ψ_A such that there is a one-to-one correspondence between the models of ψ_A and runs of A. Expressing the reachability of q, and thus ψ^q_A, based on ψ_A is straightforward.
Intuitively, the formula ψ_A describes a shadowy word w encoding on its white positions the consecutive letters of a run of A. In order to express it, we introduce a set Σ_A, composed of the following distinguished atomic propositions: from_q and to_q for all states q ∈ Q, fstVal_c and sndVal_c for counter values c ∈ { , +}, and fstOP_op and sndOP_op for all operations op ∈ {− , , }.
We formalise the one-to-one correspondence as the function run, which takes an appropriately defined shadowy model and returns a corresponding run of A. More precisely, the function run(w) returns a run whose i-th configuration is (q, f, s, ¯f, ¯s, q_N) if and only if the i-th white configuration of w is labelled by from_q, fstVal_f, sndVal_s, fstOP_¯f, sndOP_¯s and to_{q_N}.
The formula ψ_A ensures that its models are truly Σ_A-shadowy words representing a run satisfying properties P1–P4. To construct it, we start from ψ^{truly−Σ_A}_shadowy and extend it with four conjuncts. The first two of them represent properties P1–P2 of runs. They can be written in LTL_F in a straightforward way.
To ensure the satisfaction of the property P3, we observe that in some sense the letters from_q and to_q are paired in a model, i.e. always after reaching a state in A you need to get out of it (the initial state is an exception here, but we assumed that there are no transitions to the initial state). Thus, to identify for which q we should set the from_q letter on the position p, it is sufficient to see for which state we do not have a corresponding pair, i.e. for which state q the number of white from_q to the left of p is not equal to the number of white to_q to the left of p. We achieve this in the spirit of Exercise 6.
Finally, the satisfaction of the property P4 can be achieved by checking for each position p whether the number of white fstOP_{+1} to the left of p is the same as the number of white fstOP_− to the left of p, and similarly for the second counter. This reduces to checking an equicardinality of certain sets, which can be done by employing shadows and Exercise 6.
The reduction
Now we are ready to present the claimed reduction.
We first restrict the class of models under consideration to truly Σ_A-shadowy words (for the feasibility of equicardinality encoding) with a formula ψ^{truly−Σ_A}_shadowy. Then, we express that the models satisfy properties P1 and P2. The first property can be expressed with ψ_P := from_q ∧ fstVal ∧ sndVal.
The property P2 will be a conjunction of two formulae. The first one, namely ψ_P, is a straightforward implementation of P2. The second one, i.e. ψ_P, is not necessary, but simplifies the proof; we require that no position is labelled by more than six letters from Σ_A.
ψ_P := G(wht → ⋁_{δ(q,f,s)=(¯f,¯s,q_N)} from_q ∧ fstVal_f ∧ sndVal_s ∧ fstOP_¯f ∧ sndOP_¯s ∧ to_{q_N}),
ψ_P := G ⋀_{p, ..., p ∈ Σ_A; p, ..., p are pairwise different} ¬(p ∧ p ∧ ... ∧ p).
We put ψ_P := ψ_P ∧ ψ_P and ψ_enc-basics := ψ^{truly−Σ_A}_shadowy ∧ ψ_P ∧ ψ_P.
We now formalise the correspondence between intended models and runs. Let run be the function which takes a word w satisfying ψ_enc-basics and returns the word w^A such that |w^A| = |w| / i we have:
(★): w^A_i = (q, f, s, ¯f, ¯s, q_N) iff w_i = {wht, from_q, fstVal_f, sndVal_s, fstOP_¯f, sndOP_¯s, to_{q_N}}.
Note that the definition of ψ_enc-basics makes the function run correctly defined and unambiguous, and that the results of run satisfy properties P1 and P2. We summarise this as the following fact.
Fact 7. The function run is uniquely defined and returns words satisfying P1 and P2.
What remains to be done is to ensure properties P3 and P4. We start from the former one. The formula ψ_P relies on the tools established in Exercise 6 and is defined as follows:
ψ_P := G wht → ⋀_{q ∈ Q\{q}} (from_q ∨ ψ_{from_q = to_q}).
Fact 8. If w satisfies ψ_enc-basics ∧ ψ_P, then run(w) satisfies P1–P3.
Proof. The satisfaction of the properties P1 and P2 follows from Fact 7. Hence, it is sufficient to prove that also the property P3 is satisfied.
Ad absurdum, assume that the fact does not hold. It implies that there is a white position p such that w, p ⊨ to_q but w, p+2 ⊭ from_q for some q = q. Then, from the definition of Minsky machines we infer that w, p ⊨ from_q for some q = q. Hence, w, p ⊭ from_q. From the satisfaction of ψ_P we infer w, p ⊨ ψ_{from_q = to_q}. Let k be the number of positions labelled with from_q before p. Since w, p ⊨ ψ_{from_q = to_q}, by Exercise 6 we conclude that the number of positions satisfying to_q before p is also equal to k. Since w, p+2 ⊭ from_q and from satisfaction of ψ_P we again infer w, p+2 ⊨ ψ_{from_q = to_q}, which clearly cannot happen since the number of to_q in the past is equal to k + 1, but the number of from_q in the past is k.
Finally, to express the property P4, we once again employ the tools from Exercise 6, i.e.:
ψ_P := G(ψ_{fstOP_{+1} = fstOP_−} ↔ fstVal) ∧ G(ψ_{sndOP_{+1} = sndOP_−} ↔ sndVal)
The use of ↔ guarantees that fstVal labels exactly the white positions having the counter empty (and similarly for the second counter). The counters are never decreased from 0, thus the white positions not satisfying fstVal are exactly those having the first counter positive.
Finally, let us define ψ_A as ψ_enc-basics ∧ ψ_P ∧ ψ_P. The proof of the following fact relies on the correctness of Exercise 6 and is similar to the proof of Fact 8, thus we omit it.
Fact 9. If w satisfies ψ_A, then run(w) is a run of A.
Lastly, to show that the encoding is correct, we need to show that each run has a corresponding model. It is again easy: it can be shown by constructing an appropriate w; the white positions are defined according to (★), and the shadows can be constructed accordingly.
Fact 10. If w^A is a run of A, then there is a word w such that run(w) = w^A.
Let ψ^q_A := ψ_A ∧ F(to_q). Observe that the formula ψ^q_A is satisfiable if and only if A reaches q. The “if” part follows from Fact 9 and the satisfaction of the conjunct F(to_q) from ψ_A. The “only if” part follows from Fact 10. Hence, from undecidability of the reachability problem for Minsky machines we infer our main theorem:
Theorem 11. The satisfiability problem for LTL_{F,Half} is undecidable.
For a given alphabet Σ, we can define a Kripke structure K_Σ whose set of traces is the language (2^Σ)^+: the set of states S of K_Σ is composed of all subsets of Σ, all states are initial (i.e. I = S), a transition relation is the maximal relation (R = S × S) and ℓ(X) = X for any subset X ⊆ Σ. It follows that a formula ϕ over an alphabet Σ is satisfiable if and only if there is a trace of K_Σ satisfying ϕ. Hence, from the undecidability of the satisfiability problem for LTL_{F,Half} we get:
Theorem 12. Model-checking of LTL_{F,Half} formulae over Kripke structures is undecidable.
The decidability can be regained if additional constraints on the shape of Kripke structures are imposed: model-checking of LTL_{F,Half} formulae over flat structures is decidable [23].
As discussed earlier, the Half operator can be expressed in terms of the PM operator. Hence, as a corollary, we obtain:
Theorem 13. Model-checking and satisfiability problems for LTL_{F,PM} are undecidable.
The MFL operator is a little bit problematic. Typically, formulae depend only on the atomic propositions that they explicitly mention. Here, it is not the case. Consider a formula ϕ = MFL a and words w = {a}{}{a} and w = {a, b}{b}{a, b}. Clearly, w, ⊨ ϕ whereas w, ⊭ ϕ. This can be fixed in many ways – for example, by parametrising MFL with a domain, so that it expresses that “a is the most frequent letter among b ... b_n”. We show, however, that even this very basic version of MFL allows us to show undecidability. The proof is an adaptation of the proof from the previous section with a little twist inside.
Let us consider the macro Halfish ϕ := MFL p_ϕ ∧ MFL p_¬ϕ. It would be tempting to claim that Halfish b and Half b are equivalent, which would immediately allow us to repeat the undecidability proof of LTL_{F,Half} in our new setting. Unfortunately, the claim is false. Consider a word w = {a}, {a, b}, {a}. Then, w, ⊨ Half b, but w, ⊭ Halfish b, as a is the most frequent letter in the past. Thus, we need to work harder to define something Half-like.
Note that the presented counterexample distinguished Half and Halfish in a way that the letter a appeared more than half times in the past of the w, 2. We will call such a letter importunate. Formally, a letter p is importunate in w if there is an even prefix of w (which might be the whole word) such that p occurs at more than half of the positions in this prefix. We claim that the presence of importunate letters is the only reason for Half and Halfish not to be equivalent. The next fact follows immediately from the semantics of Halfish and Half:
Fact 14. The formulae Halfish ϕ and Half ϕ are equivalent over a word w satisfying G[(p_ϕ ↔ ϕ) ∧ (p_¬ϕ ↔ ¬ϕ)], iff w does not have any importunate letters.
By employing the above fact, we can implement the formula ψ^MFL_enc-basics, equivalent to ψ_enc-basics from the previous section. To do so, we replace each Half ϕ by Halfish p_ϕ and supplement it with G[(p_ϕ ↔ ϕ) ∧ (p_¬ϕ ↔ ¬ϕ)]. It can be easily checked that none of the letters p_ϕ, p_¬ϕ are importunate, and hence ψ^MFL_enc-basics works as expected.
The rewritings of ψ_P and ψ_P are no longer that simple. The main ingredient of ψ_P, namely ψ_{from_q = to_q}, expands to Half([wht ∧ from_q] ∨ [shdw ∧ ¬˜to_q]) and at any white position i > q such that the formula ¬([wht ∧ from_q] ∨ [shdw ∧ ¬˜to_q]) is satisfied by more than half of the past positions. Hence, we cannot define a letter equivalent to this formula, because such a letter would necessarily be importunate. To overcome this difficulty, we observe that it is sufficient to require that when from_q is not satisfied, then the number of previous occurrences of from_q is greater than or equal to the number of occurrences of to_q in the past. One can show by induction (by employing the fact that each white position is labelled by exactly one from_q and to_q for some q ∈ Q and it must be the state in which there are more from_q than to_q) that the number of from_q and to_q letters in the past is actually equal. To express the above, we employ the formula ψ^MFL_P defined as:
ψ^MFL_P := G(wht → ⋀_{q ∈ Q\{q}} (from_q ∨ MFL p_q)) ∧ ⋀_{q ∈ Q\{q}} G(p_q ↔ (shdw ∧ (from_q ∨ ¬˜to_q)))
Similarly, to express that the value of the first counter is 0, we employ a letter p_fstOP, which is satisfied by exactly half of the positions of an even prefix if the counter is zero, or by less than half of the positions of an even prefix otherwise.
G((p_fstOP ↔ (shdw ∧ (fstOP_− ∨ ¬˜fstOP_{+1}))) ∧ (p_sndOP ↔ (shdw ∧ (sndOP_− ∨ ¬˜sndOP_{+1}))))
We rewrite ψ_P to the formula ψ^MFL_P defined as the conjunction of the above formula and the counterpart of ψ_P, namely G(MFL p_fstOP ↔ fstVal) ∧ G(MFL p_sndOP ↔ sndVal).
Finally, let (ψ^q_A)^MFL := ψ^MFL_enc-basics ∧ ψ^MFL_P ∧ ψ^MFL_P ∧ F to_q. The proof that (ψ^q_A)^MFL has a model iff the machine A reaches q is basically the same as the proof of Theorem 11 — the main difference amounts to checking whether the intended models have no importunate letters. Undecidability of the model-checking problem is concluded by virtually the same argument as in Section 4.2. Hence:
Theorem 15. The model-checking and the satisfiability problems for LTL_{F,MFL} are undecidable.
We have shown that $\mathrm{LTL}_{F}$ with frequency operators leads to undecidability. Without the operators that can express $F$ (e.g. $F$, $G$ or $U$), the decision problems become NP-complete. Below we assume the standard semantics of the LTL operator $X$, i.e. $\mathbf{w}, i \models X\varphi$ iff $\mathbf{w}, i+1 \models \varphi$.

Theorem 16. Model-checking and satisfiability problems for $\mathrm{LTL}_{X,\mathrm{MFL},\mathrm{PM}}$ are NP-complete.

Proof. Let $\varphi \in \mathrm{LTL}_{X,\mathrm{MFL},\mathrm{PM}}$ be a formula of temporal depth $d$ (i.e. the number of most nested $X$ operators). Then it is easy to see that $\mathbf{w} \models \varphi$ iff $\mathbf{w}_{\leq d+1} \models \varphi$. Thus to solve the satisfiability problem it is sufficient to guess a word $\mathbf{w}_{\leq d+1}$ and to check (in polynomial time) if it satisfies $\varphi$. Thus the satisfiability problem is in NP. For the model checking problem, it amounts to guessing a fragment of a trace of a Kripke structure (of length $\leq d+1$) and testing if it satisfies $\varphi$, which can be done in NP. The matching lower bounds come from $\mathrm{LTL}_{X}$ [21].

The reason why the complexity of the logic $\mathrm{LTL}_{X,\mathrm{MFL},\mathrm{PM}}$ is so low is that the truth of the formula depends only on some initial fragment of a trace. This is, however, a big restriction of the expressive power. Thus, we consider a different approach motivated by the work of [28]. In the new setting, we allow the use of arbitrary LTL formulae as well as percentage operators as long as they are not mixed with $G$. We introduce a logic $\mathrm{LTL}_{\%}$, which extends the classical LTL [1] with the percentage operators of the form $P_{\bowtie k\%}\,\varphi$ for any $\bowtie\ \in \{\leq, <, =, >, \geq\}$, $k \in \mathbb{N}$ and $\varphi \in \mathrm{LTL}$. By way of example, the formula $P_{<20\%}(a)$ is true at a position $p$ if less than 20% of positions before $p$ satisfy $a$. The past majority operator is a special case of the percentage operator: $\mathrm{PM} \equiv P_{\geq 50\%}$. Formally:

$$\mathbf{w}, i \models P_{\bowtie k\%}\,\varphi \quad\text{if}\quad |\{ j < i : \mathbf{w}, j \models \varphi \}| \bowtie \tfrac{k}{100}\, i$$

To avoid undecidability, the percentage operators cannot appear under negation or be nested.
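The semantics of the percentage operator given above can be run directly. This is an added example, not code from the paper: a small evaluator over finite traces that reads the condition as "number of earlier positions satisfying ϕ, compared with k% of i" and treats PM as the ≥ 50% case. The tuple encoding of formulae, the function names and the sample trace are assumptions of this example.

```python
import operator

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}

def holds(f, w, i):
    """Decide w, i |= f on a finite trace w (a list of sets of letters).

    Formulae are nested tuples, an encoding assumed for this example:
      ("ap", a) ("not", g) ("and", g, h) ("or", g, h) ("X", g) ("F", g)
      ("P", op, k, g) for the percentage operator P_{op k%} g.
    """
    tag = f[0]
    if tag == "ap":
        return f[1] in w[i]
    if tag == "not":
        return not holds(f[1], w, i)
    if tag == "and":
        return holds(f[1], w, i) and holds(f[2], w, i)
    if tag == "or":
        return holds(f[1], w, i) or holds(f[2], w, i)
    if tag == "X":      # w, i |= X g  iff  w, i+1 |= g (false at the last position)
        return i + 1 < len(w) and holds(f[1], w, i + 1)
    if tag == "F":      # some position j >= i satisfies g
        return any(holds(f[1], w, j) for j in range(i, len(w)))
    if tag == "P":
        _, op, k, g = f
        count = sum(holds(g, w, j) for j in range(i))   # positions j < i only
        # count op (k/100)*i, compared in integers to avoid rounding errors
        return OPS[op](100 * count, k * i)
    raise ValueError(f"unknown connective {tag!r}")

def PM(g):
    """Past-Majority as the special case P_{>=50%}."""
    return ("P", ">=", 50, g)

def witnesses(psi1, op, k, psi2, w):
    """Positions p with w, p |= psi1 and P_{op k%} psi2, i.e. the witnesses
    that make F(psi1 and P_{op k%} psi2) true at position 0."""
    body = ("and", psi1, ("P", op, k, psi2))
    return [p for p in range(len(w)) if holds(body, w, p)]

# Constructed sample trace: one set of letters per position.
TRACE = [{"a"}, {"b"}, {"a"}, {"a", "b"}, {"b"}, {"b"}]
```

At position 0 the past is empty, so every non-strict percentage constraint holds there and every strict one fails.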
Therefore, the syntax of $\mathrm{LTL}_{\%}$ is defined with the following grammar:

$$\varphi, \varphi' ::= \psi_{\mathrm{LTL}} \mid \varphi \vee \varphi' \mid \varphi \wedge \varphi' \mid F(\psi_{\mathrm{LTL}} \wedge P_{\bowtie k\%}\,\psi'_{\mathrm{LTL}}),$$

where $\psi_{\mathrm{LTL}}, \psi'_{\mathrm{LTL}}$ are (full) LTL formulae.

The main tool used in the forthcoming decidability proof is the Parikh automaton [10]. A Parikh automaton $P = (A, E)$ over the alphabet $\Sigma$ is composed of a finite-state automaton $A$ accepting words from $\Sigma^{*}$ and a semi-linear set $E$ given as a system of linear inequalities with integer coefficients, where the variables are $x_a$ for $a \in \Sigma$. We say that $P$ accepts a word $\mathbf{w}$ if $A$ accepts $\mathbf{w}$ and the mapping assigning to each variable $x_a$ from $E$ the total number of positions of $\mathbf{w}$ carrying the letter $a$ is a solution to $E$. Checking non-emptiness of the language of $P$ can be done in NP [9].

Now we proceed with our main decidability result. It is obtained by constructing an appropriate Parikh automaton recognising the models of an input $\mathrm{LTL}_{\%}$ formula.

Theorem 17. The satisfiability problem for $\mathrm{LTL}_{\%}$ is decidable.

Proof. Let $\varphi \in \mathrm{LTL}_{\%}$. By turning $\varphi$ into a DNF, we can focus on checking satisfiability of some of its conjuncts. Hence, w.l.o.g. we assume that $\varphi = \varphi \wedge \bigwedge_{i=1}^{n} \varphi_i$, where $\varphi$ is in LTL and all $\varphi_i$ have the form $F(\psi_{i,} \wedge P_{\bowtie k_i\%}\,\psi_{i,})$ for some LTL formulae $\psi_{i,}$ and $\psi_{i,}$.

Observe that a word $\mathbf{w}$ is a model of $\varphi$ iff it satisfies $\varphi$ and for each conjunct $\varphi_i$ we can pick a witness position $p_i$ from $\mathbf{w}$ such that $\mathbf{w}, p_i \models \psi_{i,} \wedge P_{\bowtie k_i\%}\,\psi_{i,}$. Moreover, the percentage constraints inside such formulae speak only about the prefix $\mathbf{w}$

NExpTime upper bound on the problem: the automaton $P$ that we constructed is exponential in $\varphi$ (translating $\varphi$ to DNF does not increase the complexity since we only guess one conjunct, which is of polynomial size in $\varphi$). Moreover, checking non-emptiness can be done non-deterministically in time polynomial in the size of the automaton. Thus, the problem is decidable in NExpTime. The bound is not optimal: we conjecture that the problem is PSpace-complete. We believe that by employing techniques similar to [28], one can construct $P$ and check its non-emptiness on the fly, which should result in the PSpace upper bound.

For the model-checking problem, we observe that determining whether some trace of a Kripke structure $K = (S, I, R, l)$ satisfies $\varphi$ is equivalent to checking the satisfiability of the formula $\varphi_K \wedge \varphi$, where $\varphi_K$ is a formula describing all the traces of $K$. Such a formula can be constructed in a standard manner. For simplicity, we treat $S$ as a set of auxiliary letters, and consider the conjunction of (1) $\bigvee_{s \in I} s$, (2) $G(X\top \rightarrow \bigvee_{(s,s') \in R} (s \wedge X s'))$ and (3) $\bigwedge_{s \in S} G(s \rightarrow \bigwedge_{p \in l(s)} p)$, expressing that the trace starts with an initial state, consecutive positions describe consecutive states and that the trace is labelled by the appropriate letters. Therefore, the model-checking problem can be reduced in polynomial time to the satisfiability problem.

The
Two-Variable First-Order Logic on words, denoted here with $\mathrm{FO}^{2}[<]$, is a robust fragment of First-Order Logic FO interpreted on finite words. It involves quantification over variables $x$ and $y$ (ranging over the words' positions) and it admits a linear order predicate $<$ (interpreted as a natural order on positions) and the equality predicate $=$.

In this section, we investigate the logic $\mathrm{FO}^{2}_{M}[<]$, namely the extension of $\mathrm{FO}^{2}[<]$ with the so-called Majority quantifier $M$. Such a quantifier was intensively studied due to its close connection with circuit complexity and algebra, see e.g. [2, 6, 7]. Intuitively, the formula $Mx.\varphi$ specifies that at least half of all the positions in a model, after substituting $x$ with them, satisfy $\varphi$. Formally $\mathbf{w} \models Mx.\varphi$ holds, if and only if $\tfrac{|\mathbf{w}|}{2} \leq |\{ p \mid \mathbf{w}, p \models \varphi[x/p] \}|$. We stress that the formula $Mx.\varphi$ may contain free occurrences of the variable $y$.

The Majority quantifier shares similarities with the PM operator, but in contrast to PM, the $M$ quantifier counts globally. Taking advantage of the technique developed in the previous sections, we show that the satisfiability problem for $\mathrm{FO}^{2}_{M}[<]$ is also undecidable. It significantly sharpens an existing undecidability result for FO with Majority from [18] (since in our case the number of variables is limited) and for $\mathrm{FO}[<, \mathit{succ}]$ with Presburger Arithmetics from [17] (since our counting mechanism is limited and the successor relation $\mathit{succ}$ is disallowed).

There are three possible approaches to proving the undecidability of $\mathrm{FO}^{2}_{M}[<]$. The first one is to reproduce all the results for $\mathrm{LTL}_{F,\mathrm{PM}}$, which is rather uninspiring. The second one is to define a translation from $\mathrm{LTL}_{F,\mathrm{PM}}$ to $\mathrm{FO}^{2}_{M}[<]$ that produces an equisatisfiable formula. This is possible, but because of models of odd length, it involves a lot of case study. Here we present a third approach, which, we believe, gives the best insight: we show a translation from $\mathrm{LTL}_{F,\mathrm{PM}}$ to $\mathrm{FO}^{2}_{M}[<]$ that works for $\mathrm{LTL}_{F,\mathrm{PM}}$ formulae whose all models are shadowy. Since we only use such models in the proof of the undecidability of $\mathrm{LTL}_{F,\mathrm{PM}}$, this proves the undecidability of $\mathrm{FO}^{2}_{M}[<]$.

We first focus on defining shadowy words in $\mathrm{FO}^{2}_{M}[<]$. Before we start, let us introduce a bunch of useful macros in order to simplify the forthcoming formulae. Their names coincide with their intuitive meaning and their semantics.

$\mathrm{Half}\,x.\varphi := Mx.\varphi \wedge Mx.\neg\varphi$,
$\mathit{first}(x) := \neg\exists y\; y < x$,
$\mathit{second}(x) := \exists y\; y < x \wedge \forall y\; y < x \rightarrow \mathit{first}(y)$,
$\mathit{last}(x) := \neg\exists y\; y > x$,
$\mathit{sectolast}(x) := \exists y\; y > x \wedge \forall y\; y > x \rightarrow \mathit{last}(y)$

The last macro "uniquely distributes" letters from a finite set $\Sigma$ among the model, i.e. it ensures that each position is labelled with exactly one $\sigma$ from $\Sigma$.

$$\mathit{udistr}_{\Sigma} := \forall x \bigvee_{\sigma \in \Sigma} \sigma(x) \wedge \bigwedge_{\sigma, \sigma' \in \Sigma,\ \sigma \neq \sigma'} \big(\neg\sigma(x) \vee \neg\sigma'(x)\big)$$

Lemma 18. There is an $\mathrm{FO}^{2}_{M}[<]$ formula $\psi^{\mathrm{FO}}_{\text{shadowy}}$ defining shadowy words.

Proof. Let $\varphi^{\text{lem}}_{\text{base}}$ be a formula defining the language of all (non-empty) words, where the letters $\mathit{wht}$ and $\mathit{shdw}$ label disjoint positions in the way that the first position satisfies $\mathit{wht}$ and the total number of $\mathit{shdw}$ and $\mathit{wht}$ coincide. It can be written, e.g. with $\mathit{udistr}_{\{\mathit{wht}, \mathit{shdw}\}} \wedge \exists x\,(\mathit{first}(x) \wedge \mathit{wht}(x)) \wedge \mathrm{Half}\,x.\mathit{wht}(x) \wedge \mathrm{Half}\,x.\mathit{shdw}(x)$. To define shadowy words, it would be sufficient to specify that no neighbouring positions carry the same letter among $\{\mathit{wht}, \mathit{shdw}\}$. This can be done with, rather complicated at the first glance, formulae:

$$\varphi^{\text{forbid}}_{\mathit{wht}\cdot\mathit{wht}}(x) := \mathit{wht}(x) \rightarrow \mathrm{Half}\,y.\big([y < x \wedge \mathit{wht}(y)] \vee [x < y \wedge \mathit{shdw}(y)]\big),$$

$$\varphi^{\text{forbid}}_{\mathit{shdw}\cdot\mathit{shdw}}(x) := \mathit{shdw}(x) \rightarrow \mathrm{Half}\,y.\big([(y < x \vee x = y) \wedge \mathit{shdw}(y)] \vee [x < y \wedge \mathit{wht}(y)]\big).$$
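The base formula and the two "forbid" formulae can be checked mechanically. The following added example (not from the paper) evaluates them, conjoined under ∀x, on every word over {wht, shdw} up to a given length and compares the outcome with the alternating pattern wht, shdw, wht, shdw, … of even length, which is what this example takes "shadowy" to mean. Function names are assumptions; udistr holds by construction because each position carries exactly one letter.

```python
from itertools import product

WHT, SHDW = "wht", "shdw"

def M(word, pred):
    """Majority quantifier: at least half of all positions satisfy pred."""
    return 2 * sum(1 for y in range(len(word)) if pred(y)) >= len(word)

def half(word, pred):
    """Half y.phi := M y.phi and M y.(not phi): exactly half of the positions."""
    return M(word, pred) and M(word, lambda y: not pred(y))

def phi_base(word):
    # Non-empty, first position white, wht and shdw each on half of the positions.
    return (len(word) > 0 and word[0] == WHT
            and half(word, lambda y: word[y] == WHT)
            and half(word, lambda y: word[y] == SHDW))

def forbid_wht_wht(word, x):
    # wht(x) -> Half y.([y < x and wht(y)] or [x < y and shdw(y)])
    return word[x] != WHT or half(word, lambda y:
        (y < x and word[y] == WHT) or (x < y and word[y] == SHDW))

def forbid_shdw_shdw(word, x):
    # shdw(x) -> Half y.([(y < x or x = y) and shdw(y)] or [x < y and wht(y)])
    return word[x] != SHDW or half(word, lambda y:
        (y <= x and word[y] == SHDW) or (x < y and word[y] == WHT))

def psi_shadowy(word):
    """phi_base conjoined with both forbid formulae at every position x."""
    return phi_base(word) and all(
        forbid_wht_wht(word, x) and forbid_shdw_shdw(word, x)
        for x in range(len(word)))

def alternating(word):
    """Reading of 'shadowy' assumed here: wht, shdw, wht, shdw, ... of even length."""
    return (len(word) > 0 and len(word) % 2 == 0
            and all(c == (WHT if i % 2 == 0 else SHDW)
                    for i, c in enumerate(word)))

def counterexamples(max_len):
    """Words of length <= max_len on which the formula and the pattern disagree."""
    return [w for n in range(max_len + 1)
            for w in product((WHT, SHDW), repeat=n)
            if psi_shadowy(w) != alternating(w)]
```

The word wht wht shdw shdw passes the base formula (first letter white, equal counts) and is rejected only by the forbid formula at its second position, which shows why the counting constraints are needed in addition to the base formula.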
Finally, let $\psi^{\mathrm{FO}}_{\text{shadowy}} := \varphi^{\text{lem}}_{\text{base}} \wedge \forall x.\big(\varphi^{\text{forbid}}_{\mathit{wht}\cdot\mathit{wht}}(x) \wedge \varphi^{\text{forbid}}_{\mathit{shdw}\cdot\mathit{shdw}}(x)\big)$.

Showing that shadowness implies the satisfaction of $\psi^{\mathrm{FO}}_{\text{shadowy}}$ can be done via a straightforward induction. For the opposite direction, take $\mathbf{w} \models \psi^{\mathrm{FO}}_{\text{shadowy}}$. Since $\mathbf{w} \models \varphi^{\text{lem}}_{\text{base}}$ the only possibility for $\mathbf{w}$ to not be shadowy is to have two consecutive positions $p, p+1$ carrying the same letter. W.l.o.g. assume they are both white. Let $w$ be the number of white positions to the left of $p$ and let $s$ be the number of shadows to the right of $p$. By applying $\varphi^{\text{forbid}}_{\mathit{wht}\cdot\mathit{wht}}$ to $p$ we infer that $w + s = \tfrac{1}{2}|\mathbf{w}|$. On the other hand, by applying $\varphi^{\text{forbid}}_{\mathit{wht}\cdot\mathit{wht}}$ to $p+1$ it follows that $(w+1) + s = \tfrac{1}{2}|\mathbf{w}|$, which contradicts the previous equation. Hence, $\mathbf{w}$ is shadowy.

It is a classical result from [19] that $\mathrm{FO}^{2}[<]$ can express $\mathrm{LTL}_{F}$. We define a translation $\mathit{tr}_v(\varphi)$ from $\mathrm{LTL}_{F,\mathrm{PM}}$ to $\mathrm{FO}^{2}_{M}[<]$, parametrised by a variable $v$ (where $v$ is either $x$ or $y$ and $\bar{v}$ denotes the different variable from $v$), inductively. For $\mathrm{LTL}_{F}$ cases, we follow [19]:

$\mathit{tr}_v(a) := a(v)$, for a fresh unary predicate $a$ for each $a \in AP$,
$\mathit{tr}_v(\neg\varphi) := \neg\mathit{tr}_v(\varphi)$,
$\mathit{tr}_v(\varphi \wedge \varphi') := \mathit{tr}_v(\varphi) \wedge \mathit{tr}_v(\varphi')$,
$\mathit{tr}_v(F\varphi) := \exists\bar{v}\,(v < \bar{v} \vee v = \bar{v}) \wedge \mathit{tr}_{\bar{v}}(\varphi)$,
$\mathit{tr}_v(\mathrm{PM}\,\varphi) := M\bar{v}\,\big((\bar{v} < v \wedge \mathit{tr}_v(\varphi)) \vee (\neg(\bar{v} < v) \wedge \mathit{wht})\big)$.

Finally, for an $\mathrm{LTL}_{F,\mathrm{PM}}$ formula $\varphi$, let $\mathit{tr}(\varphi)$ stand for $\psi^{\mathrm{FO}}_{\text{shadowy}} \wedge \exists x.\,\mathit{first}(x) \wedge \mathit{tr}_x(\varphi)$.

The correctness of the translation can be shown by a straightforward induction employing the correctness of the translation from $\mathrm{LTL}_{F}$ to $\mathrm{FO}^{2}[<]$ from [19]. The only non-classical part here is the correctness of the last presented rule for the operator PM. We employ the following observation. Consider a word $\mathbf{w}$, a position $p$ and a formula $\varphi$. Assume that there are $k$ positions before $p$ satisfying $\varphi$. Observe that $k \geq \tfrac{p}{2}$ if and only if $k + \lfloor \tfrac{|\mathbf{w}| - p}{2} \rfloor \geq \tfrac{|\mathbf{w}|}{2}$. Indeed, if $p$ is even, then the above can be obtained by adding $\tfrac{|\mathbf{w}| - p}{2}$ to both sides. Otherwise, $p$ is odd, and by adding $\lfloor \tfrac{|\mathbf{w}| - p}{2} \rfloor$ to both sides we obtain $k + \lfloor \tfrac{|\mathbf{w}| - p}{2} \rfloor \geq \tfrac{p}{2} + \lfloor \tfrac{|\mathbf{w}| - p}{2} \rfloor = \tfrac{|\mathbf{w}|}{2} - \tfrac{1}{2}$. Since the left-hand side is a natural number and the right-hand side is not, we can round the latter up and obtain the required inequality. Observe that $\lfloor \tfrac{|\mathbf{w}| - p}{2} \rfloor$ is exactly the number of white positions that are not before $p$. Thus, $k$ is at least $\tfrac{p}{2}$ if and only if $k$ plus the number of white positions that are not before $p$ is greater than or equal to $\tfrac{|\mathbf{w}|}{2}$. Thus we conclude:

Lemma 19. An $\mathrm{LTL}_{F,\mathrm{PM}}$ formula $\varphi$ has a shadowy model if and only if $\mathit{tr}(\varphi)$ has a model.

Since the formulae used in our undecidability proof for $\mathrm{LTL}_{F,\mathrm{PM}}$ have only shadowy models, by Lemma 19 we immediately conclude that $\mathrm{FO}^{2}_{M}[<]$ is also undecidable.

Theorem 20.
The satisfiability problem for $\mathrm{FO}^{2}_{M}[<]$ is undecidable.

We have provided a simple proof showing that adding different percentage operators to $\mathrm{LTL}_{F}$ yields undecidability. We showed that our technique can be applied to an extension of first-order logic on words, and we hope that our work will turn useful in showing undecidability for other extensions of temporal logics. Decidability results for logics with percentage operators in restricted contexts are also provided.

References

[1] Amir Pnueli. The Temporal Logic of Programs. In FOCS 1977.
[2] Andreas Krebs. Typed semigroups, majority logic, and threshold circuits. PhD thesis, University of Tübingen, Germany, 2008.
[3] Benedikt Bollig, Normann Decker, and Martin Leucker. Frequency Linear-time Temporal Logic. In TASE 2012.
[4] J. Richard Büchi. Weak Second-Order Arithmetic and Finite Automata. Mathematical Logic Quarterly 1960.
[5] Michaël Cadilhac, Alain Finkel, and Pierre McKenzie. Affine Parikh automata. RAIRO Theor. Informatics Appl. 2012.
[6] Christoph Behle and Andreas Krebs. Regular Languages in MAJ[>] with three variables. ECCC 2011.
[7] Christoph Behle, Andreas Krebs, and Stephanie Reifferscheid. Regular Languages Definable by Majority Quantifiers with Two Variables. In DLT 2009.
[8] Stéphane Demri, Valentin Goranko, and Martin Lange. Temporal Logics in Computer Science: Finite-State Systems. Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 2016.
[9] Diego Figueira and Leonid Libkin. Path Logics for Querying Graphs: Combining Expressiveness and Efficiency. In LICS 2015.
[10] Felix Klaedtke and Harald Rueß. Monadic Second-Order Logics with Cardinalities. In ICALP 2003.
[11] François Laroussinie, Antoine Meyer, and Eudes Petonnet. Counting LTL. In TIME 2010.
[12] Giuseppe De Giacomo and Moshe Y. Vardi. Linear Temporal Logic and Linear Dynamic Logic on Finite Traces. In IJCAI 2013.
[13] Giuseppe De Giacomo and Moshe Y. Vardi. Synthesis for LTL and LDL on Finite Traces. In IJCAI 2015.
[14] Jochen Hoenicke, Roland Meyer, and Ernst-Rüdiger Olderog. Kleene, Rabin, and Scott Are Available. In CONCUR 2010.
[15] Joël Ouaknine and James Worrell. On the decidability and complexity of Metric Temporal Logic over finite words. Logical Methods in Computer Science 2007.
[16] Jorge A. Baier and Sheila A. McIlraith. Planning with First-Order Temporally Extended Goals using Heuristic Search. In AAAI 2006.
[17] Kamal Lodaya and A. V. Sreejith. Two-Variable First Order Logic with Counting Quantifiers: Complexity Results. In DLT 2017.
[18] Klaus-Jörn Lange. Some Results on Majority Quantifiers over Words. In CCC 2004.
[19] Kousha Etessami, Moshe Y. Vardi, and Thomas Wilke. First-Order Logic with Two Variables and Unary Temporal Logic. Inf. Comput. 2002.
[20] Matthias Niewerth. Data definition languages for XML repository management systems. PhD thesis, Technical University of Dortmund, Germany, 2016.
[21] Michael Bauland, Martin Mundhenk, Thomas Schneider, Henning Schnoor, Ilka Schnoor, and Heribert Vollmer. The tractability of model checking for LTL: The good, the bad, and the ugly fragments. ACM Trans. Comput. Log. 2011.
[22] Marvin L. Minsky. Computation: Finite and Infinite Machines. Prentice-Hall Series in Automatic Computation. Prentice-Hall, 1967.
[23] Normann Decker, Peter Habermehl, Martin Leucker, Arnaud Sangnier, and Daniel Thoma. Model-Checking Counting Temporal Logics on Flat Structures. In CONCUR 2017.
[24] Patricia Bouyer, Nicolas Markey, and Raj Mohan Matteplackel. Averaging in LTL. In CONCUR 2014.
[25] Rajeev Alur and Thomas A. Henzinger. Real-Time Logics: Complexity and Expressiveness. Inf. Comput. 1993.
[26] Shaull Almagor, Udi Boker, and Orna Kupferman. Discounting in LTL. In TACAS 2014.
[27] Stéphane Demri. LTL over integer periodicity constraints. Theor. Comput. Sci. 2006.
[28] Udi Boker, Krishnendu Chatterjee, Thomas A. Henzinger, and Orna Kupferman. Temporal Specifications with Accumulative Values. ACM Trans. Comput. Log. 2014.
[29] Witold Charatonik and Piotr Witkowski. Two-variable Logic with Counting and a Linear Order.