Synchronized CTL over One-Counter Automata

A One Counter Automaton (OCA) is a triple ${\mathcal{A}}=\langle S,\Delta,L\rangle$, where $S$ is a finite set of states, $\Delta\subseteq(S\times\{\texttt{=0},\texttt{>0}\}\times\{0,+1,-1\}\times S)$ is a transition relation, and $L:S\to AP$, for some finite set $AP$ of atomic propositions, is the state labeling.

A pair $(s,v)\in S\times\mathbb{N}$ is a configuration of ${\mathcal{A}}$. We write $(s,v)\to_{t}(s^{\prime},v^{\prime})$ for a transition $t\in\Delta$ if one of the following holds:

• •

  $t=(s,\texttt{=0},e,s^{\prime})$, with $e\in\{0,+1\}$, $v=0$ and $v^{\prime}=e$, or

• •

  $t=(s,\texttt{>0},e,s^{\prime})$, with $e\in\{0,+1,-1\}$, $v>0$ and $v^{\prime}=v+e$.

We write $(s,v)\to(s^{\prime},v^{\prime})$ if $(s,v)\to_{t}(s^{\prime},v^{\prime})$ for some $t\in\Delta$.

We require that $\Delta$ is total, in the sense that for every configuration $(s,v)$ we have $(s,v)\to(s^{\prime},v^{\prime})$ for some configuration $(s^{\prime},v^{\prime})$. Note that this is a syntactic requirement — every state should have outgoing transitions on both =0 and >0. This corresponds to the standard requirement of Kripke structures that there are no deadlocks. We denote by $|{\mathcal{A}}|$ the number of states of ${\mathcal{A}}$. Note that the description size of ${\mathcal{A}}$ is therefore polynomial in $|{\mathcal{A}}|$.

A path of ${\mathcal{A}}$ is a sequence of transitions $\tau=t_{1},\ldots,t_{k}$ such that there exist states $s_{0},\ldots,s_{k}$ where $t_{i}=(s_{i-1},\bowtie_{i},e_{i},s_{i})$ with $\bowtie_{i}\in\{\texttt{=0},\texttt{>0}\}$ for all $1\leq i\leq k$. We say that $\tau$ is valid from starting counter $v_{0}$ (or from configuration $(s_{0},v_{0})$), if there are counters $v_{0},\ldots,v_{k}\in\mathbb{N}$ such that for all $1\leq i<k$ we have $(s_{i-1},v_{i-1})\to_{t_{i}}(s_{i},v_{i})$. We abuse notation and refer to the sequence of configurations also as a path, starting in $(s_{0},v_{0})$ and ending in $(s_{k},v_{k})$. The length of the path $\tau$ is $k$, and we define its $\emph{effect}(\pi)=\sum_{i=1}^{k}e_{i}$.

We also allow infinite paths, in which case there are no end configurations and the length is $\infty$. In this case we explicitly mention that the path is infinite. We say that $\tau$ is balanced/positive/negative if $\emph{effect}(\tau)$ is zero/positive/negative, respectively. It is a cycle if $s_{0}=s_{k}$, and it has a cycle $\beta$, if $\beta$ is a cycle and is a contiguous infix of $\tau$.

A CTL+Sync formula $\varphi$ is given by the following syntax, where $q$ stands for an atomic proposition from a finite set $AP$ of atomic propositions.

We proceed to the semantics. Consider an OCA ${\mathcal{A}}=\langle S,\Delta,L\rangle$, a configuration $(s,v)$, and a CTL+Sync formula $\varphi$. Then ${\mathcal{A}}^{(s,v)}$ satisfies $\varphi$, denoted by ${\mathcal{A}}^{(s,v)}\models\varphi$ , as defined below.

• Boolean Opeartors:

  • –

    ${\mathcal{A}}^{(s,v)}\models\mathtt{true}$; ${\mathcal{A}}^{(s,v)}\not\models\mathtt{false}$  •  ${\mathcal{A}}^{(s,v)}\models q$ if $q\in L(s)$.

  • –

    ${\mathcal{A}}^{(s,v)}\models\neg\varphi$ if ${\mathcal{A}}^{(s,v)}\not\models\varphi$.       •  ${\mathcal{A}}^{(s,v)}\models\varphi\land\psi$ if ${\mathcal{A}}^{(s,v)}\models\varphi$ and ${\mathcal{A}}^{(s,v)}\models\psi$ .

• CTL temporal operators:

  • –

    ${\mathcal{A}}^{(s,v)}\models EX\varphi$ if $(s,v)\to(s^{\prime},v^{\prime})$ for some configuration $(s^{\prime},v^{\prime})$ such that ${\mathcal{A}}^{(s^{\prime},v^{\prime})}\models\varphi$.

  • –

    ${\mathcal{A}}^{(s,v)}\models E\varphi U\psi$ if there exists a valid path $\tau$ from $(s,v)$ and $k\geq 0$, such that ${\mathcal{A}}^{\tau[k]}\models\psi$ and for every $j\in[0..k-1]$, we have ${\mathcal{A}}^{\tau[j]}\models\varphi$.

  • –

    ${\mathcal{A}}^{(s,v)}\models A\varphi U\psi$ if for every valid path $\tau$ from $(s,v)$ there exists $k\geq 0$, such that ${\mathcal{A}}^{\tau[k]}\models\psi$ and for every $j\in[0..k-1]$, we have ${\mathcal{A}}^{\tau[j]}\models\varphi$.

• Synchronization operators:

  • –

    ${\mathcal{A}}^{(s,v)}\models\varphi UA\psi$ if there exists $k\geq 0$, such that for every valid path $\tau$ from $(s,v)$ of length $k$ and for every $j\in[0..k-1]$ we have ${\mathcal{A}}^{\tau[j]}\models\varphi$ and ${\mathcal{A}}^{\tau[k]}\models\psi$.

  • –

    ${\mathcal{A}}^{(s,v)}\models\varphi UE\psi$ if there exists $k\geq 0$, such that for every $j\in[0..k-1]$ there exists a valid path $\tau$ from $(s,v)$ of length $k$ such that ${\mathcal{A}}^{\tau[j]}\models\varphi$ and ${\mathcal{A}}^{\tau[k]}\models\psi$.

Presburger Arithmetic (PA) [20] is the first-order theory $\textrm{Th}(\mathbb{N},0,1,+,<,=)$ of $\mathbb{N}$ with addition and order. We briefly survey the results we need about PA, and refer the reader to [14] for a detailed survey.

For our purposes, a PA formula $\varphi(x_{1},\ldots,x_{d})$, where $x_{1},\ldots,x_{d}$ are free variables, is evaluated over $\mathbb{N}^{d}$, and defines the set $\{(a_{1},\ldots,a_{d})\in\mathbb{N}^{d}\mid(a_{1},\ldots,a_{d})\models\varphi(x_{1},\ldots,x_{d})\}$. It is known that PA is decidable in 2-\NEXP [8, 11].

A linear set is a set of the form $\mathrm{Lin}(B,P)=\{\boldsymbol{b}+\lambda_{1}\boldsymbol{p_{1}}+\ldots\lambda_{k}\boldsymbol{p_{k}}\mid\boldsymbol{b}\in B,\ \lambda_{1}\ldots,\lambda_{k}\in\mathbb{N}\}$ where $B\subseteq\mathbb{N}^{d}$ is a finite basis and $P=\{\boldsymbol{p_{1}},\ldots,\boldsymbol{p_{k}}\}\subseteq\mathbb{N}^{d}$ are the periods. A semilinear set is then a finite union of linear sets. A fundamental result about PA [12] is that the sets definable in PA are exactly the semilinear sets, and moreover, one can effectively obtain from a PA formula $\varphi$ a description of the semilinear set satisfying a formula $\varphi$, and vice versa.

In dimension $1$, semilinear sets are finite unions of arithmetic progressions. By taking the $\mathrm{lcm}$ of the (nonzero) periods of the progressions and modifying the basis accordingly, we can assume a uniform nonzero period, and an additional finite set (corresponding to the zero period). That is, a semilinear set $S\subseteq\mathbb{N}$ is $\mathrm{Lin}(B,\{p\})\cup C$ for effectively computable finite sets $B,C\subseteq\mathbb{N}$ and $p\in\mathbb{N}$.

A fundamental part of our proof involves delicately pumping and removing cycles to achieve specific counter values and/or lengths of paths. We do this with the following technical tools.

For a path $\tau$, we define the slope of $\tau$ as $\frac{\emph{effect}(\tau)}{|\tau|}$. Recall that a basic path is of the form $\tau=\alpha_{0}\beta_{1}^{e_{1}}\alpha_{1}\cdots\beta_{k}^{e_{k}}\alpha_{k}$ adhering to some LPS, where $k=O(|{\mathcal{A}}|)$ and each $\alpha_{i}$ and $\beta_{i}$ is of length $poly(|{\mathcal{A}}|)$. We denote by $b$ the maximum flat length of any LPS for a basic path. In particular, $b$ bounds the flat length of the LPS, the size of it, and the length of any cycle or path in it.

We call a cycle basic if it is of length at most $b$. A slope of a path is basic if it may be the slope of a basic cycle, namely if it equals $\frac{x}{y}$, where $x\in[-b..b],y\in[1..b]$ and $|x|\leq y$. We denote the basic slopes by $\texttt{s}_{i}$, starting with $\texttt{s}_{1}$ for the smallest. For example for $b=3$, the basic slopes are $(\texttt{s}_{1}\!\!=\!\!-1,\,\texttt{s}_{2}\!\!=\!\!-\frac{2}{3},\,\texttt{s}_{3}\!\!=\!\!-\frac{1}{2},\,\texttt{s}_{4}\!\!=\!\!-\frac{1}{3},\,\texttt{s}_{5}\!\!=\!\!0,\,\texttt{s}_{6}\!\!=\!\!\frac{1}{3},\,\texttt{s}_{7}\!\!=\!\!\frac{1}{2},\,\texttt{s}_{8}\!\!=\!\!\frac{2}{3},\,\texttt{s}_{9}\!\!=\!\!1)$. Observe that for every $i$, we have $|\texttt{s}_{i}|\geq\frac{1}{b}$, and for every $j>i$, we have $\texttt{s}_{j}-\texttt{s}_{i}\geq\frac{1}{b^{2}}$ and when they are both negative, also $\frac{\texttt{s}_{j}}{\texttt{s}_{i}}\leq 1-\frac{1}{b^{2}}$.

In order to prove Theorem 5.1, we show that every computation tree of ${\mathcal{A}}$, starting from a big enough counter value $v>\texttt{cT}$, has a ‘segmented periodic’ structure with respect to $\varphi$. That is, we can divide its levels into $poly(n)$ many segments, such that only the first $\texttt{sT}\in Exp(n,|\varphi|$) levels in each segment are in the ‘core’, while every other level $\ell$ is a sort-of repetition of the level $\ell-\texttt{P}$, for a period $\cP$. We further show that there is a similarity between the cores of computation trees starting with counter values $v$ and $v+\texttt{P}$. We depict the segmentation in Figure 2, and formalize it as follows.

Consider a formula $\varphi=\psi_{1}UA\psi_{2}$, where $\psi_{1}$ and $\psi_{2}$ are $(\texttt{cT}(\psi_{1}),\texttt{P}(\psi_{1}))$- and $(\texttt{cT}(\psi_{2}),\texttt{P}(\psi_{2}))$-periodic, respectively. We define several constants to use throughout the proof.

• Constants depending only on the number $n$ of states in the OCA

• •

  $b\in Poly(n)$: the bound on the length of a linear path scheme on ${\mathcal{A}}$.

• •

  $B=\mathrm{lcm}[1..2b^{3}]$.

• Constants depending on $n$ and the CTL+UA formula $\varphi$

• •

  ${\texttt{P}_{prev}}(\varphi)=\mathrm{lcm}(\texttt{P}(\psi_{1}),\texttt{P}(\psi_{2}))$ – the unified period of the subformulas.

• •

  ${\texttt{cT}_{prev}}(\varphi)=\max(\texttt{cT}(\psi_{1}),\texttt{cT}(\psi_{2}))$ – the unified counter threshold of the subformulas.

• •

  $\texttt{P}(\varphi)=B\cdot{\texttt{P}_{prev}}(\varphi)$ – the ‘period’ of $\varphi$.

• •

  $\texttt{sT}(\varphi)=b^{9}\cdot\texttt{P}(\varphi)$ – the ‘segment threshold’ of $\varphi$.

• •

  $\texttt{cT}(\varphi)=b^{11}\cdot\texttt{P}(\varphi)$ – the ‘counter threshold’ of $\varphi$.

Eventually, these periodicity constants are plugged into the inductive cases of Theorem 3.3, as shown in the proof of Theorem 5.1. Then, all the constants are single-exponential in $n$ and the nesting depth of $\varphi$. Notice that the following relationship holds between the constants.

When clear from the context, we omit the parameter $\varphi$ from $\texttt{P},\texttt{sT},\texttt{cT},{\texttt{P}_{prev}},{\texttt{cT}_{prev}}$.

We provide below an intuitive explanation for the choice of constants above.

The period has two different roles: level-periodicity within each segment of a computation tree, and counter-value periodicity between two computation trees starting with different counter values.

Level periodicity within a segment: For lengthening or shortening a basic path by P, we add and/or remove some copies of its cycles. Adding or removing ${\texttt{P}_{prev}}$ copies of the same cycle guarantees that the end counter values of the original and new paths are equivalent modulo ${\texttt{P}_{prev}}$. Since the cycles in a basic path are of length in $[0..b]$, setting P to be divisible by ${\texttt{P}_{prev}}\cdot\mathrm{lcm}[1..b]$, allows to add or remove $\frac{\texttt{P}}{|c|}$ copies of a cycle $c$, where $\frac{\texttt{P}}{|c|}$ is divisible by ${\texttt{P}_{prev}}$, as desired. Yet, we might need to add copies of one cycle and remove copies of another, thus, as per Proposition 5.6, we need P to be divisible by ${\texttt{P}_{prev}}\cdot lcm[1..2b^{2}]$.

Counter periodicity between computation trees: We change a path $\tau$ that starts with a counter value $v$ to a path that starts with a counter value $v+\texttt{P}$, or vice versa, by lengthening or shortening it by $\frac{\texttt{P}}{\texttt{s}}$, respectively, where s is a positive basic slope. In some cases, we need to also make sure that the longer or shorter path has a drop bigger or smaller, respectively, than $\tau$ by exactly P.

As $\frac{\texttt{P}}{\texttt{s}}$ is bounded by $b\cdot\texttt{P}$, if there are at least $b\cdot\texttt{P}$ repetitions of a cycle $c$ in $\tau$ whose slope is $-\texttt{s}$, we can just add or remove $\frac{b\cdot\texttt{P}}{|c|}$ copies of $c$, so we need P to be divisible by ${\texttt{P}_{prev}}\cdot\mathrm{lcm}[1..b]$, for guaranteeing that the counter values at the end of the original and new paths are equivalent. Yet, in some cases we need to combine two cycles, as per Proposition 5.5. As the combination of the two cycles might be of length up to $2b^{3}$, we need P to be divisible by ${\texttt{P}_{prev}}\cdot\mathrm{lcm}[1..2b^{3}]$.

In order to apply Propositions 5.5 and 5.6, we need to have in the handled path many repetitions of two cycles of different slopes. We thus choose cT and sT to be large enough so that paths in which only one (negative) cycle slope is repeated many times must hit zero within a special region called the ‘core’ of the tree, as defined below.

For every counter value ${v}>\texttt{cT}$, the ‘core’ with respect to a fixed formula $\varphi$, denoted by $\texttt{core}({v})\subseteq\mathbb{N}$, of a computation tree of ${\mathcal{A}}$ that starts with a counter value ${v}$ consists of $m+1<b^{2}$ segments, with each segment corresponding to a negative basic slope and having sT consequent numbers. For every $i\in[0..m]$, the start of Segment $i$ depends on the initial counter value $v$ of the computation tree, it is denoted by $\mathsection_{i}(v)$, and it is defined as follows:

• •

  $\mathsection_{0}(v)=0$,

• •

  For $i\in[1..m]$, we set $\mathsection_{i}(v)=\frac{-1}{\texttt{s}_{i}}(v-{\texttt{cT}_{prev}})-b^{8}\cdot\texttt{P}$.

• •

  For convenience, we also define $\mathsection_{m{+}1}(v)=\infty$.

Then, we define $\texttt{core}(v)=\bigcup_{i=0}^{m}[\mathsection_{i}(v)..(\mathsection_{i}(v)+\texttt{sT}-1)]$.

Observe that the core of every tree is an ordered list of $((m+1)\cdot\texttt{sT})$ numbers (levels), while just the starting level of every segment depends on the initial counter value $v$. We can thus define a bijection $\textsf{shift}:\texttt{core}(v)\to\texttt{core}(v+\texttt{P})$ that maps the $i$-th number in $\texttt{core}({v})$ to the $i$-th number in $\texttt{core}({v+\texttt{P}})$ (see also Figure 2).

Recall that we define sT so that, intuitively, if a path is long enough to reach $\mathsection_{i}(v)+\texttt{sT}$ without reaching counter value ${\texttt{cT}_{prev}}$, then the path must have many cycles with a slope larger than $\texttt{s}_{i}$, and if the path manages to reach ${\texttt{cT}_{prev}}$ before $\mathsection_{i+1}(v)$ (namely the end of Segment $i$), then it must have many cycles with a slope at least as small as $\texttt{s}_{i}$. This is formalized as follows.

As a sanity check, the lemma states that if a path $\tau$ reaches ${\texttt{cT}_{prev}}$ for the first time at length $\ell\in[\mathsection_{1}(v){+}\frac{\texttt{sT}}{2}\leavevmode\nobreak\ ..\leavevmode\nobreak\ \mathsection_{2}(v))$, then it has many cycles with slope $\texttt{s}_{1}=-1$ (enough to decrease down to ${\texttt{cT}_{prev}}$ before $\mathsection_{2}(v)$), as well as many cycle with slope at least $\texttt{s}_{2}=\frac{-(b-1)}{b}$ (enough to keep above ${\texttt{cT}_{prev}}$ through $\mathsection_{1}(v)+\frac{\texttt{sT}}{2}$). Observe also that a path cannot reach ${\texttt{cT}_{prev}}$ at Segment $0$, namely before $\mathsection_{1}(v)$.

Consider a threshold $T$ and period $P$. We say that counter values $u,v$ are $(T,P)$-equivalent, denoted by $u\equiv_{T,P}v$ if either $u,v\geq T$ and $P$ divides $|u-v|$, or $u,v<T$ and $u=v$. That is, either both $u,v$ are greater than $T$, in which case they are equivalent modulo $P$, or they are both smaller than $T$ and are equal.

The segment periodicity within a computation tree is then stated as Claim 1 in Lemma 5.9 below, while the similarity between computation trees starting from counters $v$ and $v+\texttt{P}$ as Claim 2. (By $(s,v)\stackrel{{\scriptstyle\ell}}{{\leadsto}}(s^{\prime},v^{\prime})$ we mean that the computation tree starting with state $s$ and counter value $v$ has a path of length $\ell$ ending in state $s^{\prime}$ and counter value $v^{\prime}$.)