Symbolic model checking of tense logics on rational Kripke models

Sym b olic mo del c hec king of tense logics on rational Kripk e mo dels Wilmari Bekker 1 and V alentin Goranko 2 1 Universit y of Johannesburg and Univers ity of the Wit watersra nd , Johannesburg, bekkerw@gm ail.com 2 Universit y of the Witw atersrand, Johannesburg, goranko@ma ths.wits.ac.za Abstract. W e in tro duce the class of r ational Kripke mo dels and study symbolic mod el chec king of the basic tense logic K t and some extensions of i t in models from that class. R ational Kripke models are based on (gen- erally infi nite) r ational gr aphs , with vertice s lab eled by the words in some regular language and transitions recognized by asynchronous tw o-head finite automata, also known as r ational tr ansduc ers . Every atomic prop o- sition in a rational Kripke model is ev aluated in a regular set of states. W e show that ev ery formula of K t has an effectively compu table regu- lar ex tension in every rational Kripke mo del, and therefore local model chec king and global model checking of K t in rational Kripke mo dels are decidable. These results are lif ted to a num b er of extensions of K t . W e study and partly determine th e complexity of the mod el c hecking proced ures. 1 In tro duction V erification of mo dels with infinite state space s using algorithmic sy mbo lic mo del chec king techniques has been an increasingly a ctive a rea o f resea rch ov er recent years. O ne v ery successful appr oach to infinite sta te verification is based on the representation of sets o f states and tra nsitions by means o f automa ta. It is the basis of v arious automata-bas ed techniques for mo de l chec king, e.g., of linea r and branching-time tempor al logics on finite tr a nsition systems [23,17], r egular mo del chec king [7], pushdown systems [8,24,11], automatic structures [14,6] etc. In most of the studied cases of infinite-state s y mbolic mo de l ch ecking (except for automatic structures ), the logical languages ar e sufficiently express ive for v arious reachabilit y pr op erties, but the clas ses o f mo dels are relatively restricted. In this pap er we study a la rge and natural class of r ational Kripke mo dels , on which global mo del checking of the basic tense 3 logic K t (with fo r ward and backw ard one-step mo dalities) and o f some extensions thereof, a re decidable. The language of K t is sufficient for expres s ing lo c al pr op ert ies , i.e., those referr ing to a b ounded width neighborho o d of predecess ors or s uccessor s of the current s tate. 3 W e u se the term ‘tense’ rather than ‘temp oral’ to emphasize that th e accessi bility relation is not assumed transitiv e, as in a u sual flow of time. In particular , pr e-conditions and p os t- c onditions are lo cal, but not r eachabilit y prop erties. Kesten et al [15] have formulated the following minimal requir ements for an assertional language L to b e ade quate for symb olic mo del che cki ng : 1. The p rop erty to b e verifie d and the i n itial conditions (i.e., the set of initial states) should be expressible in L . 2. L should b e effectively clo sed under the b o olean op eratio ns, and should p ossess an algorithm for deciding equivalence of tw o assertions. 3. There should exist an algorithm for co nstructing the predicate transformer pr ed , where pred ( φ ) is an assertion characterizing the set of states that have a successor state satisfying φ . Assuming that the pro p er ty to be verified is express ible in K t , the first con- dition ab ov e is satisfied in our case. Regarding the set of initial states, it is usually assumed a sing le ton, but certainly an effective s et, and it can b e r e pre- sented by a specia l moda l constant S . The second condition is clearly satisfied, assuming the equiv alence is with resp ect to the mo del on which the v erifica tio n is b eing do ne. As for the third co ndition, pr e d ( φ ) = h R i φ . Th us, the basic mo da l logic K is the minimal natur al lo gic al language satisfying these r e quir ements , and hence it suffices for sp ecification o f pr e-c onditions ov er reg ula r sets of states. The tense extension K t enables spec ific a tion of p ost-conditions, a s w ell, thus b eing the basic adequate logic for s pe c ifying lo c al pr op erties of transition systems and warrant ing the p o tential utilit y of the work done in the present pap er. In par - ticular, p otential areas of applications of mo del c hecking o f the basic tense lo gic to verification of infinite state systems a re b ounde d mo del che cking [2], applied to infinite state systems , and (when extended with reachabilit y) r e gular mo del che cking [7] – a framework for alg orithmic verification of gener ally infinite state systems which essentially inv olves co mputing reachability sets in regula r Kripke mo dels. The pap er is or ganized as follows: in Section 2 we in tro duce K t and rational transducers. Section 3 intro duces and discuss e s r ational K r ipke models, and in Section 4 we intro duce synchronized pro ducts of transducer s and automata. W e use them in Section 5 to show decida bilit y of globa l and lo cal symbo lic mo del chec king of K t in rational Kripke mo dels and in Section 6 we dis cuss its complexity . The mo del chec king results a re str engthened in Section 7 to h ybr id and other extensions of H t ( U ), for which some mode l checking tasks remain decidable. 2 Preliminaries 2.1 The basic tense logic K t W e consider tr ansition systems with one transition relation R . The b asic t en se lo gic K t for such tra nsition sys tems extends the clas sical pr op ositional log ic with t wo unar y mo dalities: one asso ciated with R and the other with its inv ers e R − 1 , resp ectively deno ted by [ R ] and [ R − 1 ]. The generaliza tion o f what follows to the cas e of lang uages and mo dels for transition s ystems with many relations is straightforward. Note that the relation R is not as s umed tra ns itive, and therefore the language o f K t cannot express R -reachability pro p erties. 2.2 Rational transducers and rational relations Rational transducers , studied by Eile nber g [9], Elgot and Mezei [10], Niv at, Berstel [1], etc., a re asynchr onous automata on pa ir s o f words. Intuitiv ely , these are finite auto mata with tw o autonomous heads that read the input pa ir of words asynchronously , i.e. each of them c a n read a rbitrar ily farther ahea d of the other . The transitions ar e determined by a finite set of pairs of (p os sibly empt y) words; alternatively , a tra nsition can b e la b eled either by a pair of letters (when both heads make a mov e on their resp ective words) or b y h a, ǫ i or h ǫ, a i , w he r e a is a letter, and ǫ is the empty word (when one of the hea ds r eads on, while the o ther is w aiting). The formal definition follows. Definition 1. A (r ational) tr ansduc er is a tuple T = h Q, Σ , Γ, q i , F, ρ i wher e Σ and Γ ar e the input and output alphab ets r esp e ctively , Q a set of states, q i ∈ Q a un ique starting state, F ⊆ Q a set of ac c epting states and ρ ⊆ Q × ( Σ ∪ { ε } ) × ( Γ ∪ { ε } ) × Q is the tr ansition r elation, c onsisting of finitely many t u ples, e ach c ontaining the curr ent state, the p air of letters (or ε ) triggering the tr ansition, and the new state. Al ternatively, one c an take ρ ⊆ Q × Σ ∗ × Γ ∗ × Q . The language r e c o gnize d by the tra nsduc er T is the set of al l p airs of wor ds for which it has a r e ading t hat ends in an ac c epting state. Thus, the tr ansduc er T r e c o gnizes a binary r elation R ⊆ Σ ∗ × Γ ∗ . This is the ‘static’ definition of r ational transducer s; they can a lso b e defined ‘dynamically’, as r eading an input word, and transfor ming it into an output word, according to the transition relation which is now regarded as a mapping from w ords to sets of words (b ecause it can be non-deterministic). Example 1. F o r T = h Q, Σ , Γ , q i , F, ρ i let: Q = { q 1 , q 2 } ; Σ = { 0 , 1 } = Γ ; q i = q 1 ; F = { q 2 } ; ρ = { ( q 1 , 0 , 0 , q 1 ) , ( q 1 , 1 , 1 , q 1 ) , ( q 1 , ǫ, 0 , q 2 ) , ( q 1 , ǫ, 1 , q 2 ) } Notice tha t in the r epresentation of T there is only one edge between tw o states but that an edge may hav e mor e than one lab el. A re la tion R ⊆ Σ ∗ × Γ ∗ is rational if it is reco g nizable by a rationa l trans- ducer. E quiv alen tly (see [1]), given finite alphab ets Σ , Γ , a (binary) rational relation over ( Σ , Γ ) is a rational subset of Σ ∗ × Γ ∗ , i.e., a subset ge nerated by a rational expr ession (built up using union, co ncatenation, and iteratio n) o ver a finite subset o f Σ ∗ × Γ ∗ . Hereafter, we will as sume that the input and output alphab ets Σ and Γ co incide. Besides the r eferences ab ov e, rational r e lations hav e also b een studied by Johnson [13], F rougn y a nd Sak arovic h [1 2], and mo r e recently by Morv an [2 0]. It is imp or tant to note that the class of rational relations is closed under unions , c omp osi tions , and inverses [1 ]. On the other ha nd, the cla ss of r ational r elations is not clo sed under intersections, complemen ts, and transitive closure ( ibi d ). Fig. 1. The trans ducer T whic h r ecognizes pairs o f words of the forms ( u, u 0) or ( u, u 1) wher e u ∈ Σ ∗ q 1 q 2 ǫ/ 0 ǫ/ 1 0 / 0 1 / 1 3 Rational Kripk e mo dels 3.1 Rational graphs Definition 2. A gr aph G = ( S, E ) is r ational , if the set of vertic es S is a r e gular language in some finite alphab et Σ and the set of e dges E is a r ational r elation on Σ . Example 2. The i nfinite grid. Let Σ = { 0 , 1 } , then the infinite grid with v er- tices in Σ ∗ is given by Figure 2 and the edge r e lation o f this g raph is recognized by the transducer given in Figur e 2 . Fig. 2. The infinite grid with set of vertices S = 0 ∗ 1 ∗ and a transduce r that recognizes the infinite gr id. ǫ 0 00 1 11 01 001 011 0011 q 1 q 2 q 3 q 4 ǫ/ 1 ǫ/ 0 1 / 01 0 / 0 1 / 1 0 / 0 1 / 1 Example 3. The complete bi nary tree Λ . Figure 3 co nt ains the complete binary tree with vertices in { 0 , 1 } ∗ and lab eled by Γ = { a, b } , a s well as the transduce r r ecognizing it, in w hich the accepting states a re lab eled r esp ectively by a and b . The pa irs of words for which the transducer ends in the acc e pting state q 4 belo ng to the left success or relatio n in the tree (lab eled by a ), a nd those for which the trans duce r ends in the a ccepting state q 5 belo ng to the rig ht successor relation in the tree (labeled by b ). Fig. 3. The complete binary tree Λ and a labeled transducer recognizing it. ǫ a b 0 1 a b 00 01 a b 10 11 q 1 q 2 q 3 q 4 q 5 0 / 0 1 / 1 0 / 0 1 / 1 0 / 0 1 / 1 ǫ/ 1 ǫ/ 0 ǫ/ 0 ǫ/ 1 ǫ/ 0 ǫ/ 1 a b An imp ortant and extensively studied sub class of ra tional gr aphs is the class of automatic gr aphs [14,6]. These are r ational graphs whose transition relations are recognized b y synchr o nize d tra nsducers. As shown by Blumensath [5], the configuration gr aph of every T uring machine is an a utomatic graph. Consequent ly , imp ortant quer ies, suc h as reachabilit y , are g enerally undecidable on a utomatic gr aphs, a nd hence on rational g raphs. F urthermor e , Morv an show ed in [20] that the configur ation gra phs of Petri nets [21] are ra tional (in fact, automa tic) graphs, too. Moreov er , Johnson [13] proved that even v er y simple first-order definable prop erties of a rational relation, e.g., reflex ivity , tra nsitivity , symmetry , turn o ut to b e undecida ble (with an input the transducer reco g nizing the relation), by re- duction fr o m the P os t Corresp ondence Pr oblem (PCP). Indep endently , Morv an [20] has shown that the query ∃ xRxx on ra tional frames is undecidable, as well. The reduction o f PCP her e is stra ightforw ard: given a PCP { ( u 1 , v 1 ) , . . . , ( u n , v n ) } , consider a transducer with only o ne state, which is b oth initial and accepting , and it allows the transitions ( u 1 , v 1 ) , . . . , ( u n , v n ). Then, the PCP has a s olution precisely if so me pair ( w, w ) is acce pted by the transducer. Inclusion and equality of rational r elations are undecida ble, too , [1]. F urthermor e , in [22] W. Thomas has constructed a single ra tional g raph with undecidable first-o r der theo r y , by enco ding the halting pro blem o f a univ er sal T uring machine. 3.2 Rational Kripk e mo del s Rational g raphs can b e viewed as Kripke frames, hereafter called r ational Kripke fr ames . Definition 3. A Kripke m o del M = ( F , V ) = ( S, R, V ) is a r ational Kripke mo del (RKM) if the fr ame F is a r ational Kripke fr ame, and the valuation V assigns a r e gular language to e ach pr op ositional variable, i.e., V ( p ) ∈ REG ( Σ ∗ ) for every p ∈ Φ . A valuation satisfying this c onditio n is c al le d a ra tional valua- tion. Example 4. In this e xample we will present a RKM based on the co nfig uration graph of a Petri net. T o make it s elf-contained, we give the ba sic r elev an t def- initions here; for more de ta il see e.g., [2 1]. A Petri net is a tuple ( P , T , F , M ) where P a nd T are disjoint finite sets a nd their elements ar e called plac es and tr ansitions resp ectively . F : ( P × T ) ∪ ( T × P ) → N is called a flow function and is such that if F ( x, y ) > 0 then there is an a rc from x to y and F ( x, y ) is the m ultiplicity of that arc. Each of the places co ntain a num b er o f tokens and a v ector of integers M ∈ N | P | is called a c onfigur ation (or , marking ) of the Petri net if the i th comp onent of M is equal to the num b er of tokens at the i th place in the Petri net. The c onfigur ation gr aph o f N has as vertices all po ssible configuratio ns of N and the edges re pr esent the p os s ible transitions b etw een configuratio ns. Now, let N = ( P, T , F , M ) b e a Petri net, where P = { p 1 , p 2 } , T = { t } , F ( p 1 , t ) = 2 , F ( t, p 2 ) = 3 and M = (4 , 5). Let M = ( S, R , V ) where S = 0 ∗ 10 ∗ , R the transition relation of the configuration graph of N and V the v aluation defined by V ( p ) = 0010 ∗ and V ( q ) = 0 ∗ 1000. Then M is a RKM and can be presented by the v arious mac hines in Figure 4. Fig. 4. A finite pr esentation M : A 1 , A 2 and A 3 recognize S, V ( p ) a nd V ( q ) resp ectively , a nd T r ecognizes R . A 1 : q 1 q 2 0 0 1 A 2 : p 1 p 2 001 0 A 3 : r 1 r 2 1000 0 T : s 1 s 2 s 3 001 / 1 ǫ/ 000 0 / 0 0 / 0 4 Sync hronized pro ducts of transducers and automata In this section ǫ will denote the empty word, but will also b e treated as a sp ecia l symbol in a n ex tended alphabe t. Definition 4. L et u b e a wor d in some alphab et Γ and γ ∈ Γ . The γ -r e duction of u , denote d u | γ , is the wor d obtaine d fr om u after deleting al l o c curr enc es of γ . Likewise, if Y is a language in the alphab et Γ , then t he γ - r e duction of Y , denote d Y | γ , is the language c onsisting of al l γ -r e ductions of wor ds in Y . Lemma 1. If Y is a r e gular language over an alphab et Γ then Y | γ is a r e gular language over the alphab et Γ − { γ } . Pr o of . (Sketch) An a utomaton A| γ recognizing Y | γ , called her e the γ -reduction of A c an be constructed from a n a utomaton A r ecognizing Y as follows: 1. Remov e all γ - tr ansitions. 2. Add ( q , γ ′ , q ′′ ) as a tr a nsition in A| γ whenever ( q , γ , q ′ ) and ( q ′ , γ ′ , q ′′ ) ar e transitions in A a nd γ 6 = γ ′ . 3. Finally , define the accepting states of A| γ as all accepting states o f A plus those states q such that ( q γ ∗ → q ′ ) in A and q ′ is an a ccepting state in A . ⊳ Definition 5. A run of a fi nite au t omaton A =  Q, Σ , q 0 , F, δ  is a se quenc e of states and t r ansitions of A : q 0 x 1 → q 1 x 2 → q 2 · · · x n → q n , such that q 0 = q 0 , q j ∈ Q, x j ∈ Σ , and q j ∈ δ ( q j − 1 , x j ) for every j = 1 , 2 , . . . , n . A run is ac c epting if it ends in an ac c epting state. Run and ac c epting runs of tr ansduc ers ar e define d likewise. Definition 6. A stutteri ng ru n of a fi nite automaton A =  Q, Σ , q 0 , F, δ  is a se quenc e q 0 x 1 → q 1 x 2 → q 2 · · · x n → q n , such that q 0 = q 0 , q j ∈ Q , and either x j ∈ Σ and q j ∈ δ ( q j − 1 , x j ) , or x j = ǫ and q j = q j − 1 for every j = 1 , 2 , . . . , n . Thus, a stu ttering run of an automaton c an b e obtaine d by insert ing ǫ - tr ansitions fr om a state to itself into a ru n of that automaton. If the latter run is ac c epting, we de clar e the stuttering run to b e an ac c epting stuttering run . A stuttering w or d in an alphab et Σ is any wor d in Σ ∪ { ǫ } . The stuttering language of the automaton A is the set L ǫ ( A ) of al l stut- tering wor ds whose ǫ -r e ductions ar e r e c o gnize d by A ; e quivalently, al l st uttering wor ds for which ther e is an ac c epting stut tering run of the automaton. Definition 7. L et T =  Q T , Σ , q 0 T , F T , ρ T  b e a tr ansduc er, and let A b e a (non-deterministic) fin ite automaton given by A =  Q A , Σ , q 0 A , F A , δ A  . The synchr onize d pr o duct of T with A is the finite automaton: T ⋌ A =  Q T × Q A , Σ ,  q 0 T , q 0 A  , F T × F A , δ T ⋌ A  wher e δ T ⋌ A : ( Q T × Q A ) × ( Σ ∪ { ǫ } ) → P ( Q T × Q A ) is such t hat, for any p 1 T , p 2 T ∈ Q T and p 1 A , p 2 A ∈ Q T then  p 2 T , p 2 A  ∈ δ T ⋌ A  p 1 T , p 1 A  , x  if and only if 1. either ther e exists a y ∈ Σ such that δ A  p 1 A , y  = p 2 A and  p 1 T , x, y , p 2 T  ∈ ρ T , 2. or  p 1 T , x, ǫ, p 2 T  ∈ ρ T and p 1 A = p 2 A . Note that every run R T ⋌ A = ( p 0 T , p 0 A ) u 1 → ( p 1 T , p 1 A ) u 2 → · · · u n → ( p n T , p n T ) of the automaton T ⋌ A can be obtained from a pair: a run R T = p 0 T ( u 1 /w 1 ) → p 1 T ( u 2 /w 2 ) → p 2 T · · · ( u n /w n ) → p n T in T , and a s tuttering run R s A = p 0 A w 1 → p 1 A w 2 → p 2 A · · · w n → p n A in A , by pairing the resp ective states p j T and p j A and removing the output symbo l w j for ev ery j = 1 , 2 , . . . , n . Let the reduction of R s A be the run R A = q 0 A v 1 → q 1 A v 2 → q 2 A · · · v m → q m A , with m ≤ n . Then we say that the run R T ⋌ A is a s ync hronization of the runs R T and R A . Note, that the synchronization of accepting runs of T and A is an accepting run of R T ⋌ A . The follo wing lemma is now immediate: Lemma 2. L et T =  Q T , Σ , q 0 T , F T , ρ T  b e a tr ansduc er r e c o gnizing the r elation R ( T ) and let A =  Q A , Σ , q 0 A , F A , δ A  b e a fin it e automaton r e c o gnizing the language L ( A ) . Then the language r e c o gnize d by the synchr onize d pr o duct of T and A is L ( T ⋌ A ) = { u | ∃ w ∈ L ǫ ( A )( uR ( T ) w ) . } 5 Mo del chec king of K t in rational Kripke mo dels In this sec tio n w e will establish decidability of the basic mo del chec king pro blems for form ulae of K t in rational K ripke models . Lemma 3. L et Σ b e a finite non-empty alphab et, X ⊆ Σ ∗ a r e gular su bset, and let R ⊆ Σ ∗ × Σ ∗ b e a r ational r elation. Then the sets h R i X = { u ∈ Σ ∗ |∃ v ∈ X ( uRv ) } and  R − 1  X = { u ∈ Σ ∗ |∃ v ∈ X ( v Ru ) } ar e r e gular subsets of Σ ∗ . Pr o of . This claim essentially follows from results of Niv at (see [1]). How ever, us- ing Lemma s 1 and 2, we g ive a co nstructive pro of, which explicitly pro duces au- tomata that recognize the res ulting regula r la nguages. Let A be a finite automa- ton recog nizing X and T b e a transducer re cognizing R . Then, the ǫ -reduction of the synchronized pro duct o f T with A is an automa ton r ecognizing h R i X ; for  R − 1  X we take instead of T the tra nsducer for R − 1 obtained from T by swapping the input and output symbo ls in the tra nsition relation 4 . ⊳ 4 Note t h at, in general, th e resulting automata n eed not b e minimal, b ecause they ma y have redun dant states and transitions. Example 5. Conside r the automa ton A and transducer T in Figure 5. The lan- guage recogniz e d by A is X = 1 ∗ (1 + 0 + ) and the r elation R recog nized by T is R =  (1 n 0 , 10 n 1) m  1 k , 10 k  | n, m, k ∈ N  ∪  (1 n 0 , 10 n 1) m  01 k , 11 k  | n, m, k ∈ N  , where X 1 X 2 denotes the c o mp o nent-wise concatenation o f the rela tions X 1 and X 2 , i.e., X 1 X 2 = { ( u 1 u 2 , v 1 v 2 ) | ( u 1 , v 1 ) ∈ X 1 , ( u 2 , v 2 ) ∈ X 2 } . F or insta nce, if we ta ke n = 1, m = 2 a nd k = 3 we obtain that (10 , 101 ) 2 (1 3 , 10 3 ) = (10101 11 , 10 11011000) ∈ R (coming fro m the first set of the union) and (10 , 101 ) 2 (01 3 , 11 3 ) = (101001 11 , 10 11011111) ∈ R (coming fro m the second set of that union). Then, the synchronized pro duct T ⋌ A is the finite automaton given in Figur e 6 recog nizing h R i X = 0 ∗ + 0 ∗ 1 + . Note that it ca n b e simplified by removing redundant states and edges. Fig. 5. The automaton A a nd the transducer T . A : p 1 p 2 p 3 0 1 1 0 T : q 1 q 2 q 3 ǫ/ 1 0 / 1 0 / 1 1 / 0 1 / 1 Fig. 6. The synchronized pro duct T ⋌ A recog nizing h R i X . T ⋌ A : q 1 , p 1 q 1 , p 2 q 1 , p 3 q 2 , p 1 q 2 , p 2 q 2 , p 3 q 3 , p 1 q 3 , p 2 q 3 , p 3 ǫ 0 0 1 1 ǫ 0 0 1 1 Theorem 1. F or every formula ϕ ∈ K t and r ational Kripke mo del M = ( Σ ∗ , R, V ) , the set [ [ ϕ ] ] M is a r ational language, effe ctively c omputable fr om ϕ and t he r a- tional pr esentation of M . Pr o of . W e prov e the claim b y induction on ϕ . 1. If ϕ is an a to mic prop os ition, the claim follows from the definitio n of a rational model. 2. The bo olean cases follow from the effective clos ur e o f regular langua ges under bo olean ope r ations. 3. If ϕ = h R i ψ then [ [ ϕ ] ] M = h R i [ [ ψ ] ] M , which is reg ula r by the inductive hypothesis and Lemma 3. Likewise for the case ϕ =  R − 1  ψ . ⊳ W e now consider the following algorithmic mo del chec king problems , where the Kripke mo de l is supp osed to be given by so me effectiv e presen tatio n: 1. L o c a l mo del che cking: given a K ripke model M , a state s in M , and a formula ϕ of K t , determine whether M , s | = ϕ . 2. Glob al mo del che cking: given a Kr ipke mo del M and a formula ϕ of K t , determine (effectiv ely) the set [ [ ϕ ] ] M of all sta tes in M where ϕ is true. 3. Che cki ng s atisfiability in a mo del: given a Kripke mo del M and a formula ϕ of K t , determine whether [ [ ϕ ] ] M 6 = ∅ . Corollary 1. L o c al mo del che cki ng, glob al mo del che cking, and che cki ng satis- fiability in a mo del, of formulae in K t in r ational Kripke mo dels ar e de cidable. Pr o of . Decidabilit y of the glo bal mo del chec king follows immediately fro m Theo- rem 1. Then, decidability of the lo cal mo del chec king and o f chec king satisfia bilit y in a r ational mo del follo w resp ectively from the decida bility of mem b ership in a regular language, and of non-emptiness of a r egular language (see e.g., [18]). ⊳ 6 Complexit y W e will now attempt to analyze the complexity of global mo del chec king a formula in K t on a ratio nal K ripke mo del. Dep ending on which of these is fixed, we distinguis h tw o complexity measures (see e.g., [16]): formula (expressi on) complexity (when the mo del is fixed and the formula is feeded a s input) and structure comp l exit y (when the formula is fixed and the mo del is feeded as input). 6.1 Normal forms and ranks of formulae W e will first need to define some sta ndard tec hnical notions. A formula ϕ ∈ K t is in negation normal form if every o ccurrence of the negation immediately precedes a pro po sitional v ariable. Clearly every formula ϕ ∈ K t is equiv alent to a formula ψ ∈ K t in nega tion nor mal form, of size line a r in the size ϕ . F or the r emainder of this section, we will assume that a formula ϕ we wish to mo del chec k is in a negation normal form. The mo dal rank of a formula counts the g reatest num b er of nested mo dalities in the formula, while the alterna ting b ox (resp., diamond) rank of a formu la counts the greatest num b er o f nested a lternations o f mo dalities w ith an outmost box (resp., diamond) in that formula. F orma lly: Definition 8. The m o dal rank for a formula ϕ ∈ K t , denote d by mr ( ϕ ) is define d inductively as fol lows: 1. if p is an atomic pr op o sition, then m r ( p ) = 0 and mr ( ¬ p ) = 0 ; 2. mr ( φ 1 ∨ ψ 2 ) = mr ( φ 1 ∧ ψ 2 ) = max { mr ( ψ 1 ) , mr ( ψ 2 ) } ; 3. mr ( △ ψ ) = mr ( ψ ) + 1 wher e △ ∈  [ R ] , h R i ,  R − 1  ,  R − 1  . Definition 9. The alternating b ox rank and alternating diamond rank of a formula ϕ ∈ K t , denote d r esp e ctively by ar ✷ ( ϕ ) and ar ✸ ( ϕ ) , ar e define d by simultane ous induction as fol lows, wher e △ ∈ { ✷ , ✸ } : 1. if p is an atomic pr op o sition, then a r △ ( p ) = 0 and ar △ ( ¬ p ) = 0 ; 2. ar △ ( ψ 1 ∨ ψ 2 ) = ar △ ( ψ 1 ∧ ψ 2 ) = max { ar △ ( ψ 1 ) , ar △ ( ψ 2 ) } ; 3. ar ✸ ( h R i ψ ) = ar ✷ ( ψ ) + 1 and ar ✷ ( h R i ψ ) = ar ✷ ( ψ ) . Likewise for ar ✸  R − 1  ψ  and ar ✷  R − 1  ψ  . 4. ar ✷ ([ R ] ψ ) = ar ✸ ( ψ ) + 1 and ar ✸ ([ R ] ψ ) = ar ✸ ( ψ ) . Likewise for ar ✸  R − 1  ψ  and ar ✷  R − 1  ψ  . Final ly, the alternation rank of ϕ , denote d a r ( ϕ ) is define d to b e ar ( ϕ ) = ma x { ar ✷ ( ϕ ) , ar ✸ ( ϕ ) } . F or instance, ar ✷ ([ R ] ( h R i [ R ] p ∨ [ R ]  R − 1  ¬ q )) = 3 and ar ✸ ([ R ] ( h R i [ R ] p ∨ [ R ]  R − 1  ¬ q )) = 2, hence ar ([ R ] ( h R i [ R ] p ∨ [ R ]  R − 1  ¬ q )) = 3. 6.2 F orm ula complexity W e measur e the size of a finite automaton or transducer M by the n umber o f transition edges in it, denoted |M| . Prop ositi o n 1. If A is an automaton r e c o gnizing the r e gular language X and T a tr ansduc er r e c o gnizing the r ational r elation R , then the time c omplexity of c omputing an automaton r e c o gnizing h R i m X is in O ( |T | m |A| ) . Pr o of . The size of the synchronized pro duct T ⋌ A of T and A is b ounded a bove by |T ||A| a nd it ca n b e computed in time O ( |T ||A| ). The claim now follows by iterating that proce dur e m times. ⊳ How ever, w e a re going to show that the time complexity o f computing a n automaton recognizing [ R ] X is far w orse. F or a re g ular langua ge X reco g nized by an a utomaton A , we define R X = { ( u, ǫ ) | u ∈ X } . A transducer T reco gnizing R X can b e co nstructed fr o m A by simply replacing e very edge ( q , x, p ) in A with the edge ( q , x, ǫ, p ). Lemma 4. L et X b e a r e gular language. Then the c omplementation X of X e quals [ R X ] ∅ . Pr o of . Routine v erifica tion. ⊳ Consequently , computing [ R X ] ∅ cannot be done in less than ex po nential time in the s ize of the (non-deterministic) automaton A for X . This result sug gests the follo wing conjecture. Conje ctur e 1. T he formula complexity o f globa l mo del checking of a K t -formula is non-elementary in ter ms of the alterna ting box ra nk o f the formula. 6.3 Structure complexi t y Next we a nalyze the s tructure complexity , i.e. the co mplexity of global mo del chec king a fixed formula ϕ ∈ K t on an input ra tional Kripke model. Here the input is a ssumed to b e the transducer and a utomata presenting the mo del. Fix a formula ϕ ∈ K t in nega tion normal form, then fo r any input ra tional Kripke mo del M there is a fixed n umber of op erations to perform on the input transducer and automata that can lea d to subsequent expo nential blowups of the size o f the automaton co mputing [ [ ϕ ] ] M . That num ber is b ounded b y the mo dal r ank mr ( ϕ ) o f the formula ϕ , and there fo re the structure complexity is bo unded a bove b y an ex po nential tower of a height not exceeding that mo dal rank: 2 ··· ( mr ( ϕ ) times ) ··· 2 |T ||A| How ever, using the alternation rank of ϕ and Pr op osition 1 we can do b etter. Prop ositi o n 2. The struct ur e c omplexity of glob al mo de l che cking for a fixe d formula ϕ ∈ K t on an input r ational Kripke mo del M , pr esente d by t he tr ans- duc er and aut omata {T , A 1 , . . . , A n } , is b ounde d ab ove by 2 ··· ( ar ( ϕ ) time s ) ··· 2 P ( |T | ) wher e P ( |T | ) is a p olynomial in |T | with le ading c o efficie nt not gr e ater t hat n 2 c wher e c ≤ max { |A i | | i = 1 , . . . n } and de gr e e no gr e ater than mr ( ϕ ) . Pr o of . The num b er of steps in the computation of [ [ ϕ ] ] M , following the struc- ture of ϕ , that pr o duce nested exp onential blo w-ups ca n be b ounded by the alternation r ank, since nes ting of a ny num ber of diamonds do e s not c a use an exp onential blow-up, while nesting of any num b e r of b oxes can be reduced by double complementation to nesting of diamonds; e.g ., [ R ] ([ R ] [ R ] p ∨  R − 1  ¬ q ) can b e equiv alen tly re-written as ¬ h R i ( h R i h R i ¬ p ∧  R − 1  q ). The initial syn- chronized pro duct construction (when a diamo nd or b ox is applied to a bo olea n formula) pro duces an automaton of size at most 2 c |T | , the num b er of nes ted pro duct cons tr uctions is b ounded ab ov e by mr ( ϕ ), and e a ch of these mult iplies the size of the cur rent automaton by |T | . In the worst c ase, all alterna tions would take place after a ll pro duct co nstructions, hence the upp er b ound. ⊳ 7 Mo del chec king extensions of K t on rational mo dels 7.1 Mo del c heck ing hybrid e xtensions of K t A ma jor limitation o f the basic mo dal lang ua ge is its inability to refer ex plicitly to states in a K ripke mo del, a lthough the mo dal semantics ev aluates mo da l formulae a t states. Hybrid logics pro vide a remedy for that pro blem. W e will only introduce some basic hybrid lo gics of in teres t here; for more details consult e.g., [3,4]. The b asic hybrid tense lo gic H t extends the basic tense logic K t with a s e t of new ato mic sym b ols Θ called nominals which syntactically form a seco nd t yp e of atomic formulae, which ar e ev aluated in Kripke mo dels in singleton sets of states. The unique state in the v aluation of a no minal is called its denotation . Thu s, nominals can be used in H t to r efer directly to states . Here is the formal definition of the set of formulae o f H t : ϕ = p | i | ¬ ϕ | ϕ ∨ φ | h R i ϕ |  R − 1  ϕ, where i ∈ Θ and p ∈ Φ . The basic h ybrid logic H t can be further extended to H t (@) by adding the satisfaction op er ator @, where the formula @ i ϕ means ‘ ϕ is tr u e at t he denotation of i ’. A more expres sive extension of H t is H t ( U ) inv olving the un iversal mo dality with semantics M , v | = [ U ] ϕ iff M , w | = ϕ for every w ∈ M . The oper ator @ is definable in H t ( U ) by @ i ϕ := [ U ]( i → ϕ ). Moreov er , H t can b e extended with the more expr essive differ enc e mo dality h D i (and its dual [ D ]), wher e M , v | = h D i ϕ iff there exists a w 6 = v such that M , w | = ϕ . Note tha t [ U ] is definable in H t ( D ) b y [ U ] ϕ := ϕ ∧ [ D ] ϕ . Y et another extension o f H t (@) is H t (@ , ↓ ) which also involv es state vari- ables a nd binders that bind these v ariables to states. Thus, in a ddition to H t (@), formulae also include ↓ x.ϕ for x a state v ariable. F or a formula ϕ poss ibly con- taining free o ccurrences of a sta te v ariable x , and w a state in a given mo del, let ϕ [ x ← i w ] denote the re s ult of substitution of all free o ccurr ences of x by a nominal i w in ϕ , where w is the deno tation of i w . Then the semantics of ↓ x.ϕ is defined b y: M , w | = ↓ x.ϕ iff M , w | = ϕ [ x ← i w ]. Prop ositi o n 3. F or every formula ϕ of t he hybri d language H t ( D ) (and ther e- for e, of H t (@) and of H t ( U ) ) and every r ational Kripke mo del M , the set [ [ ϕ ] ] M is an effe ctively c omputable r ational language. Pr o of . The cla im follows from Theor em 1 since the v aluations of no minals, b eing singletons, are rational se ts , and the difference r elation D is a rational r elation. The la tter can be shown by explicitly constr ucting a transduce r rec o gnizing D in a given r ational set, or by noting that it is the complement of the automatic rela- tion of eq uality , hence it is automatic itself, a s the family o f automatic rela tions is closed under complements (see e.g., [14] or [6]). ⊳ Corollary 2. Glob al and lo c al mo del che cking, as wel l as sat isfiability che cking, of formulae of the hybrid language H t ( D ) (and ther efor e, of H t (@) and H t ( U ) , to o) in ra tional K ripke mo dels ar e de cida ble. Prop ositi o n 4. Mo del che cking of the H t (@ , ↓ ) -formula ↓ x. h R i x in H t (@ , ↓ ) on a given input r ational Kripke mo del is not de cidable. Pr o of . Immediate consequence from Morv an’s ea r lier men tioned reduction [20] of the model c hecking o f ∃ xR xx to the Post Co rresp ondence Problem. ⊳ Prop ositi o n 5. Ther e is a r ational Kripke m o del on which mo del che cking for- mulae fr om t he hybrid language is unde cidable. Pr o of . (Sketch) The rational graph constructed by Thomas [2 2] ca n be used to prov e this undecidability , since the first-order prop erties q ueried there are also expressible in H t (@ , ↓ ). ⊳ 7.2 Coun ting mo dalitie s W e now consider extensions o f K t with coun ting (or, graded) modalities: – ✸ ≥ k ϕ with sema nt ics: ‘there exist at least k successor s w her e ϕ holds’; – ✸ ≤ k ϕ with sema nt ics: ‘there exist at most k successors wher e ϕ holds’; – ✸ k ϕ with sema nt ics: ‘there exist exactly k successo rs wher e ϕ holds’; – ✸ ∞ ϕ with semantics: ‘there exist infinitely man y succes sors wher e ϕ holds’. Clearly , so me o f these are in ter- de fina ble: ✸ k ϕ := ✸ ≥ k ϕ ∧ ✸ ≤ k ϕ , while ✸ ≥ k ϕ := ¬ ✸ ≤ k − 1 ϕ and ✸ ≤ k ϕ := ¬ ✸ ≥ k +1 ϕ . W e denote by C t the extension of K t with ✸ ∞ ϕ and all co unt ing mo da lities for all integers k ≥ 0. F ur ther, we deno te by C 0 t the fragment o f C t where no o ccurrence of a counting mo dality is in the scop e of any mo da l op er ator. Prop ositi o n 6. L o c al mo del che cking of formulae in the language C 0 t in r ational Kripke mo dels is de cidable. Pr o of . First we note that e ach of the following problems: ‘ Given an automaton A , do es its language c ontain at m ost / at le ast / exactly k / finit ely / infinitely many wor ds? ’ is decidable. Indeed, the case o f finite (r esp ectively infinite) language is well-kno wn (see e.g., [18], pp. 18 6–189 ). A decision pro cedure 5 for recog nizing if the lang ua ge of a given automa ton A co ntains at least k words can be co nstructed recursively on k . When k = 1 that boils down to chec king non-emptiness of the language ( ibid ). Supp ose we have such a pro cedure P k for a given k . Then, a pro cedure for k + 1 can b e des igned as follows: first, test the lang uage L ( A ) of the given automato n for non-emptiness by lo oking for a ny w or d re c ognized b y it (by sea r ching for a path from the initial state to any accepting state). If suc h a word w is found, mo dify the curr ent a uto maton to exc lude (only) w from its language, i.e. construct an auto ma ton for the lang uage L ( A ) \ { w } , us ing the 5 The pro cedure designed here is p erhaps not t h e most efficien t one. bu t, it will not make the complexity of the mo del c hecking w orse, give n the high ov erall complexity of the latter. standard automata cons tr uctions. Then, apply the pro cedure P k to the resulting automaton. T esting L ( A ) for having at most k w ords is re duce d to testing for at leas t k + 1 words; likewise, tes ting fo r exactly k words is a c o mbination of these. Now, the claim follows from Theorem 1. Indeed, given a RKM M and a formula ϕ ∈ C 0 t , for every s ubfor mula ✸ c ψ o f ϕ , whe r e ✸ c is any of the counting mo dalities listed ab ove, the subformula ψ is in K t , a nd there fo re an automaton for the regular langua ge [ [ ψ ] ] M is effectively computable, and hence the question whether ✸ c ψ is true at the state where the lo cal mo del chec king is p erformed can b e answered effectively . It remains to note that ev ery form ula o f C 0 t is a bo olean combin atio n o f subfor mu lae ✸ c ψ where ψ ∈ K t . ⊳ A t pres ent, w e do not know whether any of the c o untin g mo dalities preserves regular ity in ra tional mo dels, and resp ectively whether global mo del chec king in rational models of either of these lang ua ges is decidable. 7.3 A presenta tio n based extension Here w e consider a ‘presentation-based’ extension of the m ulti-mo da l version of K t , where the new moda lities a r e defined in ter ms of w or d op eratio ns, so they only hav e meaning in Kripke models where the states are lab eled by words (suc h as the r ational K ripke mo dels) hereafter called Kr ipke wor d-mo dels . T o begin with, for a g iven alphab et Σ , with e very language X ⊆ Σ ∗ we can uniformly asso ciate the fo llowing binar y relations in Σ ∗ : X ? := { ( u , u ) | u ∈ X } ; − → X := { ( uv , v ) | u ∈ X , v ∈ Σ ∗ } . Prop ositi o n 7. F or every r e gular langu age X ⊆ Σ ∗ the r elations X ? and − → X ar e r ational. Pr o of . F or each o f these, there is a simple uniform construc tio n that pro duces from the a utomaton r ecognizing X a transducer recognizing the resp ective re- lation. F or instance, the transducer for − → X is constructed as comp ositio n of the transducers (defined just like the comp osition of finite automata) for the r ational relations { ( u, ε ) | u ∈ X } and { ( v , v ) | v ∈ Σ ∗ } . The for mer is constructed from the automaton A for X by conv erting every a -tra nsition in A , for a ∈ Σ , to ( a, ε )-transition, and the latter is constructed fro m an a utomaton recognizing Σ ∗ by conv erting every a -transition, for a ∈ Σ , to ( a, a )-transition. ⊳ This s uggests a natural extension of (m ulti-mo dal) K t with an infinite family of new mo dalities asso ciated with rela tions a s ab ov e defined over the extensions of fo r mulae. The re s ult is a richer, PDL-like language which extends the star- free fragment of P DL with test a nd conv erse by additiona l pro gram c o nstructions corres p o nding to the regularity pres erving o p e r ations defined ab ove. W e ca ll that language ‘ wor d-b ase d st ar-fr e e PDL (with test and c onverse) ’, hereafter denoted WPDL . F ormally , WPDL has tw o syntactic categories, viz., pr o gr ams PR OG and formulae FOR , defined o ver g iven alphab et Σ , set of atomic pro p ositions AP , and s et of atomic pro grams (re la tions) REL , by mutual induction a s follo ws: F ormulae FOR : ϕ ::= p | l a | ¬ ϕ | ϕ 1 ∨ ϕ 2 | h α i ϕ for p ∈ AP , a ∈ Σ , and α ∈ PROG , wher e for each a ∈ Σ we hav e a dded a sp ecia l new atomic prop ositio n l a , used further to trans late extended star-free regula r expressions to WPDL-fo rmulae. Progr ams PROG : α ::= π | α ′ | α 1 ∪ α 2 | α 1 ◦ α 2 | ϕ ? | − → ϕ where π ∈ R EL and ϕ ∈ FOR . W e note that WPDL is not a purely log ical language, as it do es not hav e se- mantics on abstra ct mo dels but only on word-mo dels (including r ational Kripke mo dels), defined as follows. Let M = ( S, { R π } π ∈ REL , V ) b e a K ripke w ord- mo del over an a lphab et Σ , with a set of states S ⊆ Σ ∗ , a family of basic relations indexed with R EL , and a v aluation V of the a tomic prop os itions from AP . Then every formula ϕ ∈ FOR is a sso ciated with the lang uage [ [ ϕ ] ] M ⊆ Σ ∗ , defined as befor e, whe r e [ [ p ] ] M := V ( p ) for every p ∈ AP and [ [ l a ] ] := { a } ∩ S for every a ∈ Σ . Respectively , ev ery program α is a s so ciated with a binar y rela tion R α in Σ ∗ , defined inductively as follows (where ◦ is compo sition of rela tions): – R α ′ := R − 1 α , – R α 1 ∪ α 2 := R α 1 ∪ R α 2 , – R α 1 ◦ α 2 := R α 1 ◦ R α 2 , – R ϕ ? := [ [ ϕ ] ]?, – R − → ϕ := − → [ [ ϕ ] ]. Lemma 5. F or every WPDL -formulae ϕ, ψ and a K ripke wor d-mo del M : 1. [ [ h ϕ ? i ψ ] ] M = [ [ ϕ ] ] M ∩ [ [ ψ ] ] M . 2. [ [ h − → ϕ i ψ ] ] M = [ [ ϕ ] ] M ; [ [ ψ ] ] M (wher e ; denotes c onc atenatio n of languages). Pr o of . Routine v erifica tion: 1. [ [ h ϕ ? i ψ ] ] M = { w ∈ Σ ∗ | wR ϕ ? v for s ome v ∈ [ [ ψ ] ] M } = { w ∈ Σ ∗ | w = v for some v ∈ [ [ ϕ ] ] M and v ∈ [ [ ψ ] ] M } = [ [ ϕ ] ] M ∩ [ [ ψ ] ] M . 2. [ [ h − → ϕ i ψ ] ] M = { w ∈ Σ ∗ | wR − → ϕ v for s ome v ∈ [ [ ψ ] ] M } = { uv ∈ Σ ∗ | u ∈ [ [ ϕ ] ] M , v ∈ [ [ ψ ] ] M } = [ [ ϕ ] ] M ; [ [ ψ ] ] M . ⊳ Corollary 3. F or every WPDL -formula ϕ and a r ational Kripke mo del M , the language [ [ ϕ ] ] M is an effe ctively c omputable fr om ϕ r e gular language. Corollary 4. L o c al and glob al mo del che cking, as wel l as satisfiability che cking, of WPDL -formulae in r ational K ripke mo dels is de cidable . Extende d star-fr e e r e gular expr essions ov er an alphab et Σ ar e defined as follows: E := a | ¬ E | E 1 ∪ E 2 | E 1 ; E 2 , where a ∈ Σ . E very such expression E defines a regular language L ( E ), where ¬ , ∪ , ; denote res pe c tively complementation, union, and concatenation of la n- guages. The question whether tw o extended star- free regular expressions define the same language has b een prov ed to have a no n- elementary complexity in [19]. Every extended s tar-free regular express ion can be linearly tra nslated to an WPDL -formula: – τ ( a ) := l a , – τ ( ¬ E ) := ¬ τ ( E ), – τ ( E 1 ∪ E 2 ) := τ ( E 1 ) ∨ τ ( E 2 ), – τ ( E 1 ; E 2 ) := h − − − → τ ( E 1 ) i τ ( E 2 ). Lemma 6. Given an alphab et Σ , c onside r the r ational Kripke mo del M Σ with set of states Σ ∗ , over empty sets of b asic r elations and atomic pr op osi tions. Then, for every extende d st ar-fr e e r e gular expr ession E , L ( E ) = [ [ τ ( E )] ] M Σ . Pr o of . Straightforw ard induction o n E . The only non-obvious cas e E = E 1 ; E 2 follows from Lemma 5 . ⊳ Consequently , for any extended star-free reg ular express io ns E 1 and E 2 , we hav e that L ( E 1 ) = L ( E 2 ) iff [ [ τ ( E 1 )] ] M Σ = [ [ τ ( E 2 )] ] M Σ iff M Σ | = τ ( E 1 ) ↔ τ ( E 2 ). Th us, w e obtain the following. Corollary 5. Glob al mo del che cking of WPDL -formulae in r ational Kripke mo dels has n on- elementary formula-c omplexity. Remark: since the − → ϕ -free frag ment o f WPDL is ex pr essively equiv alen t to K t , a tra nslation of b ounded exp onential blow-up from the family of extended star-free regular expressions to the latter fragment w ould prov e Co njecture 1. 8 Concluding remarks W e hav e intro duced the class of rationa l K ripke mo dels and shown that all for- m ulae of the ba sic tens e logic K t , and v arious extensio ns o f it, hav e effectively computable r ational extensions in such models, and therefo r e globa l mo del c heck- ing a nd lo cal mo del c hecking of suc h form ulae o n ra tional Kr ipke models are decidable, albeit proba bly with non-elementary formula complexity . Since mo del chec king r eachabilit y on such mo dels is g e ne r ally undecidable, a n impo rtant directio n for further resea r ch would be to identify natural large sub- classes of ratio nal Kripke mo dels on whic h model chec king of K t extended with the reachability mo dality h R i ∗ is decidable. Some such cases, defined in terms of the pre s entation, ar e k nown, e.g., ra tional mo dels with length-preserv ing o r length-monotone tra nsition relation [20]; the problem of finding structura lly de - fined large cla sses of rationa l mo dels with decida ble r eachabilit y is still essentially op en. Other imp orta nt questions c oncern deciding bisim ulatio n equiv alence b e- t ween ratio nal Kripke mo dels, as that would allow us to tra nsfer mo del chec king of any prop erty definable in the mo dal mu-calculus from o ne to the other. These questions are studied in a follow-up to the pr esent work. Ac kno wledgemen ts This r esearch has b een supp orted by the Nationa l Resear ch F o undation of South Africa thro ug h a resea rch grant and a student bursar y . W e wish to thank Ar- naud Caray ol, Balder ten Cate, Ca rlos Ar eces, Christophe Mo rv an, and St´ ephane Demri, for v arious useful comments and sugges tions. W e a re also gra teful to the anonymous r eferee for his/her car e ful reading o f the submitted version and many remarks and correc tions which have help ed us improv e the conten t and presen- tation of the pap er. References 1. Berstel, J.: T ransductions and Context-F ree Languages. T eu bner Studienb¨ ucher Informatik. B.G. T eubner, Stu ttgart (1979) 2. Biere, A., Cimatti, A ., Clarke, E., Strichman, O ., Zhu, Y .: Bounded mo del chec k- ing. Adv ances in Computers 58 ( 2003) 118–1 49 3. Blac kb urn, P ., d e Rijke, M., V enema, Y.: Modal Logic. CUP (2001) 4. Blac kb urn, P .: Representation, reasoning, and relational structures: a hybrid logic manifesto. Logic Journal of th e IGPL 8 (3) (2000) 339–365 5. Blumensath, A.: Au tomatic structures. Dip loma th esis, R WTH-Aac hen (1999) 6. Blumensath, A., Gradel, E.: Automatic structu res. In: Logic in Computer Science. (2000) 51–62 7. Boua jjani, A ., Jonsson, B., Nilsson, M., T ouili, T.: Regular mo del c hecking. I n: Proc. of CA V’2000, LN CS 1855, Springer (2000) 403–418 8. Boua jjani, A ., Esparza, J., Maler, O.: Reac hability analysis of pushdown automata: Application to mo del-chec king. In Mazurkiewicz, A., Winko wski, J., ed s.: Proc. of CONCUR ’97. V olume 1243 of LNCS., Springer (1997) 135–150 9. Eilenberg, S.: Automata, Languages and Machines, vol . A . A cademic Press, N ew Y ork (1974) 10. Elgot, C., Mezei, J.: On relations defined by fin ite automata. IBM J. of Researc h and Developmen t 9 (1965) 47–68 11. Esparza, J., Kucera, A., Sch woon, S .: Mo del-Checking L TL with regular v aluations for pu shdow n systems. In: Proc. of T A CS ’2001. V olume 2215 of Lecture Notes in Computer Science. (2001) 306 –339 12. F rougny , C., Sak aro vitch, J.: S ynchronized rational relations of finite and infinite w ords. Theor. Comput. Sci. 108 (1) (1993) 45–82 13. Johnson, J.H.: Rational equiv alence relations. Theor. Comput. Sci. 47 (3) (1986) 39–60 14. Khoussainov, B., N erode, A .: Aut omatic presentations of structures. In Leiv ant, D., ed.: Logic and Comput ational Complexit y . Sp ringer, Berlin, (1994) 367–392 15. Kesten, Y., Maler, O., Marcus, M., Pnueli, A., Shahar, E.: Symb olic model chec king with rich assertional languages. Theor. Comput. Sci. 256 (1-2) ( 2001) 93–11 2 16. Kup er, G.M., V ardi, M.Y.: On the complexity of q ueries in the logical data mo del. In: Lecture notes in computer science on ICDT ’88, New Y ork, NY, USA, Springer- V erlag New Y ork, Inc. (1988) 267–280 17. Kupferman, O ., V ardi, M.Y., W olper, P .: An automata-theoretic approach to branching-time mo del c hecking. Journal of the ACM 47 (2) (March 2000) 312–360 18. Martin, J.C.: Introduction to Lan gu ages and the Theory of Computation, ed. 3. McGra w-Hill, In c., New Y ork (2002) 186– 189 19. Meyer, A., Sto ckmey er, L.: W ord problems requiring exp onential time: Preliminary rep ort. In: Pro c. of th e 5th AMS Symp osium on Theory of Computing. (1973) 20. Morv an, C.: On rational graphs. In Tiuryn, J., ed.: Proc. of FOSSACS 2000. V olume 1784 of LNCS. ( 2000) 252–2 66 21. Reisig, W.: P etri n ets: and in tro duction. Springer-V erlag, New Y ork, NY , US A (1985) 22. Thomas, W.: Constructing infinite graphs with a decidable mso-th eory . I n: Pro- ceedings of the 28th International Symp osium on Mathematical F oundations of Computer Science. V olume 2747 of Lecture Notes in Computer Science., Sp ringer (2003) 113 – 124 23. V ardi, M.: An automata-th eoretic approach to linear temp oral logic. I n Moller, F., Birt wistle, G., eds.: Logics for Concurrency: Stru ct ure vers us A utomata. V olume 1043 of Lecture Notes in Computer Science., Springer-V erla g, Berlin (1996) 238– 266 24. W al uk iewicz, I.: Model c hecking CTL prop erties of pushdown systems. In Kap o or, S., Prasad, S., ed s.: FSTTCS. V olume 1974 of Lecture Notes in Computer Science., Springer (2000) 127–138