Model Checking Strategies from Synthesis Over Finite Traces

$\mathsf{LTLf}$ [1, 13] extends propositional logic with finite-horizon temporal operators. In effect, $\mathsf{LTLf}$ is a variant of $\mathsf{LTL}$ [23] that is interpreted over finite rather than infinite traces. The syntax of an $\mathsf{LTLf}$ formula over a finite set of propositions $\mathsf{Prop}$ is identical to $\mathsf{LTL}$, and defined as

where X (Next) and U (Until), are temporal operators. We also include their dual operators, N (Weak Next) and R (Release), defined as $\text{N}\varphi\equiv\neg\text{X}\neg\varphi$ and $\varphi_{1}\text{R}\varphi_{2}\equiv\neg(\neg\varphi_{1}\text{U}\neg\varphi_{2})$. We also use typical abbreviations such as $\text{F}\varphi\equiv\mathsf{true}\text{U}\varphi$, $\text{G}\varphi\equiv\mathsf{false}\text{R}\varphi$, $\varphi_{1}\vee\varphi_{2}=\neg(\neg\varphi_{1}\land\neg\varphi_{2})$, $\varphi_{1}\rightarrow\varphi_{2}\equiv\neg\varphi_{1}\lor\varphi_{2}$. We denote by $|\phi|$ the length/size of a formula $\phi$, i.e., the number of operators in $\phi$.

The semantics of $\mathsf{LTLf}$ is similar to $\mathsf{LTL}$ but is interpreted over finite traces. A finite sequence $\rho$ over $2^{\mathsf{Prop}}$ is said to satisfy an $\mathsf{LTLf}$ formula $\phi$ over $\mathsf{Prop}$, denoted by $\rho\models\phi$, if $\rho,0\models\phi$ where for all positions $0\leq i<|\rho|$, $\rho,i\models\phi$ is defined inductively on $\phi$ as follows:

• •

  $\rho,i\models\textsf{true}$; $\rho,i\not\models\textsf{false}$; $\rho,i\models a$ iff $a\in\rho_{i}$

• •

  $\rho,i\models\neg\varphi$ iff $\rho,i\not\models\varphi$

• •

  $\rho,i\models\phi_{1}\land\phi_{2}$ iff $\rho,i\models\phi_{1}$ and $\rho,i\models\phi_{2}$;

• •

  $\rho,i\models\text{X}\phi$ iff $i+1<|\rho|$ and $\rho,i+1\models\phi$

• •

  $\rho,i\models\phi_{1}\text{U}\phi_{2}$ iff there exists $j$ s.t. $i\leq j<|\rho|$ and $\rho,j\models\phi_{2}$, and for all $k$, $i\leq k<j$, we have $\rho,k\models\phi_{1}$

Observe that X requires that there exists a next position; In the context of finite traces, its negation also contains the situation that no next position exists, formulated as $\neg(\text{X}\textsf{true})$ or equivalently Nfalse. This differs from $\mathsf{LTL}$ where the Next operator is applied to all positions. Also, note that $\mathsf{LTLf}$ formulas are evaluated on traces of non-zero length.

The language of an $\mathsf{LTLf}$ formula $\phi$ over $\mathsf{Prop}$ is the set of all finite sequences $\rho$ over $2^{\mathsf{Prop}}$ such that $\rho\models\phi$. The language of an $\mathsf{LTLf}$ formula is regular. The NFA and DFA representing $\mathsf{LTLf}$ are of size singly exponential and doubly exponential, respectively, in the size of the formula [13]. We note that a letter $\sigma\in\Sigma$ of the NFA/DFA corresponds to a valuation over the set $\mathsf{Prop}$ of propositions.

Let $\mathsf{LTLf}$ formula $\phi$ be defined over propositional variables partitioned into $\mathcal{I}$ and $\mathcal{O}$ representing the input and output variables, respectively. Given such an $\mathsf{LTLf}$ formula $\phi$, the problem of $\mathsf{LTLf}$ realizability is to determine whether there exists a strategy $f:(2^{\mathcal{I}})^{*}\rightarrow 2^{\mathcal{O}}$ such that for all $\lambda_{\mathcal{I}}=I_{0},I_{1},\cdots\in(2^{\mathcal{I}})^{\omega}$, there is an integer $k\geq 0$ such that the finite trace $\rho=(I_{0}\cup f(\varepsilon)),(I_{1}\cup f(I_{0})),\cdots,(I_{k}\cup f(I_{0},I_{1},\cdots,I_{k-1}))$ satisfies $\phi$. The $\mathsf{LTLf}$ synthesis problem is to generate such a function, if the given formula is realizable [12]. Intuitively, $\mathsf{LTLf}$ synthesis can be viewed as a game between two agents, an environment and a system, who continually take turns to assign values to the input and output variables, respectively, to generate a sequence of input and output variables. W.l.o.g., we assume the system plays first, followed by the environment, and so on. The goal of synthesis is to generate a strategy for the system agent so that all resulting plays with the environment satisfy the given specification. We note that our model-checking results also hold when the environment plays first, as we will model strategies as transition systems in model checking for generality (cf. Section 3).

This section formally defines the prefix language/automata for $\mathsf{LTLf}$ formulas and proves that their automata constructions involve an unavoidable double-exponential blow-up. The upper and lower bounds are shown in Theorem 4.1 and Theorem 4.2, respectively.

Recall that the semantics of $\mathsf{LTLf}$ requires traces of non-zero length only (see Section 2). So we only need $n>0$, instead of $n\geq 0$, ignoring the empty word. By abuse of notation, we let $\mathsf{pref}(\phi)$ denote both the prefix language and its corresponding automaton, called the prefix automaton.

We start by showing $\mathsf{pref}(\phi)$ is $\omega$-regular for $\mathsf{LTLf}$ formula $\phi$:

Observe that the Büchi automaton $B$ constructed above is deterministic. One of our key discoveries is that the doubly exponential blow-up appears even in the construction of NBAs for $\mathsf{pref}(\phi)$, demonstrating that the blow-up is fundamentally unavoidable. Theorem 4.2 presents such an $\mathsf{LTLf}$ formula to demonstrate the blow-up. The rest of the section builds up to that construction.

We observe that the blow-up is caused by the combination of two aspects: First is the universal quantification on prefixes of words in $\mathsf{pref}(\phi)$; Second is the ability of an $\mathsf{LTLf}$ formula to identify the $k$-th last positions of finite words using the X (Next) modality. At first, we identify an $\omega$-regular language, parameterized with $n\geq 1$, such that all NBAs accepting the language have at least $2^{2^{n}}$ states. Let $n\in\mathbb{N}$ and $\Sigma=\{0,1,\#,\&\}$. Consider the language $L_{n}\subseteq\Sigma^{\omega}$ where

where $w\in\{0,1\}^{n}$, $u\in\{0,1,\#\}^{*}$ and $v\in\{0,1,\#\}^{\omega}$. Intuitively, $L_{n}$ consists of infinite words that are (a) split into two parts by a special character “$\&$” and (b) all words of the form $\#w\#$ appearing after “$\&$” must have appeared before “$\&$”, for all $n$-length words $w\in\{0,1\}^{n}$. Essentially, $L_{n}$ is a bit-level adaption of the language $K_{d}$ where $x\cdot\&\cdot y\in K_{d}$ if digits appearing in $y$ are a subset of digits appearing in $x$, where $x\in D^{*}$ and $y\in D^{\omega}$ for $D=\{0,1,\cdots,d-1\}$. Obviously, the words $14\&1$ and $134\&4$ are good prefixes of a word $x\cdot\&\cdot y\in K_{d}$ when $d>5$. There are also less obvious good prefixes, such as a permutation of $D$ followed by the letter $\&$. We need to recognize all good prefixes in order to accept the language $K_{d}$. So, it is necessary to keep track of the digits (i.e., subsets of $D$) that the automaton has seen so far in an input word. Hence, the NBA of $K_{d}$ needs $2^{\Omega(d)}$ states. The same proof can be adapted to show that the NBA of $L_{n}$ consists of $2^{2^{\Omega(n)}}$ states. We defer a full proof to the supplemental material.

Next, we need to identify a regular language $F_{n}$ such that, by abuse of notation, $\mathsf{pref}(F_{n})$ corresponds to $L_{n}$ and $F_{n}$ can be represented by an $\mathsf{LTLf}$ formula of polynomial length in the parameter $n>0$. A natural choice would be to let $F_{n}$ to be the finite-word version of $L_{n}$. In other words, $u\cdot\&\cdot v\in F_{n}$ s.t. if $\#w\#$ appears in $v$ then $\#w\#$ must have appeared in $u$ for all $w\in\{0,1\}^{n}$ and $u,v\in\{0,1,\#\}^{*}$. The issue is that $F_{n}$ cannot be represented by a short $\mathsf{LTLf}$ formula for the same reason why $L_{n}$ cannot be expressed by a short $\mathsf{LTL}$ formula.

We need $F_{n}$ to be a simpler language. The roadmap would be to leverage the universal quantification over all prefixes to generate $L_{n}$. This is also where we leverage the ability of $\mathsf{LTLf}$ to refer to the last $k$-th positions of a finite trace. Keeping these goalposts, we define regular language $F_{n}\subseteq\Sigma^{*}$ as

where $w\in\{0,1\}^{n}$ and $u,v\in\{0,1,\#\}^{*}$. Intuitively, by applying universal quantification on all finite-length prefixes, focusing on the last $n+2$ characters of words in $F_{n}$ is sufficient to ensure that every occurrence of the form $\#w\#$ after the symbol “$\&$” appears in the portion before the “$\&$”.

There is one last caveat. There are infinitely many prefixes of words in $L_{n}$ that may not contain the symbol $\&$. This issue can be easily remedied by including words without symbol $\&$ to both languages. We overload the notation of $\mathsf{pref}(L)$ to refer to the prefix language of a language over finite words $L$. Then,

The last piece is to show that the language $F_{n}\uplus\{0,1,\#\}^{*}$ can be expressed using an $\mathsf{LTLf}$ formula $\phi_{n}$ of length polynomial in $n$, as shown below:

Note that the $\mathsf{LTLf}$ formulation makes heavy use of $\mathsf{Ends}$, which in turn uses the X modality. Essentially, $\mathsf{Ends}$ serves as a unique identifier of a specific position at the end of all traces. This enables us to anchor at that location without any artificial constructs and to express the desiderata accordingly. This is a crucial difference between $\mathsf{LTLf}$ and $\mathsf{LTL}$.

In this section, we show that a singly exponential construction of NBAs is possible for a fragment of $\mathsf{LTLf}$ formulas. Through an exposition of the prefix language for fragments of $\mathsf{LTLf}$, we highlight some of the peculiarities of the prefix language. Consider the fragment of $\mathsf{LTLf}$, denoted as $\mathsf{LTLf}_{\setminus\{\text{R},\lor\}}$, which permits all but the R (Release) modality and allows $\neg$ and $\vee$ on literals only, as defined below:

where $\ell:=a\in\mathsf{Prop}\mid\neg a\mid\ell\land\ell\mid\ell\lor\ell$. We show that the prefix language of this fragment is equivalently represented by an $\mathsf{LTL}$ formula of the same size, hence its NBA is singly exponential in the size of the formula. The said $\mathsf{LTL}$ formula can be obtained using the translation $t:\mathsf{LTLf}_{\setminus\{\text{R},\lor\}}\rightarrow\mathsf{LTL}$ described below (Since $\mathsf{LTL}$ and $\mathsf{LTLf}$ share the same syntax, to avoid confusion, we add the subscript $\infty$ to temporal operators in $\mathsf{LTL}$, indicating that we have $|\rho|=\infty$. For instance, Globally in $\mathsf{LTL}$ becomes $\text{G}_{\infty}$):

• •

  $t(\ell)=\ell$, $t(\neg\ell)=\neg\ell$

• •

  $t(\text{X}\psi)=\textsf{false}$, $t(\text{N}\psi)=\text{X}_{\infty}t(\psi)$

• •

  $t(\psi_{1}\land\psi_{2})=t(\psi_{1})\land t(\psi_{2})$

• •

  $t(\text{F}\psi)=t(\psi)$

• •

  $t(\psi_{1}\text{U}\psi_{2})=t(\psi_{2})$

• •

  $t(\text{G}\psi)=\text{G}_{\infty}(t(\psi))$

The insight behind this translation is to identify that the criteria for a formula to hold on all finite-length prefixes simplifies to the formula holding on a prefix of length one. The proof is presented below:

An immediate consequence of Lemma 2 is that the prefix automata for $\mathsf{LTLf}_{\setminus\{\text{R},\lor\}}$ are singly exponential in the size of the formula [33]:

Note that, in all the cases above, every conjunct holds on all finite prefixes. This may not be true if $\lor$ (or) is permitted in the formula. For example, consider $\phi=\text{G}a\lor\text{F}b$. Now, the word $w=\{a\}\{b\}\{\}^{\omega}\in\mathsf{pref}(\phi)$ since the prefix of length one satisfies $\text{G}a$ and all other prefixes satisfy $\text{F}b$. Hence, with disjunction, different prefixes can satisfy different disjuncts. In fact, the $\mathsf{LTL}$ formula for $\mathsf{pref}(\phi)$ is $a\text{U}_{\infty}b\lor\text{G}_{\infty}a$. However, such translations may increase the formula length because of duplicating the formula under $\text{G}_{\infty}$ modality. An open problem here is to identify the largest fragment for which the prefix automata have only singly exponential blow-up. This goes hand-in-hand with uncovering the core behind the doubly exponential blow-up for prefix automata.

We prove EXPSPACE-hardness of $\mathsf{LTLf}$ model checking of non-terminating systems by a polynomial-time reduction from the problem of whether an exponential-space Turing machine $T=(Q,\Gamma,\delta,q_{0},F)$ accepts an input word $x=x_{1}\ldots x_{n}$. The components of the Turing machine are defined as follows:

• •

  $Q$ is the set of states and $q_{0}\in Q$ is the initial state.

• •

  $\Gamma$ is the tape alphabet, which is assumed to include the blank symbol $\emptyset$.

• •

  $\delta:Q\times\Gamma\rightarrow Q\times\Gamma\times\{\leftarrow,\rightarrow\}$ is the transition function. $\delta(q,\gamma)=(q^{\prime},\gamma^{\prime},d)$ means that if the machine is in state $q$ and the head reads symbol $\gamma$, it moves to state $q^{\prime}$, writes symbol $\gamma^{\prime}$, and moves the head in direction $d$.

• •

  $F\subseteq Q$ is the set of accepting states. The machine accepts if it reaches a state in $F$.

Since $T$ is an exponential-space Turing machine, we can assume that its tape has $2^{cn}$ cells, where $n$ is the size of the input and $c$ is a constant.