[IEEE 2012 Sixth International Symposium on Theoretical Aspects of Software Engineering (TASE) -...
On model construction for modal mu-calculus
Nan Qu
Institute of Software, Chinese Academy of Sciences
Graduate School of Chinese Academy of Sciences
P.O.Box 8718, 100190 Beijing, China
Abstract—This paper presents a tableau system for checking satisfiability of modal μ-calculus formulas. When a formula F is satisfiable, a model with size bounded by $2^{|F|}$ can be extracted from the tableau. We also show that the asymptotic lower bound for the model size of formulas is greater than any polynomial function of the size of formulas.
Keywords- μ-calculus, tableau, model size, satisfiability
I. INTRODUCTION
Modal μ-calculus, introduced by Kozen in [1], is one of the best-known logics for labeled transition systems. Because of its expressiveness, not long after its introduction it replaced Propositional Dynamic Logic (PDL) [2], [3] as the major logic for the analysis of programs. The logic is an extension of propositional modal logic with the least and greatest fixed point operators. Such an extension enables the logic to encode many well-known branching-time temporal logics and program logics, including CTL, CTL*, and PDL. The enriched expressiveness achieved by incorporating fixed point operators, however, introduces difficulties when solving computational and logical problems. For example, it defeats the technique of filtration, which has been successfully applied in the study of PDL, and as a consequence many results, such as the small model property, a decision procedure for satisfiability, and a complete axiomatization, are much harder to obtain for the μ-calculus. In this paper we focus on the problem of deciding satisfiability, i.e. finding a decision procedure which determines whether a formula is satisfiable. In the literature, so far there are two types of decision procedures for the problem. One employs results from the theory of automata on infinite objects [4], [6]. The other uses a tableau system which can be directly used to check the satisfiability of a formula [5], where tableaux are constructed for the formulas in question. A successful tableau can be seen as a model for the initial formula. Since it is shown that every tableau is finite, the soundness and completeness of the tableau system entail the decidability of satisfiability.

Based on the work of [5], in this paper we present a simplified tableau system to decide the satisfiability of a formula. In case a formula F is satisfiable, our tableau system will produce a model with size bounded by $2^{|F|}$. We also show that the worst case asymptotic lower bound for the model size of formulas is greater than any polynomial function of the size of formulas.

In the following section we define the syntax and semantics of modal μ-calculus. The tableau system is presented in section 3. The soundness and completeness of the tableau system are discussed in sections 4 and 5 respectively. In section 6 we discuss the asymptotic lower bound of model sizes. We conclude in section 7 with related work.
II. PRELIMINARIES
This section presents the syntax and semantics of the μ-calculus. We use meta variables E, F, G etc. to range over formulae. Fix a countable set V of variables, ranged over by X, Y etc. The set of all μ-calculus formulae, denoted Φ, is defined by the following BNF rules:

$$F ::= \top \mid \bot \mid X \mid \neg X \mid F \wedge G \mid F \vee G \mid [a]F \mid \langle a\rangle F \mid \nu X.F \mid \mu X.F$$

The variable X in the formulae μX.F and νX.F must appear positively, i.e. not preceded by any ¬. We will use σ to denote both μ and ν.
The syntax used here is the so-called positive normal form, in that the negation operator ¬ can only occur in front of variables. Arbitrary negation of any formula can be represented in positive normal form via the following equivalences:
1) $\neg\neg X = X$, $\neg\top = \bot$, $\neg\bot = \top$;
2) $\neg(F \wedge G) = (\neg F) \vee (\neg G)$, $\neg(F \vee G) = (\neg F) \wedge (\neg G)$;
3) $\neg[a]F = \langle a\rangle\neg F$, $\neg\langle a\rangle F = [a]\neg F$;
4) $\neg\nu X.F = \mu X.\neg F[\neg X/X]$, $\neg\mu X.F = \nu X.\neg F[\neg X/X]$.
Thus positive normal form loses no generality.
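As an added illustration (not code from the paper), the four equivalences above as a rewriting function over a small tuple encoding of formulae; the encoding and the names nnf, neg and subst are my own. The fixed-point case substitutes ¬X for X before pushing the negation inward, so the bound variable ends up positive again:

```python
# Formulae as tuples: ('top',), ('bot',), ('var', X), ('neg', X), ('and', F, G), ('or', F, G),
# ('box', a, F), ('dia', a, F), ('nu', X, F), ('mu', X, F); ('not', F) is an arbitrary negation
# that positive normal form does not allow and that nnf() eliminates.

def nnf(F):
    """Rewrite F, which may contain ('not', G) anywhere, into positive normal form."""
    k = F[0]
    if k == 'not':
        return neg(F[1])
    if k in ('top', 'bot', 'var', 'neg'):
        return F
    if k in ('and', 'or'):
        return (k, nnf(F[1]), nnf(F[2]))
    return (k, F[1], nnf(F[2]))                 # box, dia, nu, mu keep their label / variable

def neg(F):
    """Positive normal form of not-F, by the equivalences 1)-4) above."""
    k = F[0]
    if k == 'not':
        return nnf(F[1])                        # not not G = G
    if k in ('top', 'bot'):
        return ('bot',) if k == 'top' else ('top',)
    if k in ('var', 'neg'):
        return ('neg', F[1]) if k == 'var' else ('var', F[1])
    if k in ('and', 'or'):                      # De Morgan
        return ('or' if k == 'and' else 'and', neg(F[1]), neg(F[2]))
    if k in ('box', 'dia'):                     # not [a]F = <a> not F, not <a>F = [a] not F
        return ('dia' if k == 'box' else 'box', F[1], neg(F[2]))
    # not sigma X.F = sigma' X. not F[not X / X]: flipping the bound occurrences keeps X positive
    X = F[1]
    return ('mu' if k == 'nu' else 'nu', X, neg(subst(F[2], X, ('neg', X))))

def subst(F, X, E):
    """F[E/X]: replace free occurrences of X by E. The only use above is [not X / X],
    for which no variable capture can arise."""
    k = F[0]
    if k in ('var', 'neg') and F[1] == X:
        return E if k == 'var' else neg(E)
    if k in ('nu', 'mu') and F[1] == X:         # X is rebound here, so nothing below is free
        return F
    if k in ('and', 'or', 'not'):
        return (k,) + tuple(subst(G, X, E) for G in F[1:])
    if k in ('box', 'dia', 'nu', 'mu'):
        return (k, F[1], subst(F[2], X, E))
    return F
```

On the paper's $F_2 = \nu X.[a](\neg Y \wedge [a]X)$ this yields $\mu X.\langle a\rangle(Y \vee \langle a\rangle X)$.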
Assume the standard notions of bound and free occurrences of variables, capture of variables, and α-conversion. If $F, E_1, \ldots, E_n$ are formulae and $X_1, \ldots, X_n$ are variables, $F[E_1/X_1, \ldots, E_n/X_n]$ is the result of the capture-avoiding simultaneous substitution of each $E_i$ for all free occurrences of $X_i$ in F.
A variable X in a formula F is said to be guarded if X only occurs in sub-formulae of the form [a]G or ⟨a⟩G.
Formulae are interpreted on states of a labeled transition system (LTS) $\mathcal{M} = \langle S, \{\xrightarrow{a}\}_{a \in A}, A\rangle$, where for each $a \in A$, $\xrightarrow{a} \subseteq S \times S$ is a transition relation. A model is an LTS $\mathcal{M}$ and a valuation ρ which assigns to each free variable X ∈ V a set of states: ρ(X) ⊆ S. In such a model, the set of states satisfying a formula F, denoted $[\![F]\!]^{\mathcal{M}}_\rho$, is defined inductively on the structure of F as follows:

$$\begin{aligned}
[\![\top]\!]^{\mathcal{M}}_\rho &= S \\
[\![\bot]\!]^{\mathcal{M}}_\rho &= \emptyset \\
[\![X]\!]^{\mathcal{M}}_\rho &= \rho(X) \\
[\![\neg X]\!]^{\mathcal{M}}_\rho &= S \setminus \rho(X) \\
[\![F \wedge G]\!]^{\mathcal{M}}_\rho &= [\![F]\!]^{\mathcal{M}}_\rho \cap [\![G]\!]^{\mathcal{M}}_\rho \\
[\![F \vee G]\!]^{\mathcal{M}}_\rho &= [\![F]\!]^{\mathcal{M}}_\rho \cup [\![G]\!]^{\mathcal{M}}_\rho \\
[\![[a]F]\!]^{\mathcal{M}}_\rho &= \{s \in S \mid \text{whenever } s \xrightarrow{a} s',\ s' \in [\![F]\!]^{\mathcal{M}}_\rho\} \\
[\![\langle a\rangle F]\!]^{\mathcal{M}}_\rho &= \{s \in S \mid \exists s' \in [\![F]\!]^{\mathcal{M}}_\rho,\ s \xrightarrow{a} s'\} \\
[\![\mu X.F]\!]^{\mathcal{M}}_\rho &= \bigcap\{W \subseteq S \mid [\![F]\!]^{\mathcal{M}}_{\rho[W/X]} \subseteq W\} \\
[\![\nu X.F]\!]^{\mathcal{M}}_\rho &= \bigcup\{W \subseteq S \mid [\![F]\!]^{\mathcal{M}}_{\rho[W/X]} \supseteq W\}
\end{aligned}$$

where ρ[W/X] is the valuation such that ρ[W/X](X) = W and ρ[W/X](Y) = ρ(Y) when Y is not X.

2012 IEEE Sixth International Symposium on Theoretical Aspects of Software Engineering
978-0-7695-4751-0/12 $26.00 © 2012 IEEE
DOI 10.1109/TASE.2012.49
If $s \in [\![F]\!]^{\mathcal{M}}_\rho$ then we say formula F is true at state s of a model $\mathcal{M}$ under ρ, also written $\mathcal{M}, s \models_\rho F$. A formula F is universally valid, denoted by $\models F$, iff $s \in [\![F]\!]^{\mathcal{M}}_\rho$ for any $\mathcal{M}$, ρ and all states s of $\mathcal{M}$. A formula F is satisfiable iff there exists a model $\mathcal{M}$ with a valuation ρ and a state s such that $s \in [\![F]\!]^{\mathcal{M}}_\rho$. In this case we also say that F is satisfied in $\mathcal{M}$.
An approximation for σX.F is a formula of the form $\sigma^\tau X.F$ (where τ is an ordinal), whose semantics can be given as follows:
(1) $[\![\mu^0 X.F]\!]^{\mathcal{M}}_\rho = \emptyset$ and $[\![\nu^0 X.F]\!]^{\mathcal{M}}_\rho = S$;
(2) $[\![\sigma^{\tau+1} X.F]\!]^{\mathcal{M}}_\rho = [\![F]\!]^{\mathcal{M}}_{\rho(X \mapsto [\![\sigma^\tau X.F]\!]^{\mathcal{M}}_\rho)}$;
(3) $[\![\mu^\tau X.F]\!]^{\mathcal{M}}_\rho = \bigcup_{\tau' < \tau} [\![\mu^{\tau'} X.F]\!]^{\mathcal{M}}_\rho$ and $[\![\nu^\tau X.F]\!]^{\mathcal{M}}_\rho = \bigcap_{\tau' < \tau} [\![\nu^{\tau'} X.F]\!]^{\mathcal{M}}_\rho$.
Let O be the set of all ordinals. It is well known, as the Knaster-Tarski theorem, that $[\![\nu X.F]\!]^{\mathcal{M}}_\rho = \bigcap_{\tau \in O} [\![\nu^\tau X.F]\!]^{\mathcal{M}}_\rho$ and $[\![\mu X.F]\!]^{\mathcal{M}}_\rho = \bigcup_{\tau \in O} [\![\mu^\tau X.F]\!]^{\mathcal{M}}_\rho$.
Definition 1 (well-named formulae). A formula F is well-named iff, for each variable X, there is at most one operator of the form σX in F and, if X occurs free in F, there is no operator σX in F.
Let Γ be a set of formulae; we write $\bigvee\Gamma$ (and $\bigwedge\Gamma$) for the disjunction (and conjunction) of all members of Γ. A set of formulae Γ is well-named if $\bigvee\Gamma$ is well-named.
Every formula can be rewritten to a well-named formula by renaming bound variables to distinct ones. For a well-named formula F, we use Var(F) to represent the set of variables that appear in F.
Since all fixed point variables are distinct in well-named formulae, we can identify a sub-formula σX.F with the variable X and use a binding function D to denote the binding definition of every bound variable. Now for a given well-named formula F, we write $\langle\!|X|\!\rangle_F$ to denote the unique sub-formula of F of the form σX.E. For two bound variables X and Y in a well-named formula F, we say X is higher than Y if $\langle\!|Y|\!\rangle_F$ is a sub-formula of $\langle\!|X|\!\rangle_F$, written as $X <_F Y$, or just $X < Y$ if F is known from the context.
III. TABLEAU SYSTEM
In this section we will introduce the tableau system which helps us to find a model of a satisfiable formula. Our tableau system has some similarity to the model-checking tableaux in [6] and the tableau system for satisfiability in [5].

A tableau is a tree whose nodes are of the form $\Gamma^f$ and are generated by following some tableau rules, where Γ is a set of formulae and the counter f is a function from variables to natural numbers. We use u to denote a node $\Gamma^f$ in a tableau and L(u) to denote Γ.

A tableau is generated by following the tableau rules. A tableau rule is a rule of the form

$$N:\ \frac{\Gamma^f}{\Gamma_1^{f'_1}\ \ \cdots\ \ \Gamma_n^{f'_n}}\quad C$$

where N is the label or name of the rule and C is a side condition, which can be void when nothing more is required. The counters f and f′ are used to count the number of times that the least fixed-point variables are unfolded during tableau construction. For formulae $F_1, \ldots, F_n$ and a set of formulae Γ, we will simply write $\{F_1, \ldots, F_n, \Gamma\}$ to mean the set $\{F_1, \ldots, F_n\} \cup \Gamma$.
The following are the tableau rules.
$$R_\wedge:\ \frac{\{F_1 \wedge F_2, \Gamma\}^f}{\{F_1, F_2, \Gamma\}^f}$$

$$R_\vee:\ \frac{\{F_1 \vee F_2, \Gamma\}^f}{\{F_1, \Gamma\}^f}\qquad \frac{\{F_1 \vee F_2, \Gamma\}^f}{\{F_2, \Gamma\}^f}$$

$$R_\sigma:\ \frac{\{\sigma X.F, \Gamma\}^f}{\{X, \Gamma\}^f}$$

$$\mathrm{Unfold}_\mu:\ \frac{\{X, \Gamma\}^f}{\{F, \Gamma\}^{f'}}\quad \langle\!|X|\!\rangle = \mu X.F,\ f' = f[X \mapsto f(X) + 1]$$

$$\mathrm{Unfold}_\nu:\ \frac{\{X, \Gamma\}^f}{\{F, \Gamma\}^{f}}\quad \langle\!|X|\!\rangle = \nu X.F$$

$$\mathrm{Modal}:\ \frac{\{\langle a_1\rangle F_1, \ldots, \langle a_n\rangle F_n, \Gamma_\Box, \Gamma_{AP}\}^f}{\{F_1, \Gamma_1\}^f\ \ \cdots\ \ \{F_n, \Gamma_n\}^f}$$

where $\Gamma_\Box$ collects the [a]-guarded formulae, $\Gamma_{AP}$ collects variables and their negations, and $\Gamma_i = \{H \mid [a_i]H \in \Gamma_\Box\}$. Here is an example of an application of the Modal rule:

$$\frac{\{\langle a\rangle F_1, \langle a\rangle F_2, \langle b\rangle F_3, [a]H_1, [b]H_2, \neg X, Y\}^f}{\{F_1, H_1\}^f\ \ \{F_2, H_1\}^f\ \ \{F_3, H_2\}^f}$$
In a tableau, when the Modal rule is applied to a node, the node is called a modal node. The number of son nodes of a modal node is exactly the number of ⟨⟩-guarded formulae. When there is no such formula in a modal node, there is no son node. Such a modal node is called a natural termination node or a natural termination.
When an Unfold rule is applied and the fixed-point variable is X, we say that the variable X is regenerated. When the set of formulae on a node is exactly the same as that of an ancestor node, the node is called a recursive termination node or a recursive termination, and the ancestor is the companion.
For a recursive termination node u and its companion u′, there are counters f and f′ accompanying them. Suppose the set of formulae in u and u′ is L(u) and the set of variables that occur in L(u) is Var L(u); we write $f =_u f'$ if f(X) = f′(X) for all X ∈ Var L(u), and in this case we say f and f′ are equal based on the recursive termination u.
For a given formula F, its closure CL(F) is the smallest set which contains F and which is closed with respect to the following rules:
1) if $E_1 \wedge E_2 \in CL(F)$ or $E_1 \vee E_2 \in CL(F)$ then $E_1, E_2 \in CL(F)$;
2) if $[a]E \in CL(F)$ or $\langle a\rangle E \in CL(F)$ then $E \in CL(F)$;
3) if $\sigma X.E \in CL(F)$ then $E \in CL(F)$, where σ denotes μ or ν.
A terminating tableau is one in which each leaf node is either a natural termination or a recursive termination. It can be proved that CL(F) is a finite set for any formula F, and every set of formulae of a tableau node is a subset of CL(F). A tableau construction must terminate: otherwise, by König's lemma, there is an infinite path of non-termination nodes. This is impossible since there are only finitely many different subsets of CL(F), so any such infinite path must contain recursive termination nodes. The size of the tableau with {F} at its root is bounded by $2^{|F|}$.

Now we define what a consistent tableau and a successful tableau are. A tableau is said to be locally consistent if there are no contradictory formulae in any formula set throughout the tableau; a tableau is globally consistent if all counters on recursive terminations are equal to their companions' based on the termination node. A consistent tableau is one which is both locally and globally consistent. A tableau is successful if and only if it is terminating and consistent.
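An added example, not code from the paper: a depth-first search for a successful tableau that implements the rules of this section over a tuple encoding of formulae, with the counter f, both termination conditions, and the local and global consistency checks; the function names, the tuple encoding and the use of a sorted order to pick the next formula to reduce are my own choices. Because $R_\vee$ is a choice, the search backtracks over both branches, so satisfiable(F) returns True exactly when some successful tableau for {F} is found:

```python
# Formulae in positive normal form as tuples (syntax of Section II); input must be well-named:
# ('top',), ('bot',), ('var', X), ('neg', X), ('and', F, G), ('or', F, G),
# ('box', a, F), ('dia', a, F), ('nu', X, F), ('mu', X, F).

def subformulas(F):
    return [x for x in F[1:] if isinstance(x, tuple)]

def binding(F, D=None):
    """Binding function: D[X] is the unique sub-formula sigma X.E, written <|X|>_F on the page."""
    D = {} if D is None else D
    if F[0] in ('nu', 'mu'):
        D[F[1]] = F
    for G in subformulas(F):
        binding(G, D)
    return D

def variables(F):
    """Variables occurring in a formula (Var L(u) is the union over the node's formulae)."""
    own = {F[1]} if F[0] in ('var', 'neg', 'nu', 'mu') else set()
    return own.union(*(variables(G) for G in subformulas(F)))

def satisfiable(F):
    """True iff the search finds a successful tableau for {F}: terminating and consistent."""
    D = binding(F)
    def expand(gamma, f, path):
        # local consistency: no bottom and no clashing pair X, not-X in the node
        if ('bot',) in gamma or any(('neg', G[1]) in gamma for G in gamma if G[0] == 'var'):
            return False
        # recursive termination: same formula set as an ancestor (the companion); the tableau is
        # globally consistent there iff the counters agree on the variables occurring in the node
        for g2, f2 in path:
            if g2 == gamma:
                vs = set().union(*(variables(G) for G in gamma))
                return all(f.get(X, 0) == f2.get(X, 0) for X in vs)
        path = path + [(gamma, f)]
        for G in sorted(gamma):                      # deterministic choice of the formula to reduce
            rest = gamma - {G}
            if G[0] == 'and':                        # R_and
                return expand(rest | {G[1], G[2]}, f, path)
            if G[0] == 'or':                         # R_or: a choice, so backtrack over both branches
                return expand(rest | {G[1]}, f, path) or expand(rest | {G[2]}, f, path)
            if G[0] in ('nu', 'mu'):                 # R_sigma
                return expand(rest | {('var', G[1])}, f, path)
            if G[0] == 'var' and G[1] in D:          # Unfold_mu bumps the counter, Unfold_nu does not
                sigma, X, body = D[G[1]]
                f2 = {**f, X: f.get(X, 0) + 1} if sigma == 'mu' else f
                return expand(rest | {body}, f2, path)
        # modal node: one son per diamond, carrying the bodies of the boxes with the same label;
        # a modal node without any diamond is a natural termination
        boxes = [G for G in gamma if G[0] == 'box']
        for G in gamma:
            if G[0] == 'dia':
                son = {G[2]} | {H[2] for H in boxes if H[1] == G[1]}
                if not expand(frozenset(son), f, path):
                    return False
        return True
    return expand(frozenset([F]), {}, [])
```

For νX.⟨a⟩X the node {X} recurs with equal counters and the tableau succeeds; for μX.⟨a⟩X the counter of X has grown when {X} recurs, so the only tableau is globally inconsistent.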
IV. SOUNDNESS
If a formula has a successful tableau, we can extract an LTS from the tableau. A node is called near another node if some rule other than the Modal rule is applied to reduce the node to the other; we also say a recursive termination is near its companion. Then we extend the relation near to its reflexive and transitive closure. It can be proved that every node in a tableau is either a modal node or near a modal node.
Definition 2. Suppose T is a successful tableau for a formula F. We define an LTS $\mathcal{M}_T = \langle S, \{\xrightarrow{a}\}_{a \in A}, A\rangle$ corresponding to T as follows:
1) for each modal node u in T, there is a state [u] in S corresponding to u and all nodes near it;
2) $[s] \xrightarrow{a} [t]$ iff, for some nodes u ∈ [t] and v ∈ [s], a formula ⟨a⟩F in v is reduced to F in u.
Now we employ the notion of trail [5] to prove that F is satisfied in $\mathcal{M}_T$ when T is a successful tableau.
Definition 3 (trail). A trail is a sequence $(u_1, F_1^{f_1}), (u_2, F_2^{f_2}), \ldots$ such that each $u_i$ is reduced to $u_{i+1}$ in a given tableau and $F_{i+1}$ corresponds to $F_i$ in the reduction, where $F_i$ is a formula in $L(u_i)$ and $f_i$ is the counter at the node $u_i$, $i \in \mathbb{N}$.
If a trail is infinite, then some variables must be regenerated.
Definition 4 (μ-trail). An infinite trail is a μ-trail if the highest variable which is regenerated infinitely often in this trail is a μ-variable.
Lemma 1. There is no μ-trail in a successful tableau.
Lemma 2. If a tableau T for F contains no μ-trail and u is the root node of T, then $\mathcal{M}_T, [u] \models_\rho F$, where $\rho(X) = \{[v] \in S \mid X \in L(v)\}$.
Similar results appear in various forms in the literature, for example [5]. These two lemmas immediately imply the soundness of our tableau system.
Theorem 1 (Soundness). If a formula has a successful tableau, then it is satisfiable.
V. COMPLETENESS
In this section, we will prove the completeness of the tableau system, that is, each satisfiable formula has a successful tableau. First, we need a few more notations.
For a well-named formula F, we have a binding function $D_F$ such that $D_F(X) = \sigma X.E(X)$ where σX.E(X) is a sub-formula of F. For every sub-formula E of F we can define the expansion of E with respect to $D_F$ as

$$E^{D_F} = E[D_F(X_1)/X_1] \ldots [D_F(X_n)/X_n]$$

where the sequence $(X_1, X_2, \ldots, X_n)$ is a linear ordering of all bound variables of F compatible with the dependency partial order.
When a formula F and its binding function D are given, consider a sub-formula E of F such that $E^{D_F}$ is satisfied in a state s of a model $\mathcal{M}$ with a valuation ρ. We can define a signature of E in s, Sig(E, s), as the least, in the lexicographical ordering, sequence of ordinals $(\tau_1, \ldots, \tau_n)$ such that $\mathcal{M}, s \models_\rho E^{D'}$, where D′ is a binding function constructed from D by replacing, for each μ-variable $U_i$ with $D(U_i) = \mu X.H(X)$, $D(U_i)$ by $D'(U_i) = \mu^{\tau_i} X.H(X)$. It can be shown that the signature has the following properties.
Lemma 3 ([6]). Let s be a state of a model $\mathcal{M}$, ρ a valuation, and D a binding function based on a formula F. For any sub-formula of F the following holds:
1) If $s \models_\rho (E_1 \wedge E_2)^D$ then $Sig(E_1 \wedge E_2, s) = \max(Sig(E_1, s), Sig(E_2, s))$;
2) If $s \models_\rho (E_1 \vee E_2)^D$ then $Sig(E_1 \vee E_2, s) = Sig(E_1, s)$ or $Sig(E_1 \vee E_2, s) = Sig(E_2, s)$;
3) If $s \models_\rho (\langle a\rangle E)^D$ then there is an s′ such that $s \xrightarrow{a} s'$ and $Sig(\langle a\rangle E, s) = Sig(E, s')$;
4) If $s \models_\rho ([a]E)^D$ then for all s′ such that $s \xrightarrow{a} s'$ it holds that $Sig([a]E, s) = Sig(E, s')$;
5) If $s \models_\rho (\nu X.E)^D$ and $D(V) = \nu X.E$ then $Sig(\nu X.E, s) = Sig(V, s)$;
6) If $s \models_\rho (\mu X.E)^D$ and $D(U) = \mu X.E$ then the prefixes up to U of $Sig(\mu X.E, s)$ and $Sig(U, s)$ are equal;
7) If $s \models_\rho V^D$ and $D(V) = \nu X.E$ then $Sig(V, s) = Sig(E(V), s)$;
8) If $s \models_\rho U^D$ and $D(U) = \mu X.E$ then $Sig(U, s) > Sig(E(U), s)$.
Suppose F is satisfiable. Then there is at least one state s in a model $\mathcal{M}$ with a signature Sig(F, s). Considering all the states satisfying F, there is a state $s_0$ with the least signature Sig(F, s). Now we construct a tableau based on the model $\mathcal{M}$ starting from the state $s_0$.
For the unary rules $R_\wedge$, $R_\sigma$, $\mathrm{Unfold}_\mu$ and $\mathrm{Unfold}_\nu$ the construction is determined. When the rule $R_\vee$ is applied, since a state s satisfies $F_1 \vee F_2$, it must satisfy $F_1$ or $F_2$; the proper rule can be applied based on which formula the state satisfies. When the Modal rule is applied, for each formula ⟨a⟩E there must be at least one state t such that $s \xrightarrow{a} t$. Among all such states t, choose a state t′ which minimizes Sig(E, t) as the reference state for E to continue the tableau construction. In the end we obtain a tableau with states corresponding to the nodes, where the signature of the state at each node is minimized.
Now we need to prove that the tableau is successful. Since the tableau is constructed corresponding to a model, local consistency is guaranteed; to prove global consistency, we need to prove that for every recursive termination u and its companion u′, the counters f and f′ are equal on all variables higher than the ones occurring in u. Suppose not; then there is a variable U such that the rule $\mathrm{Unfold}_\mu$ is applied to U on the path between u′ and u. According to the method by which we construct the tableau, there are states s and s′ such that Sig(u′, s′) < Sig(u, s), but u = u′ and Sig(u, s) is minimal, which is a contradiction.
Theorem 2. Every satisfiable formula has a successful tableau.
VI. LOWER BOUND FOR MODEL SIZES
As we know, if a formula F is satisfiable, through our tableau system we can obtain a model with size bounded by $2^{|F|}$. This gives an upper bound for the model size as an exponential function of the formula size. Can one do better? In this section we will show that any upper bound function for the model size cannot be a polynomial function of the formula size.

To show this, we will construct a sequence of formulae $G_2, \ldots, G_n, \ldots$ such that each formula in the sequence is satisfiable, and as the position n increases, the size of the smallest model for $G_n$ grows faster than any polynomial function of the size of $G_n$. In the rest of this section we construct such a sequence.

For any prime number p, let $F_p = \nu X.[a](\neg Y \wedge [a](\ldots \neg Y \wedge [a]X))$, that is, there are p occurrences of [a] in total in $F_p$. For example $F_2 = \nu X.[a](\neg Y \wedge [a]X)$ and $F_3 = \nu X.[a](\neg Y \wedge [a](\neg Y \wedge [a]X))$. It is easy to see that $F_p$ has the following property: if $s \in [\![F_p]\!]^{\mathcal{M}}_\rho$, then in any sequence $s = s_0, s_1, \ldots, s_i, \ldots$ such that $s_{i-1} \xrightarrow{a} s_i$, Y may only hold at positions np for n = 0, 1, …. Now let

$$G_k = F_2 \wedge \ldots \wedge F_{p_k} \wedge \mu X.\langle a\rangle(X \vee Y)$$

where $p_k$ is the kth prime. Note that μX.⟨a⟩(X ∨ Y) says that there exists a sequence of a-transitions leading to a state where Y holds.

Now we have the following observation. Each $G_k$ has a model. Let $s_0, s_1, \ldots, s_n$ be a sequence of states where $n = 2 \times \ldots \times p_k$, $s_{i-1} \xrightarrow{a} s_i$ for i = 1, …, n, and $\rho(Y) = \{s_n\}$, and there are no other transitions; call this model $\mathcal{M}$. It is easy to see that $s_0 \in [\![G_k]\!]^{\mathcal{M}}_\rho$. On the other hand, any model of $G_k$ cannot have fewer states, since μX.⟨a⟩(X ∨ Y) requires that there must be an a-transition sequence $s_0 \xrightarrow{a} s_1 \xrightarrow{a} \cdots$ reaching a state satisfying Y, while each $F_{p_i}$ requires that if $s_m$ is a state in this sequence where Y holds then $p_i$ must be a divisor of m, so the first state $s_n$ in the sequence that satisfies Y must satisfy $n = 2 \times \ldots \times p_k$.

It is easy to see that the formula size of $G_k$ is proportional to $2 + 3 + \ldots + p_k$, while as we just argued above the smallest model size for $G_k$ is $2 \times \ldots \times p_k$. According to [7], $2 + 3 + \ldots + p_k \sim k^2 \ln k$, and according to [8], [9], $2 \times \ldots \times p_k \sim e^{k \ln k}$. Thus in this sequence the size of the smallest model grows faster than any polynomial function of the size of the formula. Otherwise the size of the smallest model in the sequence would be bounded by some polynomial function of k (since $|G_k| \sim k^2 \ln k < k^3$), which would imply that $e^{k \ln k}$ is bounded by some polynomial function of k, and we know this is not true.
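As an added example (not code from the paper), the following implements the inductive semantics of Section II over a finite LTS, computing each fixed point by iterating the approximants $\sigma^\tau X.F$ until they stabilise, and then builds $G_k$ and the chain model of this section; the helper names and the tuple encoding of formulae are my own. It confirms that $s_0$ satisfies $G_2 = F_2 \wedge F_3 \wedge \mu X.\langle a\rangle(X \vee Y)$ on the chain with n = 6 but on no shorter chain, and that $|G_k|$ grows with the sum of the primes used:

```python
# Formulae in positive normal form as tuples: ('top',), ('bot',), ('var', X), ('neg', X),
# ('and', F, G), ('or', F, G), ('box', a, F), ('dia', a, F), ('nu', X, F), ('mu', X, F).

def sem(F, S, trans, rho):
    """[[F]]^M_rho over the finite LTS (S, trans); trans maps a label to a set of (s, s') pairs."""
    k, S = F[0], frozenset(S)
    if k in ('top', 'bot'):
        return S if k == 'top' else frozenset()
    if k in ('var', 'neg'):
        V = frozenset(rho.get(F[1], ()))
        return V if k == 'var' else S - V
    if k in ('and', 'or'):
        L, R = sem(F[1], S, trans, rho), sem(F[2], S, trans, rho)
        return L & R if k == 'and' else L | R
    if k in ('box', 'dia'):
        inner = sem(F[2], S, trans, rho)
        succ = {s: {t for (u, t) in trans.get(F[1], ()) if u == s} for s in S}
        return frozenset(s for s in S if (succ[s] <= inner if k == 'box' else succ[s] & inner))
    # sigma X.E: iterate the approximants sigma^tau X.E from the bottom (mu) or the top (nu);
    # on a finite S the iteration stabilises at the fixed point given by the Knaster-Tarski theorem
    X, W = F[1], frozenset() if k == 'mu' else S
    while True:
        nxt = sem(F[2], S, trans, {**rho, X: W})
        if nxt == W:
            return W
        W = nxt

def F_p(p, X):
    """F_p = nu X.[a](not Y and [a](... not Y and [a]X)) with p occurrences of [a] in total."""
    body = ('var', X)
    for _ in range(p - 1):
        body = ('and', ('neg', 'Y'), ('box', 'a', body))
    return ('nu', X, ('box', 'a', body))

def G(primes):
    """G_k = F_2 and ... and F_{p_k} and mu Z.<a>(Z or Y), well-named via distinct bound variables."""
    F = ('mu', 'Z', ('dia', 'a', ('or', ('var', 'Z'), ('var', 'Y'))))
    for i, p in enumerate(primes):
        F = ('and', F_p(p, 'X%d' % i), F)
    return F

def size(F):
    """Number of operator and variable occurrences, used here as the formula size |F|."""
    return 1 + sum(size(x) for x in F[1:] if isinstance(x, tuple))

def chain_model(n):
    """Constructed model: states 0..n, transitions i-1 --a--> i, and Y true only at state n."""
    S = set(range(n + 1))
    return S, {'a': {(i - 1, i) for i in range(1, n + 1)}}, {'Y': {n}}

def root_satisfies(primes, n):
    """Does s_0 of the chain of length n satisfy the G built from the given primes?"""
    S, trans, rho = chain_model(n)
    return 0 in sem(G(primes), S, trans, rho)
```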
VII. CONCLUSION
In this work we propose a tableau system for deciding satisfiability of formulas of modal μ-calculus. It is a simplification of the tableau system of [5]. We also show that the worst case asymptotic lower bound of the model size of formulas is greater than any polynomial function of the size of formulas.
ACKNOWLEDGMENT
I wish to thank my supervisor, Prof. Xinxin Liu, for comments and guidance on the result in this paper.
REFERENCES
[1] D. Kozen, Results on the propositional mu-calculus. Theoret. Comput. Sci. 27, 333-354 (1983).
[2] M. J. Fischer and R. E. Ladner, Propositional dynamic logic of regular programs. J. Comput. System Sci., 18(2), 1979.
[3] D. Harel, D. Kozen and J. Tiuryn, Dynamic Logic, The MIT Press, 2000.
[4] R. Streett and A. Emerson, An automata theoretic decision procedure for the propositional mu-calculus. Information and Computation, 81:249-264, 1989.
[5] N. Jungteerapanich, A tableau system for the modal μ-calculus, in M. Giese and A. Waaler (Eds.): TABLEAUX 2009, LNAI 5607, pp. 220-234, 2009.
[6] I. Walukiewicz, On completeness of the mu-calculus, in Proceedings of Logic in Computer Science, pp. 136-146, 1993.
[7] S. M. Ruiz, A result on prime numbers, Math. Gaz., 81, 269, 1997.
[8] C. D. Pruitt, A theorem and proof on the density of primes utilizing primorials, http://www.mathematicl.com/mathprimorialproof.html.
[9] S. R. Finch, Mathematical constants, Cambridge University Press, 2003.