The ins and outs of first-order runtime verification

Abstract

The main purpose of this paper is to introduce a first-order temporal logic, \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \), and a corresponding monitor construction based on a new type of automaton, called spawning automaton. Specifically, we show that monitoring a specification in \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) boils down to an undecidable decision problem. The proof of this result revolves around specific ideas on what we consider a “proper” monitor. As these ideas are general, we outline them first in the setting of standard LTL, before lifting them to the setting of first-order logic and \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \). Although due to the above result one cannot hope to obtain a complete monitor for \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \), we prove the soundness of our automata-based construction and give experimental results from an implementation. These seem to substantiate our hypothesis that the automata-based construction leads to efficient runtime monitors whose size does not grow with increasing trace lengths (as is often observed in similar approaches). However, we also discuss formulae for which growth is unavoidable, irrespective of the chosen monitoring approach. Specifically, we provide a general categorisation of so called monitorable languages, which is closely related to this notion of “growth-inducing” (that is, trace-length dependent) formulae. It relates to the well-known safety-progress hierarchy, yet is orthogonal to it.

Appendix: Detailed proofs

Lemma 1

Let \(\varphi \) be a sentence in first-order logic, then we can construct a corresponding \(\psi \in {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) s.t. \(\varphi \) has a finite model iff \(\psi \) is satisfiable.

Proof

We construct \(\psi \) as follows. We first introduce a new unary \(\mathbf {U}\)-operator \(d\) whose arity is \(\tau \) and that does not appear in \(\varphi \). We then replace every subformula in \(\varphi \), which is of the form \(\forall x.\ \theta \), with \(\forall x:d.\ \theta \) (resp. for \(\exists x.\ \theta \)). Next, we encode some restrictions on the interpretation of function and predicate symbols:

• For each constant symbol \(c\) in \(\varphi \), we conjoin the obtained \(\psi \) with \(d(c)\).

• For each function symbol \(f\) in \(\varphi \) of arity \(n\), we conjoin the obtained \(\psi \) with \(\forall x_1:d.\ \ldots \forall x_n:d.\ d(f(x_1, \ldots , x_n))\).

• For each predicate symbol \(p\) in \(\varphi \) of arity \(n\), we conjoin the obtained \(\psi \) with \(\forall (x_1, \ldots , x_n):p.\ d(x_1) \wedge \cdots \wedge d(x_n)\).

• We conjoin \(\exists x:d.\ d(x)\) to the obtained \(\psi \) to ensure that the domain is not empty.

Finally, we fix the arities of symbols in \(\psi \) appropriately to one of the following \(\tau \), \(\tau \times \cdots \times \tau \), \(\tau \times \cdots \times \tau \rightarrow \tau \).

Obviously, the formula \(\psi \), constructed by the procedure above, is a syntactically correct \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) formula. Now, if \(\psi \) is satisfiable by some \((\mathfrak {A}', \sigma )\), where \(\mathfrak {A}' = (|\mathfrak {A}'|, I')\) and \(\sigma \in (\mathfrak {A}')\text{- }{{\mathrm{Ev}}}\), it is easy to construct a finite model \(\mathfrak {A}= (|\mathfrak {A}|, I)\) s.t. \(\mathfrak {A}\models \varphi \) holds in the classical sense of first-order logic: set \(|\mathfrak {A}|= d^{I'}\), \(c^I = c^{I'}\), \(f^I = f^{I'}|_{d^{I'} \times \cdots \times d^{I'}}\), \(p^I=p^{I'}\), respectively. By an inductive argument one can show that the \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \)semantics is preserved. The other direction, if \(\varphi \) is finitely satisfiable, is trivial: set \(|\mathfrak {A}'| = \tau ^{I'} = |\mathfrak {A}|\), \(c^{I'} = c^I\), \(f^{I'} = f^I\), respectively, and \(\sigma = \{ (p,\mathbf {e}) \mid \mathbf {e} \in p^I\} \cup \{ (d,e) \mid e \in |\mathfrak {A}|\}\). \(\square \)

Theorem 3

The word problem for \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) is PSpace-complete.

Proof

To evaluate a formula \(\varphi \in {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) over some linear Kripke structure, \(\mathcal {K}\), we can basically use the inductive definition of the semantics of \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \): If used as a function, starting in the initial state of \(\mathcal {K}\), \(s_0\), it evaluates \(\varphi \) in a depth-first manner with the maximal depth bounded by \(|\varphi |\).

To show hardness, we reduce the following problem, which is known to be PSpace-complete: Let \(F = Q_1x_1.\ Q_2x_2.\ \ldots Q_nx_n.\ E(x_1, x_2, \ldots , x_n)\), where \(Q \in \{ \forall , \exists \}\) and \(E\) is a Boolean expression over variables \(x_1, x_2, \ldots , x_n\). Does \(F\) evaluate to \(\top \) (cf. [35])? The reduction of this problem proceeds as follows. We first construct a formula \(\varphi \in {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) in prenex normal form,

$$\begin{aligned} \varphi = Q_1x_1:d.\ Q_2x_2:d.\ \ldots Q_nx_n:d.\ E\big (p_{x_1}(x_1), p_{x_2}(x_2), \ldots , p_{x_n}(x_n)\big ). \end{aligned}$$

Then, using an \(\mathbf {U}\)-operator \(p_{x_i}\) for every variable \(x_i\), we construct a singleton Kripke structure, \(\mathcal {K}\), s.t. \(\lambda (s_0) = (\mathfrak {A}, \{ (d,0), (d,1), (p_{x_1},1), (p_{x_2},1), \ldots , (p_{x_n},1) \}), \) where \(|\mathfrak {A}|= \{ 0, 1 \}\) and \(I\) defined accordingly. It can easily be seen that \(F\) evaluates to \(\top \) iff \(\mathcal {K}\) is a model for \(\varphi \). Moreover, this construction can be obtained in no more than a polynomial number of steps wrt. the size of the input. \(\square \)

Theorem 4

The model checking problem for \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) is in ExpSpace.

Proof

For a given \(\varphi \in {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) and \((\mathfrak {A})\)-Kripke structure \(\mathcal {K}\) defined as usual, where \(\mathfrak {A}= (|\mathfrak {A}|, I)\), we construct a propositional Kripke structure \(\mathcal {K}'\) and \(\varphi ' \in {{\mathrm{LTL}}}\), s.t. \(\mathcal {L}(\mathcal {K}) \subseteq \mathcal {L}(\varphi )\) iff \(\mathcal {L}(\mathcal {K}') \subseteq \mathcal {L}(\varphi ')\) holds. Assuming variable names in \(\varphi \) have been adjusted so that each has a unique name, the construction of \(\varphi '\) proceeds as follows.

Wlog. we can assume \(|\mathfrak {A}|\) to be a finite set \(\{ d_0, \ldots , d_n \}\). We first set \(\varphi '\) to \(\varphi \) and extend the corresponding \(\varGamma \) by the constant symbols \(c_{d_0}, \ldots , c_{d_n}\), s.t. \(c_{d_i}^I = d_i\), respectively; that is, we add the respective interpretations of each \(c_{d_i}\) to \(I\). This step obviously does not require more than polynomial space. We then replace all subformulae in \(\varphi '\) of the form \(\nu = Q{{\mathrm{\mathbf {x}}}}:p.\ \psi ({{\mathrm{\mathbf {x}}}})\) exhaustively with the following constructed \(\psi '\):

• Set \(\psi ' = \top \).

• For each state \(s \in S\) do the following:

  • Let \(T = \{ {{\mathrm{\mathbf {d}}}}\mid \lambda (s) = (\mathfrak {A}', \sigma ), \mathfrak {A}' \sim \mathfrak {A}\hbox { and } (p,{{\mathrm{\mathbf {d}}}}) \in \sigma \}\).

  • If \(Q = \forall \), then

    $$\begin{aligned} \psi ' = \psi ' \wedge (\tilde{s} \Rightarrow \bigwedge _{{{\mathrm{\mathbf {d}}}}\in T} \psi ({{\mathrm{\mathbf {x}}}})[{{\mathrm{\mathbf {c}}}}/{{\mathrm{\mathbf {x}}}}]), \quad \hbox {where } {{\mathrm{\mathbf {c}}}}\hbox { is s.t.}\ {{\mathrm{\mathbf {c}}}}^I = {{\mathrm{\mathbf {d}}}}, \end{aligned}$$

    otherwise

    $$\begin{aligned} \psi ' = \psi ' \wedge (\tilde{s} \Rightarrow \bigvee _{{{\mathrm{\mathbf {d}}}}\in T} \psi ({{\mathrm{\mathbf {x}}}})[{{\mathrm{\mathbf {c}}}}/{{\mathrm{\mathbf {x}}}}]), \quad \hbox {where } {{\mathrm{\mathbf {c}}}}\hbox { is s.t.}\ {{\mathrm{\mathbf {c}}}}^I = {{\mathrm{\mathbf {d}}}}, \end{aligned}$$

    where \(\tilde{s}\) is a fresh, unique predicate symbol meant to represent state \(s\).

Then, for all subformulae in \(\varphi '\) of the form \(\tilde{s} \Rightarrow \psi \) we do the following:

• For each \(r({{\mathrm{\mathbf {t}}}})\) occurring in \(\psi \), where \(r \in \mathbf {R}\) and \({{\mathrm{\mathbf {t}}}}\) are terms, let \({{\mathrm{\mathbf {d}}}}= {{\mathrm{\mathbf {t}}}}^I\), and replace \(r({{\mathrm{\mathbf {t}}}})\) by a fresh, unique predicate symbol \(r_{{{\mathrm{\mathbf {d}}}}}\).

It is easy to see that, indeed, \(\varphi '\) is a syntactically correct standard LTL formula, where all quantifiers have been eliminated. In terms of space complexity, note that in the first loop, we replace each quantified formula by an expression at least \(|\mathcal {K}|\) times longer than the original quantified formula. In the worst case, the final formula’s length will be exponential in the number of quantifiers.

We now define the propositional Kripke structure \(\mathcal {K}' = (S', s'_0, \lambda ', \rightarrow ')\) as follows. Let \(S' = S\), \(s'_0 = s_0\), and \(\rightarrow ' = \rightarrow \). In what follows, let \(s\) be a state and \(\lambda (s) = ((|\mathfrak {A}|, I), \sigma )\). (Note, this is the labelling function of \(\mathcal {K}\).) The alphabet of \(\mathcal {K}'\) is given by \(2^{{{\mathrm{AP}}}}\), where \({{\mathrm{AP}}}= \{ r_{{{\mathrm{\mathbf {d}}}}} \mid r \in \mathbf {R}\hbox { and } {{\mathrm{\mathbf {d}}}}\in |\mathfrak {A}|\} \cup \{\tilde{s} \mid s \in S\}\). Finally, we define the labelling function of \(\mathcal {K}'\) as \( \lambda '(s) = \{ \tilde{s} \} \cup \{ r_{{{\mathrm{\mathbf {d}}}}} \mid r \in \mathbf {R}\hbox { and } r^I({{\mathrm{\mathbf {d}}}}) \hbox { is true} \}. \) It is easy to see that, indeed, \(\mathcal {K}'\) preserves all the runs possible through \(\mathcal {K}\).

One can show by an easy induction on the structure of \(\varphi '\) that, indeed, \(\mathcal {L}(\mathcal {K}) \subseteq \mathcal {L}(\varphi )\) iff \(\mathcal {L}(\mathcal {K}') \subseteq \mathcal {L}(\varphi ')\) holds. \(\square \)

Lemma 2

Let \(\mathfrak {A}\) be a first-order structure and \(\varphi \in {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \), then \(\mathcal {L}(\varphi )_{\mathfrak {A}} = \{ (\overline{\mathfrak {A}}, w) \mid \overline{\mathfrak {A}}\sim \mathfrak {A}, w \in {{\mathrm{Ev}}}^\omega , \hbox { and } (\overline{\mathfrak {A}}, w) \models \varphi \}\). Testing if \(\mathcal {L}(\varphi )_{\mathfrak {A}} \ne \emptyset \) is generally undecidable.

Proof

Let \(K = (x_1, y_1), \ldots , (x_k, y_k)\) be an instance of Post’s Correspondence Problem over \(\varSigma = \{ 0, 1 \}\), where \(x_i,y_i \in \varSigma ^+\), which is known to be undecidable in this form. Let us now define a formula \(\varphi _K = \exists \gamma :z.\ pcp(\gamma )\), a structure \(\mathfrak {A}= (\varSigma ^+, I)\), s.t. \(pcp^I(u) \Leftrightarrow u = x_{i_1}\ldots x_{i_n} = y_{i_1}\ldots y_{i_n}\), where \(u \in \varSigma ^+\) and \(pcp\) is of corresponding arity. Obviously, \(pcp^I(u)\) can be computed in finite time for any given \(u\). Let us now show that \(\mathcal {L}(\varphi _K)_\mathfrak {A}\ne \emptyset \) iff \(K\) has a solution.

(\(\Rightarrow \):) Because \(\mathcal {L}(\varphi _K)_\mathfrak {A}\ne \emptyset \), let’s assume there is a word \(u \in \varSigma ^+\) st. \((z,u) \in \sigma \) and \((\mathfrak {A},\sigma ) \in \mathcal {L}(\varphi _K)_{\mathfrak {A}}\). By the choice of \(pcp^I\), there exists a sequence of indices, \(i_1, \ldots , i_n\), st. \(u = x_{i_1}\ldots x_{i_n} = y_{i_1}\ldots y_{i_n}\), i.e., \(K\) has a solution.

(\(\Leftarrow \):) Let’s assume \(K\) has a solution, i.e., there exists a word \(u \in \varSigma ^+\) and a sequence of indices, \(i_1, \ldots , i_n\), st. \(u = x_{i_1}\ldots x_{i_n} = y_{i_1}\ldots y_{i_n}\). We now have to show that \(\mathcal {L}(\varphi _K)_{\mathfrak {A}} \ne \emptyset \). For this purpose, set \(\sigma = \{ (z,u) \}\), then \((\mathfrak {A},\sigma ) \in \mathcal {L}(\varphi _K)_{\mathfrak {A}}\) and, consequently, \(\mathcal {L}(\varphi _K)_{\mathfrak {A}} \ne \emptyset \). \(\square \)

Theorem 5

The prefix problem for \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) is undecidable.

Proof

By way of a similar reduction used in Theorem 1 already, i.e., for any \(\varphi \), \(\mathfrak {A}\), and \(\sigma \in {{\mathrm{Ev}}}\) we have that \((\mathfrak {A}, \sigma ) \in {{\mathrm{bad}}}(\mathsf {X}\varphi )\) iff \(\mathcal {L}(\varphi )_\mathfrak {A}= \emptyset \).

The \(\Leftarrow \)-direction is obvious. For the other direction:

$$\begin{aligned} \begin{array}{ll} &{} (\mathfrak {A}, \sigma ) \in {{\mathrm{bad}}}(\mathsf {X}\varphi ) \\ \Rightarrow &{} \hbox {for all }\overline{\mathfrak {A}}\sim \mathfrak {A}\quad \hbox { and }\quad w \in {{\mathrm{Ev}}}^\omega , \hbox { we have that } (\mathfrak {A}\overline{\mathfrak {A}}, \sigma w) \not \models \mathsf {X}\varphi \\ \Rightarrow &{} \hbox {for all }\overline{\mathfrak {A}}\sim \mathfrak {A}\quad \hbox { and }\quad w \in {{\mathrm{Ev}}}^\omega , \hbox { we have that } (\overline{\mathfrak {A}}, w) \not \models \varphi \\ \Rightarrow &{} \mathcal {L}(\varphi )_\mathfrak {A}= \emptyset \quad \hbox { (which is generally undecidable by Lemma 2)}. \end{array} \end{aligned}$$

\(\square \)

Lemma 3

Let \(\varphi \in {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) (not necessarily a sentence) and \(v\) be a valuation. For each accepting run \(\rho \) in \(\mathcal {A}_{\varphi ,v}\) over input \((\overline{\mathfrak {A}}, w)\), \(\psi \in {{\mathrm{cl}}}(\varphi )\), and \(i \ge 0\), we have that \(\psi \in \rho (i)\) iff \((\overline{\mathfrak {A}}, w, v, i) \models \psi \).

Proof

We proceed by a nested induction on \({{\mathrm{depth}}}(\varphi )\) and the structure of \(\psi \in {{\mathrm{cl}}}(\varphi )\). For the base case let \({{\mathrm{depth}}}(\varphi ) = 0\): We fix \(\rho \) to be an accepting run in \(\mathcal {A}_{\varphi ,v}\) over \((\overline{\mathfrak {A}}, w)\), and proceed by induction over those formulae \(\psi \in {{\mathrm{cl}}}(\varphi )\) which are of depth zero (i.e., without quantifiers) since \({{\mathrm{depth}}}(\varphi ) = 0\). Therefore, this case basically resembles the correctness argument of Büchi automata for propositional LTL (cf. [13, Sect. 5]). For an arbitrary \(i \ge 0\), we have

• \(\psi = r({{\mathrm{\mathbf {t}}}})\):

  $$\begin{aligned} \begin{array}{lcl} r({{\mathrm{\mathbf {t}}}}) \in \rho (i) &{} \Leftrightarrow &{} {{\mathrm{\mathbf {t}}}}^{I_i} \in r^{I_i} (\hbox {by the definition of } \delta _\rightarrow ),\\ &{} &{} \hbox {where, as before, for any variable } x \hbox { in } {{\mathrm{\mathbf {t}}}}, \hbox { by } x^{I_i} \hbox { we mean } v(x) \\ &{} \Leftrightarrow &{}(\overline{\mathfrak {A}}, w, v, i) \models r({{\mathrm{\mathbf {t}}}})\ (\hbox {by the semantics of } {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}}) \end{array} \end{aligned}$$

• \(\psi = p({{\mathrm{\mathbf {t}}}})\): analogous to the above.

• \(\psi = \lnot \psi '\):

  $$\begin{aligned} \begin{array}{ll} \lnot \psi ' \in \rho (i) &{} \Leftrightarrow \psi ' \not \in \rho (i)\ (\hbox {by the completeness assumption of all } q \in Q)\\ &{} \Leftrightarrow (\overline{\mathfrak {A}}, w, v, i) \not \models \psi '\ (\hbox {by induction hypothesis})\\ &{} \Leftrightarrow (\overline{\mathfrak {A}}, w, v, i) \models \lnot \psi '\ (\hbox {by the semantics of } {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}}) \end{array} \end{aligned}$$

• \(\psi = \psi _1 \wedge \psi _2\):

  $$\begin{aligned} \begin{array}{ll} \psi _1 \wedge \psi _2 \in \rho (i) &{} \Leftrightarrow \{\psi _1, \psi _2\} \subseteq \rho (i)\ (\hbox {by the completeness assumption of all } q \in Q)\\ &{} \Leftrightarrow (\overline{\mathfrak {A}}, w, v, i) \models \psi '_1 \hbox { and } (\overline{\mathfrak {A}}, w, v, i) \models \psi _2\ (\hbox {by induction hypothesis})\\ &{} \Leftrightarrow (\overline{\mathfrak {A}}, w, v, i) \models \psi _1 \wedge \psi _2\ (\hbox {by the semantics of } {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}}) \end{array} \end{aligned}$$

• \(\psi = \mathsf {X}\psi '\):

  $$\begin{aligned} \begin{array}{ll} \mathsf {X}\psi ' \in \rho (i) &{} \Leftrightarrow \psi ' \in \rho (i+1)\ (\hbox {by the definition of } \delta _\rightarrow )\\ &{} \Leftrightarrow (\overline{\mathfrak {A}}, w, v, i+1) \models \psi '\ (\hbox {by induction hypothesis})\\ &{} \Leftrightarrow (\overline{\mathfrak {A}}, w, v, i) \models \mathsf {X}\psi '\ (\hbox {by the semantics of } {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}}) \end{array} \end{aligned}$$

• \(\psi = \psi _1 \mathsf {U}\psi _2\): we first show the \(\Rightarrow \)-direction. For this, let us first show that there is a \(j \ge i\), such that \((\overline{\mathfrak {A}}, w, v, j) \models \psi _2\) holds. For suppose not, then for all \(j \ge i\), we have that \((\overline{\mathfrak {A}}, w, v, j) \not \models \psi _2\) and, consequently, by induction hypothesis \(\psi _2 \not \in \rho (j)\). By definition of \(\delta _\rightarrow \), since \(\psi _1 \mathsf {U}\psi _2 \in \rho (i)\) and there isn’t a \(j\) s.t. \(\psi _2 \in \rho (j)\), we have that \(\psi _1 \mathsf {U}\psi _2 \in \rho (j)\) for all \(j \ge 0\). On the other hand, \(\rho \) is accepting in \(\mathcal {A}_\varphi \), thus there exist infinitely many \(j \ge i\), s.t. \(\psi _1 \mathsf {U}\psi _2 \not \in \rho (j)\) or \(\psi _2 \in \rho (j)\) by the definition of the generalised Büchi acceptance condition \(\mathcal {F}\), which is a contradiction. Let us, in what follows, fix the smallest such \(j\). We still need to show that for all \(i \le k \le j\), \((\overline{\mathfrak {A}}, w, v, k) \models \psi _1\) holds. As \(j\) is the smallest such \(j\), where \(\psi _2 \in \rho (j)\) it follows that \(\psi _2 \not \in \rho (k)\) for any such \(k\). As \(\psi _1 \mathsf {U}\psi _2 \in \rho (i)\), it follows by definition of \(\delta _\rightarrow \) that \(\psi _1 \in \rho (i)\) and \(\psi _1 \mathsf {U}\psi _2 \in \rho (i+1)\). We can then inductively apply this argument to all \(i \le k < j\), such that \(\psi _1 \in \rho (k)\) and \(\psi _1 \mathsf {U}\psi _2 \in \rho (k+1)\) hold. The statement then follows from the induction hypothesis. Let us now focus on the \(\Leftarrow \)-direction, i.e., suppose \((\overline{\mathfrak {A}}, w, v, i) \models \psi _1 \mathsf {U}\psi _2\) implies that \(\psi _1 \mathsf {U}\psi _2 \in \rho (i)\). By assumption, there is a \(j \ge i\), such that \((\overline{\mathfrak {A}}, w, v, j) \models \psi _2\) and for all \(i \le k < j\), we have that \((\overline{\mathfrak {A}}, w, v, k) \models \psi _1\). Therefore, by induction hypothesis, \(\psi _2 \in \rho (j)\) and \(\psi _1 \in \rho (k)\) for all such \(k\). Then, by the completeness assumption of all \(q \in Q\), we also get \(\psi _1 \mathsf {U}\psi _2 \in p_j\), and if \(j = i\), we are done. Otherwise with an inductive argument similar to the previous case on \(k = j - 1\), \(k = j - 2\), ..., \(k = i\), we can infer that \(\psi _1 \mathsf {U}\psi _2 \in \rho (k)\).

Let \({{\mathrm{depth}}}(\varphi ) = n > 0\), i.e., we suppose that our claim holds for all formulae with quantifier depth less than \(n\). We continue our proof by structural induction, where the quantifier free cases are almost exactly as above. Therefore, we focus only on the following case.

• \(\psi = \forall \mathbf {x}:p.\ \psi '\): for this case, as before with the \(\mathsf {U}\)-operator, we will first show the \(\Rightarrow \)-direction, i.e., for all \(i \ge 0\) we have \(\forall \mathbf {x}:p.\ \psi ' \in \rho (i)\) implies \((\overline{\mathfrak {A}}, w, v, i) \models \forall \mathbf {x}:p.\ \psi '\). By the semantics of \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \), the latter is equivalent to for all \((p,{{\mathrm{\mathbf {d}}}}) \in w_i\), \((\overline{\mathfrak {A}}, w, v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}, i) \models \psi '\). If there is no \((p, {{\mathrm{\mathbf {d}}}}) \in w_i\) the statement is vacuously true. Otherwise, there are some actions \((p,{{\mathrm{\mathbf {d}}}}) \in w_i\) and

  $$\begin{aligned} \delta _\downarrow (\rho (i), (\mathfrak {A}_i, w_i)) = B \wedge \bigwedge _{(p, {{\mathrm{\mathbf {d}}}}) \in w_i}\mathcal {A}_{\psi ', v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}}, \end{aligned}$$

  where \(B\) is a Boolean combination of SAs corresponding to the remaining elements in \(\rho (i)\). As \(\rho \) is accepting in \(\mathcal {A}_{\varphi ,v}\), there exists a \(Y_i\) satisfying \(\delta _\downarrow (\rho (i), (\mathfrak {A}_i, w_i))\), s.t. all \(\mathcal {A}\in Y_i\) have an accepting run on input \((\overline{\mathfrak {A}}^i, w^i)\). It follows that \(Y_i\) contains an automaton \(\mathcal {A}_{\psi ', v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}}\) for each action \((p, {{\mathrm{\mathbf {d}}}}) \in w_i\) that has an accepting run \(\rho '\). As the respective levels of these automata is \(n-1\), we can use the induction hypothesis and note that the following holds true for each of the \(\mathcal {A}_{\psi ', v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}} \in Y_i\):

  $$\begin{aligned} \hbox {for all: } \nu \in {{\mathrm{cl}}}(\psi ') \hbox { and } l \ge 0, \nu \in \rho '(l) \hbox { iff } (\overline{\mathfrak {A}}, w, v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}, i+l) \models \nu , \end{aligned}$$

  We can now set \(\nu = \psi '\), respectively, and \(l = 0\), from which it follows that \(\psi ' \in \rho '(0)\) iff \((\overline{\mathfrak {A}}, w,v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}, i) \models \psi '\), respectively. As by construction of an SA the initial states of runs contain the formula which the SA represents, we have \(\psi ' \in \rho '(0)\) and hence \((\overline{\mathfrak {A}}, w, v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}, i) \models \psi '\), respectively. As this holds for all \(\mathcal {A}_{\psi ', v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}}\), where \((p,{{\mathrm{\mathbf {d}}}}) \in w_i\), it follows by semantics of \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) that \((\overline{\mathfrak {A}}, w, v, i) \models \forall \mathbf {x}:p.\ \psi '\).

  Let us now consider the \(\Leftarrow \)-direction, i.e., \((\overline{\mathfrak {A}}, w, v, i) \models \forall \mathbf {x}:p.\ \psi '\) implies \(\forall \mathbf {x}:p.\ \psi ' \in \rho (i)\), which we show by contradiction. Suppose \(\forall \mathbf {x}:p.\ \psi ' \not \in \rho (i)\), which implies by the completeness assumption of all \(q \in Q\) that \(\lnot \forall \mathbf {x}{:}p.\ \psi ' \in \rho (i)\) holds. If there is no \((p,{{\mathrm{\mathbf {d}}}}) \in w_i\), then \(\delta _\downarrow (\rho (i), (\mathfrak {A}_i, w_i))\) is equivalent to \(\bot \) and \(\rho \) could not be accepting. Therefore there must be some \((p,{{\mathrm{\mathbf {d}}}}) \in w_i\), s.t.

  $$\begin{aligned} \delta _\downarrow (\rho (i), (\mathfrak {A}_i, w_i)) = B \wedge \bigvee _{(p,{{\mathrm{\mathbf {d}}}}) \in w_i} \mathcal {A}_{\lnot \psi ', v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}}, \end{aligned}$$

  where \(B\) is a Boolean combination of SAs corresponding to the remaining elements in \(\rho (i)\). Because \(\rho \) is accepting in \(\mathcal {A}_{\varphi ,v}\), there exists a \(Y_i\), such that \(Y_i \models \delta _\downarrow (\rho (i), (\mathfrak {A}_i, w_i))\), and there is at least one SA, \(\mathcal {A}'=\mathcal {A}_{\lnot \psi ', v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}} \in Y_i\), with corresponding \((p, {{\mathrm{\mathbf {d}}}}) \in w_i\), s.t. \((\overline{\mathfrak {A}}^i, w^i)\) is accepted by \(\mathcal {A}'\) as input; that is, \(\mathcal {A}'\) has an accepting run, \(\rho '\), on said input. As this automaton’s level is \(n - 1\), we can apply the induction hypothesis and obtain

  $$\begin{aligned} \hbox {for all: } \nu \in {{\mathrm{cl}}}(\lnot \psi ')\quad \hbox {and} \quad l \ge 0, \nu \in \rho '(l) \hbox { iff } (\overline{\mathfrak {A}}, w, v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}, i+l) \models \nu . \end{aligned}$$

  We can now set \(\nu = \lnot \psi '\) and \(l = 0\), and since \(\nu \) belongs to the initial states in accepting runs, we derive \((\overline{\mathfrak {A}}, w, v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}, i) \models \lnot \psi '\), which is a contradiction to our initial hypothesis. \(\square \)

Theorem 6

The constructed SA is correct in the sense that for any sentence \(\varphi \in {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \), we have that \(\mathcal {L}(\mathcal {A}_\varphi ) = \mathcal {L}(\varphi )\).

Proof

\(\subseteq \): Follows from Lemma 3: let \(\rho \) be an accepting run over \((\overline{\mathfrak {A}}, w)\) in \(\mathcal {A}_\varphi \). By definition of an (accepting) run, \(\varphi \in \rho (0)\), and therefore \((\overline{\mathfrak {A}}, w) \in \mathcal {L}(\varphi )\).

\(\supseteq \): We show the more general statement: Given a (possibly not closed) formula \(\varphi \in {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) and valuation \(v\). It holds that \(\{(\overline{\mathfrak {A}}, w) \mid (\overline{\mathfrak {A}}, w, v, 0) \models \varphi \} \subseteq \mathcal {L}(\mathcal {A}_{\varphi ,v})\). We define for all \(i \ge 0\) the set \(\rho (i) = \{ \psi \in {{\mathrm{cl}}}(\varphi ) \mid (\overline{\mathfrak {A}}, w, v, i) \models \psi \}\) for some arbitrary but fixed formula \(\varphi \in {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \) and valuation \(v\), and arbitrary but fixed \((\overline{\mathfrak {A}}, w)\), where \((\overline{\mathfrak {A}}, w, v, 0) \models \varphi \). Let us now show that \(\rho = \rho (0) \rho (1) \ldots \) is a well-defined run in \(\mathcal {A}_{\varphi ,v}\) over \((\overline{\mathfrak {A}}, w)\): Firstly, from the construction of \(Q\), it follows that for all \(i\), \(\rho (i) \in Q\). Secondly, since \(\varphi \in {{\mathrm{cl}}}(\varphi )\) and \((\overline{\mathfrak {A}}, w, v, 0) \models \varphi \), \(\rho (0)\) always contains \(\varphi \). Thirdly, \(\rho (i+1) \in \delta _\rightarrow (\rho (i), (\mathfrak {A}_i, w_i))\) holds for all \(i\). The latter is the case iff;

• for all \(\mathsf {X}\psi \in {{\mathrm{cl}}}(\varphi )\): \(\mathsf {X}\psi \in \rho (i)\) iff \(\psi \in \rho (i+1)\), and

• for all \(\psi _1 \mathsf {U}\psi _2 \in {{\mathrm{cl}}}(\varphi )\): \(\psi _1 \mathsf {U}\psi _2 \in \rho (i)\) iff \(\psi _2 \in \rho (i)\) or (\(\psi _1 \in \rho (1)\) and \(\psi _1 \mathsf {U}\psi _2 \in \rho (i + 1)\)).

The first condition can be shown as follows:

$$\begin{aligned} \begin{array}{ll} \mathsf {X}\psi \in \rho (i) &{} \Leftrightarrow (\overline{\mathfrak {A}}, w, v, i) \models \mathsf {X}\psi \ (\hbox {by definition of } \rho (i))\\ &{} \Leftrightarrow (\overline{\mathfrak {A}}, w, v, i+1) \models \psi \ (\hbox {by the semantics of} {{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}})\\ &{} \Leftrightarrow \psi \in \rho (i+1)\ (\hbox {by the definition of } \rho (i+1)). \end{array} \end{aligned}$$

The second can be shown as follows:

$$\begin{aligned} \begin{array}{ll} \psi _1 \mathsf {U}\psi _2 \in \rho (i) &{} \Leftrightarrow \big (\overline{\mathfrak {A}}, w, v, i \big ) \models \psi _1\mathsf {U}\psi _2\ [\hbox {by definition of } \rho (i)]\\ &{} \Leftrightarrow \big (\overline{\mathfrak {A}}, w, v, i \big ) \models \psi _2 \vee \big (\psi _1 \wedge \mathsf {X}(\psi _1 \mathsf {U}\psi _2)\big ) \\ &{} \Leftrightarrow \big (\overline{\mathfrak {A}}, w, v, i \big ) \models \psi _2 \hbox { or } \bigg (\big (\overline{\mathfrak {A}}, w, v, i\big ) \models \psi _1 \hbox { and } \big (\overline{\mathfrak {A}}, w, v, i+1 \big ) \models \psi _1 \mathsf {U}\psi _2 \bigg )\\ &{} \Leftrightarrow \psi _2 \in \rho (i) \hbox { or } \big (\psi _1 \in \rho (1) \hbox { and } \psi _1 \mathsf {U}\psi _2 \in \rho (i+1)\big )\ [\hbox {by definition of } \rho ]. \end{array} \end{aligned}$$

It remains to show that \(\rho \) is also accepting in \(\mathcal {A}_{\varphi ,v}\). We proceed by induction on \({{\mathrm{depth}}}(\varphi )\). In what follows, let \({{\mathrm{depth}}}(\varphi ) = 0\), i.e., we are showing local acceptance only. By the definition of acceptance we must have that for all \(\psi _1\mathsf {U}\psi _2 \in {{\mathrm{cl}}}(\varphi )\), there exist infinitely many \(i \ge 0\), s.t. \(\rho (i) \in F_{\psi _1\mathsf {U}\psi _2}\), where \(F_{\psi _1\mathsf {U}\psi _2} \in \mathcal {F}\). For suppose not, i.e., there are only finitely many such \(i\), then there is a \(k \ge 0\), s.t. for all \(j \ge k\) we have \(\rho (j) \not \in F_{\psi _1\mathsf {U}\psi _2}\) and therefore \(\psi _1\mathsf {U}\psi _2 \in \rho (j)\) and \(\psi _2 \not \in \rho (j)\) by definition of \(F_{\psi _1\mathsf {U}\psi _2}\). In particular, from \(\psi _1\mathsf {U}\psi _2 \in \rho (k)\) we derive by construction of \(\rho (k)\) that there must be some \(g \ge k\), s.t. \((\overline{\mathfrak {A}}^g, w^g) \in \mathcal {L}(\psi _2)\) and thus \(\psi _2 \in \rho (k)\) with \(g \ge k\). Contradiction.

Let us now assume the statement holds for all formulae with depth strictly less than \(n\) and assume \({{\mathrm{depth}}}(\varphi ) = n\), where \(n > 0\). We don’t show local acceptance of \(\rho \) as it is virtually the same as in the base case, and instead go on to show that for all \(i \ge 0\), there is a \(Y_i\), s.t. \(Y_i \models \delta _\downarrow (\rho (i), (\mathfrak {A}_i, w_i))\) and all \(\mathcal {A}\in Y_i\) are accepting \((\overline{\mathfrak {A}}^i, w^i)\).

Let us define the following two sets:

$$\begin{aligned} Y_i^\forall = \{ \mathcal {A}_{\psi , v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}} \mid \forall \mathbf {x}:p.\ \psi \in \rho (i) \hbox { and } (p,{{\mathrm{\mathbf {d}}}}) \in w_i \} \end{aligned}$$

and

$$\begin{aligned} \begin{array}{lll} Y_i^\exists = \{ \mathcal {A}_{\lnot \psi , v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}} &{} \mid &{} \lnot \forall \mathbf {x}:p.\ \psi \in \rho (i), (p,{{\mathrm{\mathbf {d}}}}) \in w_i, \\ &{} &{} \hbox { and } (\overline{\mathfrak {A}}, w, v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}, i) \not \models \psi \}. \end{array} \end{aligned}$$

Set \(Y_i = Y_i^\forall \cup Y_i^\exists \), which by construction satisfies \(\delta _\downarrow (\rho (i), (\mathfrak {A}_i, w_i))\). We still need to show that every automaton in this set accepts \((\overline{\mathfrak {A}}^i, w^i)\). Now for \(\mathcal {A}_{\nu ,v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}} \in Y_i\) we have either \(\nu =\psi \) for some \(\forall \mathbf {x}:p.\ \psi \in \rho (i)\) and \((p, {{\mathrm{\mathbf {d}}}}) \in w_i\), or \(\nu = \lnot \psi \) for some \(\lnot \forall \mathbf {x}:p.\ \psi \in \rho (i)\) and \((p, {{\mathrm{\mathbf {d}}}}) \in w_i\) s.t. \((\overline{\mathfrak {A}}, w, v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}, i) \not \models \psi \) holds. In either case by definition of \(\rho (i)\) and semantics of \({{\mathrm{LTL}}}^{{{{{\mathrm{FO}}}}}} \), it follows that \((\overline{\mathfrak {A}}, w, v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}, i) \models \nu \). Since the level of \(\mathcal {A}_{\nu ,v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}}\) is strictly less than \(n\), we can apply the induction hypothesis and construct an accepting run for \((\overline{\mathfrak {A}}^i, w^i)\), where \((\overline{\mathfrak {A}}, w, v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}, i) \models \nu \), in \(\mathcal {A}_{\nu ,v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}}\). The statement follows. \(\square \)

Theorem 7

\(M_{\varphi }\big (\overline{\mathfrak {A}}, u \big ) = \top \Rightarrow \) \(\big (\overline{\mathfrak {A}}, u \big ) \in {{\mathrm{good}}}(\varphi )\) [resp. for \(\bot \) and \({{\mathrm{bad}}}(\varphi )\)].

Proof

We prove the more general statement \(M_{\varphi ,v}\big (\overline{\mathfrak {A}}, u \big ) = \top \Rightarrow \) \(\big (\overline{\mathfrak {A}}, u\big ) \in {{\mathrm{good}}}(\varphi ,v)\), where \(\varphi \) possibly has some free variables and \(v\) is a valuation, by a nested induction over \({{\mathrm{depth}}}(\varphi )\).

• For the base case let \({{\mathrm{depth}}}(\varphi )=0\), where \(\varphi \) possibly has free variables, \((\overline{\mathfrak {A}}, u)\) be an arbitrary but fixed prefix and \(v\) a valuation. Suppose \(M_{\varphi ,v}(\overline{\mathfrak {A}},u)\) returns \(\top \) after processing \((\overline{\mathfrak {A}}, u)\), but \((\overline{\mathfrak {A}}, u) \not \in {{\mathrm{good}}}(\varphi ,v)\). By M3 and T10, the buffer of \(T_{\lnot \varphi ,v}\) is empty, i.e., \(B_{\lnot \varphi ,v}= \emptyset \). By T3 and because \(\mathcal {A}_{\lnot \varphi ,v}\) has an accepting run \(\rho \) over \((\overline{\mathfrak {A}}, u)\) with some suffix, \(B_{\lnot \varphi ,v}\) contains \((\rho (|u|), [\top ])\) after processing \((\overline{\mathfrak {A}}, u)\). Furthermore, because \(\delta _\downarrow \) yields \(\top \) for any input iff \({{\mathrm{depth}}}(\lnot \varphi ) = 0\), no run in the buffer is ever removed in T7. Contradiction.

• Let \(depth(\varphi ) > 0\), \((\overline{\mathfrak {A}}, u)\) be an arbitrary but fixed prefix and \(v\) a valuation. Under the same assumptions as above, we will reach a contradiction showing that after processing \((\overline{\mathfrak {A}}, u)\), there is a sequence of obligations \((\rho (|u|), [obl_0, \ldots , obl_n])\) in buffer \(B_{\lnot \varphi ,v}\), which corresponds to an accepting run \(\rho \) in \(\mathcal {A}_{\lnot \varphi ,v}\) over \((\overline{\mathfrak {A}}, u)\) with some suffix \((\overline{\mathfrak {A}}',w')\). That is, M\(_{\varphi ,v}\) cannot return \(\top \), after \(B_{\lnot \varphi ,v}\) is empty, and \(B_{\lnot \varphi ,v}\) containing the above mentioned sequence at the same time. By T3, \(B_{\lnot \varphi ,v}\) contains a sequence \((\rho (|u|), [obl_0, \ldots , obl_n])\) that was incrementally created processing \((\overline{\mathfrak {A}}, u)\) wrt. \(\delta _\rightarrow \), eventually with some obligations removed if they were detected to be met by the input. We now show that this sequence is never removed from the buffer in T7. Suppose the run has been removed, then there was an \(obl_j=\delta _\downarrow (\rho (j), (\overline{\mathfrak {A}}_j, u_j))\), that is

  $$\begin{aligned} \left( \bigwedge _{\forall {{\mathrm{\mathbf {x}}}}:p. \psi \in \rho (j)} \left( \bigwedge _{(p,{{\mathrm{\mathbf {d}}}}) \in u_j} \mathcal {A}_{\psi ,v'} \right) \right) \wedge \left( \bigwedge _{\lnot \forall {{\mathrm{\mathbf {x}}}}:p. \psi \in \rho (j)} \left( \bigvee _{(p,{{\mathrm{\mathbf {d}}}}) \in u_j} \mathcal {A}_{\lnot \psi ,v''} \right) \right) , \end{aligned}$$

  with \(v'=v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}\) and \(v''=v \cup \{{{\mathrm{\mathbf {x}}}}\mapsto {{\mathrm{\mathbf {d}}}}\}\), evaluated to \(\bot \) after \(l\) steps, with \(0 \le j \le l < |u|\). That is, at least one submonitor corresponding to an automaton in the second conjunction has returned \(\bot \) (or all submonitors corresponding to automata in a disjunction, for which the following argument would be similar). Wlog. let \(\forall \mathbf {x}:p. \psi \in \rho (j)\), \((p,{{\mathrm{\mathbf {d}}}}) \in u_j\), and M\(_{\psi ,v'}(\mathfrak {A}_j, \ldots , \mathfrak {A}_l, u_j, \ldots , u_l)=\bot \), i.e., M\(_{\psi ,v'}\) is the submonitor corresponding to \(\mathcal {A}_{\psi ,v'}\). As \(level(\psi ) < level(\varphi )\), from the induction hypothesis follows that \((\mathfrak {A}_j, \ldots , \mathfrak {A}_l, u_j, \ldots , u_l) \in bad(\psi ,v')\), i.e., \((\mathfrak {A}_j, \ldots , \mathfrak {A}_l\overline{\mathfrak {A}}'', u_j, \ldots , u_lw'') \models \psi \) with evaluation \(v'\) for any \((\overline{\mathfrak {A}}'', w'')\), and therefore \((\mathfrak {A}_j, \ldots , \mathfrak {A}_l\overline{\mathfrak {A}}'', u_j, \ldots , u_lw'') \models \lnot \forall x:p.\psi \) under valuation \(v\). But as \(\rho \) over \((\overline{\mathfrak {A}}\overline{\mathfrak {A}}', uw')\) is an accepting run in \(\mathcal {A}_{\lnot \varphi ,v}\) and \(\forall x:p.\psi \in \rho (j)\), it follows that \((\overline{\mathfrak {A}}^j\overline{\mathfrak {A}}', u^jw') \models \forall x:p.\psi \). Now, we choose \((\overline{\mathfrak {A}}'', w'')\) to be \((\overline{\mathfrak {A}}_{l+1},\ldots ,\overline{\mathfrak {A}}_{|u|}\overline{\mathfrak {A}}', u_{l+1},\ldots ,u_{|u|}w')\). Contradiction.

  As for our second statement above, it can be shown similar as before. \(\square \)