Alternation-free modal mu-calculus for data trees (Extended abstract)

Marcin Jurdzi´nski and Ranko Lazi´c∗ Department of Computer Science, University of Warwick, UK

Abstract The recent survey by Segoufin [30] summarises the sub- stantial progress made on reasoning about data words and An alternation-free modal µ-calculus over data trees is data trees. A data word is a word over a finite alphabet, introduced and studied. A data tree is an unranked or- with an equivalence relation on word positions. Implicitly, dered tree whose every node is labelled by a letter from every word position is labelled by an element (“datum”) a finite alphabet and an element (“datum”) from an infi- from an infinite set (“data domain”), but since the infinite nite set. For expressing data-sensitive properties, the calcu- set is equipped only with the equality predicate, it suffices lus is equipped with freeze quantification. A freeze quanti- to know which word positions are labelled by equal data, fier stores in a register the datum labelling the current tree and that is what the equivalence relation represents. Simi- node, which can then be accessed for equality comparisons larly, a data tree is a tree (countable, unranked and ordered) deeper in the formula. whose every node is labelled by a letter from a finite alpha- The main results in the paper are that, for the fragment bet, with an equivalence relation on the set of its nodes. with forward modal operators and one register, satisfiabi- First-order logic for data words was considered in [5], lity over finite data trees is decidable but not primitive re- where variables range over word positions ({0,...,l− 1} cursive, and that for the subfragment consisting of safety or N), there is a unary predicate for each letter from the formulae, satisfiability over countable data trees is decid- finite alphabet, and there is a binary predicate x ∼ y for able but not elementary. The proofs use alternating tree the equivalence relation representing equality of data labels. 2 automata which have registers, and establish correspon- FO (+1,<,∼) denotes such a logic with two variables and dences with nondeterministic tree automata which have binary predicates x +1 = y and xtemporal logic ex- with freeze quantification. In fact, already over data words, ↓ tended by freeze quantification (for short, LTL ) were stud- strict inclusions between deterministic and nondeterminis- ied. Freeze quantification was introduced in the context of tic register automata, and between nondeterministic and al- timed logics (cf., e.g., [1]). A freeze quantifier ↓r stores ternating, were established in [19] and [25]. in register r the equivalence class of the current word posi- The second step consists of translations from alternating tion. In its scope, the atomic formula ↑r is true at a word tree register automata to faulty counter automata over trees position iff the latter belongs to the equivalence class stored without data. The translations preserve nonemptiness, and in r. Thus, freeze quantification enables data at different involve nondeterminisation and quotienting. The counter word positions to be compared for equality. automata are faulty in the sense that counters may sponta- ↓ Over finite data words, satisfiability for LTL with fu- neously increase at any time. That feature makes their tran- ture temporal operators and one register is decidable and not sition relations downwards compatible with a well-quasi- primitive recursive1 [11]. Moreover, the problem becomes ordering (cf. [15]), upon which the proofs of decidability undecidable if infinite (i.e., ω) data words are considered, for those automata are based. or if past temporal operators are allowed, or if one more That satisfiability for the safety subfragment is not el- register is available [11]. To overcome undecidability over ↓ ementary is the most surprising result in the paper. It is infinite data words, the safety fragment of LTL with future relatively easy to obtain 2EXPTIME-hardness, by general- temporal operators and one register was proposed in [22]. ising the reduction that shows EXPSPACE-hardness for sa- Whenever an infinite data word does not satisfy a safety sen- fety future LTL↓ with one register [22]. It is then natural to tence, it has a finite prefix whose every infinite extension expect that 2EXPTIME-membership for the safety subfrag- also does not satisfy the sentence. The safety restriction ment over data trees can also be shown by extending the does not affect expressiveness over finite data words. Over argument in [22] for EXPSPACE-membership. infinite data words, satisfiability for the safety fragment is By encoding computations of faulty counter tree au- EXPSPACE-complete, and refinement and model checking tomata as data trees, we provide a translation from the for- are decidable and not primitive recursive [22]. The frag- mer to the forward alternation-free modal µ-calculus with ment is not closed under negation, but decidability of re- one register, which closes the circle that was begun by the finement implies that satisfiability of Boolean combinations translations used for the decidability of finitary satisfiabi- of safety sentences is decidable. lity. That yields a correspondence between languages of data trees defined by the forward fragment with one register Contributions. This paper addresses one of the open re- and languages of trees defined by the counter automata. search directions proposed in [30]: investigating compu- tation tree logic extended by freeze quantification for rea- It is worth noting that, with only forward modal opera- soning about data trees. The principal logic we study, the tors and over finite data trees, there is no difference between alternation-free modal µ-calculus with freeze quantifica- least and greatest fixed points. Hence, the full modal mu- tion, is more general. We focus on expressiveness and on calculus, the alternation-free fragment and the safety sub- complexity of satisfiability. Motivated partly by applica- fragment all coincide in that setting. However, over ar- tions to XML data streams (cf., e.g., [27]), we consider both bitrary (i.e., possibly infinite) data trees, restricting to the finite and countably infinite data trees. By finitary satisfiabi- alternation-free fragment enables us still to obtain a circle of translations as above and the consequent correspondence 1Recall the Ritchie-Cobham property [26, page 297]: a decision prob- with languages of trees defined by faulty counter automata. lem is primitive recursive iff it is solvable in primitive recursive time/space. That fact, and an equivalence with alternating tree register automata whose acceptance mechanism is weak parity, has b led us to emphasise alternation freeness in this paper.
2 We show that FO (+1, ∼), the first-order logic for which a
 finitary satisfiability was proved decidable in [4], is as ex-
a

 pressive as a certain fragment of the alternation-free modal a b f
 
→ µ-calculus with one register, which is incomparable with
a a a the forward fragment. Indeed, forward modal operators can a    b   be iterated by means of fixed points, whereas the “descen-
dant” and “younger sibling” predicates are not available in a FO2(+1, ∼). E.g., the “nonces” property (cf. Example 1) does not seem expressible in FO2(+1, ∼). Moreover, tem-  poral operators based on the “until” linear temporal opera- Figure 1. Applying f = {a → a ,b → ε} tor are expressible in the forward fragment, but not even in FO2(+1,<,∼) (cf. [14]). On the other hand, the forward sibling, and each node is reachable from nR or a sibling of fragment has only forward modalities, whereas first-order 2 nR by a finite number of
edges; λ : N → Σ is a labelling. quantifiers in FO (+1, ∼) range over all tree nodes. Let  and  denote the inverses of
and ,and
1 be We define forward XPath to be the largest downward and    the “first child” relation, i.e., n
1n iff n
n and n . rightward fragment in which, whenever two attribute values As can be seen in the definition above, the trees we are compared for equality, one of them must be at the cur- consider in this paper are actually forests, where “the rent node. By translating from forward XPath to the forward root” is the oldest node with no parent. Like in [3], we alternation-free modal µ-calculus with one register, we ob- take that approach for technical reasons. However, each tain decidability of finitary satisfiability and decidability for N,Σ,nR,
, ,λ as above can be seen as a binary tree a safety subfragment, both in the presence of DTDs. In con- with root nR, where left-hand and right-hand children are trast to the decidable fragments of XPath mentioned above, given by relations
1 and , respectively. In fact, those two forward XPath has sibling axes, recursive axes, concatena- relations will be used for navigation in the forward modal µ- tion, negation, and data comparisons. calculus, forward register automata, and counter automata (cf. Sections 2.2, 2.3 and 2.4). Hence, we shall refer to the 2. Preliminaries defined structures as trees. By K¨onig’s Lemma, a tree is infinite iff some node has Let N and N+ denote the sets of all nonnegative integers infinitely many siblings or some downward path is infinite. and of all positive integers, respectively. We write P(X) for the powerset of X. Contractions. We now define a class of operations on For a relation R on a set X, we say that x is an R prede- trees, which will be used in Section 2.4 for extracting trees cessor of y, or equivalently that y is an R successor of x,or from accepting runs of automata with ε-transitions.  equivalently that there is an R edge from x to y,iffxRy. A contraction is a mapping f :Σ→ Σ {ε},where  We say that a mapping f on a complete lattice X,  is Σ and Σ are finite alphabets and ε is the empty word. t n ∈ N ε upwards continuous iff, for
each chain x
0  x1  ··· of Given a tree as above, we say that is an -node X f x f x iff f(λ(n)) = ε. We say that t is f-good iff: no ε-node elements of ,wehave ( i∈N i)=
i∈N ( i).The i ε ε least fixed point of such f is lfp(f)= i∈N f (⊥),where has a next sibling, and from every -node, some non- ⊥ is the least element of X. The notions of downward con- node is reachable by
edges. For such f and t,thetree f t N , ,n ,
, ,λ tinuity and greatest fixed point are obtained by reversing the ( )= Σ R is defined as follows. An ordering. The latter is denoted by gfp(f). example is shown in Figure 1.  • The nodes N are maximal paths n1
1 ···
1nk such 2.1. Trees, contractions and data trees that n1,...,nk−1 are ε-nodes and nk is not. • n n Trees. We shall work with countable trees which are un- The root R is the path which contains R.  ranked, ordered, and whose every node is labelled by a letter • (n1
1 ···
1nk)
(m1
1 ···
1mk) iff nk
m1.  from a finite alphabet. More precisely, a tree will be a tu- • (n1
1 ···
1nk)  (m1
1 ···
1mk) iff nk  m1. N, ,n ,
, ,λ N ple Σ R such that: is a countable set of  • λ (n1
1 ···
1nk)=f(λ(nk)). nodes; Σ is a finite alphabet; nR ∈ N is the root node;
is the “child” relation on N;  is the “next sibling” rela- tion on N; each node has an oldest sibling, from which it Data trees. We shall mainly consider trees whose ev- is reachable by a finite number of  edges; nR is an oldest ery node is also labelled by an element from an infinite set which is equipped only with equality. Formally, a data tree We restrict our attention to alternation-free systems, is a tree as above, with an equivalence relation ∼ on N. which are defined as follows. For every i ∈{1,...,k},we For n ∈ N,let[n]∼ denote the class of ∼ which con- write block(i) for the maximum subset of {1,...,k} that tains n. We write N/∼ for the set of all classes of ∼.We contains i, that is contiguous, and for whose every member shall use the terms ‘datum’ and ‘class of ∼’ interchangably. j we have πj = πi. A system as above is alternation free For a data tree τ,lettree(τ) be the underlying tree. iff, whenever Vj occurs in ϕi, either j ∈ block(i) or j

 π1 πk τ Example 1 With the definitions above, we have that the where u = V1 = ϕ1,...,Vk = ϕk  . u,v sentence G
AG(↓1
AX
AG ¬↑1) is expressible as a safety ↓,1 For closed σ, its language LΣ(σ) is defined as the set of closed system in µ (
, ), the forward fragment with one τ all data trees τ with alphabet Σ such that nR ∈ σ∅,∅(Vk). register. It is satisfied by a data tree iff, for each node, there <ω  We write LΣ (σ) for the subset of all finite data trees in is no descendant which is labelled by the same datum. LΣ(σ). We say that σ is satisfiable (resp., finitely satisfi- <ω A consequence of Corollary 5 below will be that, when able) iff LΣ(σ) (resp., LΣ (σ)) is nonempty. considering only finite data trees, the two remaining CTL Boolean operations. For closed σ, its dual (i.e., negation) operators
ER and
AU are also expressible. π1 πk σ is defined as V1 = ϕ1,...,Vk = ϕk, where for each i, Lower bounds for satisfiability. The following theorem πi = µ iff πi = ν and ϕi is obtained from ϕi by replacing contains a number of lower bounds for the complexity of each construct with its dual. The duals of
ϕ, ϕ, ϕ and deciding satisfiability for fragments of the alternation-free ϕ are down ∨
ϕ, up ∨ ϕ, right∨ ϕ and left ∨ ϕ, modal µ-calculus with freeze quantification. They are ob- respectively. The freeze quantifiers ↓r are self-dual. By tained from similar results in [16, 9, 11], which are for LTL inductions over formulae and the number of blocks, we have τ τ with freeze quantification. Closely matching upper bounds that σ (Vi)=N \ σ (Vi) for each i. ∅,v ∅,v will be established in Theorem 6 and Corollary 10 below. The conjunction (resp., disjunction) of two systems π π π1 πk  1   k  µ↓,1
µ↓,1  V1 = ϕ1,...,Vk = ϕk and V1 = ϕ1,...,Vk = ϕk Theorem 2 (a) For ( ) and ( ), fin. satisfiabi- 0 over the same alphabet is defined as their concatenation fol- lity is not primitive recursive and satisfiability is Π1-hard.  ↓,1 ↓,1 ↓,2 ↓,2  π   (b) For µ (
, ), µ (, ), µ (
) and µ (), fin. lowed by an equation V = ϕ ,whereπ is arbitrary and 0 1    satisfiability is Σ1-hard and satisfiability is Σ1-hard. ϕ is Vk ∧ Vk (resp., Vk ∨ Vk ). We say that a closed system σ is valid iff σ is not satis- fiable. For closed systems σ and σ over the same alphabet, 2.3. Alternating tree register automata we say that σ refines (resp., finitely refines) σ iff σ ⇒ σ (i.e., σ ∨ σ) is valid (resp., finitely valid). Corresponding to the addition of freeze quantification to the modal µ-calculus, finite automata can be extended by Expressing CTL operators. We consider operators of registers. We now define alternating register automata over computation tree logic [8] of the form QLfor directed path data trees, and establish their equiexpressiveness with the quantifiers Q ∈{
E,
A, , , } and linear-time opera- calculus. For running over trees, the automata can move to tors L ∈{X, U, R}. The quantifiers
E and
A are existen- the first child, parent, previous sibling or next sibling nodes. tial and universal (respectively) over all maximal downward Existential and universal branchings are expressed by tran- paths, where a path is downward iff it consists of
edges. sition formulae which are disjunctions and conjunctions, re- Unique maximal upward, rightward and leftward paths are spectively. Using atomic transition formulae, the automata specified by the quantifiers ,  and , respectively. The can check whether a move down, up, right or left is pos- “release” operator R is the dual of the “until” operator U. sible. Consequently, there is no need for final locations. The “eventually” and “always” operators Fφ and Gφ can be Each location has a rank, in terms of which weak parity ac- defined as Uφ and ⊥Rφ, respectively. ceptance will be defined in a standard manner [21]. Weak We say that a CTL operator QL is existential iff Q ∈ parity acceptance is self-dual, is a special case of B¨uchi ac- {
E, , , } and L ∈{X, U}. Those operators can be ex- ceptance, and suffices for translating alternation-free modal pressed in µ↓(
, , , ) as below. Their duals are the µ-calculus to alternating automata. Locations also have heights, which ensure that the automata cannot make infi- We write n, q, v  S iff S is a set of states which may nite progress without performing a move. That constraint, result by performing transitions from n, q, v up to first which corresponds to system guardedness, simplifies some moves. The relation is defined recursively over γ(q):ifδ(q) τ,n proofs while not reducing expressiveness. It enables runs to is a move formula, then n, q, v  S iff S ∈ δ(q)v ;  be defined using “big-step” transitions, which are sequences otherwise, n, q, v  S iff S = n,q,v ∈S S n,q,v  τ,n     of moveless “small-step” transitions followed by a move. for some S ∈ δ(q)v and, for each n ,q ,v ∈S ,      some S    such that n ,q ,v   S    .Ob- Automata. The set Φ(Σ,Q,k) of all transition formulae n ,q ,v n ,q ,v serve that, for every n, q, v, there are finitely many S with over a finite alphabet Σ, over a finite set Q of locations and n, q, v  S, and each such S is finite. with k ∈ N registers is defined as: Now, a run G of A of length 0 <κ≤ ω over τ is a   {a, a, , ⊥,q∧ q ,q∨ q , down, up, right, left, sequence G(i):0≤ i<κ of sets of states of A for τ, down, up, right, left,
q, q, q, q, ↓rq, ↑r, ↑r together with relations →i ⊆ G(i) × G(i +1), such that: : a ∈ Σ,q,q ∈ Q, r ∈{1,...,k}} • G(0) = {nR,qI , ∅}; An alternating tree register automaton A is a tuple  • for every i +1<κ, G(i +1)= Si Σ,Q,qI ,k,δ,ρ,γ such that: n,q,v ∈G(i) n,q,v for some n, q, v  Si ; • Σ is a finite alphabet; n,q,v •n, q, v→ n,q,v n,q,v∈Si • Q is a finite set of locations; i iff n,q,v . • qI ∈ Q is the initial location; ArunG of length κ<ωis considered accepting iff • k ∈ N is the number of registers; G(κ − 1) = ∅. Suppose G is an infinite run, and θ is an in- nR,qI , ∅ = n0,q0,v0→0 n1,q1,v1→1 • δ : Q → Φ(Σ,Q,k) is a transition function; finite thread ··· in G.Wehaveρ(q0) ≥ ρ(q1) ≥ ···, so we can define • ρ Q → N : specifies ranks and is such that, whenever ρ(θ) as the eventually constant location rank. We consider q δ q ρ q ≤ ρ q occurs in ( ),wehave ( ) ( ); G accepting iff, for each infinite thread θ, ρ(θ) is even. • γ : Q → N specifies heights and is such that, whenever We say that A accepts τ iff A has an accepting run  q occurs in δ(q) which is not a move formula (i.e., not over τ. The language L(A) is the set of all data trees τ with      one of
q , q , q or q ), we have γ(q ) <γ(q). alphabet Σ which are accepted by A. We write L<ω(A) A We write ATRA(M) for the set of all automata which for the subset of all finite data trees in L( ). We say that A A contain only moves from the set M⊆{
, , , }.We is nonempty (resp., finitely nonempty) iff L( ) (resp., <ω A consider subsets defined by restricting to automata with a L ( )) is nonempty. specified alphabet and/or a specified number of registers. From logic to automata. . . The following result is the For example, ATRA1(
, ) is the set of all forward au- first step towards several upper complexity bounds for sa- tomata with one register. tisfiability for fragments of the calculus, which will be es- A safety (resp., co-safety) automaton is one in which tablished in Theorem 6, Corollary 10 and Theorem 15. We each location rank is even (resp., odd). remark that unguarded systems can be translated in logarith- Runs and languages. Let τ = N,Σ,nR,
, ,λ,∼ be mic space to heightless automata, but the latter are translat- a data tree. To define runs of A over τ,wefirstdefineastate able to heighted automata in polynomial space. of A for τ to be a triple n, q, v where n ∈ N, q ∈ Q,and ↓,k Theorem 3 For each closed system σ of µΣ (M), an au- v is a register valuation for τ. Σ k Σ tomaton A in ATRA (M), such that LΣ(σ)=L(A ), For φ ∈ Φ(Σ,Q,k),letφτ,n denote the set of sets of σ Σ σ v is computable in logarithmic space. If σ is safety (resp., states that results from φ with respect to τ, n and v.The co-safety), then so is AΣ. following are the representative cases: σ  τ,n def  Example 4 Let G
AG(↓1
AX
AG ¬↑1) be the “nonces” q ∧ q v = {{n, q, v, n, q ,v}} def sentence from Example 1. The automaton pictured in Fig- q ∨ qτ,n {{n, q, v}, {n, q,v}} v =  ure 2 has the same language, is in ATRA1(
, ),andissa- {∅}, n
n n  τ,n def if 1 for some fety. For readability, we used ternary conjunctions, and
q down v = ∅,  otherwise and q to abbreviate down ∨
q and right ∨ q (respec- {{n,q,v}}, n
n 
qτ,n def if 1 tively). Each location has even rank (e.g., 0), and suitable v = ∅, otherwise heights are straightforward to assign.  τ,n def ↓rqv = {{n, q, v[r → [n]∼]}} τ,n def {∅}, if r ∈ dom(v),n∈ v(r) By K¨onig’s Lemma, every infinite run has an infinite ↑r = v ∅, otherwise thread. Therefore, if A is a forward automaton and τ is   will be two “lights”: “final” and “B¨uchi”. A run will be ac- cepting iff each location produced for the first child of a leaf node is final, each location produced for the next sibling of a ∧ ↓1
∧ ↑1 last sibling is final, and each infinite sequence of transitions contains a B¨uchi location infinitely often. The formalisation

below, where we omit technical details, is suited to the uses in Section 3.

Automata. An incrementing tree counter automaton Figure 2. An alternating tree reg. automaton (ITCA) C, which is top-down, with ε-transitions, and with zero testing, is a tuple Σ,Q,qI ,k,δ,F,B such that: Σ is a finite alphabet; Q is a finite set of locations; qI is A τ finite, then every run of over is finite. From that ob- the initial location; k ∈ N is the number of counters; servation and the translation in the proof of Theorem 3, we δ ⊆ (Q×Σ×L×Q×Q)∪(Q×{ε}×L×Q) is a transition obtain the next corollary. It shows that, with only forward relation, where L = {inc, dec, ifzero}×{1,...,k} is the modal operators and over finite data trees, safety is not a instruction set; F, B ⊆ Q are the sets of final and B¨uchi lo- restriction (and neither is alternation freeness). cations (respectively), such that whenever q, ε, l, q∈δ,   ↓ we have q ∈ F, B. Corollary 5 If closed systems σ and σ of µΣ(
, ) differ <ω σ <ω σ only in types, then LΣ ( )=LΣ ( ). Runs and languages. A counter valuation is a function {1,...,k}→N.LetΣ† =(Q × Σ × L × Q × Q) ∪ (Q × Using Theorem 3 and the concept of consistent signature † {ε}×L × Q).ArunofC is a tree t = N,Σ ,nR,
, ,λ assignment [31], the following two basic upper complexity  together with mappings β and β from N to counter valua- bounds for satisfiability can be obtained. They match the tions. For each n ∈ N, β(n) is the counter valuation before lower bounds in Theorem 2(b).  performing the transition λ(n),andβ (n) is a counter valu- µ↓
, , ,  ation after the transition is performed. Theorem 6 For ( ), finitary satisfiability is in † 0 1 Let proj : Σ → Σ {ε} be the contraction defined Σ1 and satisfiability is in Σ1. by proj(q, a, l, q,q)=a and proj(q, ε, l, q)=ε.  ...and back. Together with Theorem 3, the next result For every accepting run t, β, β ,wehavethatt is proj-  shows that the alternation-free modal µ-calculus with freeze good (cf. Section 2.1). We say that C accepts a tree t with  quantification is as expressive as alternating tree register au- alphabet Σ iff C has an accepting run t, β, β  such that  tomata, and without significant differences in succinctness. t =proj(t). The language L(C), nonemptiness of C,and their finitary versions, are defined as usual. k Theorem 7 For each A in ATRAΣ(M), a closed system σA ↓,k Complexity of nonemptiness. As is well-known, with- of µΣ (M), such that L(A)=LΣ(σA), is computable in logarithmic space. Safety and co-safety are preserved. out incrementing errors and already over words, finitary nonemptiness of deterministic 2-counter automata is unde- 0 cidable (more precisely, Σ1-hard) [24], and nonemptiness 2.4. Faulty tree counter automata 1 of 2-counter automata is Σ1-hard[1,Lemma8].Inthethe- 0 In Section 3, we shall establish a correspondence be- orem below, decidability and Π1-membership are shown us- ing well-quasi-orderings (cf., e.g., [15]). Non-primitive re- tween closed systems of the forward alternation-free modal 0 µ-calculus with one register and faulty tree automata with cursiveness and Π1-hardness follow from results in [29, 28]. counters. We now define the latter, and determine the com- Theorem 8 For incrementing tree counter automata, fini- plexity of deciding their nonemptiness. tary nonemptiness is decidable and not primitive recursive, Each automaton will have a finite number of natural- and nonemptiness is Π0-complete. valued counters, on which increment, decrement (if non- 1 zero) and zero-test instructions are available. It will run over trees in a top-down nondeterministic manner: if the current 3. Correspondence with counter automata node is labelled by a letter a,ana-transition can be per- formed, producing states for the first child and next sibling The next theorem states that, given a forward alternat- nodes (if any); alternatively, performing an ε-transition can ing tree automaton A with one register, an incrementing change the state, but we remain at the same node. The au- tree counter automaton CA, which is nonempty iff A is tomata will be faulty in the sense that runs can contain errors nonempty, is computable in polynomial space. It is proved which increase one or more counters. For acceptance, there by extending to trees the translation in the proof of [11, Theorem 12], which is from one-way alternating word au- A consequence of Theorems 3, 13 and 14 is decidabil- tomata with one register to incrementing word counter au- ity of satisfiability for the safety fragment of µ↓,1(
, ). tomata. The theorem enables us to conclude, using The- Non-elementarity is shown by encoding as data trees com- orems 3 and 8 above, that for the forward alternation-free putations of Minsky machines of size k whose counters are modal µ-calculus with one register, finitary satisfiability is bounded by a tower of exponentiations of height k.The decidable, and satisfiability is co-r.e. data trees involve iterated balanced binary trees which wit- ness the boundedness. Note that, by Theorem 2(a) and from 1 Theorem 9 For each A in ATRA (
, ),anITCACA, with the proof of Theorem 2(b), dropping the safety restriction, the same alphabet and such that L(CA)={tree(τ):τ ∈ or adding ,  or one more register, each cause satisfiabi- 0 L(A)}, is computable in polynomial space. lity to become Π1-hard.

Corollary 10 For µ↓,1(
, ), finitary satisfiability is de- Theorem 15 Satisfiability for safety µ↓,1(
, ) is decid- 0 cidable and satisfiability is in Π1. able and not elementary.

The following result completes the correspondence be- The final result in this section is obtained using Theo- tween the forward alternation-free modal µ-calculus with rem 3 and the proofs of Theorems 9, 13, 14 and 2(a). Non- one register and incrementing tree counter automata. It primitive recursiveness holds already for validity. From de- shows that, for each ITCA C, a closed system whose models cidability of refinement, we have decidability of satisfiabi- are exactly all accepting runs of C is computable in logarith- lity of arbitrary Boolean combinations of safety systems. mic space. We then recall Theorems 3 and 9 above to infer that contractions of projections of languages of closed sys- Theorem 16 Refinement for safety µ↓,1(
, ) is decidable tems in the fragment coincide with languages of ITCA. and not primitive recursive.

Theorem 11 For each ITCA C with alphabet Σ, a closed σ µ↓,1
,  5. First-order logic system C of Σ† ( ), such that the set of all accepting runs of C equals {tree(τ):τ ∈ LΣ† (σC)}, is computable in logarithmic space. In this section, we show that there are two-way transla- tions between first-order logics with 2 variables over data Corollary 12 For every finite alphabet Σ,thesetofall trees which were considered in [4] and certain fragments of L(C) for ITCA C with alphabet Σ is equal to the set of CTL with freeze quantification and one register. The main 2 , ∼ all {f(tree(τ)) : τ ∈ LΣ(σ)} for contractions f :Σ→ result in [4] is that finitary satisfiability for FO (+1 ) ↓,1 Σ {ε} and closed systems σ of µ (
, ) such that is in 3NEXPTIME. By Theorem 17(b) below, it follows Σ that finitary satisfiability for the fragment SCTL↓,1(+1) of tree(τ) is f-good for all τ ∈ LΣ(σ). ↓,1 µ (
, , , ) also is in 3NEXPTIME. Recall that, in Corollary 10 above, we established decidability of finitary 4. Safety fragment satisfiability for µ↓,1(
, ). However, by the proof of [11, Theorem 17], finitary satisfiability for µ↓,1(
, ) extended 0 Let ITCANT denote the extension of ITCA by nonde- by the operator ↓1EXXF (see below) is Σ1-hard. 2 terministic transfers. Such an instruction transf,c,C As in [4], let FOΣ(+1,<,∼) denote first-order logic transfers the value of counter c to the counters in set C, whose models are data trees with alphabet Σ,andwhich distributing it among the latter nondeterministically. (Sep- has 2 variables which range over tree nodes, unary predi- + arate zero-test instructions are no longer necessary, since cates a for each a ∈ Σ, and binary predicates
, ,
, + transf,c,∅ has the same effect as ifzero,c.) Safety  and ∼. An atomic formula a(x) is true iff the label ITCANT are automata obtained from ITCANT by omitting at node x is a. The predicates
and  are interpreted by + the B¨uchi acceptance mechanism, so that there is no re- the “child” and “next sibling” relations, the predicates
+ quirement on infinite sequences of transitions for a run to and  by the transitive closures of those two relations, be accepting. The following two results are obtained from and the predicate ∼ by the “equality of data labels” rela- 2 + the proof of Theorem 9, and using well-quasi-orderings. tion. FOΣ(+1, ∼) denotes the fragment without
and + 2  predicates, and FOΣ(<, ∼) the fragment without
and Theorem 13 For each safety A in ATRA1(
, ), a safety  predicates. When ‘Σ’ is omitted, we consider all finite ITCANT CA with the same alphabet, such that L(CA)= alphabets. Writing φ(x) means that the formula φ contains {tree(τ):τ ∈ L(A)}, is computable in polynomial space. free occurences of at most the variable x. ↓,1 Let SCTLΣ (+1,<) be the following “simple” fragment Theorem 14 Nonemptiness of safety ITCANT is decidable. of CTL with freeze quantification and one register: • the atomic formulae are , ↑1,anda for a ∈ Σ; |atts(n)| children are labelled by the elements of atts(n), d r • there are Boolean operators ¬ and ∧, and temporal op- and which has two children labelled by and . The only d r n erators QLfor Q ∈{
E, , , } and L ∈{X, XXF}; child of the (resp., ) child of is the node which repre- sents the first child (resp., next sibling) of n (if any). Equal- • each occurence of a temporal operator is immediately ities between data labels are represented by the equiva- ↓ preceded by the freeze quantifier 1. lence relation between nodes which are labelled by attribute ↓,1 names. We say that such a data tree is an XML tree. AsshowninSection2.2,SCTL (+1,<) is contained Σ Following [2, 4], we assume without loss of generality µ↓,1
, , ,  ↓,1 in Σ ( ).LetSCTLΣ (+1) denote the sub- that document type definitions (DTDs) [6] are given as reg-
   fragment with temporal operators EX, X, X, X and ular tree languages. More precisely, we consider a DTD to EXXF,whereEXXFφ is equivalent to (
EXXFφ)∨(XXFφ)∨ T ↓,1 be a nondeterministic top-down tree automaton with al-  φ ∨  φ <  ( XXF ) ( XXF ).LetSCTLΣ ( ) denote the subfrag- phabet (Σ∪Σ ) {d, r} and without ε-transitions. Such au- ment with temporal operators
EXF, XF, XF and XF. ε 2 tomata can be defined by omitting counters and -transitions Let a formula φ(x) of FOΣ(+1,<,∼) and a closed sys- T ↓ from ITCA (cf. Section 2.4). We say that is safety iff ev- tem σ of µΣ(
, , , ) with no free occurences of regis- ery location of T is B¨uchi. An XML tree τ as above is ters be equivalent iff, for each data tree τ with alphabet Σ regarded to satisfy T iff tree(τ) is accepted by T . τ and node n,wehaveτ |=[x→n] φ iff n ∈ σ∅,∅(V ),where V is the last left-hand side in σ. The result below is proved Fragments of XPath. The fragment of XPath [7] below by generalising the translations in the proof of [11, Proposi- contains all operators commonly found in practice and was tion 6], which is for first-order logic with two variables over considered in [2, 17]. The grammars of queries p and qual- data words and linear temporal logic with one register. ifiers q are mutually recursive. The element types a and attribute names a range over Σ and Σ, respectively. Theorem 17 Suppose ∅ = R⊆{+1,<}. (a) For each φ x 2 R, ∼ ψΣ p ::= ε |
|  |  |  | q ::= ¬q | q ∧ q | p | a | formula ( ) of FOΣ( ), an equivalent sentence φ,x ∗ ∗ ∗ ∗   ↓,1
|  |  |  | p/@a = p/@a | of SCTLΣ (R) is computable in polynomial space. (b) For   ↓,1 p/p | p ∪ p | p[q] p/@a = p/@a each sentence ψ of SCTLΣ (R), an equivalent formula Σ 2 φψ (x) of FOΣ(R, ∼) is computable in logarithmic space. We say that a query is forward iff: • it does not contain , , ∗, ∗; 6. XPath   • for every subqualifier of the form p1/@a1  p 2/@a2, we have that p1 = ε and that p2 is of the form ε or In this section, we first describe how XML documents  
/p or /p . and DTDs can be represented by data trees and tree au- 2 2 tomata. We then introduce a forward fragment of XPath, A safety query is one in which each occurence of
,
∗ or and a safety subfragment. By translating XPath queries to ∗ is under an odd number of negations. systems of the alternation-free modal µ-calculus with freeze The semantics of queries and qualifiers is standard (cf., quantification, and applying results in Sections 3 and 4, we e.g., [17]). We write the satisfaction relations as τ,n,n |= establish that finitary satisfiablity for forward XPath and sa- p and τ,n |= q,whereτ is an XML tree over Σ and Σ with  tisfiability for safety forward XPath are decidable. root nR,andn and n are Σ-labelled nodes. We say that τ   satisfies p iff τ,nR,n |= p for some n . XML trees. Suppose Σ is a finite set of element types, Σ     is a finite set of attribute names, and Σ and Σ are disjoint. Example 18 Suppose a1,a2 ∈ Σ . The forward query ∗  ∗  An XML document [6] is an unranked ordered tree whose pa ,a =
[ε/@a1 =(
/
)/@a2] is satisfied by Σ- n n ∈ 1 2 every node is labelled by some type( ) Σ andbya labelled nodes n0 and n1 iff n1 is equal to or a descendant n ⊆  datum for each element of some atts( ) Σ . Motivated of n0 and there exists a descendant n2 of n1 such that the  by processing of XML streams (cf., e.g., [27]), we do not value of attribute a1 at n1 is equal to the value of attribute  restrict our attention to finite XML documents. a2 at n2. The safety forward query ε[¬pa ,a ] is satisfied by  1 2  Concerning the data in XML documents, we shall con- an XML tree over Σ and Σ iff the value of a1 at a node is  sider only the equality predicate between data labels. Equal- never equal to the value of a2 at a descendant.  ity comparisons with constants are straightforward to en- code using additional attribute names. Therefore, similarly Suppose a query p and a DTD T are over the same ele- as in [4], we represent an XML document by a data tree ment types and attribute names. We say that p is satisfiable with alphabet (Σ∪Σ) {d, r}, where each node n is repre- relative to T iff there exists an XML tree which satisfies p sented by a node which is labelled by type(n), whose first and T . Finitary satisfiability restricts to finite XML trees. Complexity of satisfiability. For a system σ and a vari- [6] T. Bray, J. Paoli, and C. Sperberg-McQueen. Extensible able W , writing σ(W ) means that σ contains free oc- markup language (XML) 1.0. W3C Recommendation, 1998. curences of at most the variable W and no free occurences [7] J. Clark and S. DeRose. XML path language (XPath). W3C of registers. Let a query p over element types Σ and Recommendation, 1999.  σ W [8] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic attribute names Σ be equivalent to a system ( ) of verification of finite-state concurrent systems using temporal µ↓
, , ,  τ (Σ∪Σ){d,r}( ) iff, for every XML tree over logic specifications. ACM TOPLAS, 8(2):244–263, 1986. Σ and Σ, Σ-labelled node n,andsetM of nodes, we [9] C. David. Mots et donn´ees infinies. Master’s thesis, LIAFA, τ Universit´e Paris 7, 2004. have n ∈ σ[W →M],∅(V ) iff there exists m ∈ M with τ,n,m | p V σ [10] P. deGroote, B. Guillaume, and S. Salvati. Vector addition = ,where is the last left-hand side in . tree automata. In LICS, pages 64–73. IEEE, 2004. [11] S. Demri and R. Lazi´c. LTL with the freeze quantifier and  Theorem 19 For each forward query p over Σ and Σ , register automata. In LICS, pages 17–26. IEEE, 2006. Σ,Σ ↓,1 an equivalent system σp (W ) of µ(Σ∪Σ){d,r}(
, ) is [12] S. Demri, R. Lazi´c, and D. Nowak. On the freeze quanti- computable in logarithmic space. Safety is preserved. fier in Constraint LTL: decidability and complexity. I&C, 205(1):2–24, 2007. [13] E. A. Emerson and C.-L. Lei. Efficient model checking in The following decidability results are obtained from fragments of the propositional mu-calculus. In LICS, pages Theorems 19, 3, 9, 8, 13 and 14. 267–278. IEEE, 1986. [14] K. Etessami, M. Vardi, and T. Wilke. First-order logic with Theorem 20 (a) Finitary satisfiability for forward XPath two variables and unary temporal logic. I&C, 179(2):279– and arbitrary DTDs is decidable. (b) Satisfiability for sa- 295, 2002. fety forward XPath and safety DTDs is decidable. [15] A. Finkel and P. Schnoebelen. Well-structured transitions systems everywhere! TCS, 256(1–2):63–92, 2001. [16] T. French. Quantified propositional temporal logic with re- 7. Conclusion peating states. In TIME-ICTL, pages 155–165. IEEE, 2003. [17] F. Geerts and W. Fan. Satisfiability of XPath queries with sibling axes. In DBPL, volume 3774 of LNCS, pages 122– The principal objective of the paper was to analyse the 137. Springer, 2005. complexity of satisfiability for fragments of the alternation- [18] S. Hall´e, R. Villemaire, and O. Cherkaoui. CTL model free modal µ-calculus with freeze quantification, with and checking for labelled tree queries. In TIME, pages 27–35. without restricting to finite data trees. An overview of the IEEE, 2006. main results is in the following table, where ‘R, not PR’ [19] M. Kaminski and N. Francez. Finite-memory automata. means ‘decidable and not primitive recursive’, and ‘R, not TCS, 134(2):329–363, 1994. EL’ means ‘decidable and not elementary’. [20] M. Kaminski and T. Tan. Tree automata over infinite alpha- bets. Poster at CIAA, 2006. [21] O. Kupferman and M. Vardi. Weak alternating automata are fin. sat. satisfiability not that weak. ACM TOCL, 2(3):408–429, 2001. ↓,1 safety µ (
, ) R, not PR R, not EL [22] R. Lazi´c. Safely freezing LTL. In FSTTCS, volume 4337 of Boolean closure of LNCS, pages 381–392. Springer, 2006. ↓,1 R, not PR R, not PR λ safety µ (
, ) [23] A. Lisitsa and I. Potapov. Temporal logic with predicate - ↓,1 0 abstraction. In TIME, pages 147–155. IEEE, 2005. µ (
, ) R, not PR Π1-complete ↓,1 ↓,1 [24] M. Minsky. Computation, Finite and Infinite Machines. µ (
, ), µ (, ), 0 1 ↓,2 ↓,2 Σ1-complete Σ1-complete Prentice Hall, 1967. µ (
), µ () [25] F. Neven, T. Schwentick, and V. Vianu. Finite state machines for strings over infinite alphabets. ACM TOCL, 5(3):403– 435, 2004. References [26] P. Odifreddi. Classical Recursion Theory II. Elsevier, 1999. [27] D. Olteanu, T. Furche, and F. Bry. An efficient single-pass [1] R. Alur and T. Henzinger. A really temporal logic. JACM, query evaluator for XML data streams. In SAC, pages 627– 41(1):181–204, 1994. 631. ACM, 2004. [2] M. Benedikt, W. Fan, and F. Geerts. XPath satisfiability in [28] J. Ouaknine and J. Worrell. On Metric temporal logic and thepresenceofDTDs.InPODS, pages 25–36. ACM, 2005. faulty Turing machines. In FOSSACS, volume 3921 of [3] H. Bj¨orklund and M. Boja´nczyk. Bounded depth data trees. LNCS, pages 217–230. Springer, 2006. In ICALP, LNCS. Springer, 2007. [29] P. Schnoebelen. Verifying lossy channel systems has non- [4] M. Boja´nczyk, C. David, A. Muscholl, T. Schwentick, and primitive recursive complexity. IPL, 83(5):251–261, 2002. [30] L. Segoufin. Automata and logics for words and trees over L. Segoufin. Two-variable logic on data trees and XML rea- an infinite alphabet. In CSL, volume 4207 of LNCS, pages soning. In PODS, pages 10–19. ACM, 2006. 41–57. Springer, 2006. [5] M. Boja´nczyk, A. Muscholl, T. Schwentick, L. Segoufin, [31] I. Walukiewicz. Pushdown processes: Games and model- and C. David. Two-variable logic on words with data. In checking. I&C, 164(2):234–263, 2001. LICS, pages 7–16. IEEE, 2006.