We now introduce the notion of the product automaton for a given CTLK formula and an interpreted system $P$. We remind the reader that the product automaton $A_{P,\psi}$ should accept the language $L(A_{D,\psi}) \cap \{\langle T_P, V_P\rangle\}$ and therefore should be non-empty iff $P$ satisfies $\psi$.
Let $A_{D,\psi} = \langle 2^{P}, D, Q_\psi, \delta_\psi, q_0, At, F_\psi\rangle$ be an epistemic alternating tree automaton that accepts all the $D$-trees in $T$ that satisfy $\psi$, as constructed in the previous section. Let $P = \langle R, s_0, I\rangle$ be an interpreted system such that the degrees of $\langle T_P, V_P\rangle$ are in $D$. We introduce the weak epistemic alternating word automaton $A_{P,\psi} = \langle\{a\}, \Pi \times Q_\psi, \delta, ((\rho, 0), q_0), F\rangle$ such that $\rho(0) = s_0$ and $\delta$, $F$ are defined as follows:
• Epistemic: Let $q \in Q_\psi$, $(\rho, n) \in \Pi$, $\{s' \in S \mid s' \sim_i \rho(n)\} = \langle s_{0,i}, \ldots, s_{d_i(\rho(n))-1,i}\rangle$, where $\langle s_{0,i}, \ldots, s_{d_i(\rho(n))-1,i}\rangle$ is the set $succ_i(\rho(n))$ of $i$ successors for $\rho(n)$, and let $\delta_\psi(q, I(\rho(n)), \vec{d}(\rho(n))) = \theta$. Then $\delta(((\rho, n), q), a) = \theta'$, where $\theta'$ is obtained from $\theta$ by replacing each atom $(c_j, i, q_j)$ in $\theta$ by the atom $((\rho_{c_j,i}, n_{c_j,i}), q_j)$ for some point $(\rho_{c_j,i}, n_{c_j,i})$ such that $\rho_{c_j,i}(n_{c_j,i}) = s_{c_j,i}$.
• Temporal: Let $q \in Q_\psi$, $(\rho, n) \in \Pi$, $\{\rho' \in R \mid \rho'_n = \rho_n\} = \langle \rho_{0,t}, \ldots, \rho_{d_t(\rho(n))-1,t}\rangle$, where $\langle \rho_{0,t}, \ldots, \rho_{d_t(\rho(n))-1,t}\rangle$ is the set $succ_t(\rho(n))$ of $t$ successors for $\rho(n)$, and let $\delta_\psi(q, I(\rho(n)), \vec{d}(\rho(n))) = \theta$. Then $\delta(((\rho, n), q), a) = \theta'$, where $\theta'$ is obtained from $\theta$ by replacing each atom $(c_j, t, q_j)$ in $\theta$ by the atom $((\rho_{c_j,t}, n + 1), q_j)$.
• The acceptance condition $F$ is defined according to the acceptance condition $F_\psi$ of
It is easy to see that if $A_{D,\psi}$ is a WEAA with a weakness partition $\{Q_1, \ldots, Q_n\}$, then so is $A_{P,\psi}$ with a partition $\{\Pi \times Q_1, \ldots, \Pi \times Q_n\}$.
We remark that the word automaton $A_{P,\psi}$ defined above is not unique given $P$. However, we can recover uniqueness by considering states in $S$ rather than points in $\Pi$. Thus, the product automaton of $A_{D,\psi}$ and $P$ is defined as the weak epistemic alternating word automaton $A_{P,\psi} = \langle\{a\}, S \times Q_\psi, \delta, (s_0, q_0), F\rangle$ where $F = S \times F_\psi$ and if $\delta(((\rho, n), q), a) = \theta$ then $\delta((\rho(n), q), a) = \theta'$, where $\theta'$ is obtained from $\theta$ by replacing each atom $((\rho, n), q)$ in $\theta$ by $(\rho(n), q)$.
Observation 1. Tree automata to word automata.
We expand on the notion of translating the tree automaton to a word automaton. It follows that transforming every node in $A_{D,\psi}$
$$((c, j), q) \Rightarrow (s^{j}_{c}, q)$$
where $s^{j}_{c}$ is the $c$-th $j$-successor ($j \in At$) in $P$, converts the alternating tree automaton $A_{D,\psi}$ for the formula into the alternating word automaton $A_{P,\psi}$. This is because $A_{P,\psi}$ no longer has a set of degrees $D$, and simply has a fixed set of successors.
To this end, each disjunction and conjunction in the formula over nodes in the tree (i.e., over each $c$ in $d_j$, $j \in At$), becomes a disjunction/conjunction of successors in the word automaton.
The automaton $A_{P,\psi}$ is also over one letter, i.e., $\Sigma = \{a\}$, as each node in $A_{P,\psi}$ exactly encapsulates a given state in the tree $\langle T_P, V_P\rangle$ and therefore also in the interpreted system $P$. Consequently, the automaton $A_{P,\psi}$ does not have to “read” a letter from $P$ – this information is already captured by the automaton by construction.
Theorem 4.2. $L(A_{P,\psi})$ is nonempty iff $\psi$ is true in $P$.
Proof. We show that $L(A_{P,\psi})$ is nonempty if and only if $A_{D,\psi}$ accepts the tree $\langle T_P, V_P\rangle$ built from the IS $P$ as shown in Section 4.4. Since $A_{D,\psi}$ accepts exactly all the $D$-trees in $T$ that satisfy $\psi$, and since all the degrees of $P$ are in $D$, the latter holds if and only if $\psi$ is true in $P$. Given an accepting run of $A_{D,\psi}$ over $\langle T_P, V_P\rangle$, we construct an accepting run of $A_{P,\psi}$. Also, given an accepting run of $A_{P,\psi}$, we construct an accepting run of $A_{D,\psi}$ over $\langle T_P, V_P\rangle$.
Assume first that $A_{D,\psi}$ accepts $\langle T_P, V_P\rangle$. Thus, there exists an accepting run $\langle T_r, r\rangle$ of $A_{D,\psi}$ over $\langle T_P, V_P\rangle$. Recall that $T_r$ is labelled with $(\mathbb{N} \times At)^* \times Q_\psi$. A node $y \in T_r$ with $r(y) = (x, q)$ corresponds to a copy of $A_{D,\psi}$ that is in the state $q$ and reads the tree obtained by unwinding $P$ from $V_P(x)$. Consider the tree $\langle T_{r'}, r'\rangle$ where $T_{r'}$ is the tree obtained from $T_r$ by the function $f$ as follows. Suppose that $\delta_\psi(q, V_P(x), \vec{d}(x)) = \theta$ and there are (possibly empty) sets $S_j = \{(c_0, j, q_0), \ldots, (c_{n_j}, j, q_{n_j})\} \subseteq \{0, \ldots, d_j(x) - 1\} \times \{j\} \times Q$ such that $\bigcup_{j \in At} S_j$ satisfies $\theta$, and for $0 \le i < n_j$, we have $y \cdot (i, j) \in T_r$ and $r(y \cdot (i, j)) = (x \cdot (c_i, j), q_i)$. Then,
• $f(y \cdot (i, j)) = f(y) \cdot \left(\sum_{j' \in At,\, j' < j} n_{j'} + i\right)$
The tree $T_{r'}$ is labelled with $0^* \times S \times Q$, and for every $y \in T_r$ with $r(y) = (x, q)$, we have $r'(f(y)) = (0^{|x|}, V_P(x), q)$. We show that $\langle T_{r'}, r'\rangle$ is an accepting run of $A_{P,\psi}$. In fact, since $F = S \times F_\psi$, we only need to show that $\langle T_{r'}, r'\rangle$ is a run of $A_{P,\psi}$; this follows from the definition of $\delta$. Acceptance follows from the fact that $\langle T_r, r\rangle$ is accepting.
Assume now that $A_{P,\psi}$ accepts $a^\omega$. Thus, there exists an accepting run $\langle T_r, r\rangle$ of $A_{P,\psi}$. Recall that $T_r$ is labelled with $0^* \times S \times Q_\psi$. Consider the tree $\langle T_{r'}, r'\rangle$ labelled with $(\mathbb{N} \times At)^* \times Q_\psi$, where $T_{r'}$ and $r'$ are obtained from $T_r$ and $r$ by means of a function $g : T_r \to T_{r'}$ as follows:
• $g(\varepsilon) = \varepsilon$ and $r'(\varepsilon) = (\varepsilon, q_0)$
• if $y \cdot c \in T_r$, $r'(g(y)) \in \{x\} \times Q_\psi$, $r(y \cdot c) = (0^{|x+1|}, s, q)$ and $i, j$ are such that $V_P(x \cdot (i, j)) = s$, then $g(y \cdot c) = g(y) \cdot (i, j)$ and $r'(g(y \cdot c)) = (x \cdot (i, j), q)$
As in the previous direction, we can check that $\langle T_{r'}, r'\rangle$ is an accepting run of $A_{D,\psi}$ over $\langle T_P, V_P\rangle$. $\square$
By Theorem 4.7 in [Kupferman et al., 2000] we know that the 1-letter non-emptiness problem for weak alternating automata is decidable in linear time. This concludes the automata-theoretic model checking procedure for CTLK.
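As an added example (not code from the thesis), the following Python program builds the transitions of the state-based product automaton over $S \times Q_\psi$ for a small constructed interpreted system and decides 1-letter non-emptiness one weakness set at a time, with a least fixpoint on rejecting sets and a greatest fixpoint on accepting ones. The transition rules in `delta_psi` for atoms, K_i, EF and AG are assumed, since the construction of the tree automaton is not reproduced here; the plain iteration is not the linear-time algorithm of [Kupferman et al., 2000], and all names are hypothetical.

```python
# Constructed system: temporal successors "t", indistinguishability classes of agents 1, 2.
LABEL = {"s0": set(), "s1": {"p"}, "s2": {"p"}}
SUCC = {"t": {"s0": ["s0", "s1"], "s1": ["s2"], "s2": ["s2"]},
        1:   {"s0": ["s0"], "s1": ["s1", "s2"], "s2": ["s1", "s2"]},
        2:   {"s0": ["s0", "s1"], "s1": ["s0", "s1"], "s2": ["s2"]}}

def delta_psi(q, label, deg):
    """Assumed tree-automaton transition: formula over atoms (c, j, q')."""
    if q[0] == "p":
        return q[1] in label
    if q[0] == "K":  # every q[1]-successor must satisfy the argument q[2]
        return ("and", [("atom", (c, q[1], q[2])) for c in range(deg[q[1]])])
    nxt = [("atom", (c, "t", q)) for c in range(deg["t"])]
    here = delta_psi(q[1], label, deg)
    return ("or", [here, ("or", nxt)]) if q[0] == "EF" else ("and", [here, ("and", nxt)])

def product_delta(s, q):
    """delta((s, q), a): replace each atom (c, j, q') by (c-th j-successor of s, q')."""
    def subst(theta):
        if isinstance(theta, bool):
            return theta
        if theta[0] == "atom":
            c, j, q2 = theta[1]
            return ("atom", (SUCC[j][s][c], q2))
        return (theta[0], [subst(x) for x in theta[1]])
    return subst(delta_psi(q, LABEL[s], {j: len(SUCC[j][s]) for j in SUCC}))

def holds(theta, val):
    if isinstance(theta, bool):
        return theta
    if theta[0] == "atom":
        return val[theta[1]]
    return (all if theta[0] == "and" else any)(holds(x, val) for x in theta[1])

def strata(q):  # weakness partition S x {q}, innermost subformula first
    return (strata(q[-1]) if q[0] != "p" else []) + [q]

def nonempty(psi, s0):
    val = {}
    for q in strata(psi):
        # accepting set (AG) starts at True: greatest fixpoint; otherwise least fixpoint
        val.update({(s, q): q[0] == "AG" for s in LABEL})
        changed = True
        while changed:
            changed = False
            for s in LABEL:
                new = holds(product_delta(s, q), val)
                if new != val[(s, q)]:
                    val[(s, q)], changed = new, True
    return val[(s0, psi)]
```

Formulas are nested tuples such as `("EF", ("K", 1, ("p", "p")))`; the self-loop on `s0` shows why an EF state that never reaches its target is rejected while an AG state looping on `s2` is accepted.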
Observation 2. In the proof of Theorem 4.2, the function $f$ transforms a node as follows: $f(y \cdot (i, j)) = f(y) \cdot \left(\sum_{j' \in At,\, j' < j} n_{j'} + i\right)$
This takes the sum of all indices prior to the current index, such that we have a consistent number for all indices for all directions in $At$. Furthermore, we have that $n_j = |d_j|$, i.e., $n_j$ is the degree for the direction $j$.
As $T_{r'}$ is a word automaton, this also means that each node is labelled with $0^n$, where $n$ is the length of the corresponding node in the tree automaton $T_r$. When we have $n = |x|$, this represents the depth in the tree that the current node sits at (e.g., $x = (1, i) \cdot (0, t)$, $|x| = 2$).
4.5.1 Example – The Product Automaton $A_{P,\varphi}$
Using the approach developed so far, it can be shown that the language of the product automaton obtained from the composition of $A_{D,\varphi}$ and the tree unwinding of the IS from Figure 4.1 is non-empty.
Figure 4.3 shows a sub-tree of the full product automaton. This sub-tree shows the accepting sub-tree for the formula