Satisfiability Games for Branching-Time Logics

The satisfiability problem for branching-time temporal logics like CTL*, CTL and CTL+ has important applications in program specification and verification. Their computational complexities are known: CTL* and CTL+ are complete for doubly exponential time, CTL is complete for single exponential time. Some decision procedures for these logics are known; they use tree automata, tableaux or axiom systems. In this paper we present a uniform game-theoretic framework for the satisfiability problem of these branching-time temporal logics. We define satisfiability games for the full branching-time temporal logic CTL* using a high-level definition of winning condition that captures the essence of well-foundedness of least fixpoint unfoldings. These winning conditions form formal languages of \omega-words. We analyse which kinds of deterministic {\omega}-automata are needed in which case in order to recognise these languages. We then obtain a reduction to the problem of solving parity or B\"uchi games. The worst-case complexity of the obtained algorithms matches the known lower bounds for these logics. This approach provides a uniform, yet complexity-theoretically optimal treatment of satisfiability for branching-time temporal logics. It separates the use of temporal logic machinery from the use of automata thus preserving a syntactical relationship between the input formula and the object that represents satisfiability, i.e. a winning strategy in a parity or B\"uchi game. The games presented here work on a Fischer-Ladner closure of the input formula only. Last but not least, the games presented here come with an attempt at providing tool support for the satisfiability problem of complex branching-time logics like CTL* and CTL+.


Introduction
The full branching-time temporal logic CTL * is an important tool for the specification and verification of reactive [GP08] or agent-based systems [LSS + 05], and for program synthesis [PR88], etc. Emerson and Halpern have introduced CTL * [EH86] as a formalism which supersedes both the branching-time logic CTL [CE81] and the linear-time logic LTL [Pnu77].
Other approaches.Apart from these automata-theoretic approaches, a few different ones have been presented as well.For instance, there is Reynolds' proof system for validity [Rey01].Its completeness proof is rather intricate and relies on the presence of a rule which violates the subformula property.In essence, this rule quantifies over an arbitrary set of atomic propositions.Thus, while it is possible to check a given tree for whether ot not it is a proof for a given CTL * formula, it is not clear how this system could be used in order to find proofs for given CTL * formulas.
Reynolds has also presented a tableaux system for CTL * [Rey09,Rey11] which shares some commonalities with the automata-theoretic approach by Emerson and others as well as the game-based approach presented here.However, one of the main differences between tableaux on one side and automata and games on the other has a major effect in the case of such a complex branching-time logic: while automata-and game-based approaches typically separate the characterisation (e.g.tree automaton or parity game) from the algorithm (e.g.emptiness test or check for winning strategy), tableaux are often designed monolithically, i.e. with the characterisation and algorithm as one procedure.As a result, Reynolds' tableaux rely on some repetition test which, done in a naïve way, is hopelessly inefficient in practice.On the other hand, it is not immediately clear how a more clever and thus more efficient repetition check could be designed for these tableaux, and we predict that it would result in the introduction of Büchi determinisation.
A method that is traditionally used for predicate logics is resolution.It has also been used to devise decision procedures for temporal logics, starting with the linear-time temporal logic LTL [Fis91], followed by the simple branching-time temporal logic CTL [BF99,ZHD10].Finally, there is also a resolution-based approach to CTL * which combines linear-time temporal logic resolution with additional techniques to handle path quantification [BDF99].However, all resolution methods rely on the fact that the input formula is transformed into a specialised normal form.The known transformations are not trivial, and they only produce equi-satisfiable formulas.Thus, such methods also do not preserve a close connection between the models of the input formula and its subformulas.
The game-based framework.In this paper we present a game-based characterisation of CTL * satisfiability.In such games, two players play against each other with competing objectives: player 0 should show that the input formula is satisfiable whereas player 1 should show that it is not.Formally, the CTL * satisfiability game for some input formula is a graph of doubly exponential size on which the two players move a token along its edges.There is a winning condition in the form of a formal language of infinite plays which describes the plays that are won by player 0. This formal language turns out to be ω-regular, and it is known that arbitrary games with such a winning condition can be solved by a reduction to parity games.This yields an asymptotically optimal decision procedure.Still, the games only use subformulas of the input formula, and automata are only needed in the actual decision procedure but not in the definition of the satisfiability games as such.Thus, it moves the "delicate combinatorial constructions" to a place where they do not destroy a "clear relationship between the [. . .] input formula" and the parity game anymore.This is very useful in the setting of a user interacting with a satisfiability checker or theorem prover for CTL * , when they may want to be given a reason for why a formula is not satisfiable for instance.
The delicate combinatorial procedures, i.e.Büchi determinisation and complementation is kept at minimum by analysing carefully where it is needed.We decompose the winning condition such that the transformation of a nondeterministic Büchi into a deterministic parity automaton [Saf88,Pit06,KW08,Sch09] is only needed for some part.The other is handled directly using manually defined deterministic automata.
We also consider two important fragments of CTL * , namely the well-known CTL and the lesser known CTL + .The former has less expressive power and is computationally simpler: CTL satisfiability is complete for deterministic singly exponential time only [EH85].The latter already carries the full complexity of CTL * despite sharing its expressive power with the weaker CTL [EH85]: CTL + satisfiability is also complete for doubly exponential time [JL03].The simplicity of CTL when compared to CTL * also shows through in this game-based approach.The rules can be simplified a lot when only applied to CTL formulas, resulting in an exponential time procedure only.Even more so, the simplification gets rid of the need for automata determinisation procedures at all.Again, it is possible to construct a very small and deterministic Büchi automaton directly that can be used to check the winning conditions when simplified to CTL formulas.
The computational complexity of CTL + suggests that no major simplifications in comparison to CTL * are possible.Still, an analysis of the combinatorics imposed by CTL + formulas on the games shows that for such formulas it suffices to use determinisation for co-Büchi automata [MH84] instead of that for Büchi automata.This yields asymptotically smaller automata, is much easier to implement and also results in Büchi games rather than general parity games.
Advantages of the game-based approach.The game-theoretic framework achieves the following advantages.
-The framework uniformally treats the standard branching-time logics from the relatively simple CTL to the relatively complex CTL * .-It yields complexity-theoretic optimal results, i.e. satisfiability checking using this framework is possible in exponential time for CTL and doubly exponential time for CTL * and CTL + .-Like the automata-theoretic approaches, it separates the characterisation of satisfiability through a syntactic object (a parity game) from the test for satisfiability (the problem of solving the game).Thus, advances in the area of parity game solving carry over to satisfiability checking.-Like the tableaux-based approach, it keeps a very close relationship between the input formula and the structure of the parity game thus enabling feedback from a (counter-)model for applications in specification and verification.-Satisfiability checking procedures based on this framework are implemented in the MLSolver platform [FL10] which uses the high-performance parity game solver PG-Solver [FL09] as its algorithmic backbone -see the corresponding remark about the separation between characterisation and algorithm above.
Organisation.The rest of the paper is organised as follows.Section 2 recalls CTL * .Section 3 presents the satisfiability games.Section 4 gives the formal soundness and completeness proofs for the presented system.Section 5 describes the decision procedure, i.e. the reduction to parity games.Section 6 presents the simplifications one can employ in both the games and the reduction when dealing with formulas of CTL, respectively CTL + .Section 7 compares the games presented here with other decision procedures for branching-time logics, in particular with respect to technical similarities, pragmatic aspects, results that follow from them, etc. Section 8 concludes with some remarks on possible further work into this direction.

The Full Branching Time Logic
Let P be a countably infinite set of propositional constants.A transition system is a tuple T = (S, s * , →, λ) with (S, →) being a directed graph, s * ∈ S being a designated starting state and λ : S → 2 P is a labeling function.We assume transition systems to be total, i.e. every state has at least one successor.A path π in T is an infinite sequence of states s 0 , s 1 , . . .s.t.s i → s i+1 for all i.With π k we denote the suffix of π starting with state s k , and π(k) denotes s k in this case.
Branching-time temporal formulas in negation normal form 1 are given by the following grammar.
where p ∈ P. Formulas of the form tt, ff, p or ¬p are called literals.
Boolean constructs other than conjunction and disjunction, like → for instance, are derived as usual.Temporal operators other than the ones given here are also defined as usual: Fϕ := ttUϕ and Gϕ := ffRϕ.
The set of subformulas of a formula ϕ, written as Sub(ϕ), is defined as usual, in particular the set contains ϕ.In contrast, a formula ψ is a proper subformula of ϕ if both are different and ψ is a subformula of ϕ.The Fischer-Ladner closure of ϕ is the least set FL(ϕ) that is closed under taking subformulas, and contains, for each ψ 1 Uψ 2 or ψ 1 Rψ 2 , also the formulas X(ψ 1 Uψ 2 ) respectively X(ψ 1 Rψ 2 ).Note that |FL(ϕ)| is at most twice the number of subformulas of ϕ.Let FL R (ϕ) consist of all formulas in FL(ϕ) that are of the form ψ 1 Rψ 2 or X(ψ 1 Rψ 2 ).The notation is extended to formula sets in the usual way.The size |ϕ| of a formula ϕ is number of its subformulas.Formulas are interpreted over paths π of a transition systems T = (S, s * , →, λ).We have T , π |= tt but not T , π |= ff for any T and π; and the semantics of the other constructs is given as follows.
Two formulas ϕ and ψ are equivalent, written ϕ ≡ ψ, if for all paths π of all transition systems T : A formula ϕ is called a state formula if for all T , π, π with π(0) = π (0) we have T , π |= ϕ iff T , π |= ϕ.Hence, satisfaction of a state formula in a path only depends on the first state of the path.Note that ϕ is a state formula iff ϕ ≡ Eϕ.For state formulas we also 1 Alternatively, we could have admitted negations everywhere-not only in front of a proposition.However, for any formula of one form there is an equivalent and linearly sized formula of the other form: just apply De Morgan's laws to the binary propositional connectors, e.g.¬(ϕ1 ∧ ϕ2) ≡ (¬ϕ1) ∨ (¬ϕ2), fixpoint duality to fixpoints, e.g.¬(ϕ1Uϕ2) ≡ (¬ϕ1)R(¬ϕ2) and the property ¬Xϕ ≡ X¬ϕ.write T , s |= ϕ for s ∈ S. CTL * is the set of all branching-time formulas which are state formulas.A CTL * formula ϕ is satisfiable if there is a transition system T with an initial state s * s.t.T , s * |= ϕ.
Finally, we introduce the two most well-known fragments of CTL * , namely CTL and CTL + .In CTL, no Boolean combinations or nestings of temporal operators are allowed; they have to be immediately preceded by a path quantifier.The syntax is given by the following grammar starting with ϕ. (2.1) Formulas generated by ϕ are state formulas.
The logic CTL + lifts the syntactic restriction slightly: it allows Boolean combinations of path operators inside a path quantifier, but no nestings thereof.It is defined by the following grammar starting with ϕ.
It should be clear that CTL is a fragment of CTL + which is, in turn, a fragment of CTL * .However, only the latter inclusion is proper w.r.t.expressivity as stated in the following.
Nevertheless, there are families of properties which can be expressed in CTL + using a family of formulas that is linearly growing in size, whereas every family of CTL formulas expressing these properties must have exponential growth.This is called an exponential succinctness gap between the two logics.
Proposition 2 ([Wil99, AI01, Lan08]).There is an exponential succinctness gap between CTL + and CTL.Such a succinctness gap can cause different complexities of decision procedures for the involved logics despite equal expressive power.This is true in this case.
The exponential succinctness gap causes on exponentially more difficult satisfiability problem which is shared with that of the more expressive CTL * .

Satisfiability Games for CTL *
Here we are concerned with special 2-player zero-sum games of perfect information.They can be seen as a finite, directed graph whose node set is partitioned into sets belonging to each player.Formally, a game is a tuple G = (V, V 0 , E, v 0 , L) where (V, E) is a directed graph.We restrict our attention to total graphs, i.e. every node is assumed to have at least one successor.The set V 0 ⊆ V consists of all nodes owned by player 0. This naturally induces the set V 1 := V \ V 0 of all nodes owned by player 1.The node v 0 is the designated initial node.
Any play starts from this initial node by placing a token there.Whenever the token is on a node that belongs to player i, it is his/her turn to push it along an edge to a successor node.In the infinite, this results in a play, and the winning condition L ⊆ V ω prescribes which of these plays are won by player 0.
A strategy for player i is a function σ : V * V i → V which tells him/her how to move in any given situation in a play.Formally, a play v 0 , v 1 , . . .conforms to strategy σ for player i, if for every j with v j ∈ V i we have v j+1 = σ(v 0 . . .v j ).A winning strategy for player i is a strategy such that he/she wins any play regardless of the opponent's choices.Formally, σ is a winning strategy if for all plays π = v 0 , v 1 , . . .that conform to σ we have π ∈ L.
It is easy to relax the requirements of totality.In that case we attach two additional designated nodes win 0 and win 1 such that every node originally without successors gets an edge to either of them, each of these only has one edges to itself, and the winning condition L includes all words of the form V * win ω 0 and excludes all of the form V * win ω 1 .In the following we will therefore allow ourselves to have plays ending in states without successors which can be turned into total games using this simple transformation.In other words every dead end is lost by the player who owns the node.
3.1.The Game Rules.We present satisfiability games for branching-time state formulas in negation normal form.Let ϑ be a CTL * -formula fixed for the remainder of this section.For convenience, the games will be presented w.r.t. to this particular formula ϑ.
We need the following notions: Σ and Π are finite (possibly empty) sets of formulas with Σ being interpreted as a disjunction of formulas and Π as a conjunction.A quantifier-bound formula block is an E-or A-labelled set of formulas, i.e. either a EΠ or a AΣ.Any set under an E-bound resp.A-bound block is assumed to be read as a conjunction resp.disjunction of the formulas.We identify an empty Σ with ff and an empty Π with tt.We write Λ for a set of literals.For a set of formulas Γ let XΓ := {Xψ | ψ ∈ Γ}.
In order to ease readability we will omit as many curly brackets as possible and often use round brackets to group formulas into a set.For instance E(ϕ ∧ ψ, Π) denotes a block that is prefixed by E and which consists of the union of Π and {ϕ ∧ ψ}, implicitly assuming that this does not occur in Π already.
A configuration (for ϑ) is a non-empty set of the form where n, m ≥ 0, and Σ 1 , . . ., Σ n , Π 1 , . . ., Π m , Λ are subsets of FL(ϑ).The meaning of such a configuration is given by the state formula Note that a configuration only contains existentially quantified conjunctions and universally quantified disjunctions as blocks.There are no blocks of the form EΣ or AΠ simply because an existential path quantifier commutes with a disjunction, and so does a universal path quantifier with a conjunction.Thus, AΣ would be equivalent to {Aϕ | ϕ ∈ Σ} for instance.A configuration C is consistent if it does not contain ff and there is no p ∈ P s.t.p ∈ C and ¬p ∈ C. Note that the meaning of an inconsistent configuration is unsatisfiable, but the Figure 1: The game rules for CTL * .
converse does not hold because consistency is only concerned with the occurrence of literals.Unsatisfiability can also be given be conflicting temporal operators, e.g.E(Xp, X¬p).
We write Conf (ϑ) for the set of all consistent configurations for ϑ.Note that this is a finite set of at most doubly exponential size in |ϑ|.
Definition 5.The satisfiability game G ϑ for the formula ϑ is a game (Conf (ϑ), V 0 , E, v 0 , L) whose nodes are all possible configurations and whose edge relation is given by the game rules in Figure 1.They also determine which configurations belong to player 0, i.e. to V 0 , namely all but those to which rule (X 1 ) is applied.
Note that the rules are written such that a configuration at the bottom of the rule has, as its successors, all configurations at the top of the rule.It is only rules (Al), (AA), (AE), (E∨), (EU), and (ER) which always produce two successors, rule (X 1 ) can have an arbitrary number of successors that is at least one.It is understood that the formulas which are stated explicitly under the line do not occur in the sets Λ or Φ.The symbol stands for an arbitrary literal.
The initial configuration is v 0 = Eϑ.The winning condition L will be described in Definition 15 in the next subsection.
As for the representation, examples in this paper will use tailored rules for the abbreviations F and G instead of the rules (AU), (EU), (AR) and (ER).Take for instance a construct of the form AFψ. A rule for this can easily be derived by applying the rules for the unabbreviated version of this.
A(ψ, Σ), A(XGψ, Σ), Φ (AG) E(Gψ, Π), Φ Note that for the (EG) rule -which is based on the (ER) rule -it is never the wrong choice to select the right alternative instead of the left one.Choosing the left one would leave us with a configuration denoting E(ψ ∧ ff ∧ Π) ∧ Φ which can never be satisfied because of the constant ff.Example 6.A strategy for player 0 in the game on AFGp ∧ EGEF¬p is represented in Figure 2. Note that such strategies can be seen as infinite trees.The bold arrows in Figure 2 point towards repeating configurations in this strategy.This is meant to represent the infinite tree that is obtained by repeatedly continuing as it is done in the two finite branches.Also note that in general, strategies may not be representable in a finite way like this.The twin lines indicate hidden configurations whenever unary rules can be applied in parallel.For instance, the double line at the bottom represents the application of the rules (AF) and (EG).The thin arrows will only be used in the next subsection in order to explain the winning conditions in the satisfiability games.A strategy for player 0 induces canonically a tree model by collapsing successive configurations that are not separated by applications of the rules (X 0 ) and (X 1 ).Doing this to the strategy in Figure 2 results in the following transition system.Note that the tableau of Figure 2 gives no specification on whether p should be included in the right-most node.It is natural to only include those propositions that are required to be true.

p ¬p ¬p
Note that it does not satisfy the formula AFGp ∧ EGEF¬p.The overall goal is to characterise satisfiability in CTL * through these games.Hence, it is important to define the winning conditions such that this strategy is not a winning strategy.

The Winning
Conditions.An occurrence of a formula is called principal if it gets transformed by a rule.For example, the occurrence of ϕ ∧ ψ is principal in (E∧).A principal formula has descendants in the successor configurations.For example, both occurrences of ϕ and ψ are descendants of the principal ϕ ∧ ψ in rule (E∧).Note that in the modal rules (X 0 ) and (X 1 ), every formula apart from those in the literal part is principal.Literals in the literal part can never be principal, but literals inside of an A-or E-block are principal in rules (Al) and (El).Finally, any non-principal occurrence of a formula in a configuration may have a copy in one of the successor configurations.The copy is the same formula since it has not been transformed.For instance, any formula in Σ in rule (Al) has a copy in the successor written on the right but does not have a copy in the successor on the left.The gap between the existence of strategies for player 0 and satisfiability is caused by unfulfilled eventualities: an eventuality is a formula of the form U or its abbreviation F. Note how the rules handle these by unfolding using the CTL * equivalence Q(ψ 1 Uψ 2 ) ≡ Q(ψ 2 ∨ (ψ 1 ∧ X(ψ 1 Uψ 2 ))) for any Q ∈ {E, A}.The rules for the Boolean operators and for the X-modalities can lead to a configuration in which ψ 1 Uψ 2 occurs again inside of a Q-block.Note that inside an E-block this is only possible if player 0 decides not to choose the successor containing ψ 2 .Inside of an A-block the situation is slightly different; player 0 has no choices there.Still, it is important to note that a U-formula should not be unfolded infinitely often because ψ 1 Uψ 2 asserts that eventually ψ 2 will be true, and unfolding postpones this by one state in a possible model.Thus, the winning conditions have to ensure that player 0 cannot let an eventuality formula get unfolded infinitely many times without its right argument being satisfied infinitely many times as well.
In order to track the infinite behaviour of eventualities, one needs to follow single formulas through the branches that get transformed by a rule from time to time.Note that a formula can occur inside of several blocks.Thus it is important to keep track of the block structure as well.
In the following we develop the technical definitions that are necessary in order to capture such unfulfilled eventualities and present some of their properties.Definition 7. A quantifier-bound block AΣ or EΠ is called principal as well if it contains a principal formula.A quantifier-bound block might have descendants in the successor(s).For example, A(ϕ ∧ ψ, Σ) has two descendants A(ϕ, Σ) and A(ψ, Σ) in an application of (A∧).
Definition 8. Let C 1 be a configuration to which a rule r is applicable and let C 2 be one of its successors.Furthermore, let If the rule instance can be inferred from the context we may also simply write If the rule instance can be inferred from the context we may also simply write The only rules that possibly induce a spawning block connection are (EE), (EA), (AA) and (AE).For example Definition 9. Let C 0 , C 1 , . . .be an infinite play of a satisfiability game for some formula ϑ.A trace Ξ in this play is an infinite sequence We say that a trace is finitely spawning if it contains only finitely many spawning block connections.
Lemma 10.Every infinite play contains infinitely many applications of rules (X 0 ) or (X 1 ).
Proof.First, we define the duration of a formula ψ as the syntactic height when X-subformulas are treated as atoms.More formally: A well-ordering < on the duration of formulas is induced by the well-ordering on natural numbers.Let F be {dur(ϕ) | ϕ ∈ FL(ϑ)}, the range of these durations, and let B be the range of all block sizes, that is {0, . . ., |FL(ϑ)|}.Both sets are finite.
Second, we define the duration of a block Q∆ as a map dur(Q∆) : F → B that returns the number of subformulas of a certain duration.More formally: A well-ordering ≺ on the duration of blocks is given as follows (as the domain of the duration is finite and its range is well-founded).
Third, we define the duration of a configuration C as a map dur(C) : B F → N that returns the number of blocks of a certain duration.More formally: A well-ordering ¡ on the duration of configurations is given as follows.
Indeed, ¡ is well-founded as the domain of durations, B F , is finite.
The claim now follows from the fact that every rule application except for (X 0 ) and (X 1 ) strictly decreases the duration of the configuration.
An E-trace is called good iff it has no U-thread; similarly, an A-trace is called good iff it has an R-thread.In other words, an E-trace is called bad if it contains an U-thread, and an A-trace is called bad if it contains no R-thread.
Lemma 12. Every trace in an infinite play is either an A-trace or an E-trace, and is only finitely spawning.
. .be the ascending sequence of numbers in this infinite set and let φ i j denote the formula in the singleton set ∆ i j +1 .Note that for all j it is the case that φ i j+1 is a proper subformula of φ i j .Hence the set cannot be infinite.Now note that every finitely spawning trace eventually must be either an A-or an E-trace because the change of the quantifier on the current block in a trace is only possible in a moment that the trace is spawning.
Lemma 13.Every thread in a trace of an infinite play is either a U-or an R-thread.
Proof.Let t = ψ 0 , ψ 1 , . . .be a thread.Assume that t is neither a U-nor an R-thread, hence there is a position i * s.t.ψ i is neither of the form ψ Uψ nor of the form ψ Rψ for all i ≥ i * , hence ψ i+1 is a subformula of ψ i for all i ≥ i * .By Lemma 10 it follows that ψ i+1 = ψ i for infinitely many i which cannot be the case, hence t has to be a U-or an R-thread.Finally, assume that t is both a U-and an R-thread, i.e. there are positions i 0 < i 1 < i 2 s.t.ψ i 0 = ψ i 2 = ψ Rψ and ψ i 1 = ϕ Uϕ .Hence ψ i 1 is a proper subformula of ψ i 0 and ψ i 2 is a proper subformula of ψ i 1 , thus ψ i 0 would be a proper subformula of itself.Lemma 14.For every U-and every R-thread ψ 0 , ψ 1 , . . . in a trace of an infinite play there is an i ∈ N such that ψ i is a U-, or an R-formula resp., and ψ j = ψ i or ψ j = Xψ i for all j ≥ i.
Proof.For all i ∈ N, it holds that ψ i+1 is a subformula ψ i , or ψ i+1 = Xψ i provided that ψ i is a U-or an R-formula.The map which removes the frontal X from a formula converts the thread into a chain which is weakly decreasing with respect to the subformula order.Because this order is well-founded, the chain is eventually constant, say from n onwards.By Lemma 10, either (X 0 ) or (X 1 ) has been applied at a position i − 1 for some i > n.Hence, ψ i is either a U-or an R-formula, and i meets the claimed property.
We now have obtained all the necessary technical material that is needed to define the winning conditions in the satisfiability game G ϑ .
Definition 15.The winning condition L of G ϑ = (Conf (ϑ), V 0 , E, v 0 , L) consists of every finite play which ends in a consistent set of literals, and of every infinite play which does not contain a bad trace.
In other words, player 0's objective is to create a play in which every U-formula inside of an E-trace gets fulfilled eventually.She can control this using rule (EU).Inside of an A-trace Figure 3: A winning strategy for player 0 in the satisfiability game on AFGp ∧ EGEF¬p.
She must hope that not every formula that gets unfolded infinitely often is of the U-type.
Note that sets inside of an E-block are conjunctions, hence, one unfulfilled formula makes the entire block false.Inside of an A-block the sets are disjunctions though, hence, in order to make this block true it suffices to satisfy one of the formula therein.An R-formula that gets unfolded infinitely often is-unlike an U-formula-indeed satisfied.
Example 16.Consider the strategy in Figure 2 again.It is not a winning strategy because its left branch contains a bad A-trace, i.e. the eventuality FGp is postponed for an infinite number of steps, which is the only thread contained in the trace.Since this thread is an U-thread, there is no R-thread contained in the trace.
Figure 3 shows a winning strategy for player 0 in the game on this formula AFGp ∧ EGEF¬p.Infinite threads are being depicted using thin arrows.It is not hard to see that every A-trace contains a R-thread and that every E-trace only contains R-threads.Again, this strategy induces a canonic model, but this time a satisfying one because it is in fact a winning strategy: Note that in this case, all paths starting in the leftmost state will eventually only visit states that satisfy p.Furthermore, there is a path-namely the loop on this state-on which every state is the beginning of a path-namely the one moving over to the right-on which ¬p holds at some point.
Winning strategies, as opposed to ordinary strategies, exactly characterise satisfiability of CTL * -formulas in the following sense.
Theorem 17.For all ϑ ∈ CTL * : ϑ is satisfiable iff player 0 has a winning strategy for the satisfiability game G ϑ .
The proof is given in the following section.

Correctness Proofs
This section contains the proof of Theorem 17; both implications -soundness and completeness -are considered separately.The completeness proof is technically tedious but does not use any heavy machinery once the right invariants are found.Given a model for ϑ we use these invariants to construct a winning strategy for player 0 in a certain way.Soundness can be shown by collapsing a winning strategy into a tree-like transition system and verifying that it is indeed a model of ϑ.

Soundness.
Theorem 18. Suppose that player 0 has a winning strategy for the satisfiability game G ϑ .Then ϑ is satisfiable.
Proof.We treat the winning strategy, say σ, as a tree T with nodes V and a root r.The nodes are labelled with configurations corresponding to the strategy.Thus, labels which belong to player 0 have at most one successor.Only a node which is the objective of the rule (X 1 ) can have more successors.
Let S be those nodes which are leaves or on which the rules (X 0 ) or (X 1 ) are applied.The tree defines a transition system as described just before of Subsection 3.2.Formally, for any node s let s be the oldest descendants -including s-of s in S. Since player 0 owns all configurations besides those which rule (X 1 ) can handle, Lemma 10 ensures that this assignment is total.The edge relation → ⊆ S × S is defined as The induced transition system is T ϑ = (S, r, →, ) where (s) = C ∩ P for any s ∈ S labelled with a configuration C. Note that T ϑ is total.In the following, we omit the transition system T ϑ in front of the symbol |=.Moreover, we identify a node with its annotated configuration.
For the sake of a contradiction, assume that T ϑ , r |= Eϑ.We will show that the winning strategy σ admits an infinite play which contains a bad trace.For this purpose, we simultaneously construct a maximal play C 0 , C 1 , . . .which conforms to σ, a maximal connected sequence of blocks Q 0 Γ 0 , Q 1 Γ 1 , . . . in this play, and a partial sequence π i of paths in T ϑ such that the following properties hold for all indices i and for all formulas ϕ and ψ.
the rule (EE) or (EA) is applied to C i with EΓ i and ϕ as principals, and The construction is straight forward.We detail the proof for some cases, and thereto use formulas and notations as shown in Figure 1.As for the rule (EA), if If the first case does not apply then the trace is continued with EΠ.
Otherwise, Q i+1 Γ i+1 = Aϕ holds and π i+1 is an arbitrary path in T ϑ which starts at C i and which fulfills π i+1 |= ϕ.As for the rule (AR), we have π i |= ϕRψ ∨ Σ.Using that π i = π i+1 and an unrolling of the R-operator, π i+1 |= ψ or π i+1 |= ϕ ∨ X(ϕRψ) holds.In the first case the trace is continued with A(ψ, Σ), and with A(ϕ, X(ϕRψ), Σ) otherwise.As for case of (X 0 ) and (X 1 ), the constraints determine the successor uniquely.Back to the main proof: if the play is finite the last configuration consists of literals only.On the other hand, the last block of the sequence Ξ reaches this leaf.Therefore, the play must be infinite.In particular, the sequence Ξ is a trace, and by Lemma 12 it is either an E-or an A-trace.Trace Ξ is an E-trace: Let n be minimal such that (Q i Γ i , Q i+1 Γ i+1 ) is not spawning for all i ≥ n.Therefore, all these quantifiers Q i s are E, and the set Γ n is a singleton.By π we denote the subsequence of the play (C i ) i≥n which consists of nodes in S only.For a node C in the play, we write π C to denote the suffix of π starting at C. The trace contains a thread ξ 0 , ξ 1 , . . .such that (ξ-1) π C i |= ξ i , and (ξ-2) if ξ i = ϕRψ, the rule (ER) is applied to C i with EΓ i and ξ i as principals, and π C i |= ψ, then ξ i+1 = ψ.for all i ≥ n and all formulas ϕ and ψ.Indeed, the thread can be constructed step by step.Obviously, there is a sequence of connected formulas ξ 0 , . . .ξ n within the trace because the set Γ n is a singleton.The rules (E∨), (E∧), (EU) and (ER) clearly preserve the properties (ξ-1) and (ξ-2).As for the rule (El), the formula ξ i cannot be the principal literal because π C i is a countermodel of ξ i but the literal survives until the next application of the model rules which defines the first state of π C i .If the rule (EE) or (EA) is applied, the property (Ξ-2) keeps ξ i from being the principal formula because the considered suffix is the trace is not spawning.
By Lemma 13, ξ is either a U-or an R-thread.In the first case, the thread ξ attests that the trace is bad although player 0 wins the play.Otherwise, suppose that ξ is an R-thread.By Lemma 14, there are m ≥ n and formulas ϕ and ψ such that ξ m = ϕRψ, and ξ i = ϕRψ or ξ i = X(ϕRψ) for all i ≥ m, Along the play (C i ) i≥m , between any two consecutive applications of the rules (X 0 ) or (X 1 ), the rule (ER) must have been applied with ξ i = ϕRψ and Q i Γ i as principals for some i ≥ m.The property (ξ-2) ensures that π C i |= ψ.Since this is true for any such two consecutive applications, π C i |= ψ for all i ≥ m.Therefore, π Cm models ϕRψ.But this situation contradicts the property (ξ-1) for i being one the infinity many positions on which the rule (ER) is applied to Q i Γ i and ξ i .Trace Ξ is an A-trace: It suffices to show that Ξ is a bad trace.Suppose for the sake of a contradiction that Ξ contains an R-thread (ξ i ) i∈N .Let n ∈ N and ϕ, ψ ∈ FL(ϑ) such that Q i = A, ξ n = ϕRψ, and ξ i = ϕRψ or ξ i = X(ϕRψ) for all i ≥ n, cf.Lemma 14.Along the play (C i ) i≥n , between any two consecutive applications of the rules (X 0 ) or (X 1 ), the rule (AR) must have been applied such that ξ i and Q i Γ i are principal for some i ∈ N. In this situation, the formula ξ i is ϕRψ.Because ξ i+1 is either ϕRψ or X(ϕRψ), the following element, Q i+1 Γ i+1 , of the trace is A(ϕ, X(ϕRψ), Σ) for some Σ ⊆ FL(ϑ).Hence, thanks to (Ξ-6) we have π i |= ψ.Because the block quantifier remains A, the properties (Ξ-4) and (Ξ-5) show that π j n |= ψ for all j ∈ N. Therefore, π n |= ϕRψ holds.
As the formula ϕRψ is ξ n , the path π n satisfies Γ n .However, this situation contradicts the property (Ξ-3).Thus, the considered play contains Ξ as a bad trace.
4.2.Completeness.To show completeness, we need a witness for satisfiable E-formulas.
For this purpose, let T = (S, s * , →, λ) be a transition system, s ∈ S be a state and ψ be a formula such that s |= Eψ.We may assume a well-ordering ¡ T on the set of paths in T [Zer04].The minimal s-rooted path that satisfies ψ is denoted by ξ T (s, ψ) and fulfills the following properties: ξ T (s, ψ)(0) = s, ξ T (s, ψ) |= ψ, and there is no path π with π¡ T ξ T (s, ψ), π(0) = s and π |= ψ.
A T -labelled (winning) strategy is a (winning) strategy with every configuration being labelled with a state such that the root is labelled with s * , and for every s-labelled configuration and every s -labelled successor configuration it holds that s → s if the corresponding rule application is (X 1 ) or (X 0 ) and s = s otherwise.
Theorem 19.Let ϑ ∈ CTL * be satisfiable.Then player 0 has a winning strategy for the satisfiability game G ϑ .
Proof.Let ϑ be a formula, T = (S, s * , →, λ) be a transition system, and s * ∈ S be a state s.t.T , s * |= Eϑ.In the following we may omit the system T in front of the symbol |=.
We inductively construct an S-labelled strategy for player 0 as follows.Starting with the labelled configuration s * : Eϑ, we apply the rules in an arbitrary but eligible ordering systematically by preserving s |= Φ for every state-labelled configuration s : Φ and by preferring small formulas.In particular, the strategy is defined the following properties.(S-1) If the rule application to follow Φ is (Al), (AE) or (AA), with A(ψ, Σ) being the principal block in Φ and ψ being the principal (state) formula, and s |= ψ, then the successor configuration of Φ follows ψ and discards the original A-block.(S-2) If the rule application to follow Φ is (EU), with E(ϕUψ, Π) being the principal block in Φ and ϕUψ being the principal formula, then the successor configuration of Φ follows ψ iff ξ T (s, (ϕUψ) ∧ Π) |= ψ. (S-3) If the rule application to follow Φ is (E∨), with E(ψ 1 ∨ ψ 2 , Π) being the principal block in Φ and ψ 1 ∨ ψ 2 being the principal formula, and ξ T (s, (ψ 1 ∨ ψ 2 ) ∧ Π) |= ψ i for some i ∈ {1, 2}, then the successor configuration of Φ follows ψ i .(S-4) If the rule application to follow Φ is (X 0 ) and its successor configuration is labelled with a state s such that s → s and successor configuration Φ then player 0 labels this successor with the state s .(S-5) If player 1 applies the rule (X 1 ) to a configuration Φ which is labelled with a state s and obtains successor configuration EΠ, Φ then player 0 labels this successor with the state ξ T (s, XΠ)(1).Such a strategy exists because the property s : Φ can be maintained.Note that every finite play ends in a node labelled with consistent literals only.Clearly, player 0 wins such a play.
For the sake of contradiction, assume that player 0 does not win if she follows the strategy.Hence, there is an infinite labelled play s 0 : Φ 0 , s 1 : Φ 1 , . . .(with s 0 = s * and Φ 0 = Eϑ) containing a bad trace B 0 , B 1 , . ... We define a lift operation i that selects the next modal rule application as follows.
i := min{j ≥ i | Φ j is the bottom of an application of (X 1 ) or (X 0 )} Due to Lemma 10, i is well-defined for every i.Additionally, we define the modal distance δ(i, k) := |{j | i ≤ j < k and j = j}| as well that counts the number of modal rule application between i and k.Every position i induces a generic path π i by π i : j → s min{k|k≥i and δ(i,k)=j} and note that the path π i indeed is well-defined for every i.
By Lemma 12, the bad trace is either an A-or an E-trace that is eventually not spawning, i.e. there is a position n such that B i ≡ EΠ i or B i ≡ AΣ i for all i ≥ n with (B i , B i+1 ) being not spawning.Let n be the least of such kind.
Next, the bad trace gives rise to a U-thread in it that is satisfied by the transition system.For this purpose we construct a U-thread φ 0 , φ 1 , . . . in B 0 , B 1 , . . .such that all i ≥ n satisfy the following properties.
(φ-1) π i |= φ i .(φ-2) For all formulas ϕ and ψ we have: If The construction of the thread depends on the kind of the trace.Trace B 0 , B 1 , . . . is an E-trace: The paths π i and ξ T (s i , Π i ) coincide for all i ≥ n for two reasons.First, whenever a rules besides (X 0 ) and (X 1 ) justifies the move from the configuration Φ i to Φ i+1 for i ≥ n, then ξ T (s i , Π i ) and ξ T (s i+1 , Π i+1 ) are equal.Second, this E-trace overcomes the application of the rules (X 0 ) and (X 1 ).Thus, the minimal paths ξ T define the labels s n , s n+1 , . . .and, in this way, the paths π.
Since n is the least index s.t.(B i , B i+1 ) is not spawning for all i ≥ n, the set Π n has to be a singleton.Define φ n to be the single formula in Π n .Because s n |= EΠ n , the path ξ T (s n , Π n ) satisfies φ n .
As the trace is assumed to be bad, it contains a U-thread, say φ 0 , φ 1 , . ... The construction of the strategy ensures that ξ T (s i , Π i ) |= φ i for all i ≥ n.Hence, π i |= φ i .Additionally, the constraint (S-2) yields the property (φ-2).Trace B 0 , B 1 , . . . is an A-trace: Since n is the least index such that (B i , B i+1 ) is not spawning i ≥ n, the set Σ n has to be a singleton.Define φ n to be the single formula in Σ n .For i ≥ n the formula φ i+1 bases on φ i as follows.If i = i, that is, one of the modal rules (X 0 ) and (X 1 ) is to be applied next, then set φ i+1 = φ where φ i = X(φ ) for some formula φ .Otherwise, i = i holds.If B i or φ i is not principal in the rule instance then set φ i+1 := φ i .Because (B i , B i+1 ) is not spawning, φ i+1 belongs to B i+1 .Otherwise, B i and φ i are principal.The formula φ is neither a literal nor an E-nor an A-formula, because otherwise the property (S-1) together with π i |= φ i would entail the end of this sequence of blocks or would show that the connection (B i , B i+1 ) is spawning.Thus, the applied rule is either (AR), (AU), (A∧) or (A∨).If φ i = ψ 1 Rψ 2 let φ i+1 be one of the successors ψ of φ i contained in B i+1 with π i |= ψ and note that there is at least one.If φ i = ϕUψ, then set φ i+1 := ψ iff π i |= ψ and, otherwise, set φ i+1 to the other successor, that is ϕ or X(ϕUψ), of φ i in B i+1 .Finally, if Putting suitable formulas in front of the sequence φ n , φ n+1 , . . .entails a thread in the trace B 0 , B 1 , . . ., B n , B n+1 , . ... By assumption the trace is bad and by Lemma 13, the thread is a U-thread.
Since φ 0 , φ 1 , . . . is a U-thread, there are formulas ϕ 0 and ϕ 1 such that φ i = ϕ 0 Uϕ 1 for infinitely many indices i.The set is infinite by Lemma 10 and 14.Let i 0 < i 1 < . . .be the ascending enumeration of A. Between every two immediately consecutive elements either the rule (X 1 ) or (X 0 ) is applied exactly once.Therefore, π 1 i j = π i j+1 for all indices j ≥ 0. By property (φ-1) we have π i 0 |= ϕ 1 Uϕ 2 .Hence, there is a k ≥ 0 such that π k i 0 |= ϕ 2 .In particular, π i k |= ϕ 2 and so π i k |= ϕ 1 Uϕ 2 .For some between i k and i k+1 the formula φ must be turned from ϕ 1 Uϕ 2 into X(ϕ 1 Uϕ 2 ) to finally pass the application of (X 0 ) and (X 1 ) at position i k+1 − 1.However, the property (φ-2) shows that φ is just ϕ 2 .5. A Decision Procedure for CTL * 5.1.Using Deterministic Automata to Check the Winning Condition.Plays can be represented as infinite words over a certain alphabet, and we will show that the language of plays that are won by player 0 is ω-regular, i.e. recognisable by a nondeterministic Büchi automaton for instance.
The goal is then to replace the global condition on plays of having only good traces by an annotation of the game configurations with automaton states and a global condition on these states.For instance, if the resulting automaton was of Büchi type, then the game would become a Büchi game: in order to solve the satisfiability game it suffices to check whether player 0 has a winning strategy in the game with the annotations in the sense that she can enforce plays which are accepted by the Büchi automaton for the annotations.Now note that the automaton recognising such plays needs to be deterministic: suppose there are two plays uv and uw with a common prefix u s.t.both are accepted by an automaton A. If A is nondeterministic then it may have two different accepting runs on uv and uw that differ on the common prefix u already.This could be resolved by allowing two annotations on the nodes of the common prefix, but an infinite tree can have infinitely many branches and it is not clear how to bound the number of needed annotations.However, if A is deterministic then it has a unique run on the common prefix, and an annotation with a single state of a deterministic automaton suffices.
It is known that every ω-regular language can be recognised by a deterministic Muller [McN66], Rabin [Saf88] or parity automaton [Pit06].A simple consequence of the last result is the fact that every game with an ω-regular winning condition can be reduced to a parity game.Thus, we could simply show that the winning conditions of the satisfiability games of Section 3 are ω-regular and appeal to this result as well as known algorithms for solving parity games in order to have a decision procedure for CTL * .While this does not seem avoidable entirely, it turns out that the application of this technique, which is not very efficient in practice, can be reduced to a minimum.The rest of this section is devoted to the analysis of the satisfiability games' winning conditions as a formal and ω-regular language with a particular focus on the question of determinisability.
In our proposed reduction to parity games we will use annotations with states from two different deterministic automata: one checks that all E-traces are good, the other one checks that all A-traces are good.The reason for this division is the fact that the former check is much simpler than the latter.It is possible to directly define a deterministic automaton that checks for absence of a bad E-trace.It is not clear at all though, how to directly define a deterministic automaton that checks for absence of a bad A-trace.We therefore use nondeterministic automata and known constructions for complementing and determinising them.The next part recalls the automata theory that is necessary for this, and in particular shows how these two automata used in the annotations can be merged into one.5.2.Büchi, co-Büchi and Parity Automata on Infinite Words.We will particularly need the models of Büchi, co-Büchi and parity automata [GTW02].
Definition 20.A nondeterministic parity automaton (NPA) is a tuple A = (Q, Σ, q 0 , δ, Ω) with Q being a finite set of states, Σ a finite alphabet, q 0 ∈ Q an initial state, δ ⊆ Q × Σ × Q the transition relation and Ω : Q → N a priority function.A run of A on a a 0 a 1 . . .∈ Σ ω is an infinite sequence q 0 , q 1 , . . .s.t.(q i , a i , q i+1 ) ∈ δ for all i ∈ N. It is accepting if max{Ω(q) | q = q i for infinitely many i ∈ N} is even, i.e. if the maximal priority of a state that is seen infinitely often in this run is even.The language of the NPA A is L(A) = {w | there is an accepting run of A on w}.The index of an NPA A is the number of different priorities occurring in it, i.e. |Ω[Q]|.The size of A, written as |A|, is the number of its states.
Nondeterministic Büchi and co-Büchi automata (NBA / NcoBA) are special cases of NPA.An NBA is an NPA as above with Ω : Q → {1, 2}, and an NcoBA is an NPA with Ω : Q → {0, 1}.Hence, an accepting run of an NBA has infinitely many occurrences of a state with priority 2, and an accepting run of an NcoBA has almost only occurrences of states with priority 0. Traditionally, in an NBA the states with priority 2 are called the final set, and one defines an NBA as (Q, Σ, q 0 , δ, F ) where, in our terminology, F := {q ∈ Q | Ω(q) = 2}.An NcoBA can equally defined with an acceptance set F rather than a priority function Ω, but then F := {q ∈ Q | Ω(q) = 0}.
An NPA / NBA / NcoBA with transition relation δ is deterministic (DPA / DBA / DcoBA) if |{q | (q, a, q ) ∈ δ}| = 1 for all q ∈ Q and a ∈ Σ.In this case we may view δ as function from Q × Σ into Q.
Determinism and the duality between Büchi and co-Büchi condition as well as the self-duality of the parity acceptance condition makes it easy to complement a DcoBA to a DBA as well as a DPA to a DPA again.The following is a standard and straight-forward result [GTW02, Section 1.2] in the theory of ω-word automata.
In order to be able to turn presence of a bad trace-which may be easy to recognise using a nondeterministic automaton-into absence of such which is required by the winning condition, we need complementation of nondeterministic automata as well.Luckily, an NcoBA can be determinised into a DcoBA using the Miyano-Hayashi construction [MH84] which can easily be complemented into a DBA according to Lemma 21.

Theorem 22 ([MH84]
).For every NcoBA A with n states there is a DBA A with at most 3 n states s.t.L(A) = L(A).
NBA cannot be determinised into DBA, but into automata with stronger acceptance conditions [Saf88, Pit06, KW08, Sch09].We are particularly interested in constructions that yield parity automata.

Theorem 23 ([Pit06]
).For every NBA with n states there is an equivalent DPA with at most n 2n+2 states and index at most 2n − 1.
For the decision procedure presented below we also need a construction that intersects a deterministic Büchi and a deterministic parity automaton.This will allow us to consider absence of bad E-and bad A-traces separately.
Lemma 24.For every DBA A with n states and DPA B with m states and index k there is a DPA C with at most n • m • k many states and index at most k + 1 s.t.L(C) = L(A) ∩ L(B).Σ, (q 0 1 , q 0 2 , Ω(q 0 2 )), δ, Ω ) where δ (q 1 , q 2 , p), a := δ 1 (q 1 , a), δ 2 (q 2 , a), Ω(δ 2 (q 2 , a))) , if q 1 ∈ F δ 1 (q 1 , a), δ 2 (q 2 , a), max{p, Ω(δ 2 (q 2 , a))} , if q 1 ∈ F Note that C simulates two runs of A and B in parallel on a word w ∈ Σ ω , and additionally records in its third component the maximal priority that has been seen in B's run since the last visit of a final state in the run of A if it exists.Thus, in order to determine whether or not both simulated runs are accepting it suffices to examine the priorities at those positions at which the A-component is visiting a final state.In all other cases we choose a low odd priority.Ω (q 1 , q 2 , p) F Then the highest priority occurring infinitely often in a run of C is even iff so is the one in the simulated run of B and A visits infinitely many final states at the same time.
It should be clear that the number of states in C is bounded by n • m • k, and that it uses at most one priority more than B.
To define an automaton which checks the absence of bad A-traces, we need the intersection of Büchi with co-Büchi automata as well as alphabet projections of Büchi automata.
Lemma 25.For every DBA A with n states and every DcoBA B with m states there is an , where δ realises the synchronous product of δ 1 and δ 2 on Q 1 × Q 2 × {0} and on Q 1 × F 2 × {1}.In addition, for every transition from (q 1 , q 2 , 0) to (q 1 , q 2 , 0) there is also one with the same alphabet symbol to (q 1 , q 2 , 1) if q 2 ∈ F 2 .Note that this creates nondeterminism.
Lemma 26.Let C be an NBA over the alphabet Σ A × Σ B .There is a NBA A over the alphabet Σ A such that |A| ≤ |C| and for all words a 0 a 1 . . .
The automaton C is almost A. Let δ A be the transition relation of A. Clearly, the set {(q, a, q ) | (q, (a, b), q ) ∈ δ A for some b ∈ Σ B } is adequate as a transition relation for C.

An Alphabet of Rule Applications.
Clearly, an infinite play in the game for some formula ϑ can be regarded as an ω-word over the alphabet of all possible configurations.This alphabet would have doubly exponential size in the size of the input formula.It is possible to achieve the goals stated above with a more concise alphabet.Definition 27.A rule application in a play for ϑ is a pair of a configuration and one of its successors.Note that such a pair is entirely determined by the principal block and the principal formula of the configuration and a number specifying the successor.This enables a smaller symbolic encoding.For instance, the transition from the configuration A(Eϕ, Σ), Φ to the successor AΣ, Φ in rule (AE) can be represented by the quadruple (A, {Eϕ} ∪ Σ, Eϕ, 1).The other possible successor would have index 0 instead.There are three exceptions to this: applications of rules (Ett) and (X 0 ) can be represented using a constant name, and the successor in rule (X 1 ) is entirely determined by one of the E-blocks in the configuration.Hence, let |ϑ|) .An infinite play π = C 0 , C 1 , . . .then induces a word π = r 0 , r 1 , . . .∈ (Σ pl ϑ ) ω in a straight-forward way: r i is the symbolic representation of the configuration/successor pair (C i , C i+1 ).We will not formally distinguish between an infinite play π and its induced ω-word π over Σ pl ϑ .For every r ∈ Σ pl ϑ let con E r (•) be a partial function from E-blocks to E-blocks which satisfies the connection relation Y and avoids spawning connections.Thus, the function is undefined for r = Ett and the argument E∅, only.For all other parameters and arguments the function is uniquely defined.5.4.DPA for the Absence of Bad A-Traces.An A-trace-marked play is a (symbolic representation of a) play together with an A-trace therein.It can be represented as an infinite word over the extended alphabet ϑ) .The second and the last components of the alphabet simply name a block on the marked trace.Note that these components are half a step behind the first component because the latter links between two consecutive configuration.Remember that an A-trace can proceed through finitely many E-blocks before it gets trapped in A-blocks only.We define a co-Büchi automaton C A ϑ which recognises exactly those A-trace-marked plays which contain an R-thread in the marked trace.It is . We describe the transition relation δ intuitively.A formal definition can easily be derived from this.Starting in the waiting state W it eventually guesses a formula of the form ψ 1 Rψ 2 which occurs in the marked A-trace.It then tracks this formula in its state for as long as it is unfolded with rule (AR) and remains in the marked trace.If it leaves the marked trace in the sense that the trace proceeds through a block which does not contain this subformula anymore, or an E-block occurs as part of the marked trace then C A ϑ simply stops.The following proposition is easily seen to be true using Definition 9 and Lemma 14.
Lemma 28.Let w ∈ (Σ tmp ϑ ) ω be an A-trace-marked play of a game for ϑ.Then w ∈ L(C A ϑ ) iff the marked trace of w contains an R-thread.On the way to construct an automaton which recognises plays without bad A-traces we need to eliminate the restriction on w in the previous lemma.In other words, an automaton is needed which decides whether or not the annotated sequence of blocks is an A-trace.
Lemma 29.There is a DcoBA B A ϑ over Σ tmp ϑ of size O(2 |ϑ| ) such that the equivalence i∈N is an A-trace in the play (r i ) i∈N holds for all infinite plays r 0 , r 1 , . . .∈ Σ pl ϑ and all sequences of blocks (Q i ∆ i ) i∈N .Proof.Take as B A ϑ the deterministic co-Büchi automaton with states initial state (E, {ϑ}) and final states {A} × 2 FL(ϑ) .The automaton verifies that the last two components of the input indeed form an A-trace.For this purpose, the state bridges between two successive blocks in the input sequence.Due to the co-Büchi acceptance condition, the input is accepted if the block quantifier eventually remains A. However, these properties define an A-trace.
Formally, given a state (Q 0 , ∆ 0 ) and a letter (r, and the rule instance r transfers the block Q 1 ∆ 1 into the block Q 2 ∆ 2 .Note that the sequence of blocks might end if the rules (Ett) and (X 1 ) are applied.In such a situation, the automaton gets stuck and rejects thereby.
Figure 4 explains how the previously defined automata C A ϑ and B A ϑ can then be transformed into a deterministic parity automaton, called A A ϑ , that checks for presence of an R-thread in all A-traces of a given play.It is obtained using complementation twice, intersection and the projection of the alphabet Σ tmp ϑ to Σ pl ϑ .The four automata shown at the top are defined over the extended alphabet of plays with marked traces, whereas the others work on the alphabet Σ pl ϑ of symbolic rule applications only.Almost all operations keep the automata small besides the determinisation.All in all, we obtain the following property.
5.5.DBA for the Absence of Bad E-Traces.Remember that a bad E-trace is one that contains a U-thread.It is equally possible to construct an NcoBA which checks in a play for such a trace and then use complementation and determinisation constructions as it is done for A-traces.However, it is also possible to define a DBA A E ϑ directly which accepts a play iff it does not contain a bad E-trace.This requires a bit more insight into the combinatorics of plays but leads to smaller automata in the end.
Let ϕ 0 Uψ 0 , . . ., ϕ k−1 Uψ k−1 be an enumeration of all U-formulas in ϑ.The DBA B ϑ consists of the disjoint union of k components C 0 , . . ., C k−1 with C i = {i} ∪ {i} × 2 FL(ϑ) .In the i-th component, state i is used to wait for either of two occurrences: the i-th U-formula gets unfolded or one of the rules for X-formulas is being seen.In the first case the automaton starts to follow the thread of this particular U-formula.In the second case, the automaton starts to look for the next U-formula in line to check whether it forms a thread.Hence, the transitions in state i are the following.
In order to follow a thread of the i-th U-formula, the automaton uses the states of the form {i} × 2 FL(ϑ) in which it can store the block that the current formula on the thread occurs in.It then only needs to compare this block to the principal block of the next rule application to decide whether or not this block has been transformed.If it has been then the automaton changes its state accordingly, otherwise it remains in the same state because the next rule application has left that block unchanged.Once a rule application terminates the possible thread of the i-th U-formula, the automaton starts observing the next U-formula in line.
There are two possibilities for this: either the next rule application fulfils the U-formula, or the E-trace simply ends, for instance through an application of rule (X 1 ).
where con E r is defined at the end of Subsection 5.3.The function δ is always defined as the second component of the state contains ϕ i Uψ i or X(ϕ i Uψ i ) whenever the first component is i.
Note that there is no transition for the case of the next rule being (X 0 ) because it only applies when there is no E-block which is impossible if the automaton is following an U-formula inside an E-trace.
It is helpful to depict the transition structure graphically.
Note that every occurrence of rule (X 0 ) or (X 1 ) sends this automaton from any state i into the next component modulo k.Furthermore, when unfolding the i-th U-formula in state i, it moves up into the component C i where it follows the E-trace that it is in.From this component it can only get to state i + 1 mod k if this U-formula gets fulfilled.Thus, since any infinite play must contain infinitely many applications of rule (X 0 ) or (X 1 ), there are only two possible types of runs of this automaton on such plays: those that eventually get trapped in some component C i \ {i}, and those that visit all of 0, 1, . . ., k − 1 infinitely often in this order.
It remains to be seen that this automaton-equipped with a suitable acceptance condition-recognises exactly those plays that do not contain a bad E-trace.
Theorem 31.For every CTL * formula ϑ with k U-subformulas there is a DBA Proof.As above, suppose that ϕ 0 Uψ 0 , . . ., ϕ k−1 Uψ k−1 are all the U-formulas occurring in FL(ϑ).Let A E ϑ := (C 0 ∪ . . .∪ C k−1 , Σ ϑ , 0, δ, {0}) be a Büchi automaton whose state set is the (disjoint) union of the components defined above and whose transition relation δ is also as defined above.It is easy to check that A E ϑ is indeed deterministic and of the size that is stated above.It remains to be seen that it is correct.
Let π be play.First we prove completeness, i.e. suppose that π ∈ L(A E ϑ ).Observe that in states of the form i it can always react to any input symbol whereas in states of the form (i, Π) it can react to all input symbols apart from (X 0 ).However, such states are only reachable from states of the former type by reading a symbol of the form (E, Π, ϕUψ, 1) which is only possible when there is an E-block to which this rule is being applied.Furthermore, the automaton only stays in such states for as long as this block still contains this U-formula, and E-blocks can only disappear with rule (Ett) when they become empty.Thus, A E ϑ has a (necessarily unique) run on every play, and π can therefore only be rejected if this run does not contain infinitely many occurrences of state 0.
Next we observe that A E ϑ cannot get trapped in a state of the form i because every infinite play contains infinitely many applications of rule (X 0 ) or (X 1 )-cf.Lemma 10-which send it to state (i + 1) mod k.Thus, in order not to accept π it would have to get trapped in some component of states of the form (i, Π) for a fixed i.However, it only gets there when the i-th U-formula gets unfolded inside an E-block, and it leaves this component as soon as this formula gets fulfilled.Thus, if it remains inside such a component forever, there must be an U-thread inside E-blocks, i.e. a bad E-trace.
For soundness suppose that π contains a bad E-trace.We claim that A E ϑ must get trapped in some component C i \ {i}.Since this does not contain any final states, it will not accept π.Now note that at any moment in a play, all U-formulas which are top-level in some E-block need to be unfolded with rule (EU) before rule (X 0 ) or (X 1 ) can be applied.Thus, if A E ϑ is in some state i, and the i-th U-formula occurs inside an E-block at top-level position, then it will move to the component C i \ {i} instead of to (i + 1) mod k because the latter is only possible with a rule that occurs later than the rule which triggers the former transition.
As observed above, A E ϑ cannot remain in the only final state 0 forever.In order to visit it infinitely often, it has to visit all states 0, 1, . . ., k − 1 infinitely often in this order.Thus, if there is a bad E-trace with an U-thread formed by the i-th U-formula then there will eventually be a moment in which this i-th U-formula gets unfolded and A E ϑ is trapped in some component C j \ {j} for j = i and the rest of the run, or it is in state i.If the latter is the case then it gets trapped in C i \ {i} for the rest of the run before the next application of rule (X 0 ) or (X 1 ).In either case, π is not accepted.E) is a finite, directed graph with total edge relation E. V 0 denotes the set of nodes owned by player 0, and we write V 1 := V \ V 0 for its complement.The node v 0 ∈ V is a designated starting node, and Ω : V → N assigns priorities to the nodes.A play is an infinite sequence v 0 , v 1 , . . .

The Reduction to Parity
A strategy σ for player i is a winning strategy in node v if player i wins every play that begins in v and conforms to σ.A (positional) strategy for player i is a strategy σ for player i s.t. for all v 0 . . .v n ∈ V * V i and all w 0 . . .w m ∈ V * V i we have: if v n = w m then σ(v 0 . . .v n ) = σ(w 0 . . .w m ).Hence, we can identify positional strategies with σ : V i → V .It is a well-known fact that for every node v ∈ V , there is a winning strategy for either player 0 or player 1 for node v.In fact, parity games enjoy positional determinacy meaning that there is even a positional winning strategy for node v for one of the two player [EJ91].The problem of solving a parity game is to determine which player has a winning strategy for v 0 .It is solvable [Sch07]  Definition 32.Let ϑ be a state formula, A A ϑ be the DPA deciding absence of bad A-traces according to Theorem 30, A E ϑ be the DBA deciding absence of bad E-traces according to Theorem 31 and A ϑ = (Q, Σ pl ϕ , q 0 , δ, Ω) the DPA recognising the intersection of the languages of A A ϑ and A E ϑ according to Lemma 24.The satisfiability parity game for ϑ is P ϑ = (V, V 0 , v 0 , E, Ω ), defined as follows.
) is an instance of a rule application which is symbolically represented by r ∈ Σ pl ϑ and q = δ(q, r), or no rule is applicable to C and C = C and q = q , • Ω (C, q) := if C is a consistent set of literals Ω(q) if there is a rule applicable to C 1 otherwise The following theorem states correctness of this construction.It is not difficult to prove.In fact, winning strategies in the satisfiability games and the satisfiability parity games basically coincide.
Theorem 33.Player 0 has a winning strategy for P ϑ iff player 0 has a winning strategy for G ϑ .
Proof.Let π be a play (C 0 , q 0 ), (C 1 , q 1 ), . . . of P ϑ , and let π = C 0 , C 1 , . . .be its projection onto the first components which ends at the first configuration on which no rule can be applied.The sequence π is indeed a play in G ϑ .Note that this projection is invertible: for every play π in G ϑ there is a unique annotation with states of the deterministic automaton A ϑ leading to a play π in P ϑ .Now we have the following.
π is won by player 0 ⇔ π is accepted by A ϑ , or π ends in a consistent set of literals ⇔ π is won by player 0 Thus, the projection of a winning strategy for player 0 in P ϑ is a winning strategy for her in G ϑ , and conversely, every winning strategy there can be annotated with automaton states in order for form a winning strategy for her in P ϑ .
Proof.The number of states in P ϑ is bounded by Note that the out-degree of the parity game graph is at most 2 |ϑ| because of rule (X 1 ).The game's index is 2 O(|ϑ|) .It is known that parity games of size m and index k can be solved in time m O(k) [Sch07] from which the claim follows immediately.Proof.Suppose ϑ is satisfiable.According to Theorems 17 and 33, player 0 has a winning strategy for P ϑ .It is well-known that she then also has a positional winning strategy [Zie98].A positional strategy can be represented as a finite graph of size bounded by the size of the game graph.A model for ϑ can be obtained from this winning strategy as it is done exemplarily in Section 3 and in detail in the proof of Theorem 18.The upper-bound on the branching-width is given by the fact that rule (X 1 ) can have at most 2 |ϑ| many successors.
The exponential branching-width stated in Corollary 35 can be improved to a linear one by restricting the rule applications.The following argumentation implicitly excludes the rules (X 0 ) and (X 1 ).Therefore, any considered rule application has exactly one principal formula.
We limit the application of every rule besides (X 0 ) and (X 1 ) to those applications where the principal formula is a largest formula among those formulas in the configuration which do not have X as their outermost connectives.Following the proof of Theorem 19, any ordering on the rules does not affect the completeness.
As a measure of a configuration we take the number of its E-blocks plus the number of formulas having the form Eϕ such that this formula is a subformula, but not under the scope of an X-connective, of some formula in the configuration and such that E{ϕ} is not a block in this configuration.This measure is bounded by |ϑ| + 1 at the initial configuration E{ϑ} and at every successor of the rules (X 0 ) and (X 1 ).
The size restriction ensures that any rule instance apart from (X 0 ) and (X 1 ) weakly decreases the measure.First, we consider the contribution of formulas to the measure.An inspection of the rules entails that any subformula Eϕ which contributes to the measure of the configuration at the top of a rule occurs at the bottom as a subformula.For the sake of contradiction, assume that Eϕ does not contribute to the measure of the configuration at the bottom.Hence, the principal block is preventing Eϕ from being counted and, hence, it has the shape E{ϕ}.Therefore, the formula which hosts Eϕ is larger than the principal.But this situation contradicts the size restriction.Secondly, only the rules (EE) and (AE) can produce new E-blocks.If a formula Eϕ is excluded from the measure of the configuration at the bottom then and only then E{ϕ} is a block in this configuration.Therefore, in the positive case this block is not new at the top.And in the negative case the new block at the top is paid by the formula at the bottom and prevents other instances of this formula at the top from being counted.
Putting this together with the argumentation in Corollary 35 yields the following.
These upper bounds are asymptotically optimal, c.f. the proof of the 2EXPTIME-lowerbound [VS85] and the satisfiable formula n i=1 EX(¬p i ∧ p i+1 ) ∧ n i=1 AX(p i → p i+1 ) which forces any model to be of branching-width n.

On Fragments of CTL *
The logic CTL * has two prominent fragments: CTL + and CTL.These logics allow refining the decision procedure detailed in Section 5.The obtained procedures are conceptionally simpler and have an optimal time-complexity.
6.1.The Fragment CTL + .The satisfiability problem for CTL + is 2EXPTIME-hard [JL03] and hence -as a fragment of CTL * -it is also 2EXPTIME-complete.Nevertheless, CTL + is as expressive as CTL [EH85].Hence, the question arises whether the lower expressivity compared to CTL * leads to a simpler decision procedure.
As CTL + is a fragment of CTL * we can apply the introduced games.However, the occurring formulas will not necessarily be CTL + -formulas again, because the fixpoint rules can prefix an X-constructor to the respective U-or R-formula.Nevertheless, the grammar for CTL + can be expanded accordingly.The new kinds are attached to line (2.4).
The lines (2.3) and (2.4') now define the grammar which every game follows.The usage of these new formulas does not affect any of the used asymptotic measures.The restriction to CTL + does not allow major simplification for the automata A E ϑ constructed in Subsection 5.5.However, the automata A A ϑ which rejects plays containing bad A-traces can be essentially simplified: The refined construction bases on a coBüchi-instead of a Büchi-determinisation, and hence leads to a simpler acceptance condition.Due to Theorem 22 it suffices to construct an exponentially sized NcoBA which detects an A-trace which does not contain any R-thread.
For the rest of the subsection, fix a CTL + -formula ϑ and consider an infinite play in the game G ϑ .Let (Q i ∆ i ) i∈N be a trace in this play.A position i 0 in this trace is called X-stable iff -firstly-the index i 0 addresses some top configuration either of the rule (X 0 ) or of (X 1 ), and -secondly-the connection Q i ∆ i Y Q i+1 ∆ i+1 is not spawning for every i ≥ i 0 .By Lemma 10 and 12 every trace has infinitely many X-stable indices.
Lemma 37. Let (Q i ∆ i ) i∈N be a trace, let i 0 be one of its X-stable positions, let N ∈ N and let (ψ i ) i≤N be a sequence of connected formulas in the trace.If there is an i 1 ≥ i 0 such that ψ i 1 is a state formula then ψ j is a state formula for all j ≥ i 1 .
Proof.Every state formula in this trace eventually either disappears entirely -by the rule (Al) for instance-, forms a new block outside the trace -by rule (EE) for instance-, or get decomposed into a smaller state formula -by rule (E∨) for instance-.One of these cases must happen before the rules (X 0 ) or (X 1 ) are applied.Finally, one of the two modal rules must be applied eventually due to Lemma 10.
For every thread Lemma 14 reveals a position which describes the corresponding suffix of the thread.Next, we can strengthen this position to an X-stable position.
Lemma 38.Let (Q i ∆ i ) i∈N be a trace and let i 0 be one of its X-stable positions.Every thread (ψ i ) i∈N in the trace satisfies: Proof.The thread cannot hit any state formula, because by Lemma 37 the thread would violate Lemma 14.The application of the rule (X 0 ) or (X 1 ) to the configuration at index i 0 − 1 entails that ψ i 0 is a U-or an R-formula.In particular along the remaining suffix, the thread must not hit a state formula.Therefore, the formula ψ i is either ψ i 0 or Xψ i 0 for all i ≥ i 0 .
Theorem 39.Let (Q i ∆ i ) i∈N be an A-trace and let i 0 be one of its X-stable positions.We have that: the trace is bad, iff ∆ i does not contain any R-or XR-formula for some i ≥ i 0 .
Proof.It suffices to show that the trace contains an R-thread iff ∆ i contains a R-or XRformula for every i ≥ i 0 .The "only if" direction is a consequence of Lemma 38.As for the "if" direction, every R-or XR-formula can be reached from the initial configuration of the game by a connected sequence of formulas.Due to König's lemma there is a corresponding infinite sequence.By Lemma 13, this sequence is either a U-or an R-thread.If the latter case applies, we are done.In the first case, infinitely many of the said R-and XR-formulas are reachable from a U-formula.Due to the grammar, a state formula must occur between the U-formula and each of the considered R-and XR-formulas.However, this situation contradicts Lemma 37.
The previous theorem is specific for CTL + .For CTL * an A-trace (Q i ∆ i ) i∈N can be good, even if ∆ i does not contain any R-or XR-formula for some i ≥ i 0 .Indeed, the R-formula witnessing that the trace is good might be hosted within a U-formula.A play might delay the fulfillment of this U-formula by several applications of (X 0 ) or (X 1 ).
The automaton starts in the waiting state W. Every A-trace contains a spawning connection for the last time -at least one such connection occurs because the initial configuration is an E-block.This connection is generated either by the rule (AA) or by (EA).Thus, C A,CTL + ϑ eventually jumps after the corresponding input symbol, that is (A, , Aϕ, 0) or (E, , Aϕ, ), into the state ({ϕ}, 0).Then, C A,CTL + ϑ tries to successively guess an A-trace using the first component.If the block sequence stops or is spawning then the automaton rejects.The value 0 in the second component indicates the range between the last spawning connection and the first application of rules (X 0 ) and (X 1 ) afterwards.This application marks an X-stable position.The flags 1 and 2 are responsible for the remaining sequence starting with value 1.The value is switched to 2 iff a block contains neither an R-nor a XR-formula.In such a situation, the automaton has to verify that the sequence does not break down.Therefore, the final states of the NcoBA is defined as stated above.
The size of the automaton C A,CTL + ϑ is exponential in |ϑ|.Hence, the complement of its Miyano-Hayashi determinisation is of double-exponential size -c.f.Theorem 22-and can be used in Subsection 5.6 instead of the general DPA A A ϑ .Thus the time complexity of the whole decision procedure is double-exponential.
The advantage of this approach tailored to CTL + is the Miyano-Hayashi determinisation.Their construction is simple to implement because it bases on an elaborated subset-construction only compared to known determinisation procedures for general Büchi automata [Saf88,Pit06].
Because the small-formula strategy in Subsection 5.7 is indepenent of the fragement, Corollary 36 also holds for CTL + .The lower bound for the size is also doubly exponential [Lan08].
6.2.The Fragment CTL.The satisfiability problem for CTL is EXPTIME-complete.Again, the question arises whether the lower expressivity compared to CTL * leads to a simpler decision procedure.
As CTL is a fragment of CTL * we could apply the introduced satisfiability game.However, this would lead to games of doubly exponential size, resulting in an unoptimal decision procedure.
Hence, we define a new set of configurations and games rules that handle CTL-formulas in an optimal way.Due to the fact that subformulas of fixpoints in CTL are always state formulas, there is no need to keep the immediate subformulas in the respective block after unfolding.By placing them at the top-level of the configurations, we can do without the concept of blocks, since every block contains exactly one subformula.Hence, these blocks can be understood as CTL-formulas.
Here, a configuration (for ϑ) is a non-empty set of state formulas of the set {ϕ, EXϕ, AXϕ | ϕ ∈ Sub(ϑ)}.The additional formulas EXϕ and AXϕ will be generated when unfolding fixpoints.In return, the Fischer-Ladner closure is replaced with the set of subformulas.The definition of consistency etc. is exactly the same as before.
Again, we write Conf (ϑ) for the set of all consistent configurations for ϑ.Note that this is a finite set of at most exponential size in |ϑ|.
Definition 40.The satisfiability game for a CTL-formula ϑ is a directed graph G ϑ = (Conf (ϑ), V 0 , E, v 0 , L) whose nodes are all possible configurations and whose edge relation is given by the game rules in Figure 5.It is understood that the formulas which are stated an enumeration of all U-formulas in ϑ.We can simplify the automaton dramatically here by considering the components C i = {i} ∪ {i} × {ϕ, EXϕ, AXϕ | ϕ ∈ Sub(ϑ)} instead.The transition function is updated accordingly, following now single formulas instead of blocks.We can get a result similar to Theorem 31: Theorem 44.For every CTL formula ϑ with k U-subformulas there is a DBA A of size at most k • (1 + 3|ϑ|) s.t. for all plays π: π ∈ L(A) iff π does not contain a U-thread.
By attaching this automaton to our parity game, we obtain an optimal decision procedure for CTL: Corollary 45.Deciding satisfiability for some ϕ ∈ CTL is in EXPTIME.
Proof.The number of states in the constructed parity game is bounded by Note that the out-degree of the parity game graph is at most |ϑ| because of rule (X 1 ) which is bounded by the number of E-formulas in ϑ.The game's index is 2 which makes it, in fact, a Büchi game.It is well-known [CHP06] that Büchi games with n states and m edges can be solved in time O(n • m) from which the claim follows immediately.
The previous upper bound is optimal because the satisfiability problem for CTL-fragment PDL is EXPTIME-hard [FL79].Since each block in the configurations is mainly a subformula of ϑ, the branching-width is bounded by |ϑ|.This bound is independent of the strategy as compared with Corollary 36.
Emerson/Jutla's procedure transforms a CTL * -formula ϕ in some normal form into a tree-automaton recognising exactly the tree-unfoldings of fixed branching-width of all models of ϕ.This uses a translation of linear-time formulas into Büchi automata and then into deterministic (Rabin) automata for the same reasons as outlined in Subsection 5.1.The game-based approach presented here does not use tree-automata as such, but player-0-strategies resemble runs of a tree automaton.The crucial difference is the separation between the use of machinery for the characterisation of satisfiability in CTL * and the use of automata only in order to make the abstract winning conditions effectively decidable.In particular, we do not need translations of linear-time temporal formula into ω-word automata.The relationship between input formula and resulting structure (here: game) is given by the rules.Furthermore, this separation enables the branching-width of models of ϕ to be flexible; it is given by the number of successors of the rule (X 1 ).In a tree automaton setting it is a priori fixed to a number which is linear in the size of the input formula.While this does not increase the asymptotic worst-case complexity, it may have an effect on the efficiency in practice.Not surprisingly, we do not know of any attempt to implement the tree-automata approach.an implementable decision procedure.The only price to pay for this is the characterisation of satisfiability through infinite objects instead.Reynold's tableau system [Rey11] shares some similarities with the games presented here.He also uses sets of sets of formulas as well as traces (which he calls threads), etc.Even though his tableaux are finite, the difference in this respect is marginal.Finiteness is obtained through looping back, i.e. those branches might be called infinite as well.One of the real differences between the two systems lies in the way that the semantics of the CTL * operators shows up.In Reynolds' system it translates into technical requirements on nodes in the tableaux, whereas the games come with relatively straight-forward game rules.The other main difference is the loop-check.Reynolds says that ". . .we are only able to give some preliminary results on mechanisms for tackling repetition.[. . .] The task of making a quick and more generally usable repetition checker will be left to be advanced and presented at a later date."The game-based method comes with a non-trivial repetition checker: it is given by the annotated automata.7.2.The Fragments CTL + and CTL.To the best of our knowledge, there are no decision procedures that are especially tailored towards CTL + .Thus, the restriction of the satisfiability games to CTL + as presented in Section 6.1 is the first decision procedure for this logic which does not also decide the whole of CTL * .
The situation for CTL is entirely different.The first decision procedure for CTL was given by Emerson and Halpern [EH85] using filtration.It starts with a graph of Hintikka sets and successively removes edges from this graph in order to exclude unfulfilled eventualities.This is similar to the game-based approach in that the game rules for Boolean connectives mimic the rules for being a Hintikka set.On the other hand, the machinery for excluding unfulfilled eventualities is an entirely different one.
There is a purely automata-theoretic decision procedure for CTL [VW86]: as such, it constructs a tree automaton which recognises all tree-unfoldings of models of the input formula.In order to obtain an asymptotically optimal decision procedure for CTL, Vardi/Wolper use a new type of acceptance condition resulting in eventuality automata whose emptiness problem can be decided in polynomial time.An exponential translation from CTL into such automata then yields a decision procedure for CTL.There are certain similarities to the game-based approach presented here: the design of the simpler type of acceptance condition is reminiscent of the manual creation of deterministic automata that check the winning conditions.
There is a tableau-based decision procedure for CTL [AGW07].As with Reynold's tableaux for CTL * , the main difference to the game-based (and also automata-theoretic) approach is the fact that the tableau calculi do not separate the decision procedure into a syntactical characterisation (e.g.winning strategy) and an algorithm deciding existence of such objects.This leads to correctness proofs which are even more complicated than the ones for the CTL * games presented here.Also, this method does not yield a common framework for dealing with unfulfilled eventualities which is given by the different types of (deterministic) automata which are being used here in order to characterise the winning conditions.
The work that is most closely related to the one presented here consists of the focus game approach to CTL [LS01].These are also satisfiability games, and the rules there extend the rules here with a focus on a particular subformula which is under player 1's control.The focus game approach does not explicitly give an algorithm for deciding satisfiability.A close analysis shows that the focus can be seen as an annotation with a nondeterministic co-Büchi automaton to the game configurations, and a decision procedure could be obtained by determinising this automaton.In this respect, the games presented here improve over the focus games by showing how small deterministic Büchi automata suffice for this task.
Table 2 tabulates the comparison of the CTL satisfiability games with these other approaches.

Further Work
The results of the previous section show that the game/automata approach to deciding CTL * is reasonably viable in practice.Note that the implementation so far only features optimisations on one of three fronts: it uses the latest and optimised technology for solving the resulting games.However, there are two more fronts for optimisations which have not been exploited so far.The main advantage of this approach is-as we believe-the combination of tableau-, automata-and game-machinery and therefore the possible benefit from optimisation techniques in any of these areas.It remains to be seen for instance whether the automaton determinisation procedure can be improved or replaced by a better one.Also, the tableau community has been extremely successful in speeding up tableaubased procedures using various optimisations.It also remains to be seen how those can be incorporated in the combined method.
Furthermore, it remains to expand this work to extensions of CTL * , for example CTL * with past operators, multi-agent logics based on CTL * , etc.

Figure 2 :
Figure 2: A strategy for player 0 in the satisfiability game for AFGp ∧ EGEF¬p.

Figure 4 :
Figure 4: Construction of the DPA for Theorem 30.
in time polynomial in |V | and exponential in |Ω[V ]|.

Table 2 :
Comparison of the main decision methods for satisfiability of CTL-formulas.