Enriched MU-Calculi Module Checking

The model checking problem for open systems has been intensively studied in the literature, for both finite-state (module checking) and infinite-state (pushdown module checking) systems, with respect to Ctl and Ctl*. In this paper, we further investigate this problem with respect to the \mu-calculus enriched with nominals and graded modalities (hybrid graded Mu-calculus), in both the finite-state and infinite-state settings. Using an automata-theoretic approach, we show that hybrid graded \mu-calculus module checking is solvable in exponential time, while hybrid graded \mu-calculus pushdown module checking is solvable in double-exponential time. These results are also tight since they match the known lower bounds for Ctl. We also investigate the module checking problem with respect to the hybrid graded \mu-calculus enriched with inverse programs (Fully enriched \mu-calculus): by showing a reduction from the domino problem, we show its undecidability. We conclude with a short overview of the model checking problem for the Fully enriched Mu-calculus and the fragments obtained by dropping at least one of the additional constructs.


Introduction
Model-checking is a formal method, applied in system design, to automatically verify the ongoing behavior of reactive systems ( [CE81,QS81]).In this verification technique the behavior of a system, formally described by a mathematical model, is checked against a behavioral constraint, usually specified by a formula in an appropriate temporal logic (for a survey, see [CGP99]).
In the process of modeling a system, we distinguish between closed and open systems [HP85].While the behavior of a closed system is completely determined by the state of the system, the behavior of an open system depends on the ongoing interaction with its environment [Hoa85].In model checking open systems, introduced and called modulechecking in [KVW01], one should check the system with respect to arbitrary environments and should take into account uncertainty regarding the environment.In such a framework, the open finite-state system is described by a labeled state-transition graph, called in fact details, see also [BLMV08]).The upper bound result is based on an automata-theoretic approach via two-way graded alternating parity tree automata ( 2GAPT), along with the fact that each fragment of the Fully enriched µ-calculus enjoys the quasi-forest model property.Intuitively, 2GAPT generalize alternating automata on infinite trees as inverse programs and graded modalities enrich the standard µ-calculus: 2GAPT can move up to a node's predecessor and move down to at least n or all but n successors.Moreover, a quasi-forest is a forest where nodes can have roots as successors and having quasi-forest model property means that any satisfiable formula has a quasi-forest as model.Using 2GAPT and the quasi-forest model property, it has been shown in [SV01,BLMV06] that given a formula ϕ of a fragment of the Fully enriched µ-calculus, it is possible to construct a 2GAPT accepting all trees encodings 1 quasi-forests modeling ϕ.Then, the exponential-upper bound follows from the fact that the emptiness problem for 2GAPT is solvable in Ptime [KPV02].
In this paper, we further investigate the module checking problem and its infinitestate extension, with respect to the hybrid graded µ-calculus.To see an example of module checking a finite-state open system w.r.t. an hybrid graded µ-calculus specification, consider again the above two-drink dispenser machine with the following extra feature: whenever a customer can choose a drink, he can also call the customer service or the security service.Suppose also that by taking one of these two new choices, the drink-dispenser machine stops dispensing drinks, up to the moment the customer finishes operating with the service.Assume that, for the labeled state-transition graph modeling the system, we label by choose the choosing state and by the nominals o c and o s the states in which the interaction with the customer and the security services start, respectively.Moreover, suppose we want to check the following property: "whenever the customer comes at a choice, he can choose for both the customer and the security services".This property can be formalized by the hybrid graded µ-calculus formula νx.((choose → 1, call (o c ∨ o s )) ∧ [0, −]x), which reads "it is always true that whenever the drink-dispenser is in the choose state, there are at least 2 call-successors in which (o c ∨ o s ) holds".Clearly, the considered open system does not satisfy this formula.Indeed, it is not satisfied by the particular behavior that chooses always the same service.
By exploiting an automata-theoretic approach via tree automata, we show that hybrid graded µ-calculus module checking is decidable and solvable in Exptime in the size of the formula and Ptime in the size of the system.Thus, as in general, we pay an exponentialtime blowup with respect to the model checking problem (and only w.r.t. the size of the formula) for the module checking investigation.In particular, we reduce the addressed module checking problem to the emptiness problem for graded alternating parity tree automata (GAPT ).In more details, given a model M and an hybrid graded µ-calculus formula ϕ, we first construct in polynomial time a Büchi tree automaton (NBT ) A M accepting exec(M ).The construction of A M we propose here extends that used in [KVW01] by also taking into account that M must be unwound in a quasi-forest, rather than a tree, with both nodes and edges labeled.Thus, the set exec(M) is a set of quasi-forests, and the automaton A M we construct will accept all trees encodings of all quasi-forests of exec(M).From the formula side, accordingly to [BLMV06], we can construct in a polynomial time a GAPT A |=ϕ accepting all models that do not satisfy ϕ, with the intent to check that none of these models are in exec(M).Thus, we check that M models ϕ for every possible choice of the 1 Encoding is done by using a new root node that connects all roots of the quasi-forest and new atomic propositions which are used to encode programs and successor nodes corresponding to nominals.
environment by checking whether the L(A M ) ∩ L(A |=ϕ ) is empty.The results follow from the fact that an NBT is a particular case of GAPT , which are closed under intersection and have the emptiness problem solvable in Exptime [BLMV06].We also show a lower bound matching the obtained upper bound by using a reduction from the module checking for CTL, known to be Exptime-hard.
By exploiting again an automata-theoretic approach, we show that hybrid graded µcalculus pushdown module checking is decidable and solvable in 2Exptime in the size of the formula and Exptime in the size of the system.Thus, as in general, with respect to the finite-state model checking case we pay an exponential-time blowup in the size of both the system and the formula for the use of pushdown systems, and an another exponential-time blowup in the size of the formula for the module checking investigation.Our approach allow us do not take the trivial 2Exptime result on both the size of the system and the formula, which can be easily obtained by combining the algorithms existing in the literature along with that one we introduce in this paper for the finite-state case.We solve the hybrid graded µ-calculus pushdown module checking by using a reduction to the emptiness problem for nondeterministic pushdown parity tree automata (PD-NPT ).The algorithm we propose extends that given for the finite-state case.In particular, given an OPD S, a module M induced by the configurations of S, and an hybrid graded µ-calculus formula ϕ, we first construct in polynomial time a pushdown Büchi tree automaton (PD-NBT ) A M , accepting exec(M).From the formula side, accordingly to [BLMV06], we can construct in a polynomial time a GAPT A |=ϕ accepting all models that do not satisfy ϕ.Thus, we can check that M models ϕ for every possible choice of the environment by checking whether L(A M ) ∩ L(A |=ϕ ) is empty.By showing a non-trivial exponential reduction of 2GAPT into NPT , we show a 2Exptime upper bound for the addressed problem.Since the pushdown module checking problem for CTL is 2Exptime-hard, we get that the addressed problem is then 2Exptime-complete.
As regarding the Fully enriched µ-calculus, we also investigate the module checking problem in a "rewind" framework in the following sense.As far as backward modalities concern, everytime the system goes back to an environment's node, he is always able to redefine a new pruning choice.Given a module M and a Fully enriched µ-calculus formula ϕ, we solve the rewind module checking problem by checking that all trees in exec(M), always taking the same choice in duplicate environment nodes, satisfy ϕ.By showing a reduction from the tiling problem [Ber66], we show that the addressed problem is undecidable.
We conclude the paper with short considerations on the model checking on all of the fragments of the Fully enriched µ-calculus.In particular we show the problem to be Exptime-complete for a pushdown system which is allowed to push one symbol per time onto the stack, with respect to any fragment not including the graded modality: for the fragments with the graded modality, we show a 2Exptime upper bound.
The rest of the paper is organized as follows.In Section 2, we give all the necessary preliminaries, Section 3 contains the definition of module checking w.r.t.hybrid graded µ-calculus, and Section 4 contains definitions and known results about 2GAPT and PD-NPT .In Sections 5 and 6, we give our main results on module checking for the hybrid graded µ-calculus.In Section 7, we show the undecidability result for the Fully enriched module checking and conclude in Section 8 with some complexity considerations on model checking with all the fragments of the Fully enriched µ-calculus.

Preliminaries
In this section, we recall definitions of labeled forests and hybrid graded µ-calculus.We refer to [BLMV06] for more technical definitions and motivating examples.
2.1.Labeled Forests.For a finite set X, we denote the size of X by |X|, the set of words over X by X * , the empty word by ε, and with X + we denote X * \ {ε}.Given a word w in X * and a symbol a of X, we use w • a to denote the word wa.Let IN be the set of positive integers.For n ∈ IN, let N denote the set {1, 2, . . ., n}.A forest is a set F ⊆ N + such that if x • c ∈ F , where x ∈ N + and c ∈ N, then also x ∈ F .The elements of F are called nodes, and words consisting of a single natural number are roots of F .For each root r ∈ F , the set is a tree of F (the tree rooted at r).For x ∈ F , the nodes x • c ∈ F where c ∈ N are the successors of x, denoted sc(x), and x is their predecessor.The number of successors of a node x is called the degree of x (deg(x)).The degree h of a forest F is the maximum of the degrees of all nodes in F and the number of roots.A forest with degree h is an h-ary forest.A full h-ary forest is a forest having h roots and all nodes with degree h.
Let F ⊆ N + be a forest, x a node in F , and c ∈ N. As a convention, we take and c • −1 as undefined.We call x a leaf if it has no successors.A path π in F is a word π = x 1 x 2 . . . of F such that x 1 is a root of F and for every x i ∈ π, either x i is a leaf (i.e., π ends in x i ) or x i is a predecessor of x i+1 .Given two alphabets Σ 1 and Σ 2 , a (Σ 1 , Σ 2 )-labeled forest is a triple F, V, E , where F is a forest, V : F → Σ 1 maps each node of F to a letter in Σ 1 , and E : F × F → Σ 2 is a partial function that maps each pair (x, y), with y ∈ sc(x), to a letter in Σ 2 .As a particular case, we consider a forest without labels on edges as a Σ 1 -labeled forest F, V , and a tree as a forest containing exactly one tree.A quasi-forest is a forest where each node may also have roots as successors.For a node x of a quasi-forest, we set children(x) as sc(x) \ N.All the other definitions regarding forests easily extend to quasi-forests.Notice that in a quasi-forest, since each node can have a root as successor, a root can also have several predecessors, while every other node has just one.Clearly, a quasi-forest can always be transformed into a forest by removing root successors.
2.2.Hybrid Graded µ-Calculus.Let AP , Var , Prog , and Nom be finite and pairwise disjoint sets of atomic propositions, propositional variables, atomic programs (which allow to travel the system along accessibility relations), and nominals (which are particular atomic propositions interpreted as singleton sets).The set of hybrid graded µ-calculus formulas is the smallest set such that • true and false are formulas; • p and ¬p, for p ∈ AP , are formulas; • o and ¬o, for o ∈ Nom, are formulas; • x ∈ Var is a formula; • if ϕ 1 and ϕ 2 are formulas, α ∈ P rog, n is a non negative integer, and y ∈ V ar, then the following are also formulas: ϕ 1 , µy.ϕ 1 (y), and νy.ϕ 1 (y).
Observe that we use positive normal form, i.e., negation is applied only to atomic propositions.
We call µ and ν fixpoint operators.A propositional variable y occurs free in a formula if it is not in the scope of a fixpoint operator.A sentence is a formula that contains no free variables.We refer often to the graded modalities n, α ϕ 1 and [n, α]ϕ 1 as respectively atleast formulas and allbut formulas and assume that the integers in these operators are given in binary coding: the contribution of n to the length of the formulas n, α ϕ and [n, α]ϕ is ⌈log n⌉ rather than n.
The semantics of the hybrid graded µ-calculus is defined with respect to a Kripke structure, i.e., a tuple K = W, W 0 , R, L where W is a non-empty set of states, W 0 ⊆ W is the set of initial states, R : Prog → 2 W ×W is a function that assigns to each atomic program a transition relation over W , and L : AP ∪ Nom → 2 W is a labeling function that assigns to each atomic proposition and nominal a set of states such that the sets assigned to nominals are singletons and subsets of W 0 .If (w, w ′ ) ∈ R(α), we say that w ′ is an α-successor of w.Informally, an atleast formula n, α ϕ holds at a state w of K if ϕ holds in at least n + 1 α-successors of w.Dually, the allbut formula [n, α]ϕ holds in a state w of K if ϕ holds in all but at most n α-successors of w.Note that ¬ n, α ϕ is equivalent to [n, α]¬ϕ, and the modalities α ϕ and [α]ϕ of the standard µ-calculus can be expressed as 0, α ϕ and [0, α]ϕ, respectively.
To formalize semantics, we introduce valuations.Given a Kripke structure K = W , W 0 , R, L and a set {y 1 , . . ., y n } of variables in Var , a valuation V : {y 1 , . . ., y n } → 2 W is an assignment of subsets of W to the variables y 1 , . . ., y n .For a valuation V, a variable y, and a set W ′ ⊆ W , we denote by V[y ← W ′ ] the valuation obtained from V by assigning W ′ to y.A formula ϕ with free variables among y 1 , . . ., y n is interpreted over K as a mapping ϕ K from valuations to 2 W , i.e., ϕ K (V) denotes the set of points that satisfy ϕ under valuation V.The mapping ϕ K is defined inductively as follows: For a state w of a Kripke structure K, we say that K satisfies ϕ at w if w ∈ ϕ K .In what follows, a formula ϕ counts up to b if the maximal integer in atleast and allbut formulas used in ϕ is b − 1.

Hybrid graded µ-calculus module Checking
In this paper we consider open systems, i.e., systems that interact with their environment and whose behavior depends on this interaction.The (global) behavior of such a system is described by a module M = W s , W e , W 0 , R, L , which is a Kripke structure where the set of states W = W s ∪ W e is partitioned in system states W s and environment states W e .
Given a module M, we assume that its states are ordered and the number of successors of each state w is finite.For each w ∈ W , we denote by succ(w) the ordered tuple (possibly empty) of w's α-successors, for all α ∈ P rog.When M is in a system state w s , then all states in succ(w s ) are possible next states.On the other hand, when M is in an environment state w e , the possible next states (that are in succ(w e )) depend on the current environment.Since the behavior of the environment is not predictable, we have to consider all the possible sub-tuples of succ(w e ).The only constraint, since we consider environments that cannot block the system, is that not all the transitions from w e are disabled.
The set of all (maximal) computations of M, starting from W 0 , is described by a (W, P rog)-labeled quasi-forest F M , V M , E M , called computation quasi-forest, which is obtained by unwinding M in the usual way.The problem of deciding, for a given branchingtime formula ϕ over AP ∪ N om, whether ]. On the other hand, for an open system M, the quasi-forest F M , V M , E M corresponds to a very specific environment, i.e., a maximal environment that never restricts the set of its next states.Therefore, when we examine a branching-time formula ϕ w.r.t.M, the formula ϕ should hold not only in F M , V M , E M , but in all quasi-forests obtained by pruning from F M , V M , E M subtrees rooted at children of environment nodes, as well as inhibiting some of their jumps to roots (that is, successor nodes labeled with nominals), if there are any.The set of these quasi-forests, which collects all possible behaviors of the environment, is denoted by exec(M) and is formally defined as follows.

Open Pushdown Systems (OPD).
An OPD over AP , N om and P rog is a tuple to be the set of (pushdown) configurations, and for each configuration (q, A • γ), we set top((q, A • γ)) = (q, A) to be a top configuration.The function ∆ : is a finite set of transition rules such that ♭ is always present at the bottom of the stack and nowhere else (thus whenever ♭ is read, it is pushed back).Note that we make this assumption also about the various pushdown automata we use later.The set C 0 ⊆ Conf is a finite set of initial configurations, ρ 1 : AP → 2 Q×Γ ♭ and ρ 2 : N om → C 0 are labeling functions associating respectively to each atomic proposition p a set of top configurations in which p holds and to each nominal exactly one initial configuration.Finally, The OPD moves in accordance with the transition relation ∆.Thus, ((q, A), (q ′ , γ)) ∈ ∆(α) implies that if the OPD is in state q and the top of the stack is A, it can move along with an α-transition to state q ′ , and substitute γ for A. Also note that the possible operations of the system, the labeling functions, and the designation of configurations as environment configurations, are all dependent only on the current control state and the top of the stack.
An OPD S induces a module M S = W s , W e , W 0 , R, L , where:

the set of pushdown configurations, and
The hybrid graded (µ-calculus) pushdown module checking problem is to decide, for a given OPD S and an enriched µ-calculus formula ϕ, whether M S |= r ϕ.

Tree Automata
4.1.Two-way Graded Alternating Parity Tree Automata (2GAPT ).These automata have been introduced and deeply investigated in [BLMV06].In this section we just recall the main definitions and results and refer to the literature for more details.Intuitively, 2GAPT are an extension of nondeterministic tree automata in such a way that a 2GAPT can send several copies of itself to the same successor (alternating), send copies of itself to the predecessor (two-way), specify a number n of successors to which copies of itself are sent (graded), and accept trees along with a parity acceptance condition.To give a more formal definition, let us recall some technicalities from [BLMV06].
For a given set Y , let B + (Y ) be the set of positive Boolean formulas over Y (i.e., Boolean formulas built from elements in Y using ∧ and ∨), where we also allow the formulas true and false and ∧ has precedence over ∨.For a set X ⊆ Y and a formula θ ∈ B + (Y ), we say that X satisfies θ iff assigning true to elements in X and assigning false to elements in Y \ X makes θ true.
Intuitively, D b collects all possible directions in which the automaton can proceed.
Formally, a 2GAPT on Σ-labeled trees is a tuple and F is a parity acceptance condition (see below).Intuitively, an atom ( n , q) (resp.([n], q)) means that A sends copies in state q to n + 1 (resp.all but n) different successors of the current node, (ε, q) means that A sends a copy (in state q) to the current node, and (−1, q) means that A sends a copy to the predecessor of the current node.A run of A on an input Σ-labeled tree T, V is a tree T r , r in which each node is labeled by an element of T × Q. Intuitively, a node in T r labeled by (x, q) describes a copy of the automaton in state q that reads the node x of T .Runs start in the initial state and satisfy the transition relation.Thus, a run T r , r with root z has to satisfy the following: (i) r(z) = (1, q 0 ) for the root 1 of T and (ii) for all y ∈ T r with r(y) = (x, q) and δ(q, V (x)) = θ, there is a (possibly empty) set S ⊆ D b × Q, such that S satisfies θ, and for all (d, s) ∈ S, the following hold: defined, and there is j ∈ N such that y • j ∈ T r and r(y , there are at least n + 1 distinct indexes i 1 , . . ., i n+1 such that for all 1 ≤ j ≤ n + 1, there is j ′ ∈ N such that y • j ′ ∈ T r , x • i j ∈ T , and r(y Note that if θ = true, then y does not need to have successors.This is the reason why T r may have leaves.Also, since there exists no set S as required for θ = false, we cannot have a run that takes a transition with θ = false. A run T r , r is accepting if all its infinite paths satisfy the acceptance condition.In the parity acceptance condition, F is a set {F 1 , . . ., F k } such that F 1 ⊆ . . .⊆ F k = Q and k is called the index of the automaton.An infinite path π on T r satisfies F if there is an even i such that π contains infinitely many states from F i and finitely many states from F i−1 .An automaton accepts a tree iff there exists an accepting run of the automaton on the tree.We denote by L(A) the set of all Σ-labeled trees that A accepts.The emptiness problem for an automaton P is to decide whether L(P) = ∅.
A 2GAPT is a GAPT (i.e., "one-way") if δ : As a particular case of 2APT , we also consider nondeterministic parity tree automata (NPT ) [KVW00].Formally, an NPT on Σ-labeled trees is a tuple A = Σ, D, Q, δ, q 0 , F , where Σ, Q, q 0 , and F are as in 2APT , D is a finite set of branching degree and δ : and d ∈ D. Finally, we also consider Büchi acceptance condition F ⊆ Q, which simply is a special parity condition {∅, F, Q}.Thus, we use in the following the acronym NBT to denote nondeterministic Büchi tree automata on Σ-labeled trees.
The following results on 2GAPT will be useful in the rest of the paper.

Theorem 1. [BLMV06]
The emptiness problem for a GAPT A = Σ, b, Q, δ, q 0 , F can be solved in time linear in the size of Σ and b, and exponential in the index of the automaton and number of states.
Lemma 1. [BLMV06] Given two GAPT A 1 and A 2 , there exists a GAPT A such that L(A) = L(A 1 ) ∩ L(A 2 ) and whose size is linear in the size of A 1 and A 2 .
We now recall a result on GAPT and hybrid graded µ-calculus formulas.

Lemma 2 ([BLMV06]
).Given an hybrid graded µ-calculus sentence ϕ with ℓ atleast subsentences and counting up to b, it is possible to construct a GAPT with O(|ϕ| 2 ) states, index |ϕ|, and counting bound b that accepts exactly each tree that encodes a quasi-forest model of ϕ.

Nondeterministic Pushdown Parity Tree Automata (PD-NPT ).
A PD-NPT (without ε-transitions), on Σ-labeled full h-ary trees, is a tuple P = Σ, Γ, ♭, Q, q 0 , γ 0 , ρ, F , where Σ is a finite input alphabet, Γ, ♭, Γ ♭ , and Q are as in OPD , (q 0 , γ 0 ) is the initial configuration, ρ : h is a transition function, and F is a parity acceptance condition over Q. Intuitively, when P is in state q, reading an input node x labeled by σ ∈ Σ, and the stack contains a word A • γ ∈ Γ * • ♭, then P chooses a tuple (q 1 , γ 1 ), . . ., (q h , γ h ) ∈ ρ(q, σ, A) and splits in h copies such that for each 1 ≤ i ≤ h, a copy in configuration (q i , γ i • γ) is sent to the node x • i in the input tree.A run of P on a Σ-labeled full h-ary tree T, V is a (Q × Γ * • ♭)-labeled tree T, r such that • r(ε) = (q 0 , γ 0 ), and • for each x ∈ T with r(x) = (q, A • γ), there is (q 1 , γ 1 ), . . ., (q h , γ h ) ∈ ρ(q, V (x), A) such that, for all 1 ≤ i ≤ h, we have r(x • i) = (q i , γ i • γ).The notion of accepting path is defined with respect to the control states that appear infinitely often in the path (thus without taking into account any stack content).Then, the notions given for 2GAPT regarding accepting runs, accepted trees, and accepted languages, along with the parity acceptance condition, easily extend to PD-NPT .In the following, we denote with PD-NBT a PD-NPT with a Büchi condition.We now recall two useful results on the introduced automata.).Given a PD-NBT P = Σ, Γ, Q, q 0 , γ 0 , ρ, Q on Σ-labeled full h-ary trees, and an NPT A = Σ, Q ′ , q ′ 0 , δ, F ′ , there is a PD-NPT P ′ on Σ-labeled full h-ary trees, such that L(P ′ ) = L(P) ∩ L(A).Moreover, P ′ has |Q| • |Q ′ | states, the same index as A, and the size of the transition relation is bounded by |ρ| • |δ| • h.

Deciding Hybrid Graded µ-calculus Module Checking
In this section, we solve the module checking problem for the hybrid graded µ-calculus.
In particular, we show that this problem is decidable and Exptime-complete.For the upper bound, we give an algorithm based on an automata-theoretic approach, by extending an of [KVW01].For the lower bound, we give a reduction from the module checking problem for CTL, known to be Exptime-hard.We start with the upper bound.
Let M be a module and ϕ an hybrid graded µ-calculus formula.We decide the module checking problem for M against ϕ by building a GAPT A M× |=ϕ as the intersection of two automata.Essentially, the first automaton, denoted by A M , is a Büchi automaton that accepts trees encoding of labeled quasi-forests of exec(M), and the second automaton is a GAPT A |=ϕ that accepts all trees encoding of labeled quasi-forests that do not satisfy ϕ (i.e, ¬ϕ is satisfied at all initial nodes).Thus, M |= r ϕ iff L(A M× |=ϕ ) is empty.
The construction of A M proposed here extends that given in [KVW01] for solving the module checking problem for finite-state open systems with respect to CTL and CTL * .The extension concerns the handling of forest models instead of trees and formulas of the hybrid graded µ-calculus.Before starting, there are a few technical difficulties to be overcome.First, we notice that exec(M) contains quasi-forests, with labels on both edges and nodes, while Büchi automata can only accept trees with labels on nodes.This problem is overcome by using the following three step transformation (1) move the label of each edge to the target node of the edge (formally using a new propositional symbol p α , for each atomic program α), (2) substitute edges to roots with new propositional symbols ↑ α o (which represents an αlabeled edge from the current node to the unique root node labeled by the nominal o), and (3) add a new root, labeled with a new symbol root , and connect it with the old roots of the quasi-forest.
Another technical difficulty to handle is relate to the fact that quasi-forests of exec(M) (and thus their encoding) may not share the same structure, since they are obtained by pruning some subtrees from the computation quasi-forest the computation tree of M obtained from F M , V M , E M using the above encoding.By extending an idea of [KVW01], we solve the technical problem by considering each tree T, V ′ , encoding of a quasi-forest of exec(M), as a (2 AP ′ ∪N om ∪ {root , ⊥})-labeled tree T M , V ′′ (where ⊥ is a fresh proposition name not belonging to AP ∪ N om ∪ {root }) such that for each node x ∈ T M , if x ∈ T then V ′′ (x) = V ′ (x), otherwise V ′′ (x) = {⊥}.Thus, we label each node pruned in the T M , V ′ M with {⊥} and recursively, we label with {⊥} its subtrees.In this way, all trees encoding quasi-forests of exec(M) have the same structure of T M , V ′ M , and they differ only in their labeling.Accordingly, we can think of an environment as a strategy for placing {⊥} in T M , V ′ M , with the aim of preventing the system to satisfy a desired property while not considering the nodes labeled with ⊥.Moreover, the environment can also disable jumps to roots.This is performed by removing from nodes corresponding with environment states some of ↑ α o labels.Notice that since we consider environments that do not block the system, each node associated with an environment state has at least one successor not labeled by {⊥}, unless it has ↑ α o in its label.Let us denote by exec(M) the set of all (2 AP ′ ∪N om ∪ {root , ⊥})-labeled T M , V ′′ trees obtained from F, V, E ∈ exec(M) in the above described manner.The required NBT A M must accept all and only the (2 AP ′ ∪N om ∪ {root , ⊥})-labeled trees in exec(M).The automaton A M = Σ, D, Q, δ, q 0 , F is defined for a module M = W s , W e , W 0 , R, L as follows: is, D contains, for each state in W , the number of its successors, but its jumps to roots).• Q = (W × {⊥, ⊤, ⊢}) ∪ {q 0 }, with q 0 ∈ W . Thus every state w of M induces three states (w, ⊥), (w, ⊤), and (w, ⊢) in A M .Intuitively, when A M is in state (w, ⊥), it can read only ⊥, in state (w, ⊤), it can read only letters in 2 AP * ∪ N om , and in state (w, ⊢), it can read both letters in 2 AP * ∪N om and ⊥.In this last case, it is left to the environment to decide whether the transition to a state of the form (w, ⊢) is enabled.The three types of states are used to ensure that the environment enables all transitions from enabled system states, enables at least one transition from each enabled environment state, and disables transitions from disabled states.

• The transition function
that is δ(q 0 , root , m) contains exactly one m-tuple of all the roots of the forest.In this case, all transitions cannot be disabled; − if root ∈ V (x), let V (x) = w and succ(w) \ W 0 = w 1 , . . ., w n be the set of non-roots successors of w, then we have * for w ∈ W e ∪ W s and g ∈ {⊢, ⊥} we have δ((w, g), ⊥, n) = { (w 1 , ⊥), . . ., (w n , ⊥) }, that is δ((w, g), ⊥, n) contains exactly one n-tuple of all non-roots successors of w.
that is, δ((w, g), L(w), n) contains n different n-tuples of all non-roots successors of w.When A M proceeds according to the i-th tuple, the environment can disable all transitions to successors of w, except that to w i ; * for w ∈ W e and g ∈ {⊤, ⊢} with L(w) ∩ {↑ α o | α ∈ P rog and o ∈ N om} = ∅ (i.e., w has at least one jump to roots enabled), we have δ((w, g), L(w), n) = { (w 1 , ⊢), . . ., (w n , ⊢) }, that is δ((w, g), L(w), n) contains one n-tuple of non-roots successors of w, that can be successively disabled.Notice that δ is not defined when n is different from the number of non-roots successors of w, and when the input does not meet the restriction imposed by the ⊤, ⊢, and ⊥ annotations or by the labeling of w.
The We recall that a node labeled by either {⊥} or {root } stands for a node that actually does not exist.Thus, we have to take this into account when we interpret formulas of the hybrid graded µ-calculus over trees T M , V ′ ∈ exec(M).In order to achieve this, as in [KVW01] we define a function f that transforms the input formula ϕ in a formula of the hybrid graded µ-calculus ϕ ′ = 0, α f (ϕ) (where α ∈ P rog is an arbitrary atomic program), that restricts path quantification to only paths that never visit a state labeled with {⊥}.The function f we consider extends that given in [KVW01] and is inductively defined as follows: • f (true) = true and f (false) = false; • f (p) = p and f (¬p) = ¬p for all p ∈ AP ∪ N om; • f (x) = x for all x ∈ V ar; • f (ϕ 1 ∨ϕ 2 ) = f (ϕ 1 )∨f (ϕ 2 ) and f (ϕ 1 ∧ϕ 2 ) = f (ϕ 1 )∧f (ϕ 2 ) for all hybrid graded µ-calculus formulas ϕ 1 and ϕ 2 ; • f (µx.ϕ(x)) = µx.f(ϕ(x)) and f (νx.ϕ(x)) = νx.f(ϕ(x)) for all x ∈ V ar and hybrid graded µ-calculus formulas ϕ; • f ( n, α ϕ) = n, α (¬⊥ ∧ f (ϕ)) for n ∈ IN and for all atomic programs α and hybrid graded µ-calculus formulas ϕ; and for all atomic programs α and hybrid graded µ-calculus formulas ϕ.By definition of f , it follows that for each formula ϕ and T, V ∈ exec(M), T, V satisfies ϕ ′ = 0, α f (ϕ) iff the 2 AP ′ ∪N om -labeled forest, obtained from T, V removing the node labeled with {root } and all nodes labeled by {⊥}, satisfies ϕ.Therefore, we solve the module checking problem of M against an hybrid graded µ-calculus formula ϕ by checking (for its negation) that in exec(M) = L(A M ) does not exist any tree T, V satisfying ¬ϕ ′ = [0, α]f (¬ϕ) (note that |f (¬ϕ)| = O(|¬ϕ|)).We reduce the latter to check the emptiness of a GAPT A M× |=f (ϕ) that is defined as the intersection of the NBT A M with a GAPT A |=f (ϕ) accepting exactly the 2 AP ′ ∪N om ∪{root , ⊥} trees encodings of quasi-forests not satisfying f (ϕ).By Lemma 2, if ϕ is an hybrid graded µ-calculus formula, then A |=f (ϕ) has O(|ϕ| 2 ) states, index |ϕ|, and counting bound b.Therefore, by Lemma 1, A M× |=f (ϕ) has O(|W | + |ϕ| 2 ) states, index |ϕ|, and counting bound b.By recalling that the emptiness problem for a GAPT can be decided in exponential-time (Theorem 1), we obtain that the module checking problem for hybrid graded µ-calculus formulas is solvable in exponentialtime.To show a tight lower bound we recall that CTL module checking is Exptime-hard [KVW01] and every CTL formula can be linearly transformed in a modal µ-calculus formula [Jur98].This leads to the module checking problem w.r.t.modal µ-calculus formulas to be Exptime-hard and thus to the following result.
Theorem 2. The module checking problem with respect to hybrid graded µ-calculus formulas is Exptime-complete.

Deciding Hybrid Graded µ-calculus PD-module Checking
In this section, we show that hybrid graded pushdown module checking is decidable and solvable in 2Exptime.Since CTL pushdown module checking is 2Exptime-hard, we get that the addressed problem is 2Exptime-complete.For the upper bound, the algorithm works as follows.Given an OPD S and the module M S induced by S, by combining and extending the constructions given in [BMP05] and Section 5, we first build in polynomialtime a PD-NBT A S accepting each tree that encodes a quasi-forest belonging to exec(M S ).Then, given an hybrid graded µ-calculus formula ϕ, according to [BLMV06], we build in polynomial-time a GAPT A |=ϕ (Lemma 2) accepting all models that do not satisfy ϕ, with the intent of checking that none of these models are in exec(M S ).Then, accordingly to the basic idea of [KVW01], we check that M S |= r ϕ by checking whether L(A S ) ∩ L(A |=ϕ ) is empty.Finally, we get the result by using an exponential-time reduction of the latter to the emptiness problem for PD-NPT , which from Proposition 4.1 can be solved in Exptime.As a key step of the above reduction, we use the exponential-time translation from GAPT into NPT showed in Lemma 5.
Let us start dealing with A S .Before building the automaton, there are some technical difficulties to overcome.First, notice that A S is a PD-NBT and it can only deal with trees having labels on nodes.Also, quasi-forests of exec(M S ) may not share the same structure, since they are obtained by pruning subtrees from the computation quasi-forest F M S , V M S , E M S of M S .As in Section 5, we solve this problem by considering 2 AP ′ ∪N om ∪ {root , ⊥}-labeled trees encoding of quasi-forests F, V, E ∈ exec(M S ), where AP ′ = AP ∪ {p α | α ∈ P rog} ∪ {↑ α o | α ∈ P rog and o ∈ N om}.Another technical difficulty to handle with is related to the fact that quasi-forests of exec(M S ) (and thus their encodings) may not be full h-ary, since the nodes of the OPD from which M S is induced may have different degrees.Technically, we need this property since the emptiness problem for PD-NPT to which we reduce our problem has been solved in the literature only for PD-NPT working on full trees.Similarly as we did for pruned nodes, we transform each tree encoding of a quasi-forest of exec(M S ) into a full h-ary tree by adding missing nodes labeled with {⊥}.Therefore the proposition ⊥ is used to denote both "disabled" states and "completion" states.In this way, all trees encodings of quasi-forests of exec(M S ) are all full h-ary trees, and they differ only in their labeling.Let us denote with exec(M S ) the set of all 2 AP ′ ∪N om ∪ {root , ⊥}-labeled full h-ary trees obtained from F M S , V M S , E M S using all the transformations described above.
In [BMP05] it has been shown how to build a PD-NBT accepting full h-ary trees embedded in an OPD corresponding to all behaviors of the environment.In particular, the PD-NBT constructed there already takes into account the above transformation regarding {⊥}-labeled nodes.By extending the construction proposed there in the same way the construction showed in Section 5 extends the classical construction of A M proposed in [KVW01], it is not hard to show that the following result holds.Let us now go back to the hybrid graded µ-calculus formula ϕ.Using the function f introduced in Section 5 and Lemma 2, we get that given an hybrid graded µ-calculus formula ϕ, we can build in polynomial-time a GAPT A |=f (ϕ) accepting all models of ¬ϕ ′ = [0, α]f (¬ϕ) (as done in Section 5).
By using the classical Exptime transformation from GAPT to GNPT [KSV02] and a simple Exptime transformation from GNPT to NPT , we directly get a 3Exptime algorithm for the hybrid graded µ-calculus pushdown module checking.To obtain an exponential-time improvement, here we show a not trivial Exptime transformation from 2GAPT to NPT .The translation we propose uses the notions of strategies, promises and annotations, which we now recall.
Let A = Σ, b, Q, δ, q 0 , F be a 2GAPT with For each control state q ∈ Q, let index(q) be the minimal i such that q ∈ F i .A strategy tree for A on T, V is a 2 Q×D b ×Q -labeled tree T, str such that, defined head(w) = {q : (q, d, q ′ ) ∈ w} as the set of sources of w, it holds that (i) q 0 ∈ head(str(root (T ))) and (ii) for each node x ∈ T and state q, the set {(q, q ′ ) : (q, d, q ′ ) ∈ str(x)} satisfies δ(q, V (x)).
A promise tree for A on T, V is a 2 Q×Q -labeled tree T, pro .We say that pro fulfills str for V if the states promised to be visited by pro satisfy the obligations induced by str as it runs on V .Formally, pro fulfills str for V if for every node x ∈ T , the following hold: "for every (q, n , q ′ ) ∈ str(x) (resp.(q, [n], q ′ ) ∈ str(x)), at least n + 1 (resp deg(x) − n) successors x • j of x have (q, q ′ ) ∈ pro(x • j)".
A downward path induced by str, pro, and ann on T, V is a sequence x 0 , q 0 , t 0 , x 1 , q 1 , t 1 , . . .such that x 0 = root(T ), q 0 is the initial state of A and, for each i ≥ 0, it holds that x i ∈ T , q i ∈ Q, and ] and there exists c ∈ {1, . . ., deg(x i )} such that x i+1 = x i • c and (q i , q i+1 ) ∈ pro(x i+1 ).In the first case we set index(t i ) = d and in the second case we set index(t i ) = min{j ∈ {1, . . ., k} | q i+1 ∈ F j }.Moreover, for a downward path π, we set index(π) as the minimum index that appears infinitely often in π.Finally, we say that π is accepting if index(π) is even.
The following lemma relates languages accepted by 2GAPT with strategies, promises, and annotations.

Lemma 4 ([BLMV06]
).Let A be a 2GAPT.A Σ-labeled tree T, V is accepted by A iff there exist a strategy tree T, str , a promise tree T, pro for A on T, V such that pro fulfills str for V , and an annotation tree T, ann for A on T, V , T, str and T, pro such that every downward path induced by str, pro, and ann on T, V is accepting.
Given an alphabet Σ for the input tree of a 2GAPT with transition function δ, let D δ b be the subset containing only the elements of D b appearing in δ.Then we denote by Σ ′ the extended alphabet for the combined trees, i.e., Σ ′ = Σ × 2 Q×D δ b ×Q × 2 Q×Q × 2 Q×{1,...k}×Q .
Lemma 5. Let A be a 2GAPT running on Σ-labeled trees with n states, index k and counting bound b that accepts h-ary trees.It is possible to construct in exponential-time an NPT A ′ running on Σ ′ -labeled h-ary trees that accepts a tree iff A accepts its projection on Σ.
Proof.Let A = Σ, b, Q, q 0 , δ, F with F = F 1 , . . ., F k .By Lemma 4, we construct A ′ as the intersection of two NBT A ′ , A ′′ , and an NPT A ′′′ .In particular, all these automata have size exponential in the size of A. Moreover, since each NBT uses as accepting all its states, it is easy to intersect in polynomial-time all of them by using a classical automata product.These automata are defined as follows.Given a Σ ′ -labeled tree T ′ = T, (V, str, pro, ann) , (1) A ′ accepts T ′ iff str is a strategy for A on T, V and pro fulfills str for V , (2) A ′′ accepts T ′ iff ann is an annotation for A on T, V , T, str and T, pro , and (3) A ′′′ accepts T ′ iff every downward path induced by str, pro, and ann on T, V is accepting.
The automaton A ′ = Σ ′ , D ′ , Q ′ , q ′ 0 , δ ′ , F ′ works as follows: on reading a node x labeled (σ, η, ρ, ω), then it locally checks whether η satisfies the definition of strategy for A on T, V .In particular, when A ′ is in its initial state, we check that η contains a transition starting from the initial state of A. Moreover, the automaton A ′ sends to each child x • i the pairs of states that have to be contained in pro(x • i), in order to verify that pro fulfills str.To obtain this, we set To define δ ′ , we first give the following definition.For each node x ∈ T labeled (σ, η, ρ, ω), we set x) such that [for each (q, m , p) ∈ η there is P ⊆ {1, . . .deg(x)} with |P | = m + 1 such that for all i ∈ P, (q, p) ∈ S i ] and [for each (q, [m], p) ∈ η there isP ⊆ {1, . . .deg(x)} with |P | = deg(x) − m such that for all i ∈ P, (q, p) ∈ S i ]} to be the set of all tuples with size deg(x), each fulfilling all graded modalities in str(x).
Hence, in A ′′ we have |δ|+k) , and index 2. Finally, to define A ′′′ we start by constructing a 2APT B whose size is polynomial in the size of A and accepts T, (V, str, pro, ann) iff there is a non accepting downward path (w.r.t.A) induced by str, pro, and ann on T, V .The automaton B = Σ ′ , Q B , q B 0 , δ B , F B (which in particular does not need direction −1) essentially chooses, in each state, the downward path to walk on, and uses an integer to store the index of the state.We use a special state ♯ not belonging to Q to indicate that B proceeds in accordance with an annotation instead of a strategy.Therefore, Q B = ((Q ∪ {♯}) × {1, . . ., k} × Q) ∪ {q B 0 }.To define the transition function on a node x, let us introduce a function f that for each q ∈ Q, strategy η ∈ 2 Q×D δ b ×Q , and annotation ω ∈ 2 Q×{1,...,k}×Q gives a formula satisfied along downward paths consistent with η and ω, starting from a node reachable in A with the state q.That is, in each node x, the function f either proceeds according to the annotation ω or the strategy η (note that f does not check that the downward path is consistent with any promise).Formally, f is defined as follows, where index(p) is the minimum i such that p ∈ F i : Then, we have δ B (q B 0 , (σ, η, ρ, ω)) = f (q 0 , η, ω) and δ B ((q, d, p), (σ, η, ρ, ω)) = false if q = ♯ and (q, p) ∈ ρ f (p, η, ω) otherwise. .
A downward path π is non accepting for A if the minimum index that appears infinitely often in π is odd.Therefore, F B = F B 1 , . . ., F B k+1 , Q B where F B 1 = ∅ and, for all i ∈ {2, . . ., k + 1}, we have and the index is k + 2.Then, since B is alternating, we can easily complement it in polynomial-time into a 2APT B that accepts a tree iff all downward paths induced by str, pro, and ann on T, V are accepting.Finally, following [Var98] we construct in exponential-time the desired automaton A ′′′ .
By applying the transformation given by Lemma 5 to the automaton A ¬ϕ ′ defined above, we obtain in exponential time in the size of ϕ, an NPT that accepts all the trees encoding of quasi-forests that do not satisfy ϕ.From Proposition 4.2, then we can build a PD-NPT A S× |=ϕ with size polynomial in the size of S and exponential in the size of ϕ such that L(A S× |=ϕ ) = L(A S ) ∩ L(A ¬ϕ ′ ).Hence, from Proposition 1 we obtain that hybrid graded µ-calculus pushdown module checking can be solved in Exptime in the size of S and in 2Exptime in the size of ϕ.Finally, from the fact that CTL pushdown module checking is known to be 2Exptime-hard with respect to the size of ϕ and Exptime-hard with respect to the size of S [BMP05], we obtain the following theorem.
Theorem 3. The hybrid graded µ-calculus pushdown module checking problem is 2Exptimecomplete with respect to the size of the formula and Exptime-complete with respect to the size of the system.

Fully Enriched µ-calculus Module Checking
In this section, we consider a memoryless restriction of the module checking problem and investigate it with respect to formulas of the Fully enriched µ-calculus.Given a formula ϕ, a memoryless module checking problem checks whether all trees in exec(M), always taking the same choice in duplicate environment nodes, satisfy ϕ.In this section, we show that the (memoryless) module checking problem for Fully enriched µ-calculus is undecidable.
Fully enriched µ-calculus is the extension of hybrid graded µ-calculus with inverse programs.Essentially, inverse programs allow us to specify properties about predecessors of a state.Given an atomic program a ∈ P rog, we denote its inverse program with a − and the syntax of the fully enriched µ-calculus is simply obtained from the one we introduced for hybrid graded µ-calculus, by allowing both atomic and inverse programs in the graded modalities.Similarly, the semantics of fully enriched µ-calculus is given, identically to the one for hybrid graded µ-calculus, with respect to a Kripke structure K = W, W 0 , R, L in which, to deal with inverse programs, we define, for all a ∈ P rog, R(a Let us note that, since the fully enriched µ-calculus does not enjoy the forest model property [BP04], we cannot unwind a Kripke structure in a forest.However, it is always possible to unwind it in an equivalent acyclic graph that we call computation graph.In order to take into account all the possible behaviors of the environment, we consider all the possible subgraphs of the computation graph obtained disabling some transitions from environment nodes but one.We denote with graphs(M ) the set of this graphs.Given a Fully enriched µ-calculus formula ϕ, we have that M |= r ϕ iff K |= ϕ for all K ∈ graphs(M ).
To show the undecidability of the addressed problem, we need some further definitions.An (infinite) grid is a tuple G = IN 2 , h, v such that h and v are defined as h( x, y ) = x + 1, y and v( x, y ) = x, y + 1 .Given a finite set of types T , we will call tile on T a function ρ : IN 2 → T that associates a type from T to each vertex of an infinite grid G, and we call tiled infinite grid the tuple G, T, ρ .A grid model is an infinite Kripke structure K = W, {w 0 }, R, L , on the set of atomic programs P rog = {l − , v}, such that K can be mapped on a grid in such a way that w 0 corresponds to the vertex 0, 0 , R(v) corresponds to v and R(l − ) corresponds to h.We say that a grid model K "corresponds" to a tiled infinite grid G, T, ρ if every state of K is labeled with only one atomic proposition (and zero or more nominals) and there exists a bijective function ρ : T → AP such that, if w x,y is the state of K corresponding with the node x, y of G, then ρ(ρ( x, y )) ∈ L(w x,y ).
Theorem 4. The module checking problem for fully enriched µ-calculus is undecidable.Proof.To show the result, we use a reduction from the tiling problem (also known as domino problem), known to be undecidable [Ber66].The tiling problem is defined as follows.
Let T be a finite set of types, and H, V ⊆ T 2 be two relations describing the types that cannot be vertically and horizontally adjacent in an infinite grid.The tiling problem is to decide whether there exists a tiled infinite grid G, T, ρ such that ρ preserves the relations H and V .We call such a tile function a legal tile for G on T .
In [BP04], Bonatti and Peron showed undecidability for the satisfiability problem for fully enriched µ-calculus by also using a reduction from the tiling problem.Hence, given a set of types T and relations H and V , they build a (alternation free) fully enriched µcalculus formula ϕ such that ϕ is satisfiable iff the tiling problem has a solution in a tiled infinite grid, with a legal tile ρ on T (with respect to H and V ).In particular, the formula they build can be only satisfiable on a grid model K corresponding to a tiled infinite grid with a legal tile ρ on T .In the reduction we propose here, we use the formula ϕ used in [BP04].It remains to define the module.
Let {G 1 , G 2 , . ..} be the set of all the infinite tiled grids on T (i.e., G i = G, T, ρi ), we build a module M such that graphs(M ) contains, for each i ≥ 1, a grid models corresponding to G i .Therefore, we can decide the tiling problem by checking whether M |= r ¬ϕ.Indeed, if M |= r ¬ϕ, then all grid models corresponding to G i do not satisfy ϕ and, therefore, there is no solution for the tiling problem.On the other if M |= r ¬ϕ, then there exists a model for ϕ; since ϕ can be satisfied only on a grid model corresponding to a tiled infinite grid with a legal tile on T with respect to H and V , we have that the tiling problem has a solution.
Formally, let T = {t 1 , . . ., t m } be the set of types, the module M = W s , W e , W 0 , R, L with respect to atomic programs P rog = {l − , v}, atomic propositions AP = T , and nominals N om = {o 1 , . . ., o m }, is defined as follows:

, m}}
Notice that we duplicate the set of nodes labeled with tiles since we cannot have pairs of nodes in M labeled with more than one atomic program (in our case, with both v and l − ).Moreover the choice of labeling nodes x i with nominals is arbitrary.Finally, from the fact that the module contains only environment nodes, it immediately follows that, for each i, the grid model corresponding to the infinite tiled grid G i is contained in graphs(M ).In this section, for the sake of completeness, we investigate the model checking problems for Fully enriched µ-calculus and its fragments, for both pushdown and finite-states systems.
In particular, we first consider the model checking problem for formulas of the µcalculus enriched with nominal (hybrid µ-calculus) or graded modalities (graded µ-calculus) or both, for pushdown systems (PDMC, for short) and finite states systems (FSMC, for short), i.e.Kripke structures.In particular, we show that for graded µ-calculus, PDMC is solvable in 2Exptime and FSMC is solvable in Exptime.Moreover we show that for hybrid µ-calculus PDMC is Exptime-complete and FSMC is in UP ∩ co-UP, thus matching the known results for (propositional) µ-calculus model checking (see [Wal96] for PDMC and [Wil01] for FSMC), and that, for hybrid graded µ-calculus, PDMC is solvable in 2Exptime and FSMC is solvable in Exptime.
By considering also µ-calculus enriched (among the others) with inverse programs, we also consider PDMC w.r.t. a reduced pushdown system that, in each transition, can increase the size of the stack by at most one (single-push system).To this aim, we define a single-push system with three stack operations: for A ∈ Γ, sub(A) changes the top of the stack into A, push(A) pushes the symbol A on the top of the stack, and pop() pops the top symbol of the stack.Formally, a single-push system S is a pushdown system in which the transition function is ∆ : P rog → 2 (Q×Γ ♭ )×(Q×{sub,push,pop}×Γ) .For consistency reasons, we assume that if the top of the stack is ♭ then sub(A) = push(A) and pop() has no effect.
We call the model checking problem for single-push systems single-push model checking (SPMC, for short).In this case, we show that for full hybrid µ-calculus (µ-calculus enriched with inverse programs and nominals), SPMC is Exptime-complete and FSMC is in UP ∩ co-UP, and that for Fully enriched and full graded µ-calculus (µ-calculus enriched with inverse programs and graded modalities), SPMC is in 2Exptime and FSMC is in Exptime.In Figure 8 we report known and new results on model checking problems for the Fully enriched µ-calculus and its fragments.
To prove our results, we simply rule out inverse programs and nominals from the input formula.In particular, we first observe that, from a model checking point of view, checking a formula with inverse programs on a graph (finite or infinite) is equivalent to check the formula in "forward" on the graph enriched with opposite edges.That is, we consider inverse programs in the formula as special atomic programs to be checked on the opposite edges we have added in the graph.Note that this observation does not apply to PDMC.Indeed, to transform previous configurations to inverse next configurations, we need to limit the power of a PDMC to be single push.Thus, we obtain the following result.Lemma 6.Let X µ be an enrichment of the µ-calculus with inverse programs.Then a SPMC (resp., FSMC) w.r.t.X µ can be reduced in linear time to SPMC (resp., FSMC) w.r.t.X µ without inverse programs.
Proof.Here we only show the proof for FSMC since the one for SPMC is similar.Let K = W, W 0 , R, L be a model that uses atomic programs from P rog, and let ϕ be a formula of X µ .Then, we define a new model K ′ and a new formula ϕ ′ as follows: K ′ = W, W 0 , R ′ , L uses atomic programs from the set P rog ′ = P rog ∪ {â s.t. a ∈ P rog} (it doesn't use inverse programs) and has the transition relation defined as R ′ (a) = R(a) and R ′ (â) = R(a − ) for all a ∈ P rog.On the other side, ϕ ′ is a formula of X µ without inverse programs equal to ϕ except for the fact that a − is changed into â for all a ∈ P rog.Thus it can be easily seen that K |= ϕ iff K ′ |= ϕ ′ and this completes the proof of this lemma.
Furthermore, from the model checking point of view, one can consider each nominal in the input formula as a particular atomic proposition.Thus we obtain the following result.
Lemma 7. Let X µ be the µ-calculus enriched with nominals and possibly with graded modalities.Then PDMC, SPMC and FSMC w.r.t.X µ can be respectively reduced in linear time to PDMC, SPMC and FSMC w.r.t.X µ without nominals.
Proof.In this case too, we show the proof only for FSMC.Let K = W, W 0 , R, L be a model that uses atomic propositions from AP and nominals from N om, and let ϕ be a formula of X µ .Then, we consider the new model K ′ = W, W 0 , R, L that uses atomic propositions from the set AP ′ = AP ∪ N om (K ′ does not use nominals); moreover, let ϕ ′ be the formula ϕ interpreted as a formula of X µ without nominals on the set of atomic propositions AP ′ .Then, it is easy to see that K |= ϕ iff K ′ |= ϕ ′ .
From Lemmas 6 and 7 and the fact that for propositional µ-calculus PDMC is Exptime-Complete [Wal96] and FSMC is in UP ∩ co-UP [Wil01], we directly have that hybrid µ-calculus PDMC is Exptime-Complete, (full) hybrid µ-calculus SPMC is solvable in Exptime and (full) hybrid µ-calculus FSMC is in UP ∩ co-UP.Now, in [Wal96] it has been showed that µ-calculus PDMC is Exptime-hard.The proof used there can be easily adapted to handle single-push systems without incurring in any complexity blowup.Thus, we obtain the following result.
Finally, from Lemmas 6 and 7 we have that hybrid graded µ-calculus PDMC can be reduced in linear time to graded µ-calculus PDMC, Fully enriched µ-calculus SPMC can be reduced in linear time to graded µ-calculus SPMC (note that SPMC is a special case of PDMC) and Fully enriched µ-calculus FSMC can be reduced in linear time to graded µcalculus FSMC.Since model checking is a special case of module checking, from Theorems 2 and 3 we have the following result.Theorem 6. PDMC is solvable in 2Exptime for (hybrid) graded µ-calculus, SPMC is solvable in 2Exptime for Fully enriched µ-calculus and FSMC is solvable in Exptime for Fully enriched µ-calculus.