A Probabilistic Higher-order Fixpoint Logic

We introduce PHFL, a probabilistic extension of higher-order fixpoint logic, which can also be regarded as a higher-order extension of probabilistic temporal logics such as PCTL and the $\mu^p$-calculus. We show that PHFL is strictly more expressive than the $\mu^p$-calculus, and that the PHFL model-checking problem for finite Markov chains is undecidable even for the $\mu$-only, order-1 fragment of PHFL. Furthermore the full PHFL is far more expressive: we give a translation from Lubarsky's $\mu$-arithmetic to PHFL, which implies that PHFL model checking is $\Pi^1_1$-hard and $\Sigma^1_1$-hard. As a positive result, we characterize a decidable fragment of the PHFL model-checking problems using a novel type system.


Introduction
Temporal logics such as CTL and CTL* have been playing important roles in system verification. Among the most expressive temporal logics is the higher-order fixpoint logic (HFL for short) proposed by Viswanathan and Viswanathan [VV04], which is a higher-order extension of the modal µ-calculus [Koz83]. HFL is known to be strictly more expressive than the modal µ-calculus but the model-checking problem against finite models is still decidable.
In view of the increasing importance of probabilistic systems, temporal logics for probabilistic systems (such as PCTL [HJ94]) and their model-checking problems have been studied and applied to verification and analysis of probabilistic systems and randomized distributed algorithms [KNP11]. Recently Castro et al. [CKP15] have proposed a probabilistic extension of the modal µ-calculus, called the $\mu^p$-calculus. They showed that the $\mu^p$-calculus is strictly more expressive than PCTL and that the model-checking problem for the $\mu^p$-calculus belongs to NP ∩ co-NP.
In the present paper, we introduce PHFL, a probabilistic higher-order fixpoint logic, and study its model-checking problem. PHFL can be regarded as a probabilistic extension of HFL and as a higher-order extension of the $\mu^p$-calculus. PHFL strictly subsumes the $\mu^p$-calculus [CKP15], which coincides with order-0 PHFL.
We prove that PHFL model checking for finite Markov chains is undecidable even for the order-1 fragment of PHFL without fixpoint alternations, by giving a reduction from the value problem of probabilistic automata [Rab63, Paz71]. In the presence of fixpoint alternations (i.e., with both least and greatest fixpoint operators), PHFL model checking
Definition 2.1. Let AP be a set of atomic propositions. A Markov chain over AP is a tuple $(S, P, \rho_{AP}, s_{in})$, where:
• $S$ is a finite set of states,
• $P : S \times S \to [0, 1]$, satisfying $\sum_{s' \in S} P(s, s') = 1$ for every $s \in S$, describes transition probabilities,
• $\rho_{AP} : AP \to 2^S$ is a labeling function, and
• $s_{in} \in S$ is an initial state.
For a Markov chain $M = (S, P, \rho_{AP}, s_{in})$, its embedded Kripke structure is $K = (S, R, \rho_{AP}, s_{in})$ where $R \subseteq S \times S$ is a relation such that $R = \{(s, s') \mid P(s, s') > 0\}$.
Intuitively, $P(s, s')$ denotes the probability that the state $s$ transits to the state $s'$, and $\rho_{AP}(p)$ gives the set of states where $p$ is true. Throughout the paper, we assume that the set AP of atomic propositions is closed under negations, in the sense that for any $p \in AP$, there exists $\overline{p} \in AP$ such that $\rho_{AP}(\overline{p}) = S \setminus \rho_{AP}(p)$.
Given a Markov chain $M$, we often write $S_M, P_M, \rho_{AP,M}, s_{in,M}$ for its components; we omit the subscript $M$ when it is clear from the context.
$\Gamma \vdash p : \mathsf{Prop}$, $\Gamma, X : \tau \vdash X : \tau$
Thus, intuitively, the formula represents the function that maps the current state $s$ to the value $\sup_{k \ge 0} q_k$ where $q_k$ is the probability that a $k$-step transition sequence starting from the state $s$ ends in a state satisfying $p$.
Remark 2.4. Following the definition of HFL by Kobayashi et al. [KLB17], we have excluded negations. By a transformation similar to that in [Loz15] and our assumption that the set of atomic propositions is closed under negations, any closed ground-type formula of PHFL extended with negations can be transformed to an equivalent negation-free formula (as long as the occurrences of negations are restricted as in the original HFL [VV04] so that fixpoint operators are applied to only monotonic functions).
We define the order of a type τ by:
The order of a formula φ such that $\Gamma \vdash \varphi : \tau$ is the largest order of types used in the derivation of $\Gamma \vdash \varphi : \tau$. The order-k PHFL is the fragment of PHFL consisting of formulas of order up to k. Order-0 PHFL coincides with the $\mu^p$-calculus [CKP15].
2.3. Semantics. We first give the semantics of types. We write $\le_{\mathbb{R}}$ for the natural order over the set $\mathbb{R}$ of real numbers, and often omit the subscript when there is no danger of confusion. For a map $f$, we write dom($f$) for the domain of $f$.
Definition 2.5 (Semantics of Types). Let $M$ be a Markov chain. For each τ, we define a partially ordered set $[\![\tau]\!]_M = (D_\tau, \sqsubseteq_\tau)$ inductively by:
For a type environment Γ, we write $[\![\Gamma]\!]_M$ for the set of maps $f$ such that dom($f$) = dom(Γ) and $f(x) \in D_{\Gamma(x)}$ for every $x \in$ dom(Γ).
We omit the subscript $M$ below. Note that $[\![\tau]\!]$ forms a complete lattice for each τ. We write $\bot_\tau$ for the least element of $[\![\tau]\!]$, and for a set $V \subseteq D_\tau$, we write $\bigsqcup_\tau V$ ($\bigsqcap_\tau V$, resp.) for the least upper bound (greatest lower bound, resp.) of $V$ with respect to $\sqsubseteq_\tau$; we often omit the subscript τ if it is clear from the context. Note also that for every functional type $\tau_1 \to \tau_2$, every element of $D_{\tau_1 \to \tau_2}$ is monotonic. Thus, for every type τ and every function $f \in D_{\tau \to \tau}$, there exist the least and greatest fixed points of $f$, which we write LFP($f$) and GFP($f$) respectively. They are given by:
We now define the semantics of formulas. Since the meaning of a formula depends on its type environment, we actually define the semantics $[\![\Gamma \vdash \varphi : \tau]\!]_M$ for each type judgment $\Gamma \vdash \varphi : \tau$. Here, the subscript $M$ denotes the underlying Markov chain, which is often omitted.
Definition 2.6 (Semantics of Type Judgement). Let $M$ be a Markov chain and assume that $\Gamma \vdash \varphi : \tau$ is derivable. Then its semantics $[\![\Gamma \vdash \varphi : \tau]\!]_M \in [\![\Gamma]\!] \to [\![\tau]\!]$ is defined by induction on the (unique) derivation of $\Gamma \vdash \varphi : \tau$ by:
In the last equality, $\tau_2$ is uniquely determined from Γ and $\varphi_2$. In the definitions of the semantics of □φ and ♦φ, the set $\{s' \in S_M \mid P(s, s') > 0\}$ is non-empty and finite, because
We often omit $M$, the type of the formula, and the type environment, and just write $[\![\varphi]\!]$ or $[\![\Gamma \vdash \varphi]\!]$ for $[\![\Gamma \vdash \varphi : \tau]\!]_M$ when there is no danger of confusion. For a Markov chain $M = (S, P, \rho_{AP}, s_{in})$ and a closed PHFL formula φ of type Prop, we write
Example 2.8. Recall the PHFL formula $\varphi = \psi\, p$ where $\psi = \mu F.\lambda X.\, X \lor F(\bigcirc X)$ in Example 2.3. We have:
for every $n \ge 0$. Thus, we have:
Actually, the equality holds, because the righthand side is a fixpoint of $\lambda v \in D_{\mathsf{Prop} \to \mathsf{Prop}}.\lambda x \in D_{\mathsf{Prop}}.\lambda s \in S.\ \max(x\, s, v(\lambda s \in S.$
The semantics of φ is, therefore, given by $[\![\varphi]\!] = \lambda s \in S.\ \sup_{k \ge 0} \sum_{s_0 s_1 \cdots s_k \in S^{k+1},\ s_0 = s,\ s_k \in \rho_{AP}(p)}\ \prod_{0 \le j \le k-1} P(s_j, s_{j+1})$.
Theorem 2.9. Order-1 PHFL is strictly more expressive than the $\mu^p$-calculus, i.e., there exists an order-1 PHFL proposition φ such that φ is not equivalent to any $\mu^p$-formula.
Proof. Let $\mathcal{M}$ be the set of Markov chains $M = (S, P, \rho_{AP}, s_{in})$ that satisfy the following conditions.
• There are three atomic propositions a, b, c with $\rho_{AP}$(a
Let φ be the order-1 PHFL formula of type Prop:
Note that, for $M \in \mathcal{M}$, $M \models \varphi$ holds just if $n$ is even, $\rho_{AP}(a) = \{s_0, s_1, \ldots, s_{\frac{n}{2}-1}\}$ and $\rho_{AP}(b) = \{s_{\frac{n}{2}}, s_{\frac{n}{2}+1}, \ldots, s_{n-1}\}$. We show that there is no $\mu^p$-formula equivalent to φ. Suppose that a $\mu^p$-formula $\varphi'$ were equivalent to φ, which would imply that $M \models \varphi$ if and only if $M \models \varphi'$ for any $M \in \mathcal{M}$. For $M \in \mathcal{M}$, let us write $K_M$ for the embedded Kripke structure of $M$. Since all the transitions in $M$ are deterministic, there exists a modal µ-calculus formula $\varphi''$ such that $M \models \varphi'$ if and only if $K_M \models \varphi''$ (note that $\varphi''$ is obtained by replacing ○ with ♦, and replacing $[\varphi_1]_J$ with true if $J$ is "≥ 0" and with $\varphi_1$ otherwise). That would imply that $K_M \models \varphi''$ for $M \in \mathcal{M}$, just if $n$ is even and $\rho_{AP}$ satisfies $\rho_{AP}(a) = \{s_0, s_1, \ldots, s_{\frac{n}{2}-1}\}$ and $\rho_{AP}(b) = \{s_{\frac{n}{2}}, s_{\frac{n}{2}+1}, \ldots, s_{n-1}\}$. But then $\varphi''$ would describe the non-regular language $\{a^m b^m \mid m \ge 1\}$, which contradicts the fact that the modal µ-calculus can express only regular properties.
Remark 2.10. For non-probabilistic logics, HFL was known to be strictly more expressive than the modal µ-calculus [VV04]. The above proof can be easily adapted to show that fact.

Undecidability of PHFL Model Checking
In this section we prove the undecidability of the following problem. We prove that the problem is undecidable even for the order-1 fragment of PHFL without fixpoint alternations, by a reduction from the undecidability of the value-1 problem [GO10] for probabilistic automata [Rab63]. In contrast to the undecidability of PHFL model checking, the corresponding model-checking problems are decidable for the full fragments of the $\mu^p$-calculus [CKP15] and (non-probabilistic) HFL [VV04], with fixpoint alternations. Thus, the combination of probabilities and higher-order predicates introduces a new difficulty.
In Section 3.1, we review the definition of probabilistic automata and the value-1 problem. Section 3.2 shows the reduction from the value-1 problem to the PHFL model-checking problem.
1 } is the set of probabilistic distributions over the set $Q$, represents transition probabilities, and
For a word $w = w_1 \cdots w_n \in \Sigma^n$, the probability that $w$ is accepted by $A = (Q, \Sigma, q_I, \Delta, F)$, written $A(w)$, is defined by:
The value of a probabilistic automaton $A$, denoted by val($A$), is defined by
The problem of deciding whether val($A$) = 1, called the value-1 problem, is known to be undecidable.

The Undecidability Result.
Let $A = (Q, \Sigma, q_I, \Delta, F)$ be a probabilistic automaton, where $\Sigma = \{c_1, \ldots, c_{|\Sigma|}\}$ with $|\Sigma| > 0$. We shall construct a Markov chain $M_A$ and a PHFL formula $\varphi_A$, so that val($A$) = 1 if and only if $M_A \models \varphi_A$. The undecidability of PHFL model checking then follows immediately from Theorem 3.3.
We first construct the Markov chain
• The transition probability $P$ is given by: $P((q, c), q') = \Delta(q, c)(q')$ ($c \in \Sigma$ and $q, q' \in Q$). The first transition (from $(q, c)$ to $q'$) is used to simulate the transition of $A$ from $q$ to $q'$ for the input symbol $c$. The second transition (from $q$ to $(q, c)$) is used to choose the next input symbol to be supplied to the automaton; the probability is not important, and replacing $1/|\Sigma|$ with any non-zero probability does not affect the arguments below.
• $\rho_{AP}$ is defined by:
• The initial state is $s_{in} = q_I$.
Intuitively, the Markov chain $M_A$ simulates the behavior of $A$. The atomic proposition $p_c$ means that $A$ is currently reading the symbol $c$, and $p_F$ means that $A$ is in a final state.
Based on this intuition, we now construct the PHFL formula $\varphi_A$. For each $c \in \Sigma$, we define a formula $f_c$ of type Prop → Prop by:
Intuitively $f_c(\varphi)$ denotes the probability that the automaton transits to a state satisfying φ given $c$ as the next input. Given a word $w = w_1 w_2 \ldots w_n \in \Sigma^*$, we define the formula $g_w$ by

. )).
We write $A_q$ for the automaton obtained from $A$ by replacing the initial state with $q$.
The following lemma states that $g_w$ represents the probability that $w$ is accepted by the automaton from the current state $q$.
Lemma 3.4. $A_q(w) = [\![g_w]\!]_{M_A}(q)$ for every $q \in Q$.
Proof. Let $A = (Q, \Sigma, q_I, \Delta, F)$. The proof proceeds by induction on the length $|w|$ of $w$.
We have the required result, as $g_\varepsilon = p_F$.
• Case where $|w| > 0$: Let $w = w_1 \cdots w_n = w_1 w'$. We have:
we have:
By the induction hypothesis, we have $A_{q'}(w') = [\![g_{w'}]\!](q')$, which implies the required result.
Using Lemma 3.4, we obtain $\mathrm{val}(A) = \sup_{n \in \omega} [\![\bigvee_{w \in \Sigma^{\le n}} g_w]\!]_{M_A}(q_I)$, where $\Sigma^{\le n}$ is the set of words of length up to $n$. This can be expressed by using the least fixpoint operator.
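The construction of $M_A$ and the statement of Lemma 3.4 can be checked numerically. The following Python program is an added example, not code from the paper: the automaton is constructed, and because the defining equations for $\rho_{AP}$, $f_c$ and $g_w$ are not reproduced above, it assumes the labelling $p_c \mapsto Q \times \{c\}$, $p_F \mapsto F$, the formula $f_c(X) = ♦(p_c \land \bigcirc X)$ and the nesting $g_w = f_{w_1}(\cdots f_{w_n}(p_F))$, which match the stated intuition (∧ is min, ♦ is max over successors, ○ is the expected value).

```python
"""Numerical check of the reduction from a probabilistic automaton A to the
Markov chain M_A (Lemma 3.4). All concrete data below are constructed."""
from fractions import Fraction
from itertools import product

ZERO, HALF, ONE = Fraction(0), Fraction(1, 2), Fraction(1)

# Constructed automaton A = (Q, SIGMA, Q_I, DELTA, FINAL).
Q = ["q0", "q1", "q2"]
SIGMA = ["a", "b"]
Q_I = "q0"
FINAL = {"q2"}
DELTA = {  # DELTA[(q, c)] is a probability distribution over Q
    ("q0", "a"): {"q0": HALF, "q1": HALF},
    ("q0", "b"): {"q0": ONE},
    ("q1", "a"): {"q1": ONE},
    ("q1", "b"): {"q2": ONE},
    ("q2", "a"): {"q2": ONE},
    ("q2", "b"): {"q2": ONE},
}

def accept_prob(q, word):
    """A_q(word): probability that A, started in q, ends in a final state."""
    dist = {q: ONE}
    for c in word:
        nxt = {}
        for s, pr in dist.items():
            for t, d in DELTA[(s, c)].items():
                nxt[t] = nxt.get(t, ZERO) + pr * d
        dist = nxt
    return sum((pr for s, pr in dist.items() if s in FINAL), ZERO)

def build_markov_chain():
    """M_A: states are Q plus Q x SIGMA; q -> (q, c) picks the next symbol,
    (q, c) -> q' simulates A reading c."""
    states = list(Q) + [(q, c) for q in Q for c in SIGMA]
    P = {}
    for q in Q:
        P[q] = {(q, c): Fraction(1, len(SIGMA)) for c in SIGMA}
        for c in SIGMA:
            P[(q, c)] = dict(DELTA[(q, c)])
    # Assumed labelling: p_c holds on Q x {c}, p_F holds on final states.
    labels = {"p_F": set(FINAL)}
    for c in SIGMA:
        labels["p_" + c] = {(q, c) for q in Q}
    return states, P, labels

STATES, P, LABELS = build_markov_chain()

# Quantitative semantics: a proposition is a map from states to [0, 1].
def atom(p):
    return {s: ONE if s in LABELS[p] else ZERO for s in STATES}

def conj(x, y):   # conjunction is pointwise min
    return {s: min(x[s], y[s]) for s in STATES}

def avg(x):       # expected value of x after one step
    return {s: sum((pr * x[t] for t, pr in P[s].items()), ZERO)
            for s in STATES}

def diamond(x):   # max of x over successors reached with positive probability
    return {s: max(x[t] for t, pr in P[s].items() if pr > 0) for s in STATES}

def f(c, x):
    """Assumed form of f_c applied to x: diamond(p_c AND avg(x))."""
    return diamond(conj(atom("p_" + c), avg(x)))

def g(word):
    """Assumed nesting g_w = f_{w1}(f_{w2}(... f_{wn}(p_F))), inside-out."""
    val = atom("p_F")
    for c in reversed(word):
        val = f(c, val)
    return val

def words_up_to(n):
    for k in range(n + 1):
        yield from ("".join(w) for w in product(SIGMA, repeat=k))

def lemma_3_4_holds(n):
    """Check A_q(w) == [[g_w]](q) for every q in Q and every |w| <= n."""
    return all(g(w)[q] == accept_prob(q, w)
               for w in words_up_to(n) for q in Q)

def value_approximant(n):
    """Max over |w| <= n of [[g_w]](q_I): the n-th lower bound on val(A)."""
    return max(g(w)[Q_I] for w in words_up_to(n))

if __name__ == "__main__":
    print("Lemma 3.4 holds up to length 5:", lemma_3_4_holds(5))
    for n in range(1, 8):
        print(n, value_approximant(n))
```

For this automaton the approximants are $1 - 1/2^{n-1}$: they approach val($A$) = 1 although no single word is accepted with probability 1, which is why the value is a supremum over all word lengths.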
Theorem 3.5. Let $\theta_A$ be the formula of type Prop → Prop defined by:
Then, we have
| n ∈ ω} where ⊥ := λZ.µU.U is the formula of type Prop → Prop, and $\xi^n(x)$ denotes the $n$-fold application of ξ to $x$. In fact, $\bigsqcup_{\mathsf{Prop} \to \mathsf{Prop}} \{\xi^n(\bot) \mid n \in \omega\}$ is a fixpoint of ξ, because:
Since ξ is monotonic and ⊥ is the least element, we also have:
for any $n \in \omega$ hence also
Thus, we have the equality.
By a straightforward induction on $n$, we also have: $[\![\xi^{n+1}(\bot)\, p_F]\!]_M = [\![\bigvee_{w \in \Sigma^{\le n}} g_w]\!]_M$. Therefore, by using also Lemma 3.4, we obtain:
which implies the required result.
The following is an immediate corollary of Theorems 3.3 and 3.5.

Corollary 3.6 (Undecidability of PHFL Model-Checking Problem).
There is no algorithm that, given a Markov chain M and a closed order-1 formula φ of type Prop, decides whether M |= φ.
We close this section with some remarks.
Remark 3.7. Note that the value val($A$) of a probabilistic automaton cannot even be approximately computed [Fij17]: there is no algorithm that outputs "Yes" if val($A$) = 1 and "No" if val($A$) ≤ $\frac{1}{2}$. Thus, the proof of Theorem 3.5 (in particular, the result $\mathrm{val}(A) = [\![\theta_A\, p_F]\!]_{M_A}(q_I)$) also implies that for a qualitative formula of PHFL ψ, $[\![\psi]\!]$ is not approximately computable in general.
Remark 3.8. It would be interesting to study a converse encoding, i.e., to find an encoding of some fragment of the PHFL model checking problem into the value-1 problem. Such an encoding may help us find a decidable class of the PHFL model checking problem, based on decidable subclasses for the value-1 problem, such as the one studied in [FGKO15].

Hardness of the PHFL Model-Checking Problem
In the previous section, we have seen that PHFL model checking is undecidable even for the fragment of PHFL without fixpoint alternations. In this section, we give a lower bound of the hardness of the PHFL model-checking problem in the presence of fixpoint alternations. The following theorem states the main result of this section.
Note that $\Pi^1_1$ and $\Sigma^1_1$, defined in terms of the second-order arithmetic, contain very hard problems. For example, those classes contain the problem of deciding whether a given first-order Peano arithmetic formula is true.
We prove this theorem by reducing the validity checking problem of the µ-arithmetic [Lub89] to the PHFL model-checking problem. Even the validity checking problem of a higher-order extension of the µ-arithmetic can be reduced to the PHFL model-checking problem. The key in the proof is a representation of natural numbers as quantitative propositions such that all the operations on natural numbers in the µ-arithmetic are expressible in PHFL.
This section is structured as follows. Section 4.1 reviews the basic notions of the µ-arithmetic. Section 4.2 describes the reduction and proves the theorem above.
As in PHFL, we first define the types of µ-arithmetic formulas. The set of types, ranged over by $A$, is given by:
The type $N$ is for natural numbers, Ω for (qualitative) propositions, and $A \to T$ for functions. We do not allow functions to return values of type $N$. We define the order of types of the µ-arithmetic similarly to the PHFL types, by: order($N$) = order(Ω) = 0 and order($A \to T$) = max(order($A$) + 1, order($T$)). Assume a countably infinite set Var of variables ranged over by $X$. The set of formulas, ranged over by ϕ, is given by the following grammar.
Here, Z and S respectively denote the constant 0 and the successor function on natural numbers.
The typing rules are shown in Fig. 2; they are just standard typing rules for the simply-typed λ-calculus, with several constructors such as $Z : N$, $S : N \to N$, and ∧ : Ω → Ω. We shall consider only well-typed formulas. We define the order of a formula as the largest order of the types of its subformulas.
Definition 4.2 (Semantics of Types). The semantics of a type $A$ is a partially ordered set $[\![A]\!]_\mu = (D_A, \sqsubseteq_A)$ defined inductively on the structure of $A$ as follows.
(1) The semantics of $N$ and Ω:
(2) The semantics of $A \to T$:
The semantics $[\![T]\!]_\mu$ of a type $T$ forms a complete lattice (while $[\![N]\!]_\mu$ is not); we write $\bigsqcup_T$ (resp. $\bigsqcap_T$) for the least upper bound (resp. greatest lower bound) operation, and $\bot_T$ for the least element.
The interpretation $[\![\Gamma]\!]_\mu$ of a type environment Γ is the set of functions θ such that dom(θ) = dom(Γ) and that $\theta(X) \in [\![\Gamma(X)]\!]_\mu$ for every $X \in$ dom(Γ). It is ordered by the point-wise ordering.
Definition 4.3 (Semantics of Formulas). The semantics of a formula ϕ with judgment $\Gamma \vdash_\mu \phi : A$ is a monotone map from $[\![\Gamma]\!]_\mu$ to $[\![A]\!]_\mu$, defined as follows.
The validity checking problem of the higher-order fixpoint arithmetic is the problem of, given a closed formula ϕ of type Ω, deciding whether $[\![\phi]\!]_\mu = 1$. The following result is probably folklore, which follows from the well-known fact that the fair termination problem for programs is $\Pi^1_1$-complete (see, e.g., Harel [Har86]), and the fact that the fair termination of a program can be reduced to the validity of a first-order fixpoint arithmetic formula (see, e.g., [KTW18] for the reduction).
Theorem 4.5. The validity checking problem of the first-order fixpoint arithmetic is $\Pi^1_1$-hard and $\Sigma^1_1$-hard.
Remark 4.6. As for an upper bound, Lubarsky [Lub89] has shown that predicates on natural numbers definable by µ-arithmetic formulas belong to $\Delta^1_2$. One can prove that the validity problem for the µ-arithmetic is $\Delta^1_2$ as well.
4.2. Hardness of PHFL Model Checking. We give a reduction from the validity checking problem of the higher-order fixpoint arithmetic to the PHFL model-checking problem. The main theorem of this section (Theorem 4.1) is an immediate consequence of this reduction and Theorem 4.5. Given a formula ϕ of the higher-order fixpoint arithmetic, we need to effectively construct a pair (φ, $M$) of a formula of PHFL and a Markov chain such that ϕ is true if and only if $M \models \varphi$. The Markov chain $M$ is independent of the formula ϕ. We first define the Markov chain and then explain the intuition of the translation of formulas.
As mentioned at the beginning of this section, the key of the reduction is the representation of natural numbers, as well as operations on natural numbers. We encode a propositional formula ϕ into a quantitative propositional formula φ such that $[\![\varphi]\!]_M = ([\![\phi]\!]_\mu, \_, \_, \_)$, and encode a natural number $n$ into a quantitative propositional formula ψ such that
Here, $\_$ denotes a "don't care" value. We implement primitives on natural numbers $Z$, $S$ and ≤, as follows.
Assuming that φ represents $n$ (i.e. $[\![\varphi]\!]_M = (1/2^n, 1 - (1/2^n), \_, \_)$), the successor $n + 1$ can be represented by
Indeed, we have:
It remains to encode ≤. We use the fact that, for any natural numbers $n$ and $m$,
The $s_0$-component of the representation of a natural number plays an important role below. Assume that φ and χ represent $n$ and $m$ respectively. Then we have ). Thus, $n \le m$ if and only if the $s_0$-component of the above formula is ≥ $\frac{1}{2}$. In other words, ).
Let us formalize the above argument. We first give the translation of types:
The translation can be naturally extended to type environments. Following the above discussion, the translation of formulas of type $N$ is given by
The comparison operator can be translated as follows:
The translation of other connectives is straightforward:
The following lemma states that the translation preserves types.
Proof. This follows by straightforward induction on the derivation of $\Gamma \vdash_\mu \phi : A$.
We prove the correctness of the translation. For each type $A$ of the higher-order fixpoint arithmetic, we define a relation $(\sim_A) \subseteq [\![A]\!]_\mu \times [\![\mathrm{tr}(A)]\!]_M$ by induction on $A$ as follows:
This relation can be naturally extended to the interpretations of type environments: given a type environment Γ of the µ-arithmetic, the relation
The following theorem states the correspondence between the source and the target of the translation. A proof is provided in Appendix A.
Theorem 4.8. Let $\Gamma \vdash_\mu \phi : A$ be a formula of the higher-order fixpoint arithmetic. Assume
Corollary 4.9. The validity problem of the order-k fixpoint arithmetic is reducible to the order-k PHFL model-checking problem.

Decidable Subclass of Order-1 PHFL Model Checking
As we have seen in Section 3, PHFL model checking is undecidable, even for order 1. In this section, we identify a decidable subclass of the order-1 PHFL model-checking problems (i.e., a set of pairs (φ, $M$) such that whether $M \models \varphi$ is decidable). We identify the subclass by using a type system: we define a type system $\mathcal{T}_M$ for PHFL formulas, parameterized by $M$, so that if φ is a proposition well-typed in $\mathcal{T}_M$, then $M \models \varphi$ is decidable.
This section is structured as follows. In Section 5.1, we introduce the type system $\mathcal{T}_M$, and prove that the semantics of any order-1 well-typed formula is an affine function. Section 5.2 introduces a matrix representation of affine functions and shows the decidability of $M \models \varphi$ by appealing to the decidability of the first-order theory of reals [Tar51]. Section 5.3 shows that the restricted fragment is reasonably expressive, by giving an encoding of the termination problem for recursive Markov chains into the restricted fragment of PHFL model checking.
5.1. Type-based Restriction of Order-1 PHFL. We first explain the idea of the restriction imposed by our type system. By definition, the semantics of a (closed) order-1 PHFL formula φ of type Prop → Prop with respect to the Markov chain $M$ is a map $f_\varphi$ from the set of functions $S \to [0, 1]$ to the same set, where $S$ is the set of states of $M$. Thus, if $S = \{s_1, s_2, \ldots, s_n\}$ is fixed, $f_\varphi$ can be regarded as a function from $[0, 1]^n$ to $[0, 1]^n$. Now, if the function $f_\varphi$ were affine, i.e., if there are functions $f_1, f_2, \ldots, f_n$ such that $f_\varphi(r_1, r_2, \ldots, r_n) = (f_1(r_1, r_2, \ldots, r_n), \ldots, f_n(r_1, r_2, \ldots, r_n))$, where $r_n$ for some real numbers $c_{i,j}$, then the function $f_\varphi$ would be representable by a finite number of reals $c_{i,j}$. The semantics of a fixpoint formula would then be given as a solution of a fixpoint equation on the coefficients, which is solvable by appealing to the decidability of first-order theories of reals [Tar51].
Based on the observation above, we introduce a type system to restrict the formulas so that the semantics of every well-typed order-1 formula is affine. The conjunction $\varphi_1 \land \varphi_2$ is one of the problematic logical connectives that may make the semantics of an order-1 formula non-affine: recall that the min operator was used to define the semantics of conjunction. We require that for every subformula of the form $\varphi_1 \land \varphi_2$ and for each state $s \in S$, one of the values $[\![\varphi_1]\!](s)$ and $[\![\varphi_2]\!](s)$ is the constant 0 or 1. We can then remove the min operator, since we have min(0, x) = 0 and min(1, x) = x for every $x \in [0, 1]$.
We parameterize the type system by the Markov chain $M$, since it often depends on $M$ whether the semantics of an order-1 formula is affine. For example, the semantics of $(p \land \varphi_1) \lor (q \land \varphi_2)$ is affine if the semantics of $\varphi_1$ and $\varphi_2$ are affine and if $p$ and $q$ cannot be simultaneously true (i.e., if $\rho_{AP,M}(p) \cap \rho_{AP,M}(q) = \emptyset$). Without the parameterization, the resulting type system would be too conservative.
The discussion above motivates us to refine the type Prop of propositions to $\mathsf{Prop}_{T,U}$ where $T, U \subseteq S$ and $T \cap U = \emptyset$. Intuitively, the type $\mathsf{Prop}_{T,U}$ describes propositions $[\![\varphi]\!] \in [\![\mathsf{Prop}]\!]$ such that $[\![\varphi]\!](s) = 0$ for all $s \in T$ and $[\![\varphi]\!](s) = 1$ for all $s \in U$; there is no guarantee on the value of $[\![\varphi]\!](s)$ for $s \in S \setminus (T \cup U)$. The syntax of refined types is given by:
where $T$ and $U$ range over the set of subsets of $S$ satisfying $T \cap U = \emptyset$. Note that each type κ can be expressed as
where $k \ge 0$.
We define the translation from the set of refined types to the set of types in PHFL by
$\mathrm{tr}(\mathsf{Prop}_{T,U}) = \mathsf{Prop}$
$\mathrm{tr}(\kappa_1 \to \kappa_2) = \mathrm{tr}(\kappa_1) \to \mathrm{tr}(\kappa_2)$
and the translation of type environment $K$ by $(\mathrm{tr}(K))(x) = \mathrm{tr}(K(x))$. The semantics of refined types is defined as follows. As explained above, the values of function types are restricted to affine functions.
Remark 5.2. Note that $[\![\kappa]\!]$ is not closed under various operations. For example, the greatest lower bound of affine functions λ(x, y).x and λ(x, y).y ∈ $[0, 1]^2 \to [0, 1]$ is λ(x, y).min(x, y), which is not affine. This means that the conjunction does not preserve affinity, as mentioned above. A similar observation applies to fixpoints: for a monotone function $h$ on $[\![\mathrm{tr}(\kappa)]\!]$, even if $h\,x \in [\![\kappa]\!]$ for every $x \in [\![\kappa]\!]$, it is not necessarily the case that $\mathrm{LFP}(h) \in [\![\kappa]\!]$. For example, let $S = \{s\}$, $\kappa = \mathsf{Prop}_{\emptyset,\emptyset} \to \mathsf{Prop}_{\emptyset,\{s\}}$, and $h(f) = \lambda v.\lambda s.\max(f(v)(s), v(s)^2)$. For any $f \in [\![\kappa]\!]$ and $v \in [\![\mathsf{Prop}_{\emptyset,\emptyset}]\!]$, h(f
We restrict PHFL formulas by a type system parameterized by a Markov chain $M$. We consider a type judgment of the form: $K; \Delta \vdash_M \varphi : \kappa$. Here, $K$ is a type environment of the form $X_1 : \kappa_1, \ldots, X_k : \kappa_k$; it is for fixpoint variables, i.e., those bound by µ or ν. The other type environment ∆ is of the form $Y_1 : \mathsf{Prop}_{T_1,U_1}, \ldots, Y_m : \mathsf{Prop}_{T,U}$; it is for variables bound by λ. We require that the domains of $K$ and ∆ are disjoint. The intended meaning of the judgment $K; \Delta \vdash_M \varphi : \kappa$, where $\Delta = Y_1 : \mathsf{Prop}_{T_1,U_1}, \ldots, Y_\ell : \mathsf{Prop}_{T_\ell,U_\ell}$ and $\kappa = \mathsf{Prop}_{T_{\ell+1},U_{\ell+1}} \to \cdots \to \mathsf{Prop}_{T_{\ell+m},U_{\ell+m}} \to \mathsf{Prop}_{T,U}$, is as follows. Assume: (i) each fixpoint variable $X$ is bound to an affine function as described by $K(X)$, (ii) each $Y_i$ ($1 \le i \le \ell + m$) is bound to a value $(x_{i,1}, \ldots, x_{i,n})$ described by $\mathsf{Prop}_{T_i,U_i}$. Then the value of $\varphi\, Y_{\ell+1} \cdots Y_{\ell+m}$ is an affine function on $x_{i,j}$. Note that the value of $\varphi\, Y_{\ell+1} \cdots Y_{\ell+m}$ need not be affine on the values of fixpoint variables. Below ∆ is treated as a sequence of type bindings, while $K$ is treated as a set.
The typing rules are given in Figure 4. We explain key rules below. The rule T-WeakTU is for weakening the information represented by $T$ and $U$; this rule is required, for example, for adjusting the types between a function and its argument. The rule T-Weak is a usual weakening rule for adding type bindings to ∆. The rule T-AP is for atomic propositions; recall that $\rho_{AP}(p)$ denotes the set of states where $p$ holds with probability 1. The rule T-Mu is for least fixpoint formulas. The second premise means that κ is of the form , where $U = \emptyset$. Without this restriction, the value of $\varphi\, \varphi_1 \cdots \varphi_k$ at a state in $U$ may be wrongly estimated to be 1. For example, consider the case where φ = X and the simple type of X is Prop. Then, the value of µX.X should be the map $f$ such that $f(s) = 0$ for every state. Without the restriction, however, we could wrongly derive $\mu X.X : \mathsf{Prop}_{\emptyset,S_M}$. Note also that ∆ is empty in T-Mu; this is just for technical convenience, and is not a fundamental restriction. Indeed, if µX.φ contains a free variable $Y$ of type $\mathsf{Prop}_{T,U}$, then we can replace it with $(\mu X'.\lambda Y.[X'\,Y/X]\varphi)\,Y$, without changing the semantics. Analogous conditions are imposed in the rule T-Nu for greatest fixpoint formulas. In the rule T-Conj for conjunctions, the first two premises imply that the value of $\varphi_i$ at a state in $T_i$ is 0; therefore, the value of $\varphi_1 \land \varphi_2$ at a state in $T_1 \cup T_2$ is 0, which explains $T_1 \cup T_2$ in the conclusion. Similarly for $U_1 \cap U_2$. The third premise (on the second line) ensures that the value of $\varphi_1 \land \varphi_2$ is an affine function on the value of the variables in ∆. That is guaranteed if ∆ = ∅. Otherwise, we require $T_1 \cup U_1 \cup T_2 \cup U_2 = S_M$; recall the earlier discussion on a sufficient condition for the semantics of an order-1 formula to be affine. The rule T-Disj for disjunctions is analogous. In the rules T-J, T-Min, and T-Max, we require that the type environment ∆ for λ-bound variables be empty, since the operators $[\cdot]_J$, □, and ♦ break the affinity. The sets $T$ and $U$ in the conclusions of those rules are conservatively approximated. In T-J, recall that we have excluded out trivial
We can thus obtain
Note that, by the same argument as the proof of Theorem 2.9, there exists no $\mu^p$-calculus formula equivalent to $\varphi_1$.
The following lemma states that a formula that is well-typed in $\mathcal{T}_M$ is also well-typed in the original PHFL type system.
Lemma 5.4. Let φ be a PHFL formula such that $K; \Delta \vdash_M \varphi : \kappa$. Then we have $\mathrm{tr}(K, \Delta) \vdash \varphi : \mathrm{tr}(\sigma)$.
Proof. This follows by a straightforward induction on the derivation of $K; \Delta \vdash_M \varphi : \kappa$.
The following lemma states that the refined type system does not impose any restriction on the order-0 fragment of PHFL. Thus, together with the observation in Example 5.3, the lemma implies that our decidable fragment is strictly more expressive than the $\mu^p$-calculus.
Proof. This follows by a straightforward induction on the derivation of $\Gamma \vdash \varphi : \tau$. Note that since ∆ is always empty, the condition
In the rest of this subsection, we prove the following properties.
(1) The type system is sound in the sense that the semantics of any formula φ of type κ indeed belongs to $[\![\kappa]\!]$; see Theorem 5.8 for the precise statement.
(2) The calculation of the semantics of a well-typed formula (especially, the least/greatest fixpoint computation) can be performed up to the equivalence relation $\sim_\kappa$, where $f \sim_{\mathsf{Prop}_{T_1,U_1} \to \cdots \to \mathsf{Prop}_{T_m,U_m} \to \mathsf{Prop}_{T,U}} g$ just if $f$ and $g$ are equivalent on the intended domain, i.e., if . ., $v_m \in [\![\mathsf{Prop}_{T_m,U_m}]\!]$; see Lemmas 5.10 and 5.11.
The reason why the type system ensures affinity has been intuitively explained already, except for the fixpoints. Here we show (in Lemma 5.7) that the fixpoint of a typable fixpoint operator is indeed affine. The key observation is that $[\![\kappa]\!] \subseteq [\![\mathrm{tr}(\kappa)]\!]$ is closed under the limit of chains, as stated in the following lemma.
Proof. We prove the former. Assume
We first give an alternative characterization of affinity. For each $i \le k$, given $v_i \in [\![\mathsf{Prop}_{T_i,U_i}]\!]$ and $r \in [0, 1]$, we define $r \cdot v_i$ by $(r \cdot v_i)(s) = r(v_i(s))$. Note that $r \cdot v_i$ may not be a member of $[\![\mathsf{Prop}_{T_i,U_i}]\!]$, but $r \cdot v_i + (1 - r) \cdot v_i' \in [\![\mathsf{Prop}_{T_i,U_i}]\!]$ for every $v_i, v_i' \in [\![\mathsf{Prop}_{T_i,U_i}]\!]$ and $r \in [0, 1]$ (here the sum is the point-wise sum on reals). Then $f \in [\![\mathsf{Prop}^k \to \mathsf{Prop}]\!]$ is affine on $[\![\mathsf{Prop}_{T_1,U_1}]\!] \times \cdots \times [\![\mathsf{Prop}_{T_k,U_k}]\!]$ if and only if, for every $(v_1, \ldots, v_k), (v_1', \ldots, v_k') \in$
Let $(f_\alpha)_{\alpha<\gamma}$ be an increasing chain and $f = \bigsqcup_{\alpha<\gamma} f_\alpha$. Then $f$ can be characterized in terms of the limits in real numbers as $f\, y_1 \ldots y_k = \lim_{\alpha<\gamma} (f_\alpha\, y_1 \ldots y_k)$ for every $y_1, \ldots, y_k \in [\![\mathsf{Prop}]\!]$. Since $\lim_{\alpha<\gamma}$ commutes with linear operations, for every $(v_1, \ldots, v_k), (v_1', \ldots, v_k') \in [\![\mathsf{Prop}_{T_1,U_1}]\!] \times \cdots \times [\![\mathsf{Prop}_{T_k,U_k}]\!]$ and $r \in [0, 1]$, we have:
The latter is the dual of the former, and can be proved in the same manner, by just replacing $\bigsqcup$ with $\bigsqcap$.
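Lemma 5.7. Let $\kappa = \mathsf{Prop}_{T_1,U_1} \to \cdots \to \mathsf{Prop}_{T_k,U_k} \to \mathsf{Prop}_{T,U}$ be a refined type and $h$ be a monotone function on $[\![\mathrm{tr}(\kappa)]\!]$ such that $x \in [\![\kappa]\!]$ implies $h\,x \in [\![\kappa]\!]$.
Here LFP and GFP are taken in $[\![\mathrm{tr}(\kappa)]\!]$.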

Conclusion
We have introduced PHFL, a probabilistic logic which can be regarded as both a probabilistic extension of HFL and a higher-order extension of the probabilistic logic $\mu^p$-calculus. We have shown that the model-checking problem for PHFL for a finite Markov chain is undecidable for the µ-only and order-1 fragment. We have also shown that the model-checking problem for the full order-1 fragment of PHFL is $\Pi^1_1$-hard and $\Sigma^1_1$-hard. As positive results, we have introduced a decidable subclass of the PHFL model-checking problem, and showed that the termination problem of Recursive Markov Chains can be encoded in the subclass.
Finding an upper bound of the hardness of the PHFL model-checking problem is left for future work. It is also left for future work to find a larger decidable class of PHFL model-checking problems.
Definition 3.1 (PHFL Model Checking). The PHFL model-checking problem for finite Markov chains is the problem of deciding whether $M \models \varphi$, given a (finite) Markov chain $M$ and a closed PHFL formula φ of type Prop as input.

Figure 3: The Markov Chain for Reduction from Higher-order Fixpoint Arithmetic to PHFL.