Stratified guarded first-order transition systems

In the example from Fig. 1, \({{\mathcal {R}}_{ state }}\) consists of the predicates \(\textsf {conf}\), \(\textsf {auth}\), \(\textsf {assign}\), \(\textsf {report}\) and \(\textsf {discuss}\) while \({{\mathcal {A}}}\) consists of the predicates \(A_1\ldots A_4\). No constants are needed, so \({\mathcal {C}}= \emptyset \). The edge from node 1 to 2 has no assumption and specifies a single substitution \(\theta \) that updates \(\textsf {assign}\) withwhile leaving literals of predicates \(\textsf {conf},\textsf {auth},\textsf {report}\) or \(\textsf {discuss}\) unchanged. \(\square \)

Consider formula \(\varphi \) that specifies that the author of a paper p should never be assigned to provide a review for p:Applying the substitution \(\theta \) from Example 1 results in\(\square \)

According to the specification in eq. (1) for the example transition system in Fig. 1, the single initial state (w.r.t. any given universe) is the pair of node 0 and the FO structure which interprets the relations \(\textsf {auth},\textsf {assign},\textsf {report}\) and \(\textsf {discuss}\) with empty relations each. \(\square \)

Let \({\mathcal {T}}\) be a FO transition system and let \(\Psi \) an invariant. Assume that for some \(h\ge 0,\) \( \Psi ^{(h)} = \Psi ^{(h+1)} \) holds. Then \(\Psi ^{(h)}\) is the weakest inductive invariant implying \(\Psi \). Moreover, \(\Psi \) is valid iff \({{\mathcal {H}}}\rightarrow \Psi ^{(h)}[v_0]\). \(\square \)

In [3], formulas with universal SO quantifiers and universal as well as existential quantifiers are strengthened to formulas with universal quantifiers only. The idea is to replace an existentially quantified subformula \(\exists x.\varphi \) with a disjunction \(\bigvee _{y\in Y}\varphi [y/x]\) where Y is the subset of constants and those universally quantified variables in whose scope \(\varphi \) occurs. So, the formula \(\forall y_1,y_2.\exists x. R(x)\) is abstracted by \(\forall y_1,y_2.R(y_1)\vee R(y_2)\). This abstraction is particularly useful, since SO universal quantifiers can be eliminated from universally quantified formulas. \(\square \)

Fixpoint iteration for universally quantified formulas still may not terminate due to an ever increasing number of quantified variables. The universally quantified variable x in an otherwise quantifier-free formula \(\psi \) in negation normal form can be removed by replacing each literal containing x with \(\textsf {false}\). In this way, the formula \(\forall x.\;(Rx\vee \lnot Sy\vee Tz)\wedge (\lnot Rx\vee \lnot Ty)\) is strengthened to \((\lnot Sy\vee Tz)\wedge \lnot Ty\). \(\square \)

Assume that the quantifier-free formula \(\psi \) is a conjunction of clauses. Then \(\psi \) is implied by the single clause c consisting of all literals which all clauses in \(\psi \) have in common. The formula \((Rx\vee \lnot Sy\vee Tz)\wedge (Rx\vee Tz\vee \lnot Tx)\), e.g., can be strengthened to \(Rx\vee Tz\). \(\square \)

Consider the FO transition system \({\mathcal {T}}\) over a monadic state predicate R, a binary state predicate E and a constant a. \({\mathcal {T}}\) consists of a single node u with a single transition \((u,\theta ,u)\) where \(\theta \) is given byConsider the invariant \(\Psi [u] = \lnot R(a)\). Then for \(h\ge 0\),The weakest inductive invariant thus states that the unary predicate R only holds for elements which are not reachable from a via the edge predicate E. This property is not expressible in FO predicate logic. Accordingly, \(\Psi ^{(h)}[u]\ne \Psi ^{(h+1)}[u]\) must hold for all \(h\ge 0\). \(\square \)

There exists a FO transition system \({\mathcal {T}}\) without assumptions, using stratified strictly guarded updates and resets, with simultaneous substitutions of predicates at different levels, together with some universal invariant \(\Psi \) such that for each \(h\ge 0\), \(\Psi ^{(h)}\) is universal FO definable, but \(\Psi ^{(h)}[u] \not \rightarrow \Psi ^{(h+1)}[u]\) for some program point u.

Consider the FO transition system \({\mathcal {T}}\) as shown in Fig. 2 for some binary predicate E, together with the invariant \(\Psi =\{0\mapsto \top ,1\mapsto \top ,2\mapsto \textsf {error}\vee \lnot \textsf {hull}(a,b), 3\mapsto \top \}\) for constants a, b. Initially, the predicate \(\textsf {hull}\) is set to E. By executing the loop k times, either the error flag \(\textsf {error}\) is set to \(\top \), or \(\textsf {hull}\) receives at most \((k+1)\)fold compositions of E. Still, we can assign levels to the predicates used by \({\mathcal {T}}\) which meet the requirements of a stratification, namely,For the required SO quantifier elimination of \(A_1,A_2\), we note that in order to avoid \(\textsf {error}\) to be set to \(\top \), \(\textsf {add}(x,y,z)\) must imply \(\textsf {hull}(x,y)\wedge E(y,z)\). In order to falsify the invariant at program point 1 whenever possible, thus, \(A_1(x,y,z)\) should be set to \(\textsf {hull}(x,y)\wedge E(y,z)\), and \(A_2(x,z,y)\) at least to \(\textsf {add}(x,y,z)\). For the iterates \(\Psi ^{(h)}\) at program point 2, we therefore obtainAltogether, the weakest inductive invariant for program point 0 is given by \(\textsf {error}\vee \lnot E^+(a,b)\) where \(E^+\) is the transitive closure of E. As the transitive closure of a binary relation is not FO definable, we conclude that the fixpoint iteration cannot terminate. \(\square \)

Consider the substitution \(\theta \)Then \(\theta (R(a)\vee \lnot R(b))\) is given byA closer inspection reveals that here SO quantifier elimination of A is possible where \(\forall A.\,\theta (R(a)\vee \lnot R(b))\) is equivalent toIn particular, the resulting FO formula has universal FO quantifiers only. \(\square \)

Assume that A is a predicate of arity r and \({\bar{y}}=(q_1,\ldots ,q_r)\) is a sequence of distinct variables from \({{\mathcal {Y}}}\).

We apply Ackermann’s lemma in negated form. According to the form provided in [24], it states thatif \(\varphi \) contains no occurrence of A, and \(\psi \) only contains negative occurrences of A.

Then the equivalence for (8) follows by choosingwhere for \(i=1,\ldots ,m\), \({\bar{y}}_i\) is the prefix of \({\bar{y}}\) of length \(\vert {\bar{a}}_i\vert \), while \({\bar{z}}_i\) is considered as the corresponding suffix, i.e., \({\bar{y}}= {\bar{y}}_i{\bar{z}}_i\). The equivalence for (10) is obtained by using the same definition for \(\varphi \), but replacing the formula \(\psi \) with\(\square \)

Consider the second update in the loop of the transition system from Fig. 1.Let \(\theta _4\) denote this update, and consider the invariant (2) from the introduction. Application of \(\theta _4\) results in the formulaSince \(A_4\) only occurs negatively, universal SO quantifier elimination of \(A_4\) yields\(\square \)

Assume that \({\mathcal {T}}\) is a FO transition systems with guarded updates and resets only, and assumptions g of the formwhere \(\varphi _0,\varphi _1,\varphi _2,\varphi _3\) are quantifierfree formulas not containing occurrences of the SO variable A. Let \(\Psi \) a universal FO invariant. Then the following holds:

Due to lemma 3, for each universal FO formula \(\psi \), each guard g of appropriate form, and each guarded update or reset \(\theta \) with input predicate A, \(\forall A.\,(\lnot g\vee \theta \psi )\) is equivalent to a universal FO formula. That implies statement (1). Now assume for for each \(h\ge 0\) and each \(v\in V\), \(\Phi ^{(h)}[v]\) is FO definable. Then due to the compactness theorem for FO predicate logic [25], there is some \(h\ge 0\) such that \(\Psi ^{(h)}[v] \leftrightarrow \Psi ^{(h+j)}[v]\) holds for all \(v\in V\) and \(j\ge 0\), iff for each \(v\in V\), the conjunction \(\bigwedge _{h\ge 0} \Psi ^{(h)}[v]\) is again FO definable. \(\square \)

Consider again the specification from Fig. 1, and let \(\theta _1,\theta _2,\theta _3,\) and \(\theta _4\) denote the substitutions occurring therein.

Assume that \(\Psi \) equals the universal formula in (2), and we are interested in its validity at program point 2 of the transition system. The formula \(\forall A_3.\,\theta _3(\forall A_4.\,\theta _4(\Psi ))\) is given byThe resulting formula \(\Psi '\) already equals the fixpoint for the loop.

Since the predicate \(\textsf {assign}\) only occurs negatively in \(\Psi '\) and \(\textsf {conf}\) only negatively in the right-hand side for \(\textsf {assign}\), the formula \(\forall A_1.\theta _1(\forall A_2.\theta _2(\Phi '))\) is constructed from \(\Psi '\) via the substitution \(\theta _\textsf {assign}\) defined byThis means the formula \(\Psi ''\) for the initial node 0 of the transition system is given byBy the initial condition \({{\mathcal {H}}}\) from the introduction, \(\lnot \textsf {discuss}(x_1,x_2,p,d)\) generally holds at node 0 of the transition system, as well as \(\lnot \textsf {report}(x_i,p,r_i),\lnot \textsf {assign}(x_i,p),\) and \(\lnot \textsf {conf}(x_i,p)\) for \(i=1,2\). Therefore, \({{\mathcal {H}}}\) implies \(\Psi ''\), and the property \(\Psi \) at node 3 of the transition system is valid. \(\square \)

Assume we are given a strictly guarded and stratified FO transition system. Then for every universal invariant \(\Psi \), the weakest inductive invariant strengthening \(\Psi \) can be represented by universal FO formulas, and can effectively be computed.

For this proof, it is convenient to use the notation \(\Phi \ni \forall {\bar{x}}.\,c\) for a universal FO formula \(\Phi \), a clause c, and a list \({\bar{x}}\) of distinct variables so that for the prenex CNF \(\forall {\bar{z}}.\,c_1\wedge \ldots \wedge c_m\) of \(\Phi \), c occurs among the \(c_j\), and \({\bar{x}}\) is the subsequence of variables in \({\bar{z}}\) which occur in c. We rely on the following technical lemma.

Assume that c is a clause and \(\theta \) a stratified reset or a stratified strictly guarded update with input predicate A which substitutes predicates of level s.

Let \(c'\) be a clause with \(\forall A.\,\theta (c)\ni \forall {\bar{z}}.\,c'\) where \({\bar{z}}\) is the list of newly introduced variables in \(c'\). Then either \(c=c'\) and \({\bar{z}}\) is empty, or the number of literals at level s of \(c'\) is less than the corresponding number of literals in c, while the set of literals at levels exceeding s stays the same.

Assume that the clause c is of the formwhere \(R_i{\bar{y}}_i, R_j{\bar{y}}_j\) are the literals of c substituted by \(\theta \), while \(c_0\) does not contain occurrences of left-hand sides of \(\theta \).

If \(\theta \) is a reset, all literals containing \(R_i\) are eliminated from c.

Therefore, the assertion of the lemma holds. Now assume that \(\theta \) is a strictly guarded update where \(\theta (R_i{\bar{y}}_{R_i}) = R_i{\bar{y}}_{R_i}\vee \exists {\bar{z}}_{i}. A{\bar{y}}_{R_i}^{\sigma _i}{\bar{z}}_{i} \wedge \psi _i\) for some permutation \(\sigma _i\). Then by lemma 3,where \({\bar{z}}_j\) is a fresh list of FO variables of the same length as \({\bar{z}}\), and \({\bar{z}}_J\) is the concatenation of all lists \({\bar{z}}_j,j\in J\).

In particular for \(J=\emptyset \), \({\bar{z}}_J\) is empty and the corresponding clause equals c. If on the other hand \(J\ne \emptyset \), the number of negated literals occurring in the clause has decreased. \(\square \)

Assume that \({\mathcal {T}}\) is a positive FO transition system where all updates are single. Then for every universal invariant \(\Psi \), the weakest inductive invariant implying \(\Psi \) is again universal and can effectively be computed.

Let \(\Theta \) denote the substitutions occurring at edges in \({\mathcal {T}}\). For \(\theta \in \Theta \), let \([\![ \theta ]\!]\) denote the transformation of universal FO formulas which maps every universal FO formula \(\psi \) to a universal FO formula equivalent to \(\forall A.\theta (\psi )\), if A is the input predicate corresponding to \(\theta \). Let \(\pi = \theta _L\ldots \theta _1\) denote a sequence of substitutions from \(\Theta \). Then \([\![ \pi ]\!] = [\![ \theta _N ]\!]\circ \ldots \circ [\![ \theta _1 ]\!]\) is the composition of the transformations corresponding to the substitutions occurring in \(\pi \). Now consider a quantifierfree formula \(\psi \) in conjunctive normal form with predicates from \({{\mathcal {R}}_{ state }}\) and FO variables from X. Consider some \(\theta \in \Theta \). Since \(\theta \) is a stratified reset or a stratified guarded update which is single and positive, \([\![ \theta ]\!](\psi )\) can be chosen in such a way that all occurring argument lists \({\bar{b}}\) of positive literals \(R{\bar{b}}\), \(R\in {\mathcal {R}}\), only use variables from X. Since \(\theta \) is single, SO quantifier elimination of the input predicate A of \(\theta \) can be realized by a single substitution of the formfor suitable \(n\ge 0\) and sequences \({\bar{a}}_{i}\) of FO variables from X. Let us call the right-hand side here a worst attacker. This means that, for all levels \(t=L,\ldots ,1\), there are only finitely many possibilities of worst attackers to substitute the occurring input predicates. Let L denote the maximal level of predicates from \({{\mathcal {R}}_{ state }}\). Moreover for \(t=L,\ldots ,1\), let \({\bar{z}}_t\) denote one distinct enumeration of variables occurring in substitutions in \(\Theta \) whose right-hand sides are of level t. The formulas \([\![ \pi _N ]\!](\psi )\) thus can all be represented as finite conjunctions g of generalized clauses \(c^{(L)}\) according to the following grammar:where \(c_0\) is a disjunction of literals without negative literals \(\lnot R{\bar{b}}\) using FO variables from X; while for \(0\le t\le L\), the clause \(c^{(t)}\) satisfies the following side constraints:Moreover, for \(o^{(t)}\), all FO variables occurring in the lists \({\bar{a}}_i\) are from X only, while those occurring in \({\bar{b}}\) are either from X or occur in \({\bar{z}}_L\ldots {\bar{z}}_{t-1}\). By induction on t, we verify that for each level \(t\ge 0\), the number of non-equivalent formulas \(o^{(t)}\) and thus also the number of non-equivalent formulas \(c^{(t)}\) is finite. We conclude that also the number on non-equivalent formulas c as well as the number of non-equivalent formulas g is finite.

Accordingly, the number of non-equivalent formulas \(\forall A_1\ldots A_N.\,\pi (\psi )\) is finite — implying that for every universal invariant \(\Psi \), \(\Psi ^{(h+1)} = \Psi ^{(h)}\) for some \(h\ge 0\). From that, the statement of the theorem follows. \(\square \)

Assume that \({\mathcal {T}}\) is a stratified guarded FO transition system where resets only occur for predicates of level 1 and the maximal level L. Then for every universal invariant \(\Psi \), the weakest inductive invariant is again universal and can effectively be computed.

We show that there is some \(h\ge 0\), so that \(\Psi ^{(h+1)} = \Psi ^{(h)}\). Since by lemma 3, \(\Psi ^{(h)}[u]\) is a universal formula for all \(h\ge 0\) and program points u, the statement of the theorem follows.

Let \(\Theta \) denote the finite set of stratified guarded substitutions occurring in \({\mathcal {T}}\). W.l.o.g., we assume that each substitution in \(\Theta \) simultaneously substitutes all predicates at a given level t. Let \(\psi \) a quantifierfree FO formula in negation normal form. Let \(\pi = \theta _N,\ldots ,\theta _1\) be any sequence of substitutions where for each \(i = 1,\ldots ,N\), \(\theta _i = \theta '[A_i/A_{e_i}]\) holds for a fresh input predicate \(A_i\), and some substitution \(\theta '\in \Theta \). Thereby, let \(\lambda (A_i)\) denote the level of left-hand sides of \(\theta '\). Termination of fixpoint iteration is based on the following lemma. \(\square \)

There is a fixed finite sequence \({{\textbf {z}}}\) of variables only depending on \(\psi \) and the substitutions from \({\mathcal {T}}\) so that \(\forall A_N\ldots A_1.\pi (\psi ) = \forall {{\textbf {z}}}.\psi '\) for some quantifierfree FO formula \(\psi '\). In particular, \({{\textbf {z}}}\) can be chosen independently of the length N of \(\pi \).

Let us first consider the case where there is no reset of predicates. Let \({{\mathcal {R}}_{ state }}\) denote the finite set of predicate symbols used by \({\mathcal {T}}\). Let X and Z denote the finite sets of variables occurring in \(\psi \) and introduced by substitutions from \(\Theta \), respectively. Let L denote the maximal level of a predicate in \({\mathcal {R}}\). For \(1\le t\le L\), let \(V_t\) denote the set of all variableswith \(z\in Z\), \(\lambda (R) = t\), and \({\bar{b}}\) a sequence of variables from \(X\cup V_L\cup \ldots \cup V_{t+1}\) whose length equals the arity of R. We then will use the set \(V = V_1\cup \ldots \cup V_L\) as our set of bound variables. According to the definition of the \(V_t\), the set V is finite. By induction on the length N of \(\pi \), we construct a formula in a particular normal form \(\psi _N\) which is equivalent to \(\pi (\psi )\). In this construction, we make sure that all variables bound by existential or universal quantifiers are always taken from V. The normal form g of formulas we rely on, consists of a finite conjunction of generalized clauses c which are built up according to the following abstract grammarIn the second line, \(c_0\) is an ordinary clause without occurrences of input predicates, \(A'\) is an input predicate where all predicates occurring in \(g'\) have levels less than \(\lambda (A')\). In the third line, R is a predicate, \({\bar{b}}\) are sequences of arguments, \({\bar{z}}_R\) is a sequence of FO variables whose length only depends on R and contains all FO variables required by substitutions of R, \(A_n\) are input predicates of levels \(\lambda (R)\), and all predicates occurring in any of the \(c_n\) have levels less than \(\lambda (R)\). A formula \(f_{R,{\bar{b}}}\) is also called negation tree with head \(\lnot R{\bar{b}}\). \(f_{R,{\bar{b}}}\) is called non-trivial, if it contains occurrences of input predicates, i.e., the conjunction in the second conjunct is non-empty. Thereby, we maintain the invariant that on the toplevel, i.e., outside the scopes of all quantifiers, the heads of all negation trees are distinct.

This normal form can be obtained for \(\psi \) by constructing the conjunctive normal form of \(\psi \) and thereby, removing all duplicates of literals in clauses. Let \(\psi _0\) denote the resulting conjunction for \(\psi \). Now assume that we have already constructed the normal form \(\psi _{N-1}\). By using distributivity of \(\wedge \), the corresponding normal form for \(\psi _N = \theta _N(\psi _{N-1})\) can be readily computed. For maintaining the invariant on negation trees, we recall that \(\lnot R{\bar{b}}\vee \lnot R{\bar{b}}\wedge g \longleftrightarrow \lnot R{\bar{b}}\), i.e., newly created literals \(\lnot R{\bar{b}}\) in clauses kill already existing negation trees with this head.

Given the normal form \(\psi _N\) for \(\pi (\psi )\), we now successively apply SO quantifier elimination. We proceed from input predicates \(A_i\) of higher levels downwards towards the input predicates of smaller levels. For each clause, we thereby collect the lists of FO variables \({\bar{z}}_t\) required to be universally quantified and prove that these lists possibly introduced for level t, consist of variables from \(V_t\) only. In the end, we thus arrive at a formula \(\forall {{\textbf {z}}}_1\ldots {{\textbf {z}}}_L.\psi '\) where \({{\textbf {z}}}_t\) is the sequence of variables in \(V_t\), and \(\psi '\) is a quantifierfree conjunction of (plain) clauses with variables from \(X\cup V\) only. Since there is only a finite set of of such clauses, the theorem follows.

So, let \(\tau \) denote a permutation of \(\{1,\ldots ,N\}\) so that \(\lambda (A_{\tau (N)})\le \ldots \le \lambda (A_{\tau (1)})\) holds. In particular, \(\lambda (A_{\tau (1)})\) and \(\lambda (A_{\pi (N)})\) denote input predicates of highest and lowest occurring levels, respectively. Then we successively remove the occurrences of \(A_{\tau (1)},A_{\tau (2)},\ldots \) by maintaining the normal form of the resulting formulas — while introducing fresh bound variable names just from the set V. Let \(\psi '_{L+1} = \psi _N\). Now we proceed level by level. for \(L\ge t >0\), assume that \(\forall {{\textbf {z}}}_{t+1}\ldots {{\textbf {z}}}_{L}.\psi '_{t+1}\) has already been constructed such that \(\psi '_{t+1}\) is in our normal form where the heads of all non-trivial negation trees on top-level are distinct and have levels at most t. Let us consider a single generalized clause c of \(\psi '_{t+1}\). Let \(f_{R_1,{\bar{b}}_1},\ldots , f_{R_m{\bar{b}}_m}\) denote the sequence of top-level negation trees in \(\psi '_{t+1}\) of level t in c.

If this sequence is empty, then we set \({{\textbf {z}}}_{t} = \epsilon \) (the empty sequence) and \(\psi '_t\) as the formula obtained from \(\psi '_{t+1}\) by removing all occurrences of subformulas \(\exists {\bar{z}}_R.A'{\bar{b}}{\bar{z}}\wedge \psi '\) with \(\lambda (A') = t\).

Otherwise, let \(A_{\tau (j_1)}\ldots A_{\tau (j_2)}\) denote the subsequence of input predicates of level t occurring in c. Then for each \(j=1,\ldots ,m\), the negation tree \(f_{R_j,{\bar{b}}_j}\) is of the formfor suitable input predicates \(A'_k\) of level t, subsequences \({\bar{z}}_{jk}\) of \({\bar{z}}_{R_j}\) and (generalized) clauses \(c_{jk}\) containing predicates only of levels less than t. Since the heads of the negation trees \(f_{R_j,{\bar{b}}_j}\) are all distinct, we can rename the corresponding universally quantified variables to distinct sequences \({\bar{z}}_{R_j,{\bar{b}}_j} = z_{(R_j,{\bar{b}}_j),1}\ldots z_{(R_j,{\bar{b}}_j),l_j}\) if \(l_j\) is the length of the corresponding list of bound variables and let the sequences \({\bar{z}}_{{\bar{b}}_j,jk}\) be appropriate subsequences of this list for the \({\bar{z}}_{jk}\). By inductive hypothesis for variables in \({\bar{b}}_j\) and the definition of the set \(V_t\), all these variables are contained in \(V_t\). Therefore, c is equivalent to the formula \(\forall {{\textbf {z}}}_t.c'\) where \(c'\) coincides with c up the negation trees of level t, which now take the form(\(j=1,\ldots ,m\)). Performing SO quantifier elimination of all input predicates \(A_{\tau (j_1)},\ldots ,A_{\tau (j_2)}\) in a row removes all subformulas \(\exists {\bar{z}}_{R'}.A'{\bar{a}}{\bar{z}}_{R'}\wedge \psi '\) where \(\lambda (A') = t\) from \(c'\), and additionally replaces the subformulas (18) with formulasfor suitable conjunctions of (generalized) clauses \(g_{ji}\) in with constants from X and free variables from \({\bar{z}}_{R}\) and some list of parameters \({\bar{y}}\) for which a subformula \(\exists {\bar{z}}_{ji}.A'_k{\bar{a}}_{ji}^{\sigma _{ji}}{\bar{z}}_{ji}\wedge g_{ji}[{\bar{a}}_{ji}/{\bar{y}}]\) has occurred in \(c'\). In particular, each predicate occurring in any of the \(g_{ji}\) is of level less than t. By distributivity, the resulting formula is equivalent to a conjunction \(g'\) of (generalized) clauses \(c''\) each of which is obtained from \(c'\) by replacing each of the subformulas (18) with \(\lnot R_j{\bar{b}}_j\), or, for some k and some subset \(I\subseteq \{1,\ldots ,n_j\}\), with the clausewhere \(c'_{ji}\) is any clause of \(g_{ji}\). The clauses from \(g'\) constructed in this way, may contain negation trees which agree in their heads. Consider two such negation trees both with head \(\lnot R{\bar{b}}\) occurring in the same clause \(c''\) of \(g'\) on top-level. If both originate from \(\psi \) or have been introduced by means of the same substitution, say, \(\theta _j\), the same sequence of substitutions has been applied to both, and subsequently also to their negation trees. Accordingly, the two negation trees are equivalent, meaning that one of them can be removed from \(c''\). Therefore, now assume that one literal \(\lnot R{\bar{b}}\) has been introduced by substitution \(\theta _j\) while the the other did already occur in \(\psi _{j-1}\). That means that the sequence of substitutions applied to the later one and its negation tree, also is applied to the earlier one and its negation tree. In their disjunction (now introduced due to SO quantifier elimination), therefore, the negation tree of the earlier literal implies the negation tree of the later, and therefore can be omitted. Performing this normalization on the clauses of \(g'\), we achieve that in the resulting conjunction \(g''\) of (generalized) clauses all heads of top-level negation trees are distinct. Then we set \(\psi '_t\) to \(g''\).

In order to compute an explicit bound on the number of possible FO variables occurring as arguments to predicates of level \(t=L,\ldots ,0\), let us introduce the following structural parameters:For \(t=L,\ldots ,0\), we inductively determine a bound \(B_t\) to the number of distinct FO variables possibly occurring as arguments of literals at level t. Thereby, we set \(B_L = v\), since the only literals at level L occurring in \(c'\) already must have occurred in \(\psi \). Therefore, assume that \(t < L\) and a bound \(B_{t+1}\) has already been found. Given the number \(B_{t+1}\), the number of negated literals of predicates at level \(t+1\) can be bound by \(m\cdot B_{t+1}^r\). For each of these literals, a fresh list of variables of length at most l may be provided. Accordingly, we setAltogether, this means that the total number B of variables possibly occurring in literals of \(c'\) at level at least 0 is bounded byIt remains to consider the case when resets occur either on the highest level L or at level 1. We claim that with these kinds of resets, still the same set V for bound variables suffices to construct a FO universally quantified formula for \(\forall A_1\ldots A_N.\pi (\psi )\). Let us first consider resets of predicates at top-level L. Each of these, either has no effect or replaces all occurrences of one predicate R with \(\lambda (R) = L\) with a quantifierfree formula with occurrences of state predicates of lower levels and no input predicates. The only FO variables occurring in literals \(R{\bar{b}}\) or \(\lnot R{\bar{b}}\) for predicates R of level L are the variables from X occurring already in \(\psi \). Accordingly, we modify the first phase of constructing \(\psi _1,\ldots ,\psi _N\) as follows. We put the list \({{\textbf {z}}}_L\) as universally prenex in front of all \(\psi _j\) in order to have a reservoir of FO variables for all univerally quantified bound variables introduced at level L. As soon as an update substitution \(\theta _i\) of a predicate R at level L occurs, we rename in each clause the universally quantified variables from \({\bar{z}}_R\) introduced for \(\lnot R{\bar{b}}\) to \({\bar{z}}_{R,{\bar{b}}}\) from the reservoir and immediately perform SO quantifier elimination for \(A_i\). Then we bring the resulting formula into the format g to obtain \(\psi _i\). With this preparation, a reset \(\theta _j\) at level L can be dealt with during the construction of the sequence \(\psi _1,\ldots ,\psi _N\) just by replacing literals at level L with appropriate clauses of literals with predicates of lower level all using variables from X as arguments only. In particular, no new variables are introduced. For the second phase, it then remains to perform SO quantifier elimination just for the levels \(L-1,\ldots ,1\).

Now additionally, consider resets of predicates at level 1. In principle, we proceed as before. The resets at level 1, however, may additionally introduce subformulas of the form \(o_{{\bar{b}}}\) in clauses wherewhere \({\bar{b}}\) is a sequence of variables, \(A_k\) are input variables of level 1, and \(c_n\) contains predicates of level 0 only with arguments possibly from X, \({\bar{b}}\), and \({\bar{z}}\). No uniqueless can be guaranteed for subformulas of the form \(o_{{\bar{b}}}\). We note, however, that in the second phase when we perform SO quantifier elimination of SO predicates of level 1 for a (generalized) clause c, a formula is encountered of the formwhere \(c_0\) consists of literals using variables from \(V'\), the lists of variables \({\bar{a}}_{lji}\) are only from \(V'\), and the subformulas \(g_{lji}\) and \(c_{lj}\) use state predicates of level 0 only where all occurring FO variables are from \(V'\cup Z\). The number of non-equivalent such formulas \(g_{lji}\) as well as \(c_{lj}\) with this restriction onto the occurring FO variables, however, is finite. Therefore, there is a fixed finite prefix of FO variables, independent of the length of the sequence of substitutions \(\pi \) to take all universal quantifications from (23) into account.

Altogether, therefore, the number of FO variables in quantified clauses \(\forall {\bar{z}}'.c'\) contained in \(\pi (\psi )\) remains bounded – even when we allow resets both on the maximal level and on level 1. This completes the proof of lemma 9.

Consider in Fig. 1 the update\(A_3\) is a secret oracle with corresponding declassification formula \(\lnot \textsf {conf}(a,p)\). Let us first consider stubborn agents only: Then the transformation results in the sequence of three updatesIn case of causal agents, subsequently also the informedness predicate \(I\) must be updated byNow consider the substitutionwhere \(A_4\) is a choice predicate, allowing agent \(x_2\) to decide which tuples to add. In case of stubborn agents, agent choices are independent of acquired information about secrets. Therefore, the transformation results in just one (simultaneous) update of both \(\textsf {discuss}\) and \(\textsf {discuss}'\) together with an update of the predicate \(I\). In case of causal agents, however, four updates are introduced in a row, namely,Splitting the updates to \(\textsf {discuss}\) and \(\textsf {discuss}'\) into three only takes effect for agents \(x_2\) which are already informed, i.e., for which \(I(x_2)\) holds true. For the others, just the first (simultaneous) update takes effect. \(\square \)

[ [3]] Let \({\mathcal {T}}\) without assumptions and stratified guarded updates and resets only.

Let \({{{\mathcal {P}}}}^{(s)}_a({\mathcal {T}})\) (\({{{\mathcal {P}}}}^{(c)}_a({\mathcal {T}})\)) denote FO transition systems obtained as the self-composition of \({\mathcal {T}}\) for stubborn (causal) agents. Let \(\Phi _{\text {NDA}}\) denote the universal invariant mapping each node u to the formulawhere for each predicate \(R\in {{\mathcal {R}}_{ state }}\), \({\bar{y}}'_R\) is an appropriate list of distinct FO variables, and \({\bar{y}}\) is an enumeration of the FO variables occurring in any of the \({\bar{y}}'_R\).

Then the following holds for \({\mathcal {T}}\) with initial hypothesis \({{\mathcal {H}}}\).

Consider a FO transition system \({\mathcal {T}}\) without assumptions, but with resets and stratified guarded updates Assume that for each oracle O queried in some update \(\theta \), the corresponding declassification formula \(\delta _O\) is quantifierfree where each predicate occurring in \(\delta _O\) has level less than the level of the left-hand sides in \(\theta \). Assume further that one of the two conditions are met: Assume that the initial hypothesis \({{\mathcal {H}}}\) for \({\mathcal {T}}\) is given as a FO formula from the prenex class \(\exists ^*\forall ^*\). Assume that all agents participating in \({\mathcal {T}}\) are stubborn. Then NDA for \({\mathcal {T}}\) with stubborn agents is effectively decidable.

Under each of the two assumptions, the self-composition \({{{\mathcal {P}}}}^{(s)}_a({\mathcal {T}})\) can be effectively constructed and satisfies either the assumptions of Theorem 5 or Theorem 8. Therefore for every universal invariant \(\Phi _{\text {NDA}}\), the weakest inductive invariant \(\Psi \) can be effectively computed so that \(\Psi [u]\rightarrow \Phi [u]\) for every is again uniform and leveled. This invariant then holds iff the conjunction of the formula (32) and \(\lnot \Psi [v_0]\) is unsatisfiable. Since both formulas are effectively contained in the prenex class \(\exists ^*\forall ^*\), the claim of the theorem follows. \(\square \)

Consider again the FO transition system \({\mathcal {T}}\) from Fig. 1 where all participating agents are stubborn. In order to prove NDA for the arbitrary agent a, it suffices to verify for every program point of the self-compostion \({{{\mathcal {P}}}}^{(s)}_a({\mathcal {T}})\) the following invariant holds:Since the self-composition \({{{\mathcal {P}}}}^{(s)}_a({\mathcal {T}})\) is stratified strictly guarded (here even without resets), the iterative strengthening of the invariant terminates with a weakest inductive invariant. This invariant is too complicated to be spelled out here. We argue, however, that throughout all program points 0, 1, 2, 3 of the FO transition system,holds. Moreover, we have at all program points,whereholds. The latter property can, e.g., be proven for the original FO transition system \({\mathcal {T}}\). Each of these invariants is already inductive. Together, they imply thatholds for all program points as well — implying that the invariant (34) holds. \(\square \)

Consider a FO transition system \({\mathcal {T}}\) and declassification formulas satisfying the same assumptions as in theorem 11, and assume that at most \(t\ge 0\) of the agents participating in \({\mathcal {T}}\) are causal, while all other agents are stubborn. Then NDA for \({\mathcal {T}}\) is effectively decidable. \(\square \)

Consider again the FO transition system from Fig. 1, but now with causal agents and the self-composition \({{{\mathcal {P}}}}^{(c)}_a({\mathcal {T}})\) where informedness of agents is maintained via the explicit auxiliary predicate \(I\). Interestingly, the fixpoint iteration for proving the invariant (34) still terminates with a rather complicated inductive invariant. The latter, however, is not weak enough to prove NDA. In fact, this property cannot be guaranteed, as is indicated by the following counterexample:Intuitively, pc member a has declared conflict with paper p, but has been assigned paper \(p'\). Pc member \(a'\) on the other hand, has declared no conflict and has been assigned both papers p and \(p'\). Since pc members \(a,a'\) share a common paper \(p'\) for which both have received a report, they may start a discussion on paper \(p'\). This discussion can be used by \(a'\) to leak secret information on paper p, i.e., depending on the received report on p, \(a'\) may contribute \(d_1\) or \(d_2\) to the discussion of \(p'\). \(\square \)