Conservative Extensions in Guarded and Two-Variable Fragments
Jean Christoph Jung, Carsten Lutz, Mauricio Martel, Thomas Schneider,, Frank Wolter

TL;DR
This paper explores the decidability and complexity of conservative extensions in fragments of first-order logic, showing undecidability in most fragments and decidability with high complexity in a specific intersection.
Contribution
It establishes the boundaries of decidability for conservative extensions in guarded and two-variable first-order logic fragments.
Findings
Conservative extensions are undecidable in FO fragments containing FO$^2$ or GF.
Decidable and 2 ext{ExpTime}-complete in GF$^2$ (intersection of FO$^2$ and GF).
Abstract
We investigate the decidability and computational complexity of (deductive) conservative extensions in fragments of first-order logic (FO), with a focus on the two-variable fragment FO and the guarded fragment GF. We prove that conservative extensions are undecidable in any FO fragment that contains FO or GF (even the three-variable fragment thereof), and that they are decidable and 2\ExpTime-complete in the intersection GF of FO and GF.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
\Copyright
J. C. Jung, C. Lutz, M. Martel, T. Schneider, and F. Wolter
Conservative Extensions in Guarded and Two-Variable Fragments111Funded by DFG grant LU 1417/2.
Jean Christoph Jung
University of Bremen, Bremen, Germany
{jeanjung,clu,martel,ts}@informatik.uni-bremen.de
Carsten Lutz
University of Bremen, Bremen, Germany
{jeanjung,clu,martel,ts}@informatik.uni-bremen.de
Mauricio Martel
University of Bremen, Bremen, Germany
{jeanjung,clu,martel,ts}@informatik.uni-bremen.de
Thomas Schneider
University of Bremen, Bremen, Germany
{jeanjung,clu,martel,ts}@informatik.uni-bremen.de
Frank Wolter
University of Liverpool, Liverpool, UK
Abstract
We investigate the decidability and computational complexity of (deductive) conservative extensions in fragments of first-order logic (FO), with a focus on the two-variable fragment FO2 and the guarded fragment GF. We prove that conservative extensions are undecidable in any FO fragment that contains FO2 or GF (even the three-variable fragment thereof), and that they are decidable and 2ExpTime-complete in the intersection GF2 of FO2 and GF.
1 Introduction
Conservative extensions are a fundamental notion in logic. In mathematical logic, they provide an important tool for relating logical theories, such as theories of arithmetic and theories that emerge in set theory [38, 34]. In computer science, they come up in diverse areas such as software specification [14], higher order theorem proving [18], and ontologies [27]. In these applications, it would be very useful to decide, given two sentences and , whether is a conservative extension of . As expected, this problem is undecidable in first-order logic (FO). In contrast, it has been observed in recent years that conservative extensions are decidable in many modal and description logics [16, 29, 30, 7]. This observation is particularly interesting from the viewpoint of ontologies, where conservative extensions have many natural applications including modularity and reuse, refinement, versioning, and forgetting [11, 27].
Regarding decidability, conservative extensions thus seem to behave similarly to the classical satisfiability problem, which is also undecidable in FO while it is decidable for modal and description logics. In the case of satisfiability, the aim to understand the deeper reasons for this discrepancy and to push the limits of decidability to more expressive fragments of FO has sparked a long line of research that identified prominent decidable FO fragments such as the two-variable fragment FO2 [37, 32], its extension with counting quantifiers C2 [22], the guarded fragment GF [1], and the guarded negation fragment GNF [4], see also [6, 19, 36, 26] and references therein. These fragments have sometimes been used as a replacement for the modal and description logics that they generalize, and in particular the guarded fragment has been proposed as an ontology language [3]. Motivated by this situation, the aim of the current paper is to study the following two questions:
Are conservative extensions decidable in relevant fragments of FO such as FO2, C2, GF, and GNF? 2. 2.
What are the deeper reasons for decidability of conservative extensions in modal and description logics and how far can the limits of decidability be pushed?
To be more precise, we concentrate on deductive conservative extensions, that is, is a conservative extension of if for every sentence formulated in the signature of , implies . There is also a model-theoretic notion of conservative extension which says that is a conservative extension of if every model of can be extended to a model of by interpreting the additional symbols in . Model-theoretic conservative extensions imply deductive conservative extensions, but the converse fails unless one works with a very expressive logic such as second-order logic [27]. In fact, model-theoretic conservative extensions are undecidable even for some very inexpressive description logics that include neither negation nor disjunction [28]. Deductive conservative extensions, as studied in this paper, are closely related to other important notions in logic, such as uniform interpolation [33, 40, 5]. For example, in logics that enjoy Craig interpolation, a decision procedure for conservative extensions can also be used to decide whether a given sentence is a uniform interpolant of a given sentence regarding the symbols used in .
Instead of concentrating only on conservative extensions, we also consider two related reasoning problems that we call -entailment and -inseparability, where denotes a signature. The definitions are as follows: a sentence -entails a sentence if for every sentence formulated in , implies . This can be viewed as a more relaxed notion of conservative extension where it is not required that one sentence actually extends the other as in the conjunction used in the definition of conservative extensions. Two sentences are -inseparable if they -entail each other. We generally prove lower bounds for conservative extensions and upper bounds for -entailment, in this way obtaining the same decidability and complexity results for all three problems.
Our first main result is that conservative extensions are undecidable in FO2 and (the three-variable fragment of) GF, and in fact in all fragments of FO that contain at least one of the two; note that the latter is not immediate because the separating sentence in the definition of conservative extensions ranges over all sentences from the considered fragment, giving greater separating power when we move to a larger fragment. The proofs are by reductions from the halting problem for two-register machines and a tiling problem, respectively. We note that undecidability of conservative extensions also implies that there is no extension of the logic in question in which consequence is decidable and that has effective uniform interpolation (in the sense that uniform interpolants exist and are computable). We then show as our second main result that, in the two-variable guarded fragment GF2, -entailment is decidable in 2ExpTime. Regarding the satisfiability problem, GF2 behaves fairly similarly to modal and description logics. It is thus suprising that deciding -entailment (and conservative extensions) in GF2 turns out to be much more challenging than in most modal and description logics. There, the main approach to proving decidability of -entailment is to first establish a suitable model-theoretic characterization based on bisimulations which is then used as a foundation for a decision procedure based on tree automata [30, 7]. In GF2, an analogous characterization in terms of appropriate guarded bisimulation fails. Instead, one has to demand the existence of -bounded (guarded) bisimulations, for all , and while tree automata can easily handle bisimulations, it is not clear how they can deal with such an infinite family of bounded bisimulations. We solve this problem by a very careful analysis of the situation and by providing another characterization that can be viewed as being ‘half way’ between a model-theoretic characterization and an automata-encoding of -entailment.
We also observe that a 2ExpTime lower bound from [16] for conservative extensions in description logics can be adapted to GF2, and consequently our upper bound is tight. It is known that GF2 enjoys Craig interpolation and thus our results are also relevant to deciding uniform interpolants and to a stronger version of conservative extensions in which the separating sentence can also use ‘helper symbols’ that occur neither in nor in .
2 Preliminaries
We introduce the fragments of classical first-order logic (FO) that are relevant for this paper. We generally admit equality and disallow function symbols and constants. With FO2, we denote the two-variable fragment of FO, obtained by fixing two variables and and disallowing the use of other variables [37, 32]. In FO2 and fragments thereof, we generally admit only predicates of arity one and two, which is without loss of generality [20]. In the guarded fragment of FO, denoted GF, quantification is restricted to the pattern
[TABLE]
where is a GF formula with free variables among and is an atomic formula or an equality that in either case contains all variables in [1, 19]. The formula is called the guard of the quantifier. The -variable fragment of GF, defined in the expected way, is denoted GF. Apart from the logics introduced so far, in informal contexts we shall also mention several related description logics. Exact definitions are omitted, we refer the reader to [2].
A signature is a finite set of predicates. We use GF to denote the set of all GF-sentences that use only predicates from (and possibly equality), and likewise for GF and other fragments. We use to denote the set of predicates that occur in the FO formula . Note that we consider equality to be a logical symbol, rather than a predicate, and it is thus never part of a signature. We write if is a logical consequence of . The next definition introduces the central notions studied in this paper.
Definition 2.1**.**
Let be a fragment of FO, -sentences and a signature. Then
* -entails , written , if for all -sentences , implies ;* 2. 2.
* and are -inseparable if -entails and vice versa;* 3. 3.
* is a conservative extension of if -entails .*
Note that -entailment could equivalently be defined as follows when is closed under negation: -entails if for all -sentences , satisfiability of implies satisfiability of . If does not -entail , there is thus an -sentence such that is satisfiable while is not. We refer to such as a witness sentence for non--entailment.
Example 2.2**.**
(1) -entailment is a weakening of logical consequence, that is, implies for any . The converse is true when .
(2) Consider the GF2 sentences and and let . Then is a witness for . If is replaced by we obtain since GF2 cannot count the number of -successors.
It is important to note that different fragments of FO give rise to different notions of -entailment, -inseparability and conservative extensions. For example, if and belong to GF2, then they also belong to GF and to FO2, but it might make a difference whether witness sentences range over all GF2-sentences, over all GF-sentences, or over all FO2-sentences. If we want to emphasize the fragment in which witness sentences are formulated, we speak of -entailment instead of -entailment and write , and likewise for -inseparability and -conservative extensions.
Example 2.3**.**
Let , , and be from Example 2.2 (2). Then GF-entails but does not FO-entail ; a witness is given by .
Note that conservative extensions and -inseparability reduce in polynomial time to -entailment (with two calls to -entailment required in the case of -inseparability). Moreover, conservative extensions reduce in polynomial time to -inseparability. We thus state our upper bounds in terms of -entailment and lower bounds in terms of conservative extensions.
There is a natural variation of each of the three notions in Definition 2.1 obtained by allowing to use additional ‘helper predicates’ in witness sentences. For a fragment of FO, -sentences , and a signature , we say that strongly -entails if -entails for any with . Strong -inseparability and strong conservative extensions are defined accordingly. Strong -entailment implies -entailment, but the converse may fail.
Example 2.4**.**
GF-entailment does not imply strong GF-entailment. Let state that the binary predicate is irreflexive and symmetric and let be the conjunction of and . Thus, an -structure satisfying can be extended to a model of if it contains no -cycles of odd length. Now observe that any satisfiable GF sentence is satisfiable in a forest -structure (see Section 4 for a precise definition). Hence, if a GF-sentence is satisfiable in an irreflexive and symmetric structure then it is satisfiable in a structure without odd cycles and so GF-entails . In contrast, for the fresh ternary predicate and we have but and so witnesses that does not GF-entail .
The example above is inspired by proofs that GF does not enjoy Craig interpolation [24, 13]. This is not accidental, as we explain next. Recall that a fragment of FO has Craig interpolation if for all -sentences with there exists an -sentence (called an -interpolant for ) such that and . has uniform interpolation if one can always choose an -interpolant that does not depend on , but only on and . Thus, given , and with and , then is a uniform -interpolant of iff strongly -entails . Both Craig interpolation and uniform interpolation have been investigated extensively, for example for intuitionistic logic [33], modal logics [40, 12, 31], guarded fragments [13], and description logics [30]. The following observation summarizes the connection between (strong) -entailment and interpolation.
Theorem 2.5**.**
Let be a fragment of FO that enjoys Craig interpolation. Then -entailment implies strong -entailment. In particular, if and , then is a uniform -interpolant of iff -entails .
Proof 2.6**.**
Assume does not strongly -entail . Then there is an -sentence with such that and is satisfiable. Let be an interpolant for and in . Then witnesses that does not -entail .
The uniform interpolant recognition problem for is the problem to decide whether a sentence is a uniform -interpolant of a sentence . It follows from Theorem 2.5 that in any fragment of FO that enjoys Craig interpolation, this problem reduces in polynomial time to -inseparability in and that, conversely, conservative extension in reduces in polynomial time to the uniform interpolant recognition problem in . Neither GF nor FO2 nor description logics with role inclusions enjoy Craig interpolation [24, 10, 27], but GF2 does [24]. Thus, our decidability and complexity results for -entailment in GF2 also apply to strong -entailment and the uniform interpolant recognition problem.
3 Undecidability
We prove that conservative extensions are undecidable in GF3 and in FO2, and consequently so are -entailment and -inseparability (as well as strong -entailment and the uniform interpolant recognition problem). These results hold already without equality and in fact apply to all fragments of FO that contain at least one of GF3 and FO2 such as the guarded negation fragment [4] and the two-variable fragment with counting quantifiers [22].
We start with the case of GF3, using a reduction from the halting problem of two-register machines. A (deterministic) two-register machine (2RM) is a pair with a set of states and a sequence of instructions. By definition, is the initial state, and the halting state. For all ,
- •
either is an incrementation instruction with a register and the subsequent state;
- •
or is a decrementation instruction with a register, the subsequent state if register contains 0, and the subsequent state otherwise.
A configuration of is a triple , with the current state and the register contents. We write if one of the following holds:
- •
, , and ;
- •
, , and ;
- •
, , , and .
The computation of on input is the unique longest configuration sequence such that , , and . The halting problem for 2RMs is to decide, given a 2RM , whether its computation on input is finite (which implies that its last state is ).
We show how to convert a given 2RM into GF3-sentences and such that halts on input iff is not a conservative extension of . Let with and . We assume w.l.o.g. that and that if , then . In , we use the following set of predicates:
- •
a binary predicate connecting a configuration to its successor configuration;
- •
binary predicates and that represent the register contents via the length of paths;
- •
unary predicates representing the states of ;
- •
a unary predicate denoting points where a computation starts.
We define to be the conjunction of several GF2-sentences. First, we say that there is a point where the computation starts:222The formulas that are not syntactically guarded can easily be rewritten into such formulas.
[TABLE]
And second, we add that whenever is not in the final state, there is a next configuration. For :
[TABLE]
The second sentence is constructed so as to express that either does not halt or the representation of the computation of contains a defect, using the following additional predicates:
- •
a unary predicate used to represent that does not halt;
- •
binary predicates used to describe defects in incrementing, decrementing, and keeping register ;
- •
ternary predicates used as guards for existential quantifiers.
In fact, is the disjunction of two sentences. The first sentence says that the computation does not terminate:
[TABLE]
while the second says that registers are not updated properly:
[TABLE]
In this second sentence, additional conjuncts that implement the desired behaviour of and are also needed; they are constructed analogously to the last three lines above (but using guards and ), details are omitted. The following is proved in the appendix of this paper.
Lemma 3.1**.**
If halts, then is not a -conservative extension of . 2. 2.
If there exists a -structure that satisfies and cannot be extended to a model of (by interpreting the predicates in ), then halts.
In the proof of Point 1, the sentence that witnesses non-conservativity describes a halting computation of , up to global GF-bisimulations. This can be done using only two variables. The following result is an immediate consequence of Lemma 3.1.
Theorem 3.2**.**
In any fragment of FO that extends the three-variable guarded fragment GF 3, the following problems are undecidable: conservative extensions, -inseparability, -entailment, and strong -entailment.
Since Point 1 of Lemma 3.1 ensures GF2-witnesses, Theorem 3.2 can actually be strengthened to say that GF2-conservative extensions of GF3-sentences are undecidable.
Our result for FO2 is proved by a reduction of a tiling problem that asks for the tiling of a rectangle (of any size) such that the borders are tiled with certain distinguished tiles. Because of space limitations, we defer details to the appendix and state only the obtained result.
Theorem 3.3**.**
In any fragment of FO that extends FO2, the following problems are undecidable: conservative extensions, -inseparability, -entailment, and strong -entailment.
It is interesting to note that the proof of Theorem 3.3 also shows that FO2-conservative extensions of -TBoxes are undecidable while it follows from our results below that GF2-conservative extensions of -TBoxes are decidable.
4 Characterizations
The undecidability results established in the previous section show that neither the restriction to two variables nor guardedness alone are sufficient for decidability of conservative extensions and related problems. In the remainder of the paper, we show that adopting both restrictions simultaneously results in decidability of -entailment (and thus also of conservative extensions and of inseparability). We proceed by first establishing a suitable model-theoretic characterization and then use it as the foundation for a decision procedure based on tree automata. We in fact establish two versions of the characterization, the second one building on the first one.
We start with some preliminaries. An atomic 1-type for is a maximal satisfiable set of atomic GF-formulas and their negations that use the variable , only. We use to denote the atomic 1-type for realized by the element in the structure . An atomic 2-type for is a maximal satisfiable set of atomic GF-formulas and their negations that use the variables and , only, and contains . We say that is guarded if it contains an atom of the form or , a predicate symbol. We use to denote the atomic 2-type for realized by the elements in the structure . A relation is a GF-bisimulation between and if the following conditions hold whenever :
; 2. 2.
for every such that is guarded, there is a such that and (forth condition); 3. 3.
for every such that is guarded, there is an such that and (back condition).
We write and say that and are GF-bisimilar if there is a GF-bisimulation between and with . If the domain and range of coincide with and , respectively, then is called a global GF-bisimulation.
We next introduce a bounded version of bisimulations. For , we write and say that and are -GF-bisimilar if there is a such that the first condition for bisimulations holds and the back and forth conditions can be iterated up to times starting from and ; a formal definition is in the appendix. It is straightforward to show the following link between -GF2-bisimilarity and GF2-sentences of guarded quantifier depth (defined in the obvious way).
Lemma 4.1**.**
Let and be structures, a signature, and . Then the following conditions are equivalent:
for all there exists with and vice versa; 2. 2.
* and satisfy the same GF*-sentences of guarded quantifier depth at most .
The corresponding lemma for GF-sentences of unbounded guarded quantifier depth and GF-bisimulations holds if and satisfy certain saturation conditions (for example, if and are -saturated). It can then be proved that an FO-sentence is equivalent to a GF2 sentence iff its models are preserved under global GF-bisimulations [21, 17]. In modal and description logic, global -bisimulations can often be used to characterize -entailment in the following natural way [30]: -entails iff every for every (tree) model of , there exists a (tree) model of that is globally -bisimilar to . Such a characterization enables decision procedures based on tree automata, but does not hold for GF2.
Example 4.2**.**
Let and let . Let be the model of that consists of an infinite -path with an initial element. Then there is no model of that is globally GF-bisimilar to since any such model has to contain an infinite -path with no initial element. Yet, is a conservative extension of which can be proved using Theorem 4.3 below.
We give our first characterization theorem that uses unbounded bisimulations in one direction and bounded bisimulations in the other.
Theorem 4.3**.**
Let be -sentences and a signature. Then iff for every model of of finite outdegree, there is a model of such that
for every there is a such that 2. 2.
for every and every , there is an such that .
The direction () follows from Lemma 4.1 and () can be proved using compactness and -saturated structures. Because of the use of -bounded bisimulations (for unbounded ), it is not clear how to use Theorem 4.3 to find a decision procedure based on tree automata. In the following, we formulate a more ‘operational’ but also more technical characterization that no longer mentions bounded bisimulations. It additionally refers to forest models of (of finite outdegree) instead of unrestricted models, but we remark that Theorem 4.3 also remains true under this modification.
A structure is a forest if its Gaifman graph is a forest. Thus, a forest admits cycles of length one and two, but not of any higher length. A (-)tree in a forest structure is a maximal ()-connected substructure of . When working with forest structures , we will typically view them as directed forests rather than as undirected ones. This can be done by choosing a root for each tree in the Gaifman graph of , thus giving rise to notions such as successor, descendant, etc. Which node is chosen as the root will always be irrelevant. Note that the direction of binary relations does not need to reflect the successor relation. When speaking of a path in a forest structure , we mean a path in the directed sense; when speaking of a subtree, we mean a tree that is obtained by choosing a root and restricting the structure to and its descendants. We say that is regular if it has only finitely many subtrees, up to isomorphism.
To see how we can get rid of bounded bisimulations, reconsider Theorem 4.3. The characterization is still correct if we pull out the quantification over in Point 2 so that the theorem reads ‘…iff for every model of of finite outdegree and every , there is…’. In fact, this modified version of Theorem 4.3 is even closer to the definition of -entailment. It also suggests that we add a marking of elements in , representing ‘break-off points’ for bisimulations, and then replace -bisimulations with bisimulations that stop whenever they have encountered the second marked element on the same path—in this way, the distance between marked elements (roughly) corresponds to the bound in -bisimulations. However, we would need a marking , for any , such that there are infinitely many markers on any infinite path and the distance between any two markers in a tree is at least . It is easy to see that such a marking may not exist, for example when and is the infinite full binary tree. We solve this problem as follows. First, we only demand that the distance between any two markers on the same path is at least . And second, we use the markers only when following bisimulations upwards in a tree while downwards, we use unbounded bisimulations. This does not compromise correctness of the characterization.
We next introduce a version of bisimulations that implement the ideas just explained. Let and be forest models, a signature, and . Two relations form an -delimited GF-bisimulation between and if the following conditions are satisfied:
if , then and
- (a)
for every with guarded, there is a such that where if is the predecessor of and , and otherwise; 2. (b)
for every with guarded, there is an such that where if is the predecessor of and , and otherwise; 2. 2.
if and the predecessor of in is not in , then and
- (a)
for every with guarded, there is a such that where if is the predecessor of and , and otherwise; 2. (b)
for every with guarded, there is an such that where if is the predecessor of and , and otherwise.
Then and are -delimited GF-bisimilar, in symbols , if there exists an -delimited GF-bisimulation between and such that .
Let be a GF2-sentence. We use to denote the set of all subformulas of closed under single negation and renaming of free variables (using only the available variables and ). A -type for is a subset that contains only formulas of the form and such that is satisfiable. For a model of and , we use to denote the -type , assuming that is understood from the context. We say that the -type is realized in if there is an with . We are now ready to formulate our final characterizations.
Theorem 4.4**.**
Let be GF 2-sentences and a signature. Then iff for every regular forest model of that has finite outdegree and for every set with infinite for any infinite -path in , there is a model of such that
for every , there is a such that ; 2. 2.
for every 1-type for that is realized in , there are and such that and .
Regularity and finite outdegree are used in the proof of Theorem 4.4 given in the appendix, but it follows from the automata constructions below that the theorem is still correct when these qualifications are dropped.
5 Decidability and Complexity
We show that -entailment in GF2 is decidable and 2ExpTime-complete, and thus so are conservative extensions and -inseparability. The upper bound is based on Theorem 4.4 and uses alternating parity automata on infinite trees. Since Theorem 4.4 does not provide us with an obvious upper bound on the outdegree of the involved tree models, we use alternating tree automata which can deal with trees of any finite outdegree, similar to the ones introduced by Wilke [41], but with the capability to move both downwards and upwards in the tree.
A tree is a non-empty (and potentially infinite) set of words closed under prefixes. We generally assume that trees are finitely branching, that is, for every , the set is finite. For any , as a convention we set . If , we additionally set . For an alphabet , a -labeled tree is a pair with a tree and a node labeling function.
A two-way alternating tree automata (2ATA) is a tuple where is a finite set of states, is the input alphabet, is the initial state, is a transition function as specified below, and is a priority function, which assigns a priority to each state. The transition function maps a state and some input letter to a transition condition which is a positive Boolean formula over the truth constants and and transitions of the form , , , , where . The automaton runs on -labeled trees. Informally, the transition expresses that a copy of the automaton is sent to the current node in state , means that a copy is sent in state to the predecessor node, which is then required to exist, means the same except that the predecessor node is not required to exist, means that a copy is sent in state to some successor, and that a copy is sent in state to all successors. The semantics is defined in terms of runs in the usual way, we refer to the appendix for details. We use to denote the set of all -labeled trees accepted by . It is standard to verify that 2ATAs are closed under complementation and intersection. We show in the appendix that the emptiness problem for 2ATAs can be solved in time exponential in the number of states.
We aim to show that given two GF2-sentences and and a signature , one can construct a 2ATA such that iff . The number of states of the 2ATA is polynomial in the size of and exponential in the size of , which yields the desired 2ExpTime upper bounds.
Let , , and be given. Since the logics we are concerned with have Craig interpolation, we can assume w.l.o.g. that . With , we denote the set of all pairs where is an atomic 2-type for and . For , we use to denote and to denote . A -labeled tree represents a forest structure with universe and where if and if one of the following conditions is satisfied: (1) and ; (2) is a successor of and ; (3) is a successor of and . Thus, the atoms in a node label that involve only the variable describe the current node, the atoms that involve both variables and describe the connection between the predecessor and the current node, and the atoms that involve only the variable are ignored. The -components of node labels are used to represent a set of markers . It is easy to see that, conversely, for every tree structure over , there is a -labeled tree such that .
To obtain the desired 2ATA , we construct three 2ATAs and then define so that it accepts . The 2ATA only makes sure that the set is such that for any infinite -path , is infinite (as required by Theorem 4.4), we omit details. We construct so that it accepts a -labeled tree iff is a model of . The details of the construction, which is fairly standard, can be found in the appendix. The number of states of is polynomial in the size of and independent of . The most interesting automaton is .
Lemma 5.1**.**
There is a 2ATA that accepts a -labeled tree iff there is a model of s.t. Conditions 1 and 2 from Theorem 4.4 are satisfied when is replaced with .
The general idea of the construction of is to check the existence of the desired model of by verifying that there is a set of 1-types for from which can be assembled, represented via the states that occur in a successful run. Before we can give details, we introduce some preliminaries.
A [math]-type for is a maximal set of sentences such that is satisfiable. A -type for is a maximal set of formulas that contains and such that is satisfiable. If a 2-type contains the atom or for at least one binary predicate , then it is guarded. If additionally , then it is -guarded. Note that each -type contains a (unique) [math]-type and each -type contains two (unique) -types. Formally, we use to denote the 1-type obtained by restricting the 2-type to the formulas that do not use the variable , and likewise for and the variable . We use to denote the set of -types for , . For and a , we say that is compatible with and write if the sentence is satisfiable; for and a set of guarded 2-types, we say that is a neighborhood for and write if the sentence
[TABLE]
is satisfiable. Note that each of the mentioned sentences is formulated in GF2 and at most single exponential in size (in the size of and ), thus satisfiability can be decided in 2ExpTime.
To build the automaton from Lemma 5.1, set where is
[TABLE]
assigns two to all states except for those of the form , to which it assigns one.
The automaton begins by choosing the [math]-type realized in the forest model of whose existence it aims to verify. For every , it then chooses a 1-type in which is realized in and sends off a copy of itself to find a node where is realized. To satisfy Condition 1 of Theorem 4.4, at each node it further chooses a 1-type that is compatible with , to be realized at that node. This is implemented by the following transitions:
[TABLE]
where ranges over . When a state of the form is assigned to a node , this is an obligation to prove that there is a GF-bisimulation between the element in and an element of type in . A state of the form represents the obligation to verify that there is an -delimited GF-bisimulation between and an element of type in . We first verify that the former obligations are satisfied. This requires to follow all successors of and to guess types of successors of to be mapped there, satisfying the back condition of bisimulations. We also need to guess successors of in (represented as a neighborhood for ) to satisfy the existential demands of and then select successors of to which they are mapped, satisfying the “back” condition of bisimulations. Whenever we decide to realize a 1-type in that does not participate in the bisimulation currently being verified, we also send another copy of the automaton in state to guess an that we can use to satisfy Condition 2 from Theorem 4.4:
[TABLE]
[TABLE]
where means that the atoms in that mention only are identical to the -relational atoms in (up to renaming to ), means that the restriction of to -atoms is exactly , and is obtained from by swapping and . We need further transitions to satisfy the obligations represented by states of the form , which involves checking -delimited bisimulations. Details are given in the appendix where also the correctness of the construction is proved.
Theorem 5.2**.**
In GF 2, -entailment and conservative extensions can be decided in time , for some polynomial . Moreover, -inseparability is in 2ExpTime.
Note that the time bound for conservative extensions given in Theorem 5.2 is double exponential only in the size of (that is, the extension). In ontology engineering applications, will often be small compared with .
A matching lower bound is proved using a reduction of the word problem of exponentially space-bounded alternating Turing machines, see the appendix for details. The construction is inspired by the proof from [16] that conservative extensions in the description logic are 2ExpTime-hard, but the lower bound does not transfer directly since we are interested here in witness sentences that are formulated in GF2 rather than in .
Theorem 5.3**.**
In any fragment of FO that contains GF 2, the problems -entailment, -inseparability, conservative extensions, and strong -entailment are 2ExpTime-hard.
6 Conclusion
We have shown that conservative extensions are undecidable in (extensions of) GF and FO2, and that they are decidable and 2ExpTime-complete in GF2. It thus appears that decidability of conservative extensions is linked even more closely to the tree model property than decidability of the satisfiability problem: apart from cycles of length at most two, GF2 enjoys a ‘true’ tree model property while GF only enjoys a bounded treewidth model property and FO2 has a rather complex regular model property that is typically not even made explicit. As future work, it would be interesting to investigate whether conservative extensions remain decidable when guarded counting quantifiers, transitive relations, equivalence relations, or fixed points are added, see e.g. [35, 25, 23]. It would also be interesting to investigate a finite model version of conservative extensions.
Appendix A Proofs for Section 3
We split the proof of Lemma 3.1 into two parts.
Lemma A.1**.**
If halts then is not a GF2-conservative extension of .
Proof A.2**.**
Assume that halts. We define a witness for non-conservativity. It says that every element participates in a substructure that represents the computation of on input , that is: if the computation is , then there is an -path of length (but not longer) such that any object reachable in steps from the beginning of the path is labeled with , has an outgoing -path of length and no longer outgoing -path, and likewise for and . In more detail, consider the -structure with
[TABLE]
in which
[TABLE]
Then let be a -sentence that describes up to global GF-bisimulations. Clearly satisfies . It thus remains to show that is unsatisfiable. But this is clear as there are no -paths of length in any model of and since there are no defects in register updates in any model of .
Lemma A.3**.**
If there exists a -structure that satisfies and cannot be extended to a model of , then halts.
Proof A.4**.**
Let be a -structure satisfying that cannot be extended to a model of . Then and there exists an -path labeled with states in starting in . Since cannot be extended to a model of the computation starting from is finite. Moreover, one can readily prove by induction that no register update defects occur since otherwise can be satisfied.
We now prove Theorem 3.3 using a reduction of an undecidable tiling problem.
Definition A.5**.**
A tiling system consists of a finite set of tiles, horizontal and vertical matching relations , and subsets , , , and of containing the right tiles, left tiles, top tiles, and bottom tiles, respectively. A solution to is a triple where and such that the following hold:
, for all and ; 2. 2.
, for all and ; 3. 3.
* and , for all ;* 4. 4.
* and , for all .*
We show how to convert a tiling system into FO2-sentences and such that has a solution iff is not a conservative extension of . In particular, models of witness sentences will define solutions of .
Let be a tiling system. The formula uses the following set of predicates:
- •
binary predicates and (representing a grid) and and (for technical reasons),
- •
unary predicates for every , (for the domain of the grid), (for the lower left corner of the grid), , , , and (for the borders of the grid).
Then is the conjunction of the following sentences:
Every position in the grid is labeled with exactly one tile and the matching conditions are satisfied:
[TABLE] 2. 2.
The predicates , , , and mark the borders of the grid:
[TABLE]
and similarly for , , and . 3. 3.
There is a grid origin:
[TABLE] 4. 4.
The grid elements are marked by :
[TABLE] 5. 5.
The tiles on border positions are labeled with appropriate tiles:
[TABLE]
and similarly for , , and . 6. 6.
The predicates and occur in : any FO2-tautology using them.
This finishes the definition of . The sentence introduces two new unary predicates and and is the conjuntion of and
[TABLE]
where
[TABLE]
Thus, describes a defect in the grid: there exist an -successor and an -successor of such that every -successor of is labeled with and every -successor of is labeled with . Informally, we can satisfy only if from some element of , there is an infinite -path or a non-closing grid cell can be reached by a finite such path. To make this precise, we introduce some notation. Let and let be a -structure. Then the -structure obtained from by removing the interpretation of predicates in is called the -reduct of and is called a -extension of . For a -structure , we say that is the root of a non-closing grid cell if there are and such that there does not exist a with and . Now, it is straightforward to show the following characterization of .
Lemma A.6**.**
* can be satisfied in a -extension of a -structure iff there exists an element of that starts an infinite -path or a finite -path to a root of a non-closing grid cell.*
We now argue that has a solution iff is not a conservative extension of .
Lemma A.7**.**
If has a solution then is not a FO2-conservative extension of .
Proof A.8**.**
Assume that has a solution . We define a witness , first using additional fresh unary predicates and then argueing that these can be removed. Thus introduce fresh unary predicates for all and . Intuitively, identifies grid position . Set
[TABLE]
We first show that is satisfiable. As the model, simply take the standard -grid in which all positions are labeled with , , , etc in the expected way, and that is tiled according to . It is easily verified that this structure satisfies both and . It thus remains to show that is unsatisfiable. By Lemma A.6 it suffices to show that there is no model of in which there exists an element of starting an infinite -path or a finite -path leading to a root of a non-closing grid cell. Assume for a proof by contradiction that there exists such a model and . Then we find a sequence with and such that either some is the root of a non-closing grid cell or the sequence is infinite. By and the first conjunct of for each there exists with . By the last conjunct of , . By the remaining conjuncts of we have if and it follows that there is no with . Thus, assume some is the root of a non-closing grid. Then we have and such that there is no with and . By , there are with and . By the second set of conjuncts of there exists . By , . But then again using we obtain that and we have derived a contradiction.
As announced, we now show how to remove the additional predicates . To this end, we use the binary predicates . In the sentence , we replace every occurrence of with a formula saying: there is an outgoing -path of length , but not of length and an outgoing -path of length , but not of length . When we build a model of , we now need to introduce additional elements for the “counting paths”. We make the predicate false on all those elements and true everywhere on the grid.
Lemma A.9**.**
If there exists a -structure that satisfies and cannot be extended to a model of , then has solution.
Proof A.10**.**
Take a -structure satisfying that cannot be extended to a model of . By the conjunct of given in Item 3, . Take . By Lemma A.6, does not start an infinite -path or a finite -path leading to the root of a non-closing grid cell. Using the conjuncts of it is now straightforward to read off a tiling from .
Theorem 3.3 is an immediate consequence of Lemmas A.7 and A.9.
Note that the sentences and can be replaced by equivalent -TBoxes: in , we can replace the conjunct which cannot be expressed in by the concept inclusion with a fresh binary predicate. Consequently, FO-inseparability of -TBoxes is undecidable.
Appendix B Preliminaries on Bisimulations
We first show that GF-bisimulations characterize the expressive power of GF. The proofs are standard [21, 17, 1]. We start by giving a precise definition of -GF bisimilarity. Let and be structures, , and . The definition is by induction on . Then iff and iff and
for every such that is guarded there exists such that and 2. 2.
for every such that is guarded there exists such that and .
Denote by openGF2 the fragment of GF2 consisting of all GF2 formulas with one free variable in which equality is not used as a guard and which do not contain a subformula that is a sentence. It is not difficult to prove the following result.
Lemma B.1**.**
Every GF 2 sentence is equivalent to a Boolean combination of sentences of the form , where is a openGF 2 formula.
A structure is -saturated if for every finite set and every set of FO formulas using elements of as constants the following holds: if every finite subset of is satisfiable in the structure , then is satisfiable in . For every structure there exists an elementary extension of that is -saturated [9]. Mostly we only require a weaker form of saturation. A structure is successor-saturated if for any and set of openGF2 formulas the following holds for any atomic guarded binary type : if for any finite subset of there exists with and for all , then there exists with and for all . Observe that structures of finite outdegree and -saturated structures are successor-saturated.
The depth of a GF2 formula is the number of nestings of guarded quantifications in . We first characterize openGF2. The proof is standard and omitted.
Lemma B.2**.**
Let and be structures, a signature, and , .
The following conditions are equivalent for all :
- •
* iff holds for all openGF** formulas of depth ;*
- •
. 2. 2.
If , then iff holds for all openGF* formulas . The converse direction holds if and are successor-saturated. *
We also require the following link between bounded bisimulations and unbounded bisimulations which follows from Lemma B.2.
Lemma B.3**.**
*Let and be successor-saturated structures, , and . If for all , then . *
We now consider ‘global’ versions of the bounded bisimulations introduced above to characterize GF2. Call structures and globally -GF-bisimilar if for all there exists such that and, conversely, for every there exists with . and are globally finitely GF-bisimilar iff they are globally -GF-bisimilar for all . The following characterization result now follows from Lemma B.1 and Lemma B.2.
Lemma B.4**.**
Let and be structures and a signature.
The following conditions are equivalent:
- •
* iff holds for all GF** sentences ;*
- •
* and are globally finitely GF*-bisimilar. 2. 2.
If and are globally GF-bisimilar, then iff holds for all GF* sentences . The converse direction holds if and are -saturated. *
Observe that in Lemma B.4 we cannot replace -saturation by successor-saturation or finite outdegree.
Appendix C Proofs for Section 4
Based on the results presented in the previous section we prove the following characterization of -entailment in FO2.
Theorem 4.3 Let be GF2-sentences and a signature. Then iff for every model of of finite outdegree, there is a model of such that
for every there is a such that 2. 2.
for every and every , there is an such that .
Proof C.1**.**
“if”. Assume that for every model of of finite outdegree, there is a model of as described in Theorem 4.3. Take a -sentence such that is satisfiable. We have to show that is satisfiable. We find a model of that has finite outdegree. By assumption, there is a model of that satisfies Conditions 1 and 2 of Theorem 4.3. It suffices to show that satisfies . But this follows from Lemma B.4.
“only if”. Assume that . Let be a model of of finite outdegree. Let denote the set of all GF sentences with . Then is satisfiable for every finite subset of . As , is satisfiable for every finite subset of . By compactness is satisfiable. Then there exists an -saturated model of . By -saturatedness, for every there exists such that iff holds for all formulas in openGF. By Lemma B.2, we have , as required for Condition 1. Condition 2 follows from Lemma B.2.
Before we come to the proof of Theorem 4.4 we prove another characterization of -entailment in GF2. If is a forest structure with , then we write iff and are part of the same -tree in and is a ancestor of (recall that a -tree in a forest structure is a maximal -connected substructure of and that we always assume a fixed root in trees within forest structures). For and structures and , an -delimited GF-bisimulation between and is defined like a GF-bisimulation except that Conditions 2 and 3 are not required to hold when . We indicate the existence of an -delimited bisimulation by writing . This requires . We now give a characterization of -entailment using forest models in which we replace the bounded backward condition by an unbounded condition.
Theorem C.2**.**
Let be GF2-sentences and a signature. Then iff for every regular forest model of that has finite outdegree there is a model of such that
for every there is a such that 2. 2.
for every , one of the following holds:
- (a)
there is an such that ; 2. (b)
there are such that and, for all , and .
Proof C.3**.**
Using the proof of Theorem 4.3, the fact that every (successor-saturated/finite outdegree) structure can be unfolded into a globally GF-bisimilar (successor saturated/finite outdegree) forest model , and the fact that, consequently, every satisfiable GF2 formula is satisfiable in a regular forest model of finite outdegree one can easily prove the following variant of Theorem 4.3 based on forest models:
Fact 1.* Let be GF2-sentences and a signature. Then iff for every regular forest model of that has finite outdegree there is a (successor saturated) forest model of such that*
for every there is a such that 2. 2.
for every and every , there is an such that .
To show Theorem C.2 it therefore suffices to show that for every regular forest model of that has finite outdegree and every successor-saturated forest model of , Condition 2 in Fact 1 is equivalent to Condition 2 of Theorem C.2.
Thus, let and be as described. The interesting direction is to prove that if Condition 2 in Fact 1 holds then Condition 2 of Theorem C.2 holds. Thus, assume that Condition 2 in Fact 1 holds. Take . We may assume it is a root of a -tree in . Then there are such that for all , . If infinitely many of the are identical, then there is an such that for all , thus by Lemma B.3 and we are done. Therefore, assume that there are infinitely many distinct . By ‘skipping’ elements in the sequence , we can then achieve that the are all distinct.
Two nodes are downwards isomorphic, written , if they are the roots of isomorphic subtrees. For a forest structure , , and we denote by the path structure obtained by restricting to those elements that can be reached from by traveling at most steps towards the root of the tree in that is part of (including itself). For and , we write if there is an isomorphism from to with such that for all . Since is regular, contains only finitely many equivalence classes for each . By skipping ’s, we can thus achieve that
- ()
* for all with and .*
This also implies that each is at least steps away from the root of the tree in that it is in (since there are infinitely many , they must be unboundedly deep in their respective tree, and it remains to apply ()). Let denote the element of reached from by traveling steps towards the root. Since is regular, there must be an infinite subsequence of such that for all .
Choose some with for all (equivalently: for some ). We can assume w.l.o.g. that each is in the subtree rooted at and that when traveling steps from towards the root of the subtree that is in, then we reach exactly .
Let be the structure obtained in the limit of the neighborhoods . That is, we start with the subtree of rooted at , renaming to , and then proceed as follows: after the -th step, the constructed structure is isomorphic to the subtree of rooted at via an isomorphism that maps to and the root to ; by (), we can thus add a path of predecessor to the root of the structure constructed so far, and then add additional subtrees to the nodes on the path as additional successors, making sure that the obtained structure is isomorphic to the subtree of rooted at via an isomorphism that maps to and the new root to . By construction, for all and thus Lemma B.3 yields .
Take some . We aim to show that . Let be the element reached from in by traveling steps upwards and recall that is the element reached from in by traveling steps upwards. By construction of , we find an isomorphism from the subtree in rooted at to the subtree in rooted at that takes to and to . From , we thus obtain the desired -delimited -bisimulation that witnesses .
It remains to show the existence of the required elements , that is, to show that there is a path through the subtree of rooted at such that each is either on the path or can be reached by branching off at a different point of the path. This can be done in the following straightforward way. Starting at , we define the path step by step. In every step, there must be at least one successor which is the root of a subtree that contains infinitely many ’s since has finite outdegree. We always proceed by choosing such a successor. This almost achieves the desired result, except that not all are reachable from a distinct node on the path by traveling downwards. However, there are infinitely many nodes on the path from which at least one can be reached by traveling downwards, so the problem can be cured by skipping ’s.
We are now in a position to prove Theorem 4.4. We require the following extended version of -GF2-bisimilarity which respects the successor relation in forest structures. Let and be forest structures, , and . The definition is by induction on . Then iff and iff and
for every such that is guarded there exists such that and is a successor of in iff is a successor of in and 2. 2.
for every such that is guarded there exists such that and is a successor of in iff is a successor of in and .
Theorem 4.4 Let be GF2-sentences and a signature. Then iff for every regular forest model of that has finite outdegree and every set with infinite for any infinite -path in there is a model of such that
for every , there is a such that 2. 2.
for every 1-type for that is realized in , there are and such that and .
Proof C.4**.**
() It suffices to show that for every and every regular forest model of that has finite outdegree there exists a model of such that and are globally -GF-bisimilar. Assume and a regular forest model of that has finite outdegree is given. Let be the maximum of and the guarded quantifier depth of . Then denotes the maximal number of nodes in any -forest model which are pairwise -incomparable. Define on every -tree with root in in such a way that iff the distance between and is for some . Let be a forest shaped model of satisfying the conditions of Theorem 4.4. One can easily modify in such a way that in addition to the conditions given in the theorem
* every 1-type for that is realized in is realized in the root of a -tree in and for every root of a -tree in there exists such that .*
To show first pick for every a with . Let be the set of ’s just picked and let be the disjoint union of the structures induced in by the -trees whose roots are in . Next pick for every 1-type for that is realized in a that realizes . Let be the set of ’s just picked and let be the disjoint union of the structures induced in by the -trees whose roots are in . Finally, we add (recursively) witnesses for guarded existential quantifiers not involving binary predicates from to the disjoint union of and . In detail, take for any in its copy in and assume in is such that or is non-empty and contains no predicate in . Then add to a copy of the -tree in whose root realizes the same 1-type for as and connect to by adding for all binary predicates the pair to the extension of if and the pair to the extension of if . We apply this procedure recursively to the new structure (in a fair way) and obtain the desired structure as the limit of the resulting sequence of structures.
We now modify in such a way that the resulting structure is still a model of but in addition globally -GF-bisimilar to . Consider the structure induced by the -tree with root in . If there exists an with then we do not modify and set . If no such exists, then we modify in such a way that every in the resulting -tree is -GF-bisimilar to some . Note that we only know that there exists such that . By construction of this implies that and are -GF-bisimilar. Thus, it suffices to modify in such a way that every node in the -tree becomes -GF-bisimilar to some in the original with distance from . To ensure that is still satisfied we make sure that the following stronger condition holds: every node in the -tree rooted at is -GF2-bisimilar to some in the original with distance from . The construction is by a standard pumping argument. For we say that blocks if and and there is no such that there is an with and . The universe of is the set of words with in and such that either is a successor of or there is a successor of such that blocks . Let . For every unary and we set if and for every binary we set for : if and for :
- •
* if or there is an such that blocks and ;*
- •
* if or there is an such that blocks and .*
We now replace by in . In more detail, take the disjoint union of all , the root of a -tree in . Then add (recursively) witnesses for guarded existential quantifiers not involving binary predicates from to : take for any in and any 1-type for that is realized in some node in such that or is non-empty and contains no predicate in the root of a structure such that realizes in . Then add to a new copy of and connect to by adding for any binary predicate the pair to if and the pair to if . We apply this procedure recursively to the new structure (in a fair way) and obtain the desired structure as the limit of the resulting sequence of structures.
() Assume that . Let be a regular forest model of that has finite outdegree and let be such that is infinite for any maximal infinite -path in . By Theorem C.2, there is a model of such that
for every there is a such that 2. 2.
for every , one of the following holds:
- (a)
there is an such that ; 2. (b)
there are such that and, for all , and .
Let be a 1-type for realized by some . We have to find an such that . If there is an such that then we are done as follows. Otherwise there are such that and, for all , and . Then let be a -path containing . is infinite and so we can choose an such that there are at least two elements of on the path from to . It follows from the definition of that , as required.
Appendix D Proofs for Section 5
We construct the required 2ATAs.
Lemma D.1**.**
*Let be a GF2-sentence. There is a 2ATA that accepts a -labeled tree iff is a model of . *
We assume that in all subformulas of of the form and , consists of exactly one variable and is a relational atom with two variables or an equality atom. This can be done w.l.o.g. because each sentence can be rewritten into , each sentence with a relational atom can be rewritten into , and likewise for universal quantifiers. We further assume that has no subformulas of the form with ; such formulas are equivalent to , that is, the result of replacing in all occurrences of with . The result of these assumptions is that each formula takes the form or , and likewise for universally quantified formulas. We define where
[TABLE]
and assigns two to all states except those of the form , to which it assigns one. The underlining in states of the form and serves as a marking of the variable that is bound to the tree node to which the state is assigned. We define the transition function as follows, for each :
[TABLE]
[TABLE]
where ranges over , range over , and ranges over . With , we mean the result of exchanging in the variables and , and denotes the negation normal form of the negation of .
We now complete the construction of the 2ATA . It remains to implement the obligation represented by states of the form , that is, the existence of -delimited GF-bisimulations. Recall that such a bisimulation consists of two relations and , each of which behaves essentially like a GF-bisimulation except in some special cases that pertain to the -marking of one of the involved structures, which in this case is the structure . To deal with and , we take copies and of every state that is of the form , , , , and , and also copies of the above block of transitions, modified in a suitable way to take care of the special cases. This is implemented for by the following transitions:
[TABLE]
The transitions for are as follows:
[TABLE]
Lemma D.2**.**
* satisfies the condition from Lemma 5.1.*
Proof D.3**.**
“”. Let be a -labeled tree and let be a model of such that Conditions 1 and 2 of Theorem 4.4 are satisfied when is replaced with (and when is the set described by the second component of the -labels). We argue that can be used to guide a run of on so that it is accepting.
In this run, starts with choosing the [math]-type realized by . Then, for each , we guide to proceed in state , where is the -type of some element with . By Condition 2 of Theorem 4.4, there is a such that and . In the search state , we guide the run to reach and switch to state there. The automaton also sends a copy in state to each node . By Condition 1 of Theorem 4.4, there is a such that . We guide the run to proceed in state , the 1-type of .
At this point, the automaton needs to satisfy two kinds of obligations:
states true at a node representing the obligation to verify that there is a with 1-type and such that and 2. 2.
states true at a node representing the obligation to verify that there is a with 1-type and such that .
Note that we have guided the run so that the required bisimulations indeed exist and therefore we can use them to further guide the run. We only consider Case 1 above, thus concentrating on states of the form , , , , and . Suppose the automaton is in state at node . By the way in which we guide the run, there is then a with 1-type and such that . We guide the run to select as the set of all guarded 2-types such that . For each such , there must be a and a with and where is either the predecessor of or a successor of it. In the former case, we guide the automaton to switch to state and in the latter, we guide it to execute . When the automaton was sent in state to a successor of , then there must be a such that and for some guarded 2-type . Guide the run to choose . The decision to be taken for states is handled very similarly.
“”. Let be a -labeled tree that is accepted by . Then there is an accepting run of on . We show how to use to construct a model of such that Conditions 1 and 2 of Theorem 4.4 are satisfied when is replaced with . Along with , we construct the following objects:
- •
a GF-bisimulation between and which witnesses that Condition 1 of Theorem 4.4 is satisfied,
- •
two relations and that form an -delimited GF-bisimulation between and , where is the subset defined by the second component of , and which witness that Condition 2 of Theorem 4.4 is satisfied, and
- •
a function that assigns to each element of the 1-type that we aim to realize there.
Throughout the construction, we make sure that the following invariants are satisfied:
if , then the label occurs in ; 2. 2.
if , , then the label occurs in .
The start of the construction is as follows:
- •
for each label that occurs in , introduce an element of , add to , and set ;
- •
for each label that occurs in , introduce an element of , add to , and set .
We then iteratively extend , , , , and , obtaining the desired structure and bisimulations in the limit. In each step, process every that has not been processed in a previous round. There are three cases.
Case (a)**. There is a . By Invariant 1, we find a node such that . We perform two steps:
- •
For every predecessor or successor of in with guarded, there must be a 2-type such that , occurs as a label in , and . Extend with a new element , extend the interpretation of the predicates in such that , set , and extend with .
- •
There must be a set of guarded 2-types such that and for every , there is a predecessor or successor of in such that , occurs as a label in , and . Extend with a new element (for every ), extend the interpretation of the predicates in such that , set , and extend with .
Case (b)**. There is a . By Invariant 2, we find a node such that . We can now proceed exactly as in Case (a) except that, in both subcases, we add to if is a predecessor of and , and to otherwise.
Case (c)**. There is a . By Invariant 2, we find a node such that . If the predecessor of is not in , then we again proceed as in Case (a) except that, in both subcases, we add to if is a sucessor of and , and to otherwise. If the predecessor of is in , then we we also proceed as in Case (a), but do not add to any of the constructed bisimulations.
Case (d)**. None of the above cases applies. Then we proceed as in Case (a), again not adding to any of the constructed bisimulations.
It can be verified that, as intended the structure obtained in the limit is a model of , that the relation is a GF-bisimulation, and that form an -delimited GF-bisimulation.
Recall that we define the overall 2ATA so that it accepts . Using Theorem 4.4, it can be verified that, as intended, iff . Note that for the “only if” direction, we have to show that implies that there is a regular forest model of that satisfies the negation of the conditions in Theorem 4.4. As is the case for other kinds of tree automata, also for the 2ATA it can be shown that implies that accepts a regular -labeled tree . The corresponding structure must then also be regular.
We show that -entailment, -inseparability, and conservative extensions in GF2 are 2ExpTime-hard. The proof is by reduction of the word problem for exponentially space bounded alternating Turing machines (ATMs). An ATM is of the form . The set of states consists of existential states from , universal states from , an accepting state , and a rejecting state ; is the input alphabet and the work alphabet that contains a blank symbol ; is the starting state; and the transition relation is of the form We write for and assume that for all and .
A configuration of an ATM is a word with and . The intended meaning is that the one-side infinite tape contains the word with only blanks behind it, the machine is in state , and the head is on the symbol just after . The successor configurations of a configuration are defined in the usual way in terms of the transition relation . A halting configuration (resp. accepting configuration) is of the form with (resp. ).
A computation tree of an ATM on input is a tree whose nodes are labeled with configurations of on , such that the descendants of any non-leaf labeled by a universal (resp. existential) configuration include all (resp. one) of the successor configurations of that configuration. A computation tree is accepting if the root is labeled with the initial configuration for and all leaves with accepting configurations. An ATM accepts input if there is a computation tree of on .
Take an exponentially space bounded ATM whose word problem is 2ExpTime-hard [8]. We may w.l.o.g. assume that the length of every computation path of on is bounded by . We can also assume that for each and each , the set has exactly two elements. We assume that these elements are ordered, i.e., is an ordered pair . Furthermore, we assume that never attempts to move left on the left-most tape cell.
Let be an input to . In the following, we construct GF2 sentences and such that is a conservative extension of if and only if does not accept . Informally, the main idea is to construct and such that models of sentences that witness non-conservativity describe an accepting computation tree of on . In such models, each domain element represents a tape cell of a configuration of , the binary predicate indicates moving to the next tape cell in the same configuration, and the binary predicates and indicate moving to left and right successor configurations in accepting configuration trees. Thus, each node of the computation tree (that is, each configuration) is spread out over a sequence of nodes in the model. We actually assume that every non-halting configuration has two successor configurations, also when its state is existential. This can of course easily be achieved by duplicating subtrees in computation trees. The following predicates are used in :
- •
a unary predicate to mark the root of computation trees;
- •
binary predicates , , , as explained above;
- •
unary predicates that represent the bits of a binary counter which identifies tape positions;
- •
a unary predicate that marks the topmost configuration in the configuration tree;
- •
unary predicates , , to represent the tape content of cells that are not under the head;
- •
unary predicates , and , to represent the state of a configuration, the head position, and the tape content of the cell that is under the head;
- •
unary predicates and , with the ranges of and as above, to represent the same information, but for the previous configuration in the tree instead of for the current one;
- •
unary predicates and , , , , to record the transition to be executed in the subsequent configurations;
- •
unary predicates , with the ranges of as above, to record the transition executed to reach the current configuration.
The sentence uses some additional unary predicates, including to implement another counter whose purpose is explained below.
The sentences and are shown in Figures 1 and 2, respectively, where and range over , over , and over , over , and over . The formula , which is easily worked out in detail, expresses that the value of the binary counter implemented by has value exactly at , and likewise for and , and for the primed versions in which refer to the counter implemented by . The formula expresses that the counter value at is obtained from the counter value at by incrementation modulo . Again, we omit the details.
Let us walk through and and give some intuition of what the various conjuncts are good for. In , Lines (1) to (4) ensure that at an element that satisfies , there is an infinite tree of the expected pattern: first -edges without branching, then a binary branching of an -edge and an -edge, then -edges without branching, and so on, ad infinitum. Of course, a computation tree will be represented using only a finite initial piece of this infinite tree. These conjuncts also set up the counter so that it identifies the position of tape cells and the marker so that it identifies the topmost configuration in the tree. Line (5) says that every cell is labeled with exactly one symbol and that the state is unique (locally to one cell; there is no need to express the same globally for the entire configuration), and Line (6) says the same for the representation of the previous configuration. Lines (7) to (9) make sure that the topmost configuration in the infinite tree is the initial configuration of on input . Lines (10) and (11) choose transitions to execute and Lines (12) to (14) propagate this choice down to the subsequent configurations. Assume that the predicates of the and indeed represent the previous configuration, Lines (15) to (20) then implement the chosen transitions. Line (21) says that we do never see a rejecting halting configuration.
Now for . Essentially, we want to achieve that a sentence is a witness for non-conservativity if and only if it expresses that its models contain (a representation of) an accepting computation tree of on whose root is labeled with . This is achieved by designing so that, whenever a tree model of contains only instances of that are not the root of such a computation tree, then this model can be extended to a model of by assigning an interpretation to the additional predicates in . Note that already enforces that, below any instance of , there is a tree that satisfies almost all of the required conditions of an accepting computation tree. In fact, the only way in which that tree cannot be an accepting configuration tree is that the predicates and do not behave in the expected way, that is, there is a configuration and a cell in this configuration that is labeled with , , and in one of the two subsequent configurations the same cell is not labeled with . We thus design so that it can be made true whenever the model contains such a defect. In Line (22), we select the place where the defect is. Line (23) ensures that the counter starts counting with value zero at that place, and that the marker is set there, too. Line (24) memorizes the content of the cell in the upper configuration involved in the defect. Lines (25) to (27) propagate downwards the memorized content and make sure that, at the corresponding cell of at least one subsequent configuration (which is identified using the counter ), we do not find .
Lemma D.4**.**
If accepts , then is not a GF2*-conservative extension of .* 2. 2.
If there exists a -structure that satisfies and cannot be extended to a model of , then does not accept .
Proof D.5**.**
(sketch) For Point 1 assume that accept . Then there is an accepting computation tree of on . Let . We can find a GF-sentence which expresses that the model contains a (homomorphic image of a) finite tree which represents this configuration tree and whose root is labeled with . We can also find a GF-sentence which expresses that nowhere in the model there is a defect situation. It can be verified that is satisfiable w.r.t. , but not w.r.t. because requires the existence of a defect situation whenever the extension of is non-empty.
For Point 2 assume that is a -structure that satisfies . If , then the desired model is obtained from by interpreting all predicates in as empty. Otherwise, take some . We can follow the existential quantifiers in to identify a homomorphic image of an infinite tree in with root whose edges follow the expected pattern and that is labeled in the expected way by the counter . Since is a model of , an initial piece of the identified tree represents an accepting computation tree of on provided that the predicates behave as expected, that is, if there is no defect of the form described above. Since does not accept , there must thus be such a defect, that is a path of length that links a cell of a configuration with the corresponding cell of a subsequent configuration such that the former is labeled with , but the latter is not labeled with . All the elements of the path (with the possible exception of the start point and the end point) are labeled with a different value of the counter and must thus be distinct. Consequently, we can interpret the counter and the other symbols in to extend to a model of , as desired.
It follows directly from Lemma D.4 that -entailment, -inseparability, and conservative extensions in GF2, are 2ExpTime-hard.
Appendix E 2ATAs and Their Emptiness Problem
The aim of this section is to show that the emptiness problem for 2ATAs can be solved in time exponential in the number of states. For proving this, we reduce it to the emptiness problem of the standard two-way alternating tree automata over trees of fixed outdegree [39].
We start with making precise the semantics of 2ATAs. Let be a 2ATA and a -labeled tree. A run for on is a -labeled tree such that:
- •
and ;
- •
For all with and , there is an assignment of truth values to the transitions in such that satisfies and:
- –
if , then for some successor of in ;
- –
if , then and there is a successor of in with ;
- –
if , then or there is a successor of in such that ;
- –
if , then there is a successor of in and a successor of in such that ;
- –
if , then for every successor of in , there is a successor of in such that .
Let be an infinite path in and denote, for all , with the state such that . The path is accepting if the largest number such that for infinitely many is even. A run is accepting, if all infinite paths in are accepting. Finally, a tree is accepted if there is some accepting run for it.
We next introduce strategy trees similar to [39, Section 4]. A strategy tree for a 2ATA is a tree where labels every node in with a subset , that is, with a graph with nodes from and edges labeled with natural numbers or . Intuitively, expresses that, if we reached node in state , then we should send a copy of the automaton in state to . For each label , we define , that is, the set of sources in the graph . A strategy tree is on an input tree if , , and for every , the following conditions are satisfied:
if , then ; 2. 2.
if , then ; 3. 3.
if , then the truth assignment defined below satisfies :
- (a)
iff ; 2. (b)
iff ; 3. (c)
iff or ; 4. (d)
iff there is some with ; 5. (e)
iff , for all ;
A path in a strategy tree is a sequence of pairs from such that for all , there is some such that and . Thus, is obtained by following moves prescribed by the strategy tree. We say that is accepting if the largest number such that , for infinitely many , is even. A strategy tree is accepting if all infinite paths in are accepting.
Lemma E.1**.**
A 2ATA accepts a -labeled tree iff there is an accepting strategy tree for on .
Proof E.2**.**
The “if”-direction is immediate: just read off an accepting run from the accepting strategy tree.
For the “only if”-direction, we observe that acceptance of an input tree can be defined in terms of a parity game between Player 1 (trying to show that the input is accepted) and Player 2 (trying to challenge that). The initial configuration is and Player 1 begins. Consider a configuration . Player 1 chooses a satisfying truth assignment of . Player 2 chooses a transition with and the next configuration is determined as follows:
- •
if , then the next configuration is ,
- •
if , then the next configuration is unless in which case Player 1 loses immediately.
- •
if , then the next configuration is unless in which case Player 2 loses immediately;
- •
if , then Player 1 chooses some with (and loses if no such exists) and the next configuration is ;
- •
if , then Player 2 chooses some with (and loses if no such exists) and the next configuration is .
Player 1 wins an infinite play if the largest number such that , for infinitely many , is even. It is not difficult to see that Player 1 has a winning strategy on an input tree iff accepts the input tree. Observe now that the defined game is a parity game and thus Player 1 has a winning strategy iff she is has a memoryless winning strategy [15]. It remains to observe that a memoryless winning strategy is nothing else than an accepting strategy tree.
Based on the previuos lemma, we show that, if is not empty, then it contains a tree of small outdegree.
Lemma E.3**.**
If , then there is a such that the outdegree of is bounded by the number of states in .
Proof E.4**.**
Let be a -labeled tree and an accepting strategy tree on . We construct a tree and an accepting strategy tree on where is the restriction of to . Start with and the empty mapping. Then exhaustively repeat the following step. Select an with undefined, in a fair way. Then construct as follows:
for every with , include in ; 2. 2.
for every , choose an such that for some , if existant. Then add to and include in for all ; 3. 3.
further include in whenever and for all with .
Clearly, has the desired outdegree. It remains to show that is an accepting strategy tree on . Observe that the following properties hold for all , and :
- (i)
* iff , for ;*
- (ii)
* for some with iff for some with .*
Observe that we have , by Points (i) and (ii) and since . It can be verified that Conditions 1 and 2 of a strategy tree being on an input tree are satisfied due to the construction of and . For Condition 3, take any and . As , we know that the truth assignment defined for satisfies . Let be the truth assignment for . It suffices to show that, for all transitions , implies . By Point (i), this is the case for transitions of the form . For , we know that there is some with . By Point (ii), we know that for some with , and thus, . For , we know that for all with . By construction if , it follows that for all with , as required.
We finally argue that is also accepting. Let be an infinite path in . We construct an infinite path in as follows:
- •
;
- •
if with , then .
- •
if for some with , then, by Point (ii), there is some with and . Set .
Since every infinite path in is accepting, so is , and thus .
We are now reduce to reduce the emptiness problem of 2ATAs to the emptiness of alternating automata running on trees of fixed outdegree [39], which we recall here. A tree is -ary if every node has exactly successors. A two-way alternating tree automaton over -ary trees (2ATAk) that are -labeled is a tuple where is a finite set of states, is the input alphabet, is an initial state, is the transition function, and is a priority function. The transition function maps a state and some input letter to a transition condition , which is a positive Boolean formula over the truth constants , , and transitions of the form where . A run of on a -labeled tree is a -labeled tree such that
; 2. 2.
for all , and , there is a (possibly empty) set such that satisfies and for , we have , is defined, and .
Accepting runs and accepted trees are defined as for 2ATAs. The emptiness problem for 2ATAks can be solved in time exponential in the number of states [39].
Theorem E.5**.**
The emptiness problem for 2ATAs can be solved in time exponential in the number of states.
Proof E.6**.**
Let be a 2ATA with states. We transform into a 2ATAn , running over -ary -labeled trees, where and . The extended alphabet and the extra states are used to simulate transitions of the form . We make sure that the additional component labels the root node with 1 and all other nodes with 0, and based on this use to check whether we are at the root of the input tree.
Formally, we proceed as follows. For all , , and obtain from by replacing with , with , with , with , and with . To enforce the intended labeling in the second component and the correct behaviour for , we set:
[TABLE]
Using Lemma E.3 it is straightforward to verify that iff . Since the translation can be done in polynomial time and the emptiness problem for 2ATAks is in ExpTime, also emptiness for 2ATAs is in ExpTime.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Hajnal Andréka, István Németi, and Johan van Benthem. Modal languages and bounded fragments of predicate logic. J. Philosophical Logic , 27(3):217–274, 1998.
- 2[2] Franz Baader, Diego Calvanese, Deborah Mc Guinness, Daniele Nardi, and Peter F. Patel-Schneider, editors. The Description Logic Handbook: Theory, Implementation and Applications . Cambridge University Press, 2003. (2nd edition, 2007).
- 3[3] Vince Bárány, Georg Gottlob, and Martin Otto. Querying the guarded fragment. Logical Methods in Computer Science , 10(2), 2014.
- 4[4] Vince Bárány, Balder ten Cate, and Luc Segoufin. Guarded negation. J. ACM , 62(3):22:1–22:26, 2015.
- 5[5] Michael Benedikt, Balder ten Cate, and Michael Vanden Boom. Interpolation with decidable fixpoint logics. In Proc. of LICS , pages 378–389. IEEE Computer Society, 2015.
- 6[6] Egon Börger, Erich Grädel, and Yuri Gurevich. The Classical Decision Problem . Perspectives in Mathematical Logic. Springer, 1997.
- 7[7] Elena Botoeva, Boris Konev, Carsten Lutz, Vladislav Ryzhikov, Frank Wolter, and Michael Zakharyaschev. Inseparability and conservative extensions of description logic ontologies: A survey. In Proc. of Reasoning Web , volume 9885 of LNCS , pages 27–89. Springer, 2016.
- 8[8] Ashok K. Chandra, Dexter C. Kozen, and Larry J. Stockmeyer. Alternation. Journal of the ACM , 28(1):114–133, 1981.
