This is a joint work with two colleagues of mine. Adriano Peron is here with me and Laura Bozzelli. And the presentation consists of two main parts. The first part is a sort of overview of the work, and I hope to have all of you with me in this part. In the second part, I try to give you some, not too many, details about the technical stuff. And let's see. And the context is model checking. I think I don't need to say what is model checking here. It's a formal method to automatically check the global correctness of a reactive system against a specification of a behavioral property. The important point here is that properties are usually specified by using so-called point-based propositional temporal logic formulas. And this logic, standard temporal logic point-based, can be partitioned in two main classes, linear time temporal logics and branching time temporal logics. In the last year, and this is the focus of this story, in the last year, interval temporal logic has been proposed as an alternative formalism to model check relevant properties of what we can call computation stretches of a state system and represented as finite Kripke structures. And in the following, I will say something more about this class of logic. The goal of this work can be summarized as follows. We want to check push-down systems, which are infinite state systems, which allow one to easily model the control flow of sequential programs with nested and recursive procedure calls. And in particular, to express requirements which are both branching time and context-free on the behavior of these systems, we will make use of interval-based temporal logic. So this is, in one slide, the aim of the work. Now I give you some, I would say, background knowledge about the two actors of the work, namely push-down systems on the one hand and interval temporal logic on the other one. It is well known from the literature that checking context-free properties of push-down automata in the general case is undecidable.
The language inclusion problem for push-down automata is undecidable. So in the literature, people look at suitable subclasses, fragments of these formalisms. And one of the most successful ones is the class of visibly push-down automata. This is the fundamental work on this. And this is a quite robust subclass of push-down automata in which the input symbols over a suitable push-down alphabet allow you to control the admissible stack operation. This is the visibility requirement assumption property. And technically, this means that we have a push-down alphabet, sigma, which can be partitioned into three main classes, the set of symbols for calls, which force the push stack operation, the set of symbols for returns, which force the pop stack operation, and the set of internal actions, which do not make use of the stack. It is known from the literature that the class of languages accepted by visibly push-down automata is closed under Boolean operations. And the language inclusion problem is EXPTIME-complete. And here, I try in a couple of slides to give you the flavor of these formalisms, in particular, of the temporal logics, which have been used to formalize properties, relevant properties of this system. In particular, in these logics, you have temporal modalities that allow you to navigate, to move in the nested like a structure of a word over these push-down alphabets. Now you can look at this example. You have essentially three kinds of operation. You have the call, C, you have the return, R, and you have the internal operation. And the idea is that each call is associated with the matching return, if any. You may have one call like this one at point zero, which has not yet a corresponding return in a well-nested manner. One of the most famous useful logics in this context is the so-called CaRet, call return logic, which is a linear time context-free extension of the standard LTL. And this is the paper where it was introduced.
And essentially, this logic provides you with LTL modalities, which can be evaluated over two kinds of patterns on the input word, which are not regular patterns. The first one are abstract paths, which can be used to describe local computation within a given procedure, removing those fragments corresponding to nested calls. And the other one is the so-called caller path, which essentially considers the call stack content at the given position in the input. And it is possible to show that both the satisfiability problem and the visibly model checking problem for this logic are EXPTIME-complete. Here is an example of properties. Again, the word is the previous one, and here we have three examples. The first one is a property of total correctness. We want to say, consider this procedure, call and return, one six. If the precondition p holds when the procedure is called, invoked here, point one, then the procedure must return, and the post-condition q must hold upon return, that is the red interval. Then you have this local response, for instance. Consider again the same procedure in the local computation of this procedure. Every request, req, this one, is followed by a response, resp, this one. And finally, we have the possibility to check the stack. We have a call stack inspection. Consider this procedure, let's call it a procedure, and the procedure starts here, and we can say things like a procedure A is invoked only if a procedure B belongs to the call stack. So it has been invoked before, and it is still going on. So this is just to give you the idea. Now we move to interval temporal logic. Interval temporal logic essentially takes intervals instead of points as the primitive temporal entities. And according to this assumption, this logic can naturally describe some relevant temporal conditions, which are not properly naturally dealt with with standard point-based temporal logic. Just to give you an example, you can deal with temporal aggregation.
You maybe want to constrain a given device, the speed of a given device to be not below or not above a given threshold, on average. And this is a property that makes sense only if you consider intervals, not points. There are many application fields, actual, I would say, and potential. And here I want to point out the following observation. An interval temporal logic instead of a point-based one seems to be a natural choice for the specification and verification of context-free requirements. Why? Because the distinctive feature of these systems, like push-down systems, is this existence of matching calls and returns. And this pattern has a natural interval flavor. So it bounds computation stretches, where we want to check some specific local properties. So there is, I would say, a perfect match between the nature of these systems and interval temporal logic. And in the field of interval temporal logic, the landmark is the Halpern and Shoham modal logic of time intervals. It is well known from the seminal paper by Halpern and Shoham that the satisfiability problem is highly undecidable for this logic. And later on it was shown that this is the case also with most of its fragments. But here we are interested in model checking. So model checking for HS in the literature has been systematically investigated in the last year against finite Kripke structures. And here the natural perspective is that each finite path of a Kripke structure can be viewed, can be considered as an interval. And the labeling of this interval can be defined on the basis of the labeling of the single states belonging to the interval. All the work has been done under this strong assumption, which is fairly natural in concrete systems, which is the homogeneity assumption, which says that a proposition letter holds over an interval if and only if it holds over each of its component states. This is called the homogeneity assumption.
The second characteristic of the logic, the considered logic, is the so-called state-based semantics, which is the most general possible semantics, which allows time to branch both in the future and in the past. I show you a picture in a moment. And it has been shown that the model checking problem for HS against finite state Kripke structures is decidable. And yeah, there are still some interesting open problems. One of these is the exact complexity of this problem, because the only known upper bound is non-elementary and the only known lower bound is EXPSPACE. So we have a very big gap, but this is not the topic of this talk. Another recent work, this is a work that was first presented in this conference three years ago. We analyze the expressive power of this logic, and if we take the state-based version, the most general one, branching in the future, branching in the past, we show that it is incomparable with LTL and CTL* and it is strictly more expressive than finitary CTL*. What is finitary CTL*? It is CTL* with restriction of quantification over finite paths. This is necessary because we are considering finite paths over a finite Kripke structure. In that paper, also some semantic variants of HS have been considered, in particular the computation tree semantics, in which you restrict time to branch only in the future, and in that case, you show that the logic is expressively equivalent to finitary CTL*, and the linear time semantics, in which you only interpret the logic over the subpaths of a given infinite path, and in that case, you show that the logic is equivalent to LTL even if it is much more succinct. This was the state of the art before this work. Which are the contributions of this paper? First of all, we provide a unified view, a unification of the linear time and the branching time semantics in a unique formalism, in a unique framework. We call it binding HS and the idea is the following.
Binding HS enriches HS with a new binding operator that allows you to restrict the evaluation of a formula to an interval substructure which is induced by the current interval. So you take the current interval and you restrict your attention only to the subintervals of this interval by using the binding if you want. And the second improvement that we make is to consider both finite and infinite paths. You can do that with finite Kripke structures, but later on we also remove this restriction, so we consider arbitrary Kripke structures and we consider finite and infinite paths on this structure. This is the first step that we did. By the way, notice that in this way we're able to compare interval temporal logic with CTL*, which quantifies over infinite paths. Second, in order to capture, to express branching time, context-free requirements of push-down systems, we make another extension to the logic which is fairly simple in principle. We just add to the binding HS a special proposition letter that allows us to capture finite intervals with well-matched pairs of call and return. I have two pictures here. I was prepared. This is one case. You have call, return, and then you have a number of internal actions. This is a well-formed word. Here you have a call, return, call, return, internal operation. This is another example of well-formed interval, and here you have another one, C, internal, internal, R. All of these are intervals over which this special proposition letter holds. And we will also show that these extensions, so at the end we have this nested binding HS, differ from the context-free temporal logics known from the literature, where ad hoc modalities were adopted. In our case, the extensions are really minimal, I would say. And this is what we prove in this paper. We have both expressiveness results and the decidability result.
We put in the general framework the logic we propose, and then we show that the model checking problem for visibly push-down systems against this nested binding HS is decidable. These are the results. This is the end of the first part, 50 minutes. Now I try to give you some more detail, but yeah, not too many. Okay, first of all, this is easy. We are considering Kripke structures. At the bottom of the transparency, you have an example. You have two states, s0, s1. You can associate to each state the set of proposition letters that hold at that state. We call trace the sequence of sets of propositional letters. So in that case, you have, for instance, G, P, P, Q, P, Q, Q, and things like that. This is the label, the trace. Parameter, I would say, we can consider finite Kripke structures, as in this case, or infinite ones. And we consider infinite ones in this work. And you can consider finite paths or infinite paths over this structure. And in this case, we consider both. We allow both finite and infinite paths. That's what I want to say about the model. Here is the logic. So let me try in a very short way to summarize the features. This is the syntax. You have proposition letters, the standard Boolean connectives. And then you have a modality for each of Allen's relations known from the literature. For instance, you have a modality, say, A, such that A of P is true over the current interval if and only if there exists an interval to the right, adjacent to the right, where the argument P holds. That's the meets. And then you have the same for the other possible ordering relations between a pair of intervals. One interesting one is started-by, which relates an interval with a prefix of it. And it is interesting because with the corresponding modality, you can do a number of things. I write here, again, an example. You can say that an interval is not a point interval by saying that B of true, there exists an initial prefix, proper prefix.
You can say that an interval is a point interval, just saying that for all prefixes, this is the dual universal modality, false is true. And the only possibility is to have a point 1. And putting together these two modalities, you can have these two constructions, sorry, you can also count the size of an interval. So you can do a lot of things with this modality. This is the semantics. I don't want to enter; it is the obvious one. Remember that intervals for us are finite paths or infinite paths. And so you can give a natural interpretation of this modality. And I want to remind you that according to our semantics, you can branch both in the future and in the past. So you can say there is an interval adjacent to the right where phi 2 holds, this is 1. But you can also say that there exists an interval adjacent to the left where phi 1 holds. And this is the case. The addition in this work is this binding context modality operator, which is either epsilon, the empty context, or a path of K. And the intended semantics, now in the next transparency, I'll give you the full semantics. But the idea here is the following. A path pi belongs to the current binding context if and only if either the context is empty, in that case, there is no restriction, every interval is OK, or it is a sub-path of the context. So in this way, we can constrain, from a given point on, all the intervals that come into play in the evaluation of our formula to be sub-intervals of a given interval. Notice that in this way, we can force somehow linearity for the interpretation of some sub-formulas. So we are in a branching context in general, but using the binding modality, we can force linearity, local linearity. This is the semantics. The first rule is for proposition letters. And essentially, it's homogeneity. We say that a proposition letter holds over a given path interval if and only if it holds at each state of this interval. Boolean connectives are standard.
Then you have a semantic clause for each modality, which is the obvious one. And the only new modality is the binding operator. If you take a Kripke structure, the current path and the current context, and you apply the binding operator to psi, you simply constrain the context to coincide with the current interval. From this point on, everything is interpreted over the set of sub-intervals of the current interval. That's the way in which we can use. And this is important. This is a summary of what we say up to here. A model of a given formula, K is a model of a given formula psi if and only if K, Kripke structure, the current path pi, and epsilon, the empty context, makes psi true for each initial path. Initial path is a path that starts from the initial state. Now you have to distinguish between two families of modalities. There are some modalities which have intrinsically a linear time semantics. Given an interval, if you take a prefix, a suffix, or a sub-interval, they are linear by definition. There are other modalities which have a branching time semantics, which are the meets, met-by that we saw before, the overlapping, and so on and so forth. Now, for this second class of modalities, we have two possibilities. If the binding context, the current context, is empty, you give the standard branching semantics to this modality. But if you fix the current context, it is not empty, you can force a linear semantics also for this modality. So you can play with the two semantics in a given formula syntactically, I would say, by using the binding modality. And this is something new in this context. OK. Yes. Sure. But now you have this new situation, like you could have two intervals with the same beginning and ending, but they are not identical. With the same beginning and ending, they are not identical. The relations between them is water. You can do that. And you are not forced to fix it in a state-based semantics.
In the general, in the state-based semantics, it's perfectly right that you, from a given point, from a given interval, you can move in various directions. No, you don't need to, you branch, you don't. In the tree. In the tree. You are a tree in the future in the past, but it is a tree. And you expand the, no, but you cannot, how can I say? This is one, you have no way to compare this in path. Yeah, you cannot do that. You have not these classical things in HS. You have to do that one. OK. But now we need one more step. I try to be quick here. And it is, how can we express and check context-free properties of push-down systems? And we need one more addition. First of all, we have to encode push-down systems in terms of infinite Kripke structures. And this is relatively easy. The only addition is the following one. We assume that in the set of proposition letters, we have these special propositions: call, return, internal. And we essentially define the symbols of our alphabet as a subset of proposition letters, such that in each of these sets, you have one and only one proposition letter in this set. So you have only a call state. You have a return state. You have an internal state. And this is recognized by the presence of one and only one of these proposition letters. Then with these, we can turn visibly push-down systems over a given set of propositions into an infinite state Kripke structure. And here, the basic correspondence: the set of states of the Kripke structure is the set of configurations of the original system. That's not that difficult to show. And the traces over the Kripke structures are words over the push-down alphabet, this one. An initial computation of the push-down system is turned into the initial path of the Kripke structure. The last addition is the following one. We introduce in the set of propositions a special well-matched proposition letter, PWM, which allows us to capture well-built, well-matched, well-formed intervals.
And the only requirement is that a word over our alphabet is well-matched if each call has a matching return and vice versa. And here is the case. This call has this matching return. And then there is an extension with internal operation. This call has this matching return. This call has this matching return. This call has this matching return. So this proposition letter allows us to recognize those paths which are finite, well-matched words over our alphabet. This is the only additional extension that we require. And we also consider, let me say that we need, the linear time fragment of nested binding HS. And the linear time fragment is a syntactical fragment, which is obtained by constraining all non-linear modalities to occur in the scope of a binding operator. In this way, we give a linear interpretation to all the modalities of the logic. But this is a syntactic fragment. We can do it in the logic. OK, so now we have the problem we are interested in. Visibly push-down model checking for nested BHS formulas: given a push-down system over prop and the nested BHS formula psi over prop extended with this special proposition letter, we want to check whether the Kripke structure corresponding to the system makes the formula psi true or not. Now, I would have a couple of examples, but I think I have to skip that, of what you can do with the logic. In particular, it is nice to see that we can give in a natural way a procedural context version of the classical CTL formula E p1 until p2. There exists a path starting from the current state, where p1 until p2 holds. And the nice stuff is that you can use this A modality, there exists an interval adjacent to the right, to mimic somehow the E modality of CTL. Here, I have an example. If you stay here and you say there exists an interval adjacent to the right, you can go this way. You can go this way. You can go in the direction you want.
So in this way, and with the other additional elements that we are using here, you can simulate, you can encode this condition. OK, a summary of the results in a bit more detail. First of all, we compare the linear fragment, syntactic fragment of our logic with known linear time context-free extensions of LTL, proposed in these papers. In particular, we consider FOμ, CaRet with this modality, W, and nested word temporal logic. All logics proposed in the literature. It is already known that these two logics, NWTL and CaRet plus W, are as expressive as first order with μ. And what we prove is summarized here. First of all, we prove that nested BHS linear, under the linearity restriction, is as expressive as FOμ. We prove that these two logics can be translated in polynomial time into equivalent formulas of our logic's linear fragment. And that the full logic without the restriction is strictly more expressive than these logics. Then we have another result. This is something that we can obtain for the basic HS. If you allow to quantify over infinite paths, you can show that HS and also our extension is strictly more expressive than standard CTL*. This is a summary of the result. In the following slide, you have the decidability result, which makes use of a non-trivial automaton construction. You can encode each formula of our logic into a non-deterministic visibly push-down automaton, which encodes the computations of the original system that satisfy the formula psi. And in this way, you can show that the model checking problem is decidable, even if with a non-elementary complexity. Yeah, we have also a non-elementary hardness result. So this is the shenard. And this is the conclusion. We have proposed a new branching time context-free logical framework. It is based on an extension of HS with state-based semantics. It strictly subsumes a number of linear time context-free extensions of LTL. And it is decidable, even if the complexity is not that nice.
There are a number of possible extensions. Some are, I would say, internal. We want to understand if the addition of the binding really extends the expressive power of the original logic. This is not formally proved. We want to prove it. We have some complexity issues still to address. There are still some comparisons we want to do with other formalisms. We have some conjecture, in particular the one with visibly push-down mu-calculus. And last but not least, all this work still makes the homogeneity assumption. Our ultimate goal is to remove this assumption, which means that we want to be in a formalism in which it can be the case that something is true of an interval and it is false over its subinterval. This is not the case if you take homogeneity. But in general, there are situations in which you want that. But there, you have to find a way of naturally describing systems according to this full generality. And if you heard yesterday this work about timelines, this is one direction we are exploring in this respect. But this is only one research direction for the bomb. That's it. Sorry, I was very late. Thank you. I'm sure that, I mean, I don't think this movie goes over to branching time. You also, apart from linear time. And then you say, if you allow infinite paths, you go beyond CTL*. Yeah, you have something to do. There's a kind of more things you can do. And you use some intuition. I mean, this is, right? Essentially, in our logic, you can move forward and backward. Then you can take advantage of that. This is one of the things that you can show. So in that formalism, you can choose in between, you can mix both linear semantics and branches. So since they are comparable, you have the ability to process both of them. This increases the ability of the CTL. This is the main reason. This is the second reason, because also the basic logic is already important. And this is an addition that you can do in these four months.
I guess, on relaxing this homogeneity, do we do it completely or? We push, as far as we can, by replacing homogeneity with a regular expression. So we say that the truth of a given proposition of an interval is expressed by means of a regular expression, which is a move that has been done in the literature. We did it. The complexity is almost always the same. In a few cases, it's a little bit worse. But this is not what we really want. So I would say this is a maximum that you can obtain in this. But we want to make a big step. And in that case, the problem in the satisfiability setting, we do not assume homogeneity in general. In this case, the problem is the model. So we have the logic, but we have to understand which is the model, the proper model, if you don't want homogeneity. In most of the systems, homogeneity is fairly natural. So you have to find a way to describe the behavior of a system in which you describe the local evolution of a component. And then you have the possibility to synchronize different components using the Allen relations, the Allen modalities. That's the intuition. This is something that you can maybe try to do with formalisms like timelines. But it's still a thought, not a thought. The framework is fairly robust. And you chose HS. But you could mimic this with CDT of NMR. And it would be non-elementary anyway. So the complexity, would there be any advantage there, or? We deal with extra care with CDT, because there is, you need to be willing to undecidability if you take the full. If you want, you can restrict that. Yes, you can do something, surely. I mean, in CDT, the power of CDT is that you take an interval, you can split in two parts. And this gives you additional power, but it's also additional complexity. If you have only the prefix and suffixes, you are weaker. But the complexity is better. The open problem we mentioned there is related to this BE fragment, in which we have not the chop, but we have these two modalities.
And we have not been able to prove the exact complexity. We have this big gap for the fragment BE. So we have this weaker version of C, of the chop. The hope is that it is better from a computational point of view. But yeah, in principle, you can also play with CDT. OK, let's thank everyone. Thank you.