
Pushdown model checking for malware detection

  • TACAS 2012
  • Published in: International Journal on Software Tools for Technology Transfer

Abstract

The amount of malware is growing extraordinarily fast. Therefore, it is important to have efficient malware detectors. Malware writers try to obfuscate their code by different techniques. Many well-known obfuscation techniques rely on operations on the stack, such as inserting dead code by adding useless push and pop instructions, or hiding calls to the operating system, etc. Thus, it is important for malware detectors to be able to deal with the program’s stack. In this study, we propose a new model-checking approach for malware detection that takes into account the behavior of the stack. Our approach consists of: (1) Modeling the program using a pushdown system (PDS). (2) Introducing a new logic, called stack computation tree predicate logic (SCTPL), to represent the malicious behavior. SCTPL can be seen as an extension of the branching-time temporal logic CTL with variables, quantifiers, and predicates over the stack. (3) Reducing the malware detection problem to the model-checking problem of PDSs against SCTPL formulas. We show how our new logic can be used to precisely express malicious behaviors that could not be specified by existing specification formalisms. We then consider the model-checking problem of PDSs against SCTPL specifications. We reduce this problem to emptiness checking in Symbolic Alternating Büchi Pushdown Systems, and we provide an algorithm to solve this problem. We implemented our techniques in a tool and applied it to detect several viruses. Our results are encouraging.



Notes

  1. \(AP^+(\varphi )\), \(AP^-(\varphi )\), \(Reg^+(\varphi )\) and \(Reg^-(\varphi )\) are as defined in Sect. 3.2.


Author information

Correspondence to Fu Song.

Additional information

Work partially funded by ANR Grant ANR-08-SEGI-006, Shanghai Knowledge Service Platform for Trustworthy Internet of Things No. ZF1213 and NSFC Project No. 91118007, Civil Aerospace Project 125, and NSFC Project No. 61021004.

Appendix

A.1 Proof of Theorem 1

Theorem 1

VAs are effectively closed under boolean operations.

Proof

We need to prove that variable automata are closed under union, complementation and intersection.

Union. The union of two VAs is computed as for finite automata. Given a PDS \({\mathcal {P}}=(P,\varGamma ,\varDelta ,\sharp )\), let \(M^1=(Q^1,\varGamma ,\delta ^1,q_0^1,A^1)\) and \(M^2=(Q^2,\varGamma ,\delta ^2,q_0^2,A^2)\) be two VAs; we construct a VA \(M\), as usual, such that \(L(M)=L(M^1)\cup L(M^2)\).

W.l.o.g., we suppose that \(Q^1\cap Q^2=\emptyset \), otherwise we can rename these repeated states. Let \(M=(Q,\varGamma ,\delta ,q_0,A)\) such that

  • \(Q=Q^1\cup Q^2\cup \{q_0\}\), where \(q_0\) is an additional initial state of \(M\);

  • \(A=A^1\cup A^2\);

  • \(\delta =\delta ^1\cup \delta ^2\cup \{q_0\mathop {\longrightarrow }\limits ^{\epsilon }\{q_0^1\}, q_0\mathop {\longrightarrow }\limits ^{\epsilon }\{q_0^2\}\}\).

Thus, we obtain that \(L(M)=L(M^1)\cup L(M^2)\). \(\epsilon \)-transitions can be removed as usual.

Complementation. Given a PDS \({\mathcal {P}}=(P,\varGamma ,\varDelta ,\sharp )\), let \(M=(Q,\varGamma ,\delta ,q_0,A)\) be a VA; we construct a VA \(\overline{M}\) such that \(L(\overline{M})=(P\times \varGamma ^*)\times {\mathcal {B}}{\setminus } L(M)\).

W.l.o.g., we assume that if either \(q\mathop {\longrightarrow }\limits ^{x}\{p_1,\ldots ,p_h\}\in \delta \) or \(q\mathop {\longrightarrow }\limits ^{\lnot x}\{p_1,\ldots ,p_h\}\in \delta \), then there does not exist any other transition rule of the form \(q\mathop {\longrightarrow }\limits ^{\alpha }\{q_1,\ldots ,q_n\}\) in \(\delta \). Indeed, if there exist two transition rules \(q\mathop {\longrightarrow }\limits ^{x}\{p_1,\ldots ,p_n\}\) and \(q\mathop {\longrightarrow }\limits ^{\alpha }\{q_1,\ldots ,q_m\}\), or \(q\mathop {\longrightarrow }\limits ^{\lnot x}\{p_1,\ldots ,p_n\}\) and \(q\mathop {\longrightarrow }\limits ^{\alpha }\{q_1,\ldots ,q_m\}\), we can then replace these two transition rules by \(q'\mathop {\longrightarrow }\limits ^{x}\{p_1,\ldots ,p_n\}\) and \(q''\mathop {\longrightarrow }\limits ^{\alpha }\{q_1,\ldots ,q_m\}\), or \(q'\mathop {\longrightarrow }\limits ^{\lnot x}\{p_1,\ldots ,p_n\}\) and \(q''\mathop {\longrightarrow }\limits ^{\alpha }\{q_1,\ldots ,q_m\}\), and replace all the transition rules of the form \(g\mathop {\longrightarrow }\limits ^{\alpha '}\{q,g_1,\ldots ,g_h\}\) by the two transition rules \(g\mathop {\longrightarrow }\limits ^{\alpha '}\{q',g_1,\ldots ,g_h\}\) and \(g\mathop {\longrightarrow }\limits ^{\alpha '}\{q'',g_1,\ldots ,g_h\}\).

Let \(\overline{M}=(Q\cup \{q_f\},\varGamma ,\delta ',q_0, A')\) be a VA, where \(q_f\not \in Q\) is a final state, \(A'=Q\cup \{q_f\}{\setminus } A\), and \(\delta '\) is the smallest set of transition rules satisfying the following: for every \(p,q\in Q,x\in {\mathcal {X}},\gamma \in \varGamma \),

  1. if \(p\mathop {\longrightarrow }\limits ^{x}\{q_1,\ldots ,q_m\}\in \delta \); then \(p\mathop {\longrightarrow }\limits ^{x}q_i\in \delta '\) for every \(1\le i\le m\), and \(p\mathop {\longrightarrow }\limits ^{\lnot x}q_f\in \delta '\),

  2. if \(p\mathop {\longrightarrow }\limits ^{\lnot x}\{q_1,\ldots ,q_m\}\in \delta \); then \(p\mathop {\longrightarrow }\limits ^{\lnot x}q_i\in \delta '\) for every \(1\le i\le m\), and \(p\mathop {\longrightarrow }\limits ^{x}q_f\in \delta '\),

  3. if there does not exist \(S\subseteq Q\) such that \(p\mathop {\longrightarrow }\limits ^{\gamma }S\in \delta \), \(p\mathop {\longrightarrow }\limits ^{x}S\in \delta \) or \(p\mathop {\longrightarrow }\limits ^{\lnot x}S\in \delta \); then \(p\mathop {\longrightarrow }\limits ^{\gamma }q_f\in \delta '\),

  4. \(p\mathop {\longrightarrow }\limits ^{\gamma }\{q_1,\ldots ,q_m\mid \text{for every } 1\le i\le m: p\mathop {\longrightarrow }\limits ^{\gamma }S_i\in \delta \text{ and } q_i\in S_i\}\in \delta '\),

  5. \(q_f\mathop {\longrightarrow }\limits ^{\gamma }q_f\in \delta '\).

Let us show that \(L(\overline{M})=(P\times \varGamma ^*)\times {\mathcal {B}}{\setminus } L(M)\).

\((\Longrightarrow )\) First we show that \(L(\overline{M})\subseteq (P\times \varGamma ^*)\times {\mathcal {B}}{\setminus } L(M)\). It is sufficient to prove that for every \((\langle p,\omega \rangle ,{ B})\in (P\times \varGamma ^*)\times {\mathcal {B}}\), if \(\overline{M}\) has an accepting run from a state \(f\in Q\) on the word \(\omega \) under the environment \({ B}\), then \(M\) does not have any accepting run from the state \(f\) on the word \(\omega \) under the environment \({ B}\). We proceed by induction on the length \(|\omega |\) of \(\omega \).

  • Basis \(|\omega |=0\): Then \(\omega =\epsilon \). Since \(\overline{M}\) has an accepting run from the state \(f\) on the word \(\omega \) under the environment \({ B}\), we obtain that the initial state \(f\in A'\). Since \(A'=Q\cup \{q_f\}{\setminus } A\), we get that \(f\not \in A\) which implies that \(M\) does not have any accepting run from the state \(f\) on the word \(\omega \) under the environment \({ B}\).

  • Step \(|\omega |\ge 1\): Let \(\gamma \in \varGamma ,u\in \varGamma ^*\) such that \(\omega =\gamma u\). \(\overline{M}\) has an accepting run from the state \(f\) on the word \(\omega \) under the environment \({ B}\). Let \(t\in \delta '\) be the first transition used by this run; its left-hand side is the state \(f\) and its input is \(\gamma \). The proof depends on which item of the above construction added the transition rule \(t\).

    • Case 1: \(t=f\mathop {\longrightarrow }\limits ^{x}q_i\in \delta '\) is added by Item 1. Then \(\overline{M}\) has an accepting run from the state \(q_i\) on the word \(u\) under the environment \({ B}\), and \({ B}(x)=\gamma \). By applying the induction hypothesis, we obtain that \({M}\) does not have any accepting run from the state \(q_i\) on the word \(u\) under the environment \({ B}\). Since the transition rule \(t=f\mathop {\longrightarrow }\limits ^{x}q_i\in \delta '\) is added by Item 1, by the assumption \(M\) has only one transition \(f\mathop {\longrightarrow }\limits ^{x}\{q_i,p_1,\ldots ,p_m\}\in \delta \) from the state \(f\). As \({M}\) does not have any accepting run from the state \(q_i\) on the word \(u\) under the environment \({ B}\), we obtain that \({M}\) does not have any accepting run from the state \(f\) on the word \(\gamma u\) under the environment \({ B}\).

    • Case 2: \(t=f\mathop {\longrightarrow }\limits ^{\lnot x}q_i\in \delta '\) is added by Item 2. Then \(\overline{M}\) has an accepting run from the state \(q_i\) on the word \(u\) under the environment \({ B}\), and \({ B}(x)\ne \gamma \). By the induction hypothesis, we obtain that \({M}\) does not have any accepting run from the state \(q_i\) on the word \(u\) under the environment \({ B}\). Since the transition rule \(t=f\mathop {\longrightarrow }\limits ^{\lnot x}q_i\in \delta '\) is added by Item 2, by the assumption \(M\) has only one transition \(f\mathop {\longrightarrow }\limits ^{\lnot x}\{q_i,p_1,\ldots ,p_m\}\in \delta \) from the state \(f\). As \({M}\) does not have any accepting run from the state \(q_i\) on the word \(u\) under the environment \({ B}\), we obtain that \({M}\) does not have any accepting run from the state \(f\) on the word \(\gamma u\) under the environment \({ B}\).

    • Case 3: \(t=f\mathop {\longrightarrow }\limits ^{\lnot x}q_f\in \delta '\) is added by Item 1, then we get that \({ B}(x)\ne \gamma \) and \(M\) has only one transition \(f\mathop {\longrightarrow }\limits ^{x}\{p_1,\ldots ,p_m\}\in \delta \) from the state \(f\) due to the assumption. Since \({ B}(x)\ne \gamma \), we get that \({M}\) does not have any accepting run from the state \(f\) on the word \(\gamma u\) under the environment \({ B}\).

    • Case 4: \(t=f\mathop {\longrightarrow }\limits ^{x}q_f\in \delta '\) is added by Item 2, then we get that \({ B}(x)=\gamma \) and \(M\) has only one transition \(f\mathop {\longrightarrow }\limits ^{\lnot x}\{p_1,\ldots ,p_m\}\in \delta \) from the state \(f\) due to the assumption. Since \({ B}(x)= \gamma \), we get that \({M}\) does not have any accepting run from the state \(f\) on the word \(\gamma u\) under the environment \({ B}\).

    • Case 5: \(t=f\mathop {\longrightarrow }\limits ^{\gamma }q_f\in \delta '\) is added by Item 3, then \(M\) does not have any transition in the form of \(f\mathop {\longrightarrow }\limits ^{\gamma }S\in \delta \), \(f\mathop {\longrightarrow }\limits ^{x}S\in \delta \) or \(f\mathop {\longrightarrow }\limits ^{\lnot x}S\in \delta \) for any \(S\subseteq Q\), and we get that \({M}\) does not have any accepting run from the state \(f\) on the word \(\gamma u\) under the environment \({ B}\).

    • Case 6: \(t=f\mathop {\longrightarrow }\limits ^{\gamma }\{q_1,\ldots ,q_m\}\in \delta '\) is added by Item 4, then \(M\) has transitions \(f\mathop {\longrightarrow }\limits ^{\gamma }S_i\in \delta \) such that \(q_i\in S_i\) for every \(1\le i\le m\). Since \(\overline{M}\) has an accepting run from the state \(f\) on the word \(\omega \) under the environment \({ B}\), we obtain that \(\overline{M}\) has an accepting run from every state \(q_i\) on the word \(u\) under the environment \({ B}\). By applying the induction hypothesis, we obtain that \({M}\) does not have any accepting run from the state \(q_i\) on the word \(u\) under the environment \({ B}\) for every \(1\le i\le m\). Since \(M\) has transitions \(f\mathop {\longrightarrow }\limits ^{\gamma }S_i\in \delta \) for every \(1\le i\le m\) and \(q_i\in S_i\), then each run from the state \(f\) has to go through a state \(q_i\) for some \(1\le i\le m\), we get that \({M}\) does not have any accepting run from the state \(f\) on the word \(\gamma u\) under the environment \({ B}\).

\((\Longleftarrow )\) We show that \(L(\overline{M})\supseteq (P\times \varGamma ^*)\times {\mathcal {B}}{\setminus } L(M)\). It is sufficient to prove that for every \((\langle p,\omega \rangle ,{ B})\in (P\times \varGamma ^*)\times {\mathcal {B}}\), if \(M\) does not have any accepting run from a state \(f\in Q\) on the word \(\omega \) under the environment \({ B}\), then \(\overline{M}\) has an accepting run from the state \(f\) on the word \(\omega \) under the environment \({ B}\). We proceed by induction on the length \(|\omega |\).

  • Basis \(|\omega |=0\): Then \(\omega =\epsilon \). Since \(M\) does not have any accepting run from the state \(f\) on the word \(\epsilon \) under the environment \({ B}\), we get that \(f\not \in A\). Since \(A'=Q\cup \{q_f\}{\setminus } A\), then \(f\in A'\), we get that \(\overline{M}\) has an accepting run from the state \(f\) on the word \(\epsilon \) under the environment \({ B}\).

  • Step \(|\omega |\ge 1\): Let \(\gamma \in \varGamma ,u\in \varGamma ^*\) such that \(\omega =\gamma u\). The proof depends on the case whether \(M\) has a transition rule either of the form \(f\mathop {\longrightarrow }\limits ^{x}\{q_1,\ldots ,q_m\}\in \delta \), or \(f\mathop {\longrightarrow }\limits ^{\lnot x}\{q_1,\ldots ,q_m\}\in \delta \), or \(f\mathop {\longrightarrow }\limits ^{\gamma }S_i\in \delta \), or does not have any transition.

    • Case 1: \(f\mathop {\longrightarrow }\limits ^{x}\{q_1,\ldots ,q_m\}\in \delta \), then we get that \(M\) does not have any other transition rule from the state \(f\) due to the assumption. The proof depends on the case whether \({ B}(x)=\gamma \).

      • \({ B}(x)=\gamma \): Then the run of \(M\) from the state \(f\) will move to the states \(q_1,\ldots ,q_m\). Since \(M\) does not have any accepting run from the state \(f\) on the word \(\omega \) under the environment \({ B}\), we obtain that there are some states \(q_i\in \{q_1,\ldots ,q_m\}\) such that \(M\) does not have any accepting run from the state \(q_i\in Q\) on the word \(u\) under the environment \({ B}\). By applying the induction hypothesis, we obtain that \(\overline{M}\) has an accepting run from these states \(q_i\) on the word \(u\) under the environment \({ B}\). Since \(f\mathop {\longrightarrow }\limits ^{x}\{q_1,\ldots ,q_m\}\in \delta \), we get that \(f\mathop {\longrightarrow }\limits ^{x}q_i\in \delta '\) for every \(1\le i\le m\). Thus, \(\overline{M}\) has an accepting run from the state \(f\) on the word \(\gamma u\) under the environment \({ B}\).

      • \({ B}(x)\ne \gamma \): Since \(f\mathop {\longrightarrow }\limits ^{x}\{q_1,\ldots ,q_m\}\in \delta \), we get that \(f\mathop {\longrightarrow }\limits ^{\lnot x}q_f\in \delta '\). Since \(q_f\mathop {\longrightarrow }\limits ^{\gamma _1}q_f\in \delta '\) for every \(\gamma _1\in \varGamma \) and \(q_f\in A'\), we obtain that \(\overline{M}\) has an accepting run from the state \(f\) on the word \(\gamma u\) under the environment \({ B}\).

    • Case 2: \(f\mathop {\longrightarrow }\limits ^{\lnot x}\{q_1,\ldots ,q_m\}\in \delta \), then we get that \(M\) does not have any other transition rule from the state \(f\) due to the assumption. The proof depends on the case whether \({ B}(x)=\gamma \).

      • \({ B}(x)\ne \gamma \): Then the run of \(M\) from the state \(f\) will move to the states \(q_1,\ldots ,q_m\). Since \(M\) does not have any accepting run from the state \(f\) on the word \(\omega \) under the environment \({ B}\), we obtain that there are some states \(q_i\in \{q_1,\ldots ,q_m\}\) such that \(M\) does not have any accepting run from the state \(q_i\in Q\) on the word \(u\) under the environment \({ B}\). By applying the induction hypothesis, we obtain that \(\overline{M}\) has an accepting run from these states \(q_i\) on the word \(u\) under the environment \({ B}\). Since \(f\mathop {\longrightarrow }\limits ^{\lnot x}\{q_1,\ldots ,q_m\}\in \delta \), we get that \(f\mathop {\longrightarrow }\limits ^{\lnot x}q_i\in \delta '\) for every \(1\le i\le m\). Thus, \(\overline{M}\) has an accepting run from the state \(f\) on the word \(\gamma u\) under the environment \({ B}\).

      • \({ B}(x)=\gamma \): Since \(f\mathop {\longrightarrow }\limits ^{\lnot x}\{q_1,\ldots ,q_m\}\in \delta \), we get that \(f\mathop {\longrightarrow }\limits ^{x}q_f\in \delta '\). Since \(q_f\mathop {\longrightarrow }\limits ^{\gamma _1}q_f\in \delta '\) for every \(\gamma _1\in \varGamma \) and \(q_f\in A'\), we obtain that \(\overline{M}\) has an accepting run from the state \(f\) on the word \(\gamma u\) under the environment \({ B}\).

    • Case 3: \(f\mathop {\longrightarrow }\limits ^{\gamma }S_i\in \delta \) for every \(1\le i\le m\). Then, the run of \(M\) from the state \(f\) can move to one of the sets \(S_1,\ldots , S_m\). Since \(M\) does not have any accepting run from the state \(f\) on the word \(\omega \) under the environment \({ B}\), we obtain that for every \(1\le i\le m\), there exists a state \(q_i\in S_i\) such that \(M\) does not have any accepting run from the state \(q_i\) on the word \(u\) under the environment \({ B}\). By applying the induction hypothesis, we get that \(\overline{M}\) has an accepting run from these states \(q_i\) on the word \(u\) under the environment \({ B}\) for every \(1\le i\le m\). Since \(f\mathop {\longrightarrow }\limits ^{\gamma }S_i\in \delta \) for every \(1\le i\le m\), we get that \(f\mathop {\longrightarrow }\limits ^{\gamma }\{q_1,\ldots ,q_m\}\in \delta '\). Thus, \(\overline{M}\) has an accepting run from the state \(f\) on the word \(\gamma u\) under the environment \({ B}\).

    • Case 4: There is no transition in the form \(f\mathop {\longrightarrow }\limits ^{\gamma }S\in \delta \), or \(f\mathop {\longrightarrow }\limits ^{x}S\in \delta \) or \(f\mathop {\longrightarrow }\limits ^{\lnot x}S\in \delta \): then, we get that \(f\mathop {\longrightarrow }\limits ^{\gamma }q_f\in \delta '\) and \(q_f\mathop {\longrightarrow }\limits ^{\gamma _1}q_f\in \delta '\) for every \(\gamma _1\in \varGamma \). Since \(q_f\in A'\), we obtain that \(\overline{M}\) has an accepting run from the state \(f\) on the word \(\gamma u\) under the environment \({ B}\).

Intersection. Given a PDS \({\mathcal {P}}=(P,\varGamma ,\varDelta ,\sharp )\), let \(M^1=(Q^1,\varGamma ,\delta ^1,\,q_0^1,A^1)\) and \(M^2=(Q^2,\varGamma ,\delta ^2,q_0^2,A^2)\) be two VAs; we construct a VA \(M\) such that \(L(M)=L(M^1)\cap L(M^2)\).

Since VAs are closed under complementation, let \(\overline{M^1}\) and \(\overline{M^2}\) be two VAs such that \(L(\overline{M^1})=(P\times \varGamma ^*)\times {\mathcal {B}}{\setminus } L(M^1)\) and \(L(\overline{M^2})=(P\times \varGamma ^*)\times {\mathcal {B}}{\setminus } L(M^2)\).

Since VAs are closed under union, we construct a VA \(M^3\) such that \(L(M^3)=L(\overline{M^1})\cup L(\overline{M^2})\). Then, we can compute a VA \(\overline{M^3}\) such that \(L(\overline{M^3})=P\times \varGamma ^*\times {\mathcal {B}}{\setminus } L(M^3)\).

According to the above constructions, we obtain that \(L(\overline{M^3})=P\times \varGamma ^*\times {\mathcal {B}}{\setminus } L(M^3) =P\times \varGamma ^*\times {\mathcal {B}}{\setminus }(L(\overline{M^1})\cup L(\overline{M^2}))=L(M^1)\cap L(M^2)\). Thus, \(\overline{M^3}\) is the required VA \(M\). \(\square \)
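The complementation construction of Theorem 1 carried out in code, as an added example that is not code from the paper or its tool: a small alternating variable automaton over \(\varGamma =\{a,b\}\) with one variable \(x\), the dualisation of Items 1–5 (the normal form assumed by the proof is asserted), and a brute-force check that \(\overline{M}\) accepts exactly the pairs (word, environment) that \(M\) rejects. The automaton M, the sink name q_f and the label encoding are constructed for this example.

```python
from itertools import product

# Labels: ("sym", g) for g in Gamma, ("var", x) for x in X, ("nvar", x) for "not x".
# A rule (label, S) from state p means: on a matching head symbol the run moves to ALL
# states of S (universal branching); several rules from p on one symbol are alternatives.
class VA:
    def __init__(self, states, gamma, delta, q0, accepting):
        self.Q = frozenset(states)
        self.Gamma = tuple(gamma)
        self.delta = {q: [(lab, frozenset(S)) for lab, S in delta.get(q, [])] for q in self.Q}
        self.q0 = q0
        self.A = frozenset(accepting)
        self.variables = sorted({lab[1] for rules in self.delta.values()
                                 for lab, _ in rules if lab[0] != "sym"})

def matches(label, gamma, env):
    """Does the label fire on stack symbol gamma under environment env (B in the paper)?"""
    kind, v = label
    if kind == "sym":
        return v == gamma
    return (env[v] == gamma) if kind == "var" else (env[v] != gamma)

def accepts_from(va, q, word, env):
    """Accepting run from q: some matching rule leads to a set of states that all accept
    the tail; the empty word is accepted exactly in the accepting states."""
    if not word:
        return q in va.A
    head, tail = word[0], word[1:]
    return any(all(accepts_from(va, s, tail, env) for s in S)
               for lab, S in va.delta[q] if matches(lab, head, env))

def accepts(va, word, env):
    return accepts_from(va, va.q0, word, env)

def complement(va, qf="q_f"):
    """Build M-bar following Items 1-5 of the proof; qf is the new sink state (name chosen
    for this example). Requires the proof's normal form: a state with a variable rule has
    no other rule."""
    assert qf not in va.Q
    delta = {q: [] for q in va.Q}
    delta[qf] = [(("sym", g), {qf}) for g in va.Gamma]            # Item 5: q_f loops
    for p in va.Q:
        rules = va.delta[p]
        var_rules = [(lab, S) for lab, S in rules if lab[0] != "sym"]
        if var_rules:
            assert len(rules) == 1, "normal form: the variable rule must be the only rule"
            (kind, x), S = var_rules[0]
            dual = "nvar" if kind == "var" else "var"
            delta[p] += [((kind, x), {q}) for q in S]               # Items 1/2: one q_i each,
            delta[p].append(((dual, x), {qf}))                      # plus the dual label to q_f
            continue
        for g in va.Gamma:
            sets = [S for lab, S in rules if lab == ("sym", g)]
            if not sets:
                delta[p].append((("sym", g), {qf}))                 # Item 3: no rule on g
            else:
                for choice in product(*sets):                       # Item 4: pick one q_i from
                    delta[p].append((("sym", g), set(choice)))      # every S_i (dual of OR/AND)
    return VA(va.Q | {qf}, va.Gamma, delta, va.q0, (va.Q | {qf}) - va.A)

def languages_agree(va, cva, max_len=4):
    """Finite check (not a proof) that L(cva) = (Gamma^* x B) \\ L(va) on all words up to
    max_len and all environments B: X -> Gamma."""
    for vals in product(va.Gamma, repeat=len(va.variables)):
        env = dict(zip(va.variables, vals))
        for n in range(max_len + 1):
            for word in product(va.Gamma, repeat=n):
                if accepts(va, word, env) == accepts(cva, word, env):
                    return False
    return True

# Constructed example M (not from the paper): the first symbol must equal B(x); then either
# "a" followed only by a's (universal branch to q3 AND q4), or any symbol followed by a
# symbol different from B(x) and then anything.
M = VA(
    states={"q0", "q1", "q2", "q3", "q4"},
    gamma=("a", "b"),
    delta={
        "q0": [(("var", "x"), {"q1"})],
        "q1": [(("sym", "a"), {"q3", "q4"}), (("sym", "a"), {"q2"}), (("sym", "b"), {"q2"})],
        "q2": [(("nvar", "x"), {"q3"})],
        "q3": [(("sym", "a"), {"q3"}), (("sym", "b"), {"q3"})],
        "q4": [(("sym", "a"), {"q4"})],
    },
    q0="q0",
    accepting={"q3", "q4"},
)
M_bar = complement(M)

if __name__ == "__main__":
    env = {"x": "a"}
    for w in [("a", "a", "a"), ("a", "b"), ("a", "b", "b")]:
        print("".join(w), "M:", accepts(M, w, env), "M_bar:", accepts(M_bar, w, env))
    print("complement correct on all words up to length 4:", languages_agree(M, M_bar))
```

The check in `languages_agree` is exhaustive only up to the chosen word length; the general correctness is what the induction in the proof above establishes.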

A.2 Proof of Theorem 2

Theorem 2

For every regular expression \(e\in {\mathcal {R}}\), one can effectively compute in polynomial time a VA \(M\) such that \(L(M)=L(e)\).

Proof

To construct a VA \(M\) s.t. \(L(M)=L(e)\), we first construct a Variable Automaton with \(\epsilon \)-transitions (\(\epsilon \)-VA) \(M_\epsilon \), whose transition rules are of the form:

  • \(p\mathop {\longrightarrow }\limits ^{\alpha }q\) s.t. \(\alpha \in {\mathcal {X}}\cup \varGamma , p,q\in Q\); or

  • \(p\mathop {\longrightarrow }\limits ^{\epsilon }q\) which can be fired without consuming any input symbol.

Then, we can translate the \(\epsilon \)-VA \(M_\epsilon \) into an equivalent VA \(M\) by performing \(\epsilon \)-transitions elimination as usual.

Given a regular expression \(e\in {\mathcal {R}}\), we can construct an \(\epsilon \)-VA \(M_\epsilon \) by induction on the structure of \(e\).

  • \(e=\emptyset \): Let \(M_\epsilon =(Q,\varGamma ,\delta ,q_0,A)\) where \(Q=\{q_0,f\},\, A=\{f\},\, \delta =\emptyset \). Then, we obtain that \(L(M_\epsilon )=\emptyset =L(\emptyset )\).

  • \(e=\epsilon \): Let \(M_\epsilon =(Q,\varGamma ,\delta ,q_0,A)\) where \(Q=\{q_0,f\},\, A=\{f\}\), \(\delta =\{q_0\mathop {\longrightarrow }\limits ^{\epsilon }f\}\). Then, we obtain that \(L(M_\epsilon )=\{(\langle p,\epsilon \rangle ,\,{ B})\mid \forall p\in P,{ B}\in {\mathcal {B}}\}=L(\epsilon )\).

  • \(e=a\in {\mathcal {X}}\): Let \(M_\epsilon =(Q,\varGamma ,\delta ,q_0,A)\) where \(Q=\{q_0,f\},\, A=\{f\},\, \delta =\{q_0\mathop {\longrightarrow }\limits ^{a} f\}\). Then, we obtain that \(L(M_\epsilon )=\{(\langle p,\gamma \rangle ,{ B})\mid \forall p\in P,\gamma \in \varGamma ,{ B}\in {\mathcal {B}}: { B}(a)=\gamma \}=L(a)\).

  • \(e=a\in \varGamma \): Let \(M_\epsilon =(Q,\varGamma ,\delta ,q_0,A)\) where \(Q=\{q_0,f\},\, A=\{f\}\), \(\delta =\{q_0\mathop {\longrightarrow }\limits ^{a} f\}\). Then, we obtain that \(L(M_\epsilon )=\{(\langle p,a\rangle ,{ B})\mid \forall p\in P,{ B}\in {\mathcal {B}}\}=L(a)\).

  • \(e=e_1+e_2\): By applying the induction hypothesis, there exist \(M_\epsilon ^1=(Q^1,\varGamma ,\delta ^1,q_0^1,\{f^1\})\) and \(M_\epsilon ^2=(Q^2,\varGamma ,\delta ^2,q_0^2,\{f^2\})\) such that \(L(M_\epsilon ^1)=L(e_1)\) and \(L(M_\epsilon ^2)=L(e_2)\). Let \(M_\epsilon =(Q,\varGamma ,\delta ,q_0,\{f\})\), where \(Q=Q^1\cup Q^2\cup \{q_0,f\},\, \delta =\delta ^1\cup \delta ^2\cup \delta '\), \(\delta '\) consists of the following transitions:

    • \(q_0\mathop {\longrightarrow }\limits ^{\epsilon }q_0^1\in \delta '\),

    • \(q_0\mathop {\longrightarrow }\limits ^{\epsilon }q_0^2\in \delta '\),

    • \(f^1\mathop {\longrightarrow }\limits ^{\epsilon }f\in \delta '\),

    • \(f^2\mathop {\longrightarrow }\limits ^{\epsilon }f\in \delta '\).

    For every \((\langle p,\omega \rangle ,{ B})\in P\times \varGamma ^*\times {\mathcal {B}},\, (\langle p,\omega \rangle ,{ B})\in L(M_\epsilon ^1)\) or \((\langle p,\omega \rangle ,{ B})\in L(M_\epsilon ^2)\) iff \((\langle p,\epsilon \omega \epsilon \rangle ,{ B})\in L(M_\epsilon )\). Thus, \(L(M_\epsilon )=L(M_\epsilon ^1)\cup L(M_\epsilon ^2)=L(e_1)\cup L(e_2)=L(e)\).

  • \(e=e_1\cdot e_2\): By applying the induction hypothesis, there exist \(M_\epsilon ^1=(Q^1,\varGamma ,\delta ^1,q_0^1,\{f^1\})\) and \(M_\epsilon ^2=(Q^2,\varGamma ,\delta ^2,q_0^2,\{f^2\})\) such that \(L(M_\epsilon ^1)=L(e_1)\) and \(L(M_\epsilon ^2)=L(e_2)\). Let \(M_\epsilon =(Q,\varGamma ,\delta ,q_0^1,\{f^2\})\), where \(Q=Q^1\cup Q^2\), \(\delta =\delta ^1\cup \delta ^2\cup \{f^1\mathop {\longrightarrow }\limits ^{\epsilon }q_0^2\}\). For every \((\langle p,\omega \rangle ,{ B})\in P\times \varGamma ^*\times {\mathcal {B}}\), \((\langle p,\omega _1\rangle ,{ B})\in L(M_\epsilon ^1)\) and \((\langle p,\omega _2\rangle ,{ B})\in L(M_\epsilon ^2)\) iff \((\langle p,\omega _1\epsilon \omega _2\rangle ,{ B})\in L(M_\epsilon )\) (i.e., \((\langle p,\omega _1\omega _2\rangle ,{ B})\in L(M_\epsilon )\)). Thus, \(L(M_\epsilon )=L(e)\).

  • \(e=e_1^*\): By applying the induction hypothesis, there exists \(M_\epsilon ^1=(Q^1,\varGamma ,\delta ^1,q_0^1,\{f^1\})\) such that \(L(M_\epsilon ^1)=L(e_1)\). Let \(M_\epsilon =(Q,\varGamma ,\delta ,q_0,\{f\})\), where \(Q=Q^1\cup \{q_0,f\},\, \delta =\delta ^1\cup \delta ',\,\delta '\) consists of the following transitions:

    • \(q_0\mathop {\longrightarrow }\limits ^{\epsilon }q_0^1\in \delta '\),

    • \(q_0\mathop {\longrightarrow }\limits ^{\epsilon }f\in \delta '\),

    • \(f^1\mathop {\longrightarrow }\limits ^{\epsilon }q_0^1\in \delta '\),

    • \(f^1\mathop {\longrightarrow }\limits ^{\epsilon }f\in \delta '\).

    For every \((\langle p,\omega \rangle ,{ B})\in P\times \varGamma ^*\times {\mathcal {B}}: (\langle p,\omega \rangle ,{ B})\in L(M_\epsilon )\) iff \(\omega \in \{u\mid (\langle p,u\rangle ,{ B})\in L(M_\epsilon ^1)\}^*\). Thus, \(L(M_\epsilon )=L(e)\).

Finally, we can eliminate all the \(\epsilon \) transitions from \(M_\epsilon \) in the standard manner obtaining the VA \(M\), i.e., as done for finite-state automata. \(\square \)

A.3 Proof of Theorem 3

Theorem 3

Given a PDS \({\mathcal {P}}=(P, \varGamma , \varDelta ,\sharp )\), a function \(\lambda :AP _{\mathcal {D}}\longrightarrow 2^P\), a SCTPL formula \(\varphi \), and a configuration \(\langle p,\omega \rangle \) of \({\mathcal {P}}\), we have: for every \({ B}\in {\mathcal {B}},\, \langle p,\omega \rangle \models _{\lambda }^{ B}\varphi \) iff \({\mathcal {BP}}_{\varphi }\) has an accepting run from the configuration \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \).

Proof

\((\Longrightarrow )\) Suppose \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \), we show that \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) by induction on the structure of \(\varphi \).

Case \(\varphi =a(x_1,\ldots ,x_n)\in AP ^+(\varphi )\): Since \(\langle p,\omega \rangle \models _{\lambda }^{ B}\varphi \), then \(\langle p,\omega \rangle \in \lambda (a({ B}(x_1),\ldots ,{ B}(x_n)))\). This implies that \([{(\!|}p,\varphi {|\!)},{ B}]\) is an accepting control location.

Since \(\langle {(\!|}p,\varphi {|\!)},\gamma \rangle \mathop {\hookrightarrow }\limits ^{id}\langle {(\!|}p,\varphi {|\!)},\gamma \rangle \in \varDelta \) for every \(\gamma \in \varGamma \), \({\mathcal {BP}}_{\varphi }\) has an accepting run from the configuration \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \), i.e., \({\mathcal {BP}}_{\varphi }\) has a run from the configuration \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) which infinitely often visits some configurations with accepting control locations.

Case \(\varphi =\lnot a(x_1,\ldots ,x_n)\in AP ^+(\varphi )\): Since \(\langle p,\omega \rangle \models _{\lambda }^{ B}\varphi \), then \(\langle p,\omega \rangle \not \in \lambda (a({ B}(x_1),\ldots ,{ B}(x_n)))\). This implies that \([{(\!|}p,\varphi {|\!)},{ B}]\) is an accepting control location.

Since \(\langle {(\!|}p,\varphi {|\!)},\gamma \rangle \mathop {\hookrightarrow }\limits ^{id}\langle {(\!|}p,\varphi {|\!)},\gamma \rangle \in \varDelta \) for every \(\gamma \in \varGamma \), \({\mathcal {BP}}_{\varphi }\) has an accepting run from the configuration \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \).

Case \(\varphi =e\): Since \(\langle p,\omega \rangle \models _{\lambda }^{ B}\varphi \), then \((\langle p,\omega \rangle ,{ B})\in L(M_e)\).

Since the run of \({\mathcal {BP}}_\varphi \) starting from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) moves to \(\langle [s_e,{ B}],\omega \rangle \), where \(s_e\) is the initial state of the VA \(M_e\), and the run of \({\mathcal {BP}}_\varphi \) starting from \(\langle [s_e,{ B}],\omega \rangle \) mimics the run of \(M_e\) on the word \(\omega \), it is sufficient to prove the following:

if \(M_e\) has an accepting run from a state \(q\) on the word \(u\) under the environment \({ B}\), then \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [q,{ B}],u\rangle \). We proceed by induction on the length of \(u\).

  • Basis \(|u|=0\): Then \(u=\epsilon \), so \(q\in A_e\). Since \(\langle q,\sharp \rangle \mathop {\longrightarrow }\limits ^{id}\langle q,\sharp \rangle \) and \([q,{ B}]\) is an accepting control location, \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [q,{ B}],\sharp \rangle \). Note that \(\sharp \) is the bottom of the stack when the stack content is empty.

  • Step \(|u|\ge 1\): Let \(\gamma \in \varGamma ,v\in \varGamma ^*\) such that \(u=\gamma v\). Let \(t\) be the first transition rule used by the run of \(M_e\). The proof depends on the type of \(t\).

    • Case \(t=q\mathop {\longrightarrow }\limits ^{x}\{q_1,\ldots ,q_m\}\) and \(x\in {\mathcal {X}}\): Then \({ B}(x)=\gamma \), and \(M_e\) has an accepting run from the state \(q_i\) on the word \(v\) under the environment \({ B}\) for every \(1\le i\le m\). By applying the induction hypothesis, we get that \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [q_i,{ B}],v\rangle \) for every \(1\le i\le m\). Since \(\langle q,\gamma \rangle \mathop {\hookrightarrow }\limits ^{join^x_\gamma }\{\langle q_1,\epsilon \rangle ,\ldots ,\langle q_m,\epsilon \rangle \}\in \varDelta \) and, because \({ B}(x)=\gamma \), the relation \(join^x_\gamma \) guarantees that \({ B}\in join^x_\gamma ({ B},\ldots ,{ B})\), \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [q,{ B}],u\rangle \).

    • Case \(t=q\mathop {\longrightarrow }\limits ^{\lnot x}\{q_1,\ldots ,q_m\}\) and \(x\in {\mathcal {X}}\): Then \({ B}(x)\ne \gamma \), and \(M_e\) has an accepting run from the state \(q_i\) on the word \(v\) under the environment \({ B}\) for every \(1\le i\le m\). By applying the induction hypothesis, we get that \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [q_i,{ B}],v\rangle \) for every \(1\le i\le m\). Since \(\langle q,\gamma \rangle \mathop {\hookrightarrow }\limits ^{join^{\lnot x}_\gamma }\{\langle q_1,\epsilon \rangle ,\ldots ,\langle q_m,\epsilon \rangle \}\in \varDelta \) and, because \({ B}(x)\ne \gamma \), the relation \(join^{\lnot x}_\gamma \) ensures that \({ B}\in join^{\lnot x}_\gamma ({ B},\ldots ,{ B})\), \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [q,{ B}],u\rangle \).

    • Case \(t=q\mathop {\longrightarrow }\limits ^{\gamma }\{q_1,\ldots ,q_m\}\): Then \(M_e\) has an accepting run from state \(q_i\) on the word \(v\) under the environment \({ B}\) for every \(1\le i\le m\). By applying the induction hypothesis, we get that \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [q_i,{ B}],v\rangle \) for every \(1\le i\le m\). Since \(\langle q,\gamma \rangle \mathop {\hookrightarrow }\limits ^{equal}\{\langle q_1,\epsilon \rangle ,\ldots ,\langle q_m,\epsilon \rangle \}\in \varDelta \) and the relation \(equal\) ensures that \({ B}\in equal({ B},\ldots ,{ B})\), \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [q,{ B}],u\rangle \).

Case \(\varphi =\lnot e\): It is similar to the case where \(\varphi =e\).

Case \(\varphi =\varphi _1\wedge \varphi _2\): Since \(\langle p,\omega \rangle \models _{\lambda }^{ B}\varphi \), we get that \(\langle p,\omega \rangle \models _{\lambda }^{ B}\varphi _1\) and \(\langle p,\omega \rangle \models _{\lambda }^{ B}\varphi _2\).

By applying the induction hypothesis, we get that \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [{(\!|}p,\varphi _1{|\!)},{ B}],\omega \rangle \) and \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [{(\!|}p,\varphi _2{|\!)},{ B}],\omega \rangle \).

Since \(\langle {(\!|}p,\varphi {|\!)},\gamma \rangle \mathop {\hookrightarrow }\limits ^{equal}[\langle {(\!|}p,\varphi _1{|\!)}, \gamma \rangle ,\langle {(\!|}p,\varphi _2{|\!)},\gamma \rangle ]\) for every \(\gamma \!\in \!\varGamma \) and \({ B}\in equal({ B},{ B})\), we get that \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) is an immediate predecessor of \(\{\langle [{(\!|}p,\varphi _1{|\!)},{ B}],\omega \rangle ,\langle [{(\!|}p,\varphi _2{|\!)}, { B}],\omega \rangle \}.\) Thus, \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle \![{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \).

Case \(\varphi =\varphi _1\vee \varphi _2\): Since \(\langle p,\omega \rangle \models _{\lambda }^{ B}\varphi \), we get that \(\langle p,\omega \rangle \models _{\lambda }^{ B}\varphi _1\) or \(\langle p,\omega \rangle \models _{\lambda }^{ B}\varphi _2\).

By applying the induction hypothesis, we get that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi _1{|\!)},{ B}],\omega \rangle \) or \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi _2{|\!)},{ B}],\omega \rangle \).

Since \(\langle {(\!|}p,\varphi {|\!)},\gamma \rangle \mathop {\hookrightarrow }\limits ^{id}\langle {(\!|}p,\varphi _1{|\!)},\,\gamma \rangle \) or \(\langle {(\!|}p,\varphi {|\!)},\gamma \rangle \mathop {\hookrightarrow }\limits ^{id}\langle {(\!|}p,\varphi _2{|\!)},\gamma \rangle \) and \({ B}\in id(B)\), we get that \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) is an immediate predecessor of \(\langle [{(\!|}p,\varphi _1{|\!)},{ B}],\omega \rangle \) and of \(\langle [{(\!|}p,\varphi _2{|\!)},{ B}],\omega \rangle .\) Thus, \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \).

Case \(\varphi =\forall x\varphi _1\): Since \(\langle p,\omega \rangle \models _{\lambda }^{ B}\varphi \), we get that \(\langle p,\omega \rangle \models _{\lambda }^{{ B}[x\leftarrow v]}\varphi _1\), for every \(v\in {\mathcal {D}}\). Suppose \({\mathcal {D}}=\{c_1,\ldots ,c_n\}\). By applying the induction hypothesis, we get that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi _1{|\!)},{ B}[x\leftarrow c_i]],\omega \rangle \) for every \(1\le i\le n\). Since \(\langle {(\!|}p,\varphi {|\!)},\gamma \rangle \mathop {\hookrightarrow }\limits ^{meet^x_{\mathcal {D}}}[\langle {(\!|}p,\varphi _1{|\!)},\gamma \rangle ,\ldots ,\langle {(\!|}p,\varphi _1{|\!)},\gamma \rangle ]\) for every \(\gamma \in \varGamma \) and the relation \(meet^x_{\mathcal {D}}\) ensures that \({ B}\in meet^x_{\mathcal {D}}({ B}[x\leftarrow c_1],\ldots ,{ B}[x\leftarrow c_n])\), we get that \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) is an immediate predecessor of \(\{\langle [{(\!|}p,\varphi _1{|\!)},{ B}[x\leftarrow c_1]],\omega \rangle ,\ldots ,\langle [{(\!|}p,\varphi _1{|\!)},{ B}[x\,\leftarrow c_n]],\omega \rangle \}.\) Thus, \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \).

Case \(\varphi =\exists x\varphi _1\): Since \(\langle p,\omega \rangle \models _{\lambda }^{ B}\varphi \), there exists a \(v\in {\mathcal {D}}\) such that \(\langle p,\omega \rangle \models _{\lambda }^{{ B}[x\leftarrow v]}\varphi _1\).

By applying the induction hypothesis, we get that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi _1{|\!)},{ B}[x\leftarrow v]],\omega \rangle \).

Since, for every \(\gamma \in \varGamma \), \(\langle {(\!|}p,\varphi {|\!)},\gamma \rangle \mathop {\hookrightarrow }\limits ^{meet^x_{\{v\}}}\langle {(\!|}p,\varphi _1{|\!)},\gamma \rangle \) and the relation \(meet^x_{\{v\}}\) ensures that \({ B}\in meet^x_{\{v\}}({ B}[x\leftarrow v])\), we get that \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) is an immediate predecessor of \(\langle [{(\!|}p,\varphi _1{|\!)},{ B}[x\leftarrow v]],\omega \rangle \). Thus, \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \).

Case \(\varphi =\mathbf{EX}\varphi _1\): Since \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \), then there exists an immediate successor \(\langle p',\omega '\rangle \) of \(\langle p,\omega \rangle \) such that \(\langle p',\omega '\rangle \models _\lambda ^{ B}\varphi _1\) and \(\langle p,\omega \rangle \Longrightarrow _{{\mathcal {P}}}\langle p',\omega '\rangle \).

By applying the induction hypothesis, we get that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p',\varphi _1{|\!)},{ B}],\omega '\rangle \).

Since \(\langle {(\!|}p,\varphi {|\!)},\gamma \rangle \mathop {\hookrightarrow }\limits ^{id} \langle {(\!|}p',\varphi _1{|\!)}, \omega \rangle \) and \({ B}\in id({ B})\), we get that \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) is an immediate predecessor of \(\langle [{(\!|}p',\varphi _1{|\!)},{ B}],\omega '\rangle \). Hence, \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \).

Case \(\varphi =\mathbf{AX}\varphi _1\): Let \(n\) be the number of immediate successors of \(\langle p,\omega \rangle \). Since \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \), for each immediate successor \(\langle p_i,\omega _i\rangle \) of \(\langle p,\omega \rangle \), \(1\le i\le n\), we have \(\langle p_i,\omega _i\rangle \models _\lambda ^{ B}\varphi _1\) and \(\langle p,\omega \rangle \Longrightarrow _{{\mathcal {P}}}\langle p_i,\omega _i\rangle \).

By applying the induction hypothesis, we obtain that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_i,\varphi _1{|\!)},{ B}],\omega _i\rangle \) for each \(1\le i\le n\).

Since \(\langle {(\!|}p,\varphi {|\!)},\gamma \rangle \mathop {\hookrightarrow }\limits ^{equal} [\langle {(\!|}p_1,\varphi _1{|\!)},\omega _1\rangle ,\ldots ,\langle {(\!|}p_n,\varphi _1{|\!)}, \omega _n\rangle ]\) and \({ B}\in equal({ B},\ldots ,{ B})\), we get that \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) is an immediate predecessor of \(\{\langle [{(\!|}p_1,\varphi _1{|\!)},{ B}],\omega _1\rangle ,\ldots ,\langle [{(\!|}p_n,\varphi _1{|\!)},{ B}],\omega _n\rangle \}\). Hence, \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \).

Case \(\varphi =\mathbf{E}[\varphi _1\mathbf{U}\varphi _2]\): Since \(\langle p,\omega \rangle \models _\lambda ^{ B}\mathbf{E}[\varphi _1\mathbf{U}\varphi _2]\), there exists a path \(\langle p_0,\omega _0\rangle ,\langle p_1, \omega _1\rangle ,\langle p_2,\omega _2\rangle \cdots \) from \(\langle p,\omega \rangle \) such that \(\exists i\ge 0,\, \langle p_i,\omega _i\rangle \models _\lambda ^{ B}\varphi _2\) and \(\forall 0\le j< i: ~\langle p_j,\omega _j\rangle \models _\lambda ^{ B}\varphi _1\). Since \(\langle p_i,\omega _i\rangle \models _\lambda ^{ B}\varphi _2\) and \(\langle p_j,\omega _j\rangle \models _\lambda ^{ B}\varphi _1\) for every \(0\le j< i\), the induction hypothesis gives that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_i,\varphi _2{|\!)},{ B}],\omega _i\rangle \) and, for every \(0\le j< i\), \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_j,\varphi _1{|\!)},{ B}],\omega _j\rangle \).

Since \(\langle {(\!|}p_i,\varphi {|\!)},\gamma \rangle \mathop {\hookrightarrow }\limits ^{id}\langle {(\!|}p_i,\varphi _2{|\!)},\gamma \rangle \) and \({ B}\in id({ B})\), we obtain that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_i,\varphi {|\!)},{ B}],\omega _i\rangle \).

If \(i=0\), then \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle =\langle [{(\!|}p_i,\varphi {|\!)},{ B}],\omega _i\rangle \), so \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \).

Otherwise \(i>0\), and we prove that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_j,\varphi {|\!)},{ B}],\omega _j\rangle \) for every \(0\le j<i\) by induction on \(l=i-j\). (Note that \(\langle [{(\!|}p_0,\varphi {|\!)},{ B}],\omega _0\rangle =\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \).)

  • Basis \(l=1\): Then \(\langle p_j,\omega _j\rangle \Longrightarrow _{{\mathcal {P}}}\langle p_i,\omega _i\rangle \). By the product construction of \({\mathcal {BP}}_\varphi \), \(\langle [{(\!|}p_j,\varphi {|\!)},{ B}],\omega _j\rangle \) is an immediate predecessor of \(\{\langle [{(\!|}p_j,\varphi _1{|\!)},{ B}],\omega _j\rangle ,\langle [{(\!|}p_i,\varphi {|\!)},\,{ B}],\omega _i\rangle \}\). This implies that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_j,\varphi {|\!)},{ B}],\omega _j\rangle \).

  • Step \(l>1\): Then there exists \(\langle p_{j+1},\omega _{j+1}\rangle \) such that \(\langle p_j,\omega _j\rangle \,\Longrightarrow _{{\mathcal {P}}}\langle p_{j+1},\omega _{j+1}\rangle \Longrightarrow _{{\mathcal {P}}} \langle p_i,\omega _i\rangle \). By the induction hypothesis (induction on \(l\)), \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_{j+1},\varphi {|\!)},{ B}],\omega _{j+1}\rangle \). Since \(\langle p_j,\omega _j\rangle \models _\lambda ^{ B}\varphi _1\), the induction hypothesis (induction on the structure of \(\varphi \)) gives that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_{j},\varphi _1{|\!)},{ B}],\omega _{j}\rangle \). Since \(\langle [{(\!|}p_j,\varphi {|\!)},{ B}],\,\omega _j\rangle \) is an immediate predecessor of \(\{\langle [{(\!|}p_{j},\varphi _1{|\!)},{ B}],\omega _{j}\rangle ,\,\langle [{(\!|}p_{j+1},\varphi {|\!)},{ B}],\omega _{j+1}\rangle \}\), \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_j,\varphi {|\!)},{ B}],\omega _j\rangle \). Taking \(j=0\) yields an accepting run of \({\mathcal {BP}}_\varphi \) from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \).

Case \(\varphi =\mathbf{A}[\varphi _1\mathbf{U}\varphi _2]\): We can prove that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) as done for \(\varphi =\mathbf{E}[\varphi _1\mathbf{U}\varphi _2]\).

Case \(\varphi =\mathbf{E}[\varphi _1\mathbf{R}\varphi _2]\): Since \(\langle p,\omega \rangle \models _\lambda ^{ B}\mathbf{E}[\varphi _1\mathbf{R}\varphi _2]\), there exists a path \(\rho =\langle p_0,\omega _0\rangle ,\langle p_1,\omega _1\rangle ,\langle p_2,\omega _2\rangle \cdots \) from \(\langle p,\omega \rangle \) such that

  1. \(\forall i\ge 0,~\langle p_i,\omega _i\rangle \models _\lambda ^{ B}\varphi _2\),

  2. or there exists \(i\ge 0\) such that \(\langle p_i,\omega _i\rangle \models _\lambda ^{ B}\varphi _1\) and \(\forall 0\le j\le i,~\langle p_j,\omega _j\rangle \models _\lambda ^{ B}\varphi _2\).

  • First we consider case (2). It can be proved that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) by induction on \(i-j\), as in the case \(\varphi =\mathbf{E}[\varphi _1\mathbf{U}\varphi _2]\).

  • Now consider case (1); let us prove that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \). According to the semantics of SCTPL, \({\mathcal {P}}\) has an infinite path \(r=\langle p_0,\omega _0\rangle ,\langle p_1,\omega _1\rangle ,\langle p_2,\omega _2\rangle ,\ldots ,\langle p_i,\omega _i\rangle ,\cdots \) such that \(\langle p_i,\omega _i\rangle \models _{\lambda }^{ B}\varphi _2\) for all \(i\ge 0\). Since the sets of control locations and stack symbols of \({\mathcal {P}}\) are finite and the path \(r\) is infinite, there exists a configuration \(\langle p_m,\gamma u\rangle \) such that \(\omega _m=\gamma u,\, \langle p_0,\omega _0\rangle \Longrightarrow _{{\mathcal {P}}}\langle p_m,\gamma u\rangle \) and \(\langle p_m,\gamma \rangle \Longrightarrow _{{\mathcal {P}}}\langle p_m,\gamma v\rangle \) (Proposition 3 of [7]). This implies that \(\langle p_m,\gamma u\rangle \Longrightarrow _{{\mathcal {P}}}\langle p_m,\gamma v u\rangle \). Let \(\langle p_n,\omega _n\rangle \) be the first configuration such that \(\langle p_n,\omega _n\rangle =\langle p_m,\gamma v u\rangle \). For each configuration \(\langle p_k,\omega _k\rangle \) in the run \(\langle p_m,\gamma u\rangle \Longrightarrow _{{\mathcal {P}}}\langle p_m,\gamma v u\rangle \), \(\langle [{(\!|}p_k,\varphi {|\!)},{ B}],\omega _k\rangle \) is an immediate predecessor of \(\{\langle [{(\!|}p_k,\varphi _2{|\!)},{ B}],\omega _k\rangle ,\langle [{(\!|}p_{k+1},\varphi {|\!)},{ B}], \omega _{k+1}\rangle \}\). According to the definition of the reachability relation of \({\mathcal {BP}}_\varphi \), we obtain that \(\langle [{(\!|}p_m,\varphi {|\!)},{ B}],\gamma u\rangle \in Pre^+(\{\langle [{(\!|}p_m,\varphi {|\!)},{ B}],\gamma v u\rangle ,\langle [{(\!|}p_{m},\varphi _2{|\!)},\,{ B}], \omega _{m}\rangle ,\ldots ,\langle [{(\!|}p_{n},\varphi _2{|\!)},{ B}],\omega _{n}\rangle \}).\) Since \(\langle p_i,\omega _i\rangle \models _\lambda ^{ B}\varphi _2\) for every \(i\ge 0\), the induction hypothesis gives that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_i,\varphi _2{|\!)},{ B}],\omega _i\rangle \) for every \(i\ge 0\). Since \([{(\!|}p_i,\varphi {|\!)},{ B}]\in F\) for each \(i\ge 0\), i.e., \([{(\!|}p_i,\varphi {|\!)},{ B}]\) is an accepting control location, \({\mathcal {BP}}_\varphi \) has a run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) in which every path visits configurations \(\langle [{(\!|}p_i,\varphi {|\!)},{ B}],\omega _i\rangle \) with accepting control locations infinitely often. Thus, \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \).

Case \(\varphi =\mathbf{A}[\varphi _1\mathbf{R}\varphi _2]\): We can prove that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) as done for \(\varphi =\mathbf{E}[\varphi _1\mathbf{R}\varphi _2]\).

\((\Longleftarrow )\) Suppose \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \). We show that \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \) by induction on the structure of \(\varphi \).

Case \(\varphi =a(x_1,\ldots ,x_n)\in AP ^+(\varphi )\): Since \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) and \(\langle {(\!|}p,\varphi {|\!)},\omega \rangle \mathop {\hookrightarrow }\limits ^{id}\langle p_\varphi ,\omega \rangle \), we have \(\langle p,\omega \rangle \in \lambda (a({ B}(x_1),\ldots ,{ B}(x_n)))\). Thus, \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \).

Case \(\varphi =\lnot a(x_1,\ldots ,x_n)\in AP ^-(\varphi )\): Since \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) and \(\langle {(\!|}p,\varphi {|\!)},\omega \rangle \mathop {\hookrightarrow }\limits ^{id}\langle p_\varphi ,\omega \rangle \), this implies that \(\langle p,\omega \rangle \not \in \lambda (a({ B}(x_1),\ldots ,{ B}(x_n)))\). Thus, \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \).

Case \(\varphi =e\): Since \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) and \(\langle {(\!|}p,\varphi {|\!)},\omega \rangle \mathop {\hookrightarrow }\limits ^{id}\langle s_e,\omega \rangle \), we get that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [s_e,{ B}],\omega \rangle \). Since the run of \({\mathcal {BP}}_\varphi \) from the configuration \(\langle [s_e,{ B}],\omega \rangle \) mimics the run of \(M_e\), it is sufficient to prove that for every \(q\in Q\) and \(u\in \varGamma ^*\), if \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [q,{ B}],u\rangle \), then \(M_e\) has an accepting run from the state \(q\) on the word \(u\) under \({ B}\). We proceed by induction on the length \(|u|\).

  • Basis \(|u|=0\): Then \(u=\epsilon \). Since \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [q,{ B}],\sharp \rangle \), \(\langle q,\sharp \rangle \mathop {\longrightarrow }\limits ^{id}\langle q,\sharp \rangle \in \varDelta \) and \([q,{ B}]\) is accepting, we get that \(q\in A_e\), so \(M_e\) has an accepting run from the state \(q\) on the word \(u\) under \({ B}\). Note that \(\sharp \) is the bottom of the stack (i.e., the stack content is \(\epsilon \)).

  • Step \(|u|\ge 1\): Let \(\gamma \in \varGamma ,v\in \varGamma ^*\) such that \(u=\gamma v\). Let \(t\) be the first transition rule used by the run of \({\mathcal {BP}}_{\varphi }\). The proof depends on the type of \(t\).

    • Case \(t=\langle q,\gamma \rangle \mathop {\hookrightarrow }\limits ^{join^x_\gamma }\{\langle q_1,\epsilon \rangle ,\ldots ,\langle q_m,\epsilon \rangle \}\in \varDelta \): Then \(q\mathop {\longrightarrow }\limits ^{x}\{q_1,\ldots ,q_m\}\) with \(x\in {\mathcal {X}}\), and the relation \(join^x_\gamma \) ensures that \({ B}(x)=\gamma \). Since \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [q,{ B}],u\rangle \) whose first rule is \(t\), \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [q_i,{ B}],v\rangle \) for every \(1\le i\le m\). By applying the induction hypothesis, we obtain that \(M_e\) has an accepting run from state \(q_i\) on the word \(v\) under \({ B}\) for every \(1\le i\le m\). Since \(q\mathop {\longrightarrow }\limits ^{x}\{q_1,\ldots ,q_m\}\) and \({ B}(x)=\gamma \), \(M_e\) has an accepting run from the state \(q\) on the word \(u\) under \({ B}\).

    • Case \(t=\langle q,\gamma \rangle \mathop {\hookrightarrow }\limits ^{join^{\lnot x}_\gamma }\{\langle q_1,\epsilon \rangle ,\ldots ,\langle q_m,\epsilon \rangle \}\in \varDelta \): Then \(q\mathop {\longrightarrow }\limits ^{\lnot x}\{q_1,\ldots ,q_m\}\) with \(x\in {\mathcal {X}}\), and the relation \(join^{\lnot x}_\gamma \) ensures that \({ B}(x)\ne \gamma \). Since \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [q,{ B}],u\rangle \) whose first rule is \(t\), \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [q_i,{ B}],v\rangle \) for every \(1\le i\le m\). By applying the induction hypothesis, we obtain that \(M_e\) has an accepting run from state \(q_i\) on the word \(v\) under \({ B}\) for every \(1\le i\le m\). Since \(q\mathop {\longrightarrow }\limits ^{\lnot x}\{q_1,\ldots ,q_m\}\) and \({ B}(x)\ne \gamma \), \(M_e\) has an accepting run from the state \(q\) on the word \(u\) under \({ B}\).

    • Case \(t=\langle q,\gamma \rangle \mathop {\hookrightarrow }\limits ^{equal}\{\langle q_1,\epsilon \rangle ,\ldots ,\langle q_m,\epsilon \rangle \}\in \varDelta \): Then \(q\mathop {\longrightarrow }\limits ^{\gamma }\{q_1,\ldots ,q_m\}\). Since \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [q,{ B}],u\rangle \) whose first rule is \(t\), \({\mathcal {BP}}_{\varphi }\) has an accepting run from \(\langle [q_i,{ B}],v\rangle \) for every \(1\le i\le m\). By applying the induction hypothesis, we obtain that \(M_e\) has an accepting run from state \(q_i\) on the word \(v\) under \({ B}\) for every \(1\le i\le m\). Since \(q\mathop {\longrightarrow }\limits ^{\gamma }\{q_1,\ldots ,q_m\}\), \(M_e\) has an accepting run from the state \(q\) on the word \(u\) under \({ B}\).
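
The two inductions on \(|u|\) (the forward direction of the case \(\varphi =e\) and this converse) both describe the same mechanism: a run of \(M_e\) consumes the stack word one symbol at a time, a rule labelled \(x\), \(\lnot x\) or \(\gamma \) is enabled depending on the environment \({ B}\), and every successor in \(\{q_1,\ldots ,q_m\}\) must accept the rest of the word. The Python checker below is an added illustration of exactly that acceptance condition; it is not code from the paper or from its tool. The transition encoding, the function names, the empty tuple standing in for the bottom-of-stack marker \(\sharp \), the three-symbol alphabet and the automaton itself are this example's own constructions. The helper `satisfying_values` additionally enumerates the values \(c_i\) of the domain \({\mathcal {D}}\) for a variable \(x\), which is what the \(\forall x\) and \(\exists x\) cases (via the \(meet\) rules) quantify over.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Added example (not the paper's code): an acceptance checker for a variable
# automaton (VA) M_e on a stack word u under an environment B, mirroring the
# induction on |u| in the case phi = e.  Rule labels are encoded as:
#   ("sym", gamma): consume the concrete stack symbol gamma          (rule q --gamma--> ...)
#   ("var", x):     consume the symbol bound to x, i.e. B(x) = gamma  (rule q --x--> ...)
#   ("nvar", x):    consume any symbol with B(x) != gamma             (rule q --not x--> ...)
# A rule q --label--> {q_1, ..., q_m} is conjunctive: every q_i must accept the
# remaining word, which is why the induction hypothesis is applied to each q_i.
Label = Tuple[str, str]
Rule = Tuple[str, Label, FrozenSet[str]]


@dataclass(frozen=True)
class VA:
    accepting: FrozenSet[str]   # A_e, the accepting states
    rules: Tuple[Rule, ...]     # transitions q --label--> {q_1, ..., q_m}


def label_matches(label: Label, gamma: str, env: Dict[str, str]) -> bool:
    """Does `label` allow the automaton to consume stack symbol `gamma` under `env`?"""
    kind, arg = label
    if kind == "sym":
        return arg == gamma
    if kind == "var":
        return env[arg] == gamma      # B(x) = gamma
    if kind == "nvar":
        return env[arg] != gamma      # B(x) != gamma
    raise ValueError(f"unknown label kind {kind!r}")


def has_accepting_run(va: VA, q: str, word: Tuple[str, ...], env: Dict[str, str]) -> bool:
    """True iff M_e has an accepting run from state q on `word` under environment `env`.

    Basis |u| = 0 (empty tuple, the bottom-of-stack marker): accepting iff q is in A_e.
    Step |u| >= 1: some rule from q must consume the first symbol and every
    successor q_i must accept the remaining word v (conjunctive branching).
    """
    if not word:
        return q in va.accepting
    gamma, rest = word[0], word[1:]
    for src, label, succs in va.rules:
        if src != q or not label_matches(label, gamma, env):
            continue
        if all(has_accepting_run(va, qi, rest, env) for qi in succs):
            return True
    return False


def satisfying_values(va: VA, q: str, word: Tuple[str, ...], env: Dict[str, str],
                      x: str, domain: Tuple[str, ...]) -> FrozenSet[str]:
    """Values c in the domain D such that M_e accepts `word` under B[x <- c].

    The result equal to the whole domain means the word satisfies "for all x";
    a non-empty result means it satisfies "exists x".
    """
    return frozenset(c for c in domain if has_accepting_run(va, q, word, {**env, x: c}))


# Constructed example: Gamma = {a, b, c}.  The VA requires the top symbol to be
# the value of x AND (conjunctively, via the branch to q2) the second symbol to
# differ from x; any suffix may follow (the Gamma* loops on q1 and q3).
GAMMA = ("a", "b", "c")
EXAMPLE_VA = VA(
    accepting=frozenset({"q1", "q3"}),
    rules=(
        ("q0", ("var", "x"), frozenset({"q1", "q2"})),              # top symbol must equal B(x)
        *[("q1", ("sym", g), frozenset({"q1"})) for g in GAMMA],    # q1 accepts Gamma*
        ("q2", ("nvar", "x"), frozenset({"q3"})),                   # second symbol must differ from B(x)
        *[("q3", ("sym", g), frozenset({"q3"})) for g in GAMMA],    # q3 accepts Gamma*
    ),
)


if __name__ == "__main__":
    env = {"x": "a"}
    print(has_accepting_run(EXAMPLE_VA, "q0", ("a", "b", "c"), env))        # True
    print(has_accepting_run(EXAMPLE_VA, "q0", ("a", "a", "c"), env))        # False: second symbol equals x
    print(has_accepting_run(EXAMPLE_VA, "q0", ("a",), env))                 # False: q2 never reaches A_e
    print(satisfying_values(EXAMPLE_VA, "q0", ("b", "a"), {}, "x", GAMMA))  # frozenset({'b'})
```

The third call shows why the proof applies the induction hypothesis to every \(q_i\): the branch through \(q_1\) accepts the empty remainder, but the branch through \(q_2\) does not, so the run as a whole is rejected.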

Case \(\varphi =\lnot e\): This case is similar to the case where \(\varphi =e\).

Case \(\varphi =\varphi _1\wedge \varphi _2\): Since \(\langle {(\!|}p,\varphi {|\!)},\omega \rangle \mathop {\hookrightarrow }\limits ^{equal}[\langle {(\!|}p,\varphi _1{|\!)},\omega \rangle ,\langle {(\!|}p, \varphi _2{|\!)},\,\omega \rangle ]\) and \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \), we obtain that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi _1{|\!)},{ B}], \omega \rangle \) and from \(\langle [{(\!|}p,\varphi _2{|\!)},{ B}],\omega \rangle \).

By applying the induction hypothesis, we obtain that \(\langle p,\,\omega \rangle \models _\lambda ^{ B}\varphi _1\) and \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi _2\). These imply that \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \).

Case \(\varphi =\varphi _1\vee \varphi _2\): Since \(\langle {(\!|}p,\varphi {|\!)},\omega \rangle \mathop {\hookrightarrow }\limits ^{id} \langle {(\!|}p,\varphi _1{|\!)},\omega \rangle \) and \(\langle {(\!|}p,\varphi {|\!)},\omega \rangle \mathop {\hookrightarrow }\limits ^{id} \langle {(\!|}p,\varphi _2{|\!)},\omega \rangle \), and \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \), we obtain that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi _1{|\!)},{ B}],\omega \rangle \) or \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi _2{|\!)},{ B}],\omega \rangle \). By applying the induction hypothesis, we have that \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi _1\) or \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi _2\). These imply that \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \).

Case \(\varphi =\forall x\varphi _1\): Let \({\mathcal {D}}=\{c_1,\ldots ,c_n\}\). Since \(\langle {(\!|}p,\varphi {|\!)},\omega \rangle \mathop {\hookrightarrow }\limits ^{meet^x_{\mathcal {D}}}[\langle {(\!|}p,\varphi _1{|\!)},\omega \rangle ,\ldots ,\langle {(\!|}p,\varphi _1{|\!)},\omega \rangle ]\), the relation \(meet^x_{\mathcal {D}}\) implies that the configurations \([\langle [{(\!|}p,\varphi _1{|\!)},{ B}[x\longleftarrow c_1]],\omega \rangle ,\ldots ,\langle [{(\!|}p,\varphi _1{|\!)},\,{ B}[x\longleftarrow c_n]],\omega \rangle ]\) are the children of the configuration \(\langle [{(\!|}p,\varphi {|\!)},\,{ B}],\omega \rangle \) in the accepting run.

Since \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \), we obtain that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi _1{|\!)},{ B}[x\longleftarrow c_i]],\omega \rangle \) for every \(1\le i\le n\). By applying the induction hypothesis, we get that \(\langle p,\omega \rangle \models _\lambda ^{{ B}[x\longleftarrow c_i]}\varphi _1\) for every \(1\le i\le n\). Thus, \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \).

Case \(\varphi =\exists x\varphi _1\): Let \({\mathcal {D}}=\{c_1,\ldots ,c_n\}\). Since \(\langle {(\!|}p,\varphi {|\!)},\omega \rangle \mathop {\hookrightarrow }\limits ^{meet^x_{\{c_i\}}}\langle {(\!|}p,\varphi _1{|\!)},\omega \rangle \) for every \(1\le i\le n\), the relation \(meet^x_{\{c_i\}}\) implies that for every \(1\le i\le n\), the configuration \(\langle [{(\!|}p,\varphi _1{|\!)},{ B}[x\longleftarrow c_i]],\omega \rangle \) can be the child of the configuration \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) in the accepting run.

Since \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \), we obtain that there exists \(i:~1\le i\le n\) such that \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p,\varphi _1{|\!)},{ B}[x\longleftarrow c_i]],\omega \rangle \). By applying the induction hypothesis, we get that \(\langle p,\omega \rangle \models _\lambda ^{{ B}[x\longleftarrow c_i]}\varphi _1\). Hence, \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \).

Case \(\varphi =\mathbf{EX}\varphi _1\): Then, there exists an immediate successor \(\langle [{(\!|}p',\varphi _1{|\!)},{ B}],\omega '\rangle \) of \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) such that \(\langle [{(\!|}p',\varphi _1{|\!)},{ B}],\omega '\rangle \) is a child of \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) in the accepting run. Then \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p',\varphi _1{|\!)},{ B}],\omega '\rangle \).

By applying the induction hypothesis, \(\langle p',\omega '\rangle \models _\lambda ^{ B}\varphi _1\). Thus, we obtain that \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \).

Case \(\varphi =\mathbf{AX}\varphi _1\): Then, the immediate successors \(\{\langle [{(\!|}p_1,\varphi _1{|\!)},{ B}],\,\omega _1\rangle , \cdots ,\langle [{(\!|}p_n,\varphi _1{|\!)},{ B}],\omega _n\rangle \}\) of \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) are the children of the configuration \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\omega \rangle \) in the accepting run. Then \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_i,\varphi _1{|\!)},{ B}],\omega _i\rangle \), for each \(1\le i\le n\).

By applying the induction hypothesis, \(\langle p_i,\omega _i\rangle \models _\lambda ^{ B}\varphi _1\), for each \(1\le i\le n\). Thus, we obtain that \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \).

Case \(\varphi =\mathbf{E}[\varphi _1\mathbf{U}\varphi _2]\): Let \(\rho \) be the accepting run from \(\langle [{(\!|}p,\varphi {|\!)},\,{ B}],\omega \rangle \). Then each configuration \(\langle [{(\!|}p_i,\varphi {|\!)},{ B}],\omega _i\rangle \) in \(\rho \) either has the two children \(\langle [{(\!|}p_i,\varphi _1{|\!)},{ B}],\omega _i\rangle \) and \(\langle [{(\!|}p_{i+1},\varphi {|\!)},{ B}],\omega _{i+1}\rangle \), or has the single child \(\langle [{(\!|}p_i,\varphi _2{|\!)},{ B}], \omega _i\rangle \).

Since \(\rho \) is an accepting run, there exists a configuration \(\langle [{(\!|}p_n,\varphi {|\!)},{ B}],\omega _n\rangle \) in \(\rho \), such that \(\langle [{(\!|}p_n,\varphi {|\!)},{ B}],\omega _n\rangle \) has only one child \(\langle [{(\!|}p_n,\varphi _2{|\!)},{ B}],\omega _n\rangle \). Let \(\langle [{(\!|}p_0,\varphi {|\!)},{ B}],\omega _0\rangle ,\ldots ,\langle [{(\!|}p_n,\varphi {|\!)},{ B}],\,\omega _n\rangle ,\cdots \) be a path of \(\rho \). Then, \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_i,\varphi _1{|\!)},{ B}],\omega _i\rangle \) for each \(0\le i<n\), and \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_n,\varphi _2{|\!)},{ B}],\omega _n\rangle \).

By applying the induction hypothesis, we obtain that \(\langle p_n,\,\omega _n\rangle \models _\lambda ^{ B}\varphi _2\) and \(\langle p_i,\omega _i\rangle \models _\lambda ^{ B}\varphi _1\) for each \(0\le i<n\). Thus, \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \).

Case \(\varphi =\mathbf{A}[\varphi _1\mathbf{U}\varphi _2]\): This case is similar to the case where \(\varphi =\mathbf{E}[\varphi _1\mathbf{U}\varphi _2]\).

Case \(\varphi =\mathbf{E}[\varphi _1\mathbf{R}\varphi _2]\): Let \(\rho \) be the accepting run from \(\langle [{(\!|}p,\varphi {|\!)},{ B}],\,\omega \rangle \). Then each configuration \(\langle [{(\!|}p_i,\varphi {|\!)},{ B}],\omega _i\rangle \) in \(\rho \) has two children:

  1. either \(\langle [{(\!|}p_i,\varphi _1{|\!)},{ B}],\omega _i\rangle \) and \(\langle [{(\!|}p_i,\varphi _2{|\!)},{ B}],\omega _i\rangle \),

  2. or \(\langle [{(\!|}p_i,\varphi _2{|\!)},{ B}],\omega _i\rangle \) and \(\langle [{(\!|}p_{i+1},\varphi {|\!)},{ B}],\omega _{i+1}\rangle \).

  • First we consider Item (1). Since \([{(\!|}p_i,\varphi {|\!)},{ B}]\in F\), \([{(\!|}p_i,\varphi {|\!)},{ B}]\) is an accepting control location, so every configuration \(\langle [{(\!|}p_i,\varphi {|\!)},{ B}],\omega _i\rangle \) in \(\rho \) has the two children \(\langle [{(\!|}p_i,\varphi _2{|\!)},{ B}],\omega _i\rangle \) and \(\langle [{(\!|}p_{i+1},\varphi {|\!)},{ B}],\omega _{i+1}\rangle \) for every \(i\ge 0\). By applying the induction hypothesis to \(\langle [{(\!|}p_i,\varphi _2{|\!)},{ B}],\omega _i\rangle \), we get that \(\langle p_i,\omega _i\rangle \models _\lambda ^{ B}\varphi _2\) for every \(i\ge 0\). Hence, \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \).

  • Let us consider Item (2). There is a configuration \(\langle [{(\!|}p_n,\varphi {|\!)},\,{ B}],\omega _n\rangle \) in \(\rho \) whose two children are \(\langle [{(\!|}p_n,\varphi _1{|\!)},{ B}],\omega _n\rangle \) and \(\langle [{(\!|}p_n,\varphi _2{|\!)},{ B}],\omega _n\rangle \), and each configuration \(\langle [{(\!|}p_i,\varphi {|\!)},{ B}],\omega _i\rangle \) from \(\langle [{(\!|}p_0,\varphi {|\!)},{ B}],\omega _0\rangle \) to \(\langle [{(\!|}p_n,\varphi {|\!)},{ B}],\omega _n\rangle \) has the children \(\langle [{(\!|}p_i,\varphi _2{|\!)},{ B}],\omega _i\rangle \) and \(\langle [{(\!|}p_{i+1},\varphi {|\!)},{ B}],\omega _{i+1}\rangle \). Thus, \({\mathcal {BP}}_\varphi \) has an accepting run from \(\langle [{(\!|}p_n,\varphi _1{|\!)},{ B}],\omega _n\rangle \) and from \(\langle [{(\!|}p_i,\varphi _2{|\!)},{ B}],\,\omega _i\rangle \) for every \(0\le i\le n\). By applying the induction hypothesis, \(\langle p_n,\omega _n\rangle \models _\lambda ^{ B}\varphi _1\) and \(\langle p_i,\omega _i\rangle \models _\lambda ^{ B}\varphi _2\) for each \(0\le i\le n\). Thus, \(\langle p,\omega \rangle \models _\lambda ^{ B}\varphi \).

Case \(\varphi =\mathbf{A}[\varphi _1\mathbf{R}\varphi _2]\): This case is similar to the case where \(\varphi =\mathbf{E}[\varphi _1\mathbf{R}\varphi _2]\).\(\square \)

Song, F., Touili, T. Pushdown model checking for malware detection. Int J Softw Tools Technol Transfer 16, 147–173 (2014). https://doi.org/10.1007/s10009-013-0290-1
