PDL with negation of atomic programs

Propositional dynamic logic (PDL) is one of the most successful variants of modal logic. To make it even more useful for applications, many extensions of PDL have been considered in the literature. A very natural and useful such extension is with negation of programs. Unfortunately, as long-known, reasoning with the resulting logic is undecidable. In this paper, we consider the extension of PDL with negation of atomic programs, only. We argue that this logic is still useful, e.g. in the context of description logics, and prove that satisfiability is decidable and EXPTIME-complete using an approach based on Büchi tree automata.


Introduction
Propositional dynamic logic (PDL) is a variant of propositional modal logic that has been developed in the late seventies as a tool for reasoning about programs [PRA 76, FIS 77, FIS 79, HAR 84, HAR 00]. Since then, PDL was used rather successfully in a large number of application areas such as reasoning about knowledge [FAG 95], reasoning about actions [GIA 95, PRE 96], description logics [GIA 94], and others. Starting almost with its invention around 1979 [FIS 79], many extensions of PDL have been proposed with the goal to enhance the expressive power and make PDL even more applicable; see e.g. [PAS 91, HAR 84, HAR 00]. Some of these extensions are tailored toward specific application areas, such as the halt predicate that allows to state termination in the context of reasoning about programs [HAR 78]. The majority of proposed extensions, however, is of a general nature and has been employed in many different application areas-for instance, the extension of PDL with the widely applied converse operator [VAR 85].
Among the general purpose extensions of PDL, two of the most obvious ones are the addition of program intersection "∩" and of program negation "¬" [DAN 84, HAR 84, HAR 00]. Since PDL already provides for program union "∪", the latter is more general than the former: α ∩ β can simply be expressed as ¬(¬α ∪ ¬β). The main obstacle for using these two extensions in practical applications is that they are problematic w.r.t. their computational properties: first, adding intersection destroys many of the nice model-theoretic properties of PDL. The only known algorithm for reasoning in the resulting logic PDL ∩ is the quite intricate one given in [DAN 84]. Up to now, it is unknown whether the provided 2-EXPTIME upper bound is tightin contrast to EXPTIME-complete reasoning in PDL. Second, the situation with PDL extended with negation (PDL ¬ ) is even worse: it was observed quite early in 1984 that reasoning in PDL ¬ is undecidable [HAR 84].
This undecidability was often regretted [HAR 84, PAS 91, BRO 03], in particular since reasoning in PDL ¬ would be quite interesting for a number of application areas. To illustrate the usefulness of this logic, let us give three examples of its expressive power: first, it was already noted that negation can be employed to express intersection. Intersection, in turn, is very useful for reasoning about programs since it allows to capture the parallel execution of programs. Second, program negation allows to express the universal modality 2 U ϕ by writing [a]ϕ ∧ [¬a]ϕ, with a an arbitrary atomic program. The universal modality is a very useful extension of modal logics that comes handy in many applications; see e.g. [GOR 92]. Third, program negation can be used to express the window operator a [HUM 83, GAR 87, GOR 90], whose semantics is as follows: a ϕ holds at a world w iff ϕ holding at a world w ′ implies that w ′ is a-accessible from w. In PDL ¬ , we can thus just write [¬a]¬ϕ instead of a ϕ. The window operator can be viewed as expressing sufficiency in contrast to the standard box operator of modal logic, which expresses necessity. Moreover, the window operator has important applications, e.g. in description logics [LUT 00].
Due to the usefulness of program negation, it is natural to attempt the identification of fragments of PDL ¬ that still capture some of the useful properties of program negation, but are well-behaved in a computational sense. One candidate for such a fragment is PDL ∩ . As has already been noted, this fragment is indeed decidable, but has a quite intricate model theory. The purpose of this paper is to explore another natural option: PDL (¬) , the fragment of PDL ¬ that allows the application of program negation to atomic programs, only. Note that, in PDL (¬) , negated atomic programs may be freely used inside other program operators. We show that reasoning in PDL (¬) is decidable, and EXPTIME-complete-thus not harder than reasoning in PDL itself. Moreover, PDL (¬) has a simpler model theory than PDL ∩ : we are able to use a decision procedure that is an extension of the standard automata-based decision procedure for PDL [VAR 86], and of the standard automata-based decision procedure for Boolean modal logic [LUT 01]. Finally, we claim that PDL (¬) is still useful for applications: while intersection cannot be expressed any more, the universal modality and the window operator are still available.
To give some more concrete examples of the usefulness of PDL (¬) , we take a description logic perspective. Description logics are a family of logics that originated in artificial intelligence as a tool for the representation of conceptual knowledge [BAA 03]. It is well-known that many description logics (DLs) are notational variants of modal logics [SCH 91, GIA 94]. In particular, the description logic ALC reg , which extends the basic DL ALC with regular expressions on roles, corresponds to PDL [GIA 94]. More precisely, DL concepts can be understood as PDL formulas, and DL roles as PDL programs. Thus, the extension ALC (¬) reg of ALC reg with negation of atomic roles is a notational variant of PDL (¬) . We give two examples of knowledge representation with ALC (¬) reg . These examples, which use DL syntax rather than PDL syntax, illustrate that the combination of regular expressions on roles and of atomic negation of roles is a very useful one.
1. Assume that we want to use ALC (¬) reg to capture the relevant notions of universities and their students. In particular, we want to describe the preferences that universities have when selecting students. Since some private universities prefer to admit students whose ancestors donated money to the university, we could write to state that all students preferred by University X have either passed the (American) SAT test with a top score or have an ancestor that donated money. But perhaps the policy of University X is even stronger in that it prefers all students whose ancestors have donated money. This can be expressed using the window operator (that can, in turn, be expressed via atomic negation): UniversityX → ∀¬prefer.¬(∃parent + .Donator) states that all students with donating ancestors are preferred.
2. Suppose that we want to use ALC (¬) reg to talk about trust and mistrust among negotiating parties. Also assume that we have a very strong notion of trust, namely that it is transitive: if I trust x, and x trusts y, then I trust y as well. An analogous assumption for mistrust should clearly not be made. Then, we can model mistrust by using an atomic role mistrust, and trust by using (¬mistrust) * . We can now say, e.g., that I trust some politicians and never mistrust a family member : Note that reversing the roles of trust and mistrust does not work: first, to achieve transitivity of trust, we'd have to introduce an atomic direct-trust relation. And second, we could then only speak about the negation of direct-trust, but not about the negation of direct-trust * , which corresponds to mistrust. This paper is organized as follows. 1 In Section 2, we introduce PDL ¬ and its fragment PDL (¬) . For illustrative purposes, we give a proof of the undecidability of full PDL ¬ . In preparation for the automata-based decision procedure, we introduce a variant APDL (¬) of PDL (¬) in Section 3. This variant uses finite automata rather than regular expressions as modal parameters and is better suited for automata-based decision procedures. As one of the two core parts of our decision procedure, in Section 4 we then abstract models of PDL (¬) -formulas ϕ to Hintikka-trees for ϕ . The other core part is presented in Section 5, where we define Büchi-tree automata that can be used to check for existence of Hintikka-trees (and thus models) of PDL (¬) formulas. We conclude in Section 6 giving some possible directions for future research.

PDL with negation
In this section, we introduce propositional dynamic logic (PDL) with negation of programs. We start with defining full PDL ¬ , i.e. PDL extended with negation of (possibly complex) programs. Then, the logics PDL and PDL (¬) , are defined as fragments of PDL ¬ .
A formula ϕ ∈ Φ ¬ is called a PDL (¬) -formula (PDL-formula) if, in ϕ, negation occurs only in front of atomic programs and formulas (only in front of formulas).
Throughout this paper, the operator π is called the diamond operator, [π] is called the box operator, and programs of the form ψ? are called tests. Let us note how formulas of PDL ¬ can be converted into concepts of the description logic ALC (¬) reg mentioned in the introduction: simply replace ∧, ∨, π ψ, and [π]ψ with ⊓, ⊔, ∃π.ψ, and ∀π.ψ, respectively. DEFINITION 2 (PDL ¬ SEMANTICS). -Let M = (W, R, V ) be a Kripke structure where W is the set of worlds, R is a family of accessibility relations for atomic programs {R π ⊆ W 2 | π ∈ Π 0 }, and V : Φ 0 → 2 W is a valuation function. In the following, we define accessibility relations for compound programs and the satisfaction relation |= by simultaneous induction, where · * denotes the reflexive-transitive closure: It is well-known that satisfiability and validity of PDL ¬ -formulas are undecidable [HAR 84]. Since this can be established in a very simple way, we give a proof for illustrative purposes.
The most common proof technique is simply to state that undecidability of PDL ¬ is an immediate consequence of the undecidability of the relation algebra that has the operators ¬, ∩, ∪, and • (composition). Though this is of course a valid method, we believe that it is more instructive to directly reduce the undecidable word-problem for finitely presented semi-groups [MAT 67], which is the standard approach for proving undecidability of the afore mentioned relation algebras; see e.g. [AND 01]. This word problem can be formulated as follows: given a set of word equations E = {u 1 ≈ v 1 , . . . , u k ≈ v k } and another equation u ≈ v, the task is to decide whether every semigroup satisfying E also satisfies u ≈ v. To reduce this problem to PDL ¬satisfiability, we need to introduce the universal modality 2 U ϕ, which has the following semantics: Clearly, in PDL ¬ we can replace 2 U ϕ with the equivalent [a]ϕ ∧ [¬a]ϕ, where a ∈ Π 0 is an arbitrary atomic program. Using the universal modality, the reduction is now easy: we assume that, for every generator of the semi-group, there is an atomic program of the same name, and then note that {u 1 ≈ v 1 , . . . , u k ≈ v k } implies u ≈ v if and only if the following formula is unsatisfiable: Here, we assume that the symbols of the words u i and v i (and of u and v) are separated by program composition ";".
Proof sketch: For both directions, the contrapositive is proved. ("only if"). If the set of equations E = {u 1 ≈ v 1 , . . . , u k ≈ v k } does not imply u ≈ v, then there is a semigroup A = (A, ; , a 1 , . . . , a n ) such that A satisfies E but not u ≈ v. From this semigroup, we can construct a model M for the reduction formula as follows: -V is arbitrary.
It can be checked that the reduction formulas is true at ε ∈ W in M.
("if"). Suppose that the reduction formula is satisfiable in a model M = (W, {R a1 , . . . , R an }, V ) at a world u ∈ W . Then we construct a semi-group as follows: A = (A, ; , a 1 , . . . , a n ), where w; w ′ = R ww ′ for any two words w, w ′ (i.e. compositions a i1 ; a i2 ; · · · ; a i k with i 1 , . . . , i k ∈ {1, . . . , n}). Now the first conjunct of the reduction formula implies that A does not satisfy u ≈ v, and the second conjunct implies that A satisfies E. End of proof sketch.
Since PDL ¬ is a very useful logic for a large number of purposes, this undecidability result is rather disappointing. As has been argued in the introduction, it is thus a natural idea to search for decidable fragments of PDL ¬ that still extend PDL in a useful way. In the remainder of this paper, we will prove that PDL (¬) is such a fragment. Note that, in PDL (¬) , we can still define the universal modality as described above. Also note that we can use negated atomic programs nested inside other program operators. Anyway, it is no longer possible to encode the word problem in PDL (¬) since one can express equivalence of atomic programs, but not equivalence of compositions of atomic programs.

An automata-based variant of PDL (¬)
Similar to some related results in [VAR 86], our decidability proof is based on Büchi-automata on infinite trees. It has turned out that, for such proofs, it is rather convenient to use variants of PDL in which complex programs are described by means of automata on finite words, rather than by regular expressions. Therefore, in this section we define a corresponding variant APDL (¬) of PDL (¬) .
The function ∆ can be inductively extended to a function from Q × Σ * to 2 Q in a natural way: To obtain APDL (¬) from PDL (¬) , we replace complex programs (i.e. regular expressions) inside boxes and diamonds with automata. For the sake of exactness, we give the complete definition.
The sets AΠ (¬) of program automata and AΦ (¬) of APDL (¬) -formulas are defined by simultaneous induction, i.e., AΠ (¬) and AΦ (¬) are the smallest sets such that: Note that the alphabet of program automata is composed of atomic programs, of negated atomic programs, and of tests.
Truth, satisfiability, and validity are defined as in the PDL ¬ case.
Since every language defined by a regular expression can also be accepted by a finite automaton and vice versa [KLE 56], it is straightforward to verify that PDL (¬) and APDL (¬) have the same expressive power. Moreover, upper complexity bounds carry over from APDL (¬) to PDL (¬) since conversion of regular expressions to finite automata can be done with at most a polynomial blow-up in size. Note that the converse does not hold true: since there exist automata A accepting languages that can only be defined by regular expressions whose size is exponential in the size of A [EHR 74], there are APDL (¬) -formulas ϕ such that the length of all equivalent PDL (¬) -formulas is exponential in the length of ϕ.
It is interesting to note that, in many automata-based decision procedures for variants of PDL, a deterministic version of APDL is used, i.e. a variant of APDL in which there may be at most one successor for each world and each atomic program [VAR 86]. In a second step, satisfiability in the non-deterministic APDL-variant is then reduced to satisfiability in the deterministic one. We cannot take this approach here since we cannot w.l.o.g. assume that both atomic programs and their negations are deterministic. Indeed, this would correspond to limiting the size of Kripke structures to only two worlds.

Hintikka-trees
This section provides a core step toward using Büchi-tree automata for deciding the satisfiability of APDL (¬) -formulas. The intuition behind this approach is as follows: to decide the satisfiability of an APDL (¬) -formula ϕ, we translate it into a Büchi-tree automaton B ϕ such that the trees accepted by the automaton correspond in some way to models of the formula ϕ. To decide satisfiability of ϕ, it then remains to perform a simple emptiness-test on the automaton B ϕ : the accepted language will be non-empty if and only if ϕ has a model.
In the case of APDL (¬) , one obstacle to this approach is that APDL (¬) does not enjoy the tree model property (TMP), i.e., there are APDL (¬) -formulas that are satisfiable only in non-tree models. For example, for each n ∈ AE the following PDL (¬)formula enforces a cycle of length n: where, for 1 ≤ i ≤ n, ψ n i = p 1 ∧ · · · ∧ ¬p i ∧ · · · ∧ p n with p 1 , . . . , p n propositional variables. Note that the formula [¬a]¬ψ n 1 inside the diamonds simulates the window operator and in this way closes the cycle. Thus, we have to invest some work to obtain tree-shaped representations of (possibly non-tree) models that can then be accepted by Büchi-automata.
As a preliminary, we assume that all APDL (¬) -formulas are in negation normal form (NNF), i.e. that negation occurs only in front of propositional letters. This assumption can be made w.l.o.g. since each formula can be converted into an equivalent one in NNF by exhaustively eliminating double negation, applying DeMorgan's rules, and exploiting the duality between diamonds and boxes.
For the sake of brevity, we introduce the following notational conventions: -for each AP DL (¬) -formula ϕ,¬ϕ denotes the NNF of ¬ϕ; -for each program literal π, π denotes ¬π if π is an atomic program, and a if π = ¬a for some atomic program a; -for each program automaton α, we use Q α , Σ α , q α , ∆ α , and F α to denote the components of α = (Q, Σ, q 0 , ∆, F ); -for each program automaton α and state q ∈ Q α , we use α q to denote the automaton (Q α , Σ α , q, ∆ α , F α ), i.e. the automaton obtained from α by using q as the new initial state.
Before we can develop the tree-shaped abstraction of models, we need to fix a closure, i.e. a set of formulas cl(ϕ) relevant for deciding the satisfiability of an input formula ϕ. This is done analogous to [FIS 79, VAR 86]. In the following, when we talk of a subformula ψ of a formula ϕ, we mean that ψ can be obtained from ϕ by decomposing only formula operators, but not program operators. For example, a is a subformula of b? a, while b is not.
DEFINITION 6 (CLOSURE). -Let ϕ be a APDL (¬) -formula. The set cl(ϕ) is the smallest set which is closed under the following conditions: It is standard to verify that the cardinality of cl(ϕ) is polynomial in the length of ϕ; see e.g. [HAR 00]. We generally assume the diamond formulas (i.e. formulas of the form α ψ) in cl(ϕ) to be linearly ordered and use ǫ i to denote the i-th diamond formula in cl(ϕ), with ǫ 1 being the first one. Note that a changed initial state of an automaton results in a different diamond formula.
To define Hintikka-trees, the tree-shaped abstraction of models underlying our decision procedure, we proceed in three steps. First, we introduce Hintikka-sets that will be used as (parts of) node labels. Intuitively, each node in the tree describes a world of the corresponding model, and its label contains the formulas from the closure of the input formula ϕ that are true in this world. Second, we introduce a matching relation that describes the possible "neighborhoods" that we may find in Hintikka-trees, where a neighborhood consists of a labeled node and its labeled successors. And third, we use these ingredients to define Hintikka-trees.
The set of all Hintikka-sets for ϕ is designated by H ϕ .
The conditions (H1) to (H3) are standard, with one exception: (H3) is stronger than usual since it enforces maximality of Hintikka-sets by stating that, for each formula ψ ∈ cl(ϕ), either ψ or¬ψ must be in the Hintikka-set. This will be used later on to deal with negated programs. The last two conditions (H4) and (H5) deal with the "local" impact of box formulas.
Next, we define the matching relation. The purpose of this relation can be understood as follows: in the Hintikka-tree, each node has exactly one successor for every diamond formula in cl(ϕ). The matching relation helps to ensure that all diamond formulas in a node's label can be satisfied "via" the corresponding successor in the Hintikka-tree, and that none of the box formulas is violated via any successors. We talk of "via" here since going to an immediate successor corresponds to travelling along a single program literal. Since programs in APDL (¬) are automata that may only accept words of length greater one, in general we cannot satisfy diamonds by going only to the immediate successor, but rather we must perform a sequence of such moves.
Before we define the matching relation formally, let us fix the structure of node labels of Hintikka-trees. For reasons that will be discussed below, node labels not only contain a Hintikka-set, but also two additional components. More precisely, if ϕ is an APDL (¬) -formula and cl(ϕ) contains k diamond formulas, then we use -Π (¬) ϕ to denote the set of all program literals occurring in ϕ; and -Λ ϕ to abbreviate H ϕ ×(Π (¬) ϕ ∪{⊥})×{0, . . . , k}, i.e. the set of triples containing a Hintikka-set for ϕ, a program literal of ϕ or ⊥, and a number at most k.
The elements of Λ ϕ will be used as node labels in Hintikka-trees. Intuitively, the first component lists the formulas that are true at a node, the second component fixes the program literal with which the node can be reached from its predecessor (or ⊥ if this information is not important), and the third component will help to ensure that diamond formulas are eventually satisfied when moving through the tree. For a triple λ ∈ Λ ϕ , we refer to the first, second and third triple component with λ 1 , λ 2 , and λ 3 , respectively. For the following definition, recall that we use ǫ i to denote the i-th diamond in cl(ϕ).
DEFINITION 8 (MATCHING). -Let ϕ be a formula and k the number of diamond formulas in cl(ϕ). A k + 1-tuple of Λ ϕ -triples (λ, λ 1 , . . . , λ k ) is matching if, for 1 ≤ i ≤ k and all automata α ∈ AΠ (¬) , the following holds: (M1) if ǫ i = α ψ ∈ λ 1 , then there is a word w = ψ 1 ? · · · ψ n ? ∈ Σ * α , n ≥ 0, and a state q 1 ∈ Q α such that {ψ 1 , . . . , ψ n } ⊆ λ 1 , q 1 ∈ ∆ α (q α , w), and one of the following holds: (a) q 1 is a final state, ψ ∈ λ 1 , λ 2 i = ⊥, and λ 3 i = 0 (b) there is a program literal π ∈ Σ α and a state q 2 ∈ Q α such that As already noted, the purpose of the matching relation is to describe the possible neighborhoods in Hintikka-trees. To this end, think of λ as the label of a node, and of λ 1 , . . . , λ k as the labels of its successors. The purpose of Conditions (M1) and (M2) is to ensure that diamonds are satisfied and that boxes are not violated, respectively. Let us consider only (M1). If a diamond ǫ i = α ψ is in the first component of λ, it can either be satisfied in the node labeled with λ itself (Condition (a)) or we can "delay" its satisfaction to the i-th successor node that is reserved specifically for this purpose (Condition (b)). In Case (a), it is not important over which program literal we can reach the i-th successor, and thus the second component of λ i can be set to ⊥. In the second case, we must choose a suitable program literal π and a suitable state q of α, make sure that the i-th successor is reachable over π via its second λ i -component, and guarantee that the first component of λ i contains the diamond under consideration with the automata α "advanced" to initial state q.
The remaining building block for ensuring that diamonds are satisfied is to enforce that the satisfaction of diamonds is not delayed forever. This is one of the two core parts of the definition of Hintikka-trees, the other being the proper treatment of negation. Before we can discuss the prevention of infinitely delayed diamonds in some more detail, we have to introduce some basic notions.
Let M be a set and k ∈ AE. An (infinite) k-ary M -tree T is a mapping T : is used (now and in the following) as an abbreviation for the set {1, . . . , k}. Intuitively, the node αi is the i-th child of α. We use ε to denote the empty word (corresponding to the root of the tree). An infinite path in a k-ary M -tree is an infinite word γ over the alphabet [k]. We use γ[n], n ≥ 0, to denote the prefix of γ up to the n-th element of the sequence (with γ[0] yielding the empty sequence). Now back to the prevention of infinitely delayed diamonds. Given a formula ϕ with k diamond formulas in cl(ϕ), a Hintikka-tree will be defined as a k-ary Λ ϕ -tree in which every neighborhood is matching and some additional conditions are satisfied. To detect infinite delays of diamonds in such trees, it does not suffice to simply look for infinite sequences of nodes that all contain the same diamond: firstly, diamonds are evolving while being "pushed" through the tree since their initial state might be changed. Secondly, such a sequence does not necessarily correspond to an infinite delay of diamond satisfaction: it could as well be the case that the diamond is satisfied an infinite number of times, but always immediately "regenerated" by some other formula. Also note that we cannot use the standard technique from [VAR 86] since it only works for deterministic variants of PDL.
Precisely for this purpose, the easy detection of infinitely delayed diamonds, we have introduced the third component of node labels in Hintikka-trees: if a diamond was pushed to the current node x from its predecessor, then by (M1) the third component of x's label contains the number of the pushed diamond. Moreover, if the pushed diamond is not satisfied in x, we again use the third component of x: it contains the number of the successor of x to which the diamond's satisfaction is (further) delayed. If no diamond was pushed to x, its third component is simply zero. Thus, the following definition captures our intuitive notion of infinitely delayed diamonds.
We have now gathered all ingredients to define Hintikka-trees formally.
DEFINITION 10 (HINTIKKA-TREE). -Let ϕ be an APDL (¬) -formula with k diamond formulas in cl(ϕ). A k-ary Λ ϕ -tree T is a Hintikka-tree for ϕ if T satisfies, for all nodes x, y ∈ [k] * , the following conditions: Conditions (T1) to (T3) are easily understood. The purpose of Condition (T4) is to deal with negated atomic programs. In particular, for each atomic program a we have to ensure that any pair of nodes x, y of a Hintikka-tree T can be related by one of a and ¬a without violating any boxes. This is done by (T4) together with (H3)indeed, this is the reason for formulating (H3) stronger than usual. Intuitively, the treatment of negation can be understood as follows: suppose that [α]ψ ∈ T (x) 1 , let q ∈ ∆ α (q α , a) for some atomic program a, and let y be a node. By (H3), we have either [α q ]ψ ∈ T (y) 1 or¬[α q ]ψ ∈ T (y) 1 . In the first case, x and y can be related by a. In the second case, (T4) ensures that they can be related by ¬a. This technique is inspired by [LUT 01], but generalized to program automata. Note that the treatment of negated atomic programs in (T4) allows the representation of non-tree models as (Hintikka-)trees.
We now show that Hintikka-trees are indeed proper abstractions of models. In order to do this, we need two new notions. First, we use Σ ϕ to denote the smallest set containing (i) all program literals occurring in ϕ (i.e. Π (¬) ϕ ) and (ii) all tests ψ? occurring in ϕ. Second, let M be a Kripke structure and u a world of M. Then a word w = w 1 · · · w m ∈ Σ * is said to accomplish a diamond formula α ϕ at u if w ∈ L(α), and there are worlds u 0 , . . . , u m of M such that u = u 0 R(w 1 )u 1 R(w 2 ) · · · u m−1 R(w m )u m and M, u m |= ϕ.
PROOF 12. -Let ϕ be an AP DL (¬) -formula and k the number of diamond formulas in cl(ϕ).
To show that T ϕ is indeed a Hintikka-tree for ϕ, we first prove the following claim which will be helpful in showing that our Hintikka-tree does not contain starving diamonds.
Since the first triple components of the node labels in tree T ϕ are Hintikka-sets, T ϕ is a k-ary Λ ϕ -tree. It remains to show that T ϕ additionally satisfies the conditions for Hintikka-trees (T1) to (T4). Let x, y ∈ [k] * be nodes.
Now we can define the accessibility relation for a: R(a) := R 3 (a) ∪ R 2 (a); -The valuation function V (p) for propositional variables p is defined as To show that M is a model of ϕ, we prove two claims. The first is concerned with the relational structure: Claim 1. For each program literal π ∈ Π (¬) ϕ , node x ∈ [k] * , and i ∈ [k], we have that T (xi) 2 = π implies (x, xi) ∈ R(π).
ψ = [α]θ. By the semantics, it needs to be shown that, for any world y ∈ W , (x, y) ∈ R(α) implies M, y |= θ. Thus suppose (x, y) ∈ R(α) for some y ∈ W , i.e., there is a word w = w 1 · · · w m ∈ L(α), m ≥ 0, and worlds x 0 , . . . , x m ∈ W with x = x 0 R(w 1 )x 1 R(w 2 ) · · · x m−1 R(w m )x m = y. Fix an accepting run q 0 · · · q m ∈ Q * α of the program automaton α on w. In the following, it is shown that [α qi ]θ ∈ T (x i ) 1 for i ≤ m. We proceed by induction on i. The induction start is immediate. For the step, assume that [α qi ]θ ∈ T (x i ) 1 has already been shown. We distinguish the following cases: it follows by the semantics that x i = x i+1 , and M, x i |= δ. Suppose by contradiction that¬δ ∈ T (x i ) 1 . The induction hypothesis yields M, x i |=¬δ, a contradiction to M, x i |= δ. Thus¬δ / ∈ T (x i ) 1 , and by (H5) we obtain It thus holds that [α qm ]θ ∈ T (x) 1 . Since q m ∈ F α , by Condition (H4) it follows that θ ∈ T (x) 1 as required.
This finishes the proof of Claim 2. By Condition (T1), we have ϕ ∈ T (ε) 1 . Thus, it follows directly from Claim 2 that M is a model of ϕ. s

Büchi automata for Hintikka-trees
In this section, we show that it is possible to construct, for every APDL (¬) -formula ϕ, a Büchi tree automaton B ϕ that accepts exactly the Hintikka-trees for ϕ. By Proposition 11, since the size of B ϕ is at most exponential in the length of ϕ, and since the emptiness of Büchi-tree automata can be verified in quadratic time [VAR 86], this yields an EXPTIME decision procedure for the satisfiability of APDL (¬) -formulas. We start with introducing Büchi tree automata. We now give the translation of APDL (¬) -formulas ϕ into Büchi-automata B ϕ . To simplify the notation, we write We first introduce our automata formally and then explain the intuition.
Condition (T3) is enforced with the help of the third component of states, which may take the values "⊘" and "↑". Intuitively, the fourth point in the definition of ∆ ensures that, whenever the satisfaction of a diamond is delayed in a node x and r is a run, then r assigns states with third component ↑ to all nodes on the path that "tracks" the diamond delay. Note that, for this purpose, the definition of ∆ refers to the third component of Λ ϕ -tuples, which is "controlled" by (M1) in the appropriate way. All nodes that do not appear on delayed diamond paths are labeled with ⊘. Then, the set of accepting states ensures that there is no path that, from some point on, is constantly labeled with ↑. Thus, we enforce that no diamonds are delayed infinitely in trees accepted by our automata, i.e. no starvation occurs.
There is one special case that should be mentioned. Assume that a node x contains a diamond ǫ i = α ψ that is not satisfied "within this node" (Case (a) of (M1) does not apply). Then there is a potential starvation path for ǫ i that starts at x and goes through the node xi: (M1) "advances" the automaton α to α q , and ensures that ǫ j = α q ψ ∈ T (xi) 1 and that T (xi) 3 = j. Now suppose that T (xi) 1 contains another diamond ǫ k = β θ with ǫ j = ǫ k . If ǫ k is not satisfied within xi, there is a potential starvation path for ǫ k starting at xi and going through xik. Since the starvation path for ǫ i and the starvation path for ǫ k are for different diamonds, we must be careful to separate them-failure in doing this would result in some starvation-free Hintikkatrees to be rejected. Thus, the definition of ∆ ensures that runs label xik with ⊘, and the constant ↑-labeling of the starvation path for ǫ k is delayed by one node: it starts only at the successor of xik on the starvation path for ǫ k . Now for Condition (T4). In contrast to Conditions (T1) and (T2), this condition has a global flavor in the sense that it does not only concern a node and its successors. Thus, we need to employ a special technique to enforce that (T4) is satisfied: we use the second component of states as a "bookkeeping component" that allows to propagate global information. More precisely, Point (1) of the definition of Q and Point (1) of the definition of ∆ ensure that, whenever two boxes appear in a Hintikkaset labeling a node x in a Hintikka-tree T , then this joint occurrence is recorded in the second component of the state that any run assigns to x. Via the definition of the transition relation (second point), we further ensure that all states appearing in a run share the same second component. Thus, we may use Point (2) of the definition of Q and Point (1) of the definition of ∆ to ensure that any node y satisfies the property stated by Condition (T4).
The following proposition shows that the Büchi tree automaton B ϕ indeed accepts precisely the Hintikka-trees for APDL (¬) -formula ϕ.
PROOF 16. -Let ϕ be a APDL (¬) -formula and k the number of diamond formulas in cl(ϕ).
"⇒". Suppose T is a Hintikka-tree for ϕ. In the following, we show that T ∈ L(B ϕ ), i.e. that there is an accepting run of the Büchi automaton B ϕ on T . Set Inductively define a Λ ϕ × {P 2 (T )} × {⊘, ↑}-tree r as follows: -set r(ε) := (T (ε), P 2 (T ), ⊘); -let x ∈ [k] * such that r(x) = (T (x), P 2 (T ), d x ) is already defined, and let i ∈ [k]. Set r(xi) := (T (xi), P 2 (T ), d xi ) where We claim that the tree r is an accepting run of B ϕ on T . We start with showing that r is a Q-tree. To this end, let x ∈ [k] * be a node. We have to show that r(x) ∈ Q. Since T is a Hintikka-tree for ϕ, we have T (x) ∈ Λ ϕ . Moreover P 2 (T ) ⊆ P 2 (ϕ), and thus We still have to show that r(x) satisfies Properties (1) and (2) of the definition of Q.
It remains to show that the run r is accepting. Suppose that it is not, i.e. that there is a path γ = γ 1 γ 2 · · · ∈ [k] ω such that inf r (γ) ∩ F = ∅. By definition of F , the set inf r (γ) contains only states q with third component ↑. Consequently, there is a position p in the sequence γ such that, for all m ≥ p, the third component of r(γ[m]) is ↑. Let p be the minimal such position. By definition of r(ε), we know that p > 0. Minimality of p thus yields that the third component of r(γ[p − 1]) is ⊘. Together with the fact that the third component of r(γ[p]) is ↑ and by definition of r (the third component), this implies that the diamond formula ǫ ℓ with ℓ = γ p is in T (γ[p − 1]) 1 . We show that the diamond ǫ ℓ is starving in γ[p − 1], in this way obtaining a contradiction to the fact that T is a Hintikka-tree satisfying (T3).
To show that ǫ ℓ is starving in γ[p − 1], we show that the path γ p γ p+1 · · · satisfies Properties 1 and 2 from Definition 9: -ℓ = γ p . Satisfied by choice of ℓ. "⇐". Suppose T ∈ L(B ϕ ), i.e., there is an accepting run r of B ϕ on T . We show that T is a Hintikka-tree for ϕ. Since B ϕ is a Büchi-automaton on k-ary Λ ϕ -trees, T is a k-ary Λ ϕ -tree. Let x, y ∈ [k] * be a nodes in T such that r(x) = (T x , P x , d ′ x ) and r(y) = (T y , P y , d ′ y ). In the following, we check that T fulfills the conditions for Hintikka-trees (T1) to (T4).
(T3) Assume, to the contrary of what is to be shown, that there is a diamond formula ǫ ℓ ∈ T (x) 1 that is starving in x. Then there exists a path γ = γ 1 γ 2 · · · ∈ [k] ω satisfying Conditions 1 and 2 from Definition 9. We show that the third component of r(xγ[i]) is ↑ for all i ≥ 2. Thus, there are no states in inf r (xγ) whose third component is ⊘. By definition of F , this is a contradiction to the fact that r is an accepting run.
Hence, let us show that the third component of r(xγ[i]) is ↑ for all i ≥ 2. This is done by induction on i.
s Putting together Propositions 11 and 15, it is now easy to establish decidability and EXPTIME-complexity of APDL (¬) and thus also of PDL (¬) .
PROOF 18. -From Propositions 11 and 15, it follows that an APDL (¬) -formula ϕ is satisfiable if and only if L(B ϕ ) = ∅. The emptiness problem for Büchi automata is decidable in time quadratic in the size of the automaton [VAR 86]. To show that APDL (¬) -formula satisfiability is in EXPTIME, it thus remains to show that the size of B ϕ = (Q, Λ ϕ , I, ∆, F ) is at most exponential in ϕ.
Let n be the length of ϕ. Since the cardinality of cl(ϕ) is polynomial in n, the cardinality of H ϕ (the set of Hintikka-sets for ϕ) is at most exponential in n. Thus, it is readily checked that the same holds for Λ Φ and Q. The exponential upper bound on the cardinalities of I and F is trivial. It remains to determine the size of ∆: since the size of Q is exponential in n and the out-degree of trees accepted by automata is polynomial in n, we obtain an exponential bound.
Thus, APDL (¬) -formula satisfiability and hence also PDL (¬) -formula satisfiability are in EXPTIME. For the lower bound, it suffices to recall that PDL-formula satisfiability is already EXPTIME-hard [FIS 79]. s

Conclusion
This paper introduces the propositional dynamic logic PDL (¬) , which extends standard PDL with negation of atomic programs. We were able to show that this logic extends PDL in an interesting and useful way, yet retaining its appealing computational properties. There are some natural directions for future work. For instance, it should be simple to further extend PDL (¬) with the converse operator without destroying the EXPTIME upper bound. It would be more interesting, however, to investigate the interplay between (full) negation and PDL's program operators in some more detail. For example, to the best our our knowledge it is unknown whether the fragment of PDL ¬ that has only the program operators "¬" and ";" is decidable.