On the model checking of finite state transducers over semigroups

. Sequential reactive systems represent programs that interact with the environment by receiving signals or requests and react to these requests by performing operations with data. Such systems simulate various software like computer drivers, real-time systems, control procedures, online protocols etc. In this paper, we study the verification problem for the programs of this kind. We use finite state transducers over semigroups as formal models of reactive systems. We introduce a new specification language LP-CTL* to describe the behavior of transducers. This language is based on the well-known temporal logic CTL* and has two distinguished features: 1) each temporal operator is parameterized with a regular expression over input alphabet of the transducer, and 2) each atomic proposition is specified by a regular expression over the output alphabet of the transducer. We develop a tabular algorithm for model checking of finite state transducers over semigroups against LP-CTL* formulae, prove its correctness, and estimate its complexity. We also consider a special fragment of LP-CTL* language, where temporal operators are parameterized with regular expressions over one-letter alphabet, and show that this fragment may be used to specify usual Kripke structures, while it is more expressive than usual CTL*.


Introduction
Finite state machines are widely used in the field of computer science and formal methods for various purposes. While finite automata represent regular sets, transducers stand for regular (or, rational) relations and, therefore, can serve as models of programs and algorithms that operate with input and output data. For  A network switch with several input and output ports. A switch is a device, which receives data packets on its input port, modifies their heads and commutes them to one of the output ports. Once received a special control signal, this switch changes its packet-forwarding table and, thus, its behaviour.
Since packets from different flows may be processed in any order, the switch can be modeled by a transducer, which operates over a free partially commutative semigroup, or a trace monoid. Trace monoids are commonly used as an algebraic foundation of concurrent computations and process calculi (see, e.g., [9]).
 A real-time device that control the operation of some industrial equipment (say, a boiling system). Such device receives data from temperature and pressure sensors and switches some processes on and off according to its instructions and the current state of the system. It seems reasonable that for some actions the order of their implementation is not important (routine actions), while others must follow in a strictly specified order (e.g. an execution of some complex operation). Moreover, there are also actions which bring system to certain predefined operation mode (set-up actions). These actions are implemented in the emergency situations. A partially commutative semigroup with right-zero elements which satisfy the equalities = for every element provides an adequate interpretation for such operations.
 A system supervisor that maintains a log-file. For each entry its date and time is recorded in the file and there is no way to delete entries from the log  only to append it. Thus, for any two basic actions (record operations to the log-file) it is crucial in which order they are performed and such a supervisor can be modeled by a transducer over a free semigroup. Verification techniques for such reactive systems are considered in [17]; this is the main topic of this paper as well.
 A radio-controlled robot, that moves on a surface. It can make one step moves in any of direction. When it receives a control signal in a state ′ it must choose and carry out a sequence of steps and enter to the next state ′′. At some distinguished state the robot reports its current location. Movements of the robot may be regarded as basic actions, and the simplest model of computation which is suitable for analyzing a behaviour of this robot is a nondeterministic finite state transducer operating on a free Abelian group of rank 2. To construct a reliable system or network it is crucial for its components to have a correct behaviour. For example, a network switch must process received data packets within a specified number of execution steps and the boiling system should never be overheated, that is, will never remain for a long time in a particular condition without appropriate responses from the control device. By using finite state transducers as formal models of reactive systems, one can develop verification algorithms for these models to solve such problems as equivalence checking, deductive verification or model checking. The study of the equivalence checking problem for classical transducers began in the early 60s. It was established that the equivalence checking problem for nondeterministic transducers is undecidable [13] even over 1-letter input alphabet [16]. However, the undecidability displays itself only in the case of unbounded transductions when an input word may have arbitrary many images. The equivalence checking problem was shown to be decidable for deterministic [4], functional (single-valued) [5,19], and k-valued transducers [6,26]. In a series of papers [20][21][22] techniques for checking bounded valuedness, k-valuedness and equivalence of finite state transducers over words were developed. Recently in [29] equivalence checking problem was shown to be decidable for finite state transducers that operate over finitely generated semigroups embeddable in decidable groups. There are also papers where equivalence checking problem for transducers is studiedin the framework of program verification. The authors of [23] proposed models of communication protocols as finite state transducers operating on bit strings. They set up the verification problem as equivalence checking between the protocol transducer and the specification transducer. The authors of [25] extended finite state transducers with symbolic alphabets, which are represented as parametric theories. They showed that a number of classical problems for extended transducers, including equivalence checking problem, are decidable modulo underlying theories. In [1] a model of streaming transducers was proposed for programs that access and modify sequences of data items in a single pass. It was shown that a number of verification problems such as equivalence checking, assertion checking, and checking correctness with respect to pre/post conditions, are decidable for this program model. Meanwhile, very few papers on the model checking problem for transducers are known. Transducers can be conveniently used as auxiliary means in regular model checking of parameterized distributed systems where configurations are represented as words over a finite alphabet. In such models, a transition relation on these configurations may be regarded as a rational relation and, thus, it may be specified by finite state transducers (see [7,28]). In these papers, finite state transducers just play the role of verification instrument, but not an object of verification. However, as far as we know, a deeper investigation of the model checking problem for the reactive systems represented by transducers has not yet been carried out. We think that this is due the following main reason. A transducer is a model of computation which, given an input word, computes an output word. The letters of input and output alphabets can be regarded as valuations (tuples of truth values) of some set of basic predicates. Therefore, a transducer can be viewed as some special representation of a labeled transition system (Kripke structure) (see [2]). From this viewpoint model checking problem for finite state transducers conforms well to standard model checking scheme for finite structures, and, hence, it is not worthy of any particular treatment. However, our viewpoint is quite different. Transducer is a more complex model of computation than a finite state automaton (transition systems). Its behaviorism characterized by the correspondence between input and output words. A typical property of such behaviour to be checked is whether for every (some) input word from a given pattern a transducer outputs a word from another given pattern. Therefore, when formally expressing the requirements of this kind one needs not only temporal operators to specify an order in which events occur but also some means to refer to such patterns. Conventional Temporal Logics like or are not sufficient in this case; they should be modified in such a way as to acquire an ability to express correspondences between the sets (languages) of input words and the sets (languages) of output words. This could be achieved by supplying temporal operators with patterns as parameters. Every such pattern is a formal description of a language over an input alphabet ; automata, formal grammars, regular expressions, language equations are suitable for this purpose. The basic properties of output words can be also represented by languages over an output alphabet. Then, for instance, an expression can be understood as the requirement that for every input word from the language the output word ℎ of a transducer belongs to the language . The advantages of this approach are twofold. On the one hand, such extensions of Temporal Logics make it possible to express explicitly relationships between input and output words and specify thus desirable behaviours of transducers. On the other hand, it can be hoped that such extensions could rather easily assimilate some wellknown model checking techniques (see [3,8]) developed for conventional Temporal Logics. The first attempt to implement this approach was made in [17]. The authors of this paper introduced an -specification language based on temporal logic and developed a checking procedure for transducers over free monoids against specifications from -. It was shown that this procedure has double exponential time complexity.
In this paper we continue this line of research and "raise'' the specification language introduced in [17] to the level of - * . We will focus only on one task related to the use of new logic for the verification of reactive systems, namely, the development of a general model checking algorithm for finite state transducers against specifications in - * . Such issues as expressive power of - * , complexity of model checking and satisfiability checking problems, the influence of types of languages used as parameters and basic predicates in - * on decidability and complexity of model checking problem remain topic of our further research and will be covered in our subsequent works. We also leave beyond this work a number of applied questions, which are worthy of consideration in a separate paper. For example, it is important to understand to what extent the already developed model checking tools can be adapted to the new temporal logic. And, of course, in the future we will have a well-chosen series of examples that illustrate the new possibilities of using - * to describe the behavior of reactive systems.
The paper is organized as follows. In Section 2, we define the concept of finite state transducer over semigroup as a formal model of sequential reactive systems (see [29]) and in Section 3, we describe the syntax and the semantics of - * as a formal language for specifying behaviour of sequential reactive systems. In Section 3 we also set up formally model checking problem for finite state transducers against - * formulae. In Section 4, we present an - * model checking algorithm for the case when parameters of temporal operators and basic predicates are regular languages represented by finite state automata. The model checking algorithm we designed has time complexity which is linear of the size of a transducer but exponential of the size of - * formula. This complexity estimate is in contrast to the case of conventional model checking: its time complexity is linear of both the size of a model and the size of a formula. To explain this effect in Section 5 we show how - * formulae can be also checked on the conventional Kripke structures. Finally, we compare - * with some other known extensions Temporal Logics and discuss some topics for further research.

Finite state transducers as models of reactive systems
In this section, we introduce a Finite State Transducer as a formal model of a reactive computing system which receives control signals from the environment and reacts to these signals by performing operations with data. Let be a finite set of signals. Finite words over are called signal flows; the set of all signal flows is denoted by * . Given a pair of signal flows and we write for their concatenation, and denote by the empty flow. Let = { 1 , … , } be a finite set of elements called basic actions; these actions stand for the elementary operations performed by a reactive system. Finite words over are called compound actions; they denote sequential compositions of basic actions. Since different sequences of basic actions could produce the same result, one may interpret compound actions over a semigroup ( , , ∘) generated by a set of basic actions . The elements of are called data states. Every compound action ℎ = 1 2 … is evaluated by the data state For example, if a reactive system just keeps a track of input requests by adding certain records to a log-file then a free semigroup will be suitable for interpretation of these operations. But when a robot moves on a 2-dimensional surface then the actions (movements) performed by this robot may be regarded as generating elements of Abelian group of rank 2, and the positions on the surface occupied by this robot can be specified by the elements from . In this paper we restrict ourselves to the consideration of free semigroups when [ℎ] = ℎ holds for every compound action ℎ, and ∘ is the word concatenation operation. Let be a set of signals and be a set of basic actions that are interpreted over a semigroup ( , ,∘). Then a Finite State Transducer (in what follows, FST) is a quintuple Π = ( , , , , ), where  is a finite set of control states;  ∈ is an initial control state;  ⊆ × × × * is a finite transition relation. Each tuple ( ′, , ′′, ℎ) in is called a transition: when a transducer is in a control state ′ and receives a signal , it changes its state to ′′ and performs a compound action ℎ. We denote such transition by ′ ,ℎ → ′′. A run of a FST Π is any finite sequence of transitions holds.

- * specification language
When designing sequential reactive systems one should be provided with a suitable formalism to specify the requirements for their desirable behaviour. For example, one may expect that  a mobile robot, receiving an equal number of control signals "go_left'' and "go_right'', will always return to its original position,  a network switch will never commute data packets from different packet flows into the same output buffer,  it is not possible for the interrupt service routine to complete the processing of one interrupt before it receives a request to handle another. These and many other requirements which refer to the correspondences between control flows and compound actions in the course of FST runs can be specified by means of Temporal Logics. When choosing a suitable temporal logic as a formal specification language of FST behaviours one should take into account two principal features of our model of sequential reactive systems:  since a FST operates over a data space which is semigroup, the basic predicates must be interpreted over semigroups as well, and  since a behaviour of a FST depends not on the time flow itself but on a signal flow which it receives as an input, temporal operators must be parameterized by certain descriptions of admissible signal flows. To adapt traditional temporal logic formalism to these specific features of FST behaviours the authors of [17] introduced a new variant of Linear Temporal Logic (LTL). We assume that in general case one may be interested in checking the correctness of FST's responses to arbitrary set of signal flows. Every set of control flows may be regarded as a language over the alphabet of signals. Therefore, it is reasonable to supply temporal operators ("globally'' , "eventually'' , etc.) with certain descriptions of such languages as parameters. In more specific cases we may confine ourselves with considering only a certain family of languages (finite, regular, context-free, etc.) ℒ used as parameters of temporal operators. These languages will be called environment behaviour patterns. A reactive system performs finite sequences of basic actions in response to control signals from the environment and thus follows in the course of its run via a sequence of data states, which are elements of a semigroup ( , , ∘), Therefore, basic predicates used in LTL formulae may be viewed as some sets of data states ′ , ′ ⊆ . These sets can be also specified in language-theoretic fashion.
Any language over the alphabet of basic actions corresponds to a predicate (set of data states) = {[ℎ] | ℎ ∈ }. As in the case of environment behaviour patterns we may distinguish a certain class of languages and use them as specifications of basic predicates. When these languages are used as parameters in temporal formulae then it will be assumed that they are defined constructively by means of automata, grammars, Turing machines, etc.
Thus, we arrive at the concept of -variants of Temporal Logics. In [17] the syntax and semantics of -was studied in some details in the case when both environment behaviour patterns and basic predicates are regular languages presented by finite automata. In this paper we make one step further and extend the concept of -variants of Temporal Logics to * . Select an arbitrary family of environment behaviour patterns ℒ and a family of basic predicates . The set of - * formulae consists of state formulae and trajectory formulae, which are defined as follows:  each basic predicate ∈ is a state formula;  if 1 , 2 are state formulae then ¬ 1 , 1 ∧ 2 and 1 ∨ 2 are state formulae;  if is a trajectory formula then and are state formulae;  if is a state formula then is a trajectory formula;  if 1 , 2 are trajectory formulae then ¬ 1 , 1 ∧ 2 and 1 ∨ 2 are trajectory formulae;  if , 1 , 2 are state formulae, ∈ , and ∈ ℒ then , , , and 1 2 are trajectory formulae. The specification language - * is the set of all state formulae constructed as defined above. Now we introduce the semantics of - * formulae. These formulae are interpreted over transition systems. Let = (Π, ) be a transition system, be a state of computation in this system, and be a trajectory in . Then for every state formula we write , ⊨ to denote the fact that the assertion is true in the state of , and for every trajectory formula we write , ⊨ to denote the fact that the assertion holds for the trajectory in . In the definition below it is assumed that is a transition system, = ( , ) is a state of computation in , and = ( 0 , ) is a trajectory in such that = ( 1 , 1 ), ( 2 , 2 ), … , ( , ), …. We define the satisfiability relation ⊨ by induction on the height of formulae: As usual, other Boolean connectives like ∨, →, ≡ may be defined by means of ¬ and ∧. Some other * operators like, for example, R (release) or (weak until) may be parametrized by environmental behaviour patterns in the same fashion. The model checking problem we deal with is that of checking, given a finite state transducer Π operating over a semigroup ( , , ∘), and an - * formula , whether (Π, ), ⊨ holds. When a semigroup is fixed then we use a brief notation Π ⊨ .

Model checking against - * specifications
In this paper, we discuss only the most simple case of model checking problem for finite state transducers against - * formulae when  the semigroup ( , ∘, ) the transducers operate over is a free monoid, which means that is the set of all finite words in the alphabet , the binary operation ∘ is concatenation of words, and the neutral element is the empty word ;  the family of environment behaviour patterns ℒ is the family of regular languages in the alphabet ;  all basic predicates in are specified by regular languages in the alphabet . All regular languages used as environment behaviour patterns and basic predicate specifications are defined by means of deterministic finite state automata (DFAs). Therefore, the size of a - * formula is the number of Boolean connectives and temporal operators occurred in plus the total size of automata used in to specify environment behaviour patterns and basic predicates.
Let us first describe a model checking algorithm for -fragment of - * , which consists of all - * formulae such that every temporal operator , , , is immediately preceded by a trajectory quantifier or . In our algorithm, we involve an explicit iterative model checking techniques for the ordinary (see [8,10]). Following this approach satisfiability checking of a formula in a state of a model is reduced to satisfiability checking of the largest subformulae of in the state and in the neighboring states of . In other words, a model checking procedure incrementally labels all states of a model by those subformulae of which are satisfied in these states. Let = ( , , , , ) be a finite state transducer over the free semigroup ( * , ⋅ , ) and let be an -formula. There are five pairs of coupled temporal operators: and , and , and , and , and . As in the case of "ordinary" (see ), each of these couple can be expressed in terms of four main coupled operators , , and :

Proposition 2. For every formula the following equalities hold
Certainly, some other relationships like fixed-point identities are also valid in - * (see [17]) but they will not be involved in this paper. We can now bound our consideration with those -formulae which are constructed using only ¬, ∧, , , and . Let be a transition system ( , * ) = ( , , , ) of over * . It should be noticed that is, in general, infinite. Therefore, to obtain an effective model checking procedure we need a construction that will model the behaviour of w.r.t. a target formula . For every basic predicate ∈ let = ( , , , , ) be a minimal DFA recognizing this language. Here is a finite set of states, is an initial state, is a set of accepting states and ∶ × → is a transition function. The latter can be extended to the set * in the usual fashion: Thus, every metastate is a tuple ̂= ( 0 , 1 , … , ) such that 0 ∈ and ∈ for every , 1 ≤ ≤ , and the transition relation ̂ synchronizes transitions of and the automata 1 , … , in response to every signal . Recall that the elements of the free monoid are words from * . The checking machine ℳ induces a binary relation ∼ on the set : for an arbitrary pair ′ = ( ′, ′) and ″ = ( ″, ″) of states of computation of over * The relation ∼ is clearly an equivalence relation of finite index, and every equivalence class of states of computation in corresponds to a metastate of the checking machine . As it can be seen from the definition of ∼, if two states of computation ′ and ″ are equivalent and there is a trajectory ′ = ( ′, ′) in , where ′ = ( , ′ ), ( , ′ ), …, from one of these states, then there is also a corresponding trajectory ″ = ( ″, ″), where ″ = ( , ″ ), ( , ″ ), … from the other state, such that ′ ∼ ″ holds for every , ≥ . Actually, this means that ∼ is a bisimulation relation on the state space of the transition system . It is well known (see [3,8]) that bisimulation preserves the satisfiability of formulae. The Proposition below shows that the same is true for -. This means that the checking machine provides a finite contraction of the infinite transition system = ( , * ) w.r.t. satisfiability of -formulae. for all < if 1 2 … ∈ then , ′| ⊨ .
Not only the states of the transition system = ( , ) correspond to the metastates of the checking machine , but also there is a relationship between the trajectories in and the traces in (they can be quite naturally called metatrajectories). More formally, every trajectory = ( , ) in with = ( , )( , ) …, corresponds to a metatrajectory ̂= (̂,̂), where ̂= ( ,̂)( ,̂) … is such that for all ≥ : ∈^. It is easy to see that every metatrajectory ̂= (̂,̂) corresponds to the only trajectory = ( , ), which originates in a given state from ̂. The well-known labeling algorithm for conventional and ordinary Kripke structures can be now adapted in such a way as to cope with model checking problem for -. The algorithm operates as follows. For every metastate ̂∈̂ of the checking machine it computes a set (̂) of all subformulae of satisfied in ̂. More formally, let ( ) be the minimal set of -formulae such that: The algorithm builds incrementally the sets (̂) of all those ∈ ( ) for which ̂⊨ 0 holds. At the first step every (̂) contains only basic predicates, i. e.
(̂) ⊆ ( ) ∩ . Then, at the algorithm processes those subformulae whose nesting depth is − 1. Every time when the algorithm adds a subformula to (̂) it thus detects that ̂⊨ 0 . All we need now is to describe how the algorithm should process formulae of 7  We then delete all those nodes (^, ) of Γ (ℳ, ) for which the relations ∉ (̂), ∉ (̂) and ∈ hold simultaneously and discard all arcs incoming to or outcoming from such nodes. A DLG thus reduced is denoted by Γ ′ (ℳ, ).
 For a subformula we construct a DLG Γ (ℳ, ) in the same fashion and delete all the nodes (̂, ) for which the relations ∉ (̂) and ∈ hold simultaneously. As the result we obtain the reduced DLG Γ′_ (ℳ, ). The subformula is added to the set (̂) iff Γ ′ (ℳ, ) includes the node (̂, ) and there exists a directed path in this graph from this node to some nontrivial strongly connected component (SCC), that is, to a subgraph, every node of which is reachable from any other node by some non-empty path.
As soon as all the subformulae from ( ) (including the formula ) are processed we obtain the result of the model checking as The correctness of this assertion is based on the following relationship: ̂⊨ ⇔ ∈ (̂). It can be proved by applying induction on the nesting depth of formulae with the help of Proposition 3. We also need Propositions 4 and 5 to justify the induction step for formulae of the form [ ] and . Suppose, that for every metastate ̂∈̂ it is true that ̂ ⊨ ⇔ ∈ (̂) and ̂ ⊨ ⇔ ∈ (̂). This statement is used as an inductive hypothesis.

Proposition 5.
Let ̂∈̂ be an arbitrary metastate in . Then ̂⊨ iff some nontrivial strongly connected component is reachable from the node (̂, ) in DLG ′ ( , ) by a directed path.
The proofs of these Propositions are straightforward adaptations of the correctness proof of the tabular model checking algorithm for which is discussed in much details in [8]. However, for completeness of the exposition we give here a proof of Proposition 5. The proof of Proposition 4 follows the similar line of reasoning. ). Relying on Proposition 3 and taking into account the fact that = ( , … ) for every , ≥ , we may conclude that ̂⊨ holds for every such that ∈ . By induction hypothesis, ̂⊨ is equivalent to ∈ (̂). Therefore, by definition of DLG ( , ) the path is the infinite path which is entirely contained in the ′ ( , ). Due to the finiteness of ′ ( , ), this path may be represented as a concatenation = , where is a finite path, and is an infinite path passing through each of its nodes infinitely often. It is clear that the set ( ) of all nodes of is included in some strongly connected component. Thus, a nontrivial strongly connected component is reachable from the node (̂, ) in DLG ′ ( , ). this sequence is a metatrajectory ̂ in the checking machine ℳ,
By the induction hypothesis, the latter implies ̂⊨ 0 for every metastate ̂ in this trajectory such that 1 2 … ∈ . Consider an arbitrary state 0 ∈̂0 and a trajectory = ( 0 , ) in , where = ( 1 , 1 ), ( 2 , 2 ), …, which corresponds to ̂. By definition of ⊨ 0 and Proposition 3, , ⊨ holds for every such that 1 2 … ∈ . Then, according to the semantics of - * , , ⊨ , and, hence, , 0 ⊨ . Thus, by referring once again to definition of ⊨ 0 , we arrive at the conclusion that ̂0 ⊨ 0 . ∎ Now we estimate the complexity of the model checking algorithm for described above. By the size of a transducer = ( , , , , ) we will mean the sum ∥ ∥= | | + | |. The size of a formula is defined as follows. Suppose that basic predicates { } = occurred in are recognized by minimal DFAs Because of these considerations, we get the following Theorem 1. Model checking of a finite state transducer operating over a free monoid against a formula ∈ -can be performed in time (∥ ∥⋅ ∥ ∥ ).
When a more general case of model checking problem of FSTs against - * formulae is concerned we can rely on the well-known combining approach which is based on the interleaving application of model checking algorithms for and . The details can be found in [8]. The similar procedure for - * can be obtained in the same fashion by means of -model checking algorithm described above and -model checking algorithm developed in . Since this approach does not take into account any specific features of - * formulae, we will not give a complete description of it.

- * and ordinary Kripke structures
In this section, we consider the model checking problem for two subfamilies of - * whose semantics can be defined on ordinary Kripke structures.
Recall, that a Kripke structure over a finite set of atomic propositions is a quadruple = ( , , , ), where is a finite set of states which includes an initial state , ⊆ × is a transition relation and : → is a labeling function which for each state gives a matching set ( ) ⊆ of all atomic propositions that are evaluated to in this state. As usual, the size of is the sum ∥ ∥= | | + | |. Below we present two modifications of - * that are well suited for model checking of Kripke structures. Given a Kripke structure = ( , , , ), consider a set of - * formulae where is a family of regular languages over one-letter alphabet { } and = (we denote this formulae by -1- * ) and a transition system = ( , { }, , , ) where ( ′, , ″) ∈ iff ( ′, ″) ∈ . Then for ∈ the relation ⊨ holds iff ∈ ( ). The semantics of more complex formulae is defined exactly as in Section 3. Some -1- * formulae have an ability to keep track of the number of steps of the run. For example, an -1-formula , where = { } is a regular language which contains all 1-letter words of even length, expresses the assertion that holds at every even step of a run. By using the techniques of Ehrenfeucht-Fraisse games for Temporal Logics developed and studied in [11] one can prove that this property cannot be specified by means of usual . This certifies that -1- * is more expressive than * and justifies its use as a new specification language for finite state transducers and Kripke structures. Observe, that given a set of all atomic propositions used in formulae we can use the directly as a checking machine for the algorithm described in Section 4. Suppose that formula refers to 1-letter regular languages , , … , as the parameters of temporal operators, and every language , ≤ ≤ , is recognized by a DFA with a set of states . Then the size of the graphs used in this algorithm does not exceed the value ∥ ∥⋅ Then consider a specification language -- * which is a set of all such formulae where ℒ is a family of regular languages over and = AP. To model check a transition system against these formulae one needs to process only the states in and only the fair transitions. To do so, we replace all state formulae of type with ( ¬ ⟶ ) and all state formulae of type with ( ¬ ∧ ). The transition system thus obtained may as well be used as a checking machine for the model checking algorithm described in Section 4. Thereby, the following theorem holds. Theorem 2.
As it can be seen from this theorem, the exponential complexity of model checking procedure described in Section 4 is due to the language-theoretic nature of basic predicates used in - * .

Related papers and conclusion
Actually, the idea of providing parameterization of temporal operators is not new. In [27] right-linear grammar patterns were offered to define new temporal operators. The same kind of temporal patterns but specified by means of finite state automata were introduced in [18,24]. For these extensions it was proved that they have the same expressiveness as S S and that satisfiability checking problem in these logics is PSPACE-complete. We did not pursue a goal of merely expanding the expressive possibilities of * ; our aim was to make * more adequate for describing the behaviour of reactive systems. Almost the same kind of parametrization is used in Dynamic LTL. However, our extension of * differs from that which was developed in [14], since in our logic basic predicates are also parameterized. The - * formulae allows one to specify and verify the behaviour of finite state transducers that operate over semigroups as well as classical Kripke structures. Moreover, when Kripke structures are concerned - * has more expressive power than conventional temporal logics. But the place of - * in the expressive hierarchy of specification languages, such as S1S, PDL or -calculus, has not yet been established and remains a matter for our further research. The results of this paper combined with the results of [17] provide positive solution to model checking for transducers over free semigroups. Free semigroups is the most simple algebraic structure which can be used for interpretation of basic actions performed by transducers when they are regarded as formal models of sequential reactive systems. Next, we are going to find out whether model checking algorithms could be built for transducers operating over more specific semigroups. Some preliminary results showed that this is not an easy problem. In [12] we proved that it is undecidable for the case of Abelian groups and free commutative semigroups.