First-Order Transition Systems

Abstract. First-order transition systems are a convenient formalism to specify parametric systems such as multi-agent workflows or distributed algorithms. In general, any nontrivial question about such systems is undecidable. Here, we present three subclasses of first-order transition systems where every universal invariant can effectively be decided via fixpoint iteration. These subclasses are defined in terms of syntactical restrictions: negation, stratification and guardedness. While guardedness represents a particular pattern of how input predicates control existential quantifiers, stratification limits the information flow between predicates. Guardedness implies that the weakest precondition of every universal invariant is again universal, while the remaining sufficient criteria enforce that either the number of first-order variables or the number of required instances of input predicates remains bounded, or that the number of occurring negated literals decreases in every iteration. We argue for each of these three cases that termination of the fixpoint iteration can be guaranteed.


Introduction
FO transition systems (FO for First-order) are a convenient tool for specifying systems where the number of agents is not known in advance. This is very useful for modeling systems like network protocols [22] or web-based workflows like conference management, banking or commerce platforms. Consider, e.g., the specification from Fig. 1 modeling parts of the review process of a conference management system as a FO transition system.
[Fig. 1: FO transition system for the review process; of the update of discuss in its loop body, only the fragment A4(x1, x2, p, d, r1, r2) ∧ report(x1, p, r1) ∧ report(x2, p, r2) survives extraction.] The system works as follows: First, each PC member x possibly declares her conflict with each paper p. Then, papers p are assigned to PC members x in such a way that the conf relation is respected. Repeatedly, reports for PC members x about papers p arrive, where a subsequent discussion between PC members x1, x2 on some paper p is only possible if both have received a report on that paper; based on the discussions, they may update their reviews. Variants of this example have already been studied in [19,25].
A useful property to ensure in this example is that a discussion between x1 and x2 on some paper p is only possible if neither x1 nor x2 is an author of p:
∀x1, x2, p, d. ¬discuss(x1, x2, p, d) ∨ ¬auth(x1, p) ∧ ¬auth(x2, p)   (2)
As FO predicate logic is undecidable, we cannot hope to find an effective algorithm for proving an invariant such as (2) for arbitrary FO transition systems. That does not exclude, though, that at least some invariants can be proven inductive and thus valid. Also, approximation techniques may be conceived to construct strengthenings of given invariants which, hopefully, turn out to be inductive and thus may serve as certificates for the invariants in question. The idea of using FO predicate logic for specifying the semantics of systems has perhaps been pioneered by abstract state machines (ASMs) [6,7,14]. Recently, it has successfully been applied to the specification and verification of software-defined networks [2,20], of network protocols [23], and of distributed algorithms [22]. The corresponding approach is built into the tool Ivy [18,23]. Ivy is a proof assistant for systems specified in FO logic which is carefully designed around a decidable many-sorted extension of EPR (Effectively Propositional Logic, or ∃*∀* FO logic). In the base setting, invariants are provided manually and then checked for inductiveness by the theorem prover Z3 [8]. Some effort, though, has been invested to come up with more automatic techniques for specific settings such as threshold algorithms [4] or more general FO invariant inference [15,16]. The fundamental problem thereby is that repeated application of the weakest precondition operator may introduce additional first-order variables, new instances of input predicates or existential quantifiers, and thus result in formulas outside the decidable fragment of FO logic.
This problem has also been encountered in [10,11,19], where noninterference [13] is investigated for multi-agent workflows in the spirit of the conference management system from Fig. 1. In [19], the authors present a symbolic verification approach where the agent capabilities as well as declassification and self-composition of the original system T are encoded into a FO transition system T². Noninterference of the original system is thus reduced to a universal invariant of the resulting system T². Further abstraction (i.e., strengthening of the encountered formulas) is applied in order to arrive at a practical algorithm which iteratively strengthens the initial invariant.
So far, decidability could be shown only for rare cases. In [21], Sagiv et al. show that inferring universal inductive invariants is decidable when the transition relation is expressed by formulas with unary predicates and a single binary predicate restricted by the background theory of singly linked lists. The same problem becomes undecidable when the binary symbol is not restricted by a background theory. In [19], on the other hand, syntactic restrictions are introduced under which termination at least of an abstract fixpoint iteration can be guaranteed. The abstraction thereby consists in strengthening each occurring existential quantifier via appropriate instantiations (see also [9]). The syntactic restrictions proposed in [19] essentially amount to introducing a stratification on the predicates and restricting substitutions to stratified and guarded updates. It is argued that these restrictions are not unrealistic in specifications of multi-agent systems where the computation proceeds in stages, each of which accumulates information based on the results obtained in earlier stages. The example transition system from Fig. 1, e.g., is stratified: there is a mapping λ assigning a level λ(R) to each predicate R so that the predicates occurring in right-hand sides which are distinct from the left-hand side have lower levels. In the example, a suitable λ can be given explicitly. Intuitively, stratification limits dependencies between predicates to be acyclic. Examples of stratified guarded updates, on the other hand, are the two statements in the loop body of Fig. 1. Guarded updates only allow to extend predicates, where the extensions constrain the use of existential quantifiers to the format ϕ ∨ ∃z̄. A ȳ z̄ ∧ ψ for some input predicate A and quantifier-free subformulas ϕ, ψ.
The loop of the example thus satisfies the requirements of [19], implying that an abstract fixpoint iteration is guaranteed to terminate for every universal invariant. Here, we show that under the given assumptions, no abstraction is required: the concrete fixpoint iteration in question already terminates and returns the weakest inductive invariant, which happens to consist of universal formulas only. We conclude that universal invariants for the given class of FO transition systems are decidable.
Beyond that, we extend this class of FO transition systems by additionally allowing stratified guarded resets such as the two assignments before the loop in Fig. 1. Guarded stratified resets are seemingly easier than updates, as they define their left-hand sides solely in terms of predicates of lower levels. In full generality, though, when there are both updates and resets, we failed to prove that universal invariants are decidable. We only succeed provided that further (mild) restrictions are satisfied. Our results are that stratified guarded updates and resets can jointly be allowed
- when resets refer to predicates at the highest and at the lowest level of the stratification only; or
- when all predicates of level at least 1 occur in right-hand sides only positively; or
- when all updates are not only guarded, but strictly guarded.

Basic Definitions
Assume that we are given a finite set of predicate names R together with a finite set of constant names C. A FO structure s = ⟨I, ρ⟩ over a given universe U consists of an interpretation I of the predicates in R, i.e., a mapping which assigns to each predicate R ∈ R of arity k ≥ 0 a k-ary relation over U, together with a valuation ρ : C → U which assigns to each constant name an element in U. The semantics of FO (first-order) formulas as well as SO (second-order) formulas with free occurrences of predicates and variables in R and C, respectively, is defined as usual. We write s |= ϕ or ⟨I, ρ⟩ |= ϕ to denote that ϕ is valid for the given interpretation I and valuation ρ as provided by s. For FO transition systems, we distinguish between the set R_state of state predicates and the disjoint set A of input predicates. While the values of constants as well as the interpretation of the state predicates constitute the state attained by the system, the input predicates are used to model (unknown) input from the environment or decisions of participating agents.
At each transition of a FO transition system, the system state s' after the transition is determined in terms of the system state s before the transition via a substitution θ. For each state predicate R ∈ R_state, θ provides a FO formula specifying the interpretation of R after the transition in terms of the interpretation and valuation in s.
Technically, we introduce a set Y = {y_i | i ∈ ℕ} of distinct formal parameters where C ∩ Y = ∅. For a predicate R of arity k ≥ 0, we write R ȳ for the literal R(y1, . . . , yk) and assume that each substitution θ maps each literal R ȳ, R ∈ R_state, to some FO formula θ(R ȳ) with predicates in R_state ∪ A and free variables either from C or occurring among the variables in ȳ. In case that θ(R ȳ) = ψ and θ(R' ȳ) = R' ȳ for all R' ∈ R_state \ {R}, we also denote θ by R ȳ := ψ.
Example 1. In the example from Fig. 1, R_state consists of the predicates conf, auth, assign, report and discuss, while R_input consists of the predicates A1, . . . , A4. No constants are needed, so C = ∅. The edge from node 1 to 2, e.g., specifies a substitution θ that updates assign with θ(assign(x, p)) = A2(x, p) ∧ ¬conf(x, p) but does not change literals of the predicates conf, auth, report or discuss.
Applying θ to a FO formula ϕ results in the FO formula θ(ϕ) which is obtained from ϕ by replacing each literal R z̄ with the FO formula θ(R ȳ)[z̄/ȳ]. Here, [z̄/ȳ] represents the simultaneous substitution of the variables in ȳ by the corresponding variables in z̄.
Example 2. Consider the formula ϕ that specifies that the author of a paper p should never be assigned to provide a review for p. Applying the substitution θ from Example 1 results in the formula θ(ϕ).
A FO transition system T (over the given sets R_state of state predicates, A of input predicates and C of constant names) consists of a finite set of nodes V together with a finite set E of edges of the form e = (u, θ, v) where u, v ∈ V and θ is a substitution of the predicates in R_state. W.l.o.g., we assume that each substitution θ at some edge e always has occurrences of at most one input predicate, which we denote by A_e. For a given universe U, a program state s attained at a program point is a FO structure for the predicates in R_state and the constants in C over the universe U. Let S denote the set of all program states. A configuration of T is a pair (v, s) ∈ V × S. A (finite) run τ of T starting in configuration (v0, s0) and ending at node v in state s, i.e., in configuration (v, s), is a sequence of configurations (v_i, s_i), i = 0, . . . , n, where (v_n, s_n) = (v, s) and for all i = 1, . . . , n there is some edge e_i = (v_{i−1}, θ_i, v_i) ∈ E such that for s_{i−1} = ⟨I, ρ⟩, s_i = ⟨I', ρ'⟩, where for some interpretation R_i of the input predicate A_{e_i} and every valuation ρ_Y of the formals.
Assume that we are given an initial node v0 ∈ V together with an initial hypothesis H, i.e., a FO formula (with predicates in R_state and free variables only in C) characterizing all possible initial states attained at v0.
Example 3. According to the specification in Eq. (1) for the example transition system in Fig. 1, the single initial state is the pair of node 0 and the FO structure which interprets the relations auth, assign, report and discuss with the empty relation.
Input predicates may take fresh interpretations whenever the substitution of the corresponding edge is executed. This should be contrasted to state predicates whose interpretations stay the same if they are not explicitly updated by the transition system. The constant interpretation of such predicates instead may be constrained by suitable background theories as provided, e.g., via conjuncts of the initial hypothesis.
Assume that Ψ assigns to each program point v ∈ V a FO formula Ψ[v]. Then Ψ is a valid invariant (relative to the initial hypothesis H) if every run τ of the system starting in a configuration (v0, s0) with s0 |= H and visiting some
Indeed, it is this observation which is used in the Ivy project to verify distributed algorithms such as the Paxos protocol, essentially, by manually providing the invariant Ψ and verifying properties (3) and (4) via the theorem prover Z3 [8].
Not each valid invariant Ψ, though, is by itself inductive. If this is not yet the case, iterative strengthenings Ψ^(h), h ≥ 0, of Ψ may be computed as follows:
For computing the next iterate in (5), universal SO quantification over the input predicate A_e is required in order to account for every input possibly occurring during a run at the given edge. As, e.g., noted in [25], the iteration thus can be considered as computing the weakest precondition of the given invariant Ψ, as opposed to the collecting semantics of the FO transition system, which corresponds to the set of all configurations reachable from the set of all initial configurations (v0, s), s |= H. Whenever the fixpoint iteration (5) terminates, we obtain the weakest strengthening of the given invariant Ψ which is inductive. We have:

Lemma 1. Let T be a FO transition system and let Ψ an invariant. Assume that for some
In general, the required SO quantifier elimination may not always be possible, i.e., there need not always exist an equivalent FO formula [1], and even if SO quantifier elimination is always possible, the fixpoint iteration need not terminate. Non-termination may already occur when all involved predicates either have no arguments or are monadic [25]. Termination as well as effective computability can be enforced by applying abstraction (see, e.g., [24] for a general discussion). Applying an abstraction α amounts to computing a sufficient condition for the invariant Ψ to hold. Technically, an abstraction maps each occurring formula ψ to a formula α[ψ] (hopefully of a simpler form) so that α[ψ] → ψ. Subsequently, we list three examples of such strengthenings.

Example 4. Abstraction of existentials.
In [19], formulas with universal SO quantifiers and universal as well as existential quantifiers are strengthened to formulas with universal quantifiers only. The idea is to replace an existentially quantified subformula ∃x. ϕ with a disjunction ⋁_{y ∈ Y} ϕ[y/x] where Y is the subset of constants and those universally quantified variables in whose scope ϕ occurs. So, the formula ∀y1, y2. ∃x. R(x) is abstracted by ∀y1, y2. R(y1) ∨ R(y2). This abstraction is particularly useful, since SO universal quantifiers can be eliminated from universally quantified formulas.
Abstraction of Universals. Fixpoint iteration for universally quantified formulas still may not terminate due to an ever-increasing number of quantified variables. The universally quantified variable x in an otherwise quantifier-free formula ψ in negation normal form can be removed by replacing each literal containing x with false. In this way, the formula ∀x.
Abstraction of Conjunctions. Assume that the quantifier-free formula ψ is a conjunction of clauses. Then ψ is implied by the single clause c consisting of all literals which all clauses in ψ have in common. The formula (R x ∨ ¬S y ∨ T z) ∧ (R x ∨ T z ∨ ¬T x), e.g., can be strengthened to R x ∨ T z.
In this paper, rather than focusing on using abstractions, we identify sufficient criteria when the concrete iteration (5) terminates without any further abstraction.

Stratification and Guardedness
Subsequently, we concentrate on initial conditions in the ∃*∀* fragment and universal invariants, i.e., where the invariant Ψ consists of universal FO formulas only. Already for this setting, non-termination of the inference algorithm may occur even without SO quantification when a single binary predicate is involved.
Example 5. Consider the FO transition system T over a monadic state predicate R, a binary state predicate E and a constant element a. T consists of a single state u with a single transition:
The weakest inductive invariant thus represents the set of elements which are not reachable from a via the edge relation E. This property is not expressible in FO predicate logic. Accordingly, the fixpoint iteration cannot terminate.
Our goal is to identify useful non-trivial classes of FO transition systems where the fixpoint iteration is guaranteed to terminate. One ingredient for this definition is a stratification mapping λ : R_state → ℕ which assigns to each state predicate R a level λ(R). Intuitively, this mapping is intended to describe how the information flows between predicates. Thereby, we use the convention that λ(R) = 0 only for predicates R which are never substituted, i.e., whose values stay the same throughout each run of the transition system. We will consider substitutions which are guarded and stratified. A substitution θ is called guarded if it modifies at most one predicate R ∈ R_state at a time and is of one of the following forms:
where A ∈ R_input is an input predicate and ϕ, ψ are quantifier-free FO formulas without occurrences of the predicate A. If additionally each predicate R' occurring in ϕ or ψ has level less than λ(R), then θ is called stratified. According to our definition, a guarded substitution only updates a single predicate R. We might wonder whether the single-update restriction could be lifted by additionally allowing simultaneous updates of several predicates which are coupled via the same input predicate. For this extension, however, termination can no longer be guaranteed.

Lemma 2. There exists a FO transition system T using stratified simultaneous guarded updates and resets, together with some universal invariant
Proof. Consider the FO transition system T as shown in Fig. 2 for some binary predicate E, together with the invariant Ψ = {1 → error ∨ ¬hull(a, b), 0, 2 → ⊤} for constants a, b. Initially, the predicate hull is set to ⊥. By executing the loop h times, either the error flag error is set to ⊤, or hull receives k-fold compositions of E for k = 0, . . . , h. Still, we can assign levels to the predicates used by T which meet the requirements of a stratification:
For the required SO quantifier elimination of A1, A2, we note that in order to avoid error being set to ⊤, add(x, y, z) must imply hull(x, y) ∧ E(y, z). In order to falsify the invariant at program point 1 whenever possible, thus, A1(x, y, z) should be set to hull(x, y) ∧ E(y, z), and A2(x, z, y) at least to add(x, y, z). Altogether thus, the weakest inductive invariant for program point 0 is given by error ∨ ¬E*(a, b) where E* is the transitive closure of E. As transitive closure is not FO definable, we conclude that the fixpoint iteration cannot terminate. At the expense of slightly more complicated formulas for Ψ^(h), the right-hand side for add could be brought into the form (6). Thus, the crucial issue which results in inexpressible weakest inductive invariants is the use of the same input predicate in two simultaneous updates. In the next section, we indicate how to generally deal with SO quantifiers once a guarded substitution has been applied.

Universal SO Quantifier Elimination
It is well-known that universal SO quantifiers can be removed from otherwise quantifier-free formulas [12,19]. For example,
where for ȳ = (y1, . . . , yk) and z̄ = (z1, . . . , zk), ȳ = z̄ is a shortcut for the formula (y1 = z1) ∧ . . . ∧ (yk = zk). Interestingly, there are also cases where SO quantifier elimination is possible even in the presence of FO existential quantifiers.
Example 6. In that case, θ(R(a) ∨ ¬R(b)) is given by
A closer inspection reveals that in this case, SO quantifier elimination of A is possible, where ∀A. θ(R(a) ∨ ¬R(b)) is equivalent to
In particular, the resulting FO formula has universal FO quantifiers only.
The observation in Example 6 can be generalized.
Lemma 3.
2. If Ψ is of the form
for n, m ∈ ℕ where ϕ, ϕ', ψ_j all are FO formulas without occurrences of A.
Proof. For proving statement (1), we consider the negated formula ∃A.¬Ψ and apply Ackermann's lemma in order to remove existential SO quantification. We calculate: where the last formula is equivalent to the negation of formula (9). The second statement then follows from statement (1) by distributivity.
Interestingly, the same result is obtained when the existentially quantified variables z̄ do not occur as arguments to the input predicate A.
Lemma 4. 1. Assume that Ψ is of the form
for n, m ∈ ℕ where ϕ is a FO formula without occurrences of A. Then ∀A. Ψ is equivalent to
2. If Ψ is of the form
for n, m ∈ ℕ where ϕ, ϕ', ψ_j all are FO formulas without occurrences of A.
Proof. For proving statement (1), we again consider the negated formula ∃A. ¬Ψ and apply Ackermann's lemma in order to remove existential SO quantification. By introducing the shortcut Φ for ∃z̄. ϕ, we calculate:
where the last formula is equivalent to the negation of formula (13). Again, the second statement then follows from statement (1) by distributivity.
In light of Lemmas 3 and 4, we introduce simplified versions of guarded updates and resets where the input predicate no longer occurs in the scope of existential quantifiers:

Simplified Update: R ȳ
As a first corollary, we obtain:
Corollary 1. Assume that θ is a guarded update of the form (6) (guarded reset of the form (7)), and that θ' is the corresponding simplified update (16) (simplified reset (17)). Then for every universal FO formula Ψ,
In light of Corollary 1, we subsequently consider FO transition systems with simplified guarded updates and resets only.
Example 7. Let θ4 denote this simplified update, and consider the invariant (2) from the introduction. Application of θ4 results in the formula
Since A4 only occurs negatively, universal SO quantifier elimination of A4 yields
Corollary 2. Assume Ψ is a formula of the form (14). Then ∀A. Ψ ←→ θ(Ψ) where θ is given by
The definition (18) thus provides us with the worst adversarial strategy to defeat the proposed invariant. As another consequence of Lemma 3, we find that in the presence of subsequent SO quantifier elimination, the effect of a guarded substitution of the forms (16) or (17) could also be simulated by the corresponding nonuniform substitutions:

Corollary 3. Assume that θ is a guarded substitution of the form (16) or (17). Assume that θ' is the nonuniform substitution of the corresponding form (19) or (20), respectively. Then for every universal formula Ψ,
Finally, as another important consequence of Lemma 3, we obtain:
is FO definable. Then due to the compactness theorem for FO predicate logic [5], there is some h ≥ 0 such that
Example 8. Consider again the specification from Fig. 1, and let θ1, θ2, θ3, and θ4 denote the simplified substitutions occurring therein. Assume that Ψ equals the universal formula in (2), and we are interested in its validity at program point 2 of the transition system. The formula ∀A3. θ3(∀A4. θ4(Ψ)) is given by x2, p, d, r1, r2.¬discuss(x1, x2,
The resulting formula Ψ' already equals the fixpoint for the loop. Since the predicate assign only occurs negatively in Ψ' and conf only negatively in the right-hand side for assign, the formula ∀A1. θ1(∀A2. θ2(Ψ')) is obtained by construction from Ψ' via the substitution θ_assign defined by assign(y1, y2) := ¬auth(y1, y2). This means the formula Ψ'' for the initial node of the transition system is given by
By the initial condition H from the introduction, ¬discuss(x1, x2, p, d) holds at the initial node of the transition system, as well as ¬report(x1, p, r1) and ¬report(x2, p, r2) for all x1, x2, p, d, r1, r2. Therefore, H implies Ψ'', and the property Ψ at the exit of the transition system is valid.
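As an added illustration (this code is not from the paper), the following Python sketch implements the substitution step θ(ϕ) of the definitions section for an update of the shape R ȳ := R ȳ ∨ A ȳ ∧ ψ, and the clause-wise universal SO quantifier elimination this section applies, generalized from the opening example to clauses with several positive and negative A-literals; it then runs both on invariant (2) under the loop update θ4 and brute-forces the equivalence ∀A. θ(Ψ) ↔ result over a two-element universe. Assumptions made here: the argument d is dropped from discuss, ψ is a conjunction of literals whose variables outside ȳ (r1, r2) are existentially quantified, the simplified forms (16)/(17) are not legible on this page so the shape above is only a reading of them, and all names and sample interpretations are constructed.

```python
from itertools import combinations, count, product

# Literal: (positive, predicate, args), "=" meaning identity.  Clause: frozenset of
# literals (disjunction).  Formula: list of clauses, variables implicitly universal.

def lit(pred, *args, pos=True):
    return (pos, pred, tuple(args))

def negate(l):
    return (not l[0], l[1], l[2])

def rename(l, mapping):  # simultaneous renaming of variables, the paper's [z/y]
    return (l[0], l[1], tuple(mapping.get(v, v) for v in l[2]))

_fresh = count()   # fresh names for the universal copies of the existential variables

def apply_update(cnf, R, params, A, psi):
    """theta(cnf) for the update  R(params) := R(params) v A(params) /\ psi,  psi a
    conjunction of literals.  Variables of psi outside params are existential; under
    a negative occurrence of R they become fresh universals, so the result stays
    universal.  A positive occurrence is handled only if psi has no such variables."""
    extra = sorted({v for q in psi for v in q[2]} - set(params))
    result = []
    for clause in cnf:
        rest = frozenset(l for l in clause if l[1] != R)
        options = []                     # one CNF per occurrence of R in the clause
        for l in clause:
            if l[1] != R:
                continue
            pos, _, args = l
            mapping = dict(zip(params, args))
            if extra:
                if pos:
                    raise ValueError("positive occurrence would introduce an existential")
                mapping.update({z: f"{z}_{next(_fresh)}" for z in extra})
            psi_a = [rename(q, mapping) for q in psi]
            a_lit = (True, A, args)
            if pos:    # R(a) v (A(a) /\ psi)  ==  (R(a) v A(a)) /\ AND_q (R(a) v q)
                options.append([frozenset({l, a_lit})] + [frozenset({l, q}) for q in psi_a])
            else:      # ~(R(a) v (A(a) /\ psi))  ==  ~R(a) /\ (~A(a) v OR_q ~q)
                options.append([frozenset({l}), frozenset({negate(a_lit), *map(negate, psi_a)})])
        for choice in product(*options):  # distribute the disjunction over the CNFs
            result.append(rest.union(*choice))
    return result

def eliminate(cnf, A):
    """forall A. cnf  as a universal formula without A, clause by clause:
    forall A.(phi v OR_i A(a_i) v OR_j ~A(b_j))  <->  phi v OR_{i,j} a_i = b_j,
    since A may hold exactly on the b_j unless some b_j equals some a_i.  Tuple
    equalities are multiplied out (CNF); a one-sided A just drops its literals."""
    result = []
    for clause in cnf:
        phi = frozenset(l for l in clause if l[1] != A)
        pos = [l[2] for l in clause if l[1] == A and l[0]]
        neg = [l[2] for l in clause if l[1] == A and not l[0]]
        pairs = [[(True, "=", (x, y)) for x, y in zip(a, b)] for a in pos for b in neg]
        for choice in product(*pairs):
            result.append(phi | frozenset(choice))
    return result

def truth(l, env, interp):
    pos, pred, args = l
    tup = tuple(env[v] for v in args)
    return pos == (tup[0] == tup[1] if pred == "=" else tup in interp[pred])

def holds(cnf, universe, interp):
    """Universal closure of cnf over a finite universe; interp maps predicate
    names to sets of tuples."""
    for clause in cnf:
        variables = sorted({v for l in clause for v in l[2]})
        for values in product(universe, repeat=len(variables)):
            env = dict(zip(variables, values))
            if not any(truth(l, env, interp) for l in clause):
                return False
    return True

def so_equivalent(cnf, A, arity, universe, interp):
    """Brute-force check of  (forall A. cnf) <-> eliminate(cnf, A)  for one
    interpretation of the state predicates, over every interpretation of A."""
    tuples = list(product(universe, repeat=arity))
    lhs = all(holds(cnf, universe, {**interp, A: set(sub)})
              for k in range(len(tuples) + 1) for sub in combinations(tuples, k))
    return lhs == holds(eliminate(cnf, A), universe, interp)

# Constructed instance of the conference example: invariant (2) with the argument
# d dropped, and the loop update of discuss (theta_4) with the guard's
# existential variables r1, r2 folded into psi.
INVARIANT = [   # forall x1,x2,p. ~discuss(x1,x2,p) v ~auth(x1,p) /\ ~auth(x2,p)
    frozenset({lit("discuss", "x1", "x2", "p", pos=False), lit("auth", "x1", "p", pos=False)}),
    frozenset({lit("discuss", "x1", "x2", "p", pos=False), lit("auth", "x2", "p", pos=False)}),
]
PARAMS = ("y1", "y2", "y3")   # discuss(y1,y2,y3) := discuss(y1,y2,y3) v A4(y1,y2,y3) /\ PSI
PSI = [lit("report", "y1", "y3", "r1"), lit("report", "y2", "y3", "r2")]

def weakest_precondition(cnf=INVARIANT):
    """forall A4. theta_4(Psi): discuss occurs only negatively, so every A4-literal
    is negative and is dropped.  The four clauses say: if x1 (resp. x2) authored p,
    then x1, x2 are not discussing p and do not both hold reports on p."""
    return eliminate(apply_update(cnf, "discuss", PARAMS, "A4", PSI), "A4")
```

Applying `weakest_precondition` to its own output only reproduces the same clauses up to renaming of the fresh universal variables, which is the fixpoint behaviour Example 8 describes for the loop.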
In this section we have shown comprehensively how to eliminate universal SO quantifiers introduced by guarded updates in a FO transition system, and we have introduced a non-uniform variant of guarded updates and resets which removes all possibly introduced existential FO quantifiers. In the next two sections, we apply these results to FO transition systems which additionally are stratified.

Stratified Guarded Updates
In [19], termination was announced for FO transition systems with stratified guarded updates where instantiation of existential quantifiers was applied as an abstraction to enforce all occurring formulas to be universal. Here, we improve on that result in two respects. First, we present a proof that termination can also be guaranteed without any abstraction. Second, we generalize the setting to allow stratified guarded resets, at least at the maximal and minimal levels.

Theorem 2. Assume that T is a FO transition system where each occurring substitution is stratified guarded with the restriction that resets only occur for predicates of level 1 and the maximal level L. Then for every universal invariant Ψ , the weakest inductive invariant is again universal and can effectively be computed.
Proof. W.l.o.g., we assume that each occurring substitution is a simplified update or reset, i.e., either of the form (16) or (17). We show that there is some h ≥ 0 so that Ψ^(h+1) = Ψ^(h). Since by Lemma 4, Ψ^(h)[u] is a universal formula for all h ≥ 0 and program points u, the statement of the theorem follows.
Assume that each simplified update θ of a predicate R always is specified by means of the same input predicate A_R. Let Θ denote the finite set of stratified guarded substitutions occurring in T, and Φ a universal FO formula. Let π = θ_N, . . . , θ_1 be any sequence of nonuniform substitutions where for each i = 1, . . . , N, θ_i = θ'_i[A_i/A_R] holds for a fresh input predicate A_i, and a nonuniform substitution θ'_i of the form (19) corresponding to a simplified update or reset θ ∈ Θ with left-hand side R ȳ.

Lemma 5.
There is some number V only depending on Φ and Θ so that π(Φ) = θ_N(. . . θ_1(Φ) . . .) = ⋀_t (∀z̄_t. c_t) for clauses c_t where the number of FO variables in z̄_t is bounded by V. In particular, V is independent of the number N of substitutions in π.
Given Lemma 5, the number of argument tuples z̄ of occurring literals A_i z̄ in any c_t is bounded. Due to Corollary 2, a bounded number of substitutions of the form (18) therefore suffices to realize SO quantifier elimination of A_1, . . . , A_N in c_t. As a consequence, the number of universal FO formulas possibly occurring in each conjunct of ∀A_1 . . . A_N. π(Φ), and thus also the number of conjunctions of these formulas, is finite. Accordingly, there must be some h ≥ 0 so that Φ^(h+1) = Φ^(h), and the theorem follows. It therefore remains to prove Lemma 5.
Proof (of Lemma 5). Let us first consider the case where there is no reset of predicates at maximal level L. We introduce a dedicated class of formulas g as finite conjunctions of generalized clauses c which are built up according to the following abstract grammar
where c_0 is an ordinary clause without occurrences of input predicates, R is a predicate, A, A_n are input predicates, ā, b̄ are sequences of arguments, z̄_R is a sequence of fresh variables whose length only depends on R, and the o_b̄ are formulas where all state predicates are of level 0. A formula f_{R b̄} is also called a negation tree with head ¬R b̄, while we call a formula o_b̄ a level 0 chunk. Moreover, (a) all literals occurring in the generalized clauses c_n inside the conjunction within f_{R b̄} are of levels less than λ(R); (b) for any two negation trees ϕ_1, ϕ_2 with identical head ¬R b̄, there is some formula Δ so that either ϕ_1 = ϕ_2 ∧ Δ or, vice versa, ϕ_2 = ϕ_1 ∧ Δ holds.
Φ can be brought into the form ∀z̄. ⋀_{t=1}^{m} c_t where each c_t is an ordinary clause without occurrences of input predicates, i.e., a plain disjunction of literals and (dis-)equalities. Therefore, now consider a single generalized clause c which satisfies properties (a) and (b). We show that for each nonuniform update substitution θ of the form
θ(c) can again be represented as a conjunction of generalized clauses satisfying properties (a) and (b), and whose free variables are all contained in the set of free variables from c and θ. Assume that c is of the form c' ∨ ⋁_{i=1}^{s} R ā_i ∨ ⋁_{j=1}^{t} f_{R b̄_j} where c' is a generalized clause without further top-level occurrences either of positive literals R ā' or negation trees with head ¬R b̄' for any ā', b̄', and f_{R b̄_j} = ¬R b̄_j ∧ ∀z̄_R. ⋀_{ν=1}^{u_j} (¬A_{j,ν} b̄_j ∨ c_{j,ν}) is a negation tree with head ¬R b̄_j. Then θ(c) = ⋀_{c_1,...,c_s ∈ C} ⋀_{J ⊆ [1,t]}
where C and C̄ are the sets of clauses in the normal forms of ϕ and ¬ϕ, respectively. The resulting formula can indeed be represented as a conjunction of generalized clauses satisfying property (a). Concerning property (b), we observe that for every fresh negative literal property (b) trivially holds, while for existing negation trees this property is preserved. If on the other hand θ is a reset of a predicate at level 1, θ(c) is a conjunction of generalized clauses where some negation trees have been replaced by level 0 chunks. In particular, properties (a) and (b) still hold.
Assume now that we are given a generalized clause c satisfying properties (a) and (b). Then c is called flat up to level i if the roots of all negation trees occurring in c with a nonempty conjunction have level at most i, and for every predicate R of level i and every possible argument tuple b̄, there is at most one negation tree with head ¬R b̄. For a generalized clause c which is flat up to level i, we define the transformation flatten_i as follows. Assume that c is of the form
where the ¬R_j b̄_j represent all occurrences of negated literals of level i. Then c ←→ ⋀_{J = {j_1 < ... < j_k} ⊆ [1,t]} ⋀_{ν_1 ∈ [1, u_{j_1}]}
In each quantified clause ∀z̄_{j_1} . . . z̄_{j_k}. c' in the conjunction, all occurring negation trees have level less than i. Now due to property (2), c' can be simplified so that for each negated literal R' b̄ where R' is of level i−1, there is at most one negation tree. The resulting conjunction of quantified clauses is denoted by flatten_i c.
To compute a bound on the number of possible argument variables, let us introduce the following structural parameters:
Therefore, assume that i < L and a bound V_{i+1} has already been found. Then V_i can be bounded as follows: given the number V_{i+1}, the number of literals of predicates at level i + 1 can be bounded by m · V_{i+1}^r. For each of these literals, a fresh list of variables of length at most l can be provided. Accordingly,
Altogether, this means that the total number of variables possibly occurring in literals of c (outside of level 0 chunks) at level at least 0 is bounded by
Let us finally also consider the case when additionally resets of predicates at maximal level L occur. Such a reset for a predicate R takes effect at most once. It thus introduces one fresh list of universally quantified variables for each occurrence ¬R b̄ of the negated literal at most once, where we w.l.o.g. may even assume that the list of outside universal quantifiers of the negation tree for that literal can be reused. Thus, no further universal quantifiers are introduced. Altogether, therefore, the number of FO variables in quantified clauses ∀z̄'. c' contained in π(Φ) remains bounded. This completes the proof of Lemma 5.
We remark that Theorem 2 remains true if there are predicates R with stratified guarded updates as well as resets also at non-extremal levels, given that neither their updates nor their resets introduce FO variables, i.e., the variable lists z̄ in (6) and (7) ((16) and (17)) are empty. In general, though, the proof technique of Theorem 2 cannot easily be extended to FO transition systems with arbitrary resets of the form (7), since then conjunctions of the form o_b̄ with nonempty lists of quantified variables may also occur at higher levels, where it is no longer clear how to prove that their number is finite.

Allowing Guarded Stratified Resets
We would like to extend Theorem 2 from the last section to FO transition systems which additionally have resets at arbitrary levels. We succeed in doing so in two special cases (see Theorems 3 and 4, respectively). Let us call an update strictly guarded if it is of the form: for some predicate R and quantifier-free FO formula ψ without occurrences of A. Furthermore, let us call an update or reset θ positive if all predicates only occur positively in the right-hand side. Let ⋀_j (∀z̄_j. c_j) denote the conjunction of quantified generalized clauses for π(Φ), now possibly also with subformulas ob holding predicates of level > 0. Then each FO variable x occurring in a positive literal A_i ā in any c_j already occurs in Φ. In light of Corollary 2, it therefore suffices to use only a globally bounded number of input predicates in each c_j. If the number of predicate symbols is bounded, then so is the number of generalized clauses as well as the number of non-equivalent formulas ∀A_1 ... A_N. π(Φ), implying that for every universal invariant Ψ, Ψ^{(h+1)} = Ψ^{(h)} for some h ≥ 0. From that, the statement of the theorem follows.
The proof argument for Theorem 3 cannot easily be extended to unrestricted stratified guarded substitutions. In presence of negated literals in substitutions, it is no longer the case that the arguments of positive literals R ā occurring in π(Φ) have already occurred in Φ, so for the next result we have to rely on a different proof strategy. Proof. For this proof, it is convenient to use the notation Φ ∀x̄. c for a universal FO formula Φ, a clause c, and a list x̄ of distinct variables so that for the prenex CNF ∀z̄. c_1 ∧ ... ∧ c_m of Φ, c occurs among the c_j, and x̄ is the subsequence of variables in z̄ which occur in c. We rely on the following technical lemma: Assume that c is a clause and θ a stratified reset or stratified strictly guarded update with input predicate A which substitutes a predicate R with λ(R) = s. Let c′ be a clause with ∀A. θ(c) ∀x̄. c′ where x̄ is the list of newly introduced variables in c′. Then either c′ = c and x̄ is empty, or the number of literals at level s of c′ is less than the corresponding number of c.
Proof. Assume that the clause c is of the form c_0 ∨ R ȳ_1 ∨ ... ∨ R ȳ_n ∨ ¬R ȳ_1 ∨ ... ∨ ¬R ȳ_m where c_0 does not contain the predicate R. If θ is a reset, all literals containing R are eliminated. Therefore, the assertion of the lemma trivially holds. Now assume that θ is a strictly guarded update, i.e., of the form (22). Then by Lemma 3, [1,m] where z̄_j is a fresh list of FO variables of the same length as z̄, and z̄_J is the concatenation of all lists z̄_j, j ∈ J. In particular, for J = ∅, z̄_J is empty and the corresponding clause equals c. If on the other hand J ≠ ∅, the number of negated literals occurring in the clause has decreased. By Lemma 6, the number of literals at level s therefore either decreases, or the clause stays the same. Let Θ denote a finite set of stratified guarded substitutions where all updates in Θ are strictly guarded, and let c_0 denote any clause. Consider a sequence (θ_t, ∀x̄_t. c_t), t ≥ 1, where for all t ≥ 1, θ_t ∈ Θ with some input predicate A_t, and ∀A_t. θ_t(c_{t−1}) ∀x̄_t. c_t holds. We claim that then there is some t′ ≥ 1 so that c_t = c_{t′} and x̄_t is empty for all t > t′.
In order to prove that claim, we introduce for t ≥ 1 the vector v_t = (v_{t,L}, ..., v_{t,1}) ∈ ℕ^L, where L is the maximal level of a predicate in R_state and v_{t,i} is the number of literals with predicates of level i. By Lemma 6, it holds for all t ≥ 0 that either c_t = c_{t+1} and z̄_t is empty, or v_t > v_{t+1} w.r.t. the lexicographic order on ℕ^L. Since the lexicographic ordering on ℕ^L is well-founded, the claim follows. We conclude that the set of quantified clauses ∀z̄. c with Ψ^{(h)}[u] ∀z̄. c for any u and h is finite. From that, the statement of the theorem follows.
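The following Python, added here as an illustration and not code from the paper, models clauses as sets of literals over a constructed stratification and checks the measure used in the proof above: along a sequence of clauses, every step either leaves the clause unchanged or strictly decreases v_t in the lexicographic order on ℕ^L. Predicate names and levels are constructed, resets are modelled as eliminating every literal of the reset predicate, and quantified variable lists are not modelled.

```python
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple


class Lit(NamedTuple):
    pred: str            # predicate symbol
    negated: bool        # True for ¬R b̄
    args: Tuple[str, ...]


Clause = FrozenSet[Lit]

# Constructed stratification λ: level 0 is reserved for input predicates,
# state predicates get levels 1..L (here L = 3).
LEVELS: Dict[str, int] = {"A": 0, "conf": 1, "assign": 2, "report": 3}


def level_vector(c: Clause, level: Dict[str, int]) -> Tuple[int, ...]:
    """v = (v_L, ..., v_1): literal counts per level, top level first.
    Level 0 literals are not counted, matching v_t ∈ N^L."""
    top = max(level.values())
    counts = [0] * top
    for lit in c:
        lv = level[lit.pred]
        if lv > 0:
            counts[top - lv] += 1     # index 0 holds level L, index L-1 holds level 1
    return tuple(counts)


def lex_less(v: Tuple[int, ...], w: Tuple[int, ...]) -> bool:
    """v < w in the lexicographic order on N^L (Python compares tuples that way)."""
    return v < w


def apply_reset(c: Clause, r: str) -> Clause:
    """A stratified reset of R eliminates all literals containing R."""
    return frozenset(lit for lit in c if lit.pred != r)


def stabilization_point(seq: List[Clause], level: Dict[str, int]) -> Optional[int]:
    """Check the proof's claim on a clause sequence c_0, c_1, ...: each step must
    either keep the clause or decrease v_t lexicographically. Returns the index t'
    after which the sequence stays constant, or None if some step changes the
    clause without decreasing the measure (which Lemma 6 rules out)."""
    vs = [level_vector(c, level) for c in seq]
    last_change = 0
    for t in range(1, len(seq)):
        if seq[t] == seq[t - 1]:
            continue                          # stationary step: c_t = c_{t-1}
        if not lex_less(vs[t], vs[t - 1]):
            return None                       # measure did not decrease
        last_change = t
    return last_change


# Constructed sample clause and a sequence produced by two resets, then no change.
C0: Clause = frozenset({Lit("assign", False, ("x", "p")), Lit("report", True, ("x", "p", "r")),
                        Lit("conf", False, ("x", "p")), Lit("conf", True, ("y", "p")),
                        Lit("A", False, ("x",))})
C1 = apply_reset(C0, "report")
C2 = apply_reset(C1, "assign")
SEQ = [C0, C1, C2, C2, C2]
```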
Theorem 4 leaves open the case of transition systems with stratified guarded resets and stratified guarded updates of which some are not strictly guarded. To these, the presented proof technique cannot easily be extended. The reason is that a non-strictly guarded update θ for some predicate R, when applied to some clause c, may result in a quantified clause ∀z̄. c′ with ∀A. θ(c) ∀z̄. c′ so that neither c′ = c holds nor does the number of literals ¬R b̄ decrease.

Conclusion
We have investigated FO transition systems where all substitutions are either guarded updates or guarded resets. For these, we observed that the exact weakest pre-condition of a universal FO formula is again a universal FO formula, thus allowing us to realize a fixpoint computation of iterated strengthening for proving the validity of universal invariants. In order to identify sub-classes of FO transition systems where termination can be guaranteed, we relied on a natural notion of stratification. Here, we were able to prove termination (and thus decidability) for three interesting sub-classes of stratified guarded FO transition systems. However, it remains as an open question whether termination can be proven for all FO transition systems with stratified guarded updates and resets.
The results of our paper can immediately be applied to the multi-agent workflow language as considered in [19] for analyzing noninterference in presence of declassification and agent coalitions. There, transformations are presented to encode noninterference properties as invariants of the self-composition of the given workflow [3,17]. At least for the case of stubborn agents [11], i.e., agents who do not participate in adversarial coalitions, the given transformation preserves both guardedness and the stratification. The same also holds true if the size of adversarial coalitions is bounded. For these cases, our novel decidability results therefore translate into decidability of noninterference.