Temporal Stream Logic modulo Theories ∗

. Temporal stream logic (TSL) extends LTL with updates and predicates over arbitrary function terms. This allows for specifying data-intensive systems for which LTL is not expressive enough. In the semantics of TSL, functions and predicates are left uninterpreted. In this paper, we extend TSL with first-order theories, enabling us to specify systems using interpreted functions and predicates such as incrementa-tion or equality. We investigate the satisfiability problem of TSL modulo the standard underlying theory of uninterpreted functions as well as with respect to Presburger arithmetic and the theory of equality: For all three theories, TSL satisfiability is highly undecidable. Nevertheless, we identify three fragments of TSL for which the satisfiability problem is (semi-)decidable in the theory of uninterpreted functions. Despite the high undecidability, we present an algorithm – which is not guaranteed to terminate – for checking the satisfiability of a TSL formula in the theory of uninterpreted functions and evaluate it: It scales well and is able to validate assumptions in a real-world system design.


Introduction
Linear-time temporal logic (LTL) [32] is one of the standard specification languages to describe properties of reactive systems. The success of LTL is largely due to its ability to abstract from the detailed data manipulations and to focus on the change of control over time. In data-intensive applications, such as smartphone apps, LTL is, however, often not expressive enough to capture the relevant properties. When specifying a music player app, for instance, we would like to state that if the user leaves the app, the track that is currently playing will be stored and will resume playing once the user returns to the app.
To specify data-intensive systems, extensions of LTL such as Constraint LTL (CLTL) [6] and, more recently, Temporal Stream Logic (TSL) [15] have been proposed. In CLTL, the atomic propositions of LTL are replaced with atomic constraints over a concrete domain D and an interpretation for relations. Relating variables with the equality relation, such as x = y, denoting that the value of x is equal to the value of y, allows for specifying assignment-like statements. In this paper, however, we focus on the logic TSL to specify data-intensive systems.
TSL extends LTL with updates and predicates over arbitrary function terms. An update x ↢ f (y) denotes that the result of applying function f to variable y is assigned to variable x. For the music player app, for instance, the update paused ↢ track (current) specifies that the track that is currently playing, obtained by applying function track to variable current, is stored in variable paused . Updates are the main characteristic of TSL that differentiates it from other first-order extensions of LTL: They allow for specifying the evolution of variables over time. Thus, programs can be represented in TSL and therefore, for instance, the model checking problem can be encoded.
In the semantics of TSL, functions and predicates are left uninterpreted, i.e., a system satisfies a TSL formula if the formula evaluates to true for all possible interpretations of the function and predicate symbols. This semantics has proven especially useful in the synthesis of reactive programs [15,17], where the synthesis algorithm builds a control structure, while the implementation of the functions and predicates is either done manually or provided by some library. One exemplary success story of TSL-based specification and synthesis of a reactive system is the arcade game Syntroids [17] realized on an FPGA.
In this paper, we define and investigate the satisfiability problem of TSL modulo the standard underlying theory of uninterpreted functions and with respect to other first-order theories such as the theory of equality and Presburger arithmetic. Intuitively, a TSL formula φ is satisfiable in a theory T if there is an execution satisfying φ that matches the function applications and predicate constraints of an interpretation in T . TSL validity in T is dual: A TSL formula φ is valid in a theory T if, and only if, ¬φ is unsatisfiable in T .
For LTL, satisfiability is decidable [37] and efficient algorithms for checking the satisfiability of an LTL formula have been implemented in tools like Aalta [25]. Satisfiability checking has numerous applications in the specification and analysis of reactive systems, such as identifying inconsistent system requirements during the design process, comparing different formalizations of the same requirements, and various types of vacuity checking. TSL satisfiability checking extends these applications to data-intensive systems.
We present an algorithm for checking the satisfiability of a TSL formula in the theory of uninterpreted functions. It is based on Büchi stream automata (BSAs), a new kind of ω-automata that we introduce in this paper. BSAs can handle the predicates and updates occurring in TSL formulas. Similar to the relationship between LTL formulas and nondeterministic Büchi automata, BSAs are an automaton representation of TSL formulas, i.e., there exists an equivalent BSA for every TSL formula. Given a TSL formula φ, our algorithm constructs an equivalent BSA B φ and then tries to prove satisfiability and unsatisfiability in parallel: For proving satisfiability, it searches for a lasso that ensures consistency of the function terms in an accepting run of B φ . If such a lasso is found, φ is satisfiable. For proving unsatisfiability, the algorithm discards inconsistent runs of B φ . If no accepting run is left, φ is unsatisfiable.
The algorithm does not always terminate. In fact, we show that TSL satisfiability is neither semi-decidable nor co-semi-decidable in the theory of uninterpreted functions. Thus, no complete algorithm exists. The undecidability result extends to the theory of equality and Presburger arithmetic. There exist, however, (semi-)decidable fragments of TSL in the theory of uninterpreted functions: For satisfiable formulas with a single variable as well as satisfiable reachability formulas, our algorithm is guaranteed to terminate. For slightly more restricted reachability formulas, satisfiability is decidable.
We have implemented the algorithm and evaluated it, clearly illustrating its applicability: It terminates within one second on many randomly generated formulas and scales particularly well for satisfiable formulas. Moreover, it is able to check realistic benchmarks for consistency and to (in-)validate their assumptions. Most notably, we successfully validate the assumptions of a Syntroids module.
A preliminary version of this paper has been published on arXiv [13]. This already lead to further research on TSL modulo theories: Maderbacher and Bloem show that the synthesis problem for TSL modulo theories is undecidable in general and present a synthesis procedure for TSL modulo theories based on a counter-example guided LTL synthesis loop [27].
Further details and proofs are available in the full version of this paper [14].

Preliminaries
We assume time to be discrete. A value can be of arbitrary type and we denote the set of all values by V. The Boolean values are denoted by B ⊆ V. Given n values, an n-ary function f : V n → V computes a new value. An n-ary predicate p : V n → B determines whether a property over n values is satisfied. The sets of all functions and predicates are denoted by F and P ⊆ F, respectively. Constants are both functions of arity zero and values. Starting from 0, we denote the i-th position of an infinite word σ by σ i and the i-th component of a tuple t by π i (t).
To argue about functions and predicates, we use a term based notation. Function terms τ f are constructed from variables and functions, recursively applied to a set of function terms. Predicate terms τ p are constructed by applying a predicate to function terms. The sets of all function and predicate terms are denoted by T F and T P ⊆ T F , respectively. Given sets Σ F , Σ P of function and predicate symbols with Σ P ⊆ Σ F , a set V of variables, and a set V of values, let ⟨·⟩ : V ∪ Σ F → V ∪ F be an assignment function assigning a concrete function (predicate) to each function (predicate) symbol and an initial value to each variable. We require ⟨v⟩ ∈ V, ⟨f ⟩ ∈ F, and ⟨p⟩ ∈ P for v ∈ V , f ∈ Σ F , p ∈ Σ P . The evaluation χ ⟨·⟩ : T F → V ∪ B of function terms is defined by χ ⟨·⟩ (v) := ⟨v⟩ for v ∈ V , and by χ ⟨·⟩ (f (τ 0 , . . . , τ n )) := ⟨f ⟩(χ ⟨·⟩ (τ 0 ), . . . , χ ⟨·⟩ (τ n )) for f ∈ Σ F ∪ Σ P .
Functions and predicates are not tied to a specific interpretation. To restrict the possible interpretations, we utilize first-order theories. A first-order theory T is a tuple (Σ F , Σ P , A), where Σ F and Σ P are sets of function and predicate symbols, respectively, and A is a set of closed first-order logic formulas over Σ F , Σ P , and a set of variables V . For an introduction to first-order logic, we refer to the full version [14]. The elements of A are called the axioms of T and Σ F ∪ Σ P is called the signature of T . A model M for a theory T = (Σ F , Σ P , A) is a tuple (V, ⟨·⟩), where V is a set of values and ⟨·⟩ is an assignment function as introduced above. Furthermore, (V, ⟨·⟩) is required to entail φ A for each axiom φ A ∈ A. The set of all models of a theory T is denoted by Models(T ).
In the remainder of this paper, we focus on the following three theories: The theory of uninterpreted functions T U is a theory without any axioms, i.e., every symbol is uninterpreted. It allows for arbitrarily many function and predicate symbols. The theory of equality T E additionally includes equality, i.e., its axioms enforce the equality symbol = to indeed represent equality. The theory of Presburger arithmetic T N implements the idea of numbers. Its axioms define the constants 0 and 1 as well as equality and addition.

Temporal Stream Logic modulo Theories
In this section, we introduce Temporal Stream Logic modulo theories, an extension of the recently introduced logic Temporal Stream Logic (TSL) [15] with first-order theories. First, we recap the main idea of TSL as well as its syntax and semantics. Afterwards, we extend TSL with first-order theories and define the basic notions of satisfiability and validity for TSL formulas modulo theories.

Temporal Stream Logic
Temporal Stream Logic (TSL) [15] is a temporal logic that separates temporal control and pure data. Data is represented as infinite streams of arbitrary type. TSL allows for checks and manipulations of streams on an abstract level: It focuses on the control flow and abstracts away concrete implementation details. The temporal structure of the data is expressed by temporal operators as in LTL [32]. TSL is especially designed for reactive synthesis and thus distinguishes between uncontrollable input streams and controllable output streams, so-called cells. In this paper, this distinction is not necessary since we consider TSL independent of its usage in synthesis. Thus, we use the notions of streams and cells as synonyms. The finite set of all cells is denoted by C.
In TSL, we use functions f ∈ F to modify cells and predicates p ∈ P to perform checks on cells. The cells c ∈ C serve as variables for function terms. The sets of all function and predicate terms over Σ F , Σ P , and C are denoted by T F and T P . TSL formulas are built according to the following grammar: where c ∈ C, τ p ∈ T P , and τ f ∈ T F . An update c ↢ τ f denotes that the value of the function term τ f is assigned to cell c. The value of τ f may depend on the value of the cells occurring in τ f . The temporal operators φ and φ U ψ are similar to the ones in LTL. We define φ = true U φ and φ = ¬ ¬φ.
Since functions and predicates are represented symbolically, they are not tied to a specific implementation. To assign an interpretation to them, we use an assignment function ⟨·⟩ : C ∪ Σ F → V ∪ F, where V is a set of values. We require ⟨c⟩ ∈ V, ⟨f ⟩ ∈ F and ⟨p⟩ ∈ P for c ∈ C, f ∈ Σ F , and p ∈ Σ P Note that ⟨·⟩ also assigns an initial value to each cell. Terms can be compared syntactically with the equivalence relation ≡. The set of all assignments of cells c ∈ C to function terms τ f ∈ T F is denoted by C. A computation ς ∈ C ω is an infinite sequence of assignments of cells to function terms, capturing the behavior of cells over time. The satisfaction of a TSL formula φ with respect to ς, a set of values V, an assignment function ⟨·⟩, and a time step t is defined by: 1 We call (ς, V, ⟨·⟩) an execution. The satisfaction of a predicate depends on the current and the past steps in the computation. For updates, the satisfaction depends solely on the current step. While updates are only checked syntactically, the satisfaction of predicates depends on the given assignment ⟨·⟩. An execution (ς, V, ⟨·⟩) satisfies a TSL formula φ, denoted ς |= V,⟨·⟩ φ, if ς, 0 |= V,⟨·⟩ φ holds. Let V = N be the set of values and let ⟨·⟩ be an assignment function such that the initial value of x is 1, function f corresponds to incrementation, and predicate p determines whether its argument is even (true) or odd (false). Consider the TSL formula φ := x ↢ f (x) ∧ ¬p(x) ∧ p(x). By the semantics of TSL, we have ς, 0 |= V,⟨·⟩ φ if, and only if, (ς 0 (x) = f (x)) ∧ (¬⟨p⟩(⟨x⟩)) ∧ (⟨p⟩(⟨f ⟩(⟨x⟩))) holds. The first conjunct clearly holds by construction of ς. Since 1 is odd and 1 + 1 = 2 is even, the other two conjuncts hold as well for the chosen assignment function.
A computation ς is called finitary with respect to φ, denoted fin φ (ς), if for all cells c ∈ C and for all points in time t, either ς t (c) ≡ c holds, or there is an update c ↢ τ in φ such that ς t (c) ≡ τ , i.e., a finitary computation only contains updates occurring in φ and self-updates. For ς and φ from Example 1, for instance, ς is finitary with respect to φ.

Extending TSL with Theories
In this paper, we extend TSL with first-order theories. That is, we restrict the possible interpretations of predicate and function symbols to a theory. Hence, we define the notions of satisfiability and validity of a TSL formula modulo a theory T . Intuitively, a TSL formula φ is satisfiable in a theory T if there exists an execution satisfying φ whose domain and assignment function represent a model in T , i.e., that entail all axioms of T . Formally: Definition 1 (TSL Satisfiability). Let T = (Σ F , Σ P , A) be a theory and let φ be a TSL formula over Σ F , Σ P , and C. We call φ satisfiable in T if, and only if, there exists an execution (ς, V, ⟨·⟩), such that ς |= V,⟨·⟩ φ and (V, ⟨·⟩) ∈ Models(T ) hold. If additionally fin φ (ς) holds, then φ is called finitary satisfiable in T .
Intuitively, a formula φ is valid in a theory T , if for all executions and all matching models of the theory the formula is satisfied. Formally: It follows directly from their definitions that (finitary) TSL satisfiability and (finitary) TSL validity are dual. Thus, we focus on TSL satisfiability in the remainder of this paper as the results can easily be extended to TSL validity.
Theorem 1 (Duality of TSL Satisfiability and Validity). Let φ be a TSL formula over Σ F , Σ P , and C and let T = (Σ F , Σ P , A) be a theory. Then, φ is (finitary) satisfiable in T if, and only if, ¬φ is not (finitary) valid in T .

TSL modulo T U Satisfiability Checking
In this section, we investigate the satisfiability of TSL modulo the theory of uninterpreted functions T U . Since T U has no axioms, there are no restrictions on how a model for T U evaluates the function and predicate symbols. The only condition is that the evaluated symbols are indeed functions. Therefore, we have (ς, V, ⟨·⟩) ∈ Models(T U ) for all executions. Thus, finding some execution satisfying a TSL formula φ is sufficient for showing that φ is satisfied in T U : In the following, we introduce an (incomplete) algorithm for checking the satisfiability of a TSL formula φ in the theory of uninterpreted functions. By Lemma 1, it suffices to find an execution satisfying φ to prove its satisfiability in T U . To search for such an execution, we introduce Büchi stream automata (BSAs), a new kind of ω-automata that reads executions and allows for dealing with predicates and updates. BSAs are, similar to the connection between LTL and Büchi automata, an automaton representation for TSL. Then, we present the algorithm for checking satisfiability in T U based on BSAs.

Büchi Stream Automata
Intuitively, a Büchi stream automaton (BSA) is an ω-automaton with Büchi acceptance condition that reads infinite executions instead of infinite words. Furthermore, it is able to deal with predicates and updates occurring in TSL formulas. To do so, the transitions of a BSA are labeled with guards and update terms. Intuitively, the former define which predicates need to hold when taking the transition. The latter define how the corresponding cells are updated when taking the transition. Formally, a BSA is defined as follows: Definition 3 (Büchi Stream Automaton). Let Σ F , Σ P be sets of function and predicate symbols, respectively, and let C be a finite set of cells is a finite set of function terms over Σ F , Σ P , and C, called update terms, and Note that by requiring the update terms U to be a finite set of function terms, not all executions can be read by a BSA: Non-finitary executions contain updates with function terms that do not occur in the given TSL formula. Thus, they may require infinitely many update terms. Therefore, we introduce the fresh term symbol • ̸ ∈ C ∪ Σ F ∪ Σ P . If a transition in a BSA assigns • to a cell c ∈ C, then any function term can be assigned to c. This allows for reading non-finitary executions while maintaining finite representability of BSAs.
Example 2. Consider the three BSAs depicted in Figure 1. If B 1 is in state q 0 and p(x) holds, then cell x is updated with f (x) and B 1 chooses nondeterministically to either stay in q 0 or to move to the accepting state q 1 . In contrast, B 2 is deterministic. Yet, it is incomplete: In both q 0 and q 1 , no guard is satisfied if ¬p(x) holds. Hence, B 2 gets stuck, preventing satisfaction of the Büchi winning condition for any execution containing ¬p(x). The BSA B 3 makes use of the fresh term symbol •: If p(x) holds, any function term can be assigned to x.
and only if, the first state of c is an initial state, i.e., π 1 (c 0 ) ∈ Q 0 , and both c t ∈ δ and π 4 (c t ) = π 1 (c t+1 ) hold for all points in time t ∈ N 0 . Intuitively, a run c is an infinite sequence of tuples (q, g, u, q ′ ) encoding transitions in the BSA: q is the q0 q1 source state, q ′ is the target state, g determines which predicate terms hold, and u defines which updates are performed when taking the transition. A run c is called accepting if it contains infinitely many accepting states, i.e., for all points Figure 1a. It is accepting as it visits q 1 infinitely often.
The characteristics of a BSA are its predicates and updates. Thus, it is not sufficient to solely consider accepting runs since the constraints produced by the predicates might be inconsistent. Therefore, we define the execution of a BSA that only permits consistent accepting runs. Intuitively, given a run c of a BSA B, an execution of c consists of a computation ς ∈ C ω , a domain V, and an assignment ⟨·⟩ such that the updates in ς match the updates in c and such that the recursive evaluation of a predicate term using ⟨·⟩ matches its truth value in ς. To capture the constraints accumulated in ς as well as their truth values, we define the constraint trace ϱ : (τ p × B) ω of ς and c: Formally, ϱ for ς and c is defined by ϱ t := ∅ if t = 0, and ϱ t := ϱ t−1 ∪{(η(ς, t−1, τ p ), π 2 (c t−1 )(τ p )) | τ p ∈ G} if t > 0. As an example, reconsider the computation ς from Example 1 and the run c of BSA B 1 from Example 3. The constraint trace of ς and c is given and (τ p , false) occur in t∈N0 ϱ t . ϱ from the example above is consistent. Using constraint traces, we now formally define the execution of a BSA: Definition 4 (Execution of a BSA). Let Σ F and Σ P be sets of function and predicate symbols, respectively, and let C be a finite set of cells. Let B be a BSA over Σ F , Σ P , and C and let c be a run of B. Let ς ∈ C ω be an infinite computation and let ⟨·⟩ : C ∪ Σ F → V ∪ F be an assignment function. Let ϱ be the constraint trace of ς and c. We call (ς, V, ⟨·⟩) execution for c if (1) for all points in time t ∈ N 0 and all cells c ∈ C, we have either π 3 (c t )(c) = ς t (c) or π 3 (c t )(c) = •, and (2) for all (τ p , b) ∈ t∈N0 ϱ t , we have χ ⟨·⟩ (τ p ) = b.
Note that the second requirement can only be fulfilled if the constraint trace is consistent. Consider the computation ς and the assignment function ⟨·⟩ from Example 1, the run c of B 1 from Example 3, and the constraint trace ϱ of ς and c given above. Then, (ς, N, ⟨·⟩) is an execution for c: Since in both ς and c, cell x is always updated with f (x), the updates in ς and c coincide at every point in time. Furthermore, by construction of ⟨·⟩, the constraints of ϱ match the truth values obtained by recursively evaluating ⟨·⟩ for all predicate terms.
We  Figure 1, are finitary while B 3 is not. Since B 1 is finitary, consider the prefix c p = (q 0 , g 1 , u, q 1 )(q 1 , g 2 , u, q 0 ) of the run c of B 1 presented in Example 3. Its execution effect is given by effect( An LTL formula φ can be translated into a nondeterministic Büchi automaton (NBA) A φ with L(φ) = L(A φ ) [38]. An analogous relation exists between TSL formulas and BSAs: A TSL formula φ can be translated into an equivalent BSA B φ : First, we approximate φ by an LTL formula φ LTL , similarly to the approximation described in [15]. The main idea of the approximation is to represent every function and predicate term as well as every update occurring in φ LTL by an atomic proposition and to add conjuncts that ensure that exactly one update is performed for every cell in every time step. Second, we build an equivalent NBA A φLTL from φ LTL . Third, we construct a BSA B φ from A φLTL by, intuitively, translating the atomic propositions back into predicate terms and updates and by dividing them into guards and update terms, while maintaining the structure of the NBA A φLTL . The full construction of an equivalent BSA B φ from a TSL formula φ is given in the full version [14].

An Algorithm for TSL modulo T U Satisfiability Checking
Utilizing BSAs, we present an algorithm for checking the satisfiability of a TSL formula in the theory of uninterpreted functions T U in the following. First, recall that finitary computations only perform self-updates or updates that occur in the given TSL formula. Since there are only finitely many cells, the behavior of finitary computations is thus restricted to a finite set of possibilities in each step. Hence, reasoning with finitary computations is easier than reasoning with non-finitary ones. In the algorithm, we make use of the fact that satisfiability can be reduced to finitary satisfiability in the theory of uninterpreted functions, enabling us to focus on finitary computations. The main idea of the reduction is to introduce a new cell for each cell of a given TSL formula. The new cells then capture the values that are constructed by the non-finitary parts of a computation. The proof is given in the full version [14].
Lemma 2. Let φ be a TSL formula. Then, there is a TSL formula φ fin such that φ is satisfiable in T U if, and only if, φ ∧ φ fin is finitary satisfiable in T U .
Algorithm 1 shows the algorithm for checking TSL modulo T U satisfiability. It directly works on Büchi stream automata. First, an equivalent BSA B is generated for the input formula φ. Then, in parallel, SatSearch tries to prove that φ is satisfiable in T U while UnsatSearch tries to prove unsatisfiability of φ.
SatSearch enumerates all lasso-shaped accepting runs pref.rec ω of B, i.e., accepting runs consisting of a finite prefix pref and a finite recurring part rec that is repeated infinitely often. Both pref and rec need to end in the same state of B. Then, the execution effects of pref and pref.rec are computed. SatSearch checks if it is possible to satisfy all predicate constraints induced by pref.rec under the condition that, for each cell, pref and pref.rec construct equal function terms. For this, it utilizes an SMT solver to check the satisfiability of a quantifier-free first-order logic formula, encoding the consistency requirement, in the theory of equality. If the check succeeds, adding rec to pref des not create an inconsistency and hence repeating rec infinitely often is consistent. Therefore, there exists an execution for pref.rec ω and thus φ is finitary satisfiable in T U by Lemma 1.
UnsatSearch computes the execution effect of finite subwords of runs of B and checks whether they are consistent. If a subword is inconsistent, then every run that contains this subword is inconsistent. Hence, there do not exist executions for these runs and therefore they are removed from the set of candidate runs. If there is no accepting candidate run left, then B has an empty symbolic language and thus, by Theorem 2, φ is unsatisfiable in T U .
If we execute Algorithm 1 on φ 2 , UnsatSearch checks at some point wether in B 2 the transition sequence q 0 → q 1 followed by the upper self-loop is consistent. This is not the case as it requires p(f (x)) to be true (first transition) and false (second transition): We have ϱ 1 = {(p(x), true), (p(f (x)), false)} and ϱ 2 = ϱ 1 ∪ {(p(f (x)), true), (p(f (f (x))), true)} by definition of the constraint trace. UnsatSearch also checks the transition sequence q 0 → q 1 followed by the lower self-loop which is also inconsistent. Hence, there is no consistent transition after q 0 → q 1 and thus there is no valid accepting run. Hence, φ 2 is unsatisfiable.
Note that the presentation of Algorithm 1 omits implementation details such as the enumeration of accepting loops and the implementation of the infinite set R. A more detailed description addressing these issues is given in [14].
Algorithm 1 is correct. Intuitively, it terminates with SAT if the constraint trace ϱ of the unique computation ς of pref.rec ω is consistent. Hence, ϱ defines an assignment ⟨·⟩ such that (ς, V, ⟨·⟩) is an execution of pref.rec ω , implying satisfiability of φ in T U . If the algorithm terminates with UNSAT, then all accepting runs of the BSA are inconsistent and thus no finitary execution satisfying φ exists. For the proof, we refer the reader to the full version [14].

Undecidability of TSL modulo T U Satisfiability
The algorithm for TSL satisfiability checking in T U presented in the previous section does not necessarily terminate. In this section, we show that no complete algorithm exists: The satisfiability of a TSL formula in the theory of uninterpreted functions T U (TSL-T U -SAT) is neither semi-decidable nor co-semi-decidable: Theorem 4 (Undecidability of TSL-T U -SAT). The satisfiability (validity) problem of TSL in T U is neither semi-decidable nor co-semi-decidable.
The main intuition behind the undecidability result is that we can encode numbers with TSL in the theory of uninterpreted functions. That is, we are able to encode incrementation, resetting some variable to zero, and equality. We only give the encoding here, for the proof of its correctness we refer to [14].
Lemma 3. Let f be a unary function, let = be a binary predicate, and let z be a constant. Let f x (z) correspond to applying f x-times to z. There exists a TSL formula φ num such that every execution entailing φ num requires from its models that for all a, b ∈ N 0 , a = b holds if, and only if, f a (z) = f b (z) holds.
Using this encoding in TSL modulo T U , we can construct a TSL formula φ G for every Goto-program G such that φ G ∧ φ num is satisfiable in T U if, and only if, G terminates on every input. Intuitively, φ G "simulates" G on different inputs by starting with input zero and incrementing the input if the halting location was reached. The temporal operators of TSL allow for requiring that G terminates infinitely often. The construction of φ G is given in the full version [14]. Since the universal halting problem for Goto programs is neither semi-decidable nor co-semi-decidable, the same undecidability result follows for the satisfiability of a TSL formula modulo T U , proving Theorem 4.
Since the theory of Presburger arithmetic T N allows for incrementation, resetting a variable to zero, and equality, we can reuse the TSL formula φ G from above to reduce the universal halting problem for Goto programs to TSL satisfiability modulo T N (TSL-T N -SAT), proving undecidability of TSL-T N -SAT. Note that this result holds for other theories that can express incrementation, reset, and equality, for instance Peano Arithmetic, as well.
Theorem 5 (Undecidability of TSL-T N -SAT). The satisfiability (validity) problem of TSL in T N is neither semi-decidable nor co-semi-decidable.
Furthermore, equality allows for encoding incrementation and resetting a variable to zero. Hence, similarly to T U , there exists a TSL formula φ enc that, if entailed, enforces a binary function and a constant to behave as incrementation and a reset, respectively. The construction of φ enc is given in the full version [14]. Thus, the TSL formula φ G constructed as above for a Goto program G ensures that φ G ∧ φ enc is satisfiable in the theory of equality T E if, and only if, G terminates on every input. Hence, undecidability of TSL-T E -SAT follows: Theorem 6 (Undecidability of TSL-T E -SAT). The satisfiability (validity) problem of TSL in T E is neither semi-decidable nor co-semi-decidable.

(Semi-)Decidable Fragments
In Section 5, we showed that TSL satisfiability is undecidable in T U . In this section, however, we identify fragments of TSL on which Algorithm 1 terminates for certain inputs. In fact, we present one fragment for which TSL-T U -SAT is decidable and two fragments for which TSL-T U -SAT is semi-decidable.
First, we consider the TSL reachability fragment, i.e., the fragment of TSL that only permits the next operator and the eventually operator as temporal operators. In our applications, this fragment corresponds to finding counterexamples to safety properties. For satisfiable reachability formulas, Algorithm 1 terminates. The main idea behind the termination is that the BSA of a reachability formula has an accepting lasso-shaped run and since φ is satisfiable, this run is consistent. For the proof, we refer to the full version [14].
Lemma 4. Let φ be a TSL formula in the reachability fragment. If φ is finitary satisfiable in T U , then Algorithm 1 terminates on φ.
Restricting the reachability fragment further, we consider TSL formulas with updates, predicates, logical operators, next operators, and at most one top-level eventually operator. Such formulas are either completely time-bounded or they are of the form φ = φ ′ , where φ ′ is time-bounded. In the dual validity problem, such formulas correspond to invariants on a fixed time window, a useful property for many applications. Algorithm 1 is guaranteed to terminate for satisfiable and unsatisfiable formulas of the above form if a suitable BSA is constructed. Such a suitable BSA has a single accepting state q indicating that the time-bounded part has been satisfied. Intuitively, a suitable BSA ensures that all runs reaching q are accepting and that only finitely many transition sequences lead to q. Then, if φ is unsatisfiable, Algorithm 1 is able to exclude all transition sequences leading to q and thus to terminate. A BSA with infinitely many transition sequences leading to q, in contrast, may cause the algorithm to diverge as it may consider infinitely many consistent subsequences before finding the inconsistent one yielding the exclusion of the sequences leading to q. A suitable BSA exists for every TSL formula in the considered fragment. For the proof, including a more detailed description of suitable BSAs, we refer to the full version [14].
Lemma 5. Let φ be a TSL formula with only logical operators, predicates, updates, next operators, and at most one top-level eventually operator. Algorithm 1 terminates on φ if it picks a suitable respective BSA.
Note that Algorithm 1 is only a formal decider for this fragment if we ensure that a suitable BSA is always generated. In practice, we experienced that this is usually the case even without posing restrictions on the BSA construction. Lastly, we consider a fragment of TSL that does not restrict the temporal structure of the formula but the number of used cells. For TSL formulas with a single cell, Algorithm 1 always terminates on satisfiable inputs: Lemma 6. Let φ be a TSL formula such that |C| = 1. If φ is finitary satisfiable in the theory of uninterpreted functions, then Algorithm 1 terminates on φ.
Intuitively, restricting the TSL formula to use only a single cell prevents us from simulating arbitrary computations and thus from reducing from the universal halting problem of Goto programs as in the general undecidability proof. The formal proof, given in the full version [14], however, is unrelated to the above intuition. Combining the three observations, we obtain the following (semi-)decidability results for the satisfiability of fragments of TSL modulo T U : Theorem 7. The satisfiability problem of TSL formulas in T U is (1) semidecidable for the reachability fragment of TSL, (2) decidable for formulas consisting of only logical operators, predicates, updates, next operators, and at most one top-level eventually operator, and (3) semi-decidable for formulas with one cell.

Evaluation
We implemented the algorithm for checking TSL modulo T U satisfiability 2 . We used TSL tools 3 to handle TSL, spot [11] to transform the approximated LTL formulas into NBAs, SyFCo [20] for LTL transformations, and z3 [31] to solve SMT queries. The implementation follows the extended algorithm described in [14]. Since in some cases the default optimizations of spot produce a large overhead in computation time, we first execute it with these and if this does not terminate within 20s, we execute it without optimizations. We evaluated the implementation on three benchmark classes and a machine with an AMD Ryzen 7 processor, using a virtual machine with two logical cores and 6 GB of RAM.
Scalability Benchmark Series. We test the scalability of the algorithm with parameterized decidable benchmarks. The timeout is one minute. Note that spot can always perform its optimizations. The satisfiable benchmarks are defined by ) . The parameter n corresponds to the number of updates that have to be performed to find a satisfiable lasso. By Lemma 6, the algorithm always terminates. The TSL formula φ unsat (n) := ( (q(x) ↔ ¬q(f n (x)))) ∧ ( x ↢ f (x) ) ∧ (q(x) ∧ n q(x)) defines the unsatisfiable benchmarks. The parameter n corresponds to the "distance" in time and number of updates of the conflict causing unsatisfiability. The algorithm always terminates. The results are shown in Figure 2. The algorithm scales particularly well for the satisfiable formulas. However, the experiments indicate an exponential complexity of the algorithm for the unsatisfiable formulas.
Random Benchmark Series. We implemented a random TSL formula generator that uses spot's ltlrand to generate random LTL formulas and then substitutes the atomic propositions with random updates and predicates. The generated TSL formulas have one to three cells, one to three different updates and one to three different predicates. For the LTL formulas generated by ltlrand we use tree sizes from 5 to 95 in steps of five. For each of the tree sizes, we generate 30 formulas; 570 in total. The execution times are shown in Figure 3. On many formulas, the algorithm terminates within one second. The implementation returns SAT for 513 of the 570 formulas. It times out after 30s on 29 formulas. However, the timeouts already occur in the automaton construction, both with and without spot's optimizations. Only 28 formulas are unsatisfiable. For 25 of these unsatisfiable formulas, the intermediate LTL approximation formula is already unsatisfiable, i.e., only for three formulas there is some conflict due to updates and predicate evaluation. Applications Benchmark Series. These benchmarks correspond to checking consistency of a specification and validating assumptions of a system. Hence, they illustrate how satisfiability results can aid the system design. The results are presented in Table 1. We introduce two of the benchmarks in more detail here. The other, slightly larger, ones, including different kinds of arbiters, a scheduler, and modules of the Syntroids [17] arcade game, are described in [14].
The Chain benchmark considers a compound system of two chained modules m 1 and m 2 that receive an input value, store it, and forward it to the next system: To simulate the input of the first module, we use an update with an uninterpreted function: . We require that if some property p holds on m 1 's input, p also needs to hold hold on m 2 's output: φ spec := (p(in 1 ) → p(in 3 )). Our algorithm determines within 8s that (φ inp ∧ φ 1 ∧ φ 2 ) ∧ ¬φ spec is satisfiable, detecting an inconsistency: If m 1 stores some value on which p holds, it may overwrite it before m 2 copies it, preventing the value to reach m 2 's output.
The Filter benchmark studies a system that "passes through" an input value to a cell if it fulfills a certain property p and holds the previous value otherwise: , where d is a constant representing an initial default value. The default value fulfills p, i.e., φ fact := p(d ()). As for the chain, φ inp := in ↢ f (in) simulates the input. The filter is valid if p holds on all outputs after the initialization: φ spec := p(out). Within 400ms, the algorithm confirms that (φ inp ∧ φ fact ∧ φ filter ) ∧ ¬φ spec is unsatisfiable, validating the filter.

Related Work
Linear-time temporal logic (LTL) [32] is one of the most popular specification languages for reactive systems. It is based on an underlying assertion logic, such as propositional logic, which is extended with temporal modalities. Satisfiability of propositional LTL has long known to be decidable [37] and there are efficient tools for LTL satisfiability checking [36,25].
While propositional LTL is very common, especially in hardware verification, LTL with richer assertion logics, such as first-order logic and various theories, have long been used in verification (cf. [28]). Temporal Stream Logic (TSL) [15] was introduced as a new temporal logic for reactive synthesis. In the original TSL semantics, all functions and predicates are uninterpreted. TSL synthesis is undecidable in general, even without inputs or equality, but can be underapproximated by the decidable LTL synthesis problem [15]. TSL has been used to specify and synthesize an arcade game realized on an FPGA [17].
Constraint LTL (CLTL) [6] extends LTL with the possibility of expressing constraints between variables at bounded distance. A constraint system D consists of a concrete domain and an interpretation of relations on the domain. In Constraint LTL over D (CLTL(D)), one can relate variables with relations defined in D. Similar to updates in TSL, CLTL can specify assignment-like statements by utilizing the equality relation. Like for all constraints allowing for a counting mechanism, LTL with Presburger constraints, i.e., CLTL(Z, =, +), is undecidable [6]. However, there exist decidable fragments such as LTL with finite constraint systems [4] and LTL with integer periodicity constraints [5]. Permitting constraints between variables at an unbounded distance leads to undecidability even for constraint systems that only allow equality checks on natural numbers. Restricting such systems to a finite number of constraints yields decidability again [9]. In TSL modulo theories, a theory is given from which a model can be chosen. In CLTL, in contrast, the concrete model is fixed. Therefore, TSL modulo theories cannot be encoded into CLTL in general.
LTL has been extended with the freeze operator [8,7], allowing for storing an input in a register. Then, the stored value can be compared with a current value for equality. Freeze LTL with two registers is undecidable [26,10] . For flat formulas, i.e., formulas where the possible occurrences of the freeze operator are restricted, decidability is regained [10]. Similar to the freeze operator, updates in TSL allow for storing values in cells and in TSL modulo the theory of equality the equality check can be performed. In TSL, we can perform computations on the stored values which is not possible in freeze LTL. Hence, freeze LTL can be seen as a special case of TSL. Constraint LTL has been augmented with the freeze operator as well [10]. For an infinite domain equipped with the equality relation, it is undecidable. For flat formulas, decidability is regained [10].
The temporal logic of actions (TLA) [24] is designed to model computer systems. States are assignments of values to variables and actions relate states. Actions can, similar to updates in TSL, describe assignments of variables. A TLA formula may contain state functions and predicates. Actions and state functions are combined with the temporal operators and . In contrast to TSL, and U are not permitted. The validity problem for the propositional fragment of TLA, i.e., with uninterpreted functions and predicates, is PSPACE complete [35].
Similar to temporal logics, dynamic logic [33,19] is an extension of modal logic to reason about computer programs. Dynamic logic allows for stating that after action a, it is necessarily the case that p holds, or it is possible that p holds. Compound actions can be build up from smaller actions. In propositional dynamic logic (PDL) [16], data is omitted, i.e., its terms are actions and propositions. PDL satisfiability is decidable in EXPTIME [34]. First-order dynamic logic (FODL) [18] allows for including data: First-order quantification over a first-order structure, the so-called domain of computation, is allowed. Dynamic logic does not contain temporal operators such as or . Since we consider reactive systems, i.e., systems that continually interact with their environment, temporal logics are better suited than dynamic logics for our setting.
Symbolic automata (see e.g. [2,3]) and register automata [21] are extensions of finite automata that are capable of handling large or infinite alphabets. Register automata have additionally been considered over infinite words in some works (see e.g. [8,22,12]). Similar to BSAs, transitions of symbolic automata are labeled with predicates over a domain of alphabet symbols. Register automata are equipped with a finite amount of registers that, similar to cells in BSAs, can store input values. Symbolic register automata (SRAs) [1] combine the features of both automata models. BSAs have the additional ability to modify the stored values and thus to perform actual computations on them. Moreover, they read infinite instead of finite words. Thus, SRAs can be seen as a special case of BSAs.
More recently, the verification of uninterpreted programs has been investigated [29]. Uninterpreted programs are similar to While-programs with equality and uninterpreted functions and predicates. They are annotated with assumptions. The verification of uninterpreted programs is undecidable in general; for the subclass of coherent uninterpreted programs, however, it is decidable [29]. The verification problem has been extended with theories, i.e., with axioms over the functions and predicates [30]. Adding axioms to coherent uninterpreted programs preserves decidability for some axioms, e.g., idempotence, while it yields undecidability for others, e.g., associativity. The synthesis problem for uninterpreted programs is undecidable in general, but decidable for coherent ones [23].

Conclusion
We have extended Temporal Stream Logic (TSL) with first-order theories and formalized the satisfiability and validity of a TSL formula in a theory. While we show that TSL satisfiability is neither semi-decidable nor co-semi-decidable in the theory of uninterpreted functions T U , the theory of equality T E , and Presburger arithmetic T N , we identify three fragments for which satisfiability in T U is (semi-)decidable: For reachability formulas as well as for formulas with a single cell, TSL satisfiability in T U is semi-decidable. For slightly more restricted reachability formulas, it is decidable. Moreover, we have presented an algorithm for checking the satisfiability of a TSL formula in the theory of uninterpreted functions that is based on Büchi stream automata, an automaton representation of TSL formulas introduced in this paper. Satisfiability checking has various applications in the specification and analysis of reactive systems such as identifying inconsistent requirements during the design process. We have implemented the algorithm and evaluated it on three different benchmark series, including consistency checks and assumption validations: The algorithm terminates on many randomly generated formulas within one second and scales particularly well for satisfiable formulas. Moreover, it is able to prove or disprove consistency of realistic benchmarks and to validate or invalidate their assumptions.