Abstract. We study complexity issues related to the model-checking problem for LTL with registers (a.k.a. freeze LTL) over one-counter automata. We consider several classes of one-counter automata (mainly deterministic vs. nondeterministic) and several syntactic fragments (restriction on the number of registers and on the use of propositional variables for control locations). The logic has the ability to store a counter value and to test it later against the current counter value. By introducing a non-trivial abstraction on counter values, we show that model checking LTL with registers over deterministic one-counter automata is PSPACEcomplete with infinite accepting runs. By constrast, we prove that model checking LTL with registers over nondeterministic one-counter automata is Σ 1 1 -complete [resp. Σ 0 1 -complete] in the infinitary [resp. finitary] case even if only one register is used and with no propositional variable. This makes a difference with the facts that several verification problems for one-counter automata are known to be decidable with relatively low complexity, and that finitary satisfiability for LTL with a unique register is decidable. Our results pave the way for model-checking LTL with registers over other classes of operational models, such as reversal-bounded counter machines and deterministic pushdown systems.
Introduction
Logics for data words and trees. Data words are sequences in which each position is labelled by a letter from a finite alphabet and by another letter from an infinite alphabet (the datum). This fundamental and simple model captures the timed words accepted by timed automata [1] , and its extension to trees is useful to model XML documents with values, see e.g. [4, 15] . In order to really speak about data, known logical formalisms for data words/trees contain a mechanism that stores a value and tests it later against other values, see e.g. [5, 9] . This is a powerful feature shared by other memoryful temporal logics [18, 16] . However, the satisfiability problem for these logics becomes easily undecidable even when stored data can be tested only for equality. For instance, firstorder logic for data words restricted to three individual variables is undecidable [5] , whereas LTL with registers (also known as freeze LTL) restricted to a single register is undecidable over infinite data words [9] . By contrast, decidable fragments of the satisfiability problems have been found in [5, 10, 19] either by imposing syntactic restrictions (bound the number of registers, constrain the polarity of temporal formulae, etc.) or by considering subclasses of data words (finiteness for example). Similar phenomena occur with metric temporal logics and timed words [22, 23] . A key point for all these logical formalisms is the ability to store a value from an infinite alphabet, which is a feature also present in models of register automata, see e.g [7, 21, 25] . However, the storing mechanism has a long tradition (apart from its ubiquity in programming languages) since it appeared for instance in real-time logics [2] (the data are time values) and in so-called hybrid logics (the data are node addresses), see an early undecidability result with reference pointers in [13] . Meaningful restrictions for hybrid logics can also lead to decidable fragments, see e.g. [24] .
Our motivations. In this paper, our main motivation is to analyze the effects of adding a binding mechanism with registers to specify runs of operational models such as pushdown systems and counter automata. The registers are simple means to compare data values at different points of the execution. Indeed, runs can be naturally viewed as data words: for example, the finite alphabet is the set of locations and the infinite alphabet is the set of data values (natural numbers, stacks, etc.). To do so, we enrich an ubiquitous logical formalism for model-checking techniques, namely linear-time temporal logic LTL, with registers. Even though this was the initial motivation to introduce LTL with registers in [10] , most decision problems considered in [10, 19, 9] are essentially oriented towards satisfiability. In this paper, we focus on the following type of model-checking problem: given a set of runs generated by an operational model, more precisely by a one-counter automaton, and a formula from LTL with registers, is there a run satisfying the given formula? In our context, it will become clear that the extension with two counters is undecidable. It is not difficult to show that this model-checking problem differs from those considered in [19, 10] and are of a different nature from those for hybrid logics investigated in [12, 27] . However, since two consecutive counter values in a run are ruled by the set of transitions, constraints on data that are helpful to get finetuned undecidability proofs for satisfiability problems in [10, 9] may not be allowed on runs. This is precisely what we want to understand in this work. Like in [6] , LTL with registers makes sense to specify and reason about configurations of operational models, precisely counter systems.
Our contribution. We study complexity issues related to the model-checking problem for LTL with registers over one-counter automata that are simple operational models but our undecidability results can be obviously lifted to pushdown systems when registers store the stack value. Moreover, in order to determine borderlines for decidability, we also present results for deterministic one-counter models that are less powerful but remain interesting when they are viewed as a means to specify an infinite path on which model checking is performed, see analogous issues in [20] .
We consider several classes of one-counter automata (deterministic and nondeterministic) and several fragments by restricting the use of registers or the use of letters from the finite alphabet. Moreover, we distinguish finite accepting runs from infinite ones as data words. Unlike several results from [22, 23, 9, 19] , the decidability status of the model checking does not depend on the fact that we consider finite data words instead of infinite ones. In this paper, we present the following results.
-Model checking LTL with registers over deterministic one-counter automata is PSPACE-complete (see Sect. 3.2). PSPACE-hardness is established by reducing QBF and it also holds when no letters from the finite alphabet are used in formulae. When the number of registers is bounded, the problem can be solved in polynomial time. In order to get these complexity upper bounds, we introduce an abstraction on counter values even though the counter values may not be bounded along the unique run of the deterministic automata. This makes a substantial difference with [20] in which no data values are considered, but still our problem amounts to model checking a path specified by a deterministic one-counter automaton. -Model checking LTL with registers over nondeterministic one-counter automata restricted to a unique register and without alphabet is Σ 1 1 -complete in the infinitary case by reducing the recurrence problem for Minsky machines (see Sect. 4). In the finitary case, the problem is shown Σ 0 1 -complete by reducing the halting problem for Minsky machines. These results are quite surprising since several verification problems for one-counter automata are known to be decidable with relatively low complexity [14, 26] . Moreover, finitary satisfiability for LTL with one register is decidable [9] even though with nonprimitive complexity.
Because of lack of space, omitted proofs can be found in [11] .
Preliminaries

One-counter automaton
Let us recall standard definitions and notations about our operational models. A onecounter automaton is a tuple A = Q, q I , δ, F where Q is a finite set of locations, q I ∈ Q is the initial location, F ⊆ Q is the set of accepting locations and δ ⊆ Q × L × Q is the transition relation over the instruction set L = {inc, dec, ifzero}. A counter valuation v is an element of N and a configuration of A is a pair in Q × N. The initial configuration is the pair q I , 0 . As usual, a one-counter automaton A induces a (possibly infinite) transition system Q × N, − → such that q, n − → q , n iff one of the conditions below holds true: (1) q, inc, q ∈ δ and n = n + 1, (2) q, dec, q ∈ δ and n = n − 1 (and n ∈ N), (3) q, ifzero, q ∈ δ and n = n = 0. A finite [resp. infinite] run ρ is a finite [resp. infinite] sequence ρ = q 0 , n 0 − → q 1 , n 1 − → · · · where q 0 , n 0 is the initial configuration. A finite run is accepting iff it ends with an accepting location. An infinite run ρ is accepting iff it contains an accepting location infinitely often (Büchi acceptance condition).
A one-counter automaton A is deterministic whenever it corresponds to a deterministic one-counter Minsky machine: for every location q, either A has a unique transition from q incrementing the counter, or A has exactly two transitions from q, one with instruction ifzero and the other one with instruction dec, or A has no transition from q (not present in original deterministic Minsky machines). In the transition system induced by any deterministic one-counter automaton, each configuration has at most one successor. One-counter automata in full generality are understood as nondeterministic one-counter automata.
LTL over data words
Formulae of the logic LTL ↓,Σ where Σ is a finite alphabet are defined as follows:
where a ∈ Σ and r ranges over N \ {0}. We write LTL ↓ to denote LTL with registers for some unspecified finite alphabet. An occurrence of ↑ r within the scope of some freeze quantifier ↓ r is bound by it; otherwise it is free. A sentence is a formula with no free occurrence of any ↑ r . Given a natural number n > 0, we write LTL ↓,Σ n to denote the restriction of LTL ↓,Σ to registers in {1, . . . , n}. Models of LTL ↓,Σ are data words. A data word σ over a finite alphabet Σ is a non-empty word in Σ <ω or Σ ω , together with an equivalence relation ∼ σ on word indices. We write |σ| for the length of the data word, σ(i) for its letters where 0 ≤ i < |σ|.
A register valuation v for a data word σ is a finite partial map from N \ {0} to the indices of σ. Whenever v(r) is undefined, the formula ↑ r is interpreted as false. The satisfaction relation |= is defined as follows (Boolean clauses are omitted). Given a one-counter automaton A = Q, q I , δ, F , finite [resp. infinite] accepting runs of A can be viewed as finite [resp. infinite] data words over the alphabet Q. Indeed, given a run ρ, the equivalence relation ∼ ρ is defined as follows: i ∼ ρ j iff the counter value at the ith position of ρ is equal to the counter value at the jth position of ρ. In order to ease the presentation, in the sequel we store in registers counter values, which is an equivalent way to proceed by slightly adapting the semantics for ↑ r and ↓ r , and the values stored in registers (data).
The finitary [resp. infinitary] (existential) model-checking problem over one-counter automata for LTL with registers, noted MC <ω [resp. MC ω ] is defined as follows: given a one-counter automaton A = Q, q I , δ, F and a sentence φ in LTL ↓,Q , is there a finite [resp. infinite] accepting run ρ of A such that ρ, 0 |= φ? If the answer is "yes", we write
In this existential version of model checking, this problem can be viewed as a variant of satisfiability in which satisfaction of a formula can be only witnessed within a specific class of data words, namely the accepting runs of the automata. Results for the universal version of model checking will follow easily from those for the existential version.
We write MC α n to denote the restriction of MC α to formulae with at most n registers. Very often, it makes sense that only counter values are known but not the current location of a configuration, which can be understood as an internal information about the system. We write PureMC α n to denote the restriction of MC α n (its "pure" version) to formulae with atomic formulae only of the form ↑ r .
Example 1.
Here are properties that can be stated in LTL ↓,Q 2 along a run.
-"There is a suffix such that all the counter values are different": FG(↓ 1 XG¬ ↑ 1 ).
-"Whenever location q is reached with current counter value n and next current counter value m, if there is a next occurrence of q, the two consecutive counter values are also n and m":
We show how to get rid of propositional variables by reducing the model-checking problem over one-counter automata to its pure version.
Lemma 2 (Purification). Given a one-counter automaton A and a sentence φ in LTL
↓,Q n , one can compute in logarithmic space in |A| + |φ| a one-counter automaton A P and
The idea of the proof is simply to identify locations with patterns about the changes of the unique counter that can be expressed in LTL ↓,∅ .
Proof. Let A = Q, q I , δ, F with Q = {q 1 , ..., q n } and φ in LTL ↓,Q . In order to define A P , we identify locations with patterns about the changes of the unique counter. For each location q i in Q we associate the new sequence of transitions described in Fig. 1 and
In the sequence of picks numbered from 0 to n + 1, the only pick of height 2 is one numbered i. In order to identify the beginning of the first pick of height 3 we introduce formulae in LTL ↓,∅ 1 : ϕ ¬ 3 7 expresses that "among the 7 next counter values (including the current counter value), there are no 3 equal values" and ϕ 0∼6 expresses that "the current counter value is equal to the counter value at the 6th next position". We write LOC to denote the formula ϕ ¬ 3 7 ∧ ϕ 0∼6 . By a simple case analysis, one can check that for k ≥ 0, in the run of A P , LOC holds true iff the current location is in Q. We pose
One can check that for k ≥ 0, in the run of A P LOC ∧ φ i holds true iff the current location is q i . φ P is equal to T(φ) with the map T that is homomorphic for Boolean operators and ↓ r , and its restriction to ↑ r is identity. The rest of the inductive definition is as follows.
e remark that φ and φ P have the same amount of registers unless φ has no register. 
Model checking deterministic one-counter automata
In this section, we show that MC ω restricted to deterministic one-counter automata is PSPACE-complete and the same restriction for MC <ω is in EXPSPACE. First, we show PSPACE-hardness.
Proposition 3. PureMC
<ω and PureMC ω restricted to deterministic one-counter automata are PSPACE-hard problems.
where p 1 ,...,p 2N are propositional variables and Ψ (p 1 , . . . , p 2N ) is a quantifier-free propositional formula built over p 1 , . . . , p 2N . The fixed deterministic one-counter automaton A below generates the sequence of counter values (01) ω .
Let ψ be the formula in LTL ↓,∅ defined from the family ψ 1 , . . . , ψ 2N +1 of formulae with ψ =↓ 2N +1 ψ 1 :
<ω , one can enforce the sequence of counter values from the accepting run to be (01) 2N 0 and then use X to define the ψ i s.
Observe that in the reduction, we use an unbounded number of registers (see Theorem 12) but a fixed deterministic one-counter automaton.
Properties on runs for deterministic automata
Any deterministic one-counter automaton A has at most one infinite run, possibly with an infinite amount of counter values. If this run is not accepting, i.e. no accepting location is repeated infinitely, then for no formula φ, we have A |= ω φ. We show below that we can decide in polynomial-time whether A has accepting runs either finite or infinite. Moreover, we shall show that the infinite unique run has some regularity.
Let ρ ω A be the unique run (if it exists) of the deterministic one-counter automaton A represented by the following sequence of configurations q 0 , n 0 q 1 , n 1 q 2 , n 2 . . .
Lemma 4.
Let A be a deterministic one-counter automaton with an infinite run. There are
Hence, the run ρ ω A can be encoded by its first K 1 +K 2 configurations. ρ ω A has a simple structure: it is composed of a polynomial-size prefix q 0 , n 0 · · · q K1−1 , n K1−1 followed by the polynomial-size loop q K1 , n K1 · · · q K1+K2−1 , n K1+K2−1 repeated infinitely often. The effect of applying the loop consists in adding K 3 to every counter value. Testing whether A has an infinite run or ρ ω A is accepting amounts to check whether there is an accepting location in the loop, which can be done in cubic time in |Q|. In the rest of this section, we assume that ρ ω A is accepting. Similarly, testing whether A has a finite accepting run amounts to check whether an accepting location occurs in the prefix or in the loop.
When K 3 = 0 and A has an infinite run, ρ ω A is precisely
It is then possible to apply a polynomial-space labelling algorithm à la CTL for model checking LTL ↓,Q formulae on A. However, one needs to take care of register valuations, which explains why unlike the polynomial-time algorithm for model checking ultimately periodic models on LTL formulae (see e.g., [20] ), model checking restricted to deterministic automata with K 3 = 0 is still PSPACE-hard.
A PSPACE symbolic model-checking algorithm
In this section, we provide decision procedures for solving MC <ω and MC ω restricted to deterministic one-counter automata. Let us introduce some notations. Let ρ ω A = q 0 , n 0 q 1 , n 1 q 2 , n 2 . . . be the unique run of the deterministic one-counter automaton A and φ be a sentence with N ≥ 1 registers. Let i ≥ 0 be a position in ρ ω A and m be a register value in N. We write pos A (i, m) to denote the following (possibly infinite) set of offsets: pos A (i, m) = {j ∈ N : m = n i+j }. The values m should be understood as register values when evaluation of subformulae is done at position i. In general, the set {pos A (i, m) ⊆ N : i, m ∈ N} can be infinite but if we restrict ourselves to m in {n 0 , . . . , n i } then it is not anymore the case. After all, this is a reasonable assumption when m is intended to be a value stored in a register. Before showing this property, we establish that whenever K 3 > 0, two positions with identical counter values are separated by a distance that is bounded by a polynomial in |Q|.
Lemma 6. {pos A (i, m) : i ∈ N, m ∈ {n 0 , . . . , n i }} is finite and its cardinality is polynomial in |Q|.
We write REGVALUES A to denote the above finite set with polynomial cardinality. Observe that even though the set of counter values occurring in ρ ω A may be infinite (exactly when K 3 > 0) we can represent symbolically each register value v(r) at a position i by a concise representation for pos A (i, v(r)). One consequence of the proof of Lemma 6 is that |REGVALUES A | is bounded by (
We define below the equivalence relation ≡ between positions of ρ ω A : i ≡ i iff q i = q i , and for all α, β ≥ 0, (n i+α = n i+β iff n i +α = n i +β ) and (q i+α = q i+β iff q i +α = q i +β ). Typically, i and i are equivalent whenever the path starting at position i is isomorphic to the path starting at position i . It is easy to see that ≡ has at most K 1 + K 2 equivalence classes since i ≡ K2 i and i, i ≥ K 1 imply i ≡ i (here ≡ K2 is the congruence relation). We extend ≡ to pairs composed of positions and register valuations. Given positions i, i ∈ N and register valuations v, v such that ran(v) ⊆ {n 0 , . . . , n i } and ran(v ) ⊆ {n 0 , . . . , n i }, i, v ≡ i , v iff (1) i ≡ i and (2) for all α ≥ 0 and registers r ∈ {1, . . . , N }, n i+α = v(r) iff n i +α = v (r). Again, ≡ is an equivalence relation. A pair i, v is called a context.
Condition (2) on the definition of ≡ is equivalent to: for every register r ∈ {1, . . . , N }, pos A (i, v(r)) = pos A (i , v (r)). Consequently, Lemma 7. There are polynomials P 1 and P 2 such that the number of equivalence classes for ≡ on contexts i, v is bounded by
is the number of registers).
The bound is exactly (
is the cardinal of REGVALUES A and K 1 + K 2 is the number of equivalent positions w.r.t. to ≡.
Lemma 8. If i, v ≡ i , v , then (I) for all
j > 0, i + j, v ≡ i + j, v and (II) for every formula ψ ∈ LTL ↓,Q N , ρ ω A , i |= v ψ iff ρ ω A , i |= v ψ.
Lemma 8(I) is by an easy verification (recurrence on j) whereas Lemma 8(II) is by structural induction on ψ.
Abstraction and complexity issues
We have seen that the equivalence relation ≡ on contexts has finite index. We present below a means to represent symbolically an equivalence class. In the case K 3 = 0, a symbolic context is a pair i, pos where i ∈ {0, . . . , K 1 +K 2 −1} and pos is a symbolic register valuation of the form {1, . . . , N } → {n 0 , . . . , n K1+K2−1 }. A context i, v is represented by the symbolic context i , pos where -i < K 1 implies i = i otherwise i is the unique element of {K 1 , . . . , K 1 +K 2 −1} such that i ≡ K2 i , -for r ∈ {1, . . . , N }, pos(r) = v(r). Observe that v(r) ∈ {n 0 , . . . , n K1+K2−1 } and pos(r) can be encoded with O(log(|Q|)) bits.
When K 3 > 0, the definition of a symbolic context is modified for the second component only since the set of counter values along the run is infinite. A symbolic context remains a pair i, pos but i ∈ {0, . . . , K 1 +K 2 −1} and pos is a symbolic register valuation of the form {1, . . . , N } → P({0, . . . , Each value pos(r) can be encoded with a polynomial amount of bits in |Q|. One can compute in polynomial time in |Q| the range of any symbolic register valuation (whether K 3 = 0 or not) thanks to Lemma 6. When we bound the number of registers, the number of symbolic contexts occurring in ρ ω A is polynomial in |Q| and they can be computed in polynomial time.
Given a context i, v , we write [ i, v ] to denote its corresponding symbolic context (w.r.t. A). Symbolic contexts correspond to the equivalence classes of ≡:
Let us define a map next that takes as argument a symbolic context i, pos and returns the symbolic context obtained at the next step. This is a well-defined function because taking two contexts that are ≡-equivalent, moving one step forward leads to two new contexts that are also ≡-equivalent (see Lemma 10 below). The map next is defined as follows : next( i, pos ) = i , pos where
Lemma 10. Let i, v be a context with ran(v)
Below, we solve the model-checking problem by following an automata-based approach [30] . We consider alternating word automata with Büchi acceptance condition on ω-words, see e.g. [29] : every infinite branch of accepting runs has an accepting state repeated infinitely often. Let φ be a formula in NNF built over disjunction ∨ and the release operator R (dual of U). Observe that X and ↓ r are self-dual. We build an alternating automaton A φ that can be viewed as the product between the run of A and the automaton for φ. The synchronization mode between these two components takes into account the presence of registers. When K 3 > 0 and A has an accepting run (which can be checked in PTIME), let A φ = Σ, S, s 0 , δ, F be defined as follows: The proof (by structural induction) is a variant of the one for LTL and uses Lemma 8 and 10. This will allow us to characterize precisely the complexity of model checking.
Theorem 12. MC
ω restricted to deterministic one-counter automata is PSPACE-complete and its restriction to n ≥ 1 registers is in PTIME.
Proof. A φ is an hesitant alternating word automata over a 1-letter alphabet with each set S j of the partition being a set of states with identical subformulae. By [17, Theorem 5.6], the nonemptiness problem for hesitant alternating word automata over a 1-letter alphabet can be solved in space O(m log 2 n) where n is the number of states and m is the number of elements in the partition of the set of states. In order to obtain the PSPACE upper bound, it is sufficient to check that the on-the-fly version of the algorithm given in the proof of [17, Theorem 5.6 ] can be performed (computation of the transition function on demand). This is possible partly because in A φ , m is linear in |φ|, n is exponential in |φ|, for each state s, δ(s, a) can be built in polynomial-time in |φ| and testing if a state is accepting can be done in linear time in |φ|. Moreover, each state in A φ can be encoded in polynomial space in |A| + |φ|.
When the number of registers is fixed, A φ has a polynomial number of states and since the nonemptiness problem for weak alternating word automata over a 1-letter alphabet can be solved in linear time [3] , we get the PTIME upper bound.
For the finitary case, we cannot invoke the result in [3] because the length of the word is a distinguishing factor.
Corollary 13. MC
<ω restricted to deterministic one-counter automata is in EXPSPACE.
The proof consists in designing an alternating word automata on ω-words with a two-letter alphabet on the lines of the previous construction. However, the second letter marks the end of the word so that all the branches detect the end of the word in a synchronous way. The recognized ω-words are among a * · b · a ω . Then, we invoke the quadratic space upper bound for the nonemptiness of alternating automata [28] , which provides the EXPSPACE upper bound since A φ is of exponential size in |φ| and A φ can be built in polynomial space in |φ|.
In order to illustrate the significance of the following results, it is worth recalling that the halting problem for Minsky machines with incrementing errors is reducible to finitary satisfiability for LTL with one register [9] . We show below that, if we have existential model checking of one-counter automata instead of satisfiability, then we can use one-counter automata to refine the reduction in [9] so that runs with incrementing errors are excluded. More precisely, in the reduction in [9] , we were not able to exclude incrementing errors because the logic is too weak to express that, for every decrement, the datum labelling it was seen before (remember that we have no past operators). Now, the one-counter automata are used to ensure that such faulty decrements cannot occur. 
where − → hides steps for updating the counter according to the constraints described below. During these steps, auxiliary locations are used and there are of two types: locations that increment or decrement the counter in order to reach an adequate data value (busyup t,t and busydown t,t where t, t are transitions) and intermediate locations to perform -transitions. The data values in the run of B are governed by the rules below:
(ii) after any configuration labelled by q, inc, c, q (incrementation of the counter c), there is no configuration labelled by some q 1 , inc, c , q 1 with the same counter value, (iii) after any configuration labelled by q, inc, c, q , there is at most one configuration labelled by some q 1 , dec, c, q 1 with the same counter value (there are more incrementations than decrementations), (iv) after any configuration labelled by q, inc, c, q , there is no configuration labelled by some q 1 , dec, c , q 1 with the same counter value and c = c , (v) after any configuration labelled by q, inc, c, q , there is no configuration labelled by q 1 , ifzero, c, q 1 followed by a configuration labelled by some q 1 , dec, c, q 1 with the same counter value as q, inc, c, q , (vi) after any configuration labelled by q, inc, c, q for which there is no subsequent configuration labelled by q 1 , dec, c, q 1 with the same counter value, there is also no q 2 , ifzero, c, q 2 , Now, let us define B. We shall partly encode in its control graph the satisfaction of these conditions. For instance, two successive incrementation transitions in A, leads to an incrementation in B since we enforce that the counter value is fresh in B iff its letter is some −, inc, −, − (incrementation instructions). When we write q − → q we mean q inc − → auxi q,q dec − → q for an auxiliary location auxi q,q .
-Q is equal to δ ({q I } ∪ {busydown t,t , busyup t,t : t, t ∈ δ}) plus some unspecified auxiliary locations, -F = { q, l, c, q ∈ δ : q ∈ F } ∪ ({q I } ∩ F ) and q I = q I , -The relation δ contains the following transitions:
• For q I , inc, c, q ∈ δ, add q I inc − → q I , inc, c, q to δ ;
• For t = q I , ifzero, c, q ∈ δ, add q I − → t to δ ; • For every transition t = q, inc, c, q ∈ δ, 1. if t = q , inc, c , q ∈ δ, then add t inc − → t to δ , 2. if t = q , ifzero, c , q ∈ δ with c = c or t = q , dec, c, q ∈ δ, then add t − → t to δ , 3. if t = q , dec, c , q ∈ δ with c = c, then add t − → busydown t,t , busydown t,t dec − → busydown t,t , and busydown t,t dec − → t to δ (decrement the counter until it reaches a value for a previous incrementation), • For every transition t = q, l, c, q ∈ δ with l ∈ {dec, ifzero},
busyup t,t , and busyup t,t inc − → t to δ (increment the counter until it reaches a new value), 2. if t = q , ifzero, c , q ∈ δ then add t − → t to δ , 3. if t = q , dec, c , q" ∈ δ, then add to δ the transitions from Figure 2 .
Observe that this is the only case for which we do not know whether the counter increases or not. In runs of B, we are only interested in positions with letters in δ. The control graph of B guarantees that the succession of transitions in A is valid assuming that we ignore the intermediate (auxiliary or busy) configurations The formula φ is the conjunction of the following requirements: (ii)-(vi) plus (i) some configuration in F is visited, (vii) after any configuration labelled by t = q, inc, c, q , there is no configuration labelled by some busyup t,t with the same counter value and such that the next configuration has the same label unless there is some configuration labelled by some q 1 , inc, c, q 1 in between,
(viii) after any configuration labelled by t = q, inc, c, q , there is no configuration labelled by some q 1 , dec, c, q 1 with a different counter value unless there is some configuration labelled by some q 2 , inc, c, q 2 in between,
It is easy to check that each condition in (i)-(viii) can be expressed in LTL
(some examples are indeed provided above). Now consider any run of B which satisfies (ii)-(viii). The key achievement of the definitions of B and φ is that, for every position in the run, the counter value is fresh iff either its letter is some q, inc, c, q or the letter is not in δ ∪ {q I }. For any counter c ∈ {1, 2}, we can define its value as the number of q, inc, c, q letters for which a latter letter The proof is similar to the proof of Theorem 14 except that instead of reducing the halting problem for Minsky machines, we reduce the recurrence problem for nondeterministic Minsky machines that is known to be Σ The above-mentioned undecidability holds true even if we restrict ourselves to onecounter automata for which there are no transitions with identical instructions going from the same location. A one-counter automaton A is weakly deterministic whenever for every location q, if q, l, q , q, l , q ∈ δ, we have l = l implies q = q . The transition systems induced by these automata are not necessarily deterministic. The proof uses the Purification Lemma and provides reductions from the modelchecking problems to their restrictions to weakly deterministic automata.
Conclusion
We have shown that model checking LTL ↓ over one-counter automata is undecidable, which contrasts with the decidability of many verification problems for one-counter automata [14, 26] . For instance, we have shown that model checking nondeterministic one-counter automata over LTL ↓ restricted to a unique register and without alphabet is already Σ 1 1 -complete in the infinitary case. On the decidability side, a suitable abstraction has been introduced to establish the PSPACE upper bound for model checking LTL ↓ over deterministic one-counter automata in the infinitary case. Viewing runs as data words is an idea that can be pushed further. For instance, the decidability status of model checking LTL ↓ over the class of reversal-bounded counter automata [8] remains open. Hence, our results pave the way for model checking LTL ↓ over other classes of operational models that are known to admit powerful techniques for solving verification tasks. Finally, among the specific problems left open by this paper, we wish to mention the complexity of model-checking deterministic one-counter automata with LTL ↓ in the finitary case (the complexity is however known in the infinitary case). Finitary nonemptiness problem for 1-letter hesitant alternating word automata also faces the difficulty to determine the end of the word (synchronization is needed), see e.g. [17] .
