First-order Temporal Logic on Finite Traces: Semantic Properties, Decidable Fragments, and Applications

Formalisms based on temporal logics interpreted over finite strict linear orders, known in the literature as finite traces, have been used for temporal specification in automated planning, process modelling, (runtime) verification and synthesis of programs, as well as in knowledge representation and reasoning. In this paper, we focus on first-order temporal logic on finite traces. We first investigate preservation of equivalences and satisfiability of formulas between finite and infinite traces, by providing a set of semantic and syntactic conditions to guarantee when the distinction between reasoning in the two cases can be blurred. Moreover, we show that the satisfiability problem on finite traces for several decidable fragments of first-order temporal logic is ExpSpace-complete, as in the infinite trace case, while it decreases to NExpTime when finite traces bounded in the number of instants are considered. This leads also to new complexity results for temporal description logics over finite traces. Finally, we investigate applications to planning and verification, in particular by establishing connections with the notions of insensitivity to infiniteness and safety from the literature.


INTRODUCTION
The study of formalisms based on propositional or first-order temporal logics on linear flows of time has found a wide spectrum of applications, ranging from verification of programs and model checking [22,72,76], to automated planning [20,21,23], process modelling [2,71], and knowledge representation.In the latter context, several decidable fragments of first-order temporal logic with the linear time operator until U, denoted T U QL , have been investigated [48,62,63].Temporal description logics (see [4,6,18,69,82] and references therein), obtained by suitably combining (linear) temporal logic operators with description logics (DLs) constructs, are well-known examples of such fragments.These logics usually lie within the two-variable monodic fragment of T U QL , denoted as T U QL 2  1 , obtained by restricting the language to formulas having at most two variables, and so that the temporal operators are applied only to subformulas with at most one free variable.For instance, by using the reflexive temporal operators + , meaning sometimes in the future, and + , meaning always in the future, the following formula ∀ Reviewer ( ) → + + ∀ Submission( ) ∧ reviews( , ) → + Evaluated ( ) is a T U QL 2 1 formula stating that every reviewer will reach a (present or future) moment after which all the submissions they review will be eventually evaluated.Other decidable languages considered in the literature are the monadic fragment T U QL and the one-variable fragment T U QL 1 , with formulas having, respectively, at most unary predicates and at most one variable.The complexity of the satisfiability problem ranges from E S -complete, for T U QL 2 1 , T U QL and T U QL 1 [48,62], down to NE T -or E T -complete, for temporal extensions of the DL ALC without temporalised roles and with restrictions on the application of temporal operators [17,69].Recent work on temporal extensions of lightweight DLs in the DL-Lite and EL families [7,60], used in conceptual data modelling and underlying prominent profiles of the OWL standard, shows that the complexity of reasoning can be even lowered down to NP or NL S .
A widely studied semantics for temporal logics is defined on structures based on the strict linear order of the natural numbers [47,56,76].However, linear temporal structures with only a finite number of time points, often called finite traces, have been investigated as well [40,47], receiving a renewed interest in the literature [43,45,46].The finiteness of the time dimension represents indeed a fairly natural restriction for several applications.In automated planning, or when modelling (business) processes with a declarative formalism, we consider finite action plans and terminating services, often within a given temporal bound [26,37,41,42].In runtime verification only the current finite behaviour of the system is taken into account, while infinite models are considered when checking whether a given requirement is satisfied in some/all infinite extensions of the finite trace [27,54].These needs from critical applications of temporal logics can be reflected by a semantics based on finite traces, with formulas having different satisfaction conditions compared to the infinite case.For instance, by using the formula last to refer to the last time point of a finite trace, we have that Formula (1) above is equivalent on finite traces to guarantee that two formulas equivalent on finite (respectively, infinite) traces are also equivalent on infinite (respectively, finite) traces.We also devise a semantic criterion and a syntactically defined class of formulas to guarantee preservation of satisfiability from finite to infinite traces.In Section 5, we study the complexity of reasoning over finite traces for the two-variable monodic fragment T U QL 2 1 , the monadic fragment T U QL and the one-variable fragment T U QL 1 , showing that the complexity remains E S -complete on finite traces, but lowers down to NE T if we restrict to traces with a bound (given in binary) on the number of instants.Moreover, we show that these fragments enjoy two kinds of bounded model properties: the bounded trace property, which limits the finite traces satisfying a formula to be at most double exponential in the size of the input formula, and the bounded domain property, which limits the number of domain elements in a -bounded trace (finite trace with at most instants) to be at most double exponential both in the size of the input formula and in the (binary representation) of .In the context of temporal DLs, we show that complexity results similar to the infinite trace case, as well as bounded model properties, also hold for the temporal DL T U ALC when interpreted on finite traces.We further show a more challenging result, i.e., that the complexity further reduces to E T if only global TBox T U ALC axioms together with a temporal ABox are interpreted on -bounded traces.Finally, in Section 6, we investigate connections with the planning and verification literature.Concerning the former scenario, we study in our setting the notion of insensitivity to infiniteness [42], a property applying to formulas that, once satisfiable on finite traces, remain satisfiable on infinite traces verifying an end event forever and falsifying all other atomic formulas.Concerning the verification aspect, we establish connections between the finite and infinite trace characterisations, as introduced in Section 4, and the notions of safety [22,80], as well as other related notions from the literature on runtime verification [27].Section 7 concludes the paper.

RELATED WORK
Finite traces [40,47,77] have regained momentum in formalisms for AI applications.Together with (propositional) linear temporal logic (LTL) [76], also the more expressive linear dynamic logic [61], alternating time logic [3], and mucalculus [24,65] have been investigated on semantics based on finite traces [28,29,51,55,68].To deal with uncertainty in dynamic systems, a probabilistic version of LTL over finite traces has been proposed as well [70], while a recent paper addresses problems in declarative process mining by introducing metric temporal logic on finite traces [50].Significant areas of applications for LTL on finite traces are indeed in the planning domain [23, 34, 37-39, 42, 49], in (declarative) business process modelling, as well as in runtime verification and monitoring [25,27,41,52,77].In addition, LTL on finite traces has found applications in the context of synthesis [35,36,44,52,53,83], multi-agent systems [57,58,64], temporal databases [78], and answer-set programming [31][32][33].The problem of establishing connections between finite and infinite traces semantics is also not new to the literature.Several approaches have been proposed to show when satisfiability of formulas is preserved from the finite to the infinite case, so to reuse on finite traces algorithms developed for the infinite case [26,42].In this work, we determine conditions that preserve satisfiability in the other direction as well, from infinite to finite traces, thus leaning towards research directions that aim at the application of efficient finite traces reasoners to the infinite case [46,67,79].
Given their connections with first-order temporal logic and their relevance to the present article, we separately discuss related work on temporal DLs.For a general overview, we refer to the already mentioned surveys [4,6,18,69,82].In the linear time case, a wide body of research has focused on temporal DLs with semantics based on the natural numbers [17,74,75] or the integers [7], possibly by extending the language with metric temporal operators as well [14,15,59].In applications, temporalised DLs have been considered in the context of runtime verification [13,19] and business process modelling [1,8].However, such proposals are based on the usual infinite trace semantics or are Manuscript submitted to ACM TOCL limited in expressivity.To the best of our knowledge, little has been done in order to combine finite traces and temporal DLs.Recent work in this direction can be found in [9,10].The complexity landscape of temporal DLs on finite traces semantics has been further enriched by preliminary results on temporal DL-Lite logics [11].These results, that match the corresponding ones on infinite traces semantics [7], are obtained by considering axioms interpreted either globally or locally, and by syntactically restricting the application of the temporal operators (allowing for U, or only for and ), or of the DL constructors (focussing on the so-called bool, horn, krom, and core fragments).

FIRST-ORDER TEMPORAL LOGICS
The first-order temporal language T U QL [48], that we present in the following, is obtained by extending the usual first-order language with the temporal operator until U interpreted over linear structures, called traces.

Syntax
The alphabet of T U QL consists of countably infinite and pairwise disjoint sets of predicates N P (with ar( ) ∈ N being the arity of ∈ N P ), constants (or individual names) N I , and variables Var; the logical operators ¬ (negation) and ∧ (conjunction); the existential quantifier ∃, and the temporal operator U (until).The formulas of T U QL are of the form: where ∈ N P , ¯ = ( 1 , . . ., ar( ) ) is a tuple of terms, i.e., constants or variables, and ∈ Var.Formulas without the until operator are called non-temporal.We write ( 1 , . . ., ) to indicate that the free variables of a formula are exactly 1 , . . ., .We write { / } for the result of uniformly substituting the free occurrences of in by .For ∈ N, the -variable fragment of T U QL , denoted by T U QL , consists of T U QL formulas with at most variables.
The (propositional) language LTL is T U QL 0 with formulas constructed without the existential quantifier.The monodic fragment of T U QL , denoted by T U QL 1 , consists of formulas such that all subformulas of the form U have at most one free variable.The monadic fragment T U QL is the fragment of T U QL with formulas not containing predicates of arity ≥ 2. Finally, the constant-free one-variable monadic fragment, T U QL 1, , is obtained from the one-variable monadic fragment by disallowing constants.

Semantics
A first-order temporal interpretation (or trace) is a pair = (Δ , (M ) ∈ ), where is a sub-order of (N, <) of the form [0, ∞) or [0, ], with ∈ N, and each M is a classical first-order interpretation with a non empty domain Δ (or simply Δ): we have M ⊆ Δ ar( ) , for each ∈ N P , and M = M ∈ Δ for all ∈ N I and , ∈ N, i.e., constants are rigid designators (with fixed interpretation, denoted simply by M ).The stipulation that all time points share the same domain Δ is called the constant domain assumption (meaning that objects are not created or destroyed over time), and it is the most general choice in the sense that increasing, decreasing, and varying domains can all be reduced to it [48].
An assignment in (or simply an assignment, when is clear from the context) is a function from Var to Δ, and the value of a term in under is defined as: ( ) = ( ), if = , and ( ) = M , if = ∈ N I .Given a tuple of terms ¯ = ( 1 , . . ., ), we set ( ¯ ) = ( ( 1 ), . . ., ( )).Given a formula , the satisfaction of in at time point by modifying so that maps to .
In the following, we call finite trace a trace with = [0, ], often denoted by = (Δ , (F ) ∈[0, ] ), while infinite traces, based on = [0, ∞), will be denoted by ℑ = (Δ ℑ , (I ) ∈[0,∞) ).We say that a T U QL formula is satisfiable on infinite, finite, or -bounded traces, respectively, if it is satisfied in a trace in the class of infinite, finite, or finite traces with at most ∈ N, > 0 (given in binary) time points, respectively.Moreover, given T U QL formulas and , we write |= (respectively, |= ) iff logically implies on infinite (resp., finite) traces.Similarly, we write ≡ if and are equivalent on infinite traces, and ≡ if they are equivalent on finite traces.
In addition to the standard conventions on parenthesis and Boolean equivalences, we will use the following abbreviations for formulas: Manuscript submitted to ACM TOCL and ′ = [0, ( + ′ ) + 1], if = [0, ′ ]; and for ∈ N P , ∈ ′ : We define the set of extensions of a finite trace as the set of infinite traces Ext( Instead, given a trace , the set of prefixes of is the set Pre( ) = { | = • ′ , for some trace ′ }.Moreover, we call the frozen extension of = (Δ, (F ) ∈[0, ] ), denoted by , the concatenation of with the infinite trace That is, is the infinite trace obtained from by repeating its last time point infinitely often [26].

FINITE VS. INFINITE TRACES
In this section, we compare finite and infinite traces semantics.First, in Section 4.1, we lift to the first-order temporal logic setting a well-known reduction of propositional linear temporal logic formula satisfiability from finite traces to infinite ones.Then, in Section 4.2, we establish model-theoretic conditions under which it is guaranteed that formulas equivalent on finite (respectively, infinite) traces are also equivalent on infinite (respectively, finite) traces.In addition, we syntactically define classes of formulas that are shown to satisfy such model-theoretic conditions, and for which the corresponding results on preservation of formula equivalences are thus inherited.We finally restrict ourselves to the problem of preserving satisfiability of a formula, from finite to infinite traces.For this case as well, we define a class of formulas for which it holds that satisfiability on finite traces implies satisfiability on infinite traces.

Reduction to Satisfiability on Infinite Traces
In the following, we show how to reduce the formula satisfiability problem on finite traces to the same problem on infinite traces.Similar to the encoding proposed in [43] for (propositional) LTL, to capture the finiteness of the temporal dimension, we introduce a fresh unary predicate , standing for the end of time, with the following properties: ( ) there is at least one instant before the end of time; ( ) the end of time comes for all objects; ( ) the end of time comes at the same time for every object; ( ) the end of time is permanent.We axiomatise these properties as follows: We now characterise models satisfying the end of time formula be, respectively, a finite and an infinite trace with the same domain Δ and such that F = I , for all ∈ N I .We denote by • ℑ the end extension of with ℑ, defined as the concatenation of with ℑ such that: Clearly, end extensions characterise the satisfiability of .We formalise this in the next lemma.Manuscript submitted to ACM TOCL P . is satisfied in ℑ iff there is > 0 such that, for all ∈ Δ, it holds that: ∉ I , for all ∈ [0, ); and ∈ I , for all ∈ [ , ∞).That is, ℑ = • ℑ ′ , for some finite trace and some infinite trace ℑ ′ .
We now introduce a translation • † for T U QL formulas, used together with the end of time formula, , to capture satisfiability on finite traces.More formally, a T U QL formula is satisfiable on finite traces if and only if its translation † is satisfied in an infinite trace that also satisfies the formula .The translation • † is defined as: Before showing the correctness of the translation, the following lemma shows the relevance of end extensions when interpreting translated formulas.L 4.2.Let • ℑ be an end extension of a finite trace .For every T U QL formula and every assignment , ) be a finite trace and let ) be an end extension of .We prove by structural induction the following more general statement.For all ∈ [0, ] and all assignments : For the base case = ( ¯ ), the statement follows from the definitions of • ℑ and • † , while the proof of the inductive cases = ¬ , = ( ∧ ), and = ∃ is straightforward.
Using the previous lemmas, we can show the correctness of the reduction of the T U QL satisfiability problem on finite traces to the same problem for T U QL on infinite traces.T 4.3.A T U QL formula is satisfiable on finite traces iff † ∧ is satisfiable on infinite traces.

Blurring the Distinction Between Finite and Infinite Traces
While certain formulas, such as ⊤, are satisfiable both on finite and infinite traces, others, e.g., last and + ⊤, are only satisfiable on finite traces and on infinite traces, respectively.It is thus of interest to understand in which cases satisfiability on finite and infinite traces coincide, so that solving the problem in one case answers to the other as well.A similar question can be posed for the problem of equivalences between formulas.For example, ( ∨ ) and ∨ are equivalent on finite traces but not on infinite traces [26].Moreover, + + and + + are not equivalent on infinite traces, whereas on finite traces they are both equivalent to + (last ∧ ) [43].Conversely, ⊥ and last are only equivalent on infinite traces.
In this section we address these questions and investigate the distinction between reasoning on finite and on infinite traces.We first propose semantic properties under which it is guaranteed that formula equivalences are preserved from finite to infinite traces, or vice versa, thus allowing to blur the distinction between these semantics.Then, we syntactically define classes of formulas satisfying some of these semantic properties, so to provide a sufficient criterion for the preservation of equivalences from finite to infinite traces, or vice versa.Finally, we focus on preserving satisfiability from the finite to the infinite case, devising a wider class of formulas for which this preservation holds.We also restrict to the "one directional" version of the above properties.We denote by F • and I • , where • ∈ {⇒ , ⇐}, the corresponding '⇒' and '⇐' directions of the F and I properties, respectively.Finally, given a property P, we denote by T U QL (P) the set of T U QL formulas satisfying P.
The semantic properties F and I capture different classes of T U QL formulas, as illustrated by the following example.
Example 4.4.The following formulas satisfy exactly one of the corresponding finite or infinite trace properties.
Indeed, by using the formulas from Example 4.4, we can prove the following.• T U QL (F ∃ ) , with ∈ {T U QL (F ∀ ), T U QL (I ∃ ), T U QL (I ∀ )}.It can be seen that the formula + last ∨ ( ) is F ∃ .However, Manuscript submitted to ACM TOCL -it is not F ∀ : (under any assignment) the formula is satisfied in a finite trace = (Δ, (F 0 )), with 0 as its only time point and such that F 0 = ∅, but an extension ℑ ∈ Ext( ) such that ℑ = (Δ, (I ) ∈[0,∞) ), with F 0 = I 0 and I = ∅, for every ∈ [0, ∞), does not satisfy it; it is not I ∃ : (under any assignment) an infinite trace ℑ = (Δ, (I ) ∈[0,∞) ) such that I = ∅, for every ∈ [0, ∞) does not satisfy the formula, whereas any (and thus some) prefix ∈ Pre(ℑ) satisfies it; it is not I ∀ : shown as in the previous case.
(3) T U QL (F ⇒∀ ) and T U QL (I ⇒∃ ), as well as T U QL (I ⇒∀ ) and T U QL (F ⇒∃ ), are incomparable with respect to inclusion.
We now consider the problem of formula equivalence, by showing under which semantic properties equivalence between formulas can be blurred.The following theorem provides sufficient conditions to preserve formula equivalence from the infinite to the finite case (cf. the notion of LTL compliance in [27]).
. Let be a finite trace and an assignment such that |= .By F ∃ , there is an infinite trace ℑ ∈ Ext( ) such that ℑ |= .Since ≡ , we have that ℑ |= .By F ∃ , |= .The converse direction can be obtained similarly, by swapping and .The proof for , ∈ T U QL (F ∀ ) is analogous.
As is I ⇒∀ , ℑ |= implies that, for all ′ ∈ Pre(ℑ), ′ |= .Thus, in particular, |= .The other direction can be obtained by swapping and .We now present sufficient conditions to preserve equivalences from the finite to the infinite case.We now show the statement for , ∈ T U QL (F ⇒∀ ) ∩ T U QL (I ⇒∃ ).Let ℑ be an infinite trace and be an for all ℑ ′ ∈ Ext( ): ℑ ′ |= .Therefore, we have also ℑ |= .The converse direction is obtained in a similar way by swapping and .
The properties F ∃ or F ∀ alone are not sufficient to ensure that formula equivalence on finite traces implies formula equivalence on infinite traces.To illustrate this, consider for example the formulas + last ∨ ( ), shown in Manuscript submitted to ACM TOCL Example 4.4, and + last ∨ ( ) ∨ , where Formula is from Section 5.3.These formulas are F ∃ , however, they are only equivalent on finite traces.Moreover, if we take ∀ + ( ), from Example 4.4, and ∀ + ( ) ∨ , we have that they are both F ∀ , though equivalent only on finite traces.The last example also shows that the condition F ⇒∀ alone is not sufficient for Theorem 4.8.We now argue that I ⇒∃ alone is also not sufficient.To see this, consider, e.g., ( ( ) ∧ + ⊤) ∨ last and + ⊤ ∨ last, which are I ⇒∃ but are equivalent only on finite traces.
From Theorems 4.7 and 4.8 we have that if , ∈ T U QL (F ∃ ) or , ∈ T U QL (F ∀ ), and , ∈ T U QL (I ∃ ) or , ∈ T U QL (I ∀ ), then ≡ if and only if ≡ .In particular, the above examples show that if, from a given pair of conditions F and I ′ , we remove any of the two properties, then formula equivalences on finite and infinite traces may not coincide.

Preserving Formula
Equivalences: Syntactic Characterisation.We now analyse syntactic features of the properties introduced so far, providing classes of formulas that satisfy them.This will in turn allow us to show results on preservation of equivalences, for such formulas, between finite and infinite traces.

P .
Clearly, since has no temporal operators, for any finite or infinite trace , satisfies at under iff any extension or prefix of satisfies at under , respectively.
We now introduce the relevant fragments of T U QL that will be analysed in the rest of this section.First, U +formulas , are built according to the grammar (with ∈ N P ): Moreover, we call U-formulas the set of formulas generated by allowing U in the grammar rule for U + -formulas1 , and we call U + ∀-formulas the result of allowing ∀ in the grammar rule for U + -formulas.
Next, R + -formulas , are built according to the grammar (with ∈ N P ): We call R-formulas the set of formulas generated by allowing R in the grammar rule for R + -formulas2 , and we call R + ∃-formulas the result of allowing ∃ in the grammar rule for R + -formulas.
Having introduced such fragments, the rest of this section will be devoted to the proof of the following theorem, which is a consequence of Theorems 4.7-4.8above and Lemmas 4.11-4.12below, as outlined in Table 1.
T 4.10.The following hold: (1) for all U + -or R + -formulas and , ≡ if and only if ≡ ; Table 1.Syntactic fragments with corresponding semantic properties and preservation of equivalences.
We first show that every U + ∀-formula is F ∀ , and every U-formula is I ∃ .As an immediate consequence, we obtain that every U + -formula is both F ∀ and I ∃ .

P
. We first show that all U + ∀-formulas are F ∀ .In Claim 1, we show that all U + ∀-formulas are F ⇒∀ (in fact, for the F ⇒∀ case, we can also allow U in the grammar).Then, in Claim 2, we show that all U + ∀-formulas are F ⇐∀ .
• The other cases can be proved in a straightforward way using the inductive hypothesis.
• The remaining cases follow by a straightforward application of the inductive hypothesis.
We now show the second part of Lemma 4.11, i.e., that U-formulas are I ∃ .In Claim 4, we show that U-formulas are Then, in Claim 5, we show that U-formulas are I ⇐∃ .Before proving Claim 4, we show the following statement.
The proof is by structural induction on .Clearly, the statement holds for the base cases of = ( ¯ ) and = ¬ ( ¯ ).We now proceed with the inductive cases.
• The other cases can be proved by straightforward applications of the inductive hypothesis.
We can now proceed with the following claim.) and an assignment in ℑ, we show that ℑ |= implies that there exists ∈ Pre(ℑ) such that |= .The proof is by structural induction on .By Proposition 4.9, the statement holds for the base cases of = ( ¯ ) and = ¬ ( ¯ ).We now proceed with the inductive steps.
We now conclude the proof of Lemma 4.11 by showing the following claim.) and an assignment , we show that |= , for some ∈ Pre(ℑ), implies ℑ |= .The proof is by structural induction on .By Proposition 4.9, the statement holds for the base cases of = ( ¯ ) and = ¬ ( ¯ ).We now proceed with the inductive steps.
• The remaining cases follow by a straightforward application of the inductive hypothesis.
The results of Lemma 4.11 are tight in the sense that we cannot extend the grammar rule for U-formulas (and not even for U + -formulas) with ∀ while still satisfying I ∃ , and we cannot extend the grammar rule for U + ∀-formulas with U and satisfy F ∀ .Simple counterexamples are ∀ + ( ) and ⊤, which are not I ∃ and F ∀ , respectively.To see that ∀ + ( ) is not I ⇒∃ , and thus not I ∃ , consider the model given by an infinite trace ℑ with a (countably) infinite domain Δ = { 1 , 2 , . . ., , . ..},where the -th domain element is in the extension of exactly at time point ∈ N, i.e., ℑ, |= ( ) and ℑ, |= ( ), for any ≠ .It can be seen that there is no finite prefix of this infinite trace where ∀ + ( ) holds.On the other hand, ⊤ holds in any infinite trace, but not on a finite trace with only one time point.Thus, ⊤ is not F ⇐∀ , and hence not F ∀ .
We now move to the case of R + ∃-, R-, and R + -formulas, by proving a result similar to Lemma 4.11.

P
. We first show that all R + ∃-formulas are F ∃ .In Claim 6 we show that all R + ∃-formulas are F ⇒∃ .Then, in Claim 7 we show that all R + ∃-formulas are F ⇐∃ (in fact, for the F ⇐∃ case, we can also allow R in the grammar).C 6. R + ∃-formulas are F ⇒∃ .
Manuscript submitted to ACM TOCL P C 6. We show the stronger claim that, for every finite trace = (Δ, (F ) ∈[0, ] ) and every assignment , |= implies |= .The proof is by structural induction on .By Proposition 4.9, the statement holds for the base cases of = ( ¯ ) and = ¬ ( ¯ ).We now proceed with the inductive cases.• The other cases can be proved in a straightforward way using the inductive hypothesis.
) and an assignment , we show that ℑ |= , for some The proof is by structural induction on .By Proposition 4.9, the statement holds for the base cases of = ( ¯ ) and = ¬ ( ¯ ).We now proceed with the inductive steps.By the inductive hypothesis, we have |= [ ↦ → ] , for all ∈ Δ.Hence, |= ∀ .
• The remaining cases are a straightforward application of the inductive hypothesis.
We now show the second part of Lemma 4.12, i.e., that R-formulas are I ∀ .In Claim 9, we show that all R-formulas are I ⇒∀ .Then, in Claim 10, we show that all R-formulas are I ⇐∀ .Before proving Claim 9 we show the following claim. .We now proceed with the inductive cases.
• The other cases can be proved by straightforward applications of the inductive hypothesis.
We can now proceed with the following claim.• The remaining cases follow by a straightforward application of the inductive hypothesis.
We now conclude the proof of Lemma 4.12 by showing the following claim.By the (contrapositive of the) inductive hypothesis, the previous step implies that there exists > 0 such that |= , for some ≥ , and, for every ∈ (0, ), |= , for some ≥ .Since N is well-founded, we can assume without loss of generality that such and , for every ∈ (0, ), are the minimum numbers for which the previous step holds.By taking as the maximum among such and , for every ∈ (0, ), since ∈ Pre( ) and every ∈ Pre( ), by Claim 8 we obtain that |= and, for every ∈ (0, ), |= .
The results of Lemma 4.12 are also tight in the sense that we cannot extend the grammar rule for R-formulas (and not even for R + -formulas) with ∃ , while still satisfying I ∀ , and we cannot extend the grammar rule for R + ∃-formulas with R , while satisfying F ∃ .Simple counterexamples are ∃ + ¬ ( ) and last := ⊥, which are not I ∀ and F ∃ , respectively.To see that ∃ + ¬ ( ) is not I ⇐∀ , and thus not I ∀ , consider again the model described above with an infinite (and countable) domain, where each element is in the extension of at a specific time point ∈ N. The formula ∃ + ¬ ( ) holds in every finite prefix but it does not hold in this infinite trace.Thus, it is not I ∀ .On the other hand, clearly, last holds in a finite trace with only one time point but it does not on any extension of .Therefore, it is not We conjecture that, for these fragments, which are in negation normal form and allow for only one kind of reflexive temporal operator (i.e., either U + or R + ), the set of equivalent formulas on finite and infinite traces coincide.Finally, as stated in Point (1) of Theorem 4.10, we remark that there is no distinction between reasoning on finite and infinite traces whenever a formula is either an U + -or a R + -formula.As already pointed out, however, + + ( ) and + + ( ) are only equivalent on finite traces, and so, when considering formula equivalences, the distinction between finite and infinite traces cannot be blurred for the class of formulas that allow both U + and R + .

Preserving Formula Satisfiability:
From Finite to Infinite Traces.In this section, we consider the problem of preserving satisfiability of a T U QL formula from finite to infinite traces, i.e., under which conditions, knowing that is finitely satisfiable, we can conclude that is also satisfiable on infinite traces.Identifying classes of formulas for which this question can be positively answered is of interest also to develop more efficient automated reasoners.Indeed, under certain conditions which guarantee that satisfiability of a formula on finite traces implies its satisfiability on infinite ones, solvers can simply stop trying to build the lasso of an infinite trace, once a finite trace satisfying the formula is found.
In order to connect this problem with the results obtained in the previous sections, we make the following observations.First, in Theorem 4.3, we have seen that T U QL formulas interpreted on finite traces can be translated into equisatisfiable formulas on infinite traces.However, such translation is not always needed, since for some classes of formulas satisfiability is already preserved.For instance, given ∈ T U QL (F ⇒∃ ), we clearly have that, if is satisfiable on finite traces, then it is satisfiable on infinite traces.Moreover, the problem of preserving satisfiability from finite to infinite traces can be seen as a special case of the problem of preserving formula equivalences from infinite to finite ones, where we are only interested in determining if a T U QL formula that is equivalent to ⊥ on infinite traces (i.e., unsatisfiable on infinite traces) is also unsatisfiable on finite traces.This is not the case in general.For instance, last, which is equivalent to ⊥ on infinite traces but satisfiable on finite traces, is a formula for which satisfiability is not preserved from finite to infinite traces.Instead, from Theorem 4.10, we obtain in particular that, for every U + ∀-or R + ∃-formulas satisfiability is preserved from finite to infinite traces.
Manuscript submitted to ACM TOCL However, the results of the previous section do not allow us to determine classes of formulas that involve both operators U + and R + , and for which satisfiability from finite to infinite traces is preserved.Formulas like + + ( ) and + + ( ), for instance, are such that their satisfiability is preserved from finite to infinite traces, but they do not fall in any of the fragments identified above.Our aim in the rest of this section is to show that indeed satisfiability from finite to infinite traces is preserved for a larger class of formulas, introduced in the following.
U + R + -formulas , are built according to the grammar (with ∈ N P ): It can be seen that the set of U + R + -formulas is just a syntactic variant (in negation normal form) of the fragment , the fragment allowing only for U + and R + as temporal operators.A typical example of an U + R + -formula, used to express properties in the context of specification and verification of reactive systems, is + ∀ ( ( ) → + ( )) [48].
We show in the following that the language generated by the grammar rule for U + R + -formulas contains only formulas whose satisfiability on finite traces implies satisfiability on infinite traces.This result, formalised by the following theorem, is an immediate consequence of Lemma 4.14 below.
T 4.13.All U + R + -formulas satisfiable on finite traces are satisfiable on infinite traces.
The converse of Theorem 4.13, however, does not hold, as illustrated by the next example.Consider the We have that (3) is satisfiable on infinite traces only, since it requires ( ) and ( ) to alternate infinitely often.
Therefore, for U + R + -formulas, satisfiability on infinite traces does not imply satisfiability on finite traces.
In order to prove Theorem 4.13, we introduce the following preliminary notion.A T U QL formula is F iff, for all finite traces and all assignments , it satisfies the frozen trace property: We denote by T U QL (F ) the set of T U QL formulas that are F .Clearly, if ∈ T U QL (F ) is satisfiable on finite traces, then is satisfiable on infinite traces.Thus, Theorem 4.13 above is an immediate consequence of the following lemma.

P
. We write F ⇒ and F ⇐ for the "one directional" version of F .In Claim 11 we show that all U + R + -formulas are F ⇒ .Then, in Claim 12, we show that all U + R + -formulas are F ⇐ .

COMPLEXITY OF DECIDABLE FRAGMENTS ON FINITE AND -BOUNDED TRACES
In this section, we study the complexity of the satisfiability problem for formulas taken from well-known decidable fragments of first-order temporal logic, ranging from the constant-free one-variable monadic, to the monadic monodic, or the two-variables monodic, fragments (as introduced in Section 3.1).First, we consider satisfiability on arbitrary finite traces, showing that the complexity does not change compared to the infinite case, i.e., it remains E S complete.Then, we analyse the case of satisfiability on -bounded traces, proving that the complexity lowers down to NE T -complete.Finally, we show that these fragments interpreted on finite traces enjoy both the bounded trace and the bounded domain properties, that is, they are satisfiable on finite traces iff they are satisfied on finite traces with a bounded number of time points, and of elements in the domain, respectively, with a bound that depends on the size of the formula.We conclude the section with an excursus on temporal DLs, by investigating the complexity of the satisfiability problem in the temporal extension of the DL ALC.

Complexity Results on Finite Traces
We analyse the complexity of decidable fragments of first-order temporal logic on finite traces.To start with, we show that E S -hardness holds already for the constant-free one-variable monadic fragment T U QL 1, .This fragment can be considered as a notational variant of the propositional language of the two-dimensional product LTL × S5, defined similarly to the product LTL × S5 [48], where LTL denotes LTL interpreted on finite traces.In particular, the S5-modality is replaced by the universal quantifier ∀ , and propositional letters are substituted by unary predicates ( ), with free variable .The lower bound can be proved by applying similar ideas as those used to show hardness of LTL × S5 satisfiability.P 5.1.T U QL 1, formula satisfiability on finite traces is E S -hard.
The × 2 corridor tiling problem is known to be E S -complete [81].In the following, we will reduce this problem to T U QL 1, formula satisfiability on finite traces.
Given a finite set of tile types T, with 0 , 1 ∈ T, and an ∈ N, our aim is to construct a T U QL 1, formula ,T such that: ( ) the length of ,T is polynomial in and |T|; ( ) ,T is satisfiable on finite traces iff there exist ∈ N and a function : × 2 → T tiling the × 2 corridor (as described by the conditions above).
We start by taking distinct unary predicates 0 , . . ., −1 , and let 0 = ¬ and 1 = , for 0 ≤ ≤ − 1.Then, we define a binary counter, called -counter, up to 2 by setting where is the -th bit in the binary representation of 0 ≤ ≤ 2 − 1.Moreover, we require so that, at each time point, the -counter value will be the same for every element of the domain.The following formula will be used to set the value of the -counter to 0 at the first instant of a trace, and to increase its value by one at each subsequent instant (if any).Once the -counter reaches the value of 2 − 1, it goes back to 0 at the following time point (if any).
Manuscript submitted to ACM TOCL Moreover, we define the formulas where is a fresh unary predicate for each ∈ T.
Observe that, for Formulas (5) and (7) to be satisfied, a trace has to be finite and so that in its last instant the value of the -counter is 2 − 1.As it will become clear below, this step differs from the proof of [48, Theorem 5.43], since we exploit the last instant of a finite trace to indicate that the construction of the corridor is completed.
The following formula will ensure that each point of the corridor is covered by at most one tile: In addition, we impose that tile 0 is put onto the point (0, 0) of the corridor and that tile 1 covers ( − 1, 0) by using the following formulas: The condition about matching colours on adjacent sides of adjacent tiles is encoded by the formulas: Finally, we represent as follows that the bottom and the top side of the corridor have to be white: We then define the T U QL 1, formula ,T ( ) as the conjunction of ( 9)-( 16).Clearly, the length of ,T ( ) is polynomial in and |T|.
The reduction given in Theorem 4.3 allows us to transfer E S upper bounds for the following fragments of first-order temporal logic on infinite traces to the finite traces case (see [62] and [48,Theorem 11.31]): the monadic monodic fragment T U QL 1 , and the two-variable monodic fragment T U QL 2 1 .
P 5.2.T U QL 1 and T U QL 2 1 formula satisfiability on finite traces is in E S .
Thanks to the hardness and membership results of, respectively, Propositions 5.1 and 5.2, since T U QL 1, is contained both in T U QL 1 and T U QL 1 , and since T U QL 1 is contained in T U QL 2 1 , we obtain the following result.
T 5.3.T U QL 1, , T U QL 1 , T U QL 1 and T U QL 2 1 formula satisfiability on finite traces are E S complete problems.

Complexity Results on -Bounded Traces
We now study satisfiability of the decidable fragments considered above on traces with at most time points, where is given in binary as part of the input.We show that in this case the complexity of the satisfiability problem in the fragments considered in the previous section decreases from E S to NE T .We start by showing the lower bound for T U QL 1, .P 5.4.T U QL 1, formula satisfiability on -bounded traces is NE T -hard.

P
. The proof is an adaptation of Proposition 5.1 to the case of T U QL 1, on -bounded traces.As above, a tile type is a 4-tuple = (up( ), down( ), le ( ), right( )) of colours.Let T be a finite set of tile types, with 0 ∈ T. For Manuscript submitted to ACM TOCL an ∈ N, the 2 × 2 grid tiling problem is the problem of deciding whether there exists a tiling : 2 × 2 → T such that: The 2 × 2 grid tiling problem is known to be NE T -complete [81].In the following, we will reduce this problem to T U QL 1, formula satisfiability on -bounded traces, with = 2 2 .
Let T be a finite set of tile types, with 0 ∈ T, and let ∈ N. We modify the proof of Proposition 5.1 to construct a Recall the definition of the -counter, given in the proof of Proposition 5.1.We introduce other distinct unary predicates 0 , . . ., −1 , and let 0 = ¬ and 1 = , for 0 ≤ ≤ − 1.Then, we define another binary counter, called -counter up to 2 by setting where is the -th bit in the binary representation of 0 ≤ ≤ 2 − 1.In addition, we require so that, at each time point, the counter value will be the same for every element of the domain.The following formula will set the value of this counter to 0 at the first instant of a trace, and increase its value by one at each future instant where 0 holds (if any).
Formula (18) implies that, if 0 ( ) is satisfied at a given instant, then ( ) is satisfied as well, for some 0 ≤ < 2 .
We now show the correctness of the encoding (see also Figure 1).Suppose that , 0 |= ,T [ 0 ], for some -bounded trace = (Δ , (F ) ∈[0, ] ), with = 2 2 and < , and some 0 ∈ Δ .It can be seen that the function : Conversely, if there exists a function : 2 × 2 → T tiling the 2 × 2 grid, then we can construct a -bounded For the upper bound, we resort to a classical abstraction of models called quasimodels [48].One can show that there is a model with at most time points iff there is a quasimodel with a sequence of states (sets of subformulas with certain constraints) of length at most .Then, our upper bound is obtained by guessing an exponential size sequence of states which serves as a certificate for the existence of a quasimodel (and therefore a model) for the input formula.P 5.5.T U QL 1 and T U QL 2 1 formula satisfiability on -bounded traces is in NE T .

P
. We use standard definitions for quasimodels [48,63], presented here for convenience of the reader.In the following, with an abuse of notation, ( ) denotes a formula with at most as free variable.Let be a T U QL 1 sentence3 , let N I ( ) be the set of individuals occurring in , and let sub( ) be the set of subformulas of .For every formula ( ) of the form 1 U 2 with one free variable , we fix a surrogate ( ); and for every sentence of the form 1 U 2 , we fix a surrogate , where and are symbols not occurring in .Given a T U QL 1 formula , we denote by the result of replacing in all subformulas of the form 1 U 2 which are not in the scope of any other occurrence of U by their surrogates.Thus, does not contain occurrences of temporal operators.Let sub 0 ( ) be the set of all sentences in sub( ).Let be a variable not occurring in , and sub ( ) be the closure under (single) negation of all formulas { / } with ( ) ∈ sub( ).A type for is a subset of { | ∈ sub ( )} ∪ N I ( ) such that: • ¬ ∈ iff ∉ , for every ¬ ∈ sub ( ); and • contains at most one element of N I ( ).
We omit 'for ' when there is no risk of confusion.We say that the types , ′ agree on sub 0 ( ) if ∩ sub 0 ( ) = ′ ∩ sub 0 ( ).Denote with tp( ) the set of all types for .If ∈ ∩ N I ( ), then "describes" a named element.
All these conditions can be checked in non-deterministic exponential time with respect to | | and the binary size of , | |.The algorithm returns 'satisfiable' iff all conditions are satisfied, thus implying that ( , ℜ) is a quasimodel for .By Lemma 5.7, given an L ∈ {T U QL 1 , T U QL 2 1 } formula , there is a finite trace satisfying with at most time points iff there is a quasimodel for with at most quasistates.Thus, we showed Proposition 5.5 illustrating a

NE T
algorithm for checking the satisfiability of formulas in {T U QL 1 , T U QL 2 1 }.
We can now state the main result of this section.Thanks to the lower and upper bounds shown in Propositions 5.4 and 5.5, since T U QL 1, is contained both in T U QL 1 and T U QL 1 , and since T U QL 1 is contained in T U QL 2 1 , we obtain the following complexity result.

Bounded Trace and Domain Properties
In this section, we prove that L ∈ {T U QL 1 , T U QL 2 1 } on finite traces enjoys two kinds of bounded model properties, one which bounds the domain of elements and one which bounds the number of time points in a trace.
First, we show that an L formula has the bounded trace property: if it is satisfiable on finite traces, then there is a -bounded trace satisfying it, where is at most double exponential in | |.

P
. In order to prove the statement, we require some preliminary lemmas.First, we recall the following result [48,Lemma 11.22], applied to the case of finite traces.L 5.10.An L sentence is satisfiable on finite traces iff there is a quasimodel for .
Moreover, we adapt [48,Lemma 11.28] to the case of finite traces, formalising it as follows.

P
. We first introduce the following notation.Given a sequence Σ = ( 0 , 1 , 2 , . ..) and ∈ N, we denote by Σ and Σ the prefix ending at and the suffix starting at of Σ, respectively.Moreover, given sequences Σ, Σ ′ , we denote by Σ • Σ ′ the concatenation of Σ with Σ ′ .Then, we require the following claim, obtained by rephrasing [48,Lemma 11.27] to our terminology.

Manuscript submitted to ACM TOCL
We now establish that an L formula interpreted on -bounded traces has the bounded domain property, i.e., if it is satisfiable on -bounded traces, then it is satisfied on a trace having finite domain with bounded cardinality.T 5.12.Satisfiability of an L ∈ {T U QL 1 , T U QL 2 1 } formula on -bounded traces implies satisfiability of on traces having finite domain of cardinality at most |tp( )| • 2 |tp( ) | .

P
. We require the following preliminary definitions and result.A quasimodel ( , ℜ) for , with = ( (0), . . ., ( )), is said to be finitary if ( ) is finitely realisable, for every ∈ [0, ], and ℜ is finite.The next lemma is an adaptation of [48,Lemma 11.41] to the case of -bounded traces.L 5.13.An L sentence is satisfiable on -bounded traces having finite domain iff there is a finitary quasimodel for with a sequence of quasistates of length at most .Now, suppose that is satisfied on a -bounded trace.By Lemma 5.7, there is a quasimodel ( , ℜ) for , with = ( (0), . . ., ( )) and < .It is known that, for L ∈ {T U QL 1 , T U QL 2 1 } formulas, a state candidate is realisable iff it is finitely realisable, since monadic and 2-variable first-order formulas enjoy the exponential (hence, finite) model property [30, Proposition 6.2.7, Corollary 8.1.5].Thus, we have that every ( ), for ∈ [0, ], is finitely realisable.Moreover, because is finite, we have that ℜ, which is a set of functions from {0, . . ., } to 0≤ ≤ ( ), is finite as well.Therefore, ( , ℜ) is finitary and, by Lemma 5.13, is satisfiable on -bounded traces having finite domain.Finally, having recalled that monadic and 2-variable first-order formulas enjoy the exponential model property, we can assume without loss of generality that a first-order interpretation realising a quasistate in has domain of cardinality at most 2 |tp( ) | .Thus, one can adjust the construction in [48,Lemma 11.41] to obtain, from a finitary quasimodel ( , ℜ) for , with | | ≤ , a -bounded trace that satisfies with domain Since T U QL 2 1 satisfiability on finite traces implies satisfiability on -bounded traces, for some > 0, the T U QL 2 which only admits models with an infinite domain [69], is unsatisfiable over finite traces.

Temporal Description Logics
We conclude this section investigating the complexity of the satisfiability problem in temporal DLs.We consider the temporal language T U ALC [48] as a temporal extension of the DL ALC [16].Let N C , N R ⊆ N P be, respectively, countably infinite and disjoint sets of unary and binary predicates called concept and role names.A T U ALC concept is an expression of the form: where ∈ N C and ∈ N R .A T U ALC axiom is either a concept inclusion (CI) of the form ⊑ , or an assertion, , of the form ( ) or ( , ), where , are T U ALC concepts, ∈ N C , ∈ N R , and , ∈ N I .T U ALC formulas have the form: The semantics of T U ALC is given again (with a small abuse of notation) over finite traces = (Δ, (F ) ∈[0, ] ), where ∈ N, Δ is a non-empty domain, and, for every ∈ [0, ], F is an ALC interpretation with domain Δ, mapping each concept name ∈ N C to a subset F of Δ, each role name ∈ N R to a binary relation F on Δ, and each Manuscript submitted to ACM TOCL individual name ∈ N I to a domain element F in such a way that F = F , for all , ∈ [0, ] (thus, we just use the notation F ).The interpretation is extended to concepts as usual: Given a T U ALC formula , the satisfaction of in at time point ∈ [0, ], written , |= , is inductively defined as: , |= U iff there is ∈ ( , ] such that , |= and , |= , for all ∈ ( , ).
We say that a T U ALC formula is satisfiable on finite traces if there exists a finite trace such that , 0 |= .If is satisfiable on finite traces with at most instants, with given in binary, we say that is satisfiable on -bounded traces.
Since a T U ALC formula can be mapped into an equisatisfiable T U QL 2 1 formula [48] we can transfer the upper bounds of Propositions 5.2 and 5.5 to T U ALC on finite and -bounded traces, respectively.The lower bounds can be obtained from Propositions 5.1 and 5.4, since T U QL 1,  can be seen as a fragment of T U ALC without role names [48].Thus, the following holds.Moreover, from Theorems 5.9 and 5.12, we obtain immediately that T U ALC on finite traces has both the bounded trace and domain properties.
We also consider the satisfiability problem on -bounded traces of T U ALC restricted to global CIs [5,69], defined as the fragment of T U ALC in which formulas can only be of the form + (T ) ∧ , where T is a conjunction of CIs and does not contain CIs.The E T upper bound we provide has a rather challenging proof that uses a form of type elimination [48,59,69], but in a setting where the number of time points is bounded by a natural number > 0. 4 The complexity is tight since satisfiability in ALC is already E T -hard [16].
To show the following theorem, we rely again on quasimodels [48], which have been used to prove the satisfiability of various temporal DLs.Our definitions here are similar to those in Section 5.2, now adapted to temporal ALC.

P
. It is enough to show that satisfiability in T U ALC restricted to global CIs on -bounded traces is in E T .Let be a T U ALC formula restricted to global CIs.Assume without loss of generality that does not contain abbreviations (i.e., it only contains the logical connectives ¬, ⊓, ∧, the existential quantifier ∃, and the temporal operator Finally, a quasimodel for = + (⊤ ⊑ T ) ∧ is a pair ( , ℜ), with a finite sequence of quasistates ( (0), . . ., ( )) and ℜ a non-empty set of run segments such that: M1 ∈ 0 where 0 is the formula type in (0); M2 for every ∈ ℜ and every ∈ [0, ], ( ) ∈ ( ); and, conversely, for every ∈ ( ), there is ∈ ℜ with ( ) = .
By M2 and the definition of a quasistate for , ℜ always contains exactly one formula run segment and one named run segment for each ∈ N I ( ).
Every quasimodel for describes an interpretation satisfying and, conversely, every such interpretation can be abstracted into a quasimodel for .We formalise this notion for finite traces with the following lemma.L 5.16.There is a finite trace satisfying with at most time points iff there is a quasimodel for with a sequence of quasistates of length at most .

P
. (⇒) Assume there is a finite trace = (Δ, (F ) ∈[0, ] ), with < , that satisfies , i.e., , 0 |= .Without loss of generality, assume that, for all ∈ N I ( ), we have F = { F } for all ∈ [0, ], where are those fresh concept names we used to extend cl c ( ).We define ( , ℜ) in the following way.First, for all ∈ [0, ], ∈ Δ and ∈ N I ( ), we set: By Q2, R1, and M2, F is well-defined.In order to show that satisfies , we first show the following claim.It remains to show the following cases.The proof is by induction on .
Therefore, by Claim 15 and M1, we can conclude that , 0 |= .This finishes the proof of Lemma 5.16.
Before presenting our algorithm we need the following definition.We say that a pair ( , ′ ) of (concept/formula) types is U-compatible if: where cl * is either cl c or cl f (as appropriate).
Our type elimination algorithm iterates over the values in [1, − 1] to determine in exponential time in | |, with given in binary, the length of the sequence of quasistates of a quasimodel for , if one exists.We assume that has the form + (⊤ ⊑ T ) ∧ .For each ∈ [1, − 1], the -th iteration starts with sets: and each is initially set to tp( ).We start by exhaustively eliminating concept types from some , with ∈ [0, ], if violates one of the following conditions: E1 for all ∃ .∈ , there is ′ ∈ such that ∈ ′ and ( , ′ ) is -compatible; For each ∈ N I ( ), if is a named type then, in E2 and E3, we further require that the mentioned types in a Ucompatible pair contain .This phase of the algorithm stops when no further concept types can be eliminated.Next, for each formula type , we say that a function , mapping each ∈ N I ( ) to a named type containing , is consistent with if: (i) for all ( ) ∈ cl f ( ), ( ) ∈ iff ∈ ( ); and (ii) for all ( , ) ∈ cl f ( ), ( , ) ∈ iff ( ( ), ( )) is -compatible.We are going to use these functions to construct our quasimodel as follows.We first add to each all consistent with each formula type ∈ such that the image of is contained in .We then exhaustively eliminate such functions from some , with ∈ [0, ], if violates one of the following conditions: Manuscript submitted to ACM TOCL E1 ′ if < , then there is ′ ∈ +1 such that ( , ′ ) is U-compatible and, for all ∈ N I ( ), ( ( ), ′ ( )) is Ucompatible; E2 ′ if = , then there is no U ∈ .
It remains to ensure that each contains exactly one formula type and one named type for each ∈ N I ( ) (and no functions ).For this choose any formula type function 0 in 0 such that ∈ 0 (if one exists) and remove formula types ′ 0 ≠ 0 from 0 .Then, for each ∈ [1, ], select a formula type function ∈ such that ( −1 , ) is Ucompatible and for all ∈ N I ( ), ( −1 ( ), ( )) is U-compatible, removing formula types ′ ≠ from , where is the selected function.The existence of such is ensured by E1 ′ .For each selected function and each ∈ N I ( ), with ∈ [1, ], we remove from all named types such that ≠ ( ).We now have that each contains exactly one formula type and one named type for each ∈ N I ( ).Finally, we proceed removing all functions .We have thus constructed a sequence of quasistates.Until concepts/formulas U are satisfied thanks to the U-compatibility conditions and the fact that there are no expressions of the form U in concept/formula types in the last quasistate.
This last step does not affect conditions E1-E5 (in particular E1) for the remaining concept types since for each named type there is an unnamed (concept) type which is the result of removing the individual name from it, and if the named type was not removed during type elimination then the corresponding unnamed type was also not removed.
If the algorithm succeeds on these steps with a surviving concept type ∈ 0 and a formula type 0 in 0 such that ∈ 0 then it returns 'satisfiable'.Otherwise, it increments or returns 'unsatisfiable' if = − 1 (i.e., there are no further iterations).
L 5.17.The type elimination algorithm returns 'satisfiable' iff there is a quasimodel for .
where cl * is either cl c or cl f (as appropriate).We now argue that ( * , ℜ) is a quasimodel for .We first argue that * is a sequence of quasistates for .E1 ensures Condition Q5, while Condition Q3 is guaranteed by condition E5.
For Conditions Q4 and Q6, we have the fact that named types are taken from functions consistent with the formula types.The last step of our algorithm consists in eliminating formula and named types so that we satisfy Conditions Q1 and Q2.Thus, * is a sequence of quasistates for .Concerning the construction of ℜ, Point (2) can be enforced thanks to our selection procedure for named types, which enforces U-compatibility, while Point (3) is a consequence of • Conditions E2, E3 and E4, for concept types; and • Conditions E1 ′ and E2 ′ , for formula types, together with the selection procedure.
For the other direction (⇐), assume there is a quasimodel ( , ℜ) for .Assume is of the form 0 . . .−1 , for some ∈ [1, − 1].Let * 0 , . . ., * be the result of the type elimination at the -th iteration.Since ( , ℜ) is a quasimodel, each concept type satisfies E1.Moreover, conditions E2-E5 are consequences of the existence of run segments through each type (by M2).Then, for all unnamed (concept) types , if ∈ then ∈ * , ∈ [0, ].If is a formula type or a named type then ∈ does not necessarily imply that ∈ * , ∈ [0, ].However, the existence of such types implies that the algorithm should find a sequence of functions , for ∈ [0, ], satisfying E1 ′ and E2 ′ which is then used to select formula and named types satisfying the quasimodel conditions.In particular, due to M1, the selection procedure will select a function 0 associated with a formula type 0 ∈ * 0 containing .So there is a surviving formula type in * 0 containing and the algorithm returns 'satisfiable'.This finishes the proof of Lemma 5.17.
We now argue that our type elimination algorithm runs in exponential time.Since there are polynomially many individuals (with respect to the size of ) occurring in , the number of functions consistent with a formula type is exponential.As the number of (concept/formula) types is exponential the total number of functions and types to consider is exponential.In every step some concept type or function is eliminated (by E1-E5 or by E1 ′ -E2 ′ , respectively).
Conditions E1-E5 and E1 ′ -E2 ′ can clearly be checked in exponential time.Also, the selection procedure of functions for each , which determine the formula and named types in the result of the algorithm, can also be checked in exponential time, since we can pick any function in +1 satisfying the U-compatibility relation, which is a local condition.As this can also be implemented in exponential time, this concludes the proof of Theorem 5.15.
We leave the complexity of the satisfiability problem on finite traces for T U ALC restricted to global CIs as an open problem.It is known that the complexity of the satisfiability problem in this fragment over infinite traces is E Tcomplete [14,69].However, the end of time formula is not expressible in this fragment.Thus, we cannot use the same strategy of defining a translation for the semantics based on infinite traces, as we did in Section 4.1.Moreover, the upper bound in [69] is based on type elimination.The main difficulty in devising a type elimination procedure in the case of arbitrary finite traces is that the number of time points is not fixed and the argument in [69], showing that there is a quasimodel iff there is a quasimodel ( , ℜ) such that ( + 1) ⊆ ( ), for all ≥ 0, is not applicable to finite traces.A type with a concept equivalent to last can only be in the last quasistate of the quasimodel.Therefore, it is not clear whether one can show that if there is a quasimodel, then there is a quasimodel with an exponential sequence of quasistates, as done in Theorem 5.15.

APPLICATIONS
Understanding the connections between finite and infinite traces is of interest to several applications.In the following, we focus on planning and verification.First, we lift to the first-order temporal logic setting the LTL notion of insensitivity to infiniteness [42], introduced in the planning domain.Then, we discuss how, in LTL, the concepts of safety, as well as impartiality and anticipation [27], can be related to the semantic properties of Section 4.2 for bridging finite and infinite traces.

Planning
In automated planning, the sequence of states generated by actions is usually finite [26,38,42,43].To reuse temporal logics based on infinite traces for specifying plan constraints, one approach, developed by De Giacomo et al. 2014a for LTL on finite traces, is based on the notion of insensitivity to infiniteness.This property is meant to capture those formulas that can be equivalently interpreted on infinite traces, provided that, from a certain instant, these traces Manuscript submitted to ACM TOCL satisfy an end event forever and falsify all other atomic propositions.The motivation for this comes from the fact that propositional letters represents atomic tasks/actions that cannot be performed anymore after the end of a process.
In order to lift this notion of insensitivity to our first-order temporal setting, and to provide a characterisation analogous to the propositional one, we introduce the following definitions.Let = (Δ , (F ) ∈[0, ] ) be a finite trace, and let = (Δ , (E ) ∈[0,∞) ) be the infinite trace such that Δ = Δ (we write just Δ), E = F for all ∈ N I , and for all ∈ N P \ { }, E = ∅, while E = Δ, for any ∈ [0, ∞).
Before we proceed with a formal characterisation of insensitive formulas, we require the following preliminary lemmas.Thus, for all ∈ (0, ∞), for all objects and all tuples of objects ¯ in Δ, we have: if ) and some infinite trace ℑ ′ .Thus: Since ℑ |= , for all ∈ [ + 1, ∞), for all objects and all tuples of objects ¯ in Δ, we have that: if Since ⊥ is insensitive, we obtain the following immediate corollary of the previous result.C 6.6.All insensitive formulas satisfiable on finite traces are satisfiable on infinite traces.
However, the converse directions of the above results do not not hold, as witnessed, e.g., by formula (cf.Section 5.3), which is trivially insensitive, but satisfiable only on infinite traces.We can obtain the converse directions by using our Theorem 4.8.For instance, + ( ) ∨ + ( ) and + ( ( ) ∨ ( )) are insensitive and I ∃ formulas for which equivalence on finite and infinite traces coincide.

Verification
In this section we show how our comparison between finite and infinite traces can be related to the literature on temporal logics for verification.In particular, we establish connections between the finite and infinite trace properties, introduced in Section 4.2, and: ( ) the definition of safety in LTL on infinite traces [22,80]; ( ) maxims related to monitoring procedures in runtime verification [27].

Safety.
Recall that a safety property intuitively guarantees that "bad things" never happen during the execution of a program.In verification, LTL is often used as a specification language for such properties, and the notion of safety is defined accordingly on infinite traces [22,80].In the rest of this section, we will thus restrict ourselves to LTL.A typical example of an LTL formula used to specify a safety property is represented by ¬ , where is an atom standing for an action or task.Dual to safety properties are co-safety properties, expressing that "good things" will eventually happen in the execution of a program.The LTL formula is a standard example of a formula specifying a co-safety property.
To fix notions that will be used in the rest of this section, we start by recalling the definitions of safety and co-safety fragments of LTL.The LTL safety formulas [80] are defined as the LTL formulas obtained from ⊥, ⊤, and literals (i.e., propositional letters , or negated propositional letters ¬ ), by applying conjunction ∧, disjunction ∨, strong next , and reflexive release R + operators.The LTL co-safety formulas [66] are dually defined as those LTL formulas obtained from ⊥, ⊤, and literals, by applying conjunction ∧, disjunction ∨, strong next , and reflexive until U + operators.It is known [36,66,80] that every safety formula expresses a safety property, i.e., for every infinite trace ℑ such that ℑ |= , there exists ∈ Pre(ℑ) so that, for all ℑ ′ ∈ Ext( ), it holds that ℑ ′ |= .We call such a finite trace a bad prefix for , and we define BadPre( ) as the set of bad prefixes for .On the other hand, every co-safety formula expresses a co-safety property, i.e., for every infinite trace ℑ satisfying , there is a good prefix for , that is, a finite prefix of ℑ such that every infinite extension ℑ ′ of satisfies .Given the equivalence, ¬ ≡ ¬ , holding on infinite traces, we have that the LTL formulas that are, respectively, in the R-and U-fragments defined in Section 4.2 express, respectively, safety and co-safety properties.
In order to establish connections between safety properties and finite traces semantics, we now require, following [22], further definitions and notation.Let N 0 P be the subset of N P containing 0-ary predicates, i.e., propositional letters.Given a suborder of (N, <) of the form [0, ∞) or [0, ], with ∈ N, a trace is now viewed simply as a sequence

Runtime verification maxims.
We recall that in runtime verification the task is to evaluate a property with respect to the current history (which is finite at each given instant) of a dynamic system, and to check whether this property is satisfied in all its possible future evolutions [19,27,41].Here we discuss the relationship between our semantic conditions and the maxims for runtime verification in (variants of) LTL introduced by Bauer et al. 2010, which relate finite trace semantics to the infinite case.Although the authors consider also semantics for LTL that allow for more than two truth-values, in this section we will restrict our attention to LTL interpreted on finite traces only.Bauer et al. suggest that any LTL semantics to be used in runtime verification should satisfy, for every LTL formula , the maxims of impartiality and anticipation, defined as follows.
Impartiality For every finite trace , It can be easily seen that LTL on finite traces does not satisfy, for every LTL formula , impartiality and anticipation.An example of a formula that does not satisfy impartiality is + , whereas ⊤ violates anticipation.However, the properties of impartiality and anticipation can be used to define the corresponding sets of LTL formulas that satisfy them.Indeed, we have that impartiality is captured by LTL(F ⇒∀ ) ∩ LTL(F ⇐∃ ), while anticipation corresponds to LTL(F ⇐∀ ) ∩ LTL(F ⇒∃ ).Therefore, any set of LTL formulas satisfying both impartiality and anticipation is included in the intersection LTL(F ∀ ) ∩ LTL(F ∃ ).Concerning the possibility to syntactically characterise these formulas, we have that, due to Lemmas 4.11 and 4.12, impartiality and anticipation are not guaranteed to be preserved for U + -or R + -formulas.

CONCLUSION
We investigated first-order temporal logic on finite traces, by comparing its semantics with the usual one based on infinite traces, and by studying the complexity of formula satisfiability in some of its decidable fragments.
In an effort to systematically clarify the correlations between finite vs. infinite reasoning we introduced various semantic conditions that allow to formally specify when it is possible to blur the distinction between finite and infinite traces.Grammars for T U QL formulas satisfying some of these conditions have been provided as well.In particular, Manuscript submitted to ACM TOCL we have shown that for U + -and R + -formulas, equivalence over finite and infinite traces coincide.Moreover, we have shown that, for the class of U + R + -formulas, satisfiability is preserved from finite to infinite traces.
Concerning the complexity of the satisfiability problem in decidable fragments on finite traces, we have shown that the constant-free one-variable monadic fragment T U QL 1, , the one-variable fragment T U QL 1 , the monadic monodic fragment T U QL 1 , and the the two-variable monodic fragment T U QL 2 1 , while being E S -complete over arbitrary finite traces, lower down to NE T -complete when interpreted on traces with at most time points.
Similar results have been shown here for T U ALC, a temporal extension of the description logic ALC, interpreted on finite or -bounded traces.Moreover, we proved that T U ALC restricted to global CIs is E T -complete on traces with at most time points.
Finally, we have lifted results related to the notion of insensitivity to infiniteness [42], introduced in the planning context, to our first-order setting.Moreover, we have analysed the connections between notions from the verification literature (in particular, safety [80], as well as the runtime verification maxims of impartiality and anticipation [27]), and our framework of semantic conditions relating reasoning over finite and infinite traces.
As future work, we are interested in strengthening the results obtained in Section 4, so to obtain semantic and syntactic conditions that are both necessary and sufficient (as opposed to sufficient only) to characterise equivalences on finite and infinite traces.We conjecture also that for U + ∀-and R + ∃-formulas, i.e., T U QL formulas in negation normal form involving only one kind of reflexive temporal operator (either U + or R + , respectively), the equivalences on finite traces coincide with the equivalences on infinite traces.
Moreover, we plan to to study the axiomatisability of fragments of first-order temporal logic on finite traces, and to apply the semantic conditions introduced in this work to the analysis of monitoring functions for runtime verification [19,27,41].It would also be interesting to determine the precise complexity of the satisfiability problem in T U ALC on finite traces with just global CIs, as well as in those DLs from the temporal DL-Lite family for which this problem remains open [11].

P 4 . 5 .
The sets T U QL (F ∃ ), T U QL (F ∀ ), T U QL (I ∃ ), and T U QL (I ∀ ) are mutually incomparable with respect to inclusion.P.For every , ∈ {T U QL (F ∃ ), T U QL (F ∀ ), T U QL (I ∃ ), T U QL (I ∀ )}, we use the formulas from Example 4.4 to show that .

Theorem 4 .
7 does not hold for formulas that satisfy only I ∃ or I ∀ .Consider the formulas ⊤∨last, from Example 4.4, and ⊤ ∨ last, which are both I ∃ .These formulas are equivalent only on infinite traces.Also, + ( ) ∨ + ( ( ) ∧ last), from Example 4.4, and + ( ) ∨ + ( ( ) ∧ last) are I ∀ , and equivalent on infinite but not on finite traces.The last example also shows that the condition I ⇒∀ alone is not sufficient for Theorem 4.7.Moreover, F ⇒∃ alone is also not sufficient.To see this, consider, e.g., + ⊤ ∨ ( ( ) ∧ last) and + ⊤ ∨ last , which are F ⇒∃ but equivalent only on infinite traces.
and thus not F ∃ .Finally, we comment on the results of Theorem 4.10.We observe that ⊤ and ⊤ are examples of U-formulas that are equivalent on infinite, but not on finite, traces.Similarly, ⊥ and ⊥ are R-formulas equivalent on infinite traces only.Thus, the converse of Point (3) of Theorem 4.10 does not hold for such sets of formulas.However, we leave as an open problem to determine whether the converse of Point (2) in Theorem 4.10 holds for U + ∀-and R + ∃-formulas.

T 5 . 8 .
T U QL 1, , and T U QL 1 , T U QL 1 and T U QL 2 1 formula satisfiability on -bounded traces are NE T -complete problems.

T 5 .
14. T U ALC satisfiability is E S -complete on finite traces, and NE T -complete on -bounded traces.

T 5 .
15. T U ALC satisfiability on -bounded traces restricted to global CIs is E T -complete.
|= .We say that and are equivalent, writing ≡ , if |= and |= .Since the satisfaction of a formula ( 1 , . . ., ) under an assignment depends only on the values of its free variables under , we may write , |= [ 1 , . . ., ] in place of , |= ( 1 , . . ., ), where ( ∈ under an assignment , written , |= , is inductively defined as: ′ , for some assignment ′ that can differ from only on , , |= U iff there is ∈ , > : , |= and, for all ∈ ( , ), , |= . 1 ) = 1 , . . ., ( ) = .Also, given an assignment and an element in an interpretation's domain Δ we denote by [ ↦ → ] the assignment obtained To show intuitive examples, let us consider the case where is a Boolean combination of atomic formulas.Examples of formulas satisfying F ∀ and I ∃ are formulas of the form + .Formulas of the form are also I ∃ , but in general not F ∀ , as witnessed, for instance, by ⊤.On the other hand, the properties F ∃ and I ∀ capture for example formulas of the form + .Formulas of the form are also I ∀ , but not necessarily F ∃ , because of, e.g., ⊥.These observations, that can easily be checked, are also immediate consequences of Lemmas 4.11 and 4.12 below.
1, formula ,T such that: ( ) the length of ,T is polynomial in and |T|; ( ) ,T is satisfiable on -bounded traces, with = 2 2 , iff there exists a function : 2 × 2 → T tiling the 2 × 2 grid (as described by the conditions above).
The end extension (cf.Section 4.1) of with , • , will be called the insensitive extension of .A T U QL formula is insensitive to infiniteness (or simply insensitive) if, for every finite trace and all assignments , |= iff • |= .Clearly, all insensitive T U QL formulas are also F ⇒∃ .Moreover, let Σ be a finite subset of P such that ∈ Σ. Assume without loss of generality that the T U QL formulas we mention in this subsection have predicates in Σ.Given an infinite trace ℑ, the Σ-reduct of ℑ is the infinite trace ℑ | Σ coinciding with ℑ on Σ and such that I | Σ = ∅, for ∉ Σ and ∈ [0, ∞).Finally, recalling the definition of (since all the predicates occurring in , † are in Σ).Assume that |= ↔ † .By Lemma 6.1, for every infinite trace ℑ and every assignment , ℑ |= means that ℑ | Σ = • , for a finite trace .Let , be insensitive formulas.Then ¬ , ∃ , and ∧ are insensitive.¬isinsensitive as well.For ∃ , we have that|= ∃ iff |= [ ↦ → ] , for some ∈ Δ.Given that is insensitive, this is equivalent to • |= [ ↦ → ] , for some ∈ Δ.That is, • |= ∃ ,and so ∃ is insensitive.For ∧ , we have that |= ∧ is equivalent to |= and |= .Since both and are assumed to be insensitive, the previous step is equivalent to: • |= [2]] is equivalent to I = ∅, for all ∈ Σ \ { } and ∈ [ + 1, ∞).Therefore, we have thatℑ | Σ = • .Concerning temporal operators, in[42]it is shown how several standard temporal patterns derived from the declarative process modelling language[2]are insensitive.On the other hand, negation affects the insensitivity of temporal formulas.For instance, given a non temporal T U QL formula , we have that + is insensitive while + ¬ is not.Dually, + ¬ is insensitive, while + is not.Therefore, if a T U QL formula is insensitive, it cannot be concluded that formulas of the form + or + are insensitive.Finally, we have that insensitivity is sufficient to ensure that if formulas are equivalent on infinite traces, then they are equivalent on finite traces.T 6.5.For all insensitive formulas , , ≡ implies ≡ .