One-Pass and Tree-Shaped Tableaux for LTL

One-Pass and Tree-Shaped Tableaux for LTL

Nicola Gigante

Linear Temporal Logic

Linear Temporal Logic(LTL) is a propositional modal logic interpreted over infinite, discrete, linear orders.

X α αwill be true at thenextstate.

αU β βwill eventually be true, and αalways holdsuntilthen.

F β≡ ⊤ U β β willeventuallybe true.

G β≡ ¬ F ¬β β willalwaysbe true.

Tableau methods for LTL satisfiability

LTLsatisfiabilityis the problem of checking whether there exists a model that satisfies a given LTL formula.

PSPACE-completeproblem.

Algorithmic solutions:

(Büchi) Automata-based Tableaumethods Temporal resolution

Reduction to model checking

…

Tableau methods for LTL satisfiability

You have already seen a tableau method for LTL satisfiability, which isgraph-shaped:

A graph structure is built from the closure of the formula Each node is anatom, a set of locally consistent formulae A path in the graph corresponds to a potential model of the formula

A strongly connected components decomposition of the graph is used to check whether there exists a fulfilling path.

A One-Pass Tree-Shaped Tableau for LTL

Today we’ll look at a different method, which isone-passand tree-shaped.

The built structure is atreeinstead of a graph.

Asingle passis sufficient to build a branch of the tree and determine its acceptance or rejection.

Verysimplerule-based structure:

Easy toextendto LTL extensions Easy to parallelize

How it works

How it works

The tableau for ϕ is a tree where each node is labeled by a set of formulae, with the root labeled with{ϕ}.

The formula starts in Negated Normal Form.

At each step some rules are applied to a leaf, depending on the contents of the label, possibly generating new children for the current node.

Some rules canaccepta branch, others canrejectit.

If the complete tree contains at least an accepted branch, the formula issatisfiable.

Expansion rules

Expansion rules are applied to a node until no other expansion rule can be applied anymore:

Boolean connectives handled just like in classical propositional tableau.

{α ∨ β}

{α} {β}

{α ∧ β}

{α, β}

Expansion rules

Expansion rules are applied to a node until no other expansion rule can be applied anymore:

Common expansion rules handle temporal operators:

{α Uβ}

{β} {α, X(α Uβ)}

{Fβ} {β} {X Fβ}

{G α}

{α, X G α}

βis called aneventuality.

X(αU β) is anX-eventuality.

Expansion rules

Rule ϕ Γ1(ϕ) Γ2(ϕ) Disjunction α∨ β {α} {β}

Until αU β {β} {α, X(α U β)}

Release αR β {α, β} {β, X(α R β)}

Eventually F β {β} {X F β}

Conjunction α∧ β {α, β}

Always G α {α, X G α}

Advancing to the next temporal step

Eventually we reach apoisednode, labelled only ofelementary formulae: propositionsortomorrows.

We can step to the next temporal state by the step rule:

{. . . , X α, . . .}

{α}

The poised node give us theevaluationfor the currentstate.

Contradictions

If a label contains contradictions, werejectthe branch.

{. . . , p, . . . , ¬p, . . .}

7

Acceptance and contradictions

If a step rule results into an empty label, we’re done:

the branch isaccepted.

{. . . , p, ¬q, r, . . .}

{}

3

Finding periodic models - loop rule

Some formulae (e.g., G F p) require to satisfy infinitely often the same request, thus the labels may never become empty.

these formulae will have infinite periodic models the loop rule accepts such branches

Finding periodic models - loop rule

Let u =⟨u0, . . . ,u_k⟩ be a branch with a poised leaf uk: loop rule

The branch isacceptedif there is another position i < k such that Γ(uj) = Γ (uk), and all the X-eventualities requested in uj

are fulfilled in u_[j+1,k].

Example

{G F(p ∧ X ¬p)}

{ F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

. . . {p, X ¬p, X G F(p ∧ X ¬p)}

{¬p, G F(p ∧ X ¬p)}

{¬p, F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

{¬p, p, X ¬p, . . .} {¬p, X F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

3

p ¬p p ¬p

Example

{G F(p ∧ X ¬p)}

{ F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

. . . {p, X ¬p, X G F(p ∧ X ¬p)}

{¬p, G F(p ∧ X ¬p)}

{¬p, F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

{¬p, p, X ¬p, . . .} {¬p, X F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

3

p ¬p p ¬p

Example

{G F(p ∧ X ¬p)}

{F(p∧ X ¬p),X G F(p∧ X ¬p)}

. . . {p,X¬p,X G F(p∧ X ¬p)}

{¬p, G F(p ∧ X ¬p)}

{¬p, F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

{¬p, p, X ¬p, . . .} {¬p, X F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

3

p ¬p p ¬p

Example

{G F(p ∧ X ¬p)}

{ F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

. . . {p,X¬p,X G F(p∧ X ¬p)}

{¬p,G F(p∧ X ¬p)}

{¬p, F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

{¬p, p, X ¬p, . . .} {¬p, X F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

3

p ¬p p ¬p

Example

{G F(p ∧ X ¬p)}

{ F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

. . . {p,X¬p, X G F(p ∧ X ¬p)}

{¬p, G F(p ∧ X ¬p)}

{¬p, F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

{¬p, p, X ¬p, . . .} {¬p, X F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

3

p

¬p p ¬p

Example

{G F(p ∧ X ¬p)}

{ F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

. . . {p, X ¬p, X G F(p ∧ X ¬p)}

{¬p,G F(p∧ X ¬p)}

{¬p, F(p∧ X ¬p),X G F(p∧ X ¬p)}

{¬p, p, X ¬p, . . .} {¬p, X F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

3

p

¬p p ¬p

Example

{G F(p ∧ X ¬p)}

{ F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

. . . {p, X ¬p, X G F(p ∧ X ¬p)}

{¬p, G F(p ∧ X ¬p)}

{¬p, F(p∧ X ¬p),X G F(p∧ X ¬p)}

{¬p,p,X¬p, . . .} {¬p, X F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

3

p

¬p p ¬p

Example

{G F(p ∧ X ¬p)}

{ F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

. . . {p, X ¬p, X G F(p ∧ X ¬p)}

{¬p, G F(p ∧ X ¬p)}

{¬p, F(p∧ X ¬p),X G F(p∧ X ¬p)}

{¬p, p, X ¬p, . . .} {¬p,X F(p∧ X ¬p),X G F(p∧ X ¬p)}

3

p

¬p p ¬p

Example

{G F(p ∧ X ¬p)}

{ F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

. . . {p, X ¬p, X G F(p ∧ X ¬p)}

{¬p, G F(p ∧ X ¬p)}

{¬p, F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

{¬p, p, X ¬p, . . .} {¬p,X F(p∧ X ¬p),X G F(p∧ X ¬p)}

3

p

¬p p ¬p

Example

{G F(p ∧ X ¬p)}

{ F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

. . . {p, X ¬p, X G F(p ∧ X ¬p)}

{¬p, G F(p ∧ X ¬p)}

{¬p, F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

{¬p, p, X ¬p, . . .} {¬p,X F(p∧ X ¬p), X G F(p ∧ X ¬p)}

3

p ¬p

p ¬p

Example

{G F(p ∧ X ¬p)}

{ F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

. . . {p, X ¬p, X G F(p ∧ X ¬p)}

{¬p, G F(p ∧ X ¬p)}

{¬p, F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

{¬p, p, X ¬p, . . .} {¬p, X F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

3

p ¬p

p ¬p

Example

{G F(p ∧ X ¬p)}

{ F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

. . . {p,X¬p,X G F(p∧ X ¬p)}

{¬p, G F(p ∧ X ¬p)}

{¬p, F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

{¬p, p, X ¬p, . . .} {¬p, X F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

3

p ¬p

p ¬p

Example

{G F(p ∧ X ¬p)}

{ F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

. . . {p,X¬p,X G F(p∧ X ¬p)}

{¬p, G F(p ∧ X ¬p)}

{¬p, F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

{¬p, p, X ¬p, . . .} {¬p, X F(p ∧ X ¬p), X G F(p ∧ X ¬p)}

p ¬p p ¬p

Unrealizable eventualities

Something is still missing. Consider the following formula:

G¬p ∧ q U p

It is unsatisfiable, but not because of propositional contradictions.

The requested eventuality is unrealizable.

Unrealizable eventualities - prune rule

In these cases we have to stop postponing the eventuality to guarantee termination. Let u =⟨u0, . . . ,uk⟩ be a branch with a poised leaf u_k:

prune rule

The branch isrejectedif:

1 there are other two positions i < j < k such that Γ (ui) = Γ (uj) = Γ (uk), and

2 all the X-eventualities fulfilled in u[j+1,k]are fulfilled in u as well.

Example - unsatisfiable formula

{G ¬p ∧ q U p}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{G ¬p, q U p}

7

Example - unsatisfiable formula

{G ¬p ∧ q U p}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{G ¬p, q U p}

7

Example - unsatisfiable formula

{G ¬p ∧ q U p}

{G¬p,qU p}

{¬p,X G¬p,p}

7

{¬p, X G ¬p, q, X(q U p)}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{G ¬p, q U p}

7

Example - unsatisfiable formula

{G ¬p ∧ q U p}

{ G ¬p, q U p}

{¬p,X G¬p,p}

7

{¬p, X G ¬p, q, X(q U p)}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{G ¬p, q U p}

7

Example - unsatisfiable formula

{G ¬p ∧ q U p}

{G¬p,qU p}

{¬p, X G ¬p, p}

7

{¬p,X G¬p,q,X(qU p)}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{G ¬p, q U p}

7

Example - unsatisfiable formula

{G ¬p ∧ q U p}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G¬p,q,X(qU p)}

{G¬p,qU p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{G ¬p, q U p}

7

Example - unsatisfiable formula

{G ¬p ∧ q U p}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{G ¬p, q U p}

7

Example - unsatisfiable formula

{G ¬p ∧ q U p}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{G ¬p, q U p}

7

Example - unsatisfiable formula

{G ¬p ∧ q U p}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p,X G¬p,q,X(qU p)}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p,X G¬p,q,X(qU p)}

{G ¬p, q U p}

7

Example - unsatisfiable formula

{G ¬p ∧ q U p}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{ G ¬p, q U p}

{¬p, X G ¬p, p}

7

{¬p, X G ¬p, q, X(q U p)}

{G ¬p, q U p}

How it works - summary

To summarize:

When toaccepta branch?

When the label isempty

When we are looping while satisfying all theeventualities When to reject a branch?

When a label is contradictory

When we are looping but unable to satisfy all the eventualities

How it works - summary

To summarize:

When to accept a branch?

When the label is empty

When we are looping while satisfying all the eventualities When torejecta branch?

When a label iscontradictory

When we are looping but unable to satisfy all theeventualities

Proofs

We can briefly overview how to prove that the method is soundandcomplete.

Soudness

If the complete tableau for ϕ contains anacceptedbranch, then ϕ issatisfiable.

Completeness

If ϕ issatisfiable, then the complete tableau for ϕ contains at

Soundness

The soundness proof builds a model from the accepted branch:

let u =⟨u0, . . . ,un⟩ be an accepted branch (unisticked) let π =⟨π0, . . . , π_m⟩ be the subsequence of itspoisednodes if u is accepted then either Γ(πm)is empty or there is a π_k with Γ(πk) = Γ (πm)that triggered the loop rule.

we extend π ad infinitum to:

Π = π_[0,k](π_[k+1,m])^ω (let k = m − 1 in the empty case)

Soundness

The soundness proof builds a model from the accepted branch:

then, we can extract a model σ =⟨σ0, σ₁, . . .⟩ from Π:

σ,i|= p if and only if p ∈ Γ(Πi)

we can prove by structural induction that if ψ∈ Γ(Πi), then σ, i|= ψ:

if p∈ Γ(Π_i), it holds by definition

if X ψ∈ Γ(Π_i), either ψ∈ Γ(Π_i+1)by the step rule, or Π_i= Π_m= Π_kbecause of the loop rule, hence ψ∈ Γ(Πi+1) = Γ (Π_k+1)again because of the step rule.

all other cases follow the expansion rules, e.g. if α∨ β ∈ Γ(Π), then either α∈ Γ(Π)or β∈ Γ(Π)by

Completeness

Completeness

The completeness proof revolves around the prune rule.

Atoms and pre-models

We need a different but related concept ofatom:

Definition

Let X⊆ C(ϕ) be a set of formulae. Anatomgenerated by X is a minimalset of formulae ∆⊆ C(ϕ) such that:

X⊆ ∆

if ψ∈ ∆, then Γ1(ψ)⊆ ∆ or Γ2(ψ)⊆ ∆

Atoms and pre-models

A pre-models is a sequence of atoms that abstracts a set of models of a formula.

Definition

Apre-modelgenerated by a set X⊆ C(ϕ) is an infinite sequence of atoms ∆ =⟨∆0, ∆₁, . . .⟩ such that:

∆₀is generated by X;

for all i⩾ 0, ∆i+1is generated by X(∆_i) where X(∆) ={ψ | X ψ ∈ ∆};

if αU β ∈ ∆i, then there is a k⩾ k such that β ∈ ∆k,

Atoms and pre-models

Pre-models abstract models for a formula:

A set of models for ϕ can be extracted by a pre-model ∆ A pre-model ∆ can be built from a model σ for ϕ such that if ψ∈ ∆ithen σ, i|= ψ

Finding the accepted branch

The tableau nodes can be used to build atoms:

get the sequence π =⟨π0, . . . , π_m⟩ of a branch’s poised nodes

∆(π_i), theatomof π_i, is the union of all the nodes that got expandedto reach πi.

∆(π_i)isgeneratedby X(Γ(π_i−1)).

Finding the accepted branch

So suppose a model for ϕ exists:

make a pre-model ∆ for ϕ

use ∆ as a guide totraversethe tableau for ϕ:

find a branch u =⟨u0, . . . ,un⟩ s.t. if ∆(u_i) = ∆_ifor all i⩾ 0 the branch cannot berejectedby the contradiction rule, because otherwise we would have{p, ¬p} ⊆ ∆n.

so either the branch is accepted, and we are done, or it has been rejected by the prune rule.

Greedy pre-models

Let ∆ ={∆0, ∆1, . . .} be a pre-model for ϕ. For each X-eventuality ψ≡ X(α U β) ∈ C(ϕ) and position i ⩾ 0, let:

d_i(ψ) =







0 if ψ isnotrequested at position i n if ψ is requested at position i

and fulfilled at j > i such that n = j − 1

ψ₁≡ X(α U β)

ψ2≡ X(α U γ) β γ

d 3

Greedy pre-models

Let ∆ ={∆0, ∆1, . . .} be a pre-model for ϕ. For each X-eventuality ψ≡ X(α U β) ∈ C(ϕ) and position i ⩾ 0, let:

d_i(ψ) =







0 if ψ isnotrequested at position i n if ψ is requested at position i

and fulfilled at j > i such that n = j − 1

ψ₁≡ X(α U β)

ψ2≡ X(α U γ) β γ

d 2

Greedy pre-models

Let ∆ ={∆0, ∆1, . . .} be a pre-model for ϕ. For each X-eventuality ψ≡ X(α U β) ∈ C(ϕ) and position i ⩾ 0, let:

d_i(ψ) =







0 if ψ isnotrequested at position i n if ψ is requested at position i

and fulfilled at j > i such that n = j − 1

ψ₁≡ X(α U β)

ψ2≡ X(α U γ) β γ

d 1

Greedy pre-models

Let ∆ ={∆0, ∆1, . . .} be a pre-model for ϕ. For each X-eventuality ψ≡ X(α U β) ∈ C(ϕ) and position i ⩾ 0, let:

d_i(ψ) =







0 if ψ isnotrequested at position i n if ψ is requested at position i

and fulfilled at j > i such that n = j − 1

ψ₁≡ X(α U β)

ψ2≡ X(α U γ) β γ

d 0

Greedy pre-models

With delays, we can define apreorderon pre-models.

Given two premodels ∆ and ∆^′:

d_i⩽ d_i^′iff d_i(ψ)⩽ d_i^′(ψ)for all X-eventualities ψ

∆_i⪯ ∆_i^′iff d_i⩽ d_i^′

the order on pre-models is definedlexicographically:

∆⪯ ∆^′iff ∆_j ⩽ ∆_j^′for some j⩾ 0 with ∆i = ∆_i^′for all i < j.

Existence of greedy pre-models

If there is a pre-model ∆ for ϕ, then there is agreedyone ∆^′ ⪯ ∆.

∆⁰₀ ∆⁰₁ ∆⁰₂ · · · ∆⁰n · · ·

⪯

∆¹₀ ∆¹₁ ∆¹₂ · · · ∆¹_n · · ·

⪯

∆²₀ ∆²₁ ∆²₂ · · · ∆²n · · ·

∼ = ⪯

∆³₀ ∆³₁ ∆³₂ · · · ∆³_n · · ·

∼ = ∼ = ⪯

An infinite descending chains of pre-models might exists

but, for any m the prefix of length m stabilizes sooner or later hence thelimitof the sequence is a pre-model, and is greedy.

Completeness: Endgame

Greedy pre-models allow us to prove completeness:

Traverse the tableau tree as described before, but suppose to do it with agreedypre-model ∆ for the formula ϕ Recall that we found a branch u with poised nodes π such that ∆(π_i) = ∆_i

Recall that by construction, it can only have been crossed by the prune rule, if at all

Let’s show this cannot happen.

Completeness: Endgame

X F α X F β X F γ 1 2

8 α β

X F α X F β X F γ 1 4

5 α

X F α X F β X F γ n 1

2 β γ

1 2 5

α β n

1 2

β γ

Completeness: Endgame

X F α X F β X F γ 1 2

8 α β

X F α X F β X F γ 1 4

5 α

X F α X F β X F γ n 1

2 β γ

1 2 5

α β n

1 2

β γ

Completeness: Endgame

X F α X F β X F γ 1 2

8 α β

X F α X F β X F γ 1 4

5 α

X F α X F β X F γ n 1

2 β γ

1 2 5

α β n

1 2

β γ

Completeness: Endgame

X F α X F β X F γ 1 2

8 α β

X F α X F β X F γ 1 4

5 α

X F α X F β X F γ n 1

2 β γ

1 2 5

α β n

1 2

β γ

Completeness: Endgame

X F α X F β X F γ 1 2

8 α β

X F α X F β X F γ 1 4

5 α

X F α X F β X F γ n 1

2 β γ

1 2 5

α β n

1 2

β γ

The end

Questions?

Appendix

Why three occurrences?

Consider this formula:

ϕ≡ p ∧ G(p ←→ X ¬p) ∧ G F q1∧ G F q2∧

G¬(q1∧ q2)∧ G(q1−→ ¬p) ∧ G(q2−→ ¬p)

And its tableau: {ϕ}

{. . . , X F q1,X F q2, . . .}

. . . {. . . , X F q1,X F q2, . . .}

7 ?

. . . {. . . , X F q1,X F q2, . . .}

3

q2

q1

p q1 p q2 p q1

Why three occurrences?

Consider this formula:

ϕ≡ p ∧ G(p ←→ X ¬p) ∧ G F q1∧ G F q2∧

G¬(q1∧ q2)∧ G(q1−→ ¬p) ∧ G(q2−→ ¬p) And its tableau:

{ϕ}

{. . . , X F q1,X F q2, . . .}

. . . {. . . , X F q1,X F q2, . . .}

7 ?

3

q1

p q1 p q2 p q1

Why three occurrences?

Consider this formula:

ϕ≡ p ∧ G(p ←→ X ¬p) ∧ G F q1∧ G F q2∧

G¬(q1∧ q2)∧ G(q1−→ ¬p) ∧ G(q2−→ ¬p) And its tableau:

{ϕ}

{. . . , X F q1,X F q2, . . .}

. . . {. . . , X F q1,X F q2, . . .}

7 ?

3

q1

p q1 p q2 p q1

Why three occurrences?

Consider this formula:

ϕ≡ p ∧ G(p ←→ X ¬p) ∧ G F q1∧ G F q2∧

G¬(q1∧ q2)∧ G(q1−→ ¬p) ∧ G(q2−→ ¬p) And its tableau:

{ϕ}

{. . . ,X F q1,X F q2, . . .}

. . . {. . . ,X F q1,X F q2, . . .}

3

q1

p q1 p q2 p q1

Why three occurrences?

Consider this formula:

ϕ≡ p ∧ G(p ←→ X ¬p) ∧ G F q1∧ G F q2∧

G¬(q1∧ q2)∧ G(q1−→ ¬p) ∧ G(q2−→ ¬p) And its tableau:

{ϕ}

{. . . ,X F q1,X F q2, . . .}

. . . {. . . ,X F q1,X F q2, . . .}

7 ?

3

q1

p q1 p q2 p q1

Why three occurrences?

Consider this formula:

ϕ≡ p ∧ G(p ←→ X ¬p) ∧ G F q1∧ G F q2∧

G¬(q1∧ q2)∧ G(q1−→ ¬p) ∧ G(q2−→ ¬p) And its tableau:

{ϕ}

{. . . ,X F q1,X F q2, . . .}

. . . {. . . , X F q1,X F q2, . . .}

7 ?

q q1

p q1 p q2 p q1