The Tractability of Model-Checking for LTL: The Good, the Bad, and the Ugly Fragments
Heribert Vollmer
Theoretische Informatik, Leibniz Universität Hannover
The burning issue
Problem
The model-checking problem for full Linear Temporal Logic (LTL) is PSPACE-complete [Sistla, Clarke 1985]. That is, this problem is (most probably) intractable.
Solution
Systematically restrict the propositional part of LTL.
⇝ Many tractable (good) fragments
⇝ Many intractable (bad) fragments
The tractability of LTL model-checking 2
What is Linear Temporal Logic?
LTL = propositional logic plus temporal operators, speaks about linear structures; for example:
A structure P
[Figure: the structure P, an infinite sequence of states numbered 1, 2, 3, ..., each labelled with some of the propositions w, e, c, h]
The language and its interpretation
[Figure: the structure P, repeated from the previous slide]
The following kinds of statements can be formulated in LTL.
◮ now: P, 2 ⊨ (w ∧ ¬e) ∨ c
◮ at some time in the Future: P, 0 ⊨ Fh
◮ always Going to: P, 3 ⊨ G¬e
◮ neXt time: P, 1 ⊨ X(w → e)
◮ Until: P, 5 ⊨ cU(¬w)
◮ Since: P, 3 ⊨ cSw
◮ P, 0 ⊨ F(c ∧ ¬e) ∧ G((c ∧ ¬w) → [X(w ∧ Xh) ∧ (h → w ∧ c)Uc])
A model and a structure
A model (cf. Clarke et al., "Model Checking"): Possible behaviour of a microwave oven
[Figure: state graph of the microwave oven. States are labelled with some of the propositions w (working), e (error), h (heating), c (door closed); transitions are labelled Start, Reset, Open Door, Close Door, Start Cooking, Cook, End]
A structure: Actual behaviour of a microwave oven
[Figure: the same state graph of the microwave oven]
Summing up: Models and structures
Model
A directed graph where every state has a successor. States are marked with assignments to propositional variables.
Structure
An infinite path in a model.
The model-checking problem
Model-Checking
Instance: ϕ, M, a
Question: Does M contain a structure P with initial state a such that P, a ⊨ ϕ?
Theorem (Sistla, Clarke 1985)
Model-checking for LTL is PSPACE-complete.
When do LTL fragments suffice?
Example
Properties of "microwave oven runs" expressible in LTL fragments:
Property | Formula | Operators used
An error never occurs. (Safety) | G¬e | G, ¬
 | ¬Fe | F, ¬
 | Ge′ | G
Every error will eventually be resolved. (Liveness) | GF¬e | F, G, ¬
 | G¬Ge | G, ¬
 | GFe′ | F, G
The model-checking problem for LTL fragments
LTL fragment
Let T ⊆ {F, G, X, U, S} be a set of temporal operators and B be a finite set of Boolean operators.∗
L(T, B) = set of all LTL formulas with operators in T ∪ B.
∗For instance, {∧, ∨} — monotone formulae.
Model-checking problem MC(T, B) for LTL fragments
Instance: ϕ, M, a with ϕ ∈ L(T, B)
Question: Does M contain a structure P with initial state a such that P, a ⊨ ϕ?
Known complexity results . . .
Theorem ([Sistla, Clarke 1985] and [Markey 2004])
1. MC({G, X}, {∧, ∨, ¬}) and MC({U}, {∧, ∨, ¬}) are PSPACE-complete, even if negation is applied to atoms only.
2. MC({F}, {∧, ∨, ¬}), MC({G}, {∧, ∨, ¬}) and MC({X}, {∧, ∨, ¬}) are NP-complete, even if negation is applied to atoms only.
3. MC({F, X}, {∧, ∨, ¬}) in general is PSPACE-complete, but NP-complete if negation is applied to atoms only.
Known complexity results . . .
Consequences of results by [Sistla, Clarke 1985] and [Markey 2004]:
Hardness and completeness of MC(T, B)
T \ B | {∧, ∨} | {∧, ∨, ¬}
X | NP | NP
G | NP | NP
F | NP | NP
FX | NP | PSPACE
GX | PSPACE | PSPACE
U | PSPACE | PSPACE
Bad fragments!
What we would like to know . . .
Goal
◮ classify the complexity of MC(T, B) for all LTL fragments
◮ separate LTL fragments into good (efficiently solvable) and bad (NP-hard)
Fragments of propositional logic: Clones
[Figure: Post's lattice (est'd 1941 by Emil Post)]
X2: without constants
X0, X1: with constant 0, 1
BF: all Boolean functions
M: monotone functions
S1: x ∧ ¬y
S0: x → y
D: f(a1, . . . , an) = ¬f(¬a1, . . . , ¬an)
L: x ⊕ y (xor)
V: x ∨ y
E: x ∧ y
N: ¬x
I: identities
Clones with both constants
All relevant sets of Boolean operators
I: ∅
N: ¬
E: ∧
V: ∨
M: monotone
L: ⊕
BF: all
Every other set of Boolean operators can be reduced to one of these.
Tractability of model-checking: Fragments with F,G,X
Hardness and completeness of MC(T, B)
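B | I | N | E | V | M | L | BF
T | | ¬ | ∧ | ∨ | mon. | ⊕ | all
X | NL | NL | NL | NL | NP | NL | NP
G | NL | NL | NL | NL | NP | | NP
F | NL | NL | NP | NL | NP | | NP
FG | NL | NL | NP | NL | NP | | NP
FX | NL | NL | NP | NL | NP | | PS
GX | NL | NL | NL | NP | PS | | PS
FGX | NL | NL | NP | NP | PS | | PS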
(PS = PSPACE)
Tractability of model-checking: Fragments with S, U
Hardness and completeness of MC(T, B)
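B | I | N | E | V | M | L | BF
T | | ¬ | ∧ | ∨ | mon. | ⊕ | all
S | L | L | L | L | L | L | L
SX | NP | NP | NP | NP | NP | NP | NP
SG | NP | NP | NP | NP | PS | NP | PS
SF | NL | NP | NP | NL | PS | NP | PS
SFG | NP | NP | NP | NP | PS | NP | PS
SFX | NP | NP | NP | NP | PS | NP | PS
SGX | NP | NP | NP | NP | PS | NP | PS
SFGX | NP | NP | NP | NP | PS | NP | PS
other | NP | NP | NP | NP | PS | NP | PS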
An NP-hardness proof
Theorem (Sistla, Clarke 1985)
MC({F}, {∧}) is NP-hard.
Proof sketch.
◮ Reduction from 3SAT
◮ From (x1 ∨ ¬x2 ∨ ¬x4) ∧ (¬x1 ∨ x3 ∨ ¬x4) ∧ (¬x2 ∨ x4) we obtain the model
[Figure: the model built from the formula, with states q, two states per variable x1, ..., x4, and s, labelled with the propositions b1, b2, b3]
and the L({F}, {∧})-formula Fb1 ∧ Fb2 ∧ Fb3.
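The reduction in this proof sketch, as an added Python example that is not part of the original slides. The model layout (q, one state per literal, a sink s with a self-loop, and b_j on every literal state that satisfies clause j) is an assumed standard construction, since the slide's figure is not recoverable; all function names are hypothetical. The checker handles any conjunction of F-atoms over any model, which goes slightly beyond the single instance on the slide.

```python
from collections import deque
from itertools import product

# 3SAT instance from the slide; literal x_i is i, literal ¬x_i is -i.
CNF = [(1, -2, -4), (-1, 3, -4), (-2, 4)]

def build_model(cnf, n_vars):
    """Assumed layout: q -> x1/¬x1 -> ... -> xn/¬xn -> s, with a self-loop on s."""
    succ, label = {"q": [1, -1], "s": ["s"]}, {"q": set(), "s": set()}
    for i in range(1, n_vars + 1):
        for lit in (i, -i):
            succ[lit] = [i + 1, -(i + 1)] if i < n_vars else ["s"]
            # b_j labels exactly the literal states that satisfy clause j.
            label[lit] = {f"b{j}" for j, c in enumerate(cnf, 1) if lit in c}
    return succ, label

def check_F_conjunction(succ, label, start, goals):
    """Search (state, goals seen) pairs for a path prefix from `start` covering
    all goals; that decides F g1 ∧ ... ∧ F gk, since every state has a
    successor. Returns the prefix as a list of states, or None."""
    goals = frozenset(goals)
    first = (start, goals & label[start])
    parent, queue = {first: None}, deque([first])
    while queue:
        node = queue.popleft()
        state, seen = node
        if seen == goals:
            prefix = []
            while node is not None:
                prefix.append(node[0])
                node = parent[node]
            return prefix[::-1]
        for nxt in succ[state]:
            child = (nxt, seen | (goals & label[nxt]))
            if child not in parent:
                parent[child] = node
                queue.append(child)
    return None

def satisfiable(cnf, n_vars):
    """Brute-force SAT, only to cross-check the reduction."""
    return any(all(any((lit > 0) == bits[abs(lit) - 1] for lit in c) for c in cnf)
               for bits in product([False, True], repeat=n_vars))

def model_check(cnf, n_vars):
    """Run the reduction: build the model, then check Fb1 ∧ ... ∧ Fbm from q."""
    succ, label = build_model(cnf, n_vars)
    return check_F_conjunction(succ, label, "q", [f"b{j}" for j in range(1, len(cnf) + 1)])

print(model_check(CNF, 4))
```

The search space is |states| × 2^m for m clauses, which is where the exponential cost of this fragment shows up; the returned prefix reads off a satisfying partial assignment.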
An NP-hardness proof
Theorem
MC({U}, ∅) is NP-hard.
Proof sketch.
◮ Reduction from 3SAT
◮ From (x1 ∨ ¬x2 ∨ ¬x4) ∧ (¬x1 ∨ x3 ∨ ¬x4) ∧ (¬x2 ∨ x4) we obtain the model
[Figure: the model built from the formula, with states q1, q2, q3, two states per variable x1, ..., x4, and s, labelled with the propositions a1, a2, a3 and b1, b2, b3]
and the L({U}, ∅)-formula ((a1Ub1)U(a2Ub2))U(a3Ub3).
An NL-completeness proof
Theorem
MC({F, X}, {∨}) is NL-complete.
Proof sketch.
◮ NL-hardness: Reduction from the Graph Accessibility Problem
◮ NL-membership via a logspace computable normal form
Given ϕ, M, a, transform ϕ into ϕ′ = FX^{i_1} y_1 ∨ · · · ∨ FX^{i_n} y_n ∨ X^{i_{n+1}} y_{n+1} ∨ · · · ∨ X^{i_m} y_m.
◮ Guess one of the disjuncts (F)X^{i_j}.
◮ Guess the initial section of a path in M from a. (Its length is determined by i_j.)
◮ Check the truth of (F)X^{i_j} at a.
Another good fragment
Theorem
MC({G, X}, {∧}) is NL-complete.
Proof sketch.
◮ NL-hardness: as above
◮ NL-membership:
Example: (Xb ∧ GX(Ga ∧ XGXGXb)) ≡ Xb ∧ XGa ∧ XXXGb
goal: guess a path with the following properties:
in state 0: nothing to check
in state 1: b and a hold
in state 2: a holds
in state 3: a and b hold
in state 4: a and b hold
. . .
Duality
◮ MC({F, X}, {∨}) is NL-complete.
◮ MC({G, X}, {∧}) is NL-complete.
◮ MC({F}, {∧}) is NP-complete.
◮ MC({G}, {∨}) is NL-complete, even MC({F, G}, {∨}).
A PSPACE-hardness proof
Theorem
For each finite B with [B] ⊇ M: MC({G, X}, B) is PSPACE-hard.
Proof sketch.
◮ PSPACE-hardness of MC({G, X}, {∧, ∨}) follows from [Markey 2004].
◮ Every operator in B can be represented by a short ∧, ∨-formula.
◮ Hence, MC({G, X}, {∧, ∨}) ≤^{log}_m MC({G, X}, B).
General results: lower bounds
Lemma (lower bounds are inherited by larger clones)
Let B ⊆ {∧, ∨, ¬} and B ⊆ [C]. Then MC(T, B) ≤^{log}_m MC(T, C).
specific: MC({G, X}, {∨}) is NP-hard.
general: Let C be a finite set of Boolean functions such that {∨} ⊆ [C]. Then MC({G, X}, C) is NP-hard.
specific: MC({G, X}, {∨, ∧}) is PSPACE-complete.
general: Let C be a finite set of Boolean functions such that {∨, ∧} ⊆ [C]. Then MC({G, X}, C) is PSPACE-hard.
General results: upper bounds
Fear
Upper bounds are not necessarily inherited by smaller clones.
Does MC({G, X}, C) ∈ PSPACE hold for every C?
Some upper bounds can be generalized. For example:
specific: MC({F, X}, {∨}) is in NL.
general: Let C be a finite set of Boolean functions such that [C] ⊆ [{∨}]. Then MC({F, X}, C) is in NL.
Conclusion
Achieved
◮ Separated model-checking problems for almost all LTL fragments into good (efficiently solvable) and bad (NP-hard).
◮ Established the exact complexity of all good fragments.
Open questions
◮ LTL fragments with ⊕ (ugly)
◮ upper bounds e.g. for MC({U}, ∅)
◮ exact complexity of bad fragments
◮ CTL . . .
Related work
Achieved
◮ Complete classification of satisfiability for all fragments of CTL∗
◮ Partial classification of reasoning in fragments of default logic
  ◮ existence of a stable extension
  ◮ credulous reasoning
  ◮ skeptical reasoning
Thanks
Joint work with
Michael Bauland, Olaf Beyersdorff, Arne Meier, Martin Mundhenk, Thomas Schneider, Henning Schnoor, Ilka Schnoor, Michael Thomas
Thank you!