On model-checking durational Kripke structures F. Laroussinie , N. - - PowerPoint PPT Presentation



SLIDE 1

On model-checking durational Kripke structures

F. Laroussinie∗, N. Markey◦, Ph. Schnoebelen∗

http://www.lsv.ens-cachan.fr

∗ LSV, ENS de Cachan & CNRS UMR 8643
◦ LIFO, Univ. d’Orléans & CNRS FRE 2490
SLIDES 2-4

Verifying real-time systems: A |= ϕ

Describing real-time systems (where quantitative information about timing is required)

Ex: Time-out

Expressing quantitative properties (over the timing of actions)

Ex: “any problem is followed by an alarm in at most 20 time units”

SLIDE 5

Timed Specification Languages

“any problem is followed by an alarm in at most 20 time units”

  • Temporal logics with subscripts: AG(problem ⇒ AF≤20 alarm)
  • Temporal logics with clocks: AG(problem ⇒ (x in AF(x ≤ 20 ∧ alarm)))
SLIDES 6-8

Cost of verifying timed models

                 Kripke structures    Timed automata
  Reachability:  NLOGSPACE-C          PSPACE-C
  (T)CTL:        O(|S| · |ϕ|)         PSPACE-C
  (T)LTL:        PSPACE-C             undecidable if T = R, or EXPSPACE-C if T = N
  AF-µ-cal.:     O(|S| · |ϕ|)         EXPTIME-C

Using timed automata induces a complexity blowup! [AH92, AH94, ACD93, AL99]

Is it possible to have quantitative constraints without such a blowup?

SLIDES 9-11

Modelling with simpler models

It is possible to use classical Kripke structures as timed models. There is no inherent concept of time: time elapsing is encoded by events. For example:

  • each transition = one time unit
  • or: a “tick” proposition labels states where one t.u. elapses.

Model-checking can be polynomial-time! ([EMSS92, LST00])

Is it possible to have more expressive models and temporal logics while staying polynomial-time?

SLIDE 12

Outline

  • our model: Durational Kripke Structures
  • Model-checking TCTL is ∆^p_2-complete
  • Model-checking TCTL≤,≥ is P-complete
  • And TLTL, TCTL∗, TCTL+...
  • Conclusion
SLIDE 13

Durational Kripke Structures

(Figure: the running example, a paper-submission workflow with states New Idea, Draft Written, Submission, Wait for Submi. Notif., Notif. Accept, Notif. Reject, Revised Draft, Final Version and Publication; the transitions carry the duration intervals [7,45], [25,50], [25,50], [0,7], [50,110], 1, [0,10], [0,∞), [0,∞) and [0,366].)

SLIDE 14

Durational Kripke Structures (DKS)

A durational Kripke structure S is ⟨Q, R, l⟩ where

  • Q is a (finite) set of states,
  • R ⊆ Q × I × Q is a total transition relation with durations,
  • l : Q → 2^AP labels every state with a subset of AP.

I is the set of intervals of the form “[n, m]” or “[n, ∞)” (with n, m ∈ N).

AP is the set of atomic propositions.

SLIDE 15

Semantics of DKS

A transition q -[n,m]-> q′ in the model means that “moving from q to q′ takes some duration d in [n, m].” The behaviour is: q -d-> q′ (d ∈ N: time is discrete).

A path π in a DKS is π = q0 -d0-> q1 -d1-> q2 . . . with qi -di-> qi+1 ∈ R for all i.

The length of a finite path π = q0 -d0-> q1 -d1-> q2 · · · qn is n. The duration of π (denoted Time(π)) is d0 + · · · + dn−1.

SLIDE 16

Semantics of DKS

(Figure: the running example DKS again, with one concrete run unfolded below it through New Idea, Draft Written, Wait for . . ., Submission, Notif. of acc. . . ., the step durations 15, 20, 27, . . . being shown on the arrows.)

SLIDES 17-18

Variants of DKS in literature

  • tight DKS: all intervals are singletons (q -d-> q′). “State graphs” in [AH94] or “timed KS” in [ET99].
  • small-step DKS (ssDKS): all steps have duration 0 or 1. Similar to “KS + tick” in [LST00] and KS in [EMSS92].

We have two specific properties over the small-step DKSs:

  − Durations of shortest paths are less than |Q| − 1,
  − Time progresses smoothly along paths: a path π of duration d = d1 + d2 can always be decomposed into π′ · π′′ such that Time(π′) = d1 and Time(π′′) = d2.

These properties do not hold for DKSs!

SLIDE 19

Expressing Properties over DKS

(Figure: the running example DKS.)

“whenever a notification is received, either publication or submission occurs in less than 150 days?”

SLIDES 20-22

Definition of TCTL

TCTL formulae are built from:

  • atomic propositions (for ex. Submission, Notification, Publication)
  • boolean combinators (∧, ∨, ¬)
  • the EX operator
  • E _ U∼c _ and A _ U∼c _, + all the standard abbreviations: AG∼c, AF∼c etc.

q |= E ϕ U∼c ψ iff there is a run π : q = q0 -d0-> q1 -d1-> q2 · · · and an integer n s.t. Time(π|n) ∼ c, qn |= ψ, and qi |= ϕ for all 0 ≤ i < n.

“whenever a notification is received, either publication or submission occurs in less than 150 days?”

AG(Notification ⇒ AF≤150 (Publication ∨ Submission))
SLIDES 23-24

Exercise - 1

(Figure: the running example DKS; the second slide highlights the durations 7, 25, 50 along one path.)

AG(New Idea ⇒ ¬EF<100 Publication)   (no!)

SLIDES 25-26

Exercise - 2

(Figure: the running example DKS.)

AG(New Idea ⇒ ¬EF<60 Publication)   (yes!)
SLIDE 27

Model-checking TCTL

Theorem [EMSS92, LST00]: Model-checking TCTL over ssDKS can be done in O(|S|^3 · |ϕ|).

And over DKS?

SLIDES 28-29

Model-checking TCTL

Proposition: Model-checking formulae of the form EF=c P over DKS is NP-hard.

Reduction from KNAPSACK [GJ79]: given a finite set A = {a1, . . . , an} of natural integers, and some target D, is there a subset A′ of A s.t. D = Σ_{a∈A′} a?

This is the case iff q0 |= EF=D P in the following DKS:

(Figure: a chain of states q0, q1, q2, . . . , qn, with qn labelled P and the steps carrying the durations a1, a2, a3, . . . , an.)
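As an added example (not from the slides), the reduction and the exact-duration check in Python. The chain gadget follows my reading of the figure: from q_{i-1} to q_i one either spends a_i time units or 0, so the runs that reach q_n in exactly D time units are the subsets of A summing to D. `ef_exact` decides EF=c P by tabulating, for each t ≤ c, the states reachable in exactly t time units; its running time grows with the value of c, i.e. exponentially in the binary size of c, which is what the NP-hardness above leads one to expect.

```python
from collections import defaultdict
from itertools import combinations

# A DKS is a list of edges (source, lo, hi, target), durations in [lo, hi],
# plus a dict mapping each state to its set of atomic propositions.

def knapsack_dks(weights):
    """Chain gadget for the KNAPSACK reduction (assumed reading of the figure):
    each a_i is either taken (duration a_i) or skipped (duration 0)."""
    edges, n = [], len(weights)
    for i, a in enumerate(weights):
        edges.append((f"q{i}", a, a, f"q{i+1}"))
        edges.append((f"q{i}", 0, 0, f"q{i+1}"))
    edges.append((f"q{n}", 0, 0, f"q{n}"))   # R must be total: loop on the last state
    return edges, {f"q{n}": {"P"}}

def ef_exact(edges, labels, q0, c, prop):
    """Decide q0 |= EF=c prop. at[t] is the set of states reachable from q0 with
    total elapsed time exactly t; zero-duration steps are closed off with a
    worklist because they stay inside the same time slot."""
    succ = defaultdict(list)
    for q, lo, hi, q2 in edges:
        succ[q].append((lo, hi, q2))
    at = [set() for _ in range(c + 1)]
    at[0].add(q0)
    for t in range(c + 1):
        work = list(at[t])
        while work:
            q = work.pop()
            for lo, hi, q2 in succ[q]:
                for d in range(lo, min(hi, c - t) + 1):   # never overshoot c
                    if q2 not in at[t + d]:
                        at[t + d].add(q2)
                        if d == 0:
                            work.append(q2)
    return any(prop in labels.get(q, set()) for q in at[c])

def subset_sum(weights, target):
    """Brute-force KNAPSACK, used here only to cross-check the reduction."""
    return any(sum(s) == target
               for r in range(len(weights) + 1) for s in combinations(weights, r))

if __name__ == "__main__":
    edges, labels = knapsack_dks([3, 5, 7])          # constructed instance
    for D in range(16):
        assert ef_exact(edges, labels, "q0", D, "P") == subset_sum([3, 5, 7], D)
    print("q0 |= EF=12 P:", ef_exact(edges, labels, "q0", 12, "P"))   # True (5 + 7)
```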

SLIDE 30

Model-checking TCTL≤,≥

Let TCTL≤,≥ denote the fragment of TCTL where equality constraints on modalities are not allowed.

Theorem: Model-checking TCTL≤,≥ over DKSs can be done in time O(|S|^2 · |ϕ|).

Idea of the proof: it is enough to extend the classical CTL algorithm with decision procedures running in time |S|^2 · ⌈log c⌉ for each modality E P1 U∼c P2 and A P1 U∼c P2.

SLIDE 31

Model-checking TCTL≤,≥

Decision procedure for ϕ = E P1 U≤c P2

  • We restrict to the subgraph where only states satisfying E P1 U P2 have been kept, and where we only consider the left extremity of the intervals on edges.
  • Then for every state q we compute the smallest duration (call it cq) of a path from q to some state satisfying P2.

This can be done in time O(|S|^2) using a classical single-source shortest paths algorithm. Then q |= ϕ iff cq ≤ c.
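An added Python example of this procedure (not from the slides) on a small constructed DKS: `min_durations` runs Dijkstra backwards from the P2 states, relaxing only through states labelled P1 and only with the left endpoint of each interval, and `eu_le` reads off the states with c_q ≤ c.

```python
import heapq
from collections import defaultdict
from math import inf

# Constructed DKS (not the slides' running example): edges are
# (source, lo, hi, target) with durations in [lo, hi]; hi may be inf.
EDGES = [("a", 2, 10, "b"), ("a", 1, inf, "d"), ("d", 0, 0, "c"),
         ("b", 3, 5, "c"), ("e", 4, 4, "a"), ("c", 0, inf, "c")]
LABELS = {"a": {"P1"}, "b": {"P1"}, "c": {"P2"}, "d": set(), "e": {"P1"}}

def min_durations(edges, labels, p1, p2):
    """c_q = smallest Time(pi) over paths q = q_0 ... q_n with q_i |= p1 for i < n
    and q_n |= p2. Only the left endpoint of each interval matters: a witness of
    E p1 U<=c p2 may always pick the quickest duration. Multi-source Dijkstra on
    the reversed graph, seeded with the p2 states (c_q = 0 there); weights are
    naturals, so Dijkstra's non-negativity requirement holds."""
    pred = defaultdict(list)
    for q, lo, _hi, q2 in edges:
        pred[q2].append((lo, q))
    dist = {q: inf for q in labels}
    heap = []
    for q, props in labels.items():
        if p2 in props:
            dist[q] = 0
            heapq.heappush(heap, (0, q))
    while heap:
        d, q = heapq.heappop(heap)
        if d > dist[q]:          # stale heap entry
            continue
        for lo, p in pred[q]:
            # the restriction to the E p1 U p2 subgraph: only p1 states may be crossed
            if p1 in labels[p] and d + lo < dist[p]:
                dist[p] = d + lo
                heapq.heappush(heap, (dist[p], p))
    return dist

def eu_le(edges, labels, p1, p2, c):
    """States satisfying E p1 U<=c p2: exactly those with c_q <= c."""
    return {q for q, d in min_durations(edges, labels, p1, p2).items() if d <= c}

if __name__ == "__main__":
    print(min_durations(EDGES, LABELS, "P1", "P2"))  # a: 5, b: 3, c: 0, d: inf, e: 9
    print(eu_le(EDGES, LABELS, "P1", "P2", 5))        # {'a', 'b', 'c'}
```

State d is unreachable in the restricted graph because it satisfies neither P1 nor P2, so the path a -> d -> c of duration 1 is correctly ignored and c_a is 5 via b.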

SLIDE 32

Model-checking TCTL≤,≥

Decision procedure for ϕ = E P1 U≥c P2. There are 2 ways a state can verify ϕ:

  • along a simple path (i.e. with no loop): similar to the previous case.
  • with loops:

(Figure: a path through P1-states that contains a loop and ends in a P2-state.)

We add a new proposition P_SCC+(P1) labeling every state that belongs to a strongly connected component with duration > 0, satisfying P1. Then: q |= E P1 U≥c P2 if q |= E P1 U (P1 ∧ P_SCC+(P1) ∧ E P1 U P2).

Other operators can be handled in a similar way.

SLIDES 33-34

Model-checking TCTL

Proposition: Model-checking TCTL over DKSs is in ∆^p_2.

∆^p_2 is the class P^NP of problems that can be solved by a deterministic polynomial-time Turing machine that has access to an NP oracle.

This proposition is based on the following lemma:

Lemma: Model-checking formulae of the form E P1 U=c P2 or A P1 U=c P2 over DKS is in NP.

SLIDES 35-36

Model-checking E P1 U=c P2

q0 |= E P1 U=c P2 ⇔ ∃π = q0 -d1-> q1 -d2-> · · · -dn-> qn such that

  qi |= P1,   qn |= P2,   Σ di = c,   n < c · |Q|

Let Φπ : R → N be the Parikh image of π, i.e. the number of times each transition is used in π.

  • Φπ can be encoded in polynomial size
  • Given Φ : R → N, we can decide in polynomial time whether Φ corresponds to a witness of q0 |= E P1 U=c P2. (Euler circuit theorem + verification of propositions + verification of the length)

Verifying E P1 U=c P2 can be done in NP.

SLIDE 37

Complexity of TCTL model-checking

Theorem: Model-checking TCTL over DKS is ∆^p_2-complete.

The proof of ∆^p_2-hardness is done by reduction of SNSAT (“sequentially nested SAT”) to TCTL model checking.

SLIDE 38

A ∆^p_2-complete problem

SNSAT (sequentially nested SAT) is ∆^p_2-complete ([LMS01]):

  I = { x1 := ∃Z1 F1(Z1),
        x2 := ∃Z2 F2(x1, Z2),
        . . .
        xn := ∃Zn Fn(x1, . . . , xn−1, Zn) }

where each Fi is a 3-CNF. I defines a unique valuation vI of the variables in X where: vI(xi) = ⊤ iff Fi(vI(x1), . . . , vI(xi−1), Zi) is satisfiable.

Problem: deciding whether vI(xn) = ⊤.

SNSAT can be reduced to TCTL model-checking.

SLIDE 39

∆^p_2-hardness of TCTL model-checking

Assume Fi = ⋀_l ⋁_{m=1}^{3} αi,l,m. With every disjunct ⋁_m αi,l,m we associate a clause Ci,l of the form xi ∨ ⋁_m αi,l,m.

Let Cl = {C1, . . . , Cr} be the resulting set of clauses. Fix some K > 11. To variables u ∈ X ∪ Z and clauses C ∈ Cl we assign weights s(u) and s(C) given by:

  s(xi) = K^i    s(zi) = K^(n+i)    s(Ci) = K^(n+p+i)    (p = |Z|)

A multiset M of variables and clauses has weight s(M) = Σ_x s(x) × M(x).

Now if M(x) < K and M′(x) < K for all x ∈ X ∪ Z ∪ Cl, then: s(M) = s(M′) iff M = M′.

SLIDE 40

∆^p_2-hardness of TCTL model-checking

(Figure: the DKS built from I, with paired states for xn, . . . , x1 and z1, . . . , zp, edges of durations d(xi) and d(zj), a branch of duration s(xn) + Σ{s(Ci) | xn ⇒ Ci}, and clause gadgets with durations 3C1, 2C1, C1, . . . , 3Cr, 2Cr, Cr.)

vI(xn) = ⊤ iff xn |= ϕ_{2n−1} with:

  ϕk = E (Px ⇒ EX (Px ∧ ¬ϕ_{k−1})) U=D ⊤,   ϕ0 = ⊤,   and D = Σ_{u∈Var} s(u) + 4 × Σ_{C∈Cl} s(C)

SLIDE 41

Conclusion

(Summary table: complexity of model-checking TCTLc, TCTL+, TCTL∗, TLTL and TCTL, each with constraints ≤, ≥, = or only ≤, ≥, over ssDKSs (0/1 steps), tight DKSs (n steps) and DKSs (ρ steps); the entries range over PTIME-complete, ∆^p_2-complete, PSPACE-complete and EXPSPACE-complete.)

  1. Exact durations make model-checking harder.
  2. Polynomial time model-checking is possible if one considers TCTL≤,≥ or TCTL and ssDKSs.
  3. A new ∆^p_2-complete model-checking problem.
  4. We are considering other semantics.
SLIDE 42

References - 1

[ACD93] R. Alur, C. Courcoubetis, and D. Dill. Model-checking in dense real-time. Information and Computation, 104(1):2–34, 1993.

[AH92] R. Alur and T. A. Henzinger. Logics and models of real time: A survey. In Real-Time: Theory in Practice, Proc. REX Workshop, Mook, NL, June 1991, volume 600 of Lecture Notes in Computer Science, pages 74–106. Springer, 1992.

[AH94] R. Alur and T. A. Henzinger. A really temporal logic. Journal of the ACM, 41(1):181–203, 1994.

[AL99] L. Aceto and F. Laroussinie. Is your model checker on time? In Proc. 24th Int. Symp. Math. Found. Comp. Sci. (MFCS’99), Szklarska Poreba, Poland, Sep. 1999, volume 1672 of Lecture Notes in Computer Science, pages 125–136. Springer, 1999.

[EMSS92] E. A. Emerson, A. K. Mok, A. P. Sistla, and J. Srinivasan. Quantitative temporal reasoning. Real-Time Systems, 4(4):331–352, 1992.

[ET99] E. A. Emerson and R. J. Trefler. Parametric quantitative temporal reasoning. In Proc. 14th IEEE Symp. Logic in Computer Science (LICS’99), Trento, Italy, July 1999, pages 336–343. IEEE Comp. Soc. Press, 1999.

SLIDE 43

References - 2

[GJ79] M. R. Garey and D. S. Johnson. Computers and Intractability. A Guide to the Theory of NP-Completeness. Freeman, 1979.

[LMS01] F. Laroussinie, N. Markey, and Ph. Schnoebelen. Model checking CTL+ and FCTL is hard. In Proc. 4th Int. Conf. Foundations of Software Science and Computation Structures (FOSSACS’2001), Genova, Italy, Apr. 2001, volume 2030 of Lecture Notes in Computer Science, pages 318–331. Springer, 2001.

[LST00] F. Laroussinie, Ph. Schnoebelen, and M. Turuani. On the expressivity and complexity of quantitative branching-time temporal logics. In Proc. 4th Latin American Symposium on Theoretical Informatics (LATIN’2000), Punta del Este, Uruguay, Apr. 2000, volume 1776 of Lecture Notes in Computer Science, pages 437–446. Springer, 2000. Journal version as [LST02].

[LST02] F. Laroussinie, Ph. Schnoebelen, and M. Turuani. On the expressivity and complexity of quantitative branching-time temporal logics. Theoretical Computer Science, 2002. To appear.