The Tractability of Model-Checking for LTL: The Good, the Bad, and the Ugly Fragments
Heribert Vollmer
Theoretische Informatik, Leibniz Universität Hannover

The burning issue
Problem: The model-checking problem for full Linear Temporal Logic (LTL) is PSPACE-complete [Sistla, Clarke 1985]. That is, this problem is (most probably) intractable.
Solution: Systematically restrict the propositional part of LTL.
❀ Many tractable (good) fragments
❀ Many intractable (bad) fragments
The tractability of LTL model-checking 2

What is Linear Temporal Logic?
LTL = propositional logic plus temporal operators; it speaks about linear structures. For example:
[Figure: a structure P, a sequence of states 0, 1, 2, ..., 8, ... each labelled with propositions from w, e, c, h]

The language and its interpretation
[Figure: the structure P, a sequence of states 0, 1, 2, ..., 8, ... each labelled with propositions from w, e, c, h]
The following kinds of statements can be formulated in LTL.
◮ now: P, 2 ⊨ (w ∧ ¬e) ∨ c
◮ at some time in the Future: P, 0 ⊨ F h
◮ always Going to: P, 3 ⊨ G ¬e
◮ neXt time: P, 1 ⊨ X (w → e)
◮ Until: P, 5 ⊨ c U (¬w)
◮ Since: P, 3 ⊨ c S w
◮ P, 0 ⊨ F (c ∧ ¬e) ∧ G ( (c ∧ ¬w) → [ X (w ∧ X h) ∧ (h → w ∧ c) U c ] )

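The satisfaction relation P, i ⊨ ϕ used above can be computed position by position when the structure is ultimately periodic (a finite prefix followed by a loop repeated forever). The following is an added example, not part of the original slides: the structure is constructed for illustration (the slide's P is not recoverable), formulas are nested tuples, U is taken as the usual strong, reflexive Until, and Since is left out because positions inside the loop do not have a single past.

```python
# Constructed structure: positions 0-2 are the prefix, positions 3-4 repeat forever.
PREFIX = [{"w"}, {"w", "c"}, {"w", "c", "h"}]
LOOP = [{"c"}, {"c", "h", "w"}]

def until(left, right, succ):
    """Least fixpoint for 'left U right': right holds now, or left holds now
    and 'left U right' holds at the successor position."""
    result = set(right)
    changed = True
    while changed:
        new = {i for i in left if succ(i) in result} - result
        result |= new
        changed = bool(new)
    return result

def sat(phi, prefix, loop):
    """Positions i of the structure prefix.loop^omega with P, i |= phi."""
    word = prefix + loop
    every = set(range(len(word)))

    def succ(i):
        # The last position of the loop wraps around to the loop's first position.
        return i + 1 if i + 1 < len(word) else len(prefix)

    op, args = phi[0], phi[1:]
    if op == "ap":                      # atomic proposition
        return {i for i in every if args[0] in word[i]}
    s = [sat(a, prefix, loop) for a in args]
    if op == "not":
        return every - s[0]
    if op == "and":
        return s[0] & s[1]
    if op == "or":
        return s[0] | s[1]
    if op == "X":
        return {i for i in every if succ(i) in s[0]}
    if op == "U":
        return until(s[0], s[1], succ)
    if op == "F":                       # F phi  =  true U phi
        return until(every, s[0], succ)
    if op == "G":                       # G phi  =  not F not phi
        return every - until(every, every - s[0], succ)
    raise ValueError(f"unknown operator {op!r}")
```
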
A model and a structure
A model (cf. Clarke et al. "Model Checking"): Possible behaviour of a microwave oven
[Figure: state diagram of a microwave oven; transition labels: Start, Open Door, Close Door, Cook, Reset, End, Start Cooking; state labels: w = working, e = error, h = heating, c = door closed]

A model and a structure
A structure: Actual behaviour of a microwave oven
[Figure: state diagram of a microwave oven; transition labels: Start, Open Door, Close Door, Cook, Reset, End, Start Cooking; state labels: w = working, e = error, h = heating, c = door closed]

Summing up: Models and structures
Model: A directed graph where every state has a successor. States are marked with assignments to propositional variables.
Structure: An infinite path in a model.

The model-checking problem
Model-Checking
Instance: ⟨ϕ, M, a⟩
Question: Does M contain a structure P with initial state a such that P, a ⊨ ϕ?
Theorem (Sistla, Clarke 1985): Model-checking for LTL is PSPACE-complete.

When do LTL fragments suffice?
Example: Properties of "microwave oven runs" expressible in LTL fragments:

Property                                              Formula   Operators used
An error never occurs. (Safety)                       G ¬e      G, ¬
                                                      ¬F e      F, ¬
                                                      G e′      G
Every error will eventually be resolved. (Liveness)   GF ¬e     F, G, ¬
                                                      G ¬G e    G, ¬
                                                      GF e′     F, G

The model-checking problem for LTL fragments
LTL fragment: Let T ⊆ {F, G, X, U, S} be a set of temporal operators and B be a finite set of Boolean operators.*
L(T, B) = set of all LTL formulas with operators in T ∪ B.
* For instance, {∧, ∨} — monotone formulae.
Model-checking problem MC(T, B) for LTL fragments
Instance: ⟨ϕ, M, a⟩ with ϕ ∈ L(T, B)
Question: Does M contain a structure P with initial state a such that P, a ⊨ ϕ?

Known complexity results ...
Theorem ([Sistla, Clarke 1985] and [Markey 2004])
1. MC({G, X}, {∧, ∨, ¬}) and MC({U}, {∧, ∨, ¬}) are PSPACE-complete, even if negation is applied to atoms only.
2. MC({F}, {∧, ∨, ¬}), MC({G}, {∧, ∨, ¬}) and MC({X}, {∧, ∨, ¬}) are NP-complete, even if negation is applied to atoms only.
3. MC({F, X}, {∧, ∨, ¬}) in general is PSPACE-complete, but NP-complete if negation is applied to atoms only.

Known complexity results ...
Consequences of results by [Sistla, Clarke 1985] and [Markey 2004]:
Hardness and completeness of MC(T, B)

T \ B   {∧, ∨}    {∧, ∨, ¬}
X       NP        NP
G       NP        NP
F       NP        NP
FX      NP        PSPACE
GX      PSPACE    PSPACE
U       PSPACE    PSPACE

Bad fragments!

What we would like to know ...
Goal
◮ classify the complexity of MC(T, B) for all LTL fragments
◮ separate LTL fragments into good (efficiently solvable) and bad (NP-hard)

Fragments of propositional logic: Clones
Post's lattice (est'd 1941 by Emil Post)
[Figure: Post's lattice of clones, from BF at the top down to I2 at the bottom. Legend: BF = all; M = monotone functions; S1 = x ∧ ¬y; S0 = x → y; D = f(a1, ..., an) = ¬f(¬a1, ..., ¬an); L = x ⊕ y (xor); V = x ∨ y; E = x ∧ y; N = ¬x; I = identities; index 2 = without constants; index 0, 1 = with constant 0, 1]

Clones with both constants
All relevant sets of Boolean operators:
[Figure: lattice of the clones BF (all), M (monotone), L (⊕), N (¬), V (∨), E (∧), I (∅)]
Every other set of Boolean operators can be reduced to one of these.

Tractability of model-checking: Fragments with F, G, X
Hardness and completeness of MC(T, B)
B (columns): I N E V M L BF (¬ ∧ ∨ mon. ⊕ all)
T (rows):
X NP NP NL NL NL NL NL
G NL NL NL NL NP NP
F NL NL NP NL NP NP
FG NL NL NP NL NP NP
FX NL NL NP NL NP PS
GX NP PS PS NL NL NL
FGX NL NL NP NP PS PS
(PS = PSPACE)

Tractability of model-checking: Fragments with S, U
Hardness and completeness of MC(T, B)
B (columns): I N E V M L BF (¬ ∧ ∨ mon. ⊕ all)
T (rows):
S L L L L L L L
SX NP NP NP NP NP NP NP
SG NP NP NP NP PS NP PS
SF NP NP PS NP PS NL NL
SFG NP NP NP NP PS NP PS
SFX NP NP NP NP PS NP PS
SGX NP NP NP NP PS NP PS
SFGX NP NP NP NP PS NP PS
other NP NP NP NP PS NP PS

An NP-hardness proof
Theorem (Sistla, Clarke 1985): MC({F}, {∧}) is NP-hard.
Proof sketch.
◮ Reduction from 3SAT
◮ From (x1 ∨ ¬x2 ∨ ¬x4) ∧ (¬x1 ∨ x3 ∨ ¬x4) ∧ (¬x2 ∨ x4) we obtain the model
[Figure: the model, with states q and s and states for the literals x1, ..., x4 and their negations, labelled with the propositions b1, b2, b3]
and the L({F}, {∧})-formula F b1 ∧ F b2 ∧ F b3.

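The reduction in this proof sketch can be run end to end. The following is an added example, not part of the original slides: it assumes the model is a chain q → {x1, ¬x1} → ... → {xn, ¬xn} → s with a self-loop on s (the slide's figure is not recoverable), labels each literal state with b_j for every clause j containing that literal, and compares the model-checking answer with a brute-force satisfiability test; all function names are hypothetical.

```python
from itertools import product

# The slide's formula; 1 stands for x1, -2 for ¬x2, and so on.
CNF = [[1, -2, -4], [-1, 3, -4], [-2, 4]]

def build_model(cnf):
    """Assumed layout: q -> {x1, ¬x1} -> ... -> {xn, ¬xn} -> s -> s."""
    n = max(abs(lit) for clause in cnf for lit in clause)
    label = {"q": set(), "s": set()}
    edges = {"q": [1, -1], "s": ["s"]}
    for v in range(1, n + 1):
        for lit in (v, -v):
            # A literal state carries b_j for every clause j it satisfies.
            label[lit] = {f"b{j + 1}" for j, c in enumerate(cnf) if lit in c}
            edges[lit] = [v + 1, -(v + 1)] if v < n else ["s"]
    return label, edges

def check_conj_F(label, edges, start, props):
    """Is there a path from start satisfying F p for every p in props?
    Searches pairs (state, propositions seen so far); every state has a
    successor, so any finite witness extends to an infinite path."""
    need = frozenset(props)
    first = (start, need & label[start])
    stack, seen = [first], {first}
    while stack:
        state, got = stack.pop()
        if got == need:
            return True
        for nxt in edges[state]:
            node = (nxt, got | (need & label[nxt]))
            if node not in seen:
                seen.add(node)
                stack.append(node)
    return False

def satisfiable(cnf):
    """Brute-force SAT check, used only to cross-check the reduction."""
    n = max(abs(lit) for clause in cnf for lit in clause)
    return any(
        all(any((lit > 0) == a[abs(lit) - 1] for lit in c) for c in cnf)
        for a in product([False, True], repeat=n)
    )

def reduction_agrees(cnf):
    label, edges = build_model(cnf)
    props = [f"b{j + 1}" for j in range(len(cnf))]
    return check_conj_F(label, edges, "q", props) == satisfiable(cnf)
```

The search space of `check_conj_F` is states times subsets of the b_j, so it grows exponentially with the number of conjuncts, in line with the NP-hardness of the fragment.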
An NP-hardness proof
Theorem: MC({U}, ∅) is NP-hard.
Proof sketch.
◮ Reduction from 3SAT
◮ From (x1 ∨ ¬x2 ∨ ¬x4) ∧ (¬x1 ∨ x3 ∨ ¬x4) ∧ (¬x2 ∨ x4) we obtain the model
[Figure: the model, with states q1, q2, q3 and s and states for the literals x1, ..., x4 and their negations, labelled with the propositions a1, a2, a3 and b1, b2, b3]
and the L({U}, ∅)-formula ((a1 U b1) U (a2 U b2)) U (a3 U b3).
