Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures

1
Complexity of Compositional Model Checking of
Computation Tree Logic on Simple Structures
  • Krishnendu Chatterjee
  • Pallab Dasgupta
  • P.P. Chakrabarti
  • IWDC 2004, ISI Calcutta, Dec 28, 2004.

2
Correctness of Systems
  • Verifying correctness of systems
  • Testing
  • Testing systems with test cases
  • Formal methods
  • Proof of correctness, e.g., theorem proving,
    model checking

3
Formal Methods
  • Given a system model and a property, does the
    system satisfy the property?
  • Verifying the correctness of the system specified
    as properties

4
Model Checking
[Diagram: a System Model and a Property go into the Model Checker, which answers "Yes" or "No, counterexample"]

5
Model Checking
[Diagram: a System Model (Kripke structure) and a Property (temporal logic) go into the Model Checker, which answers "Yes" or "No, counterexample"]

6
System Model
  • System modeled as labeled transition system
  • Kripke structures
  • Graphs
  • Vertices labeled by atomic proposition
  • Edges represent transitions between states

7
Specification Language
  • Specification language to specify properties
  • Temporal logic formulas specify temporal
    behaviors of a system
  • Examples of temporal logic
  • Computation Tree Logic (CTL)
  • Linear Temporal Logic (LTL)

8
System and Properties
  • System modeled as Kripke structures
  • Labeled transition systems
  • Properties as temporal logic formulas
  • Linear time: Linear time logic (LTL)
  • Branching time: Computation Tree Logic (CTL)

9
Kripke Structure and CTL
  • Temporal Logics
  • CTL
  • ( p U q )
  • E ( p U q )
  • A ( p U q )
  • LTL, CTL are other examples of temporal
    logics.

[Figure: Kripke structure with states labeled p, q and r]

10
CTL Syntax
  • $S ::= p \mid \neg S \mid S \wedge S \mid AX(S) \mid EX(S) \mid A(S\ U\ S) \mid E(S\ U\ S)$
  • where p is a member of atomic propositions

11
CTL
  • CTL is an attractive temporal logic
  • Polynomial time algorithm for model checking if
    the system is modeled as a single Kripke structure
  • Elegant syntax
  • Top down decomposition of formulas to
    sub-formulas

12
CTL Model Checking
[Diagram: a CTL Formula and a System go into the Polytime Model Checker]

13
System Model
  • System composed of several modules that run in
    parallel and concurrently
  • Especially in parallel and distributed environments
  • The whole system is the product of the individual
    components

14
System Composed of Modules
[Diagram: a CTL Formula and a System go into the Polytime Model Checker]

15
Composition
  • Explicit construction of whole system
  • State space explosion by product
  • No longer polynomial in the size of the input
  • Exponential space to construct a single Kripke
    structure
  • Explicit construction makes CTL model checking
    exponential

16
CTL Model Checking
  • Can we verify properties without explicit product
    construction?
  • Even for a restrictive class of systems?
  • Even for simpler formulas of CTL?

17
Simplest Class of Components
  • Tree-like Kripke structures
  • Components consist of Kripke structures such that
    the underlying graph is a tree with leaves having
    self-loops
  • Simplest class of component Kripke structures
  • Can this class be verified tractably, without
    explicit composition?

18
Composition
  • Composition of several components
  • Synchronous composition: all components make a
    transition simultaneously
  • Asynchronous composition: some of the components
    make transitions and the others do not make a
    transition

19
Results
  • No (Negative)
  • Complexity of compositional CTL model checking
    for tree-like Kripke structures
  • CTL model checking: PSPACE-complete
  • E(B U B): NP-complete
  • A(B U B): coNP-complete
  • B is a Boolean formula

20
Results
  • The complexity results hold for
  • Synchronous composition: all components make a
    transition simultaneously
  • Asynchronous composition: some of the components
    make transitions and the others do not make a
    transition

21
PSPACE-hardness

22
Proof Idea
  • Reduction of Quantified Boolean Formula (QBF) to
    CTL model checking of tree-like Kripke structures
  • QBF formula
  • $\Phi = \exists x_1 \forall x_2 \exists x_3 \cdots \forall x_n.\ C_1 \wedge C_2 \wedge \cdots \wedge C_m$
  • Each $C_j$ is a clause (disjunction of literals) and
    has exactly 3 distinct literals

23
Tree from Clauses
  • A tree $T_i$ from clause $C_i$
  • If a variable $x_j$ occurs in $C_i$
    then two children at level j,
    otherwise only one child.
  • The left branch corresponds
    to an assignment of false.
  • The right branch corresponds
    to an assignment of true.

[Figure: tree for a clause with ($x_1 \vee x_3$); nodes labeled $p_{i11}$, $p_{i10}$, $p_{i31}$, $p_{i30}$]

24
Tree from Clauses
The atomic proposition $t_i$ represents truth of
the clause given an assignment of variables

[Figure: tree for a clause with ($x_1 \vee x_3$); nodes labeled $p_{i11}$, $p_{i10}$, $p_{i31}$, $p_{i30}$, with $t_i$ marking leaves]

25
Tree from Clauses
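CTL formula $p_j$ to ensure consistency:
$p_j = \left(\bigwedge_{i=1}^{n} p_{ij0}\right) \vee \left(\bigwedge_{i=1}^{n} p_{ij1}\right)$

[Figure: tree for a clause with ($x_1 \vee x_3$); nodes labeled $p_{i11}$, $p_{i10}$, $p_{i31}$, $p_{i30}$]
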
26
Proof Idea
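  • Tree-like Kripke structure $T_i$ for every clause $C_i$
  • CTL formula
  • $\psi$: EX($p_1 \wedge$ AX($p_2$ (EX($p_3 \cdots$ AX($p_n \wedge (t_1 \wedge t_2 \wedge \cdots \wedge t_m$))))))
  • Recall the QBF formula
  • $\Phi = \exists x_1 \forall x_2 \exists x_3 \cdots \forall x_n.\ C_1 \wedge C_2 \wedge \cdots \wedge C_m$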

27
Proof Tree and Solution Tree
  • Proof tree to prove a CTL formula
  • Choose a successor for EX branch
  • All successors for AX branch
  • Solution tree for QBF formula
  • A valuation for existential variables
  • All valuations for universal variables

28
Proof Idea
  • Argue that the QBF formula $\Phi$ is true if and only
    if the CTL formula $\psi$ is true in the Kripke structure
    composed of the component tree-like Kripke
    structures
  • Proof idea
  • Solution tree for $\Phi$ from proof tree for $\psi$
  • Proof tree for $\psi$ from solution tree for $\Phi$

29
Proof Idea
  • The argument establishes PSPACE-hardness
  • PSPACE algorithm
  • DFS search and on-the-fly state space
    construction
  • Similar to Savitch's Theorem
  • PSPACE-completeness
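
The reduction and the DFS search with on-the-fly state space construction described on slides 22 to 29, as an added Python example that is not from the original slides or the authors' paper. Assumptions of this example: the consistency guard p_j is conjoined under EX and used as an implication under AX, a single child carries both p_ij0 and p_ij1, and the sample formulas and all function names are constructed here.

```python
from itertools import product

# Constructed sample (not from the slides): prefix ∃x1 ∀x2 ∃x3 and
# clauses as signed variable indices, three distinct literals each.
PREFIX = ["E", "A", "E"]
TRUE_QBF = [(1, 2, 3), (-1, -2, 3), (1, -2, -3)]
FALSE_QBF = [(1, 2, 3), (1, 2, -3), (-1, -2, 3), (-1, -2, -3)]

def children(clause, j, node):
    """Successors of a node of clause tree T_i at level j; a node is its path."""
    if j in {abs(lit) for lit in clause}:
        return [node + ((j, 0),), node + ((j, 1),)]   # left = false, right = true
    return [node]  # single child; assumed to carry both p_ij0 and p_ij1

def consistent(j, nodes):
    """p_j: all components that branched on x_j took the same branch."""
    return len({dict(n)[j] for n in nodes if j in dict(n)}) <= 1

def clause_holds(clause, leaf):
    """t_i: the path to this leaf satisfies clause C_i."""
    value = dict(leaf)
    return any(value[abs(lit)] == (lit > 0) for lit in clause)

def check_composed(prefix, clauses, j=1, nodes=None):
    """DFS over the synchronous product, built one level at a time."""
    if nodes is None:
        nodes = tuple(() for _ in clauses)            # all components at root
    if j > len(prefix):
        return all(clause_holds(c, n) for c, n in zip(clauses, nodes))
    succs = product(*(children(c, j, n) for c, n in zip(clauses, nodes)))
    rest = lambda s: check_composed(prefix, clauses, j + 1, s)
    if prefix[j - 1] == "E":                          # EX(p_j and ...)
        return any(consistent(j, s) and rest(s) for s in succs)
    return all(not consistent(j, s) or rest(s) for s in succs)  # AX, guard assumed

def eval_qbf(prefix, clauses, values=()):
    """Direct recursive QBF evaluation, used only as the reference answer."""
    if len(values) == len(prefix):
        return all(any(values[abs(l) - 1] == (l > 0) for l in c) for c in clauses)
    branches = [eval_qbf(prefix, clauses, values + (v,)) for v in (0, 1)]
    return any(branches) if prefix[len(values)] == "E" else all(branches)
```

The search keeps only the current tuple of component nodes on the recursion stack, so the product structure is never stored as a whole.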

30
Complexity of Sub-logics
  • NP-complete for formulae of the form E(B U B)
  • Reduction to SAT
  • coNP-complete for formulae of the form A(B U B)
  • Reduction Validity problem

31
Conclusion and Future Work
  • Compositional model checking of CTL
  • Problem is inherently difficult
  • Future directions
  • Identify simpler logics and properties such that
    compositional reasoning is tractable
  • Reachability properties
  • Tractable for asynchronous composition
  • Complexity open for synchronous composition

32
Thank you !!!