Variants of LTL Query Checking - Semantic Scholar
Variants of LTL Query Checking Hana Chockler1
Arie Gurfinkel2
Ofer Strichman3
1
2
IBM Haifa Research Lab, Haifa, Israel. [email protected] Software Engineering Institute, Pittsburgh, USA. [email protected] 3 Information Systems Engineering, IE, Technion, Haifa, Israel. [email protected]
Abstract. Given a model M and a temporal logic formula ϕ[?], where ? is a placeholder, the query checking problem, as defined for the case of CTL by Chan in 2000, is to find the strongest propositional formula f such that M |= ϕ[? ← f ]. The motivation for solving this problem is, among other things, to get insight on the model. We consider various objectives to the LTL query-checking problem, and study the question of whether there is a better solution than simply enumerating all possible formulas (modulo logical equivalence). It turns out that in most cases the answer is no, but there is one particular objective for which the answer – in practice – is definitely yes. The solution is based on a reduction to a Pseudo-Boolean Solving problem.
1 Introduction Given a Kripke model M and a CTL formula ϕ[?], where ? is a placeholder, Chan defined in [5] the query checking problem as follows: find the strongest propositional formula f such that M |= ϕ[? ← f ]. The motivation for solving this problem is quite clear. Users can mine their model for some of its properties, and gain better insight as to what it really does. It can also help them perform “sanity-checks”, by contrasting their expectation regarding the properties of the model and what they really are. As an example, users of a model-checker can check whether their model satisfies ϕ , G(request ⇒ F grant), that is, whether request is always eventually followed by a grant, but users of a query-checker can instead check the query G(request ⇒ F?), which asks what is the strongest propositional formula that always eventually follows request. An answer can be either weaker or stronger than grant, e.g., ‘grant ∨ nack’ and ‘false’, respectively. The former case demonstrates that query checking can give information beyond what is given by a counterexample to the originally assumed property ϕ. The latter case demonstrates that query checking also encompasses vacuity checking [2]. In fact query checking gives users a finer version of vacuity checking, since even when the property is not vacuous, (e.g., M 6|= ϕ[grant ← false] in this case), it may still give an answer that, like vacuity checks, may lead to discovering errors in the design or the property. Other known applications of query checking include guided simulation and model-based automatic test generation, as was demonstrated by Gurfinkel et al. in [9]. It is clear, then, that query-checking is at least as complex as model checking, and indeed all the published algorithms for query checking use some form of (repeated)
model checking. A naive solution to this problem, as pointed out by Bruns and Godefroid in [3], can be performed by explicitly enumerating all possible solutions. In other words, for a given set of atomic propositions AP , query checking can be solved by |AP | running a model checker 22 times: once for each possible formula over AP modulo logical equivalence. One should not deem this problem as unsolvable, however. In practice it is reasonable to ask the user to restrict the expected output to a few propositions only, which we denote by AP 0 (AP 0 ⊆ AP ). In the example above, whereas the model can have hundreds of signals, users may restrict the query to formulas over several signals that they consider as relevant to the behavior of request. The solution in this case is a formula f that has the strongest projection to these signals but still satisfies M |= ϕ[? ← f ]. Unlike model checking where projections correspond to abstraction and hence to possibly loss of completeness, here projections entail a different focus of the query, which may still be valuable to the user. Chan noted that, regardless of complexity, the user would probably want to restrict the answer of the query to a small number of propositions simply because an answer based on a large number of propositions is too complex and not helpful. Gurfinkel et al. defined the set of variables to which the query is restricted as part of the input language of the query [9]. For example, an answer to AG(?{p, q}) is an invariant of the model over p and q. Related work In [5], Chan proposed to focus on a subset of CTL which has a unique strongest solution in every model and hence corresponds to his definition of the problem. He coined the term ‘valid queries’ to refer to queries in this restricted language. Nevertheless in the general case there can be multiple strongest interpretations to ?. In [3] Bruns and Godefroid solved the query-checking problem for any temporal logic for which there is a representation by an alternating automata, including CTL and LTL. They also changed the problem definition to finding all strongest formulas f (modulo logical equivalence) such that M |= ϕ[? ← f ]. Their solution strategy is based on an extension to alternating automata that maps a state and an input tree value to a finite lattice element. The elements of the lattice, in this case, are the possible answers to the query. Their algorithm translates the query into an extended alternating automata, computes the product with the model M , and checks for lattice emptiness. The result is a lattice value corresponding to all strongest solutions to the query. The complexity of this algorithm is not better, in the worst case, than enumerating all solutions. Gurfinkel et al. examined in [9] several extensions to the original problem: multiple occurrences of the same placeholder, possibly with mixed polarity, and multiple placeholders. They showed that query-checking is reducible to multi-valued model-checking over a lattice of solutions. This has been implemented in the context of a multi-valued model-checker χChek [6]. When the problem is defined as in [3], namely finding all strongest solutions, the size of the output itself can be double exponential in AP 0 , as it corresponds to the width of the propositional lattice. There is no way around this problem other than making AP 0 very small. Hornus and Schnoebelen show in [11] how to test, with a polynomial number of model-checking invocations, whether a given temporal logic query has a unique solution in a given model. This capability at least lets us detect easily the cases in which the size of the output is a single formula. Samer and Veith present a context-
free grammar of a syntactic subset of LTL for which there is at most one strongest solution to the query, and conjecture that this result can be extended to CTL as well [13]. Our contribution This is the first work to focus on LTL query checking. As mentioned earlier, there were works that dealt with arbitrary temporal logics, but those did not focus on the goals that we describe below. Our goal is to find a strongest propositional formula f , while considering three alternative definitions of strength: O1: f is stronger than g if models(f ) ⊆ models(g). This is equivalent to saying that f → g, and corresponds to the traditional objective of query checking. O2: f is stronger than g if |models(f )| < |models(g)|. This objective is useful when there are many incomparable solutions to O1. In such a case, a solution to O2 is one of the O1 solutions that has the smallest number of models. O3: f is stronger than g if ϕ[f ] → ϕ[g]. The necessity of this objective is demonstrated next. Example 1. Consider Table 1. It includes queries, interpretations, the interpreted queries, the relations between the interpretations, and, finally, the relations between the interpreted queries. The first query demonstrates that ϕ[f ] can become stronger while f becomes weaker, and the second query that an incomparable interpretation can make ϕ[f ] stronger. This nonmonotonicity implies that O3 cannot, in general, be reduced to O1 or O2. u t Query
f1
f2
ϕ[f1 ]
ϕ[f2 ]
Relations
F(p ∨ ?) ∧ F(¬?) p ∧ q p F(p) ∧ F(¬p ∨ ¬q) F(p) ∧ F(¬p) f1 → f2 ϕ[f1 ] ← ϕ[f2 ] G(p ∧ ?) p q G(p) G(p ∧ q) ϕ[f1 ] ← ϕ[f2 ] Table 1. Demonstrating the necessity of objective O3, as part of Example 1.
If the occurrences of the placeholder appear in mixed polarity, the value of finding the strongest replacement according to O1 and O2 is questionable. For example, for a query G(? → X¬?), the solution p ∧ q is not necessarily more informative to the user than the solution p, although it is logically stronger. For this reason we solve O1 only for the case of pure polarity, which makes it computationally easier. For O2 our solution is oblivious to the polarity although, as said, it makes more sense to use it for formulas in which the occurrences appear in pure polarity. In other cases we consider O3 to be the right option, and indeed our solution with this objective is insensitive to the question of whether the polarity is pure or mixed. The main question we are interested in is whether we can find a solution to any of these goals which is easier than trying all possible replacements for the query. It turns out that for O1 and O3 we can do only a little better, but essentially the solutions are
based on traversing the lattice of possible solutions, albeit not in the most naive way. We delay the presentation of these solutions to Sect. 3. Our solution to O2, on the other hand, is not based on enumerating possible solutions and is far better in practice than simple enumeration, at least for the case of safety properties. The solution, which is described in Sect. 2, is based on a series of reductions, ending with a formulation of an optimization problem in Integer Linear Programming over binary variables (0-1-ILP), or, equivalently, as a Pseudo-Boolean problem (PBS) [1]. Essentially, we solve the problem of finding a minimal set of assignments that need to satisfy the solution f in order for the language of the product M × B¬ϕ[?←f ] to be empty. The running time complexity of our solutions is summarized in Table 2 for the case of a single placeholder with possibly multi- Objective Complexity ple occurrences. Note that for O1 the solu0 O(|M | · 22|AP |+|ϕ| ) tion is correct only for queries in which the O1 |AP 0 | occurrences of the placeholder are in pure +|ϕ| O2 (safety) O(|M | · 22 ) polarity, whereas for O2 and O3, the solu0 tion allows mixed polarity. Throughout the O2 (liveness) O(|M |2 · 22|AP | +|ϕ| ) article we assume that the reader is famil|AP 0 | +|ϕ| O(|M | · 22 ) iar with the basics of LTL model checking in O3 the automata-theoretic framework. For backTable 2. Complexity of LTL query ground see, e.g., [12]. We also assume familchecking, according to the objective. iarity with modeling problems in 0-1-ILP.
2 Achieving objective O2 In the first step of our solution we use a construction which is similar, but not identical, to that used in LTL model checking with the Vardi-Wolper scheme [16]. We describe this construction in Sect. 2.1, and the full algorithm in Sect. 2.2. 2.1 The construction The query tableau B¬ϕ[?] Let ϕ[?] be a query over AP ∪ {?}. We construct a query 0 0 tableau B¬ϕ[?] = hSB , SB , RB , FB i where SB is a set of states, SB ⊆ SB and FB ⊆ AP ∪{?} 2 SB are subsets of the states, and RB : SB × 2 × SB is the transition relation1 . B¬ϕ[?] is similar to a B¨uchi automaton that represents ϕ[?] if ? was any other atom, with the difference that its edges are labeled with formulas over AP ∪{?}. Labeling the edges with formulas is more concise and more natural for the description of the algorithm later on. It is also more intuitive in our context because, recall, ‘?’ itself represents a formula, and therefore it is more natural to consider it as part of a bigger formula 1
We refrain from calling it a query automaton because it cannot be defined as an acceptor without an interpretation to the placeholder. This is also the reason that we do not define an 0 alphabet as part of the construction, nor do we designate SB and FB as initial and final states, respectively.
rather than an element of a full assignment. In fact modern LTL to B¨uchi convertors do not label their edges with full assignments, rather with either partial assignments or formulas. Examples of tools that label their edges with partial assignments are LBT by R¨onkk¨o, which is based on [8], and Somenzi’s Wring [14]. An example of a tool that labels its edges with formulas (represented as BDDs) is BAOM, which was written by Thirioux [15]. 0 , RM i is given by an alphabet Σ = 2AP , The model M The model M = hΣ, SM , SM 0 a set of states SM , a set of initial states SM ⊆ SM and a set of transitions RM : SM × Σ × SM . 0 The product A = M × B¬ϕ[?] Given the model M = hΣ, SM , SM , RM i and 0 B¬ϕ[?] = hSB , SB , RB , FB i, we define the product A = M × B¬ϕ[?] = hS, S 0 , R, F i as follows:
S = {hsi , sj i | si ∈ SM , sj ∈ SB } 0 0 S 0 = {hsi , sj i | si ∈ SM , sj ∈ S B } 0 0 R = {hsi , sj ihτ, σihsi , sj i | hsi , τ, s0i i ∈ RM ,
hsj , σ, s0j i ∈ RB , ∃f. τ ∧ σ[? ← f ]} F = {hsi , sj i | si ∈ SM , sj ∈ FB } Note that the edges in M are labeled with full assignments over AP and the edges in B¬ϕ[?] are labeled with formulas over AP ∪ ?. This mismatch is not a problem when constructing the product, however, because at this stage, before having an interpretation to the placeholder, we do not attempt to synchronize the transitions. Given an interpretation f to ?, we can turn A into a B¨uchi automaton, which we denote by A[f ], by replacing each label of the form hτ, σi in A with the label τ if τ |= σ[? ← f ] (1) false otherwise Note that this definition is equivalent to taking the label τ ∧ σ[? ← f ]. For example, h¬a ∧ b ∧ c, b ∨ ?i in A, given an interpretation f = c ∧ a becomes (¬a ∧ b ∧ c ∧ (b ∨ (c ∧ a))) = ¬a ∧ b ∧ c in A[f ], which is simply τ . Example 2. Figure 1 demonstrates the model M , a query tableau B¬ϕ[?] and their product. We consider this example automaton later in Example 3. u t 2.2 An algorithm for a single placeholder The solution is based on finding an interpretation f that on the one hand eliminates all accepting paths in A[f ], and on the other is the strongest such f according to O2. We assume that the given query has at least one solution, so such an f must exist. A bird’s eye view of the solution is given by the following steps:
1. Given ϕ[?] and M , compute the product A as explained in the previous section. 2. Solve the following problem for A: Problem 1. Find a smallest set Fτ of full assignments that should satisfy f in order to make L(A[f ]) = ∅, where L(A[f ]) denotes the language of A[f ]. 3. Let f=
_
τ.
(2)
τ ∈Fτ
4. Return f . If ϕ[?] is an unrestricted LTL query, then Problem 1 is reduced to Problem 2 below. If, on the other hand, it is a safety query, then it is reduced straight to Problem 3 below. The cause for the difference is that safety properties can be model-checked with automata over finite words. We continue by describing Problem 2, for which we need the following notation: for an automaton B with edges labeled by literals from a set of variables L, and an assignment α : L 7→ {0, 1}, denote by B|α the automaton B after removing edges whose labels are falsified by α. Problem 2 (Minimum cutting set for a B¨uchi automaton). Let B be a B¨uchi automaton hS, S 0 , R, F i, where S is a set of states, S 0 ⊆ S is a set of initial states, R : S × L × S is the transition relation – where L is a set of literals labeling the edges – and F ⊆ S is a set of accepting states. Given such an automaton B, find an assignment α with a minimum number of satisfied positive literals such that L(B|α ) = ∅. It is left to show how to use a solution to this problem in order to generate a solution to Problem 1. Roughly speaking, for this purpose we consider a B¨uchi automaton B in which each element of L represents a full assignment to AP , e.g., a label eτ represents a full assignment τ . Hence the set of positive literals satisfied by the solution α corresponds to a set of full assignments, which is the solution to Problem 1. The construction of B is such that a literal eτ in B labeling an edge indicates that in order for this edge to remain in A[f ] we must have that τ |= f . Similarly, a literal ¬eτ labeling an edge indicates that in order for this edge to remain in A[f ] we must have that τ |= ¬f . We solve Problem 2 by reducing it to Problem 3 below, which is the same problem but for a finite automaton: Problem 3 (Minimum cutting set for a finite automaton). Let Bf be a finite state automaton hSf , Sf0 , Rf , Ff i, where Sf is a set of states, Sf0 ⊆ Sf is a set of initial states, R : Sf × L × Sf is the transition relation – where L is a set of literals labeling the edges – and Ff ⊆ Sf is a set of accepting states. Find an assignment α with a minimum number of satisfied positive literals such that L(Bf |α ) = ∅. 2.3 Reductions A reduction from Problem 1 to Problem 2 We reduce A to a B¨uchi automaton B with edges labeled with literals that represent assignments or their negation. Recall that the
labels in A are of the form hτ, σi where τ is a full assignment. Denote by σ(τ ) the value of σ after assigning its variables the values given to them in τ and applying standard propositional simplifications. For example, for an edge labeled hp ∧ q, p ∧ ¬?i, σ(τ ) = ¬?. It is not hard to see that σ(τ ) can be one of ‘?’, ‘¬?’, true or false. Automaton B is the same as A, other than the following relabeling: – If σ(τ ) = ? then the corresponding edge in B is labeled with a (propositional) literal eτ . – If σ(τ ) = ¬? then the corresponding edge in B is labeled with a (propositional) literal ¬eτ . – If σ(τ ) = false then the edge is removed. – If σ(τ ) = true then the corresponding edge in B is labeled with true. Note that such edges cannot be part of any solution. Hence B is a B¨uchi automaton according to the definition in Problem 2. Example 3. Consider the query ϕ[?] = GF(p ∧ ?). Fig. 1 contains the corresponding query tableau B¬ϕ[?] , as well as a Kripke structure M and their product A at the bottom left. The B¨uchi automaton B, which appears at the bottom right of the figure, is computed as explained above. For conciseness in this and future figures we represent assignments with juxtaposition for conjunction and overline for negation. For example p¯ q stands for p ∧ ¬q. p¯ ∨ ¯?
T B¬ϕ[?] :
p¯ ∨ ¯?
s0
pq w¯ w0
M:
s1
w1 pqw
hpq w, ¯ p¯ ∨ ¯?i
w1 s1
B:
T
T
w0 s0
w0 s1
¬epqw¯
hpqw, T i
¬epqw
w1 s0
¬epqw¯
¬epqw
w0 s0
w0 s1 hpqw, p¯ ∨ ¯?i
hpq w, ¯ Ti
A:
hpqw, p¯ ∨ ¯?i hpq w, ¯ p¯ ∨ ¯?i
w1 s0
w1 s1
Fig. 1. (Top left) a query tableau corresponding to the negation of the query GF(p ∧ ?), (Top right) A Kripke structure M , (Bottom left) the product A = M × B¬ϕ[?] , and (Bottom right) after reduction of A to a B¨uchi automaton B.
u t Proposition 1. Given a query and a model M , let A be the product as constructed in Sect. 2.1. Let B be the B¨uchi automaton constructed from A by the reduction above. Given a minimum cutting set {eτ1 , . . . , eτn } for B, the corresponding minimum set of assignments Fτ is {τ1 , . . . , τn }. Then, the function f as defined in (2) satisfies L(A[f ]) = ∅ and is a strongest such function.
Proof. We first prove that any cutting set of B induces f such that L(A[f ]) = ∅. Falsely assume that there exists an accepting path π in A[f ], where f is a disjunction between the full assignments corresponding to a solution to Problem 2. Let πB be the corresponding (accepting) path in B. By definition of Problem 2, there has to be at least one edge in πB not satisfied by the solution assignment α, since this solution makes the language L(A[f ]) empty. Let hτ, σi be the label of the corresponding edge in A. We show that in all cases this implies that the label of the same edge in A[f ] must be false and hence cannot be part of the path π. There are four cases: – if σ(τ ) = ?, then eτ is not satisfied by α. This means that τ 6|= f , and hence the same edge in A[f ] is labeled with false. – if σ(τ ) = ¬?, then eτ is satisfied by α. This means that τ |= f , but since f is negated in the label of this edge then the same edge in A[f ] is again labeled with false. – if σ(τ ) = false, then it is also labeled with false in A[f ], regardless of f . – if σ(τ ) = true, then this cannot be the edge unsatisfied by α. There must be another edge along this path that is not satisfied by α. The argument is then repeated for that edge. It is left to prove that f is a strongest such function according to O2. Falsely assume the existence of a function f 0 such that f 0 is stronger than f according to O2 and L(A[f ]) = ∅. The function f 0 induces an assignment αf 0 to the set of labels in B, such that L(B|αf 0 ) = ∅. But the set of literals assigned true in αf 0 is a subset of the set of literals assigned true in α, owing to the way that f is constructed. Hence αf 0 represents a cutting set for B and has fewer models than α, which contradicts the minimality of α. u t A reduction from Problem 2 to Problem 3 Given a B¨uchi automaton B = hS, S 0 , R, F i, we construct a finite state automaton Bf = hSf , Sf0 , Rf , Ff i: Sf = {ski | si ∈ S, k ∈ [0..|F |]} Sf0 = {s0i | si ∈ S 0 } Rf = {hski , l, skj i | hsi , l, sj i ∈ R, k ∈ [0..|F |]} ∪ {hs0i , l, skj i | hsi , l, sj i ∈ R, si is kth state in F } Ff = {ski | si is kth state in F } Thus, the resulting automaton is made of |F | + 1 copies of B. Example 4. Continuing our running example, the finite state automaton corresponding to the B¨uchi automaton that appears in the bottom right of Fig. 1, appears in Fig. 2. u t Proposition 2. Let B be the input B¨uchi automaton to Problem 2. Let Bf be the result of the reduction above, given B as input. Then the solution of Problem 3 with respect to Bf is also a solution to Problem 2 with respect to B.
¬epqw¯
¬epqw¯ w1 s1 0
w1 s1 1
w0 s1 2
¬epqw
¬epqw¯
w ¬e pq
¬epqw
w0 s0 0
w¯
T
w0 s1 1 pq ¬e ¬epqw
T
w0 s1 0
¬epqw¯
¬epqw
w1 s0 0
w1 s1 2
Fig. 2. A finite state automaton resulting from the reduction to Problem 2, starting from the B¨uchi automaton B that appears at the bottom right of Fig. 1. Four unreachable states (corresponding to copies of w0 s0 and w1 s0 ) were removed from the drawing.
Proof. Let α be the solution to Problem 3. This means that L(Bf |α ) = ∅. Falsely assume that L(B|α ) 6= ∅, and let π = π1 π2ω denote a lasso-shaped accepting path in B|α such that π1 ends with a state s ∈ F ∩ inf (π) (as shown in [7, 17], if there is an accepting path, then there is a lasso-shaped accepting path). We show that the finite path π1 π2 is an accepting path in Bf |α . Assume that s is the kth accepting state for the purpose of constructing Bf . The prefix π1 exists in the 0 copy of B in Bf , and connects an initial state to s0 . The suffix π2 connects s0 to sk , which is accepting in Bf . We know that none of the edges of π is removed in Bf |α , because they are labeled the same in B and Bf , and we assumed that they are not removed in B. Hence π1 π2 is an accepting path in Bf |α , which is a contradiction to our assumption that L(Bf |α ) = ∅. u t A Reduction from Problem 3 to a 0-1-ILP problem We show a reduction from Problem 3 to a 0-1 ILP problem. For clarity, however, we formulate the constraints with propositional formulas rather than with linear constraints. The encoding is inspired by the one in [4]. With a positive literal l ∈ L we associate a propositional variable el and with a negative one we associate ¬el . Intuitively el =false if we choose to remove all edges labeled with l. With each state si ∈ S we associate a propositional variable esi . Intuitively esi = true if si is reachable. The constraints are: 1. Initial states are reachable. For each si ∈ S 0 : 2. Accepting states are unreachable. For each si ∈ F : 3. Transitions. For each transition hsi , l, sj i ∈ R: A special case is when l is the label true. Then we add:
e si ¬esi e si ∧ e l → e sj e si → e sj
The objective is to minimize Σel . Example 5. The 0-1-ILP system corresponding to the finite automaton in Fig. 2 is: objective: initial states: final states: transitions:
min epqw + epqw¯ ew0 s0 0 ¬ew0 s1 1 ∧ ¬ew1 s1 2
ew0 s0 0 ew0 s0 0 ew1 s0 0 ew0 s1 0 ew0 s1 0
↔ ew1 s0 0 ∧ ¬epqw¯ → ew1 s1 0 ∧ ¬epqw → ew0 s1 0 ∧ ¬epqw¯ → ew1 s1 0 ∧ ¬epqw¯ → ew1 s1 1
ew0 s1 2 ew1 s1 0 ew1 s1 1 ew1 s1 0 ew0 s1 1
∧ ¬epqw¯ ∧ ¬epqw ∧ ¬epqw ∧ ¬epqw ∧ ¬epqw¯
→ ew1 s1 2 → ew0 s1 2 → ew0 s1 1 → ew0 s1 0 → ew1 s1 1
ew1 s1 2 ∧ ¬epqw → ew0 s1 2
A solution gives us either epqw = 1 or epqw¯ = 1 with objective equal to 1. Recall that we use this solution to construct f . In this case the solution would be f = p ∧ q ∧ w or f = p ∧ q ∧ ¬w, and the property, correspondingly, either GF(p ∧ q ∧ w) or GF(p ∧ q ∧ ¬w). Note that without the objective the assignment epqw = epqw¯ = 1 also satisfies the constraints, which results in the nonoptimal solution GF(pq). There are various opportunities for optimization (e.g., note that the last three transition constraints are unnecessary) but we leave this issue to future work. u t In Appendix A we demonstrate the algorithm with a full example. 2.4 Complexity We first consider the complexity of general LTL queries, and then focus on safety queries. The product A is linear in M and exponential in |ϕ|. The reduction to a B¨uchi automaton and then to a finite automata Af = hV, Ei multiplies the size of the automaton by |F |, which is proportional to |M |, assuming a small constant number of accepting states in B¬ϕ[?←f ] . The number of conjuncts in the definition of the transition relation is proportional to |E|, and the number of variables is equal to the number of different labels plus |V |. The number of different labels is bounded by two figures: first, it is bounded by the number of edges in A, which cannot be more than quadratic 0 in the number of nodes in A; second, it is bounded by 2|AP | , where AP 0 ⊆ AP is, recall, the projection set (see Sect. 1). For the sake of discussion assume that the latter is the smaller number and therefore the actual bound. This is a reasonable assumption because the size of AP 0 is controlled by the user and can be in practice very small. Solving this constraint is exponential in the number of variables. All together, then, the solving time is O(|M | · 2|ϕ| · |F | · 22
|AP 0 |
) = O(|M |2 · 22
|AP 0 |
+|ϕ|
).
(3)
For safety queries, the quadratic growth in the size of the model disappears, and hence the complexity is O(|M | · 2|ϕ| · 22
|AP 0 |
) = O(|M | · 22
|AP 0 |
+|ϕ|
).
(4)
As stated in the introduction, we would like to see if this solution is better than an exhaustive search over all possible replacements. A reasonable way to perform such an exhaustive search is to traverse the propositional lattice over AP 0 top down, and for each element (function) f check whether M |= ϕ[? ← f ] with a model-checker. The
complexity, thus, is double exponential in AP 0 , and linear in the size of the model. This is the same worst-case complexity as our solution for safety queries. However, in practice the run time of a 0-1 ILP solver is much better than an explicit enumeration of the search-space, so we can claim for a better algorithm in the case of safety queries. For liveness properties, however, our solution is worst-case quadratic in |M |, and hence is worse than an explicit enumeration. What it is the reason for the complexity gap in the case of liveness properties? Our current encoding for liveness queries is quadratic because it refers separately to paths leading to accepting states and paths from these states back to themselves. In contrast, in LTL model-checking, although we also search for a lasso-shaped path, it is linear in the size of the product if using the SCC-decomposition method (see, e.g., Sect. 6.6 in [12]) or nested DFS [10]. Perhaps it is possible to construct a linear encoding which mimics one of these methods. We leave this as an open problem. 2.5 Multiple placeholders In the presence of multiple placeholders we adopt the definition of [9] by which a solution hf1 , . . . , fn i is stronger than hf10 , . . . , fn0 i if ∀i.1 ≤ i ≤ n → fi → fi0 . The adaptation of the algorithm we presented for a single placeholder, is extended quite naturally to multiple placeholders. The only change is in the reduction from Problem 3 to a 0-1-ILP problem. The value of σ(τ ) is now some Boolean combination of ?1 , . . . , ?n . Whereas with a single placeholder we associated a single propositional variable eτ for each label τ , here we associate n such variables e1τ , . . . , enτ . In order for a given edge hτ, σi to remain in A[f1 , . . . , fn ], we need τ to satisfy σ after the ith placeholder is replaced with fi , for each i ∈ [1..n]. We change the constraint system accordingly, as demonstrated in the following example. Example 6. Let hS1 , ψ, S2 i be an edge in A[?1 , ?2 ], where ψ = σ(τ ) = ((?1 ∧ ¬?2 ) ∨ (¬?1 )). The corresponding constraint is eS1 ∧ (e1τ ∧ ¬e2τ ∨ ¬e1τ ) → eS2 . u t What about the objective? Clearly we are facing a multi-objective optimization problem, since we are trying to make fi stronger for all 1 ≤ i ≤ n. Minimizing n Σi=1 Σeiτ , however, gives us a strongest interpretation. A solution is given by n functions f1 , . . . , fn where each fi is a disjunction over the eil atoms that were assigned true in the solution. Example 7. Consider the query FG(?1 ∨ ?2 ). A query tableau for the negation of this query appears on the left of Fig. 3. The Kripke structure M appears on the right of the same figure, and the product at the bottom left. The corresponding B¨uchi automaton B appears at the bottom right. The unrolling of B into a finite automaton appears in Fig. 4. The corresponding constraints system is below.
?1 ∨ ?2
¯?1 ∧ ¯?2
¯?1 ∧ ¯?2
s0
pq
p¯q pq
w0
s1
w1
?1 ∨ ?2 e1pq ∨ e2pq
e1p¯q ∨ e2p¯q
e1p¯q ∨ e2p¯q
1 2 ¬epq ∧ ¬epq
2
¬e1pq ∧ ¬e2pq
w1 s1
1 2 ¬epq ∧ ¬epq
w0 s1
w1 s0 1 2 epq ∨ epq
¬e1p¯q ∧ ¬e2p¯q
e1pq ∨ e2pq
pq ¬e ∧ 1 q p ¬e ¬ep1¯q ∧ ¬ep2¯q
w1 s1
1 2 ¬epq ∧ ¬epq
¬e1pq ∧ ¬e2pq
1 2 ¬epq ∧ ¬epq
2 q p
¬e
1 2 epq ∨ epq
∧
¬ep1¯q ∧ ¬ep2¯q
1 q p
¬e
w0 s1
w0 s0
w1 s0
¬e1p¯q ∧ ¬e2p¯q
w0 s0
Fig. 3. (Top left) A query tableau corresponding to the negation of the query FG(?1 ∨ ?2 ), (Top right) a model M , (Bottom left) the product A, and (Bottom right) the corresponding B¨uchi automata.
P2 objective: min i=1 eipq + eipq ¯ initial state: ew0 s0 0 accepting states: ¬ew0 s1 1 ∧ ¬ew1 s1 2 transitions: 2 ew0 s0 0 ∧ (¬e1pq ew1 s0 0 ¯ ∧ ¬epq ¯ ) → ew0 s1 0 1 2 1 ew0 s1 0 ∧ (¬epq ∧ ¬e ) → e e w s w0 s1 0 ¯ pq ¯ 0 1 2 1 0 ew0 s1 0 ∧ (e1pq ∨ e ) → e e w s w ¯ pq ¯ 0 0 1 s1 2 1 0 ew0 s0 1 ∧ (¬e1pq ∧ ¬e ) → e e w0 s1 w1 s1 ¯ pq ¯ ew0 s0 0 ew0 s0 0 ∧ (¬e1pq ∧ ¬e2pq ) → ew1 s1 0 ew1 s0 2 ∧ (¬e1pq ∧ ¬e2pq ) → ew1 s1 2
∧ (¬e1pq ∧ ¬e2pq ) → ew1 s1 0 ∧ (¬e1pq ∧ ¬e2pq ) → ew1 s1 0 ∧ (¬e1pq ∧ ¬e2pq ) → ew1 s1 2 ∧ (e1pq ∨ e2pq ) → ew1 s0 2 → ew1 s0 0 ∧ (e1pq ∨ e2pq )
There are several optimal solutions, all of which result in FG(q): – – – –
e1pq e1pq e2pq e2pq
= e1pq ¯ = e2pq ¯ = e1pq ¯ = e2pq ¯
= 1 which entails f1 = 1 which entails f1 = 1 which entails f1 = 1 which entails f1
= (p ∧ q) ∨ (¬p ∧ q), f2 = false, = (p ∧ q), f2 = (¬p ∧ q), = (¬p ∧ q), f2 = (p ∧ q), = false, f2 = (p ∧ q) ∨ (¬p ∧ q).
Correctness Consider Propositions 1 and 2 that were proven for the case of a single placeholder. The proof of Proposition 1 needs a small change as follows. Recall that the proof is based on showing that there must be an edge in each accepting path in B that is unsatisfied in the solution assignment α, and that the same edge is also labeled with false in A[f ]. The difference is that now σ(τ ) is some function of ?1 , . . . , ?n , which we denote by F(?1 , . . . , ?n ). But we know that τ 6|= F(?1 , . . . , ?n ), and hence the same edge cannot be part of A[f1 , . . . , fn ].
1 2 ¬epq ∧ ¬epq
2 q p
pq
¬e
q
¬e1pq ∧ ¬e2pq
1 2 ¬epq ∧ ¬epq
∧
2
∨ e p¯
¬ep1¯q ∧ ¬ep2¯q
1 q p
¬e
1
¬ep1¯q ∧ ¬ep2¯q
e p¯q
¬e1p¯q ∧ ¬e2p¯q w0 s1 1 w0 s1 0
w1 s0 2
w1 s0 0 ∨e2
e1pq ∨ e2pq
w1 s1 0
q
w0 s0 0
ep 1
w0 s0 1
¬e1pq ∧ ¬e2pq
w1 s1 2
Fig. 4. The unrolled version of B. Once again edges that are not relevant to the constraints system are dotted.
The proof of Proposition 2 is insensitive to the labels and hence holds for the case of multiple placeholders. The correctness of the reduction to 0-1-ILP is straightforward.
3 Objectives O1 and O3 We briefly describe solutions to objectives O1 and O3. As mentioned in the introduction, these solutions are not very interesting, as they are based on traversing the lattice of possible solutions. We present them here for completeness of the article and for lack of a better solution. As future work one may find reductions similar to the one presented in Sect. 2 for achieving these objectives. 3.1 Achieving objective O1 For a set of atomic propositions AP , as mentioned above we denote by Lprop (AP ) the propositional lattice over AP . Constructing the lattice Lprop (AP ) can be done in time linear in its size. Recall that the requested solution can be restricted by the user to a |AP 0 | subset AP 0 of AP . Then, the relevant size is the size of Lprop (AP 0 ), which is 22 . Algorithm 1 traverses the lattice Lprop (AP 0 ) from the top searching for an element f such that M |= ϕ[? ← f ], but for all direct successors g of f in Lprop (AP 0 ), M does not satisfy ϕ[? ← g] (that is, f cannot be strengthened). The height of the lattice 0 is 2|AP | , and in each step the number of direct successors of an element f is bounded by k - the number of 1’s in the truth table of f . Thus, the total number of steps is 0 0 2|AP | Σk=0 k = O(22|AP | ), and in each step we perform model checking. The total running time complexity is, therefore 0
O(|M | · 2|ϕ| · 22|AP | ) = O(|M | · 22|AP
0
|+|ϕ|
).
(5)
Correctness This approach is only correct for queries in which the occurrences of the placeholder are in pure polarity. In such a case the elements of the lattice are ordered
Algorithm 1 Traversing the propositional lattice for a strongest solution according to O1. The algorithm is quadratic in the height of the lattice. The input to T RA VERSE LATTICE is a lattice element v which, for the purpose of this algorithm, is simply a propositional formula. function T RAVERSE LATTICE(element v) for each direct successor v 0 of v do if M |= ϕ[? ← v 0 ] then T RAVERSE LATTICE (v 0 ); Output(v); A BORT ();
. Abort the recursion
monotonically with respect to satisfaction of ϕ[?] by M . More formally, for two lattice elements f, f 0 such that f → f 0 , it holds that M |= ϕ[f ] → M |= ϕ[f 0 ]. Hence if the children of a lattice element are too strong, then so are its other descendants. 3.2 Achieving objective O3 We begin by considering a single placeholder. A lattice of possible solutions Given the lattice Lprop (AP 0 ), we construct the lattice Lϕ of the possible solutions to the query ϕ[?] with O3, and by Lϕ (M ) the subset of Lϕ that contains only formulas that are satisfied in M . The size of Lϕ is bounded by the size of Lprop (AP 0 ), and the complexity of comparing two formulas in Lϕ is PSPACE, hence, is exponential in the size of the formulas. Since each formula in Lϕ is of size O(|ϕ|), the total complexity of constructing Lϕ is O(2|ϕ| 22
|AP 0 |
).
Remark 1. Note that there is no one-to-one correspondence between Lϕ and Lprop (AP 0 ), because there can be two different propositional formulas f1 and f2 in Lprop (AP 0 ) such that ϕ[f1 ] = ϕ[f2 ]. A simple example is ϕ[?] = G(p∨?) and two possible replacements f1 = q and f2 = p ∨ q. While f1 6= f2 , ϕ[f1 ] = G(p ∨ q) = ϕ[f2 ]. The algorithm for a single placeholder is exactly Algorithm 1 on the lattice Lϕ , instead of Lprop (AP 0 ). Complexity The number of iterations of the algorithm is bounded by the size of the lattice Lϕ , and each model-checking run has the complexity O(|M | · 2|ϕ| ). The total complexity, including the construction of Lϕ is, therefore O(2|ϕ| · 22
|AP 0 |
+ |M | · 2|ϕ| · (size(Lϕ ))) ,
which is bounded by O(|M | · 22
|AP 0 |
+|ϕ|
).
(6)
Multiple placeholders The algorithm above can be extended to multiple placeholders in a natural way. For n placeholders, the lattice Lprop (AP 0 , n) is a lattice of n-tuples of propositional formulas over AP 0 constructed similarly to Lprop (AP 0 ). The size of Lprop (AP 0 , n) is 2n2 is O(2
|ϕ|
·2
n2
|AP 0 |
|AP 0 |
, and hence the complexity of the algorithm for n placeholders
+ |M | · 2|ϕ| · (size(Lϕ ))) , which is bounded by O(|M | · 2n2
|AP 0 |
+|ϕ|
).
(7)
4 Conclusions and future work This is the first work that focuses explicitly on LTL query checking. It also includes two new criteria for query checking (regardless of the temporal logic), namely objectives O2 and O3, and solutions in the context of LTL query checking. The solution to O2 is based on a reduction to an optimization problem that is formulated with 0-1-ILP. For safety queries the complexity of this solution is better than a naive solution based on explicit enumeration of formulas. We defined as an open problem the task of encoding Problem 3 with a linear, rather than quadratic, number of constraints in the size of the product.
References 1. Fadi A. Aloul, Arathi Ramani, Igor L. Markov, and Karem A. Saka llah. PBS: A BacktrackSearch Psuedo-Boolean Solver and Optimizer. In Fifth International Symposium on the Theory and Applications of Satisfiability Testing (SAT), 2002. 2. I. Beer, S. Ben-David, C. Eisner, and Y. Rodeh. Efficient detection of vacuity in ACTL formulas. In Orna Grumberg, editor, Proc. 9th Intl. Conference on Computer Aided Verification (CAV’97), volume 1254 of Lect. Notes in Comp. Sci., pages 279–290. Springer-Verlag, 1997. 3. Glenn Bruns and Patrice Godefroid. Temporal logic query checking. In LICS, pages 409– 417, 2001. 4. Sagar Chaki and Ofer Strichman. Three optimizations for assume-guarantee reasoning with L*. J. on Formal Methods in System Design, 32(3):267–284, 2008. 5. William Chan. “Temporal-Logic Queries”. In Proc. 12th Intl. Conference on Computer Aided Verification (CAV’00), pages 450–463, 2000. 6. Marsha Chechik, Arie Gurfinkel, and Benet Devereux. χ-chek: A multi-valued modelchecker. In CAV, pages 505–509, 2002. 7. E.M. Clarke and I.A. Draghicescu. Expressibility results for linear-time and branching-time logics. In Proc. Workshop on LTBTPO, volume 354 of LNCS, pages 428–437. SpringerVerlag, 1988. 8. Rob Gerth, Doron Peled, Moshe Y. Vardi, and Pierre Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Proceedings of PSTV, pages 3–18, 1995. 9. Arie Gurfinkel, Marsha Chechik, and Benet Devereux. Temporal logic query checking: A tool for model exploration. IEEE Trans. Software Eng., 29(10):898–914, 2003. 10. G.J. Holzmann, D. Peled, and M. Yannakakis. On nested depth first search. In Second SPIN workshop, AMS, pages 23–32, 1996. 11. Samuel Hornus and Ph. Schnoebelen. “On Solving Temporal Logic Queries”. In AMAST, pages 163–177, 2002.
12. Doron Peled. Software Reliability Methods. Springer-Verlag, 2001. 13. Marko Samer and Helmut Veith. A syntactic characterization of distributive ltl queries. In ICALP, pages 1099–1110, 2004. 14. F. Somenzi and R. Bloem. Efficient B¨uchi automata from LTL formulae. In E. A. Emerson and A. P. Sistla, editors, Twelfth Conference on Computer Aided Verification (CAV’00), pages 248–263. Springer-Verlag, Berlin, July 2000. 15. Xavier Thirioux. Simple and efficient translation from LTL formulas to Buchi automata. Electronic Notes in Theoretical Computer Science, 66(2):145 – 159, 2002. FMICS’02, 7th International ERCIM Workshop in Formal Methods for Industrial Critical Systems (ICALP 2002 Satellite Workshop). 16. M.Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Proc. First IEEE Symp. Logic in Comp. Sci., pages 332–344, 1986. 17. M.Y. Vardi and P. Wolper. Reasoning about infinite computations. Information and Computation, 110(2), 1994.
A A full example for Sect. 2 We demonstrate the process of achieving objective O2, as described in Sect. 2.1– 2.2, with a full example. ?
¯?
¯? s0
p¯q
p¯ q p¯q
w2
s1
p¯ q
w0
w1
?
Fig. 5. (Left) a query automaton corresponding to ¬F G?, (Right) a model M .
w0 s0
hpq ¯, ?¯ i
w2 s0 hp q¯, ?i
hp¯q ¯ , ?i
hp¯ q , ?i
¯?i hpq¯,
, ?i hp¯q
hp q¯, ?i hp¯q
w2 s1
h¯ pq, ?i
,¯?i
q hp¯
w1 s1
w1 s0 i ,?
h¯ pq, ¯?i
hp¯ q , ¯?i
w0 s0 ep
¬e p
w2 s0 ep
¬e p¯q
ep¯q
q¯
epq ¯
e p¯q
w1 s0
¬
q¯
q¯
¬e pq¯
e p¯q
w2 s1 ¬ep¯q
w1 s1
e p¯q
¬epq ¯
Fig. 6. (Top) the product, and (Bottom) the product after re-labeling the edges.
Let the query ϕ[?] be FG?. 1. The query tableau B¬ϕ[?] is shown in the left of Fig. 5. It is constructed using a standard converter from LTL to B¨uchi automaton, while treating the placeholder as any other symbol. 2. The Kripke structure M is shown at the right of the same figure. 3. The product automaton A is shown in the top part of Fig. 6. Only states reachable from the initial state are shown. 4. We reduce A to a B¨uchi automaton B by relabeling its edges, as explained in Sect. 2.3. There are two predicates, namely epq ¯ and ep¯ q . The relabeling appears in the bottom of Fig. 6. Consider for example the edge hw0 s0 , w2 s0 i on the left, which is labeled with h¯ pq, ?i. This edge is left in A[f ] if p¯q |= f . Correspondingly
we replace the label on this edge with epq ¯ . Now consider the edge hw0 s0 , w2 s1 i, which is labeled with h¯ pq, ¯?i. This edge is left in A[f ] if p¯q |= ¬f , and correspondingly we label it with ¬epq uchi ¯ . We now solve Problem 2 for the resulting B¨ automaton.
w0 s0 0 ep ¬e p¯q
¬e p
q ¬e p¯
q¯
w2 s1 0
¬e p
e p¯q
w2 s0 1
¬ep¯q
e pq¯
w1 s0 0
w1 s1 0 ¬epq ¯
w2 s0 0
q¯
¬e pq¯
e p¯q
q ¬e p¯
q¯
w2 s1 1
w1 s0 2
w1 s1 2
Fig. 7. After unrolling B. Only reachable states are shown. Edges that are not on a non-redundant path to an accepting state are not necessary for the reduction and appear dotted.
Figure 7 shows the unrolled B¨uchi automaton B, as required by the reduction to Problem 3. The resulting constraints system is: objective: min ep¯q + epq ¯ initial states: ew0 s0 0 final states: ¬ew2 s1 1 ∧ ¬ew1 s1 2 transitions: ew2 s1 0 ∧ ep¯q → ew2 s0 1 ew0 s0 0 ∧ epq ¯ → ew2 s0 0 ew2 s1 0 ∧ ¬ep¯q → ew2 s1 1 ew0 s0 0 ∧ ¬epq ¯ → ew2 s1 0 ew2 s0 1 ∧ ¬ep¯q → ew2 s1 1 ew0 s0 0 ∧ ¬ep¯q → ew1 s1 0 ew1 s1 0 ∧ ¬epq ew0 s0 0 ∧ ep¯q → ew1 s0 0 ¯ → ew1 s1 2 ew1 s1 0 ∧ epq ew2 s0 0 ∧ ¬ep¯q → ew2 s1 0 ¯ → ew1 s0 2 ew1 s0 2 ∧ ¬epq ew1 s0 0 ∧ ¬epq ¯ → ew1 s1 2 ¯ → ew1 s1 0
An optimal solution (in fact the only solution in this case) is given by ep¯q = epq ¯ = 1, which corresponds to f = p¯ q ∨ p¯q = p ⊕ q . Indeed FG(p ⊕ q) is satisfied by M .
Arie Gurfinkel2
Ofer Strichman3
1
2
IBM Haifa Research Lab, Haifa, Israel. [email protected] Software Engineering Institute, Pittsburgh, USA. [email protected] 3 Information Systems Engineering, IE, Technion, Haifa, Israel. [email protected]
Abstract. Given a model M and a temporal logic formula ϕ[?], where ? is a placeholder, the query checking problem, as defined for the case of CTL by Chan in 2000, is to find the strongest propositional formula f such that M |= ϕ[? ← f ]. The motivation for solving this problem is, among other things, to get insight on the model. We consider various objectives to the LTL query-checking problem, and study the question of whether there is a better solution than simply enumerating all possible formulas (modulo logical equivalence). It turns out that in most cases the answer is no, but there is one particular objective for which the answer – in practice – is definitely yes. The solution is based on a reduction to a Pseudo-Boolean Solving problem.
1 Introduction Given a Kripke model M and a CTL formula ϕ[?], where ? is a placeholder, Chan defined in [5] the query checking problem as follows: find the strongest propositional formula f such that M |= ϕ[? ← f ]. The motivation for solving this problem is quite clear. Users can mine their model for some of its properties, and gain better insight as to what it really does. It can also help them perform “sanity-checks”, by contrasting their expectation regarding the properties of the model and what they really are. As an example, users of a model-checker can check whether their model satisfies ϕ , G(request ⇒ F grant), that is, whether request is always eventually followed by a grant, but users of a query-checker can instead check the query G(request ⇒ F?), which asks what is the strongest propositional formula that always eventually follows request. An answer can be either weaker or stronger than grant, e.g., ‘grant ∨ nack’ and ‘false’, respectively. The former case demonstrates that query checking can give information beyond what is given by a counterexample to the originally assumed property ϕ. The latter case demonstrates that query checking also encompasses vacuity checking [2]. In fact query checking gives users a finer version of vacuity checking, since even when the property is not vacuous, (e.g., M 6|= ϕ[grant ← false] in this case), it may still give an answer that, like vacuity checks, may lead to discovering errors in the design or the property. Other known applications of query checking include guided simulation and model-based automatic test generation, as was demonstrated by Gurfinkel et al. in [9]. It is clear, then, that query-checking is at least as complex as model checking, and indeed all the published algorithms for query checking use some form of (repeated)
model checking. A naive solution to this problem, as pointed out by Bruns and Godefroid in [3], can be performed by explicitly enumerating all possible solutions. In other words, for a given set of atomic propositions AP , query checking can be solved by |AP | running a model checker 22 times: once for each possible formula over AP modulo logical equivalence. One should not deem this problem as unsolvable, however. In practice it is reasonable to ask the user to restrict the expected output to a few propositions only, which we denote by AP 0 (AP 0 ⊆ AP ). In the example above, whereas the model can have hundreds of signals, users may restrict the query to formulas over several signals that they consider as relevant to the behavior of request. The solution in this case is a formula f that has the strongest projection to these signals but still satisfies M |= ϕ[? ← f ]. Unlike model checking where projections correspond to abstraction and hence to possibly loss of completeness, here projections entail a different focus of the query, which may still be valuable to the user. Chan noted that, regardless of complexity, the user would probably want to restrict the answer of the query to a small number of propositions simply because an answer based on a large number of propositions is too complex and not helpful. Gurfinkel et al. defined the set of variables to which the query is restricted as part of the input language of the query [9]. For example, an answer to AG(?{p, q}) is an invariant of the model over p and q. Related work In [5], Chan proposed to focus on a subset of CTL which has a unique strongest solution in every model and hence corresponds to his definition of the problem. He coined the term ‘valid queries’ to refer to queries in this restricted language. Nevertheless in the general case there can be multiple strongest interpretations to ?. In [3] Bruns and Godefroid solved the query-checking problem for any temporal logic for which there is a representation by an alternating automata, including CTL and LTL. They also changed the problem definition to finding all strongest formulas f (modulo logical equivalence) such that M |= ϕ[? ← f ]. Their solution strategy is based on an extension to alternating automata that maps a state and an input tree value to a finite lattice element. The elements of the lattice, in this case, are the possible answers to the query. Their algorithm translates the query into an extended alternating automata, computes the product with the model M , and checks for lattice emptiness. The result is a lattice value corresponding to all strongest solutions to the query. The complexity of this algorithm is not better, in the worst case, than enumerating all solutions. Gurfinkel et al. examined in [9] several extensions to the original problem: multiple occurrences of the same placeholder, possibly with mixed polarity, and multiple placeholders. They showed that query-checking is reducible to multi-valued model-checking over a lattice of solutions. This has been implemented in the context of a multi-valued model-checker χChek [6]. When the problem is defined as in [3], namely finding all strongest solutions, the size of the output itself can be double exponential in AP 0 , as it corresponds to the width of the propositional lattice. There is no way around this problem other than making AP 0 very small. Hornus and Schnoebelen show in [11] how to test, with a polynomial number of model-checking invocations, whether a given temporal logic query has a unique solution in a given model. This capability at least lets us detect easily the cases in which the size of the output is a single formula. Samer and Veith present a context-
free grammar of a syntactic subset of LTL for which there is at most one strongest solution to the query, and conjecture that this result can be extended to CTL as well [13]. Our contribution This is the first work to focus on LTL query checking. As mentioned earlier, there were works that dealt with arbitrary temporal logics, but those did not focus on the goals that we describe below. Our goal is to find a strongest propositional formula f , while considering three alternative definitions of strength: O1: f is stronger than g if models(f ) ⊆ models(g). This is equivalent to saying that f → g, and corresponds to the traditional objective of query checking. O2: f is stronger than g if |models(f )| < |models(g)|. This objective is useful when there are many incomparable solutions to O1. In such a case, a solution to O2 is one of the O1 solutions that has the smallest number of models. O3: f is stronger than g if ϕ[f ] → ϕ[g]. The necessity of this objective is demonstrated next. Example 1. Consider Table 1. It includes queries, interpretations, the interpreted queries, the relations between the interpretations, and, finally, the relations between the interpreted queries. The first query demonstrates that ϕ[f ] can become stronger while f becomes weaker, and the second query that an incomparable interpretation can make ϕ[f ] stronger. This nonmonotonicity implies that O3 cannot, in general, be reduced to O1 or O2. u t Query
f1
f2
ϕ[f1 ]
ϕ[f2 ]
Relations
F(p ∨ ?) ∧ F(¬?) p ∧ q p F(p) ∧ F(¬p ∨ ¬q) F(p) ∧ F(¬p) f1 → f2 ϕ[f1 ] ← ϕ[f2 ] G(p ∧ ?) p q G(p) G(p ∧ q) ϕ[f1 ] ← ϕ[f2 ] Table 1. Demonstrating the necessity of objective O3, as part of Example 1.
If the occurrences of the placeholder appear in mixed polarity, the value of finding the strongest replacement according to O1 and O2 is questionable. For example, for a query G(? → X¬?), the solution p ∧ q is not necessarily more informative to the user than the solution p, although it is logically stronger. For this reason we solve O1 only for the case of pure polarity, which makes it computationally easier. For O2 our solution is oblivious to the polarity although, as said, it makes more sense to use it for formulas in which the occurrences appear in pure polarity. In other cases we consider O3 to be the right option, and indeed our solution with this objective is insensitive to the question of whether the polarity is pure or mixed. The main question we are interested in is whether we can find a solution to any of these goals which is easier than trying all possible replacements for the query. It turns out that for O1 and O3 we can do only a little better, but essentially the solutions are
based on traversing the lattice of possible solutions, albeit not in the most naive way. We delay the presentation of these solutions to Sect. 3. Our solution to O2, on the other hand, is not based on enumerating possible solutions and is far better in practice than simple enumeration, at least for the case of safety properties. The solution, which is described in Sect. 2, is based on a series of reductions, ending with a formulation of an optimization problem in Integer Linear Programming over binary variables (0-1-ILP), or, equivalently, as a Pseudo-Boolean problem (PBS) [1]. Essentially, we solve the problem of finding a minimal set of assignments that need to satisfy the solution f in order for the language of the product M × B¬ϕ[?←f ] to be empty. The running time complexity of our solutions is summarized in Table 2 for the case of a single placeholder with possibly multi- Objective Complexity ple occurrences. Note that for O1 the solu0 O(|M | · 22|AP |+|ϕ| ) tion is correct only for queries in which the O1 |AP 0 | occurrences of the placeholder are in pure +|ϕ| O2 (safety) O(|M | · 22 ) polarity, whereas for O2 and O3, the solu0 tion allows mixed polarity. Throughout the O2 (liveness) O(|M |2 · 22|AP | +|ϕ| ) article we assume that the reader is famil|AP 0 | +|ϕ| O(|M | · 22 ) iar with the basics of LTL model checking in O3 the automata-theoretic framework. For backTable 2. Complexity of LTL query ground see, e.g., [12]. We also assume familchecking, according to the objective. iarity with modeling problems in 0-1-ILP.
2 Achieving objective O2 In the first step of our solution we use a construction which is similar, but not identical, to that used in LTL model checking with the Vardi-Wolper scheme [16]. We describe this construction in Sect. 2.1, and the full algorithm in Sect. 2.2. 2.1 The construction The query tableau B¬ϕ[?] Let ϕ[?] be a query over AP ∪ {?}. We construct a query 0 0 tableau B¬ϕ[?] = hSB , SB , RB , FB i where SB is a set of states, SB ⊆ SB and FB ⊆ AP ∪{?} 2 SB are subsets of the states, and RB : SB × 2 × SB is the transition relation1 . B¬ϕ[?] is similar to a B¨uchi automaton that represents ϕ[?] if ? was any other atom, with the difference that its edges are labeled with formulas over AP ∪{?}. Labeling the edges with formulas is more concise and more natural for the description of the algorithm later on. It is also more intuitive in our context because, recall, ‘?’ itself represents a formula, and therefore it is more natural to consider it as part of a bigger formula 1
We refrain from calling it a query automaton because it cannot be defined as an acceptor without an interpretation to the placeholder. This is also the reason that we do not define an 0 alphabet as part of the construction, nor do we designate SB and FB as initial and final states, respectively.
rather than an element of a full assignment. In fact modern LTL to B¨uchi convertors do not label their edges with full assignments, rather with either partial assignments or formulas. Examples of tools that label their edges with partial assignments are LBT by R¨onkk¨o, which is based on [8], and Somenzi’s Wring [14]. An example of a tool that labels its edges with formulas (represented as BDDs) is BAOM, which was written by Thirioux [15]. 0 , RM i is given by an alphabet Σ = 2AP , The model M The model M = hΣ, SM , SM 0 a set of states SM , a set of initial states SM ⊆ SM and a set of transitions RM : SM × Σ × SM . 0 The product A = M × B¬ϕ[?] Given the model M = hΣ, SM , SM , RM i and 0 B¬ϕ[?] = hSB , SB , RB , FB i, we define the product A = M × B¬ϕ[?] = hS, S 0 , R, F i as follows:
S = {hsi , sj i | si ∈ SM , sj ∈ SB } 0 0 S 0 = {hsi , sj i | si ∈ SM , sj ∈ S B } 0 0 R = {hsi , sj ihτ, σihsi , sj i | hsi , τ, s0i i ∈ RM ,
hsj , σ, s0j i ∈ RB , ∃f. τ ∧ σ[? ← f ]} F = {hsi , sj i | si ∈ SM , sj ∈ FB } Note that the edges in M are labeled with full assignments over AP and the edges in B¬ϕ[?] are labeled with formulas over AP ∪ ?. This mismatch is not a problem when constructing the product, however, because at this stage, before having an interpretation to the placeholder, we do not attempt to synchronize the transitions. Given an interpretation f to ?, we can turn A into a B¨uchi automaton, which we denote by A[f ], by replacing each label of the form hτ, σi in A with the label τ if τ |= σ[? ← f ] (1) false otherwise Note that this definition is equivalent to taking the label τ ∧ σ[? ← f ]. For example, h¬a ∧ b ∧ c, b ∨ ?i in A, given an interpretation f = c ∧ a becomes (¬a ∧ b ∧ c ∧ (b ∨ (c ∧ a))) = ¬a ∧ b ∧ c in A[f ], which is simply τ . Example 2. Figure 1 demonstrates the model M , a query tableau B¬ϕ[?] and their product. We consider this example automaton later in Example 3. u t 2.2 An algorithm for a single placeholder The solution is based on finding an interpretation f that on the one hand eliminates all accepting paths in A[f ], and on the other is the strongest such f according to O2. We assume that the given query has at least one solution, so such an f must exist. A bird’s eye view of the solution is given by the following steps:
1. Given ϕ[?] and M , compute the product A as explained in the previous section. 2. Solve the following problem for A: Problem 1. Find a smallest set Fτ of full assignments that should satisfy f in order to make L(A[f ]) = ∅, where L(A[f ]) denotes the language of A[f ]. 3. Let f=
_
τ.
(2)
τ ∈Fτ
4. Return f . If ϕ[?] is an unrestricted LTL query, then Problem 1 is reduced to Problem 2 below. If, on the other hand, it is a safety query, then it is reduced straight to Problem 3 below. The cause for the difference is that safety properties can be model-checked with automata over finite words. We continue by describing Problem 2, for which we need the following notation: for an automaton B with edges labeled by literals from a set of variables L, and an assignment α : L 7→ {0, 1}, denote by B|α the automaton B after removing edges whose labels are falsified by α. Problem 2 (Minimum cutting set for a B¨uchi automaton). Let B be a B¨uchi automaton hS, S 0 , R, F i, where S is a set of states, S 0 ⊆ S is a set of initial states, R : S × L × S is the transition relation – where L is a set of literals labeling the edges – and F ⊆ S is a set of accepting states. Given such an automaton B, find an assignment α with a minimum number of satisfied positive literals such that L(B|α ) = ∅. It is left to show how to use a solution to this problem in order to generate a solution to Problem 1. Roughly speaking, for this purpose we consider a B¨uchi automaton B in which each element of L represents a full assignment to AP , e.g., a label eτ represents a full assignment τ . Hence the set of positive literals satisfied by the solution α corresponds to a set of full assignments, which is the solution to Problem 1. The construction of B is such that a literal eτ in B labeling an edge indicates that in order for this edge to remain in A[f ] we must have that τ |= f . Similarly, a literal ¬eτ labeling an edge indicates that in order for this edge to remain in A[f ] we must have that τ |= ¬f . We solve Problem 2 by reducing it to Problem 3 below, which is the same problem but for a finite automaton: Problem 3 (Minimum cutting set for a finite automaton). Let Bf be a finite state automaton hSf , Sf0 , Rf , Ff i, where Sf is a set of states, Sf0 ⊆ Sf is a set of initial states, R : Sf × L × Sf is the transition relation – where L is a set of literals labeling the edges – and Ff ⊆ Sf is a set of accepting states. Find an assignment α with a minimum number of satisfied positive literals such that L(Bf |α ) = ∅. 2.3 Reductions A reduction from Problem 1 to Problem 2 We reduce A to a B¨uchi automaton B with edges labeled with literals that represent assignments or their negation. Recall that the
labels in A are of the form hτ, σi where τ is a full assignment. Denote by σ(τ ) the value of σ after assigning its variables the values given to them in τ and applying standard propositional simplifications. For example, for an edge labeled hp ∧ q, p ∧ ¬?i, σ(τ ) = ¬?. It is not hard to see that σ(τ ) can be one of ‘?’, ‘¬?’, true or false. Automaton B is the same as A, other than the following relabeling: – If σ(τ ) = ? then the corresponding edge in B is labeled with a (propositional) literal eτ . – If σ(τ ) = ¬? then the corresponding edge in B is labeled with a (propositional) literal ¬eτ . – If σ(τ ) = false then the edge is removed. – If σ(τ ) = true then the corresponding edge in B is labeled with true. Note that such edges cannot be part of any solution. Hence B is a B¨uchi automaton according to the definition in Problem 2. Example 3. Consider the query ϕ[?] = GF(p ∧ ?). Fig. 1 contains the corresponding query tableau B¬ϕ[?] , as well as a Kripke structure M and their product A at the bottom left. The B¨uchi automaton B, which appears at the bottom right of the figure, is computed as explained above. For conciseness in this and future figures we represent assignments with juxtaposition for conjunction and overline for negation. For example p¯ q stands for p ∧ ¬q. p¯ ∨ ¯?
T B¬ϕ[?] :
p¯ ∨ ¯?
s0
pq w¯ w0
M:
s1
w1 pqw
hpq w, ¯ p¯ ∨ ¯?i
w1 s1
B:
T
T
w0 s0
w0 s1
¬epqw¯
hpqw, T i
¬epqw
w1 s0
¬epqw¯
¬epqw
w0 s0
w0 s1 hpqw, p¯ ∨ ¯?i
hpq w, ¯ Ti
A:
hpqw, p¯ ∨ ¯?i hpq w, ¯ p¯ ∨ ¯?i
w1 s0
w1 s1
Fig. 1. (Top left) a query tableau corresponding to the negation of the query GF(p ∧ ?), (Top right) A Kripke structure M , (Bottom left) the product A = M × B¬ϕ[?] , and (Bottom right) after reduction of A to a B¨uchi automaton B.
u t Proposition 1. Given a query and a model M , let A be the product as constructed in Sect. 2.1. Let B be the B¨uchi automaton constructed from A by the reduction above. Given a minimum cutting set {eτ1 , . . . , eτn } for B, the corresponding minimum set of assignments Fτ is {τ1 , . . . , τn }. Then, the function f as defined in (2) satisfies L(A[f ]) = ∅ and is a strongest such function.
Proof. We first prove that any cutting set of B induces f such that L(A[f ]) = ∅. Falsely assume that there exists an accepting path π in A[f ], where f is a disjunction between the full assignments corresponding to a solution to Problem 2. Let πB be the corresponding (accepting) path in B. By definition of Problem 2, there has to be at least one edge in πB not satisfied by the solution assignment α, since this solution makes the language L(A[f ]) empty. Let hτ, σi be the label of the corresponding edge in A. We show that in all cases this implies that the label of the same edge in A[f ] must be false and hence cannot be part of the path π. There are four cases: – if σ(τ ) = ?, then eτ is not satisfied by α. This means that τ 6|= f , and hence the same edge in A[f ] is labeled with false. – if σ(τ ) = ¬?, then eτ is satisfied by α. This means that τ |= f , but since f is negated in the label of this edge then the same edge in A[f ] is again labeled with false. – if σ(τ ) = false, then it is also labeled with false in A[f ], regardless of f . – if σ(τ ) = true, then this cannot be the edge unsatisfied by α. There must be another edge along this path that is not satisfied by α. The argument is then repeated for that edge. It is left to prove that f is a strongest such function according to O2. Falsely assume the existence of a function f 0 such that f 0 is stronger than f according to O2 and L(A[f ]) = ∅. The function f 0 induces an assignment αf 0 to the set of labels in B, such that L(B|αf 0 ) = ∅. But the set of literals assigned true in αf 0 is a subset of the set of literals assigned true in α, owing to the way that f is constructed. Hence αf 0 represents a cutting set for B and has fewer models than α, which contradicts the minimality of α. u t A reduction from Problem 2 to Problem 3 Given a B¨uchi automaton B = hS, S 0 , R, F i, we construct a finite state automaton Bf = hSf , Sf0 , Rf , Ff i: Sf = {ski | si ∈ S, k ∈ [0..|F |]} Sf0 = {s0i | si ∈ S 0 } Rf = {hski , l, skj i | hsi , l, sj i ∈ R, k ∈ [0..|F |]} ∪ {hs0i , l, skj i | hsi , l, sj i ∈ R, si is kth state in F } Ff = {ski | si is kth state in F } Thus, the resulting automaton is made of |F | + 1 copies of B. Example 4. Continuing our running example, the finite state automaton corresponding to the B¨uchi automaton that appears in the bottom right of Fig. 1, appears in Fig. 2. u t Proposition 2. Let B be the input B¨uchi automaton to Problem 2. Let Bf be the result of the reduction above, given B as input. Then the solution of Problem 3 with respect to Bf is also a solution to Problem 2 with respect to B.
¬epqw¯
¬epqw¯ w1 s1 0
w1 s1 1
w0 s1 2
¬epqw
¬epqw¯
w ¬e pq
¬epqw
w0 s0 0
w¯
T
w0 s1 1 pq ¬e ¬epqw
T
w0 s1 0
¬epqw¯
¬epqw
w1 s0 0
w1 s1 2
Fig. 2. A finite state automaton resulting from the reduction to Problem 2, starting from the B¨uchi automaton B that appears at the bottom right of Fig. 1. Four unreachable states (corresponding to copies of w0 s0 and w1 s0 ) were removed from the drawing.
Proof. Let α be the solution to Problem 3. This means that L(Bf |α ) = ∅. Falsely assume that L(B|α ) 6= ∅, and let π = π1 π2ω denote a lasso-shaped accepting path in B|α such that π1 ends with a state s ∈ F ∩ inf (π) (as shown in [7, 17], if there is an accepting path, then there is a lasso-shaped accepting path). We show that the finite path π1 π2 is an accepting path in Bf |α . Assume that s is the kth accepting state for the purpose of constructing Bf . The prefix π1 exists in the 0 copy of B in Bf , and connects an initial state to s0 . The suffix π2 connects s0 to sk , which is accepting in Bf . We know that none of the edges of π is removed in Bf |α , because they are labeled the same in B and Bf , and we assumed that they are not removed in B. Hence π1 π2 is an accepting path in Bf |α , which is a contradiction to our assumption that L(Bf |α ) = ∅. u t A Reduction from Problem 3 to a 0-1-ILP problem We show a reduction from Problem 3 to a 0-1 ILP problem. For clarity, however, we formulate the constraints with propositional formulas rather than with linear constraints. The encoding is inspired by the one in [4]. With a positive literal l ∈ L we associate a propositional variable el and with a negative one we associate ¬el . Intuitively el =false if we choose to remove all edges labeled with l. With each state si ∈ S we associate a propositional variable esi . Intuitively esi = true if si is reachable. The constraints are: 1. Initial states are reachable. For each si ∈ S 0 : 2. Accepting states are unreachable. For each si ∈ F : 3. Transitions. For each transition hsi , l, sj i ∈ R: A special case is when l is the label true. Then we add:
e si ¬esi e si ∧ e l → e sj e si → e sj
The objective is to minimize Σel . Example 5. The 0-1-ILP system corresponding to the finite automaton in Fig. 2 is: objective: initial states: final states: transitions:
min epqw + epqw¯ ew0 s0 0 ¬ew0 s1 1 ∧ ¬ew1 s1 2
ew0 s0 0 ew0 s0 0 ew1 s0 0 ew0 s1 0 ew0 s1 0
↔ ew1 s0 0 ∧ ¬epqw¯ → ew1 s1 0 ∧ ¬epqw → ew0 s1 0 ∧ ¬epqw¯ → ew1 s1 0 ∧ ¬epqw¯ → ew1 s1 1
ew0 s1 2 ew1 s1 0 ew1 s1 1 ew1 s1 0 ew0 s1 1
∧ ¬epqw¯ ∧ ¬epqw ∧ ¬epqw ∧ ¬epqw ∧ ¬epqw¯
→ ew1 s1 2 → ew0 s1 2 → ew0 s1 1 → ew0 s1 0 → ew1 s1 1
ew1 s1 2 ∧ ¬epqw → ew0 s1 2
A solution gives us either epqw = 1 or epqw¯ = 1 with objective equal to 1. Recall that we use this solution to construct f . In this case the solution would be f = p ∧ q ∧ w or f = p ∧ q ∧ ¬w, and the property, correspondingly, either GF(p ∧ q ∧ w) or GF(p ∧ q ∧ ¬w). Note that without the objective the assignment epqw = epqw¯ = 1 also satisfies the constraints, which results in the nonoptimal solution GF(pq). There are various opportunities for optimization (e.g., note that the last three transition constraints are unnecessary) but we leave this issue to future work. u t In Appendix A we demonstrate the algorithm with a full example. 2.4 Complexity We first consider the complexity of general LTL queries, and then focus on safety queries. The product A is linear in M and exponential in |ϕ|. The reduction to a B¨uchi automaton and then to a finite automata Af = hV, Ei multiplies the size of the automaton by |F |, which is proportional to |M |, assuming a small constant number of accepting states in B¬ϕ[?←f ] . The number of conjuncts in the definition of the transition relation is proportional to |E|, and the number of variables is equal to the number of different labels plus |V |. The number of different labels is bounded by two figures: first, it is bounded by the number of edges in A, which cannot be more than quadratic 0 in the number of nodes in A; second, it is bounded by 2|AP | , where AP 0 ⊆ AP is, recall, the projection set (see Sect. 1). For the sake of discussion assume that the latter is the smaller number and therefore the actual bound. This is a reasonable assumption because the size of AP 0 is controlled by the user and can be in practice very small. Solving this constraint is exponential in the number of variables. All together, then, the solving time is O(|M | · 2|ϕ| · |F | · 22
|AP 0 |
) = O(|M |2 · 22
|AP 0 |
+|ϕ|
).
(3)
For safety queries, the quadratic growth in the size of the model disappears, and hence the complexity is O(|M | · 2|ϕ| · 22
|AP 0 |
) = O(|M | · 22
|AP 0 |
+|ϕ|
).
(4)
As stated in the introduction, we would like to see if this solution is better than an exhaustive search over all possible replacements. A reasonable way to perform such an exhaustive search is to traverse the propositional lattice over AP 0 top down, and for each element (function) f check whether M |= ϕ[? ← f ] with a model-checker. The
complexity, thus, is double exponential in AP 0 , and linear in the size of the model. This is the same worst-case complexity as our solution for safety queries. However, in practice the run time of a 0-1 ILP solver is much better than an explicit enumeration of the search-space, so we can claim for a better algorithm in the case of safety queries. For liveness properties, however, our solution is worst-case quadratic in |M |, and hence is worse than an explicit enumeration. What it is the reason for the complexity gap in the case of liveness properties? Our current encoding for liveness queries is quadratic because it refers separately to paths leading to accepting states and paths from these states back to themselves. In contrast, in LTL model-checking, although we also search for a lasso-shaped path, it is linear in the size of the product if using the SCC-decomposition method (see, e.g., Sect. 6.6 in [12]) or nested DFS [10]. Perhaps it is possible to construct a linear encoding which mimics one of these methods. We leave this as an open problem. 2.5 Multiple placeholders In the presence of multiple placeholders we adopt the definition of [9] by which a solution hf1 , . . . , fn i is stronger than hf10 , . . . , fn0 i if ∀i.1 ≤ i ≤ n → fi → fi0 . The adaptation of the algorithm we presented for a single placeholder, is extended quite naturally to multiple placeholders. The only change is in the reduction from Problem 3 to a 0-1-ILP problem. The value of σ(τ ) is now some Boolean combination of ?1 , . . . , ?n . Whereas with a single placeholder we associated a single propositional variable eτ for each label τ , here we associate n such variables e1τ , . . . , enτ . In order for a given edge hτ, σi to remain in A[f1 , . . . , fn ], we need τ to satisfy σ after the ith placeholder is replaced with fi , for each i ∈ [1..n]. We change the constraint system accordingly, as demonstrated in the following example. Example 6. Let hS1 , ψ, S2 i be an edge in A[?1 , ?2 ], where ψ = σ(τ ) = ((?1 ∧ ¬?2 ) ∨ (¬?1 )). The corresponding constraint is eS1 ∧ (e1τ ∧ ¬e2τ ∨ ¬e1τ ) → eS2 . u t What about the objective? Clearly we are facing a multi-objective optimization problem, since we are trying to make fi stronger for all 1 ≤ i ≤ n. Minimizing n Σi=1 Σeiτ , however, gives us a strongest interpretation. A solution is given by n functions f1 , . . . , fn where each fi is a disjunction over the eil atoms that were assigned true in the solution. Example 7. Consider the query FG(?1 ∨ ?2 ). A query tableau for the negation of this query appears on the left of Fig. 3. The Kripke structure M appears on the right of the same figure, and the product at the bottom left. The corresponding B¨uchi automaton B appears at the bottom right. The unrolling of B into a finite automaton appears in Fig. 4. The corresponding constraints system is below.
?1 ∨ ?2
¯?1 ∧ ¯?2
¯?1 ∧ ¯?2
s0
pq
p¯q pq
w0
s1
w1
?1 ∨ ?2 e1pq ∨ e2pq
e1p¯q ∨ e2p¯q
e1p¯q ∨ e2p¯q
1 2 ¬epq ∧ ¬epq
2
¬e1pq ∧ ¬e2pq
w1 s1
1 2 ¬epq ∧ ¬epq
w0 s1
w1 s0 1 2 epq ∨ epq
¬e1p¯q ∧ ¬e2p¯q
e1pq ∨ e2pq
pq ¬e ∧ 1 q p ¬e ¬ep1¯q ∧ ¬ep2¯q
w1 s1
1 2 ¬epq ∧ ¬epq
¬e1pq ∧ ¬e2pq
1 2 ¬epq ∧ ¬epq
2 q p
¬e
1 2 epq ∨ epq
∧
¬ep1¯q ∧ ¬ep2¯q
1 q p
¬e
w0 s1
w0 s0
w1 s0
¬e1p¯q ∧ ¬e2p¯q
w0 s0
Fig. 3. (Top left) A query tableau corresponding to the negation of the query FG(?1 ∨ ?2 ), (Top right) a model M , (Bottom left) the product A, and (Bottom right) the corresponding B¨uchi automata.
P2 objective: min i=1 eipq + eipq ¯ initial state: ew0 s0 0 accepting states: ¬ew0 s1 1 ∧ ¬ew1 s1 2 transitions: 2 ew0 s0 0 ∧ (¬e1pq ew1 s0 0 ¯ ∧ ¬epq ¯ ) → ew0 s1 0 1 2 1 ew0 s1 0 ∧ (¬epq ∧ ¬e ) → e e w s w0 s1 0 ¯ pq ¯ 0 1 2 1 0 ew0 s1 0 ∧ (e1pq ∨ e ) → e e w s w ¯ pq ¯ 0 0 1 s1 2 1 0 ew0 s0 1 ∧ (¬e1pq ∧ ¬e ) → e e w0 s1 w1 s1 ¯ pq ¯ ew0 s0 0 ew0 s0 0 ∧ (¬e1pq ∧ ¬e2pq ) → ew1 s1 0 ew1 s0 2 ∧ (¬e1pq ∧ ¬e2pq ) → ew1 s1 2
∧ (¬e1pq ∧ ¬e2pq ) → ew1 s1 0 ∧ (¬e1pq ∧ ¬e2pq ) → ew1 s1 0 ∧ (¬e1pq ∧ ¬e2pq ) → ew1 s1 2 ∧ (e1pq ∨ e2pq ) → ew1 s0 2 → ew1 s0 0 ∧ (e1pq ∨ e2pq )
There are several optimal solutions, all of which result in FG(q): – – – –
e1pq e1pq e2pq e2pq
= e1pq ¯ = e2pq ¯ = e1pq ¯ = e2pq ¯
= 1 which entails f1 = 1 which entails f1 = 1 which entails f1 = 1 which entails f1
= (p ∧ q) ∨ (¬p ∧ q), f2 = false, = (p ∧ q), f2 = (¬p ∧ q), = (¬p ∧ q), f2 = (p ∧ q), = false, f2 = (p ∧ q) ∨ (¬p ∧ q).
Correctness Consider Propositions 1 and 2 that were proven for the case of a single placeholder. The proof of Proposition 1 needs a small change as follows. Recall that the proof is based on showing that there must be an edge in each accepting path in B that is unsatisfied in the solution assignment α, and that the same edge is also labeled with false in A[f ]. The difference is that now σ(τ ) is some function of ?1 , . . . , ?n , which we denote by F(?1 , . . . , ?n ). But we know that τ 6|= F(?1 , . . . , ?n ), and hence the same edge cannot be part of A[f1 , . . . , fn ].
1 2 ¬epq ∧ ¬epq
2 q p
pq
¬e
q
¬e1pq ∧ ¬e2pq
1 2 ¬epq ∧ ¬epq
∧
2
∨ e p¯
¬ep1¯q ∧ ¬ep2¯q
1 q p
¬e
1
¬ep1¯q ∧ ¬ep2¯q
e p¯q
¬e1p¯q ∧ ¬e2p¯q w0 s1 1 w0 s1 0
w1 s0 2
w1 s0 0 ∨e2
e1pq ∨ e2pq
w1 s1 0
q
w0 s0 0
ep 1
w0 s0 1
¬e1pq ∧ ¬e2pq
w1 s1 2
Fig. 4. The unrolled version of B. Once again edges that are not relevant to the constraints system are dotted.
The proof of Proposition 2 is insensitive to the labels and hence holds for the case of multiple placeholders. The correctness of the reduction to 0-1-ILP is straightforward.
3 Objectives O1 and O3 We briefly describe solutions to objectives O1 and O3. As mentioned in the introduction, these solutions are not very interesting, as they are based on traversing the lattice of possible solutions. We present them here for completeness of the article and for lack of a better solution. As future work one may find reductions similar to the one presented in Sect. 2 for achieving these objectives. 3.1 Achieving objective O1 For a set of atomic propositions AP , as mentioned above we denote by Lprop (AP ) the propositional lattice over AP . Constructing the lattice Lprop (AP ) can be done in time linear in its size. Recall that the requested solution can be restricted by the user to a |AP 0 | subset AP 0 of AP . Then, the relevant size is the size of Lprop (AP 0 ), which is 22 . Algorithm 1 traverses the lattice Lprop (AP 0 ) from the top searching for an element f such that M |= ϕ[? ← f ], but for all direct successors g of f in Lprop (AP 0 ), M does not satisfy ϕ[? ← g] (that is, f cannot be strengthened). The height of the lattice 0 is 2|AP | , and in each step the number of direct successors of an element f is bounded by k - the number of 1’s in the truth table of f . Thus, the total number of steps is 0 0 2|AP | Σk=0 k = O(22|AP | ), and in each step we perform model checking. The total running time complexity is, therefore 0
O(|M | · 2|ϕ| · 22|AP | ) = O(|M | · 22|AP
0
|+|ϕ|
).
(5)
Correctness This approach is only correct for queries in which the occurrences of the placeholder are in pure polarity. In such a case the elements of the lattice are ordered
Algorithm 1 Traversing the propositional lattice for a strongest solution according to O1. The algorithm is quadratic in the height of the lattice. The input to T RA VERSE LATTICE is a lattice element v which, for the purpose of this algorithm, is simply a propositional formula. function T RAVERSE LATTICE(element v) for each direct successor v 0 of v do if M |= ϕ[? ← v 0 ] then T RAVERSE LATTICE (v 0 ); Output(v); A BORT ();
. Abort the recursion
monotonically with respect to satisfaction of ϕ[?] by M . More formally, for two lattice elements f, f 0 such that f → f 0 , it holds that M |= ϕ[f ] → M |= ϕ[f 0 ]. Hence if the children of a lattice element are too strong, then so are its other descendants. 3.2 Achieving objective O3 We begin by considering a single placeholder. A lattice of possible solutions Given the lattice Lprop (AP 0 ), we construct the lattice Lϕ of the possible solutions to the query ϕ[?] with O3, and by Lϕ (M ) the subset of Lϕ that contains only formulas that are satisfied in M . The size of Lϕ is bounded by the size of Lprop (AP 0 ), and the complexity of comparing two formulas in Lϕ is PSPACE, hence, is exponential in the size of the formulas. Since each formula in Lϕ is of size O(|ϕ|), the total complexity of constructing Lϕ is O(2|ϕ| 22
|AP 0 |
).
Remark 1. Note that there is no one-to-one correspondence between Lϕ and Lprop (AP 0 ), because there can be two different propositional formulas f1 and f2 in Lprop (AP 0 ) such that ϕ[f1 ] = ϕ[f2 ]. A simple example is ϕ[?] = G(p∨?) and two possible replacements f1 = q and f2 = p ∨ q. While f1 6= f2 , ϕ[f1 ] = G(p ∨ q) = ϕ[f2 ]. The algorithm for a single placeholder is exactly Algorithm 1 on the lattice Lϕ , instead of Lprop (AP 0 ). Complexity The number of iterations of the algorithm is bounded by the size of the lattice Lϕ , and each model-checking run has the complexity O(|M | · 2|ϕ| ). The total complexity, including the construction of Lϕ is, therefore O(2|ϕ| · 22
|AP 0 |
+ |M | · 2|ϕ| · (size(Lϕ ))) ,
which is bounded by O(|M | · 22
|AP 0 |
+|ϕ|
).
(6)
Multiple placeholders The algorithm above can be extended to multiple placeholders in a natural way. For n placeholders, the lattice Lprop (AP 0 , n) is a lattice of n-tuples of propositional formulas over AP 0 constructed similarly to Lprop (AP 0 ). The size of Lprop (AP 0 , n) is 2n2 is O(2
|ϕ|
·2
n2
|AP 0 |
|AP 0 |
, and hence the complexity of the algorithm for n placeholders
+ |M | · 2|ϕ| · (size(Lϕ ))) , which is bounded by O(|M | · 2n2
|AP 0 |
+|ϕ|
).
(7)
4 Conclusions and future work This is the first work that focuses explicitly on LTL query checking. It also includes two new criteria for query checking (regardless of the temporal logic), namely objectives O2 and O3, and solutions in the context of LTL query checking. The solution to O2 is based on a reduction to an optimization problem that is formulated with 0-1-ILP. For safety queries the complexity of this solution is better than a naive solution based on explicit enumeration of formulas. We defined as an open problem the task of encoding Problem 3 with a linear, rather than quadratic, number of constraints in the size of the product.
References 1. Fadi A. Aloul, Arathi Ramani, Igor L. Markov, and Karem A. Saka llah. PBS: A BacktrackSearch Psuedo-Boolean Solver and Optimizer. In Fifth International Symposium on the Theory and Applications of Satisfiability Testing (SAT), 2002. 2. I. Beer, S. Ben-David, C. Eisner, and Y. Rodeh. Efficient detection of vacuity in ACTL formulas. In Orna Grumberg, editor, Proc. 9th Intl. Conference on Computer Aided Verification (CAV’97), volume 1254 of Lect. Notes in Comp. Sci., pages 279–290. Springer-Verlag, 1997. 3. Glenn Bruns and Patrice Godefroid. Temporal logic query checking. In LICS, pages 409– 417, 2001. 4. Sagar Chaki and Ofer Strichman. Three optimizations for assume-guarantee reasoning with L*. J. on Formal Methods in System Design, 32(3):267–284, 2008. 5. William Chan. “Temporal-Logic Queries”. In Proc. 12th Intl. Conference on Computer Aided Verification (CAV’00), pages 450–463, 2000. 6. Marsha Chechik, Arie Gurfinkel, and Benet Devereux. χ-chek: A multi-valued modelchecker. In CAV, pages 505–509, 2002. 7. E.M. Clarke and I.A. Draghicescu. Expressibility results for linear-time and branching-time logics. In Proc. Workshop on LTBTPO, volume 354 of LNCS, pages 428–437. SpringerVerlag, 1988. 8. Rob Gerth, Doron Peled, Moshe Y. Vardi, and Pierre Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Proceedings of PSTV, pages 3–18, 1995. 9. Arie Gurfinkel, Marsha Chechik, and Benet Devereux. Temporal logic query checking: A tool for model exploration. IEEE Trans. Software Eng., 29(10):898–914, 2003. 10. G.J. Holzmann, D. Peled, and M. Yannakakis. On nested depth first search. In Second SPIN workshop, AMS, pages 23–32, 1996. 11. Samuel Hornus and Ph. Schnoebelen. “On Solving Temporal Logic Queries”. In AMAST, pages 163–177, 2002.
12. Doron Peled. Software Reliability Methods. Springer-Verlag, 2001. 13. Marko Samer and Helmut Veith. A syntactic characterization of distributive ltl queries. In ICALP, pages 1099–1110, 2004. 14. F. Somenzi and R. Bloem. Efficient B¨uchi automata from LTL formulae. In E. A. Emerson and A. P. Sistla, editors, Twelfth Conference on Computer Aided Verification (CAV’00), pages 248–263. Springer-Verlag, Berlin, July 2000. 15. Xavier Thirioux. Simple and efficient translation from LTL formulas to Buchi automata. Electronic Notes in Theoretical Computer Science, 66(2):145 – 159, 2002. FMICS’02, 7th International ERCIM Workshop in Formal Methods for Industrial Critical Systems (ICALP 2002 Satellite Workshop). 16. M.Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Proc. First IEEE Symp. Logic in Comp. Sci., pages 332–344, 1986. 17. M.Y. Vardi and P. Wolper. Reasoning about infinite computations. Information and Computation, 110(2), 1994.
A A full example for Sect. 2 We demonstrate the process of achieving objective O2, as described in Sect. 2.1– 2.2, with a full example. ?
¯?
¯? s0
p¯q
p¯ q p¯q
w2
s1
p¯ q
w0
w1
?
Fig. 5. (Left) a query automaton corresponding to ¬F G?, (Right) a model M .
w0 s0
hpq ¯, ?¯ i
w2 s0 hp q¯, ?i
hp¯q ¯ , ?i
hp¯ q , ?i
¯?i hpq¯,
, ?i hp¯q
hp q¯, ?i hp¯q
w2 s1
h¯ pq, ?i
,¯?i
q hp¯
w1 s1
w1 s0 i ,?
h¯ pq, ¯?i
hp¯ q , ¯?i
w0 s0 ep
¬e p
w2 s0 ep
¬e p¯q
ep¯q
q¯
epq ¯
e p¯q
w1 s0
¬
q¯
q¯
¬e pq¯
e p¯q
w2 s1 ¬ep¯q
w1 s1
e p¯q
¬epq ¯
Fig. 6. (Top) the product, and (Bottom) the product after re-labeling the edges.
Let the query ϕ[?] be FG?. 1. The query tableau B¬ϕ[?] is shown in the left of Fig. 5. It is constructed using a standard converter from LTL to B¨uchi automaton, while treating the placeholder as any other symbol. 2. The Kripke structure M is shown at the right of the same figure. 3. The product automaton A is shown in the top part of Fig. 6. Only states reachable from the initial state are shown. 4. We reduce A to a B¨uchi automaton B by relabeling its edges, as explained in Sect. 2.3. There are two predicates, namely epq ¯ and ep¯ q . The relabeling appears in the bottom of Fig. 6. Consider for example the edge hw0 s0 , w2 s0 i on the left, which is labeled with h¯ pq, ?i. This edge is left in A[f ] if p¯q |= f . Correspondingly
we replace the label on this edge with epq ¯ . Now consider the edge hw0 s0 , w2 s1 i, which is labeled with h¯ pq, ¯?i. This edge is left in A[f ] if p¯q |= ¬f , and correspondingly we label it with ¬epq uchi ¯ . We now solve Problem 2 for the resulting B¨ automaton.
w0 s0 0 ep ¬e p¯q
¬e p
q ¬e p¯
q¯
w2 s1 0
¬e p
e p¯q
w2 s0 1
¬ep¯q
e pq¯
w1 s0 0
w1 s1 0 ¬epq ¯
w2 s0 0
q¯
¬e pq¯
e p¯q
q ¬e p¯
q¯
w2 s1 1
w1 s0 2
w1 s1 2
Fig. 7. After unrolling B. Only reachable states are shown. Edges that are not on a non-redundant path to an accepting state are not necessary for the reduction and appear dotted.
Figure 7 shows the unrolled B¨uchi automaton B, as required by the reduction to Problem 3. The resulting constraints system is: objective: min ep¯q + epq ¯ initial states: ew0 s0 0 final states: ¬ew2 s1 1 ∧ ¬ew1 s1 2 transitions: ew2 s1 0 ∧ ep¯q → ew2 s0 1 ew0 s0 0 ∧ epq ¯ → ew2 s0 0 ew2 s1 0 ∧ ¬ep¯q → ew2 s1 1 ew0 s0 0 ∧ ¬epq ¯ → ew2 s1 0 ew2 s0 1 ∧ ¬ep¯q → ew2 s1 1 ew0 s0 0 ∧ ¬ep¯q → ew1 s1 0 ew1 s1 0 ∧ ¬epq ew0 s0 0 ∧ ep¯q → ew1 s0 0 ¯ → ew1 s1 2 ew1 s1 0 ∧ epq ew2 s0 0 ∧ ¬ep¯q → ew2 s1 0 ¯ → ew1 s0 2 ew1 s0 2 ∧ ¬epq ew1 s0 0 ∧ ¬epq ¯ → ew1 s1 2 ¯ → ew1 s1 0
An optimal solution (in fact the only solution in this case) is given by ep¯q = epq ¯ = 1, which corresponds to f = p¯ q ∨ p¯q = p ⊕ q . Indeed FG(p ⊕ q) is satisfied by M .
