From Quantified CTL to QBF
Akash Hossain, Francois Laroussinie

TL;DR
This paper introduces a model-checking algorithm for QCTL, an extension of CTL with propositional quantification, by reducing the problem to QBF and comparing different strategies using Z3.
Contribution
It presents a novel reduction-based model-checking algorithm for QCTL, leveraging QBF solving techniques and evaluating various reduction strategies.
Findings
Reduction strategies vary in efficiency
Prototype implementation with Z3 demonstrates feasibility
QCTL model checking is PSPACE-complete in structure semantics
Abstract
QCTL extends the temporal logic CTL with quantifications over atomic propositions. This extension is known to be very expressive: QCTL allows us to express complex properties over Kripke structures (it is as expressive as MSO). Several semantics exist for the quantifications: here, we work with the structure semantics, where the extra propositions label the Kripke structure (and not its execution tree), and the model-checking problem is known to be PSPACE-complete in this framework. We propose a model-checking algorithm for QCTL based on a reduction to QBF. We consider several reduction strategies, and we compare them with a prototype (based on the SMT-solver Z3) on several examples.
| (4) | ||||
| (5) | ||||
| (6) | ||||
| (7) |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
IRIF, Univ. Paris Diderot, [email protected] FREDDAIRIF, Univ. Paris Diderot, [email protected] FREDDA \CopyrightAkash Hossain and François Laroussinie\ccsdesc[100]General and reference General literature \ccsdesc[100]General and reference\ccsdesc[500]Theory of computation Logic and verification \ccsdesc[500]Theory of computation Modal and temporal logics \ccsdesc[500]Theory of computation Verification by model checking \supplement\hideLIPIcs\EventEditorsJohn Q. Open and Joan R. Access \EventNoEds2 \EventLongTitle42nd Conference on Very Important Topics (CVIT 2016) \EventShortTitleCVIT 2016 \EventAcronymCVIT \EventYear2016 \EventDateDecember 24–27, 2016 \EventLocationLittle Whinging, United Kingdom \EventLogo \SeriesVolume42 \ArticleNo23
From Quantified CTL to QBF
Akash Hossain
François Laroussinie
Abstract
extends the temporal logic with quantifications over atomic propositions. This extension is known to be very expressive : allows us to express complex properties over Kripke structures (it is as expressive as ). Several semantics exist for the quantifications : here, we work with the structure semantics, where the extra propositions label the Kripke structure (and not its execution tree), and the model-checking problem is known to be PSPACE-complete in this framework. We propose a model-checking algorithm for based on a reduction to . We consider several reduction strategies, and we compare them with a prototype (based on the SMT-solver Z3) on several examples.
keywords:
Model-checking, Quantified CTL, QBF solvers, SAT based model-checking.
category:
\relatedversion
1 Introduction
Temporal logics have been introduced in computer science in the late 1970’s [14]; they provide a powerful formalism for specifying correctness properties of evolving systems. Various kinds of temporal logics have been defined, with different expressiveness and algorithmic properties. For instance, the Computation Tree Logic () expresses properties of the computation tree of the system under study (time is branching : a state may have several successors), and the Linear-time Temporal Logic () expresses properties of one execution at a time (a system is viewed as a set of executions).
Temporal logics allow model checking, i.e. the automatic verification that a finite state system satisfies its expected behavioral specifications [15, 3]. It is well known that model-checking is PTIME-complete and model-checking (based on automata techniques) is PSPACE-complete. But verification tools exist for both logics and model-checking is now commonly used in the design of critical reactive systems. The main limitation to this approach is the state-explosion problem : symbolic techniques (for example with BDD), SAT-based approaches, or partial order reductions have been developed and they are impressively successful. The SAT-based model-checking consists in using SAT-solvers in the decision procedures. It was first developed for bounded model-checking (to search for executions whose length is bounded by some integer, satisfying some temporal property) which can be reduced to some satisfiability problem and then can be solved by a SAT-solver [2]. SAT approaches have also been extended to unbounded verification and combined with other techniques [12]. Many studies have been done in this area, and it is widely considered as an important approach in practice, which complements other symbolic techniques like BDD (see [1] for a survey).
In terms of expressiveness, (or ) still has some limitations : in particular, it lacks the ability of counting. For instance, it cannot express that an event occurs (at least) at every even position along a path, or that a state has two successors. In order to cope with this, temporal logics have been extended with propositional quantifiers [16] : those quantifiers allow for adding fresh atomic propositions in the model before evaluating the truth value of a temporal-logic formula. That a state has at least two successors can then be expressed (in quantified , hereafter written ) by saying that it is possible to label the model with atomic proposition in such a way that there is a successor that is labelled with and one that is not.
Different semantics for have been studied in literature depending on the definition of the labelling : either it refers to the finite-state model – it is the structure semantics – or it refers to the execution tree – it is the tree semantics. Both semantics are interesting and have been extensively studied [9, 7, 13, 8, 4, 10]. While the tree semantics allow us to use the tree automata techniques to get decision procedures (model-checking and satisfiability are TOWER-complete [10]), the situation is quite different for the structure semantics : in this framework, model-checking is PSPACE-complete and satisfiability is undecidable [7].
In this paper, we focus on the structure semantics, and we propose a model-checking algorithm based on a reduction to : given a Kripke structure and a formula , we show how to build a formula which is valid iff . It is natural to use quantifiers to deal with propositional quantifiers of . Of course, -solvers are not as efficient as SAT-solvers, but still much progress has been made (and -solvers have already been considered for model-checking, as in [6]). We propose several reductions depending on the way of dealing with nested temporal modalities, and we have implemented a prototype (based on Z3 SMT-solver [5]) to compare these reductions over several examples. As far as we know, it is the first implementation of a model-checker for .
Here, our first objective is to use the -solver as a tool to check complex properties over limited size models, and this is therefore different from the classical use of -based techniques which are precisely applied to solve verification problems for very large systems.
The outline of the paper is as follows : we begin with setting up the necessary formalism in order to define . We then devote Section 3 to the different reductions to . Finally, Section 4 contains several practical results and examples.
2 Definitions
2.1 Kripke structures
Let be a set of atomic propositions.
Definition 2.1**.**
A Kripke structure is a tuple , where is a finite set of vertices (or states), is a set of edges (we assume that for any , there exists s.t. ), and is a labelling function.
An infinite path (also called an execution) in a Kripke structure is an infinite sequence such that for any we have and . We write for the set of infinite paths of and for the set of infinite paths issued from . Given such a path , we use to denote the -th prefix , for the -th suffix , and for the vertex . The size of is .
Given a set , two Kripke structures and are said -equivalent (denoted by ) if , , and for every we have : .
2.2
This section is devoted to the definition of the logic , which extends the classical branching-time temporal logic with quantifications over atomic propositions.
Definition 2.2**.**
The syntax of is defined by the following grammar :
[TABLE]
where and range over .
formulas are evaluated over states of Kripke structures :
Definition 2.3**.**
Let be a Kripke structure, and . The semantics of formulas is defined inductively as follows :
[TABLE]
In the sequel, we use standard abbreviations such as , , , and . We also use the additional (classical) temporal modalities of : , , , , , and .
Moreover, we use the following abbreviations related to quantifiers over atomic propositions : , and for a set , we write for and for .
The size of a formula , denoted , is defined inductively by : , , . Moreover we use to denote the temporal height of , that is the maximal number of nested temporal modalities in . And given a subformula in , the temporal depth of in (denoted ) is the number of temporal modalities having in their scope.
In the following, we denote by (resp. ) the set of subformulas of (resp. the set of subformulas starting with a temporal modality).
Two formulas and are said to be equivalent (written ) iff for any structure , any state , we have iff . This equivalence is substitutive.
Discussion on the semantics.
The semantics we defined is classically called the structure semantics : a formula holds true in a Kripke structure iff there exists a -labeling of the structure such that is satisfied. Another well-known semantics coexists in the literature for propositional quantifiers, the tree semantics : holds true when there exists a -labelling of the execution tree (the infinite unfolding) of the Kripke structure under which holds. If, for , interpreting formulas over the structure or the execution tree is equivalent, this is not the case for . Moreover, these two semantics do not have the same algorithmic properties : if model-checking and satisfiability are TOWER-complete for the tree semantics (the algorithms are based on tree automata techniques), model-checking is PSPACE-complete for the structure semantics but satisfiability is undecidable. (see [10] for a survey). Nevertheless, in both semantics, and (the extension of with quantifications) are equally expressive, and are as expressive 111This requires adequate definitions, since a temporal logic formula may only deal with the reachable part of the model, while has a more global point of view. as the Monadic Second-Order Logic over the finite structure or the infinite trees (depending on the semantics). Note also that any formula is equivalent to a formula in Prenex normal form (we will use this result in next sections).
Finally, there is also the amorphous semantics [7], where holds true at a state in some Kripke structure if, and only if, there exists some Kripke structure with a state such that and are bisimilar, and for which there exists a -labeling making hold true at . With these semantics, the logic is insensitive to unwinding, and more generally it is bisimulation-invariant (contrary to the two previous semantics, see below).
2.3 Examples of formulas
allows us to express complex properties over Kripke structures : for example, it is easy to build a characteristic formula (up to isomorphism) of a structure, and one can also reduce model-checking problems for multi-player games to model-checking [11]…Below, we give several examples of counting properties, to illustrate the expressive power of propositional quantifiers.
The first one of the formulas below expresses that there exists a unique reachable state verifying , and the second one states that there exists a unique immediate successor satisfying :
[TABLE]
where we assume that does not appear in . Consider the formula 1: if there were two reachable states satisfying , then labelling only one of them with would falsify the A****G subformula. For 2, the argument is similar.
The existence of at least successors satisfying a given property can be expressed with :
[TABLE]
And we can define as to . Note that these examples show why formulas are not bisimulation-invariant.
When using to specify properties, one often needs to quantify (existentially or universally) over one reachable state we want to mark with a given atomic proposition. To this aim, we add the following abbreviations :
[TABLE]
3 Model-checking QCTL
Model-checking is a PSPACE-complete problem (for detailed results about program complexity and formula complexity, see [10]), and it is NP-complete for the restricted set of formulas of the form , with and [9]. In this section, we give a reduction from the model-checking problem to .
In the following, we assume a Kripke structure , an initial state and a formula to be fixed. Let be . We also assume w.l.o.g. that every quantifier and in introduces a fresh atomic proposition, and distinct from the propositions used in . We use to denote the set of quantified atomic propositions in .
These assumptions allow us to use an alternative notation for the semantics of -subformulas : the truth value of will be defined for a state in within an environment , that is a partial mapping associating a subset of vertices to a proposition in . We use to denote that holds at in within . This ensures that the ’s labelling is not modified when a subformula is evaluated, only is extended with labellings for new quantified propositions. Formally the main changes of the semantics are as follows :
[TABLE]
where denotes the mapping which coincides with for every proposition in and associates to .
We use this new notation in order to better distinguish initial ’s propositions and quantified propositions to make proofs simpler. Of course, there is no semantic difference : iff .
In next sections, we consider general quantified propositional formulas () of the form :
[TABLE]
The formal semantics of a formula is defined over a Boolean valuation for free variables in (i.e. propositions which are not bounded by a quantifier 222We assume w.l.o.g. that every quantifier and introduces a new proposition.), and it is defined as usual. A formula is said to be closed when it does not contain free variables. In the following, we use the standard notion of validity for closed formulas.
Our aim is then to build a (closed) formula such that is valid iff holds true at in .
3.1 Overview
We present several reductions of model-checking problem to validity problem. Given a -subformula , a vertex , and a subset , we define a formula whose variables belongs to (in the following, we use the notation for and ). The first two reductions are based on different encodings of temporal modalities, but share a common part given at Table 1.
3.1.1 Unfolding characterization of the until operators
First, we can complete previous construction rules of Table 1 with those of Table 2 to get the first method (called UU). This is a naive approach consisting in encoding the temporal modalities as unfoldings of the transition relation.
Before stating the correctness of the construction, we need to associate a Boolean valuation for variables in to an environment for . We define as follows : for any and , iff .
Now we have the following theorem whose proof is in appendix A :
Theorem 3.1**.**
Given a formula , a Kripke structure , a state , an environment and a -subformula , if is defined inductively w.r.t. the rules of Tables 1 and 2, we have:
It remains to define as and we get the reduction : iff is valid.
The main drawback of this reduction is the size of the formula : indeed any Until modality may induce a formula whose size is in , and the size of the resulting formula is then in . Nevertheless, one can notice that the reduction does not use new quantified propositons to encode the temporal modalities, contrary to other methods we will see later.
3.2 Fixed point characterization of the until operators
Here we present the fixed point method (called FP) for dealing with the modalities A****U and E****U. Let and be two -formulas. The idea of the method is to build a formula that is equivalent to (or ), using only the modalities E****X, A****X and A****G.
We first have the following lemma :
Lemma 3.2**.**
For any formula , we have :
[TABLE]
Proof 3.3**.**
*Let be a state in a Kripke structure . Let be the formula \big{(}\text{{A}}\text{{G}}\big{(}z\Leftrightarrow(\psi\vee(\varphi\wedge\text{{E}}\text{{X}}\>z))\big{)}\;\Rightarrow\;z\big{)}.
Assume . We can use the standard characterization of E****U as fixed point : belongs to the least fixed point of the equation where (resp. ) is here interpreted as the set of states satisfying (resp. ). Therefore any -labelling of reachable states from 333Labelling other states does not matter. corresponding to a fixed point will have the state labelled. This is precisely what is specified by the formula.
Now if for every -labelling corresponding to a fixed point of the previous equation, this is the case for the -labelling of the states reachable from and satisfying , and we deduce .*
And we have the same result for A****U :
Lemma 3.4**.**
For any formula , we have :
[TABLE]
Proof 3.5**.**
Similar to the proof of Lemma 3.2
As a direct consequence, we get the following result :
Proposition 3.6**.**
For any formula , we can build an equivalent formula such that : (1) is built up from atomic propositions, Boolean operators, propositional quantifiers and modalities **EX and **AG, and (2) the size of is linear in .
Note that the size of comes from the fact that there is no duplication of subformulas when applying the transformation rules based on equivalences of Lemmas 3.2 and 3.4. Moreover, the temporal height of is .
And to translate into , it remains to add a single rule 444For A****X we can either change the rule for E****X with a disjunction, or express it with E****X and . to the definitions of Table 1 to deal with A****G :
[TABLE]
And we have :
Theorem 3.7**.**
Given a formula , a Kripke structure , a state and an environment , for any -subformula , if is defined inductively w.r.t. the rules of Table 1 and the rule 8, we have :
[TABLE]
Proof 3.8**.**
The proof is a direct consequence of Proposition 3.6.
With this approach, the size of is in . Indeed, an E****U (or A****U) modality gives rise to a formula of size . The exponential size comes from the potential nesting of temporal modalities : to avoid it, one could consider the DAG-size of formulas. In the next section, we consider another solution. Note also that the number of propositional variables in the formula is bounded by .
3.3 Reduction via flat formulas
To avoid the size explosion of , one can use an alternative approach for Prenex formulas. Remember that any formula can be translated into an equivalent formula in Prenex normal form whose size is linear in the size of the original formula [10].
In the following, a formula is said to be basic when it is of the form , or where and are Boolean combinations of atomic propositions. It is easy to observe that any formula can be translated into a formula with a temporal height less or equal to 2 :
Proposition 3.9**.**
Any formula is equivalent to some formula of the form :
[TABLE]
where is a Boolean combination of basic formulas and every is a basic formula (for any ). Moreover, is in .
Proof 3.10**.**
Let be the set of temporal subformulas occurring in at a temporal depth greater or equal to 1. Assume and let be fresh atomic propositions. For any , we define as where every temporal subformula at temporal depth 1 in , is replaced by . is defined similarly from .
The equivalence can be proven by induction over . If , the formula satisfies the property. Now consider a formula with . Let be a basic formula. Let be the following formula : , where is where every occurrence of is replaced by . Then and are equivalent : any state reachable from the current state will be labeled by iff holds true at that state (NB : the states that are not reachable from do not matter for the truth value of ) and this enforces the equivalence. And then we can apply the induction hypothesis to get :
[TABLE]
Note that the last equivalence comes from the fact that no with occurs in and we also have . The size of is linear in .
In the following, a formula of the form {\displaystyle\mathcal{Q}.\big{(}\Phi_{0}\wedge\bigwedge_{i=1\ldots m}\text{{A}}\text{{G}}(\kappa_{i}\Leftrightarrow\theta_{i})\big{)}}, where is a sequence of quantifications, is a Boolean combination of basic formulas, and every (for ) is a basic formula, is said to be a flat formula.
As a corollary of previous results, we have :
Proposition 3.11**.**
Any formula is equivalent to some flat formula whose size is linear in .
Given a formula , we use to denote the flat formula equivalent to , obtained by first translating into Prenex normal form, and then transform the subformula as described in Proposition 3.9.
Applying method FP to some flat formula provides a formula of polynomial size since a flat formula has a temporal height less or equal to 2 :
Corollary 3.12**.**
Given a formula , a Kripke structure and a state , the formula \stackon[-8pt]\vstretch1.5\hstretch8^ x obtained by applying the rules of Table 1 and the rule 8 is valid iff . And the size of \stackon[-8pt]{\mathsf{fpc}(\mathsf{flat}(\Phi))}{\vstretch{1.5}{\hstretch{8}{\widehat{\phantom{\;}}}}}^{x} is in .
Therefore this reduction (called FFP) provides a PSPACE algorithm for model-checking. But there are two disadvantages of this approach. First, putting the formula into Prenex normal form may increase the number of quantified atomic propositions and the number of alternations (which is in fine linear in the number of quantifiers in the original formula)[10]. For example, when extracting a quantifier from some E****X modality, we need to introduce two propositions, this can be seen for the formula which is translated as :
[TABLE]
where the proposition is used to mark a state, and is used to enforce that only at most one successor is labeled by . Of course, these two remarks may have a strong impact on the complexity of the decision procedure. Finally, note also that the resulting formula is not in Prenex normal form.
3.4 Variant of FFP
In the previous reduction, the modalities E****U and A****U may introduce an alternation of quantifiers : an atomic proposition is introduced by an existential quantifier, and then an universal quantifier introduces a variable to encode the fixed point characterisation of U. We propose another reduction in order to avoid this alternation : for this, we will use bit vectors (instead of single Boolean values) associated with every state to encode the distance from the current state to a state satisfying the right-hand side of the Until modality.
First, we consider a formula under negation normal form (NNF), where the negation is only applied to atomic propositions. This transformation makes that is built from temporal modalities in
We can then reformulate Proposition 3.11 as follows :
Proposition 3.13**.**
Any formula is equivalent to some formula in NNF of the form : {\displaystyle\Psi=\mathcal{Q}\>\exists\{\kappa_{1}\ldots\kappa_{m}\}.\Big{(}\Phi_{0}\wedge\bigwedge_{i=1\ldots m}\text{{A}}\text{{G}}(\kappa_{i}\Rightarrow\theta_{i})\Big{)}} where is a sequence of quantifications, is a formula containing only the temporal modalities **EX, **AX or **AG and whose temporal height is less or equal to 1, and every is a basic formula (with ). Moreover, is in .
Proof 3.14**.**
Consider w.l.o.g. a formula in Prenex normal form and NNF. We can define and the basic formulas s approximately as in Proposition 3.9, except that contains only **EX, **AX or **AG modalities, and every other modality gives rise to some quantified proposition and a subformula in the main cunjunction of . Every starts with a modality in . Let be the original -subformula associated with . Note that is in NNF, and occurs only once in in the scope of a negation, and it happens in the subformula . We now have to show that is equivalent to . Consider the formula where every is replaced by : by following the same arguments of Proposition 3.9, we clearly have , and . It remains to prove the opposite direction.
To prove , it is sufficient to show that this is true for the empty (as equivalence is substitutive). Assume . Then there exists an environment from to such that . Now we have :
[TABLE]
Indeed, assume that it is not true and and . Consider such a formula with the smallest temporal height. The only atomic propositions occurring in are then associated with some and which verify the property and thus any state satisfying such a , also satisfies . Therefore any state labeled by such a is correctly labeled (and satisfies ). And the states that are not labeled by cannot make to be wrongly evaluated to true (because is not in the scope of a negation). Therefore holds true at . The same holds for and . As a direct consequence, we have .
From the previous proposition, we derive a new reduction to (called FBV). For modalities E****W and A****W, we use the same encoding as for method FP, except that we use the corresponding Boolean proposition directly for the greatest fixed point. And for Until-based modalities, corresponding to least fixed points, we will use bit vectors instead of atomic propositions to encode the truth value of E****U or A****U : for a formula , we will consider a bit vector of length for every state instead of a single Boolean value . The idea is that in a state , the value encodes in binary the distance (in terms of number of transitions) from to a state satisfying along a path satisfying . And for , the value encodes the maximal distance before a state satisfying (along a path where is true). In the following, such a associated to a based on an Until is called an Until-. Note that given a bit vector and an integer value encoded in binary, we will use and to denote the corresponding propositional formulas over .
The new reduction is based on the rewriting rules of Table 3 for several operators, and we define the reduction for for or as follows :
[TABLE]
And for with or , we have :
[TABLE]
where and with a given value correspond to propositional formulas over . And for with , we have :
[TABLE]
Note that in the equivalences 11 and 12, we cannot replace the implication by an equivalence : for a state s.t. , the existence of some successor s.t. is not sufficient to imply . This is why we consider only implications here.
Method FBV is defined from previous rules and we get a Prenex formula :
Corollary 3.15**.**
Given a formula , a Kripke structure , and a state , the Prenex formula obtained by applying the rules of Tables 3 and rules 9, 10, 11, and 12 above, is valid iff , and is in .
This approach allows us to easily adapt the algorithm to bounded model-checking : instead of considering values from to for in the definition of Until modalities, one can restrict the range to a smaller interval, to get a smaller formula to check. Note also that obtaining a Prenex formula is interesting in practice, because many -solvers require Prenex formulas as inputs.
We can also observe that this reduction proceeds a bit like the classical model-checking algorithm for where for deciding , the truth value of every -subformula is computed in every state of the model. In some case, this may induce additional work compared to methods like FP or UU (for example to decide whether the initial state satisfies a E****U formula).
3.4.1 Using BitVectors for and .
The quantifiers and are very useful in many specifications. It can be interesting to develop ad-hoc algorithms in order to improve the generated formulas. For the first methods we described, they are translated into propositional formulas (instead of introducing extra quantified atomic propositions as they are formally defined). Another method consists in using bit vectors as in the treatment of Until modalities described above : in this case, these quantifiers introduce a unique bit vector of size to store the number of the state selected by the quantifier (that is the state which will be labeled by the proposition). This method is interesting, since it reduces the number of quantified propositions, it is integrated in the method FBV.
4 Experimental results
In this section, we consider three examples to illustrate the -based model-checking approach for . We propose these problems because the size of the structures can easily be scaled up, and the properties to be checked are quite different. Note that these properties cannot be expressed with classical temporal logics.
We have implemented a prototype to try the different reduction strategies 555NB: For reductions FFP and FBV the formula has to be given in Prenex normal form. . Our tool is available online 666https://www.irif.fr/~francoisl/qctlmc.html : given a Kripke structure with a state and a formula , it produces a specification file (corresponding to ) for the SMT-solver Z3 [5]. The choice of Z3 was motivated by the fact that the generated formulas are not always Prenex, which many -solvers require, unlike Z3.
4.1 -connectivity
Here, we consider an undirected graph, and we want to check whether there exist (at least) internally disjoint paths 777Two paths paths and are internally disjoint iff for any and . And note that with this def., if there is an edge , there exist internally disjoint paths from to for any . from a vertex to some vertex . A classical result in graph theory due to Menger ensures that, given two vertices and in a graph , the minimum number of vertices whose deletion makes that there is no more paths between and is equal to the maximum number of internally disjoint paths between these two vertices.
We can encode these two ideas by the following formulas (interpreted over ) :
[TABLE]
uses the labelling by the ’s to mark the internal vertices of paths between the current position and the vertex . The modality E****X is used to consider only the intermediate states (and not the starting state). The formula proceeds differently : the idea is to mark exactly states with and to verify that there still exists at least one path leading to without going through the states labeled by some .
By Menger’s Theorem, we know that these formulas are equivalent over undirected graphs.
We interpret these formulas over Kripke structures with (see Figure 1) which correspond to two kinds of grid connected by edges (these edges are of the form or The initial state is and when evaluating or we assume the state to be labeled by . In this context, we clearly have that and hold for true at iff .
Detailed results are presented in Appendix B. The main lessons we can see are :
- •
Formula is much more difficult to verify : the number of temporal modalities is probably one explanation. Another one for methods FP and FFP(based on the fixed point characterization of modalities) could be an alternation of quantifiers : in , there is an existential quantification over the s and the E****Us introduce an universal quantification, but it is not the case for , where there are only universal quantifications for these reductions.
- •
The reduction FP is the most efficient : it can be used to verify models with more than two thousands states when is small. The method FFP is also rather efficient, but the flattening seems to be too costly for such a simple formula.
- •
The reduction UU produces very large formulas, but rather simple to check.
We can generalise the problem by verifying that there exist at least internally disjoint paths between any pair of reachable vertices and in a given structure. These previous formulas can be modified as follows :
[TABLE]
In that case, is useless : too complex to be verified. And the method FP is still the most efficient.
4.2 Nim game
Nim game is a turn-based two-players game. A configuration is a set of heaps of objects and a boolean value indicating whose turn it is. At each turn, a player has to choose one non-empty heap and remove at least one object from it. The aim of each player is to remove the last object. Given a configuration and a Player- with , we can build a finite Kripke structure , where is a state corresponding to the configuration ; and use a formula such that iff Player- has a wining strategy from . Note that there is a simple and well-known criterion over the numbers of objects in each heap to decide who has a winning strategy, but we consider this problem just because it is interesting to illustrate what kind of problem we can solve with .
Each configuration corresponds to a state in . Every move for Player- from a configuration to a configuration provides a transition in . However, a move of Player- from to is encoded as two transitions where is then an intermediary state we use to encode a strategy for Player- (marking by an atomic proposition will correspond to Player- choosing from ). We assume that every state is labeled by if it’s Player-’s turn to play at , and by otherwise. Every intermediary state is labeled by int. We also label empty configurations by or , depending on which player played the last move.
Clearly, the size of will depend on the number of objects in each set in the initial configuration. The formula depends only on :
[TABLE]
This formula holds true in a state corresponding to some configuration iff there exists a labelling by such that every reachable configuration where it’s Player-’s turn, has a successor labeled by (thus a possible choice to do) and every execution from the current state leads to either a winning state for Player- or a non-selected intermediary state, therefore all outcomes induced by the underlying strategy have to verify . Note that in this example, the Kripke structure is acyclic (except the self-loops on the ending states).
From detailed results in appendix, we can see :
- •
One can consider structures with more than 10 thousand states. Note that the number of heaps is important for the size of the model, but the maximal length of a game depends on the number of objects (and is rather small in our examples).
- •
The most efficient method is FFP (with FP).
- •
Method FBV is more efficient when we consider bounded model-checking. Note that in this case, the verification may not be complete : if the formula is valid, the property is satisfied by the structure, otherwise, no conclusion can be done, except if we can prove that the chosen bound was big enough to be sure that there is no solution. In our case, we can easily compute the maximal bound : at each turn, a player has to pick at least one object, such a move may give rise to one transition in the model (for the opponent), or two transitions (for the player for whom we look for a strategy). Thus, if there are objects in the initial configuration, we can choose for the bound.
4.3 Resources distribution
The last example is as follows : given a Kripke structure and two integers and , we aim at choosing at most states (called targets in the following) such that every reachable state (from the initial one) can reach a target in less than transitions. This problem can be encoded with the following formula where modalities E****X are nested :
[TABLE]
For experimental results, we consider the grid described at Figure 2. Note that for this example, reductions UU and FP are similar because there is no Until in the formula (A****G is treated as a conjunction). From detailed results in appendix, one can see :
- •
Only small models have been successfully verified.
- •
The nesting of E****Xs operators give an advantage to the reduction based on flattening (FBV and FFP) : the size of the formula increases more slowly.
- •
The reduction FBV is the most efficient on this example. Since there is no Until modality (except behind A****G which is treated separately), the difference with FFP is due to the encoding of operator with a unique bit vector in FBV, this choice seems to be more efficient in this example.
5 Conclusion
We have presented several reductions from model-checking to . This provides a first tool for model-checking. Of course, this is an ongoing-work, and many improvements, are possible : the reduction strategies are still naive and could be significantly improved, and a better understanding of -solver would also be helpful to produce more efficient formulas (we have not yet tried to normalise formulas in a specific form which is often a crucial aspect in /-solving). Still, these first results are rather interesting and encouraging. They show the importance of writing "good" formulas for which the solver will be able to provide a result (this problem already exists for classical temporal logics, but it is more significant here due to the complexity induced by the quantifications). The examples also show that there is no "one best strategy": it depends on the structure of the considered formula, and then offering several reduction strategies seems to be necessary in a -based model-checker for . Finally this work is also interesting because it could easily be adapted for other logics (like Sabotage logics [17]). In the future, we plan to continue to work on reduction strategies, and to use other -solvers.
Appendix A Proof of Theorem 3.1
Proof A.1**.**
We assume to be fixed and we prove the property by structural induction over . Boolean operators are omitted.
- •
* : if , then either is a quantified proposition and it belongs to and belongs to and thus by def. of , or belongs to . In both cases we have . The converse is similar.*
- •
* : iff there exists s.t. , iff (by i.h.) there exists s.t. which is equivalent to .*
- •
. We have iff there exists s.t. , iff (i.h.) which is equivalent to (by def. of ).
- •
* : The definition of corresponds to a finite unfolding of the expansion law that characterizes the EU modality. Assume . There exists a path and a position s.t. and for any . The finite prefix can be assumed to be simple, and then . By using i.h., we get , and for any . From this point, the reader can easily verify by induction (starting at , down to 0) that for all . This makes to be satisfied by .*
Conversely, assume . Let us build a finite path that satisfies . The first vertex is of course , and we have . Fix so that for every , is built, , , and when . Then, there must be so that , and , so we set . The sequence eventually stops, because is finite and the path is simple. If is its last vertex, then we must have , and for every . By using i.h., we get .
- •
* : this case is similar to the previous one, except that we have to consider loops. Assume . Then any path issued from satisfies . If contains a self-loop, then has to be satisfied at (this is ensured by the first case in the def. of ). Otherwise we consider all the paths from : either there is a simple prefix witnessing , or there is a loop from some point. In the latter case, one of the state in the loop has to verify . In both cases, the definition of gives the result.*
Appendix B Experimental results
Detailed results for the three examples are presented in this section. In every case, we distinguished the time required to build the formula (the Z3 specification) and the time required to solve it. Times are given in seconds.
B.1 -connectivity
[TABLE]
[TABLE]
B.2 Nim game
[TABLE]
B.3 Resources distribution
[TABLE]
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Armin Biere, Alessandro Cimatti, Edmund M. Clarke, Ofer Strichman, and Yunshan Zhu. Bounded model checking. Advances in Computers , 58:117–148, 2003.
- 2[2] Armin Biere, Alessandro Cimatti, Edmund M. Clarke, and Yunshan Zhu. Symbolic model checking without bdds. In Tools and Algorithms for Construction and Analysis of Systems, 5th International Conference, TACAS ’99, Amsterdam, The Netherlands, March 22-28, 1999, Proceedings , volume 1579 of Lecture Notes in Computer Science , pages 193–207. Springer, 1999.
- 3[3] Edmund M. Clarke and E. Allen Emerson. Design and synthesis of synchronization skeletons using branching-time temporal logic. In Dexter C. Kozen, editor, Proceedings of the 3rd Workshop on Logics of Programs (LOP’81) , volume 131 of Lecture Notes in Computer Science , pages 52–71. Springer-Verlag, 1982.
- 4[4] Arnaud Da Costa, François Laroussinie, and Nicolas Markey. Quantified CTL: Expressiveness and model checking. In Maciej Koutny and Irek Ulidowski, editors, Proceedings of the 23rd International Conference on Concurrency Theory (CONCUR’12) , volume 7454 of Lecture Notes in Computer Science , pages 177–192. Springer-Verlag, September 2012.
- 5[5] Leonardo Mendonça de Moura and Nikolaj Bjørner. Z 3: an efficient SMT solver. In Tools and Algorithms for the Construction and Analysis of Systems, 14th International Conference, TACAS 2008, Budapest, Hungary, 2008. Proceedings , volume 4963 of Lecture Notes in Computer Science , pages 337–340. Springer, 2008.
- 6[6] Nachum Dershowitz, Ziyad Hanna, and Jacob Katz. Bounded model checking with QBF. In Theory and Applications of Satisfiability Testing, 8th International Conference, SAT 2005, St. Andrews, UK, June 19-23, 2005, Proceedings , volume 3569 of Lecture Notes in Computer Science , pages 408–414. Springer, 2005.
- 7[7] Tim French. Decidability of quantified propositional branching time logics. In Markus Stumptner, Dan Corbett, and Mike Brooks, editors, Proceedings of the 14th Australian Joint Conference on Artificial Intelligence (AJCAI’01) , volume 2256 of Lecture Notes in Computer Science , pages 165–176. Springer-Verlag, December 2001.
- 8[8] Tim French. Quantified propositional temporal logic with repeating states. In Proceedings of the 10th International Symposium on Temporal Representation and Reasoning and of the 4th International Conference on Temporal Logic (TIME-ICTL’03) , pages 155–165. IEEE Comp. Soc. Press, July 2003.
