Model Checking CTL is Almost Always Inherently Sequential

Olaf Beyersdorff, Arne Meier, Michael Thomas, Heribert Vollmer, Martin Mundhenk, Thomas Schneider
2009 2009 16th International Symposium on Temporal Representation and Reasoning  
The model checking problem for CTL is known to be P-complete (Clarke, Emerson, and Sistla (1986), see Schnoebelen (2002)). We consider fragments of CTL obtained by restricting the use of temporal modalities or the use of negations (restrictions already studied for LTL by Sistla and Clarke (1985) and Markey (2004)). For all these fragments, except for the trivial case without any temporal operator, we systematically prove model checking to be either inherently sequential (P-complete) or very efficiently parallelizable (LOGCFL-complete). For most fragments, however, model checking for CTL is already P-complete. Hence our results indicate that, in cases where the combined complexity is of relevance, approaching CTL model checking by parallelism cannot be expected to result in any significant speedup. We also completely determine the complexity of the model checking problem for all fragments of the extensions ECTL, CTL+, and ECTL+.
Temporal logic was introduced by Pnueli [Pnu77] as a formalism to specify and verify properties of concurrent programs. Computation Tree Logic (CTL), the logic of branching time, goes back to Emerson and Clarke [EC82] and contains temporal operators for expressing that an event occurs at some time in the future (F), always in the future (G), in the next point of time (X), always in the future until another event holds (U), or as long as it is not released by the occurrence of another event (R), as well as path quantifiers (E, A) for speaking about computation paths. The full language obtained by these operators and quantifiers is called CTL⋆ [EH86]. In CTL, the interaction between the temporal operators and path quantifiers is restricted. The temporal operators in CTL are obtained by path quantifiers followed directly by any temporal operator, e.g., AF and AU are CTL-operators. Because they start with the universal path quantifier, they are called universal CTL-operators. Accordingly, EX and EG are examples of existential CTL-operators.
Since properties are largely verified automatically, the computational complexity of reasoning tasks is of great interest. Model checking (MC), the problem of verifying whether a given formula holds in a state of a given model, is one of the most important reasoning
Although model checking for CTL is tractable, its P-hardness means that it is presumably not efficiently parallelizable. We therefore search for fragments of CTL with a model checking problem of lower complexity.
We will consider all subsets of CTL-operators, and examine the complexity of the model checking problems for all resulting fragments of CTL. Further, we consider three additional restrictions affecting the use of negation and study the extensions ECTL, CTL+, and their combination ECTL+.
The complexity of model checking for fragments of temporal logics has been examined in the literature: Markey [Mar04] considered satisfiability and model checking for fragments of Linear Temporal Logic (LTL). Under systematic restrictions to the temporal operators, the use of negation, and the interaction of future and past operators, Markey classified the two decision problems into NP-complete, coNP-complete, and PSPACE-complete. Further, [BMS+09] examined model checking for all fragments of LTL obtained by restricting the set of temporal operators and propositional connectives. The resulting classification separated cases where model checking is tractable from those where it is intractable. For model checking paths in LTL, an AC^1(LOGDCFL) algorithm is presented in [KF09].
Concerning CTL and its extension ECTL, our results in this paper show that most restricted versions of the model checking problem exhibit the same hardness as the general problem. More precisely, we show that apart from the trivial case where CTL-operators are completely absent, the complexity of CTL model checking is a dichotomy: it is either P-complete or LOGCFL-complete. Unfortunately, the latter case only occurs for a few rather weak fragments and hence there is not much hope that in practice, model checking can be sped up by using parallelism: it is inherently sequential. Put as a simple rule, model checking for CTL is P-complete for every fragment that allows expressing a universal and an existential CTL-operator. Only for fragments involving the operators EX and EF (or alternatively AX and AG) is model checking LOGCFL-complete. This is visualized in Figure 4 in Section 5.
Recall that LOGCFL is defined as the class of problems logspace-reducible to context-free languages, and NL ⊆ LOGCFL ⊆ NC^2 ⊆ P. Hence, in contrast to inherently sequential P-hard tasks, problems in LOGCFL have very efficient parallel algorithms.
For the extensions CTL+ and ECTL+, the situation is more complex. In general, model checking CTL+ and ECTL+ is Δ^p_2-complete [LMS01]. We show that for T ⊆ {A, E, X}, both model checking problems restricted to operators from T remain tractable, while for T {A, E, X}, they become Δ^p_2-complete. Yet, for negation restricted fragments with only existential or only universal path quantifiers, we observe a complexity decrease to NP- resp. coNP-completeness.
This paper is organized as follows: Section 2 introduces CTL, its model checking problems, and the non-basics of complexity theory we use. Section 3 contains our main results, separated into upper and lower bounds. We also provide a refined analysis of the reductions between different model checking problems with restricted use of negation. The results are then generalized to extensions of CTL in Section 4. Finally, Section 5 concludes with a graphical overview of the results.
Preliminaries
2.1. Temporal Logic.
We inductively define CTL⋆-formulae as follows. Let Φ be a finite set of atomic propositions. The symbols used are the atomic propositions in Φ, the constant symbols ⊤, ⊥, the Boolean connectives ¬, ∧, and ∨, and the temporal operator symbols A, E, X, F, G, U, and R. A and E are called path quantifiers; temporal operators aside from A and E are pure temporal operators. The atomic propositions and the constants ⊤ and ⊥ are atomic formulae. There are two kinds of formulae, state formulae and path formulae. Each atomic formula is a state formula, and each state formula is a path formula.
If ϕ, ψ are state formulae and χ, π are path formulae, then ¬ϕ, (ϕ ∧ ψ), (ϕ ∨ ψ), Aχ, Eχ are state formulae, and ¬χ, (χ ∧ π), (χ ∨ π), Xχ, Fχ, Gχ, [χUπ], and [χRπ] are path formulae. The set of CTL⋆-formulae (or formulae) consists of all state formulae.
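For the CTL case, where every pure temporal operator is directly preceded by a path quantifier, the model checking problem described above can be decided by the standard fixpoint labeling procedure. The following Python sketch is an added example, not code from the paper; the tuple encoding of formulae, the names `sat`, `fix` and `MODEL`, and the four-state model are assumptions made for illustration. It covers X, F, G and U (not R) and assumes every state has a successor.

```python
# Added example: CTL model checking by fixpoint labeling (not the paper's code).
# Formulae are nested tuples, e.g. ("AF", ("ap", "auth")) or ("EU", f, g).
# Assumption: every state has at least one successor (total transition relation).

def fix(z, step):
    """Iterate z := step(z) until stable; each round depends on the previous one."""
    while (new := step(z)) != z:
        z = new
    return z

def sat(model, f):
    """Return the set of states of `model` in which CTL state formula `f` holds."""
    states, succ, label = model
    op, args = f[0], f[1:]
    neg = lambda g: ("not", g)
    if op == "true":
        return set(states)
    if op == "ap":
        return {s for s in states if args[0] in label[s]}
    if op == "not":
        return set(states) - sat(model, args[0])
    if op == "and":
        return sat(model, args[0]) & sat(model, args[1])
    if op == "or":
        return sat(model, args[0]) | sat(model, args[1])
    if op == "EX":
        target = sat(model, args[0])
        return {s for s in states if succ[s] & target}
    if op == "EU":  # least fixpoint of Z = g ∪ (f ∩ EX Z)
        left = sat(model, args[0])
        return fix(sat(model, args[1]), lambda z: z | {s for s in left if succ[s] & z})
    if op == "EG":  # greatest fixpoint of Z = f ∩ EX Z
        return fix(sat(model, args[0]), lambda z: {s for s in z if succ[s] & z})
    if op == "EF":  # EF f = E[true U f]
        return sat(model, ("EU", ("true",), args[0]))
    if op in ("AX", "AG", "AF"):  # universal operator = negated dual existential one
        dual = {"AX": "EX", "AG": "EF", "AF": "EG"}[op]
        return sat(model, neg((dual, neg(args[0]))))
    if op == "AU":  # A[f U g] = ¬E[¬g U (¬f ∧ ¬g)] ∧ ¬EG ¬g
        nf, ng = neg(args[0]), neg(args[1])
        return sat(model, ("and", neg(("EU", ng, ("and", nf, ng))), neg(("EG", ng))))
    raise ValueError(f"unsupported operator {op!r}")

# Constructed 4-state model: 0 <-> 1 -> 2 -> 3, with self-loops on 2 and 3.
MODEL = (
    range(4),
    {0: {1}, 1: {0, 2}, 2: {2, 3}, 3: {3}},
    {0: set(), 1: {"req"}, 2: {"auth"}, 3: {"auth", "priv"}},
)
```

On this model, `sat(MODEL, ("AF", ("ap", "auth")))` excludes states 0 and 1 because the path looping between them never reaches an `auth` state, while `("EF", ("ap", "priv"))` holds everywhere.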
doi:10.1109/time.2009.12 dblp:conf/time/BeyersdorffMTVMS09 fatcat:yiavdk6rirhfthgqnfz5eeqpgu