Mo del Checking and Transitive



Neil Immerman and Moshe Y Vardi

Computer Science Dept University of Massachusetts Amherst MA

httpwwwcsumasseduimmerman immermancsumassedu

Computer Science Dept Rice University Houston TX

httpwwwcsriceeduvardi vardicsriceedu

Abstract We give a lineartime algorithm to translate any formula

from computation logic CTL or CTL into an equivalent expres

sion in a variableconned fragment of transitiveclosure logic FOTC

Traditionally CTL and CTL have been used to express queries for

mo del checking and then translated into calculus for symb olic eval

uation Evaluation of calculus formulas is however complete for time

p olynomial in the typically huge numb er of states in the Kripke struc

ture Thus this is often not feasible not parallelizable and ecient in

cremental strategies are unlikely to exist By contrast evaluation of any

formula in FOTC requires only NSPACElog n This means that the

requirements are manageable the entire computation is paralleliz

able and ecient dynamic evaluation is p ossible

Intro duction

Mo del checking prop osed rst as a paradigm for computeraided verication of

nitestate programs in CE and develop ed further in BCM CES LP

QS VW has been gaining widespread acceptance lately see BBG

The approach is esp ecially appropriate for the design and verication of circuits

and distributed proto cols The detailed lowlevel design can be automatically

translated into a logical structure called a Kripke structure K We can then

write a series of short correctness conditions concerning the b ehavior



of the Kripke structure The conditions are written in a formal language suchas

computation tree logic CTL or the more expressiveCTL Given K and the

i

mo delchecking program will automatically test whether or not K satises If

i

it do es then condence in the design is improved If K do es not satisfy some

i

then the checking program will usually present a counter example which thus

exp oses a bug in the design

The Kripke structures used in mo del checking usually have a state for each

p ossible conguration of the circuit or proto col being designed For this rea

son they are often of size exp onential in the size of the design In this case

Part of the research rep orted here was conducted while the authors were visiting

DIMACS during the Sp ecial Year on Logic and Algorithm

Research partly supp orted byNSFgrant CCR

Research partly supp orted byNSFgrant CCR

one usually represents the Kripke structure symb olically rather than explicitly

often using ordered binary decision diagrams OBDDs The mo del checking p er

formed using these symb olic representations is called symb olic mo del checking

BCM McM

The correctness conditions describ ed ab ove can b e thoughtofasqueriesto

i

the Kripke structure In fact in this pap er we emphasize the close relationship

between mo del checking and database query evaluation cf Var Optimiza

tion of the queries is crucial For this reason the tradeo b etween the expressive

power of the query language and the complexity of doing mo del checking is

imp ortant

A powerful query language for mo del checking is the branchingtime logic

CTL Consider the mo del checking problem for CTL in whichwe x a query

CTL and vary the Kripke structure K The complexity of this problem

called program complexity in VW and data complexity in Var is known to

b e NSPACElog n BVW for CTL Here n is the size of the Kripke structure

aswehavementioned n is often exp onential in the size of the design b eing

veried

The standard way to perform symb olic mo del checking using CTL is to

translate the query to the mo dal calculus KozEL A problem with this

is that the data complexity of the mo dal calculus is p olynomialtime complete

BVW cf I Var This means that evaluation of mo dal calculus

queries most likely requires p olynomial space is not parallelizable and ecient

incremental evaluation strategies are unlikely to exist

We give here a lineartime algorithm to translate any formula from CTL

into an equivalent expression in a variableconned fragment of transitiveclosure

logic FOTC In fact the resulting formulas have only two rstorder variables



The resulting logic denoted FO TC is known to haveadata complexity of

NSPACElog n IVar This means that the space requirements are man

ageable the entire computation is parallelizable and ecient incremental eval

uation is p ossible see for example PI ZSS Thus it is very promising



to do mo del checking and symb olic mo del checking using the language FO TC

rather than the more complex mo dal calculus

Background on Temp oral Logic and the Mo dal

calculus

Let fp p g be a nite of prop ositional symb ols A propositional

r

Kripke structure K S R is a tuple consisting of a nite set of states S

 S

a binary transition R S and a lab eling where

intuitively p is the set of states at which p is true S is often called the

i i

set of p ossible worlds but we call it the set of states b ecause in mo del checking

applications it usually represents the set of global states of the circuit or proto col

b eing designed Typicallyweareinterested in innite computation paths so in

this pap er we restrict our attention to Kripke structures in which every state

has at least one successor whichmay b e itself We can meet this condition by

adding the lo op R s s to each state that has no other successors A Kripke

structure may b e thought of as a directed graph whose vertices are the states

lab eled by the set of prop ositional symb ols they satisfy

The prop ositional Kripke structure K may also b e thoughtofasaniterela

K K

tional structure ie relational database K S R p p The universe

r



of K is the set of states S The R S is the transition relation

K

and a unary relation p p is the set of states at which the prop osition p

i i

i

holds For any rstorder formula we will use the notation K j to mean

that is true in K

We use in this pap er the computation tree CTL and CTL For de

nitions of syntax and semantics of these logics see Eme

The mo dal calculus is a prop ositional mo dal logic that includes the least

xed p oint op erator Koz Eme The mo dal calculus is strictly more

expressive than CTL and has p olynomialtime data complexity see next sec

tion As an example we can write the CTL formula EFp as a least xed p oint

EFp Y p hR iY

Equation can b e generalized to show that all of CTL can b e interpreted

in the mo dal Calculus See EmeVar for details

Fact

There is a linear time algorithm that translates any formula in CTL into an

equivalent formula in the modal calculus

There isanexponential time algorithm that translates any formula in CTL

into an equivalent formula in the modal calculus

Symb olic mo del checking is typically carried out by rst translating the CTL

correctness condition into the calculus McM A drawback of this approach

is that mo del checking of the calculus uses space p olynomial in the size of the

usually huge Kripke structure In the next section we describ e transitiveclosure

logic We will see that although transitiveclosure logic has lower complexity

than the calculus it still suces to interpret CTL

Background on Descriptive Complexity

In descriptive complexitywe study nite logical structures relational databases

suchastheKripke structures

K K

K S R p p

r

The complexity of computing queries on such structures is intimately tied to

the p ower of variants of rstorder logic needed to describ e these queries This

has b een studied in great detail See for example EFILRVar

Let FO b e the set of rstorder expressible prop erties For example consider

the rstorder formula

xpx y R x y py

A Kripke structure K satises in symb ols K j ievery state

satisfying p has a successor state that also satises p



The class FO captures the AC consisting of those prop erties

checkable by b ounded depth p olynomialsize circuits This is equal to the set of

prop erties computable in constant time on a concurrent parallel random access

machine that has at most p olynomially many pro cessors Ia

To obtain a richer class of queries let FOLFP b e rstorder logic extended

by a leastxedp oint op erator This is the closure of rstorder logic under the

power to dene new relations by induction We can view the mo dal calculus

as a restriction of FOLFP in which all xed points are taken over monadic

k

relations and such that only two domain variables are used Let FO be the

r

restriction of FOsuch that the only domain variables are x x Let LFP

k

b e the restriction of LFP to act only on inductive denitions of arity at most r

Then there is a lineartime mapping of eachformula from the mo dal calculus



to an equivalentformula in FO LFP Var

As an example consider the calculus formula Y p hR iY Recall

from Equation that is equivalent to the CTL formula EFp This can be

interpreted in FOLFP as the formula

LFP py y R y y Y y y

Yy

The equivalence b etween and is that for any prop ositional Kripke struc

ture K and state s

K s j K sy j

It is well known that FOLFP captures p olynomial time The following facts

assume that structures in question are nite and include a total ordering on their

universes

Fact I Var The queries computable in polynomial time are exactly

those expressible in FOLFP

While the mo dal calculus is a prop er subset of FOLFP it still con

tains problems complete for p olynomialtime BVW Since the mo del checking

problem for CTL is contained in NSPACElog n it would b e much b etter to

interpret CTL in a logic with this lower complexity

Let the formula x x y y represent a binary relation on k tuples

k k

We express the reexive transitive closure of this relation using the transitive

closure op erator TC as follows TC Let FOTC b e the closure of rst

xy

order logic under the transitiveclosure op erator For example the following

formula is equivalentto Equation and thus interprets the CTL formula

EFp It do es so directlybysaying that there is an R path to a state satisfying

p

y TC R y y y y py

yy

We will see in the next section that every formula in CTL can b e so inter

preted

Transitive closure logic exactly captures nondeterministic logspace

Fact I I The queries computable in NSPACElog n are exactly those

expressible in FOTC

The number of variables used is an imp ortant descriptive resource Eachdo

main variable x ranges over the universe of its input structure In the denition

i

k

of FO we allow an unb ounded number of boolean variables b b in ad

c

dition to the k domain variables Bo olean variables are essentially rstorder

variables that are restricted to range only over the rst two elements of the

universe which we x as and Including also b o olean variables makes the

k

denition of FO more robust I As a simple example wecaninterpret the

conjunction EFp EFq using a universally quantied b o olean variable

R y y y y b py b q y by TC

yy

We note however that the inclusion of b o olean variables has a nontrivial complexity

k

theoretic consequence While pure ie b o oleanvariablefree queries in FO TC

can be evaluated in uniform p olynomial time the space required to evaluate

k

queries in FO TC is p olynomial in the numb er of b o olean variables

s

We sometimes wantastrict transitive closure op erator TC denotes the

transitive closure of as opp osed to the reexive transitive closure of The

strict and reexive transitive closure op erators are denable from eachotheras

follows Note that no extra variables are needed

s

TCy y y y y y TC y y y y

s

TC y y y y y y TCy y y y

y y y y y TCy y y y

Transitive Closure Logic Suces

In this section wepresent an algorithm that translates any formula in CTL to



an equivalent formula in FO TC ie rstorder logic with only two rstorder

variables extended by the transitiveclosure op erator We rst do the case of

CTL which is signicantly simpler

Theorem Thereisatransformation f from state formulas in CTL to formu



las in FO TC that preserves meaning That is for al state formulas CTL

and al l Kripke structures K and states s

K s j K sy j f

Proof We dene f by induction on

f p py for predicate symbol p

f f

f f f

f EU y TC M y y f y

f 

where M y y R y y y

s

f EB y TCM y y f y f y TC M y y

f   f  

It is easy to showby induction that Equation holds The interesting cases

are the last two For Until note that there is a path starting at y along which

U holds i there is some p oint y at which holds and there is a path from

y to y along which holds For Before there is a path starting at y along

which B holds i there is some p oint y for which there is a path from y to y

along which holds and either and b oth hold at y or there is an innite

path ie a cycle starting at y along which remains true ut

Note that the formulas f do es not use b o olean variables We would be

happier if the ab ove f were lineartime computable The problem is that the

formula f o ccurs more than once in the denition of f EB This could

causeanexponential blowup in the size of the resulting formula We will defer

this problem to Corollary

The diculty in extending Theorem to CTL o ccurs in a formula suchas

Ep q U r U t

As b efore we can express that at some state y t holds and that there is a

path from y to y along whichp q U r holds The problem is that wemust

rememb er our obligations along this path ie whether we need to preserve q U r

and wemay need to preserve this along the same path b eyond y

To solve this problem weintro duce a new b o olean variable b whose purp ose is

to rememb er our obligation concerning the formula q Ur The following formula

asserts that there is a path to a future state y and a b o olean value b such

that p q Ur holds along the path t holds at y andif b holds ie weare

still obliged to fulll q Ur then there is a continuation of the path along which

q Ur holds

y b TC y falsey b ty

b y TC M y y r y

q

y b y b p b r q b R y y

Observe that as desired for all Kripke structures K and states s

K s j K sy j

Reiterating the main p oint in addition to the log n bits needed to name y

the current state in our nstate Kripke structure we use one additional bit b

to record our obligations concerning the truth of a formula along the remainder

of a path

Wenow describ e this construction in general so that wemay extend Theorem

toCTL LetE b e a CTL formula Dene the closure of cl to b e

the set of path subformulas of We intro duce a b o olean variable b for each

cl Intuitively weuse the b o olean variables to enco de the state of the

automaton that runs along a path and checks that the path satises a path

formula see VW

We inductively dene a mapping g from state formulas E in CTL to



equivalent formulas in FO TC Let b be a tuple of all the b o olean variables



b for cl Dene the transition relation R y b y b as follows In each

case the comment on the right is the condition underwhichthegiven conjunct is

included in the formula We assume that is written in p ositivenormal form

R y y

b g y for any state formula cl

b b b for anypathformula cl

b b b for anypathformula cl

b b for anypathformula X cl

X

b b b b for anypathformula U cl

U

U

for anypathformula B cl b b b b

B

B



It follows by an inductive pro of from the denition of R that if the structure

K satises the formula

s

 

y b b b TCR b TC R b y b y b y y

then there is a path from y to y along which may b e true The reason we

saymay b e is that there may b e some b o oleans b that are true promising

U

that eventually will b ecome true but in fact as wewalk around the cycle

remains true but never b ecomes true Essentially the b o olean variables enco de

only the states of the lo cal automaton in VW which do es not guarantee

the satisfaction of Until formulas

In order to solve this problem let m b e a tuple of bits m oneforeach

U

Until formula U cl We use the memory bit m to checkthat

U

actually o ccurs on the path from y back to itself We do this by starting

the cycle with m b eing false and only letting it b ecome true when holds

U

Essentially the memory bits enco de the state of the eventuality automaton in

VW

b m asfollows Dene the relation R y b m y



R y by b

m m b for anyformula U cl

U

U



Finallywe dene the desired mapping g from CTL state formulas to FO TC

as follows

g ppy

g g g

g g

g E y b b m b

b TCR y falsey b false

s

TC R y b falsey b m

b m for any formula U cl

U

U

The following can nowbeproved by induction on

Theorem The map g denedabove translates CTL state formulas to equiv



alent formulas in FO TC That is for al l Kripke structures K states s and

CTL state formulas

K s j K sy j g

The transformation g suers from a similar problem as the transformation

f of Theorem The problem is that the formula R is written twice in the

denition of g E This may cause the size of the formula g to growexpo

nentially in the nesting depth of path quantiers E Ain In practice there

is little reason for this nesting depth to be greater than one or two We can

however alleviate this problem in general as follows

Corollary The mapping g above may bemodied to run in linear time and

thus produce linear size output in any of the fol lowing ways



Modify the mapping al lowing another variable that is map to FO TC

Al low the denition of R to be written onceandreused that is we represent

the formula as a rstorder circuit

s

Al low the construction R TC R that is whenever we compute the

transitive closureofarelation we may reuse it

Proof Items and simply change our mo de of representation and are thus

obvious The idea in item is that with an extra state variable t and a universal

quantier we can eliminate the extra o ccurrence of R For example we can

rewrite the denition of GE as follows

g E y b b mtcdb

t y c b d false t y c b d m

s

TC R t c falsey b d

b m for anyformula U cl

U U

Note In all of the cases of Corollary the resulting formulas remain in

FOTC and thus have data complexityNSPACElog n In addition conditions

and are quite feasible from a symbolic model checking p ointofviewwewould

naturally compute the OBDD for the relation R and its transitive closure only

once

The use of the niteness of the Kripke structures K in our pro ofs of Theo

rems and is crucial It is known that CTL cannot b e translated to FOTC

over all structures Ott

Applications to Symb olic Mo del Checking

The main application of this work is to symb olic mo del checking In this situa

tion the Kripke mo del is to o large to b e represented in memory and is instead

represented symb olically often via an OBDD

From a descriptive p oint of view this corresp onds to a Kripke structure

determined by a set of n b o olean variables Let

A hfx x x gp p i

 n r

Here the universe of A is a set of n b o olean variables A state in the cor

resp onding Kripke structure K A is a unary relation S over A ie a truth

assignment to the elements of jAj The formula which might b e represented

as an OBDD expresses the transition relation S S on states of K A



Similarly the formulas p p represent the relevant unary relations that are

r

true or false at each state S of K A

Ab ove we expressed CTL or CTL conditions concerning a Kripke structure



K in FO TC that is in rstorder logic with twovariables and a transitive

closure op erator In the symb olic setting suchaformula concerning K Aisbest

thought of as a secondorder monadic formula concerning the structure AThat

is the elements of the universe of K A are unary relations over AThus the



correctness conditions in question are queries to A in the language MSO TC

monadic secondorder formulas with only two secondorder variables and a

transitive closure op erator

It is not hard to see that

Fact NSPACEn MSOTC

Thus the CTL and CTL queries are all checkable in nondeterministic linear

space BVW Here the space is linear in n the size of the design of the circuit

n

or proto col to b e veried not the size of the Kripke structure K A

It is imp ortant in our simulations that we used as few variables as p ossible

With two secondorder monadic variables the paths to be checked can have

n

length at most Eachbooleanvariable that we add can at most double the

length of such a path whereas adding another secondorder monadic variable

is essentially n boolean variables and could thus increase the length of paths to

n

b e searched by a factor of We susp ect that the number of boolean variables

needed for typical CTL queries is quite small It is an interesting op en question

how many b o olean variables are needed in the worst case For example in the

context of linear temp oral logic analogous translations are known that use no

b o olean variables EVW

Exp eriments need to be p erformed concerning practical asp ects of using

FOTC as a language for expressing correctness queries While the straight

forward approach for adopting transitiveclousre algorithms to symbolic model

checking have failed TBK more sophisticated transitiveclosure algorithms

see Ya might b e quite useful for symb olic mo del checking

This work suggests a new paradigm for mo del checking One can write the

conditions to b e checked in a very expressive language eg secondorder logic or

rstorder logic with leastxed p oint op erators FOLFP Next if the Kripke

structure is small wemaybeabletocheck this condition automaticallyIfnotwe

may need to break our correctness conditions down into simpler conditions which

may b e expressed in simpler languages eg FOTC which can b e automatically

checked in a feasible amount of time Even within FOTC there is a hierarchy



of how manyvarables we need and how many boolean variables in FO TC

There is a welldevelop ed theory in the context of nitemo del theory of the

relationship b etween descriptive complexity and computational complexity I

This understanding could b e also imp ortant in computeraided verication

Conclusions and Future Work

We have shown that every formula in CTL may be translated in linear time

to an equivalent formula in transitive closurelogic FOTC Since the language

FOTC has data complexity NSPACElog n it admits more ecient mo del

checking algorithms than the mo dal calculus which has a p olynomialtime

complete data complexity

There are several op en questions concerning the numberofvariables needed

for the resulting formulas in FOTC

We have shown that the resulting formulas are linear size when we allow



three domain variables that is they are in FO TC It is op en whether



linear size can b e maintained when we map to FO TC or indeed whether

an exp onential blowup is required

Wewould like to knowhowmany b o olean variables are needed to interpret



CTL in FO TC our construction allows a linear number of suchboolean

variables

Finally our approach of using transitiveclosure logic rather than the much

more complex calculus for mo del checking might be useful in practice This

requires further investigation and testing Part of the program of Descriptive

Complexity is that the computational complexity of query evaluation should

be apparentjust from lo oking at the syntax of the query under consideration

Translating CTL queries into transitiveclosure logic rather than calculus

facilitates this approach

Acknowledgements Thanks to Kousha Etessami and Thomas Wilke for

helpful comments corrections and suggestions

References

BBG I Beer S BenDavid D Geist R Gewirtzman and M Yo el Metho dology

and System for Practical Formal Verication of Reactive Hardware in Com

puter AidedVerication Proc th Int Conference D L Dill ed LNCS

SpringerVerlag

BVW O Bernholtz MY Vardi and P Wolp er An AutomataTheoretic Ap

proach to BranchingTime Mo del Checking in Computer AidedVerication

Proc th Int Conference D L Dill ed LNCS SpringerVerlag

BCM JR Burch EM Clarke KL McMillan DL Dill and LJ Hwang Sym

b olic Mo del Checking States and Beyond Information and Computa

tion

CE EM Clarke and EA Emerson Design and Synthesis of Synchronization

Skeletons Using Branching Time Temp oral Logic in Proc Workshop on

Logic of Programs LNCS SpringerVerlag

CES EM Clarke EA Emerson and AP Sistla Automatic Verication of Finite

State Concurrent Systems Using Temp oral Logic Sp ecications ACM Trans

actions on Programming Languages and Systems

EF HD Ebbinghaus J Flum Finite Springer

Eme EA Emerson Temp oral and mo dal logic in Handbook of theoretical com

puter science

Eme E A Emerson Mo del Checking and the MuCalculus in Descriptive Com

plexity and Finite Models N Immerman and Ph Kolaitis eds Amer

ican Mathematical So ciety

EL EA Emerson and CL Lei Ecient Mo del Checking in Fragments of the

Prop ositional muCalculus Proc st Symp on Logic in Computer Science

EVW K Etessami MY Vardi and T Wilke FirstOrder Logic with TwoVari

ables and Unary Temp oral Logic Proc th IEEE Symp on Logic in Com

puter Science July

I N Immerman Relational Queries Computable in Polynomial Time Infor

mation and Control

I N Immerman Languages That Capture Complexity Classes SIAM J

Comput

I N Immerman Nondeterministic Space is Closed Under Complementation

SIAM J Comput

I N Immerman Descriptive and Computational Complexityin Computa

tional Complexity Theory ed J Hartmanis Lecture Notes for AMS Short

Course on Computational Complexity Theory Proc Symp in Applied Math

American Mathematical So ciety

Ia N Immerman Expressibility and Paral lel Complexity SIAM J of Comput

k

I N Immerman DSPACEn VARk Sixth IEEE Structure in Com

plexity Theory Symp July

Koz D Kozen Results on the Prop ositional Calculus Theoretical Computer

Science

LR R Lassaigne and M de Rougemont Logique et Complexite Hermes

LP O Lichtenstein and A Pnueli Checking that Finite State Concurrent Pro

grams Satisfy their Linear Sp ecication Proc th ACM Symp on Principles

of Programming Languages

McM K McMillan Symbolic Model Checking Kluwer

Ott M Otto private communication

PI S Patnaik and N Immerman DynFO A Parallel Dynamic Complexity

Class Proc ACM Symp on Principles of Database Systems

QS JP Queille and J Sifakis Sp ecication and Verication of Concurrent Sys

tems in Cesar Proc th Intl Symp on Programming LNCS

SpringerVerlag

TBK H J Touati R K Brayton and R P Kurshan Testing language con

tainment for automata using BDDs Information and Computation

Var MY Vardi Complexity

of Relational Query Languages ACM Symp Theory Of Comput

Var MY Vardi Why is Mo dal Logic So Robustly Decidablein Descriptive

Complexity and Finite Models N Immerman and Ph Kolaitis eds

American Mathematical So ciety

VW MY Vardi and PWolp er Yet Another Pro cess Logic in Logics of Pro

grams LNCS SpringerVerlag

VW MY Vardi and PWolp er An AutomataTheoretic Approach to Automatic

Program Verication Proc st Symp on Logic in Computer Science

VW MY Vardi and PWolp er Reasoning ab out Innite Computations Infor

mation and Computation

Ya M Yannakakis Graphtheoretic metho ds in database theory Proc th

ACM Symp on Principles of Database Systems

ZSS S Zhang SA Smolka and O Sokolsky On the Parallel Complexity of

Mo del Checking in the Mo dal Calculus Proc th IEEE Symp on Logic

in Computer Science

A

This article was pro cessed using the L T X macro package with LLNCS style E