Mo del Checking and TransitiveClosure Logic Neil Immerman and Moshe Y Vardi Computer Science Dept University of Massachusetts Amherst MA httpwwwcsumasseduimmerman immermancsumassedu Computer Science Dept Rice University Houston TX httpwwwcsriceeduvardi vardicsriceedu Abstract We give a lineartime algorithm to translate any formula from computation tree logic CTL or CTL into an equivalent expres sion in a variableconned fragment of transitiveclosure logic FOTC Traditionally CTL and CTL have been used to express queries for mo del checking and then translated into calculus for symb olic eval uation Evaluation of calculus formulas is however complete for time p olynomial in the typically huge numb er of states in the Kripke struc ture Thus this is often not feasible not parallelizable and ecient in cremental strategies are unlikely to exist By contrast evaluation of any formula in FOTC requires only NSPACElog n This means that the space requirements are manageable the entire computation is paralleliz able and ecient dynamic evaluation is p ossible Intro duction Mo del checking prop osed rst as a paradigm for computeraided verication of nitestate programs in CE and develop ed further in BCM CES LP QS VW has been gaining widespread acceptance lately see BBG The approach is esp ecially appropriate for the design and verication of circuits and distributed proto cols The detailed lowlevel design can be automatically translated into a logical structure called a Kripke structure K We can then write a series of short correctness conditions concerning the b ehavior of the Kripke structure The conditions are written in a formal language suchas computation tree logic CTL or the more expressiveCTL Given K and the i mo delchecking program will automatically test whether or not K satises If i it do es then condence in the design is improved If K do es not satisfy some i then the checking program will usually present a counter example which thus exp oses a bug in the design The Kripke structures used in mo del checking usually have a state for each p ossible conguration of the circuit or proto col being designed For this rea son they are often of size exp onential in the size of the design In this case Part of the research rep orted here was conducted while the authors were visiting DIMACS during the Sp ecial Year on Logic and Algorithm Research partly supp orted byNSFgrant CCR Research partly supp orted byNSFgrant CCR one usually represents the Kripke structure symb olically rather than explicitly often using ordered binary decision diagrams OBDDs The mo del checking p er formed using these symb olic representations is called symb olic mo del checking BCM McM The correctness conditions describ ed ab ove can b e thoughtofasqueriesto i the Kripke structure In fact in this pap er we emphasize the close relationship between mo del checking and database query evaluation cf Var Optimiza tion of the queries is crucial For this reason the tradeo b etween the expressive power of the query language and the complexity of doing mo del checking is imp ortant A powerful query language for mo del checking is the branchingtime logic CTL Consider the mo del checking problem for CTL in whichwe x a query CTL and vary the Kripke structure K The complexity of this problem called program complexity in VW and data complexity in Var is known to b e NSPACElog n BVW for CTL Here n is the size of the Kripke structure aswehavementioned n is often exp onential in the size of the design b eing veried The standard way to perform symb olic mo del checking using CTL is to translate the query to the mo dal calculus KozEL A problem with this is that the data complexity of the mo dal calculus is p olynomialtime complete BVW cf I Var This means that evaluation of mo dal calculus queries most likely requires p olynomial space is not parallelizable and ecient incremental evaluation strategies are unlikely to exist We give here a lineartime algorithm to translate any formula from CTL into an equivalent expression in a variableconned fragment of transitiveclosure logic FOTC In fact the resulting formulas have only two rstorder variables The resulting logic denoted FO TC is known to haveadata complexity of NSPACElog n IVar This means that the space requirements are man ageable the entire computation is parallelizable and ecient incremental eval uation is p ossible see for example PI ZSS Thus it is very promising to do mo del checking and symb olic mo del checking using the language FO TC rather than the more complex mo dal calculus Background on Temp oral Logic and the Mo dal calculus Let fp p g be a nite set of prop ositional symb ols A propositional r Kripke structure K S R is a tuple consisting of a nite set of states S S a binary transition relation R S and a lab eling function where intuitively p is the set of states at which p is true S is often called the i i set of p ossible worlds but we call it the set of states b ecause in mo del checking applications it usually represents the set of global states of the circuit or proto col b eing designed Typicallyweareinterested in innite computation paths so in this pap er we restrict our attention to Kripke structures in which every state has at least one successor whichmay b e itself We can meet this condition by adding the lo op R s s to each state that has no other successors A Kripke structure may b e thought of as a directed graph whose vertices are the states lab eled by the set of prop ositional symb ols they satisfy The prop ositional Kripke structure K may also b e thoughtofasaniterela K K tional structure ie relational database K S R p p The universe r of K is the set of states S The binary relation R S is the transition relation K and a unary relation p p is the set of states at which the prop osition p i i i holds For any rstorder formula we will use the notation K j to mean that is true in K We use in this pap er the computation tree logics CTL and CTL For de nitions of syntax and semantics of these logics see Eme The mo dal calculus is a prop ositional mo dal logic that includes the least xed p oint op erator Koz Eme The mo dal calculus is strictly more expressive than CTL and has p olynomialtime data complexity see next sec tion As an example we can write the CTL formula EFp as a least xed p oint EFp Y p hR iY Equation can b e generalized to show that all of CTL can b e interpreted in the mo dal Calculus See EmeVar for details Fact There is a linear time algorithm that translates any formula in CTL into an equivalent formula in the modal calculus There isanexponential time algorithm that translates any formula in CTL into an equivalent formula in the modal calculus Symb olic mo del checking is typically carried out by rst translating the CTL correctness condition into the calculus McM A drawback of this approach is that mo del checking of the calculus uses space p olynomial in the size of the usually huge Kripke structure In the next section we describ e transitiveclosure logic We will see that although transitiveclosure logic has lower complexity than the calculus it still suces to interpret CTL Background on Descriptive Complexity In descriptive complexitywe study nite logical structures relational databases suchastheKripke structures K K K S R p p r The complexity of computing queries on such structures is intimately tied to the p ower of variants of rstorder logic needed to describ e these queries This has b een studied in great detail See for example EFILRVar Let FO b e the set of rstorder expressible prop erties For example consider the rstorder formula xpx y R x y py A Kripke structure K satises in symb ols K j ievery state satisfying p has a successor state that also satises p The class FO captures the complexity class AC consisting of those prop erties checkable by b ounded depth p olynomialsize circuits This is equal to the set of prop erties computable in constant time on a concurrent parallel random access machine that has at most p olynomially many pro cessors Ia To obtain a richer class of queries let FOLFP b e rstorder logic extended by a leastxedp oint op erator This is the closure of rstorder logic under the power to dene new relations by induction We can view the mo dal calculus as a restriction of FOLFP in which all xed points are taken over monadic k relations and such that only two domain variables are used Let FO be the r restriction of FOsuch that the only domain variables are x x Let LFP k b e the restriction of LFP to act only on inductive denitions of arity at most r Then there is a lineartime mapping of eachformula from the mo dal calculus to an equivalentformula in FO LFP Var As an example consider the calculus formula Y p hR iY Recall from Equation that is equivalent to the CTL formula EFp This can be interpreted in FOLFP as the formula LFP py y R y y Y y y Yy The equivalence b etween and is that for any prop ositional Kripke struc ture K and state s K s j K sy j It is well known that FOLFP captures p olynomial time The following facts assume that structures in question are nite and include a total ordering on their universes Fact I Var The queries computable in polynomial time are exactly those expressible in FOLFP While the mo dal calculus is a prop er subset of FOLFP it still con tains problems complete for p olynomialtime BVW Since the mo del checking problem for CTL is contained in NSPACElog n it would b e much b etter to interpret