Model Checking CTL Is Almost Always Inherently Sequential

This is a repository copy of Model Checking CTL is Almost Always Inherently Sequential. White Rose Research Online URL for this paper: http://eprints.whiterose.ac.uk/74808/

Proceedings Paper: Beyersdorff, O, Meier, A, Thomas, M et al. (3 more authors) (2009) Model Checking CTL is Almost Always Inherently Sequential. In: Lutz, C and Raskin, J-F, (eds.) 16th International Symposium on Temporal Representation and Reasoning 2009. International Symposium on Temporal Representation and Reasoning, 23 - 25 July 2009, Bressanone, Brixen, Italy. IEEE, 21 - 28. ISBN 978-0-7695-3727-6 https://doi.org/10.1109/TIME.2009.12

Olaf Beyersdorff, Arne Meier, Michael Thomas, Heribert Vollmer
Theoretical Computer Science, University of Hannover, Germany
{beyersdorff, meier, thomas, vollmer}@thi.uni-hannover.de

Martin Mundhenk
Computer Science, University of Jena, Germany

Thomas Schneider
Computer Science, University of Manchester, UK

∗ Supported in part by grants DFG VO 630/6-1 and DAAD-ARC D/08/08881.

Abstract

The model checking problem for CTL is known to be P-complete (Clarke, Emerson, and Sistla (1986), see Schnoebelen (2002)). We consider fragments of CTL obtained by restricting the use of temporal modalities or the use of negations—restrictions already studied for LTL by Sistla and Clarke (1985) and Markey (2004). For all these fragments, except for the trivial case without any temporal operator, we systematically prove model checking to be either inherently sequential (P-complete) or very efficiently parallelizable (LOGCFL-complete). For most fragments, however, model checking for CTL is already P-complete. Hence our results indicate that in most applications, approaching CTL model checking by parallelism will not result in the desired speed up.

We also completely determine the complexity of the model checking problem for all fragments of the extensions ECTL, CTL+, and ECTL+.

1. Introduction

Temporal logic was introduced by Pnueli [12] as a formalism to specify and verify properties of concurrent programs. Computation Tree Logic (CTL), the logic of branching time, goes back to Emerson and Clarke [4] and contains temporal operators for expressing that an event occurs at some time in the future (F), always in the future (G), in the next point of time (X), always in the future until another event holds (U), or as long as it is not released by the occurrence of another event (R), as well as path quantifiers (E, A) for speaking about computation paths. The full language obtained by these operators and quantifiers is called CTL⋆ [5]. In CTL, the interaction between the temporal operators and path quantifiers is restricted. The temporal operators in CTL are obtained by path quantifiers followed directly by any temporal operator, e.g., AF and AU are CTL-operators. Because they start with the universal path quantifier, they are called universal CTL-operators. Accordingly, EX and EG are examples of existential CTL-operators.

Since properties are largely verified automatically, the computational complexity of reasoning tasks is of great interest. Model checking (MC)—the problem of verifying whether a given formula holds in a state of a given model—is one of the most important reasoning tasks [15]. It is intractable for CTL⋆ (PSPACE-complete [6, 15]), but tractable for CTL (solvable in, and even hard for, polynomial time [3, 15]).

Although model checking for CTL is tractable, its P-hardness means that it is presumably not efficiently parallelizable. We therefore search for fragments of CTL with a model checking problem of lower complexity. We will consider all subsets of CTL-operators, and examine the complexity of the model checking problems for all resulting fragments of CTL. Further, we consider three additional restrictions affecting the use of negation and study the extensions ECTL, CTL+, and their combination ECTL+.

The complexity of model checking for fragments of temporal logics has been examined in the literature: Markey [9] considered satisfiability and model checking for fragments of Linear Temporal Logic (LTL). Under systematic restrictions to the temporal operators, the use of negation, and the interaction of future and past operators, Markey classified the two decision problems into NP-complete, coNP-complete, and PSPACE-complete. Further, [1] examined model checking for all fragments of LTL obtained by restricting the set of temporal and propositional operators. The resulting classification separated cases where model checking is tractable from those where it is intractable.

Concerning CTL and its extension ECTL, our results in this paper show that most restricted versions of the model checking problem exhibit the same hardness as the general problem. More precisely, we show that apart from the trivial case where CTL-operators are completely absent, the complexity of CTL model checking is a dichotomy: it is either P-complete or LOGCFL-complete. Unfortunately, the latter case only occurs for a few rather weak fragments and hence there is not much hope that in practice, model checking can be sped up by using parallelism—it is inherently sequential.

Put as a simple rule, model checking for CTL is P-complete for every fragment that can express a universal and an existential CTL-operator. Only for fragments involving the operators EX and EF (or alternatively AX and AG) is model checking LOGCFL-complete. This is visualized in Fig. 2 in Sect. 5. Recall that LOGCFL is defined as the class of problems logspace-reducible to context-free languages, and $\mathrm{NL} \subseteq \mathrm{LOGCFL} \subseteq \mathrm{NC}^2 \subseteq \mathrm{P}$. Hence, in contrast to inherently sequential P-hard tasks, problems in LOGCFL have very efficient parallel algorithms.

For the extensions CTL+ and ECTL+, the situation is more complex. In general, model checking CTL+ and ECTL+ is $\Delta^p_2$-complete [8]. We show that for $T \subseteq \{A, E, X\}$, both model checking problems remain tractable, while for $T \nsubseteq \{A, E, X\}$, both problems become $\Delta^p_2$-complete. Yet, for negation restricted fragments with only existential or only universal path quantifiers, we observe a complexity decrease to NP- resp. coNP-completeness.

This paper is organized as follows: Section 2 introduces CTL, its model checking problems, and the non-basics of complexity theory we use. Section 3 contains our main results, separated into upper and lower bounds. We also provide a refined analysis of the reductions between different model checking problems with restricted use of negation. The results are then generalized to extensions of CTL in Section 4. Finally, Section 5 concludes with a graphical overview of the results. For brevity, some proofs are omitted and will be included in the full version of this paper.

2. Preliminaries

2.1.

[…] $\bot$, the Boolean connectives $\neg$, $\wedge$, and $\vee$, and the temporal operator symbols A, E, X, F, G, U, and R.

A and E are called path quantifiers, temporal operators aside from A and E are pure temporal operators. The atomic propositions and the constants $\top$ and $\bot$ are atomic formulae. There are two kinds of formulae, state formulae and path formulae. Each atomic formula is a state formula, and each state formula is a path formula. If $\varphi, \psi$ are state formulae and $\chi, \pi$ are path formulae, then $\neg\varphi$, $(\varphi \wedge \psi)$, $(\varphi \vee \psi)$, $A\chi$, $E\chi$ are state formulae, and $\neg\chi$, $(\chi \wedge \pi)$, $(\chi \vee \pi)$, $X\chi$, $F\chi$, $G\chi$, $[\chi U \pi]$, and $[\chi R \pi]$ are path formulae. The set of CTL⋆-formulae (or formulae) consists of all state formulae.

A Kripke structure is a triple $K = (W, R, \eta)$, where $W$ is a finite set of states, $R \subseteq W \times W$ a total relation (i. e., for each $w \in W$, there exists a $w'$ such that $(w, w') \in R$), and $\eta : W \to \mathcal{P}(\Phi)$ is a labelling function. A path $x$ is an infinite sequence $x = (x_1, x_2, \ldots) \in W^\omega$ such that $(x_i, x_{i+1}) \in R$, for all $i \geq 1$. For a path $x = (x_1, x_2, \ldots)$ we denote by $x^i$ the path $(x_i, x_{i+1}, \ldots)$.

Let $K = (W, R, \eta)$ be a Kripke structure, $w \in W$ be a state, and $x = (x_1, x_2, \ldots) \in W^\omega$ be a path. Further, let $\varphi, \psi$ be state formulae and $\chi, \pi$ be path formulae. The truth of a CTL⋆-formula w. r. t. $K$ is inductively defined as:

$$
\begin{array}{lll}
K, w \models \top & & \text{always,} \\
K, w \models \bot & & \text{never,} \\
K, w \models p & \text{iff} & p \in \Phi \text{ and } p \in \eta(w), \\
K, w \models \neg\varphi & \text{iff} & K, w \not\models \varphi, \\
K, w \models (\varphi \wedge \psi) & \text{iff} & K, w \models \varphi \text{ and } K, w \models \psi, \\
K, w \models (\varphi \vee \psi) & \text{iff} & K, w \models \varphi \text{ or } K, w \models \psi, \\
K, w \models A\chi & \text{iff} & K, x \models \chi \text{ for all paths } x = (x_1, x_2, \ldots) \text{ with } x_1 = w, \\
K, x \models \varphi & \text{iff} & K, x_1 \models \varphi, \\
K, x \models \neg\chi & \text{iff} & K, x \not\models \chi, \\
K, x \models (\chi \wedge \pi) & \text{iff} & K, x \models \chi \text{ and } K, x \models \pi, \\
K, x \models (\chi \vee \pi) & \text{iff} & K, x \models \chi \text{ or } K, x \models \pi, \\
K, x \models X\chi & \text{iff} & K, x^2 \models \chi, \\
K, x \models [\chi U \pi] & \text{iff} & \text{there exists } k \in \mathbb{N} \text{ such that } K, x^i \models \chi \text{ for } 1 \leq i < k \text{ and } K, x^k \models \pi.
\end{array}
$$

The semantics of the remaining temporal operators is defined via the equivalences: $E\chi \equiv \neg A \neg\chi$, $F\chi \equiv [\top U \chi]$, $G\chi \equiv \neg F \neg\chi$, and $[\chi R \pi] \equiv \neg[\neg\chi U \neg\pi]$. A state formula $\varphi$ is satisfied by a Kripke structure $K$ if there exists $w \in W$ such that $K, w \models \varphi$. We will also denote this by $K \models \varphi$.

A CTL-formula is a CTL⋆-formula in which each path quantifier is followed by exactly one pure temporal operator and each pure temporal operator is preceded by exactly one
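The polynomial-time upper bound for CTL mentioned in the introduction is usually obtained by labelling each state of the Kripke structure with the subformulae it satisfies, using fixpoint iteration for EU and EG. The following Python block is an added example, not code from the paper; the tuple encoding of formulae, the function name `sat`, and the four-state structure `K_SAMPLE` are assumptions constructed for illustration.

```python
def sat(K, f):
    """Return the set of states w of K = (W, R, eta) with K, w |= f."""
    W, R, eta = K
    def pre(S):                      # states with at least one successor in S
        return {w for (w, v) in R if v in S}
    op = f[0]
    if op == "true":
        return set(W)
    if op == "ap":                   # atomic proposition: p in eta(w)
        return {w for w in W if f[1] in eta[w]}
    if op == "not":
        return set(W) - sat(K, f[1])
    if op == "and":
        return sat(K, f[1]) & sat(K, f[2])
    if op == "or":
        return sat(K, f[1]) | sat(K, f[2])
    if op == "EX":
        return pre(sat(K, f[1]))
    if op == "EU":                   # least fixpoint: grow from the goal states
        a, S = sat(K, f[1]), sat(K, f[2])
        while True:
            new = S | (a & pre(S))
            if new == S:
                return S
            S = new
    if op == "EG":                   # greatest fixpoint: shrink until stable
        S = sat(K, f[1])
        while True:
            new = S & pre(S)
            if new == S:
                return S
            S = new
    # Remaining operators through the equivalences stated in the text.
    if op == "EF":
        return sat(K, ("EU", ("true",), f[1]))
    if op == "AX":
        return sat(K, ("not", ("EX", ("not", f[1]))))
    if op == "AG":
        return sat(K, ("not", ("EF", ("not", f[1]))))
    if op == "AF":
        return sat(K, ("not", ("EG", ("not", f[1]))))
    raise ValueError(f"unknown operator {op!r}")

# Constructed sample structure (not from the paper); R is total as required.
K_SAMPLE = (
    {0, 1, 2, 3},
    {(0, 1), (1, 2), (1, 3), (2, 0), (3, 3)},
    {0: {"idle"}, 1: {"try"}, 2: {"crit"}, 3: {"err"}},
)
CRIT, ERR = ("ap", "crit"), ("ap", "err")
```

On `K_SAMPLE`, `sat(K_SAMPLE, ("EF", CRIT))` is `{0, 1, 2}` while `sat(K_SAMPLE, ("AF", CRIT))` is only `{2}`, because the path from state 1 into the `err` self-loop never reaches `crit`. Each fixpoint loop runs at most |W| rounds, which keeps the whole procedure polynomial in the size of the structure and the formula.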
