Model Checking for Fragments of Halpern and Shoham's Interval Temporal Logic Based on Track Representatives
Model checking allows one to automatically verify a specification of the expected properties of a system against a formal model of its behaviour (generally, a Kripke structure). Point-based temporal logics, such as LTL, CTL, and CTL*, which describe how the system evolves state by state, are commonly used as specification languages. They have proved quite successful in a variety of application domains. However, properties constraining the temporal ordering of temporally extended events, as well as properties involving temporal aggregations, which are inherently interval-based, cannot be properly dealt with by them. Interval temporal logics (ITLs), which take intervals as their primitive temporal entities, turn out to be well suited for the specification and verification of interval properties of computations (we interpret all the tracks of a Kripke structure as computation intervals).
In this paper, we study the model checking problem for some fragments of Halpern and Shoham’s modal logic of time intervals (HS). HS features one modality for each possible ordering relation between pairs of intervals (the so-called Allen’s relations). First, we describe an EXPSPACE model checking algorithm for the HS fragment of Allen’s relations meets, met-by, starts, started-by, and finishes, which exploits the possibility of finding, for each track (of unbounded length), an equivalent bounded-length track representative. While checking a property, it only needs to consider tracks whose length does not exceed the given bound. Then, we prove the model checking problem for such a fragment to be PSPACE-hard. Finally, we identify other well-behaved HS fragments which are expressive enough to capture meaningful interval properties of systems, such as mutual exclusion, state reachability, and non-starvation, and whose computational complexity is less than or equal to that of LTL.
Keywords: Model checking, interval temporal logics, computational complexity
MSC: 03B70, 68Q60
One of the most notable techniques for system verification is model checking, which allows one to verify the desired properties of a system against a model of its behaviour (9). Properties are usually formalized by means of temporal logics, such as LTL and CTL, and systems are represented as labelled state-transition graphs (Kripke structures). Model checking algorithms perform, in a fully automatic way, an (implicit or explicit) exhaustive enumeration of all the states reachable by the system, and either terminate positively, proving that all properties are met, or produce a counterexample, witnessing that some behavior falsifies a property.
The model checking problem has been systematically investigated in the context of classical, point-based temporal logics, like LTL, CTL, and CTL*, which predicate over single computation points/states, while it is still largely unexplored in the interval logic setting.
Interval temporal logics (ITLs) have been proposed as a formalism for temporal representation and reasoning that is more expressive than standard point-based ones (13); (34); (35). They take intervals, instead of points, as their primitive temporal entities. Such a choice gives them the ability to cope with advanced temporal properties, such as actions with duration, accomplishments, and temporal aggregations, which cannot be properly dealt with by standard, point-based temporal logics.
The expressiveness of ITLs makes them well suited for many applications in a variety of computer science fields, including artificial intelligence (reasoning about action and change, qualitative reasoning, planning, configuration and multi-agent systems, and computational linguistics), theoretical computer science (formal verification, synthesis), and databases (temporal and spatio-temporal databases) (2); (10); (18); (30); (8); (27); (26); (19); (11). However, this great expressiveness is a double-edged sword: in most cases the satisfiability problem for ITLs turns out to be undecidable, and, in the few cases of decidable ITLs, the standard proof machinery, like Rabin’s theorem, is usually not applicable.
The most prominent ITL is Halpern and Shoham’s modal logic of time intervals (HS, for short) (13). HS features one modality for each of the 13 possible ordering relations between pairs of intervals (the so-called Allen’s relations (1)), apart from the equality relation. In (13), it has been shown that the satisfiability problem for HS interpreted over all relevant (classes of) linear orders is undecidable. Since then, a lot of work has been done on the satisfiability problem for HS fragments, which has shown that undecidability prevails over them (see (4) for an up-to-date account of undecidable fragments). However, meaningful exceptions exist, including the interval logic of temporal neighbourhood and the interval logic of sub-intervals (5); (6); (7); (25).
In this paper, we focus our attention on the model checking problem for HS, for which, as we said, little work has been done (24); (20); (15); (16); (17) (it is worth pointing out that, in contrast to the case of point-based, linear temporal logics, there is no easy reduction from the model checking problem to validity/satisfiability for ITLs).
In the classical formulation of the model checking problem (9), point-based temporal logics are used to analyze, for each path in a Kripke structure, how proposition letters labelling the states change from one state to the next one along the path. In interval-based model checking, in order to check interval properties of computations, one needs to collect information about states into computation stretches. This amounts to interpreting each finite path of a Kripke structure (a track) as an interval, and to suitably defining its labelling on the basis of the proposition letters that hold on the states composing it.
In (24), Montanari et al. give a first characterization of the model checking problem for full HS, interpreted over finite Kripke structures (under the homogeneity assumption (31), according to which a proposition letter holds on an interval if and only if it holds on all its sub-intervals). In that paper, the authors introduce the basic elements of the general picture, namely, the interpretation of HS formulas over (abstract) interval models, the mapping of finite Kripke structures into (abstract) interval models, the notion of track descriptor, and a small model theorem proving (with a non-elementary procedure) the decidability of the model checking problem for full HS against finite Kripke structures. Many of these notions will be recalled in the following section. In (20), Molinari et al. work out the model checking problem for full HS in all its details, and prove that it is EXPSPACE-hard, if a succinct encoding of formulas is allowed, and PSPACE-hard otherwise.
In (15); (16); (17), Lomuscio and Michaliszyn address the model checking problem for some fragments of HS extended with epistemic modalities. Their semantic assumptions differ from those made in (24), making it difficult to compare the outcomes of the two research directions. In both cases, formulas of interval temporal logic are evaluated over finite paths/tracks obtained from the unravelling of a finite Kripke structure. However, while in (24) a proposition letter holds over an interval (track) if and only if it holds over all its states (homogeneity assumption), in (15); (16) truth of proposition letters on a track/interval depends only on their values at its endpoints.
In (15), the authors focus their attention on the HS fragment of Allen’s relations started-by, finished-by, and contains (since modality is definable in terms of modalities and , is actually as expressive as ), extended with epistemic modalities. They consider a restricted form of model checking, which verifies the given specification against a single (finite) initial computation interval. Their goal is indeed to reason about a given computation of a multi-agent system, rather than about all its admissible computations. They prove that the considered model checking problem is PSPACE-complete; moreover, they show that the same problem restricted to the pure temporal fragment , that is, the one obtained by removing epistemic modalities, is in PTIME. These results do not come as a surprise, as they trade expressiveness for efficiency: modalities and allow one to access only sub-intervals of the initial one, whose number is quadratic in the length (number of states) of the initial interval.
In (16), they show that the picture drastically changes with other fragments of HS, that allow one to access infinitely many tracks/intervals. In particular, they prove that the model checking problem for the HS fragment of Allen’s relations meets, starts, and before (since modality is definable in terms of modality , is actually as expressive as ), extended with epistemic modalities, is decidable with a non-elementary upper bound. Note that, thanks to modalities and , formulas of can possibly refer to infinitely many (future) tracks/intervals.
Finally, in (17), Lomuscio and Michaliszyn show how to use regular expressions in order to specify the way in which tracks/intervals of a Kripke structure get labelled. Such an extension leads to a significant increase in expressiveness, as the labelling of an interval is no longer determined by that of its endpoints but depends on the ordered sequence of states the interval consists of. They also prove that there is no corresponding increase in computational complexity, as the complexity bounds given in (15); (16) still hold with the new semantics: the model checking problem for is still in PSPACE, and it is non-elementarily decidable for .
In this paper, we elaborate on the approach to ITL model checking outlined in (24) and we propose an original solution to the problem for some relevant HS fragments based on the notion of track representative. We first prove that the model checking problem for two large HS fragments, namely, the fragment (resp., ) of Allen’s relations meets, met-by, started-by (resp., finished-by), starts and finishes, is in EXPSPACE. Moreover, we show that it is PSPACE-hard (NEXP-hard, if a succinct encoding of formulas is used). Then, we identify some well-behaved HS fragments, which are still expressive enough to capture meaningful interval properties of state-transition systems, such as mutual exclusion, state reachability, and non-starvation, whose model checking problem exhibits a considerably lower computational complexity, notably, the fragment , whose model checking problem is PSPACE-complete, and the fragment , including formulas of where only universal modalities are allowed and negation can be applied to propositional formulas only, whose model checking problem is coNP-complete.
In Figure 1, we summarize known (white boxes) and new (grey boxes) results about complexity of model checking for HS fragments.
The main technical contributions of the paper can be summarized as follows.
Track descriptors. We start with some background knowledge about HS and Kripke structures, and then we show how the latter can be mapped into interval-based structures, called abstract interval models, over which HS formulas are evaluated. Each track in a Kripke structure is interpreted as an interval, which becomes an (atomic) object of the domain of an abstract interval model. The labelling of an interval is defined on the basis of the states that compose it, according to the homogeneity assumption (31). Then, we introduce track descriptors (24). A track descriptor is a tree-like structure providing information about a possibly infinite set of tracks (the number of admissible track descriptors for a given Kripke structure is finite). Being associated with the same descriptor is indeed a sufficient condition for two tracks to be indistinguishable with respect to satisfiability of formulas, provided that the nesting depth of modality is less than or equal to the depth of the descriptor itself. Finally, we introduce the key notions of descriptor sequence for a track and cluster, and the relation of descriptor element indistinguishability, which allow us to determine when two prefixes of some track are associated with the same descriptor, avoiding the expensive operation of explicitly constructing track descriptors.
A small model theorem. The main result of the paper is a small model theorem, showing that we can restrict the verification of an formula to a finite number of bounded-length track representatives. A track representative is a track that can be analyzed in place of all—possibly infinitely many—tracks associated with its descriptor. We use track representatives to devise an EXPSPACE model checking algorithm for . Descriptor element indistinguishability plays a fundamental role in the proof of the bound on the maximum length of representatives, and it allows us to show the completeness of the algorithm, which considers all the possible representatives. In addition, we prove that the model checking problem for is PSPACE-hard, and NEXP-hard if a succinct encoding of formulas is used (it is worth noticing that the proposed algorithm requires exponential working space in the latter case as well).
Well-behaved HS fragments. We first show that the proposed model checking algorithm can verify formulas with a constant nesting depth of modality by using polynomial working space. This allows us to conclude that the model checking problem for formulas (which lack modality ) is in PSPACE. Then, we prove that the model checking problem for is PSPACE-hard. PSPACE-completeness of (and ) immediately follows. Next, we deal with the fragment . We first provide a coNP model checking algorithm for , and then we show that model checking for the pure propositional fragment is coNP-hard. The two results together allow us to conclude that the model checking problem for both and is coNP-complete. In addition, upper and lower bounds on the complexity of the problem for (the logic of temporal neighbourhood) directly follow: since is a fragment of and is a fragment of , the complexity of model checking for lies between coNP and PSPACE.
Organization of the paper
In Section 2, we provide some background knowledge. Then, in Section 3, we introduce track descriptors (24) and, in Section 4, we formally define the key relation of indistinguishability over descriptor elements. In Section 5, we describe an EXPSPACE model checking algorithm for based on track representatives. We also show how to obtain a PSPACE model checking algorithm for by suitably tailoring the one for . In Section 6, we prove that model checking for is PSPACE-hard; PSPACE-completeness immediately follows. Moreover, we get for free a lower bound to the complexity of the model checking problem for , which turns out to be PSPACE-hard (in the appendix, we show that the problem is NEXP-hard if a succinct encoding of formulas is used). Finally, in Section 7 we provide a coNP model checking algorithm for and then we show that the problem is actually coNP-complete. Conclusions give a short assessment of the work done and describe future research directions.
2.1 The interval temporal logic HS
Interval-based approaches to temporal representation and reasoning have been successfully pursued in computer science and artificial intelligence. An interval algebra to reason about intervals and their relative order was first proposed by Allen (1). Then, a systematic logical study of ITLs was done by Halpern and Shoham, who introduced the logic HS featuring one modality for each Allen interval relation (13), except for equality.
Table 1. Columns: Allen’s relation, HS modality, definition w.r.t. interval structures, example.
Table 1 depicts 6 of the 13 Allen’s relations together with the corresponding HS (existential) modalities. The other 7 are equality and the 6 inverse relations (given a binary relation , the inverse relation is such that if and only if ).
The language of HS features a set of proposition letters , the Boolean connectives and , and a temporal modality for each of the (non-trivial) Allen’s relations, namely, , , , , , , , , , , and . HS formulas are defined by the following grammar:
We will make use of the standard abbreviations of propositional logic, e.g., we will write for , for , and for . Moreover, for all , dual universal modalities and are defined as and , respectively.
We will assume the strict semantics of HS: only intervals consisting of at least two points are allowed. Under that assumption, HS modalities are mutually exclusive and jointly exhaustive, that is, exactly one of them holds between any two intervals. However, the strict semantics can easily be “relaxed” to include point intervals, and all results we are going to prove hold for the non-strict HS semantics as well. All HS modalities can be expressed in terms of , , and , and the inverse modalities , and , as follows:
We denote by the fragment of HS that features modalities only.
HS can be viewed as a multi-modal logic with the 6 primitive modalities , , , , , and . Accordingly, HS semantics can be defined over a multi-modal Kripke structure, called here an abstract interval model, in which (strict) intervals are treated as atomic objects and Allen’s relations as simple binary relations between pairs of them.
Definition 1 (see (20)).
An abstract interval model is a tuple , where is a finite set of proposition letters, is a possibly infinite set of atomic objects (worlds), , , and are three binary relations over , and is a (total) labeling function which assigns a set of proposition letters to each world.
Intuitively, in the interval setting, is a set of intervals, , , and are interpreted as Allen’s interval relations (meets), (started-by), and (finished-by), respectively, and assigns to each interval the set of proposition letters that hold over it.
Given an abstract interval model and an interval , truth of an HS formula over is defined by structural induction on the formula as follows:
if and only if , for any proposition letter ;
if and only if it is not true that (also denoted as );
if and only if and ;
, for , if and only if there exists such that and ;
, for , if and only if there exists such that and .
2.2 Kripke structures and abstract interval models
In this section, we define a mapping from Kripke structures to abstract interval models that makes it possible to specify properties of systems by means of HS formulas.
A finite Kripke structure is a tuple , where is a set of proposition letters, is a finite set of states, is a left-total relation between pairs of states, is a total labelling function, and is the initial state.
For all , is the set of proposition letters which hold at that state, while is the transition relation which constrains the evolution of the system over time.
Figure 2 depicts a Kripke structure, , with two states (the initial state is identified by a double circle). Formally, is defined by the following quintuple:
where and .
A track over a finite Kripke structure is a finite sequence of states , with , such that for all , .
Let be the (infinite) set of all tracks over a finite Kripke structure . For any track , we define:
, for ;
is a subtrack of , for ;
is the set of all proper prefixes of . Note that if ;
is the set of all proper suffixes of . Note that if .
It is worth pointing out that the length of tracks, prefixes, and suffixes is greater than 1, as they will be mapped into strict intervals. If (the initial state of ), is said to be an initial track. In the following, we will denote by the concatenation of the tracks and , assuming that hence ; moreover, by we will denote the track obtained by concatenating copies of .
An abstract interval model (over ) can be naturally associated with a finite Kripke structure by interpreting every track as an interval bounded by its first and last states.
Definition 4 (see (20)).
The abstract interval model induced by a finite Kripke structure is the abstract interval model , where:
where , for all .
In Definition 4, relations , and are interpreted as Allen’s interval relations meets, started-by, and finished-by, respectively. Moreover, according to the definition of , a proposition letter holds over if and only if it holds over all the states of . This conforms to the homogeneity principle, according to which a proposition letter holds over an interval if and only if it holds over all of its subintervals.
Satisfiability of an HS formula over a finite Kripke structure can be given in terms of induced abstract interval models.
Let be a finite Kripke structure, be a track in , and be an HS formula. We say that the pair satisfies , denoted by , if and only if it holds that .
Let be a finite Kripke structure and be an HS formula. We say that models , denoted by , if and only if for all initial tracks , it holds that
The model checking problem for HS over finite Kripke structures is the problem of deciding whether . Since Kripke structures feature an infinite number of tracks, the problem is not trivially decidable.
We end the section by providing some meaningful examples of properties of tracks and/or transition systems that can be expressed in HS.
The formula can be used to select all and only the tracks of length . Given any , with , independently of , it indeed holds that , because has no (strict) prefixes. On the other hand, it holds that if (and only if) . Finally, let be a shorthand for . It holds that if and only if .
Let us consider the finite Kripke structure depicted in Figure 2. The truth of the following statements can be easily checked:
The above statements show that modalities and can be used to distinguish between tracks that start or end at different states. In particular, note that (resp., ) allows one to “move” to any track branching on the right (resp., left) of the considered one, e.g., if , then , , , , , and so on.
Modalities and can be used to distinguish between tracks encompassing a different number of iterations of a given loop. This is the case, for instance, with the following statements:
Finally, HS makes it possible to distinguish between and , which feature the same number of iterations of the same loops, but differ in the order of loop occurrences: but .
In Figure 3, we give an example of a finite Kripke structure that models the behaviour of a scheduler serving three processes which are continuously requesting the use of a common resource. The initial state is : no process is served in that state. In any other state and , with , the -th process is served (this is denoted by the fact that holds in those states). For the sake of readability, edges are marked either by , for , or by , for . However, edge labels do not have a semantic value, i.e., they are neither part of the structure definition, nor proposition letters; they are simply used to ease reference to edges. Process is served in state , then, after “some time”, a transition from to is taken; subsequently, process cannot be served again immediately, as is not directly reachable from (the scheduler cannot serve the same process twice in two successive rounds). A transition , with , from to is then taken and process is served. This structure can be easily generalised to a higher number of processes.
We show how some meaningful properties to check against can be expressed in HS, and, in particular, by means of formulas of the fragment —a subfragment of the fragment , on which we will focus in the following. In all formulas, we force the validity of the considered property over all legal computation sub-intervals by using modality (all computation sub-intervals are suffixes of at least one initial track). Truth of the following statements can be easily checked:
The first formula requires that in any suffix of length at least 6 of an initial track, at least 2 proposition letters are witnessed. satisfies the formula since a process cannot be executed twice consecutively.
The second formula requires that in any suffix of length at least 12 of an initial track, process 3 is executed at least once in some internal states. does not satisfy the formula since the scheduler, being unfair, can avoid executing a process ad libitum.
The third formula requires that in any suffix of length at least 8 of an initial track, , , and are all witnessed. The only way to satisfy this property would be to constrain the scheduler to execute the three processes in a strictly periodic manner, which is not the case.
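The following example, added here and not taken from the paper, makes the track semantics of Section 2.2 concrete: tracks as intervals with the homogeneity labelling, the started-by and finished-by modalities evaluated over proper prefixes and suffixes, the length-selecting formula built from nested ⟨B⟩/[B] (my own encoding, since the paper's symbols did not survive extraction), and the three scheduler properties above. The scheduler structure is my reconstruction of Figure 3 from the text (v0 serves no process, v_i and v̄_i serve process i, with v0 → v_i → v̄_i → v_j for j ≠ i); since K ⊨ φ quantifies over infinitely many initial tracks, the checker enumerates initial tracks up to a length bound, so a positive verdict is bounded while a counterexample is genuine (the paper's track representatives are what remove that bound for its fragment).

```python
"""Bounded HS model checking over the tracks of a finite Kripke structure (illustrative)."""

def initial_tracks(K, max_len):
    """All initial tracks (>= 2 states, <= max_len states), shortest first."""
    out, frontier = [], [(K["init"],)]
    while frontier:
        nxt = []
        for t in frontier:
            for s in K["succ"][t[-1]]:
                out.append(t + (s,))
                if len(t) + 1 < max_len:
                    nxt.append(t + (s,))
        frontier = nxt
    return out

# Formulas are nested tuples: ("true",), ("p", name), ("not", f), ("and", f, g),
# ("or", f, g), ("imp", f, g), ("diaB", f), ("boxB", f), ("diaE", f), ("boxE", f).
def holds(K, track, f):
    """Track satisfaction K, track |= f (strict semantics, homogeneity assumption)."""
    kind = f[0]
    if kind == "true":
        return True
    if kind == "p":                        # homogeneity: p must hold at every state of the track
        return all(f[1] in K["lab"][s] for s in track)
    if kind == "not":
        return not holds(K, track, f[1])
    if kind == "and":
        return holds(K, track, f[1]) and holds(K, track, f[2])
    if kind == "or":
        return holds(K, track, f[1]) or holds(K, track, f[2])
    if kind == "imp":
        return (not holds(K, track, f[1])) or holds(K, track, f[2])
    if kind in ("diaB", "boxB"):           # started-by: proper prefixes with >= 2 states
        subs = [track[:i] for i in range(2, len(track))]
    elif kind in ("diaE", "boxE"):         # finished-by: proper suffixes with >= 2 states
        subs = [track[i:] for i in range(1, len(track) - 1)]
    else:
        raise ValueError("unknown connective: %r" % (kind,))
    quant = any if kind.startswith("dia") else all
    return quant(holds(K, t, f[1]) for t in subs)

def model_check(K, f, max_len):
    """K |= f restricted to initial tracks of at most max_len states.
    Returns (True, None) or (False, counterexample_track)."""
    for t in initial_tracks(K, max_len):
        if not holds(K, t, f):
            return False, t
    return True, None

# ---- formula builders (my own encodings, assumed; not the paper's notation) ----
def nest(mod, k, f):
    for _ in range(k):
        f = (mod, f)
    return f

def at_least(k):    # <B>^(k-2) true : the track has at least k states
    return nest("diaB", k - 2, ("true",))

def exactly(k):     # at_least(k) and [B]^(k-1) false : the track has exactly k states
    return ("and", at_least(k), nest("boxB", k - 1, ("not", ("true",))))

def witnessed(p):   # some sub-track (prefix, suffix, interior, or the track itself) satisfies p
    q = ("p", p)
    return ("or", q, ("or", ("diaB", q), ("or", ("diaE", q), ("diaB", ("diaE", q)))))

def everywhere(f):  # f on the track and on all its proper suffixes ([E] in the paper)
    return ("and", f, ("boxE", f))

# ---- three-process scheduler: my reconstruction of Figure 3 (wi stands for v-bar-i) ----
SCHED = {
    "init": "v0",
    "lab": {"v0": set(), "v1": {"p1"}, "w1": {"p1"}, "v2": {"p2"}, "w2": {"p2"},
            "v3": {"p3"}, "w3": {"p3"}},
    "succ": {"v0": ["v1", "v2", "v3"], "v1": ["w1"], "v2": ["w2"], "v3": ["w3"],
             "w1": ["v2", "v3"], "w2": ["v1", "v3"], "w3": ["v1", "v2"]},
}
PAIRS = [("and", witnessed(a), witnessed(b))
         for a, b in (("p1", "p2"), ("p1", "p3"), ("p2", "p3"))]
# suffixes of length >= 6 witness at least two letters (holds: no process served twice in a row)
PROP1 = everywhere(("imp", at_least(6), ("or", PAIRS[0], ("or", PAIRS[1], PAIRS[2]))))
# suffixes of length >= 12 have p3 on some interior sub-track (fails: the scheduler is unfair)
PROP2 = everywhere(("imp", at_least(12), ("diaB", ("diaE", ("p", "p3")))))
# suffixes of length >= 8 witness all three letters (fails: no strict periodicity)
PROP3 = everywhere(("imp", at_least(8),
                    ("and", witnessed("p1"), ("and", witnessed("p2"), witnessed("p3")))))

if __name__ == "__main__":
    for name, prop in (("prop1", PROP1), ("prop2", PROP2), ("prop3", PROP3)):
        ok, cex = model_check(SCHED, prop, 12)
        print(name, "holds up to 12 states" if ok else "fails on " + " ".join(cex))
```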
3 The notion of -descriptor
For any finite Kripke structure , one can find a corresponding induced abstract interval model , featuring one interval for each track of . As we already pointed out, since has loops (each state must have at least one successor, as the transition relation is left-total), the number of its tracks, and thus the number of intervals of , is infinite.
In (20), Molinari et al. showed that, given a bound on the structural complexity of HS formulas (that is, on the nesting depth of and modalities), it is possible to obtain a finite representation for , which is equivalent to with respect to satisfiability of HS formulas with structural complexity less than or equal to . By making use of such a representation, they prove that the model checking problem for (full) HS is decidable (with a non-elementary upper bound).
In this paper, we first restrict our attention to and provide a model checking algorithm of lower complexity. All the results we are going to prove hold also for the fragment by symmetry. We start with the definition of some basic notions.
Let be an formula. The B-nesting depth of , denoted by , is defined by induction on the complexity of the formula as follows:
, for any proposition letter ;
, for .
Making use of Definition 7, we can introduce the relation(s) of -equivalence over tracks.
Let be a finite Kripke structure, and be two tracks in , and . We say that and are -equivalent if and only if, for every formula with , if and only if .
It can be easily proved that -equivalence propagates downwards.
Let be a finite Kripke structure, and be two tracks in , and . If and are -equivalent, then they are -equivalent, for all .
Let us assume that , with . Consider the formula , whose B-nesting depth is equal to . It holds that either or . In the first case, we have that . Since , from the hypothesis, it immediately follows that , and thus . The other case can be dealt with in a symmetric way. ∎
We are now ready to define the key notion of descriptor for a track of a Kripke structure.
Definition 10 (see (20)).
Let be a finite Kripke structure, , and . The -descriptor for is a labelled tree of depth , where is a finite set of vertices, is a set of edges, and is a node labelling function, inductively defined as follows:
for , the -descriptor for is the tree , where
for , the -descriptor for is the tree , where which satisfies the following conditions:
for each prefix of , there exists such that and the subtree rooted in is the -descriptor for ;
for each vertex such that , there exists a prefix of such that the subtree rooted in is the -descriptor for ;
for all pairs of edges , if the subtree rooted in is isomorphic to the subtree rooted in , then
Condition c of Definition 10 simply states that no two subtrees whose roots are siblings can be isomorphic. A -descriptor for a track consists of its root only, which is denoted by . A label of a node will be referred to as a descriptor element: the notion of descriptor element bears analogies with an abstraction technique for discrete time Duration Calculus proposed by Hansen et al. in (14), which, in turn, is connected to Parikh images (29) (a descriptor element can be seen as a qualitative analogue of these).
Basically, for any , the label of the root of the -descriptor for is the triple . Each prefix of is associated with some subtree whose root is labelled with and is a child of the root of . Such a construction is then iteratively applied to the children of the root until either depth is reached or a track of length 2 is being considered on a node.
Hereafter equality between descriptors is considered up to isomorphism.
As an example, in Figure 4 we show the -descriptor for the track of (Figure 2). It is worth noting that there exist two distinct prefixes of , that is, the tracks and , which have the same -descriptor. Since, according to Definition 10, no tree can occur more than once as a subtree of the same node (in this example, the root), in the -descriptor for , prefixes and are represented by the same tree (the first subtree of the root on the left). This shows that, in general, the root of a descriptor for a track with proper prefixes does not necessarily have children.
-descriptors do not convey, in general, enough information to determine which track they were built from; however, they can be used to determine which formulas are satisfied by the track from which they were built.
In (20), the authors prove that, for a finite Kripke structure , there exists a finite number (non-elementary w.r.t. and ) of possible -descriptors. Moreover, the number of nodes of a descriptor has a non-elementary upper bound as well. Since the number of tracks of is infinite, and for any the set of -descriptors for its tracks is finite, at least one -descriptor must be the -descriptor of infinitely many tracks. Thus, -descriptors naturally induce an equivalence relation of finite index over the set of tracks of a finite Kripke structure (-descriptor equivalence relation).
Let be a finite Kripke structure, , and . We say that and are -descriptor equivalent (denoted as ) if and only if the -descriptors for and coincide.
Let , be a finite Kripke structure and , , , be tracks in such that , , and . Then .
Proposition 13 (Left and right extensions).
Let be a finite Kripke structure, be two tracks in such that , and . If , then , and if , then .
The next theorem proves that, for any pair of tracks , if , then and are -equivalent (see Definition 8).
Theorem 14 (see (20)).
Let be a finite Kripke structure, and be two tracks in , and be a formula of with . If , then .
Since the set of -descriptors for the tracks of a finite Kripke structure is finite, i.e., the equivalence relation has a finite index, there always exists a finite number of -descriptors that “satisfy” an formula with (this can be formally proved by a quotient construction (20)).
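As an added example (my own code, not the paper's), the following builds the k-descriptors of Definition 10 in a canonical form, where a node is its descriptor element (first state, set of states, last state) together with the set of its children, so that isomorphic sibling subtrees collapse and equality of the representation is descriptor equivalence. It reproduces the observation of Figure 4 (a root with fewer children than the track has proper prefixes), checks the descriptor equivalence of Definition 11 at different depths, and counts the distinct 1-descriptors over tracks of growing length to show that the equivalence has finite index. The two-state structure is constructed here (the labelling of Figure 2 was lost and plays no role in descriptors).

```python
"""k-descriptors of tracks (Definition 10) in canonical form; illustrative code."""

def label(track):
    """Descriptor element of a track: (first state, set of states, last state)."""
    return (track[0], frozenset(track), track[-1])

def descriptor(track, k):
    """k-descriptor as (label, frozenset of child descriptors).
    Children form a set, so isomorphic subtrees of one node collapse (condition c)
    and == on this representation is isomorphism of descriptors."""
    if k == 0:
        return (label(track), frozenset())
    prefixes = (track[:i] for i in range(2, len(track)))   # proper prefixes, >= 2 states
    return (label(track), frozenset(descriptor(p, k - 1) for p in prefixes))

def descriptor_equivalent(t1, t2, k):
    """Definition 11: the k-descriptors of the two tracks coincide."""
    return descriptor(t1, k) == descriptor(t2, k)

def all_tracks(succ, max_len):
    """Every track (>= 2 states, <= max_len states) starting at any state."""
    out = []
    def grow(t):
        for s in succ[t[-1]]:
            out.append(t + (s,))
            if len(t) + 1 < max_len:
                grow(t + (s,))
    for s in succ:
        grow((s,))
    return out

def count_descriptors(succ, k, max_len):
    """Number of distinct k-descriptors among tracks of at most max_len states."""
    return len({descriptor(t, k) for t in all_tracks(succ, max_len)})

# Constructed two-state structure with all four transitions (left-total).
SUCC = {"s0": ["s0", "s1"], "s1": ["s0", "s1"]}

if __name__ == "__main__":
    rho = ("s0", "s1", "s0", "s1", "s0")
    d = descriptor(rho, 1)
    # two proper prefixes share a 0-descriptor, so the root has 2 children, not 3
    print(len(rho) - 2, "proper prefixes,", len(d[1]), "children")
    a, b = ("s0", "s1", "s0", "s1"), ("s0", "s1", "s0", "s1", "s0", "s1")
    print("1-equivalent:", descriptor_equivalent(a, b, 1),
          "2-equivalent:", descriptor_equivalent(a, b, 2))
    for n in (4, 6, 10):   # the count stops growing: finitely many 1-descriptors
        print("distinct 1-descriptors up to", n, "states:", count_descriptors(SUCC, 1, n))
```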
4 Clusters and descriptor element indistinguishability
A -descriptor provides a finite encoding for a possibly infinite set of tracks (the tracks associated with that descriptor). Unfortunately, the representation of -descriptors as trees labelled over descriptor elements is highly redundant. For instance, given any pair of subtrees rooted in some children of the root of a descriptor, it is always the case that one of them is a subtree of the other: the two subtrees are associated with two (different) prefixes of a track and one of them is necessarily a prefix of the other. In practice, the size of the tree representation of -descriptors prevents their direct use in model checking algorithms, and makes it difficult to determine the intrinsic complexity of -descriptors.
In this section, we devise a more compact representation of -descriptors. Each class of the -descriptor equivalence relation is a set of -equivalent tracks. For any such class, we select (at least) one track representative whose length is (exponentially) bounded in both the size of