Parametric Linear Dynamic Logic
We introduce Parametric Linear Dynamic Logic (PLDL), which extends Linear Dynamic Logic (LDL) by temporal operators equipped with parameters that bound their scope. LDL was proposed as an extension of Linear Temporal Logic (LTL) that is able to express all -regular specifications while still maintaining many of LTL’s desirable properties like an intuitive syntax and a translation into non-deterministic Büchi automata of exponential size. But LDL lacks capabilities to express timing constraints. By adding parameterized operators to LDL, we obtain a logic that is able to express all -regular properties and that subsumes parameterized extensions of LTL like Parametric LTL and PROMPT-LTL.
Our main technical contribution is a translation of PLDL formulas into non-deterministic Büchi word automata of exponential size via alternating automata. This yields a PSPACE model checking algorithm and a realizability algorithm with doubly-exponential running time. Furthermore, we give tight upper and lower bounds on optimal parameter values for both problems. These results show that PLDL model checking and realizability are not harder than LTL model checking and realizability.
Linear temporal logic () is a popular specification language for the verification and synthesis of reactive systems. It provides semantic foundations for industrial logics like PSL [EisnerFismanPSL]. has a number of desirable properties contributing to its ongoing popularity: it does not rely on the use of variables, it has an intuitive syntax and thus gives a way for practitioners to write declarative and concise specifications. Furthermore, it is expressively equivalent to first-order logic over the natural numbers with successor and order [Kamp68] and enjoys an exponential compilation property: one can efficiently construct a language-equivalent non-deterministic Büchi automaton of exponential size in the size of the specification. The exponential compilation property yields a Pspace model checking algorithm and a 2Exptime algorithm for realizability. Both problems are complete for the respective classes.
Model checking of properties described in or its practical descendants is routinely applied in industrial-sized applications, especially for hardware systems [Forspec02, EisnerFismanPSL]. Due to its complexity, the realizability problem has not reached industrial acceptance (yet). First approaches used a determinization procedure for -automata, which is notoriously hard to implement efficiently [AlthoffThomasWallmeier2006]. More recent algorithms for realizability follow a safraless construction [FiliotJinRaskin2011, FinkbeinerSchewe2013], which avoids explicitly constructing the deterministic automaton, and are showing promise on small examples.
Despite the desirable properties, two drawbacks of remain and are tackled by different approaches in the literature: first, is not able to express all -regular properties. For example, the property “ holds on every even step” (but may or may not hold on odd steps) is not expressible in , but easily expressible as an -regular expression. This drawback is a serious one, since the combination of regular properties and linear-time operators is common in hardware verification languages. Several extensions of [LeuckerSanchez07, VardiWolper94, Wolper1983] with regular expressions, finite automata, or grammar operators have been proposed as a remedy.
A second drawback of classic temporal logics like is the inability to natively express timing constraints. The standard semantics are unable to enforce the fulfillment of eventualities within finite time bounds, e.g., it is impossible to require that requests are granted within a fixed, but arbitrary, amount of time. While it is possible to unroll an a-priori fixed bound for an eventuality into , this requires prior knowledge of the system’s granularity and incurs a blow-up when translated to automata, and is thus considered impractical. A more practical way of fixing this drawback has been the purpose of a long line of work in parametric temporal logics, such as parametric [AlurEtessamiLaTorrePeled01], – [KupfermanPitermanVardi09] and parametric metric interval temporal logic [GiampaoloTorreNapoli10]. All of them add parameters to the temporal operators to express time bounds, and either test the existence of a global time bound, like –, or of individual bounds on the parameters, like parametric .
Recently, the first drawback was revisited by De Giacomo and Vardi [GiacomoVardi13, Vardi11] by introducing an extension of called linear dynamic logic (), which is as expressive as -regular languages. The syntax of is inspired by propositional dynamic logic (PDL) [FischerLadner1979], but the semantics follow linear-time logics. In PDL and , programs are expressed by regular expressions with tests, and temporal requirements are specified by two basic modalities: and , stating that should hold at some position where matches, or at all positions where matches, respectively. The operators to specify regular expressions from propositional formulas are as follows: sequential composition (), nondeterministic choice (), repetition (), and test of a temporal formula. On the level of the temporal operators, conjunction and disjunction are allowed. The tests allow to check temporal properties within programs, and are needed to encode into .
As an example, the program “while do ” with property holding after the execution of the loop is expressed in PDL/ as follows: . Intuitively, the loop condition is tested on every loop entry, the loop body is executed/consumed until holds, and then the post-condition has to hold. A request-response property (i.e., every request should eventually be followed by a response) can be formalized as follows: .
Both aforementioned drawbacks of , the inability to express all -regular properties and the missing capability to specify timing constraints, have been tackled individually in a successful way in previous work, but not at the same time. Here, we propose a logic called that combines the expressivity of with the parametricity of P on infinite traces.
In , we are for example able to parameterize the eventuality of the request-response condition, denoted as , which states that every request has to be followed by a response within steps. In the model checking problem, we determine whether there exists a valuation for such that all paths of the system respond to requests within steps. If we take the property as a specification for the realizability problem, and define req as input, resp as output, we compute whether there exists a winning strategy that adheres to a valuation and is able to ensure the delivery of responses to requests in a timely manner.
The main result of this paper is the translation of to alternating Büchi automata. By an extension of the alternating color technique of [KupfermanPitermanVardi09], and by very similar algorithms, we obtain the following results: model checking is Pspace-complete and realizability is 2Exptime-complete. Thus, both problems are no harder than their corresponding variants for . Finally, we give tight exponential and doubly-exponential bounds on satisfying valuations for model checking and realizability.
Our translation might also be of use for on infinite traces, since De Giacomo and Vardi [GiacomoVardi13] only considered on finite traces. Unlike the translation from logic into automata presented there, which is a top-down construction of an alternating automaton, we present a bottom-up approach.
Let be an infinite set of variables and let us fix a finite
where , , and where stands for arbitrary propositional formulas over . We use the abbreviations and for some atomic proposition . The regular expressions have two types of atoms: propositional formulas over the atomic propositions and tests , where is again a formula. Note that the semantics of the propositional atom differ from the semantics of the test : the former consumes an input letter, while tests do not make progress on the word. This is why both types of atoms are allowed.
The set of subformulas of is denoted by . Note that regular expressions are not subformulas, but the formulas appearing in the tests are, e.g., we have . The size of is the sum of and the sum of the lengths of the regular expressions appearing in (counted with multiplicity). We define to be the set of variables parameterizing diamond operators in , to be the set of variables parameterizing box operators in , and set . Usually, we will denote variables in by and variables in by , if is clear from the context. A formula is variable-free, if .
The semantics of are defined inductively with respect to an -word , a position , and a variable valuation via
if and dually for ,
if and ,
if or ,
if there exists s.t. and ,
if for all with we have ,
if there exists s.t. and ,
if for all with we have .
Here, the relation contains all pairs such that matches ( is needed to evaluate tests in , which might have parameterized subformulas) and is defined inductively by
for propositional ,
We write for and say that is a model of with respect to .
The formula expresses that holds true infinitely often.
In general, every formula [AlurEtessamiLaTorrePeled01] (and thus every formula) can be translated into , e.g., is expressible as and as or .
The formula requires that every request (a position where holds) is followed by a response (a position where holds) after an even number of steps.
As usual for parameterized temporal logics, the use of variables has to be restricted: bounding diamond and box operators by the same variable leads to an undecidable satisfiability problem (cp. [AlurEtessamiLaTorrePeled01]).
A formula is well-formed, if .
In the following, we only consider well-formed formulas and drop the qualifier “well-formed”. We consider the following fragments of . Let be a formula: is an formula [GiacomoVardi13], if is variable-free, is a formula, if , and is a formula, if . Every , , and every formula is well-formed by definition. As satisfaction of formulas is independent of variable valuations, we write and instead of and , respectively, if is an formula.
is as expressive as -regular languages, which can be proven by a straightforward translation of ETL [VardiWolper94], which expresses exactly the -regular languages, into .
Theorem 1 ([Vardi11]).
For every -regular language there exists an effectively constructible formula such that .
Note that we define formulas to be in negation normal form. Nevertheless, a negation can be pushed to the atomic propositions using dualities allowing us to define the negation of a formula.
For every formula there exists an efficiently constructible formula s.t.
if and only if ,
If is well-formed, then so is . and vice versa.
We construct by structural induction over using the dualities of the operators:
The latter two claims of Lemma 1 follow from the definition of while the first one can be shown by a straightforward structural induction over . ∎
A simple, but very useful property of is the monotonicity of the parameterized operators: increasing (decreasing) the values of parameters bounding diamond (box) operators preserves satisfaction.
Let be a formula and let and be variable valuations satisfying for every and for every . If , then .
The previous lemma allows us to eliminate parameterized box operators when asking for the existence of a variable valuation satisfying a formula.
For every formula there is an efficiently constructible formula of the same size as such that
for every there is an such that for all : if then , and
for every there is an such that for all : if then .
We construct a single test such that for every and every , which suffices to prove the equivalence of and provided we have , which is sufficient due to monotonicity. We apply the following rewriting rules (in the given order) to :
Replace every subexpression of the form by , until no longer applicable.
Replace every subexpression of the form or by and replace every subexpression of the form or by , where is a propositional formula, until no longer applicable.
Replace every subexpression of the form by and replace every subexpression of the form by , until no longer applicable.
After step 2, contains no iterations and no propositional atoms unless the expression itself is one. In the former case, applying the last two rules yields a regular expression which is a single test, which we denote by . In the latter case, we define .
Each rewriting step preserves the intersection . As is a test, we conclude for every and every . Note that can be efficiently computed from and is of the same size as . Now, replace every subformula of by and denote the formula obtained by , which is a formula that is efficiently constructible and of the same size.
Given an , we define by , if and otherwise. If , then due to monotonicity. By construction of , we also have . On the other hand, if , then as well, where is defined as above. By construction of , we conclude . ∎
2.1 The Alternating Color Technique and LDL
In this subsection, we repeat the alternating color technique, which was introduced by Kupferman et al. to solve the model checking and the realizability problem for –, amongst others. Let be a fresh proposition and define . We think of words in as colorings of words in , i.e., is a coloring of , if we have for every position . Furthermore, is a changepoint, if or if the truth value of differs at positions and . A block is a maximal infix that has exactly one changepoint, which is at the first position of the infix. By maximality, this implies that the first position after a block is a changepoint. Let . We say that is -bounded, if every block has length at most , which implies that has infinitely many changepoints. Dually, is -spaced, if it has infinitely many changepoints and every block has length at least .
The alternating color technique replaces a parameterized diamond operator by an unparameterized one that requires the formula to be satisfied within at most one color change. To this end, we introduce a changepoint-bounded variant of the diamond operator. Since we need the dual operator to allow for negation via dualization, we introduce it here as well. We define
if there exists a s.t. , contains at most one changepoint, and , and
if for all with and where contains at most one changepoint we have .
We denote the logic obtained by disallowing parameterized operators, but allowing changepoint-bounded operators, by . Note that the semantics of formulas are independent of variable valuations. Hence, we drop them from our notation for the satisfaction relations and . Also, Lemma 1 can be extended to by adding the rules and to the proof.
Now, we are ready to introduce the alternating color technique. Given a formula , let be the formula obtained by inductively replacing every subformula by , i.e., we replace the parameterized diamond operator by a changepoint-bounded one. Note that this replacement is also performed in the regular expressions, i.e., is the regular expression obtained by applying the replacement to every test in .
Given a formula let (cf. Example 1), which is an formula and only linearly larger than . On -bounded and -spaced colorings of there is an equivalence between and . The proof is similar to the original one [KupfermanPitermanVardi09].
Lemma 4 (cp. Lemma 2.1 of [KupfermanPitermanVardi09]).
Let be a formula and let .
If , then for every -spaced coloring of , where .
Let . If is a -bounded coloring of with , then , where for every .
3 From LDL to Alternating Büchi Automata
In this section, we show how to translate formulas into alternating Büchi word automata of linear size using an inductive bottom-up approach. These automata allow us to use automata-based constructions to solve the model checking and the realizability problem for via the alternating color technique which links and .
An alternating Büchi automaton consists of a finite set of states, an alphabet , an initial state , a transition function , and a set of accepting states. Here, denotes the set of positive boolean combinations over , which contains in particular the formulas tt (true) and ff (false). A run of on is a directed graph with and implies such that the following two conditions are satisfied: and for all : . Here denotes the set of successors of in projected to . A run is accepting if all infinite paths (projected to ) through visit infinitely often. The language contains all that have an accepting run of .
For every formula , there is an alternating Büchi automaton with linearly many states (in ) such that .
To prove the theorem, we inductively construct automata for every subformula satisfying . The automata for atomic formulas are straightforward and depicted in Figure 1(a) and (b). To improve readability, we allow propositional formulas over as transition labels: the formula stands for all sets with . Furthermore, given automata and , using a standard construction, we can build the automaton by taking the disjoint union of the two automata, adding a new initial state with . Here, is the initial state and is the transition function of . The automaton is defined similarly, the only difference being .
It remains to consider temporal formulas, e.g., . First, we turn the regular expression into an automaton . Recall that tests do not process input letters. Hence, we disregard the tests when defining the transition function, but we label states at which the test has to be executed by this test. We use the Thompson construction [Thompson68] to turn into , i.e., we obtain an -NFA. Then, we show how to combine with the automaton and the automata , where are the test occurring in . The -transitions introduced by the Thompson construction are then removed, since alternating automata do not allow them. During this process, we also ensure that the transition relation takes tests into account by introducing universal transitions that lead from a state marked with into the corresponding automaton .
Formally, an -NFA with markings consists of a finite set of states, an alphabet , an initial state , a transition function , a set of final states (, since we use them to concatenate automata), and a partial marking function , which assigns to some states an formula . We write , if for . An -path from to in is a sequence of states with . The set of all -paths from to is denoted by . Let be the set of markings visited by .
A run of on is a sequence such that for every in the range there is a state reachable from via an -path and with . The run is accepting if there is a reachable via an -path from . This slightly unusual definition (but equivalent to the standard one) simplifies our reasoning below. Also, the definition is oblivious to the marking.
We begin by defining the automaton by induction over the structure of as depicted in Figure 2. Note that the automata we construct have no outgoing edges leaving the unique final state and that we mark some states with tests (denoted by labeling states with the test).
Let and let be a (possibly empty, if ) prefix of . The following two statements are equivalent:
has an accepting run on with -paths for in the range such that for every .
Fix and (with tests ) and let , , and for be the corresponding automata, which we assume to have pairwise disjoint sets of states. Next, we show how to construct , , , and .
We begin with : we define with
So, is the union of the automata for the regular expression, the tests, and for with a modified transition function. The transitions of the automata and are left unchanged and the transition function for states in is obtained by removing -transitions. First consider the upper disjunct: it ranges disjunctively over all non-final states that are reachable via an initial -path and an -transition in the end. To account for the tests visited during the -path (but not the test at ), we add conjunctively transitions that lead into the corresponding automata. The lower disjunct is similar, but ranges over paths that end in a final state. Since we concatenate the automaton with the automaton , all edges leading into final states of are rerouted to the initial state of . The tests along the -path are accounted for as in the first case. Finally, note that does not contain any (Büchi) accepting states, i.e., every accepting run on has to leave after a finite number of transitions. Since this is only possible via transitions that would lead into a final state, this ensures the existence of a position such that .
The definition of is dual, i.e., we have to use automata for for the negated tests and -transitions are removed in a universal manner. Formally, we define where
Note that we add to the (Büchi) accepting states, since a run on might stay in forever, as it has to consider all positions with .
For the changepoint-bounded operators, we have to modify to make it count color changes. Let be the DFA depicted in Figure 1(c). We define the product of and as where , ,
, and . Using this, we define as we defined , but using instead of . Similarly, is defined as , but using instead of .
Proof of Theorem 2.
First, we consider the size of . Boolean operations add one state while a temporal operator with regular expression adds a number of states that is linear in the size of (which is its length), even when we take the intersection with the automaton checking for color changes. Note that we do not need to complement the automata to obtain , instead we rely on Lemma 1. Hence, the size of is linear in the size of . It remains to prove by induction over the structure of . The induction start for atomic formulas and the induction step for disjunction and conjunction are trivial, hence it remains to consider the temporal operators.
Consider . If , then there exists a position such that and . Hence, there is a run of on such that the tests visited during the run are satisfied by the appropriate suffixes of . Thus, applying the induction hypothesis yields accepting runs of the test automata on these suffixes. Furthermore, there is an accepting run of on , again by induction hypothesis. These runs can be “glued” together to build an accepting run of on .
For the other direction, consider an accepting run of on . Let be the last level of that contains a state from . Such a level has to exist since states in are not accepting and they have no incoming edges from states of the automata and , but the initial state of is in . Furthermore, is non-deterministic and complete when restricted to states in . Hence, we can extract an accepting run of from on that satisfies additionally the requirements formulated in Statement 1 of Lemma 5, due to the transitions into the test automata and an application of the induction hypothesis. Hence, we have . Furthermore, from the remainder of (levels greater or equal to ) we can extract an accepting run of on . Hence, by induction hypothesis. Altogether, we conclude .
The case for is dual, while the cases for the changepoint-bounded operators and are analogous, using the fact that only accepts words which have at most one changepoint. ∎
Note that the size of is linear in , but it is not clear that it can be computed in polynomial time in , since the transition functions of subautomata of the form contain disjunctions that range over the set of -paths. Here, it suffices to consider paths that do not contain a state twice, but even this restriction still allows for an exponential number of different paths. Fortunately, we do not need to compute in polynomial time. It suffices to do it in polynomial space, which is sufficient for the applications in the next sections, which is clearly possible.
Furthermore, using standard constructions (e.g., [MiyanoH84, Schewe09]), we can turn the alternating Büchi automaton into a non-deterministic Büchi automaton of exponential size and a deterministic parity automaton
4 Model Checking
In this section, we consider the model checking problem. A (-labeled) transition system consists of a finite set of states, an initial state , a (left-)total edge relation , and a labeling . An initial path through is a sequence of states satisfying for every . Its trace is defined as . We say that satisfies a formula with respect to a variable valuation , if we have for every initial path of . The model checking problem asks, given a transition system and a formula , to determine whether satisfies with respect to some variable valuation .