Modular Model Checking? URL: orna

Transcription

1 Modular Model Checking? Orna Kupferman 1?? and Moshe Y. Vardi 2??? 1 EECS Department, UC Berkeley, Berkeley CA , U.S.A. orna@eecs.berkeley.edu URL: orna 2 Rice University, Department of Computer Science, Houston, TX , U.S.A. vardi@cs.rice.edu, URL: vardi Abstract. In modular verication the specication of a module consists of two parts. One part describes the guaranteed behavior of the module. The other part describes the assumed behavior of the system in which the module is interacting. This is called the assume-guarantee paradigm. In this paper we consider assume-guarantee specications in which the guarantee is specied by branching temporal formulas. We distinguish between two approaches. In the rst approach, the assumption is specied by branching temporal formulas. In the second approach, the assumption is specied by linear temporal logic. We consider guarantees in 8CTL and 8CTL?, the universal fragments of CTL and CTL?, and assumptions in LTL, 8CTL, and 8CTL?. We describe a reduction of modular model checking to standard model checking. Using the reduction, we show that modular model checking is PSPACE-complete for 8CTL and is EXPSPACE-complete for 8CTL?. We then show that the case of LTL assumption is a special case of the case of 8CTL? assumption, but that the EXPSPACE-hardness result apply already to assumptions in LTL. 1 Introduction Temporal logics, which are modal logics geared towards the description of the temporal ordering of events, have been adopted as a powerful tool for specifying and verifying concurrent programs [Pnu77, Pnu81]. One of the most signicant developments in this area is the discovery of algorithmic methods for verifying temporal-logic properties of nite-state programs [CES86, LP85, QS81]. This? This paper is based on \On the complexity of modular model checking", by M.Y. Vardi, Proc. 10th IEEE Symp. on Logic in Computer Science (LICS'95), June 1995, pp. 101{111, and \On the complexity of branching modular model checking", by O. Kupferman and M.Y. Vardi, Proc. 6th International Conf. on Concurrency Theory (CONCUR'95), August 1995, Springer-Verlag, Lecture Notes in Computer Science 962, pp. 408{422.?? Supported in part by ONR YIP award N , by NSF CAREER award CCR , by NSF grant CCR , by AFOSR contract F , by ARO MURI grant DAAH , by ARPA grant NAG2-892, and by SRC contract 95-DC ??? Supported in part by NSF grants CCR and CCR , and by a grant from the Intel Corporation.

2 derives its signicance both from the fact that many synchronization and communication protocols can be modeled as nite-state programs, as well as from the great ease of use of fully algorithmic methods. Finite-state programs can be modeled by transition systems where each state has a bounded description, and hence can be characterized by a xed number of boolean atomic propositions. This means that a nite-state program can be viewed as a nite propositional Kripke structure and its properties can be specied using propositional temporal logic. Thus, to verify the correctness of the program with respect to a desired behavior, one only has to check that the program, modeled as a nite Kripke structure, satises (is a model of) the propositional temporal logic formula that species that behavior. Hence the name model checking for the verication methods derived from this viewpoint. Surveys can be found in [CG87, Wol89, CGL93]. We distinguish between two types of temporal logics: linear and branching [Lam80]. In linear temporal logics, each moment in time has a unique possible future, while in branching temporal logics, each moment in time may split into several possible futures. The complexity of model checking for both linear and branching temporal logics is well understood: suppose we are given a program of size n and a temporal logic formula of size m. For a branching temporal logic such as CTL, model-checking algorithms run in time O(nm) [CES86], while, for linear temporal logic such as LTL, model-checking algorithms run in time n2 O(m) [LP85]. Since model checking with respect to a linear temporal logic formula is PSPACE-complete [SC85], the latter bound probably cannot be improved. The dierence in the complexity of linear and branching model checking has been viewed as an argument in favor of the branching paradigm. Model checking suers, however, from the so-called state-explosion problem. In a concurrent setting, the program under consideration is typically the parallel composition of many modules. As a result, the size of the state space of the program is the product of the sizes of the state spaces of the participating modules. This gives rise to state spaces of exceedingly large sizes, which makes even linear-time algorithms impractical. This issue is one of the most important one in the area of computer-aided verication and is the subject of active research (cf. [BCM + 90]). Modular verication is one possible way to address the state-explosion problem, cf. [CLM89, ASSS94]. In modular verication, one uses proof rules of the following form: M 1 j= 1 M 2 j= 2 C( 1 ; 2 ; ) 9 = ; M 1kM 2 j= Here, M j= means that the module M satises the formula, the symbol \k" denotes parallel composition, and C( 1 ; 2 ; ) is some logical condition relating 1, 2, and. Using modular proof rules enables one to apply model checking only to the underlying modules, which have much smaller state spaces. The state-explosion problem is only one motivation for pursuing modular verication. Modular verication is advocated also for other methodological reasons; a robust verication methodology should provide rules for deducing properties

3 of programs from the properties of their constituent modules. Indeed, eorts to develop modular verication frameworks were undertaken in the mid 1980s [Pnu85b]. A key observation, see [Lam83, Jon83, MC81], is that in modular verication the specication should include two parts. One part describes the desired behavior of the module. The other part describes the assumed behavior of the system within which the module is interacting. This is called the assume-guarantee paradigm, as the specication describes what behavior the module is guaranteed to exhibit, assuming that the system behaves in the promised way. For the linear temporal paradigm, an assume-guarantee specication is a pair h'; i, where both ' and are linear temporal logic formulas. The meaning of such a pair is that all the computations of the module are guaranteed to satisfy, assuming that all the computations of the environment satisfy '. As observed in [Pnu85b], in this case the assume-guarantee pair h'; i can be combined to a single linear temporal logic formula '! (see also [JT95]). Thus, model checking a module with respect to assume-guarantee specications in which both the assumed and the guaranteed behaviors are linear temporal logic formulas is essentially the same as model checking the module with respect to linear temporal logic formulas. The situation is dierent for the branching temporal paradigm. Here the guarantee is a branching temporal formula, which describes the computation tree of the module. There are two approaches, however, to the assumptions in assume-guarantee pairs. The rst approach, implicit in [CES86, EL85b, EL87] and made explicit in [Jos87a, Jos87b, Jos89, DDGJ89], is that the assumption in the assume-guarantee pair concerns the interaction of the module with its environment along each computation, and is therefore more naturally expressed in linear temporal logic. Thus, in this approach, an assume-guarantee pair should consist of a linear temporal assumption ' and a branching temporal guarantee. The meaning of such a pair is that holds in the computation tree that consists of all computations of the program that satisfy '. The problem of verifying that a given module M satises such a pair h'; i, which we call the linear-branching modular model-checking problem, is more general than either linear or branching model checking. A second approach was considered in [GL94], where assumptions are taken to apply to the computation tree of the system within which the module is interacting. Accordingly, assumptions in [GL94] are also expressed in branching temporal logic. There, a module M satises an assume-guarantee pair h'; i i whenever M is part of a system satisfying ', the system satises too. We call this branching modular model checking. Furthermore, it is argued there, as well as in [DDGJ89, Jos89, GL91, DGG93], that in the context of modular verication it is advantageous to use only universal branching temporal logic, i.e., branching temporal logic without existential path quantiers. That is, in a universal branching temporal logic one can state properties of all computations of a program, but one cannot state that certain computations exist. Consequently, universal branching temporal logic formulas have the helpful property that once

4 they are satised in a module, they are satised also in a system that contains this module. The focus in [GL94] is on using 8CTL, the universal fragment of CTL, for both the assumption and the guarantee. In this paper, we focus on the branching modular model-checking problem, which we show to be a proper extension of the linear-branching modular modelchecking problem. We consider assumptions and guarantees in both 8CTL and in the more expressive 8CTL?. Our key result is that modular model checking can be reduced to standard model checking. At the same time, we show that there is a signicant penalty in computational complexity. The fundamental technique used here is the maximal-model technique introduced in [GL94]. It is shown there that with every 8CTL formula ' one can associate a maximal model M ' (called the tableau of ' in [GL94]) such that a module M satises ' precisely when M simulates M ' (we dene simulation later on). We use here automata-theoretic techniques for CTL? [VS85, EJ88] to construct maximal models for 8CTL? formulas. While maximal models for 8CTL involve an exponential blow-up, maximal models for 8CTL? involve a doubly exponential blow-up. The maximalmodel technique yield optimal algorithms for modular model checking. We prove that the problem is PSPACE-complete for 8CTL and is EXPSPACE-complete for 8CTL?. We then show that the linear-branching model-checking problem is a special case of the branching modular model-checking problem, but that the EXPSPACE-hardness result apply already to assumptions in linear temporal logic. We also show that the increase in complexity is solely to the assumption part of the specication. This suggests that modular model checking in the branching temporal framework can be practical only for very small assumptions. 2 Preliminaries 2.1 The Temporal Logics LTL, CTL?, and CTL The logic LTL is a linear temporal logic. Formulas of LTL are built from a set AP of atomic proposition using the usual Boolean operators and the temporal operators X (\next time"), U (\until"), and ~ U (\duality of until"). We present here a positive normal form in which negation may be applied only to atomic propositions. Given a set AP, an LTL formula is dened as follows: { true, false, p, or :p, for p 2 AP. { _ ', ^ ', X, U ', or ~ U ', where and ' are LTL formulas. We dene the semantics of LTL with respect to a computation = 0 ; 1 ; : : :, where for every j 0, we have that j is a subset of AP, denoting the set of atomic propositions that hold in the j's position of. We denote the sux j ; j+1 ; : : : of by j. We use j= to indicate that an LTL formula holds in the path. The relation j= is inductively dened as follows: { For all, we have that j= true and 6j= false. { For an atomic proposition p 2 AP, we have j= p i p 2 0 and j= :p i p 62 0.

5 { j= _ ' i j= or j= '. { j= ^ ' i j= and j= '. { j= X i 1 j=. { j= U ' i there exists k 0 such that k j= ' and i j= for all 0 i < k. { j= ~ U ' i for every k 0 for which k 6j= ', there exists 0 i < k such that i j=. We denote the size of a formula ' by j'j and we use the following abbreviations in writing formulas: {! and $, interpreted in the usual way. { F = trueu (\eventually"). { G = :F : (\always"). The logic CTL? is a branching temporal logic. A path quantier, E (\for some path") or A (\for all paths"), can prex an assertion composed of an arbitrary combination of linear time operators. There are two types of formulas in CTL? : state formulas, whose satisfaction is related to a specic state, and path formulas, whose satisfaction is related to a specic path. Formally, let AP be a set of atomic proposition names. A CTL? state formula (again, in a positive normal form) is either: { true, false, p or :p, for p 2 AP. { _ ' or ^ ' where and ' are CTL? state formulas. { E or A, where is a CTL? path formula. A CTL? path formula is either: { A CTL? state formula. { _ ', ^ ', X, U ', or ~ U ', where and ' are CTL? path formulas. The logic CTL? consists of the set of state formulas generated by the above rules. The logic CTL is a restricted subset of CTL?. In CTL, the temporal operators X, U, and ~ U must be immediately preceded by a path quantier. Formally, it is the subset of CTL? obtained by restricting the path formulas to be X, U ', or ~ U ', where and ' are CTL state formulas. The logic 8CTL? is a restricted subset of CTL? that allows only the universal path quantier A. Note that since negation in CTL? can be applied only to atomic propositions, assertions of the form :A, which is equivalent to E:, are not possible. Thus, the logic 8CTL? is not closed under negation. The logic 8CTL is dened similarly, as the restricted subset of CTL that allows the universal path quantier only. The logics 9CTL? and 9CTL are dened analogously, as the existential fragments of CTL? and CTL, respectively. Note that negating a 8CTL? formula results in an 9CTL? formula. For example, :ApU(AXq) is equivalent to E(:p) ~ U(EX:q). Conversely, negating a 9CTL? formula results in an 8CTL? formula. The closure cl( ) of a CTL? formula is the set of all state subformulas of (including but excluding true and false). For example, cl(e(pu(axq))) =

6 fe(pu(axq)); p; AXq; qg. It is easy to see that the size of cl( ) is linear in the size of. We say that a CTL? formula ' is an U-formula if it is of the form A' 1 U ' 2 or E' 1 U ' 2. The subformula ' 2 is then called the eventuality of '. Similarly, ' is a U-formula ~ if it is of the form A'1 U ~ '2 or E' 1 U ~ '2. We denote by AU( ) the set of formulas of the from A' 1 U ' 2 in cl( ). The sets EU( ), A U( ~ ), and E U( ~ ) are dened similarly. We dene the semantics of CTL? (and its sublanguages) with respect to fair Rabin modules (fair modules, for short). A fair module M = hap; W; R; W 0 ; L; i consists of a set AP of atomic propositions, a set W of states, a total transition relation R W W, a set W 0 W of initial states, a labeling function L : W! 2 AP, and a Rabin fairness condition ; that is, denes a subset of W! (our choice of this type of fairness condition is technically motivated, as will be claried in the sequel). For a state w 2 W, we use bd(w) to denote the branching degree of w; that is, the number of dierent R-successors that w has. A computation of a fair module is a sequence of states, = w 0 ; w 1 ; : : : such that for every i 0, we have that hw i ; w i+1 i 2 R. We extend the labeling function L to computations and denote by L() the word L(w 0 ) L(w 1 ). For a computation, let inf() denote the set of states that repeat innitely often in. That is, inf() = fw : for innitely many i 0; we have w i = wg: A computation of M is fair i it satises the fairness condition. Thus, if is hg 1 ; B 1 i; : : : ; hg k ; B k ig, then is fair i there exists 1 i k such that inf() \ G i 6= ; and inf() \ B i = ;. In other words, i visits G i innitely often and visits B i only nitely often. We say that a fair module is nonempty i there exists a fair computation that starts at an initial state. A module is a fair module with no fairness condition. That is, all the computations of a module are considered fair. We denote a module by M = hap; W; R; W 0 ; Li. We use w j= ' to indicate that a state formula ' holds at state w (assuming an agreed fair module M). The relation j= is inductively dened as follows (the relation j= for a path formula is the same as for in LTL). { For all w, we have that w j= true and w 6j= false. { For an atomic proposition p 2 AP, we have w j= p i p 2 L(w) and w j= :p i p 62 L(w). { w j= _ ' i w j= or w j= '. { w j= ^ ' i w j= and w j= '. { w j= E i there exists a fair computation = w 0 ; w 1 ; : : : such that w 0 = w and j=. { w j= A i for all fair computations = w 0 ; w 1 ; : : : such that w 0 = w, we have j=. { j= ' for a computation = w 0 ; w 1 ; : : : and a state formula ' i w 0 j= '. A fair module M satises a formula ', denoted M j= ', i ' holds in all initial states of M. The problem of determining whether a given fair module M satises a formula ' is the fair-model-checking problem. The complexity of fair model checking is very well understood.

7 Theorem 1. (1) [SC85, VW86] The fair-model-checking problem for specication in LTL is PSPACE-complete. Determining whether M j= ' for ' in LTL can be done in time k2 O(l) and space O((log k + l) 2 ), where k is the size of M, and l is the length of '. (2) [CES86, KV95] The fair-model-checking problem for specication in CTL is PTIME-complete. Determining whether M j= ' for ' in CTL can be done in time O(kl) and space O(l log 2 k), where k is the size of M, and l is the length of '. (3) [EL85a, KV95] The fair-model-checking problem for specication in CTL? is PSPACE-complete. Determining whether M j= ' for ' in CTL? can be done in time k2 O(l) and space O(l(log k + l) 2 ), where k is the size of M, and l is the length of '. Since modular model-checking with assumption ' and guarantee in LTL reduce to model checking the formula '! [Pnu85a], it follows that determining whether M guarantees under the assumption ' can be done in time k2 O(l+m) and space O((log k + l + m) 2 ), where k is the size of M, l is the length of ', and m is the length of. 2.2 Simulation Relation and Composition of Modules In the context of modular verication, it is helpful to dene an order relation between fair modules [GL94]. Intuitively, the order captures what it means for a fair module M 0 to have \more behaviors" than a fair module M. Let M = hap; W; R; W 0 ; L; i and M 0 = hap 0 ; W 0 ; R 0 ; W0 0 ; L0 ; 0 i be two fair modules for which AP 0 AP, and let w and w 0 be states in W and W 0, respectively. A relation H W W 0 is a simulation relation from hm; wi to hm 0 ; w 0 i i the following conditions hold: (1) H(w; w 0 ). (2) For all s and s 0, we have that H(s; s 0 ) implies the following: (2.1) L(s) \ AP 0 = L(s 0 ). (2.2) For every fair computation = s 0 ; s 1 ; : : : in M, with s 0 = s, there exists a fair computation 0 = s 0 0 ; s0 1 ; : : : in M 0, with s 0 0 = s 0, such that for all i 0, we have H(s i ; s 0 i). A simulation relation H is a simulation from M to M 0 i for every w 2 W 0 there exists w 0 2 W0 0 such that H(w; w 0 ). If there exists a simulation from M to M 0, we say that M simulates M 0 and we write M M 0. Intuitively, it means that the fair module M 0 has more behaviors than the fair module M. In fact, every possible behavior of M is also a possible behavior of M 0. Note that our simulation is an extension of the classical simulation used by Milner [Mil71], where there are no fairness conditions. We sometimes relate module (with no fairness condition) with. Then, we assume that all computations are fair, and the relation that follows coincides with the one in [Mil71].

8 Theorem 2. [GL94] (1) The simulation relation is a preorder (i.e., a reexive and transitive order). (2) For every M and M 0 such that M M 0, and for every universal branching temporal logic formula ', M 0 j= ' implies M j= '. Let M and M 0 be two modules. The composition of M and M 0, denoted MkM 0, is a module that has exactly these behaviors that are joint to M and M 0. Formally, if M = hap; W; R; W 0 ; Li and M 0 = hap 0 ; W 0 ; R 0 ; W0 0 ; i, then L0 MkM 0 = hap 00 ; W 00 ; R 00 ; W0 00 ; i, where, L00 { AP 00 = AP [ AP 0. { W 00 = fhw; w 0 i : L(w) \ AP 0 = L(w 0 ) \ AP g. { R 00 = fhhw; w 0 i; hs; s 0 ii : hw; si 2 R and hw 0 ; s 0 i 2 R 0 g. { W 00 = 0 (W 0 W 0) \ 0 W 00. { For every hw; w 0 i 2 W 00, we have L 00 (hw; w 0 i) = L(w) [ L 0 (w 0 ). We also dene the composition of a fair module M with a module M 0. Here, MkM 0 is a fair module that has exactly these behaviors that are joint to M and M 0 and are fair in M. Formally, if M = hap; W; R; W 0 ; L; i and M 0 = hap 0 ; W 0 ; R 0 ; W 0 0 ; i, then L0 MkM 0 = hap 00 ; W 00 ; R 00 ; W 00 0 ; L00 ; 00 i, where AP 00 ; W 00 ; R 00 ; W0 00, and L 00 are as in the composition of two modules, and { 00 = fh(g W 0 ) \ W 00 ; ((B W 0 ) \ W 00 i : hg; Bi 2 g. It is easy to see that if M and M 0 have n and n 0 states (that we assume to be disjoint), and M has m pairs in its fairness condition, then MkM 0 has nn 0 states and m pairs. The following properties of compositions are proven in [GL94] for fair Streett modules (modules where the fairness condition is Streett), and we prove them here for modules and fair Rabin modules. Theorem 3. For every module M and fair Rabin modules M 0 following hold. and M 00, the (1) If M 0 M 00 then MkM 0 MkM 00. (2) M 0 M 0 km 0. Proof: The proof is very similar to the proof for Streett modules given in [GL94]. We start with (1). Assume that M 0 M 00. Let H be a simulation from M 0 to M 00. Let W be the states space of M. It is easy to see that the relation H 0 = fhhw; w 0 i; hw; w 00 ii : H(w 0 ; w 00 )g is a simulation from MkM 0 to MkM 00. In order to prove (2), recall that the state space of M 0 km 0 is W 0 W 0, where W 0 is the state space of M 0. Therefore, it is easy to see that the relation H = fhw 0 ; hw 0 ; w 0 iig is a simulation from M 0 to M 0 km 0. ut

9 A fair module M is a maximal model for an 8CTL? formula ' if it allows all behaviors consistent with '. Formally, M is a maximal model of ' if M j= ' and for every fair module M 0 we have that M 0 M if M 0 j= '. Note that by the preceding theorem, if M 0 M, then M 0 j= '. Thus, M ' is a maximal model for ' if for every fair module M, we have that M M ' i M j= '. Theorem4. [GL94] For every 8CTL formula ', there exists a maximal model M ' of size 2 O(j'j). 2.3 Buchi Word Automata Given an alphabet, an innite word over is an innite sequence w = w 1 w 2 w 3 of letters in. A Buchi automaton over innite words is A = h; Q; ; q 0 ; F i, where is the input alphabet, Q is a nite set of states, : Q! 2 Q is a transition function, Q 0 Q is a set of initial states, and F Q is an acceptance condition (a condition that denes a subset of Q! ). Intuitively, (q; ) is the set of states that A can move into when it is in state q and it reads the letter. Since A may have several initial states and since the transition function may specify many possible transitions for each state and letter, A may be nondeterministic. If jq 0 j = 1 and is such that for every q 2 Q and 2, we have that j(q; )j = 1, then A is a deterministic automaton. Given an input innite word w = c 0 c 1 2!, a run of A on w can be viewed as a function r : IN! Q where r(0) 2 Q 0 (i.e., the run starts in one of the initial states) and for every i 0, we have r(i + 1) 2 (r(i); c i ) (i.e., the run obeys the transition function). Each run r induces a set inf (r) of states that r visits innitely often. Formally, inf (r) = fq 2 Q : for innitely many i 0; we have r(i) = qg: As Q is nite, it is guaranteed that Inf (r) 6= ;. The run r accepts w i Inf (r) \ F 6= ;. Note that a nondeterministic automaton can have many runs on w. In contrast, a deterministic automaton has a single run on w. An automaton A accepts an input word w i there exists a run r of A on w such that r accepts w. The language of A, denoted L(A), is the set of innite words that A accepts. Thus, each word automaton denes a subset of!. Computations of a fair module can be viewed as innite words over the alphabet 2 AP. According to this view, each fair module corresponds to a language over the alphabet 2 AP and can be associated with an automaton. A similar connection has been established between LTL formulas and Buchi automata: Theorem 5. [VW94] Given an LTL formula, there is a Buchi automaton A = h2 AP ; Q; ; Q 0 ; F i, with 2 O(j j) states, such that L(A ) is exactly the set of computations satisfying.

10 2.4 Branching Modular Model-Checking for 8CTL In modular verication, one uses assertions of the form h'im h i to specify that whenever M is part of a system satisfying the universal branching temporal logic formula ', the system satises the universal branching temporal logic formula too. Formally, h'imh i holds if MkM 0 j= for all M 0 such that MkM 0 j= '. Here ' is an assumption on the behavior of the system and is the guarantee on the behavior of the fair module. Assume-guarantee assertions are used in modular proof rules of the following form: 9 >= h' 1 im 1 h 1 i htrueim 1 h' 1 i h' 2 im 2 h 2 i htrueim 2 h' 2 >; htrueim 1kM 2 h 1 ^ 2 i i Thus, a key step in modular verication is checking that assume-guarantee assertions hold, which we call the branching modular model-checking problem. It was shown in [GL94] that the maximal-model technique yields a solution to the modular model-checking problem. Theorem 6. [GL94] For all 8CTL formulas ' and, and for every fair module M, we have that h'imh i i MkM ' j=. Thus, modular model checking for 8CTL is reducible to standard model checking for 8CTL. Combining this with Theorems 4 and 1, we get the following complexity results. Theorem 7. (1) Determining whether h'imh i, for ' and in 8CTL, can be done in time km2 O(l) and space O(m(log k + l) 2 ), where k is the size of M, l is the length of ', and m is the length of. (2) Determining whether h'imh i, for ' in 8CTL and in 8CTL?, can be done in time k2 O(l+m) and space O(m(log k + l + m) 2 ), where k is the size of M, l is the length of ', and m is the length of. A comparison of Theorem 7 with Theorem 1 shows that the complexity of branching modular model checking with assumptions in 8CTL is higher than the complexity of CTL model checking, but is comparable to the complexity of LTL model checking. How do LTL and 8CTL compare from the expressiveness point of view? While 8CTL and LTL have incomparable expressive power, in practice one often nds LTL to be more expressive, as the specications that can be expressed in 8CTL but not in LTL rarely arise in practical settings. Since the complexity of CTL model checking is lower than that of LTL model checking (Theorem 1), we are often willing to settle for the lower expressiveness of CTL; that is, we are willing to verify the design with respect to weaker specications, with the hope that design errors will be discovered in the process. For example, a signicant portion of veried properties are safety properties that can be expressed as AG', where ' is a propositional formula.

11 While we might be willing to settle for a weak guarantee, we cannot, however, settle for weak assumptions. In many cases one needs to adopt rather strong assumptions in order to verify even a very weak guarantee. Very often such assumptions are simply not expressible in 8CTL. For example, the assumption AF G', where ' is a propositional formula, cannot be expressed in 8CTL[EH86]. Thus, 8CTL is simply not expressive enough as a specication language for modular model checking. In the next section we will consider using 8CTL? and LTL as specication languages for assumptions in modular model checking. 3 Modular Model-Checking for 8CTL? and LTL 3.1 Maximal Models We now consider assumptions in 8CTL?, and we wish to construct maximal models for such assumptions. Unfortunately, the tableau-based technique that was used in the proof of Theorem 4 does not seem to extend to 8CTL?. Indeed, while the satisability problem for CTL can be solved using tableau-based technique [EH85], the satisability problem for CTL? requires sophisticated automatatheoretic techniques [EJ88]. We now show that these automata-theoretic techniques can be used to construct maximal models for 8CTL? formulas. Theorem8. For every 8CTL? formula ', there exists a maximal model M ' of size 2 2O(j'j). Proof: For a 8CTL? formula ', let sf(') denote the set of state subformulas of '. Given ', let 8(') sf(') denote the set of all the state subformulas of ' of the form A. Let A 8(') be a Buchi!-automaton over = 2 sf(') such that A 8(') accepts an innite word = w 0 ; w 1 ; : : : i there exists a sux w i ; w i+1 ; : : : of and a formula A 2 8(') such that A 2 w i and w i ; w i+1 ; : : : does not satisfy. Technically, A 8(') nondeterministically guesses a location i and a formula A and then follows the Buchi!-automaton of :. Consequently, if w i ; w i+1 ; : : : does not satisfy, the automaton A 8(') would accept. By Theorem 5, such A 8(') of size 2 O(j'j) exists. Note that though is a path formula of a branching temporal logic, we interpret it here over linear sequences. Since these sequences are labeled with all the state subformulas of, this causes no diculty, as we can regard the state subformulas of as atomic propositions and regard as a linear temporal logic formula. We now take A 8(') and co-determinize it. The resulted automaton, called A 8('), is a deterministic Rabin automaton that accepts exactly all the words = w 0 ; w 1 ; : : : for which if a state w i is labeled with some A 2 8('), then is satised in the sux w i ; w i+1 ; : : : of. By [Saf89], the automaton A 8(') is of size 2 2O(j'j). For a set s sf('), we say that s is consistent i the following four conditions hold: 1. For every p 2 AP, if p 2 s, then :p 62 s.

12 2. For every p 2 AP, if :p 2 s, then p 62 s. 3. For every ' 1 ^ ' 2 2 s, we have that ' 1 2 s and ' 2 2 s. 4. For every ' 1 _ ' 2 2 s, we have that ' 1 2 s or ' 2 2 s. Let c(') denote the set of all consistent subsets of sf('). Consider the module M = hap; c('); c(') c('); W 0 ; Li; where the initial set W 0 includes all states w 2 c(') for which ' 2 w (note that if ' is satisable, the set W 0 is not empty), and for every w 2 c('), we have that L(w) = w \ AP. That is, M is more general than any model of ', yet, it is not necessarily a model of '. To make it a maximal model, we take the product of M with A 8(') as follows. Let A 8(') = h; Q; ; q 0 ; i, where = fhg 1 ; B 1 i; : : : ; hg k ; B k ig. Then, M ' = hap; c(') Q; R; W 0 fq 0 g; L 0 ; 0 i, where R, L 0, and 0 are dened as follows. { R = fhhw; qi; hw 0 ; q 0 ii : (q; w) = q 0 g. { For all w 2 c(') and q 2 Q, we have L 0 (hw; qi) = L(w). { 0 = fhc(') G 1 ; c(') B 1 i; : : : ; hc(') G k ; c(') B k ig. We now prove the correctness of our construction. That is, we show that M ' j= ' and that for all fair modules M, we have M j= ' only if M M ' We rst prove that M ' j= '. More precisely, we prove that for every reachable state hw; qi 2 c(') Q, and for every formula 2 w, we have that hw; qi j=. The proof proceeds easily by induction on the structure of. In particular, satisfaction of formulas of the form A follows from the product with A 8('). To see this, consider a state hw; qi and a formula A 2 w. Let hw 1 ; q 1 i; hw 2 ; q 2 i; : : : be a fair computation of M ' that starts in hw; qi; that it, hw 1 ; q 1 i = hw; qi. By the denition of R and 0, the sequence w 1 ; w 2 ; : : : is a sux of a word accepted by A 8('). Hence, for all formulas of the form A 0 2 w, the computation w 1 ; w 2 ; : : : satises 0. Thus, in particular, w 1 ; w 2 ; : : : satises. Consider now a fair module M = hap; W M ; R M ; W 0 M ; L M ; M i and assume that M j= '. We show a simulation H from M to M '. For every state w 2 W M, dene f(w) to be the set in c(') of state formulas that are true in w. The simulation H is the smallest set that satises the following: { For every w 2 W 0 M, we have H(w; hf(w); q 0i). { For every w 1 ; w 2 in W M and hf(w 1 ); q 1 i 2 c(')q such that hw 1 ; w 2 i 2 R M and H(w 1 ; hf(w 1 ); q 1 i), we have H(w 2 ; hf(w 2 ); (q 1 ; f(w 1 ))i). We prove that H is indeed a simulation from M to M '. That is, we prove that for all w 2 WM 0, there exists w0 2 W 0 fq 0 g such that H is a simulation relation from hm; wi to hm ' ; w 0 i. Consider a state w 2 WM 0. Since M j= ', then, by the denition of f(w) and W 0, we have hf(w); q 0 i 2 W 0 fq 0 g, and hence, by the denition of H, we have H(w; hf(w); q 0 i). Now, let w 2 W M and hf(w); qi 2 c(') Q be such that H(w; hf(w); qi). By the denition of H, all the pairs in H are of this form. By the denition of L 0, we have that L 0 (hf(w); qi) = L M (w). So, the rst requirement on pairs in a simulation holds. For the second requirement,

13 assume H(w; hf(w); qi) and let = w 0 ; w 1 ; : : : be a fair computation in M with w 0 = w. Consider the computation 0 = hf(w); qi; hf(w 1 ); q 1 i; : : : where q 1 = (q; f(w)) and for every i 1, we have q i+1 = (q i ; f(w i )). By the denition of H, we have that for all i 1 we have H(w i ; hf(w i ); q i i). So, it remains to show that 0 is fair in M '. Since M j= ' and is fair, then for each state w i and formula A 2 8(') such that A 2 f(w i ), we have that is satised in w i ; w i+1 ; : : :. Thus, q i ; q i+1 ; : : : is an accepting run of A 8(') with q i as an initial state over w i ; w i+1 ; : : :. Therefore, by the denition of 0, the computation 0 is fair. ut We can now obtain an alternative proof of Theorem 4. Theorem9. For every 8CTL formula ', there exists M ' of size 2 O(j'j). Proof: Exactly as for 8CTL?. Here, however, A 8(') is of size O(j'j), and hence A 8(') is of size 2 O(j'j). ut 3.2 The Branching Modular Model-Checking Problem We now show the maximal-model technique enables us to reduce modular model checking to standard model checking. Theorem10. For all 8CTL? formulas ' and, and for every fair module M, we have that h'imh i i MkM ' j=. Proof: Assume rst that h'im h i. Thus, whenever M is part of a system satisfying ', the system satises too. Since M ' j= ' and MkM ' M ', we have, by Theorem 2 (2), that MkM ' satises '. Consequently, MkM ' satises. Assume now that MkM ' j= and let MkM 0 be such that MkM 0 j= '. Then, MkM 0 M ', which implies, by Theorem 3 (1), that MkMkM 0 MkM '. Thus, by Theorem 3 (2), MkM 0 MkM ' and therefore, by Theorem 2 (2), MkM 0 j=. Hence, h'imh i. ut It follows that branching modular model checking can be reduced to fair model checking. In Theorem 11 below we apply the reduction to the logics 8CTL and 8CTL?. We also show that the upper bounds that follow are tight. Theorem 11. (1) The branching modular model-checking problem for 8CTL is PSPACE-complete. (2) The branching modular model-checking problem for 8CTL? is EXPSPACEcomplete. (3) Determining whether h'imh i, for ' and in 8CTL?, can be done in time k2 O(m)+2O(l) in space O(m(m + log k + 2 O(l) ) 2 ), where l is the length of ', k is the size of M, and m is the length of.

14 (4) Determining whether h'imh i, for ' in 8CTL? and in 8CTL, can be done in time km2 2O(l) in space O(m(log k + 2 O(l) ) 2 ), where l is the length of ', k is the size of M, and m is the length of. Proof: We start with the upper bounds. By Theorem 10, the problem of determining whether h'imh i is reducible to model checking of in MkM '. The upper bounds bounds then follow from Theorems 1 and 8. We now turn to the lower bounds. For both bounds, we do a reduction from the implication problem. The implication problem is dened as follows: given two formulas ' and, does ' imply (denoted '! )? Namely, does hold in every fair module in which ' holds? For a set AP of atomic propositions, let M AP be the maximal model over AP. That is, M AP = hap; 2 AP ; 2 AP 2 AP ; 2 AP ; L; fh2 AP ; ;igi; where for all w 2 2 AP we have that L(w) = w. Let ' and be 8CTL? formulas over a set AP of atomic propositions. For every fair module M, the fair modules M and MkM AP simulate each other. Hence, for every 8CTL? formula ' over AP we have that MkM AP j= ' i M j= '. Thus, the implication '! holds i h'im AP h i. The complexity of the reduction depends on the size of M AP. We will show that for both 8CTL and 8CTL?, the size of M AP is xed. To prove the PSPACE lower bound for the implication problem for 8CTL, we prove a PSPACE lower bound for its satisability problem. The result then follows since the formula ' is satisable if and only if ' does not imply Afalse. We prove hardness in PSPACE for 8CTL satisability by a reduction from LTL satisability, proved to be PSPACE-hard in [SC85]. Given an LTL formula, let A be the 8CTL formula obtained from by preceding each temporal operator with the path quantier A. For example, if = F Xp then A = AF AXp. It is easy to see that is satisable i A is satisable. Indeed, a computation that satises can be viewed as a fair module satisfying A. For the second direction, assume that A is satisable in some fair module M. Consider a fair computation of M. We can view as a fair module of branching degree 1. Clearly, simulates M, and thus, it satises A as well. Also, since its branching degree is 1, the computation also satises. Thus, is satisable. The satisability problem for LTL is PSPACE-hard already for formulas with a xed number of atomic propositions. The PSPACE-hardness proof in [SC85] uses temporal formulas with an unbounded number of atomic propositions. Nevertheless, By using a Turing machine M that accepts a PSPACE-complete language, it is possible to bound the number of atomic propositions used to the size of the working alphabet of M. Since it is possible to encode the truth values of m atomic propositions in one state by the truth values of a single atomic proposition along log m states, it follows that satisability of temporal formulas with a single atomic proposition is also PSPACE-hard.It follows that the implication problem for 8CTL is PSPACE-hard already for formulas with a xed number of atomic propositions. Thus, the size of M AP in our reduction is xed. To prove the EXPSPACE lower bound for the implication problem for 8CTL?, we do a reduction from the problem whether an exponential-space deterministic

15 Turing machine T accepts an input word x. That is, given T and x, we construct two 8CTL? formulas ' and such that T accepts x i ' does not imply. In fact we prove a stronger lower bound. Given T and x, we construct an LTL formula and an 9CTL formula such that the length of is polynomial in the size of T and the length of x, the length of is xed, and T accepts an input word x i the formula A ^ is satisable. Thus, taking ' = A and = :, we have that T accepts x i the implication '! does not hold. Thus, the branching modular model-checking problem is EXPSPACE-complete even for an assumption of the form A, where is an LTL formula, a xed fair module, and an 8CTL guarantee. For details see [KV95]. ut Note that the crucial factor in the complexity of the branching modular model checking problem is the assumption part of the specication. Indeed, the lower bounds given in Theorem 11 remains true even is we x the guarantee part of the specication. This suggests that modular model checking in the branching temporal framework can be practical only for very small assumptions. Indeed, in many examples the assumptions do tend to be of a very small size [Jos87b, Jos89, GL94], see also [AL93]. We will come back to this point in Section The Linear-Branching Modular Model-Checking Problem The modular proof rule in the preceding section uses branching assumptions and guarantees. As mentioned in the introduction, there is another approach in which the assumption is a linear temporal formula, while the guarantee is a branching temporal formula. In this approach, the assumption in the assume-guarantee pair concerns the interaction of the module with its environment along each computation, and is therefore more naturally expressed in a linear temporal logic. We denote this kind of assertion by [']Mh i. The meaning of such an assertion is that the branching temporal formula holds in the computation tree that consists of all computations of the program that satisfy the linear temporal formula '. The idea is to use assume-guarantee assertions in modular proof rules of the following form [Jos87a, Jos87b, Jos89]: 9 >= [' 2 ]M 1 h 1 i [true]m 1 hbr(' 1 )i [' 1 ]M 2 h 2 i [true]m 1 hbr(' 2 >; [true]m 1kM 2 h 1 ^ 2 i )i where br(') is a branching version (it is an 8CTL formula) of the LTL formula '; see above references for details. Verifying assertions of the form [']M h i is called the linear-branching modular model-checking problem. In order to dene the linear-branching model checking problem formally, we dene extended modules. An extended module hm; P i is a module M = hap; W; R; W 0 ; Li extended by a language P (2 AP )!. We regard P as a fairness condition: a computation of M is fair i L() 2 P. Unlike the Rabin fairness

16 condition, fairness of a computation with respect to P cannot be determined by the fairness of any of 's suxes. Therefore, in order to dene the semantics of CTL? formulas with respect to extended modules, we rst associate with each module M a tree module M t. Intuitively, M t is obtained by unwinding M to an innite tree. Let M = hap; W; R; W 0 ; Li. A partial path in M is a nite prex, w 0 ; w 1 ; : : : ; w k, of a computation in M, where w 0 2 W 0. We denote the set of partial paths of M by ppath(m). The tree module of M is M t = hap; ppath(m); R t ; fw 0 g; L t i, where for every partial path = w 0 ; : : : ; w k 2 ppath(m), we have { R t (; 0 ) i there exists w k+1 2 W such that 0 = w 0 ; : : : ; w k ; w k+1 and R(w k ; w k+1 ). That is, the partial path 0 extends the partial path by a single transition in M. { L t () = L(w k ). Note that M t is indeed a tree; every state has a unique predecessor. A computation 0 ; 1 ; : : : in M t is an anchored path i 0 is in W 0. The semantics of CTL? with respect to tree modules extended by a fairness condition P (2 AP )! is dened as the usual semantics of CTL?, with path quantication ranging only over anchored paths that are labeled by a word in P. Thus, for example, { j= E if there exists an anchored path = 0 ; : : : ; i ; i+1 ; : : : of M t and i 0 such that L() 2 P, i =, and i j=. { j= A if for all anchored paths = 0 ; : : : ; i ; i+1 ; : : : of M t and i 0 such that L() 2 P and i =, we have i j=. Note that by dening the truth of formulas on the nodes of the computation tree M t, we guarantee that only one path leads to each node. The extended tree module hm t ; P ' i satises a formula i fw 0 g j=. We say that hm; P i j= i hm t ; P i j=. Now, [']Mh i holds i hm; P ' i j=, where P ' is the set of all that computations that satisfy '. 3. We rst show that when the language P is given by a deterministic Rabin automaton, we can translated the extended modules hm; P i to an equivalent fair module. Lemma 12. Let hm; P i be an extended module and let A P be a deterministic Rabin automaton such that L(A P ) = P. We can construct a fair module M 0 such that for every CTL? formula, we have that hm; P i j= i M 0 j=. Moreover, M 0 MkM 0. Proof: Let M = hap; W; R; W 0 ; Li and A P = h2 AP ; Q; ; q 0 ; F i. We dene M 0 = hap; W Q; R 0 ; W 0 fq 0 g; L 0 ; i, where { R 0 (hw; qi; hw 0 ; q 0 i) i R(w; w 0 ) and (q; L(w)) = q 0. 3 We note that the formal denitions of [']M h i in [Jos87a, Jos87b, Jos89] apply only to restricted linear temporal assumptions and involve a complicated syntactic construction.

17 { L 0 (hw; qi) = L(w). { = fhw G; W Bi : hg; Bi 2 F g. We prove that hm t ; P i and M 0 satisfy the same CTL? formulas. For a state = w 0 ; : : : ; w k 2 ppath(m), we denote by last() the state w k 2 W, and denote by () the nite word L(w 0 ) L(w k ) 2 (2 AP ). Also, for a nite word 2 (2 AP ), let (q 0 ; ) be the state that A P reaches after reading. The fact that every state in M t is associated with a single partial path of M enables us to relate the states of M t with the states of M 0. Formally, we claim the following. For every CTL? formula and state in hm t ; P i, we have that j= in hm t ; P i i hlast(); (q 0 ; ())i j= in M 0. In particular, fw 0 g j= in hm t ; P i i hw 0 ; q 0 i j= in M 0. The proof proceeds by induction on the structure of. The interesting case is = A or = E, for a path formula. Let = A. Assume rst that j= in hm t ; P i. Then, for every anchored path = 0 ; : : : ; i ; i+1 ; : : : of M t such that L() 2 P and i =, we have that i j= in hm t ; P i. Consider a fair computation = hw 0 ; q 0 i; : : : ; hw i ; q i i; hw i+1 ; q i+1 i; : : : in M 0 for which hw i ; q i i = hlast(); (q 0 ; ())i. Let = 0 ; : : : ; i ; i w i+1 ; i w i+1 w i+2 ; : : : be the anchored path in M t that corresponds to. Since is fair, L() 2 P. Hence, i ; i w i+1 ; i w i+1 w i+2 ; : : : satises. Then, by the induction hypothesis, hw i ; q i i; hw i+1 ; q i+1 i; : : : satises as well and we are done. The proof for = E is similar. It is left to see that M 0 MkM 0. Recall that the state space of MkM 0 is W W Q. Intuitively, since M 0 is a restriction of M, composing M 0 with M does not restrict it further. Formally, it is easy to see that the relation H = fhhw; qi; hw; w; qii : hw; qi 2 W Qg is a fair simulation from M 0 to MkM. ut To solve the the linear-branching model-checking problem, we show that the branching modular framework is more general than the linear-branching modular framework. Thus, the algorithms discussed in Section 3.2 are applicable also here. Theorem13. For every LTL formula ', fair module M, and a 8CTL? formula, we have that ha'imh i i [']Mh i. Proof: Given ', M, and, assume rst that [']Mh i holds. Let P ' be the set of computations satisfying '. Thus, the extended module hm; P ' i satises. Consider the composition MkM 0 of M with some module M 0. Recall that for M and M 0 with state spaces W and W 0, respectively, the state space W 00 of MkM 0 consists of all the pairs hw; w 0 i for which w and w 0 agree on the labels of the atomic propositions joint to M and M 0. Then, the relation H = fhhw; w 0 i; wi : hw; w 0 i 2 W 00 g is a simulation relation from MkM 0 to M. It is easy to see that H is also a simulation relation from hmkm 0 ; P ' i to hm; P ' i. Hence, hmkm 0 ; P ' i satises

18 as well. Let M 0 be such that MkM 0 j= A'. That is, all the computations in MkM 0 satisfy '. Hence, the identity relation is a simulation relation from MkM 0 to hmkm 0 ; P ' i. Therefore, as hmkm 0 ; P ' i satises, so does MkM 0, and we are done. Assume now that ha'imh i holds. Let M A' be the maximal model of A'. Since M A' j= A' and MkM A' M A', we have that MkM A' j= A' and therefore, by the assumption, MkM A' j=. Let M 0 be the fair module equivalent to hm; P ' i, as dened in Lemma 12. That is, hm; P ' i and M 0 satisfy the same CTL? formulas. Since hm; P ' i j= A', we have that M 0 j= A'. Hence, M 0 M A' and therefore, by Theorem 2 (2), MkM 0 MkM A'. Hence, as MkM A' j=, we have that MkM 0 j=. Since, by Lemma 12, M 0 M 0 km, it follows that M 0 satises as well. Hence, hm; P ' i also satises and we are done. ut It is known that the 8CTL formula AF AGp is not equivalent to any formula of the form A, where is an LTL formula. Thus, the branching modular framework is strictly more expressive than the linear-branching modular framework, with no increase in worst-case computational complexity (we have seen, in the proof of Theorem 11, that the EXPSPACE lower bound holds already for assumptions of the form A for an LTL formula ). 4 Concluding Remarks The results of the paper indicate that modular model-checking for general universal or linear assumptions is rather intractable. Our results provide an a posteriori justication for Josko's restriction on the linear temporal assumption [Jos87a, Jos87b, Jos89]. Essentially, for a restricted linear temporal assumption ', one can get a more economical automata-theoretic construction of the maximal model associated with the CTL? formula A' (exponential rather than doubly exponential). We note that it is argued in [LP85] that an exponential time complexity in the size of the specication might be tolerable in practical applications. There is, however, a fundamental dierence between the impact that the guarantee and the assumption have on the complexity of model checking. Both assumption and guarantee are often given as a conjunction of formulas. That is, we are often trying to verify assume-guarantee assertions of the form h' 1 ^ : : : ^ ' l imh 1 ^ : : : ^ m i: Each conjunct expresses a certain property about a module or its environment. Typically, each conjunct is of a rather small size. While it is possible to decompose the guarantee and reduce the problem to verifying assertions of the form h' 1 ^ : : : ^ ' l imh i, where is of small size, it is not possible in general to decompose the assumption in a similar fashion. Thus, it may seem that in trying to employ modular verication in order to overcome the state-explosion problem, we are merely replacing it with the assumption-explosion problem.

19 This observation provides a justication to the approach taken in [CLM89] to avoid the assume-guarantee paradigm. Instead of describing the interaction of the module by an LTL formula, it is proposed there to model the environment by interface processes. As is shown there, these processes are typically much simpler than the full environment of the module. By composing a module with its interface processes and then verifying properties of the composition, it can be guaranteed that these properties will be preserved at the global level. Acknowledgment: We thank Martin Abadi, Orna Grumberg, and Pierre Wolper for helpful suggestions and discussions. References [AL93] M. Abadi and L. Lamport. Composing specications. ACM Transactions on Programming Languages and Systems, 15(1):73{132, [ASSS94] A. Aziz, T.R. Shiple, V. Singhal, and A.L. Sangiovanni-Vincentelli. Formula-dependent equivalence for compositional CTL model checking. In Proc. 6th Conf. on Computer Aided Verication, volume 818 of Lecture Notes in Computer Science, pages 324{337, Stanford, CA, June Springer-Verlag. [BCM + 90] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Symbolic model checking: states and beyond. In Proc. 5th Symposium on Logic in Computer Science, pages 428{439, Philadelphia, June [CES86] E.M. Clarke, E.A. Emerson, and A.P. Sistla. Automatic verication of nite-state concurrent systems using temporal logic specications. ACM Transactions on Programming Languages and Systems, 8(2):244{263, January [CG87] E.M. Clarke and O. Grumberg. Research on automatic verication of nitestate concurrent systems. In Annual Review of Computer Science, volume 2, pages 269{290, [CGL93] E.M. Clarke, O. Grumberg, and D. Long. Verication tools for nitestate concurrent systems. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Decade of Concurrency { Reections and Perspectives (Proceedings of REX School), volume 803 of Lecture Notes in Computer Science, pages 124{175. Springer-Verlag, [CLM89] E.M. Clarke, D.E. Long, and K.L. McMillan. Compositional model checking. In R. Parikh, editor, Proc. 4th IEEE Symposium on Logic in Computer Science, pages 353{362. IEEE Computer Society Press, [DDGJ89] W. Damm, G. Dohmen, V. Gerstner, and B. Josko. Modular verication of Petri nets: the temporal logic approach. In Stepwise Renement of Distributed Systems: Models, Formalisms, Correctness (Proceedings of REX Workshop), volume 430 of Lecture Notes in Computer Science, pages 180{ 207, Mook, The Netherlands, May/June Springer-Verlag. [DGG93] D. Dams, O. Grumberg, and R. Gerth. Generation of reduced models for checking fragments of CTL. In Proc. 5th Conf. on Computer Aided Verication, volume 697 of Lecture Notes in Computer Science, pages 479{490. Springer-Verlag, June 1993.