Counting Temporal Logics
François Laroussinie (1)
Joint work with: Antoine Meyer (2), Eudes Petonnet (1)
FOSSACS’10 & TIME’10
(1) LIAFA / Univ. Paris 7 – CNRS
(2) LIGM, Univ. Paris Est – CNRS
September 2010
Model checking
System
Properties
Formalizing step
?
ϕ
Classical framework
The system is modeled with an automaton, a Kripke structure, a
Petri net,. . .
The specification is stated with a Temporal Logic.
The correctness of the system corresponds to a set of TL formulas
that have to be satisfied by the model.
Classical framework
The system is modeled with an automaton, a Kripke structure, a
Petri net,. . .
The specification is stated with a Temporal Logic.
The correctness of the system corresponds to a set of TL formulas
that have to be satisfied by the model.
Then just press the button !
(and wait. . . )
Classical framework
The system is modeled with an automaton, a Kripke structure, a
Petri net,. . .
The specification is stated with a Temporal Logic.
The correctness of the system corresponds to a set of TL formulas
that have to be satisfied by the model.
Then just press the button !
Choose the right models !
(and wait. . . )
Temporal logics for the specification
Classical Temporal Logics (CTL, LTL,. . . ) are very convenient to
specify reactive systems
• good expressive power,
• natural semantics,
• succinctness,
• efficient (. . . ) decision procedures (and tools !),
• nice extensions (timed TL, probabilistic TL,. . . ).
Temporal logics for the specification
Classical Temporal Logics (CTL, LTL,. . . ) are very convenient to
specify reactive systems
• good expressive power,
• natural semantics,
• succinctness,
• efficient (. . . ) decision procedures (and tools !),
• nice extensions (timed TL, probabilistic TL,. . . ).
examples. . .
Linear-time Temporal Logic
Formulas built from AP, ∧, ¬, U, X, S, X−1 , . . .
• ϕUψ : ϕ holds for every suffix until ψ is satisfied.
def
• Fϕ = ⊤Uϕ:
def
• Gψ = ¬F¬ϕ:
• Xψ :
“eventually ϕ”
“always ϕ”
“The next state satisfies ϕ”
Formulas are interpreted over infinite executions: q0 · q1 · q2 · · ·
S |= Φ ⇔ Φ holds for any run in S.
• G(Pb ⇒ F Alarm)
• (GF P1 ) ⇒ (GF P2 )
Branching-time Temporal Logic
Formulas contain also path quantifiers: E and A.
Formulas are interpreted over states of Kripke structures.
S |= Φ ⇔ Φ holds for qinit .
• E P1 U (AX P2 )
• AG(Pb ⇒ AF Alarm)
• AG(Pb ⇒ EF Alarm)
Counting. . .
Here our aim is to make the specifications of counting properties
easy to write in TL.
Adding counting constraints in formulas
Consider an ATM.
“three mistakes forbid cash retrieval”
Adding counting constraints in formulas
Consider an ATM.
“three mistakes forbid cash retrieval”
¬EF error ∧ EXEF error ∧ EXEF(error ∧ EFmoney)
Adding counting constraints in formulas
Consider an ATM.
“three mistakes forbid cash retrieval”
¬EF error ∧ EXEF error ∧ EXEF(error ∧ EFmoney)
¬EF error ∧ EFs error ∧ EFs (error ∧ EFmoney)
Adding counting constraints in formulas
Consider an ATM.
“three mistakes forbid cash retrieval”
¬EF error ∧ EXEF error ∧ EXEF(error ∧ EFmoney)
¬EF error ∧ EFs error ∧ EFs (error ∧ EFmoney)
“whenever the PIN is locked, at least three erroneous attempts
have been made”
Adding counting constraints in formulas
Consider an ATM.
“three mistakes forbid cash retrieval”
¬EF error ∧ EXEF error ∧ EXEF(error ∧ EFmoney)
¬EF error ∧ EFs error ∧ EFs (error ∧ EFmoney)
“whenever the PIN is locked, at least three erroneous attempts
have been made”
¬E¬errorUlock∧
¬E¬errorU(error ∧ EXE¬errorUlock)∧
¬E¬errorU error ∧ EXE¬errorU(error ∧ . . .
∧EXE¬errorUlock)
With counting constraints
“three mistakes forbid cash retrieval”
¬EF[♯error≥3] money
“whenever the PIN is locked, at least three erroneous attempts
have been made”
¬EF[♯error≤2] lock
Counting in formulas
Other examples :
EF[♯EXPb<2 ∧ ♯ok>10] P,
EF[♯ok−♯bad>10] P,
AG[10·♯ok<300·♯bad] ⊥, . . .
Counting in formulas
Other examples :
EF[♯EXPb<2 ∧ ♯ok>10] P,
EF[♯ok−♯bad>10] P,
AG[10·♯ok<300·♯bad] ⊥, . . .
Objectives:
study the extensions of LTL and LTL with counting constraints of
the form. . .
ℓ
^ _ X
αi · ♯ϕi ∼ k
i =1
with αi ∈ Z. . . and all sensible restrictions. . .
Counting extensions of TL
• LTL with some regular expressions with quantitative
constraints [ET97]
of constants.
exponential algo. in |Φ| and the value
• CTL with constraints (with parameters)
[ET99].
P
Constraints are positive BC of
i
Pi ≤ c with Pi ∈ AP:
• Model-checking E U is shown to be NP-complete;
• A polynomial algorithm is given for a restricted logic.
• A branching-time TL with general counting constraint (using
freeze var.) is undecidable [YMW97].
• LTL and CTL with Presburger constraints [BEH95b, BEH95a]
for some infinite state processes.
• Sugar/PSL [psl03]: extension of LTL.
• (timed extensions. . . )
Outline
1
CCTL
2
Expressivity
3
Model checking
Efficient model-checking
and harder. . .
and even worst !
4
Linear-Time Temporal Logics
5
Conclusion
Outline
1
CCTL
2
Expressivity
3
Model checking
Efficient model-checking
and harder. . .
and even worst !
4
Linear-Time Temporal Logics
5
Conclusion
Kripke structures
CTL formulas are interpreted over the states of a Kripke structure:
AP = a set of atomic propositions.
S = hQ, q0 , →, ℓi
• Q is finite set of states,
• q0 ∈ Q is the initial state,
• →⊆ Q × Q is total accessibility relation, and
• ℓ : Q → 2AP is a labeling of states with atomic propositions.
Kripke structures
CTL formulas are interpreted over the states of a Kripke structure:
AP = a set of atomic propositions.
S = hQ, q0 , →, ℓi
• Q is finite set of states,
• q0 ∈ Q is the initial state,
• →⊆ Q × Q is total accessibility relation, and
• ℓ : Q → 2AP is a labeling of states with atomic propositions.
An execution: ρ : s0 → s1 → s2 → · · ·
def
def
def
ρ(i ) = si , ρi = si → si +1 · · · , ρ|i = s0 → · · · → si
Kripke structures
CTL formulas are interpreted over the states of a Kripke structure:
AP = a set of atomic propositions.
S = hQ, q0 , →, ℓi
• Q is finite set of states,
• q0 ∈ Q is the initial state,
• →⊆ Q × Q is total accessibility relation, and
• ℓ : Q → 2AP is a labeling of states with atomic propositions.
An execution: ρ : s0 → s1 → s2 → · · ·
def
def
def
ρ(i ) = si , ρi = si → si +1 · · · , ρ|i = s0 → · · · → si
no cost, no weight, no time . . . !
CTL with counting constraints
Definition
CCTL ∋ ϕ, ψ ::= P | ϕ ∧ ψ | ¬ϕ | EϕU[C ] ψ | AϕU[C ] ψ
where P ∈ AP and C is a constraint of the form:
ℓ
^ _ X
i =1
with ϕi ∈ CCTL
αi · ♯ϕi ∼ k
Semantics of CTL
S = hQ, q0 , →, ℓi
Semantics
P ∈ ℓ(q)
q |= ϕ and q |= ψ
q 6|= ϕ
∃q → q ′ , s.t. q ′ |= ϕ
∃ρ ∈ Runs(q), s.t.∃k ≥ 0, ρ(k) |= ψ, and
∀0 ≤ i < k, ρ(i ) |= ϕ
q |= AϕUψ iff ∀ρ ∈ Runs(q), ∃k ≥ 0, s.t. ρ(k) |= ψ, and
∀0 ≤ i < k, ρ(i ) |= ϕ
q
q
q
q
q
|= P
|= ϕ ∧ ψ
|= ¬ϕ
|= EXϕ
|= EϕUψ
iff
iff
iff
iff
iff
CTL with counting constraints
Semantics
q |= EϕU[C ] ψ
iff ∃ρ ∈ Runs(q), ∃k ≥ 0, ρ(k) |= ψ, ρ|k−1 |= C ,
and ∀0 ≤ i < k, ρ(i ) |= ϕ
q |= AϕU[C ] ψ iff ∀ρ ∈ Runs(q), ∃k ≥ 0, ρ(k) |= ψ, ρ|k−1 |= C ,
and ∀0 ≤ i < k, ρ(i ) |= ϕ
Semantics of constraints Let π be a finite run.
π |= C is based on the interpretation of ♯ϕ over π:
def
π[♯ϕ]
π[♯ϕ] = |{j | 0 ≤ j ≤ |π| ∧ π(j) |= ϕ}|
Abbreviations. . .
• “It is possible to reach Φ and C ”:
def
EF[C ] Φ = E ⊤ U[C ] Φ
• “Along every path, one can reach Φ and C ”:
def
AF[C ] Φ = A ⊤ U[C ] Φ
Abbreviations. . .
• “It is possible to reach Φ and C ”:
def
EF[C ] Φ = E ⊤ U[C ] Φ
• “Along every path, one can reach Φ and C ”:
def
AF[C ] Φ = A ⊤ U[C ] Φ
• “Always: C implies Φ”:
def
AG[C ] Φ = ¬EF[C ] ¬Φ
• “There is a path along which C implies Φ”:
def
EG[C ] Φ = ¬AF[C ] ¬Φ
Examples of formulas
def
• EX ϕ = EF[♯⊤=1] ϕ
Examples of formulas
def
• EX ϕ = EF[♯⊤=1] ϕ
def
• EϕU[C ] ψ = EF[C ∧♯(¬ϕ)=0] ψ
Examples of formulas
def
• EX ϕ = EF[♯⊤=1] ϕ
def
• EϕU[C ] ψ = EF[C ∧♯(¬ϕ)=0] ψ
• we can reach the alarm state in less than 50 transitions:
EF[♯⊤<50] Alarm
Examples of formulas
def
• EX ϕ = EF[♯⊤=1] ϕ
def
• EϕU[C ] ψ = EF[C ∧♯(¬ϕ)=0] ψ
• we can reach the alarm state in less than 50 transitions:
EF[♯⊤<50] Alarm
• we can reach the alarm state in less than 50 “ticks”:
EF[♯tick<50] Alarm
def
Timed CTL over KSs with tick: EϕU<k ψ = EϕU[♯tick<k] ψ
Examples of formulas
• For an ATM: “it is not possible to get money when three
mistakes are made in the same session”:
AG ¬EF[♯error≥3∧♯reset=0] money
Examples of formulas
• For an ATM: “it is not possible to get money when three
mistakes are made in the same session”:
AG ¬EF[♯error≥3∧♯reset=0] money
• AG ( EF[♯(EXalarm)≤5] init )
“It is always possible to reach init along a path where less
than 5 states have an alarm state as successor.”
Examples of formulas
• The bounded waiting property with bound 10 for a mutual
exclusion algorithm with n processes:
^
requesti ⇒ ¬EF[Pj6=i ♯CSj >10∧♯CSi =0] ⊤
AG
i
Examples of formulas
• The bounded waiting property with bound 10 for a mutual
exclusion algorithm with n processes:
^
requesti ⇒ ¬EF[Pj6=i ♯CSj >10∧♯CSi =0] ⊤
AG
i
• “The number of receive events can not exceed the number of
send events”:
AG[♯send−♯receive<0] ⊥
Examples of formulas
• Quantitative fairness: “the ϕi ’s occur infinitely often along
every run and there is no sub-run where ϕi holds for more
than 10 states and ϕj holds for less than 4 states”:
AG AF[Vi 5≤♯ϕi ≤10] ⊤
Examples of formulas
• Quantitative fairness: “the ϕi ’s occur infinitely often along
every run and there is no sub-run where ϕi holds for more
than 10 states and ϕj holds for less than 4 states”:
AG AF[Vi 5≤♯ϕi ≤10] ⊤
• Ratio: “there is a path leading to P s.t. the ratio of error
states is less than 1 percent.”
Examples of formulas
• Quantitative fairness: “the ϕi ’s occur infinitely often along
every run and there is no sub-run where ϕi holds for more
than 10 states and ϕj holds for less than 4 states”:
AG AF[Vi 5≤♯ϕi ≤10] ⊤
• Ratio: “there is a path leading to P s.t. the ratio of error
states is less than 1 percent.”
Examples of formulas
• Quantitative fairness: “the ϕi ’s occur infinitely often along
every run and there is no sub-run where ϕi holds for more
than 10 states and ϕj holds for less than 4 states”:
AG AF[Vi 5≤♯ϕi ≤10] ⊤
• Ratio: “there is a path leading to P s.t. the ratio of error
states is less than 1 percent.”
EF[100·♯error−♯⊤<0] P
♯P
(Constraints “ ♯P
′ ∼ k” can easily be expressed.)
Outline
1
CCTL
2
Expressivity
3
Model checking
Efficient model-checking
and harder. . .
and even worst !
4
Linear-Time Temporal Logics
5
Conclusion
Expressiveness
Constraints:
^_
Σli =1 αi · ♯ϕi ∼ k
Proposition
CCTL with positive coefficients can be translated into CTL.
Idea: count manually occurrences of events using nested U
modalities. . . and consider all possible shuffles of such occurrences.
Expressiveness
Constraints:
^_
Σli =1 αi · ♯ϕi ∼ k
Proposition
CCTL with positive coefficients can be translated into CTL.
Idea: count manually occurrences of events using nested U
modalities. . . and consider all possible shuffles of such occurrences.
Proposition
The formula ϕ = AG[♯A−♯B<0] ⊥ cannot be translated into CTL.
Idea: the set of models of any CTL formula can be recognized by a
Büchi alternating tree automaton. For ϕ, we need a counter for
any path.
Diagonal constraints increase the expressive power of CTL.
Succinctness
^_
CCTL formulas with constraints
Σli =1 αi · ♯ϕi ∼ k with
positive coefficients can be translated into CTL, but in these
constraints, there are three potential sources of concision:
• the binary encoding of constants,
• the Boolean combinations in the constraints,
• and the sums.
Succinctness
^_
CCTL formulas with constraints
Σli =1 αi · ♯ϕi ∼ k with
positive coefficients can be translated into CTL, but in these
constraints, there are three potential sources of concision:
• the binary encoding of constants,
• the Boolean combinations in the constraints,
• and the sums.
Only the two first yield an exponential improvement in
succinctness.
Succinctness – binary encoding of the constants
The natural translation of EF[♯A=k] B into CTL yields an
exponential formula.
(it uses k nested modalities. . . )
Succinctness – binary encoding of the constants
The natural translation of EF[♯A=k] B into CTL yields an
exponential formula.
(it uses k nested modalities. . . )
Proposition CCTL with constraints ♯ϕ ∼ k can be exponentially
more succinct than CTL.
Idea: TCTL formulas EF<k A and EF>k A do not admit any
equivalent CTL formula of temporal height less than k [LST03].
Succinctness – Boolean combinations
V
Proposition CCTL with constraints (♯ϕi ∼ ki ) and unary
encoding of integers can be exponentially more succinct than CTL.
Succinctness – Boolean combinations
V
Proposition CCTL with constraints (♯ϕi ∼ ki ) and unary
encoding of integers can be exponentially more succinct than CTL.
Idea: any CTL formula equivalent to ψ:
ψ = E(F P0 ∧ . . . ∧ F Pn )
must be of length exponential in n [Wil99, AI03].
ψ ≡ EF[Vi ♯Pi ≥1] ⊤
(no need of binary encoding of constants)
Succinctness – Sums
Proposition
For every formula Φ ∈ CCTL with constraints of the
P
♯ϕi ∼ k and with unary encoding of integers, there exists
form
an equivalent CTL formula of DAG-size polynomial in |Φ|.
Succinctness – Sums
Proposition
For every formula Φ ∈ CCTL with constraints of the
P
♯ϕi ∼ k and with unary encoding of integers, there exists
form
an equivalent CTL formula of DAG-size polynomial in |Φ|.
Example: Φ = EFΣi ♯Pi =K A is equivalent to ΨK with:
Succinctness – Sums
Proposition
For every formula Φ ∈ CCTL with constraints of the
P
♯ϕi ∼ k and with unary encoding of integers, there exists
form
an equivalent CTL formula of DAG-size polynomial in |Φ|.
Example: Φ = EFΣi ♯Pi =K A is equivalent to ΨK with:
Ψk
Ψ0
^ _
Pi ∧ βk,1,⊥
P̄i U
= E
i
i
^
def
P̄i U A
= E
def
(k > 0)
i
def
Ψ−1 = ⊥
def
βk,i ,ǫ = (Pi ∧ βk−1,i +1,⊤ ) ∨ (P̄i ∧ βk,i +1,ǫ )
def
βk,n,⊤ = (Pn ∧ EX Ψk−1 ) ∨ (P¯n ∧ EX Ψk )
def
βk,n,⊤ = Pn ∧ EX Ψk−1
(i < n)
Comparison with Past
Counting constraints deal with past events !
We could use past-time modalities:
−1
−1
AG money ⇒ ¬ F−1
(error
∧
F
(error
∧
F
error))
s
s
s
Comparison with Past
Counting constraints deal with past events !
We could use past-time modalities:
−1
−1
AG money ⇒ ¬ F−1
(error
∧
F
(error
∧
F
error))
s
s
s
+ Past-time modalities allow us to express properties over the
ordering of the events.
+ They (often) increase the expressive power (compared to
CTL).
+ Boolean combinations are directly handled. . .
− Counting constraints are still more succinct.
− Complexity (model-checking CTL + F−1 is PSPACE-Complete)
Outline
1
CCTL
2
Expressivity
3
Model checking
Efficient model-checking
and harder. . .
and even worst !
4
Linear-Time Temporal Logics
5
Conclusion
Model checking algorithms
The complexity of the model checking problem depends on the
type of the constraints.
Complexity ranges from P-complete to. . . undecidability.
Constraints
Given l , k ∈ N, k ′ ∈ Z and ∼∈ {<, ≤, =, ≥, >}, we define:
C0 : ♯ϕ ∼ k
C1 :
αC1 :
l
X
♯ϕi
∼k
i =1
l
X
αi · ♯ϕi
l
X
± · ♯ϕi
∼ k′
βi · ♯ϕi
∼ k′
i =1
∼k
αi ∈ N
C2 : (♯ϕ − ♯ψ) ∼ k ′
C3 :
i =1
αC3 :
l
X
i =1
βi ∈ Z
And B(C) is the set of Boolean combinations of constr. in C.
Conclusion
P-complete
♯ϕ ∼ k
∆P2 -complete
^
♯ϕ ∼ k
^
(♯ϕ − ♯ψ) ∼ k
^
(Σ♯ϕ) ∼ k
EXPTIME ∋
∆P2 -hard
^
^
(Σ ± α · ♯ϕ) ∼ k
(♯ϕ − ♯ψ) ∼ k
(Σα · ♯ϕ) ∼ k
(Σ ± ·♯ϕ) ∼ k
(Σα · ♯ϕ) ∼ k
undec.
(Σ ± ·♯ϕ) ∼ k
(Σα · ♯ϕ) ∼ k
^
(Σ ± α · ♯ϕ) ∼ k
Outline
1
CCTL
2
Expressivity
3
Model checking
Efficient model-checking
and harder. . .
and even worst !
4
Linear-Time Temporal Logics
5
Conclusion
Model checking CCTLC1 : (Σ♯ϕi ) ∼ k
Theorem Model-checking CCTLC1 is P-complete.
Reduction to a model-checking problem for TCTL formula over
Kripke structures with O/1 durations.
Model checking CCTLC1 : (Σ♯ϕi ) ∼ k
Theorem Model-checking CCTLC1 is P-complete.
Reduction to a model-checking problem for TCTL formula over
Kripke structures with O/1 durations.
Example: S = (Q, R, ℓ), and Φ = EϕU[♯P1 +♯P2 ∼k] ψ
|= P1
|= P1 ∧ P2
Model checking CCTLC1 : (Σ♯ϕi ) ∼ k
Theorem Model-checking CCTLC1 is P-complete.
Reduction to a model-checking problem for TCTL formula over
Kripke structures with O/1 durations.
Example: S = (Q, R, ℓ), and Φ = EϕU[♯P1 +♯P2 ∼k] ψ
|= P1
|= P1 ∧ P2
•
•
1
• 1
•
• 1
•
•
•
•
Φ′
= E(¬• ⇒ ϕ)U∼k (¬ • ∧ψ) ∈ TCTL
1
1•
•
Model-checking CCTLC3
For CCTLC3 (i.e. with constraint of the form ”(Σli =1 ± ·♯ϕi ) ∼ k ′ ”),
the previous encoding gives a DKS with durations in {−1, 0, 1}:
Model-checking CCTLC3
For CCTLC3 (i.e. with constraint of the form ”(Σli =1 ± ·♯ϕi ) ∼ k ′ ”),
the previous encoding gives a DKS with durations in {−1, 0, 1}:
S = (Q, R, ℓ), and Φ = EϕU[♯P1 −♯P2 ∼k] ψ
|= P1
|= P2
Model-checking CCTLC3
For CCTLC3 (i.e. with constraint of the form ”(Σli =1 ± ·♯ϕi ) ∼ k ′ ”),
the previous encoding gives a DKS with durations in {−1, 0, 1}:
S = (Q, R, ℓ), and Φ = EϕU[♯P1 −♯P2 ∼k] ψ
|= P1
|= P2
•
•
−1
•
• 1
•
•
•
•
−1
•
Reduction to a model-checking problem for TCTL over DKS−1/0/1 .
Model-checking TCTL over DKS−1/0/1
Theorem
Model-checking TCTL over DKS−1/0/1 is P-complete.
Model-checking TCTL over DKS−1/0/1
Theorem
Model-checking TCTL over DKS−1/0/1 is P-complete.
def
• Φ = EϕU≤k ψ : shortest paths + reachability of negative cycles.
Model-checking TCTL over DKS−1/0/1
Theorem
Model-checking TCTL over DKS−1/0/1 is P-complete.
def
• Φ = EϕU≤k ψ : shortest paths + reachability of negative cycles.
def
• Φ = EϕU=k ψ :
def
k
Compute Rk = {(q, q ′ ) ∈ S 2 | ∃q −→ q ′ } as follows:
• Rk = R⌊k/2⌋ · R⌊k/2⌋ · Rk%2
def
1
• R1 = R0 · −→ ·R0
• R0 is the least solution of:
0
1
−1
−1
1
X = (−→)∗ ∪ X · (−→ ·X · −→ ∪ −→ ·X · −→) · X
Add constraints for ϕ. . .
Rk′
⇒ q |= Φ iff (q, q ′ ) ∈ Rk′ for some q ′ satisfying ψ ′ .
Model-checking TCTL over DKS−1/0/1
Theorem
Model-checking TCTL over DKS−1/0/1 is P-complete.
def
• Φ = EϕU≤k ψ : shortest paths + reachability of negative cycles.
def
• Φ = EϕU=k ψ :
def
k
Compute Rk = {(q, q ′ ) ∈ S 2 | ∃q −→ q ′ } as follows:
• Rk = R⌊k/2⌋ · R⌊k/2⌋ · Rk%2
def
1
• R1 = R0 · −→ ·R0
• R0 is the least solution of:
0
1
−1
−1
1
X = (−→)∗ ∪ X · (−→ ·X · −→ ∪ −→ ·X · −→) · X
Add constraints for ϕ. . .
Rk′
⇒ q |= Φ iff (q, q ′ ) ∈ Rk′ for some q ′ satisfying ψ ′ .
def
• Φ = AϕU∼k ψ : . . .
Model-checking CCTLC3 : (Σ ± ·♯ϕi ) ∼ k
Corollary Model-checking CCTLC3 is P-complete.
Outline
1
CCTL
2
Expressivity
3
Model checking
Efficient model-checking
and harder. . .
and even worst !
4
Linear-Time Temporal Logics
5
Conclusion
Model-checking CCTLB(C0) :
VW
Theorem
Model-checking CCTLB(C0 ) is ∆P2 -hard.
♯ϕ ∼ k
Model-checking CCTLB(C0) :
VW
♯ϕ ∼ k
Theorem
Model-checking CCTLB(C0 ) is ∆P2 -hard.
Reduction from SNSAT:
def
z = ∃X1 .ϕ1 (X1 )
1 def
z = ∃X2 .ϕ2 (z1 , X2 )
2
...
def
zn = ∃Xn .ϕn (z1 , . . . , zn−1 , Xn )
Question: zn = ⊤ ?
Model-checking CCTLαC1 : (Σli=1αi · ♯ϕi ) ∼ k, αi ∈ N
Theorem
Model-checking CCTLαC1 is ∆P2 -hard.
Model-checking CCTLαC1 : (Σli=1αi · ♯ϕi ) ∼ k, αi ∈ N
Theorem
Model-checking CCTLαC1 is ∆P2 -hard.
Reduction from the MC pb for TCTL over KSs with durations.
Let S = (Q, RS , ℓ) be a DKS.
k
“q −→ q ′ in S” is replaced by “q(ok) → qaux (Pk ) → q ′ (ok)”
def
e
The TCTL formula Φ = EϕU∼m ψ is replaced by Φ:
def
with C =
P
d∈W
e
e U[C ] (ok ∧ ψ)
E(ok ⇒ ϕ)
d · ♯Pd ∼ m.
Model-checking CCTLB(αC1) :
αi ∈ N
WV l
(Σi=1αi · ♯ϕi ) ∼ k,
Theorem
Model-checking CCTLB(αC1 ) is in ∆P2 .
Model-checking CCTLB(αC1) :
αi ∈ N
WV l
(Σi=1αi · ♯ϕi ) ∼ k,
Theorem
Model-checking CCTLB(αC1 ) is in ∆P2 .
Based on the Parikh image of the runs satisfying EF[C ] ψ.
• we can assume that |ρ| is in O(|Q| · 2|C | );
• check in polynomial time that a guessed Parikh image
corresponds to some path;
• verify that it verifies the formula.
And for EG[C ] ψ, we look for an infinite run but (Σαi · ♯ϕi ) ∼ k
may change its truth value at most twice along the run. . .
Outline
1
CCTL
2
Expressivity
3
Model checking
Efficient model-checking
and harder. . .
and even worst !
4
Linear-Time Temporal Logics
5
Conclusion
Model-checking CCTLB(C2) :
VW
(♯ϕ − ♯ψ) ∼ k
Theorem
The model-checking problem for CCTLB(C2 ) is undecidable.
Model-checking CCTLB(C2) :
VW
(♯ϕ − ♯ψ) ∼ k
Theorem
The model-checking problem for CCTLB(C2 ) is undecidable.
Reduction from the halting problem of a two-counter machine M.
Two counters: C and D, and 5 kinds of instructions:
• i : C++, goto j
• i : D++, goto j
• i : if C=0 then goto j else C--, goto k
• i : if D=0 then goto j else D--, goto k
• i : halt
Model-checking CCTLB(C2) :
VW
(♯ϕ − ♯ψ) ∼ k
From M, we build the following Kripke structure:
i : X++, goto j i : if X=0 then goto j else X--, goto k
i
X+
i
X−
koX
okX
j
j
k
X ∈ {C, D}
Model-checking CCTLB(C2) :
VW
(♯ϕ − ♯ψ) ∼ k
From M, we build the following Kripke structure:
i : X++, goto j i : if X=0 then goto j else X--, goto k
i
X+
i
X−
koX
okX
j
j
k
X ∈ {C, D}
M does not halt if and only if q1 |=SM EG[C ] ⊥ with:
def
C = (♯halt ≥ 1) ∨ Cbad
def
Cbad =
_ (♯X + −♯X − < 0) ∨ (♯X + −♯X − > 0∧♯koX −♯okX > 0)
X ∈{C,D}
Conclusion
P-complete
♯ϕ ∼ k
∆P2 -complete
^
♯ϕ ∼ k
^
(♯ϕ − ♯ψ) ∼ k
^
(Σ♯ϕ) ∼ k
EXPTIME ∋
∆P2 -hard
^
^
(Σ ± α · ♯ϕ) ∼ k
(♯ϕ − ♯ψ) ∼ k
(Σα · ♯ϕ) ∼ k
(Σ ± ·♯ϕ) ∼ k
(Σα · ♯ϕ) ∼ k
undec.
(Σ ± ·♯ϕ) ∼ k
(Σα · ♯ϕ) ∼ k
^
(Σ ± α · ♯ϕ) ∼ k
Outline
1
CCTL
2
Expressivity
3
Model checking
Efficient model-checking
and harder. . .
and even worst !
4
Linear-Time Temporal Logics
5
Conclusion
LTL + counting constraints
Syntax
LTL ∋ ϕ, ψ ::= P | ϕ ∧ ψ | ¬ϕ | ϕUψ | Xϕ
where P ∈ AP.
LTL + counting constraints
Syntax
LTL ∋ ϕ, ψ ::= P | ϕ ∧ ψ | ¬ϕ | ϕUψ | Xϕ
where P ∈ AP.
Semantics ρ : q1 → q2 → · · ·
ρ |= P
ρ |= ϕ ∧ ψ
ρ |= ¬ϕ
ρ |= Xϕ
ρ |= ϕUψ
iff
iff
iff
iff
iff
P ∈ ℓ(q1 )
ρ |= ϕ and ρ |= ψ
ρ 6|= ϕ
ρ1 |= ϕ
∃k ≥ 0, ρk |= ψ, and ∀0 ≤ i < k, ρi |= ϕ
LTL + counting constraints
Syntax
LTL ∋ ϕ, ψ ::= P | ϕ ∧ ψ | ¬ϕ | ϕU[C ] ψ | Xϕ
where P ∈ AP.
Semantics ρ : q1 → q2 → · · ·
ρ |= P
ρ |= ϕ ∧ ψ
ρ |= ¬ϕ
ρ |= Xϕ
ρ |= ϕUψ
ρ |= ϕU[C ] ψ
iff
iff
iff
iff
iff
iff
P ∈ ℓ(q1 )
ρ |= ϕ and ρ |= ψ
ρ 6|= ϕ
ρ1 |= ϕ
∃k ≥ 0, ρk |= ψ, and ∀0 ≤ i < k, ρi |= ϕ
∃k ≥ 0, ρk |= ψ, ρ, k −1 |= C
and ∀0 ≤ i < k, ρi |= ϕ
LTL + counting constraints
Syntax
LTL ∋ ϕ, ψ ::= P | ϕ ∧ ψ | ¬ϕ | ϕU[C ] ψ | Xϕ
where P ∈ AP.
Semantics ρ : q1 → q2 → · · ·
ρ |= P
ρ |= ϕ ∧ ψ
ρ |= ¬ϕ
ρ |= Xϕ
ρ |= ϕUψ
iff
iff
iff
iff
iff
iff
P ∈ ℓ(q1 )
ρ |= ϕ and ρ |= ψ
ρ 6|= ϕ
ρ1 |= ϕ
∃k ≥ 0, ρk |= ψ, and ∀0 ≤ i < k, ρi |= ϕ
Overview of the results for LTL
undecidable
VW LTL +
Σαi · ♯ϕi ∼ k
LTL + . . .
with αi ∈ N
VLTL + . . .
Σαi ♯ϕi ≺ k
V
Σαi ♯ϕi ≻ k
LTL
expressivity
EXPSPACE-C
PSPACE-C
Linear-time case
def
CLTL = LTL+ constraints with “positive” coefficients.
Use standard techniques:
• alternating Büchi automata to recognize the models of a
formula.
(for CLTL, AΦ is exponential in |Φ|.)
• satisfiability and model-checking
• removing equality makes procedures more efficient.
• couting along a unique path is easier. . .
Outline
1
CCTL
2
Expressivity
3
Model checking
Efficient model-checking
and harder. . .
and even worst !
4
Linear-Time Temporal Logics
5
Conclusion
Conclusion
• Other semantics are possible. . . For example, the cumulative
semantics.
EFc[♯⊤≤k1 ] (P1 ∧ EFc[♯⊤≤k2 ] P2 ) : “there is a run with less than
k2 transitions leading to P2 and along this run there is some
P1 located at less than k1 transitions from the initial state”
Conclusion
• Other semantics are possible. . . For example, the cumulative
semantics.
EFc[♯⊤≤k1 ] (P1 ∧ EFc[♯⊤≤k2 ] P2 ) : “there is a run with less than
k2 transitions leading to P2 and along this run there is some
P1 located at less than k1 transitions from the initial state”
• Freeze variables can also be used instead of subscripts in Until
modalities.
Conclusion
• Other semantics are possible. . . For example, the cumulative
semantics.
EFc[♯⊤≤k1 ] (P1 ∧ EFc[♯⊤≤k2 ] P2 ) : “there is a run with less than
k2 transitions leading to P2 and along this run there is some
P1 located at less than k1 transitions from the initial state”
• Freeze variables can also be used instead of subscripts in Until
modalities.
• CCTL∗ . . .
Conclusion
• Other semantics are possible. . . For example, the cumulative
semantics.
EFc[♯⊤≤k1 ] (P1 ∧ EFc[♯⊤≤k2 ] P2 ) : “there is a run with less than
k2 transitions leading to P2 and along this run there is some
P1 located at less than k1 transitions from the initial state”
• Freeze variables can also be used instead of subscripts in Until
modalities.
• CCTL∗ . . .
• See in practice.
Conclusion
• Other semantics are possible. . . For example, the cumulative
semantics.
EFc[♯⊤≤k1 ] (P1 ∧ EFc[♯⊤≤k2 ] P2 ) : “there is a run with less than
k2 transitions leading to P2 and along this run there is some
P1 located at less than k1 transitions from the initial state”
• Freeze variables can also be used instead of subscripts in Until
modalities.
• CCTL∗ . . .
• See in practice.
• Consider other operators (modulo,. . . ).
Conclusion
• Other semantics are possible. . . For example, the cumulative
semantics.
EFc[♯⊤≤k1 ] (P1 ∧ EFc[♯⊤≤k2 ] P2 ) : “there is a run with less than
k2 transitions leading to P2 and along this run there is some
P1 located at less than k1 transitions from the initial state”
• Freeze variables can also be used instead of subscripts in Until
modalities.
• CCTL∗ . . .
• See in practice.
• Consider other operators (modulo,. . . ).
• Consider properties over infinite runs (ratio).
M. Adler and N. Immerman.
An n! lower bound on formula size.
ACM Transactions on Computational Logic, 4(3):296–314,
2003.
A. Bouajjani, R. Echahed, and P. Habermehl.
On the verification problem of nonregular properties for
nonregular processes.
In Proc. 10th LICS, pages 123–133. IEEE Comp. Soc. Press,
1995.
A. Bouajjani, R. Echahed, and P. Habermehl.
Verifying infinite state processes with sequential and parallel
composition.
In Proc. 22nd POPL, pages 95–106, 1995.
E. A. Emerson and R. J. Trefler.
Generalized quantitative temporal reasoning: An
automata-theoretic approach.
In Proc. 7th TAPSOFT, volume 1214 of LNCS, pages
189–200. Springer, 1997.
E. A. Emerson and R. J. Trefler.
Parametric quantitative temporal reasoning.
In Proc. 14th LICS, pages 336–343. IEEE Comp. Soc. Press,
1999.
F. Laroussinie, Ph. Schnoebelen, and M. Turuani.
On the expressivity and complexity of quantitative
branching-time temporal logics.
Theor. Comput. Sci., 297(1–3):297–315, 2003.
Property Specification Language Reference Manual, Version
1.1, 2003.
http://www.eda-stds.org/vfv/docs/PSL-v1.1.pdf.
T. Wilke.
CTL+ is exponentially more succinct than CTL.
In Proc. 19th FSTTCS, volume 1738 of LNCS, pages 110–121.
Springer, 1999.
J. Yang, A. K. Mok, and F. Wang.
Symbolic model checking for event-driven real-time systems.
ACM Transactions on Programming Languages and Systems,
19(2):386–412, 1997.
© Copyright 2026 Paperzz