Transparents
publicité
Fondements pour la vérification
des systèmes temps-réel et concurrents
Lecture 3
Alternation and LTL extensions
Stéphane Demri
October 8th, 2007
Summary from previous lecture
Bφ = (Σ, S, S0 , ρ, F1 , . . . , Fk )
◮
S is the set of maximally consistent sets wrt φ,
◮
Σ = P(PROP),
◮
S0 = {X ∈ S : φ ∈ X },
◮
Y ∈ ρ(X , a) iff
◮
◮
◮
X ∩ PROP = a,
for Xψ ∈ cl(φ), Xψ ∈ X iff ψ ∈ Y,
If ψ1 Uψ1′ , . . . , ψk Uψk′ occurs in φ, then
def
Fi = {X ∈ S : either ψi Uψi′ 6∈ X or ψi′ ∈ X }
◮
If U does not occur in φ, then k = 1 and F1 = S.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Simple complexity properties
◮
L(Bφ ) = Models(φ).
◮
Checking whether X ⊆ cl(φ) belongs to S [resp. S0 , F1 , . . . ,
Fk ] can be done in polynomial-time in |φ|.
◮
Checking whether Y ∈ ρ(X , a) can be done in
polynomial-time in |φ|.
◮
|S| is in 2O(|φ|) .
◮
Elements in S can be encoded in polynomial-space in |φ|.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
NPSpace algorithm
1. Guess s0 ∈ S0 , s1 ∈ F1 , . . . , sk ∈ Fk ;
2. i := 0; s := s0 (current state);
3. While s 6= s1 and i < |S| do
a
3.1 Guess s ′ such that s −
→ s ′ for some a ∈ Σ;
′
3.2 i := i + 1; s := s .
4. If s 6= s1 , then abort otherwise
4.1 i := 0; j := 2;
4.2 While i := 0 or (j 6= 1 and i < |S| × k) do
a
4.2.1 Guess s ′ such that s →
− s ′ for some a ∈ Σ;
′
4.2.2 i := i + 1; s := s .
4.2.3 if s ′ ∈ Fj then nondeterministically choose either
j := (j mod k) + 1 or skip;
4.3 If s = s1 , then accept, otherwise abort.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Complexity
◮
Bφ is in exponential size in |φ|.
◮
Testing on-the-fly the nonemptiness of Bφ can be done in
NPSpace.
◮
By Savitch’s theorem: NPSpace = PSpace.
◮
Satisfiability for LTL is in PSpace.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
What about model-checking?
◮
Let M = (W , R, L) be a finite and total Kripke structure and
s0 ∈ W .
◮
L(AM,s0 ) = Paths(M, s0 ):
AM,s0 = (P(PROP), W , {s0 }, ρ, W )
def
where ρ(s, a) = {s ′ : (s, s ′ ) ∈ R, a = L(s)} for all s ∈ W and
a ⊆ PROP.
◮
M, s0 |=∃ φ iff L(AM,s0 ) ∩ L(Bφ ) 6= ∅.
◮
LTL model-checking is in PSpace.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Exercise (bis)
◮
Adapt the automata-based approach to deal with X−1 :
def
σ, i |= X−1 φ ⇔ i > 0 and σ, i − 1 |= φ.
◮
Adapt the automata-based approach to deal with S:
def
σ, i |= φSψ ⇔ there is j ≤ i such that σ, j |= ψ and for
j < k ≤ i , we have σ, k |= φ.
◮
Characterize the complexity of model-checking and
satisfiability problems for LTL(U, X, X−1 , S).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
LTL and alternating Büchi automata
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Positive Boolean formulae
◮
◮
◮
Given a finite set X , B + (X ) denotes the set of positive
Boolean formulae built over X ∪ {⊥, ⊤}.
Example: (s ∨ s ′ ) ∧ s ′′ ∈ B + ({s, s ′ , s ′′ }).
Each subset Y ⊆ X can be viewed as a propositional
valuation: s ∈ Y iff s is interpreted as true.
def
◮
Y |= φ ∈ B + (X ) ⇔ φ holds true in the interpretation Y.
◮
Example: {s, s ′′ } |= (s ∨ s ′ ) ∧ s ′′ .
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Alternating Büchi automata
◮
◮
A = (Σ, S, s0 , ρ, F ) with
◮
Σ: finite alphabet,
◮
S: finite set of states,
◮
s0 ∈ S: initial state,
◮
ρ : S × Σ → B + (S): transition relation,
◮
F ⊆ S: set of accepting states.
Encoding nondeterministic BA in alternating BA:
_
ρ(s, a) 7→
s′
s ′ ∈ρ(s,a)
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Accepting runs
◮
A run r on the ω-sequence a0 a1 a2 . . . ∈ Σω is a (possibly
infinite) tree whose nodes are labelled by states in S and s.t.
◮
◮
◮
r = (T , T ) where T is a tree and T : T → S,
Root of T is labelled by s0 (i.e. T (ǫ) = s0 ),
For x ∈ T , if |x| = i (depth in T ) and T (x) = s then
{T (x1 ), . . . , T (xk )} |= ρ(s, ai ) where x1 , . . . , xk are the
children of x.
def
◮
A run is accepting ⇔ for every infinite branch of T , an
accepting state is repeated infinitely often.
◮
L(A): set of ω-sequences in Σω for which there is an
accepting run.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Properties
◮
◮
ABA are closed under intersection, union and
complementation (with quadratic blow-up).
Nonemptiness problem for ABA is PSpace-complete [Chandra
& Kozen & Stockmeyer, JACM 81].
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
From ABA to NBA
◮
Given an ABA A = (Σ, S, s0 , ρ, F ), there is a NBA
An = (Σ, S ′ , S0′ , ρ′ , F ′ ) s.t. L(A) = L(An ).
◮
Idea of the proof: An guesses the set of states at each level of
an accepting run of A.
◮
A state of An is a set of states from A.
◮
One needs to encode which states are visited infinitely often
on each branch of the accepting run of A.
◮
A state of A is divided in two subsets in order to distinguish
branches that visit recently an accepting state.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
◮
◮
◮
◮
def
S ′ = P(S) × P(S)
if (X , Y) ∈ S then Y is the set of states on branches that visit
recently an accepting state,
def
S0′ = {({s0 }, ∅)};
def
F ′ = ∅ × P(S);
Transition relation ρ′ (2 subcases):
◮
((∅, X ′ )):
def
ρ′ ((∅, X ′ ), a) = {(Y, Y ′ ) : ∃Z |=
^
ρ(s, a), Y = Z\F , Y ′ = Z∩F }
s∈X ′
◮
(X 6= ∅):
def
ρ′ ((X , X ′ ), a) = {(Y, Y ′ ) : ∃Z, Z ′ such that
^
^
Z |=
ρ(s, a), Z ′ |=
ρ(s, a), Y = Z\F , Y ′ = Z ′ ∪(Z∩F )}.
s∈X
s∈X ′
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Negative normal form
def
◮
φRψ = ¬(¬φU¬ψ).
◮
A formula built over ∨, ∧, X, U, R, ¬ and PROP in which
negation occurs only in front of propositional variables is said
to be in negative normal form.
◮
Every formula in LTL is equivalent to a formula in negative
normal form (reduction in polynomial-time).
◮
Some essential properties:
◮
◮
◮
¬Xφ is equivalent to X¬φ,
¬(φUψ) is equivalent to (¬φR¬ψ),
¬(φ ∧ ψ) is equivalent to (¬φ ∨ ¬ψ).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
From LTL formulae to ABA
A = (Σ, S, s0 , ρ, F )
◮
S is the set of subformulae of φ,
◮
s0 = φ,
◮
Σ = P(PROP),
◮
F is equal to S restricted to formulae whose outermost
connective is not U.
◮
Transition relation:
def
def
◮
◮
◮
◮
◮
◮
def
def
ρ(p, a) = ⊤ if p ∈ a; ρ(¬p, a) = ⊤ if p 6∈ a,
def
def
ρ(p, a) =⊥ if p 6∈ a; ρ(¬p, a) =⊥ if p ∈ a,
def
ρ(ψ ∧ ψ ′ , a) = ρ(ψ, a) ∧ ρ(ψ ′ , a),
def
ρ(Xψ, a) = ψ,
def
ρ(ψUϕ, a) = ρ(ϕ, a) ∨ (ρ(ψ, a) ∧ (ψUϕ)),
def
ρ(ψRϕ, a) = ρ(ϕ, a) ∧ (ρ(ψ, a) ∨ (ψRϕ)).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Example
◮
Extensions:
◮
◮
◮
◮
def
def
ρ(⊤, a) = ⊤; ρ(⊥, a) =⊥;
def
ρ(Fψ, a) = ρ(ψ, a) ∨ Fψ;
def
ρ(Gψ, a) = ρ(ψ, a) ∧ Gψ.
Transition relation for FGp:
s
FGp
Gp
p
ρ(s, ∅)
FGp
⊥
⊥
Stéphane Demri
ρ(s, {p})
Gp ∨ FGp
Gp
⊤
Fondements pour la vérification des systèmes temps-réel et co
Summary
◮
L(Aφ ) is the set of models for φ.
◮
The number of states of Aφ is polynomial in |φ|.
◮
The difficulty is in the nonemptiness test for ABA.
◮
Corollary: When PROP is finite and fixed, satisfiability for
LTL is in PSpace.
◮
NB: LTL satisfiability/model-checking can be reduced in
logspace to LTL satisfiability/model-checking with at most 2
propositional variables.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Exercise
◮
Construct the ABA for FGp ∧ FGq with the previous
systematic construction and compare it with a direct
construction.
◮
Represent an accepting run for {p}{q}{q}{p}{p, q}ω .
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Wolper’s automata-based operators
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
From BA to LTL formulae?
◮
φ 7→ Aφ [Büchi, 62; Wolper & Vardi, IC 94].
◮
BA A over P(PROP) 7→ LTL formula φA ?
◮
ω-sequences accepted by the BA below are exactly the
sequences with {p} on even positions:
q0
{p}, {}
{p}
q1
◮
What about
1. G(p ⇔ XXp) ∧ p ∧ X¬p,
2. p ∧ G(p ⇒ XXp),
3. q ∧ X¬q ∧ G(q ⇔ XXq) ∧ G(q ⇒ p)
?
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Expressive power
◮
By Kamp’s theorem, LTL(Us , Ss ) is as expressive as first-order
theory on (N, <).
◮
LTL is as expressive as first-order theory on (N, <) with
respect to initial equivalence.
◮
Büchi automata are as expressive as monadic second-order
theory on (N, <).
◮
Proposition [Wolper, IC 83]
There is no LTL formula φ built over the unique propositional
variable p such that Models(φ) is exactly the set of LTL
models such that p holds true on every even position (on odd
positions, p may hold true or not).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Proof of propostion
◮
Suppose that there is a formula φ built over p and |φ|X be
the number of X occurrences in φ.
◮
N(φ) = {i ∈ N : {p}i · ∅ · {p}ω |= φ}
◮
We shall show that for n ≥ |φ|X + 1, n ∈ N(φ) iff
n + 1 ∈ N(φ).
◮
Consequently, |φ|X + 1 ∈ N(φ) iff |φ|X + 2 ∈ N(φ).
◮
def
|φ| +1
However, exactly one structure among {p} X · ∅ · {p}ω
|φ| +2
and {p} X · ∅ · {p}ω is a model for φ, a contradiction.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Induction
◮
Base case: φ = p
◮
◮
◮
N(φ) = N \ {0} and |φ|X = 0.
For n ≥ 1, n ∈ N(φ) iff n + 1 ∈ N(φ).
Induction hypothesis: for φ s.t. |φ| ≤ N, for n ≥ |φ|X + 1,
n ∈ N(φ) iff n + 1 ∈ N(φ).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Case φ = φ1 ∧ φ2
◮
Cases for ¬ and ∨ are analogous.
◮
|φ|X = |φ1 |X + |φ2 |X .
◮
Equivalence between the propositions below (n ≥ |φ|X + 1):
◮
◮
◮
◮
n ∈ N(φ),
n ∈ N(φ1 ) and n ∈ N(φ2 ) (∧ semantics);
n + 1 ∈ N(φ1 ) and n + 1 ∈ N(φ2 )
(by (IH) since |φ1 |, |φ2 | ≤ N and n ≥ |φ1 |X + 1, |φ2 |X + 1),
n + 1 ∈ N(φ) (∧ semantics).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
φ = Xψ
◮
|φ|X = 1 + |ψ|X .
◮
Equivalence between the propositions below
(n ≥ |φ|X + 1 ≥ 2):
◮
n ∈ N(φ),
◮
n − 1 ∈ N(ψ) (X semantics),
◮
n ∈ N(ψ)
(by (IH) since |ψ| ≤ N and n − 1 ≥ |ψ|X + 1),
◮
n + 1 ∈ N(φ) (X semantics).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
φ = φ1 Uφ2
◮
|φ|X = |φ1 |X + |φ2 |X .
◮
Let n ≥ |φ|X + 1 and suppose σ n = {p}n ∅{p}ω |= φ.
◮
There exists j ≥ 0 such that σ n , j |= φ2 and for 0 ≤ k < j, we
have σ n , k |= φ1 .
◮
We shall show that σ n+1 = {p}n+1 ∅{p}ω |= φ, i.e.
n + 1 ∈ N(φ).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
First part of the until case
◮
◮
Subcase j = 0
◮
|φ2 | ≤ N and n ≥ |φ2 |X + 1.
◮
By (IH), n + 1 ∈ N(φ2 ), whence n + 1 ∈ N(φ).
Subcase j ≥ 1
◮
|φ1 | ≤ N and n ≥ |φ1 |X + 1.
◮
n ∈ N(φ1 ).
◮
By (IH), n + 1 ∈ N(φ1 ).
◮
Hence n + 1 ∈ N(φ).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Second part of until case
◮
Now suppose that σ n+1 = {p}n+1 ∅{p}ω |= φ.
◮
There exists j ≥ 0 s.t. σ n+1 , j |= φ2 and for 0 ≤ k < j, we
have σ n+1 , k |= φ1 .
◮
If j = 0, then since |φ2 | ≤ N and n ≥ |φ2 |X + 1, by (IH)
n ∈ N(φ2 ), whence n ∈ N(φ).
◮
If j ≥ 1, then σ n+1 , 1 |= φ, whence n ∈ N(φ).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Extended temporal logic ETL
◮
FSA A = (Σ, S, S0 , ρ, F ) with Σ = a1 < . . . < ak .
◮
ETL = LTL + all formulae A(φ1 , . . . , φk ).
◮
σ, i |= A(φ1 , . . . , φk ) ⇔
def
◮
◮
either S0 ∩ F 6= ∅ (ǫ ∈ L(A)),
or there is a finite word ai1 ai2 . . . ain ∈ L(A) such that for every
1 ≤ j ≤ n, σ, i + (j − 1) |= φij .
◮
If S0 ∩ F 6= ∅, then A(φ1 , . . . , φk ) is equivalent to ⊤.
◮
L(A) = {ab i a : i ≥ 0} and a < b:
A(p, q)
p
q
q
q
q
p
a
b
b
b
b
a
Stéphane Demri
∈ L(A)
Fondements pour la vérification des systèmes temps-réel et co
ETL
◮
Define X and U with automata-based operators.
◮
Define a formula φ in ETL built over p whose models are
exactly those in which p holds true at least on even positions.
◮
Model-checking and satisfiability problems for ETL are
PSpace-complete [Vardi & Wolper, IC 94].
◮
ETL has the same expressive power as Büchi automata:
◮
For any BA A over Σ = {a1 , . . . , ak }, for any map l : Σ → X
where X is a set of finite
subsets of PROP, there is a formula
S
φ in ETL built over i l(ai ) s.t. L(A) = Models(φ).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Expressive power
The class of languages defined by ETL formulae is equal to the
class of languages defined by
◮ Büchi automata,
◮
formulae from monadic second-order theory for (ω, <), also
known as S1S,
◮
ω-regular expressions (or by finite union of sets U · V ω with
regular U, V ⊆ Σ∗ ),
◮
formulae from LTL with second-order quantification.
◮
◮
◮
σ, σ ′ : N → P(PROP), p ∈ PROP.
def
σ ≈p σ ′ ⇔ for i ∈ N, σ(i) \ {p} = σ ′ (i) \ {p}.
def
LTL with second-order quantification: σ, i |= ∀ p φ ⇔ for σ ′
′
′
s.t. σ ≈p σ , we have σ , i |= φ.
formulae from LTL with fixed-point operators [Vardi, POPL
88].
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Consiseness
ETL is a powerful and concise extension of LTL:
◮
◮
the nonemptiness problem for Büchi automata is
NLogSpace-complete,
MC∃ (ETL) and SAT(ETL) are PSpace-complete,
◮
satisfiability for LTL with fixed-point operators is
PSpace-complete [Vardi, POPL 88],
◮
satisfiability for S1S is non-elementary
(time complexity is not bounded by any tower of exponentials
of fixed height).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Extension with context-free languages
◮
C: class of languages of finite words.
◮
LTL + C: extension of LTL with formulae L(φ1 , . . . , φn ) for
some L ∈ C.
◮
ETL = LTL + REG where REG is the class of regular
languages represented by finite-state automata.
◮
Context-free languages (in CF) represented by context-free
grammars.
◮
SAT(LTL + CF) is undecidable.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Proof
◮
Language equality between context-free grammars is
undecidable.
◮
Reduction to SAT(LTL + CF).
◮
G1 , G2 : CF grammars over Σ = {a1 , . . . , an }.
◮
◮
◮
◮
G1+ ,G2+ : CF grammars over Σ+ = {a1 , . . . , an , an+1 } s.t.
L(G1+ ) = L(G1 ) · {an+1 } and L(G2+ ) = L(G2 ) · {an+1 }.
G1+ and G2+ can be effectively computed from G1 and G2 ,
respectively.
L(G1 ) = L(G2 ) iff L(G1+ ) = L(G2+ ).
We shall construct φG1 ,G2 in LTL + CF s.t. φG1 ,G2 is
satisfiable iff L(G1 ) 6= L(G2 ).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Building φG1 ,G2
◮
φG1 ,G2 is built over p1 , . . . , pn+1 and holds true only in
structures s.t.
◮
◮
◮
exactly one variable from p1 , . . . , pn+1 , holds true at each
position,
pn+1 holds true at a unique position (end marker).
UNI encodes these properties:
_
^
def
UNI = G(
pi ) ∧ G(
1≤i ≤n+1
1≤i ≤n+1
(pi ⇒
^
¬pj )∧
1≤j6=i ≤n+1
((pn+1 ∧ XG¬pn+1 ) ∨ ¬pn+1 U(pn+1 ∧ XG¬pn+1 ))
◮
Equivalence between
◮
◮
L(G1+ ) 6= L(G2+ ),
UNI ∧ ¬(L(G1+ )(p1 , . . . , pn+1 ) ⇔ L(G2+ )(p1 , . . . , pn+1 )) is
satisfiable.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Equivalence (I)
◮
Suppose L(G1+ ) 6= L(G2+ ) with ai1 ai2 · · · ail an+1 ∈ L(G1+ ) and
ai1 ai2 · · · ail an+1 6∈ L(G2+ ).
◮
Wlog, l ≥ 1.
◮
σ:{pi1 } · {pi2 } · · · {pil } · {pn+1 } · {p1 }ω .
◮
We have
◮
◮
◮
σ |= UNI,
σ |= L(G1+ )(p1 , . . . , pn+1 ) ,
σ 6|= L(G2+ )(p1 , . . . , pn+1 ) since the only finite word ending by
{pn+1 } in σ is {pi1 } · {pi2 } · · · {pil } · {pn+1 } and
ai1 ai2 · · · ail an+1 6∈ L(G2+ ).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Equivalence (II)
◮
◮
◮
Suppose σ, 0 |= UNI ∧ ¬(L(G1+ )(p1 , . . . , pn+1 ) ⇔
L(G2+ )(p1 , . . . , pn+1 )).
Assume σ |= L(G1+ )(p1 , . . . , pn+1 ) and
σ 6|= L(G2+ )(p1 , . . . , pn+1 ).
A simple reasoning allows to deduce that L(G1+ ) 6= L(G2+ ).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Special context-free languages
◮
L0 = {a1k · a2 · a1k−1 · a3 : k ≥ 1}.
◮
L1 = {a1k · a2 · a1k · a3 : k ≥ 0} (L0 = {a1 } · L1 ).
◮
Valid formulae in LTL + {L0 , L1 }.
◮
L1 (p, q, r ) ⇔ (q ∧ Xr ) ∨ L0 (p, q, p ∧ Xr ),
◮
L0 (p, q, r ) ⇔ p ∧ XL1 (p, q, r ),
◮
Fφ ⇔ L1 (⊤, φ, ⊤),
◮
Xφ ⇔ L1 (⊥, ⊤, φ).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Undecidability
◮
◮
SAT(LTL + {L1 }) is undecidable.
Consequently, MC∃ (LTL + {L1 }) is undecidable.
(satisfiability reduces to it by building a complete Kripke
structure)
◮
Reduction from the recurrence problem for domino
games [Harel, 85].
input: a domino game Dom with a distinguished color
c.
output: 1, if Dom can pave N × N where the color c
occurs infinitely often.
◮
Let Dom = (C , D, Col ) be a domino game with
◮
◮
◮
C = {1, . . . , n} and c = 1,
D = {d1 , . . . , dm },
Col : D × {up, down, left, right} → {1, . . . , n}
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Syntactic ressources
We use the following propositional variables:
◮
◮
◮
in holds true when the state encodes a position in N2 . There
are states in the model that do not correspond to positions in
N2 . out is equivalent to the negation of in.
For 1 ≤ j ≤ m, we introduce j : “position in N2 associated to
the current position has domino type dj ”.
For every 1 ≤ i ≤ n, we use the variables upi , downi , lefti ,
righti .
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
PAVE formula
◮
Every state encoding a position in N2 is occupied by a unique
domino:
m
m
_
^
(j ∧
G(in ⇒
¬ j’ ))
j ′ =1,j ′ 6=j
j=1
◮
Propositional variables for colours are compatible with the
definition of domino types:
G(in ⇒
m
^
j =⇒
j=1
^
side∈{up,down,right,left}
◮
^
sideCol(dj ,side) ∧
¬sidej ′ )
1≤j ′ 6=Col(dj ,side)≤n
PAVE: conjunction of above formulae.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
SNAKE formula
SNAKE: conjunction of following formulae:
◮
G(in ⇔ ¬out),
◮
in ∧ Xout ∧ XXin ∧ XXXin ∧ XXXXout,
◮
G(out ⇒ XL1 (in, out, in ∧ Xout)).
(L1 = {a1k · a2 · a1k · a3 : k ≥ 0}).
◮
Only structure (built over in and out) satisfying SNAKE:
{in} · {out} · {in}2 · {out} · {in}3 · {out} · {in}4 . . .
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
out, ⇓
out, ⇓
in, ⇓
in, ⇑
in, ⇓
in, ⇓
in, ⇑
in, ⇓
in, ⇑
in, ⇓
in, ⇑
in, ⇓
in, ⇓
in, ⇑
in, ⇓
in, ⇑
out, ⇑
Stéphane Demri
out, ⇑
in, ⇓
out, ⇑
Fondements pour la vérification des systèmes temps-réel et co
DIRECTION formula
◮
◮
Difficulty of the proof is not to design a path through N2 but
to define a path on which it is easy to access to neighbours
(right or top).
DIRECTION: conjunction of formulae:
◮
◮
◮
◮
◮
◮
G(⇑⇔ ¬ ⇓),
⇓ ∧X ⇑,
G(in ∧ Xin∧ ⇑⇒ X ⇑)
(“we stay on ascending chain”),
G(in ∧ Xin∧ ⇓⇒ X ⇓)
(“we stay on descending chain”),
G(in ∧ Xout∧ ⇑⇒ (X ⇓ ∧XX ⇓))
(“we pass from ascending to descending chain”),
G(in ∧ Xout∧ ⇓⇒ (X ⇑ ∧XX ⇑))
(“we pass from descending to ascending chain”).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Only structure (built over in, out, ⇑ and ⇓) satisfying
SNAKE ∧ DIRECTION:
{in, ⇓}{out, ⇑} · {in, ⇑}2 · {out, ⇓} · {in, ⇓}3 · {out, ⇑} · {in, ⇑}4 . . .
out, ⇓ in, ⇓
in, ⇑
in, ⇓
out, ⇓ in, ⇓
in, ⇑
in, ⇓
in, ⇑
in, ⇓
in, ⇑
in, ⇓
in, ⇓
in, ⇑
in, ⇓
in, ⇑
out, ⇑
Stéphane Demri
out, ⇑
in, ⇓
out, ⇑
Fondements pour la vérification des systèmes temps-réel et co
CONSTRAINTS formula
◮
The path allows to access to adjacent states as follows:
◮
◮
◮
◮
◮
in
in
in
in
{in, ⇑},
{in, ⇑},
{in, ⇓},
{in, ⇓},
we
we
we
we
access
access
access
access
to
to
to
to
the
the
the
the
right neighbour with L1 ,
up neighbour with L0 ,
right neighbour with L0 ,
up neighbour with L1 .
CONSTRAINTS: conjunction of formulae
◮
◮
◮
◮
V
G(in∧ ⇑⇒ (V1≤i ≤n righti ⇒ L1 (in, out, lefti ))),
G(in∧ ⇑⇒ (V1≤i ≤n upi ⇒ L0 (in, out, downi ))),
G(in∧ ⇓⇒ (V1≤i ≤n righti ⇒ L0 (in, out, lefti ))),
G(in∧ ⇓⇒ ( 1≤i ≤n upi ⇒ L1 (in, out, downi ))).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
High undecidability
W
◮
REC:GF(in ∧
◮
Dom can pave N2 by repeating infinitely often the colour 1 iff
side∈{left,right,up,down}
side1 ).
PAVE ∧ SNAKE ∧ DIRECTION ∧ CONSTRAINTS ∧ REC
is satisfiable in LTL + {L0 , L1 }.
◮
Since X, F and L0 can expressed with L1 , satisfiability and
model-checking problems for propositional calculus with the
temporal operator defined with L1 are highly undecidable.
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
Exercise (bis)
1. φ[ψ]ρ be an LTL formula with subformula ψ at the occurrence
ρ. Show that φ[ψ]ρ is satisfiable iff φ[p]ρ ∧ G(p ⇔ ψ) is
satisfiable where p is a new propositional variable no occurring
in φ[ψ]ρ .
2. Conclude that there is a logarithmic space reduction from
SAT(LTL) to SAT(LTL2ω ).
3. Show that SAT(LTL1 (X)) is NP-complete (independent of 1.
and 2.).
Stéphane Demri
Fondements pour la vérification des systèmes temps-réel et co
