Mu-calculus path checking

Nicolas Markey and Philippe Schnoebelen

Lab. Specification & Verification, CNRS & ENS de Cachan, France

Abstract

We investigate the path model checking problem for the $\mu$-calculus. Surprisingly, restricting to deterministic structures does not allow for more efficient model checking algorithms, as we prove that it can encode any instance of the standard model checking problem for the $\mu$-calculus.
1 Introduction

Model checking is a fundamental problem, originally motivated by concerns with the automatic verification of systems, but now more broadly associated with several different fields ranging from Bio-Informatics to Databases to Automated Deduction.

In verification settings, model checking problems usually ask whether S, a given model of a system, satisfies $\varphi$, a given formal property, denoted $S \models \varphi$. In [8] we introduced the path model checking problem (see also Open Problem 4.1 in [4]). This problem is unusual since it is a restriction of the classical model checking problem, not an extension as is usually considered. The restriction is that one only considers models having the form of a finite path (or a finite loop, or more generally an ultimately periodic infinite path). These are models without choice, or without nondeterminism. Checking finite paths or loops occurs naturally in many applications: run-time verification [5], analysis of machine-generated scenarios or debugger traces [1], analysis of log files [11], Monte Carlo methods for verification [6], etc.

In [8] we consider path model checking for several temporal logics. Our findings can be summarized as follows:
- checking a deterministic path is usually much easier than checking a nondeterministic structure,
- checking a finite path and checking a loop are usually equivalent (inter-reducible).

Email addresses: markey@lsv.ens-cachan.fr (Nicolas Markey), phs@lsv.ens-cachan.fr (Philippe Schnoebelen).
Preprint submitted to Elsevier Science
In this note, we consider path model checking for the modal $\mu$-calculus. It is known that checking whether a Kripke structure S satisfies a $\mu$-calculus formula (called the branching-time, or $B_\mu$, model-checking problem) is PTIME-hard, and is in UP $\cap$ coUP [7]. Additionally, checking whether all paths of S satisfy a $\mu$-calculus formula (called the linear-time, or $L_\mu$, model-checking problem) is PSPACE-complete [12].

For path model checking, our findings are surprising:

(1) General $B_\mu$ model checking reduces to path model checking. Hence $B_\mu$ model checking does not become easier when it is restricted to structures without choice. This does not fit the pattern observed in [8] for other logics like CTL or CTL*.

(2) The above reduction uses loops. We were not able to reduce checking of finite loops to checking of finite paths. Again this does not fit the pattern observed in [8] for other logics.

The paper contains some additional results, e.g., that model checking of finite paths is PTIME-complete (hence the above discrepancies would disappear if it turns out that $\mu$-calculus model checking is in PTIME, a conjecture believed true by several researchers), or relating loops and finite paths in a $\mu$-calculus extended with backwards (sometimes called past-time) modalities.
2 Preliminaries

We refer to [3]. $\mu$-calculus formulae are given by the following grammar:

$B_\mu \ni \varphi, \psi ::= p \mid \neg p \mid Z \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \Diamond\varphi \mid \Box\varphi \mid \mu Z.\varphi \mid \nu Z.\varphi$

where p ranges over a set AP of atomic propositions, and Z over a set V of variable names. Our definition only allows negations on propositions, but negation of arbitrary formulae can be defined in the standard way, and similarly for classical shorthands such as $\Rightarrow$, etc. We define the CTL-modalities EF and AG with: $\mathrm{EF}\varphi \stackrel{\mathrm{def}}{=} \mu Z.(\varphi \vee \Diamond Z)$ and $\mathrm{AG}\varphi \stackrel{\mathrm{def}}{=} \nu Z.(\varphi \wedge \Box Z)$ where Z is any variable not free in $\varphi$.

Formulae in $B_\mu$ are interpreted over finite Kripke structures (KS), i.e., labeled finite-state systems of the general form $K = (Q, R, l)$ where $R \subseteq Q \times Q$ is the set of transitions and $l : Q \to 2^{AP}$ is the state labeling. As usual, and when R is understood, we write $x \to y$ rather than $(x, y) \in R$, and we say y is a successor of x. Given $S \subseteq Q$, we write $\mathit{Pre}(S)$ for the set $\{x \in Q \mid \exists y \in S.\ x \to y\}$, and $\overline{S}$ for $Q \setminus S$. Then $x \in \overline{\mathit{Pre}(\overline{S})}$ iff all the successors of x (if any) are in S.

Formally, for a KS $K = (Q, R, l)$ and a context $v : V \to 2^Q$, the set $\llbracket \varphi \rrbracket^K_v$ of states where $\varphi$ holds is defined inductively:

$\llbracket p \rrbracket^K_v \stackrel{\mathrm{def}}{=} \{x \in Q \mid p \in l(x)\}$
$\llbracket \neg p \rrbracket^K_v \stackrel{\mathrm{def}}{=} \{x \in Q \mid p \notin l(x)\}$
$\llbracket \varphi \wedge \psi \rrbracket^K_v \stackrel{\mathrm{def}}{=} \llbracket \varphi \rrbracket^K_v \cap \llbracket \psi \rrbracket^K_v$
$\llbracket \varphi \vee \psi \rrbracket^K_v \stackrel{\mathrm{def}}{=} \llbracket \varphi \rrbracket^K_v \cup \llbracket \psi \rrbracket^K_v$
$\llbracket Z \rrbracket^K_v \stackrel{\mathrm{def}}{=} v(Z)$
$\llbracket \Diamond\varphi \rrbracket^K_v \stackrel{\mathrm{def}}{=} \mathit{Pre}\big(\llbracket \varphi \rrbracket^K_v\big)$
$\llbracket \Box\varphi \rrbracket^K_v \stackrel{\mathrm{def}}{=} \overline{\mathit{Pre}\big(\overline{\llbracket \varphi \rrbracket^K_v}\big)}$
$\llbracket \mu Z.\varphi \rrbracket^K_v \stackrel{\mathrm{def}}{=} \bigcap \{U \subseteq Q \mid \llbracket \varphi \rrbracket^K_{v[Z \mapsto U]} \subseteq U\}$
$\llbracket \nu Z.\varphi \rrbracket^K_v \stackrel{\mathrm{def}}{=} \bigcup \{U \subseteq Q \mid U \subseteq \llbracket \varphi \rrbracket^K_{v[Z \mapsto U]}\}$

We sometimes omit the K and v subscripts when no ambiguity arises (or for closed formulae where v is irrelevant) and write $x \models^K_v \varphi$ when $x \in \llbracket \varphi \rrbracket^K_v$. The above definition entails the following standard fixed-point equalities:

$\llbracket \mu Z.\varphi \rrbracket_v = \llbracket \varphi \rrbracket_{v[Z \mapsto \llbracket \mu Z.\varphi \rrbracket_v]}$ and $\llbracket \nu Z.\varphi \rrbracket_v = \llbracket \varphi \rrbracket_{v[Z \mapsto \llbracket \nu Z.\varphi \rrbracket_v]}$.

For $\alpha \in \mathbb{N}$, the approximant $\llbracket \mu Z^\alpha.\varphi \rrbracket^K_v$ is defined inductively by $\llbracket \mu Z^0.\varphi \rrbracket_v \stackrel{\mathrm{def}}{=} \emptyset$ and $\llbracket \mu Z^{\alpha+1}.\varphi \rrbracket_v \stackrel{\mathrm{def}}{=} \llbracket \varphi \rrbracket_{v[Z \mapsto \llbracket \mu Z^\alpha.\varphi \rrbracket_v]}$. Set $\llbracket \nu Z^\alpha.\varphi \rrbracket_v$ is defined dually. It is well known that, since K is finite, the sequences $(\llbracket \mu Z^\alpha.\varphi \rrbracket_v)_{\alpha \in \mathbb{N}}$ and $(\llbracket \nu Z^\alpha.\varphi \rrbracket_v)_{\alpha \in \mathbb{N}}$ eventually reach $\llbracket \mu Z.\varphi \rrbracket_v$ and $\llbracket \nu Z.\varphi \rrbracket_v$ resp.

A KS is deterministic if every state has at most one successor. For such KSs, $\Diamond$ and $\Box$ have very close meanings: $\Diamond\varphi$ means that $\varphi$ holds in the successor state, while $\Box\varphi$ means that, if there is a successor state, then $\varphi$ holds in that state. We consider below deterministic KSs having the form of a finite path (isomorphic to an initial segment of $\mathbb{N}$, with a last state having no successors), or a finite loop (where there is a single strongly connected component). On loops, the meanings of $\Diamond$ and $\Box$ coincide exactly.
3 Main result

Theorem 3.1 $B_\mu$ model checking logspace-reduces to model checking of loops.

Hence $\mu$-calculus model checking of loops and general $B_\mu$ model checking are equivalent (inter-reducible). Considering deterministic KSs does not simplify the problem:

Corollary 3.2 $B_\mu$ model checking of loops is PTIME-hard, and in UP $\cap$ coUP.

The rest of this section describes our reduction. We transform an instance $x \models_K \varphi$? into an equivalent $x' \models_L \hat{\varphi}$? where L is a loop. We observe that $|L| = O(|K|)$, and $|\hat{\varphi}| = O(|K| \cdot |\varphi|)$. Furthermore, the transformation from $\varphi$ to $\hat{\varphi}$ does not increase the alternation depth (Prop. 3.8).

[Fig. 1 is not reproduced here: it shows a KS K with states a, b, c and transitions $r_1, \ldots, r_4$, and the loop L made of a source copy and a destination copy of each $r_i$, with h mapping each copy back to its state of K.]
Fig. 1. From non-deterministic to deterministic Kripke structure

Let $K = (Q, R, l)$ be a KS. For this reduction we assume that AP and Q coincide, and that l is the identity (see footnote 1). L has labels from $AP' \stackrel{\mathrm{def}}{=} AP \cup \{s, d\}$ where s (for source) and d (for destination) are two new atomic propositions. Assume $R = \{r_1, \ldots, r_n\}$ contains n transitions: then $L = (Q', R', l')$ has $Q' \stackrel{\mathrm{def}}{=} \{s_1, d_1, s_2, d_2, \ldots, s_n, d_n\}$. $R'$ has transitions $s_i \to d_i$ and $d_i \to s_{(i \bmod n)+1}$ for $1 \le i \le n$, arranging $Q'$ into a loop. Finally, the labeling $l'$ is defined as follows: if $r_i = (x, y)$ then $l'(s_i) = \{x, s\}$ and $l'(d_i) = \{y, d\}$.

In summary, L lists the transitions of K. The states of L map to original states via the mapping $h : Q' \to Q$ given by $h(x') = x$ iff $x \in l'(x')$. Fig. 1 illustrates this construction on a schematic example.

In the sequel we use $h(x')$ either as a state or as an element of $AP'$, depending on the context. For any $S \subseteq Q$, $h(x') \in S$ iff $x' \in h^{-1}(S)$.
Lemma 3.3 Let $S \subseteq Q$. Then $\mathit{Pre}_K(S) = h\big(\llbracket s \rrbracket^L \cap \mathit{Pre}_L(h^{-1}(S))\big)$.

PROOF. Assume $x \in \mathit{Pre}_K(S)$ because of a transition $r_i$ of the form $x \to y$ with $y \in S$. In L, $s_i \to d_i$ has $d_i \in h^{-1}(y) \subseteq h^{-1}(S)$ and $s_i \in \llbracket s \rrbracket^L$. Hence $x = h(s_i) \in h\big(\llbracket s \rrbracket^L \cap \mathit{Pre}_L(h^{-1}(S))\big)$. Conversely, if $x \in h\big(\llbracket s \rrbracket^L \cap \mathit{Pre}_L(h^{-1}(S))\big)$, then $x = h(s_i)$ for some i such that $h(d_i) \in S$. Therefore $r_i$ shows that $x \in \mathit{Pre}_K(S)$.
Now, define $\psi(Z) \stackrel{\mathrm{def}}{=} \bigvee_{x \in Q} \big[x \wedge \mathrm{EF}(x \wedge Z)\big]$ and $\chi(Z) \stackrel{\mathrm{def}}{=} \bigwedge_{x \in Q} \big[x \Rightarrow \mathrm{AG}(x \Rightarrow Z)\big]$.

Lemma 3.4 For all v, $\llbracket \psi(Z) \rrbracket^L_v = h^{-1}\big(h(\llbracket Z \rrbracket^L_v)\big)$ and $\llbracket \chi(Z) \rrbracket^L_v = \overline{h^{-1}\big(h(\overline{\llbracket Z \rrbracket^L_v})\big)}$.

PROOF. $\llbracket \psi(Z) \rrbracket_v$ is $\bigcup_{x \in Q} \llbracket x \wedge \mathrm{EF}(x \wedge Z) \rrbracket_v$. Since L is strongly connected, this is $\{x' \mid \exists y' \in \llbracket Z \rrbracket_v,\ h(x') = h(y')\}$ by definition of $l'$. We end up with $h^{-1}(h(\llbracket Z \rrbracket_v))$. The second result follows by duality.

Footnote 1: This assumption is no loss of generality. Any general KS can be relabeled in such a way. This requires replacing any proposition used in the original labeling with a disjunction of (the propositions denoting) the states where it holds. This transformation is logspace.
Lemma 3.5 Assume Y and Z are distinct variables. Then for all v, we have

$\llbracket \mu Z.(Y \vee \psi(Z)) \rrbracket^L_v = \llbracket \psi(Y) \rrbracket^L_v = h^{-1}\big(h(\llbracket Y \rrbracket^L_v)\big)$
$\llbracket \nu Z.(Y \wedge \chi(Z)) \rrbracket^L_v = \llbracket \chi(Y) \rrbracket^L_v = \overline{h^{-1}\big(h(\overline{\llbracket Y \rrbracket^L_v})\big)}$.

PROOF. We only prove the first result, the second one being dual.

($\subseteq$): Write U for $h^{-1}(h(\llbracket Y \rrbracket_v))$. Then $\llbracket Y \vee \psi(Z) \rrbracket_{v[Z \mapsto U]} = \llbracket Y \rrbracket_v \cup \llbracket \psi(Z) \rrbracket_{v[Z \mapsto U]} = \llbracket Y \rrbracket_v \cup h^{-1}(h(U))$ (by Lemma 3.4) $= U$. Hence U is a fixed point and $\llbracket \mu Z.(Y \vee \psi(Z)) \rrbracket_v \subseteq U$.

($\supseteq$): Write S for $\llbracket \mu Z.(Y \vee \psi(Z)) \rrbracket_v$. From the fixed-point property, we have $S = \llbracket Y \vee \psi(Z) \rrbracket_{v[Z \mapsto S]} = \llbracket Y \rrbracket_v \cup \llbracket \psi(Z) \rrbracket_{v[Z \mapsto S]} = \llbracket Y \rrbracket_v \cup h^{-1}(h(S))$ (by Lemma 3.4). Hence $S \supseteq h^{-1}(h(\llbracket Y \rrbracket_v))$.

Thus $\psi(\varphi)$ and $\mu Z.(\varphi \vee \psi(Z))$ are equivalent on L (when Z does not occur free in $\varphi$). The important difference between them is size: $|\psi(\varphi)|$ is in $O(|Q| \cdot |\varphi|)$ while $|\mu Z.(\varphi \vee \psi(Z))|$ is in $O(|Q| + |\varphi|)$.
We now translate each formula $\varphi$ into a $\hat{\varphi}$ in such a way that if $\varphi$ holds in $x \in Q$, then $\hat{\varphi}$ holds in all $x' \in h^{-1}(x)$. Formally, $\hat{\varphi}$ is defined inductively by:

$\hat{p} \stackrel{\mathrm{def}}{=} p$, $\widehat{\neg p} \stackrel{\mathrm{def}}{=} \neg p$, $\hat{Z} \stackrel{\mathrm{def}}{=} Z$,
$\widehat{\varphi \wedge \psi} \stackrel{\mathrm{def}}{=} \hat{\varphi} \wedge \hat{\psi}$, $\widehat{\varphi \vee \psi} \stackrel{\mathrm{def}}{=} \hat{\varphi} \vee \hat{\psi}$,
$\widehat{\Diamond\varphi} \stackrel{\mathrm{def}}{=} \mu Z.\big[(s \wedge \Diamond\hat{\varphi}) \vee \psi(Z)\big]$, $\widehat{\Box\varphi} \stackrel{\mathrm{def}}{=} \nu Z.\big[(s \Rightarrow \Box\hat{\varphi}) \wedge \chi(Z)\big]$,
$\widehat{\mu Z.\varphi} \stackrel{\mathrm{def}}{=} \mu Z.\hat{\varphi}$, $\widehat{\nu Z.\varphi} \stackrel{\mathrm{def}}{=} \nu Z.\hat{\varphi}$.
Lemma 3.6 For any formula $\varphi$ involving atomic propositions in AP, and any context $v : V \to 2^Q$, and writing $v'$ for $h^{-1} \circ v$:

$h^{-1}\big(\llbracket \varphi \rrbracket^K_v\big) = \llbracket \hat{\varphi} \rrbracket^L_{v'}$   (1)

In other words, $x' \in \llbracket \hat{\varphi} \rrbracket^L_{v'}$ iff $h(x') \in \llbracket \varphi \rrbracket^K_v$.

PROOF. By induction on the structure of $\varphi$.

Case $\varphi = p \in AP$: Since $AP = Q$, and by definition of $l'$, $h^{-1}(\llbracket p \rrbracket^K) = \llbracket p \rrbracket^L$.

Case $\varphi = Z \in V$: $h^{-1}(\llbracket Z \rrbracket_v) = h^{-1} \circ v(Z) = \llbracket Z \rrbracket_{v'}$ by definition of $v'$.

Case $\varphi = \mu Z.\psi$: It is sufficient to show that, for all integers $\alpha$, $h^{-1}(\llbracket \mu Z^\alpha.\psi \rrbracket_v) = \llbracket \mu Z^\alpha.\hat{\psi} \rrbracket_{v'}$. We proceed by induction on $\alpha$. The base case where $\alpha = 0$ holds trivially, and the inductive step relies on $h^{-1}(\llbracket \mu Z^{\alpha+1}.\psi \rrbracket_v) = h^{-1}\big(\llbracket \psi \rrbracket_{v[Z \mapsto \llbracket \mu Z^\alpha.\psi \rrbracket_v]}\big) = \llbracket \hat{\psi} \rrbracket_{h^{-1} \circ v[Z \mapsto \llbracket \mu Z^\alpha.\psi \rrbracket_v]}$ by ind. hyp. (Lemma 3.6 on $\psi$). This is $\llbracket \hat{\psi} \rrbracket_{v'[Z \mapsto h^{-1}(\llbracket \mu Z^\alpha.\psi \rrbracket_v)]} = \llbracket \hat{\psi} \rrbracket_{v'[Z \mapsto \llbracket \mu Z^\alpha.\hat{\psi} \rrbracket_{v'}]}$ (by ind. hyp. on $\alpha$), hence equals $\llbracket \mu Z^{\alpha+1}.\hat{\psi} \rrbracket_{v'}$.

Case $\varphi = \Diamond\psi$: $h^{-1}(\llbracket \Diamond\psi \rrbracket_v) = h^{-1}(\mathit{Pre}(\llbracket \psi \rrbracket_v)) = h^{-1}\big(h(\llbracket s \rrbracket \cap \mathit{Pre}(h^{-1}(\llbracket \psi \rrbracket_v)))\big)$ (Lemma 3.3) $= h^{-1}\big(h(\llbracket s \rrbracket \cap \mathit{Pre}(\llbracket \hat{\psi} \rrbracket_{v'}))\big)$ by ind. hyp. This is $h^{-1}\big(h(\llbracket s \wedge \Diamond\hat{\psi} \rrbracket_{v'})\big)$, or $\llbracket \widehat{\Diamond\psi} \rrbracket_{v'}$ (Lemma 3.5).

Remaining cases: The case where $\varphi$ is some $\varphi_1 \vee \varphi_2$ is obvious and the remaining cases are obtained by duality.

Corollary 3.7 For $x' \in h^{-1}(x)$ and $\varphi$ a closed formula, $x \models_K \varphi$ iff $x' \models_L \hat{\varphi}$.

PROOF. Lemma 3.6 provides the $\Rightarrow$ direction, and the $\Leftarrow$ direction too once we observe that $h \circ h^{-1} = \mathrm{Id}_Q$.
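As an added example (not code from the paper, which provides none), the following Python script implements the semantics of Section 2 by iterating approximants, builds the loop L and the map h of Section 3 from a constructed three-state K, applies the translation $\varphi \mapsto \hat{\varphi}$, and checks Corollary 3.7 and Lemma 3.3 on that instance. Formulas are nested tuples; the variable names '_Z' and '_W' are assumed fresh, and the propositions s and d are assumed not to be state names of K.

```python
# Added example, not the paper's code: the semantics of Section 2 over a finite KS,
# the loop L and map h of Section 3, and the translation phi -> phi_hat.
def sem(f, K, v):
    # States of K = (Q, R, l) where f holds under context v.  Formulas are tuples:
    # ('p',a) ('np',a) ('var',Z) ('and',f,g) ('or',f,g) ('dia',f) ('box',f) ('mu',Z,f) ('nu',Z,f)
    Q, R, l = K
    op = f[0]
    if op == 'p':   return {x for x in Q if f[1] in l[x]}
    if op == 'np':  return {x for x in Q if f[1] not in l[x]}
    if op == 'var': return set(v[f[1]])
    if op == 'and': return sem(f[1], K, v) & sem(f[2], K, v)
    if op == 'or':  return sem(f[1], K, v) | sem(f[2], K, v)
    if op in ('dia', 'box'):
        S = sem(f[1], K, v)
        if op == 'dia':  # Pre(S): some successor lies in S
            return {x for x in Q if any((x, y) in R for y in S)}
        return {x for x in Q if all(y in S for (x2, y) in R if x2 == x)}  # all successors in S
    U = set() if op == 'mu' else set(Q)  # mu/nu: approximants from the empty set / from Q
    while True:                          # K is finite, so the sequence stabilises
        U2 = sem(f[2], K, {**v, f[1]: U})
        if U2 == U: return U
        U = U2
def EF(f, Z): return ('mu', Z, ('or', f, ('dia', ('var', Z))))
def AG(f, Z): return ('nu', Z, ('and', f, ('box', ('var', Z))))
def imp(a, f): return ('or', ('np', a), f)   # a => f, for a proposition a
def big(op, fs):                             # n-ary conjunction / disjunction
    return fs[0] if len(fs) == 1 else (op, fs[0], big(op, fs[1:]))
def loop_of(K):  # L = (Q', R', l') listing the transitions r_1..r_n of K, plus the map h
    Q, R, l = K
    trans, n = sorted(R), len(R)
    Q2, R2, l2, h = [], set(), {}, {}
    for i, (x, y) in enumerate(trans, 1):
        s, d = ('s', i), ('d', i)
        Q2 += [s, d]
        R2 |= {(s, d), (d, ('s', i % n + 1))}
        l2[s], l2[d], h[s], h[d] = {x, 's'}, {y, 'd'}, x, y
    return (Q2, R2, l2), h
def hat(f, Q):  # phi_hat; '_Z' is the paper's fresh Z, '_W' the variable inside EF/AG (assumed fresh)
    op = f[0]
    if op in ('p', 'np', 'var'): return f
    if op in ('and', 'or'):      return (op, hat(f[1], Q), hat(f[2], Q))
    if op in ('mu', 'nu'):       return (op, f[1], hat(f[2], Q))
    if op == 'dia':  # mu Z.[(s and <>phi_hat) or psi(Z)],  psi(Z) = OR_x (x and EF(x and Z))
        psi = big('or', [('and', ('p', x), EF(('and', ('p', x), ('var', '_Z')), '_W')) for x in Q])
        return ('mu', '_Z', ('or', ('and', ('p', 's'), ('dia', hat(f[1], Q))), psi))
    chi = big('and', [imp(x, AG(imp(x, ('var', '_Z')), '_W')) for x in Q])  # chi(Z) = AND_x (x => AG(x => Z))
    return ('nu', '_Z', ('and', imp('s', ('box', hat(f[1], Q))), chi))      # nu Z.[(s => []phi_hat) and chi(Z)]
def check(K, f):  # Corollary 3.7: x |=_K phi iff every x' in h^-1(x) satisfies phi_hat in L
    L, h = loop_of(K)
    satK, satL = sem(f, K, {}), sem(hat(f, K[0]), L, {})
    return all((h[x2] in satK) == (x2 in satL) for x2 in L[0]), satK
# Constructed K with AP = Q and l the identity: a->b, a->c, b->b, c->a
K = ({'a', 'b', 'c'}, {('a', 'b'), ('a', 'c'), ('b', 'b'), ('c', 'a')}, {q: {q} for q in 'abc'})
PHI = ('dia', ('mu', 'X', ('or', ('p', 'b'), ('box', ('var', 'X')))))  # <>(mu X. b or []X)
print(check(K, PHI))  # -> (True, {'a', 'b'})
```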
Regarding alternation depth, we refer to [10,2]. A $\mu$-calculus formula is in $\Sigma_0$ ($= \Pi_0$) iff it contains no fixpoint operation. Then, for $n \in \mathbb{N}$, $\Sigma_{n+1}$ is defined as the smallest class of formulae that contains $\Sigma_n \cup \Pi_n$ and is closed under conjunctions and disjunctions, $\Diamond$- and $\Box$-modalities, least fixed points $\mu Z.\varphi$ with $\varphi \in \Sigma_{n+1}$, and substitution of $\varphi' \in \Sigma_{n+1}$ for a free variable of a formula $\varphi \in \Sigma_{n+1}$, provided that no free variable of $\varphi'$ is captured by $\varphi$. $\Pi_{n+1}$ is defined dually.

Proposition 3.8 If $\varphi \in \Sigma_n$ (or dually, $\Pi_n$), then $\hat{\varphi}$ is in $\Sigma_{\max(n,2)}$ (resp. $\Pi_{\max(n,2)}$).

PROOF. By indu
ction on the structure of $\varphi$. The only difficult cases are $\Diamond$- and $\Box$-formulae. If $\varphi = \Diamond\psi$, with $\psi \in \Sigma_n$, the induction hypothesis yields that $\hat{\psi} \in \Sigma_{\max(n,1)}$. Then $\hat{\varphi}$ is obtained from $\mu Z.\big[(s \wedge \Diamond W) \vee \psi(Z)\big]$, a $\Sigma_1$-formula, by substituting $\hat{\psi}$ for W. If $\varphi = \Box\psi$, we substitute in a $\Pi_1$ (hence $\Sigma_2$) formula.
4 Finite paths and acyclic structures

It is well-known that, for acyclic KSs, $B_\mu$ model checking can be done in polynomial time (hence is PTIME-complete), see, e.g., [9]. Thus model checking finite paths is in polynomial time and it is not surprising that we could not reduce model checking of loops to model checking of paths: with Theorem 3.1, this would have solved the general $B_\mu$ model-checking problem.

However, even if finite paths seem easier than finite loops, they are not easier than arbitrary acyclic KSs as we now show.

Theorem 4.1 $B_\mu$ model checking of finite paths is PTIME-complete.

For this result, it turns out that the reduction from the previous section adapts very easily. If we omit the step $d_n \to s_1$ that closed the loop, we obtain a finite path $K'$ where, assuming that the transitions $R = \{r_1, \ldots, r_n\}$ of the acyclic K are given in some topological order, for every vertex of K, the destination copies (if any) occur before the source copies. That way, we get:

Lemma 4.2 Given $x', y'$ s.t. $h(x') = h(y')$ and $x'$ occurs before $y'$, for any formula $\varphi \in B_\mu$ and any context $v : V \to 2^Q$, writing $v' = h^{-1} \circ v$, we have: if $y' \in \llbracket \hat{\varphi} \rrbracket_{v'}$, then $x' \in \llbracket \hat{\varphi} \rrbracket_{v'}$.

That result can easily be shown by induction. We then obtain weaker versions of Lemmas 3.4, 3.5 and 3.6:

Lemma 4.3 Assuming Y and Z are distinct variables, for any context $v'$, we have
$h\big(\llbracket \psi(Y) \rrbracket^{K'}_{v'}\big) = h\big(\llbracket Y \rrbracket^{K'}_{v'}\big) = h\big(\llbracket \mu Z.(Y \vee \psi(Z)) \rrbracket^{K'}_{v'}\big)$.

Lemma 4.4 For any formula $\varphi$ of $B_\mu$ involving atomic propositions in AP, context $v : V \to 2^Q$, and writing $v'$ for $h^{-1} \circ v$:
$\llbracket \varphi \rrbracket^K_v = h\big(\llbracket \hat{\varphi} \rrbracket^{K'}_{v'} \cap \llbracket s \rrbracket\big)$ and $h^{-1}\big(\llbracket \varphi \rrbracket^K_v\big) \cap \llbracket d \rrbracket = \llbracket \hat{\varphi} \rrbracket^{K'}_{v'} \cap \llbracket d \rrbracket$.

Now, clearly, a state in K satisfies formula $\varphi$ iff its first source copy in $K'$ satisfies $\hat{\varphi}$.
5 Paths, loops, and backwards modalities

Model checking of loops reduces to finite paths when one considers $2B_\mu$, or 2-way $B_\mu$, the extension of $B_\mu$ with backwards modalities $\Diamond^{-1}$ and $\Box^{-1}$. One lets $x \models \Diamond^{-1}\varphi$ iff there is some $y \models \varphi$ with $y \to x$, and dually for $\Box^{-1}$ [13].

Theorem 5.1 The following three problems are logspace inter-reducible:
(a) $B_\mu$ model checking of loops,
(b) $2B_\mu$ model checking of loops,
(c) $2B_\mu$ model checking of finite paths.

Corollary 5.2 These three problems are equivalent to $B_\mu$ model checking on arbitrary KSs. They are thus PTIME-hard, and in UP $\cap$ coUP.

PROOF. (of Theorem 5.1) Since (a) is a special case of (b), we only need two reductions.

(b reduces to c) Let L be a loop $x_1 \to x_2 \to \cdots \to x_n\ (\to x_1)$. With L, the reduction associates a finite path F of the form $x_0 \to x_1 \to x_2 \to \cdots \to x_n \to x_{n+1}$. The labeling of F is inherited from L (and irrelevant for $x_0$ and $x_{n+1}$). The reduction translates a formula $\varphi$ to a $\varphi'$ such that $\llbracket \varphi' \rrbracket^F \setminus \{x_0, x_{n+1}\} = \llbracket \varphi \rrbracket^L$. The translation is obtained with

$(\Diamond\varphi)' \stackrel{\mathrm{def}}{=} \mu Z.\Big[\big(\Diamond\varphi' \wedge \Diamond\Diamond\top\big) \vee (\Diamond^{-1})^n Z\Big]$
$(\Diamond^{-1}\varphi)' \stackrel{\mathrm{def}}{=} \mu Z.\Big[\big(\Diamond^{-1}\varphi' \wedge \Diamond^{-1}\Diamond^{-1}\top\big) \vee (\Diamond)^n Z\Big]$

One adds dual clauses for $(\Box\varphi)'$ and $(\Box^{-1}\varphi)'$, and obvious clauses, like $(\mu Z.\varphi)' \stackrel{\mathrm{def}}{=} \mu Z.(\varphi')$, for the other constructs. Then $|\varphi'|$ is in $O(|\varphi| \cdot |L|)$.

(c reduces to a) Let F be a finite path $x_1 \to x_2 \to \cdots \to x_n$. A loop L is obtained from F by adding a transition $x_n \to x_1$ and labeling $x_1$ with a new additional proposition i. The reduction then translates a formula $\varphi$ to a $\varphi'$ without backwards modalities, and such that $\llbracket \varphi' \rrbracket^L = \llbracket \varphi \rrbracket^F$. We use

$(\Diamond\varphi)' \stackrel{\mathrm{def}}{=} \Diamond(\varphi' \wedge \neg i)$ and $(\Diamond^{-1}\varphi)' \stackrel{\mathrm{def}}{=} \neg i \wedge \Diamond^{n-1}\varphi'$

and obvious remaining clauses. Again, $|\varphi'|$ is in $O(|\varphi| \cdot |L|)$.
6 Conclusion

We proved that $\mu$-calculus model checking is not easier when restricting to deterministic Kripke structures having the form of a single loop. On the other hand, we could not reduce model checking of finite loops to model checking of finite paths, a PTIME-complete problem. These results help understand what makes $\mu$-calculus model checking difficult.

It comes as a surprise that neither of these two results fits the pattern we exhibited for several other logics [8], where checking nondeterministic KSs is harder than checking deterministic loops, and where finite loops are no harder than finite paths. A possible explanation for the first discrepancy is the expressive power of the $\mu$-calculus, that allows the reduction we developed in Section 3. The second discrepancy is harder to justify, but would disappear if $\mu$-calculus model checking were proved to be in PTIME.

Acknowledgments. We thank Misa Keinanen for drawing our attention to the $\mu$-calculus path model-checking problem.
References

[1] C. Artho, H. Barringer, A. Goldberg, K. Havelund, S. Khurshid, M. Lowry, C. Pasareanu, G. Rosu, K. Sen, W. Visser, and R. Washington. Combining test case generation and runtime verification. Theoretical Computer Science, 336(2-3):209-234, 2005.
[2] J. C. Bradfield. The modal mu-calculus alternation hierarchy is strict. Theoretical Computer Science, 195(2):133-153, 1998.
[3] J. C. Bradfield and C. Stirling. Modal logics and mu-calculi: an introduction. In Handbook of Process Algebra, chapter 4, pages 293-330. Elsevier, 2001.
[4] S. Demri and Ph. Schnoebelen. The complexity of propositional linear temporal logics in simple cases. Information and Computation, 174(1):84-103, 2002.
[5] K. Havelund and G. Rosu. An overview of the runtime verification tool Java PathExplorer. Formal Methods in System Design, 24(2):189-215, 2004.
[6] T. Herault, R. Lassaigne, F. Magniette, and S. Peyronnet. Approximate probabilistic model checking. In Proc. 5th Int. Conf. Verification, Model Checking, and Abstract Interpretation (VMCAI'04), Venice, Italy, Jan. 2004, volume 2937 of LNCS, pages 73-84. Springer, 2004.
[7] M. Jurdziński. Deciding the winner in parity games is in UP ∩ coUP. Information Processing Letters, 68(3):119-124, 1998.
[8] N. Markey and Ph. Schnoebelen. Model checking a path (preliminary report). In Proc. 14th Int. Conf. Concurrency Theory (CONCUR'03), Marseille, France, August 2003, volume 2761 of LNCS, pages 251-265. Springer, 2003.
[9] R. Mateescu. Local model-checking of modal mu-calculus on acyclic labeled transition systems. In Proceedings of the 8th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'02), Grenoble, France, April 2002, volume 2280 of LNCS, pages 281-295. Springer, 2002.
[10] D. Niwiński. On fixed point clones. In Proc. 13th Int. Coll. Automata, Languages and Programming (ICALP'86), Rennes, France, July 1986, volume 226 of LNCS, pages 464-473. Springer, 1986.
[11] M. Roger and J. Goubault-Larrecq. Log auditing through model checking. In Proc. 14th IEEE Computer Security Foundations Workshop (CSFW'01), pages 220-236, Cape Breton, Nova Scotia, Canada, June 2001. IEEE Comp. Soc. Press.
[12] M. Y. Vardi. A temporal fixpoint calculus. In Proc. 15th ACM Symp. Principles of Programming Languages (POPL'88), San Diego, CA, USA, Jan. 1988, pages 250-259, 1988.
[13] M. Y. Vardi. Reasoning about the past with two-way automata. In Proc. 25th Int. Coll. Automata, Languages, and Programming (ICALP'98), Aalborg, Denmark, July 1998, volume 1443 of LNCS, pages 628-641. Springer, 1998.