Abstract
Model checking is a powerful method widely explored in formal verification. Given a model of a system, e.g., a Kripke structure, and a formula specifying its expected behaviour, one can verify whether the system meets the behaviour by checking the formula against the model. Classically, system behaviour is expressed by a formula of a temporal logic, such as LTL and the like. These logics are “point-wise” interpreted, as they describe how the system evolves state-by-state. However, there are relevant properties, such as those constraining the temporal relations between pairs of temporally extended events or involving temporal aggregations, which are inherently “interval-based”, and thus asking for an interval temporal logic. In this paper, we give a formalization of the model checking problem in an interval logic setting. First, we provide an interpretation of formulas of Halpern and Shoham’s interval temporal logic HS over finite Kripke structures, which allows one to check interval properties of computations. Then, we prove that the model checking problem for HS against finite Kripke structures is decidable by a suitable small model theorem, and we provide a lower bound to its computational complexity.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
As a matter of fact, the same argument can be given by referring to suffixes instead of prefixes. Anyway, as one can easily see, making use of both the right extension and the left extension properties does not allow us to improve the claimed bound.
If a track \(\overline{\rho }\) was considered in place of \(\tilde{\rho }\), with the same \({\textit{BE}}_k\)-descriptor \(\mathcal {D}_{{\textit{BE}}_k}\) as \(\tilde{\rho }\), by the right extension property, both \(\tilde{\rho }\cdot \rho \) and \(\overline{\rho }\cdot \rho \) are associated with the same descriptor as well.
References
Allen, J.F.: Maintaining knowledge about temporal intervals. Commun. ACM 26(11), 832–843 (1983)
Bresolin, D., Della Monica, D., Goranko, V., Montanari, A., Sciavicco, G.: The dark side of interval temporal logic: marking the undecidability border. Ann. Math. Artif. Intell. 71(1–3), 41–83 (2014)
Bresolin, D., Goranko, V., Montanari, A., Sala, P.: Tableau-based decision procedures for the logics of subinterval structures over dense orderings. J. Log. Comput. 20(1), 133–166 (2010)
Bresolin, D., Goranko, V., Montanari, A., Sciavicco, G.: Propositional interval neighborhood logics: expressiveness, decidability, and undecidable extensions. Ann. Pure Appl. Log. 161(3), 289–304 (2009)
Bresolin, D., Montanari, A., Sala, P., Sciavicco, G.: What’s decidable about Halpern and Shoham’s interval logic? The maximal fragment \({\sf AB}{\overline{\sf BL}}\). In: Proceedings of the 26th LICS. IEEE Comp. Society Press, pp. 387–396 (2011)
Clarke, E.M., Emerson, E.A.: Design and synthesis of synchronization skeletons using branching-time temporal logic. In: Proceedings of the Workshop on Logic of Programs, LNCS, vol. 131. Springer, pp. 52–71 (1981)
Clarke, E.M., Grumberg, O., Peled, D.A.: Model Checking. MIT Press, Cambridge (2002)
Della Monica, D., Goranko, V., Montanari, A., Sciavicco, G.: Interval temporal logics: a journey. Bull. EATCS 105, 73–99 (2011)
Gabbay, D.M.: The declarative past and imperative future: executable temporal logic for interactive systems. In: Proceedings of Temporal Logic in Specification, LNCS, vol. 398. Springer, pp. 409–448 (1987)
Goranko, V., Montanari, A., Sciavicco, G.: A road map of interval temporal logics and duration calculi. J. Appl. Non-Classical Log. 14(1–2), 9–54 (2004)
Halpern, J.Y., Shoham, Y.: A propositional modal logic of time intervals. J. ACM 38(4), 935–962 (1991)
Lange, M.: Model checking propositional dynamic logic with all extras. J. Appl. Log. 4(1), 39–49 (2006)
Lodaya, K.: Sharpening the undecidability of interval temporal logic. In: Proceedings of the 6th ASIAN, LNCS, vol. 1961, pp. 290–298 (2000)
Lomuscio, A.R., Michaliszyn, J.: An epistemic Halpern–Shoham logic. In: Proceedings of the 23rd IJCAI. AAAI Press/International Joint Conferences on Artificial Intelligence (2013)
Lomuscio, A.R., Michaliszyn, J.: Decidability of model checking multi-agent systems against a class of EHS specifications. In: Proceedings of the 21st ECAI, pp. 543–548 (2014)
Marcinkowski, J., Michaliszyn, J.: The undecidability of the logic of subintervals. Fundam. Inf. 131(2), 217–240 (2014)
Montanari, A., Murano, A., Perelli, G., Peron, A.: Checking interval properties of computations. In: Proceedings of the 21st TIME, pp. 59–68 (2014)
Montanari, A., Puppis, G., Sala, P.: Maximal decidable fragments of Halpern and Shoham’s modal logic of intervals. In: Proceedings of the 37th ICALP, LNCS, vol. 6199, pp. 345–356 (2010)
Moszkowski, B.: Reasoning About Digital Circuits. PhD thesis, Department of Computer Science, Stanford University, Stanford, CA (1983)
Papadimitriou, C.H.: Computational Complexity. Addison-Wesley, Reading (1994)
Pnueli, A.: The temporal logic of programs. In: Proceedings of the 18th FOCS, pp. 46–57 (1977)
Pnueli, A.: The Temporal Semantics of Concurrent Programs. Theor. Comput. Sci. 13, 45–60 (1981)
Queille, J.P., Sifakis, J.:Specification and verification of concurrent programs in CESAR. In: Proceedings of the 6th SP, LNCS, vol. 137. Springer, pp. 337–351 (1981)
Roeper, P.: Intervals and tenses. J. Philos. Log. 9, 451–469 (1980)
Sipser, M.: Introduction to the Theory of Computation, 3rd edn. International Thomson Publishing, New York (2012)
Sistla, A.P., Clarke, E.M.: The complexity of propositional linear temporal logics. J. ACM 32(3), 733–749 (1985)
Vardi, M.Y., Wolper, P.: An automata-theoretic approach to automatic program verification. In: Proceedings of the 1st LICS. IEEE Comp. Society Press, pp. 332–344 (1986)
Venema, Y.: A modal logic for chopping intervals. J. Log. Comput. 1(4), 453–476 (1991)
Acknowledgments
We would like to thank the anonymous reviewers whose comments and suggestions helped us to improve the paper. Angelo Montanari, Aniello Murano, and Adriano Peron acknowledge the support from the GNCS project: “Algorithmica for model checking and synthesis of safety-critical systems”. Aniello Murano and Adriano Peron also acknowledge the support from the FP7 EU Project 600958-SHERPA.
Author information
Authors and Affiliations
Corresponding author
Appendix
Appendix
Proof of Lemma 1.
Proof
The proof is by induction on \(n\ge 0\). Let \(\mathcal {D}_{{\textit{BE}}_k}\) and \(\mathcal {D}'_{{\textit{BE}}_k}\) be the \({\textit{BE}}_k\)-descriptors for \(\rho \) and \(\rho '\), respectively.
Base case (\(n=0\)). Since \(\mathcal {K},\rho \models p\iff \mathcal {K},\rho '\models p\), for any \(p\in \mathcal {AP}\), the roots of \(\mathcal {D}_{{\textit{BE}}_k}\) and \(\mathcal {D}_{{\textit{BE}}_k}'\) are labelled by the same set of proposition letters and the descriptors are corresponding up to depth 0.
Inductive step (\(n \ge 1\)). We preliminarily show that if \(\mathcal {K}, \rho \models \varphi \iff \mathcal {K}, \rho ' \models \varphi \) for all HS formulas \(\varphi \) with \({{\mathrm{Nest_{BE}}}}(\varphi ) \le k\) and \({{\mathrm{Nest}}}(\varphi )\le n\), then for any track \(\overline{\rho }\in {{\mathrm{Trk}}}_\mathcal {K}\), with \({{\mathrm{fst}}}(\overline{\rho })={{\mathrm{lst}}}(\rho )\), there is a track \(\overline{\rho }'\in {{\mathrm{Trk}}}_\mathcal {K}\), with \({{\mathrm{fst}}}(\overline{\rho }')={{\mathrm{lst}}}(\rho ')\), such that, for all HS formulas \(\psi \), with \({{\mathrm{Nest}}}(\psi )\le n-1\) and \({{\mathrm{Nest_{BE}}}}(\psi )\le k\), \(\mathcal {K},\overline{\rho }\models \psi \iff \mathcal {K},\overline{\rho }'\models \psi \). The proof is by contradiction. Suppose that there exists a track \(\overline{\rho }\in {{\mathrm{Trk}}}_\mathcal {K}\), with \({{\mathrm{fst}}}(\overline{\rho })={{\mathrm{lst}}}(\rho )\), such that, for all tracks \(\overline{\rho }'\in {{\mathrm{Trk}}}_\mathcal {K}\), with \({{\mathrm{fst}}}(\overline{\rho }')={{\mathrm{lst}}}(\rho ')\), there exists a formula \(\psi \), with \({{\mathrm{Nest}}}(\psi )\le n-1\) and \({{\mathrm{Nest_{BE}}}}(\psi )\le k\), such that \(\mathcal {K},\overline{\rho }\models \psi \) and \(\mathcal {K},\overline{\rho }'\not \models \psi \). Let H be the set of those tracks \(\hat{\rho }\) such that \({{\mathrm{fst}}}(\hat{\rho })={{\mathrm{lst}}}(\rho ')\). H can be partitioned into a finite number of classes, say \(s \ge 1\), each one containing k-descriptor equivalent tracks of H (remind that k-descriptor equivalence is an equivalence relation of finite index). Now, let \(\{\overline{\rho }'_1,\overline{\rho }'_2,\ldots , \overline{\rho }'_s\}\) be a set of track representatives, chosen one for each equivalence class induced by \(\sim _k\) on H (for all \(1\le \ i<j\le s\), \(\overline{\rho }'_i\) and \(\overline{\rho }'_j\) have distinct \({\textit{BE}}_k\)-descriptors). By Theorem 1, tracks which are k-descriptor equivalent satisfy the same set of formulas \(\psi '\), with \({{\mathrm{Nest_{BE}}}}(\psi ')\le k\). So there are formulas \(\psi _1, \ldots ,\psi _s\) such that, for all \( 1 \le i \le s\), \({{\mathrm{Nest}}}(\psi _i)\le n-1\), \({{\mathrm{Nest_{BE}}}}(\psi _i)\le k\), \(\mathcal {K},\overline{\rho }\models \psi _i\), and \(\mathcal {K},\overline{\rho }'_i\not \models \psi _i\). It easily follows that \(\mathcal {K},\overline{\rho }\models \psi _1\wedge \psi _2\wedge \cdots \wedge \psi _s\) and, for all \(1 \le i \le s\), \(\mathcal {K},\overline{\rho }'_i\models \lnot \psi _1\vee \lnot \psi _2\vee \cdots \vee \lnot \psi _s\). Hence, \(\mathcal {K},\rho \models {{\mathrm{\langle A\rangle }}}(\psi _1\wedge \psi _2\wedge \cdots \wedge \psi _s)\) and \(\mathcal {K},\rho '\models [A](\lnot \psi _1\vee \lnot \psi _2\vee \cdots \vee \lnot \psi _s)\), that is, \(\mathcal {K},\rho '\not \models {{\mathrm{\langle A\rangle }}}(\psi _1\wedge \psi _2\wedge \cdots \wedge \psi _s)\), which is a contradiction.
Thus, we have proved that for any track \(\overline{\rho }\in {{\mathrm{Trk}}}_\mathcal {K}\), with \({{\mathrm{fst}}}(\overline{\rho })={{\mathrm{lst}}}(\rho )\), there exists a track \(\overline{\rho }'\in {{\mathrm{Trk}}}_\mathcal {K}\), with \({{\mathrm{fst}}}(\overline{\rho }')={{\mathrm{lst}}}(\rho ')\), such that, for all HS formulas \(\psi \), with \({{\mathrm{Nest}}}(\psi )\le n-1\) and \({{\mathrm{Nest_{BE}}}}(\psi )\le k\), \(\mathcal {K},\overline{\rho }\models \psi \iff \mathcal {K},\overline{\rho }'\models \psi \). By the inductive hypothesis, \(\overline{\rho }\) and \(\overline{\rho }'\) are associated with corresponding \({\textit{BE}}_k\)-descriptors up to depth \(n-1\). Symmetrically, we can show that for any track \(\overline{\rho }'\in {{\mathrm{Trk}}}_\mathcal {K}\), with \({{\mathrm{fst}}}(\overline{\rho }')={{\mathrm{lst}}}(\rho ')\), there exists \(\overline{\rho }\in {{\mathrm{Trk}}}_\mathcal {K}\), with \({{\mathrm{fst}}}(\overline{\rho })={{\mathrm{lst}}}(\rho )\), such that \(\overline{\rho }'\) and \(\overline{\rho }\) are associated with corresponding \({\textit{BE}}_k\)-descriptors up to depth \(n-1\). In this way, we have proved the condition for modality A of Definition of 17. The conditions for modalities \(\overline{A}\), \(\overline{B}\), and \(\overline{E}\) can be proved in a very similar way. In particular, as a consequence of the fact that \(\mathcal {K}, \rho \models \varphi \iff \mathcal {K}, \rho ' \models \varphi \) for all HS formulas \(\varphi \) with \({{\mathrm{Nest_{BE}}}}(\varphi ) \le k\) and \({{\mathrm{Nest}}}(\varphi )\le n\), with \(n\ge 1\), it holds that \(\mathcal {K},\rho \models {{\mathrm{\langle \overline{A}\rangle }}}\top \iff \mathcal {K},\rho '\models {{\mathrm{\langle \overline{A}\rangle }}}\top \). It follows that \(\mathcal {D}_{{\textit{BE}}_k}\) has an \(\overline{A}\)-successor if and only if \(\mathcal {D}'_{{\textit{BE}}_k}\) has one. The same holds for \(\overline{E}\)-successors.
Let us now consider the condition for modality B of Definition of 17.
First of all, we show that for any track \(\overline{\rho }\in {{\mathrm{Pref}}}(\rho )\), there exists a track \(\overline{\rho }'\in {{\mathrm{Pref}}}(\rho ')\) such that for all HS formulas \(\psi \), with \({{\mathrm{Nest}}}(\psi )\le n-1\) and \({{\mathrm{Nest_{BE}}}}(\psi )\le k-1\), \(\mathcal {K},\overline{\rho }\models \psi \iff \mathcal {K},\overline{\rho }'\models \psi \). The proof is again by contradiction. Suppose that there exists a track \(\overline{\rho }\in {{\mathrm{Pref}}}(\rho )\) such that, for all tracks \(\overline{\rho }'\in {{\mathrm{Pref}}}(\rho ')\), there exists a formula \(\psi \), with \({{\mathrm{Nest}}}(\psi )\le n-1\) and \({{\mathrm{Nest_{BE}}}}(\psi )\le k-1\), such that \(\mathcal {K},\overline{\rho }\models \psi \) and \(\mathcal {K},\overline{\rho }'\not \models \psi \). Now, let us consider the tracks \(\overline{\rho }'_1,\overline{\rho }'_2,\ldots , \overline{\rho }'_s\) (for some \(s\in \mathbb {N}\)) which are prefixes of \(\rho '\) and are associated with distinct subtrees of depth \(k-1\) of the \({\textit{BE}}_k\)-descriptor for \(\rho '\) (the number of these tracks is obviously finite). So there are formulas \(\psi _1, \ldots ,\psi _s\) such that, for all \( 1 \le i \le s\), \({{\mathrm{Nest}}}(\psi _i)\le n-1\), \({{\mathrm{Nest_{BE}}}}(\psi _i)\le k-1\), \(\mathcal {K},\overline{\rho }\models \psi _i\), and \(\mathcal {K},\overline{\rho }'_i\not \models \psi _i\). Thus, \(\mathcal {K},\overline{\rho }\models \psi _1\wedge \psi _2\wedge \cdots \wedge \psi _s\) and for all i, \(\mathcal {K},\overline{\rho }'_i\models \lnot \psi _1\vee \lnot \psi _2\vee \cdots \vee \lnot \psi _s\).
Hence \(\mathcal {K},\rho \models {{\mathrm{\langle B\rangle }}}(\psi _1\wedge \psi _2\wedge \cdots \wedge \psi _s)\) and \(\mathcal {K},\rho '\models [B](\lnot \psi _1\vee \lnot \psi _2\vee \cdots \vee \lnot \psi _s)\), that is \(\mathcal {K},\rho '\not \models {{\mathrm{\langle B\rangle }}}(\psi _1\wedge \psi _2\wedge \cdots \wedge \psi _s)\), which leads to a contradiction.
We have proved that for any track \(\overline{\rho }\in {{\mathrm{Pref}}}(\rho )\), there exists a track \(\overline{\rho }'\in {{\mathrm{Pref}}}(\rho ')\) such that, for all HS formulas \(\psi \), with \({{\mathrm{Nest}}}(\psi )\le n-1\) and \({{\mathrm{Nest_{BE}}}}(\psi )\le k-1\), \(\mathcal {K},\overline{\rho }\models \psi \iff \mathcal {K},\overline{\rho }'\models \psi \). By the inductive hypothesis, \(\overline{\rho }\) and \(\overline{\rho }'\) are associated with corresponding \({\textit{BE}}_{k-1}\)-descriptors up to depth \(n-1\). Symmetrically, we can show that for any track \(\overline{\rho }'\in {{\mathrm{Pref}}}(\rho ')\), there exists a track \(\overline{\rho }\in {{\mathrm{Pref}}}(\rho )\) such that \(\overline{\rho }'\) and \(\overline{\rho }\) are associated with corresponding \({\textit{BE}}_{k-1}\)-descriptors up to depth \(n-1\).
In this way, we have proved the condition for modality B of Definition of 17. The condition for modality E can be proved in a symmetrical way. \(\square \)
Proof of Lemma 2.
Proof
The proof is by induction on \(n\ge 0\).
Base case (\(n = 0\)). Consider the descriptors \(\mathcal {D}_{{\textit{BE}}_k}\), \(\mathcal {D}_{{\textit{BE}}_k}'\), \(\mathcal {D}_{{\textit{BE}}_k}|_{k-1}\), and \(\mathcal {D}_{{\textit{BE}}_k}'|_{k-1}\). Since the roots of \(\mathcal {D}_{{\textit{BE}}_k}\) and \(\mathcal {D}_{{\textit{BE}}_k}'\) are labelled by the same set of proposition letters, the roots of \(\mathcal {D}_{{\textit{BE}}_k}|_{k-1}\) and \(\mathcal {D}_{{\textit{BE}}_k}'|_{k-1}\) are labelled by the same set of proposition letters as well.
Inductive step (\(n>0\)). Let \(\rho ,\rho '\in {{\mathrm{Trk}}}_\mathcal {K}\) be two witnesses for \(\mathcal {D}_{{\textit{BE}}_k}\) and for \(\mathcal {D}_{{\textit{BE}}_k}'\), respectively (and thus for \(\mathcal {D}_{{\textit{BE}}_k}|_{k-1}\) and and \(\mathcal {D}_{{\textit{BE}}_k}'|_{k-1}\), respectively). Consider a track \(\tilde{\rho }\in {{\mathrm{Trk}}}_\mathcal {K}\), with \({{\mathrm{fst}}}(\tilde{\rho })={{\mathrm{lst}}}(\rho )\). The \({\textit{BE}}_k\)-descriptor \(\tilde{\mathcal {D}_{{\textit{BE}}_k}}\) for \(\tilde{\rho }\) is an A-successor of \(\mathcal {D}_{{\textit{BE}}_k}\), and \(\tilde{\mathcal {D}_{{\textit{BE}}_k}}|_{k-1}\) is an A-successor of \(\mathcal {D}_{{\textit{BE}}_k}|_{k-1}\). Since \(\mathcal {D}_{{\textit{BE}}_k}\) and \(\mathcal {D}_{{\textit{BE}}_k}'\) are corresponding up to depth n, there exists a track \(\overline{\rho }\in {{\mathrm{Trk}}}_\mathcal {K}\), with \({{\mathrm{fst}}}(\overline{\rho })={{\mathrm{lst}}}(\rho ')\), described by \(\overline{\mathcal {D}_{{\textit{BE}}_k}}\), such that \(\tilde{\mathcal {D}_{{\textit{BE}}_k}}\) and \(\overline{\mathcal {D}_{{\textit{BE}}_k}}\) are corresponding up to depth \(n-1\). By the inductive hypothesis, \(\tilde{\mathcal {D}_{{\textit{BE}}_k}}|_{k-1}\) and \(\overline{\mathcal {D}_{{\textit{BE}}_k}}|_{k-1}\) are corresponding up to depth \(n-1\) (and, obviously, \(\overline{\mathcal {D}_{{\textit{BE}}_k}}|_{k-1}\) is an A-successor of \(\mathcal {D}_{{\textit{BE}}_k}'|_{k-1}\)).
Let us consider now a track \(\hat{\rho }\), with \(({{\mathrm{lst}}}(\rho ),{{\mathrm{fst}}}(\hat{\rho }))\in \delta \) and \(\rho \cdot \hat{\rho }\in {{\mathrm{Trk}}}_\mathcal {K}\). The \({\textit{BE}}_k\)-descriptor \(\hat{\mathcal {D}_{{\textit{BE}}_k}}\) of \(\rho \cdot \hat{\rho }\) is a \(\overline{B}\)-successor of \(\mathcal {D}_{{\textit{BE}}_k}\) and \(\hat{\mathcal {D}_{{\textit{BE}}_k}}|_{k-1}\) is a \(\overline{B}\)-successor of \(\mathcal {D}_{{\textit{BE}}_k}|_{k-1}\). Since \(\mathcal {D}_{{\textit{BE}}_k}\) and \(\mathcal {D}_{{\textit{BE}}_k}'\) are corresponding up to depth n, there exists a track \(\check{\rho }\) such that \(({{\mathrm{lst}}}(\rho '),{{\mathrm{fst}}}(\check{\rho }))\in \delta \), \(\rho '\cdot \check{\rho }\) is described by \(\check{\mathcal {D}_{{\textit{BE}}_k}}\), and \(\hat{\mathcal {D}_{{\textit{BE}}_k}}\) and \(\check{\mathcal {D}_{{\textit{BE}}_k}}\) are corresponding up to depth \(n-1\). By the inductive hypothesis, \(\hat{\mathcal {D}_{{\textit{BE}}_k}}|_{k-1}\) and \(\check{\mathcal {D}_{{\textit{BE}}_k}}|_{k-1}\) are corresponding up to depth \(n-1\) (and, obviously, \(\check{\mathcal {D}_{{\textit{BE}}_k}}|_{k-1}\) is a \(\overline{B}\)-successor of \(\mathcal {D}_{{\textit{BE}}_k}'|_{k-1}\)).
Finally (only for cases with \(k\ge 2\)), let us consider a subtree of depth \(k-2\) linked to the root of \(\mathcal {D}_{{\textit{BE}}_k}|_{k-1}\) via a B-edge. In this case, there exists (at least) a subtree of \(\mathcal {D}_{{\textit{BE}}_k}\), say \(\mathcal {S}_{k-1}\), such that \(\mathcal {S}_{k-1}|_{k-2}\) is the considered subtree of \(\mathcal {D}_{{\textit{BE}}_k}|_{k-1}\). Since \(\mathcal {D}_{{\textit{BE}}_k}\) and \(\mathcal {D}_{{\textit{BE}}_k}'\) are corresponding up to depth n, there exists a subtree \(\mathcal {S}'_{k-1}\) of \(\mathcal {D}_{{\textit{BE}}_k}'\), connected to the root of \(\mathcal {D}_{{\textit{BE}}_k}'\) via a B-edge, corresponding to \(\mathcal {S}_{k-1}\) up to depth \(n-1\). By the inductive hypothesis \(\mathcal {S}_{k-1}|_{k-2}\) and \(\mathcal {S}'_{k-1}|_{k-2}\) are corresponding up to depth \(n-1\) (the latter is a subtree of \(\mathcal {D}_{{\textit{BE}}_k}'|_{k-1}\) connected to the root of \(\mathcal {D}_{{\textit{BE}}_k}'|_{k-1}\) via a B-edge).
The remaining cases can be dealt with analogously. \(\square \)
Rights and permissions
About this article
Cite this article
Molinari, A., Montanari, A., Murano, A. et al. Checking interval properties of computations. Acta Informatica 53, 587–619 (2016). https://doi.org/10.1007/s00236-015-0250-1
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s00236-015-0250-1