
In this section we analyze the complexity of the problem of checking buffer boundedness in general. It has already been mentioned in Section 5.3 that the boundedness problem is undecidable for UML RT or Promela models (Level 0), undecidable for CFSM systems (Level 1), EXPSPACE-complete for parallel-composition-VASS (Level 2), co-NP-complete for parallel-composition-VASS with arbitrary initial tokens (Level 3), and polynomial in the number of elementary cycles for independent cycle systems (Level 4). While the complexity results for Levels 0–2 are either trivial or known from existing work, we need to prove the complexity results for Level 3 and Level 4.

5.7.1 Co-NP-completeness of the Structural Boundedness Problem of Parallel-Composition-VASS

We prove that the structural boundedness problem is co-NP-complete by first showing that it is co-NP-hard (Proposition 5.10) and then that it is in co-NP (Proposition 5.11).

Proposition 5.10. The structural boundedness problem of parallel-composition-VASS is co-NP-hard.

Proof. We will show that the structural boundedness problem is co-NP-hard even if the control flow graph of each part of the system is strongly connected and contains only polynomially many elementary cycles. The proof is by a reduction from the NP-complete boolean satisfiability problem (SAT) to the unboundedness of parallel-composition-VASS with respect to some initial configuration.

[Figure 5.8: The parallel-composition-VASS system constructed from a boolean formula $\Phi := F_1 \wedge \cdots \wedge F_k$. Labels in the figure: states $s_i$, $t_i$, $f_i$ of part $p_i$; state $s$ of part $p$.]

Let $\Phi := F_1 \wedge \cdots \wedge F_k$ be a boolean formula over boolean variables $x_1, \dots, x_n$. Each clause $F_j$ is a disjunction of literals and each literal is either a variable or the negation of a variable.

We now construct a parallel-composition-VASS system, as shown in Figure 5.8, from $\Phi$ in polynomial time as follows: The system contains $k + 2$ places, $y_1, \dots, y_k, l, g$, where each of the first $k$ places corresponds to one clause. For every boolean variable $x_i$ we construct a part $p_i$ in the VASS system with three control states $s_i, t_i, f_i$. The transitions from $s_i$ to $t_i$, from $t_i$ to $s_i$, from $s_i$ to $f_i$, and from $f_i$ to $s_i$ all have the same effect: They reduce the number of tokens in the place $l$ by 1 and leave all other places unaffected. The self-transition at $t_i$ removes one token from the place $g$, and adds one token to the place $y_j$ for all $j$ such that clause $F_j$ contains $x_i$. The self-transition at $f_i$ removes one token from $g$, and adds one token to $y_j$ for all $j$ such that clause $F_j$ contains $\neg x_i$. Finally, we add another part $p$ to the VASS system with one state $s$. The self-transition at $s$ has the effect $(-1, \dots, -1, 0, n+1)$, i.e., it removes one token from each of the places $y_1, \dots, y_k$ and adds $n + 1$ tokens to $g$. Furthermore, the initial states are $s_1, \dots, s_n, s$. Note that each $p_i$ and $p$ are strongly connected and that the total number of elementary cycles in the system is $4n + 1$. We now show that the constructed VASS is structurally bounded if and only if $\Phi$ is not satisfiable.

For the “only if” part, we assume by contradiction that the VASS system is structurally bounded and $\Phi$ is satisfiable. Then, there exists a variable assignment that makes all clauses $F_j$ true. From such an assignment, we may construct an execution of the system as follows: First, for each part $p_i$, if $x_i$ is true in the assignment, then the transition to $t_i$ is taken; otherwise, the transition to $f_i$ is taken. The combined effect of this is $(0, \dots, 0, -n, 0)$. Next, each $p_i$ executes the cycle at $t_i$ or $f_i$ accordingly exactly once, producing a combined effect denoted by $(e_1, \dots, e_k, 0, -n)$. We can show that (*) $e_j \geq 1$ for all $j$.

Next, the cycle at $s$ in the part $p$ is executed exactly once, producing the effect $(-1, \dots, -1, 0, n+1)$. Note that, by executing the previously mentioned cycle combination in all processes $p_i$ and the cycle at $s$ together once, the combined effect is larger than $(0, \dots, 0, 1)$, which can therefore be repeated infinitely often in our constructed execution. Obviously the execution is unbounded starting at the configuration $(0, \dots, 0, n, n)$. This contradicts the assumption that the system is structurally bounded.

Now, we prove that the above statement (*) is true. Because each clause $F_j$ is true, at least one literal in $F_j$ must be true. For each $F_j$, we consider two cases. (1) If a literal $x_i$ in $F_j$ is true, then the part $p_i$ would move to $t_i$ and generate one token to the place $y_j$ by executing the cycle at $t_i$ each time. (2) If a literal $\neg x_i$ in $F_j$ is true, then the part $p_i$ would move to $f_i$ and generate one token to $y_j$ by executing the cycle at $f_i$ each time. In both cases, we have that $e_j \geq 1$.

For the “if” part, we assume by contradiction that $\Phi$ is not satisfiable and the VASS system is unbounded with respect to an initial configuration. Note that the transitions between $s_i$ and $t_i$/$f_i$ in any part $p_i$ can be taken only a finite number of times because the number of tokens in the place $l$ is decreased along these transitions and never increased anywhere in the VASS system. Consequently, the execution of each $p_i$ will eventually either terminate, or cycle only through $t_i$, or cycle only through $f_i$. Furthermore, since all the cycles at each state $t_i$ or $f_i$ remove a token from $g$, they can be repeated infinitely often only if the cycle at $s$ in $p$ is also executed infinitely often to add tokens to $g$.

Moreover, because $\Phi$ is not satisfiable, we can show that no combination consisting of at most one cycle at $t_i$ or $f_i$ from each $p_i$ can have a positive effect on all the places $y_1, \dots, y_k$: From any such combination, we may construct a variable assignment as follows. For each part $p_i$, if none of its cycles is in the combination, then $x_i$ can take any truth value; if its cycle at $t_i$ is in the combination, then $x_i$ takes the value true; if its cycle at $f_i$ is in the combination, then $x_i$ takes the value false. Now we assume that one combination exists that has a positive effect on each place $y_j$. Then, for each place $y_j$, there exists at least one part $p_i$ of the VASS system in which the cycle at $t_i$ or $f_i$ is in the combination to put one token to $y_j$. This means that one of $x_i$ or $\neg x_i$ is a true literal and included in the clause $F_j$ that corresponds to the place $y_j$. Consequently, every $F_j$ is true, which makes $\Phi$ true. This contradicts that $\Phi$ is unsatisfiable.

As a result, any combination of cycles at $t_i$ or $f_i$ has a non-positive effect, i.e., an effect 0 on at least one place, and can therefore be repeated jointly with the cycle at $s$ only a finite number of times. Since no cycle in the VASS system can be executed infinitely often, all executions starting at any initial configuration have a finite length and the system is certainly structurally bounded. This contradicts the assumption that the system is unbounded with respect to an initial configuration. □
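The construction and the execution schedule used in the proof, as an added Python example that is not part of the original text. Clauses are given as DIMACS-style integer lists and all function names are assumptions of this example; it fires transitions from the configuration $(0, \dots, 0, n, n)$ and rejects any step that would make a place negative, so the schedule can be repeated only under a satisfying assignment.

```python
from itertools import product

def build_effects(clauses, n):
    """Effect vectors over places (y_1..y_k, l, g) for the construction in the proof.
    clauses: DIMACS-style lists, literal i means x_i and -i means NOT x_i."""
    k = len(clauses)
    move = [0] * k + [-1, 0]                 # s_i <-> t_i / f_i: one token from l
    loop = {}
    for i in range(1, n + 1):
        loop[i, True] = [int(i in c) for c in clauses] + [0, -1]    # self-loop at t_i
        loop[i, False] = [int(-i in c) for c in clauses] + [0, -1]  # self-loop at f_i
    s_loop = [-1] * k + [0, n + 1]           # self-loop at s in part p
    return move, loop, s_loop

def fire(config, effect):
    """Apply one transition; no place may go negative."""
    new = [c + e for c, e in zip(config, effect)]
    if min(new) < 0:
        raise ValueError("transition not enabled")
    return new

def run(clauses, n, assignment, rounds):
    """Execute the proof's schedule from (0,...,0,n,n); return the final configuration."""
    move, loop, s_loop = build_effects(clauses, n)
    config = [0] * len(clauses) + [n, n]
    for _ in range(n):                       # each p_i moves to t_i or f_i once
        config = fire(config, move)
    for _ in range(rounds):                  # one loop per p_i, then the loop at s
        for i in range(1, n + 1):
            config = fire(config, loop[i, assignment[i]])
        config = fire(config, s_loop)
    return config

def pumpable_assignment(clauses, n, rounds=3):
    """Brute force over t_i/f_i choices; return one whose schedule repeats, else None."""
    for bits in product([True, False], repeat=n):
        assignment = dict(zip(range(1, n + 1), bits))
        try:
            run(clauses, n, assignment, rounds)
            return assignment
        except ValueError:
            continue
    return None
```

Each repeated round adds one token to $g$, and a place $y_j$ whose clause has more than one true literal grows as well.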

Proposition 5.11. Structural boundedness of parallel-composition-VASS is in co-NP.

Proof. We reduce the negation of the structural boundedness problem, i.e., unboundedness with respect to some initial configuration, to the NP-complete language-non-emptiness problem for reversal-bounded counter machines. These are Minsky-multi-counter machines where the counters can only switch from increasing-mode to decreasing-mode (and vice versa) a bounded number of times [70].

Given a parallel-composition-VASS system consisting of parts $p_1, \dots, p_m$, we first partition the control flow graph of each $p_i$ into strongly connected components. This can be done in polynomial time. We choose nondeterministically a strongly connected component $A_i$ in every $p_i$. In each $A_i$ we choose nondeterministically some state $s_{i,0}$ as the initial state of $A_i$.

From the above VASS system, we obtain a reversal-bounded counter machine $C$ as follows. $C$ contains the same states as those in all the strongly connected components $A_i$, and $s_{1,0}$ is the initial state of $C$. For all $i$ we add an unlabeled transition from $s_{i,0}$ to $s_{i+1,0}$. If the VASS system has $d$ places, then we have $2d$ reversal-bounded counters in $C$ such that there are two counters $c^+_j$ and $c_j$ for every place $x_j$. These counters are initially 0. For each transition labeled with a vector $\bar{v}$ in the VASS system, the counters are changed in the corresponding transition in $C$ as follows. For all components $\bar{v}_j$ of the vector $\bar{v}$, if $\bar{v}_j \geq 0$ then $c^+_j$ is increased by $\bar{v}_j$. If $\bar{v}_j < 0$ then $c_j$ is increased by $-\bar{v}_j$. It follows that $c^+_j - c_j$ represents the complete effect of the transition on the place $x_j$. Finally, we add an extra control state $s$ and a transition from $s_{m,0}$ to $s$. At state $s$ the counter machine $C$ checks if $c^+_j \geq c_j$ for all $j$, and if there exists some $j$ such that $c^+_j > c_j$. It accepts an execution if and only if these conditions are satisfied. $C$ has polynomial size and contains a polynomial number of counters that are all reversal-bounded by 1. The one reversal is needed for the final check at the end, because one has to subtract $c_j$ from $c^+_j$. Checking the language of $C$ for non-emptiness is in NP, as shown in [63].

It remains to show that the parallel-composition-VASS is not structurally bounded if and only if the language of $C$ is non-empty.

If the parallel-composition-VASS is not structurally bounded then there exists some initial configuration from which there is an unbounded execution. Any such execution is infinite and can be decomposed into an acyclic part and a cyclic part, i.e., a combination of executions of control flow cycles. This combination must have an overall non-negative effect on all places and a positive effect on at least one place. Furthermore, each cycle must be contained in some strongly connected component $A_j$ of a part $p_j$. By the construction of $C$, an unbounded execution exists if and only if $C$ can reach an accepting state. □

Theorem 5.12. Structural boundedness of parallel-composition-VASS is co-NP-complete.

The above theorem follows immediately from Proposition 5.10 and Proposition 5.11.

5.7.2 Polynomial Time Complexity of the Boundedness Problem of Independent Cycle Systems

Given an independent cycle system $(n, C, \mathit{eff})$, an ILP problem (Inequalities 5.6–5.8) that represents the sufficient and necessary condition for its unboundedness can be built in time polynomial in the size of the cycle system. In general, solving ILP problems is NP-complete. However, any ILP problem generated in our test to determine boundedness has a special property: For each inequality in the ILP problem, the left-hand side does not contain any constant terms, and the right-hand side is 0. Such an ILP problem is called a homogeneous ILP problem. A homogeneous linear programming problem has the following property: Given any rational solution $(v_1, \dots, v_n)$ to the problem and any positive rational number $t$, $(t \cdot v_1, \dots, t \cdot v_n)$ is still a solution to the problem. This is because every inequality in a homogeneous linear programming problem can be transformed into the formP this property, we may turn the ILP problem into a linear programming problem by allowing all the variables $x_i$ to have rational values. Then, we can solve the linear programming problem to obtain rational solutions for $x_i$, which is known to be in polynomial time [105]. Next, we compute the least common denominator $d$ of all the $x_i$ values in the rational solution, which is also in polynomial time [40]. We can get an integer value for each $x_i$ by multiplying the rational solution of $x_i$ with $d$. All the obtained integer values for $x_i$ give an integer solution to the problem.
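The scaling step described above, as an added Python example that is not part of the original text. The two-cycle system and the rational solution are constructed sample values, the function names are assumptions, and the inequalities are assumed to have the form "sum of cycle counts times cycle effects is at least 0 on every place". The last check shows that a constraint with a non-zero right-hand side does not survive the scaling, which is why homogeneity matters.

```python
from fractions import Fraction
from math import lcm

def holds(rows, x, rhs=0):
    """True if sum_i row[i] * x[i] >= rhs for every row."""
    return all(sum(a * v for a, v in zip(row, x)) >= rhs for row in rows)

def to_integer_solution(rational):
    """Scale a rational solution by the least common denominator d of its entries."""
    d = lcm(*(v.denominator for v in rational))
    return d, [int(v * d) for v in rational]

# Constructed sample: two cycles with effects (+2, -1) and (-3, +2) on two places.
# Row p encodes x_1 * eff(c_1)[p] + x_2 * eff(c_2)[p] >= 0 (assumed form).
HOMOGENEOUS = [[2, -3], [-1, 2]]
RATIONAL = [Fraction(3, 2), Fraction(1)]      # constructed rational LP solution

def demo():
    d, integral = to_integer_solution(RATIONAL)
    bounded = [[-1, 0]]                       # x_1 <= 2, written as -x_1 >= -2
    return (d, integral,
            holds(HOMOGENEOUS, RATIONAL), holds(HOMOGENEOUS, integral),
            holds(bounded, RATIONAL, rhs=-2), holds(bounded, integral, rhs=-2))
```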

From the above argument, we know that the complexity of the boundedness problem of an independent cycle system is polynomial in the size of the cycle system, i.e., the number of elementary control flow cycles in all processes of the original CFSM systems. In the worst case, the number of elementary cycles in a CFSM process can be exponential in the size of the process. Consequently, the worst-case complexity of the boundedness problem of independent cycle systems is exponential in the size of each process. This is also the worst-case complexity of our boundedness test. It should be noted that this is still normally much smaller than the complexity of the semi-complete boundedness test by constructing reachability graphs, which is triply exponential as already shown in Section 5.1.2. Moreover, the control flow graphs derived from realistic models of asynchronous reactive systems are normally very sparse, and the number of elementary control flow cycles in them is normally polynomial, rather than exponential. Therefore, the boundedness test requires only polynomial time in practice.