On the Complexity of Modular Model Checking

In modular veriication the speciication of a module consists of two parts. One part describes the guaranteed behavior of the module. The other part describes the assumed behavior of the environment with which the module is interacting. This is called the assume-guarantee paradigm. Even when one speciies the guaranteed behavior of the module in a branching temporal logic, the assumption in the assume-guarantee pair concerns the interaction of the environment with the module along each computation, and is therefore often naturally expressed in linear temporal logic. In this paper we consider assume-guarantee speciications in which the assumption is given by an LTL formula and the guarantee is given by a CTL formula. Verifying modules with respect to such specii-cations is called the linear-branching model-checking problem. We apply automata-theoretic techniques to obtain a model-checking algorithm whose running time is linear in the size of the module and the size of the CTL guarantee, but doubly exponential in the size of the LTL assumption. We also show that the high complexity in the size of the LTL speciication is inherent by proving that the problem is EXPSPACE-complete. The lower bound applies even if the branching temporal guarantee is restricted to be speciied in 8CTL, the universal fragment of CTL.