Lecture 16: Computation Tree Logic (CTL)

Similar documents
Computation Tree Logic

Model for reactive systems/software

Computation Tree Logic (CTL)

T Reactive Systems: Temporal Logic LTL

Temporal Logic Model Checking

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Model Checking with CTL. Presented by Jason Simas

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

An Introduction to Temporal Logics

Timo Latvala. February 4, 2004

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Finite-State Model Checking

Overview. overview / 357

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Computation Tree Logic

Model checking (III)

Verification Using Temporal Logic

MODEL CHECKING. Arie Gurfinkel

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

Model Checking: An Introduction

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Model Checking. Boris Feigin March 9, University College London

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Chapter 4: Computation tree logic

Algorithmic verification

CTL Model Checking. Wishnu Prasetya.

LTL and CTL. Lecture Notes by Dhananjay Raju

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Alternating Time Temporal Logics*

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Linear Temporal Logic (LTL)

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Alan Bundy. Automated Reasoning LTL Model Checking

Chapter 6: Computation Tree Logic

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Model checking the basic modalities of CTL with Description Logic

CS357: CTL Model Checking (two lectures worth) David Dill

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Linear Temporal Logic (LTL)

3-Valued Abstraction-Refinement

CS477 Formal Software Dev Methods

Petri nets. s 1 s 2. s 3 s 4. directed arcs.

Automata-Theoretic Model Checking of Reactive Systems

Modal and Temporal Logics

Formal Verification of Mobile Network Protocols

From Liveness to Promptness

CIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns

Modal Logic. UIT2206: The Importance of Being Formal. Martin Henz. March 19, 2014

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Computation Tree Logic

Computation Tree Logic (CTL)

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

On the Expressiveness and Complexity of ATL

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Model Checking & Program Analysis

Reasoning about Time and Reliability

Model Checking for the -calculus. Paolo Zuliani , Spring 2011

Computer-Aided Program Design

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Model Checking for Propositions CS477 Formal Software Dev Methods

Reasoning about Strategies: From module checking to strategy logic

Guest lecturer: Mark Reynolds, The University of Western Australia

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

PSPACE-completeness of LTL/CTL model checking

Decision Procedures for CTL

Lecture 2: Symbolic Model Checking With SAT

Crash course Verification of Finite Automata CTL model-checking

Reasoning about Equilibria in Game-like Concurrent Systems

The State Explosion Problem

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

SFM-11:CONNECT Summer School, Bertinoro, June 2011

Abstraction for Falsification

LTL Model Checking. Wishnu Prasetya.

Testing with model checkers: A survey

MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Automata-based Verification - III

Topics in Verification AZADEH FARZAN FALL 2017

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Alternating-Time Temporal Logic

ESE601: Hybrid Systems. Introduction to verification

Theoretical Foundations of the UML

PSL Model Checking and Run-time Verification via Testers

Finite State Model Checking

CTL satisfability via tableau A C++ implementation

An Introduction to Multi-Valued Model Checking

FAIRNESS FOR INFINITE STATE SYSTEMS

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

CS256/Winter 2009 Lecture #1. Zohar Manna. Instructor: Zohar Manna Office hours: by appointment

Transcription:

Lecture 16: Computation Tree Logic (CTL) 1

Programme for the upcoming lectures Introducing CTL Basic Algorithms for CTL CTL and Fairness; computing strongly connected components Basic Decision Diagrams Tool demonstration: SMV 2

LTL and CTL LTL (linear-time logic) Describes properties of individual executions. Semantics defined as a set of executions. CTL (computation tree logic) Describes properties of a computation tree: formulas can reason about many executions at once. (CTL belongs to the family of branching-time logics.) Semantics defined in terms of states. 3

Computation tree Let T = S,, s 0 be a transition system. Intuitively, the computation tree of T is the acyclic unfolding of T. Formally, we can define the unfolding as the least (possibly infinite) transition system U,, u 0 with a labelling l : U S such that u 0 U and l(u 0 ) = s 0 ; if u U, l(u) = s, and s s for some u, s, s, then there is u U with u u and l(u ) = s ; u 0 does not have a direct predecessor, and all other states in U have exactly one direct predecessor. Note: For model checking CTL, the construction of the computation tree will not be necessary. However, this definition serves to clarify the concepts behind CTL. 4

Computation tree: Example A transition system and its computation tree (labelling l given in blue): s0 s0 s1 s2 s0 s1 s1 s1 s2 s1 s2 5

CTL: Overview CTL = Computation-Tree Logic Combines temporal operators with quantification over runs Operators have the following form: Q T there exists an execution for all executions E A X F G U next finally globally until (and possibly others) 6

CTL: Syntax We define a minimal syntax first. Later we define additional operators with the help of the minimal syntax. Let AP be a set of atomic propositions: The set of CTL formulas over AP is as follows: if a AP, then a is a CTL formula; if φ 1, φ 2 are CTL formulas, then so are φ 1, φ 1 φ 2, EX φ 1, EG φ 1, φ 1 EU φ 2 7

CTL: Semantics Let K = (S,, s 0, AP, ν) be a Kripke structure. We define the semantic of every CTL formula φ over AP w.r.t. K as a set of states [[φ]] K, as follows: [[a]] K = ν(a) for a AP [[ φ 1 ]] K = S \ [[φ 1 ]] K [[φ 1 φ 2 ]] K = [[φ 1 ]] K [[φ 2 ]] K [[EX φ 1 ]] K = { s there is a t s.t. s t and t [[φ 1 ]] K } [[EG φ 1 ]] K = { s there is a run ρ with ρ(0) = s and ρ(i) [[φ 1 ]] K for all i 0 } [[φ 1 EU φ 2 ]] K = { s there is a run ρ with ρ(0) = s and k 0 s.t. ρ(i) [[φ 1 ]] K for all i < k and ρ(k) [[φ 2 ]] K } 8

We say that K satisfies φ (denoted K = φ) iff s 0 [[φ]] K. We declare two formulas equivalent (written φ 1 φ 2 ) iff for every Kripke structure K we have [[φ 1 ]] K = [[φ 2 ]] K. In the following, we omit the index K from [[ ]] K if K is understood. 9

CTL: Extended syntax φ 1 φ 2 ( φ 1 φ 2 ) AX φ EX φ true a a AG φ EF φ false true AF φ EG φ φ 1 EW φ 2 EG φ 1 (φ 1 EU φ 2 ) φ 1 AW φ 2 ( φ 2 EU (φ 1 φ 2 )) EF φ true EU φ φ 1 AU φ 2 AF φ 2 (φ 1 AW φ 2 )) Other logical and temporal operators (e.g. ), ER, AR,... may also be defined. 10

CTL: Examples We use the following computation tree as a running example (with varying distributions of red and black states): {p} {p} {q} {q} In the following slides, the topmost state satisfies the given formula if the black states satisfy p and the red states satisfy q. 11

AG p 12

AF p 13

AX p 14

p AU q 15

EG p 16

EF p 17

EX p 18

p EU q 19

Solving nested formulas: Is s 0 [[AF AG x]]? s6 {z} s7 { } s0 {x,y,z} s2 {y,z} s4 {y} s3 {x} s1 {x,y} s5 {x,z} To compute the semantics of formulas with nested operators, we first compute the states satisfying the innermost formulas; then we use those results to solve progressively more complex formulas. In this example, we compute [[x]], [[AG x]], and [[AF AG x]], in that order. 20

Bottom-up method (1): Compute [[x]] s6 s7 {z} { } s0 s3 {x,y,z} {x} s4 s5 s2 {y} s1 {x,z} {y,z} {x,y} 21

Bottom-up method (2): Compute [[AG x]] s6 s7 {z} { } s0 s3 {x,y,z} {x} s4 s5 s2 {y} s1 {x,z} {y,z} {x,y} 22

Bottom-up method (3): Compute [[AF AG x]] s6 s7 {z} { } s0 s3 {x,y,z} {x} s4 s5 s2 {y} s1 {x,z} {y,z} {x,y} 23

Example: Dining Philosophers 1 5 2 4 3 Five philosophers are sitting around a table, taking turns at thinking and eating. We shall express a couple of properties in CTL. Let us assume the following atomic propositions: e i f i = philosopher i is currently eating = philosopher i has just finished eating 24

Philosophers 1 and 4 will never eat at the same time. AG (e 1 e 4 ) Whenever philosopher 4 has finished eating, he cannot eat again until philosopher 3 has eaten. AG(f 4 ( e 4 AW e 3 )) Philosopher 2 will be the first to eat. (e 1 e 3 e 4 e 5 ) AU e 2 25

Philosophers 1 and 4 will never eat at the same time. AG (e 1 e 4 ) Whenever philosopher 4 has finished eating, he cannot eat again until philosopher 3 has eaten. AG(f 4 ( e 4 AW e 3 )) Philosopher 2 will be the first to eat. (e 1 e 3 e 4 e 5 ) AU e 2 26

Philosophers 1 and 4 will never eat at the same time. AG (e 1 e 4 ) Whenever philosopher 4 has finished eating, he cannot eat again until philosopher 3 has eaten. AG(f 4 ( e 4 AW e 3 )) Philosopher 2 will be the first to eat. (e 1 e 3 e 4 e 5 ) AU e 2 27

Philosophers 1 and 4 will never eat at the same time. AG (e 1 e 4 ) Whenever philosopher 4 has finished eating, he cannot eat again until philosopher 3 has eaten. AG(f 4 ( e 4 AW e 3 )) Philosopher 2 will be the first to eat. (e 1 e 3 e 4 e 5 ) AU e 2 28

Expressiveness of CTL and LTL (1/4) CTL and LTL have a large overlap, i.e. properties expressible in both logics. Examples: Invariants (e.g., p never holds. ) AG p or G p Reactivity ( Whenever p happens, eventually q will happen. ) AG(p AF q) or G(p F q) 29

Expressiveness of CTL and LTL (2/4) CTL considers the whole computation tree whereas LTL only considers individual runs. Thus CTL allows to reason about the branching behaviour, considering multiple possible runs at once. Examples: The CTL property AG EF p ( reset property ) is not expressible in LTL. The CTL property AF AX p distinguishes the following two systems, but the LTL property F X p does not: {p} {p} {p} {p} 30

Expressiveness of CTL and LTL (3/4) Even though CTL considers the whole computation tree, its state-based semantics is subtly different from LTL. Thus, there are also properties expressible in LTL but not in CTL. Examples: The LTL property F G p is not expressible in CTL: {p} s0 { } s1 {p} s2 K = F G p but K = AF AG p 31

Expressiveness of CTL and LTL (4/4) Also, fairness conditions are not directly expressible in CTL: (G F p 1 G F p 2 ) φ However, as we shall see later, there is another way to extend CTL with fairness conditions. Conclusion: The expressiveness of CTL and LTL is incomparable; there is an overlap, and each logic can express properties that the other cannot. Remark: There is a logic called CTL that combines the expressiveness of CTL and LTL. However, we will not deal with it in this course. 32

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback