Computation Tree Logic (CTL)

Similar documents
Computation Tree Logic

Lecture 16: Computation Tree Logic (CTL)

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Model for reactive systems/software

Model Checking with CTL. Presented by Jason Simas

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Model Checking Algorithms

LTL and CTL. Lecture Notes by Dhananjay Raju

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

An Introduction to Temporal Logics

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Overview. overview / 357

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

Linear Temporal Logic (LTL)

Model Checking: An Introduction

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Verification Using Temporal Logic

Temporal Logic Model Checking

Lecture Notes on Model Checking

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

PSPACE-completeness of LTL/CTL model checking

A 3 Valued Contraction Model Checking Game: Deciding on the World of Partial Information

Computer-Aided Program Design

3-Valued Abstraction-Refinement

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Chapter 6: Computation Tree Logic

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Linear Temporal Logic and Büchi Automata

Revising Specifications with CTL Properties using Bounded Model Checking

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

a Hebrew University b Weizmann Institute c Rice University

First-order resolution for CTL

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

FAIRNESS FOR INFINITE STATE SYSTEMS

Computation Tree Logic

CS357: CTL Model Checking (two lectures worth) David Dill

Explicit State Model Checking Algorithm for CTL. CSE 814 CTL Explicit-State Model Checking Algorithm

Algorithms for Model Checking (2IW55)

From Liveness to Promptness

MODEL CHECKING. Arie Gurfinkel

Symbolic Model Checking Property Specification Language*

Chapter 4: Computation tree logic

Model checking the basic modalities of CTL with Description Logic

Topics in Verification AZADEH FARZAN FALL 2017

Alternating-Time Temporal Logic

Model-Checking Games: from CTL to ATL

An n! Lower Bound On Formula Size

Reducing CTL-live Model Checking to Semantic Entailment in First-Order Logic (Version 1)

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

FORMAL METHODS LECTURE V: CTL MODEL CHECKING

Reasoning about Time and Reliability

Finite-State Model Checking

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Automata-Theoretic Model Checking of Reactive Systems

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Automata-based Verification - III

How Vacuous is Vacuous?

Chapter 5: Linear Temporal Logic

Multi-Valued Symbolic Model-Checking

Model Checking. Boris Feigin March 9, University College London

Temporal Logics for Specification and Verification

An n! Lower Bound on Formula Size

T Reactive Systems: Temporal Logic LTL

Formal Verification of Mobile Network Protocols

Automata-Theoretic Verification

Modal and Temporal Logics

CTL-RP: A Computational Tree Logic Resolution Prover

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

Logic as a Tool Chapter 1: Understanding Propositional Logic 1.1 Propositions and logical connectives. Truth tables and tautologies

First-Order Predicate Logic. Basics

MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS

The Complexity of Satisfiability for Fragments of CTL and CTL 1

Model Checking & Program Analysis

An Introduction to Multi Valued Model Checking

Timo Latvala. February 4, 2004

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Decision Procedures for CTL

Models for Efficient Timed Verification

Automata-based Verification - III

Computation Tree Logic (CTL)

CTL Model Checking. Wishnu Prasetya.

A tableau-based decision procedure for a branching-time interval temporal logic

Alan Bundy. Automated Reasoning LTL Model Checking

ESE601: Hybrid Systems. Introduction to verification

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Propositional Logic: Part II - Syntax & Proofs 0-0

Binary Decision Diagrams

Computation Tree Logic

Thorough Checking Revisited

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Transcription:

Computation Tree Logic (CTL) Fazle Rabbi University of Oslo, Oslo, Norway Bergen University College, Bergen, Norway fazlr@student.matnat.uio.no, Fazle.Rabbi@hib.no May 30, 2015 Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 1 / 25

Model of Computation Finite-state systems are modeled by labeled state transition graphs, called Kripke Structures. Example a,b b,c c Figure : State Transition Graph or Kripke Model Formally, a Kripke structure is a triple M = S, R, L, where S is the set of states, R S S is the transition relation, and L : S P(AP) gives the set of atomic propositions true in each state. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 2 / 25

Model of Computation If some state is designated as the initial state, the structure can be unwound into an infinite tree with that state as the root. Example (Unwind State Graph to obtain Infinite Tree) a,b a,b b,c c b,c c a,b c c State Transition Graph or Kripke Model Infinite Computation Tree A path in M is an infinite sequence of states, π = s 0, s 1,... such that for i 0, (s i, s i+1 ) R. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 3 / 25

Motivation of using CTL LTL formulas are evaluated on paths. A state of a system satisfies an LTL formula if all paths from the given state satisfy it. Thus, LTL implicitly quantifies universally over paths. Properties which assert the existence of a path cannot be expressed in LTL. Example From any state it is possible to get to the Restart state. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 4 / 25

Motivation of using CTL Computation Tree Logic (CTL) is a branching-time logic, meaning that its model of time is a tree-like structure in which the future is not determined; there are different paths in the future, any one of which might be the actual path that is realised. In CTL, as well as the temporal operators X, F, G and U of LTL we also have quantifiers A and E which express all paths and exists a path, respectively. Example (Each computation tree has the state s 0 as its root) g g g g g g g g g g M, s 0 = EF g M, s 0 = AF g M, s 0 = EG g M, s 0 = AG g Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 5 / 25

Syntax of CTL Definition CTL formulas are inductively defined via a Backus Naur form φ ::= p ( φ) (φ φ) (φ φ) (φ φ) AX φ EX φ AF φ EF φ AGφ EGφ A[φUφ] E[φUφ] where p ranges over a set of atomic formulas. Notice that each of the CTL temporal connectives is a pair of symbols. there exists an execution E for all execution A Q T X (next) F (finally) G (globally) U (until) (and possibly others) Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 6 / 25

Semantics of computation tree logic Let M = (S,, L) be a model. For a CTL formula φ. the relation M, s = φ is defined by structural induction on φ: 1 M, s = and M, s 2 M, s = p iff p L(s) 3 M, s = φ iff M, s φ 4 M, s = φ 1 φ 2 iff M, s = φ 1 and M, s = φ 2 5 M, s = φ 1 φ 2 iff M, s = φ 1 or M, s = φ 2 6 M, s = φ 1 φ 2 iff M, s φ 1 or M, s = φ 2 7 M, s = AX φ iff for all s 1 such that s s 1 we have M, s 1 = φ 8 M, s = EX φ iff for some s 1 such that s s 1 we have M, s 1 = φ 9 M, s = AGφ holds iff for all paths s 1 s 2 s 3..., where s 1 equals s, and all s i along the path, we have M, s i = φ 10 M, s = EGφ holds iff there is a path s 1 s 2 s 3..., where s 1 equals s, and all s i along the path, we have M, s i = φ 11 M, s = AF φ holds iff for all paths s 1 s 2 s 3..., where s 1 equals s, there is some s i such that M, s i = φ 12 M, s = EF φ holds iff there is a path s 1 s 2 s 3..., where s 1 equals s, and for some s i along the path, we have M, s i = φ 13 M, s = A[φ 1 Uφ 2 ] holds iff for all paths s 1 s 2 s 3..., where s 1 equals s, that path satisfies φ 1 Uφ 2 14 M, s = E[φ 1 Uφ 2 ] holds iff there is path s 1 s 2 s 3..., where s 1 equals s, and that path satisfies φ 1 Uφ 2 Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 7 / 25

CTL Semantics: Intuitions (Cont.) AX EX AG EG AF EF A[ U ] 1 2 E[ U ] 1 2 Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 8 / 25

Example of CTL formula Example There is a reachable state satisfying q: this is written EF q. From all reachable states satisfying p, it is possible to maintain p continuously until reaching a state satisfying q: AG(p E [p U q]). Whenever a state satisfying p is reached, the system can exhibit q continuously forevermore: AG (p EG q). There is a reachable state from which all reachable states satisfy p: EF AG p. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 9 / 25

Expressive Power LTL and CTL have different expressive powers. The choice between LTL and CTL depends on the application and the personal preferences. For example, there is no CTL formula that is equivalent to the LTL formula p. Likewise, there is no LTL formula that is equivalent to the CTL formula AG(EF p). The disjunction p AG(EF p) is a CTL formula that is not expressible in either CTL or LTL. CTL* LTL CTL Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 10 / 25

Expressive Power There is no CTL formula that is equivalent to the LTL formula p. M s a a 0 s 1 s 2 s 0 a s 0 s 0 a s 0 a a s 1 s 1 a s 1 s 2 a s 1 a s 2 a s 2 s 2 a s 2 M, s 0 LTL a M, s 0 CTL AF (AG a) Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 11 / 25

Expressive Power There is no LTL formula that is equivalent to the CTL formula AG(EF p). This is shown by contradiction: assume ϕ AG(EF p); let: M M' s a 0 s 1 s 0 M = AG(EF p), and thus- by assumption- M = ϕ Paths(M ) Paths(M), Thus M = ϕ But M AG(EF p) as path s w G(EF p) Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 12 / 25

Equivalences between CTL formulas Definition Two CTL formulas φ and ψ are said to be semantically equivalent if any state in any model which satisfies one of them also satisfies the other; we denote this by φ ψ. Example AF φ EG φ EF φ AG φ AX φ EX φ AF φ A[T U φ] EF φ E[T U φ] Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 13 / 25

Adequate sets of CTL connectives There are ten basic CTL operators: AX and EX AF and EF AG and EG AU and EU AR and ER Each of the ten operators can be expressed in terms of three operators EX, EG, and EU: AX φ = EX ( φ) EF φ = E[ Uφ] AG φ = EF ( φ) AF φ = EG( φ) A[φUψ] E[ ψ U ( φ ψ)] EG ψ A[φRψ] E[ φ U ψ] E[φRψ] A[ φ U ψ] Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 14 / 25

CTL Model checking INPUT: a model M = (S,, L) and a CTL formula φ. OUTPUT: the set of states of M which satisfy φ. First, we convert φ with the adequate sets of CTL connectives (i.e.,,, EX, EU, EG). Next, label the states of M with the subformulas of φ that are satisfied there, starting with the smallest subformulas and working outwards towards φ. Suppose ψ is a subformula of φ and states satisfying all the immediate subformulas of ψ have already been labelled. We determine by a case analysis which states to label with ψ. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 15 / 25

CTL Model checking (cont..) If ψ is : then no states are labelled with. p: then label s with p if p L(s). ψ 1 ψ 2 : label s with ψ 1 ψ 2 if s is already labelled both with ψ 1 and with ψ 2. ψ 1 : label s with ψ 1 if s is not already labelled with ψ 1. EX ψ 1 : label any state with EX ψ 1 if one of its successors is labelled with ψ 1. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 16 / 25

CTL Model checking (cont..) If ψ is E[ψ 1 Uψ 2 ]: If any state s is labelled with ψ 2, label it with E[ψ 1 Uψ 2 ]. Repeat: label any state with E[ψ 1 Uψ 2 ] if it is labelled with ψ 1 and at least one of its successors is labelled with E[ψ 1 Uψ 2 ], until there is no change. This step is illustrated in Figure E[ U ] 1 2 E[ U ] 1 2 1 1 E[ U ] 1 2 Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 17 / 25

CTL Model checking (cont..) If ψ is EGψ 1 : Label all the states with EGψ 1. If any state s is not labelled with ψ 1, delete the label EGψ 1. Repeat: delete the label EGψ 1 from any state if none of its successors is labelled with EGψ 1 ; until there is no change. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 18 / 25

Complexity of CTL Model checking algorithm The complexity of the above mentioned algorithm is O( f S ( S + R )), where f is the number of connectives in the formula, S is the number of states and R is the number of transitions; the algorithm is linear in the size of the formula and quadratic in the size of the model. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 19 / 25

A variant which is more efficient For EX and EU we do as before (but take care to search the model by backwards breadth-first search, for this ensures that we wont have to pass over any node twice). For the EGψ case: Restrict the graph to states satisfying ψ, i.e., delete all other states and their transitions; Find the maximal strongly connected components (SCCs); these are maximal regions of the state space in which every state is linked with (= has a finite path to) every other one in that region. Use backwards breadth-first search on the restricted graph to find any state that can reach an SCC. EG scc states satisfying scc scc The complexity of this algorithm is O( f ( S + R )), i.e., linear both in the size of the model and in the size of the formula Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 20 / 25

Fairness Consider the dining philosopher problem. It is not very reasonable to assume that One philosopher keeps eating forever. How can we rule out this behavior? One solution is to use Fairness Constraints Fairness constraints rule out unrealistic executions Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 21 / 25

Fiarness (cont..) Fairness Constraint Sets of states (constraint) that must occur infinitely often along a computation path to be considered Usually described by a formula of the logic Fairness constraints restrict the path quantifiers (E and A) to fair paths EF φ holds at state s only if there exists a fair path from s along which φ holds AG φ holds at s if φ holds in all states reachable from s along fair paths. If fairness constraints are interpreted as sets of states, then a fair path must contain an element of each fairness constraint infinitely often. If fairness constraints are interpreted as CTL formulas, then a path is fair if each constraint is true infinitely often along the path. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 22 / 25

Fairness constraint in CTL In CTL fairness constraints cannot be expressed! Solution: Impose Fairness Constraints on top of the Kripke Model. We call Fair Computation Paths those paths verifying a fairness constraint infinitely often. We call Fair Kripke Models those models restricted to fair paths. Formally, a fair Kripke structure is a 4-triple M = S, R, L, F, where S, R, L are defined as before and F 2 S is a set of fairness constraints. Let π = s 0, s 1,... be a path in M. defined inf(π) = {s s = s i for infinitely many i } We say that π is fair if and only if for every P F, inf (π) P. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 23 / 25

References Edmund M. Clarke Jr. and Orna Grumberg. Model Checking. The MIT Press, 1999. Michael Huth and Mark Ryan Logic in Computer Science: Modelling and Reasoning about Systems. ISBN: 9780521543101 Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 24 / 25

Thank You Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 25 / 25

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback