Computation Tree Logic

Similar documents
Computation Tree Logic (CTL)

Model checking (III)

LTL and CTL. Lecture Notes by Dhananjay Raju

Lecture 16: Computation Tree Logic (CTL)

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

An Introduction to Temporal Logics

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Overview. overview / 357

Model Checking with CTL. Presented by Jason Simas

Model for reactive systems/software

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Lecture Notes on Model Checking

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

FAIRNESS FOR INFINITE STATE SYSTEMS

Temporal Logic Model Checking

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Model checking the basic modalities of CTL with Description Logic

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Verification. Lecture 9. Bernd Finkbeiner Peter Faymonville Michael Gerke

Temporal Logics for Specification and Verification

Chapter 6: Computation Tree Logic

Verification Using Temporal Logic

Chapter 4: Computation tree logic

How Vacuous is Vacuous?

Model Checking Algorithms

Linear Temporal Logic (LTL)

MODEL CHECKING. Arie Gurfinkel

Thorough Checking Revisited

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

A 3 Valued Contraction Model Checking Game: Deciding on the World of Partial Information

Model Checking: An Introduction

Modal and Temporal Logics

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Revising Specifications with CTL Properties using Bounded Model Checking

Guest lecturer: Mark Reynolds, The University of Western Australia

3-Valued Abstraction-Refinement

Chapter 5: Linear Temporal Logic

Meeting the Deadline: Why, When and How

Topics in Verification AZADEH FARZAN FALL 2017

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Finite-State Model Checking

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Computation Tree Logic

The Complexity of Satisfiability for Fragments of CTL and CTL 1

ESE601: Hybrid Systems. Introduction to verification

Computation Tree Logic

CTL, the branching-time temporal logic

CS357: CTL Model Checking (two lectures worth) David Dill

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

The Planning Spectrum One, Two, Three, Infinity

Scuola Estiva di Logica, Gargnano, 31 agosto - 6 settembre 2008 LOGIC AT WORK. Formal Verification of Complex Systems via. Symbolic Model Checking

a Hebrew University b Weizmann Institute c Rice University

CTL Model Checking. Wishnu Prasetya.

FORMAL METHODS LECTURE V: CTL MODEL CHECKING

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Branching Time? Pruning Time!

Universität Augsburg. Quantales and Temporal Logics. Institut für Informatik D Augsburg. B. Möller P. Höfner G. Struth. Report June 2006

An Introduction to Multi Valued Model Checking

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Reducing CTL-live Model Checking to Semantic Entailment in First-Order Logic (Version 1)

SUPERVISORY CONTROL AND FAILURE DIAGNOSIS OF DISCRETE EVENT SYSTEMS: A TEMPORAL LOGIC APPROACH

A Model Checker for Strategy Logic

Decision Procedures for CTL

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

3. Temporal Logics and Model Checking

The Safety Simple Subset

Reducing Model Checking Commitments for Agent Communication to Model Checking ARCTL and GCTL

Multi-Valued Symbolic Model-Checking

Automata-Theoretic Verification

MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS

Reasoning about Strategies: From module checking to strategy logic

Trace Diagnostics using Temporal Implicants

A Tableau-Based Decision Procedure for Right Propositional Neighborhood Logic (RPNL )

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Computation Tree Logic (CTL)

Linear Temporal Logic and Büchi Automata

CTL satisfability via tableau A C++ implementation

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

From Liveness to Promptness

QBF Encoding of Temporal Properties and QBF-based Verification

An On-the-fly Tableau Construction for a Real-Time Temporal Logic

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Alternating-Time Temporal Logic

Reasoning about Time and Reliability

Thorough Checking Revisited

A One-Pass Tableau-Based Workflow Verification Framework

Model Checking Agent Communication

Chapter 5: Linear Temporal Logic

Computer-Aided Program Design

Symbolic Model Checking Property Specification Language*

Formal Verification via MCMAS & PRISM

T Reactive Systems: Temporal Logic LTL

Transcription:

Computation Tree Logic Computation tree logic (CTL) is a branching-time logic that includes the propositional connectives as well as temporal connectives AX, EX, AU, EU, AG, EG, AF, and EF. The syntax of CTL formulas is defined by the following recursive rules: φ ::= P ( φ) (φ φ) (φ φ) (φ φ) AXφ EXφ A[φUφ] E[φUφ] AGφ EGφ AF φ EF φ P ::= p 1 p 2 p 3... Informally, A and E mean along all paths and along at least one path, respectively; whereas X, F, G, and U refer to next state, some future state, all future states, and Until.

Semantics of CTL We use structural induction on CTL formulas to define a satisfaction relation M, s = φ that depends on a transition system M = (S,, L), a state s of M, and a CTL formula φ: 1. M, s = and M, s = for all states s. 2. M, s = p iff p L(s). 3. M, s = φ iff M, s = φ. 4. M, s = φ 1 φ 2 iff M, s = φ 1 and M, s = φ 2. 5. M, s = φ 1 φ 2 iff M, s = φ 1 or M, s = φ 2. 6. M, s = φ 1 φ 2 iff M, s = φ 1 or M, s = φ 2. 7. M, s = AXφ iff M, s = φ for all states s with s s. 8. M, s = EXφ iff M, s = φ for some state s with s s.

9. M, s = AGφ iff for all paths s = s 0 s 1 s 2 and all states s i along the path, we have M, s i = φ. 10. M, s = EGφ iff there is some path s = s 0 s 1 s 2 such that for all states s i along the path, we have M, s i = φ. 11. M, s = AF φ iff for all paths s = s 0 s 1 s 2 there is some state s i along the path, for which M, s i = φ. 12. M, s = EF φ iff for some path s = s 0 s 1 s 2 and some state s i along the path, we have M, s i = φ. 13. M, s = A[φ 1 Uφ 2 ] iff for all paths s = s 0 s 1 s 2 there is some state s i along the path, such that M, s i = φ 2 and M, s j = φ 1, for all j < i. 14. M, s = E[φ 1 Uφ 2 ] iff for some path s = s 0 s 1 s 2 there is some state s i along the path, such that M, s i = φ 2 and M, s j = φ 1, for all j < i.

CTL Equivalences Two CTL formulas φ and ψ are said to be (semantically) equivalent, written φ ψ, if and only if M, s = φ iff M, s = ψ for all models M and all states s in M. The following basic equivalences illuminate the relation between temporal connectives: AF φ EG φ (1) EF φ AG φ (2) AXφ EX φ (3) AF φ A[ U φ] (4) EF φ E[ U φ] (5) The following equivalences provide the theoretical basis for a model checking algorithm: AGφ φ AX AGφ EGφ φ EX EGφ AF φ φ AX AF φ EF φ φ EX EF φ A[φUψ] ψ (φ AX A[φUψ]) E[φUψ] ψ (φ EX E[φUψ])

Adequate Sets of Connectives The basic equivalences for CTL formulas listed above, and the fact that propositional equivalences carry over to CTL formulas in general, imply that all CTL formulas can be expressed in equivalent form via a few selected connectives. Theorem The set of connectives {,,, AU, EU, EX} is adequate for CTL. Another useful equivalence, to be be discussed in more detail later, is Theorem A[pUq] (E[ qu( p q)] EG q). The sets of connectives {,,, EG, EU, EX} and {,,, AF, EU, EX} are adequate for CTL. There are also other adequate sets for CTL.

Mutual Exclusion Example We next formalize the properties expected for the mutual exlcusion model in CTL. Safety: Liveness: Non-blocking: AG (c 1 c 2 ) AG(t 1 AF c 1 ) AG(n 1 EXt 1 ) No strict sequencing: EF (c 1 E[c 1 U( c 1 E[ c 2 Uc 1 ])])

CTL* If we allow nested modalities and propositional connectives before applying path quantifiers, we obtain a logic called CTL* in which there are two classes of syntactic expressions. State formulas are evaluated in states: φ ::= P ( φ) (φ φ) A[α] E[α] whereas path formulas are evaluated along paths: α ::= φ ( α) (α α) (αu α) (Gα) (F α) (Xα) The variable P ranges over atomic descriptions, the variable α over path formulas; and the variable φ over state formulas. Examples A[(pU r) (qu r)]: along all paths, either p is true until r, or q is true until r, A[Xp XXp]: along all paths, p is true in the next state, or the next but one. E[GF p]: there is a path along which p is true infinitely often. Note that the second and third formula can not be expressed in CTL.

Semantics of CTL* In the case of CTL* we define satisfaction relations for both state and path formulas: 1. (a) M, s = p iff p L(s). (b) M, s = φ iff M, s = φ. (c) M, s = φ 1 φ 2 iff M, s = φ 1 and M, s = φ 2. (d) M, s = A[α] iff for all paths τ beginning at s we have M, τ = α. (e) M, s = E[α] iff for some path τ beginning at s we have M, τ = α. 2. (a) M, π = φ iff M, s 1 = φ. (b) M, π = α iff M, π = α. (c) M, π = α 1 α 2 iff M, π = α 1 and M, π = α 2. (d) M, π = Xα iff M, π 2 = α. (e) M, π = Gα iff, for all i 1, M, π i = α. (f) M, π = F α iff, for some i 1, M, π i = α. (g) M, π = α 1 Uα 2 iff for some i 1, M, π i = α 2 while M, π j = α 1 for all j < i. where p ranges over atomic descriptions, α over path formulas, and φ over state formulas.

CTL, LTL, and CTL* The language of CTL is a subset of CTL* (in which the definition of path formulas is more restricted). Semantically in LTL one considers all paths, and hence an LTL formula α can be considered to be equivalent to A[α]. In this sense LTL may also be viewed as a subset of CTL* The following examples show the relation between these logics. In CTL and LTL: AG(p AF q) in CTL or G(p F q) in LTL In CTL but not in LTL: AG(EF p) In LTL but not in CTL: A[GF p F q] Neither in CTL nor in LTL: E[GF p]

Weak Until Operator in CTL The until operator in CTL has been defined in such a way that whenever A[p U q] is true in a state s then q must be true somewhere along each path from s. Sometimes it is useful to consider a modified until operator W such that p W q is deemed to be true even for paths along which q never holds, provided however that then p is always true. In LTL and CTL* this weak until operator can be defined as follows: p W q (p U q) Gp. A direct encoding in CTL is not possible, but we have the following equivalences for EW and AW E[p W q] E[p U q] EGp. A[p W q] E[ q U (p q)].

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback