Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Similar documents
FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Computation Tree Logic

Lecture 16: Computation Tree Logic (CTL)

FORMAL METHODS LECTURE V: CTL MODEL CHECKING

Temporal Logic Model Checking

Model for reactive systems/software

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Computation Tree Logic (CTL)

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Chapter 4: Computation tree logic

Model checking (III)

Finite-State Model Checking

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Model Checking with CTL. Presented by Jason Simas

Overview. overview / 357

Formal Methods Lecture VII Symbolic Model Checking

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

LTL and CTL. Lecture Notes by Dhananjay Raju

Model checking the basic modalities of CTL with Description Logic

MODEL CHECKING. Arie Gurfinkel

Model Checking: An Introduction

3-Valued Abstraction-Refinement

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Chapter 6: Computation Tree Logic

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Computation Tree Logic

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Computation Tree Logic

Verification Using Temporal Logic

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

CS357: CTL Model Checking (two lectures worth) David Dill

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Scuola Estiva di Logica, Gargnano, 31 agosto - 6 settembre 2008 LOGIC AT WORK. Formal Verification of Complex Systems via. Symbolic Model Checking

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

An Introduction to Temporal Logics

3. Temporal Logics and Model Checking

Computation Tree Logic (CTL)

Topics in Verification AZADEH FARZAN FALL 2017

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Chapter 5: Linear Temporal Logic

Lecture 2: Symbolic Model Checking With SAT

Reasoning about Strategies: From module checking to strategy logic

Temporal logics and model checking for fairly correct systems

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Computer-Aided Program Design

Guest lecturer: Mark Reynolds, The University of Western Australia

Modal and Temporal Logics

Explicit State Model Checking Algorithm for CTL. CSE 814 CTL Explicit-State Model Checking Algorithm

Abstraction for Falsification

From Liveness to Promptness

Temporal Logics for Specification and Verification

Digital Systems. Validation, verification. R. Pacalet January 4, 2018

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

Automata-Theoretic Model Checking of Reactive Systems

Models for Efficient Timed Verification

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Alternating Time Temporal Logics*

Reasoning about Time and Reliability

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

CTL Model Checking. Wishnu Prasetya.

Decision Procedures for CTL

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

ESE601: Hybrid Systems. Introduction to verification

p,egp AFp EFp ... p,agp

Crash course Verification of Finite Automata CTL model-checking

Reasoning about Equilibria in Game-like Concurrent Systems

Efficient Model-Checking of Weighted CTL with Upper-Bound Constraints

Model-Checking Games: from CTL to ATL

T Reactive Systems: Temporal Logic LTL

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Linear-Time Logic. Hao Zheng

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Computation Tree Logic

Chapter 3: Linear temporal logic

Graded Computation Tree Logic

Linear Temporal Logic (LTL)

PSPACE-completeness of LTL/CTL model checking

a Hebrew University b Weizmann Institute c Rice University

Theoretical Foundations of the UML

Timo Latvala. February 4, 2004

Optimal Decision Procedures for Satisfiability in Fragments of Alternating-time Temporal Logics

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Alternating-Time Temporal Logic

QBF Encoding of Temporal Properties and QBF-based Verification

SUPERVISORY CONTROL AND FAILURE DIAGNOSIS OF DISCRETE EVENT SYSTEMS: A TEMPORAL LOGIC APPROACH

Homework 2: Temporal logic

Finite State Model Checking

Logic-Based Modeling in Systems Biology

A tableau-based decision procedure for a branching-time interval temporal logic

First-Order Predicate Logic. Basics

CIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Transcription:

Summary COMPUTATION TREE LOGIC (CTL) Slides by Alessandro Artale http://www.inf.unibz.it/ artale/ Some material (text, figures) displayed in these slides is courtesy of: M. Benerecetti, A. Cimatti, M. Fisher, F. Giunchiglia, M. Pistore, M. Roveri, R.Sebastiani. p. 1/35 p. 2/35 Computation Tree logic Vs. LTL LTL implicitly quantifies universally over paths. KM,s =! iff for every path " starting at s KM," =! Properties that assert the existence of a path cannot be expressed. In particular, properties which mix existential and universal path quantifiers cannot be expressed. The Computation Tree Logic, CTL, solves these problems! CTL explicitly introduces path quantifiers! CTL is the natural temporal logic interpreted over Branching Time Structures. CTL at a glance CTL is evaluated over branching-time structures (Trees). CTL explicitly introduces path quantifiers: All Paths: A Exists a Path: E. Every temporal operator (G), (F), (X), U (U) preceded by a path quantifier (A or E). Universal modalities: AF, AG, AX, AU The temporal formula is true in all the paths starting in the current state. Existential modalities: EF, EG, EX, EU The temporal formula is true in some path starting in the current state. p. 3/35 p. 4/35

Summary CTL: Syntax Countable set # of atomic propositions: p, q,... the set FORM of formulas is: $,% p $ $ % $ % AX$ AG$ AF$ $AU%) Intuition: EX$ EG$ EF$ $EU%) E A F there Exists a path in All paths sometime in the Future p. 5/35 G Globally in the future p. 6/35 CTL: Semantics We interpret our CTL temporal formulas over Kripke Models linearized as trees (e.g. AFdone).!done CTL: Semantics (Cont.) Let # be a set of atomic propositions. We interpret our CTL temporal formulas over Kripke Models:!done done KM = S,I,R,#,L!done done!done done done!done done done done The semantics of a temporal formula is provided by the satisfaction relation: Universal modalities (AF, AG, AX, AU): the temporal formula is true in all the paths starting in the current state. =: (KM S FORM) {true,false} Existential modalities (EF, EG, EX, EU): the temporal formula is true in some path starting in the current state. p. 7/35 p. 8/35

CTL Semantics: The Propositional Aspect We start by defining when an atomic proposition is true at a state/time s i KM, s i = p iff p L(s i ) (for p #) The semantics for the classical operators is as expected: KM, s i = $ iff KM, s i = $ KM, s i = $ % iff KM, s i = $ and KM, s i = % KM, s i = $ % iff KM, s i = $ or KM, s i = % KM, s i = $ % iff if KM, s i = $ then KM, s i = % KM, s i = KM, s i = CTL Semantics: Intuitions p. 9/35 CTL Semantics: The Temporal Aspect Temporal operators have the following semantics where "=(s i,s i+1,...) is a generic path outgoing from state s i inkm. KM,s i = AX$ iff " =(s i,s i+1,...) KM,s i+1 = $ KM,s i = EX$ iff " =(s i,s i+1,...) KM,s i+1 = $ KM,s i = AG$ iff " =(s i,s i+1,...) j i.km,s j = $ KM,s i = EG$ iff " =(s i,s i+1,...) j i.km,s j = $ KM,s i = AF$ iff " =(s i,s i+1,...) j i.km,s j = $ KM,s i = EF$ iff " =(s i,s i+1,...) j i.km,s j = $ KM,s i =($AU%) iff " =(s i,s i+1,...) j i.km,s j = % and i k < j : M,s k = $ KM,s i = $EU%) iff " =(s i,s i+1,...) j i.km,s j = % and CTL Semantics: Intuitions (Cont.) i k < j : KM,s k = $ p. 10/35 CTL is given by the standard boolean logic enhanced with temporal operators. Necessarily Next. AX$ is true in s t iff $ is true in every successor state s t+1 Possibly Next. EX$ is true in s t iff $ is true in one successor state s t+1 Necessarily in the future (or Inevitably ). AF$ is true in s t iff $ is inevitably true in some s t with t t Possibly in the future (or Possibly ). EF$ is true in s t iff $ may be true in some s t with t t Globally (or always ). AG$ is true in s t iff $ is true in all s t with t t Possibly henceforth. EG$ is true in s t iff $ is possibly true henceforth Necessarily Until. ($AU%) is true in s t iff necessarily $ holds until % holds. Possibly Until. ($EU%) is true in s t iff possibly $ holds until % holds. p. 11/35 p. 12/35

CTL Semantics: Intuitions (Cont.) A Complete Set of CTL Operators finally P globally P next P P until q AFP AGP AXP A[ P U q ] All CTL operators can be expressed via: EX,EG,EU AX$ EX $ AF$ EG $ EF$ ( EU$) AG$ EF $ ( EU $) ($AU%) EG % ( %EU( $ %)) EFP EGP EXP E[ P U q ] p. 13/35 p. 14/35 Summary Safety Properties Safety: something bad will not happen Typical examples: AG (reactor_temp > 1000) AG (one_way AXother_way) AG ((x = 0) AXAXAX(y = z/x)) and so on... Usually: AG... p. 15/35 p. 16/35

Liveness Properties Fairness Properties Liveness: something good will happen Typical examples: AFrich AF(x > 5) AG(start AFterminate) and so on... Usually: AF... Often only really useful when scheduling processes, responding to messages, etc. Fairness: something is successful/allocated infinitely often Typical example: AG(AFenabled) Usually: AGAF... p. 17/35 p. 18/35 Summary The CTL Model Checking Problem The CTL Model Checking Problem is formulated as: KM =! Check if KM,s 0 =!, for every initial state, s 0, of the Kripke structure KM. p. 19/35 p. 20/35

Example 1: Mutual Exclusion (Safety) Example 1: Mutual Exclusion (Safety) KM = AG (C 1 C 2 )? KM = AG (C 1 C 2 )? YES: There is no reachable state in which (C 1 C 2 ) holds! (Same as the (C 1 C 2 ) in LTL.) p. 21/35 p. 21/35 Example 2: Liveness Example 2: Liveness KM = AG(T 1 AFC 1 )? KM = AG(T 1 AFC 1 )? YES: every path starting from each state where T 1 holds passes through a state where C 1 holds. (Same as (T 1 C 1 ) in LTL) p. 22/35 p. 22/35

Example 3: Fairness Example 3: Fairness KM = AGAFC 1? KM = AGAFC 1? NO: e.g., in the initial state, there is the blue cyclic path in which C 1 never holds! (Same as C 1 in LTL) p. 23/35 p. 23/35 Example 4: Non-Blocking Example 4: Non-Blocking KM = AG(N 1 EFT 1 )? KM = AG(N 1 EFT 1 )? YES: from each state where N 1 holds there is a path leading to a state where T 1 holds. (No corresponding LTL formulas) p. 24/35 p. 24/35

Summary LTL Vs. CTL: Expressiveness Many CTL formulas cannot be expressed in LTL (e.g., those containing paths quantified existentially) E.g., AG(N 1 EFT 1 ) Many LTL formulas cannot be expressed in CTL E.g., T 1 C 1 (Strong Fairness in LTL) i.e, formulas that select a range of paths with a property ( p q Vs. AG(p AFq)) Some formluas can be expressed both in LTL and in CTL (typically LTL formulas with operators of nesting depth 1) E.g., (C 1 C 2 ), C 1, (T 1 C 1 ), C 1 p. 25/35 p. 26/35 LTL Vs. CTL: Expressiveness (Cont.) Summary CTL and LTL have incomparable expressive power. The choice between LTL and CTL depends on the application and the personal preferences. LTL CTL p. 27/35 p. 28/35

The Computation Tree Logic CTL* CTL*: Syntax CTL* is a logic that combines the expressive power of LTL and CTL. Temporal operators can be applied without any constraints. A(X$ XX$). Along all paths, $ is true in the next state or the next two steps. E(GF$). There is a path along which $ is infinitely often true. Countable set # of atomic propositions: p, q,... we distinguish between States Formulas (evaluated on states): $,% p $ $ % $ % A& E& and Path Formulas (evaluated on paths): &,' $ & & ' & ' X& G& F& (&U') The set of CTL* formulas FORM is the set of state formulas. p. 29/35 p. 30/35 CTL* Semantics: State Formulas We start by defining when an atomic proposition is true at a state s 0 KM, s 0 = p iff p L(s 0 ) (for p #) The semantics for State Formulas is the following where " =(s 0,s 1,...) is a generic path outgoing from state s 0 : KM, s 0 = $ iff KM, s 0 = $ KM, s 0 = $ % iff KM, s 0 = $ and KM, s 0 = % KM, s 0 = $ % iff KM, s 0 = $ or KM, s 0 = % KM, s 0 = E& iff " =(s 0,s 1,...)such that KM," = & KM, s 0 = A& iff " =(s 0,s 1,...)then KM," = & CTL* Semantics: Path Formulas The semantics for Path Formulas is the following where " =(s 0,s 1,...) is a generic path outgoing from state s 0 and " i denotes the suffix path (s i,s i+1,...): KM, " = $ iff KM, s 0 = $ KM, " = & iff KM, " = & KM, " = & ' iff KM, " = & and KM, " = ' KM, " = & ' iff KM, " = & or KM, " = ' KM, " = F& iff i 0such that KM," i = & KM, " = G& iff i 0then KM," i = & KM, " = X& iff KM," 1 = & KM, " = &U' iff i 0such that KM," i = ' and j.(0 j i) then KM," j = & p. 31/35 p. 32/35

CTLs Vs LTL Vs CTL: Expressiveness CTL* subsumes both CTL and LTL $ in CTL = $ in CTL* (e.g., AG(N 1 EFT 1 )) $ in LTL = A$ in CTL* (e.g., A(GFT 1 GFC 1 )) LTL CTL CTL* (e.g., E(GFp GFq)) CTL* Vs LTL Vs CTL: Complexity The following Table shows the Computational Complexity of checking Satisbiability Logic Complexity LTL CTL* CTL LTL CTL CTL* PSpace-Complete ExpTime-Complete 2ExpTime-Complete p. 33/35 p. 34/35 CTL* Vs LTL Vs CTL: Complexity (Cont.) The following Table shows the Computational Complexity of Model Checking (M.C.) Since M.C. has 2 inputs the model, M, and the formula, $ we give two complexity measures. Logic Complexity w.r.t. $ Complexity w.r.t. M LTL PSpace-Complete P (linear) CTL P-Complete P (linear) CTL* PSpace-Complete P (linear) p. 35/35

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback