FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Similar documents
Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

FORMAL METHODS LECTURE V: CTL MODEL CHECKING

Formal Methods Lecture VII Symbolic Model Checking

Chapter 4: Computation tree logic

Computation Tree Logic

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Model for reactive systems/software

Temporal Logic Model Checking

Lecture 16: Computation Tree Logic (CTL)

LTL and CTL. Lecture Notes by Dhananjay Raju

Chapter 6: Computation Tree Logic

Overview. overview / 357

Finite-State Model Checking

Computation Tree Logic

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Model checking (III)

Computation Tree Logic (CTL)

MODEL CHECKING. Arie Gurfinkel

Verification Using Temporal Logic

Model Checking: An Introduction

Automata-Theoretic Model Checking of Reactive Systems

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Model checking the basic modalities of CTL with Description Logic

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

T Reactive Systems: Temporal Logic LTL

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Topics in Verification AZADEH FARZAN FALL 2017

FORMAL METHODS LECTURE VI BINARY DECISION DIAGRAMS (BDD S)

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Linear-Time Logic. Hao Zheng

Model Checking with CTL. Presented by Jason Simas

3-Valued Abstraction-Refinement

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Computation Tree Logic

Computer-Aided Program Design

Logic: Propositional Logic (Part I)

Reasoning about Strategies: From module checking to strategy logic

Theoretical Foundations of the UML

Chapter 5: Linear Temporal Logic

An Introduction to Temporal Logics

From Liveness to Promptness

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Modal and Temporal Logics

Timo Latvala. February 4, 2004

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Reasoning about Time and Reliability

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Alternating-Time Temporal Logic

Reasoning about Equilibria in Game-like Concurrent Systems

CS357: CTL Model Checking (two lectures worth) David Dill

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Temporal logics and model checking for fairly correct systems

Alternating Time Temporal Logics*

The State Explosion Problem

A tableau-based decision procedure for a branching-time interval temporal logic

Lecture 2: Symbolic Model Checking With SAT

Valentin Goranko Stockholm University. ESSLLI 2018 August 6-10, of 33

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Chapter 3: Linear temporal logic

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Principles of Knowledge Representation and Reasoning

Temporal Logic of Actions

Digital Systems. Validation, verification. R. Pacalet January 4, 2018

CIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns

Homework 2: Temporal logic

Abstraction for Falsification

a Hebrew University b Weizmann Institute c Rice University

Lecture Notes on Emptiness Checking, LTL Büchi Automata

PSL Model Checking and Run-time Verification via Testers

Temporal Logics for Specification and Verification

ESE601: Hybrid Systems. Introduction to verification

Monodic fragments of first-order temporal logics

First-order resolution for CTL

Linear-time Temporal Logic

CS477 Formal Software Dev Methods

Scuola Estiva di Logica, Gargnano, 31 agosto - 6 settembre 2008 LOGIC AT WORK. Formal Verification of Complex Systems via. Symbolic Model Checking

FAIRNESS FOR INFINITE STATE SYSTEMS

Lecture Notes on Model Checking

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

Graded Computation Tree Logic

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Safety and Liveness Properties

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Systems Verification. Alessandro Abate. Day 1 January 25, 2016

QBF Encoding of Temporal Properties and QBF-based Verification

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

Models for Efficient Timed Verification

Model-Checking Games: from CTL to ATL

From Liveness to Promptness

Algorithms for Model Checking (2IW55)

An Introduction to Modal Logic III

Transcription:

Alessandro Artale (FM First Semester 2007/2008) p. 1/37 FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL) Alessandro Artale Faculty of Computer Science Free University of Bolzano artale@inf.unibz.it http://www.inf.unibz.it/ artale/ Some material (text, figures) displayed in these slides is courtesy of: M. Benerecetti, A. Cimatti, M. Fisher, F. Giunchiglia, M. Pistore, M. Roveri, R.Sebastiani.

Alessandro Artale (FM First Semester 2007/2008) p. 2/37 Summary of Lecture IV Computation Tree Logic: Intuitions. CTL: Syntax and Semantics. CTL in Computer Science. CTL and Model Checking: Examples. CTL Vs. LTL. CTL*.

Alessandro Artale (FM First Semester 2007/2008) p. 3/37 Computation Tree logic Vs. LTL LTL implicitly quantifies universally over paths. KM,s = φ iff for every path π starting at s KM,π = φ Properties that assert the existence of a path cannot be expressed. In particular, properties which mix existential and universal path quantifiers cannot be expressed. The Computation Tree Logic, CTL, solves these problems! CTL explicitly introduces path quantifiers! CTL is the natural temporal logic interpreted over Branching Time Structures.

Alessandro Artale (FM First Semester 2007/2008) p. 4/37 CTL at a glance CTL is evaluated over branching-time structures (Trees). CTL explicitly introduces path quantifiers: All Paths: P Exists a Path: P. Every temporal operator ( path quantifier ( P or P ).,,,U ) preceded by a Universal modalities: P, P, P, P U The temporal formula is true in all the paths starting in the current state. Existential modalities: P, P, P, P U The temporal formula is true in some path starting in the current state.

Alessandro Artale (FM First Semester 2007/2008) p. 5/37 Summary Computation Tree Logic: Intuitions. CTL: Syntax and Semantics. CTL in Computer Science. CTL and Model Checking: Examples. CTL Vs. LTL. CTL*.

Alessandro Artale (FM First Semester 2007/2008) p. 6/37 CTL: Syntax Countable set Σ of atomic propositions: p,q,... the set FORM of formulas is: ϕ,ψ p ϕ ϕ ψ ϕ ψ P ϕ P ϕ P ϕ P (ϕu ψ) P ϕ P ϕ P ϕ (ϕu P ψ)

Alessandro Artale (FM First Semester 2007/2008) p. 7/37 CTL: Semantics We interpret our CTL temporal formulas over Kripke Models linearized as trees (e.g. P done).!done!done done!done done done!done done!done done done done Universal modalities ( P, P, P, P U ): the temporal formula is true in all the paths starting in the current state. Existential modalities ( P, P, P, P U ): the temporal formula is true in some path starting in the current state.

Alessandro Artale (FM First Semester 2007/2008) p. 8/37 CTL: Semantics (Cont.) Let Σ be a set of atomic propositions. We interpret our CTL temporal formulas over Kripke Models: KM = S,I,R,Σ,L The semantics of a temporal formula is provided by the satisfaction relation: =: (KM S FORM) {true,false}

Alessandro Artale (FM First Semester 2007/2008) p. 9/37 CTL Semantics: The Propositional Aspect We start by defining when an atomic proposition is true at a state/time s i KM, s i = p iff p L(s i ) (for p Σ) The semantics for the classical operators is as expected: KM, s i = ϕ iff KM, s i = ϕ KM, s i = ϕ ψ iff KM, s i = ϕ andkm, s i = ψ KM, s i = ϕ ψ iff KM, s i = ϕ orkm, s i = ψ KM, s i = ϕ ψ iff ifkm, s i = ϕ thenkm, s i = ψ KM, s i = KM, s i =

Alessandro Artale (FM First Semester 2007/2008) p. 10/37 CTL Semantics: The Temporal Aspect Temporal operators have the following semantics where π=(s i,s i+1,...) is a generic path outgoing from state s i inkm. KM,s i = P ϕ iff π = (s i,s i+1,...) KM,s i+1 = ϕ KM,s i = P ϕ iff π = (s i,s i+1,...) KM,s i+1 = ϕ KM,s i = P ϕ iff π = (s i,s i+1,...) j i.km,s j = ϕ KM,s i = P ϕ iff π = (s i,s i+1,...) j i.km,s j = ϕ KM,s i = P ϕ iff π = (s i,s i+1,...) j i.km,s j = ϕ KM,s i = P ϕ iff π = (s i,s i+1,...) j i.km,s j = ϕ KM,s i = P (ϕu ψ) iff π = (si,s i+1,...) j i.km,s j = ψ and i k < j : M,s k = ϕ KM,s i = P (ϕu ψ) iff π = (si,s i+1,...) j i.km,s j = ψ and i k < j :KM,s k = ϕ

Alessandro Artale (FM First Semester 2007/2008) p. 11/37 CTL Semantics: Intuitions CTL is given by the standard boolean logic enhanced with temporal operators. Necessarily Next. P successor state s t+1 ϕ is true in s t iff ϕ is true in every Possibly Next. P ϕ is true in s t iff ϕ is true in one successor state s t+1 Necessarily in the future (or Inevitably ). P ϕ is true in s t iff ϕ is inevitably true in some s t with t t Possibly in the future (or Possibly ). P ϕ is true in s t iff ϕ may be true in some s t with t t

Alessandro Artale (FM First Semester 2007/2008) p. 12/37 CTL Semantics: Intuitions (Cont.) Globally (or always ). P ϕ is true in s t iff ϕ is true in all s t with t t Possibly henceforth. P ϕ is true in s t iff ϕ is possibly true henceforth Necessarily Until. (ϕu P ψ) is true in s t iff necessarily ϕ holds until ψ holds. Possibly Until. (ϕu P ψ) is true in s t iff possibly ϕ holds until ψ holds.

Alessandro Artale (FM First Semester 2007/2008) p. 13/37 CTL Alternative Notation Alternative notations are used for temporal operators. P E there Exists a path P A in All paths F sometime in the Future G Globally in the future X nextime

Alessandro Artale (FM First Semester 2007/2008) p. 14/37 CTL Semantics: Intuitions (Cont.) finally P globally P next P P until q AFP AGP AXP A[ P U q ] EFP EGP EXP E[ P U q ]

Alessandro Artale (FM First Semester 2007/2008) p. 15/37 A Complete Set of CTL Operators All CTL operators can be expressed via: P, P, P U P P ϕ P ϕ P ϕ P ϕ ( U P ϕ) P ϕ P ϕ ( U P ϕ) (ϕu P ψ) P ψ ( ψu P ( ϕ ψ))

Alessandro Artale (FM First Semester 2007/2008) p. 16/37 Summary Computation Tree Logic: Intuitions. CTL: Syntax and Semantics. CTL in Computer Science. CTL and Model Checking: Examples. CTL Vs. LTL. CTL*.

Alessandro Artale (FM First Semester 2007/2008) p. 17/37 Safety Properties Safety: something bad will not happen Typical examples: P (reactor_temp > 1000) P (one_way P other_way) P ((x = 0) P P P (y = z/x)) and so on... Usually: P...

Alessandro Artale (FM First Semester 2007/2008) p. 18/37 Liveness Properties Liveness: something good will happen Typical examples: P rich P (x > 5) P (start P terminate) and so on... Usually: P...

Alessandro Artale (FM First Semester 2007/2008) p. 19/37 Fairness Properties Often only really useful when scheduling processes, responding to messages, etc. Fairness: something is successful/allocated infinitely often Typical example: P ( P enabled) Usually: P P...

Alessandro Artale (FM First Semester 2007/2008) p. 20/37 Summary Computation Tree Logic: Intuitions. CTL: Syntax and Semantics. CTL in Computer Science. CTL and Model Checking: Examples. CTL Vs. LTL. CTL*.

Alessandro Artale (FM First Semester 2007/2008) p. 21/37 The CTL Model Checking Problem The CTL Model Checking Problem is formulated as: KM = φ Check ifkm,s 0 = φ, for every initial state, s 0, of the Kripke structurekm.

Alessandro Artale (FM First Semester 2007/2008) p. 22/37 Example 1: Mutual Exclusion (Safety) N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0 T1, N2 N1, T2 C1, N2 T1, T2 T1, T2 N1, C2 C1, T2 KM = P (C 1 C 2 )? T1, C2

Alessandro Artale (FM First Semester 2007/2008) p. 22/37 Example 1: Mutual Exclusion (Safety) N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0 T1, N2 N1, T2 C1, N2 T1, T2 T1, T2 N1, C2 C1, T2 KM = P (C 1 C 2 )? T1, C2 YES: There is no reachable state in which (C 1 C 2 ) holds! (Same as the (C 1 C 2 ) in LTL.)

Alessandro Artale (FM First Semester 2007/2008) p. 23/37 Example 2: Liveness N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0 T1, N2 N1, T2 C1, N2 T1, T2 T1, T2 N1, C2 C1, T2 T1, C2 KM = P (T 1 P C 1 )?

Alessandro Artale (FM First Semester 2007/2008) p. 23/37 Example 2: Liveness N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0 T1, N2 N1, T2 C1, N2 T1, T2 T1, T2 N1, C2 C1, T2 KM = P (T 1 P C 1 )? T1, C2 YES: every path starting from each state where T 1 holds passes through a state where C 1 holds. (Same as (T 1 C 1 ) in LTL)

Alessandro Artale (FM First Semester 2007/2008) p. 24/37 Example 3: Fairness N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0 T1, N2 N1, T2 C1, N2 T1, T2 T1, T2 N1, C2 C1, T2 KM = P P C 1? T1, C2

Alessandro Artale (FM First Semester 2007/2008) p. 24/37 Example 3: Fairness N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0 T1, N2 N1, T2 C1, N2 T1, T2 T1, T2 N1, C2 C1, T2 KM = P P C 1? T1, C2 NO: e.g., in the initial state, there is the blue cyclic path in which C 1 never holds! (Same as C 1 in LTL)

Alessandro Artale (FM First Semester 2007/2008) p. 25/37 Example 4: Non-Blocking N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0 T1, N2 N1, T2 C1, N2 T1, T2 T1, T2 N1, C2 C1, T2 T1, C2 KM = P (N 1 P T 1 )?

Alessandro Artale (FM First Semester 2007/2008) p. 25/37 Example 4: Non-Blocking N = noncritical, T = trying, C = critical N1, N2 User 1 User 2 turn=0 T1, N2 N1, T2 C1, N2 T1, T2 T1, T2 N1, C2 C1, T2 KM = P (N 1 P T 1 )? T1, C2 YES: from each state where N 1 holds there is a path leading to a state where T 1 holds. (No corresponding LTL formulas)

Alessandro Artale (FM First Semester 2007/2008) p. 26/37 Summary Computation Tree Logic: Intuitions. CTL: Syntax and Semantics. CTL in Computer Science. CTL and Model Checking: Examples. CTL Vs. LTL. CTL*.

Alessandro Artale (FM First Semester 2007/2008) p. 27/37 LTL Vs. CTL: Expressiveness Many CTL formulas cannot be expressed in LTL (e.g., those containing paths quantified existentially) E.g., P (N 1 P T 1 ) Many LTL formulas cannot be expressed in CTL E.g., T 1 C 1 (Strong Fairness in LTL) i.e, formulas that select a range of paths with a property ( p q Vs. P (p P q)) Some formluas can be expressed both in LTL and in CTL (typically LTL formulas with operators of nesting depth 1) E.g., (C 1 C 2 ), C 1, (T 1 C 1 ), C 1

Alessandro Artale (FM First Semester 2007/2008) p. 28/37 LTL Vs. CTL: Expressiveness (Cont.) CTL and LTL have incomparable expressive power. The choice between LTL and CTL depends on the application and the personal preferences. LTL CTL

Alessandro Artale (FM First Semester 2007/2008) p. 29/37 Summary Computation Tree Logic: Intuitions. CTL: Syntax and Semantics. CTL in Computer Science. CTL and Model Checking: Examples. CTL Vs. LTL. CTL*.

Alessandro Artale (FM First Semester 2007/2008) p. 30/37 The Computation Tree Logic CTL* CTL* is a logic that combines the expressive power of LTL and CTL. Temporal operators can be applied without any constraints. P ( ϕ ϕ). Along all paths, ϕ is true in the next state or the next two steps. P ( ϕ). There is a path along which ϕ is infinitely often true.

Alessandro Artale (FM First Semester 2007/2008) p. 31/37 CTL*: Syntax Countable set Σ of atomic propositions: p,q,... we distinguish between States Formulas (evaluated on states): ϕ,ψ p ϕ ϕ ψ ϕ ψ P α P α and Path Formulas (evaluated on paths): α,β ϕ α α β α β α α α (αu β) The set of CTL* formulas FORM is the set of state formulas.

Alessandro Artale (FM First Semester 2007/2008) p. 32/37 CTL* Semantics: State Formulas We start by defining when an atomic proposition is true at a state s 0 KM, s 0 = p iff p L(s 0 ) (for p Σ) The semantics for State Formulas is the following where π = (s 0,s 1,...) is a generic path outgoing from state s 0 : KM, s 0 = ϕ iff KM, s 0 = ϕ KM, s 0 = ϕ ψ iff KM, s 0 = ϕ andkm, s 0 = ψ KM, s 0 = ϕ ψ iff KM, s 0 = ϕ orkm, s 0 = ψ KM, s 0 = P α iff π = (s 0,s 1,...)such thatkm,π = α KM, s 0 = P α iff π = (s 0,s 1,...)thenKM,π = α

Alessandro Artale (FM First Semester 2007/2008) p. 33/37 CTL* Semantics: Path Formulas The semantics for Path Formulas is the following where π = (s 0,s 1,...) is a generic path outgoing from state s 0 and π i denotes the suffix path (s i,s i+1,...): KM, π = ϕ iff KM, s 0 = ϕ KM, π = α iff KM, π = α KM, π = α β iff KM, π = α andkm, π = β KM, π = α β iff KM, π = α orkm, π = β KM, π = α iff i 0such thatkm,π i = α KM, π = α iff i 0thenKM,π i = α KM, π = α iff KM,π 1 = α KM, π = αu β iff i 0such thatkm,π i = β and j.(0 j i) thenkm,π j = α

Alessandro Artale (FM First Semester 2007/2008) p. 34/37 CTLs Vs LTL Vs CTL: Expressiveness CTL* subsumes both CTL and LTL ϕ in CTL = ϕ in CTL* (e.g., P (N 1 P T 1 )) ϕ in LTL = P ϕ in CTL* (e.g., P ( T 1 C 1 )) LTL CTL CTL* (e.g., P ( p q)) CTL* LTL CTL

Alessandro Artale (FM First Semester 2007/2008) p. 35/37 CTL* Vs LTL Vs CTL: Complexity The following Table shows the Computational Complexity of checking Satisbiability Logic LTL CTL CTL* Complexity PSpace-Complete ExpTime-Complete 2ExpTime-Complete

Alessandro Artale (FM First Semester 2007/2008) p. 36/37 CTL* Vs LTL Vs CTL: Complexity (Cont.) The following Table shows the Computational Complexity of Model Checking (M.C.) Since M.C. has 2 inputs the model,m, and the formula, ϕ we give two complexity measures. Logic Complexity w.r.t. ϕ Complexity w.r.t. M LTL PSpace-Complete P (linear) CTL P-Complete P (linear) CTL* PSpace-Complete P (linear)

Alessandro Artale (FM First Semester 2007/2008) p. 37/37 Summary of Lecture IV Computation Tree Logic: Intuitions. CTL: Syntax and Semantics. CTL in Computer Science. CTL and Model Checking: Examples. CTL Vs. LTL. CTL*.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback