CTL, the branching-time temporal logic

Similar documents
Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Computation Tree Logic

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

Finite State Model Checking

p,egp AFp EFp ... p,agp

Topics in Verification AZADEH FARZAN FALL 2017

Computation Tree Logic

Chapter 6: Computation Tree Logic

DRAFT - do not circulate

Overview. overview / 357

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Chapter 4: Computation tree logic

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Computation Tree Logic

Memoryfull Branching-Time Logic

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

An Introduction to Temporal Logics

Finite-State Verification or Model Checking. Finite State Verification (FSV) or Model Checking

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Verification Using Temporal Logic

ESE601: Hybrid Systems. Introduction to verification

Model for reactive systems/software

Alternating-Time Temporal Logic

SAT based Abstraction-Refinement using ILP and Machine Learning Techniques

Applying the Mu-Calculus in Planning and Reasoning about Action

Game Specification in the Trias Politica

LTL and CTL. Lecture Notes by Dhananjay Raju

Computation Tree Logic (CTL)

MATH 3240Q Introduction to Number Theory Homework 7

Using BDDs to Decide CTL

ABSTRACT MODEL REPAIR

Model Checking Algorithms

Lecture 16: Computation Tree Logic (CTL)

Chapter 5: Linear Temporal Logic

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Alternating Time Temporal Logics*

ABSTRACT MODEL REPAIR

Pretest (Optional) Use as an additional pacing tool to guide instruction. August 21

From Liveness to Promptness

A Tableau-Based Decision Procedure for Right Propositional Neighborhood Logic (RPNL )

MODEL CHECKING. Arie Gurfinkel

Sets of Real Numbers

Modal and Temporal Logics

Symbolic Model Checking Property Specification Language*

MATH 2710: NOTES FOR ANALYSIS

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

A brief introduction to Logic. (slides from

Topic 7: Using identity types

Automata-Theoretic Model Checking of Reactive Systems

PSL Model Checking and Run-time Verification via Testers

Chapter 5: Linear Temporal Logic

Model checking (III)

Linear Temporal Logic and Büchi Automata

An On-the-fly Tableau Construction for a Real-Time Temporal Logic

Abstractions and Decision Procedures for Effective Software Model Checking

PROFIT MAXIMIZATION. π = p y Σ n i=1 w i x i (2)

Model Checking with CTL. Presented by Jason Simas

Computation Tree Logic

Pretest (Optional) Use as an additional pacing tool to guide instruction. August 21

Automata and Reactive Systems

Model Checking: An Introduction

2. PROPOSITIONAL LOGIC

Binary Decision Diagrams

Comp487/587 - Boolean Formulas

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Timo Latvala. February 4, 2004

Computer-Aided Program Design

Reasoning about Memoryless Strategies under Partial Observability and Unconditional Fairness Constraints

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

CSE 311 Lecture 02: Logic, Equivalence, and Circuits. Emina Torlak and Kevin Zatloukal

Outline. CS21 Decidability and Tractability. Regular expressions and FA. Regular expressions and FA. Regular expressions and FA

Propositional Logic: Models and Proofs

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Tecniche di Verifica. Introduction to Propositional Logic

Elementary Analysis in Q p

Temporal Logic and Fair Discrete Systems

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Chapter 3: Linear temporal logic

Description Logics. Deduction in Propositional Logic. franconi. Enrico Franconi

Linear-time Temporal Logic

Temporal Logic Model Checking

Model-Checking Games: from CTL to ATL

The State Explosion Problem

Automata, Logic and Games: Theory and Application

Notes. Corneliu Popeea. May 3, 2013

John Weatherwax. Analysis of Parallel Depth First Search Algorithms

Lilian Markenzon 1, Nair Maria Maia de Abreu 2* and Luciana Lee 3

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

RANDOM WALKS AND PERCOLATION: AN ANALYSIS OF CURRENT RESEARCH ON MODELING NATURAL PROCESSES

The Logic of Compound Statements. CSE 2353 Discrete Computational Structures Spring 2018

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

A tableau-based decision procedure for a branching-time interval temporal logic

Introduction to Probability and Statistics

Mobius Functions, Legendre Symbols, and Discriminants

Notes on induction proofs and recursive definitions

CSE 599d - Quantum Computing When Quantum Computers Fall Apart

Transcription:

CTL, the branching-time temoral logic Cătălin Dima Université Paris-Est Créteil Cătălin Dima (UPEC) CTL 1 / 29

Temoral roerties CNIL Safety, termination, mutual exclusion LTL. Liveness, reactiveness, resonsiveness, infinitely reeated behaviors LTL. Available choices, strategies, adversial situations? Tout utilisateur eut demander le retrait de ses données... How do we interret eut? = demander le retrait... Then formula =?? NO! Strategy to win a game Black has a strategy to ut the game in a situation from which White king will never get close to Black awn. Not secifiable in LTL either! Cătălin Dima (UPEC) CTL 2 / 29

Comutational Tree Logic (CTL) Syntax: Φ ::= Φ Φ Φ Φ Φ (ΦU Φ) Φ Φ (ΦU Φ) Grammar for the logic: the set of formulas is the set of words obtained by this (context-free!) grammar, with Φ viewed as nonterminal. Syntactic tree for each formula., : ath quantifier (will see why!). U,, : temoral quantifiers. Alternative notations (for the temoral oerators): φ = Gφ, φ = Fφ, φ = Xφ. Each ath quantifier must be followed by a temoral quantifier in the syntactic tree of each formula. Samle formula: ( (U( q q))). Draw its syntactic tree! Strict alternation: A non-ctl formula ( (U( q q))).... because the U is not receded by a ath quantifier. Cătălin Dima (UPEC) CTL 3 / 29

CTL resented Intuitive meanings: : in any next state holds. Regardless of the actions of the environment, at the next clock tick holds. : will eretually hold in any continuation from the current state. Whatever the environment does, will hold forever. U q: in any continuation from the current state q eventually holds, and until then must hold. Cătălin Dima (UPEC) CTL 4 / 29

CTL formulas Derived oerators: Some intuitive meanings: φ = φ φ = (trueu φ) φ = φ φ = φ (φu ψ) = ( φu( φ ψ)) ψ : there exists a next state in which holds. The environment could make it ossible for to hold at the next clock tick. : there exists a continuation on which holds eretually. : in all continuations eventually holds. There is a guarantee that must eventually hold, whatever the environment does. Cătălin Dima (UPEC) CTL 5 / 29

Branching time The root in the following tree satisfies :, q, r The root in the following tree satisfies : q, r Cătălin Dima (UPEC) CTL 6 / 29

Branching time, contd. (U q) (U q) q q q q q q q Cătălin Dima (UPEC) CTL 7 / 29

Transition systems T = (Q,Π,δ,π, q 0 ) with Q finite set of states. Π finite set of atomic roositions. q 0 Q initial state. δ Q Q transition relation. π : Q 2 Π state labeling. Examle: the hunter/wolf/goat/cabbage uzzle. Nondeterminism: given q Q, there may exist several r 1, r 2,... Q with (q, r 1 ) δ,(q, r 2 ) δ... Who chooses wich successor in each state? CTL answer: the environment does! Cătălin Dima (UPEC) CTL 8 / 29

CTL semantics in transition systems Recursively interret each CTL formula in each state of the system Given T = (Q,Π,δ,π, q 0 ) and q Q: q = if π(q). q = φ 1 φ 2 if... q = φ if... q = φ if for all r Q with (q, r) δ, r = φ. Examle: Cătălin Dima (UPEC) CTL 9 / 29

CTL semantics in transition systems Recursively interret each CTL formula in each state of the system Given T = (Q,Π,δ,π, q 0 ) and q Q: q = if π(q). q = φ 1 φ 2 if... q = φ if... q = φ if for all r Q with (q, r) δ, r = φ. Examle:, q, r Cătălin Dima (UPEC) CTL 9 / 29

CTL semantics in transition systems (contd.) Given T = (Q,Π,δ,π, q 0 ) and q Q: q = φ if for each run ρ in T starting in q with ρ = q = q 0 q 1... q n... (infinite!) we have that q n = φ for all n. In other words, ρ = φ! q = (φ 1 Uφ 2 ) if for each run ρ in T starting in q with ρ = q = q 0 q 1... q n... there exists n 0 with q n = φ 2 and for all 0 m < n, q m = φ 1. In other words, ρ = φ1 U φ 2! (U q) q q q q q q Cătălin Dima (UPEC) CTL 10 / 29

Proerty secification CNIL Tout utilisateur eut demander le retrait de ses données... How do we interret eut? = demander le retrait... :. Strategy to win a game Black has a strategy to ut the game in a situation from which White king will never get close to Black awn. q = White king never gets close to Black awn : q. Other roerties related with choices, like noninterference. Cătălin Dima (UPEC) CTL 11 / 29

CTL roerties on transition systems Hunter/wolf/goat/cabbage uzzle. Does the initial state satisfy (h = 1 w = 1 g = 1 c = 1)? What is the right roerty that says that the uzzle has a solution? Deadlock freedom: Suose the states of each rocess are 1, 2, 3, res. q 1, q 2, q 3. Deadlock freedom, i.e. all comutations may rogress: (PC 1 = i PC 1 i ) (PC 2 = q i PC 2 q i ) 1 i 3 1 i 3 Cătălin Dima (UPEC) CTL 12 / 29

CTL roerties on transition systems Hunter/wolf/goat/cabbage uzzle. Does the initial state satisfy (h = 1 w = 1 g = 1 c = 1)? What is the right roerty that says that the uzzle has a solution? (h = 1 w = 1 g = 1 c = 1) Deadlock freedom: Suose the states of each rocess are 1, 2, 3, res. q 1, q 2, q 3. Deadlock freedom, i.e. all comutations may rogress: (PC 1 = i PC 1 i ) (PC 2 = q i PC 2 q i ) 1 i 3 1 i 3 Cătălin Dima (UPEC) CTL 12 / 29

CTL roerties on transition systems Hunter/wolf/goat/cabbage uzzle. Does the initial state satisfy (h = 1 w = 1 g = 1 c = 1)? What is the right roerty that says that the uzzle has a solution? (h = 1 w = 1 g = 1 c = 1) Deadlock freedom: Suose the states of each rocess are 1, 2, 3, res. q 1, q 2, q 3. Deadlock freedom, i.e. all comutations may rogress: (PC 1 = i PC 1 i ) (PC 2 = q i PC 2 q i ) 1 i 3 1 i 3 Cătălin Dima (UPEC) CTL 12 / 29

Samle tautologies Tautology : formula that is true regardless of the truth values given to the atomic roositions. Examles: Formulas which are not tautologies: ( q) q ( q) ( q) ( q) q To rove they are not tautologies, give a counter-model! Cătălin Dima (UPEC) CTL 13 / 29

Minimal set of oerators All CTL formulas can be exressed using the following set of oerators : Boolean oerators (further reducible, e.g., to and ).. U.. Examles exress the following: (U q).. The dual set of ath-temoral oerators can also be used as minimal set of oerators! Cătălin Dima (UPEC) CTL 14 / 29

Other (linear) temoral oerators: weak until, release Weak until W q: W q U q. Release Rq: R q ( U q). Can be extended to CTL oerators: W q, R q, etc. Cătălin Dima (UPEC) CTL 15 / 29

Fixoints Globally, forward, until, release can be defined inductively :...?...?...? U q q ( (U q) ) U q...? R q q ( (R q) ) Cătălin Dima (UPEC) CTL 16 / 29

Remarks on LTL vs. CTL (to be continued!) Both LTL and CTL formulas are interreted over transition systems. An LTL formula seaks about what haens on one run that starts in a state. Time assage is determined by some suerior entity, choices do not exist and no dilemma about ossible continuations exists. A osteriori analysis of the behavior of a system (but behaviors may be infinite!). A CTL formula seaks about what could haen in various runs that starts in a state. Time is nondeterministic and choices must be taken into account, good/bad things may haen due to good/bad decisions and continuations deend on them. A riori analysis of the ossible evolution of a system. Some LTL formulas (but not all!) can be reresented as CTL formulas: Checking holds at a state q in a transition system requires checking that all runs starting in q satisfy. Hence, from this state-centered oint of view, checking amounts to checking. No longer holds for more comlex formulas! Simly because ( q) is not a CTL formula! Cătălin Dima Each (UPEC) ath quantifier must be followed CTL by a temoral quantifier in the 17 / 29

The model-checking roblem Given a CTL formula φ and a finitely resentable model M, does M = φ hold? Finitely resentable tree = transition system over AP. The tree = the unfolding of A. Note the difference with LTL models : A transition system embodies an uncountable set of models for LTL! A transition system embodies a unique model for CTL! Cătălin Dima (UPEC) CTL 18 / 29

CTL model-checking instances Which state satisfies? Search for a reachable state labeled with. Which state satisfies? Search for a reachable strongly connected set labeled with. Only states in this SCC satisfy. Cătălin Dima (UPEC) CTL 19 / 29

CTL model-checking [Clarke & Emerson] State labeling algorithm: Given formula φ, slit Q into Q φ and Q φ Structural induction on the syntactic tree of φ. Add a new roositional symbol φ for each analyzed φ. Label Q φ with φ and do not label Q φ with φ. Cătălin Dima (UPEC) CTL 20 / 29

CTL model-checking (2) For φ = Q = { q Q q δ(q), π(q ) } Q = { q Q q δ(q), π(q ) } Examle... Cătălin Dima (UPEC) CTL 21 / 29

CTL model-checking (3) φ =. Q contains state q iff q is labeled with and belongs to a circuit containing only states. Q = Q \ Q. Examle... Cătălin Dima (UPEC) CTL 22 / 29

CTL model-checking (4) φ = ( 1 U 2 ) Q (1 U 2 ) contains state q iff q Q s.t.: q q 2 1 Q (1 U 2 )) = Q \ Q (1 U 2 ). Examle... Cătălin Dima (UPEC) CTL 23 / 29

CTL model-checking examle, q, q, q U q U q Cătălin Dima (UPEC) CTL 24 / 29

Proerties of the (first variant of the) model-checking algorithm It seems that the model-checking algorithm requires grah algorithms Successors for. Reachability analysis for U. Circuits for. But could we take advantage of the fixoint exansions of the temoral oerators? U q q ( (U q) ) Cătălin Dima (UPEC) CTL 25 / 29

Fixoint variant of the model-checking algorithm Given a formula φ and a transition system M = (Q, q 0,δ),... denote Sat M (φ) the set of states in Q which satisfy φ.... and denote ost(q) = {r Q (q, r) δ}. Theorem Sat( (φu ψ)) is the smallest subset T of Q such that: 1 Sat(ψ) T and 2 If q Sat(φ) and ost(q) T then q T. Sat( φ) is the largest subset T of Q such that: 3 Sat(ψ) T and 4 If q T then ost(q) T. The last line can also be read as: 4 For any q Q, if ost(q) T = then q T. Cătălin Dima (UPEC) CTL 26 / 29

Fixoint variant of the model-checking algorithm How to comute Sat( (φu ψ)): 1 Start with T = Sat(ψ). 2 Aend q to T if q Sat(φ) and ost(q) T. 3... until T no longer grows. How to comute Sat( φ): 1 Start with T = Sat(φ). 2 Eliminate, inductively, from T all states for which ost(q) T =. 3... until T no longer diminishes. Examles... Cătălin Dima (UPEC) CTL 27 / 29

Fixoint variant of the model-checking algorithm, q, q, q ( qu ) Comute Sat( q). Comute Sat( ). Instantiate T = Sat( ). Aend st to T if st Sat( q) and ost(st) T. Cătălin Dima (UPEC) CTL 28 / 29

Fixoint variant of the model-checking algorithm, q, q, q ( qu ) ( U q) Cătălin Dima (UPEC) CTL 28 / 29

ost and re How to comute Sat( φu ψ): 1 Start with T = Sat(ψ). 2 Aend q to T if q Sat(φ) and ost(q) T. 3 The same with T := re(t) Sat(φ). 4 Here re(t) = {q r Q,(q, r) δ}. How to comute Sat( φ): 1 Start with T = Sat(φ). 2 Eliminate, inductively, from T all states for which ost(q) T =. 3 The same with T := re(t) T 4 Here re(t) = Q \ re(q \ T). 5 In other words, re(t) contains all the states whose successors all belong to T. Cătălin Dima (UPEC) CTL 29 / 29

ost and re How to comute Sat( φu ψ): 1 Start with T = Sat(ψ). 2 Aend q to T if q Sat(φ) and ost(q) T. 3 The same with T := re(t) Sat(φ). 4 Here re(t) = {q r Q,(q, r) δ}. How to comute Sat( φ): 1 Start with T = Sat(φ). 2 Eliminate, inductively, from T all states for which ost(q) T =. 3 The same with T := re(t) T 4 Here re(t) = Q \ re(q \ T). 5 In other words, re(t) contains all the states whose successors all belong to T. Cătălin Dima (UPEC) CTL 29 / 29

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback