Computation Tree Logic and CTL Model Checking

Computation Tree Logic and CTL Model Checking

Xiaowang Zhang, 2020

College of Intelligence and Computing

Chapter 5

Xiaowang Zhang, 2020 (CIC) Computation Tree Logic Chapter 5 1 / 33

Outline

1 Branching Temporal Logic

2 Syntax & Semantics of CTLSyntax of CTLSemantics

3 CTL Model Checking


Linear Vs. Branching Temporal Logic

So far we have been talking about properties of linear behaviors(sequences, traces)But some properties are not linear, e.g.:

Example

It is possible to recover from any fault.

Example

There exists a way to get back to the initial state from any reachable state.



So far we have been talking about properties of linear behaviors(sequences, traces)But some properties are not linear, e.g.:

Example


Example

There exists a way to get back to the initial state from any reachable state.



Example


Based on one (linear) behavior alone, we cannot conclude whether oursystem satisfies the property.

Example

The following system satisfies the property, although it contains a behaviorthat stays forever in state s1:

s0 s1

fault

recovery



Example



Example


s0 s1

fault

recovery



Example



Example


s0 s1

fault

recovery


List of Branching Temporal Logic

Hennessy-Milner logic

Computation Tree Logic (CTL)

Extended Computation Tree Logic (CTL): combines LTL and CTLinto a single framework

Alternation-free modal µ-calculus

Modal µ-calculus

Propositional dynamic logic

This slide is referring to Fazle Rabbi’s slide as follows:http: // www. uio. no/ studier/ emner/ matnat/ ifi/ INF5140/ v15/

slides/ ctl. pdf


http://www.uio.no/studier/emner/matnat/ifi/INF5140/v15/slides/ctl.pdf

http://www.uio.no/studier/emner/matnat/ifi/INF5140/v15/slides/ctl.pdf

Model of Computation

Finite-state systems are modeled by labeled state transition graphs, calledKripke Model.

Example

a b

b c c

Figure: Kripke Model


Model of Computation

If some state is designated as the initial state, the structure can beunwound into an infinite tree with that states as the root

Example (Unwind transition system to obtain infinite tree)

a b

b c c

a b c c

Figure: Kripke Model


Motivation of CTL

LTL formulae are evaluated on paths.A state of a TS satisfies an LTL formula if all paths from the given statesatisfy it.Thus, LTL implicitly quantifies universally over paths.

Properties which assert the existence of a path cannot be expressed in LTL.

Example

From any state it is possible to get to the Restart state.


Motivation of CTL

LTL formulae are evaluated on paths.A state of a TS satisfies an LTL formula if all paths from the given statesatisfy it.Thus, LTL implicitly quantifies universally over paths.

Properties which assert the existence of a path cannot be expressed in LTL.

Example

From any state it is possible to get to the Restart state.


Motivation of CTL

Computation Tree Logic (CTL) is a branching-time logic, meaning that itsmodel of time is a tree-like structure in which the future is not determinedthere are different paths in the future, any one of which might be theactual path that is realised.In CTL, two new operators are introduced:

Temporal Operators

A: all paths

E: exists some path

CTL Vs. LTL

A↔ ∀: for All execution

E↔ ∃: there Exists an execution

X↔©: neXt

G↔ �: Globally

F↔ ♦: FinallyXiaowang Zhang, 2020 (CIC) Computation Tree Logic Chapter 5 9 / 33

Outline





Syntax of CTL

Definition (CTL Formulae)

ψ := a (Atomic formula)a ∈ AP| ¬φ (Negation)| φ1 ∧ φ2 (Conjunction)| φ1 ∨ φ2 (Disjunction)| φ1 → φ2 (Implication)| AXφ (All successors)| EXφ (Some successors)| AFφ (Somewhere, along all paths)| EFφ (Somewhere, along some path)| AGφ (Everywhere, along all paths)| EGφ (Everywhere, along some path)| A[φ1Uψ2] (Until, along all paths)| E[φ1Uφ2] (Until, along some path)


LTL Semantics

Let M = (S ,−→, L) be a Kripke model and s ∈ S .

Definition (Satisfaction relation �)

M, s � true

M, s � a iff a ∈ L(s)

M, s � ¬φ iff M, s 6� φM, s � φ1 ∧ φ2 iff M, s � φ1 and M, s � φ2M, s � φ1 ∨ φ2 iff M, s � φ1 or M, s � φ2M, s � φ1 → φ2 iff M, s 6� φ1 or M, s � φ2


LTL Semantics



M, s � true




LTL Semantics



M, s � true


M, s � ¬φ iff M, s 6� φ

M, s � φ1 ∧ φ2 iff M, s � φ1 and M, s � φ2M, s � φ1 ∨ φ2 iff M, s � φ1 or M, s � φ2M, s � φ1 → φ2 iff M, s 6� φ1 or M, s � φ2


LTL Semantics



M, s � true


M, s � ¬φ iff M, s 6� φM, s � φ1 ∧ φ2 iff M, s � φ1 and M, s � φ2

M, s � φ1 ∨ φ2 iff M, s � φ1 or M, s � φ2M, s � φ1 → φ2 iff M, s 6� φ1 or M, s � φ2


LTL Semantics



M, s � true


M, s � ¬φ iff M, s 6� φM, s � φ1 ∧ φ2 iff M, s � φ1 and M, s � φ2M, s � φ1 ∨ φ2 iff M, s � φ1 or M, s � φ2

M, s � φ1 → φ2 iff M, s 6� φ1 or M, s � φ2


LTL Semantics



M, s � true




LTL Semantics


M, s � AXφ iff ∀ s1, s → s1 implies M, s1 � φ

M, s � EXφ iff ∃ s1, s → s1 implies M, s1 � φ

M, s � AGφ iff ∀ π = s1s2 . . . (s = s1),∀ si ,M, si � φ

M, s � EGφ iff ∃ π = s1s2 . . . (s = s1),∀ si ,M, si � φ

M, s � AFφ iff ∀ π = s1s2 . . . (s = s1),∃ si ,M, si � φ

M, s � EFφ iff ∃ π = s1s2 . . . (s = s1),∃ si ,M, si � φ

M, s � A[φ1Uφ2] iff ∀ π = s1s2 . . . (s = s1), π � φ1Uφ2

M, s � E[φ1Uφ2] iff ∃ π = s1s2 . . . (s = s1), π � φ1Uφ2


LTL Semantics




M, s � AGφ iff ∀ π = s1s2 . . . (s = s1),∀ si ,M, si � φ







LTL Semantics




M, s � AGφ iff ∀ π = s1s2 . . . (s = s1), ∀ si ,M, si � φ







LTL Semantics





M, s � EGφ iff ∃ π = s1s2 . . . (s = s1), ∀ si ,M, si � φ






LTL Semantics






M, s � AFφ iff ∀ π = s1s2 . . . (s = s1), ∃ si ,M, si � φ





LTL Semantics







M, s � EFφ iff ∃ π = s1s2 . . . (s = s1), ∃ si ,M, si � φ




LTL Semantics











LTL Semantics











CTL Semantics: Intuitions


Examples of CTL formula

Example

There is a reachable state satisfying a: this is written EFa.

From all reachable states satisfying a, it is possible to maintain acontinuously until reaching a state satisfying b: AG(a→ E(aUb)).

Whenever a state satisfying a is reached, the system can exhibit bcontinuously forevermore: AG(a→ EGb).

There is a reachable state from which all reachable states satisfy a:EF (AGa).



Example







Example







Example






Expressive Power

LTL and CTL have different expressive powers. The choice between LTLand CTL depends on the application and the personal preferences.

For example, there is no CTL formula that is equivalent to the LTLformula ♦�a.

Likewise, there is no LTL formula that is equivalent to the CTLformula AG(EFa).

The disjunction ♦�a ∨ AG(EFa) is a CTL∗ formula that is notexpressible in either CTL or LTL.


Expressive Power






Expressive Power






Expressive Power






Expressive Power

There is no CTL formula that is equivalent to the LTL formula ♦�a.

M, s0 �LTL ♦�a, but M, s0 6�CTL AF(AGa)


Expressive Power

There is no CTL formula that is equivalent to the LTL formula ♦�a.

M, s0 �LTL ♦�a, but M, s0 6�CTL AF(AGa)


Expressive Power

There is no LTL formula that is equivalent to the CTL formula AG(EFa).

This is shown by contradiction: assume ϕ ≡ AG(EFa). let:

M |= AG(EF a), and thus, by assumption, M |= ϕ.

Paths(M ′) ⊆ Paths(M). Thus M ′ |= ϕ.

But M ′ 6|= AG(EFa) as path sw 6|= G(EFa).


Equivalence Between CTL Formula

Definition (Equivalence)

Two CTL formulas φ and ϕ are said to be semantically equivalent if anystate in any model which satisfies one of them also satisfies the other; wedenote this by φ ≡ ϕ.

Example

¬AFφ ≡ EG¬φ;

¬EFφ ≡ AG¬φ;

¬AXφ ≡ EX¬φ;

AFφ ≡ A[trueUφ];

EFφ ≡ E[trueUφ].


Adequate sets of CTL connectives

There are eight basic CTL operators:

AX and EX;

AF and EF;

AG and EG;

AU and EU.


Adequate sets of CTL connectives

Each of ten basic CTL operators can be expressed in terms of threeoperators EX, EG, and EU.

AXφ ≡ ¬EX(¬φ);EFφ ≡ E(trueUφ);

AGφ ≡ ¬EF(¬φ);AFφ ≡ ¬EG(¬φ);A[φUψ] ≡ ¬E[(¬φU(¬φ ∧ ¬ψ)] ∧ ¬EG¬ψ;

A[φWψ] ≡ ¬E(¬φU¬ψ);E[φWψ] ≡ ¬A(¬φU¬ψ).


Outline





CTL model checking

INPUT: a model M = (S ,−→, L) and a CTL formula φ.OUTPUT: the set of states of M which satisfy φ.

First, we convert φ with the adequate sets of CTL connectives (i.e.,¬, ∨, EX, EU, EG).

Next, label the states of M with the subformulas of φ that aresatisfied there, starting with the smallest subformulas and workingoutwards towards φ.

Suppose ψ is a subformula of φ and states satisfying all theimmediate subformulas of ψ have already been labelled. Wedetermine by a case analysis which states to label with ψ.


CTL model checking

If ψ

false: then no states are labelled with false.

a: then label s with a if a ∈ L(s).

ψ1 ∧ψ2: label s with ψ1 ∧ψ2 if s is already labelled both with ψ1 andwith ψ2.

¬ψ1: label s with ψ1 if s is not already labelled with ψ1.

EXψ1: label any state with EXψ1 if one of its successors is labelledwith ψ1.


CTL model checking

If ψ is E(ψ1Uψ2):

If any state s is labelled with ψ2, label it with E(ψ1Uψ2).

Repeat: label any state with E(ψ1Uψ2) if it is labelled with ψ1 and atleast one of its successors is labelled with E(ψ1Uψ2), until there is nochange. This step is illustrated in the following figure:


CTL model checking

If ψ is EG(ψ1):

Label all the states with EGψ1.

If any state s is not labelled with ψ1, delete the label EGψ1.

Repeat: delete the label EGψ1 from any state if none of its successorsis labelled with EGψ1; until there is no change.


Complexity of CTL Model Checking Algorithm

The complexity of the above mentioned algorithm isO(| f | × | S | ×(| S | × | R |)), where | f | is the number of connectivesin the formula, | S | is the number of states and | R | is the number oftransitions; the algorithm is linear in the size of the formula and quadraticin the size of the model.


A variant which is more efficient

For EX and EU we do as before (but take care to search the model bybackwards breadth-first search, for this ensures that we wont have to passover any node twice). For the EGψ case:

Restrict the graph to states satisfying ψ, i.e., delete all other statesand their transitions;Find the maximal strongly connected components (SCCs); these aremaximal regions of the state space in which every state is linked with(= has a finite path to) every other one in that region.Use backwards breadth-first search on the restricted graph to find anystate that can reach an SCC.

The complexity of this algorithm is O(| f | +(| S | + | R |)), i.e., linearboth in the size of the model and in the size of the formula.


CTL Fairness-Intuition

Consider the dining philosopher problem. It is not very reasonable toassume that “One philosopher keeps eating forever”.

How can we rule out this behavior?

One solution is to use “Fairness Constraints”.

Fairness constraints rule out unrealistic executions


Fairness Constraint

Sets of states (constraint) that must occur infinitely often along acomputation path to be considered

Usually described by a formula of the logic

Fairness constraints restrict the path quantifiers (E and A) to fairpaths

EFφ holds at state s only if there exists a fair path from s along whichφ holds

AGφ holds at s if φ holds in all states reachable from s along fairpaths.

If fairness constraints are interpreted as sets of states, then a fair pathmust contain an element of each fairness constraint infinitely often. Iffairness constraints are interpreted as CTL formulas, then a path is fair ifeach constraint is true infinitely often along the path.


Fairness Constraint

Sets of states (constraint) that must occur infinitely often along acomputation path to be considered

Usually described by a formula of the logic

Fairness constraints restrict the path quantifiers (E and A) to fairpaths

EFφ holds at state s only if there exists a fair path from s along whichφ holds

AGφ holds at s if φ holds in all states reachable from s along fairpaths.

If fairness constraints are interpreted as sets of states, then a fair pathmust contain an element of each fairness constraint infinitely often. Iffairness constraints are interpreted as CTL formulas, then a path is fair ifeach constraint is true infinitely often along the path.


Fairness Constraint in CTL

In CTL fairness constraints cannot be expressed!Solution:

Impose Fairness Constraints on top of the Kripke Model.

We call Fair Computation Paths those paths verifying a fairnessconstraint infinitely often.

We call Fair Kripke Models those models restricted to fair paths.

Definition

Fair Kripke Model Formally, a fair Kripke structure is a 4-tripleM = (S ,R, L,F ), where (S ,R, L) are defined as before and F ⊆ 2S is aset of fairness constraints. Let π = s0s1 . . . be a path in M. Define

inf (π) = {s | s = si for infinitely manyi}.

We say that π is fair if and only if for every P ∈ F , inf (π) ∩ P 6= ∅.


Assignments

Exercise 5.1

Please select at least 1 questions from the following list (see next pages)to answer and send your report to Email: [email protected].

From http://www.win.tue.nl/~andova/education/2IF25/Ex2.pdf


http://www.win.tue.nl/~andova/education/2IF25/Ex2.pdf

Documents

Computation Tree Logic and CTL Model Checking