1

Computation Tree Logic

(CTL)

2

CTL

Syntax

P - a set of atomic propositions, every pP is a CTL formula.

f, g, CTL formulae, then so are f, fg, EXf, A[fUg], E[fUg]

E, A path quantifiers, X, U, G, F temporal operators

Interpreted over a tree of states:

EXf - f holds in some immediate successor

A[fUg] - every path has a prefix that satisfies [fUg]

3

CTL Model (Kripke model)

M = (S, sI, R, L)

S is a finite set of states, sIS is the initial state

R SS s.t. uS. vS. (u,v)R (total)

L: S 2AP

Example: AP = {p,q,r}

S0

{p,q}

S1

{p}

S2

{q}

4

Example: XR Control Program

opening

closing

closed

Tin&not(open!)

/open,@close opened

open! & not(Tin)

Tin/@close

/@open, stop

Tout,Tin

{@open, stop}

{open!}{Tout,

@open,stop}

{Tout,Tin}

{Tin,open,

@close}

{close!,go}

{Tin,

@close}

Tout @ open,stop

close!/go

Tin&open!

/@close

{Tin,open!,

@close}

5

Computation Tree

The infinite computation tree spanned by a model M=(S,sI,R,L)

root s0=si st is an arc in the tree iff (s,t)R.

A path is: s0,s1,s2,S s.t. i. (si,si+1)R

S0

S1

S2

S0

S1 S2

S0 S1

S1 S2 S0

6

CTL Semantics

w.r.t a given model (S,sI,R,L) and a state sS:

s p iff pL(s)

s f iff not s f

s fg iff s f and s g

s EXf iff s. (s,s)R and s f

s A[fUg] iff for every path (s0, s1,) s.t s0=s,

k0. sk g i. 0ik si f

s E[fUg] iff for some path (s0, s1,) s.t s0=s,

k0. sk g i. 0ik si f

f is satisfiable iff there exists a model (S,sI,R,L) such that sI f

f is valid iff f is satisfiable by every model (S,sI,R,L)

7

Derived Operators

AX(f) EXf f holds at all next states

AF(f) A[true U f] f holds in the future of every path

EF(f) E[true U f] f holds in the future of some path

AG(f) EF(f) every state in every path satisfies f

EG(f) AF(f) for some path every state satisfies f

8

9

A note on temporal wff

Syntax: EXf, A[fUg], E[fUg]

E, A path quantifiers

X, U, G, F temporal operators

Structure of a formula: (path)(temporal)[formula]

E, A path quantifiers

X, U, G, F temporal operators

EF(Gu) is not a wff, only EF(EGu) or EF(AGu)

A(fUg) cannot be derived from E(fUg) since E(fUg) is

not wff (since (fUg) is not wff)

10

Properties Expressed in CTL

Every req is followed by ack (not 1-1): AG(req AF ack)

It is possible to get to a state where started holds but ready does

not hold.

EF(started ready)

From any state it is possible to get to the restart state.

AG EF restart

Processes P,Q are not in their critical section simultaneously

AG((PCQC))

A process that asks to enter the critical section, eventually gets

there

AG(PE AF(PC))

Processes strictly alternate in access to the critical section

AG(Pc A(PcU(Pc A(PcUQc))))

11

Expressing Time in CTL

Assertions:

50 seconds minimal delay between trains.

AG(Tin AXTin AXAXTin AX..AXTin )

It takes a train 6 seconds to arrive at the signal

AG(Tin AX(AX(AX(AX(AX(AX(AtSignal)))))))

however, we could write AG(Tin AX6(AtSignal)

like we did in LTL

50

12

LTL vs. CTL

LTL cannot distinguish behaviors that generate same path, therefore cannot express possibility.

CTL is sensitive to the branching structure

Thus, it is always possible to get tea after inserting a coin

is expressible in CTL: AG(coin EXtea) but not in LTL

A

B

C D

coin

coffee tea

A

B C

coin coin

D E

coffee tea

Different models -

A CTL tree defines

a subset of models

of LTL

Expressivity

Define LTL

satisfied on Kripke

model if satisfied

by every path.

For LTL both generate same paths

13

LTL vs. CTL (II)

satisfies p but not AFAGp. -- no single F state

Similarly,

p q

(pOp)

not expressible in CTL

p ~p p

s0

s1

s2

14

LTL vs. CTL (III)

AGEFp - not expressible in LTL

Suppose A is equivalent to AGEFp

- (a) satisfies AGEFp hence A

- (b)-paths (a)-paths hence (b) satisfies A

- However (b) does not satisfy AGEFp

S:{~p} S':{p} S:{~p}(a) (b)

15

CTL*

Allows any LTL formula to be preceded by A or E.

Exm.

E(p Xq), A(Fq Gp)

CTL* is more powerful then CTL and LTL but

Model checking is PSPACE-complete in size of

formula.

16

Model Checking Problem

CTL Model Checking problem:

Given a program model (S, s0, R, L) and a CTL formula f,

determine if s0 f.

Model-checking Satisfiability

Semantic search: Given, M=(S,s0,R,L), every formula is

identified with the set of states that satisfy the formula

(false, true S). So, given f,

find the set SS of all states in S that satisfy f.

Check if s0S.

17

Model Checking by Semantic Search

Given (S, s0, R,L), and f, find the set SS of all states in S

that satisfy f.

Simple for formulae:

{ s | s p } = { s | pL(s) } -- p atomic

{ s | s fg } = { s | s f } { s | s g }

{ s | s f } = S - { s | s f }

{ s | s EXf } = { s | tS s.t. (s,t)R t f }

The problem arises with A(qUr) and E(qUr).

18

Fix-points

Fix-point: (x)=x

Given a set S, a functional : 2S 2S is:

- monotonic iff PQ [P][Q]

- -continuous iff P1P2 [Pi]=[Pi]

- -continuous iff P1P2 [Pi]=[Pi]

Theorem (Tarski)

Monotonic have least and greatest fix-points:

lfp() = {Z : [Z]=Z},

gfp() = {Z : [Z]=Z},

lfp() = i[], i=0,1, if is also -continuous

gfp() = i[S], i=0,1, if is also -continuous

19

Fix-points of CTL Operators

Lemma: EFf = f EX(Eff) (satisfied by same states)

EFf is a fix-point of [Z] = f EX Z

f EX Z is monotonic, -continuous and -continuous

: lfp(fEXZ) = (f EX false)I

Lemma: EFf is a least fix-point of [Z] = f EX Z

EFf = (f EX false)i

20

Fixpoints of CTL Operators (Clark-Emerson)

computationlfp[Z]

(g (f AX false))iA[fUg]g (fAXZ)

(g (f EX false))iE[fUg]g (fEXZ)

(f AX false)iAFff AXZ

(f EX false)iEFff EXZ

Recall AX(f) EXf

computationgfp[Z]

(f AX true)iAGff AXZ

(f EX true)iEGff EXZ

where iS (S is finite)

21

Example: EFp P

the Kripke model

P

P

P

(false)= p EX false = p

2(false)= p EX p

3(false)= p EX(p EX p)

22

Example: EGy =(y EX true)i

S0:{x,y,z}

S2:{y,z}

S3:{x}

S4:{y} S5:{x,z}

S6:{z} S7:{}

S1:{x,y}

[EG(y)] =

[y] EX[S] = {s0,s1,s2,s4}=E0

[y]EX[E0]= {s0,s1,s2,s4}{s0,s2,s3,s4,s5,s6}= {s0,s2,s4}= E1

[y]EX[E1]= {s0,s1,s2,s4}{s0,s2,s3,s4,s6}= {s0,s2,s4}= E1

23

Example: EF(x=z yz) =((x=z yz) EX false)i

S0:{x,y,z}

S2:{y,z}

S3:{x}

S4:{y} S5:{x,z}

S6:{z} S7:{}

S1:{x,y}

[EF(x=z yz)] =

[(x=z yz)] EX[] = {s4,s5}=E0

[E0] EX[E0]= {s4,s5} {s6}= {s4,s5,s6}= E1

(EX[E1]= {s6,s7})= {s4,s5,s6,s7}= E2

(EX[E2]= {s6,,s7,s5}) = {s4,s5,s6,s7}

24

Model Checking

Algorithm (sketch)

1. Construct A, the set of sub-formulae of f.

2. For i=1,,|f|, label every state sS with the sub-formulae of length i that are satisfied by s.

3. Check if s0 is labeled by f.

At stage i the algorithm employs the information gathered

in earlier stages (in particular path formulae look at the

information of the next states).

25

Model Checking Algorithm

Given M=(S, s0, R, L), and a CTL formula f

for j=0 to length(f)

for each sub-formula g of f of length j

case (-- structure of g)

p: nothing (-- S is already labeled with propositions)

qr: sS: if qL(s) and rL(s) then add qr to L(s)

q: sS: if qL(s) then add q to L(s)

EXq: sS: if t s.t. (s,t)R and qL(t) then add EXq to L(s)

A(qUr): AU-check(q, r)

E(qUr): EU-check(q, r)

if fL(s0) then output=true, else output=false.

26

AU-check (q, r)

for each sS, if rL(s) then add A(qUr) to L(s)

for j=1 to |S|

for each sS,

if qL(s) and A(qUr)L(t) for all t s.t. (s,t)R

then add A(qUr) to L(s)

EU-check (q, r)

for each sS, if rL(s) then add E(qUr) to L(s)

for j=1 to |S|

for each sS,

if qL(s) and E(qUr) to L(t) for some t s.t. (s,t)R

then add E(qUr) to L(s)

Complexity: O(|||S|2)

Checking state satisfiability fro A(qUr), E(qUr)

Fairness Assumption

Strong fairness: a transition that is enabled i.o. is taken i.o

- LTL: ( ) - - private case, =True

Weak fairness: a transition that is continuously enabled is taken i.o

- LTL: ( )

Rule out traces that are unrealistic or provide for unfair service (starvation).

(T_Red &P_Green)

& (P_Red &T_Green)

Fairness assumptions are not in CTL

T_Red,

P_Red

T_Green,

P_Red

T_Red,

P_Green

Fair Semantics for CTL

Strong Fairness constraint:Sfair = i(i i) j(j j), i, i, j, j, CTL formulae.

For a model M= (S, sI, R, L) and sS:

FairPaths(s) = {Paths(s) | Sfair }

Fair semantics w.r.t. Sfair

s F p iff sp

s F f iff not sF f

s F fg iff sF f and sF g

s F Exf iff s. (s,s)R and s f FairPaths(s),

s F E[pUq] iff exists =(s0, s1,) s.t s0=s, FairPaths(s),

k0. sk q i. 0ik si p

s F A[pUq] iff for every =(s0, s1,) s.t s0=s, FairPaths(s),

k0. sk q i. 0ik si p

Model Checking under Farness Constraints

How to check: FairPaths(s) ?

Observation: FairPaths(s) iff j0 jFairPaths(j)

Hence, redefine fair semantic:

s F p iff sp

s F f iff not sF f

s F fg iff sF f and sF g

s F Exf iff s. (s,s)R and s f FairPaths(s)

s F A[fUg] iff for every path (s0, s1,) s.t s0=s,

k0. sk g i. 0ik si f

FairPaths(sk)

s F E[fUg] iff for some path (s0, s1,) s.t s0=s,

k0. sk g i. 0ik si f

FairPaths(sk)

Computation of FairPaths(s)

Let: Sfair = ( ) where , are CTL formulae.

Sfair iff k0, nk, s.t. = s0sk-1(sksn)

and: kin. si or kjn. sj

Computation of FairPaths(s) w.r.t. Sfair = ( )

For a model M= (S, sI, R, L):

Let a, b, fair be new fresh variables

Compute Sat()={sS | s} then sSat(). L(s):=L(s){a}

Compute Sat()={sS | s} then sSat(). L(s):=L(s){b}

Decompose M into a graph of maximal SCCs.

For each SCC, if for all states sSCC, aL(s), or otherwise there

exists a state sSCC s.t. bL(s), mark the SCC as fair

For each sS if there exists a path from s to a fair SCC then

L(s){fair}

Computation of FairPaths(s)

Hence, redefine fair semantic:

s F p iff sp

s F f iff not sF f

s F fg iff sF f and sF g

s F Exf iff s. (s,s)R and s (f fair)

s F A[fUg] iff for every path (s0, s1,) s.t s0=s,

k0. sk g i. 0ik si (f fair)

s F E[fUg] iff for some path (s0, s1,) s.t s0=s,

k0. sk g i. 0ik si (f fair)

Thus, fair model checking requires pre-processing of the

model that extends the states labeling, then normal model

checking algorithm

Complexity

For a model with N states and M transitions and a CTL

formula f and a CTL fairness constraint, still linear time:

O(|f|(N +M)).

In the general case, with k fairness constraints, the

labeling must be carried out separately for each

constraint and the final labeling is the conjunction of the

separate labeling. The complexity is then O(|f|(N +M)k)

33

RTCTL

A(qUkr) - at all paths r holds within k t.u. and q

holds at all states until then.

E(qUkr) - at some path r holds within k t.u. and q

holds at all states until then.

Semantics (fixed rate progress approach):

s0 A(qUkr) iff for every path ( s0, s1,)

i. 0ik si r j. 0ji sj q

s0 E(qUkr) iff exists path ( s0, s1,) and

i0. 0ik si r j. 0ji sj q

34

Model Checking Algorithm for RTCTL

Given M=(S, s0, R, L), and a CTL formula f

for j=0 to length(f)

for each sub-formula g of f of length j

case (structure of g)

p: ..

qr: ..

q: ..

EXq: ..

A(qUr): ..

A(qUkr): AU-check(min(k,|S|), q, r)

E(qUr): ..

E(qUkr): EU-check(min(k,|S|), q, r)

if fL(s0) then output=true, else output=false.

35

AU-check (max_len, q, r) -- max_len= min(k,|S|)

for each sS, if rL(s) then add A(qU0r) to L(s)

for len=1 to max_len

for each sS,

if qL(s) and for every t such that (s,t)R

there is jlen-1 s.t. A(qUjr)L(t)

then add A(qUlenr) to L(s)

for each sS,

if A(qUjr)L(s) for some jmax_len

then replace by A(qUmax_lenr) to L(s)

A(qUkr):

Note jk

36

EU-check (max_len, q, r) -- max_len= min(k,|S|)

for each sS, if rL(s) then add E(qU0r) to L(s)

for len=1 to max_len

for each sS,

if qL(s) and

E(qUlen-1r) L(t) for some t such that (s,t)R

then add E(qUlenr) to L(s)

for each sS,

if E(qUjr) L(s) for some jmax_len

then replace by E(qUmax_lenr) to L(s)

E(qUkr):

37

RTCTL (II)

In order to express fixed delays, we need:

A(qUkr) - at all paths r holds at k t.u. and q holds

at all states until then.

E(qUkr) - at some path r holds at k t.u. and q

holds at all states until then.

Semantics (fixed rate progress approach):

s0 A(qUkr) iff for every path ( s0, s1,)

sk r j. 0jk sj q

s0 E(qUkr) iff exists path ( s0, s1,) and

sk r j. 0jk sj q

Model checking same idea as for k

38

Railroad Crossing in Real-Time CTL

Assertions:

50 seconds minimal delay between trains.

AG(Tin EF50Tin)

It takes a train 6 seconds to arrive at the signal

AG(Tin AF6AtSignal)

Train exits XR within 15 to 25 seconds.

AG(((Twait AX(Twait)) AX(AtSignal Twait))

AG16 Tout AF26Tout )

Requirements:

Train at the signal is allowed to continue within 10 seconds.

AG(AtSignal AF5(Twait))

The gate is open whenever the crossing is empty for more than

10 seconds.

AG(E(Tcr0U=10Open))

39

Symbolic Model Checking

Symbolic representation with Boolean formulae of:

the model (program)

CTL formula

thus avoiding the state explosion problem.

Model Checking reduces to Boolean formulae manipulation.

The idea: Given a model (S,R,L) over P (set of atomic propositions),

Represent every state sS by a Boolean formula over P that is

satisfied exactly by L(s)

Represents R in terms of the Boolean formulas corresponding to

source and destination states.

40

Program Representation - Example I

S p

S p

R (p p) (p p) (p p)

(p p) p (p p)

p (p p)

(p p) (p p)

(p p)

S S'

p

41

S0 (v0 v1), S1 v0 v1,

S2 v0 v1, S3 v0 v1

R (v0' v0) (v1 (v0 v1))

S0 S1

v0v

0

v1

S2

v1

S3

v0,v

1

Program Representation - Example II

42

CTL Symbolic Representation

pP , f, fg, are Boolean formulae.

We show Boolean representation for: EXf, A[fUg], E[fUg]

EXf

Let v1,,vnP be the atomic propositions in f, then:

(v1,,vn).f = (a1,,an){0,1}n f(a1,,an)

Then, EXf is represented by the formula

(v1',,vn').(Rf(v1',,vn') )

S S'p

EXp = p'. Rf(p)

= p'. (pp')p'

= p'. (pp')

= (pfalse) (ptrue) = p

43

EX(v0 v1)

= (v0', v1'). R(v0' v1')

= (v0', v1'). (v0 v1 v0' v1')

= (v1').(v0 v1 false v1') (v0 v1 true v1')

= (v1'). (v0 v1 v1')

= (v0v1false) (v0v1true)

= (v0v1)

S0 S1

v0v

0

v1

S2

v1

S3

v0,v

1

44

CTL Operators Representation

For other CTL operators use their fixed point representation

in terms of EX.

S S'

p

Example: computation of EFp

- recall EFp = i(false) where (y)= p EXy

1(false) = p EXfalse = p

2(false) = (p) = pEXp = pp'.(pp')p' = true

3(false) = (true) = pEXtrue = true

45

Computation of EF(v0 v1)

1(false) = (v0 v1) EXfalse = (v0 v1)

2(false) = (v0 v1) = (v0 v1)EX(v0 v1)

= (v0 v1)(v0 v1) = v1

3(false) = (v1) = (v0 v1)EXv1 = (v0 v1)

3(false) = (v0 v1) = (v0 v1)EX(v0 v1) = true

S0 S1

v0v

0

v1

S2

v1

S3

v0,v

1

46

Symbolic Model Checking Algorithm

eval(f)

{ Case (f)

p : return p

g: return eval(g)

gh: return eval(g)eval(h)

EXg: return v'.(Rp')

E(gUh): return evalEU(eval(g),eval(h),false))

EGg: return evalEG(eval(g),true) }

evalEU(p,q,y) { y'=q (p evalEX(y))

if y'=y then return y else return evalEU(p.q.y') }

evalEG(p,y) { y'=(p evalEX(y))

if y'=y then return y else return evalEG(p.y') |

47

Binary Decision Diagrams (BDD)

Graphical representation of Boolean formulae obtained

from ordered decision trees.

a

b b

c c

d d d d d d dd

cc

Ordered Decision Tree of a b c d

48

BDD Derivation

Apply in bottom-up manner:

Combine isomorphic sub-trees into a single tree

Eliminate nodes whose left and right children are

isomorphic

Linear time

Size of resulting graph depends on variable ordering

49

Example - Step 1: node elimination

a

b b

c c

d

0 1

d

0 1

d

0 1

d0 1

d

0 1

d

0 1

d

0 1

d

0 1

cc

0 1 1 1 10 0 0

0

0 0

1

11

0 0 0 0 0 0 0 0 01 1 1 1 1 1 1

50

a

b b

c

d

0 1

d

0,1

d

0,1

c

0 1 0,1

0

0,1

0

1

1

0 0 1 1

Example - Step 1: isomorphic trees

51

a

b

c

d

0 1

0 1

0

0

1

1

0

0 1

1

Example - Step 1: Final BDD

52

Properties of BDDs

Canonical representation of formulae, enables simple

comparison.

Logical operators: , , , EX are computed w.r.t.

BDD quadratic time.