CTL Model Checking - cs.utexas.edudraju/Verification/ctlml.pdf · CTL Model Checking Prof. P.H. Schmitt Institut fur Theoretische Informatik¨ Fakultät f ür Informatik Universität

CTL Model Checking

Prof. P.H. Schmitt

Institut fur Theoretische InformatikFakultat fur InformatikUniversitat Karlsruhe (TH)

Formal Systems II

Prof. P.H. Schmitt CTLMC Summer 2009 1 / 26

Fixed Point Theory


Fixed Points DefinitionDefinition

Let f : P(G) → P(G) be a set valued function and Z a subset of G.

1. Z is called a fixed point of f if f(Z) = Z .

2. Z is called the least fixed point of f is Z is a fixed point and for allother fixed points U of f the relation Z ⊆ U is true.

3. Z is called the greatest fixed point of f is Z is a fixed point and forall other fixed points U of f the relation U ⊆ Z is true.


Finite Fixed Point Lemma

Let G be an arbitrary set, Let P(G) denote the power set of a set G.A function f : P(G) → P(G) is called monotone of for all X, Y ⊆ G

X ⊆ Y ⇒ f(X) ⊆ f(Y )

Let f : P(G) → P(G) be a monotone function on a finite set G.

1. There is a least and a greatest fixed point of f .

2.⋃

n≥1 fn(∅) is the least fixed point of f .

3.⋂

n≥1 fn(G) is the greatest fixed point of f .


Proofof part (2) of the finite fixed point Lemma

Monotonicity of f yields

∅ ⊆ f(∅) ⊆ f2(∅) ⊆ . . . ⊆ fn(∅) ⊆ . . .

Since G is finite there must be an i such that f i(∅) = f i+1(∅).Then Z =

⋃n≥1 fn(∅) = f i(∅) is a fixed point of f :

f(Z) = f(f i(∅)) = f i+1(∅) = f i(∅) = Z

Let U be another fixed point of f .From ∅ ⊆ U be infer by monotonicity of f at first f(∅) ⊆ f(U) = U .By induction on n we conclude fn(∅) ⊆ U for all n.Thus also Z = f i(∅) ⊆ U .


Continuous FunctionsDefinition

A function f : P(G) → P(G) is called

1. ∪-continuous (upward continuous), if for every ascending sequenceM1 ⊆ M2 ⊆ . . . ⊆ Mn ⊆ . . .

f(⋃n≥1

Mn) =⋃n≥1

f(Mn)

2. ∩-continuous (downward continuous) , if for every descendingsequence M1 ⊇ M2 ⊇ . . . ⊇ Mn ⊇ . . .

f(⋂n≥1

Mn) =⋂n≥1

f(Mn)


Fixed Points For Continuous Functions

Letf : P(G) → P(G) be an upward continuous functions andg : P(G) → P(G) a downward continuous function.

The for all M,N ∈ P(G) such that M ⊆ f(M) and g(N) ⊆ N thefollowing is true.

1.⋃

n≥1 fn(M) is the least fixed point of f containing M ,

2.⋂

n≥1 gn(M) is the greatest fixed point of g contained in M .


Proof of (1)

By monotonicity we first obtain

M ⊆ f(M) ⊆ f2(M) ⊆ . . . ⊆ fn(M) ⊆ . . .

Let P =⋃

n≥1 fn(M). This immediately gives M ⊆ P . Furthermore

f(P ) = f(⋃

n≥1 fn(M))=

⋃n≥1 fn+1(M) by continuity

=⋃

n≥1 fn(M) since f(M) ⊆ f2(M)= P

Assume now that Q is another fixed point of f satisfying M ⊆ Q.By Monotonicity and the fixed point property f(M) ⊆ f(Q) = Q andfurthermore for every n ≥ 1 also fn(M) ⊆ Q.Thus we obtain P =

⋃n≥1 fn(M) ⊆ Q


Knaster-Tarski-Fixed-Points Theorem

Let f : P(G) → P(G) be a monotone function. Then

f has a least and a greatest fixed point.

Note, G need not be finite.


ProofFixed Point

Let L = {S ⊆ G | f(S) ⊆ S}, e.g., G ∈ L.Let U =

⋂L. Show f(U) = U !

For all S ∈ L by the property of an intersection: U ⊆ S.By monotonicity and definition of L f(U) ⊆ f(S) ⊆ S.Thus f(U) ⊆

⋂L = U and we have already established half of our claim.

By monotonicity f(U) ⊆ U implies f(f(U)) ⊆ f(U)which yields f(U) ∈ L and futhermore U ⊆ f(U).

We thus have indeed U = f(U).


ProofLeast Fixed Point

Now assume W is another fixed point of f ,i.e., f(W ) = W .This yields W ∈ L= {S ⊆ G | f(S) ⊆ S} andU =

⋂L ⊆ W .

Thus U is the least fixed point of f .

Following the same line of argument one can show that⋃{S ⊆ G | S ⊆ f(S)} is the greatest fixed point of f .


CTL Model Checking

Algorithm


Two Auxiliary Concepts

Let T = (S, R, v) be a transition system and F an CTL formula.The set

τ(F ) = {s ∈ S | s |= F}

is called the characteristic region of F in T .

The universal and existential next step functionsfAX , fEX : P(S) → P(S) are defined by

fAX(Z) = {s ∈ S | for all t with sRt we get t ∈ Z}fEX(Z) = {s ∈ S | there exists a t with sRt and t ∈ Z}


CTL Model Checking Algorithm

Let T = (S, R, v) be a transition system and F an CTL formula. τ(F ) iscomputed by the following high-level recursive algorithm:

1 τ(p) = {s ∈ S | v(s, p) = 1}2 τ(F1 ∧ F2) = τ(F1) ∩ τ)F2)3 τ(F1 ∨ F2) = τ(F1) ∪ τ(F2)4 τ(¬F1) = S \ τ(F1)5 τ(A(F1 U F2)) = lfp[τ(F2) ∪ (τ(F1) ∩ fAX(Z))]6 τ(E(F1 U F2)) = lfp[τ(F2) ∪ (τ(F1) ∩ fEX(Z)]7 τ(AFF1) = lfp[τ(F1) ∪ fAX(Z)]8 τ(EFF1) = lfp[τ(F1) ∪ fEX(Z)]9 τ(EGF1) = gfp[τ(F1) ∩ fEX(Z)]

10 τ(AGF1) = gfp[τ(F1) ∩ fAX(Z)]


Correctness ProofCase 10 AG F1

By definition

τ(AG F1) = {s ∈ S | s ∈ τ(F1) and h ∈ τ(AG F1) for all h with gRh}

Using Definition of the universal next step function:

τ(AG F1) = τ(F1) ∩ fAX(τ(AG F1))

So, τ(AG F1) is a fixed point of the function τ(F1) ∩ fAX(Z).

It remains to see that it is the greatest fixed point.


Correctness ProofCase 10 AG F1 (continued)

Let H be another fixed point, i.e., H = τ(F1) ∩ fAX(H).We need to show H ⊆ τ(AG F1)).Consider g0 ∈ H with the aim of showing that for all n ≥ 0 and all gi

satisfying gi−1Rgi for all 1 ≤ i ≤ n we obtain gn ∈ τ(F1).

Observe H = τ(F1) ∩ fAX(H) ⊆ τ(F1).

Thus it suffices to show for all n ≥ 0 that gn ∈ H.

For n = 0 that is true by assumptions.

Assume gn−1 ∈ H.gn−1 ∈ H ⊆ fAX(H) = {g | for all h with gRh we have h ∈ H}.Thus gn ∈ H.


Correctness ProofCase 6 E(F1 U F2)

By definition

τ(E(F1 U F2)) = {g ∈ S | s |= F2 or s |= F1 andthere exists h with gRh and h |= F2}

Using next step function:

τ(E(F1 U F2)) = τ(F2) ∪ (τ(F1) ∩ fEX(τ(E(F1 U F2)))

Thus τ(E(F1 U F2)) is a fixed point of the function

τ(F2) ∪ (τ(F1) ∩ fEX(Z)).

It remains to show that it is the least fixed point.


Correctness ProofCase 6 E(F1 U F2) (continued)

Consider H ⊆ S with H = τ(F2) ∪ (τ(F1) ∩ fEX(H)).

We need τ(E(F1 U F2)) ⊆ H.

Fix g0 ∈ τ(E(F1 U F2)), try to arrive at g0 ∈ H.

There is an n ∈ N and there are gi for 1 ≤ i ≤ n satisfying

1. giRgi+1 for all 0 ≤ i < n.2. gn ∈ τ(F2).3. gi ∈ τ(F1) for all 0 ≤ i < n.

We set out to prove gn ∈ H by induction on n.n = 0 Since H = τ(F2) ∪ (τ(F1) ∩ fEX(H)) ⊇ τ(F2) and

g0 = gn ∈ τ(F2).n− 1Ã n By induction hypothesis we have g1 ∈ HSince g0 ∈ τ(F1) and g0Rg1 we obtain g0 ∈ (τ(F1) ∩ fEX(H)) ⊆ Hand thus also g0 ∈ H.


CTL Model Checking

Example


Transition System

n1n2

s0

t1n2s1 n1t2 s5

c1n2s2 t1t2

s3

t1t2

s8

n1c2 s6

c1t2s4 t1c2s7


The Task

n1n2

s0

t1n2s1 n1t2 s5

c1n2s2 t1t2

s3

t1t2

s8

n1c2 s6

c1t2s4 t1c2s7

0 1 2 3 4 5 6 7 8

N1 1 0 0 0 0 1 1 0 0

N2 1 1 1 0 0 0 0 0 0

T1 0 1 0 1 0 0 0 1 1

T2 0 0 0 1 1 1 0 0 1

C1 0 0 1 0 1 0 0 0 0

C2 0 0 0 0 0 0 1 1 0

Check if the following the formula is true in state 1.

F = T1 → AFC1 ≡ ¬T1 ∨AFC1


The Set-up

Goal1 |= T1 → AFC1 i.e. 1 |= ¬T1 ∨AFC1

We will present the computations starting with the innermost subformulasfirst, i.e., in the order

τ(T1), τ(C1), τ(¬T1), τ(AFC1), and τ(F ).

This will make it much easier to follow the algorithm, since when arecursice call is started, we know already its result.

In the end we check 1 ∈ τ(F ).


The First Steps

τ(T1) = {1, 3, 7} (1)

τ(C1) = {2, 4} (2)

From which we get easily

τ(¬T1) = {0, 2, 4, 5, 6} (3)


Fixed Point Computation

The next step is to compute τ(AFC1)according to the algorithm this amounts to the computation of the leastfixed point of f(Z) = τ(C1) ∪ fAX(Z) = fAX(Z) ∪ {2, 4}.We thus compute f(∅), f2(∅), . . . fn(∅) till we reach a stationary value,i.e. fn(∅) = fn+1(∅).

f1(∅) = {2, 4}f2(∅) = {2, 3, 4}f3(∅) = {1, 2, 3, 4}f4(∅) = {1, 2, 3, 4, 7}f5(∅) = {1, 2, 3, 4, 7, 8}f6(∅) = {1, 2, 3, 4, 7, 8}

Thus

τ(AFC1) = {1, 2, 3, 4, 7, 8} (4)


End of the Computation

τ(F ) = τ(¬T1) ∪ τ(AFC1) = {0, 1, 2, 3, 4, 5, 6, 7, 8} = S (5)

Since 1 ∈ τ(F ) we conclude

s1 |= F (6)


THE

END


Documents

CTL Model Checking - cs.utexas.edudraju/Verification/ctlml.pdf · CTL Model Checking Prof. P.H. Schmitt Institut fur Theoretische Informatik¨ Fakultät f ür Informatik Universität