Lecture 8 1
Model checking CTL
CS 5270 Lecture 8
Today…
• Summary, operations on zones
• Preliminaries to MC
  – Automata and TS, Büchi Automaton
  – Extensional and Intensional logics
  – Kripke structure
• CTL-
  – Syntax
  – Semantics
  – Algorithm for MC
The Reductions…
(Figure: the chain of reductions TS → TTS → TATTS → QTS/RTS)
– TS → TTS (TTS semantics): both the set of states and the set of actions are infinite.
– TTS → TATTS (time abstraction): finite set of actions but infinite set of states.
– TATTS → QTS/RTS (regions; quotient via bisimulation of finite index): both states and actions are finite sets.
QTS – encodings
• RTS – (Regional TS):
• Zones/DBM – efficient:
Operations on Zones
• Intersection of two zones…
Operations on Zones
• Time elapsed zone…
Operations on Zones
• Reset operation on y…
Operations on Zones
• Past operation?…
Automaton = TS + accepting states
• Finite automaton: (Q, Σ, Δ, q0, F)
  – Q – finite number of states
  – Σ – the alphabet (correspond to actions)
  – Δ: Q × Σ → Q – a transition function
  – q0 – the start state
  – F ⊆ Q – the set of accepting states
• The language accepted by such an automaton can be related to reachability questions – “Does a run lead to a desired accepting state?”
Büchi Automaton
• Finite automaton: (Q,Σ,Δ,q0,F)
• But … interpret F differently, so that the automaton accepts an input sequence if an infinite run visits states in F infinitely many times.
• Use this for liveness in non-terminating systems - “there is a measurement not followed by a recording”.
Extensional and intensional logic
• Please answer YES or NO: Will the next answer you give me be NO?
• You are either going to die in a bomb raid or you are not…
• Extensional logic means that you can determine the truth of a formula from the truth values of its parts.
• Intensional/modal logic refers to QUALIFIED truth (words like could, eventually, possibly and so on).
Modal logic
• Operators:
  – □ – necessity
  – ◊ – possibility
• With propositional variables, and connectives (¬, ∧, ∨)
• TEMPORAL logic is a particular modal logic, with operators related to TIME, so that (for example) □p means that the propositional variable p must hold in all the following (later) states.
Propositional variables?
• The resource arbiter: each process is idle, waiting, or using the resource: i1, i2, w1, w2, u1, u2
Propositional variables?
• Label each state with the properties true in that state:
Temporal logics
• Common to use letter notation:
  – X φ – φ holds in the next state
  – G φ – φ holds in all following states
  – F φ – φ eventually holds somewhere
  – φ U ψ – φ holds until ψ holds
  – φ R ψ – ψ holds up to the point where φ holds (if φ ever holds)
• Path quantification
  – A – for all paths
  – E – there exists a path
Linear vs branching time
Linear time: The set of all runs: { 010101010…, 010232323…, … }
Branching time: (figure: the transition system unfolded into a tree of runs)
LTL versus CTL
• LTL and CTL are both subsets of CTL*
• LTL – Linear Temporal Logic
  – A modal, linear-time temporal logic (spin)
• CTL – Computation Tree Logic
  – A modal, branching-time temporal logic (smv)
  – All temporal operators are preceded by a path quantifier (A or E)
Example CTL
• EX p - For (at least) one path, p holds in the next state
• A(p U q) – For all paths, p holds until q holds
• E(p U q) – For one path, p holds until q holds
CTL and CTL-
• CTL has two quantifiers, and five temporal operators, giving a total of 10 CTL temporal formulæ types.
• However, all ten can be written in terms of the three just given: EX, AU and EU.
• For simplicity we only consider this subset, called here CTL-.
Example CTL: EX(w1)
Example CTL: E(i2 U w2)
Kripke structure
• Intensional semantics for modal systems
• Def: A Kripke structure over a set of atomic propositions AP is the 4-tuple (S, Δ, AP, L)
  – S – finite set of states
  – Δ ⊆ S × S – a total transition relation
  – AP – a finite set of atomic propositions
  – L: S → 2^AP – a labelling function which labels each state with the atomic propositions true in that state
Kripke structure
• In model-checking, called a CTL-model, or just a model:
Unfolded Kripke structure
CTL- syntax
Given p ∈ AP, p is a CTL- formula, and if φ1 and φ2 are CTL- formulæ then each of the following is also a CTL- formula:
¬φ1
φ1 ∧ φ2
φ1 ∨ φ2
EX( φ1 )
A( φ1 U φ2 )
E( φ1 U φ2 )
Semantics of CTL
• Expressed in terms of a model, and the modelling relation ⊨ which links a model, a state and a property.
• M,s ⊨ P means that (CTL) property P holds in (or is satisfied in) state s for a given model M
Semantics of CTL
(Figure: a three-state model with states s0, s1, s2, actions on/off, and AP = {B, G, R})
M,s0 ⊨ EX(R) ?   M,s1 ⊨ EX(R) ?   M,s2 ⊨ EX(G) ?
Note that the actions are not needed…
M,s2 ⊨ E( u2 U w1 ) ???
M,s2 ⊨ A( u2 U w1 ) ???
M,s2 ⊨ A( u2 U i2 ) ???
(Inductive) definition of ⊨
M,s ⊨ p           iff  p ∈ L(s)
M,s ⊨ ¬φ1         iff  not ( M,s ⊨ φ1 )
M,s ⊨ φ1 ∧ φ2     iff  M,s ⊨ φ1 and M,s ⊨ φ2
M,s ⊨ φ1 ∨ φ2     iff  M,s ⊨ φ1 or M,s ⊨ φ2
M,s ⊨ EX( φ1 )    iff  there is an s’ with Δ(s,s’) and M,s’ ⊨ φ1
                       (i.e. s has a successor at which φ1 holds)
M,s ⊨ EX( p )
(Inductive) definition of ⊨
• A path p from s is a state sequence s = s0, s1, s2, … such that si → si+1 (Δ(si, si+1)) for every i. p(i) is si, the ith element of p.
M,s ⊨ A( φ1 U φ2 )  iff  for every path p from s, for some j, M,p(j) ⊨ φ2, and for all i<j, M,p(i) ⊨ φ1.
M,s ⊨ E( φ1 U φ2 )  iff  for one path p from s, for some j, M,p(j) ⊨ φ2, and for all i<j, M,p(i) ⊨ φ1.
M,s ⊨ A( p U q )
M,s ⊨ E( p U q )
Model checking CTL
The sat algorithm for CTL
• Traverses a CTL model, and …
  – returns a set of states that …
  – satisfy a property expressed in CTL
• We then see if our state s is in this set…
Assuming AP is the set of atomic propositions, and S the set of states, then…
The sat algorithm for CTL
set_of_states sat( property ) =
  if property ∈ AP then { s | property ∈ L(s) }
  else case property of
    true      : S
    false     : {}
    ¬φ        : S – sat(φ)
    φ1 ∧ φ2   : sat(φ1) ∩ sat(φ2)
    φ1 ∨ φ2   : sat(φ1) ∪ sat(φ2)
    EX(φ1)    : { s ∈ S | ∃ s’ ∈ succ(s). s’ ∈ sat(φ1) }
    …
(Note that succ(s) is the set of successors of s)
The sat algorithm for CTL
• To find EU and AU, we use an algorithm which can be expressed as the least fixed point of a function.
• In general, a fixed point for a function g is any z such that z = g(z).
• If it is a continuous function over a CPO, there will be a least fixed point. Now consider this:
A( φ1 U φ2 ) = φ2 ∨ ( φ1 ∧ AX( A( φ1 U φ2 ) ) )
Z = φ2 ∨ ( φ1 ∧ AX( Z ) )
(i.e. a fix-point equation)
The sat algorithm for CTL
• The lfp algorithms for EU and AU iterate over the model, labelling those states which satisfy EU (and AU)
• Not detailed here, but you may want to investigate the algorithms in more detail.
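As an added example (not code from the slides), the sat algorithm for CTL- in Python, with the EU and AU cases computed as least fixed points of the equations above. The resource arbiter Kripke structure it runs on is constructed here (two processes each cycling idle, waiting, using, with mutual exclusion on using) and is not the slides' own diagram; the tuple encoding of formulas is likewise a choice of this example.

```python
from itertools import product

# Constructed model (not the slides' own arbiter diagram): two processes, each
# cycling idle -> waiting -> using -> idle, with mutual exclusion on "using".
PHASES = {"i": "w", "w": "u", "u": "i"}

def arbiter():
    """Kripke structure (S, Delta, AP, L): states are pairs of process phases."""
    S = [(a, b) for a, b in product("iwu", repeat=2) if (a, b) != ("u", "u")]
    delta = set()
    for a, b in S:
        for nxt in ((PHASES[a], b), (a, PHASES[b])):   # one process moves at a time
            if nxt in S:                               # (u, u) is never entered
                delta.add(((a, b), nxt))
    L = {s: {s[0] + "1", s[1] + "2"} for s in S}       # ("u","w") -> {"u1","w2"}
    return S, delta, L

def succ(delta, s):
    """The set of successors of s under Delta (non-empty, since Delta is total)."""
    return {t for (u, t) in delta if u == s}

def sat(model, phi):
    """Set of states satisfying phi.  Formulas are nested tuples:
    ("p", name) | ("not", f) | ("and", f, g) | ("or", f, g) |
    ("EX", f) | ("EU", f, g) | ("AU", f, g)."""
    S, delta, L = model
    op = phi[0]
    if op == "p":
        return {s for s in S if phi[1] in L[s]}
    if op == "not":
        return set(S) - sat(model, phi[1])
    if op == "and":
        return sat(model, phi[1]) & sat(model, phi[2])
    if op == "or":
        return sat(model, phi[1]) | sat(model, phi[2])
    if op == "EX":
        f = sat(model, phi[1])
        return {s for s in S if succ(delta, s) & f}
    # EU / AU: least fixed point of Z = g or (f and EX Z), resp. Z = g or (f and AX Z)
    f, g = sat(model, phi[1]), sat(model, phi[2])
    Z = set(g)                     # start from the bottom of the lattice
    while True:
        if op == "EU":
            step = {s for s in f if succ(delta, s) & Z}    # some successor in Z
        else:
            step = {s for s in f if succ(delta, s) <= Z}   # all successors in Z
        if step <= Z:
            return Z               # no new states: least fixed point reached
        Z |= step
```

Running `sat(arbiter(), ("EU", ("p", "i2"), ("and", ("p", "u1"), ("p", "w2"))))` labels, in three iterations, the four states from which a path exists that stays in i2 until u1 ∧ w2 holds.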
M,s2 ⊨ E( i2 U ( u1 ∧ w2 ) ) ???
sat( E( i2 U ( u1 ∧ w2 ) ) )
φ2 ∨ ( φ1 ∧ EX( E( φ1 U φ2 ) ) )
(Figure: four slides showing successive iterations of the fixed-point computation on the arbiter model)
M,s2 ⊨ E( i2 U ( u1 ∧ w2 ) ) ???
Fixed point…
Summary: Model checking CTL