Model checking CTL - PowerPoint PPT Presentation


1
Model checking CTL
  • CS 5270 Lecture 8

2
Today
  • Summary, operations on zones
  • Preliminaries to MC
  • Automata and TS, Büchi Automaton
  • Extensional and Intensional logics
  • Kripke structure
  • CTL-
  • Syntax
  • Semantics
  • Algorithm for MC

3
The Reductions (diagram)
  • TS / TTS, semantics: both the set of states and the set of actions are infinite.
  • TA / TTS, time abstraction: finite set of actions but infinite set of states.
  • QTS / RTS, regions (quotient via bisimulation of finite index): both states and actions are finite sets.
4
The Reductions
5
QTS encodings
  • RTS (Regional TS)
  • Zones/DBM (efficient)

6
Operations on Zones
  • Intersection of two zones

7
Operations on Zones
  • Time elapsed zone

8
Operations on Zones
  • Reset operation on y

9
Operations on Zones
  • Past operation?
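The three zone operations named on slides 6 to 8 (intersection, time elapse, reset), as an added Python example that is not part of the lecture: zones are encoded as DBMs (difference bound matrices), and the example assumes non-strict bounds only, so each matrix entry is a plain number rather than a (bound, strictness) pair.

```python
# Added example (not from the lecture slides): zones as DBMs with the
# operations of slides 6-8.  Assumed simplification: only non-strict bounds
# (<=), so an entry is a plain number and INF means "unconstrained".
# Index 0 is the reference clock x0 = 0; D[i][j] = c encodes x_i - x_j <= c.
INF = float("inf")

def canonical(D):
    # Floyd-Warshall over the constraint graph: every entry becomes the
    # tightest bound implied by the others, so bounds(...) reads off exact values.
    n = len(D)
    D = [row[:] for row in D]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if D[i][k] + D[k][j] < D[i][j]:
                    D[i][j] = D[i][k] + D[k][j]
    return D

def intersect(D1, D2):
    # Intersection of two zones: keep the tighter of each pair of bounds.
    return canonical([[min(a, b) for a, b in zip(r1, r2)]
                      for r1, r2 in zip(D1, D2)])

def up(D):
    # Time elapse: all clocks grow together, so the upper bounds x_i - x0 <= c
    # (column 0) disappear while differences between clocks are preserved.
    D = [row[:] for row in D]
    for i in range(1, len(D)):
        D[i][0] = INF
    return canonical(D)

def reset(D, y):
    # Reset y := 0: y now equals the reference clock, so copy x0's row and
    # column into y's row and column, then re-tighten.
    D = [row[:] for row in D]
    for j in range(len(D)):
        D[y][j] = D[0][j]
        D[j][y] = D[j][0]
    return canonical(D)

def bounds(D, i):
    # Interval [lower, upper] of clock i, read off a canonical DBM.
    return (-D[0][i], D[i][0])

# Constructed zones over clocks x (index 1) and y (index 2).
Z1 = canonical([[0, -1, 0], [3, 0, INF], [2, INF, 0]])   # 1 <= x <= 3, 0 <= y <= 2
Z2 = canonical([[0, 0, 0], [2, 0, INF], [INF, INF, 0]])  # 0 <= x <= 2, y >= 0
```

Canonicalisation is what makes the diagonal entries meaningful: from Z1 it derives y - x <= 1 and x - y <= 3 even though neither was stated.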

10
Today
  • Summary, operations on zones
  • Preliminaries to MC
  • Automata and TS, Büchi Automaton
  • Extensional and Intensional logics
  • Kripke structure
  • CTL-
  • Syntax
  • Semantics
  • Algorithm for MC

11
Automaton = TS + accepting states
  • Finite automaton (Q, Σ, δ, q0, F)
  • Q - finite set of states
  • Σ - the alphabet (corresponds to actions)
  • δ : Q × Σ → Q - a transition function
  • q0 - the start state
  • F ⊆ Q - the set of accepting states
  • The language accepted by such an automaton can be
    related to reachability questions: does a run
    lead to a desired accepting state?

12
Büchi Automaton
  • Finite automaton (Q, Σ, δ, q0, F)
  • But interpret F differently, so that the
    automaton accepts an input sequence if an
    infinite run visits states in F infinitely many
    times.
  • Use this for liveness in non-terminating systems,
    e.g. there is a measurement not followed by a
    recording.

13
Extensional and intensional logic
  • Please answer YES or NO: will the next answer you
    give me be NO?
  • You are either going to die in a bomb raid or you
    are not.
  • Extensional logic means that you can determine
    the truth of a formula from the truth values of
    its parts.
  • Intensional/modal logic refers to QUALIFIED truth
    (words like could, eventually, possibly and so
    on).

14
Modal logic
  • Operators
  • □ - necessity
  • ◇ - possibility
  • With propositional variables, and connectives
    (¬, ∧, ∨)
  • TEMPORAL logic is a particular modal logic, with
    operators related to TIME, so that (for example)
    □ p means that propositional variable p must hold
    in all the following (later) states.

15
Propositional variables?
  • The resource arbiter: each process is idle,
    waiting, or using the resource: i1, i2, w1, w2, u1, u2

16
Propositional variables?
  • Label each state with properties true in that
    state

17
Temporal logics
  • Common to use letter notation
  • X φ - φ holds in the next state
  • G φ - φ holds in all following states
  • F φ - eventually φ holds somewhere
  • φ U ψ - φ holds until ψ holds
  • φ R ψ - ψ holds up to the point where φ holds (if φ ever holds)
  • Path quantification
  • A - for all paths
  • E - there exists a path

18
Linear vs branching time (diagram)
  • Linear time: the set of all runs, e.g. 010101010..., 010232323...
  • Branching time: the transition system
19
LTL versus CTL
  • LTL and CTL are both subsets of CTL*
  • LTL - Linear Temporal Logic
  • A modal, linear-time temporal logic (spin)
  • CTL - Computation Tree Logic
  • A modal, branching-time temporal logic (smv)
  • All temporal operators are preceded by a path
    quantifier (A or E)

20
Example CTL
  • EX p - for (at least) one path, p holds in the
    next state
  • A(p U q) - for all paths, p holds until q holds
  • E(p U q) - for one path, p holds until q holds

21
CTL and CTL-
  • CTL has two quantifiers and five temporal
    operators, giving a total of 10 CTL temporal
    formula types.
  • However, all ten can be written in terms of the
    three just given: EX, AU and EU.
  • For simplicity we only consider this subset,
    called here CTL-.

22
Example CTL: EX(w1)
23
Example CTL: E(i2 U w2)
24
Kripke structure
  • Intensional semantics for modal systems
  • Def: A Kripke structure over a set of atomic
    propositions AP is the 4-tuple (S, →, AP, L)
  • S - finite set of states
  • → ⊆ S × S - a total transition relation
  • AP - a finite set of atomic propositions
  • L : S → 2^AP - a labelling function which labels
    each state with the atomic propositions true in that state

25
Kripke structure
  • In model-checking, called a CTL-model, or just a
    model

26
Unfolded Kripke structure
27
Today
  • Summary, operations on zones
  • Preliminaries to MC
  • Automata and TS, Büchi Automaton
  • Extensional and Intensional logics
  • Kripke structure
  • CTL-
  • Syntax
  • Semantics
  • Algorithm for MC

28
CTL- syntax
  • Given p ∈ AP, p is a CTL- formula, and if φ1 and φ2
    are CTL- formulæ then each of the following is
    also a CTL- formula:
  • ¬φ1
  • φ1 ∧ φ2
  • φ1 ∨ φ2
  • EX( φ1 )
  • A( φ1 U φ2 )
  • E( φ1 U φ2 )

29
Semantics of CTL
  • Expressed in terms of a model, and the modelling
    relation ⊨ which links a model, a state and a
    property.
  • M,s ⊨ P means that (CTL) property P holds in (or
    is satisfied in) state s for a given model M

30
Semantics of CTL (diagram: a model with states s0, s1, s2, transition labels on/off, and AP = {B, G, R})
M,s0 ⊨ EX(R) ?   M,s0 ⊨ EX(¬R) ?
M,s1 ⊨ EX(R) ?   M,s2 ⊨ EX(G) ?
Note that the actions are not needed.
31
M,s2 ⊨ E( u2 U w1 ) ?
32
M,s2 ⊨ A( u2 U w1 ) ?
33
M,s2 ⊨ A( u2 U i2 ) ?
34
(Inductive) definition of ⊨
  • M,s ⊨ p ⇔ p ∈ L(s)
  • M,s ⊨ ¬φ1 ⇔ ¬( M,s ⊨ φ1 )
  • M,s ⊨ φ1 ∧ φ2 ⇔ M,s ⊨ φ1 and M,s ⊨ φ2
  • M,s ⊨ φ1 ∨ φ2 ⇔ M,s ⊨ φ1 or M,s ⊨ φ2
  • M,s ⊨ EX( φ1 ) ⇔ for some s', →(s,s') and M,s' ⊨ φ1
    (i.e. s has a successor at which φ1 holds)

35
M,s ⊨ EX( p )
36
(Inductive) definition of ⊨
  • A path π from s is a state sequence s0 s1 s2 ...
    starting at s such that
  • si → si+1 (→(si, si+1)) for every i.
  • (π(i) is si, the ith element of π)
  • M,s ⊨ A( φ1 U φ2 ) ⇔ for every path π from s, for
    some j, M,π(j) ⊨ φ2, and ∀i<j M,π(i) ⊨ φ1.
  • M,s ⊨ E( φ1 U φ2 ) ⇔ for one path π from s, for
    some j, M,π(j) ⊨ φ2, and ∀i<j M,π(i) ⊨ φ1.

37
M,s ⊨ A( p U q )
38
M,s ⊨ E( p U q )
39
Model checking CTL
40
The sat algorithm for CTL
  • Traverses a CTL model, and
  • returns the set of states that
  • satisfy a property expressed in CTL
  • We then see if our state s is in this set
  • Assuming AP is the set of atomic propositions,
    and S the set of states, then:

41
The sat algorithm for CTL
  • set_of_states sat( property φ )
  • if φ ∈ AP then { s | φ ∈ L(s) }
  • else case φ of
  • true: S
  • false: ∅
  • ¬φ: S \ sat(φ)
  • φ1 ∧ φ2: sat(φ1) ∩ sat(φ2)
  • φ1 ∨ φ2: sat(φ1) ∪ sat(φ2)
  • EX(φ1): { s ∈ S | s→ ∩ sat(φ1) ≠ ∅ }
  • (Note that s→ is
    the set of successors of s)

42
The sat algorithm for CTL
  • To find EU and AU, we use an algorithm which can
    be expressed as the least fixed point of a
    function.
  • In general, a fixed point for a function g is any
    z such that z = g(z).
  • If g is a continuous function over a CPO, there
    will be a least fixed point. Now consider this:
  • A( φ1 U φ2 ) = φ2 ∨ (φ1 ∧ AX( A( φ1 U φ2 )))
  • Z = φ2 ∨ (φ1 ∧ AX( Z ))
  • (i.e. a fix-point equation)

43
The sat algorithm for CTL
  • The lfp algorithms for EU and AU iterate over the
    model, labelling those states which satisfy EU
    (and AU)
  • Not detailed here, but you may want to
    investigate the algorithms in more detail.

44
M,s2 ⊨ E( i2 U ( u1 ? w2 )) ?
45
sat(E( i2 U ( u1 ? w2 )) ): successive iterations of
φ2 ∨ (φ1 ∧ EX( E( φ1 U φ2 ))) (slides 45 to 48 show the steps)
49
M,s2 ⊨ E( i2 U ( u1 ? w2 )) ?
Fixed point
50
Summary: Model checking CTL