1 Computation Tree Logic (CTL)
2 CTL Syntax P - a set of atomic propositions, every p P is a CTL formula. f, g, CTL formulae, then so are f, f g, EXf, A[fUg], E[fUg] E, A – path quantifiers, X, U, G, F – temporal operators Interpreted over a tree of states: EXf - f holds in some immediate successor A[fUg] - every path has a prefix that satisfies [fUg]
3 CTL Model (Kripke Structure) M = (S, s I, R, L) S is a finite set of states, s I S is the initial state R S S s.t. u S. v S. (u,v) R (total) L: S 2 AP Example: AP = {p,q,r}
4 Example: XR Control Program
5 Computation Tree The infinite computation tree spanned by a model M=(S,s I,R,L) root s 0 =s i s t is an arc in the tree iff (s,t) R. A path is: s 0,s 1,s 2,… S s.t. i. (s i,s i+1 ) R
6 CTL Semantics w.r.t a given model (S,s I,R,L) and a state s S: s p iff p L(s) s f iff not s f s f g iff s f and s g s Exf iff s’. (s,s’) R and s’ f s A[fUg] iff for every path (s 0, s 1,…) s.t s 0 =s, k 0. s k g i. 0 i k s i f s E[fUg] iff for some path (s 0, s 1,…) s.t s 0 =s, k 0. s k g i. 0 i k s i f f is satisfiable iff there exists a model (S,s I,R,L) such that s I f f is valid iff f is satisfiable by every model (S,s I,R,L)
7 Derived Operators AX(f) EX f f holds at all next states AF(f) A[true U f] f holds in the future of every path EF(f) E[true U f] f holds in the future of some path AG(f) EF( f) every state in every path satisfies f EG(f) AF( f) for some path every state satisfies f
8 Example: Explicit semantics of EGf s EGf s AF f s A(trueU f) (s A(trueU f)) ( (s 0, s 1,…) s.t s 0 =s, i 0. s i f j. 0 j i s j true ( (s 0, s 1,…) s.t s 0 =s, i 0. s i f (s 0, s 1,…) s.t s 0 =s, i 0. (s i f) (s 0, s 1,…) s.t s 0 =s, i 0.(s i f)
9
10 A note on temporal wff Syntax: EXf, A[fUg], E[fUg] E, A – path quantifiers X, U, G, F – temporal operators Structure of a formula: (path)(temporal)[formula] E, A – path quantifiers X, U, G, F – temporal operators EF(Gu) is not a wff, only EF(EGu) or EF(AGu) A(fUg) cannot be derived from E(fUg) since E (fUg) is not wff (since (fUg) is not wff)
11 Properties Expressed in CTL Every req is followed by ack (not 1-1): AG(req AF ack) It is possible to get to a state where started holds but ready does not hold. EF(started ready) From any state it is possible to get to the restart state. AG EF restart Processes P,Q are not in their critical section simultaneously AG( (PC QC)) A process that asks to enter the critical section, eventually gets there AG(PE AF(PC)) Processes strictly alternate in access to the critical section AG(Pc A(PcU( Pc A( PcUQc))))
12 Expressing Time in CTL Assertions: 50 seconds minimal delay between trains. AG(Tin AX Tin AXAX Tin … AX..AX Tin ) It takes a train 6 seconds to arrive at the signal AG(Tin AX(AX(AX(AX(AX(AX(AtSignal))))))) however, we could write AG(Tin AX 6 (AtSignal) like we did in LTL 50
13 LTL vs. CTL LTL cannot distinguish behaviors that generate same path, therefore cannot express ‘possibility’. CTL is sensitive to the branching structure Thus, “it is always possible to get tea after inserting a coin” is expressible in CTL: AG(coin EXtea) but not in LTL Different models - A CTL tree defines a subset of models of LTL Expressivity – Define LTL satisfied on Kripke model if satisfied by every path.
14 LTL vs. CTL (II) satisfies p but not AFAGp. -- no single F state Similarly, – p q – (p Op) not expressible in CTL
15 LTL vs. CTL (III) AGEFp - not expressible in LTL Suppose A is equivalent to AGEFp - (a) satisfies AGEFp hence A - (b)-path(s) (a)-paths hence (b) satisfies A - However (b) does not satisfy AGEFp
16 CTL* Allows any LTL formula to be preceded by A or E. Exm. E(p Xq), A(Fq Gp) CTL* is more powerful then CTL and LTL but Model checking is PSPACE-complete in size of formula.
17 Model Checking Problem Model Checking problem: Given a program model (S, s 0, R, L) and a CTL formula f, determine if s 0 f. Model-checking Satisfiability Semantic search: Given (S, s 0, R,L), and f, find the set S’ S of all states in S that satisfy f. Check if s 0 S’.
18 Model Checking by Semantic Search Given (S, s 0, R,L), and f, find the set S’ S of all states in S that satisfy f. Check if s 0 S’. Simple for formulae: { s | s p } = { s | p L(s) } -- p atomic { s | s f g } = { s | s f } { s | s g } { s | s f } = S - { s | s f } { s | s EXf } = { s | t S s.t. (s,t) R t f } The problem arises with A(qUr) and E(qUr).
19 Fix-points Fix-point: (x)=x Given a set S, a functional : 2 S 2 S is: - monotonic iff P Q [P] [Q] - -continuous iff P1 P2 … [ Pi]= [Pi] - -continuous iff P1 P2 … [ Pi]= [Pi] Theorem (Tarski) Monotonic have least and greatest fix-points: lfp( ) = {Z : [Z]=Z}, gfp( ) = {Z : [Z]=Z}, lfp( ) = i [ ], i=0,1,… if is also -continuous gfp( ) = i [S], i=0,1,… if is also -continuous
20 Proof Example If is monotonic and -continuous then lfp( [Z]) = i [ ], i=0,1,… Proof: i [ ] is non-decreasing: [ ], and if i [ ] i+1 [ ] then i+1 [ ] i+2 [ ] since is monotonic. i [ ] is a fix-point since is -continuous: ( i [ ])= ( i [ ]) = i+1 [ ]= i [ ] least fix-point: for every i, i [ ] lfp( ); again by induction on i: - lfp( ), - i [ ] lfp( ) i+1 [ ]= ( i [ ]) (lfp( ))=lfp( )
21 Fix-points of CTL Operators Given, M=(S,s 0,R,L), every formula is identified with the set of states that satisfy the formula (false , true S). Lemma: EFf = f EXEFf (satisfied by same states) Suppose s 0 EFf. Then by definition there is a path s 0,s 1,s 2,… in M s.t. for some k s k f. If k=0 then s 0 f. Otherwise s 1 EFf and s 0 EXEFf. Thus, EFf f EXEFf. Similarly, if s 0 f EXEFf then s 0 f or s 0 EXEFf. In either case s 0 EFf and f EXEFf EFf. Therefore, EFf= f EXEFf. EFf is a fix-point of [Z] = f EX Z
22 Lemma: The functional f EX Z is monotonic Assume p q, we show that EXp EXq. By def. s EXp iff there exists t S s.t. (s,t) R and t p. But also t q (since p q) hence also s EXq. Hence, if p q then: { s | s f EXp } = { s | s f } { s | s EXp } { s | s f } { s | s EXq } = { s | s f EXq } f EX Z is monotonic, -continuous and -continuous Lemma: f EX Z is -continuous and -continuous In fact true for every monotonic functional on finite set: P1 P2 … Pm has a maximum Pm= Pi. Also, [Pi]= [Pm] (monotonic), hence [Pi]= [ Pi].) lfp(f EXZ) = (f EX false) i
23 Lemma: EFf is a least fixpoint of [Z]=f EXZ Suppose p is a fixpoint of . Then, p = f EXp. Hence, { s | s p } = { s | s f EXp } = { s | s f } { s | s EXp } Therefore: f p and EXp p Hence, p is closed under R -1 namely p contains all of its predecessors. Therefore, no path beginning in a non p- state can reach a p-state. Since f p it follows that EFf p (if s EFf then s starts a path that reaches f, therefore reaches p, therefore s is a p- state). Therefore, EFf is contained in any fixpoint of . EFf = (f EX false) i
24 Fixpoints of CTL Operators (Clark-Emerson) lfp [Z] A[fUg] g (f AXZ) E[fUg] g (f EXZ) AFf f AXZ EFf f EXZ [Z] gfp f AXZ AGf f EXZ EGf Recall AX(f) EX f
25 CTL Operators Computations EFf = (f EX false) i EGf = (f EX true) i -- gfp E[fUg] = (g (f EX false)) i A[fUg] = (g (f AX false)) i where i S (S is finite)
26 Example: EFp (false)= p EX false = p 2 (false)= p EX p 3 (false)= p EX(p EX p)
27 Example: EGy = (y EX true) i S0:{x,y,z} S2:{y,z} S3:{x} S4:{y} S5:{x,z} S6:{z}S7:{} S1:{x,y} [EG(y)] = [y] EX[S] = {s0,s1,s2,s4}=E 0 [y] EX[E 0 ]= {s0,s1,s2,s4} {s0,s2,s3,s4,s5,s6}= {s0,s2,s4}= E 1 [y] EX[E 1 ]= {s0,s1,s2,s4} {s0,s2,s3,s4,s6}= {s0,s2,s4}= E 1
28 Example: EF(x=z y z) = ((x=z y z) EX false) i S0:{x,y,z} S2:{y,z} S3:{x} S4:{y} S5:{x,z} S6:{z}S7:{} S1:{x,y} [EF(x=z y z)] = [(x=z y z)] EX[ ] = {s4,s5}=E 0 [E 0 ] EX[E 0 ]= {s4,s5} {s6}= {s4,s5,s6}= E 1 (EX[E 1 ]= {s6,s7})= {s4,s5,s6,s7}= E 2 (EX[E 2 ]= {s6,,s7,s5}) = {s4,s5,s6,s7}
29 Model Checking Algorithm (sketch) 1.Construct A, the set of sub-formulae of f. 2.For i=1,…,|f|, label every state s S with the sub-formulae of length i that are satisfied by s. 3.Check if s 0 is labeled by f. At stage i the algorithm employs the information gathered in earlier stages (in particular path formulae look at the information of the next states).
30 Model Checking Algorithm Given M=(S, s 0, R, L), and a CTL formula f for j=0 to length(f) for each sub-formula g of f of length j case (-- structure of g) p:nothing (-- S is already labeled with propositions) q r: s S: if q L(s) and r L(s) then add q r to L(s) q: s S: if q L(s) then add q to L(s) EXq: s S: if t s.t. (s,t) R and q L(t) then add EXq to L(s) A(qUr): AU-check(q, r) E(qUr): EU-check(q, r) if f L(s 0 ) then output=true, else output=false.
31 AU-check (q, r) for each s S, if r L(s) then add A(qUr) to L(s) for j=1 to |S| for each s S, if q L(s) and A(qUr) L(t) for all t s.t. (s,t) R then add A(qUr) to L(s) EU-check (q, r) for each s S, if r L(s) then add E(qUr) to L(s) for j=1 to |S| for each s S, if q L(s) and E(qUr) to L(t) for some t s.t. (s,t) R then add E(qUr) to L(s) Complexity: O(| | |S| 2 ) Checking state satisfiability fro A(qUr), E(qUr)
Fairness Assumption Strong fairness: a transition that is enabled i.o. is taken i.o - LTL: ( ) - - private case, =True Weak fairness: a transition that is continuously enabled is taken i.o - LTL: ( ) Rule out traces that are unrealistic or provide for unfair service (starvation). (T_Red &P_Green) & (P_Red &T_Green) Fairness assumptions are not in CTL
Fair Semantics for CTL Strong Fairness constraint: Sfair = i ( i i ) j ( j j ), i, i, j, j, CTL formulae. For a model M= (S, s I, R, L) and s S: FairPaths(s) = { Paths(s) | Sfair } Fair semantics w.r.t. Sfair s F p iff s p s F f iff not s F f s F f g iff s F f and s F g s F Exf iff s’. (s,s’) R and s’ f FairPaths(s), s F E[pUq] iff exists =(s 0, s 1,…) s.t s 0 =s, FairPaths(s), k 0. s k q i. 0 i k s i p s F A[pUq] iff for every =(s 0, s 1,…) s.t s 0 =s, FairPaths(s), k 0. s k q i. 0 i k s i p
Model Checking under Farness Constraints How to check: FairPaths(s) ? Observation: FairPaths(s) iff j 0 j FairPaths( j ) Hence, redefine fair semantic: s F p iff s p s F f iff not s F f s F f g iff s F f and s F g s F Exf iff s’. (s,s’) R and s’ f FairPaths(s’) s F A[fUg] iff for every path (s 0, s 1,…) s.t s 0 =s, k 0. s k g i. 0 i k s i f FairPaths(s k ) s F E[fUg] iff for some path (s 0, s 1,…) s.t s 0 =s, k 0. s k g i. 0 i k s i f FairPaths(s k )
Computation of FairPaths(s) Let: Sfair = ( ) where , are CTL formulae. Sfair iff k 0, n k, s.t. = s 0 …s k-1 (s k …s n ) and: k i n. s i or k j n. s j Computation of FairPaths(s) w.r.t. Sfair = ( ) For a model M= (S, s I, R, L): Let a, b, fair be new fresh variables Compute Sat( )={s S | s } then s Sat( ). L(s):=L(s) {a} Compute Sat( )={s S | s } then s Sat( ). L(s):=L(s) {b} Decompose M into a graph of maximal SCCs. For each SCC, if for all states s SCC, a L(s), or otherwise there exists a state s’ SCC s.t. b L(s’), mark the SCC as fair For each s S if there exists a path from s to a fair SCC then L(s) {fair}
Computation of FairPaths(s) Hence, redefine fair semantic: s F p iff s p s F f iff not s F f s F f g iff s F f and s F g s F Exf iff s’. (s,s’) R and s’ (f fair) s F A[fUg] iff for every path (s 0, s 1,…) s.t s 0 =s, k 0. s k g i. 0 i k s i (f fair) s F E[fUg] iff for some path (s 0, s 1,…) s.t s 0 =s, k 0. s k g i. 0 i k s i (f fair) Thus, ‘fair’ model checking requires pre-processing of the model that extends the states labeling, then normal model checking algorithm
Complexity For a model with N states and M transitions and a CTL formula f and a CTL fairness constraint, still linear time: O(|f|·(N +M)). In the general case, with k fairness constraints, the labeling must be carried out separately for each constraint and the final labeling is the conjunction of the separate labeling. The complexity is then O(|f|·(N +M)·k)
38 RTCTL A(qU k r) - at all paths r holds within k t.u. and q holds at all states until then. E(qU k r) - at some path r holds within k t.u. and q holds at all states until then. Semantics (fixed rate progress approach): s 0 A(qU k r) iff for every path ( s 0, s 1,…) i. 0 i k s i r j. 0 j i s j q s 0 E(qU k r) iff exists path ( s 0, s 1,…) and i 0. 0 i k s i r j. 0 j i s j q
39 Model Checking Algorithm for RTCTL Given M=(S, s 0, R, L), and a CTL formula f for j=0 to length(f) for each sub-formula g of f of length j case (structure of g) p: ….. q r: ….. q: ….. EXq:….. A(qUr): ….. A(qU k r): AU-check(min(k,|S|), q, r) E(qUr): ….. E(qU k r): EU-check(min(k,|S|), q, r) if f L(s 0 ) then output=true, else output=false.
40 AU-check (max_len, q, r) -- max_len= min(k,|S|) for each s S, if r L(s) then add A(qU 0 r) to L(s) for len=1 to max_len for each s S, if q L(s) and for every t such that (s,t) R there is j len-1 s.t. A(qU j r) L(t) then add A(qU len r) to L(s) for each s S, if A(qU j r) L(s) for some j max_len then replace by A(qU max_len r) to L(s) A(qU k r):
41 EU-check (max_len, q, r) -- max_len= min(k,|S|) for each s S, if r L(s) then add E(qU 0 r) to L(s) for len=1 to max_len for each s S, if q L(s) and E(qU len-1 r) L(t) for some t such that (s,t) R then add E(qU len r) to L(s) for each s S, if E(qU j r) L(s) for some j max_len then replace by E(qU max_len r) to L(s) E(qU k r):
42 RTCTL (II) In order to express fixed delays, we need: A(qU k r) - at all paths r holds at k t.u. and q holds at all states until then. E(qU k r) - at some path r holds at k t.u. and q holds at all states until then. Semantics (fixed rate progress approach): s 0 A(qU k r) iff for every path ( s 0, s 1,…) s k r j. 0 j k s j q s 0 E(qU k r) iff exists path ( s 0, s 1,…) and s k r j. 0 j k s j q Model checking same idea as for k
43 Railroad Crossing in Real-Time CTL Assertions: 50 seconds minimal delay between trains. AG(Tin EF 50 Tin) It takes a train 6 seconds to arrive at the signal AG(Tin AF 6 AtSignal) Train exits XR within 15 to 25 seconds. AG(((Twait AX( Twait)) AX(AtSignal Twait)) AG 16 Tout AF 26 Tout ) Requirements: Train at the signal is allowed to continue within 10 seconds. AG(AtSignal AF 5 ( Twait)) The gate is open whenever the crossing is empty for more than 10 seconds. AG( E(Tcr0U =10 Open))
44 Symbolic Model Checking Symbolic representation with Boolean formulae of: the model (program) CTL formula thus avoiding the state explosion problem. Model Checking reduces to Boolean formulae manipulation. The idea: Given a model (S,R,L) over P (set of atomic propositions), Represent every state s S by a Boolean formula over P that is satisfied exactly by L(s) Represents R in terms of the Boolean formulas corresponding to source and destination states.
45 Program Representation - Example I S p S’ p R ( p p’) (p p’) (p p’) ( p p) p’ (p p’) p’ (p p’) (p’ p) (p’ p’) (p p’)
46 S0 (v 0 v 1 ), S1 v 0 v 1, S2 v 0 v 1, S3 v 0 v 1 R (v 0 ' v 0 ) (v 1 ’ (v 0 v 1 )) Program Representation - Example II
47 CTL Symbolic Representation p P, f, f g, are Boolean formulae. We show Boolean representation for: EXf, A[fUg], E[fUg] EXf Let v 1,…,v n P be the atomic propositions in f, then: (v 1,…,v n ).f = (a 1,…,a n ) {0,1} n f(a 1,…,a n ) Then, EXf is represented by the formula (v 1 ',…,v n ').(R f’(v 1 ',…,v n ') ) EX p = p'. R f(p‘) = p'. (p p') p' = p'. (p p') = (p false) (p true) = p
48 EX(v 0 v 1 ) = (v 0 ', v 1 '). R (v 0 ' v 1 ') = (v 0 ', v 1 '). ( v 0 v 1 v 0 ' v 1 ') = (v 1 ').( v 0 v 1 false v 1 ') ( v 0 v 1 true v 1 ') = (v 1 '). ( v 0 v 1 v 1 ') = ( v 0 v 1 false) ( v 0 v 1 true) = ( v 0 v 1 )
49 CTL Operators Representation For other CTL operators use their fixed point representation in terms of EX. Example: computation of EFp - recall EFp = i (false) where (y)= p EXy 1 (false) = p EXfalse = p 2 (false) = (p) = p EXp = p p'.(p p') p' = true 3 (false) = (true) = p EXtrue = true
50 Computation of EF(v 0 v 1 ) 1 (false) = (v 0 v 1 ) EXfalse = (v 0 v 1 ) 2 (false) = (v 0 v 1 ) = (v 0 v 1 ) EX(v 0 v 1 ) = (v 0 v 1 ) ( v 0 v 1 ) = v 1 3 (false) = (v 1 ) = (v 0 v 1 ) EXv 1 = (v 0 v 1 ) 3 (false) = (v 0 v 1 ) = (v 0 v 1 ) EX(v 0 v 1 ) = true
51 Symbolic Model Checking Algorithm eval(f) { Case (f) p : return p g: return eval(g) g h: return eval(g) eval(h) EXg: return v'.(R p') E(gUh): return evalEU(eval(g),eval(h),false)) EGg: return evalEG(eval(g),true) } evalEU(p,q,y) { y'=q (p evalEX(y)) if y'=y then return y else return evalEU(p.q.y') } evalEG(p,y) { y'=(p evalEX(y)) if y'=y then return y else return evalEG(p.y') |
52 Binary Decision Diagrams (BDD) Graphical representation of Boolean formulae obtained from ordered decision trees. Ordered Decision Tree of a b c d
53 BDD Derivation Apply in bottom-up manner: Combine isomorphic sub-trees into a single tree Eliminate nodes whose left and right children are isomorphic –Linear time –Size of resulting graph depends on variable ordering
54 Example - Step 1: node elimination
55 Example - Step 1: isomorphic trees
56 Example - Step 1: Final BDD
57 Properties of BDDs Canonical representation of formulae, enables simple comparison. Logical operators: , , , EX are computed w.r.t. BDD quadratic time.