Algorithms for CTL B. Srivathsan Chennai Mathematical Institute - - PowerPoint PPT Presentation

Algorithms for CTL

• B. Srivathsan

Chennai Mathematical Institute

Model Checking and Systems Verification January - April 2016

1/22

Module 1: Adequate CTL formulae

2/22

Recap of CTL

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

3/22

Transition system satisfies CTL state formula φ if its computation tree satisfies φ

s0 s1 s3 s2 s3 s2 s3 s3 s2 s3 s2 s3

. . . . . . . . . . . . . . .

s0 s1 s2 s3 {p1} {p2} {p2} {p1,p3} 4/22

A tree satisfies CTL state formula φ if its root satisfies φ

∈

. . . . . . . . . . . . . . .

5/22

A state s in a transition system satisfies a CTL formula φ if the computation tree starting at s satisfies φ

s0 s1 s2 s3 {p1} {p2} {p2} {p1,p3}

6/22

Above transition system satisfies E X red

7/22

Above transition system satisfies E blue U red

8/22

Above transition system satisfies E G red

9/22

Above transition system satisfies E G red It does not satisfy A F blue

9/22

Mutual exclusion

non-crit wait crit exiting y>0:y:=y-1 y:=y+1 non-crit wait crit exiting y>0:y:=y-1 y:=y+1

|||

Atomic propositions AP = { p1,p2,p3,p4 } p1: pr1.location=crit p2: pr1.location=wait p3: pr2.location=crit p4: pr2.location=wait Above system satisfies A G ¬ (p1 ∧ p3)

10/22

Goal of this unit

Design an algorithm: INPUT: A transition system M and a CTL formula φ OUTPUT: Does M satisfy φ?

11/22

Goal of this unit

Design an algorithm: INPUT: A transition system M and a CTL formula φ OUTPUT: Does M satisfy φ? We will answer a more general question: Given M and φ, find all the states of M that satisfy φ

11/22

First step

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Rewrite A in terms of E

12/22

A X ( red ) equivalent to ¬ E X ( ¬ red ) . . . . . . . . . . . . . . .

13/22

A X ( red ) equivalent to ¬ E X ( ¬ red ) . . . . . . . . . . . . . . . A X φ ≡ ¬ E X ¬ φ

13/22

Can we rewrite A (φ U ψ) as ¬ E ¬ (φ U ψ) ?

14/22

Can we rewrite A (φ U ψ) as ¬ E ¬ (φ U ψ) ? No: ¬ E ¬ (φ U ψ) is not a CTL formula

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

14/22

Can we rewrite A (φ U ψ) as ¬ E ¬ (φ U ψ) ? No: ¬ E ¬ (φ U ψ) is not a CTL formula

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

CTL does not allow negation of path formula!

14/22

Coming next: Rewrite A U in terms of E U and E G

15/22

¬ (blue U red)

16/22

¬ (blue U red) ...

16/22

¬ (blue U red) ... G ¬ red

16/22

¬ (blue U red) ... G ¬ red

• r

16/22

¬ (blue U red) ... G ¬ red

• r

...

16/22

¬ (blue U red) ... G ¬ red

• r

... (¬ red) U (¬ blue ∧ ¬ red )

16/22

¬ (blue U red) ... G ¬ red

• r

... (¬ red) U (¬ blue ∧ ¬ red ) ¬ (φ U ψ) ≡ G ¬ ψ ∨ ( ¬ψ U (¬φ ∧ ¬ψ ) )

16/22

A (φ U ψ)

17/22

A (φ U ψ) ≡ ¬ E ¬ (φ U ψ)

17/22

A (φ U ψ) ≡ ¬ E ¬ (φ U ψ)

(Not a CTL formula)

17/22

A (φ U ψ) ≡ ¬ E ¬ (φ U ψ)

(Not a CTL formula)

≡ ¬ ( E G ¬ ψ ∨ E (¬ψ U (¬ψ ∧ ¬ φ)) )

17/22

A (φ U ψ) ≡ ¬ E ¬ (φ U ψ)

(Not a CTL formula)

≡ ¬ ( E G ¬ ψ ∨ E (¬ψ U (¬ψ ∧ ¬ φ)) )

(A CTL formula!)

17/22

A G ( red ) equivalent to ¬ E F ( ¬ red ) . . . . . . . . . . . . . . .

18/22

A F ( red ) equivalent to ¬ E G ( ¬ red ) . . . . . . . . . . . . . . .

19/22

First step

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Rewrite A in terms of E

20/22

First step

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Rewrite A in terms of E Done!

20/22

All CTL formulas can be written in terms of E X , E U , E G and E F

21/22

All CTL formulas can be written in terms of E X , E U , E G and E F Moreover E F φ ≡ E ( true U φ )

21/22

All CTL formulas can be written in terms of E X , E U , E G and E F Moreover E F φ ≡ E ( true U φ ) E X, E U and E G are adequate to describe all CTL formulas

21/22

Existential Normal Form (ENF) for CTL

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ | E X φ | E (φ1 U φ2) | E G φ pi ∈ AP φ,φ1,φ2 : State formulae

22/22

Existential Normal Form (ENF) for CTL

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ | E X φ | E (φ1 U φ2) | E G φ pi ∈ AP φ,φ1,φ2 : State formulae

Theorem For every CTL formula there exists an equivalent CTL formula in ENF

22/22

Module 2: EX, EU and EG

2/16

CTL model-checking problem

Given transition system M and a CTL formula φ, find all states of M that satisfy φ

3/16

CTL model-checking problem

Given transition system M and a CTL formula φ, find all states of M that satisfy φ In this unit: Special case when φ is either E X, E U or E G

3/16

Part 1:

Algorithm for E X

4/16

E X (p1 ∧ p2)

s1 s2 s3 s4 s5 { } {p1,p2} {p2} {p1,p2} {p1}

5/16

E X (p1 ∧ p2)

s1 s2 s3 s4 s5 { } {p1,p2} {p2} {p1,p2} {p1} p1 ∧ p2 p1 ∧ p2

5/16

E X (p1 ∧ p2)

s1 s2 s3 s4 s5 { } {p1,p2} {p2} {p1,p2} {p1} p1 ∧ p2 p1 ∧ p2 E X (p1 ∧ p2)

5/16

E X (p1 ∧ p2)

s1 s2 s3 s4 s5 { } {p1,p2} {p2} {p1,p2} {p1} p1 ∧ p2 p1 ∧ p2 E X (p1 ∧ p2) E X (p1 ∧ p2)

5/16

E X (p1 ∧ p2)

s1 s2 s3 s4 s5 { } {p1,p2} {p2} {p1,p2} {p1} p1 ∧ p2 p1 ∧ p2 E X (p1 ∧ p2) E X (p1 ∧ p2) E X (p1 ∧ p2)

5/16

E X (p1 ∧ ¬p2)

s1 s2 s3 s4 {} {p2} {p1,p2} {p1}

6/16

E X (p1 ∧ ¬p2)

s1 s2 s3 s4 {} {p2} {p1,p2} {p1} p1 ∧ ¬p2

6/16

E X (p1 ∧ ¬p2)

s1 s2 s3 s4 {} {p2} {p1,p2} {p1} p1 ∧ ¬p2 E X (p1 ∧ ¬p2)

6/16

E X (p1 ∧ ¬p2)

s1 s2 s3 s4 {} {p2} {p1,p2} {p1} p1 ∧ ¬p2 E X (p1 ∧ ¬p2) E X (p1 ∧ ¬p2)

6/16

E X (p1 ∧ ¬p2)

s1 s2 s3 s4 {} {p2} {p1,p2} {p1} p1 ∧ ¬p2 E X (p1 ∧ ¬p2) E X (p1 ∧ ¬p2) E X (p1 ∧ ¬p2)

6/16

Algorithm for E X φ

s

7/16

Algorithm for E X φ

s φ Suppose states satisfying φ have been labelled

7/16

Algorithm for E X φ

s φ E X φ Suppose states satisfying φ have been labelled State s is labelled with E X φ if there exists a successor which is labelled φ

7/16

Part 2:

Algorithm for E U

8/16

E (p1 U p2)

s1 s2 s3 s4 s5 s6 {p1} { } {p1} {p1} {p2} {p1}

9/16

E (p1 U p2)

s1 s2 s3 s4 s5 s6 {p1} { } {p1} {p1} {p2} {p1} E p1 U p2

9/16

E (p1 U p2)

s1 s2 s3 s4 s5 s6 {p1} { } {p1} {p1} {p2} {p1} E p1 U p2 E p1 U p2 E p1 U p2

9/16

E (p1 U p2)

s1 s2 s3 s4 s5 s6 {p1} { } {p1} {p1} {p2} {p1} E p1 U p2 E p1 U p2 E p1 U p2 E p1 U p2

9/16

E (p1 U p2)

s1 s2 s3 s4 s5 s6 {p1} { } {p1} {p1} {p2} {p1} E p1 U p2 E p1 U p2 E p1 U p2 E p1 U p2 E p1 U p2

9/16

E (¬ p1 U ¬ p2)

s1 s2 s3 s4 s5 s6 {p2} {p2} { } {p2} {p1} {p1}

10/16

E (¬ p1 U ¬ p2)

s1 s2 s3 s4 s5 s6 {p2} {p2} { } {p2} {p1} {p1} ¬p1 ¬p1 ¬p2 ¬p1,¬p2 ¬p2 ¬p1

10/16

E (¬ p1 U ¬ p2)

s1 s2 s3 s4 s5 s6 {p2} {p2} { } {p2} {p1} {p1} ¬p1 ¬p1 ¬p2 ¬p1,¬p2 ¬p2 ¬p1 E (¬p1 U ¬p2) E (¬p1 U ¬p2) E (¬p1 U ¬p2)

10/16

E (¬ p1 U ¬ p2)

s1 s2 s3 s4 s5 s6 {p2} {p2} { } {p2} {p1} {p1} ¬p1 ¬p1 ¬p2 ¬p1,¬p2 ¬p2 ¬p1 E (¬p1 U ¬p2) E (¬p1 U ¬p2) E (¬p1 U ¬p2) E (¬p1 U ¬p2) E (¬p1 U ¬p2)

10/16

E (¬ p1 U ¬ p2)

s1 s2 s3 s4 s5 s6 {p2} {p2} { } {p2} {p1} {p1} ¬p1 ¬p1 ¬p2 ¬p1,¬p2 ¬p2 ¬p1 E (¬p1 U ¬p2) E (¬p1 U ¬p2) E (¬p1 U ¬p2) E (¬p1 U ¬p2) E (¬p1 U ¬p2) E (¬p1 U ¬p2)

10/16

Algorithm for E (φ1 U φ2)

s

… If any state is labelled with φ2, label it with E (φ1 U φ2) … Repeat:

Label any state with E (φ1 U φ2) if it is labelled with φ1 and at least

• ne successor is labelled with E (φ1 U φ2)

until no change

11/16

Algorithm for E (φ1 U φ2)

s

E (φ1 U φ2) φ1 … If any state is labelled with φ2, label it with E (φ1 U φ2) … Repeat:

Label any state with E (φ1 U φ2) if it is labelled with φ1 and at least

• ne successor is labelled with E (φ1 U φ2)

until no change

11/16

Algorithm for E (φ1 U φ2)

s

E (φ1 U φ2) φ1 E (φ1 U φ2) … If any state is labelled with φ2, label it with E (φ1 U φ2) … Repeat:

Label any state with E (φ1 U φ2) if it is labelled with φ1 and at least

• ne successor is labelled with E (φ1 U φ2)

until no change

11/16

Part 3:

Algorithm for E G

12/16

E G p1

s1 s2 s3 s4 s5 s6 s7 s8 {p1} {p1} {p1} { } {p1} {p1} {p1} { }

13/16

E G p1

s1 s2 s3 s4 s5 s6 s7 s8 {p1} {p1} {p1} { } {p1} {p1} {p1} { } E G p1 E G p1 E G p1 E G p1 E G p1 E G p1 E G p1 E G p1

13/16

E G p1

s1 s2 s3 s4 s5 s6 s7 s8 {p1} {p1} {p1} { } {p1} {p1} {p1} { } E G p1 E G p1 E G p1 E G p1 E G p1 E G p1

13/16

E G p1

s1 s2 s3 s4 s5 s6 s7 s8 {p1} {p1} {p1} { } {p1} {p1} {p1} { } E G p1 E G p1 E G p1 E G p1 E G p1

13/16

E G p1

s1 s2 s3 s4 s5 s6 s7 s8 {p1} {p1} {p1} { } {p1} {p1} {p1} { } E G p1 E G p1 E G p1

13/16

E G p1

s1 s2 s3 s4 s5 s6 s7 s8 {p1} {p1} {p1} { } {p1} {p1} {p1} { } E G p1

13/16

E G p1

s1 s2 s3 s4 s5 s6 s7 s8 {p1} {p1} {p1} { } {p1} {p1} {p1} { }

13/16

E G p1

s1 s2 s3 s4 s5 s6 s7 s8 {p1} {p1} {p1} { } {p1} {p1} {p1} { } No state of the above transition system satisfies E G p1

13/16

E G p1

s1 s2 s3 s4 s5 s6 {p1} {p2} {p1} {p1} { } {p1}

14/16

E G p1

s1 s2 s3 s4 s5 s6 {p1} {p2} {p1} {p1} { } {p1} E G p1 E G p1 E G p1 E G p1 E G p1 E G p1

14/16

E G p1

s1 s2 s3 s4 s5 s6 {p1} {p2} {p1} {p1} { } {p1} E G p1 E G p1 E G p1 E G p1

14/16

E G p1

s1 s2 s3 s4 s5 s6 {p1} {p2} {p1} {p1} { } {p1} E G p1 E G p1 E G p1

14/16

Algorithm for E G φ

15/16

Algorithm for E G φ

… Label all states with E G φ

15/16

Algorithm for E G φ

… Label all states with E G φ … If any state is not labelled with φ, delete the label E G φ

15/16

Algorithm for E G φ

… Label all states with E G φ … If any state is not labelled with φ, delete the label E G φ … Repeat:

Delete the label E G φ from a state if none of its successors is labelled with E G φ until no change

15/16

Algorithm for E G φ

… Label all states with E G φ … If any state is not labelled with φ, delete the label E G φ

s

E G φ E G φ E G φ E G φ … Repeat:

Delete the label E G φ from a state if none of its successors is labelled with E G φ until no change

15/16

Algorithm for E G φ

… Label all states with E G φ … If any state is not labelled with φ, delete the label E G φ

s

E G φ … Repeat:

Delete the label E G φ from a state if none of its successors is labelled with E G φ until no change

15/16

Algorithm for E G φ

… Label all states with E G φ … If any state is not labelled with φ, delete the label E G φ

s

… Repeat:

Delete the label E G φ from a state if none of its successors is labelled with E G φ until no change

15/16

Summary

Algorithms

EX, EU, EG

16/16

Module 3: Final algorithm

2/8

CTL model-checking problem

Given transition system M and a CTL formula φ, find all states of M that satisfy φ

3/8

CTL model-checking problem

Given transition system M and a CTL formula φ, find all states of M that satisfy φ

… Module 1: Every CTL formula can be written using EX, EU, EG … Module 2: Labelling algorithms for EX, EU, EG

3/8

Coming next: Generic algorithm for a CTL formula

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ | E X φ | E (φ1 U φ2) | E G φ pi ∈ AP φ,φ1,φ2 : State formulae

4/8

E X E G (p1 ∧ p2)

s0 s1 s2 s3 s4 s5 s6 s7 {p1} {p1,p2} {p1,p2} {p1,p2} {p1,p2} {p2} {p1,p2} {p1,p2}

5/8

E X E G (p1 ∧ p2)

s0 s1 s2 s3 s4 s5 s6 s7 {p1} {p1,p2} {p1,p2} {p1,p2} {p1,p2} {p2} {p1,p2} {p1,p2}

p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2

5/8

E X E G (p1 ∧ p2)

s0 s1 s2 s3 s4 s5 s6 s7 {p1} {p1,p2} {p1,p2} {p1,p2} {p1,p2} {p2} {p1,p2} {p1,p2}

p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2)

5/8

E X E G (p1 ∧ p2)

s0 s1 s2 s3 s4 s5 s6 s7 {p1} {p1,p2} {p1,p2} {p1,p2} {p1,p2} {p2} {p1,p2} {p1,p2}

p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2)

5/8

E X E G (p1 ∧ p2)

s0 s1 s2 s3 s4 s5 s6 s7 {p1} {p1,p2} {p1,p2} {p1,p2} {p1,p2} {p2} {p1,p2} {p1,p2}

p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2)

5/8

E X E G (p1 ∧ p2)

s0 s1 s2 s3 s4 s5 s6 s7 {p1} {p1,p2} {p1,p2} {p1,p2} {p1,p2} {p2} {p1,p2} {p1,p2}

p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2)

5/8

E X E G (p1 ∧ p2)

s0 s1 s2 s3 s4 s5 s6 s7 {p1} {p1,p2} {p1,p2} {p1,p2} {p1,p2} {p2} {p1,p2} {p1,p2}

p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 p1 ∧ p2 E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E G (p1 ∧ p2) E X E G (p1 ∧ p2) E X E G (p1 ∧ p2) E X E G (p1 ∧ p2) E X E G (p1 ∧ p2) E X E G (p1 ∧ p2)

5/8

E p1 U (E G p2)

s1 s2 s3 s4 s5 s6 {p1} {p1} {p1} {p2} {p2} {p2}

6/8

E p1 U (E G p2)

s1 s2 s3 s4 s5 s6 {p1} {p1} {p1} {p2} {p2} {p2}

E G p2 E G p2 E G p2 E G p2 E G p2 E G p2

6/8

E p1 U (E G p2)

s1 s2 s3 s4 s5 s6 {p1} {p1} {p1} {p2} {p2} {p2}

E G p2 E G p2 E G p2

6/8

E p1 U (E G p2)

s1 s2 s3 s4 s5 s6 {p1} {p1} {p1} {p2} {p2} {p2}

E G p2 E G p2

6/8

E p1 U (E G p2)

s1 s2 s3 s4 s5 s6 {p1} {p1} {p1} {p2} {p2} {p2}

E G p2

6/8

E p1 U (E G p2)

s1 s2 s3 s4 s5 s6 {p1} {p1} {p1} {p2} {p2} {p2}

E G p2

E p1 U (E G p2) 6/8

E p1 U (E G p2)

s1 s2 s3 s4 s5 s6 {p1} {p1} {p1} {p2} {p2} {p2}

E G p2

E p1 U (E G p2) E p1 U (E G p2) 6/8

E p1 U (E G p2)

s1 s2 s3 s4 s5 s6 {p1} {p1} {p1} {p2} {p2} {p2}

E G p2

E p1 U (E G p2) E p1 U (E G p2) E p1 U (E G p2) 6/8

E p1 U (E G p2)

s1 s2 s3 s4 s5 s6 {p1} {p1} {p1} {p2} {p2} {p2}

E G p2

E p1 U (E G p2) E p1 U (E G p2) E p1 U (E G p2) E p1 U (E G p2) 6/8

function SAT(φ)

/* Input: Transition system M with state set S, CTL formula φ in ENF */ /* Output: Set of states satisfying φ */

end function

7/8

function SAT(φ)

/* Input: Transition system M with state set S, CTL formula φ in ENF */ /* Output: Set of states satisfying φ */

case end case end function

7/8

function SAT(φ)

/* Input: Transition system M with state set S, CTL formula φ in ENF */ /* Output: Set of states satisfying φ */

case φ is true : return S end case end function

7/8

function SAT(φ)

/* Input: Transition system M with state set S, CTL formula φ in ENF */ /* Output: Set of states satisfying φ */

case φ is true : return S φ is pi : return {states containing pi } end case end function

7/8

function SAT(φ)

/* Input: Transition system M with state set S, CTL formula φ in ENF */ /* Output: Set of states satisfying φ */

case φ is true : return S φ is pi : return {states containing pi } φ is φ1 ∧ φ2 : return SAT(φ1) ∩ SAT(φ2) end case end function

7/8

function SAT(φ)

/* Input: Transition system M with state set S, CTL formula φ in ENF */ /* Output: Set of states satisfying φ */

case φ is true : return S φ is pi : return {states containing pi } φ is ¬φ1 : return S − SAT(φ1) φ is φ1 ∧ φ2 : return SAT(φ1) ∩ SAT(φ2) end case end function

7/8

function SAT(φ)

/* Input: Transition system M with state set S, CTL formula φ in ENF */ /* Output: Set of states satisfying φ */

case φ is true : return S φ is pi : return {states containing pi } φ is ¬φ1 : return S − SAT(φ1) φ is φ1 ∧ φ2 : return SAT(φ1) ∩ SAT(φ2) φ is E X φ1 : return SATEX(φ1) /* procedure seen in Module 2 */ end case end function

7/8

function SAT(φ)

/* Input: Transition system M with state set S, CTL formula φ in ENF */ /* Output: Set of states satisfying φ */

case φ is true : return S φ is pi : return {states containing pi } φ is ¬φ1 : return S − SAT(φ1) φ is φ1 ∧ φ2 : return SAT(φ1) ∩ SAT(φ2) φ is E X φ1 : return SATEX(φ1) /* procedure seen in Module 2 */ φ is E (φ1 U φ2) : return SATEU(φ1,φ2) /* procedure seen in Module 2 */ end case end function

7/8

function SAT(φ)

/* Input: Transition system M with state set S, CTL formula φ in ENF */ /* Output: Set of states satisfying φ */

case φ is true : return S φ is pi : return {states containing pi } φ is ¬φ1 : return S − SAT(φ1) φ is φ1 ∧ φ2 : return SAT(φ1) ∩ SAT(φ2) φ is E X φ1 : return SATEX(φ1) /* procedure seen in Module 2 */ φ is E (φ1 U φ2) : return SATEU(φ1,φ2) /* procedure seen in Module 2 */ φ is E G φ1 : return SATEG(φ1) /* procedure seen in Module 2 */ end case end function

7/8

CTL model-checking algorithm

Reference: Logic in Computer Science, by Huth and Ryan - Section 3.6.1

8/8