Computation Tree Logic (CTL) Fazle Rabbi University of Oslo, Oslo, - PowerPoint PPT Presentation

Computation Tree Logic (CTL) Fazle Rabbi University of Oslo, Oslo, Norway Bergen University College, Bergen, Norway fazlr@student.matnat.uio.no, Fazle.Rabbi@hib.no May 30, 2015 Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 1 / 25

Model of Computation Finite-state systems are modeled by labeled state transition graphs, called Kripke Structures . Example a,b b,c c Figure : State Transition Graph or Kripke Model Formally, a Kripke structure is a triple M = � S , R , L � , where S is the set of states, R ⊆ S × S is the transition relation, and L : S → P ( AP ) gives the set of atomic propositions true in each state. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 2 / 25

Model of Computation If some state is designated as the initial state, the structure can be unwound into an infinite tree with that state as the root. Example (Unwind State Graph to obtain Infinite Tree) a,b a,b b,c c a,b c c b,c c State Transition Graph or Kripke Model Infinite Computation Tree A path in M is an infinite sequence of states, π = s 0 , s 1 , ... such that for i ≥ 0 , ( s i , s i +1 ) ∈ R . Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 3 / 25

Motivation of using CTL LTL formulas are evaluated on paths. A state of a system satisfies an LTL formula if all paths from the given state satisfy it. Thus, LTL implicitly quantifies universally over paths. Properties which assert the existence of a path cannot be expressed in LTL. Example From any state it is possible to get to the Restart state. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 4 / 25

Motivation of using CTL Computation Tree Logic (CTL) is a branching-time logic, meaning that its model of time is a tree-like structure in which the future is not determined; there are different paths in the future, any one of which might be the ‘actual path that is realised. In CTL, as well as the temporal operators X , F , G and U of LTL we also have quantifiers A and E which express ‘all paths’ and ‘exists a path’, respectively. Example (Each computation tree has the state s 0 as its root) g g g g g g g g g g M , s 0 | M , s 0 | M , s 0 | M , s 0 | = EF g = AF g = EG g = AG g Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 5 / 25

Syntax of CTL Definition CTL formulas are inductively defined via a Backus Naur form φ ::= ⊤ | ⊥ | p | ( ¬ φ ) | ( φ ∧ φ ) | ( φ ∨ φ ) | ( φ → φ ) | AX φ | EX φ | AF φ | EF φ | AG φ | EG φ | A [ φ U φ ] | E [ φ U φ ] where p ranges over a set of atomic formulas. Notice that each of the CTL temporal connectives is a pair of symbols. Q T X (next) there exists an execution E F ( fi nally) for all execution A G (globally) U (until) (and possibly others) Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 6 / 25

Semantics of computation tree logic Let M = ( S , → , L ) be a model. For a CTL formula φ . the relation M , s | = φ is defined by structural induction on φ : M , s | = ⊤ and M , s � ⊥ 1 M , s | = p iff p ∈ L ( s ) 2 M , s | = ¬ φ iff M , s � φ 3 4 M , s | = φ 1 ∧ φ 2 iff M , s | = φ 1 and M , s | = φ 2 5 M , s | = φ 1 ∨ φ 2 iff M , s | = φ 1 or M , s | = φ 2 6 M , s | = φ 1 → φ 2 iff M , s � φ 1 or M , s | = φ 2 M , s | = AX φ iff for all s 1 such that s → s 1 we have M , s 1 | = φ 7 M , s | = EX φ iff for some s 1 such that s → s 1 we have M , s 1 | = φ 8 M , s | = AG φ holds iff for all paths s 1 → s 2 → s 3 → ..., where s 1 equals s , and all s i along 9 the path, we have M , s i | = φ 10 M , s | = EG φ holds iff there is a path s 1 → s 2 → s 3 → ..., where s 1 equals s , and all s i along the path, we have M , s i | = φ 11 M , s | = AF φ holds iff for all paths s 1 → s 2 → s 3 → ..., where s 1 equals s , there is some s i such that M , s i | = φ 12 M , s | = EF φ holds iff there is a path s 1 → s 2 → s 3 → ..., where s 1 equals s , and for some s i along the path, we have M , s i | = φ 13 M , s | = A [ φ 1 U φ 2 ] holds iff for all paths s 1 → s 2 → s 3 → ..., where s 1 equals s , that path satisfies φ 1 U φ 2 14 M , s | = E [ φ 1 U φ 2 ] holds iff there is path s 1 → s 2 → s 3 → ..., where s 1 equals s , and that path satisfies φ 1 U φ 2 Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 7 / 25

CTL Semantics: Intuitions (Cont.) AX EX AG EG AF A[ U ] EF E[ U ] 1 2 2 1 Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 8 / 25

Example of CTL formula Example There is a reachable state satisfying q : this is written EF q . From all reachable states satisfying p , it is possible to maintain p continuously until reaching a state satisfying q : AG ( p → E [ p U q ]). Whenever a state satisfying p is reached, the system can exhibit q continuously forevermore: AG ( p → EG q ). There is a reachable state from which all reachable states satisfy p : EF AG p . Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 9 / 25

Expressive Power LTL and CTL have different expressive powers. The choice between LTL and CTL depends on the application and the personal preferences. For example, there is no CTL formula that is equivalent to the LTL formula �� p. Likewise, there is no LTL formula that is equivalent to the CTL formula AG ( EF p). The disjunction �� p ∨ AG ( EF p) is a CTL ∗ formula that is not expressible in either CTL or LTL. CTL* LTL CTL Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 10 / 25

Expressive Power There is no CTL formula that is equivalent to the LTL formula �� p. M a a s 0 s 1 s 2 s 0 a M, s 0 a s 1 LTL s 0 a M, s 0 s 2 CTL AF (AG a) s 1 a s 0 a s 2 s 1 s 2 a a a s 0 s 2 s 2 s 1 a a Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 11 / 25

Expressive Power There is no LTL formula that is equivalent to the CTL formula AG ( EF p). This is shown by contradiction: assume ϕ ≡ AG ( EF p); let: M M' a s 0 s 0 s 1 M | = AG ( EF p), and thus- by assumption- M | = ϕ Paths( M ′ ) ⊆ Paths( M ), Thus M ′ | = ϕ But M ′ � AG ( EF p) as path s w � G ( EF p) Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 12 / 25

Equivalences between CTL formulas Definition Two CTL formulas φ and ψ are said to be semantically equivalent if any state in any model which satisfies one of them also satisfies the other; we denote this by φ ≡ ψ . Example ¬ AF φ ≡ EG ¬ φ ¬ EF φ ≡ AG ¬ φ ¬ AX φ ≡ EX ¬ φ AF φ ≡ A [ T U φ ] EF φ ≡ E [ T U φ ] Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 13 / 25

Adequate sets of CTL connectives There are ten basic CTL operators: AX and EX AF and EF AG and EG AU and EU AR and ER Each of the ten operators can be expressed in terms of three operators EX , EG , and EU : AX φ = ¬ EX ( ¬ φ ) EF φ = E [ ⊤ U φ ] AG φ = ¬ EF ( ¬ φ ) AF φ = ¬ EG ( ¬ φ ) A [ φ U ψ ] ≡ ¬ E [ ¬ ψ U ( ¬ φ ∧ ¬ ψ )] ∧ ¬ EG ¬ ψ A [ φ R ψ ] ≡ ¬ E [ ¬ φ U ¬ ψ ] E [ φ R ψ ] ≡ ¬ A [ ¬ φ U ¬ ψ ] Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 14 / 25

CTL Model checking INPUT: a model M = ( S , → , L ) and a CTL formula φ . OUTPUT: the set of states of M which satisfy φ . First, we convert φ with the adequate sets of CTL connectives (i.e., ¬ , ∨ , EX , EU , EG ). Next, label the states of M with the subformulas of φ that are satisfied there, starting with the smallest subformulas and working outwards towards φ . Suppose ψ is a subformula of φ and states satisfying all the immediate subformulas of ψ have already been labelled. We determine by a case analysis which states to label with ψ . Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 15 / 25

CTL Model checking (cont..) If ψ is ⊥ : then no states are labelled with ⊥ . p : then label s with p if p ∈ L ( s ). ψ 1 ∧ ψ 2 : label s with ψ 1 ∧ ψ 2 if s is already labelled both with ψ 1 and with ψ 2 . ¬ ψ 1 : label s with ¬ ψ 1 if s is not already labelled with ψ 1 . EX ψ 1 : label any state with EX ψ 1 if one of its successors is labelled with ψ 1 . Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 16 / 25

CTL Model checking (cont..) If ψ is E [ ψ 1 U ψ 2 ]: If any state s is labelled with ψ 2 , label it with E [ ψ 1 U ψ 2 ]. Repeat: label any state with E [ ψ 1 U ψ 2 ] if it is labelled with ψ 1 and at least one of its successors is labelled with E [ ψ 1 U ψ 2 ], until there is no change. This step is illustrated in Figure E[ U ] E[ U ] 1 2 1 2 1 E[ U ] 1 1 2 Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 17 / 25

CTL Model checking (cont..) If ψ is EG ψ 1 : Label all the states with EG ψ 1 . If any state s is not labelled with ψ 1 , delete the label EG ψ 1 . Repeat: delete the label EG ψ 1 from any state if none of its successors is labelled with EG ψ 1 ; until there is no change. Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 18 / 25