Computation Tree Logic B. Srivathsan Chennai Mathematical Institute - - PowerPoint PPT Presentation

Computation Tree Logic

• B. Srivathsan

Chennai Mathematical Institute

Model Checking and Systems Verification January - April 2016

1/35

Module 1: Tree behaviour of a transition system

2/35

Transition System

s0 s1 s2 s3 {p1} {p2} {p2} {p1,p3}

3/35

Transition System

s0 s1 s2 s3 {p1} {p2} {p2} {p1,p3}

s0 s1 s3 s3 s3 s3

...

Paths

s0 s1 s2 s3 s2 s3

...

3/35

Transition System

s0 s1 s2 s3 {p1} {p2} {p2} {p1,p3}

s0 s1 s3 s3 s3 s3

...

Paths

s0 s1 s2 s3 s2 s3

...

{ p1 }{ p2 }{ p1,p3 }{ p1,p3 }{ p1,p3 }{ p1,p3 } ... { p1 }{ p2 }{ p2 }{ p1,p3 }{p2}{ p1,p3 }{p2}{ p1,p3 } ...

Traces

3/35

In this unit

A tree view of the transition system ...

4/35

In this unit

A tree view of the transition system ... ... obtained by repeatedly unfolding it

4/35

s0 s1 s3 s2 s3 s2 s3 s3 s2 s3 s2 s3

. . . . . . . . . . . . . . .

s0 s1 s2 s3 {p1} {p2} {p2} {p1,p3} 5/35

s0 s1 s3 s2 s3 s2 s3 s3 s2 s3 s2 s3

Computation tree . . . . . . . . . . . . . . .

s0 s1 s2 s3 {p1} {p2} {p2} {p1,p3} 5/35

LTL talks about properties of paths

6/35

LTL talks about properties of paths Coming next: Properties of trees

6/35

. . . . . . . . . . . . . . .

7/35

Exists a path satisfying F( red ) . . . . . . . . . . . . . . .

7/35

. . . . . . . . . . . . . . .

8/35

Exists a path satisfying G( red ) . . . . . . . . . . . . . . .

8/35

. . . . . . . . . . . . . . .

9/35

Exists a path satisfying X( red ) . . . . . . . . . . . . . . .

9/35

. . . . . . . . . . . . . . .

10/35

Exists a path satisfying blue U red . . . . . . . . . . . . . . .

10/35

Properties of trees

Type 1: Exists a path satisfying LTL formula φ

11/35

Properties of trees

Type 1: Exists a path satisfying LTL formula φ

E operator: E φ

11/35

Exists a path satisfying F( red ) : E F ( red ) . . . . . . . . . . . . . . .

12/35

Exists a path satisfying G( red ) : E G ( red ) . . . . . . . . . . . . . . .

13/35

Exists a path satisfying X( red ) : E X ( red ) . . . . . . . . . . . . . . .

14/35

Exists a path satisfying blue U red : E ( blue U red ) . . . . . . . . . . . . . . .

15/35

. . . . . . . . . . . . . . .

16/35

All paths satisfy F( red ) . . . . . . . . . . . . . . .

16/35

. . . . . . . . . . . . . . .

17/35

All paths satisfy G( red ) . . . . . . . . . . . . . . .

17/35

. . . . . . . . . . . . . . .

18/35

All paths satisfy X( red ) . . . . . . . . . . . . . . .

18/35

. . . . . . . . . . . . . . .

19/35

All paths satisfy blue U red . . . . . . . . . . . . . . .

19/35

Properties of trees

Type 2: All paths satisfy LTL formula φ

20/35

Properties of trees

Type 2: All paths satisfy LTL formula φ

A operator: A φ

20/35

All paths satisfy F( red ) : A F( red ) . . . . . . . . . . . . . . .

21/35

All paths satisfy G( red ) : A G( red ) . . . . . . . . . . . . . . .

22/35

All paths satisfy X( red ) : A X( red ) . . . . . . . . . . . . . . .

23/35

All paths satisfy blue U red : A blue U red . . . . . . . . . . . . . . .

24/35

Properties of trees

… Exists a path satisfying path property φ :

E φ

… All paths satisfy path property φ :

A φ

25/35

Properties of trees

… Exists a path satisfying path property φ :

E φ

… All paths satisfy path property φ :

A φ Coming next: Mixing A and E

25/35

Recall...

Exists a path satisfying F( red ) : E F ( red ) . . . . . . . . . . . . . . .

26/35

Recall...

All paths satisfy G( red ) : A G( red ) . . . . . . . . . . . . . . .

27/35

. . . . . . . . . . . . . . .

28/35

E F A G (red) . . . . . . . . . . . . . . .

28/35

A F A G (red) . . . . . . . . . . . . . . .

29/35

Recall...

Exists a path satisfying G( red ) : E G ( red ) . . . . . . . . . . . . . . .

30/35

Recall...

Exists a path satisfying X( red ) : E X ( red ) . . . . . . . . . . . . . . .

31/35

E G E X (red) . . . . . . . . . . . . . . .

32/35

E G E X (red) . . . . . . . . . . . . . . .

33/35

E (E X blue) U (A G red) . . . . . . . . . . . . . . .

34/35

Summary

Transition system as a tree

Computation tree E and A operators

35/35

Module 2: CTL∗

2/25

Recap

… Path formulae

… Express properties of paths … LTL

… Properties on trees

… A and E operators … Mixing A and E 3/25

Recap

… Path formulae

… Express properties of paths … LTL

… Properties on trees

… A and E operators … Mixing A and E

Coming next: A logic for expressing properties on trees

3/25

State formulae

φ :=

. . . . . . . . . . . . . . .

4/25

State formulae

φ := true |

. . . . . . . . . . . . . . .

4/25

State formulae

φ := true | pi | pi ∈ AP

. . . . . . . . . . . . . . .

4/25

State formulae

φ := true | pi | φ1 ∧ φ2 | pi ∈ AP φ1,φ2 : State formulae

. . . . . . . . . . . . . . .

4/25

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 pi ∈ AP φ1,φ2 : State formulae

. . . . . . . . . . . . . . .

4/25

Path formulae

α :=

. . . . . . . . . . . . . . .

5/25

Path formulae

α := φ | φ : State formula

. . . . . . . . . . . . . . .

5/25

Path formulae

α := φ | α1 ∧ α2 | φ : State formula α1,α2 : Path formulae

. . . . . . . . . . . . . . .

5/25

Path formulae

α := φ | α1 ∧ α2 | ¬α1 | φ : State formula α1,α2 : Path formulae

. . . . . . . . . . . . . . .

5/25

Path formulae

α := φ | α1 ∧ α2 | ¬α1 | X α1 | φ : State formula α1,α2 : Path formulae

. . . . . . . . . . . . . . .

5/25

Path formulae

α := φ | α1 ∧ α2 | ¬α1 | X α1 | α1 U α2 | φ : State formula α1,α2 : Path formulae

. . . . . . . . . . . . . . .

5/25

Path formulae

α := φ | α1 ∧ α2 | ¬α1 | X α1 | α1 U α2 | F α1 | φ : State formula α1,α2 : Path formulae

. . . . . . . . . . . . . . .

5/25

Path formulae

α := φ | α1 ∧ α2 | ¬α1 | X α1 | α1 U α2 | F α1 | G α1 φ : State formula α1,α2 : Path formulae

. . . . . . . . . . . . . . .

5/25

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 pi ∈ AP φ1,φ2 : State formulae

. . . . . . . . . . . . . . .

6/25

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | pi ∈ AP φ1,φ2 : State formulae α : Path formula

. . . . . . . . . . . . . . .

6/25

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

. . . . . . . . . . . . . . .

6/25

CTL∗

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := φ | α1 ∧ α2 | ¬α1 | X α1 | α1 U α2 | F α1 | G α1 φ : State formula α1,α2 : Path formulae

7/25

CTL∗

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := φ | α1 ∧ α2 | ¬α1 | X α1 | α1 U α2 | F α1 | G α1 φ : State formula α1,α2 : Path formulae Examples: E F p1, A F A G p1, A F G p2, A p1, A E p1

7/25

When does a state in a tree satisfy a state formula? . . . . . . . . . . . . . . .

8/25

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

9/25

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula … Every state satisfies true

9/25

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula … Every state satisfies true … State satisfies pi if its label contains pi

9/25

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula … Every state satisfies true … State satisfies pi if its label contains pi … State satisfies φ1 ∧ φ2 if it satisfies both φ1 and φ2

9/25

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula … Every state satisfies true … State satisfies pi if its label contains pi … State satisfies φ1 ∧ φ2 if it satisfies both φ1 and φ2 … State satisfies ¬ φ if it does not satisfy φ

9/25

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula … Every state satisfies true … State satisfies pi if its label contains pi … State satisfies φ1 ∧ φ2 if it satisfies both φ1 and φ2 … State satisfies ¬ φ if it does not satisfy φ … State satisfies E α if there exists a path starting from the state

satisfying α

9/25

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula … Every state satisfies true … State satisfies pi if its label contains pi … State satisfies φ1 ∧ φ2 if it satisfies both φ1 and φ2 … State satisfies ¬ φ if it does not satisfy φ … State satisfies E α if there exists a path starting from the state

satisfying α

… State satisfies A α if all paths starting from the state satisfy α

9/25

When does a path in a tree satisfy a path formula? . . . . . . . . . . . . . . .

10/25

Path formulae

α := φ | α1 ∧ α2 | ¬α1 | X α1 | α1 U α2 | F α1 | G α1 φ : State formula α1,α2 : Path formulae

11/25

Path formulae

α := φ | α1 ∧ α2 | ¬α1 | X α1 | α1 U α2 | F α1 | G α1 φ : State formula α1,α2 : Path formulae … Path satisfies φ if the initial state of the path satisfies φ

11/25

Path formulae

α := φ | α1 ∧ α2 | ¬α1 | X α1 | α1 U α2 | F α1 | G α1 φ : State formula α1,α2 : Path formulae … Path satisfies φ if the initial state of the path satisfies φ … Rest standard semantics like LTL

11/25

A tree satisfies state formula φ if its root satisfies φ

∈

. . . . . . . . . . . . . . .

12/25

… E F p1: Exists a path where p1 is true sometime

13/25

… E F p1: Exists a path where p1 is true sometime … A F A G p1:

13/25

… E F p1: Exists a path where p1 is true sometime … A F A G p1:

… In all paths, there exists a state where A G p1 is true 13/25

… E F p1: Exists a path where p1 is true sometime … A F A G p1:

… In all paths, there exists a state where A G p1 is true … In all paths, there exists a state from which all paths satisfy G p1 13/25

… E F p1: Exists a path where p1 is true sometime … A F A G p1:

… In all paths, there exists a state where A G p1 is true … In all paths, there exists a state from which all paths satisfy G p1 … In all paths, there exists a state such that every state in the

subtree below it contains p1

13/25

… E F p1: Exists a path where p1 is true sometime … A F A G p1:

… In all paths, there exists a state where A G p1 is true … In all paths, there exists a state from which all paths satisfy G p1 … In all paths, there exists a state such that every state in the

subtree below it contains p1

… A F G p2: In all paths, there exists a state from which p2 is true

forever

13/25

… E F p1: Exists a path where p1 is true sometime … A F A G p1:

… In all paths, there exists a state where A G p1 is true … In all paths, there exists a state from which all paths satisfy G p1 … In all paths, there exists a state such that every state in the

subtree below it contains p1

… A F G p2: In all paths, there exists a state from which p2 is true

forever

… A p1:

13/25

… E F p1: Exists a path where p1 is true sometime … A F A G p1:

… In all paths, there exists a state where A G p1 is true … In all paths, there exists a state from which all paths satisfy G p1 … In all paths, there exists a state such that every state in the

subtree below it contains p1

… A F G p2: In all paths, there exists a state from which p2 is true

forever

… A p1:

… All paths satisfy p1 13/25

… E F p1: Exists a path where p1 is true sometime … A F A G p1:

… In all paths, there exists a state where A G p1 is true … In all paths, there exists a state from which all paths satisfy G p1 … In all paths, there exists a state such that every state in the

subtree below it contains p1

… A F G p2: In all paths, there exists a state from which p2 is true

forever

… A p1:

… All paths satisfy p1 … All paths start with p1 13/25

… E F p1: Exists a path where p1 is true sometime … A F A G p1:

… In all paths, there exists a state where A G p1 is true … In all paths, there exists a state from which all paths satisfy G p1 … In all paths, there exists a state such that every state in the

subtree below it contains p1

… A F G p2: In all paths, there exists a state from which p2 is true

forever

… A p1:

… All paths satisfy p1 … All paths start with p1 … Same as p1! 13/25

E F A G (red) . . . . . . . . . . . . . . .

14/25

A F A G (red) . . . . . . . . . . . . . . .

15/25

E G E X (red) . . . . . . . . . . . . . . .

16/25

E G E X (red) . . . . . . . . . . . . . . .

17/25

E (E X blue) U (A G red) . . . . . . . . . . . . . . .

18/25

When does a transition system satisfy a CTL∗ formula?

s0 s1 s2 s3 {p1} {p2} {p2} {p1,p3}

19/25

Transition system satisfies CTL∗ formula φ if its computation tree satisfies φ

s0 s1 s3 s2 s3 s2 s3 s3 s2 s3 s2 s3

. . . . . . . . . . . . . . .

s0 s1 s2 s3 {p1} {p2} {p2} {p1,p3} 20/25

Can LTL properties be written using CTL∗?

21/25

Transition System (TS) satisfies LTL formula φ if Traces(TS) ⊆ Words(φ)

22/25

Transition System (TS) satisfies LTL formula φ if Traces(TS) ⊆ Words(φ) All paths in the computation tree of TS satisfy path formula φ

22/25

Transition System (TS) satisfies LTL formula φ if Traces(TS) ⊆ Words(φ) All paths in the computation tree of TS satisfy path formula φ Equivalent CTL∗ formula: A φ

22/25

Can CTL∗ properties be written using LTL?

23/25

Can CTL∗ properties be written using LTL? Answer: No

23/25

E F A G (red) . . . . . . . . . . . . . . . Cannot be expressed in LTL

24/25

Summary

CTL∗

Syntax and semantics State formulae, Path formulae LTL properties ⊆ CTL∗ properties

25/25

Module 3: CTL

2/16

In this module...

Restrict to a subset of CTL∗ which has efficient model-checking algorithms

3/16

CTL∗

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := φ | α1 ∧ α2 | ¬α1 | X α1 | α1 U α2 | F α1 | G α1 φ : State formula α1,α2 : Path formulae

4/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X α1 | α1 U α2 | F α1 | G α1 φ : State formula α1,α2 : Path formulae

4/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | α1 U α2 | F α1 | G α1 φ : State formula α1,α2 : Path formulae

4/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F α1 | G α1 φ : State formula α1,α2 : Path formulae

4/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G α1 φ : State formula α1,α2 : Path formulae

4/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1 φ : State formula α1,α2 : Path formulae

4/16

CTL

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

4/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Legal CTL formulae Illegal CTL formulae

5/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Legal CTL formulae Illegal CTL formulae E F p1

5/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Legal CTL formulae Illegal CTL formulae E F p1 E F A G p1

5/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Legal CTL formulae Illegal CTL formulae E F p1 E F A G p1 A X p2

5/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Legal CTL formulae Illegal CTL formulae E F p1 E F A G p1 A X p2 A F p1 ∧ A G p2

5/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Legal CTL formulae Illegal CTL formulae E F p1 E F A G p1 A X p2 A F p1 ∧ A G p2 A F G p1

5/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Legal CTL formulae Illegal CTL formulae E F p1 E F A G p1 A X p2 A F p1 ∧ A G p2 A F G p1 A p1

5/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Legal CTL formulae Illegal CTL formulae E F p1 E F A G p1 A X p2 A F p1 ∧ A G p2 A F G p1 A p1 E G F p1

5/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Legal CTL formulae Illegal CTL formulae E F p1 E F A G p1 A X p2 A F p1 ∧ A G p2 A F G p1 A p1 E G F p1 A (F p1 ∧ G p2)

5/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Legal CTL formulae Illegal CTL formulae E F p1 E F A G p1 A X p2 A F p1 ∧ A G p2 A F G p1 A p1 E G F p1 A (F p1 ∧ G p2) A ( p1 U ( E G p2 ) )

5/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Legal CTL formulae Illegal CTL formulae E F p1 E F A G p1 A X p2 A F p1 ∧ A G p2 A F G p1 A p1 E G F p1 A (F p1 ∧ G p2) A ( p1 U ( E G p2 ) ) A ( p1 U ( G p2 ) )

5/16

State formulae

φ := true | pi | φ1 ∧ φ2 | ¬φ1 | E α | A α pi ∈ AP φ1,φ2 : State formulae α : Path formula

Path formulae

α := X φ1 | φ1 U φ2 | F φ1 | G φ1

Legal CTL formulae Illegal CTL formulae E F p1 E F A G p1 A X p2 A F p1 ∧ A G p2 A F G p1 A p1 E G F p1 A (F p1 ∧ G p2) A ( p1 U ( E G p2 ) ) A ( p1 U ( G p2 ) ) Every temporal operator X, U, F, G has a corresponding A or E

5/16

CTL

Syntax: Restricted form of CTL∗ Semantics: Same as seen in CTL∗

6/16

Example

non-crit wait crit exiting y>0:y:=y-1 y:=y+1 non-crit wait crit exiting y>0:y:=y-1 y:=y+1

|||

Atomic propositions AP = { p1,p2,p3,p4 } p1: pr1.location=crit p2: pr1.location=wait p3: pr2.location=crit p4: pr2.location=wait Mutual exclusion: A G ¬ (p1 ∧ p3)

7/16

Can LTL properties be written using CTL?

8/16

Can LTL properties be written using CTL? Answer: No

8/16

Can LTL properties be written using CTL? Answer: No Property A F G p1 cannot be expressed in CTL

8/16

A F G (red)

In all paths, eventually red is true forever

. . . . . . . . . . . . . . .

9/16

A F A G (red) . . . . . . . . . . . . . . .

10/16

A F E G (red) . . . . . . . . . . . . . . .

11/16

Can LTL properties be written using CTL? Answer: No Property A F G p1 cannot be expressed in CTL

12/16

Can CTL properties be written using LTL?

13/16

Can CTL properties be written using LTL? Answer: No

13/16

E F A G (red) . . . . . . . . . . . . . . . Cannot be expressed in LTL

14/16

CTL∗ CTL LTL

15/16

CTL∗ CTL LTL

A G p

15/16

CTL∗ CTL LTL

E F A G p A G p

15/16

CTL∗ CTL LTL

E F A G p F G p A G p

15/16

CTL∗ CTL LTL

E F A G p F G p A G p E F A G p ∨ A F G q

15/16

Summary

CTL

Subset of CTL∗ Paired temporal and A-E operators Expressive powers

16/16