CTL (Clarke & Emerson 81) – Definition: Computation Tree Logic (PDF document)


Basics of Verification¹

https://wikimpri.dptinfo.ens-cachan.fr/doku.php?id=cours:c-1-22

Thomas Chatain

chatain@lsv.ens-cachan.fr http://www.lsv.ens-cachan.fr/~chatain/

MPRI – M1 2014 – 2015

¹ Thanks to Paul Gastin for previous versions of this material

CTL (Clarke & Emerson 81)

Definition: Computation Tree Logic CTL(AP, X, U)

Syntax: ϕ ::= ⊥ | p (p ∈ AP) | ¬ϕ | ϕ ∨ ϕ | EX ϕ | AX ϕ | E ϕ U ϕ | A ϕ U ϕ

The semantics is inherited from CTL∗.

Remark: All CTL formulae are state formulae

⟦ϕ⟧_M = {s ∈ S | M, s ⊨ ϕ}

Examples: Macros

◮ EF ϕ = E ⊤ U ϕ and AG ϕ = ¬EF ¬ϕ
◮ AF ϕ = A ⊤ U ϕ and EG ϕ = ¬AF ¬ϕ
◮ AG(req → EF grant)
◮ AG(req → AF grant)

CTL (Clarke & Emerson 81)

Definition: Semantics

All CTL formulae are state formulae. Hence, we have a simpler semantics. Let M = (S, T, I, AP, ℓ) be a Kripke structure without deadlocks and let s ∈ S.

M, s ⊨ p if p ∈ ℓ(s)
M, s ⊨ EX ϕ if ∃ s → s′ with M, s′ ⊨ ϕ
M, s ⊨ AX ϕ if ∀ s → s′ we have M, s′ ⊨ ϕ
M, s ⊨ E ϕ U ψ if there is a finite path s = s0 → s1 → s2 → ··· → sk with M, sk ⊨ ψ and M, sj ⊨ ϕ for all 0 ≤ j < k
M, s ⊨ A ϕ U ψ if for all infinite paths s = s0 → s1 → s2 → ··· there is k ≥ 0 with M, sk ⊨ ψ and M, sj ⊨ ϕ for all 0 ≤ j < k

CTL (Clarke & Emerson 81)

Example:

(Figure: a Kripke structure with states 1, …, 8 labelled with the atomic propositions p, q, r; the labels as extracted, in reading order, are q; p, q; q; r; p, r; p, r; p, q. The transitions are not recoverable from this extraction.)

⟦EX p⟧ = {1, 2, 3, 5, 6}
⟦AX p⟧ = {3, 6}
⟦EF p⟧ = {1, 2, 3, 4, 5, 6, 7, 8}
⟦AF p⟧ = {2, 3, 5, 6, 7}
⟦E q U r⟧ = {1, 2, 3, 4, 5, 6}
⟦A q U r⟧ = {2, 3, 4, 5, 6}

CTL (Clarke & Emerson 81)

Remark: Equivalent formulae

◮ AX ϕ ≡ ¬EX ¬ϕ
◮ ¬(ϕ U ψ) ≡ G ¬ψ ∨ (¬ψ U (¬ϕ ∧ ¬ψ))
◮ A ϕ U ψ ≡ ¬EG ¬ψ ∧ ¬E(¬ψ U (¬ϕ ∧ ¬ψ))
◮ AG(req → F grant) ≡ AG(req → AF grant)
◮ A G F ϕ ≡ AG AF ϕ (infinitely often)
◮ E F G ϕ ≡ EF EG ϕ (ultimately)
◮ EG EF ϕ ≢ E G F ϕ ≢ EG AF ϕ
◮ AF AG ϕ ≢ A F G ϕ ≢ AF EG ϕ
◮ EG EX ϕ ≢ E G X ϕ ≢ EG AX ϕ

(Figure: counterexample Kripke structure for the three non-equivalences, with states 1, 2, 3 labelled ¬ϕ, ϕ, ¬ϕ; the transitions are not recoverable from this extraction.)

Model checking of CTL

Definition: Existential and universal model checking

Let M = (S, T, I, AP, ℓ) be a Kripke structure and ϕ ∈ CTL a formula.
M ⊨∃ ϕ if M, s ⊨ ϕ for some s ∈ I.
M ⊨∀ ϕ if M, s ⊨ ϕ for all s ∈ I.

Remark:

M ⊨∃ ϕ iff I ∩ ⟦ϕ⟧ ≠ ∅
M ⊨∀ ϕ iff I ⊆ ⟦ϕ⟧
M ⊨∀ ϕ iff M ⊭∃ ¬ϕ

Definition: Model checking problems MC∀(CTL) and MC∃(CTL)

Input: A Kripke structure M = (S, T, I, AP, ℓ) and a formula ϕ ∈ CTL
Question: Does M ⊨∀ ϕ? (MC∀(CTL)) or Does M ⊨∃ ϕ? (MC∃(CTL))

Theorem:

Let M = (S, T, I, AP, ℓ) be a Kripke structure and ϕ ∈ CTL a formula. The model checking problem M ⊨∃ ϕ is decidable in time O(|M| · |ϕ|).


Model checking of CTL

Theorem

Let M = (S, T, I, AP, ℓ) be a Kripke structure and ϕ ∈ CTL a formula. The model checking problem M ⊨∃ ϕ is decidable in time O(|M| · |ϕ|).

Proof:

Compute ⟦ϕ⟧ = {s ∈ S | M, s ⊨ ϕ} by induction on the formula.
The set ⟦ϕ⟧ is represented by a boolean array: L[s][ϕ] = ⊤ if s ∈ ⟦ϕ⟧.
The labelling ℓ is encoded in L: for p ∈ AP we have L[s][p] = ⊤ if p ∈ ℓ(s).
For each t ∈ S, the set T⁻¹(t) is represented as a list, so that the double loop

for all t ∈ S do
  for all s ∈ T⁻¹(t) do ...

takes time O(|T|).

Model checking of CTL

Definition: procedure semantics(ϕ)

case ϕ = ¬ϕ1:
  semantics(ϕ1)
  ⟦ϕ⟧ := S \ ⟦ϕ1⟧                                        // O(|S|)
case ϕ = ϕ1 ∨ ϕ2:
  semantics(ϕ1); semantics(ϕ2)
  ⟦ϕ⟧ := ⟦ϕ1⟧ ∪ ⟦ϕ2⟧                                      // O(|S|)
case ϕ = EX ϕ1:
  semantics(ϕ1)
  ⟦ϕ⟧ := ∅                                               // O(|S|)
  for all t ∈ ⟦ϕ1⟧ do
    for all s ∈ T⁻¹(t) do ⟦ϕ⟧ := ⟦ϕ⟧ ∪ {s}                  // O(|T|)
case ϕ = AX ϕ1:
  semantics(ϕ1)
  ⟦ϕ⟧ := S                                               // O(|S|)
  for all t ∉ ⟦ϕ1⟧ do
    for all s ∈ T⁻¹(t) do ⟦ϕ⟧ := ⟦ϕ⟧ \ {s}                  // O(|T|)

Model checking of CTL

Definition: procedure semantics(ϕ)

case ϕ = E ϕ1 U ϕ2:                                       // O(|S| + |T|)
  semantics(ϕ1); semantics(ϕ2)
  Todo := ⟦ϕ2⟧      // the "todo" set Todo is implemented with a list   O(|S|)
  Good := ⟦ϕ2⟧      // the "result" is computed in the array Good       O(|S|)
  while Todo ≠ ∅ do                                       // |S| times
    Invariant 1: ⟦ϕ2⟧ ∪ Todo ⊆ Good ⊆ ⟦E ϕ1 U ϕ2⟧ and
    Invariant 2: ⟦ϕ1⟧ ∩ T⁻¹(Good \ Todo) ⊆ Good
    take t ∈ Todo; Todo := Todo \ {t}                     // O(1)
    for all s ∈ T⁻¹(t) do                                 // |T| times
      if s ∈ ⟦ϕ1⟧ \ Good then Todo := Todo ∪ {s}; Good := Good ∪ {s}   // O(1)
  ⟦ϕ⟧ := Good                                             // O(|S|)

Good is only used to make the invariant clear. It can be replaced by ⟦ϕ⟧.

Model Checking of CTL

Proof: ϕ = E ϕ1 U ϕ2 = ϕ2 ∨ (ϕ1 ∧ EX(E ϕ1 U ϕ2))

◮ Termination and complexity:

Every state is added to Todo at most once. Every transition is considered at most once. Hence the time complexity is O(|S| + |T|).

◮ Invariant 1 is easy to prove.
◮ Invariant 2 is not needed, see my handwritten notes for its proof.
◮ We show that all states s ∈ ⟦ϕ⟧ will be added to Todo and to Good.

Let s ∈ ⟦ϕ⟧ and let s = s0 → s1 → ··· → sk be a run of M such that sk ∈ ⟦ϕ2⟧ and si ∈ ⟦ϕ1⟧ for 0 ≤ i < k. sk is added to Todo with Todo := ⟦ϕ2⟧ and to Good with Good := ⟦ϕ2⟧. Assume that si has been inserted in Todo for some 0 < i ≤ k. When t = si is taken out of Todo in the while loop, we consider si−1 ∈ T⁻¹(si). Since si−1 ∈ ⟦ϕ1⟧, it is added to Todo if it was not added to Good (hence to Todo) before. By induction, we deduce that s = s0 ∈ Good at the end of the while loop. Hence, ⟦E ϕ1 U ϕ2⟧ ⊆ Good.

Model checking of CTL

Definition: procedure semantics(ϕ)

case ϕ = A ϕ1 U ϕ2:                                       // O(|S| + |T|)
  semantics(ϕ1); semantics(ϕ2)
  Todo := ⟦ϕ2⟧      // the "todo" set Todo is implemented with a list   O(|S|)
  Good := ⟦ϕ2⟧      // the "result" is computed in the array Good       O(|S|)
  for all s ∈ S do c[s] := |T(s)|                         // O(|S|)
  while Todo ≠ ∅ do                                       // |S| times
    Invariant 1: ⟦ϕ2⟧ ∪ Todo ⊆ Good ⊆ ⟦A ϕ1 U ϕ2⟧ and
    Invariant 2: ∀s ∈ S, c[s] = |T(s) \ (Good \ Todo)| and
    Invariant 3: ⟦ϕ1⟧ ∩ {s ∈ S | c[s] = 0} ⊆ Good
    take t ∈ Todo; Todo := Todo \ {t}                     // O(1)
    for all s ∈ T⁻¹(t) do                                 // |T| times
      c[s] := c[s] − 1                                    // O(1)
      if c[s] = 0 ∧ s ∈ ⟦ϕ1⟧ \ Good then Todo := Todo ∪ {s}; Good := Good ∪ {s}   // O(1)
  ⟦ϕ⟧ := Good                                             // O(|S|)

Good is only used to make the invariant clear. It can be replaced by ⟦ϕ⟧.
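Added worked example (not code from the lecture): the procedure semantics(ϕ) for ¬, ∨, EX, AX, E ϕ1 U ϕ2 and A ϕ1 U ϕ2, with the Todo list, the Good set and the counters c[s] as above, run on a constructed four-state Kripke structure without deadlocks. The tuple encoding of formulas is an assumption of this example.

```python
from collections import defaultdict

# Constructed Kripke structure M = (S, T, I, AP, l) without deadlocks.
S = {0, 1, 2, 3}
T = {0: {1, 2}, 1: {1}, 2: {3}, 3: {3}}                   # successor sets T(s)
LABEL = {0: {"q"}, 1: {"q"}, 2: {"q", "r"}, 3: {"p"}}    # labelling l(s)

def predecessors(T):
    """T^-1(t) as lists, the representation the O(|T|) loop bound assumes."""
    pred = defaultdict(list)
    for s, succs in T.items():
        for t in succs:
            pred[t].append(s)
    return pred

def semantics(phi, S, T, label):
    """Return [[phi]] = {s in S | M, s |= phi}, by induction on phi.
    Assumed encoding: an atomic proposition is a str; otherwise ("true",),
    ("not", f), ("or", f, g), ("EX", f), ("AX", f), ("EU", f, g), ("AU", f, g)."""
    if isinstance(phi, str):
        return {s for s in S if phi in label[s]}
    pred = predecessors(T)
    op = phi[0]
    if op == "true":
        return set(S)
    if op == "not":
        return S - semantics(phi[1], S, T, label)
    if op == "or":
        return semantics(phi[1], S, T, label) | semantics(phi[2], S, T, label)
    if op == "EX":   # predecessors of states satisfying phi1
        return {s for t in semantics(phi[1], S, T, label) for s in pred[t]}
    if op == "AX":   # remove predecessors of states violating phi1
        bad = S - semantics(phi[1], S, T, label)
        return S - {s for t in bad for s in pred[t]}
    if op in ("EU", "AU"):
        sat1 = semantics(phi[1], S, T, label)
        good = set(semantics(phi[2], S, T, label))  # Good := [[phi2]]
        todo = list(good)                            # Todo := [[phi2]], a list
        count = {s: len(T[s]) for s in S}            # c[s] = |T(s) \ Done| (AU)
        while todo:                                  # each state popped once
            t = todo.pop()
            for s in pred[t]:                        # each transition once
                count[s] -= 1                        # t now belongs to Done
                if s in sat1 and s not in good and (op == "EU" or count[s] == 0):
                    good.add(s)
                    todo.append(s)
        return good
    raise ValueError("unknown operator " + str(op))
```

The macros of the first slide are obtained as formulas, e.g. EF p is ("EU", ("true",), "p") and AG q is ("not", ("EU", ("true",), ("not", "q"))).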

Model Checking of CTL

Proof: ϕ = A ϕ1 U ϕ2 = ϕ2 ∨ (ϕ1 ∧ AX(A ϕ1 U ϕ2))

◮ Termination and complexity:

Every state is added to Todo at most once. Every transition is considered at most once. Hence the time complexity is O(|S| + |T|).

◮ Inv1: ⟦ϕ2⟧ ∪ Todo ⊆ Good is clear.
◮ Inv2: We let Done = Good \ Todo. Initially, Done = ∅ and c[s] = |T(s)| for all s ∈ S. After the loop body: Done′ = Done ∪ {t} and for all s ∈ S, we have either t ∈ T(s) and c′[s] = c[s] − 1 = |T(s) \ Done| − 1 = |T(s) \ Done′|, or t ∉ T(s) and c′[s] = c[s] = |T(s) \ Done| = |T(s) \ Done′|. We deduce that Inv2 is preserved.
◮ Inv1: Good ⊆ ⟦A ϕ1 U ϕ2⟧ is true initially since ⟦ϕ2⟧ ⊆ ⟦A ϕ1 U ϕ2⟧. It is preserved thanks to Inv2: when a state s is added to Good then s ∈ ⟦ϕ1⟧ and c′[s] = 0 which implies T(s) ⊆ Done′ = Done ∪ {t} ⊆ Good. By induction, Good ⊆ ⟦A ϕ1 U ϕ2⟧. Hence, s ⊨ ϕ1 ∧ AX(A ϕ1 U ϕ2).

Model Checking of CTL

Proof: ϕ = A ϕ1 U ϕ2 = ϕ2 ∨ (ϕ1 ∧ AX(A ϕ1 U ϕ2))

It remains to show that ⟦A ϕ1 U ϕ2⟧ ⊆ Good at the end of the while loop. For each s ∉ Good, we construct an infinite run s0 → s1 → s2 → ··· with s = s0 which satisfies ¬(ϕ1 U ϕ2). Let s ∉ Good. Assume that for some k ≥ 0, we have constructed a run ρ = s0 → s1 → ··· → sk with s = s0, sk ∉ Good and s0, …, sk−1 ∈ ⟦ϕ1⟧ \ ⟦ϕ2⟧. Since sk ∉ Good we have sk ∉ ⟦ϕ2⟧.

1. If sk ∉ ⟦ϕ1⟧ then any infinite extension of ρ satisfies ¬(ϕ1 U ϕ2). The construction stops and we are done.
2. If sk ∈ ⟦ϕ1⟧ then, since sk was not inserted in Good, we have c[sk] > 0. Using Inv2 (with Todo = ∅ at the end of the loop) we get T(sk) ⊈ Good and we find sk+1 ∈ T(sk) \ Good.

If the construction does not stop with case 1 above, then we obtain an infinite run satisfying G(ϕ1 ∧ ¬ϕ2), hence also ¬(ϕ1 U ϕ2). We conclude that s ∉ ⟦A ϕ1 U ϕ2⟧.

Complexity of CTL

Definition: SAT(CTL)

Input: A formula ϕ ∈ CTL
Question: Is there a model M and a state s such that M, s ⊨ ϕ?

Theorem: Complexity

◮ The model checking problem for CTL is PTIME-complete.
◮ The satisfiability problem for CTL is EXPTIME-complete.


Fairness

Example: Fairness

Only fair runs are of interest.

◮ Each process is enabled infinitely often: ⋀i G F runi
◮ No process stays ultimately in the critical section: ⋀i ¬F G CSi = ⋀i G F ¬CSi

Definition: Fair Kripke structure

M = (S, T, I, AP, ℓ, F1, …, Fn) with Fi ⊆ S. An infinite run σ is fair if it visits infinitely often each Fi.

Fair CTL

Definition: Syntax of fair-CTL

ϕ ::= ⊥ | p (p ∈ AP) | ¬ϕ | ϕ ∨ ϕ | Ef X ϕ | Af X ϕ | Ef ϕ U ϕ | Af ϕ U ϕ

Definition: Semantics as a fragment of CTL∗

Let M = (S, T, I, AP, ℓ, F1, …, Fn) be a fair Kripke structure. Then, Ef ϕ = E(fair ∧ ϕ) and Af ϕ = A(fair → ϕ) where fair = ⋀i G F Fi.

Model checking of CTLf

Theorem

The model checking problem for CTLf is decidable in time O(|M| · |ϕ|)

Proof: Computation of Efair = [ [E fair] ]

Compute the SCCs of M with Tarjan's algorithm (in time O(|M|)). Let S′ be the union of the (non-trivial) SCCs which intersect each Fi. Then, Efair is the set of states that can reach S′. Note that reachability can be computed in linear time.

Model checking of CTLf

Proof: Reductions

Ef X ϕ = E X(Efair ∧ ϕ)
Af X ϕ = A X(Efair → ϕ)
Ef ϕ U ψ = E ϕ U (Efair ∧ ψ)
Af ϕ U ψ = (¬Ef G ¬ψ) ∧ ¬Ef(¬ψ U (¬ϕ ∧ ¬ψ))
Af G ϕ = ¬Ef ⊤ U ¬ϕ

Hence, we only need to compute the semantics of Ef G ϕ.

Proof: Computation of Ef G ϕ

Let Mϕ be the restriction of M to ⟦ϕ⟧f. Compute the SCCs of Mϕ with Tarjan's algorithm (in linear time). Let S′ be the union of the (non-trivial) SCCs of Mϕ which intersect each Fi. Then, M, s ⊨ Ef G ϕ iff M, s ⊨ E ϕ U S′ iff Mϕ, s ⊨ EF S′. This is again a reachability problem which can be solved in linear time.
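Added worked example (not code from the lecture): the computation of Efair with Tarjan's SCC algorithm and the reduction of Ef G ϕ to reachability in the restriction Mϕ, on a constructed fair Kripke structure. ⟦ϕ⟧ is passed in as an already computed set, and the function names are the example's own.

```python
# Constructed fair Kripke structure: states, successor sets T(s), fairness sets F_i.
FS = {0, 1, 2, 3, 4}
FT = {0: {1, 3}, 1: {2}, 2: {1}, 3: {4}, 4: {4}}
FAIR = [{2}, {1}]     # F_1 = {2}, F_2 = {1}: only the cycle 1 <-> 2 is fair

def sccs(S, T):
    """Tarjan's algorithm: the SCCs of (S, T) as a list of sets, O(|S| + |T|)."""
    index, low, stack, on_stack, out = {}, {}, [], set(), []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in T[v]:
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of an SCC: pop it
            comp = set()
            while True:
                w = stack.pop(); on_stack.discard(w); comp.add(w)
                if w == v: break
            out.append(comp)
    for v in S:
        if v not in index: visit(v)
    return out

def can_reach(target, S, T):
    """[[E true U target]] by backward search over predecessor lists."""
    pred = {s: [] for s in S}
    for s in S:
        for t in T[s]: pred[t].append(s)
    good, todo = set(target), list(target)
    while todo:
        for s in pred[todo.pop()]:
            if s not in good: good.add(s); todo.append(s)
    return good

def e_fair(S, T, fairsets):
    """Efair: S' = union of the non-trivial SCCs meeting every F_i; return the states reaching S'."""
    nontrivial = [c for c in sccs(S, T) if len(c) > 1 or any(s in T[s] for s in c)]
    s_prime = set().union(*[c for c in nontrivial if all(c & f for f in fairsets)])
    return can_reach(s_prime, S, T)

def ef_g(sat_phi, S, T, fairsets):
    """Ef G phi: restrict M to [[phi]] (given as sat_phi); then M, s |= Ef G phi
    iff s can reach a fair non-trivial SCC of the restricted structure."""
    S2 = set(sat_phi)
    T2 = {s: T[s] & S2 for s in S2}
    return e_fair(S2, T2, [f & S2 for f in fairsets])
```

A non-trivial SCC is one with more than one state or with a self-loop, which is exactly what is needed for an infinite run to stay inside it.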