LECTURE IV: COMPUTATION TREE LOGIC (CTL) – Alessandro Artale – PowerPoint PPT Presentation



SLIDE 1

FORMAL METHODS – LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Alessandro Artale, Faculty of Computer Science – Free University of Bolzano
artale@inf.unibz.it – http://www.inf.unibz.it/~artale/

Some material (text, figures) displayed in these slides is courtesy of:

  • M. Benerecetti, A. Cimatti, M. Fisher, F. Giunchiglia, M. Pistore, M. Roveri, R. Sebastiani.

Alessandro Artale (FM – First Semester – 2007/2008) – p. 1/37

SLIDE 2

Summary of Lecture IV

  • Computation Tree Logic: Intuitions.
  • CTL: Syntax and Semantics.
  • CTL in Computer Science.
  • CTL and Model Checking: Examples.
  • CTL Vs. LTL.
  • CTL*.

SLIDE 3

Computation Tree Logic Vs. LTL

  • LTL implicitly quantifies universally over paths: K_M, s ⊨ φ iff for every path π starting at s, K_M, π ⊨ φ.
  • Properties that assert the existence of a path cannot be expressed. In particular, properties which mix existential and universal path quantifiers cannot be expressed.
  • The Computation Tree Logic, CTL, solves these problems!
  • CTL explicitly introduces path quantifiers!
  • CTL is the natural temporal logic interpreted over Branching Time Structures.

SLIDE 4

CTL at a glance

  • CTL is evaluated over branching-time structures (Trees).
  • CTL explicitly introduces path quantifiers: All Paths (A) and Exists a Path (E). The slides write the two quantifiers as symbols with subscript P; this transcript uses the letter notation of Slide 13 throughout: A, E for the path quantifiers and X (next), F (sometime in the future), G (globally), U (until) for the temporal operators.
  • Every temporal operator (X, F, G, U) is preceded by a path quantifier (A or E).
  • Universal modalities: AF, AX, AG, A[ϕ U ψ]. The temporal formula is true in all the paths starting in the current state.
  • Existential modalities: EF, EX, EG, E[ϕ U ψ]. The temporal formula is true in some path starting in the current state.


SLIDE 6

CTL: Syntax

Countable set Σ of atomic propositions: p, q, ... The set FORM of formulas is:

  ϕ, ψ → p | ⊤ | ⊥ | ¬ϕ | ϕ ∧ ψ | ϕ ∨ ψ |
          AX ϕ | AG ϕ | AF ϕ | A[ϕ U ψ] |
          EX ϕ | EG ϕ | EF ϕ | E[ϕ U ψ]

SLIDE 7

CTL: Semantics

We interpret our CTL temporal formulas over Kripke Models linearized as trees (e.g. AF done).

[Figure: a Kripke model unwound into a computation tree; nodes are labelled done or !done, illustrating AF done.]

  • Universal modalities (AF, AX, AG, A[ϕ U ψ]): the temporal formula is true in all the paths starting in the current state.
  • Existential modalities (EF, EX, EG, E[ϕ U ψ]): the temporal formula is true in some path starting in the current state.

SLIDE 8

CTL: Semantics (Cont.)

Let Σ be a set of atomic propositions. We interpret our CTL temporal formulas over Kripke Models:

  K_M = ⟨S, I, R, Σ, L⟩

The semantics of a temporal formula is provided by the satisfaction relation:

  ⊨ : (K_M × S × FORM) → {true, false}

SLIDE 9

CTL Semantics: The Propositional Aspect

We start by defining when an atomic proposition is true at a state/time s_i:

  K_M, s_i ⊨ p iff p ∈ L(s_i)   (for p ∈ Σ)

The semantics for the classical operators is as expected:

  K_M, s_i ⊨ ¬ϕ      iff K_M, s_i ⊭ ϕ
  K_M, s_i ⊨ ϕ ∧ ψ   iff K_M, s_i ⊨ ϕ and K_M, s_i ⊨ ψ
  K_M, s_i ⊨ ϕ ∨ ψ   iff K_M, s_i ⊨ ϕ or K_M, s_i ⊨ ψ
  K_M, s_i ⊨ ϕ ⇒ ψ   iff if K_M, s_i ⊨ ϕ then K_M, s_i ⊨ ψ
  K_M, s_i ⊨ ⊤
  K_M, s_i ⊭ ⊥

SLIDE 10

CTL Semantics: The Temporal Aspect

Temporal operators have the following semantics, where π = (s_i, s_{i+1}, ...) is a generic path outgoing from state s_i in K_M.

  K_M, s_i ⊨ AX ϕ       iff ∀π = (s_i, s_{i+1}, ...). K_M, s_{i+1} ⊨ ϕ
  K_M, s_i ⊨ EX ϕ       iff ∃π = (s_i, s_{i+1}, ...). K_M, s_{i+1} ⊨ ϕ
  K_M, s_i ⊨ AG ϕ       iff ∀π = (s_i, s_{i+1}, ...). ∀j ≥ i. K_M, s_j ⊨ ϕ
  K_M, s_i ⊨ EG ϕ       iff ∃π = (s_i, s_{i+1}, ...). ∀j ≥ i. K_M, s_j ⊨ ϕ
  K_M, s_i ⊨ AF ϕ       iff ∀π = (s_i, s_{i+1}, ...). ∃j ≥ i. K_M, s_j ⊨ ϕ
  K_M, s_i ⊨ EF ϕ       iff ∃π = (s_i, s_{i+1}, ...). ∃j ≥ i. K_M, s_j ⊨ ϕ
  K_M, s_i ⊨ A[ϕ U ψ]   iff ∀π = (s_i, s_{i+1}, ...). ∃j ≥ i. K_M, s_j ⊨ ψ and ∀k (i ≤ k < j). K_M, s_k ⊨ ϕ
  K_M, s_i ⊨ E[ϕ U ψ]   iff ∃π = (s_i, s_{i+1}, ...). ∃j ≥ i. K_M, s_j ⊨ ψ and ∀k (i ≤ k < j). K_M, s_k ⊨ ϕ

SLIDE 11

CTL Semantics: Intuitions

CTL is given by the standard boolean logic enhanced with temporal operators.

  ⊲ "Necessarily Next". AX ϕ is true in s_t iff ϕ is true in every successor state s_{t+1}.
  ⊲ "Possibly Next". EX ϕ is true in s_t iff ϕ is true in one successor state s_{t+1}.
  ⊲ "Necessarily in the future" (or "Inevitably"). AF ϕ is true in s_t iff ϕ is inevitably true in some s_{t′} with t′ ≥ t.
  ⊲ "Possibly in the future" (or "Possibly"). EF ϕ is true in s_t iff ϕ may be true in some s_{t′} with t′ ≥ t.

SLIDE 12

CTL Semantics: Intuitions (Cont.)

  ⊲ "Globally" (or "always"). AG ϕ is true in s_t iff ϕ is true in all s_{t′} with t′ ≥ t.
  ⊲ "Possibly henceforth". EG ϕ is true in s_t iff ϕ is possibly true henceforth.
  ⊲ "Necessarily Until". A[ϕ U ψ] is true in s_t iff necessarily ϕ holds until ψ holds.
  ⊲ "Possibly Until". E[ϕ U ψ] is true in s_t iff possibly ϕ holds until ψ holds.

SLIDE 13

CTL Alternative Notation

Alternative notations are used for the path quantifiers and the temporal operators (the letter notation below is the one used throughout this transcript):

  E   there Exists a path
  A   in All paths
  F   sometime in the Future
  G   Globally in the future
  X   neXt time

SLIDE 14

CTL Semantics: Intuitions (Cont.)

              finally p   globally p   next p   p until q
  Exists      EF p        EG p         EX p     E[p U q]
  All paths   AF p        AG p         AX p     A[p U q]

SLIDE 15

A Complete Set of CTL Operators

All CTL operators can be expressed via: EX, EG, E[U]

  • AX ϕ ≡ ¬EX ¬ϕ
  • AF ϕ ≡ ¬EG ¬ϕ
  • EF ϕ ≡ E[⊤ U ϕ]
  • AG ϕ ≡ ¬EF ¬ϕ ≡ ¬E[⊤ U ¬ϕ]
  • A[ϕ U ψ] ≡ ¬EG ¬ψ ∧ ¬E[¬ψ U (¬ϕ ∧ ¬ψ)]


SLIDE 17

Safety Properties

Safety: "something bad will not happen". Typical examples:

  • AG ¬(reactor_temp > 1000)
  • AG ¬(one_way ∧ AX other_way)
  • AG ¬((x = 0) ∧ AX AX AX (y = z/x))

and so on..... Usually: AG ¬....

SLIDE 18

Liveness Properties

Liveness: "something good will happen". Typical examples:

  • AF rich
  • AF (x > 5)
  • AG (start ⇒ AF terminate)

and so on..... Usually: AF ...

SLIDE 19

Fairness Properties

Often only really useful when scheduling processes, responding to messages, etc.

Fairness: "something is successful/allocated infinitely often". Typical example:

  • AG (AF enabled)

Usually: AG AF ...


SLIDE 21

The CTL Model Checking Problem

The CTL Model Checking Problem is formulated as:

  K_M ⊨ φ

Check if K_M, s_0 ⊨ φ for every initial state s_0 of the Kripke structure K_M.

SLIDE 22–23

Example 1: Mutual Exclusion (Safety)

[Figure: Kripke structure of the two-user mutual exclusion protocol. Each state is labelled by User 1's status (N1, T1 or C1), User 2's status (N2, T2 or C2) and the value of turn; the nine states are (N1,N2,turn=0), (T1,N2,turn=1), (N1,T2,turn=2), (T1,T2,turn=1), (T1,T2,turn=2), (C1,N2,turn=1), (C1,T2,turn=1), (N1,C2,turn=2), (T1,C2,turn=2). N = noncritical, T = trying, C = critical.]

  K_M ⊨ AG ¬(C1 ∧ C2) ?

YES: There is no reachable state in which (C1 ∧ C2) holds! (Same as G ¬(C1 ∧ C2) in LTL.)

Alessandro Artale (FM – First Semester – 2007/2008) – p. 22/37

SLIDE 24–25

Example 2: Liveness

[Figure: the same mutual exclusion Kripke structure as in Example 1.]

  K_M ⊨ AG (T1 ⇒ AF C1) ?

YES: every path starting from each state where T1 holds passes through a state where C1 holds. (Same as G (T1 ⇒ F C1) in LTL.)

Alessandro Artale (FM – First Semester – 2007/2008) – p. 23/37

SLIDE 26–27

Example 3: Fairness

[Figure: the same mutual exclusion Kripke structure as in Example 1, with one cyclic path highlighted in blue.]

  K_M ⊨ AG AF C1 ?

NO: e.g., in the initial state, there is the blue cyclic path in which C1 never holds! (Same as GF C1 in LTL.)

Alessandro Artale (FM – First Semester – 2007/2008) – p. 24/37

SLIDE 28–29

Example 4: Non-Blocking

[Figure: the same mutual exclusion Kripke structure as in Example 1.]

  K_M ⊨ AG (N1 ⇒ EF T1) ?

YES: from each state where N1 holds there is a path leading to a state where T1 holds. (No corresponding LTL formula.)

Alessandro Artale (FM – First Semester – 2007/2008) – p. 25/37
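As an added example (not part of the slides), here is a small explicit-state CTL model checker that settles Examples 1–4 on the mutual exclusion Kripke structure: it computes EX, EG and E[U] as set fixpoints and rewrites every other operator into them exactly as on Slide 15, then answers the model checking problem of Slide 21. The state labels are the nine states of the figure; the transition relation and the single initial state s0 are assumptions (the standard two-user turn protocol), so the answers below agree with the slides under those assumptions.

```python
# Added example (not from the slides): explicit-state CTL model checking over the
# mutual-exclusion Kripke structure of Examples 1-4. Only EX, EG and E[U] are
# computed directly (the complete operator set of Slide 15); the rest are rewritten
# into them. State labels follow the slide; the transition relation is an ASSUMPTION.
LABEL = {  # state -> atomic propositions (N/T/C per user, turn value as t0/t1/t2)
    "s0": {"N1", "N2", "t0"}, "s1": {"T1", "N2", "t1"}, "s2": {"N1", "T2", "t2"},
    "s3": {"T1", "T2", "t1"}, "s4": {"C1", "N2", "t1"}, "s5": {"T1", "T2", "t2"},
    "s6": {"N1", "C2", "t2"}, "s7": {"C1", "T2", "t1"}, "s8": {"T1", "C2", "t2"},
}
SUCC = {  # assumed transitions of the standard two-user turn protocol
    "s0": {"s1", "s2"}, "s1": {"s3", "s4"}, "s2": {"s5", "s6"}, "s3": {"s7"},
    "s4": {"s0", "s7"}, "s5": {"s8"}, "s6": {"s0", "s8"}, "s7": {"s2"}, "s8": {"s1"},
}
INIT, S = {"s0"}, frozenset(LABEL)   # initial state(s), all states

def ex(x):             # EX: states with at least one successor in x
    return {q for q in S if SUCC[q] & x}

def fix(step, z):      # iterate a monotone set map until it stabilises
    while (nz := step(z)) != z:
        z = nz
    return z

def eg(x):             # EG: greatest fixpoint of Z = x ∩ EX Z
    return fix(lambda z: x & ex(z), set(S))
def eu(x, y):          # E[x U y]: least fixpoint of Z = y ∪ (x ∩ EX Z)
    return fix(lambda z: y | (x & ex(z)), set())

def sat(f):            # set of states satisfying f; f is an atom or (op, arg[, arg])
    if isinstance(f, str):
        return {q for q in S if f in LABEL[q]}
    op, *a = f
    if op == "not": return S - sat(a[0])
    if op == "and": return sat(a[0]) & sat(a[1])
    if op == "or":  return sat(a[0]) | sat(a[1])
    if op == "imp": return (S - sat(a[0])) | sat(a[1])
    if op == "EX":  return ex(sat(a[0]))
    if op == "EG":  return eg(sat(a[0]))
    if op == "EU":  return eu(sat(a[0]), sat(a[1]))
    if op == "EF":  return eu(S, sat(a[0]))             # EF φ ≡ E[⊤ U φ]
    if op == "AX":  return S - ex(S - sat(a[0]))        # AX φ ≡ ¬EX ¬φ
    if op == "AG":  return S - eu(S, S - sat(a[0]))     # AG φ ≡ ¬EF ¬φ
    if op == "AF":  return S - eg(S - sat(a[0]))        # AF φ ≡ ¬EG ¬φ
    if op == "AU":  # A[φ U ψ] ≡ ¬E[¬ψ U (¬φ ∧ ¬ψ)] ∧ ¬EG ¬ψ
        p, q = sat(a[0]), sat(a[1])
        return (S - eu(S - q, (S - p) & (S - q))) & (S - eg(S - q))
    raise ValueError(f"unknown operator {op}")

def check(f):          # the model checking problem of Slide 21: f in every initial state?
    return INIT <= sat(f)
```

`sat(("EG", ("not", "C1")))` returns the states {s0, s2, s6} that lie on the cycle where C1 never holds, which is the counterexample the slide describes for AG AF C1.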


SLIDE 31

LTL Vs. CTL: Expressiveness

  ⊲ Many CTL formulas cannot be expressed in LTL (e.g., those containing paths quantified existentially). E.g., AG (N1 ⇒ EF T1)
  ⊲ Many LTL formulas cannot be expressed in CTL. E.g., GF T1 ⇒ GF C1 (Strong Fairness in LTL), i.e., formulas that select a range of paths with a property (GF p ⇒ GF q vs. AG (p ⇒ AF q)).
  ⊲ Some formulas can be expressed both in LTL and in CTL (typically LTL formulas with operators of nesting depth 1). E.g., G ¬(C1 ∧ C2), F C1, G (T1 ⇒ F C1), GF C1.

SLIDE 32

LTL Vs. CTL: Expressiveness (Cont.)

CTL and LTL have incomparable expressive power. The choice between LTL and CTL depends on the application and the personal preferences.

[Figure: Venn diagram of the overlapping, incomparable expressive power of CTL and LTL.]


SLIDE 34

The Computation Tree Logic CTL*

CTL* is a logic that combines the expressive power of LTL and CTL. Temporal operators can be applied without any constraints.

  • A (X ϕ ∨ X X ϕ). Along all paths, ϕ is true in the next state or in the next two steps.
  • E (GF ϕ). There is a path along which ϕ is infinitely often true.

SLIDE 35

CTL*: Syntax

Countable set Σ of atomic propositions: p, q, ... We distinguish between State Formulas (evaluated on states):

  ϕ, ψ → p | ⊤ | ⊥ | ¬ϕ | ϕ ∧ ψ | ϕ ∨ ψ | A α | E α

and Path Formulas (evaluated on paths):

  α, β → ϕ | ¬α | α ∧ β | α ∨ β | X α | G α | F α | (α U β)

The set of CTL* formulas FORM is the set of state formulas.

SLIDE 36

CTL* Semantics: State Formulas

We start by defining when an atomic proposition is true at a state s_0:

  K_M, s_0 ⊨ p iff p ∈ L(s_0)   (for p ∈ Σ)

The semantics for State Formulas is the following, where π = (s_0, s_1, ...) is a generic path outgoing from state s_0:

  K_M, s_0 ⊨ ¬ϕ      iff K_M, s_0 ⊭ ϕ
  K_M, s_0 ⊨ ϕ ∧ ψ   iff K_M, s_0 ⊨ ϕ and K_M, s_0 ⊨ ψ
  K_M, s_0 ⊨ ϕ ∨ ψ   iff K_M, s_0 ⊨ ϕ or K_M, s_0 ⊨ ψ
  K_M, s_0 ⊨ E α     iff ∃π = (s_0, s_1, ...) such that K_M, π ⊨ α
  K_M, s_0 ⊨ A α     iff ∀π = (s_0, s_1, ...). K_M, π ⊨ α

SLIDE 37

CTL* Semantics: Path Formulas

The semantics for Path Formulas is the following, where π = (s_0, s_1, ...) is a generic path outgoing from state s_0 and π^i denotes the suffix path (s_i, s_{i+1}, ...):

  K_M, π ⊨ ϕ        iff K_M, s_0 ⊨ ϕ
  K_M, π ⊨ ¬α       iff K_M, π ⊭ α
  K_M, π ⊨ α ∧ β    iff K_M, π ⊨ α and K_M, π ⊨ β
  K_M, π ⊨ α ∨ β    iff K_M, π ⊨ α or K_M, π ⊨ β
  K_M, π ⊨ F α      iff ∃i ≥ 0 such that K_M, π^i ⊨ α
  K_M, π ⊨ G α      iff ∀i ≥ 0. K_M, π^i ⊨ α
  K_M, π ⊨ X α      iff K_M, π^1 ⊨ α
  K_M, π ⊨ α U β    iff ∃i ≥ 0 such that K_M, π^i ⊨ β and ∀j (0 ≤ j < i). K_M, π^j ⊨ α

SLIDE 38

CTL* Vs LTL Vs CTL: Expressiveness

CTL* subsumes both CTL and LTL:

  ⊲ ϕ in CTL ⇒ ϕ in CTL* (e.g., AG (N1 ⇒ EF T1))
  ⊲ ϕ in LTL ⇒ A ϕ in CTL* (e.g., A (GF T1 ⇒ GF C1))
  ⊲ LTL ∪ CTL ⊂ CTL* (e.g., E (GF p ⇒ GF q))

[Figure: Venn diagram with CTL and LTL as overlapping, incomparable sets, both strictly contained in CTL*.]

SLIDE 39

CTL* Vs LTL Vs CTL: Complexity

The following table shows the computational complexity of checking Satisfiability:

  Logic   Complexity
  LTL     PSpace-complete
  CTL     ExpTime-complete
  CTL*    2ExpTime-complete

SLIDE 40

CTL* Vs LTL Vs CTL: Complexity (Cont.)

The following table shows the computational complexity of Model Checking (M.C.).

  • Since M.C. has 2 inputs – the model, M, and the formula, ϕ – we give two complexity measures.

  Logic   Complexity w.r.t. |ϕ|   Complexity w.r.t. |M|
  LTL     PSpace-complete          P (linear)
  CTL     P-complete               P (linear)
  CTL*    PSpace-complete          P (linear)
