Tecniche di Specifica e di Verifica: Branching Time Temporal Logics (slide presentation)

Tecniche di Specifica e di Verifica, Branching Time Temporal Logics I.
Outline: CTL (Computation Tree Logic); Branching Time; Unwindings (computation trees); Syntax and semantics of CTL; Branching Time Structures.


  1. From CTL to NCTL (continued)
     Figure: a path π from s = π(0); π(k) ⊨ ¬ψ1 ∧ ¬ψ2, the states before π(m) satisfy ¬ψ2, and π(m) ⊨ ψ2.
     • Suppose K, π(m) ⊨ ψ2, as required by K, s ⊨ AU(ψ1, ψ2). Take m to be the least such number.
     • Then m > k, since K, s ⊨ EU(¬ψ2, ¬ψ1 ∧ ¬ψ2).
     • But 0 ≤ k < m and K, π(k) ⊨ ¬ψ1.
     • Hence not K, s ⊨ AU(ψ1, ψ2). Contradiction!
     • Thus K, s ⊨ AU(ψ1, ψ2) also implies:
       – K, s ⊨ ¬EU(¬ψ2, ¬ψ1 ∧ ¬ψ2)
     • So K, s ⊨ AU(ψ1, ψ2) implies K, s ⊨ NewAU(ψ1, ψ2).

  2. From CTL to NCTL
     • In a similar way we can argue that: if K, s ⊨ NewAU(ψ1, ψ2) then K, s ⊨ AU(ψ1, ψ2).
     • Hence CTL can be expressed in terms of NCTL.

  3. A more convenient CTL
     • NCTL ::= p | ¬ψ | ψ1 ∨ ψ2 | EX(ψ) | EU(ψ1, ψ2) | EG(ψ)
     • CTL  ::= p | ¬ψ | ψ1 ∨ ψ2 | EX(ψ) | EU(ψ1, ψ2) | AU(ψ1, ψ2)
     • AU(ψ1, ψ2) = NewAU(ψ1, ψ2) = ¬EU(¬ψ2, (¬ψ1 ∧ ¬ψ2)) ∧ AF(ψ2)
     • NewAU1 = ¬EU(¬ψ2, (¬ψ1 ∧ ¬ψ2))
     • NewAU2 = AF ψ2 = ¬EG ¬ψ2

  4. From CTL to NCTL
     • Let K = (S, S0, R, AP, L) and s ∈ S.
     • We need to argue:
       – K, s ⊨ AU(ψ1, ψ2) iff K, s ⊨ NewAU1 ∧ NewAU2
     • We already argued that:
       – If K, s ⊨ AU(ψ1, ψ2) then K, s ⊨ NewAU1 ∧ NewAU2

  5. From CTL to NCTL
     AU(ψ1, ψ2) = ¬EU(¬ψ2, (¬ψ1 ∧ ¬ψ2)) ∧ ¬EG(¬ψ2)
     • (⇐) We need to argue that:
       – If K, s ⊨ NewAU1 ∧ NewAU2 then K, s ⊨ AU(ψ1, ψ2)
     • So assume K, s ⊨ NewAU1 ∧ NewAU2.
     • NewAU1 = ¬EU(¬ψ2, (¬ψ1 ∧ ¬ψ2)).
     • NewAU2 = ¬EG ¬ψ2 = AF ψ2

  6. From CTL to NCTL
     • Let π be some path from s.
     • We need to show that there exists k ≥ 0 such that:
       – K, π(k) ⊨ ψ2
       – K, π(j) ⊨ ψ1 if 0 ≤ j < k.
     • But K, s ⊨ AF ψ2 implies that along any path (and hence along π) there exists k ≥ 0 such that:
       – K, π(k) ⊨ ψ2
     • Assume k is the least such number along π.

  7. From CTL to NCTL
     Now consider an arbitrary m with 0 ≤ m < k.
     CLAIM: K, π(m) ⊨ ψ1
     • If the CLAIM is true then we are done.
     • Suppose instead that K, π(m) ⊨ ¬ψ1.
       – Then K, π(m) ⊨ ¬ψ1 ∧ ¬ψ2 (m < k) WHY???
       – and K, π(j) ⊨ ¬ψ2 if 0 ≤ j < m, since j < m < k
       – Hence K, π(0) ⊨ EU(¬ψ2, ¬ψ1 ∧ ¬ψ2)
       – Therefore not K, s ⊨ NewAU1, which is a contradiction!

  8. CTL Model Checking
     • K ⊨ ψ iff K, s0 ⊨ ψ for every s0 ∈ S0.
     • The CTL model checking problem:
       – K = (S, S0, R, AP, L) (system model)
       – ψ a CTL formula (specification of the property)
     • Given K and ψ, determine whether or not K ⊨ ψ.

  9. CTL Model Checking
     • The actual model checking problem:
       – Given K = (S, S0, R, AP, L)
       – Given s ∈ S
       – Given ψ, an NCTL formula
       – Determine whether K, s ⊨ ψ

  10. The Sub-formulas of ψ
     • SF(ψ) is the least set of formulas satisfying:
       – ψ ∈ SF(ψ)
       – If ¬α ∈ SF(ψ) then α ∈ SF(ψ).
       – If α ∨ β ∈ SF(ψ) then α, β ∈ SF(ψ).
       – If EX α ∈ SF(ψ) then α ∈ SF(ψ).
       – If EU(α, β) ∈ SF(ψ) then α, β ∈ SF(ψ).
       – If EG α ∈ SF(ψ) then α ∈ SF(ψ).
     • SF(ψ) is the set of sub-formulas of ψ.

  11. The Labeling Procedure
     • K = (S, S0, R, AP, L)
       – s ∈ S
       – ψ an NCTL formula (built out of AP).
     • Strategy:
       – Construct Labels : S → 2^SF(ψ)
       – 2^SF(ψ) is the set of subsets of SF(ψ).
       – Each state of K is assigned a subset of SF(ψ) by the Labels function.
     • K, s ⊨ ψ iff ψ ∈ Labels(s).

  12. The Labels function
     • Stage 1:
       – For every t ∈ S:
       – Labels(t) = L(t)   (K = (S, S0, R, AP, L))
     • … Assume we have completed all stages up to stage i.
     • Stage i+1:
       – For every t ∈ S:
       – If α = ¬β then α ∈ Labels(t) iff β ∉ Labels(t).

  13. The Labels function
     • Stage i+1:
       – For every t ∈ S:
       – If α = β1 ∨ β2 then α ∈ Labels(t) iff β1 ∈ Labels(t) or β2 ∈ Labels(t)
       – If α = EX β then α ∈ Labels(t) iff there exists s ∈ S such that β ∈ Labels(s) and R(t, s)

  14. The Labels Function
     Figure: in S, a state labelled α = EX(β) has a successor state labelled β.

  15. Computing the labeling for EX(β)   Complexity: O(|M|)
     Algorithm Check_EX(β)
       T := { s | β ∈ Labels(s) };
       while T ≠ ∅ do
         choose s ∈ T; T := T \ {s};
         forall t ∈ S such that (t, s) ∈ R do
           Labels(t) := Labels(t) ∪ { EX β };

  16. The Labels Function
     • Stage i+1:
       – For every t ∈ S:
       – If α = EU(β1, β2) then α ∈ Labels(t) iff
         − β2 ∈ Labels(t), or
         − β1 ∈ Labels(t) and EU(β1, β2) ∈ Labels(s) for some s with R(t, s).

  17. The Labels Function
     • Collect in T all the states satisfying β2
       – all these states also satisfy EU(β1, β2).
     • Traverse R backward from the states in T and label with EU(β1, β2) all the states t that satisfy β1 and reach at least one state s labeled with EU(β1, β2):
       If s ∈ T, R(t, s) and β1 ∈ Labels(t), then EU(β1, β2) ∈ Labels(t)

  18.–22. Figures: the backward labeling for EU(β1, β2) on an example graph S. States are labelled β1, β2 or ¬β1 ¬β2; T starts as the set of β2-states, which receive E β1 U β2; at each step the β1-predecessors of already labelled states are labelled E β1 U β2 as well, until no new state is reached (the ¬β1 ¬β2 states are never labelled).

  23. Computing the labeling for EU(β1, β2)   Complexity: O(|M|)
     Algorithm Check_EU(β1, β2)
       T := { s | β2 ∈ Labels(s) };
       forall s ∈ T do Labels(s) := Labels(s) ∪ { EU(β1, β2) };
       while T ≠ ∅ do
         choose s ∈ T; T := T \ {s};
         forall t ∈ S with (t, s) ∈ R do
           if EU(β1, β2) ∉ Labels(t) and β1 ∈ Labels(t) then
             Labels(t) := Labels(t) ∪ { EU(β1, β2) };
             T := T ∪ {t};

  24. The Labels Function
     • Stage i+1:
       – For every t ∈ S:
       – If α = EG(β) then α ∈ Labels(t) iff
       – β ∈ Labels(t) and EG(β) ∈ Labels(s) for some s with R(t, s).

  25. Property of EG(β)
     Let M' = (S', R', L') be the sub-graph of M where
       – S' = { s | M, s ⊨ β }
       – R' = R|S'×S' (the restriction of R to S')
       – L' = L|S' (the restriction of L to S')
     Lemma: M, s ⊨ EG(β) iff
       1. s ∈ S', and
       2. there exists a path in M' leading from s to a non-trivial strongly connected component C of the graph (S', R').

  26. The Labels Function
     • Compute the non-trivial strongly connected components of the subgraph S' whose states all satisfy β
       – all the states in these components satisfy EG(β).
     • Traverse R backward and label with EG(β) the states t that reach at least one state s labeled with EG(β) (note that both t and s must belong to S'):
       If t ∈ S' and R(t, s) then EG(β) ∈ Labels(t)

  27.–32. Figures: the backward labeling for EG(β) on an example graph S. First S' is restricted to the β-states; T is seeded with the states of the non-trivial strongly connected components of S', which receive EG β; then the predecessors inside S' of already labelled states are labelled EG β step by step, until every β-state that reaches such a component carries EG β (the ¬β states, and β-states that only lead out of S', are never labelled).

  33. Computing the labeling for EG(β)   Complexity: O(|M|)
     Algorithm Check_EG(β)
       S' := { s | β ∈ Labels(s) };
       SCC := { C | C is a non-trivial SCC of S' };
       T := ∪_{C ∈ SCC} { s | s ∈ C };
       forall s ∈ T do Labels(s) := Labels(s) ∪ { EG(β) };
       while T ≠ ∅ do
         choose s ∈ T; T := T \ {s};
         forall t ∈ S' with (t, s) ∈ R do
           if EG(β) ∉ Labels(t) then
             Labels(t) := Labels(t) ∪ { EG(β) };
             T := T ∪ {t};

  34. CTL model checking
     • The algorithms just presented show that the model checking problem for CTL can be solved in time linear in the size of the system M and the size of the property φ, namely in time O(|M| ⋅ |φ|), where |M| is the size of the graph underlying M and |φ| is the number of subformulae of φ.

  35. Fixed point characterization
     • We will redefine the labeling function in terms of fixed point computation.
     • This is a nice and elegant algorithmic account.
     • It will be used when the efficient symbolic approach is introduced.

  36. Partial Orders
     • A binary relation ⊑ on a set A is a partial order iff ⊑ is reflexive, anti-symmetric and transitive.
     • The pair <A, ⊑> is called a partially ordered set (or poset).
     • Example: If S is any set and ⊆ is the ordinary subset relation, then <2^S, ⊆> is a partially ordered set.

  37. Upper Bounds
     Given <A, ⊑> and A' ⊆ A
     • a ∈ A is an upper bound of A' iff ∀a' ∈ A', a' ⊑ a
     • a ∈ A is a least upper bound (lub) of A', written ⊔A', iff
       – a is an upper bound of A' and
       – ∀a' ∈ A, if a' is an upper bound of A', then a ⊑ a'

  38. Lower Bounds
     Given <A, ⊑> and A' ⊆ A
     • a ∈ A is a lower bound of A' iff ∀a' ∈ A', a ⊑ a'
     • a ∈ A is a greatest lower bound (glb) of A', written ⊓A', iff
       – a is a lower bound of A' and
       – ∀a' ∈ A, if a' is a lower bound of A', then a' ⊑ a

  39. Complete Lattice
     A poset <A, ⊑> is a complete lattice if, for each A' ⊆ A, the greatest lower bound ⊓A' and the least upper bound ⊔A' exist.
     A complete lattice <A, ⊑> has a unique greatest element ⊔A = ⊤ and also a unique least element ⊓A = ⊥.

  40. Complete Lattice
     The poset <2^S, ⊆> is a complete lattice where intersection ∩ and union ∪ correspond to ⊓ and ⊔, respectively. Any two subsets of S have a least upper and a greatest lower bound.
     Example: S = {a,b,c,d}. For {a,c} and {b,c} the lub is {c}, while the glb is {a,b,c}.
     There is a unique greatest element ∪2^S = S and a unique least element ∩2^S = ∅.

  41. Example of a complete lattice
     The complete lattice <2^S, ⊆> when S is the set {p,q,r}.
     Figure (Hasse diagram): ⊤ = {p,q,r}; below it {q,r}, {p,r}, {p,q}; below those {p}, {q}, {r}; at the bottom ⊥ = ∅.

  42. Monotonic functions
     • A function F : A → A is monotonic if for each a, b ∈ A, a ⊑ b implies F(a) ⊑ F(b).
     • In other words, a function F is monotonic if it preserves the ordering ⊑.

  43. Fixed points
     • Given a function F : A → A, an element a ∈ A is a fixed point of F if F(a) = a.
     • a ∈ A is called the least fixed point of F (µx.F(x)) if, for all a' ∈ A such that F(a') = a', a ⊑ a'.
     • a ∈ A is called the greatest fixed point of F (νx.F(x)) if, for all a' ∈ A such that F(a') = a', a' ⊑ a.

  44. Tarski's Fixed Point theorem
     THEOREM: Let <A, ⊑> be a complete lattice, and F : A → A a monotonic function. Then F has a least and a greatest fixed point given, respectively, by:
     • µx.F(x) = ⊓{x ∈ A | F(x) ⊑ x}
     • νx.F(x) = ⊔{x ∈ A | x ⊑ F(x)}

  45. Fixed point in finite lattices
     Let <A, ⊑> be a finite complete lattice, and F : A → A a monotonic function.
     Then the least fixed point of F is obtained as µx.F(x) = F^m(⊥) for some m, where ⊥ is the least element of A, F^0(⊥) = ⊥, and F^(n+1)(⊥) = F(F^n(⊥)).
     Moreover, the greatest fixed point of F is obtained as νx.F(x) = F^k(⊤) for some k, where ⊤ is the greatest element of A, F^0(⊤) = ⊤, and F^(n+1)(⊤) = F(F^n(⊤)).

  46. Generic fixed point algorithm
     Algorithm Compute_lfp(F : function)
       X0 := ⊥;
       X1 := F(X0);
       j := 1;
       while Xj ≠ Xj-1 do
         j := j + 1;
         Xj := F(Xj-1);
       return Xj

  47. CTL and complete lattices
     • Given a Kripke structure M = <S, S0, R, L, AP>, we will consider the poset <2^S, ⊆>.
     • <2^S, ⊆> is clearly a complete lattice (with respect to intersection and union).
     • We will identify a CTL formula with the set of states which satisfy it.
     • In this way we can define temporal operators as functions on the complete lattice <2^S, ⊆>.

  48. Denotation of a CTL formula
     • Given a formula φ, let us define its denotation (in M), in symbols |[φ]|, as the set of states satisfying the formula: |[φ]| = { s | M, s ⊨ φ }
     • We could then define the cpo <CTL, ⊑> by: φ ⊑ ψ iff |[φ]| ⊆ |[ψ]|

  49. Denotation of a CTL formula
     • Given the denotation of a formula |[φ]| = { s | M, s ⊨ φ }
     • We could then define the cpo <CTL, ⊑> by: φ ⊑ ψ iff |[φ]| ⊆ |[ψ]|
     • Then |[⊥]| = ∅; |[⊤]| = S;
     • |[p]| = { s | p ∈ L(s) };
     • |[¬φ]| = S \ |[φ]|;
     • |[φ ∨ ψ]| = |[φ]| ∪ |[ψ]|;
     • |[φ ∧ ψ]| = |[φ]| ∩ |[ψ]|;
     (CTL is closed under conjunction and disjunction, therefore for any pair of formulae the upper and lower bound exist.)

  50. Denotation of a CTL formula
     • Given a formula φ, let us define its denotation (in M), in symbols |[φ]|, as the set of states satisfying the formula: |[φ]| = { s | M, s ⊨ φ }
     • …
     • |[EX φ]| = { s | ∃t. (t ∈ |[φ]| ∩ R(s)) }, where R(s) is the set of successors of s
     • For the other temporal operators we need to use fixed points…

  51. Fixed point characterization of EU(β1, β2)
     • EU(β1, β2) ≡ β2 ∨ (β1 ∧ EX EU(β1, β2))
     • |[EU(β1, β2)]| = µZ.(|[β2]| ∪ (|[β1]| ∩ |[EX Z]|))
     • |[EU(β1, β2)]| = µZ.(|[β2]| ∪ (|[β1]| ∩ { s | ∃t ∈ Z ∩ R(s) }))

  52. Fixed point characterization of EU(β1, β2)
     Lemma: Let F(Z) = |[β2]| ∪ (|[β1]| ∩ { s | ∃t ∈ Z ∩ R(s) }). Then F is a monotonic function, i.e. Z1 ⊆ Z2 implies F(Z1) ⊆ F(Z2).
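The fixed-point view of slides 45 to 52, as an added Python example that is not from the slides: the generic Compute_lfp iteration, EU(β1, β2) computed as the least fixed point µZ.(|[β2]| ∪ (|[β1]| ∩ |[EX Z]|)), the monotonicity lemma checked exhaustively over the finite lattice 2^S, and Tarski's ⊓{x | F(x) ⊑ x} computed by brute force to show it yields the same set. The model, the function names, and the EG formulation as a greatest fixed point νZ.(|[β]| ∩ |[EX Z]|) (which goes beyond what the slides shown here state) are assumptions of this example.

```python
# Fixed-point computation of CTL operators on the complete lattice <2^S, ⊆>.
# Added example with a constructed model; not code from the slides.
from itertools import combinations

# Constructed sample Kripke structure: a 3-cycle of a-states with an exit to a b-sink.
S = frozenset({0, 1, 2, 3, 4})
R = {(0, 1), (1, 2), (2, 0), (1, 3), (3, 4), (4, 4)}   # (s, t) in R: t is a successor of s
L = {0: {"a"}, 1: {"a"}, 2: {"a", "b"}, 3: set(), 4: {"b"}}

def den(p):
    """Denotation |[p]| of an atomic proposition: the states whose label contains p."""
    return frozenset(s for s in S if p in L[s])

def ex(Z):
    """|[EX Z]| = { s | ∃t. t ∈ Z ∩ R(s) }, with R(s) the successors of s."""
    return frozenset(s for (s, t) in R if t in Z)

def compute_lfp(F, start=frozenset()):
    """Compute_lfp of the slides: X0 = start (⊥ by default), Xj = F(Xj-1) until Xj = Xj-1.
    Returns the fixed point reached and the number of applications of F."""
    prev, cur, j = start, F(start), 1
    while cur != prev:
        prev, cur, j = cur, F(cur), j + 1
    return cur, j

def compute_gfp(F):
    """The dual iteration from ⊤ = S, as in the finite-lattice slide: νx.F(x) = F^k(⊤)."""
    return compute_lfp(F, start=S)

def eu(b1, b2):
    """|[EU(β1, β2)]| = µZ.(|[β2]| ∪ (|[β1]| ∩ |[EX Z]|)), iterated from ∅."""
    return compute_lfp(lambda Z: b2 | (b1 & ex(Z)))[0]

def eg(b):
    """Assumed generalisation beyond the slides shown: |[EG β]| = νZ.(|[β]| ∩ |[EX Z]|)."""
    return compute_gfp(lambda Z: b & ex(Z))[0]

def all_subsets():
    """Every element of the finite lattice 2^S (32 sets for five states)."""
    return [frozenset(c) for k in range(len(S) + 1) for c in combinations(sorted(S), k)]

def is_monotonic(F):
    """The lemma's condition Z1 ⊆ Z2 ⇒ F(Z1) ⊆ F(Z2), checked over every pair of subsets."""
    subs = all_subsets()
    return all(F(z1) <= F(z2) for z1 in subs for z2 in subs if z1 <= z2)

def tarski_lfp(F):
    """Tarski: µx.F(x) = ⊓{x | F(x) ⊑ x}; in <2^S, ⊆> the glb ⊓ is intersection."""
    return frozenset(S).intersection(*[z for z in all_subsets() if F(z) <= z])

def tarski_gfp(F):
    """Tarski: νx.F(x) = ⊔{x | x ⊑ F(x)}; in <2^S, ⊆> the lub ⊔ is union."""
    return frozenset().union(*[z for z in all_subsets() if z <= F(z)])
```

On this model the EU iteration from ∅ climbs {2,4} ⊆ {1,2,4} ⊆ {0,1,2,4} and stops after four applications of F, one more than the distance from the farthest a-state to a b-state; the brute-force Tarski intersection returns the same set, and is_monotonic confirms the lemma's hypothesis that Tarski's theorem needs (complementation, Z ↦ S \ Z, is the obvious function that fails it).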
