1 computation tree logic (ctl). 2 ctl syntax p - a set of atomic propositions, every p p is a ctl...
TRANSCRIPT
1
Computation Tree Logic (CTL)
2
CTL
Syntax• P - a set of atomic propositions, every pP is a CTL formula.• f, g, CTL formulae, then so are f, fg, EXf, A[fUg], E[fUg]
E, A – path quantifiers, X, U, G, F – temporal operators
Interpreted over a tree of states:
• EXf - f holds in some immediate successor
• A[fUg] - every path has a prefix that satisfies [fUg]
A(fUg)
EXf
3
CTL Model (Kripke Structure)
M = (S, sI, R, L)• S is a finite set of states, sIS is the initial state
• R SS s.t. uS. vS. (u,v)R (total)
• L: S 2AP
Example: AP = {p,q,r}
S0{p,q}
S1{p}
S2{q}
4
Example: XR Control Program
5
Computation Tree
The infinite computation tree spanned by a model M=(S,sI,R,L) • root s0=si • st is an arc in the tree iff (s,t)R.
A path is: s0,s1,s2,…S s.t. i. (si,si+1)R
6
CTL Semantics
w.r.t a given model (S,sI,R,L) and a state sS:
s p iff pL(s)
s f iff not s f
s fg iff s f and s g
s Exf iff s’. (s,s’)R and s’ f
s A[fUg] iff for every path (s0, s1,…) s.t s0=s,
k0. sk g i. 0ik si f
s E[fUg] iff for some path (s0, s1,…) s.t s0=s,
k0. sk g i. 0ik si f
• f is satisfiable iff there exists a model (S,sI,R,L) such that sI
f
• f is valid iff f is satisfiable by every model (S,sI,R,L)
7Derived Operators
AX(f) EXf f holds at all next states
AF(f) A[true U f] f holds in the future of every path
EF(f) E[true U f] f holds in the future of some path
AG(f) EF(f) every state in every path satisfies f
EG(f) AF(f) for some path every state satisfies f
8
Example: Explicit semantics of EGf
s EGf
s AF f s A(trueUf) (s A(trueUf))
((s0, s1,…) s.t s0=s, i0. si f j. 0ji sj true
((s0, s1,…) s.t s0=s, i0. si f
(s0, s1,…) s.t s0=s, i0. (si f)
(s0, s1,…) s.t s0=s, i0.(si f)
9
10
A note on temporal wff
Syntax: EXf, A[fUg], E[fUg]• E, A – path quantifiers• X, U, G, F – temporal operators
Structure of a formula: (path)(temporal)[formula]• E, A – path quantifiers• X, U, G, F – temporal operators
EF(Gu) is not a wff, only EF(EGu) or EF(AGu)
A(fUg) cannot be derived from E(fUg) since E(fUg) is
not wff (since (fUg) is not wff)
11
Properties Expressed in CTL
• Every req is followed by ack (not 1-1): AG(req AF ack)
• It is possible to get to a state where started holds but ready does not hold.
EF(started ready)
• From any state it is possible to get to the restart state.
AG EF restart
• Processes P,Q are not in their critical section simultaneously
AG((PCQC))
• A process that asks to enter the critical section, eventually gets there
AG(PE AF(PC))
• Processes strictly alternate in access to the critical section
AG(Pc A(PcU(Pc A(PcUQc))))
12
Expressing Time in CTL
Assertions:
• 50 seconds minimal delay between trains.
AG(Tin AXTin AXAXTin … AX..AXTin )
• It takes a train 6 seconds to arrive at the signal
AG(Tin AX(AX(AX(AX(AX(AX(AtSignal)))))))
however, we could write AG(Tin AX6(AtSignal)
like we did in LTL
50
13
LTL vs. CTL
• LTL cannot distinguish behaviors that generate same path, therefore cannot express ‘possibility’.
• CTL is sensitive to the branching structureThus, “it is always possible to get tea after inserting a coin”is expressible in CTL: AG(coin EXtea) but not in LTL
• Different models - A CTL tree defines a subset of models of LTL
• Expressivity – Define LTL satisfied on Kripke model if satisfied by every path.
14
LTL vs. CTL (II)
satisfies p but not AFAGp. -- no single F state
Similarly,
p q (pOp)
not expressible in CTL
p ~p p
s0 s1 s2
15
LTL vs. CTL (III)
AGEFp - not expressible in LTL
Suppose A is equivalent to AGEFp
- (a) satisfies AGEFp hence A
- (b)-path(s) (a)-paths hence (b) satisfies A
- However (b) does not satisfy AGEFp
16
CTL*
Allows any LTL formula to be preceded by A or E.
Exm.
E(p Xq), A(Fq Gp)
CTL* is more powerful then CTL and LTL but
Model checking is PSPACE-complete in size of
formula.
17Model Checking Problem
Model Checking problem:
Given a program model (S, s0, R, L) and a CTL formula f,
determine if s0 f.
Model-checking Satisfiability
Semantic search:
• Given (S, s0, R,L), and f, find the set S’S of all states in S that
satisfy f.
• Check if s0S’.
18Model Checking by Semantic Search
• Given (S, s0, R,L), and f, find the set S’S of all states in S
that satisfy f.
• Check if s0S’.
Simple for formulae:
{ s | s p } = { s | pL(s) } -- p atomic
{ s | s fg } = { s | s f } { s | s g }
{ s | s f } = S - { s | s f }
{ s | s EXf } = { s | tS s.t. (s,t)R t f }
The problem arises with A(qUr) and E(qUr).
19Fix-points
• Fix-point: (x)=x
• Given a set S, a functional : 2S 2S is:
- monotonic iff PQ [P][Q]
- -continuous iff P1P2… [Pi]=[Pi]
- -continuous iff P1P2… [Pi]=[Pi]
• Theorem (Tarski)
Monotonic have least and greatest fix-points:
lfp() = {Z : [Z]=Z},
gfp() = {Z : [Z]=Z},
lfp() = i[], i=0,1,… if is also -continuous
gfp() = i[S], i=0,1,… if is also -continuous
20
Proof Example
If is monotonic and -continuous then
lfp([Z]) = i[], i=0,1,…Proof: i[] is non-decreasing: [], and if i[]i+1[] then i+1[]i+2[] since is monotonic.
i[] is a fix-point since is -continuous: (i[])=(i[]) = i+1[]=i[]
• least fix-point: for every i, i[]lfp(); again by induction on i:
- lfp(),
- i[]lfp() i+1[]=(i[]) (lfp())=lfp()
21
Fix-points of CTL Operators
Given, M=(S,s0,R,L), every formula is identified with the set ofstates that satisfy the formula (false, true S).
Lemma: EFf = f EXEFf (satisfied by same states)
• Suppose s0EFf. Then by definition there is a path s0,s1,s2,… in M s.t. for some k skf.
• If k=0 then s0f. Otherwise s1EFf and s0EXEFf. Thus, EFffEXEFf.
• Similarly, if s0fEXEFf then s0f or s0EXEFf. In either case s0EFf and fEXEFfEFf.
Therefore, EFf= fEXEFf.
EFf is a fix-point of [Z] = f EX Z
22
Lemma: The functional f EX Z is monotonic
• Assume pq, we show that EXpEXq. By def. sEXp iff there exists tS s.t. (s,t)R and tp. But also tq (since pq) hence also sEXq.
• Hence, if pq then:
{ s | s f EXp } = { s | s f } { s | s EXp }
{ s | s f } { s | s EXq }
= { s | s f EXq }
f EX Z is monotonic, -continuous and -continuous
Lemma: fEX Z is -continuous and -continuous
• In fact true for every monotonic functional on finite set: P1P2…Pm has a maximum Pm=Pi. Also, [Pi]=[Pm] (monotonic), hence [Pi]= [Pi].)
lfp(fEXZ) = (f EX false)i
23
Lemma: EFf is a least fixpoint of [Z]=fEXZ
• Suppose p is a fixpoint of . Then, p = fEXp. Hence,
{ s | s p } = { s | s f EXp }
= { s | s f } { s | s EXp }
Therefore: f p and EXp p
• Hence, p is closed under R-1 namely p contains all of its predecessors. Therefore, no path beginning in a non p-state can reach a p-state.
• Since f p it follows that EFf p (if s EFf then s starts a path that reaches f, therefore reaches p, therefore s is a p-state). Therefore, EFf is contained in any fixpoint of .
EFf = (f EX false)i
24
Fixpoints of CTL Operators (Clark-Emerson)
[Z]lfp
g (fAXZ)A[fUg]
g (fEXZ)E[fUg]
f AXZAFf
f EXZEFf
[Z] gfp
f AXZ AGf
f EXZ EGf
Recall AX(f) EXf
25
CTL Operators Computations
EFf = (f EX false)i
EGf = (f EX true)i -- gfp
E[fUg] = (g (f EX false))i
A[fUg] = (g (f AX false))i
where iS(S is finite)
26
Example: EFp P
the Kripke model
P
P
P
(false)= p EX false = p
2(false)= p EX p
3(false)= p EX(p EX p)
27
Example: EGy =(y EX true)i
S0:{x,y,z}
S2:{y,z}
S3:{x}
S4:{y} S5:{x,z}
S6:{z} S7:{}
S1:{x,y}
[EG(y)] =
[y] EX[S] = {s0,s1,s2,s4}=E0
[y]EX[E0]= {s0,s1,s2,s4}{s0,s2,s3,s4,s5,s6}= {s0,s2,s4}= E1
[y]EX[E1]= {s0,s1,s2,s4}{s0,s2,s3,s4,s6}= {s0,s2,s4}= E1
28
Example: EF(x=z yz) =((x=z yz) EX false)i
S0:{x,y,z}
S2:{y,z}
S3:{x}
S4:{y} S5:{x,z}
S6:{z} S7:{}
S1:{x,y}
[EF(x=z yz)] =
[(x=z yz)] EX[] = {s4,s5}=E0
[E0] EX[E0]= {s4,s5} {s6}= {s4,s5,s6}= E1
(EX[E1]= {s6,s7})= {s4,s5,s6,s7}= E2
(EX[E2]= {s6,,s7,s5}) = {s4,s5,s6,s7}
29
Model Checking
Algorithm (sketch)1. Construct A, the set of sub-formulae of f.2. For i=1,…,|f|, label every state sS with the sub-formulae
of length i that are satisfied by s.
3. Check if s0 is labeled by f.
At stage i the algorithm employs the information gatheredin earlier stages (in particular path formulae look at theinformation of the next states).
30
Model Checking Algorithm
Given M=(S, s0, R, L), and a CTL formula f
for j=0 to length(f)
for each sub-formula g of f of length j
case (-- structure of g)
p: nothing (-- S is already labeled with propositions)
qr: sS: if qL(s) and rL(s) then add qr to L(s)
q: sS: if qL(s) then add q to L(s)
EXq: sS: if t s.t. (s,t)R and qL(t) then add EXq to
L(s)
A(qUr): AU-check(q, r)
E(qUr): EU-check(q, r)
if fL(s0) then output=true, else output=false.
31
AU-check (q, r) for each sS, if rL(s) then add A(qUr) to L(s) for j=1 to |S| for each sS, if qL(s) and A(qUr)L(t) for all t s.t. (s,t)R then add A(qUr) to L(s) EU-check (q, r) for each sS, if rL(s) then add E(qUr) to L(s) for j=1 to |S| for each sS, if qL(s) and E(qUr) to L(t) for some t s.t. (s,t)R then add E(qUr) to L(s)
Complexity: O(|||S|2)
Checking state satisfiability fro A(qUr), E(qUr)
Fairness Assumption
Strong fairness: a transition that is enabled i.o. is taken i.o - LTL: ( ) - - private case, =True
Weak fairness: a transition that is continuously enabled is taken i.o - LTL: ( )
Rule out traces that are unrealistic or provide for unfair service (starvation).
(T_Red &P_Green)
& (P_Red &T_Green)
Fairness assumptions are not in CTL
Fair Semantics for CTL
Strong Fairness constraint: Sfair = i(i i) j(j j), i, i, j, j, CTL formulae.
For a model M= (S, sI, R, L) and sS:
FairPaths(s) = {Paths(s) | Sfair }
Fair semantics w.r.t. Sfair
s F p iff sp
s F f iff not sF f
s F fg iff sF f and sF g
s F Exf iff s’. (s,s’)R and s’ f FairPaths(s),
s F E[pUq] iff exists =(s0, s1,…) s.t s0=s, FairPaths(s),
k0. sk q i. 0ik si p
s F A[pUq] iff for every =(s0, s1,…) s.t s0=s, FairPaths(s),
k0. sk q i. 0ik si p
Model Checking under Farness Constraints
• How to check: FairPaths(s) ?
• Observation: FairPaths(s) iff j0 jFairPaths(j)
• Hence, redefine fair semantic:
s F p iff sp
s F f iff not sF f
s F fg iff sF f and sF g
s F Exf iff s’. (s,s’)R and s’ f FairPaths(s’)
s F A[fUg] iff for every path (s0, s1,…) s.t s0=s, k0. sk g i. 0ik si f FairPaths(sk)
s F E[fUg] iff for some path (s0, s1,…) s.t s0=s, k0. sk g i. 0ik si f FairPaths(sk)
Computation of FairPaths(s)
• Let: Sfair = ( ) where , are CTL formulae.
Sfair iff k0, nk, s.t. = s0…sk-1(sk…sn)
and: kin. si or kjn. sj
• Computation of FairPaths(s) w.r.t. Sfair = ( )
For a model M= (S, sI, R, L):
Let a, b, fair be new fresh variables
Compute Sat()={sS | s} then sSat(). L(s):=L(s){a}
Compute Sat()={sS | s} then sSat(). L(s):=L(s){b}
Decompose M into a graph of maximal SCCs.
For each SCC, if for all states sSCC, aL(s), or otherwise there exists a state s’SCC s.t. bL(s’), mark the SCC as fair
For each sS if there exists a path from s to a fair SCC then L(s){fair}
Computation of FairPaths(s)
• Hence, redefine fair semantic:
s F p iff sp
s F f iff not sF f
s F fg iff sF f and sF g
s F Exf iff s’. (s,s’)R and s’ (f fair)
s F A[fUg] iff for every path (s0, s1,…) s.t s0=s, k0. sk g i. 0ik si (f fair)
s F E[fUg] iff for some path (s0, s1,…) s.t s0=s, k0. sk g i. 0ik si (f fair)
Thus, ‘fair’ model checking requires pre-processing of themodel that extends the states labeling, then normal modelchecking algorithm
Complexity
• For a model with N states and M transitions and a CTL formula f and a CTL fairness constraint, still linear time: O(|f|·(N +M)).
• In the general case, with k fairness constraints, the labeling must be carried out separately for each constraint and the final labeling is the conjunction of the separate labeling. The complexity is then O(|f|·(N +M)·k)
38
RTCTL
A(qUkr) - at all paths r holds within k t.u. and q holds at all states until then. E(qUkr) - at some path r holds within k t.u. and q holds at all states until then. Semantics (fixed rate progress approach):
s0 A(qUkr) iff for every path ( s0, s1,…)
i. 0ik si r j. 0ji sj q
s0 E(qUkr) iff exists path ( s0, s1,…) and
i0. 0ik si r j. 0ji sj q
39
Model Checking Algorithm for RTCTL
Given M=(S, s0, R, L), and a CTL formula f
for j=0 to length(f)
for each sub-formula g of f of length j
case (structure of g)
p: …..
qr: …..
q: …..
EXq: …..
A(qUr): …..
A(qUkr): AU-check(min(k,|S|), q, r)
E(qUr): …..
E(qUkr): EU-check(min(k,|S|), q, r)
if fL(s0) then output=true, else output=false.
40
AU-check (max_len, q, r) -- max_len= min(k,|S|)
for each sS, if rL(s) then add A(qU0r) to L(s)
for len=1 to max_len
for each sS,
if qL(s) and for every t such that (s,t)R
there is jlen-1 s.t. A(qUjr)L(t)
then add A(qUlenr) to L(s)
for each sS,
if A(qUjr)L(s) for some jmax_len
then replace by A(qUmax_lenr) to L(s)
A(qUkr):
41
EU-check (max_len, q, r) -- max_len= min(k,|S|)
for each sS, if rL(s) then add E(qU0r) to L(s)
for len=1 to max_len
for each sS,
if qL(s) and
E(qUlen-1r) L(t) for some t such that (s,t)R
then add E(qUlenr) to L(s)
for each sS,
if E(qUjr) L(s) for some jmax_len
then replace by E(qUmax_lenr) to L(s)
E(qUkr):
42
RTCTL (II)
In order to express fixed delays, we need: A(qUkr) - at all paths r holds at k t.u. and q holds at all states until then. E(qUkr) - at some path r holds at k t.u. and q holds at all states until then. Semantics (fixed rate progress approach):
s0 A(qUkr) iff for every path ( s0, s1,…)
sk r j. 0jk sj q
s0 E(qUkr) iff exists path ( s0, s1,…) and
sk r j. 0jk sj q
Model checking same idea as for k
43
Railroad Crossing in Real-Time CTL
Assertions:
• 50 seconds minimal delay between trains.
AG(Tin EF50Tin)
• It takes a train 6 seconds to arrive at the signal
AG(Tin AF6AtSignal)
• Train exits XR within 15 to 25 seconds.
AG(((Twait AX(Twait)) AX(AtSignal Twait)) AG16 Tout AF26Tout )
Requirements:
• Train at the signal is allowed to continue within 10 seconds.
AG(AtSignal AF5(Twait))
• The gate is open whenever the crossing is empty for more than 10 seconds.
AG(E(Tcr0U=10Open))
44
Symbolic Model Checking
Symbolic representation with Boolean formulae of:
• the model (program)
• CTL formulathus avoiding the state explosion problem.
Model Checking reduces to Boolean formulae manipulation.
The idea: Given a model (S,R,L) over P (set of atomic propositions),
• Represent every state sS by a Boolean formula over P that is satisfied exactly by L(s)
• Represents R in terms of the Boolean formulas corresponding to source and destination states.
45
Program Representation - Example I
S p
S’ p
R (p p’) (p p’) (p p’)
(p p) p’ (p p’)
p’ (p p’)
(p’ p) (p’ p’)
(p p’)
S S'
p
46
S0 (v0 v1), S1 v0 v1,
S2 v0 v1, S3 v0 v1
R (v0' v0) (v1’ (v0 v1))
S0 S1
v0v0
v1
2-bit counter
S2
v1
S3
v0,v1
Program Representation - Example II
47
CTL Symbolic Representation
• pP , f, fg, are Boolean formulae.• We show Boolean representation for: EXf, A[fUg], E[fUg]
EXf
• Let v1,…,vnP be the atomic propositions in f, then:
(v1,…,vn).f = (a1,…,an){0,1}n f(a1,…,an)
• Then, EXf is represented by the formula
(v1',…,vn').(Rf’(v1',…,vn') )
EXp = p'. Rf(p‘)
= p'. (pp')p'
= p'. (pp')
= (pfalse) (ptrue) = p
48
EX(v0 v1)
= (v0', v1'). R(v0' v1')
= (v0', v1'). (v0 v1 v0' v1')
= (v1').(v0 v1 false v1') (v0 v1 true v1')
= (v1'). (v0 v1 v1')
= (v0v1false) (v0v1 true)
= (v0v1)
S0 S1
v0v0
v1
2-bit counter
S2
v1
S3
v0,v1
49
CTL Operators Representation
For other CTL operators use their fixed point representation
in terms of EX.
S S'
p
Example: computation of EFp
- recall EFp = i(false) where (y)= p EXy
1(false) = p EXfalse = p
2(false) = (p) = pEXp = pp'.(pp')p' = true
3(false) = (true) = pEXtrue = true
50Computation of EF(v0 v1)
1(false) = (v0 v1) EXfalse = (v0 v1)
2(false) = (v0 v1) = (v0 v1)EX(v0 v1)
= (v0 v1)(v0 v1) = v1
3(false) = (v1) = (v0 v1)EXv1 = (v0 v1)
3(false) = (v0 v1) = (v0 v1)EX(v0 v1) = true
51
Symbolic Model Checking Algorithm
eval(f)
{ Case (f)
p : return p
g: return eval(g)
gh: return eval(g)eval(h)
EXg: return v'.(Rp')
E(gUh): return evalEU(eval(g),eval(h),false))
EGg: return evalEG(eval(g),true) }
evalEU(p,q,y) { y'=q (p evalEX(y))
if y'=y then return y else return evalEU(p.q.y') }
evalEG(p,y) { y'=(p evalEX(y))
if y'=y then return y else return evalEG(p.y') |
52
Binary Decision Diagrams (BDD)
Graphical representation of Boolean formulae obtained
from ordered decision trees.
a
b b
c c
d d d d d d dd
cc
0 00 0 0 0 0 0 01 1 1 1 1 1 1
Ordered Decision Tree of a b c d
53BDD Derivation
Apply in bottom-up manner:
• Combine isomorphic sub-trees into a single tree
• Eliminate nodes whose left and right children are isomorphic
– Linear time
– Size of resulting graph depends on variable ordering
54
Example - Step 1: node elimination
a
b b
c c
d
0 1
d
0 1
d
0 1
d0 1
d
0 1
d
0 1
d
0 1
d
0 1
cc
0 1 1 1 10 0 0
0
0 0
1
11
0 0 0 0 0 0 0 0 01 1 1 1 1 1 1
55
a
b b
c
d
0 1
d
0,1
d
0,1
c0
0 0 1 1
Example - Step 1: isomorphic trees
56
a
b
c
d
0 1
0 1
0
0
1
1
0
0 1
1
Example - Step 1: Final BDD
57Properties of BDDs
• Canonical representation of formulae, enables simple comparison.
• Logical operators: , , , EX are computed w.r.t. BDD quadratic time.