computation tree logic (ctl) - tel aviv universitygafniv/11-ctl_mc_16.pdf · 3 ctl model (kripke...
TRANSCRIPT
-
1
Computation Tree Logic
(CTL)
-
2
CTL
Syntax
P - a set of atomic propositions, every pP is a CTL formula.
f, g, CTL formulae, then so are f, fg, EXf, A[fUg], E[fUg]
E, A path quantifiers, X, U, G, F temporal operators
Interpreted over a tree of states:
EXf - f holds in some immediate successor
A[fUg] - every path has a prefix that satisfies [fUg]
-
3
CTL Model (Kripke model)
M = (S, sI, R, L)
S is a finite set of states, sIS is the initial state
R SS s.t. uS. vS. (u,v)R (total)
L: S 2AP
Example: AP = {p,q,r}
S0
{p,q}
S1
{p}
S2
{q}
-
4
Example: XR Control Program
opening
closing
closed
Tin¬(open!)
/open,@close opened
open! & not(Tin)
Tin/@close
/@open, stop
Tout,Tin
{@open, stop}
{open!}{Tout,
@open,stop}
{Tout,Tin}
{Tin,open,
@close}
{close!,go}
{Tin,
@close}
Tout @ open,stop
close!/go
Tin&open!
/@close
{Tin,open!,
@close}
-
5
Computation Tree
The infinite computation tree spanned by a model M=(S,sI,R,L)
root s0=si st is an arc in the tree iff (s,t)R.
A path is: s0,s1,s2,S s.t. i. (si,si+1)R
S0
S1
S2
S0
S1 S2
S0 S1
S1 S2 S0
-
6
CTL Semantics
w.r.t a given model (S,sI,R,L) and a state sS:
s p iff pL(s)
s f iff not s f
s fg iff s f and s g
s EXf iff s. (s,s)R and s f
s A[fUg] iff for every path (s0, s1,) s.t s0=s,
k0. sk g i. 0ik si f
s E[fUg] iff for some path (s0, s1,) s.t s0=s,
k0. sk g i. 0ik si f
f is satisfiable iff there exists a model (S,sI,R,L) such that sI f
f is valid iff f is satisfiable by every model (S,sI,R,L)
-
7
Derived Operators
AX(f) EXf f holds at all next states
AF(f) A[true U f] f holds in the future of every path
EF(f) E[true U f] f holds in the future of some path
AG(f) EF(f) every state in every path satisfies f
EG(f) AF(f) for some path every state satisfies f
-
8
-
9
A note on temporal wff
Syntax: EXf, A[fUg], E[fUg]
E, A path quantifiers
X, U, G, F temporal operators
Structure of a formula: (path)(temporal)[formula]
E, A path quantifiers
X, U, G, F temporal operators
EF(Gu) is not a wff, only EF(EGu) or EF(AGu)
A(fUg) cannot be derived from E(fUg) since E(fUg) is
not wff (since (fUg) is not wff)
-
10
Properties Expressed in CTL
Every req is followed by ack (not 1-1): AG(req AF ack)
It is possible to get to a state where started holds but ready does
not hold.
EF(started ready)
From any state it is possible to get to the restart state.
AG EF restart
Processes P,Q are not in their critical section simultaneously
AG((PCQC))
A process that asks to enter the critical section, eventually gets
there
AG(PE AF(PC))
Processes strictly alternate in access to the critical section
AG(Pc A(PcU(Pc A(PcUQc))))
-
11
Expressing Time in CTL
Assertions:
50 seconds minimal delay between trains.
AG(Tin AXTin AXAXTin AX..AXTin )
It takes a train 6 seconds to arrive at the signal
AG(Tin AX(AX(AX(AX(AX(AX(AtSignal)))))))
however, we could write AG(Tin AX6(AtSignal)
like we did in LTL
50
-
12
LTL vs. CTL
LTL cannot distinguish behaviors that generate same path, therefore cannot express possibility.
CTL is sensitive to the branching structure
Thus, it is always possible to get tea after inserting a coin
is expressible in CTL: AG(coin EXtea) but not in LTL
A
B
C D
coin
coffee tea
A
B C
coin coin
D E
coffee tea
Different models -
A CTL tree defines
a subset of models
of LTL
Expressivity
Define LTL
satisfied on Kripke
model if satisfied
by every path.
For LTL both generate same paths
-
13
LTL vs. CTL (II)
satisfies p but not AFAGp. -- no single F state
Similarly,
p q
(pOp)
not expressible in CTL
p ~p p
s0
s1
s2
-
14
LTL vs. CTL (III)
AGEFp - not expressible in LTL
Suppose A is equivalent to AGEFp
- (a) satisfies AGEFp hence A
- (b)-paths (a)-paths hence (b) satisfies A
- However (b) does not satisfy AGEFp
S:{~p} S':{p} S:{~p}(a) (b)
-
15
CTL*
Allows any LTL formula to be preceded by A or E.
Exm.
E(p Xq), A(Fq Gp)
CTL* is more powerful then CTL and LTL but
Model checking is PSPACE-complete in size of
formula.
-
16
Model Checking Problem
CTL Model Checking problem:
Given a program model (S, s0, R, L) and a CTL formula f,
determine if s0 f.
Model-checking Satisfiability
Semantic search: Given, M=(S,s0,R,L), every formula is
identified with the set of states that satisfy the formula
(false, true S). So, given f,
find the set SS of all states in S that satisfy f.
Check if s0S.
-
17
Model Checking by Semantic Search
Given (S, s0, R,L), and f, find the set SS of all states in S
that satisfy f.
Simple for formulae:
{ s | s p } = { s | pL(s) } -- p atomic
{ s | s fg } = { s | s f } { s | s g }
{ s | s f } = S - { s | s f }
{ s | s EXf } = { s | tS s.t. (s,t)R t f }
The problem arises with A(qUr) and E(qUr).
-
18
Fix-points
Fix-point: (x)=x
Given a set S, a functional : 2S 2S is:
- monotonic iff PQ [P][Q]
- -continuous iff P1P2 [Pi]=[Pi]
- -continuous iff P1P2 [Pi]=[Pi]
Theorem (Tarski)
Monotonic have least and greatest fix-points:
lfp() = {Z : [Z]=Z},
gfp() = {Z : [Z]=Z},
lfp() = i[], i=0,1, if is also -continuous
gfp() = i[S], i=0,1, if is also -continuous
-
19
Fix-points of CTL Operators
Lemma: EFf = f EX(Eff) (satisfied by same states)
EFf is a fix-point of [Z] = f EX Z
f EX Z is monotonic, -continuous and -continuous
: lfp(fEXZ) = (f EX false)I
Lemma: EFf is a least fix-point of [Z] = f EX Z
EFf = (f EX false)i
-
20
Fixpoints of CTL Operators (Clark-Emerson)
computationlfp[Z]
(g (f AX false))iA[fUg]g (fAXZ)
(g (f EX false))iE[fUg]g (fEXZ)
(f AX false)iAFff AXZ
(f EX false)iEFff EXZ
Recall AX(f) EXf
computationgfp[Z]
(f AX true)iAGff AXZ
(f EX true)iEGff EXZ
where iS (S is finite)
-
21
Example: EFp P
the Kripke model
P
P
P
(false)= p EX false = p
2(false)= p EX p
3(false)= p EX(p EX p)
-
22
Example: EGy =(y EX true)i
S0:{x,y,z}
S2:{y,z}
S3:{x}
S4:{y} S5:{x,z}
S6:{z} S7:{}
S1:{x,y}
[EG(y)] =
[y] EX[S] = {s0,s1,s2,s4}=E0
[y]EX[E0]= {s0,s1,s2,s4}{s0,s2,s3,s4,s5,s6}= {s0,s2,s4}= E1
[y]EX[E1]= {s0,s1,s2,s4}{s0,s2,s3,s4,s6}= {s0,s2,s4}= E1
-
23
Example: EF(x=z yz) =((x=z yz) EX false)i
S0:{x,y,z}
S2:{y,z}
S3:{x}
S4:{y} S5:{x,z}
S6:{z} S7:{}
S1:{x,y}
[EF(x=z yz)] =
[(x=z yz)] EX[] = {s4,s5}=E0
[E0] EX[E0]= {s4,s5} {s6}= {s4,s5,s6}= E1
(EX[E1]= {s6,s7})= {s4,s5,s6,s7}= E2
(EX[E2]= {s6,,s7,s5}) = {s4,s5,s6,s7}
-
24
Model Checking
Algorithm (sketch)
1. Construct A, the set of sub-formulae of f.
2. For i=1,,|f|, label every state sS with the sub-formulae of length i that are satisfied by s.
3. Check if s0 is labeled by f.
At stage i the algorithm employs the information gathered
in earlier stages (in particular path formulae look at the
information of the next states).
-
25
Model Checking Algorithm
Given M=(S, s0, R, L), and a CTL formula f
for j=0 to length(f)
for each sub-formula g of f of length j
case (-- structure of g)
p: nothing (-- S is already labeled with propositions)
qr: sS: if qL(s) and rL(s) then add qr to L(s)
q: sS: if qL(s) then add q to L(s)
EXq: sS: if t s.t. (s,t)R and qL(t) then add EXq to L(s)
A(qUr): AU-check(q, r)
E(qUr): EU-check(q, r)
if fL(s0) then output=true, else output=false.
-
26
AU-check (q, r)
for each sS, if rL(s) then add A(qUr) to L(s)
for j=1 to |S|
for each sS,
if qL(s) and A(qUr)L(t) for all t s.t. (s,t)R
then add A(qUr) to L(s)
EU-check (q, r)
for each sS, if rL(s) then add E(qUr) to L(s)
for j=1 to |S|
for each sS,
if qL(s) and E(qUr) to L(t) for some t s.t. (s,t)R
then add E(qUr) to L(s)
Complexity: O(|||S|2)
Checking state satisfiability fro A(qUr), E(qUr)
-
Fairness Assumption
Strong fairness: a transition that is enabled i.o. is taken i.o
- LTL: ( ) - - private case, =True
Weak fairness: a transition that is continuously enabled is taken i.o
- LTL: ( )
Rule out traces that are unrealistic or provide for unfair service (starvation).
(T_Red &P_Green)
& (P_Red &T_Green)
Fairness assumptions are not in CTL
T_Red,
P_Red
T_Green,
P_Red
T_Red,
P_Green
-
Fair Semantics for CTL
Strong Fairness constraint:Sfair = i(i i) j(j j), i, i, j, j, CTL formulae.
For a model M= (S, sI, R, L) and sS:
FairPaths(s) = {Paths(s) | Sfair }
Fair semantics w.r.t. Sfair
s F p iff sp
s F f iff not sF f
s F fg iff sF f and sF g
s F Exf iff s. (s,s)R and s f FairPaths(s),
s F E[pUq] iff exists =(s0, s1,) s.t s0=s, FairPaths(s),
k0. sk q i. 0ik si p
s F A[pUq] iff for every =(s0, s1,) s.t s0=s, FairPaths(s),
k0. sk q i. 0ik si p
-
Model Checking under Farness Constraints
How to check: FairPaths(s) ?
Observation: FairPaths(s) iff j0 jFairPaths(j)
Hence, redefine fair semantic:
s F p iff sp
s F f iff not sF f
s F fg iff sF f and sF g
s F Exf iff s. (s,s)R and s f FairPaths(s)
s F A[fUg] iff for every path (s0, s1,) s.t s0=s,
k0. sk g i. 0ik si f
FairPaths(sk)
s F E[fUg] iff for some path (s0, s1,) s.t s0=s,
k0. sk g i. 0ik si f
FairPaths(sk)
-
Computation of FairPaths(s)
Let: Sfair = ( ) where , are CTL formulae.
Sfair iff k0, nk, s.t. = s0sk-1(sksn)
and: kin. si or kjn. sj
Computation of FairPaths(s) w.r.t. Sfair = ( )
For a model M= (S, sI, R, L):
Let a, b, fair be new fresh variables
Compute Sat()={sS | s} then sSat(). L(s):=L(s){a}
Compute Sat()={sS | s} then sSat(). L(s):=L(s){b}
Decompose M into a graph of maximal SCCs.
For each SCC, if for all states sSCC, aL(s), or otherwise there
exists a state sSCC s.t. bL(s), mark the SCC as fair
For each sS if there exists a path from s to a fair SCC then
L(s){fair}
-
Computation of FairPaths(s)
Hence, redefine fair semantic:
s F p iff sp
s F f iff not sF f
s F fg iff sF f and sF g
s F Exf iff s. (s,s)R and s (f fair)
s F A[fUg] iff for every path (s0, s1,) s.t s0=s,
k0. sk g i. 0ik si (f fair)
s F E[fUg] iff for some path (s0, s1,) s.t s0=s,
k0. sk g i. 0ik si (f fair)
Thus, fair model checking requires pre-processing of the
model that extends the states labeling, then normal model
checking algorithm
-
Complexity
For a model with N states and M transitions and a CTL
formula f and a CTL fairness constraint, still linear time:
O(|f|(N +M)).
In the general case, with k fairness constraints, the
labeling must be carried out separately for each
constraint and the final labeling is the conjunction of the
separate labeling. The complexity is then O(|f|(N +M)k)
-
33
RTCTL
A(qUkr) - at all paths r holds within k t.u. and q
holds at all states until then.
E(qUkr) - at some path r holds within k t.u. and q
holds at all states until then.
Semantics (fixed rate progress approach):
s0 A(qUkr) iff for every path ( s0, s1,)
i. 0ik si r j. 0ji sj q
s0 E(qUkr) iff exists path ( s0, s1,) and
i0. 0ik si r j. 0ji sj q
-
34
Model Checking Algorithm for RTCTL
Given M=(S, s0, R, L), and a CTL formula f
for j=0 to length(f)
for each sub-formula g of f of length j
case (structure of g)
p: ..
qr: ..
q: ..
EXq: ..
A(qUr): ..
A(qUkr): AU-check(min(k,|S|), q, r)
E(qUr): ..
E(qUkr): EU-check(min(k,|S|), q, r)
if fL(s0) then output=true, else output=false.
-
35
AU-check (max_len, q, r) -- max_len= min(k,|S|)
for each sS, if rL(s) then add A(qU0r) to L(s)
for len=1 to max_len
for each sS,
if qL(s) and for every t such that (s,t)R
there is jlen-1 s.t. A(qUjr)L(t)
then add A(qUlenr) to L(s)
for each sS,
if A(qUjr)L(s) for some jmax_len
then replace by A(qUmax_lenr) to L(s)
A(qUkr):
Note jk
-
36
EU-check (max_len, q, r) -- max_len= min(k,|S|)
for each sS, if rL(s) then add E(qU0r) to L(s)
for len=1 to max_len
for each sS,
if qL(s) and
E(qUlen-1r) L(t) for some t such that (s,t)R
then add E(qUlenr) to L(s)
for each sS,
if E(qUjr) L(s) for some jmax_len
then replace by E(qUmax_lenr) to L(s)
E(qUkr):
-
37
RTCTL (II)
In order to express fixed delays, we need:
A(qUkr) - at all paths r holds at k t.u. and q holds
at all states until then.
E(qUkr) - at some path r holds at k t.u. and q
holds at all states until then.
Semantics (fixed rate progress approach):
s0 A(qUkr) iff for every path ( s0, s1,)
sk r j. 0jk sj q
s0 E(qUkr) iff exists path ( s0, s1,) and
sk r j. 0jk sj q
Model checking same idea as for k
-
38
Railroad Crossing in Real-Time CTL
Assertions:
50 seconds minimal delay between trains.
AG(Tin EF50Tin)
It takes a train 6 seconds to arrive at the signal
AG(Tin AF6AtSignal)
Train exits XR within 15 to 25 seconds.
AG(((Twait AX(Twait)) AX(AtSignal Twait))
AG16 Tout AF26Tout )
Requirements:
Train at the signal is allowed to continue within 10 seconds.
AG(AtSignal AF5(Twait))
The gate is open whenever the crossing is empty for more than
10 seconds.
AG(E(Tcr0U=10Open))
-
39
Symbolic Model Checking
Symbolic representation with Boolean formulae of:
the model (program)
CTL formula
thus avoiding the state explosion problem.
Model Checking reduces to Boolean formulae manipulation.
The idea: Given a model (S,R,L) over P (set of atomic propositions),
Represent every state sS by a Boolean formula over P that is
satisfied exactly by L(s)
Represents R in terms of the Boolean formulas corresponding to
source and destination states.
-
40
Program Representation - Example I
S p
S p
R (p p) (p p) (p p)
(p p) p (p p)
p (p p)
(p p) (p p)
(p p)
S S'
p
-
41
S0 (v0 v1), S1 v0 v1,
S2 v0 v1, S3 v0 v1
R (v0' v0) (v1 (v0 v1))
S0 S1
v0v
0
v1
S2
v1
S3
v0,v
1
Program Representation - Example II
-
42
CTL Symbolic Representation
pP , f, fg, are Boolean formulae.
We show Boolean representation for: EXf, A[fUg], E[fUg]
EXf
Let v1,,vnP be the atomic propositions in f, then:
(v1,,vn).f = (a1,,an){0,1}n f(a1,,an)
Then, EXf is represented by the formula
(v1',,vn').(Rf(v1',,vn') )
S S'p
EXp = p'. Rf(p)
= p'. (pp')p'
= p'. (pp')
= (pfalse) (ptrue) = p
-
43
EX(v0 v1)
= (v0', v1'). R(v0' v1')
= (v0', v1'). (v0 v1 v0' v1')
= (v1').(v0 v1 false v1') (v0 v1 true v1')
= (v1'). (v0 v1 v1')
= (v0v1false) (v0v1true)
= (v0v1)
S0 S1
v0v
0
v1
S2
v1
S3
v0,v
1
-
44
CTL Operators Representation
For other CTL operators use their fixed point representation
in terms of EX.
S S'
p
Example: computation of EFp
- recall EFp = i(false) where (y)= p EXy
1(false) = p EXfalse = p
2(false) = (p) = pEXp = pp'.(pp')p' = true
3(false) = (true) = pEXtrue = true
-
45
Computation of EF(v0 v1)
1(false) = (v0 v1) EXfalse = (v0 v1)
2(false) = (v0 v1) = (v0 v1)EX(v0 v1)
= (v0 v1)(v0 v1) = v1
3(false) = (v1) = (v0 v1)EXv1 = (v0 v1)
3(false) = (v0 v1) = (v0 v1)EX(v0 v1) = true
S0 S1
v0v
0
v1
S2
v1
S3
v0,v
1
-
46
Symbolic Model Checking Algorithm
eval(f)
{ Case (f)
p : return p
g: return eval(g)
gh: return eval(g)eval(h)
EXg: return v'.(Rp')
E(gUh): return evalEU(eval(g),eval(h),false))
EGg: return evalEG(eval(g),true) }
evalEU(p,q,y) { y'=q (p evalEX(y))
if y'=y then return y else return evalEU(p.q.y') }
evalEG(p,y) { y'=(p evalEX(y))
if y'=y then return y else return evalEG(p.y') |
-
47
Binary Decision Diagrams (BDD)
Graphical representation of Boolean formulae obtained
from ordered decision trees.
a
b b
c c
d d d d d d dd
cc
Ordered Decision Tree of a b c d
-
48
BDD Derivation
Apply in bottom-up manner:
Combine isomorphic sub-trees into a single tree
Eliminate nodes whose left and right children are
isomorphic
Linear time
Size of resulting graph depends on variable ordering
-
49
Example - Step 1: node elimination
a
b b
c c
d
0 1
d
0 1
d
0 1
d0 1
d
0 1
d
0 1
d
0 1
d
0 1
cc
0 1 1 1 10 0 0
0
0 0
1
11
0 0 0 0 0 0 0 0 01 1 1 1 1 1 1
-
50
a
b b
c
d
0 1
d
0,1
d
0,1
c
0 1 0,1
0
0,1
0
1
1
0 0 1 1
Example - Step 1: isomorphic trees
-
51
a
b
c
d
0 1
0 1
0
0
1
1
0
0 1
1
Example - Step 1: Final BDD
-
52
Properties of BDDs
Canonical representation of formulae, enables simple
comparison.
Logical operators: , , , EX are computed w.r.t.
BDD quadratic time.