ctl model checking - university of maryland · cmsc 630 february 25, 2015 1 ctl model checking goal...

CMSC 630 February 25, 2015 1'

&

$

%

CTL Model Checking

Goal Method for proving M sat σ, where M is a Kripke structure and σ is a

CTL formula.

Approach Model checking!

• Mathematically, M is a model of σ if sI |=M σ.

• So determining if M sat σ amounts means checking whether M is a model

of σ

c©2015 Rance Cleaveland. All rights reserved.


&

$

%

Recall the CTL Fragment of CTL∗

... every path modality (i.e. F,G,U) must be preceded by a path quantifier A, E.

The syntax can also be given directly as follows.

σ ::= a

| ¬σ

| σ ∨ σ

| EXσ

| E(σ U σ)

| E(σ R σ)

Other operators (AX, AU, AR, EF, AF, EG, AG, etc.) can be defined in terms of

these.



&

$

%

So What’s the Big Deal About CTL?

− Formulas are “like” those in LTL, but more complex.

+ Model-checking problem easier to solve in CTL.



&

$

%

Properties in CTL

Expressiveness of CTL, LTL are incomparable.

One can reasonably argue that LTL is easier to understand.

However, one can turn LTL system specs into CTL formulas that are “at least as

strong”, provided LTL formulas are in positive normal form (i.e. negations only

applied to atomic propositions).

E.g.

PNF: GF executed

Not PNF: ¬GF executed



&

$

%

LTL, CTL and PNF

Any LTL formula can be put in PNF provided logic is extended with the necessary

duals (i.e. ∧, R).

¬(φ1 ∨ φ2) ≡ (¬φ1) ∧ (¬φ2)

¬(Xφ) ≡ X(¬φ)

¬(φ1 U φ2) ≡ (¬φ1) R (¬φ2)



&

$

%

Generating CTL Approximations to LTL

So how do we generate CTL formulas “at least as strong” as LTL system specs?

1. Put LTL formula in PNF.

2. Insert A path quantifier in front of each path modality.

LTL CTL

G (send ⇒ F receive) AG (send ⇒ AF receive)

(GF enabled) ⇒ (GF executed) (AFAG¬enabled) ∨ (AGAF executed)



&

$

%

PNF CTL

σ ::= a

| ¬a

| σ ∨ σ

| σ ∧ σ

| EXσ

| AXσ

| E(σ U σ)

| A(σ U σ)

| E(σ R σ)

| A(σ R σ)



&

$

%

The CTL Model-Checking Problem

Given

• Kripke structure M = 〈S,A, R, `, sI〉

• CTL formula (in PNF) σ

Determine Does sI |=M σ?

One approach

1. Define proof rules for CTL correctness assertions s `M σ.

2. Use rules to develop proofs.



&

$

%

Sample Proof Rules

Recall M = 〈S,A, R, `, sI〉.

a ∈ `(s)

s `M a(A)

a 6∈ `(s)

s `M ¬a(¬A)

s `M σ1

s `M σ1 ∨ σ2

(∨1)s `M σ2

s `M σ1 ∨ σ2

(∨2)

s `M σ1 s `M σ2

s `M σ1 ∧ σ2

(∧)

Are these rules sound? Complete?



&

$

%

Proof Rules for CTL Next-Step Modalities

How can we prove assertions of form s `M EXσ? s `M AXσ?

• M contains information about transitions from states.

• Proof rules should use this information.

s′ `M σ 〈s, s′〉 ∈ R

s `M EXσ(EX)

s1 `M σ · · · sn `M σ {s1, . . . , sn} = { s′ | 〈s, s′〉 ∈ R }

s `M AXσ(AX)



&

$

%

Proof Rules for U, R Modalities

Idea Use recursive characterizations of modalities.

Notation σ1 ≡ σ2 means: for all M, s, s |=M σ1 iff s |=M σ2.

Then: AFσ ≡ σ ∨ AX(AFσ).

σ ∨ AX (AF σ)

σ

σ

σ

σ σ

σ

AF σ

AF σ

σ



&

$

%

Other Recursive Characterizations

EFσ ≡

AGσ ≡

E(σ1 U σ2) ≡

E(σ1 R σ2) ≡



&

$

%

Turning Recursion into Proof Rules: U

s `M σ2

s `M E(σ1 U σ2)(EU1)

s `M σ2

s `M A(σ1 U σ2)(AU1)

s `M σ1 s′ `M E(σ1 U σ2) 〈s, s′〉 ∈ R

s `M E(σ1 U σ2)(EU2)

s `M σ1

s1 `M A(σ1 U σ2) · · · sn `M A(σ1 U σ2)

{s1, . . . , sn} = { s′ | 〈s, s′〉 ∈ R }

s `M A(σ1 U σ2)

(AU2)



&

$

%

Turning Recursion into Proof Rules: R

s `M σ1 s `M σ2

s `M E(σ1 R σ2)(ER1)

s `M σ1 s `M σ2

s `M A(σ1 R σ2)(AR1)

s `M σ2 s′ `M E(σ1 R σ2) 〈s, s′〉 ∈ R

s `M E(σ1 R σ2)(ER2)

s `M σ2

s1 `M A(σ1 R σ2) · · · sn `M A(σ1 R σ2)

{s1, . . . , sn} = { s′ | 〈s, s′〉 ∈ R }

s `M A(σ1 R σ2)

(AR2)



&

$

%

But What about Circular Proofs?

Consider proof of E(a U b) for Kripke structure below.

s0 : {a, c}

s1 : {a}s0 `M E(a U b)

s0 `M a s1 `M E(a U b)

a ∈ `(s0) s1 `M a

a ∈ `(s1)

s0 `M E(a U b)

Circularity is bad!



&

$

%

But What about Circular Proofs (cont.)?

Consider proof of EG a for Kripke structure below.

s0 : {a, c}

s1 : {a}s0 `M a

a ∈ `(s0) s1 `M a

a ∈ `(s1)

s0 `M EG a

s1 `M EG a

s0 `M EG a

Circularity is good!



&

$

%

Is Circularity Bad Or Good?

It depends on the modality ... but how? And why?

Precise answers depend on understanding fixpoint characterizations of the CTL

operators.

These characterizations will also lead to model-checking algorithms for finite-state

Kripke structures.



&

$

%

CTL Formulas and Fixpoints

Recall:

AFσ ≡ σ ∨ AX(AFσ)

Equivalently, AFσ may be seen as:

• a solution to the equation

w ≡ σ ∨ AXw,

• a fixpoint of the function

f(w) = σ ∨ AXw

Is the solution to the above equation unique? No! Consider the formula tt:

tt ≡ σ ∨ AX tt (why?).



&

$

%

So What?

AFσ is a solution to an equation, but not a unique solution.

How does this help us with circularity?

Answer Tarski!

... Polish emigre mathematician

... Active in early to mid 1900’s

... Well-known for work in logic, algebra, lattice theory

In 1950’s, Tarski and Knaster proved:

Theorem (Tarski-Knaster Fixpoint Theorem) Every monotonic function over a

complete lattice has a complete lattice of fixpoints.



&

$

%

Complete Lattice?

A complete lattice consists of:

• a set E of elements

• a partial ordering (“less than or equal to”) v⊆ E × E

• a least upper-bound operator⊔

∈ 2E → E

• a greatest lower-bound operatord

∈ 2E → E

Example Let S be a set. Then take:

• E = 2S

• v=⊆•⊔

=⋃

•d

=⋂

This is a complete lattice!



&

$

%

Facts about Lattices

Theorem Let 〈E,v,⊔,d〉 be a complete lattice. Then:

1. E has a greatest element > =⊔E =

d∅.

2. E has a least element ⊥=⊔∅ =

dE.

3. (Tarski-Knaster). Let f ∈ E → E be monotonic, i.e. if e1 v e2 then

f(e1) v f(e2). Then the structure 〈{ e | e = f(e) },v,⊔,d〉 is also a

complete lattice (“complete lattice of fixpoints”).



&

$

%

How Can This Possibly Help?

All the equations describing CTL operators have unique least and greatest

solutions! Let M = 〈S,A, `, R, sI〉 be a Kripke structure.

• 〈2S ,⊆,⋃,⋂〉 forms a complete lattice.

• Each equation has equivalent form w = f(w) where f maps sets of states

(meanings of formulas) to sets of states.

• Each of the f turns out to be monotonic over the lattice.

• Any complete lattice has a unique greatest and least element.



&

$

%

Example

AFσ is the unique least solution to w ≡ f(w), where f(w) ≡ σ ∨ AXw.

(More precisely, the set of states satisfying AFσ is the smallest set satisfying the

equation.)

That is, any other solution is implied by AFσ.

What is the largest?



&

$

%

Another Example

Consider:

f(w) = σ ∧ EXw

What is the least fixpoint? Greatest fixpoint?



&

$

%

One More Example

Consider:

f(w) = σ2 ∨ (σ1 ∧ AXw)

What is the least fixpoint? Greatest fixpoint?



&

$

%

Recall Motivation: Circular Reasoning

Least fixpoint CTL operator: Circularity bad!

Greatest fixpoint CTL operator: Circularity good!



&

$

%

Circularity Example #1

s0 : {a, c}

s1 : {a}s0 `M E(a U b)

s0 `M a s1 `M E(a U b)

a ∈ `(s0) s1 `M a

a ∈ `(s1)

s0 `M E(a U b)

• Circularity involves least-fixpoint operator (EU)

• This proof is therefore invalid.



&

$

%

Circularity Example #2

s0 : {a, c}

s1 : {a}s0 `M a

a ∈ `(s0) s1 `M a

a ∈ `(s1)

s0 `M EG a

s1 `M EG a

s0 `M EG a

• Circularity involves greatest-fixpoint operator (EG)

• This proof is therefore valid.



&

$

%

Constructing Proofs for s `M σ

• Use proof rules

A,¬A,∨1,∨2,∧, EX, AX, EU1, EU2, AU1, AU2, ER1, ER2, AR1, AR2

• Proofs are valid if they end in leaves or circularities only involve maximum

fixpoint formulas.



&

$

%

Example (Invalid) Proof: AFAGa

s0 : {a}

s1 : { }

s2 : {a}s0 `M AFAG a

. . .

s1 `M AFAG a

s0 `M AFAG a



&

$

%

Soundness and Completeness

• Proof construction is sound.

• Proof construction is complete for finite-state Kripke structures.

• Rules can be modified to be complete for arbitrary Kripke structures (sets of

states rather than single states on the left of `M ).



&

$

%

Algorithmic Model Checking

• We have talked about model-checking in terms of proof.

• For certain kinds of Kripke structures (i.e. finite-state), model-checking can be

performed automatically.

• Model-checking algorithms may be seen as conducting proof search.



&

$

%

The Finite-State Model-Checking Problem for CTL

Given

• Kripke structure M = 〈S,A, R, `, sI〉 with |S| < ∞

• CTL formula σ

Compute

• Does sI |=M σ?



&

$

%

Traditional CTL Model-Checking Algorithms

• Compute all states in S satisfying σ.

• See if sI is in this set.

Why is the calculation of these sets of states be possible?

Because of Kleene and the recursive characterizations of operators!



&

$

%

Continuous Functions on Lattices

Definition Let 〈E,v,⊔,d〉 be a lattice. Then f ∈ E → E is continuous if

for every chain e0 v e1 v · · ·,

f(∞⊔

i=0

ei) =∞⊔

i=0

f(ei)

Lemma

1. Every continuous function is monotonic.

2. If |E| < ∞ then every monotonic function is continous.



&

$

%

Kleene’s Fixpoint Theorem

Let 〈E,v,⊔,d〉 be a complete lattice, and let f ∈ E → E be continuous.

Then µf ∈ E and νf ∈ E, the least and greatest fixpoints of f , respectively,

can be given as follows.

µf =∞⊔

i=0

fi, where

f0 = ⊥

fi+1 = f(fi)

νf =∞l

i=0

fi, where

f0 = >

fi+1 = f(fi)



&

$

%

How Does This Help?

• For a finite-state Kripke structure 〈S,A, R, `, sI〉, complete lattice

〈2S ,⊆,⋃,⋂〉 is finite.

• CTL operators are least / greatest fixpoints of functions f(w) over this lattice.

• All functions for PNF CTL are monotonic, hence continuous over this lattice.



&

$

%

Calculating the Least Solution to an Equation

Assume equation is w ≡ f(w).

• Set w = ∅ (i.e. ff).

• Compute f(w).

• If w = f(w) we’re done; otherwise set w to f(w) and repeat.

E.g. w ≡ a ∨ AXw. (In other words, which states satisfy AF a?)

w f(w)

∅ {1} |= a ∨ AX∅

{1} {1, 2} |= a ∨ AX{1}

{1, 2} {1, 2} |= a ∨ AX{1, 2}

0

1 2

3

a



&

$

%

Another Example: E(a U b)

We need to calculate the least solution to w ≡ b ∨ (a ∧ EXw).

w f(w)

0

1 2

3

ab

aa



&

$

%

Calculating the Largest Solution to an Equation

• Set w = S (i.e. tt)

• Compute f(w).

• If w = f(w), we’re done; otherwise, set w to f(w) and repeat.

E.g. w ≡ a ∧ EXw. (In other words, which states satisfy EG a?)

w f(w)

{0, 1} {0} |= a ∧ EX{0, 1}

{0} {0} |= a ∧ EX{0}

0a

1



&

$

%

Least vs. Greatest: An Example

Consider the equation w ≡ b ∨ (a ∧ AXw).

Least solution:

w f(w)

Greatest solution:

w f(w)

0

1 2

3a

a

b



&

$

%

Classical CTL Model Checking

Recall that traditional CTL model checkers:

• Calculate all states that satisfy a given formula ...

• Then ask if the start state is in this set.

So how is the set of states calculated? By processing the formula from the inside

out!



&

$

%

Example: AFAG a

0

1

2

a

a

First: For AG a, calculate largest solution to w = a ∧ AXw.

w f(w)

Second: For AFw, compute least solution to y = w ∨ AX y.

y g(y)



&

$

%

Pragmatics I: Solving Equations Efficiently

Let M = 〈S,A, R, `, sI〉 be a Kripke structure.

Define: |M | = |S|+ |R|.

Claim: Equations defining CTL operators can be solved in |M | time.

How? Counters



&

$

%

Huh?

E.g. to get least solution to w = σ ∨ AXw (assuming σ already known):

• Associate counter to each state.

• Counter reflects number of transitions leading to states not in current

approximation to solution.

• When a state moves into solution, counters of states with transitions leading

to state must be updated.



&

$

%

Example: AF a

Must calculate smallest solution to w = a ∨ AXw

w = { }

0

2

3 4a

1a

1

1

2

2

1



&

$

%

Complexity

Best classical algorithms process each state/transition once per subformula.

How many subformulas are there in formula σ? |σ|! (|σ| is number of operators

in σ).

So for Kripke structure M , CTL formula σ, model checking takes: O(|M | · |σ|)

time.



&

$

%

Pragmatics II: “Short-circuiting”

... stop computation once status of start state is known.

E.g. If least solution is being calculated, and start state added to intermediate

approximation, can stop.

... does not affect complexity, but can improve “practical performance.”



&

$

%

Pragmatics III: On-the-fly Model Checking

... short-circuiting taken to the extreme.

... takes a “top-down” view (“what is the minimal information I need to compute to

check if sI |=M σ”).

Approaches can be formulated in terms of proof search involving proof rules like

the ones we have studied.

Subtlety: circularity.



&

$

%

Pragmatics IV: Efficient Data Structures

Classical algorithms require manipulations of sets of states:

• Unions, intersections

• Equality checking

• Transitions from/to sets of states

Model-checking also suffers from the State-Explosion Problem:

• Each Kripke-structure state, transition processed in worst case

• Number of Kripke-structure states is exponential in number of bits used in

“program” from which structure is generated

The right data structure can yield dramatic time/space improvements!



&

$

%

Example: (Ordered) Binary Decision Diagrams

In many applications states are fixed-width bit vectors.

OBDDs are data structures for compactly representing:

• functions in {0, 1}n → {0, 1}

• propositions in propositional logic over variables v0, . . . , vn−1

• sets of n-width bit vectors

Or / union, and / intersection, negation / complementation, equality all supported

efficiently.

In hardware community, most successful model checkers use OBDDs.



&

$

%

OBDDs and Sets of Fixed-Width Bit Vectors

Assume set v0, . . . , vn−1 of (boolean) variables, total ordering on variables

An OBDD is...

• a directed acyclic graph, with

• a leaf labeled 0 and a leaf labeled 1, and

• each internal node labeled by a vi, and

• each node having two edges, one labeled 0 and one 1, and

• the label of each node preceding those of its successors in the total order

In addition, OBDDs satisfy:

1. No isomorphic subgraphs

2. No “don’t cares”



&

$

%

Example

An OBDD for the set {000, 001, 011} with ordering v0v1v2.

0

1

01

1

0

v2

1 0

v1

v0

Equivalent proposition: ¬v0 ∧ (¬v1 ∨ v2)



&

$

%

Example

An OBDD for the set {000, 001, 011} with ordering v2v0v1.

1

0

0

0

1

1

10

v2

v0v0

v1

1

0

Equivalent proposition is the same: ¬v0 ∧ (¬v1 ∨ v2)



&

$

%

Facts about OBDDs

1. Variable ordering influences size of OBDDs.

2. Given a fixed variable ordering, set representation is canonical (equal sets

have isomorphic OBDDs).

3. Efficient implementations exist for union, intersection, complementation,

projection, ....



&

$

%

How Are OBDDs Used in Model Checking?

... To represent Kripke structures

• States represented as bit-vectors of length n

• Transitions represented as bit-vectors of length 2n

... To represent approximate solutions during equation solving

• If w = f(w) is an equation, process of “applying” f to get new

approximations can be given as function on OBDDs



&

$

%

OBDD Impact on Model Checking

• Multiple orders of magnitude improvement on Kripke-structure size

– Pre-OBDD (1989): 106 states possible

– Post-OBDD (1990): 1020 states possible

• Symbolic model checking

– OBDDs can be seen as representations of boolean propositions

– Other boolean-proposition representations have been studied, and SAT

solvers used to implement model checkers


ctl model checking - university of maryland · cmsc 630 february 25, 2015 1 ctl model checking goal...

Documents