Formal Verification. Lecture 5: Computation Tree Logic (CTL)


Jacques Fleuriot, jdf@inf.ac.uk. With thanks to Bob Atkey for some of the diagrams.

Recap
Previously: Linear-time Temporal Logic (LTL).
This time: a branching-time logic, Computation Tree Logic (CTL):
  syntax and semantics;
  comparison with LTL;
  CTL model checking.

CTL Syntax
Assume a set Atom of atomic propositions. CTL formulas are given by

  ϕ ::= ⊥ | ⊤ | p | ¬ϕ | ϕ ∧ ϕ | ϕ ∨ ϕ | ϕ → ϕ
      | AX ϕ | EX ϕ | AF ϕ | EF ϕ | AG ϕ | EG ϕ | A[ϕ U ϕ] | E[ϕ U ϕ]

where p ∈ Atom.
Each temporal connective is a pair of a path quantifier (A: for all paths; E: there exists a path) and an LTL-like temporal operator (X, F, G, U).
Precedence (high to low): (AX, EX, AF, EF, AG, EG, ¬), (∧, ∨), (→).

CTL Semantics 1: Transition Systems and Paths
(This is the same as for LTL.)
Definition (Transition System). A transition system M = ⟨S, →, L⟩ consists of
  S, a finite set of states;
  → ⊆ S × S, the transition relation;
  L : S → P(Atom), a labelling function;
such that ∀s₁ ∈ S. ∃s₂ ∈ S. s₁ → s₂ (every state has at least one successor).
Definition (Path). A path π in a transition system M = ⟨S, →, L⟩ is an infinite sequence of states s₀, s₁, ... such that ∀i ≥ 0. sᵢ → sᵢ₊₁. Paths are written as π = s₀ → s₁ → s₂ → ...

CTL Semantics 2: Satisfaction Relation
The satisfaction relation M, s ⊨ ϕ is read "state s in model M satisfies CTL formula ϕ". We often leave M implicit.
The propositional connectives:
  s ⊨ ⊤
  s ⊭ ⊥
  s ⊨ p      iff p ∈ L(s)
  s ⊨ ¬ϕ     iff s ⊭ ϕ
  s ⊨ ϕ ∧ ψ  iff s ⊨ ϕ and s ⊨ ψ
  s ⊨ ϕ ∨ ψ  iff s ⊨ ϕ or s ⊨ ψ
  s ⊨ ϕ → ψ  iff s ⊨ ϕ implies s ⊨ ψ

CTL Semantics 2: Satisfaction Relation (continued)
The temporal connectives, assuming path π = s₀ → s₁ → s₂ → ...:
  s ⊨ AX ϕ       iff ∀π s.t. s₀ = s. s₁ ⊨ ϕ
  s ⊨ EX ϕ       iff ∃π s.t. s₀ = s. s₁ ⊨ ϕ
  s ⊨ AG ϕ       iff ∀π s.t. s₀ = s. ∀i. sᵢ ⊨ ϕ
  s ⊨ EG ϕ       iff ∃π s.t. s₀ = s. ∀i. sᵢ ⊨ ϕ
  s ⊨ AF ϕ       iff ∀π s.t. s₀ = s. ∃i. sᵢ ⊨ ϕ
  s ⊨ EF ϕ       iff ∃π s.t. s₀ = s. ∃i. sᵢ ⊨ ϕ
  s ⊨ A[ϕ U ψ]   iff ∀π s.t. s₀ = s. ∃i. sᵢ ⊨ ψ and ∀j < i. sⱼ ⊨ ϕ
  s ⊨ E[ϕ U ψ]   iff ∃π s.t. s₀ = s. ∃i. sᵢ ⊨ ψ and ∀j < i. sⱼ ⊨ ϕ
Note: the semantics for AX and EX is given differently in H&R.

CTL in Pictures
  AX ϕ: for every next state, ϕ holds.
  EX ϕ: there exists a next state where ϕ holds.
  AF ϕ: for all paths, there exists a future state where ϕ holds.
  EF ϕ: there exists a path with a future state where ϕ holds.
  AG ϕ: for all paths, for all states along them, ϕ holds.
  EG ϕ: there exists a path such that, for all states along it, ϕ holds.
  A[ϕ U ψ]: for all paths, ψ eventually holds, and ϕ holds at all states earlier.
  E[ϕ U ψ]: there exists a path where ψ eventually holds, and ϕ holds at all states earlier.

Examples of CTL formulas (and their possible readings)
  EF ϕ: it is possible to get to a state where ϕ is true.
  AG AF enabled: a certain process is enabled infinitely often on every computation path.
  AG (requested → AF acknowledged): for any state, if a request occurs, then it will eventually be acknowledged.
  AG (ϕ → E[ϕ U ψ]): for any state, if ϕ holds, then there is a future where ψ eventually holds, and ϕ holds at all points in between.
  AG (ϕ → EG ψ): for any state, if ϕ holds, then there is a future where ψ always holds.
  EF AG ϕ: there exists a possible state in the future from where ϕ is always true.

CTL Equivalences
De Morgan dualities for the temporal connectives:
  ¬EX ϕ ≡ AX ¬ϕ
  ¬EF ϕ ≡ AG ¬ϕ
  ¬EG ϕ ≡ AF ¬ϕ
Also have:
  AF ϕ ≡ A[⊤ U ϕ]
  EF ϕ ≡ E[⊤ U ϕ]
  A[ϕ U ψ] ≡ ¬(E[¬ψ U (¬ϕ ∧ ¬ψ)] ∨ EG ¬ψ)
From these, one can show that the sets {AU, EU, EX} and {EU, EG, EX} are both adequate sets of temporal connectives.

Differences between LTL and CTL
LTL allows for questions of the form:
  For all paths, does the LTL formula ϕ hold?
  Does there exist a path on which the LTL formula ϕ holds?
(Ask whether ϕ holds on all paths, and ask for a counterexample.)
CTL allows mixing of path quantifiers: AG (p → EG q), "for all paths, if p is true, then there exists a path on which q is always true".
However, some path properties are impossible to express in CTL:
  LTL: G F p → G F q
  CTL: AG AF p → AG AF q
are not the same.
There exist fair refinements of CTL that address this issue to some extent, e.g. path quantifiers that only consider paths where something happens infinitely often.

LTL vs CTL
  LTL: G F p → G F q
  CTL: AG AF p → AG AF q
are not the same. For the model in the slide's diagram: the CTL formula is trivially satisfied, because AG AF p is not satisfied; the LTL formula is not satisfied, because the path cycling through s₀ forever satisfies G F p but not G F q.

LTL vs CTL
  LTL: F G p
  CTL: AF AG p
are not the same. Exercise: why?

CTL Model Checking
CTL model checking seeks to answer the question: is it the case that M, s₀ ⊨ ϕ for some initial state s₀?
CTL model checking algorithms usually fix M = ⟨S, →, L⟩ and ϕ and compute all states s of M that satisfy ϕ:
  ⟦ϕ⟧_M = {s ∈ S | M, s ⊨ ϕ}, the denotation of ϕ in the model M.
The model checking question now becomes: s₀ ∈ ⟦ϕ⟧_M? (The model M is usually left implicit.)

Denotational Semantics for CTL
We compute ⟦ϕ⟧ recursively on the structure of ϕ:
  ⟦⊤⟧ = S
  ⟦⊥⟧ = ∅
  ⟦p⟧ = {s ∈ S | p ∈ L(s)}
  ⟦¬ϕ⟧ = S \ ⟦ϕ⟧
  ⟦ϕ ∧ ψ⟧ = ⟦ϕ⟧ ∩ ⟦ψ⟧
  ⟦ϕ ∨ ψ⟧ = ⟦ϕ⟧ ∪ ⟦ψ⟧
  ⟦ϕ → ψ⟧ = (S \ ⟦ϕ⟧) ∪ ⟦ψ⟧
Since ⟦ϕ⟧ is always a finite set, these are computable.

Denotational Semantics of the Temporal Connectives
  ⟦EX ϕ⟧ = pre∃(⟦ϕ⟧)
  ⟦AX ϕ⟧ = pre∀(⟦ϕ⟧)
where
  pre∃(Y) = {s ∈ S | ∃s′ ∈ S. (s → s′) ∧ s′ ∈ Y}
  pre∀(Y) = {s ∈ S | ∀s′ ∈ S. (s → s′) → s′ ∈ Y}
These are again computable, because Y and S are finite. But what about the rest of the temporal connectives? E.g.
  ⟦EF ϕ⟧ = {s ∈ S | ∃π s.t. s₀ = s. ∃i. sᵢ ⊨ ϕ}
There is no obvious way to compute this: there are infinitely many paths π!

Approximating EF ϕ
Define
  EF⁰ ϕ = ⊥
  EFⁱ⁺¹ ϕ = ϕ ∨ EX EFⁱ ϕ
Then
  EF¹ ϕ = ϕ
  EF² ϕ = ϕ ∨ EX ϕ
  EF³ ϕ = ϕ ∨ EX (ϕ ∨ EX ϕ)
  ...
s ⊨ EFⁱ ϕ if there exists a finite path of length i − 1 from s and ϕ holds at some point along that path.
For a given (fixed) model M, let n = |S|. If there is a path of length k > n on which ϕ holds somewhere, there will also be a path of length at most n. (Proof: take the k-length path and repeatedly cut out the segments between repeated states.) Therefore, for all k > n, EFᵏ ϕ = EFⁿ ϕ.

Computing EF ϕ
By a similar argument, ⟦EF ϕ⟧ = ⟦EFⁿ ϕ⟧. The approximations can be computed by recursion on i:
  ⟦EF⁰ ϕ⟧ = ∅
  ⟦EFⁱ⁺¹ ϕ⟧ = ⟦ϕ⟧ ∪ pre∃(⟦EFⁱ ϕ⟧)
So we have an effective way of computing ⟦EF ϕ⟧.

Approximating EG ϕ
Define
  EG⁰ ϕ = ⊤
  EGⁱ⁺¹ ϕ = ϕ ∧ EX EGⁱ ϕ
Then
  EG¹ ϕ = ϕ
  EG² ϕ = ϕ ∧ EX ϕ
  EG³ ϕ = ϕ ∧ EX (ϕ ∧ EX ϕ)
  ...
s ⊨ EGⁱ ϕ if there exists a finite path of length i − 1 from s and ϕ holds at every point along that path.
As with EF ϕ, we have for all k > n, EGᵏ ϕ = EGⁿ ϕ = EG ϕ, and so we can compute ⟦EG ϕ⟧.

Fixed Point Theory
What's happening here is that we are computing fixed points. A set X ⊆ S is a fixed point of a function F : P(S) → P(S) iff F(X) = X.
We have that (for n = |S|)
  ⟦EFⁿ ϕ⟧ = ⟦EFⁿ⁺¹ ϕ⟧ = ⟦ϕ ∨ EX EFⁿ ϕ⟧ = ⟦ϕ⟧ ∪ pre∃(⟦EFⁿ ϕ⟧)
so ⟦EFⁿ ϕ⟧ is a fixed point of F(Y) = ⟦ϕ⟧ ∪ pre∃(Y). Also, ⟦EF ϕ⟧ is a fixed point of F, since ⟦EF ϕ⟧ = ⟦EFⁿ ϕ⟧. More specifically, they are both the least fixed point of F.

Fixed Point Theorem
Let F : P(S) → P(S) be a function that takes sets to sets. F is monotone iff X ⊆ Y implies F(X) ⊆ F(Y). Let F⁰(X) = X and Fⁱ⁺¹(X) = F(Fⁱ(X)).
Given a collection of sets C ⊆ P(S), a set X ∈ C is
  1. the least element of C if ∀Y ∈ C. X ⊆ Y; and
  2. the greatest element of C if ∀Y ∈ C. Y ⊆ X.
Theorem (Knaster-Tarski, special case). Let S be a set with n elements and F : P(S) → P(S) be a monotone function. Then Fⁿ(∅) is the least fixed point of F, and Fⁿ(S) is the greatest fixed point of F. (Proof: see H&R, Section 3.7.1.)
This theorem justifies Fⁿ(∅) and Fⁿ(S) being fixed points of F without the need, as before, to appeal to further details about F.

Denotational Semantics of Temporal Connectives
When F : P(S) → P(S) is a monotone function, we write µY. F(Y) for the least fixed point of F, and νY. F(Y) for the greatest fixed point of F. With this notation, we can define:
  ⟦EF ϕ⟧ = µY. ⟦ϕ⟧ ∪ pre∃(Y)
  ⟦EG ϕ⟧ = νY. ⟦ϕ⟧ ∩ pre∃(Y)
  ⟦AF ϕ⟧ = µY. ⟦ϕ⟧ ∪ pre∀(Y)
  ⟦AG ϕ⟧ = νY. ⟦ϕ⟧ ∩ pre∀(Y)
  ⟦E[ϕ U ψ]⟧ = µY. ⟦ψ⟧ ∪ (⟦ϕ⟧ ∩ pre∃(Y))
  ⟦A[ϕ U ψ]⟧ = µY. ⟦ψ⟧ ∪ (⟦ϕ⟧ ∩ pre∀(Y))
In every case, F is monotone, so the Knaster-Tarski theorem assures us that the fixed point exists and can be computed.
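To make the fixed-point algorithm concrete, here is an explicit-state CTL model checker added as an example for these slides; it is not the lecturer's code. It implements pre∃ and pre∀, the denotation ⟦·⟧ by recursion on the formula, the µ/ν characterisations above, and the approximation chain EF⁰ ϕ, EF¹ ϕ, ... from the "Approximating EF ϕ" slide. The model it runs on is constructed for the example: a request/acknowledge handshake (states idle, req, ack, lost; atoms requested, acknowledged) with a branch that drops the request. Running it shows that the liveness property AG (requested → AF acknowledged) fails because of the lossy branch, while the weaker possibility property AG (requested → EF acknowledged) holds in every state, the distinction the AF/EF readings earlier in the lecture make.

```python
"""Explicit-state CTL model checker via fixed points (added example, not
from the lecture).  Formulas are nested tuples,
e.g. ("AG", ("->", "requested", ("AF", "acknowledged")))."""
from typing import Callable, Dict, FrozenSet, List, Set, Tuple, Union

State = str
Formula = Union[str, tuple]   # atom name, "true"/"false", or ("op", ...)
Model = Tuple[FrozenSet[State], Set[Tuple[State, State]], Dict[State, Set[str]]]

# Constructed model (an assumption of this example): a request/acknowledge
# handshake with a faulty branch that silently drops the request.  Every
# state has a successor, so the transition relation is total.
STATES: FrozenSet[State] = frozenset({"idle", "req", "ack", "lost"})
TRANS: Set[Tuple[State, State]] = {
    ("idle", "idle"), ("idle", "req"),
    ("req", "ack"), ("req", "lost"),
    ("ack", "idle"),
    ("lost", "lost"),
}
LABEL: Dict[State, Set[str]] = {
    "idle": set(), "req": {"requested"}, "ack": {"acknowledged"}, "lost": set(),
}
MODEL: Model = (STATES, TRANS, LABEL)


def pre_E(model: Model, Y: Set[State]) -> Set[State]:
    """pre_E(Y): states with at least one successor in Y."""
    S, R, _ = model
    return {s for s in S if any((s, t) in R for t in Y)}


def pre_A(model: Model, Y: Set[State]) -> Set[State]:
    """pre_A(Y): states all of whose successors lie in Y."""
    S, R, _ = model
    return {s for s in S if all(t in Y for t in S if (s, t) in R)}


def fixed_point(F: Callable[[Set[State]], Set[State]], start) -> Set[State]:
    """Iterate F from `start` until F(Y) == Y.  Started from the empty set
    this is the least fixed point (mu), from the full state set the
    greatest (nu); for monotone F, Knaster-Tarski bounds this by |S| steps."""
    Y = set(start)
    while True:
        Z = F(Y)
        if Z == Y:
            return Y
        Y = Z


def sat(model: Model, phi: Formula) -> Set[State]:
    """Denotation [[phi]]: the set of states of the model satisfying phi."""
    S, _, L = model
    if phi == "true":
        return set(S)
    if phi == "false":
        return set()
    if isinstance(phi, str):                       # atomic proposition p
        return {s for s in S if phi in L[s]}
    op, *args = phi
    sub = [sat(model, a) for a in args]            # denotations of subformulas
    if op == "not":
        return set(S) - sub[0]
    if op == "and":
        return sub[0] & sub[1]
    if op == "or":
        return sub[0] | sub[1]
    if op == "->":
        return (set(S) - sub[0]) | sub[1]
    if op == "EX":
        return pre_E(model, sub[0])
    if op == "AX":
        return pre_A(model, sub[0])
    if op == "EF":   # mu Y. [[phi]] u pre_E(Y)
        return fixed_point(lambda Y: sub[0] | pre_E(model, Y), set())
    if op == "AF":   # mu Y. [[phi]] u pre_A(Y)
        return fixed_point(lambda Y: sub[0] | pre_A(model, Y), set())
    if op == "EG":   # nu Y. [[phi]] n pre_E(Y)
        return fixed_point(lambda Y: sub[0] & pre_E(model, Y), S)
    if op == "AG":   # nu Y. [[phi]] n pre_A(Y)
        return fixed_point(lambda Y: sub[0] & pre_A(model, Y), S)
    if op == "EU":   # mu Y. [[psi]] u ([[phi]] n pre_E(Y))
        return fixed_point(lambda Y: sub[1] | (sub[0] & pre_E(model, Y)), set())
    if op == "AU":   # mu Y. [[psi]] u ([[phi]] n pre_A(Y))
        return fixed_point(lambda Y: sub[1] | (sub[0] & pre_A(model, Y)), set())
    raise ValueError(f"unknown connective {op!r}")


def ef_approximations(model: Model, phi: Formula) -> List[Set[State]]:
    """The chain [[EF^0 phi]], [[EF^1 phi]], ... up to its first repetition,
    which the lecture shows must happen within n = |S| steps."""
    P = sat(model, phi)
    chain: List[Set[State]] = [set()]
    while len(chain) < 2 or chain[-1] != chain[-2]:
        chain.append(P | pre_E(model, chain[-1]))
    return chain


def holds(model: Model, s0: State, phi: Formula) -> bool:
    """The model-checking question: is s0 in [[phi]]?"""
    return s0 in sat(model, phi)


if __name__ == "__main__":
    liveness = ("AG", ("->", "requested", ("AF", "acknowledged")))
    possibility = ("AG", ("->", "requested", ("EF", "acknowledged")))
    print("AG(requested -> AF acknowledged) at idle:", holds(MODEL, "idle", liveness))
    print("AG(requested -> EF acknowledged) at idle:", holds(MODEL, "idle", possibility))
    print("EF approximation chain:", ef_approximations(MODEL, "acknowledged"))
```

Only the state lost satisfies AG (requested → AF acknowledged): from lost no request ever occurs, so the implication is vacuously true forever, whereas from idle, req and ack the path req → lost → lost → ... is a counterexample. The EF chain for acknowledged stabilises after the states ack, req and idle have been added, i.e. within |S| = 4 iterations, as the approximation argument predicts.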

Further CTL Equivalences
The fixed point characterisations of the CTL temporal connectives justify some more equivalences between CTL formulas:
  EF ϕ ≡ ϕ ∨ EX EF ϕ
  EG ϕ ≡ ϕ ∧ EX EG ϕ
  AF ϕ ≡ ϕ ∨ AX AF ϕ
  AG ϕ ≡ ϕ ∧ AX AG ϕ
  E[ϕ U ψ] ≡ ψ ∨ (ϕ ∧ EX E[ϕ U ψ])
  A[ϕ U ψ] ≡ ψ ∨ (ϕ ∧ AX A[ϕ U ψ])

Summary
CTL (H&R 3.4, 3.5, 3.6.1, 3.7):
  CTL syntax and semantics;
  comparison with LTL;
  model checking algorithm for CTL.
Next time: (a taste of) the LTL model checking algorithm.