Formal Verification, Lecture 5: Computation Tree Logic (CTL)
Jacques Fleuriot, jdf@inf.ac.uk
With thanks to Bob Atkey for some of the diagrams.
Recap
▶ Previously: Linear-time Temporal Logic
▶ This time: a branching-time logic, Computation Tree Logic (CTL)
  ▶ Syntax and Semantics
  ▶ Comparison with LTL, CTL∗
  ▶ Model checking CTL
CTL Syntax
Assume a set Atom of atomic propositions. Each temporal connective is a pair of a path quantifier (A, "for all paths", or E, "there exists a path") and an LTL-like temporal operator X, F, G, U.
$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \varphi \to \varphi \mid \mathrm{AX}\,\varphi \mid \mathrm{EX}\,\varphi \mid \mathrm{AF}\,\varphi \mid \mathrm{EF}\,\varphi \mid \mathrm{AG}\,\varphi \mid \mathrm{EG}\,\varphi \mid \mathrm{A}[\varphi\,\mathrm{U}\,\varphi] \mid \mathrm{E}[\varphi\,\mathrm{U}\,\varphi]$
where $p \in \mathrm{Atom}$.
Precedence (high to low): (AX, EX, AF, EF, AG, EG, ¬), (∧, ∨), →
CTL Semantics 1: Transition Systems and Paths
(This is the same as for LTL.)
Definition (Transition System)
A transition system $M = \langle S, \to, L \rangle$ consists of:
$S$, a finite set of states;
$\to \subseteq S \times S$, a transition relation such that $\forall s_1 \in S.\ \exists s_2 \in S.\ s_1 \to s_2$;
$L : S \to \mathcal{P}(\mathrm{Atom})$, a labelling function.
Definition (Path)
A path $\pi$ in a transition system $M = \langle S, \to, L \rangle$ is an infinite sequence of states $s_0, s_1, \ldots$ such that $\forall i \geq 0.\ s_i \to s_{i+1}$.
Paths are written as: $\pi = s_0 \to s_1 \to s_2 \to \ldots$
CTL Semantics 2: Satisfaction Relation
The satisfaction relation $M, s \models \varphi$ is read as "state $s$ in model $M$ satisfies CTL formula $\varphi$". We often leave $M$ implicit.
The propositional connectives:
$s \models \top$
$s \not\models \bot$
$s \models p$ iff $p \in L(s)$
$s \models \neg\varphi$ iff $s \not\models \varphi$
$s \models \varphi \wedge \psi$ iff $s \models \varphi$ and $s \models \psi$
$s \models \varphi \vee \psi$ iff $s \models \varphi$ or $s \models \psi$
$s \models \varphi \to \psi$ iff $s \models \varphi$ implies $s \models \psi$
CTL Semantics 2: Satisfaction Relation (continued)
The temporal connectives, assuming path $\pi = s_0 \to s_1 \to s_2 \to \ldots$:
$s \models \mathrm{AX}\,\varphi$ iff $\forall \pi$ s.t. $s_0 = s$. $s_1 \models \varphi$
$s \models \mathrm{EX}\,\varphi$ iff $\exists \pi$ s.t. $s_0 = s$. $s_1 \models \varphi$
$s \models \mathrm{AG}\,\varphi$ iff $\forall \pi$ s.t. $s_0 = s$. $\forall i.\ s_i \models \varphi$
$s \models \mathrm{EG}\,\varphi$ iff $\exists \pi$ s.t. $s_0 = s$. $\forall i.\ s_i \models \varphi$
$s \models \mathrm{AF}\,\varphi$ iff $\forall \pi$ s.t. $s_0 = s$. $\exists i.\ s_i \models \varphi$
$s \models \mathrm{EF}\,\varphi$ iff $\exists \pi$ s.t. $s_0 = s$. $\exists i.\ s_i \models \varphi$
$s \models \mathrm{A}[\varphi\,\mathrm{U}\,\psi]$ iff $\forall \pi$ s.t. $s_0 = s$. $\exists i.\ s_i \models \psi$ and $\forall j < i.\ s_j \models \varphi$
$s \models \mathrm{E}[\varphi\,\mathrm{U}\,\psi]$ iff $\exists \pi$ s.t. $s_0 = s$. $\exists i.\ s_i \models \psi$ and $\forall j < i.\ s_j \models \varphi$
Note: the semantics for AX and EX is given differently in H&R.
CTL in Pictures
AX φ: For every next state, φ holds.
EX φ: There exists a next state where φ holds.
AF φ: For all paths, there exists a future state where φ holds.
EF φ: There exists a path with a future state where φ holds.
AG φ: For all paths, for all states along them, φ holds.
EG φ: There exists a path such that, for all states along it, φ holds.
A [φ U ψ]: For all paths, ψ eventually holds, and φ holds at all states earlier.
E [φ U ψ]: There exists a path where ψ eventually holds, and φ holds at all states earlier.
Examples of CTL formulas (and their possible readings)
▶ EF φ: it is possible to get to a state where φ is true
▶ AG AF enabled: a certain process is enabled infinitely often on every computation path
▶ AG (requested → AF acknowledged): for any state, if a request occurs, then it will eventually be acknowledged
▶ AG (φ → E [φ U ψ]): for any state, if φ holds, then there is a future where ψ eventually holds, and φ holds for all points in between
▶ AG (φ → EG ψ): for any state, if φ holds, then there is a future where ψ always holds
▶ EF AG φ: there exists a possible state in the future, from where φ is always true
CTL Equivalences
de Morgan dualities for the temporal connectives:
$\neg\mathrm{EX}\,\varphi \equiv \mathrm{AX}\,\neg\varphi$
$\neg\mathrm{EF}\,\varphi \equiv \mathrm{AG}\,\neg\varphi$
$\neg\mathrm{EG}\,\varphi \equiv \mathrm{AF}\,\neg\varphi$
Also have:
$\mathrm{AF}\,\varphi \equiv \mathrm{A}[\top\,\mathrm{U}\,\varphi]$
$\mathrm{EF}\,\varphi \equiv \mathrm{E}[\top\,\mathrm{U}\,\varphi]$
$\mathrm{A}[\varphi\,\mathrm{U}\,\psi] \equiv \neg(\mathrm{E}[\neg\psi\,\mathrm{U}\,(\neg\varphi \wedge \neg\psi)] \vee \mathrm{EG}\,\neg\psi)$
From these, one can show that the sets {AU, EU, EX} and {EU, EG, EX} are both adequate sets of temporal connectives.
Differences between LTL and CTL
LTL allows for questions of the form:
▶ For all paths, does the LTL formula φ hold?
▶ Does there exist a path on which the LTL formula φ holds? (Ask whether ¬φ holds on all paths, and ask for a counterexample.)
However, some path properties are impossible to express in CTL:
▶ E.g., path quantifiers that only consider paths where something happens infinitely often. Fair refinements of CTL exist that address this issue to some extent.
CTL allows mixing of path quantifiers:
▶ AG (p → EG q): for all paths, if p is true, then there exists a path on which q is always true.
The LTL formula G F p → G F q and the CTL formula AG AF p → AG AF q are not the same.
LTL vs CTL
The LTL formula G F p → G F q and the CTL formula AG AF p → AG AF q are not the same.
The CTL formula is trivially satisfied, because AG AF p is not satisfied. The LTL formula is not satisfied, because the path cycling through s0 forever satisfies G F p but not G F q.
LTL vs CTL
The LTL formula F G p and the CTL formula AF AG p are not the same. Exercise: Why?
CTL Model Checking
CTL Model Checking seeks to answer the question: is it the case that $M, s_0 \models \varphi$ for some initial state $s_0$?
CTL Model Checking algorithms usually fix $M = \langle S, \to, L \rangle$ and $\varphi$ and compute all states $s$ of $M$ that satisfy $\varphi$:
$[\![\varphi]\!]_M = \{ s \in S \mid M, s \models \varphi \}$, "the denotation of $\varphi$ in the model $M$"
The model checking question now becomes: $s_0 \in [\![\varphi]\!]_M$? (The model $M$ is usually left implicit.)
Denotation Semantics for CTL
We compute $[\![\varphi]\!]$ recursively on the structure of $\varphi$:
$[\![\top]\!] = S$
$[\![\bot]\!] = \emptyset$
$[\![p]\!] = \{ s \in S \mid p \in L(s) \}$
$[\![\neg\varphi]\!] = S - [\![\varphi]\!]$
$[\![\varphi \wedge \psi]\!] = [\![\varphi]\!] \cap [\![\psi]\!]$
$[\![\varphi \vee \psi]\!] = [\![\varphi]\!] \cup [\![\psi]\!]$
$[\![\varphi \to \psi]\!] = (S - [\![\varphi]\!]) \cup [\![\psi]\!]$
Since $[\![\varphi]\!]$ is always a finite set, these are computable.
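As an added example (not code from the lecture), the denotation semantics above and the equivalences from the CTL Equivalences slide implemented in Python over a small constructed model: the temporal connectives are computed from the adequate set {EX, EU, EG}, using the standard least/greatest fixpoint iteration that these slides do not show, and AX, AF, AG, EF, AU are derived from them. The nested-tuple formula encoding and the sample model are assumptions of this example.

```python
# Constructed model (not from the lecture): states 0..3. Every state has a
# successor, as the definition of a transition system requires.
S = frozenset({0, 1, 2, 3})
TRANS = {(0, 1), (1, 2), (1, 3), (2, 2), (3, 0)}          # the relation ->
LABEL = {0: {"requested"}, 1: set(), 2: {"acknowledged"}, 3: {"acknowledged"}}

def pre_exists(y):
    """States having at least one successor in y (one EX step backwards)."""
    return frozenset(s for (s, t) in TRANS if t in y)

def sat(phi):
    """Denotation [[phi]]: the set of states satisfying the CTL formula phi.
    Formulas are nested tuples, e.g. ("AG", ("imp", ("atom", "p"), ("AF", ("atom", "q"))))."""
    op = phi[0]
    if op == "true":  return S
    if op == "false": return frozenset()
    if op == "atom":  return frozenset(s for s in S if phi[1] in LABEL[s])
    if op == "not":   return S - sat(phi[1])
    if op == "and":   return sat(phi[1]) & sat(phi[2])
    if op == "or":    return sat(phi[1]) | sat(phi[2])
    if op == "imp":   return (S - sat(phi[1])) | sat(phi[2])
    if op == "EX":    return pre_exists(sat(phi[1]))
    if op == "EU":    # least fixpoint: grow from [[psi]] through phi-states that can step into it
        a, y = sat(phi[1]), sat(phi[2])
        while (y2 := y | (a & pre_exists(y))) != y:
            y = y2
        return y
    if op == "EG":    # greatest fixpoint: shrink [[phi]] to states that can stay inside it forever
        y = sat(phi[1])
        while (y2 := y & pre_exists(y)) != y:
            y = y2
        return y
    # Remaining connectives via the dualities and equivalences on the slides.
    if op == "AX": return sat(("not", ("EX", ("not", phi[1]))))
    if op == "EF": return sat(("EU", ("true",), phi[1]))
    if op == "AF": return sat(("not", ("EG", ("not", phi[1]))))
    if op == "AG": return sat(("not", ("EF", ("not", phi[1]))))
    if op == "AU":  # A[a U b] == not (E[not b U (not a and not b)] or EG not b)
        a, b = phi[1], phi[2]
        return sat(("not", ("or", ("EU", ("not", b), ("and", ("not", a), ("not", b))),
                                  ("EG", ("not", b)))))
    raise ValueError(f"unknown connective {op!r}")

def check(phi, s0):
    """The model checking question: is the initial state s0 in [[phi]]?"""
    return s0 in sat(phi)
```

With this model, `check(("AG", ("imp", ("atom", "requested"), ("AF", ("atom", "acknowledged")))), 0)` is true: every request at state 0 is followed on every path by an acknowledgement at state 2 or 3.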