FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)
Alessandro Artale
Faculty of Computer Science – Free University of Bolzano
artale@inf.unibz.it
http://www.inf.unibz.it/∼artale/
Some material (text, figures) displayed in these slides is courtesy of: M. Benerecetti, A. Cimatti, M. Fisher, F. Giunchiglia, M. Pistore, M. Roveri, R. Sebastiani.
Alessandro Artale (FM – First Semester – 2007/2008) – p. 1/37
Summary of Lecture IV
Computation Tree Logic: Intuitions.
CTL: Syntax and Semantics.
CTL in Computer Science.
CTL and Model Checking: Examples.
CTL Vs. LTL.
CTL*.
Computation Tree Logic Vs. LTL
LTL implicitly quantifies universally over paths:
$\mathcal{K}_M, s \models \varphi$ iff for every path $\pi$ starting at $s$, $\mathcal{K}_M, \pi \models \varphi$.
Properties that assert the existence of a path cannot be expressed. In particular, properties which mix existential and universal path quantifiers cannot be expressed.
The Computation Tree Logic, CTL, solves these problems!
• CTL explicitly introduces path quantifiers!
• CTL is the natural temporal logic interpreted over Branching Time Structures.
CTL at a glance
CTL is evaluated over branching-time structures (Trees).
CTL explicitly introduces path quantifiers:
• All Paths: $\Box_P$
• Exists a Path: $\Diamond_P$
Every temporal operator ($\bigcirc$, $\Box$, $\Diamond$, $\mathcal{U}$) is preceded by a path quantifier ($\Box_P$ or $\Diamond_P$).
Universal modalities: $\Box_P\bigcirc$, $\Box_P\Box$, $\Box_P\Diamond$, $\Box_P\,\mathcal{U}$. The temporal formula is true in all the paths starting in the current state.
Existential modalities: $\Diamond_P\bigcirc$, $\Diamond_P\Box$, $\Diamond_P\Diamond$, $\Diamond_P\,\mathcal{U}$. The temporal formula is true in some path starting in the current state.
CTL: Syntax
Countable set $\Sigma$ of atomic propositions: $p, q, \ldots$
The set FORM of formulas is:
$\varphi, \psi \to p \mid \top \mid \bot \mid \neg\varphi \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \Box_P\bigcirc\varphi \mid \Box_P\Box\varphi \mid \Box_P\Diamond\varphi \mid \Box_P(\varphi\,\mathcal{U}\,\psi) \mid \Diamond_P\bigcirc\varphi \mid \Diamond_P\Box\varphi \mid \Diamond_P\Diamond\varphi \mid \Diamond_P(\varphi\,\mathcal{U}\,\psi)$
CTL: Semantics
We interpret our CTL temporal formulas over Kripke Models linearized as trees (e.g. $\Box_P\Diamond\,\mathit{done}$).
[Figure: a Kripke model unwound into a computation tree whose nodes are labelled done / !done.]
Universal modalities ($\Box_P\bigcirc$, $\Box_P\Box$, $\Box_P\Diamond$, $\Box_P\,\mathcal{U}$): the temporal formula is true in all the paths starting in the current state.
Existential modalities ($\Diamond_P\bigcirc$, $\Diamond_P\Box$, $\Diamond_P\Diamond$, $\Diamond_P\,\mathcal{U}$): the temporal formula is true in some path starting in the current state.
CTL: Semantics (Cont.)
Let $\Sigma$ be a set of atomic propositions. We interpret our CTL temporal formulas over Kripke Models: $\mathcal{K}_M = \langle S, I, R, \Sigma, L \rangle$.
The semantics of a temporal formula is provided by the satisfaction relation:
$\models\ : (\mathcal{K}_M \times S \times \mathrm{FORM}) \to \{\mathit{true}, \mathit{false}\}$
CTL Semantics: The Propositional Aspect
We start by defining when an atomic proposition is true at a state/time "$s_i$" (for $p \in \Sigma$):
$\mathcal{K}_M, s_i \models p$ iff $p \in L(s_i)$
The semantics for the classical operators is as expected:
$\mathcal{K}_M, s_i \models \neg\varphi$ iff $\mathcal{K}_M, s_i \not\models \varphi$
$\mathcal{K}_M, s_i \models \varphi \wedge \psi$ iff $\mathcal{K}_M, s_i \models \varphi$ and $\mathcal{K}_M, s_i \models \psi$
$\mathcal{K}_M, s_i \models \varphi \vee \psi$ iff $\mathcal{K}_M, s_i \models \varphi$ or $\mathcal{K}_M, s_i \models \psi$
$\mathcal{K}_M, s_i \models \varphi \Rightarrow \psi$ iff if $\mathcal{K}_M, s_i \models \varphi$ then $\mathcal{K}_M, s_i \models \psi$
$\mathcal{K}_M, s_i \models \top$
$\mathcal{K}_M, s_i \not\models \bot$
CTL Semantics: The Temporal Aspect
Temporal operators have the following semantics, where $\pi = (s_i, s_{i+1}, \ldots)$ is a generic path outgoing from state $s_i$ in $\mathcal{K}_M$.
$\mathcal{K}_M, s_i \models \Box_P\bigcirc\varphi$ iff $\forall \pi = (s_i, s_{i+1}, \ldots).\ \mathcal{K}_M, s_{i+1} \models \varphi$
$\mathcal{K}_M, s_i \models \Diamond_P\bigcirc\varphi$ iff $\exists \pi = (s_i, s_{i+1}, \ldots).\ \mathcal{K}_M, s_{i+1} \models \varphi$
$\mathcal{K}_M, s_i \models \Box_P\Box\varphi$ iff $\forall \pi = (s_i, s_{i+1}, \ldots).\ \forall j \ge i.\ \mathcal{K}_M, s_j \models \varphi$
$\mathcal{K}_M, s_i \models \Diamond_P\Box\varphi$ iff $\exists \pi = (s_i, s_{i+1}, \ldots).\ \forall j \ge i.\ \mathcal{K}_M, s_j \models \varphi$
$\mathcal{K}_M, s_i \models \Box_P\Diamond\varphi$ iff $\forall \pi = (s_i, s_{i+1}, \ldots).\ \exists j \ge i.\ \mathcal{K}_M, s_j \models \varphi$
$\mathcal{K}_M, s_i \models \Diamond_P\Diamond\varphi$ iff $\exists \pi = (s_i, s_{i+1}, \ldots).\ \exists j \ge i.\ \mathcal{K}_M, s_j \models \varphi$
$\mathcal{K}_M, s_i \models \Box_P(\varphi\,\mathcal{U}\,\psi)$ iff $\forall \pi = (s_i, s_{i+1}, \ldots).\ \exists j \ge i.\ \mathcal{K}_M, s_j \models \psi$ and $\forall i \le k < j.\ \mathcal{K}_M, s_k \models \varphi$
$\mathcal{K}_M, s_i \models \Diamond_P(\varphi\,\mathcal{U}\,\psi)$ iff $\exists \pi = (s_i, s_{i+1}, \ldots).\ \exists j \ge i.\ \mathcal{K}_M, s_j \models \psi$ and $\forall i \le k < j.\ \mathcal{K}_M, s_k \models \varphi$
CTL Semantics: Intuitions
CTL is given by the standard boolean logic enhanced with temporal operators.
⊲ "Necessarily Next". $\Box_P\bigcirc\varphi$ is true in $s_t$ iff $\varphi$ is true in every successor state $s_{t+1}$.
⊲ "Possibly Next". $\Diamond_P\bigcirc\varphi$ is true in $s_t$ iff $\varphi$ is true in one successor state $s_{t+1}$.
⊲ "Necessarily in the future" (or "Inevitably"). $\Box_P\Diamond\varphi$ is true in $s_t$ iff $\varphi$ is inevitably true in some $s_{t'}$ with $t' \ge t$.
⊲ "Possibly in the future" (or "Possibly"). $\Diamond_P\Diamond\varphi$ is true in $s_t$ iff $\varphi$ may be true in some $s_{t'}$ with $t' \ge t$.
CTL Semantics: Intuitions (Cont.)
⊲ "Globally" (or "always"). $\Box_P\Box\varphi$ is true in $s_t$ iff $\varphi$ is true in all $s_{t'}$ with $t' \ge t$.
⊲ "Possibly henceforth". $\Diamond_P\Box\varphi$ is true in $s_t$ iff $\varphi$ is possibly true henceforth.
⊲ "Necessarily Until". $\Box_P(\varphi\,\mathcal{U}\,\psi)$ is true in $s_t$ iff necessarily $\varphi$ holds until $\psi$ holds.
⊲ "Possibly Until". $\Diamond_P(\varphi\,\mathcal{U}\,\psi)$ is true in $s_t$ iff possibly $\varphi$ holds until $\psi$ holds.
CTL Alternative Notation
Alternative notations are used for temporal operators.
$\Diamond_P$ → E: there Exists a path
$\Box_P$ → A: in All paths
$\Diamond$ → F: sometime in the Future
$\Box$ → G: Globally in the future
$\bigcirc$ → X: neXtime
CTL Semantics: Intuitions (Cont.)
[Figure: computation trees illustrating each modality, arranged by path quantifier (rows) and temporal operator (columns: next, finally, globally, p until q): AX p, AF p, AG p, A[p U q]; EX p, EF p, EG p, E[p U q].]
A Complete Set of CTL Operators
All CTL operators can be expressed via: $\Diamond_P\bigcirc$, $\Diamond_P\Box$, $\Diamond_P\,\mathcal{U}$
$\Box_P\bigcirc\varphi \equiv \neg\Diamond_P\bigcirc\neg\varphi$
$\Box_P\Diamond\varphi \equiv \neg\Diamond_P\Box\neg\varphi$
$\Diamond_P\Diamond\varphi \equiv \Diamond_P(\top\,\mathcal{U}\,\varphi)$
$\Box_P\Box\varphi \equiv \neg\Diamond_P\Diamond\neg\varphi \equiv \neg\Diamond_P(\top\,\mathcal{U}\,\neg\varphi)$
$\Box_P(\varphi\,\mathcal{U}\,\psi) \equiv \neg\Diamond_P\Box\neg\psi \wedge \neg\Diamond_P(\neg\psi\,\mathcal{U}\,(\neg\varphi \wedge \neg\psi))$
Safety Properties
Safety: "something bad will not happen"
Typical examples:
$\Box_P\Box\neg(\mathit{reactor\_temp} > 1000)$
$\Box_P\Box\neg(\mathit{one\_way} \wedge \Box_P\bigcirc\mathit{other\_way})$
$\Box_P\Box\neg((x = 0) \wedge \Box_P\bigcirc\Box_P\bigcirc\Box_P\bigcirc(y = z / x))$
and so on.....
Usually: $\Box_P\Box\neg\ldots$
Liveness Properties
Liveness: "something good will happen"
Typical examples:
$\Box_P\Diamond\,\mathit{rich}$
$\Box_P\Diamond(x > 5)$
$\Box_P\Box(\mathit{start} \Rightarrow \Box_P\Diamond\,\mathit{terminate})$
and so on.....
Usually: $\Box_P\Diamond\ldots$
Fairness Properties
Often only really useful when scheduling processes, responding to messages, etc.
Fairness: "something is successful/allocated infinitely often"
Typical example:
$\Box_P\Box(\Box_P\Diamond\,\mathit{enabled})$
Usually: $\Box_P\Box\,\Box_P\Diamond\ldots$
The CTL Model Checking Problem
The CTL Model Checking Problem is formulated as: $\mathcal{K}_M \models \varphi$
Check if $\mathcal{K}_M, s_0 \models \varphi$, for every initial state $s_0$ of the Kripke structure $\mathcal{K}_M$.
Example 1: Mutual Exclusion (Safety)
N = noncritical, T = trying, C = critical
[Figure: Kripke structure for User 1 and User 2. States (User 1, User 2, turn): (N1, N2, turn=0); (T1, N2, turn=1); (N1, T2, turn=2); (C1, N2, turn=1); (T1, T2, turn=1); (T1, T2, turn=2); (N1, C2, turn=2); (C1, T2, turn=1); (T1, C2, turn=2).]
$\mathcal{K}_M \models \Box_P\Box\neg(C1 \wedge C2)$?
YES: There is no reachable state in which $(C1 \wedge C2)$ holds!
(Same as $\Box\neg(C1 \wedge C2)$ in LTL.)
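The following Python program is an added example, not code from the slides: an explicit-state CTL model checker that implements the semantics of the temporal operators (slide 10) by the labelling algorithm, using the complete operator set of slide 15 (EX, EG, EU in the alternative notation of slide 13) as primitives and reducing AX, AF, AG, EF and AU to them with the slide's equivalences. It is then run on a Kripke structure built after the mutual-exclusion figure of slide 22 to decide the safety question $\mathcal{K}_M \models \Box_P\Box\neg(C1 \wedge C2)$, a liveness property in the style of slide 18, and a property mixing both path quantifiers, which slide 3 notes LTL cannot express. The state names, the helper names (`sat`, `check`, `mutex_model`) and, in particular, the transition relation are my assumptions from reading the figure, not something the slides spell out.

```python
"""Explicit-state CTL model checking by labelling (added example, not from the slides)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

State = str
Formula = tuple  # ("p", name) | ("true",) | ("not", f) | ("and", f, g) | ("or", f, g)
                 # | ("EX", f) | ("EG", f) | ("EU", f, g)                   primitive modalities
                 # | ("AX", f) | ("AF", f) | ("AG", f) | ("EF", f) | ("AU", f, g)  derived ones


@dataclass
class Kripke:
    """K_M = <S, I, R, Sigma, L>; R is kept as a successor map and must be total."""
    states: FrozenSet[State]
    init: FrozenSet[State]
    succ: Dict[State, FrozenSet[State]]
    label: Dict[State, FrozenSet[str]]


def p(name: str) -> Formula:
    return ("p", name)


def implies(f: Formula, g: Formula) -> Formula:
    return ("or", ("not", f), g)


def sat(m: Kripke, f: Formula) -> Set[State]:
    """Set of states of m satisfying f (the labelling algorithm)."""
    op = f[0]
    if op == "true":
        return set(m.states)
    if op == "p":
        return {s for s in m.states if f[1] in m.label[s]}
    if op == "not":
        return set(m.states) - sat(m, f[1])
    if op == "and":
        return sat(m, f[1]) & sat(m, f[2])
    if op == "or":
        return sat(m, f[1]) | sat(m, f[2])
    if op == "EX":  # some successor satisfies f (slide 10, existential next)
        t = sat(m, f[1])
        return {s for s in m.states if m.succ[s] & t}
    if op == "EU":  # least fixpoint: psi-states, then phi-states with a successor already in
        phi, t = sat(m, f[1]), sat(m, f[2])
        while True:
            new = {s for s in phi - t if m.succ[s] & t}
            if not new:
                return t
            t |= new
    if op == "EG":  # greatest fixpoint: drop phi-states with no successor left inside
        t = sat(m, f[1])
        while True:
            drop = {s for s in t if not (m.succ[s] & t)}
            if not drop:
                return t
            t -= drop
    # derived modalities, exactly the equivalences of slide 15
    if op == "AX":
        return sat(m, ("not", ("EX", ("not", f[1]))))
    if op == "EF":
        return sat(m, ("EU", ("true",), f[1]))
    if op == "AG":
        return sat(m, ("not", ("EF", ("not", f[1]))))
    if op == "AF":
        return sat(m, ("not", ("EG", ("not", f[1]))))
    if op == "AU":
        phi, psi = f[1], f[2]
        return sat(m, ("and", ("not", ("EG", ("not", psi))),
                       ("not", ("EU", ("not", psi), ("and", ("not", phi), ("not", psi))))))
    raise ValueError(f"unknown operator {op!r}")


def check(m: Kripke, f: Formula) -> bool:
    """The model checking problem of slide 21: every initial state satisfies f."""
    return m.init <= sat(m, f)


def mutex_model() -> Kripke:
    """Constructed after the slide 22 figure; names are '<user1><user2>_<turn>'. Edges are assumed."""
    labels = {
        "N1N2_0": {"N1", "N2"}, "T1N2_1": {"T1", "N2"}, "N1T2_2": {"N1", "T2"},
        "C1N2_1": {"C1", "N2"}, "T1T2_1": {"T1", "T2"}, "T1T2_2": {"T1", "T2"},
        "N1C2_2": {"N1", "C2"}, "C1T2_1": {"C1", "T2"}, "T1C2_2": {"T1", "C2"},
    }
    edges = {
        "N1N2_0": {"T1N2_1", "N1T2_2"}, "T1N2_1": {"C1N2_1", "T1T2_1"},
        "N1T2_2": {"T1T2_2", "N1C2_2"}, "C1N2_1": {"N1N2_0", "C1T2_1"},
        "T1T2_1": {"C1T2_1"},           "T1T2_2": {"T1C2_2"},
        "N1C2_2": {"N1N2_0", "T1C2_2"}, "C1T2_1": {"N1T2_2"},
        "T1C2_2": {"T1N2_1"},
    }
    return Kripke(frozenset(labels), frozenset({"N1N2_0"}),
                  {s: frozenset(t) for s, t in edges.items()},
                  {s: frozenset(a) for s, a in labels.items()})


# Properties in the style of slides 17-19 (safety, liveness) and slide 3 (mixed quantifiers)
SAFETY = ("AG", ("not", ("and", p("C1"), p("C2"))))   # AG !(C1 & C2): the slide 22 question
LIVENESS = ("AG", implies(p("T1"), ("AF", p("C1"))))  # AG (T1 -> AF C1): a trying user gets in
RESET = ("AG", ("EF", p("N1")))                       # AG EF N1: mixes A and E, not an LTL property

if __name__ == "__main__":
    m = mutex_model()
    for name, f in [("SAFETY", SAFETY), ("LIVENESS", LIVENESS), ("RESET", RESET),
                    ("AF C1", ("AF", p("C1")))]:
        print(f"{name:8s} {check(m, f)}")
```

`sat` labels every state with the subformulas it satisfies, bottom-up, so `check` is just a subset test on the initial states, which is the formulation of slide 21. On this model the safety property holds because no state is labelled with both C1 and C2, so EF(C1 ∧ C2) is empty and its negation under AG covers every state. `AF C1` alone fails at the initial state: the cycle (N1,N2) → (N1,T2) → (N1,C2) → (N1,N2) never enters C1, which is exactly the set the EG fixpoint retains. The last property, AG EF N1, is satisfied and illustrates the mix of universal and existential path quantifiers that slide 3 gives as the motivation for CTL over LTL.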