computation tree logic (ctl) - forsiden - … of using ctl computation tree logic (ctl) is a...

Computation Tree Logic (CTL)

Fazle Rabbi

University of Oslo, Oslo, NorwayBergen University College, Bergen, Norway

[email protected], [email protected]

May 30, 2015

Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30, 2015 1 / 25

Model of Computation

Finite-state systems are modeled by labeled state transition graphs, calledKripke Structures.

Example

a,b

b,c c

Figure : State Transition Graph or Kripke Model

Formally, a Kripke structure is a triple M = 〈S ,R, L〉, where

S is the set of states,

R ⊆ S × S is the transition relation, and

L : S → P(AP) gives the set of atomic propositions true in each state.


Model of Computation

If some state is designated as the initial state, the structure can beunwound into an infinite tree with that state as the root.

Example (Unwind State Graph to obtain Infinite Tree)

a,b

b,c c

a,b

b,c c

a,b cc

State Transition Graph or Kripke Model Infinite Computation Tree

A path in M is an infinite sequence of states, π = s0, s1, ... such that fori ≥ 0, (si , si+1) ∈ R.


Motivation of using CTL

LTL formulas are evaluated on paths.A state of a system satisfies an LTL formula if all paths from the givenstate satisfy it.Thus, LTL implicitly quantifies universally over paths.Properties which assert the existence of a path cannot be expressedin LTL.

Example

From any state it is possible to get to the Restart state.


Motivation of using CTL

Computation Tree Logic (CTL) is a branching-time logic, meaning that itsmodel of time is a tree-like structure in which the future is not determined;there are different paths in the future, any one of which might be the‘actual path that is realised.In CTL, as well as the temporal operators X, F, G and U of LTL we alsohave quantifiers A and E which express ‘all paths’ and ‘exists a path’,respectively.

Example (Each computation tree has the state s0 as its root)

g gg

g

g

g

g

g

g

g

M, s0 |= EF g M, s0 |= AF g M, s0 |= EG g M, s0 |= AG g


Syntax of CTL

Definition

CTL formulas are inductively defined via a Backus Naur formφ ::= > | ⊥ | p | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ→ φ) | AXφ | EXφ |

AFφ | EFφ | AGφ | EGφ | A[φUφ] | E [φUφ]where p ranges over a set of atomic formulas.

Notice that each of the CTL temporal connectives is a pair of symbols.

Q T

there exists an execution Efor all execution A

X (next)F (finally)G (globally)U (until)(and possibly others)


Semantics of computation tree logic

Let M = (S,→, L) be a model. For a CTL formula φ. the relation M, s |= φ is defined bystructural induction on φ:

1 M, s |= > and M, s 2 ⊥2 M, s |= p iff p ∈ L(s)3 M, s |= ¬φ iff M, s 2 φ4 M, s |= φ1 ∧ φ2 iff M, s |= φ1 and M, s |= φ2

5 M, s |= φ1 ∨ φ2 iff M, s |= φ1 or M, s |= φ2

6 M, s |= φ1 → φ2 iff M, s 2 φ1 or M, s |= φ2

7 M, s |= AXφ iff for all s1 such that s → s1 we have M, s1 |= φ8 M, s |= EXφ iff for some s1 such that s → s1 we have M, s1 |= φ9 M, s |= AGφ holds iff for all paths s1 → s2 → s3 → ..., where s1 equals s, and all si along

the path, we have M, si |= φ10 M, s |= EGφ holds iff there is a path s1 → s2 → s3 → ..., where s1 equals s, and all si

along the path, we have M, si |= φ11 M, s |= AFφ holds iff for all paths s1 → s2 → s3 → ..., where s1 equals s, there is some si

such that M, si |= φ12 M, s |= EFφ holds iff there is a path s1 → s2 → s3 → ..., where s1 equals s, and for some

si along the path, we have M, si |= φ13 M, s |= A[φ1Uφ2] holds iff for all paths s1 → s2 → s3 → ..., where s1 equals s, that path

satisfies φ1Uφ2

14 M, s |= E [φ1Uφ2] holds iff there is path s1 → s2 → s3 → ..., where s1 equals s, and that

path satisfies φ1Uφ2


CTL Semantics: Intuitions (Cont.)

AX EX AG EG

AF EF A[ U ]1 2 E[ U ]1 2


Example of CTL formula

Example

There is a reachable state satisfying q: this is written EF q.

From all reachable states satisfying p, it is possible to maintain pcontinuously until reaching a state satisfying q: AG (p → E [p U q]).

Whenever a state satisfying p is reached, the system can exhibit qcontinuously forevermore: AG (p → EG q).

There is a reachable state from which all reachable states satisfy p:EF AG p.


Expressive Power

LTL and CTL have different expressive powers. The choice between LTLand CTL depends on the application and the personal preferences.

For example, there is no CTL formula that is equivalent to the LTLformula 32 p.

Likewise, there is no LTL formula that is equivalent to the CTLformula AG(EF p).

The disjunction 32 p ∨ AG(EF p) is a CTL∗ formula that is notexpressible in either CTL or LTL.

LTL CTL

CTL*


Expressive Power

There is no CTL formula that is equivalent to the LTL formula 32 p.

a a

a

a

a

a

a

a

a

a

a

M

s0 s1 s2

s0

s0

s0

s0

s1

s1

s1

s1

s2

s2s2

s2s2

M,s0 LTL a

M,s0 CTL AF (AG a)


Expressive Power

There is no LTL formula that is equivalent to the CTL formula AG(EF p).

This is shown by contradiction: assume ϕ ≡ AG(EF p); let:

a

M

s0 s1

M'

s0

M |= AG(EF p), and thus- by assumption- M |= ϕ

Paths(M ′) ⊆ Paths(M), Thus M ′ |= ϕ

But M ′ 2 AG(EF p) as path sw 2 G(EF p)


Equivalences between CTL formulas

Definition

Two CTL formulas φ and ψ are said to be semantically equivalent if anystate in any model which satisfies one of them also satisfies the other; wedenote this by φ ≡ ψ.

Example

¬AFφ ≡ EG¬φ¬EFφ ≡ AG¬φ¬AXφ ≡ EX¬φAFφ ≡ A[T U φ]EFφ ≡ E [T U φ]


Adequate sets of CTL connectives

There are ten basic CTL operators:

AX and EX

AF and EF

AG and EG

AU and EU

AR and ER

Each of the ten operators can be expressed in terms of three operatorsEX , EG , and EU:

AX φ = ¬EX (¬φ)

EF φ = E [>Uφ]

AG φ = ¬EF (¬φ)

AF φ = ¬EG (¬φ)

A[φUψ] ≡ ¬E [¬ψ U (¬φ ∧ ¬ψ)] ∧ ¬EG¬ψA[φRψ] ≡ ¬E [¬φ U ¬ψ]

E [φRψ] ≡ ¬A[¬φ U ¬ψ]


CTL Model checking

INPUT: a model M = (S ,→, L) and a CTL formula φ.OUTPUT: the set of states of M which satisfy φ.

First, we convert φ with the adequate sets of CTL connectives (i.e.,¬,∨,EX ,EU,EG ).Next, label the states of M with the subformulas of φ that are satisfiedthere, starting with the smallest subformulas and working outwardstowards φ.Suppose ψ is a subformula of φ and states satisfying all the immediatesubformulas of ψ have already been labelled. We determine by a caseanalysis which states to label with ψ.


CTL Model checking (cont..)

If ψ is

⊥: then no states are labelled with ⊥.

p: then label s with p if p ∈ L(s).

ψ1 ∧ψ2: label s with ψ1 ∧ψ2 if s is already labelled both with ψ1 andwith ψ2.

¬ψ1: label s with ¬ψ1 if s is not already labelled with ψ1.

EXψ1: label any state with EXψ1 if one of its successors is labelledwith ψ1.



If ψ is

E [ψ1Uψ2]:

If any state s is labelled with ψ2, label it with E [ψ1Uψ2].Repeat: label any state with E [ψ1Uψ2] if it is labelled with ψ1 and atleast one of its successors is labelled with E [ψ1Uψ2], until there is nochange. This step is illustrated in Figure

E[ U ]1 2

1

E[ U ]1 2

1

E[ U ]1 2



If ψ is

EGψ1:

Label all the states with EGψ1.If any state s is not labelled with ψ1, delete the label EGψ1.Repeat: delete the label EGψ1 from any state if none of its successorsis labelled with EGψ1 ; until there is no change.


Complexity of CTL Model checking algorithm

The complexity of the above mentioned algorithm isO(|f | × |S | × (|S |+ |R|)), where |f | is the number of connectives in theformula, |S | is the number of states and |R| is the number of transitions;the algorithm is linear in the size of the formula and quadratic in the sizeof the model.


A variant which is more efficient

For EX and EU we do as before (but take care to search the model bybackwards breadth-first search, for this ensures that we wont have to passover any node twice). For the EGψ case:

Restrict the graph to states satisfying ψ, i.e., delete all other states and their transitions;

Find the maximal strongly connected components (SCCs); these are maximal regions ofthe state space in which every state is linked with (= has a finite path to) every other onein that region.

Use backwards breadth-first search on the restricted graph to find any state that canreach an SCC.

states satisfying

EG scc

sccscc

The complexity of this algorithm is O(|f | × (|S |+ |R|)), i.e., linear both in the size of the modeland in the size of the formula


Fairness

Consider the dining philosopher problem. It is not very reasonable toassume that “One philosopher keeps eating forever.”

How can we rule out this behavior?One solution is to use ‘Fairness Constraints’

Fairness constraints rule out unrealistic executions


Fiarness (cont..)

Fairness Constraint

Sets of states (constraint) that must occur infinitely often along acomputation path to be considered

Usually described by a formula of the logic

Fairness constraints restrict the path quantifiers (E and A) to fairpaths

EF φ holds at state s only if there exists a fair path from s alongwhich φ holds

AG φ holds at s if φ holds in all states reachable from s along fairpaths.

If fairness constraints are interpreted as sets of states, then a fair pathmust contain an element of each fairness constraint infinitely often.If fairness constraints are interpreted as CTL formulas, then a path is fairif each constraint is true infinitely often along the path.


Fairness constraint in CTL

In CTL fairness constraints cannot be expressed!Solution:

Impose Fairness Constraints on top of the Kripke Model.

We call Fair Computation Paths those paths verifying a fairnessconstraint infinitely often.

We call Fair Kripke Models those models restricted to fair paths.

Formally, a fair Kripke structure is a 4-triple M = 〈S ,R, L,F 〉, whereS ,R, L are defined as before and F ⊆ 2S is a set of fairness constraints.Let π = s0, s1, ... be a path in M. defined

inf(π) = {s|s = si for infinitely many i }

We say that π is fair if and only if for every P ∈ F , inf (π) ∩ P 6= ∅.


References

Edmund M. Clarke Jr. and Orna Grumberg.

Model Checking.

The MIT Press, 1999.

Michael Huth and Mark Ryan

Logic in Computer Science: Modelling and Reasoning about Systems.

ISBN: 9780521543101


Thank You


computation tree logic (ctl) - forsiden - … of using ctl computation tree logic (ctl) is a...

Documents