Expressiveness CTL Model Checking

COMP

3

9

1 5

3Algorithmic Verification

<latexit sha1_base64="P4jUUJHo6g1yopyZBD74hiv3LdI=">AAAIZHicjVRbb9NIFD6kXEKWW6l4QEhooCBalIa4JYJqVcTSF14QRaIFqanQ2D5xRpnYZjxpG6L8Cn7d/oH9EfvEmWPnRgy7juw5/ubMd75zif1Uq8w2m39fqKxcvHT5SvVq7Y9r12/cvLV6+yhLBibAwyDRifnsywy1ivHQKqvxc2pQ9n2Nn/zevtv/dIomU0n80Q5TPOnLKFYdFUhL0JfVyve2j5GKR1b1vqUqsAOD41o7TkI8zqy0WO8orfd8PcAH2826ULGySuoTsfHV2xSjtsVz63fyNeuM9t+/OxiPx38uMxgMmUD6ySkKo6KuFUln76tHVHqnhGqnnOdUJRotU/mok7OfqXZLqHbLqSKDGJeJ0ruOqSw/r5xpiJqkMNWMhOW0Skha5STBUMZzeTmKVl0GAaZWxRGX6fzXdQqNPMubgmGEXIgydGeGuqoXqDeH7paiM4bWHNqa8Z5vFikJacWGV9/yGtNWkMq/dJQYZbt9FYgjNNMJZO0Yhwvz9+XWerPR5EssG15hrENxHSSrlTa0IYQEAhhAHxBisGRrkJDR7xg8aEJK2AmMCDNkKd5HGEONzg7IC8lDEtqjZ0RvxwUa07vjzPh0QFE03YZOCnhc+IRkdxjNVxdfzPn+KsaIuZ3GIa1+wdkn1EKX0P86N/H8v+dcTpYUvuRcFOlMGXFZBgsZdWjV9G5Jv3sOyRPJCumUISsgTBOaIy6GoTWvq8u8y3WW7Idk/S4Xd6oH3zj+xGeCaVp9ZjIUzeU9YE15rhLqdCal96yI7mrv8op4x50yhJ3Rvuu00zBhzqOMyGsLXrH3K9gj1OmVFNdV8gnjj+l28Xo8BYJ3cIFdMCKpFm7f5767majRvfyLaT+cVjPjPFz9keJ70IAW2f1p5IwrH5Bnh+5FBX3OVdHq5n6Zz2lxWZ7R0/VYsJ3MacgonoB97lfM/RAcyXkgc7jpzKvfWMoI4ZS7O2SdlnuC8Iw8M54ZzTmNWK/intf5H6JoR9NOxJ0dwgPKuUkdmuXsVM9nmnKlU45mp3WY/OeQJ6oLQtyd6SB7vtaLyvO6WZ7dfM4Rzum5B4/o7dFvlEw8c0SyJUlZyioM+yZFrfMTuSJTeM5mpgbuW+f9/GVbNo62G97zxvMP2+uv3xRfvSrcg4ewQfPyAl7DWziAQwgq/66Ilc2Vp1f+qV6rrlXv5K6VC8WZNVi4qvd/AB3w9Tw=</latexit>

Expressiveness, CTL Model Checking

Dr. Liam O’ConnorCSE, UNSW (for now)

Term 1 2020

1

Expressiveness CTL Model Checking

Comparing Logics

Formula Equivalence

Two formulae are equivalent iff they admit the same models.

∀A. (A |= P)⇔ (A |= Q)

P ≡ Q

Logic Expressiveness

A logic L1 is more expressive than a logic L2, written L2 ⊆ L1, iff:For all ϕ2 ∈ L2, there is a ϕ1 ∈ L1 such that ϕ1 ≡ ϕ2.

CTL ⊆ CTL∗? LTL ⊆ CTL∗? LTL ⊆ CTL? CTL ⊆ LTL?

2

Expressiveness CTL Model Checking

LTL ⊆ CTL∗

LTL formulae look like CTL∗ path formulae. How do we convertthem into equivalent state formulae?

Recall that A |= ϕ iff ∀ρ ∈ Traces(A). ρ |= ϕ

For all LTL formulae ϕ:

A |=LTL ϕ⇐⇒ A |=CTL∗ A ϕ

Proof follows trivially from the definition of A.

3

Expressiveness CTL Model Checking

LTL ⊆ CTL∗

LTL formulae look like CTL∗ path formulae. How do we convertthem into equivalent state formulae?

Recall that A |= ϕ iff ∀ρ ∈ Traces(A). ρ |= ϕ

For all LTL formulae ϕ:

A |=LTL ϕ⇐⇒ A |=CTL∗ A ϕ

Proof follows trivially from the definition of A.

4

Expressiveness CTL Model Checking

CTL ⊆ LTL?CTL Formula: AF AG •

LTL Formula: FG •? does this work?

p0 p1

p2

It’s not equivalent!

5

Expressiveness CTL Model Checking

CTL ⊆ LTL?CTL Formula: AF AG •

LTL Formula: FG •? does this work?

p0 p1

p2

It’s not equivalent!

6

Expressiveness CTL Model Checking

CTL ⊆ LTL?CTL Formula: AF AG •

LTL Formula: FG •? does this work?

p0 p1

p2

It’s not equivalent!

7

Expressiveness CTL Model Checking

CTL ⊆ LTL?CTL Formula: AF AG •

LTL Formula: FG •? does this work?

p0 p1

p2

It’s not equivalent!

8

Expressiveness CTL Model Checking

CTL 6⊆ LTLLet’s prove it.

Lemma (Trace Inclusion)

If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ

Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.

q0 q1

A B

Proof

Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!

9

Expressiveness CTL Model Checking

CTL 6⊆ LTLLet’s prove it.

Lemma (Trace Inclusion)

If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ

Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.

q0 q1

A B

Proof

Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!

10

Expressiveness CTL Model Checking

CTL 6⊆ LTLLet’s prove it.

Lemma (Trace Inclusion)

If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ

Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.

q0 q1

A B

Proof

Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!

11

Expressiveness CTL Model Checking

CTL 6⊆ LTLLet’s prove it.

Lemma (Trace Inclusion)

If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ

Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.

q0 q1

A B

Proof

Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!

12

Expressiveness CTL Model Checking

CTL 6⊆ LTLLet’s prove it.

Lemma (Trace Inclusion)

If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ

Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.

q0 q1

A B

Proof

Observe that B |= AG EF • butA 6|= AG EF •

Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!

13

Expressiveness CTL Model Checking

CTL 6⊆ LTLLet’s prove it.

Lemma (Trace Inclusion)

If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ

Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.

q0 q1

A B

Proof

Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.

But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!

14

Expressiveness CTL Model Checking

CTL 6⊆ LTLLet’s prove it.

Lemma (Trace Inclusion)

If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ

Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.

q0 q1

A B

Proof

Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.

Contradiction!

15

Expressiveness CTL Model Checking

CTL 6⊆ LTLLet’s prove it.

Lemma (Trace Inclusion)

If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ

Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.

q0 q1

A B

Proof

Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!

16

Expressiveness CTL Model Checking

LTL ⊆ CTL?

LTL Formula: F (• ∧ X •)

CTL Formula: AF (• ∧ AX •). Does this work?

q0 q3

q1q2 q4

Nope!

17

Expressiveness CTL Model Checking

LTL ⊆ CTL?

LTL Formula: F (• ∧ X •)CTL Formula: AF (• ∧ AX •). Does this work?

q0 q3

q1q2 q4

Nope!

18

Expressiveness CTL Model Checking

LTL ⊆ CTL?

LTL Formula: F (• ∧ X •)CTL Formula: AF (• ∧ AX •). Does this work?

q0 q3

q1q2 q4

Nope!

19

Expressiveness CTL Model Checking

LTL 6⊆ CTL

Lemma

It is possible to construct two families of automata Ai and Bi suchthat:

They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .

They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)

See the textbook (Baier and Katoen) for details.

Proof

Let ϕ be a CTL formula equivalent to F G •.Let k be the lengthof ϕ, i.e. k = |ϕ|. From lemma, Ak |= F G • and Bk 6|= F G •,but also Ak |= ϕ⇔ Bk |= ϕ, so ϕ cannot be equivalent.Contradiction!

20

Expressiveness CTL Model Checking

LTL 6⊆ CTL

Lemma

It is possible to construct two families of automata Ai and Bi suchthat:

They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .

They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)

See the textbook (Baier and Katoen) for details.

Proof

Let ϕ be a CTL formula equivalent to F G •.Let k be the lengthof ϕ, i.e. k = |ϕ|. From lemma, Ak |= F G • and Bk 6|= F G •,but also Ak |= ϕ⇔ Bk |= ϕ, so ϕ cannot be equivalent.Contradiction!

21

Expressiveness CTL Model Checking

LTL 6⊆ CTL

Lemma

It is possible to construct two families of automata Ai and Bi suchthat:

They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .

They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)

See the textbook (Baier and Katoen) for details.

Proof

Let ϕ be a CTL formula equivalent to F G •.

Let k be the lengthof ϕ, i.e. k = |ϕ|. From lemma, Ak |= F G • and Bk 6|= F G •,but also Ak |= ϕ⇔ Bk |= ϕ, so ϕ cannot be equivalent.Contradiction!

22

Expressiveness CTL Model Checking

LTL 6⊆ CTL

Lemma

It is possible to construct two families of automata Ai and Bi suchthat:

They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .

They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)

See the textbook (Baier and Katoen) for details.

Proof

Let ϕ be a CTL formula equivalent to F G •.Let k be the lengthof ϕ, i.e. k = |ϕ|.

From lemma, Ak |= F G • and Bk 6|= F G •,but also Ak |= ϕ⇔ Bk |= ϕ, so ϕ cannot be equivalent.Contradiction!

23

Expressiveness CTL Model Checking

LTL 6⊆ CTL

Lemma

It is possible to construct two families of automata Ai and Bi suchthat:

They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .

They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)

See the textbook (Baier and Katoen) for details.

Proof

Let ϕ be a CTL formula equivalent to F G •.Let k be the lengthof ϕ, i.e. k = |ϕ|. From lemma, Ak |= F G • and Bk 6|= F G •,

but also Ak |= ϕ⇔ Bk |= ϕ, so ϕ cannot be equivalent.Contradiction!

24

Expressiveness CTL Model Checking

LTL 6⊆ CTL

Lemma

It is possible to construct two families of automata Ai and Bi suchthat:

They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .

They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)

See the textbook (Baier and Katoen) for details.

Proof

Let ϕ be a CTL formula equivalent to F G •.Let k be the lengthof ϕ, i.e. k = |ϕ|. From lemma, Ak |= F G • and Bk 6|= F G •,but also Ak |= ϕ⇔ Bk |= ϕ,

so ϕ cannot be equivalent.Contradiction!

25

Expressiveness CTL Model Checking

LTL 6⊆ CTL

Lemma

It is possible to construct two families of automata Ai and Bi suchthat:

They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .

They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)

See the textbook (Baier and Katoen) for details.

Proof

Let ϕ be a CTL formula equivalent to F G •.Let k be the lengthof ϕ, i.e. k = |ϕ|. From lemma, Ak |= F G • and Bk 6|= F G •,but also Ak |= ϕ⇔ Bk |= ϕ, so ϕ cannot be equivalent.Contradiction!

26

Expressiveness CTL Model Checking

CTL ⊂ CTL∗

Every CTL formula is also a CTL∗ formula. But is it a strictinclusion (i.e. CTL ⊂ CTL∗)?

Yes. We know already that LTL ⊆ CTL∗ and that LTL 6⊆ CTL. Sopick any LTL formula that cannot be expressed in CTL, and wehave a formula that cannot be expressed in CTL but can be inCTL∗.

27

Expressiveness CTL Model Checking

CTL ⊂ CTL∗

Every CTL formula is also a CTL∗ formula. But is it a strictinclusion (i.e. CTL ⊂ CTL∗)?Yes.

We know already that LTL ⊆ CTL∗ and that LTL 6⊆ CTL. Sopick any LTL formula that cannot be expressed in CTL, and wehave a formula that cannot be expressed in CTL but can be inCTL∗.

28

Expressiveness CTL Model Checking

CTL ⊂ CTL∗

Every CTL formula is also a CTL∗ formula. But is it a strictinclusion (i.e. CTL ⊂ CTL∗)?Yes. We know already that LTL ⊆ CTL∗ and that LTL 6⊆ CTL. Sopick any LTL formula that cannot be expressed in CTL, and wehave a formula that cannot be expressed in CTL but can be inCTL∗.

29

Expressiveness CTL Model Checking

LTL ⊂ CTL∗

We saw that LTL ⊆ CTL∗. But is it a strict inclusion?(i.e. LTL ⊂ CTL∗)?

Yes. We know already that CTL ⊆ CTL∗ and that CTL 6⊆ LTL.So pick any CTL formula that cannot be expressed in LTL, and wehave a formula that cannot be expressed in LTL but can be inCTL∗.

30

Expressiveness CTL Model Checking

LTL ⊂ CTL∗

We saw that LTL ⊆ CTL∗. But is it a strict inclusion?(i.e. LTL ⊂ CTL∗)?Yes.

We know already that CTL ⊆ CTL∗ and that CTL 6⊆ LTL.So pick any CTL formula that cannot be expressed in LTL, and wehave a formula that cannot be expressed in LTL but can be inCTL∗.

31

Expressiveness CTL Model Checking

LTL ⊂ CTL∗

We saw that LTL ⊆ CTL∗. But is it a strict inclusion?(i.e. LTL ⊂ CTL∗)?Yes. We know already that CTL ⊆ CTL∗ and that CTL 6⊆ LTL.So pick any CTL formula that cannot be expressed in LTL, and wehave a formula that cannot be expressed in LTL but can be inCTL∗.

32

Expressiveness CTL Model Checking

(LTL ∪ CTL) ⊂ CTL∗

Is there any formula that can be expressed in CTL∗ but not inCTL nor in LTL?

Strict Inclusion

Yes. The proof is very involved, but the formula E G F • cannotbe expressed in either LTL nor CTL.

LTL CTL

CTL∗

33

Expressiveness CTL Model Checking

(LTL ∪ CTL) ⊂ CTL∗

Is there any formula that can be expressed in CTL∗ but not inCTL nor in LTL?

Strict Inclusion

Yes. The proof is very involved, but the formula E G F • cannotbe expressed in either LTL nor CTL.

LTL CTL

CTL∗

34

Expressiveness CTL Model Checking

(LTL ∪ CTL) ⊂ CTL∗

Is there any formula that can be expressed in CTL∗ but not inCTL nor in LTL?

Strict Inclusion

Yes. The proof is very involved, but the formula E G F • cannotbe expressed in either LTL nor CTL.

LTL CTL

CTL∗

35

Expressiveness CTL Model Checking

The CTL Model Checking Problem

Given

A CTL formula ϕ, and

An automaton A,

Determine if A |= ϕ.

Our approach

We first break the formula up into a parse tree. Then, annotatestates in a bottom-up fashion with the (sub-)formulae they satisfy.

36

Expressiveness CTL Model Checking

Parse Trees

A(p UNTIL E(True UNTIL q ∧ r))

A(· UNTIL ·)

p E(· UNTIL ·)

True ∧

q r

37

Expressiveness CTL Model Checking

Formal Algorithm: Basic Propositionscase ϕ ∈ P do /* Atomic proposition */

foreach q ∈ Q doif ϕ ∈ L(q) then

q.ϕ := True;else

q.ϕ := False;

case ϕ = ¬ψ do /* Negation */

Mark(A, ψ) ;foreach q ∈ Q do

q.ϕ := ¬q.ψ ;

case ϕ = ψ1 ∧ ψ2 do /* Conjunction */

Mark(A, ψ1); Mark(A, ψ2) ;foreach q ∈ Q do

q.ϕ := q.ψ1 ∧ q.ψ2 ;

38

Expressiveness CTL Model Checking

Formal Algorithm: EX

case ϕ = EX ψ do /* Exists a Successor */

Mark(A, ψ) ;foreach q ∈ Q do

q.ϕ := False;

foreach (q, q′) ∈ δ doif q′.ψ then

q.ϕ := True ;

We can simplify AX ψ to ¬EX ¬ψ. Why?

39

Expressiveness CTL Model Checking

case ϕ = E ψ1 UNTIL ψ2 do /* Exist Until */

Mark(A, ψ1) ; Mark(A, ψ2) ;foreach q ∈ Q do

q.ϕ := False;q.visited := False;if q.ψ2 then

q.ϕ := True ;q.visited := True ;W := W ∪ {q};

while W 6= ∅ doq := pop(W ); /* q satisfies ϕ */

foreach (q′, q) ∈ δ doif ¬q′.visited then

q′.visited := True ;if q′.ψ1 then

q′.ϕ := True; W := W ∪ {q′};

40

Expressiveness CTL Model Checking

case ϕ = A ψ1 UNTIL ψ2 do /* For All Until */

Mark(A, ψ1) ; Mark(A, ψ2);foreach q ∈ Q do

q.ϕ := False;q.nbUnchecked := |δ(q)|;if q.ψ2 then

q.ϕ := True ;W := W ∪ {q};

while W 6= ∅ doq := pop(W );/* q satisfies ϕ */

foreach (q′, q) ∈ δ doq′.nbUnchecked := q′.nbUnchecked − 1 ;if (q′.nbUnchecked = 0 ∧ q′.ψ1 ∧ ¬q′.ϕ) then

q′.ϕ := True ;W := W ∪ {q′};

41

Expressiveness CTL Model Checking

Complexity?

Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?

Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)

Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )

42

Expressiveness CTL Model Checking

Complexity?

Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?

Complexity for atomic propositions, ∧ and ¬:

O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)

Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )

43

Expressiveness CTL Model Checking

Complexity?

Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?

Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX:

O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)

Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )

44

Expressiveness CTL Model Checking

Complexity?

Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?

Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·):

O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)

Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )

45

Expressiveness CTL Model Checking

Complexity?

Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?

Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·):

O(|Q|+ |δ|)

Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )

46

Expressiveness CTL Model Checking

Complexity?

Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?

Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)

Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )

47

Expressiveness CTL Model Checking

Complexity?

Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?

Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)

Therefore, overall complexity is:

O( (|Q|+ |δ|)× |ϕ| )

48

Expressiveness CTL Model Checking

Complexity?

Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?

Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)

Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )

49

Expressiveness CTL Model Checking

Example

• •

••

• •

• •

Procedure

Simplify to basicCTL operations.

Build parse tree fornew formula.

Mark statesbottom up asdescribed.

Example

EF (• ∧ •)

EF AG (• ∧ •)

50

Expressiveness CTL Model Checking

Example

• •

••

• •

• •

Procedure

Simplify to basicCTL operations.

Build parse tree fornew formula.

Mark statesbottom up asdescribed.

Example

EF (• ∧ •)EF AG (• ∧ •)

51

Expressiveness CTL Model Checking

Bibliography

Expressiveness:

Huth/Ryan: Logic in Computer Science, Section 3.5

Baier/Katoen: Principles of Model Checking, Section 6.3

CTL Model Checking

Berard et al: System and Software Verification, Section 3.1

Baier/Katoen: Principles of Model Checking, Section 6.4

Clarke et al: Model Checking, Section 4.1

Huth/Ryan: Logic in Computer Science, Section 3.6

52