Expressiveness CTL Model Checking
52
Expressiveness CTL Model Checking COMP 3 9 1 5 3 Algorithmic Verification < l a t e x i t s h a 1 _ b a s e 6 4 = " P 4 j U U J H o 6 g 1 y o p y Z B D 7 4 h i v 3 L d I = " > A A A I Z H i c j V R b b 9 N I F D 6 k X E K W W 6 l 4 Q E h o o C B a l I a 4 J Y J q V c T S F 1 4 Q R a I F q a n Q 2 D 5 x R p n Y Z j x p G 6 L 8 C n 7 d / o H 9 E f v E m W P n R g y 7 j u w 5 / u b M d 7 5 z i f 1 U q 8 w 2 m 3 9 f q K x c v H T 5 S v V q 7 Y 9 r 1 2 / c v L V 6 + y h L B i b A w y D R i f n s y w y 1 i v H Q K q v x c 2 p Q 9 n 2 N n / z e v t v / d I o m U 0 n 8 0 Q 5 T P O n L K F Y d F U h L 0 J f V y v e 2 j 5 G K R 1 b 1 v q U q s A O D 4 1 o 7 T k I 8 z q y 0 W O 8 o r f d 8 P c A H 2 8 2 6 U L G y S u o T s f H V 2 x S j t s V z 6 3 f y N e u M 9 t + / O x i P x 3 8 u M x g M m U D 6 y S k K o 6 K u F U l n 7 6 t H V H q n h G q n n O d U J R o t U / m o k 7 O f q X Z L q H b L q S K D G J e J 0 r u O q S w / r 5 x p i J q k M N W M h O W 0 S k h a 5 S T B U M Z z e T m K V l 0 G A a Z W x R G X 6 f z X d Q q N P M u b g m G E X I g y d G e G u q o X q D e H 7 p a i M 4 b W H N q a 8 Z 5 v F i k J a c W G V 9 / y G t N W k M q / d J Q Y Z b t 9 F Y g j N N M J Z O 0 Y h w v z 9 + X W e r P R 5 E s s G 1 5 h r E N x H S S r l T a 0 I Y Q E A h h A H x B i s G R r k J D R 7 x g 8 a E J K 2 A m M C D N k K d 5 H G E O N z g 7 I C 8 l D E t q j Z 0 R v x w U a 0 7 v j z P h 0 Q F E 0 3 Y Z O C n h c + I R k d x j N V x d f z P n + K s a I u Z 3 G I a 1 + w d k n 1 E K X 0 P 8 6 N / H 8 v + d c T p Y U v u R c F O l M G X F Z B g s Z d W j V 9 G 5 J v 3 s O y R P J C u m U I S s g T B O a I y 6 G o T W v q 8 u 8 y 3 W W 7 I d k / S 4 X d 6 o H 3 z j + x G e C a V p 9 Z j I U z e U 9 Y E 1 5 r h L q d C a l 9 6 y I 7 m r v 8 o p 4 x 5 0 y h J 3 R v u u 0 0 z B h z q O M y G s L X r H 3 K 9 g j 1 O m V F N d V 8 g n j j + l 2 8 X o 8 B Y J 3 c I F d M C K p F m 7 f 5 7 6 7 m a j R v f y L a T + c V j P j P F z 9 k e J 7 0 I A W 2 f 1 p 5 I w r H 5 B n h + 5 F B X 3 O V d H q 5 n 6 Z z 2 l x W Z 7 R 0 / V Y s J 3 M a c g o n o B 9 7 l f M / R A c y X k g c 7 j p z K v f W M o I 4 Z S 7 O 2 S d l n u C 8 I w 8 M 5 4 Z z T m N W K / i n t f 5 H 6 J o R 9 N O x J 0 d w g P K u U k d m u X s V M 9 n m n K l U 4 5 m p 3 W Y / O e Q J 6 o L Q t y d 6 S B 7 v t a L y v O 6 W Z 7 d f M 4 R z u m 5 B 4 / o 7 d F v l E w 8 c 0 S y J U l Z y i o M + y Z F r f M T u S J T e M 5 m p g b u W + f 9 / G V b N o 6 2 G 9 7 z x v M P 2 + u v 3 x R f v S r c g 4 e w Q f P y A l 7 D W z i A Q w g q / 6 6 I l c 2 V p 1 f + q V 6 r r l X v 5 K 6 V C 8 W Z N V i 4 q v d / A B 3 w 9 T w = < / l a t e x i t > Expressiveness, CTL Model Checking Dr. Liam O’Connor CSE, UNSW (for now) Term 1 2020 1
Transcript of Expressiveness CTL Model Checking
Expressiveness CTL Model Checking
COMP
3
9
1 5
3Algorithmic Verification
<latexit sha1_base64="P4jUUJHo6g1yopyZBD74hiv3LdI=">AAAIZHicjVRbb9NIFD6kXEKWW6l4QEhooCBalIa4JYJqVcTSF14QRaIFqanQ2D5xRpnYZjxpG6L8Cn7d/oH9EfvEmWPnRgy7juw5/ubMd75zif1Uq8w2m39fqKxcvHT5SvVq7Y9r12/cvLV6+yhLBibAwyDRifnsywy1ivHQKqvxc2pQ9n2Nn/zevtv/dIomU0n80Q5TPOnLKFYdFUhL0JfVyve2j5GKR1b1vqUqsAOD41o7TkI8zqy0WO8orfd8PcAH2826ULGySuoTsfHV2xSjtsVz63fyNeuM9t+/OxiPx38uMxgMmUD6ySkKo6KuFUln76tHVHqnhGqnnOdUJRotU/mok7OfqXZLqHbLqSKDGJeJ0ruOqSw/r5xpiJqkMNWMhOW0Skha5STBUMZzeTmKVl0GAaZWxRGX6fzXdQqNPMubgmGEXIgydGeGuqoXqDeH7paiM4bWHNqa8Z5vFikJacWGV9/yGtNWkMq/dJQYZbt9FYgjNNMJZO0Yhwvz9+XWerPR5EssG15hrENxHSSrlTa0IYQEAhhAHxBisGRrkJDR7xg8aEJK2AmMCDNkKd5HGEONzg7IC8lDEtqjZ0RvxwUa07vjzPh0QFE03YZOCnhc+IRkdxjNVxdfzPn+KsaIuZ3GIa1+wdkn1EKX0P86N/H8v+dcTpYUvuRcFOlMGXFZBgsZdWjV9G5Jv3sOyRPJCumUISsgTBOaIy6GoTWvq8u8y3WW7Idk/S4Xd6oH3zj+xGeCaVp9ZjIUzeU9YE15rhLqdCal96yI7mrv8op4x50yhJ3Rvuu00zBhzqOMyGsLXrH3K9gj1OmVFNdV8gnjj+l28Xo8BYJ3cIFdMCKpFm7f5767majRvfyLaT+cVjPjPFz9keJ70IAW2f1p5IwrH5Bnh+5FBX3OVdHq5n6Zz2lxWZ7R0/VYsJ3MacgonoB97lfM/RAcyXkgc7jpzKvfWMoI4ZS7O2SdlnuC8Iw8M54ZzTmNWK/intf5H6JoR9NOxJ0dwgPKuUkdmuXsVM9nmnKlU45mp3WY/OeQJ6oLQtyd6SB7vtaLyvO6WZ7dfM4Rzum5B4/o7dFvlEw8c0SyJUlZyioM+yZFrfMTuSJTeM5mpgbuW+f9/GVbNo62G97zxvMP2+uv3xRfvSrcg4ewQfPyAl7DWziAQwgq/66Ilc2Vp1f+qV6rrlXv5K6VC8WZNVi4qvd/AB3w9Tw=</latexit>
Expressiveness, CTL Model Checking
Dr. Liam O’ConnorCSE, UNSW (for now)
Term 1 2020
1
Expressiveness CTL Model Checking
Comparing Logics
Formula Equivalence
Two formulae are equivalent iff they admit the same models.
∀A. (A |= P)⇔ (A |= Q)
P ≡ Q
Logic Expressiveness
A logic L1 is more expressive than a logic L2, written L2 ⊆ L1, iff:For all ϕ2 ∈ L2, there is a ϕ1 ∈ L1 such that ϕ1 ≡ ϕ2.
CTL ⊆ CTL∗? LTL ⊆ CTL∗? LTL ⊆ CTL? CTL ⊆ LTL?
2
Expressiveness CTL Model Checking
LTL ⊆ CTL∗
LTL formulae look like CTL∗ path formulae. How do we convertthem into equivalent state formulae?
Recall that A |= ϕ iff ∀ρ ∈ Traces(A). ρ |= ϕ
For all LTL formulae ϕ:
A |=LTL ϕ⇐⇒ A |=CTL∗ A ϕ
Proof follows trivially from the definition of A.
3
Expressiveness CTL Model Checking
LTL ⊆ CTL∗
LTL formulae look like CTL∗ path formulae. How do we convertthem into equivalent state formulae?
Recall that A |= ϕ iff ∀ρ ∈ Traces(A). ρ |= ϕ
For all LTL formulae ϕ:
A |=LTL ϕ⇐⇒ A |=CTL∗ A ϕ
Proof follows trivially from the definition of A.
4
Expressiveness CTL Model Checking
CTL ⊆ LTL?CTL Formula: AF AG •
LTL Formula: FG •? does this work?
p0 p1
p2
It’s not equivalent!
5
Expressiveness CTL Model Checking
CTL ⊆ LTL?CTL Formula: AF AG •
LTL Formula: FG •? does this work?
p0 p1
p2
It’s not equivalent!
6
Expressiveness CTL Model Checking
CTL ⊆ LTL?CTL Formula: AF AG •
LTL Formula: FG •? does this work?
p0 p1
p2
It’s not equivalent!
7
Expressiveness CTL Model Checking
CTL ⊆ LTL?CTL Formula: AF AG •
LTL Formula: FG •? does this work?
p0 p1
p2
It’s not equivalent!
8
Expressiveness CTL Model Checking
CTL 6⊆ LTLLet’s prove it.
Lemma (Trace Inclusion)
If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ
Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.
q0 q1
A B
Proof
Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!
9
Expressiveness CTL Model Checking
CTL 6⊆ LTLLet’s prove it.
Lemma (Trace Inclusion)
If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ
Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.
q0 q1
A B
Proof
Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!
10
Expressiveness CTL Model Checking
CTL 6⊆ LTLLet’s prove it.
Lemma (Trace Inclusion)
If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ
Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.
q0 q1
A B
Proof
Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!
11
Expressiveness CTL Model Checking
CTL 6⊆ LTLLet’s prove it.
Lemma (Trace Inclusion)
If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ
Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.
q0 q1
A B
Proof
Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!
12
Expressiveness CTL Model Checking
CTL 6⊆ LTLLet’s prove it.
Lemma (Trace Inclusion)
If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ
Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.
q0 q1
A B
Proof
Observe that B |= AG EF • butA 6|= AG EF •
Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!
13
Expressiveness CTL Model Checking
CTL 6⊆ LTLLet’s prove it.
Lemma (Trace Inclusion)
If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ
Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.
q0 q1
A B
Proof
Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.
But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!
14
Expressiveness CTL Model Checking
CTL 6⊆ LTLLet’s prove it.
Lemma (Trace Inclusion)
If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ
Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.
q0 q1
A B
Proof
Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.
Contradiction!
15
Expressiveness CTL Model Checking
CTL 6⊆ LTLLet’s prove it.
Lemma (Trace Inclusion)
If Traces(A) ⊆ Traces(B) then for any LTL formula ϕ,B |= ϕ =⇒ A |= ϕ
Suppose ∃ an LTL formula ϕ that is equivalent to AG EF •.
q0 q1
A B
Proof
Observe that B |= AG EF • butA 6|= AG EF •Because ϕ is equivalent, we knowB |= ϕ and A 6|= ϕ.But, as Traces(A) ⊆ Traces(B), ourlemma says that A |= ϕ.Contradiction!
16
Expressiveness CTL Model Checking
LTL ⊆ CTL?
LTL Formula: F (• ∧ X •)
CTL Formula: AF (• ∧ AX •). Does this work?
q0 q3
q1q2 q4
Nope!
17
Expressiveness CTL Model Checking
LTL ⊆ CTL?
LTL Formula: F (• ∧ X •)CTL Formula: AF (• ∧ AX •). Does this work?
q0 q3
q1q2 q4
Nope!
18
Expressiveness CTL Model Checking
LTL ⊆ CTL?
LTL Formula: F (• ∧ X •)CTL Formula: AF (• ∧ AX •). Does this work?
q0 q3
q1q2 q4
Nope!
19
Expressiveness CTL Model Checking
LTL 6⊆ CTL
Lemma
It is possible to construct two families of automata Ai and Bi suchthat:
They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .
They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)
See the textbook (Baier and Katoen) for details.
Proof
Let ϕ be a CTL formula equivalent to F G •.Let k be the lengthof ϕ, i.e. k = |ϕ|. From lemma, Ak |= F G • and Bk 6|= F G •,but also Ak |= ϕ⇔ Bk |= ϕ, so ϕ cannot be equivalent.Contradiction!
20
Expressiveness CTL Model Checking
LTL 6⊆ CTL
Lemma
It is possible to construct two families of automata Ai and Bi suchthat:
They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .
They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)
See the textbook (Baier and Katoen) for details.
Proof
Let ϕ be a CTL formula equivalent to F G •.Let k be the lengthof ϕ, i.e. k = |ϕ|. From lemma, Ak |= F G • and Bk 6|= F G •,but also Ak |= ϕ⇔ Bk |= ϕ, so ϕ cannot be equivalent.Contradiction!
21
Expressiveness CTL Model Checking
LTL 6⊆ CTL
Lemma
It is possible to construct two families of automata Ai and Bi suchthat:
They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .
They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)
See the textbook (Baier and Katoen) for details.
Proof
Let ϕ be a CTL formula equivalent to F G •.
Let k be the lengthof ϕ, i.e. k = |ϕ|. From lemma, Ak |= F G • and Bk 6|= F G •,but also Ak |= ϕ⇔ Bk |= ϕ, so ϕ cannot be equivalent.Contradiction!
22
Expressiveness CTL Model Checking
LTL 6⊆ CTL
Lemma
It is possible to construct two families of automata Ai and Bi suchthat:
They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .
They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)
See the textbook (Baier and Katoen) for details.
Proof
Let ϕ be a CTL formula equivalent to F G •.Let k be the lengthof ϕ, i.e. k = |ϕ|.
From lemma, Ak |= F G • and Bk 6|= F G •,but also Ak |= ϕ⇔ Bk |= ϕ, so ϕ cannot be equivalent.Contradiction!
23
Expressiveness CTL Model Checking
LTL 6⊆ CTL
Lemma
It is possible to construct two families of automata Ai and Bi suchthat:
They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .
They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)
See the textbook (Baier and Katoen) for details.
Proof
Let ϕ be a CTL formula equivalent to F G •.Let k be the lengthof ϕ, i.e. k = |ϕ|. From lemma, Ak |= F G • and Bk 6|= F G •,
but also Ak |= ϕ⇔ Bk |= ϕ, so ϕ cannot be equivalent.Contradiction!
24
Expressiveness CTL Model Checking
LTL 6⊆ CTL
Lemma
It is possible to construct two families of automata Ai and Bi suchthat:
They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .
They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)
See the textbook (Baier and Katoen) for details.
Proof
Let ϕ be a CTL formula equivalent to F G •.Let k be the lengthof ϕ, i.e. k = |ϕ|. From lemma, Ak |= F G • and Bk 6|= F G •,but also Ak |= ϕ⇔ Bk |= ϕ,
so ϕ cannot be equivalent.Contradiction!
25
Expressiveness CTL Model Checking
LTL 6⊆ CTL
Lemma
It is possible to construct two families of automata Ai and Bi suchthat:
They are distinguished by the LTL formula F G •, that is:Ai |= F G • but Bi 6|= F G • for any i .
They cannot be distinguished by CTL formulae of length ≤ i .That is, ∀i . ∀ϕ. |ϕ| ≤ i ⇒ (Ai |= ϕ⇔ Bi |= ϕ)
See the textbook (Baier and Katoen) for details.
Proof
Let ϕ be a CTL formula equivalent to F G •.Let k be the lengthof ϕ, i.e. k = |ϕ|. From lemma, Ak |= F G • and Bk 6|= F G •,but also Ak |= ϕ⇔ Bk |= ϕ, so ϕ cannot be equivalent.Contradiction!
26
Expressiveness CTL Model Checking
CTL ⊂ CTL∗
Every CTL formula is also a CTL∗ formula. But is it a strictinclusion (i.e. CTL ⊂ CTL∗)?
Yes. We know already that LTL ⊆ CTL∗ and that LTL 6⊆ CTL. Sopick any LTL formula that cannot be expressed in CTL, and wehave a formula that cannot be expressed in CTL but can be inCTL∗.
27
Expressiveness CTL Model Checking
CTL ⊂ CTL∗
Every CTL formula is also a CTL∗ formula. But is it a strictinclusion (i.e. CTL ⊂ CTL∗)?Yes.
We know already that LTL ⊆ CTL∗ and that LTL 6⊆ CTL. Sopick any LTL formula that cannot be expressed in CTL, and wehave a formula that cannot be expressed in CTL but can be inCTL∗.
28
Expressiveness CTL Model Checking
CTL ⊂ CTL∗
Every CTL formula is also a CTL∗ formula. But is it a strictinclusion (i.e. CTL ⊂ CTL∗)?Yes. We know already that LTL ⊆ CTL∗ and that LTL 6⊆ CTL. Sopick any LTL formula that cannot be expressed in CTL, and wehave a formula that cannot be expressed in CTL but can be inCTL∗.
29
Expressiveness CTL Model Checking
LTL ⊂ CTL∗
We saw that LTL ⊆ CTL∗. But is it a strict inclusion?(i.e. LTL ⊂ CTL∗)?
Yes. We know already that CTL ⊆ CTL∗ and that CTL 6⊆ LTL.So pick any CTL formula that cannot be expressed in LTL, and wehave a formula that cannot be expressed in LTL but can be inCTL∗.
30
Expressiveness CTL Model Checking
LTL ⊂ CTL∗
We saw that LTL ⊆ CTL∗. But is it a strict inclusion?(i.e. LTL ⊂ CTL∗)?Yes.
We know already that CTL ⊆ CTL∗ and that CTL 6⊆ LTL.So pick any CTL formula that cannot be expressed in LTL, and wehave a formula that cannot be expressed in LTL but can be inCTL∗.
31
Expressiveness CTL Model Checking
LTL ⊂ CTL∗
We saw that LTL ⊆ CTL∗. But is it a strict inclusion?(i.e. LTL ⊂ CTL∗)?Yes. We know already that CTL ⊆ CTL∗ and that CTL 6⊆ LTL.So pick any CTL formula that cannot be expressed in LTL, and wehave a formula that cannot be expressed in LTL but can be inCTL∗.
32
Expressiveness CTL Model Checking
(LTL ∪ CTL) ⊂ CTL∗
Is there any formula that can be expressed in CTL∗ but not inCTL nor in LTL?
Strict Inclusion
Yes. The proof is very involved, but the formula E G F • cannotbe expressed in either LTL nor CTL.
LTL CTL
CTL∗
33
Expressiveness CTL Model Checking
(LTL ∪ CTL) ⊂ CTL∗
Is there any formula that can be expressed in CTL∗ but not inCTL nor in LTL?
Strict Inclusion
Yes. The proof is very involved, but the formula E G F • cannotbe expressed in either LTL nor CTL.
LTL CTL
CTL∗
34
Expressiveness CTL Model Checking
(LTL ∪ CTL) ⊂ CTL∗
Is there any formula that can be expressed in CTL∗ but not inCTL nor in LTL?
Strict Inclusion
Yes. The proof is very involved, but the formula E G F • cannotbe expressed in either LTL nor CTL.
LTL CTL
CTL∗
35
Expressiveness CTL Model Checking
The CTL Model Checking Problem
Given
A CTL formula ϕ, and
An automaton A,
Determine if A |= ϕ.
Our approach
We first break the formula up into a parse tree. Then, annotatestates in a bottom-up fashion with the (sub-)formulae they satisfy.
36
Expressiveness CTL Model Checking
Parse Trees
A(p UNTIL E(True UNTIL q ∧ r))
A(· UNTIL ·)
p E(· UNTIL ·)
True ∧
q r
37
Expressiveness CTL Model Checking
Formal Algorithm: Basic Propositionscase ϕ ∈ P do /* Atomic proposition */
foreach q ∈ Q doif ϕ ∈ L(q) then
q.ϕ := True;else
q.ϕ := False;
case ϕ = ¬ψ do /* Negation */
Mark(A, ψ) ;foreach q ∈ Q do
q.ϕ := ¬q.ψ ;
case ϕ = ψ1 ∧ ψ2 do /* Conjunction */
Mark(A, ψ1); Mark(A, ψ2) ;foreach q ∈ Q do
q.ϕ := q.ψ1 ∧ q.ψ2 ;
38
Expressiveness CTL Model Checking
Formal Algorithm: EX
case ϕ = EX ψ do /* Exists a Successor */
Mark(A, ψ) ;foreach q ∈ Q do
q.ϕ := False;
foreach (q, q′) ∈ δ doif q′.ψ then
q.ϕ := True ;
We can simplify AX ψ to ¬EX ¬ψ. Why?
39
Expressiveness CTL Model Checking
case ϕ = E ψ1 UNTIL ψ2 do /* Exist Until */
Mark(A, ψ1) ; Mark(A, ψ2) ;foreach q ∈ Q do
q.ϕ := False;q.visited := False;if q.ψ2 then
q.ϕ := True ;q.visited := True ;W := W ∪ {q};
while W 6= ∅ doq := pop(W ); /* q satisfies ϕ */
foreach (q′, q) ∈ δ doif ¬q′.visited then
q′.visited := True ;if q′.ψ1 then
q′.ϕ := True; W := W ∪ {q′};
40
Expressiveness CTL Model Checking
case ϕ = A ψ1 UNTIL ψ2 do /* For All Until */
Mark(A, ψ1) ; Mark(A, ψ2);foreach q ∈ Q do
q.ϕ := False;q.nbUnchecked := |δ(q)|;if q.ψ2 then
q.ϕ := True ;W := W ∪ {q};
while W 6= ∅ doq := pop(W );/* q satisfies ϕ */
foreach (q′, q) ∈ δ doq′.nbUnchecked := q′.nbUnchecked − 1 ;if (q′.nbUnchecked = 0 ∧ q′.ψ1 ∧ ¬q′.ϕ) then
q′.ϕ := True ;W := W ∪ {q′};
41
Expressiveness CTL Model Checking
Complexity?
Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?
Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)
Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )
42
Expressiveness CTL Model Checking
Complexity?
Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?
Complexity for atomic propositions, ∧ and ¬:
O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)
Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )
43
Expressiveness CTL Model Checking
Complexity?
Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?
Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX:
O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)
Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )
44
Expressiveness CTL Model Checking
Complexity?
Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?
Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·):
O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)
Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )
45
Expressiveness CTL Model Checking
Complexity?
Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?
Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·):
O(|Q|+ |δ|)
Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )
46
Expressiveness CTL Model Checking
Complexity?
Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?
Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)
Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )
47
Expressiveness CTL Model Checking
Complexity?
Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?
Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)
Therefore, overall complexity is:
O( (|Q|+ |δ|)× |ϕ| )
48
Expressiveness CTL Model Checking
Complexity?
Assume a fixed size of formula |ϕ|, what is the run time complexityof this algorithm?
Complexity for atomic propositions, ∧ and ¬: O(|Q|)Complexity for EX: O(|Q|)Complexity for E(· UNTIL ·): O(|Q|+ |δ|)Complexity for A(· UNTIL ·): O(|Q|+ |δ|)
Therefore, overall complexity is: O( (|Q|+ |δ|)× |ϕ| )
49
Expressiveness CTL Model Checking
Example
• •
••
• •
• •
Procedure
Simplify to basicCTL operations.
Build parse tree fornew formula.
Mark statesbottom up asdescribed.
Example
EF (• ∧ •)
EF AG (• ∧ •)
50
Expressiveness CTL Model Checking
Example
• •
••
• •
• •
Procedure
Simplify to basicCTL operations.
Build parse tree fornew formula.
Mark statesbottom up asdescribed.
Example
EF (• ∧ •)EF AG (• ∧ •)
51
Expressiveness CTL Model Checking
Bibliography
Expressiveness:
Huth/Ryan: Logic in Computer Science, Section 3.5
Baier/Katoen: Principles of Model Checking, Section 6.3
CTL Model Checking
Berard et al: System and Software Verification, Section 3.1
Baier/Katoen: Principles of Model Checking, Section 6.4
Clarke et al: Model Checking, Section 4.1
Huth/Ryan: Logic in Computer Science, Section 3.6
52
