d3s.mff.cuni.cz jan kofroň, františek plášil · 2020. 10. 21. · jan kofroň, františek...

http://d3s.mff.cuni.cz

Behavior models and verificationLecture 5

Jan Kofroň, František Plášil

Agenda

Jan Kofroň, František Plášil, Lecture 5 2

CTL logic

CTL model checking

Computation Tree Logic

A formula can reason about many executions in a computation tree at once

PCTL

TCTL

LTL

Markov chains

Timed automata

Labelled transition system

Kripke structure

CTL Model checking (explicit)


open

start

empty

close

empty

close

start

close

heat

start

heat

CTL

𝑨𝑮(𝐬𝐭𝐚𝐫𝐭 → 𝑨𝑭 𝐡𝐞𝐚𝐭)

Model

Property specification

Model checker

Property satisfied

Property violated

Errorreport

CTL (explicit) Model checking

4

The task of explicit CTL model checking reads

For a Kripke structure M = (S, I, R, L) over AP and a (state based) temporal logic formula find the set of all states in S that satisfy :

𝑋 = { 𝑠 ∈ 𝑆: 𝑀, 𝑠 ⊨ }

“Explicit” : Each state of M is explicitly represented in memory in a labeled, directed graph, and checked

Jan Kofroň, František Plášil, Lecture 5

Model checking – simple KS and property

5

I

KS satisfies the specification in states

KS in the initial states I satisfies


Model checking– simple KS and property

6

KS does not satisfy the specification(formula) in the initial states I


I

CTL basic idea


Computational Tree Logic

Considers property of the states along the paths in a computational (sub)tree

As opposed to LTL which, given a state s, considers property of each path (starting in s) separately

CTL example


Consider Kripke str. with initial state , property

Assume • Syntax note: A – All paths E – Exists a path

= AG EF p In all (A) paths starting in and for any (G) state s on them it holds that there exists (E) a path starting with s such that it contains (F) a state where p holds

true

= AG EX p true

= AG AX pfalse

= AG EX AGpTrue

p

Comp. tree

Compare to LTL


Consider

Kripke str. with initial state , property

LTL

Assume = GFpIn all ∞ paths starting in , p globally holds in the future

Not true, since

Implies computational tree

with the path

p

p

CTL syntax

10

A CTL formula has one of the following forms:0, 1, p, , & , ,

p is an atomic formula, p AP

AX , EX

AG , EG

AF , EF

A[ U ], E[ U ]where , are CTL formulas

A – All paths E – Exists a path (two quantifiers)X – neXt G – Globally F – Future U - Until

Based on http://www.scs.carleton.ca/~howe/5404/handouts/Lecture1.pdfJan Kofroň, František Plášil, Lecture 5

CTL semantics

11

M, s ⊨ stands for “a state s from the Kripkestructure M satisfies a CTL formula ”

⊨ is defined by induction on the size of

Definition

M, s ⊨ p p L(s)

M, s ⊨ 1 not M, s ⊨ 1

M, s ⊨ 1 2 M, s ⊨ 1 or M, s ⊨ 2

M, s ⊨ 1 2 M, s ⊨ 1 and M, s ⊨ 2


CTL semantics

12

Definition (cont.)

M, s ⊨ EX 1 there is a state t and a transition s→t in M s.t.M, t ⊨ 1

M, s ⊨ AX 1 for every state t in M s.t. s→t, M, t ⊨ 1 holds


CTL semantics

13

Definition (cont.)

M, s ⊨ EF 1 there exists a state t and a path from s to t (in M) s.t.M, t ⊨ 1

M, s ⊨ AF 1 on every infinite path (in M) beginning in s there is a state t s.t. M, t ⊨ 1

M, s ⊨ EG 1 there exists an infinite path

= 0 → 1 →2 ... (in M) s.t.

s = 0 and for all i >= 0 i ⊨ 1 holds

M, s ⊨ AG 1 for every infinite path

= 0 → 1 →2 ... (in M) s.t.

s = 0, for all i >= 0 i ⊨ 1 holds


CTL semantics

14

Definition (cont.)

M, s ⊨ E [1 U 2]

there exists an infinite path = 0 → 1 →2 ... (in M) s.t.0 = s and there exists i >= 0 s.t.:

M, i ⊨ 2

for all j, 0 <= j < i, M, j ⊨ 1 holds

M, s ⊨ A [1 U 2]

for all infinite paths = 0 → 1 →2 ... (in M)

s.t. p0 = s, there exists i >= 0 s.t.:

M, i ⊨ 2

for all j, 0 <= j < i, M, j ⊨ 1 holds


15Jan Kofroň, František Plášil, Lecture 5

Kripkestructure

Computational tree

AX 1

= 1 holds

EX 1

= 1 either holds or not


AG 1

= 1 holds

AF 1

EG 1 EF 1

17Jan Kofroň, František Plášil, Lecture 5 17

= 1 undefined

E[1 U 2]

= 1, 2 undefined

A[1 U 2]

= 1 holds (2 undefined)



E[1 U 2]

= 1, 2 undefined

A[1 U 2]




Difference between CTL and LTL

Think of CTL formulas as approximations to LTL formulas

AG EF p is weaker than G F p

AF AG p is stronger than F G p

p p

Jan Kofroň, František Plášil Lecture 5 20

p


Think of CTL formulas as approximations to LTL formulas



p p


ptrue

false true

false


Practicality perspective



CTL formulas easier to verify

Good for finding bugs... EF p“exists” by CTL

Good for verifying... FG p“invariant” by LTL

p p


p

CTL vers. LTL

A property expressible in CTL but not in LTLFact: There is no LTL formula equivalent to the CTL formula AG(EF p)

Note that AG(EF p) is not the same as G(F p) in LTL

Suppose that there is such a (in LTL). Consider the following K.S.

s0 s1

p


CTL vers. LTL (cont.)

AG(EF p) is true in s0

→ is true in s0 as well i.e. is true on all paths that start in s0

→ therefore is true on the path that loops in s0

→ thus is true in s’ of the following Kripke structure

→ thus AG(EF p) would have to be true in s’

→ contradiction!

s’


LTL ver. CTL

The LTL formula FG p is not equivalent to any CTL formula

In particular, it is not equivalent to the CTL formula AF (AG p)


LTL ver. CTL

The LTL formula FG p is not equivalent to CTL formula AF(AG p)

To prove this, we have to find a Kripke structure M and a state s in M s.t.:

either M, s ⊨LTL FG p

and not M, s ⊨CTL AF (AG p)

orM, s ⊨CTL AF (AG p)

and not M, s ⊨LTL FG p

s

= p holds

= p does not hold


LTL ver. CTL

= p holds

= p does not hold

M, s ⊨LTL FG p

not M, s ⊨CTL AF (AG p)

s


LTL ver. CTL Expressiveness

LTL and CTL logics are incomparable


LTL vers. CTL: Complexity

Model checking of M= (S,R,L)Does M satisfy φ ?

|M| = |S|+ |R|

|Φ| = number of subformulas of Φ

Time complexityCTL: O(|M| . |Φ|)

LTL: O(|M| .2|φ| ) (PSPACE complete)

ConclusionLinear complexity in |M|

LTL exponential in |φ|However, typically |φ| << |M|


Back to CTL m.c.: Formula parse tree

30

(EG E[p U q]) & EX r

EG E[p U q] EX r

rE[p U q]

qp


Explicit CTL model checking algorithm

31

For every state s in S, the algorithm labels s with all

subformulas of which are true in s

label(s) – the set of labels associated with s

initially, label(s) = L(s)

then, the algorithm goes through a series of stages

during the i-th stage, the subformulas with i-1 nested operators

are processed

when a subformula is processed, it is added to the labeling of each

state s in which it is true (i.e. label(s) is updated)

Once the algorithm terminates, we will have

M, s ⊨ iff label(s)



32

p q

p r


EG E[p U q]

EX rE[p U q]

p q r



33

p q

p r

p q

pr


EG E[p U q]

EX rE[p U q]

p q r



34

p q

p r

p

E[p U q]

q

E[p U q]

p

E[p U q]

r


EG E[p U q]

EX rE[p U q]

p q r



35

p q

p r

p

E[p U q]

q

E[p U q]

p

E[p U q]

EX r

r

EX r


EG E[p U q]

EX rE[p U q]

p q r



36

p q

p r

p

E[p U q]

EG E[p U q]

q

E[p U q]

EG E[p U q]

p

E[p U q]

EX r

EG E[p U q]

r

EX r


EG E[p U q]

EX rE[p U q]

p q r



37

p q

p r


EG E[p U q]

EX rE[p U q]

p

E[p U q]

EG E[p U q]

q

E[p U q]

EG E[p U q]

p

E[p U q]

EX r

EG E[p U q]


r

EX r

p q r



38

Any CTL formula can be expressed in the terms of , &, EX, EU, EG

Handling 1, 1 & 2, EX 1 during a stage of the algorithm is trivial


All operators in terms of EX, EG, EU

39

AX 1 = EX ( 1)

EF 1 = E[1 U 1]

AG 1 = EF ( 1)

AF 1 = EG ( 1)

A[1 U 2] = EG ( 2) &

& E[2 U (1 & 2)]


Handling E[1 U 2]

40

procedure CheckEU(1, 2)T:= {s : 2 label(s)};for all s T do

label(s):= label(s) {E[1 U 2]};end for allwhile T != {}

choose s T;T:= T \ {s};for all t such that R(t,s) do

if E[1 U 2] label(t) and 1 label(t) then

label(t):= label(t) {E[1 U 2]};T:= T {t};

end ifend for all

end whileend procedure


Handling E[1 U 2] – example: fragment of M

41

1 2 2 2

1 1 2

1 1 2

1 1 1


Handling E[1 U 2]

42

1 2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1 1 2

E [1 U 2]

1 1 2

E [1 U 2]

1 1 1


Handling E[1 U 2]

43

1 2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1 1 2

E [1 U 2]

1 1 2

E [1 U 2]

1 1 1


Handling E[1 U 2]

44

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1 2

E [1 U 2]

1 1 2

E [1 U 2]

1 1 1


Handling E[1 U 2]

45

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1 2

E [1 U 2]

1 1 2

E [1 U 2]

1 1 1


Handling E[1 U 2]

46

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1 2

E [1 U 2]

1 1 2

E [1 U 2]

1 1 1


Handling E[1 U 2]

47

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1 2

E [1 U 2]

1 1 2

E [1 U 2]

1 1 1


Handling E[1 U 2]

48

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1 2

E [1 U 2]

1 1 2

E [1 U 2]

1 1 1


Handling E[1 U 2]

49

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1 2

E [1 U 2]

1 1 2

E [1 U 2]

1 1 1


Handling E[1 U 2]

50

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1 2

E [1 U 2]

1 1 1


Handling E[1 U 2]

51

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1 2

E [1 U 2]

1 1 1


Handling E[1 U 2]

52

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1

E [1 U 2]

2

E [1 U 2]

1 1 1


Handling E[1 U 2]

53

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1

E [1 U 2]

2

E [1 U 2]

1 1 1


Handling E[1 U 2]

54

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1

E [1 U 2]

2

E [1 U 2]

1 1 1


Handling E[1 U 2]

55

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1

E [1 U 2]

2

E [1 U 2]

1 1 1


Handling E[1 U 2]

56

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1

E [1 U 2]

2

E [1 U 2]

1 1 1


Handling E[1 U 2]

57

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1

E [1 U 2]

2

E [1 U 2]

1 1 1


Handling E[1 U 2]

58

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1

E [1 U 2]

2

E [1 U 2]

1 1 1


Handling E[1 U 2]

59

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1

E [1 U 2]

2

E [1 U 2]

1 1 1


Handling E[1 U 2]

60

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1

E [1 U 2]

2

E [1 U 2]

1 1 1

E [1 U 2]


Handling E[1 U 2]

61

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1

E [1 U 2]

2

E [1 U 2]

1 1 1

E [1 U 2]


Handling E[1 U 2]

62

1

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

2

E [1 U 2]

1

E [1 U 2]

1

E [1 U 2]

2

E [1 U 2]

1 1

E [1 U 2]

2

E [1 U 2]

1 1 1

E [1 U 2]


Handling EG 1

63

Based on decomposition of the graph into nontrivial strongly connected components

A strongly connected component (SCC) C is a maximal subgraph such that every node in C is reachable from every other node in C along a directed path entirely contained within C

C is nontrivial iff either it has more than one node or it contains one node with a self-loop

infinite path


Handling EG 1

64

M’ = (S’, R’, L’)

S’ = { s S : M, s ⊨ 1 }

R’ = R | S’ x S’

L’ = L | S’


Handling EG 1

65

Lemma: M, s ⊨ EG 1 iff both the following conditions are satisfied:

s S’

There exists a path in M’ that leads from s to some node t in a nontrivial strongly connected component C of the graph (S’, R’)


Handling EG 1

66

Construct the restricted Kripke structure M’ = (S’, R’, L’)

Partition the graph (S’, R’) into strongly connected components

Find those states that belong to a nontrivial component

Work backward (using converse of R’)find all the states that can be reached by a path (converse of R’ !) in which each state is labeled with 1


Handling EG 1

67

= 1 does not hold

= 1 holds


M:

Handling EG 1

68

Construction of (S’, R’)


M’:

Handling EG 1

69

Identification of nontrivial strongly connected components SCC by Tarjan algorithm (not detailed here)


Handling EG 1

70

= EG 1 holds


SCC

Handling EG 1 - identifying

71

procedure CheckEG(1)

S’ = {s : 1 label(s)};

SCC = {C : C is a nontrivial SCC of S’};

T:= CSCC{s : s C};

for all s T do

label(s):= label(s) {EG 1};

end for all

while T != {}

choose s T;

T:= T \ {s};

for all t such that t S’ and R(t,s) do

if EG 1 label(t) then

label(t):= label(t) {EG 1};

T:= T {t};

end if

end for all

end while

end procedure



72

CheckEU

O(|S| + |R|)

CheckEG

O(|S| + |R|)Partitioning using Tarjan algorithm: O(|S’| + |R’|)

has at most || different subformulas

Time complexity: O(|| * (|S| + |R|))


d3s.mff.cuni.cz jan kofroň, františek plášil · 2020. 10. 21. · jan kofroň, františek...

Documents