1. No category

Transition Systems and Linear-Time Properties

Transition Systems and Linear-Time Properties
Part #1 of Logic and Verification
Joost-Pieter Katoen
Software Modeling and Verification Group
RWTH Aachen University
MOVEP 2014, University of Nantes, July 7, 2014
c JPK
Model checking
• Automated model-based verification and debugging technique
– model of system = Kripke structure ≈ labeled transition system
– properties expressed in temporal logic like LTL or CTL
– provides counterexamples in case of property refutation
• Various striking examples
– Needham-Schroeder security protocol, storm surge barrier, C code
• 2008: Pioneers awarded prestigious ACM Turing Award
c JPK
1
Course topics
• Transition systems and linear-time properties
– traces, safety, liveness, fairness
• Verifying regular linear-time properties
– omega-regular languages, Büchi automata, nested depth-first search
• LTL model checking
– syntax, semantics, automata, model-checking algorithm
• CTL model checking
– syntax, semantics, CTL versus LTL, model-checking algorithm
c JPK
2
Principles of Model Checking
Christel Baier
TU Dresden, Germany
Joost-Pieter Katoen
RWTH Aachen University, Germany,
and
University of Twente, the Netherlands
“This book offers one of the most comprehensive introductions to logic model checking techniques available
today. The authors have found a way to explain both basic concepts and foundational theory thoroughly and
in crystal clear prose. Highly recommended for anyone who wants to learn about this important new field, or
brush up on their knowledge of the current state of the art.”
(Gerard J. Holzmann, NASA JPL, Pasadena)
c JPK
4
Content of this lecture
• Introduction
– why model checking?, how to model check?
• Transition systems
– paths, traces, program graphs
• Linear time properties
– safety, liveness, decomposition
• Fairness
– unconditional, strong and weak fairness
c JPK
5
Content of this lecture
⇒ Introduction
– why model checking?, how to model check?
• Transition systems
– paths, traces, program graphs
• Linear time properties
– safety, liveness, decomposition
• Fairness
– unconditional, strong and weak fairness
c JPK
6
Milestones in formal verification
• Mathematical approach towards program correctness
(Turing, 1949)
• Syntax-based technique for sequential programs
(Hoare, 1969)
– for a given input, does a computer program generate the correct output?
– based on compositional proof rules expressed in predicate logic
• Syntax-based technique for concurrent programs
(Pnueli, 1977)
– can handle properties referring to situations during the computation
– based on proof rules expressed in temporal logic
• Automated verification of concurrent programs
(Emerson & Clarke, 1981)
– model-based instead of proof-rule based approach
– does the concurrent program satisfy a given (logical) property?
these formal techniques are not biased towards the most probable scenarios
c JPK
8
Model checking overview
requirements
system
‘‘not biased towards the
most probable scenarios’’
Formalizing
Modeling
property
specification
system model
Model Checking
satisfied
violated +
counterexample
Simulation
location
error
insufficient
memory
c JPK
9
The model checking process
• Modeling phase
– model the system under consideration
– as a first sanity check, perform some simulations
– formalise the property to be checked
• Running phase
– run the model checker to check the validity of the property in the model
• Analysis phase
– property satisfied? → check next property (if any)
– property violated? →
1. analyse generated counterexample by simulation
2. refine the model, design, or property . . . and repeat the entire procedure
– out of memory? → try to reduce the model and try again
c JPK
10
Content of this lecture
• Introduction
– why model checking?, how to model check?
⇒ Transition systems
– paths, traces, program graphs
• Linear time properties
– safety, liveness, decomposition
• Fairness
– unconditional, strong and weak fairness
c JPK
11
Transition systems
• Model to describe the behaviour of systems
• Digraphs where nodes represent states, and edges model transitions
• State:
– the current colour of a traffic light
– the current values of all program variables + the program counter
– the current value of the registers together with the values of the input bits
• Transition: (“state change”)
– a switch from one colour to another
– the execution of a program statement
– the change of the registers and output bits for a new input
c JPK
12
Formal definition
A transition system TS is a tuple (S, Act, →, I, AP, L) where
•
•
•
•
•
•
S is a set of states
Act is a set of actions
−→ ⊆ S × Act × S is a transition relation
I ⊆ S is a set of initial states
AP is a set of atomic propositions
L : S → 2AP is a labeling function
S and Act are either finite or countably infinite
α
Notation: s −→ s instead of s, α, s ∈ −→
c JPK
13
Paths
• An infinite path fragment π is an infinite state sequence:
s0 s1 s2 . . .
such that si ∈ Post(si−1) for all i > 0
• Notations for path fragment π = s0 s1 s2 . . .:
– first(π) = s0 = π[0]; let π[j] = sj denote the j -th state of π
– j -th prefix π[..j] = s0 s1 . . . sj and j -th suffix π[j..] = sj sj+1 . . .
• A path of TS is an initial, maximal path fragment
– a maximal path fragment cannot be prolonged
– a path fragment is initial if s0 ∈ I
• Paths(s) is the set of maximal path fragments π with first(π) = s
c JPK
14
A mutual exclusion algorithm
n1 , n2 , y=1
w1 , n2 , y=1
c1 , n2 , y=0
w1 , w2 , y=1
c1 , w2 , y=0
c JPK
n1 , w2 , y=1
n1 , c2 , y=0
w1 , c2 , y=0
15
Traces
• Actions are mainly used to model the (possibility of) interaction
– synchronous or asynchronous communication
• Here, focus on the states that are visited during executions
– the states themselves are not “observable”, but just their atomic propositions
• Traces are sequences of the form L(s0) L(s1) L(s2) . . .
– just register the (set of) atomic propositions that are valid along the execution
• For transition systems without terminal states:
AP
– traces are infinite words over the alphabet 2 , i.e., they are in
– we will (mostly) assume that there are no terminal states
c JPK
AP
2
ω
16
Example traces
Let AP = { crit1, crit2 }
Example path:
π
=
n1, n2 , y = 1 → w1, n2 , y = 1 → c1, n2, y = 0 →
n1, n2 , y = 1 → n1, w2 , y = 1 → n1, c2, y = 0 → . . .
The trace of this path is the infinite word:
trace(π)
= ∅ ∅ { crit1 } ∅ ∅ { crit2 } ∅ ∅ { crit1 } ∅ ∅ { crit2 } . . .
The trace of the finite path fragment:
π
=
n1, n2, y = 1 → w1 , n2, y = 1 → w1 , w2, y = 1 →
w1, c2, y = 0 → w1, n2, y = 1 → c1, n2 , y = 0
is:
trace(
π)
c JPK
= ∅ ∅ ∅ { crit2 } ∅ { crit1 }
18
Program graphs: A beverage vending machine
“Abstract” transitions:
true :coin
start −−
−−−−→ select
nsprite >0 :sget
select −−
−−−−−−−→ start
and
and
true :refill
start −−
−−−−→ start
nbeer >0 :bget
select −−
−−−−−−→ start
nsprite =0 ∧ nbeer =0 :ret coin
select −−
−−−−−−−−−−−−−−−−→ start
c JPK
Action
Effect on variables
coin
ret coin
sget
bget
refill
nsprite := nsprite − 1
nbeer := nbeer − 1
nsprite := max ; nbeer := max
19
Some preliminaries
• typed variables with a valuation that assigns values to variables
– e.g., η(x) = 17 and η(y) = −2
• the set of Boolean conditions over Var
– propositional logic formulas whose propositions are of the form “x ∈ D”
– (−3 < x 5) ∧ (y = green) ∧ (x 2·x)
• effect of the actions is formalized by means of a mapping:
Effect : Act × Eval(Var) → Eval(Var)
– e.g., α ≡ x := y+5 and evaluation η(x) = 17 and η(y) = −2
– Effect(α, η)(x) = η(y) + 5 = 3, and Effect(α, η)(y) = η(y) = −2
c JPK
20
Program graphs
A program graph PG over set Var of typed variables is a tuple
(Loc, Act, Effect, −→, Loc0, g0)
where
• Loc is a set of locations with initial locations Loc0 ⊆ Loc
• Act is a set of actions
• Effect : Act × Eval(Var) → Eval(Var) is the effect function
• −→ ⊆ Loc ×
Cond(Var)
×Act × Loc, transition relation
Boolean conditions overVar
• g0 ∈ Cond(Var) is the initial condition.
Notation: −g:α
−→ denotes , g, α, ∈ −→
c JPK
21
Beverage vending machine
• Loc = { start, select } with Loc0 = { start }
• Act = { bget , sget , coin, ret coin, refill }
• Var = { nsprite, nbeer } with domain { 0, 1, . . . , max }
•
Effect(coin , η)
Effect(ret coin , η)
Effect(sget , η)
Effect(bget , η)
Effect(refill , η)
=
=
=
=
=
η
η
η[nsprite := nsprite −1]
η[nbeer := nbeer −1]
[nsprite := max , nbeer := max ]
• g0 = (nsprite = max ∧ nbeer = max )
c JPK
22
From program graphs to transition systems
• Basic strategy: unfolding
– state = location (current control) + data valuation η
– initial state = initial location satisfying the initial condition g0
• Propositions and labeling
– propositions: “at ” and “x ∈ D” for D ⊆ dom(x)
– , η is labeled with “at ” and all conditions that hold in η
g:α
α
• −−
−→ and g holds in η then , η −−
→ , Effect(α, η)
c JPK
23
Transition systems for program graphs
The transition system TS(PG) of program graph
PG = (Loc, Act, Effect, −→, Loc0, g0)
over set Var of variables is the tuple (S, Act, −→, I, AP, L) where
• S = Loc × Eval(Var)
g:α
−→ ∧ η |= g
−−
• −→ ⊆ S × Act × S is defined by the rule:
α
, η −−
→ , Effect(α, η)
• I = {, η | ∈ Loc0, η |= g0}
• AP = Loc ∪ Cond(Var) and L(, η) = {} ∪ {g ∈ Cond(Var) | η |= g}.
c JPK
24
refill
refill
start
coin
refill
select
beer
sprite
start
start
coin
select
sget
coin
select
bget
start bget
start
start
start
coin
coin
select
sget
sget
coin
select
select
sget
bget
coin
select
sget
start
start
bget
coin
select
bget
coin
ret coin
select
c JPK
25
Content of this lecture
• Introduction
– why model checking?, how to model check?
• Transition systems
– paths, traces, program graphs
⇒ Linear time properties
– safety, liveness, decomposition
• Fairness
– unconditional, strong and weak fairness
c JPK
26
Linear-time properties
• Linear-time properties specify the traces that a TS must exhibit
– LT-property specifies the admissible behaviour of the system
– later, a logical formalism will be introduced for specifying LT properties
AP ω
• A linear-time property (LT property) over AP is a subset of 2
– finite words are not needed, as it is assumed that there are no terminal states
• TS (over AP) satisfies LT-property P (over AP):
TS |= P
if and only if
Traces(TS) ⊆ P
– TS satisfies the LT property P if all its “observable” behaviors are admissible
c JPK
27
Semaphore-based mutual exclusion
PG1 :
PG2 :
noncrit1
y := y+1
noncrit2
y := y+1
wait1
wait2
y>0:
y := y−1
y>0:
y := y−1
crit1
crit2
y=0 means “lock is currently possessed”; y=1 means “lock is free”
c JPK
28
Transition system
n1 , n2 , y=1
y := y+1
y := y+1
w1 , n2 , y=1
c1 , n2 , y=0
n1 , w2 , y=1
w1 , w2 , y=1
y := y−1
n1 , c2 , y=0
y := y−1
c1 , w2 , y=0
c JPK
w1 , c2 , y=0
29
How to specify mutual exclusion?
“Always at most one process is in its critical section”
• Let AP = { crit1, crit2 }
– other atomic propositions are not of any relevance for this property
• Formalization as LT property
Pmutex = set of infinite words A0 A1 A2 . . . with { crit1 , crit2 } ⊆ Ai for all 0 i
• Contained in Pmutex are e.g., the infinite words:
{ crit1 } { crit2 } { crit1 } { crit2 } { crit1 } { crit2 } . . .
∅∅∅∅∅∅∅...
and
– this does not apply to words of the form: { crit1 } ∅ { crit1 , crit2 } . . .
Does the semaphore-based algorithm satisfy Pmutex ?
c JPK
30
Does the semaphore-based algorithm satisfy Pmutex ?
∅
n1 , n2 , y=1
∅
w1 , n2 , y=1
c1 , n2 , y=0 { crit1 }
{ crit1 } c1 , w2 , y=0
∅
n1 , w2 , y=1
∅
w1 , w2 , y=1
{ crit2 } n1 , c2 , y=0
w1 , c2 , y=0 { crit2 }
Yes as there is no reachable state labeled with { crit1, crit2 }
c JPK
31
How to specify starvation freedom?
“A process that wants to enter the critical section is eventually able to do so‘”
• Let AP = { wait1, crit1, wait2, crit2 }
• Formalization as LT-property
Pnostarve = set of infinite words A0 A1 A2 . . . such that:
∞
∞
⇒
∃ j. waiti ∈ Aj
∃ j. criti ∈ Aj
for each i ∈ { 1, 2 }
∞
∃ stands for “there are infinitely many”.
Does the semaphore-based algorithm satisfy Pnostarve ?
c JPK
32
No. The trace
∅ { wait2 } { wait1, wait2 } { crit1, wait2 }
{ wait2 } { wait1, wait2 } { crit1, wait2 } . . .
is a possible trace of the transition system but not in Pnostarve
c JPK
33
Trace equivalence and LT properties
For TS and TS be transition systems (over AP):
Traces(TS) ⊆ Traces(TS )
if and only if
for any LT property P : TS |= P implies TS |= P
Traces(TS) = Traces(TS )
if and only if
TS and TS satisfy the same LT properties
c JPK
34
Invariants
• LT property Pinv over AP is an invariant if it has the form:
Pinv =
AP ω
A0 A1 A2 . . . ∈ 2
| ∀j 0. Aj |= Φ
– where Φ is a propositional logic formula Φ over AP
– Φ is called an invariant condition of Pinv
• Note that
TS |= Pinv
iff
iff
iff
trace(π) ∈ Pinv for all paths π in TS
L(s) |= Φ for all states s that belong to a path of TS
L(s) |= Φ for all states s ∈ Reach(TS)
• Φ has to be fulfilled by all initial states and
– satisfaction of Φ is invariant under all transitions in the reachable fragment of TS
c JPK
35
Safety properties
• Safety properties may impose requirements on finite path fragments
– and cannot be verified by considering the reachable states only
• A safety property which is not an invariant:
– consider a cash dispenser, also known as automated teller machine (ATM)
– property “money can only be withdrawn once a correct PIN has been provided”
⇒ not an invariant, since it is not a state property
• But a safety property:
– any infinite run violating the property has a finite prefix that is “bad”
– i.e., in which money is withdrawn without issuing a PIN before
c JPK
36
Safety properties
• LT property Psafe over AP is a safety property if
– for all σ ∈
AP
2
ω
\ Psafe there exists a finite prefix σ
of σ such that:
Psafe ∩
σ ∈
AP ω
2
|σ
is a prefix of σ
= ∅
• Path fragment σ
is a bad prefix of Psafe
– let BadPref(Psafe ) denote the set of bad prefixes of Psafe
• Path fragment σ
is a minimal bad prefix for Psafe :
– if σ
∈ BadPref(Psafe ) and no proper prefix of σ
is in BadPref(Psafe )
c JPK
37
Safety properties and finite traces
For transition system TS without terminal states
and safety property Psafe :
TS |= Psafe if and only if Tracesfin (TS) ∩ BadPref(Psafe ) = ∅
c JPK
39
Closure
AP ω
• For trace σ ∈ 2
, let pref(σ) be the set of finite prefixes of σ:
AP ∗
pref(σ) = { σ
∈ 2
– if σ = A0 A1 . . . then pref(σ) =
|σ
is a finite prefix of σ }
ε, A0 , A0A1, A0A1A2, . . .
• For property P we have: pref(P ) =
σ∈P
pref(σ)
• The closure of LT property P :
APω
| pref(σ) ⊆ pref(P )
closure(P ) = σ ∈ 2
– the set of infinite traces whose finite prefixes are also prefixes of P , or
– infinite traces in the closure of P do not have a prefix that is not a prefix of P
c JPK
40
Safety properties and closures
For any LT property P over AP:
P is a safety property if and only if closure(P ) = P
c JPK
41
Why liveness?
• Safety properties specify that “something bad never happens”
• Doing nothing easily fulfills a safety property
– as this will never lead to a “bad” situation
⇒ Safety properties are complemented by liveness properties
– that require some progress
• Liveness properties assert that:
– ”something good” will happen eventually
c JPK
[Lamport 1977]
42
The meaning of liveness
The question of whether a real system satisfies a liveness property
is meaningless; it can be answered only by observing the system for
an infinite length of time, and real systems don’t run forever.
Liveness is always an approximation to the property we really care about.
We want a program to terminate within 100 years, but proving that it does
would require addition of distracting timing assumptions.
[Lamport 2000]
c JPK
So, we prove the weaker condition that the program eventually terminates.
This doesn’t prove that the program will terminate within our lifetimes,
but it does demonstrate the absence of infinite loops.
43
Liveness properties
LT property Plive over AP is a liveness property whenever
AP ∗
pref(Plive ) = 2
• A liveness property is an LT property
– that does not rule out any prefix
• Liveness properties are violated in “infinite time”
– whereas safety properties are violated in finite time
– finite traces are of no use to decide whether P holds or not
– any finite prefix can be extended such that the resulting infinite trace satisfies P
c JPK
44
Liveness properties for mutual exclusion
• Eventually:
– each process will eventually enter its critical section
• Repeated eventually:
– each process will enter ist critical section infinitely often
• Starvation freedom:
– each waiting process will eventually enter its critical section
c JPK
45
Safety vs. liveness
• Are safety and liveness properties disjoint?
Yes
• Is any linear-time property a safety or liveness property?
No
• But:
for any LT property P an equivalent LT property P exists
which is a conjunction of a safety and a liveness property
c JPK
46
Decomposition theorem
For any LT property P over AP there exists
a safety property Psafe and a liveness property Plive
(both over AP) such that:
P = Psafe ∩ Plive
Proposal: P = closure(P ) ∩ P ∪
=P
safe
c JPK
AP ω
2
\ closure(P )
=Plive
48
Classification of LT properties
safety and liveness property
(2AP)ω
safety properties
invariants
c JPK
1
0
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
liveness properties
neither liveness
nor safety properties
49
Content of this lecture
• Introduction
– why model checking?, how to model check?
• Transition systems
– paths, traces, program graphs
• Linear time properties
– safety, liveness, decomposition
⇒ Fairness
– unconditional, strong and weak fairness
c JPK
50
Does this program always terminate?
Inc ||| Reset
where
proc Inc = while x 0 do x := x + 1 od
proc Reset = x := −1
x is a shared integer variable that initially has value 0
c JPK
51
Is it possible to starve?
n1 , n2 , y=1
req2
rel
req1
rel
w1 , n2 , y=1
n1 , w2 , y=1
enter2
req2
req1
enter1
c1 , n2 , y=0
rel
w1 , w2 , y=1
req2
rel
enter1
c1 , w2 , y=0
c JPK
n1 , c2 , y=0
enter2
req1
w1 , c2 , y=0
52
Process two starves
n1 , n2 , y=1
req2
rel
req1
rel
w1 , n2 , y=1
n1 , w2 , y=1
enter2
req2
req1
enter1
c1 , n2 , y=0
rel
w1 , w2 , y=1
req2
rel
enter1
c1 , w2 , y=0
n1 , c2 , y=0
enter2
req1
w1 , c2 , y=0
Is it fair that process two has infinitely many possibilities
to enter the critical section, but never enters it?
c JPK
53
Process two starves
n1 , n2 , y=1
req2
rel
req1
rel
w1 , n2 , y=1
n1 , w2 , y=1
enter2
req2
req1
enter1
c1 , n2 , y=0
rel
w1 , w2 , y=1
req2
rel
enter1
c1 , w2 , y=0
n1 , c2 , y=0
enter2
req1
w1 , c2 , y=0
Is it fair that process two has infinitely many possibilities
to enter the critical section, but only enters it finitely often?
c JPK
54
Fairness
• Starvation freedom is often considered under process fairness
⇒ there is a fair scheduling of the execution of processes
• Fairness is typically needed to prove liveness
– to prove some form of progress, progress needs to be possible
• Fairness is concerned with a fair resolution of nondeterminism
– such that it is not biased to consistently ignore a possible option
• Problem: liveness properties constrain infinite behaviours
– but some traces—that are unfair—refute the liveness property
c JPK
55
Fairness constraints
• What is wrong with our examples?
Nothing!
– interleaving: not realistic as in no processor is infinitely faster than another
– semaphore-based mutual exclusion: level of abstraction
• Rule out “unrealistic” executions by imposing fairness constraints
– what to rule out?
⇒ different kinds of fairness constraints
• “A process gets its turn infinitely often”
– always
– if it is enabled infinitely often
– if it is continuously enabled from some point on
c JPK
unconditional fairness
strong fairness
weak fairness
56
Fairness constraints
For TS = (S, Act, →, I, AP, L) without terminal states, A ⊆ Act,
α
α
0 s −
1 . . . of TS:
and infinite execution fragment ρ = s0 −−→
→
1 −
1. ρ is unconditionally A-fair whenever: true =⇒ ∀k 0. ∃j k. αj ∈ A
infinitely often A is taken
2. ρ is strongly A-fair whenever:
( ∀k 0. ∃j k. Act(sj ) ∩ A = ∅ ) =⇒ ∀k 0. ∃j k. αj ∈ A
infinitely often A is enabled
infinitely often A is taken
3. ρ is weakly A-fair whenever:
( ∃k 0. ∀j k. Act(sj ) ∩ A = ∅ ) =⇒ ∀k 0. ∃j k. αj ∈ A
A is eventually always enabled
infinitely often A is taken
α
−
→s
where Act(s) = α ∈ Act | ∃s ∈ S. s −
c JPK
58
Which fairness notion to use?
• Fairness constraints aim to rule out “unreasonable” runs
• Too strong? ⇒ relevant computations ruled out
verification yields:
– “false”: error found
– “true”: don’t know as some relevant execution may refute it
• Too weak? ⇒ too many computations considered
verification yields:
– “true”: property holds
– “false”: don’t know, as refutation maybe due to some unreasonable run
often a combination of several fairness constraints is used
c JPK
60
Fairness assumptions
• A fairness assumption for Act is a triple
F = (Fucond , Fstrong , Fweak )
with Fucond , Fstrong , Fweak ⊆ 2Act
• Execution ρ is F-fair if:
– it is unconditionally A-fair for all A ∈ Fucond , and
– it is strongly A-fair for all A ∈ Fstrong , and
– it is weakly A-fair for all A ∈ Fweak
fairness assumption (∅, F , ∅) denotes strong fairness; (∅, ∅, F ) weak, etc.
c JPK
61
Fairness for mutual exclusion
n1 , n2 , y=1
req2
rel
req1
rel
w1 , n2 , y=1
n1 , w2 , y=1
enter2
req2
req1
enter1
c1 , n2 , y=0
req2
rel
w1 , w2 , y=1
enter2
rel
enter1
c1 , w2 , y=0
n1 , c2 , y=0
req1
w1 , c2 , y=0
F = (∅, { enter1, enter2 } , ∅)
Fstrong
c JPK
62
Fairness for mutual exclusion
n1 , n2 , y=1
req2
rel
req1
rel
w1 , n2 , y=1
n1 , w2 , y=1
enter2
req2
req1
enter1
c1 , n2 , y=0
req2
rel
w1 , w2 , y=1
enter2
rel
enter1
c1 , w2 , y=0
n1 , c2 , y=0
req1
w1 , c2 , y=0
F = (∅, { enter1 }, { enter2 } , ∅)
Fstrong
c JPK
63
Fairness for mutual exclusion
n1 , n2 , y=1
req2
rel
req1
rel
w1 , n2 , y=1
n1 , w2 , y=1
enter2
req2
req1
enter1
c1 , n2 , y=0
req2
rel
w1 , w2 , y=1
enter2
rel
enter1
c1 , w2 , y=0
F =
n1 , c2 , y=0
req1
w1 , c2 , y=0
∅, { enter1 }, { enter2 } , { req1 }, { req2 }
Fstrong
Fweak
in any F -fair execution each process infinitely often requests access
c JPK
64
Fair paths and traces
• Path s0 −
→ s1 −
→ s2 . . . is F-fair if
α
α
1 s −
2 s ...
– there exists an F -fair execution s0 −−→
→
1 −
2
– FairPathsF (s) denotes the set of F -fair paths that start in s
– FairPathsF (TS) =
s∈I FairPathsF (s)
• Trace σ is F-fair if there exists an F-fair path π with trace(π) = σ
– FairTracesF (s) = trace(FairPathsF (s))
– FairTracesF (TS) = trace(FairPathsF (TS))
c JPK
65
Fair satisfaction
• TS satisfies LT-property P :
TS |= P
if and only if
Traces(TS) ⊆ P
– TS satisfies the LT property P if all its observable behaviors are admissible
• TS fairly satisfies LT-property P wrt. fairness assumption F:
TS |=F P
if and only if
FairTracesF (TS) ⊆ P
– if all paths in TS are F -fair, then TS |=F P if and only if TS |= P
– if some path in TS is not F -fair, then possibly TS |=F P but TS | = P
c JPK
66
Fairness for mutual exclusion
n1 , n2 , y=1
req2
rel
req1
rel
w1 , n2 , y=1
n1 , w2 , y=1
enter2
req2
req1
enter1
c1 , n2 , y=0
req2
rel
w1 , w2 , y=1
enter2
rel
enter1
c1 , w2 , y=0
n1 , c2 , y=0
req1
w1 , c2 , y=0
TS |= “every process enters its critical section infinitely often”
and TS |=F “every . . . often”
but TS |=F “every . . . often”
c JPK
67
Fairness and safety properties
For TS and safety property Psafe (both over AP)
suhc that for any s ∈ Reach(TS): FairPathsF (s) = ∅:
TS |= Psafe
if and only if
TS |=F Psafe
Safety properties are thus preserved by “realizable” fairness assumptions
c JPK
68
Verifying Regular Linear-Time Properties
Part #2 of Logic and Verification
Joost-Pieter Katoen
Software Modeling and Verification Group
RWTH Aachen University
MOVEP 2014, University of Nantes, July 7, 2014
c JPK
Content of this lecture
• Automata on finite words
– refresh your memory
• Verifying regular safety properties
– product construction, counterexamples
• Automata on infinite words
– (generalised) Büchi automata, ω -regular languages
• Verifying ω-regular properties
– nested depth first search
c JPK
1
Content of this lecture
⇒ Automata on finite words
– refresh your memory
• Verifying regular safety properties
– product construction, counterexamples
• Automata on infinite words
– (generalised) Büchi automata, ω -regular languages
• Verifying ω-regular properties
– nested depth first search
c JPK
2
Refresh your memory: Finite automata
A nondeterministic finite automaton (NFA) A is a tuple (Q, Σ, δ, Q0, F ) where:
• Q is a finite set of states
• Σ is an alphabet
A
• δ : Q × Σ → 2Q is a transition function
q0
• Q0 ⊆ Q a set of initial states
B
A
B
q1
q2
B
• F ⊆ Q is a set of accept (or: final) states
c JPK
3
Language of an NFA
• NFA A = (Q, Σ, δ, Q0, F ) and word w = A1 . . . An ∈ Σ∗
• An accepted run for w in A is a finite sequence q0 q1 . . . qn such that:
A
i+1
– q0 ∈ Q0 and qi −
−−
−
→ qi+1 for all 0 i < n, and qn ∈ F
• w ∈ Σ∗ is accepted by A if there exists an accepting run for w
∗
• L(A) = w ∈ Σ | there exists an accepting run for w in A
• NFA A and A are equivalent if L(A) = L(A)
c JPK
4
Facts about finite automata
• They are as expressive as regular languages
• They are closed under ∩ and complementation
– NFA A ⊗ B (= cross product) accepts L(A) ∩ L(B)
– Total DFA A (= swap all accept and normal states) accepts L(A) = Σ∗ \ L(A)
• They are closed under determinization (= removal of choice)
– although at an exponential cost.....
• L(A) = ∅? = check for a reachable accept state in A
– this can be done using a simple depth-first search
• For regular language L there is a unique minimal DFA accepting L
c JPK
5
Content of this lecture
• Automata on finite words
– refresh your memory
⇒ Verifying regular safety properties
– product construction, counterexamples
• Automata on infinite words
– (generalised) Büchi automata, ω -regular languages
• Verifying ω-regular properties
– nested depth first search
c JPK
6
Safety properties
• LT property Psafe over AP is a safety property if
– for all σ ∈ Psafe there exists a finite prefix σ
of σ such that:
Psafe ∩
σ ∈
AP ω
|σ
∈ pref(σ) = ∅
2
• The set BadPref of bad prefixes for Psafe :
BadPref(Psafe ) =
AP ∗
2
\ pref(Psafe )
• The set MinBadPref of minimal bad prefixes for Psafe :
MinBadPref(Psafe ) = { σ ∈
c JPK
AP ∗
2
| pref(σ) ∩ BadPref(Psafe ) = { σ } }
7
Regular safety properties
• Definition:
Safety property Psafe is regular if BadPref(Psafe ) is a regular language
• Or, equivalently:
Safety property Psafe is regular if there exists
a finite automaton over the alphabet 2AP recognizing BadPref(Psafe )
c JPK
8
Some regular safety properties
• Every invariant (over AP) is a regular safety property
– bad prefixes have form Φ∗(¬Φ)true∗ for invariant condition Φ
– . . . where Φ stands for any A ⊆ AP with A |= Φ
• A regular safety property which is not an invariant:
“a red light is immediately preceded by a yellow light”
• A non-regular safety property:
“the number of inserted coins is at least the number of dispensed drinks”
c JPK
9
Peterson’s banking system
Person Left behaves as follows:
Person Right behaves as follows:
while true {
while true {
......
......
rq :
b1 , x = true, 2;
rq :
b2 , x = true, 1;
wt :
wait until(x == 1 || ¬ b2 ) {
wt :
wait until(x == 2 || ¬ b1 ) {
. . . @accountR . . .}
cs :
. . . @accountL . . .}
}
c JPK
cs :
b1 = false;
b2 = false;
......
......
}
10
Is the banking system safe?
x == 1
x == 2
b1 = 0
b2 = 0
b1 = 1
x=2
b2 = 1
b2 = 1
x=1
b2 = 1
x=1
b1 = 0
b1 = 1
x=2
x=2
b2 = 0
x=1
x == 1
b1 = 1
x == 2
Can we guarantee that only one person at a time has access to the bank account?
“always ¬ (@accountL ∧ @accountR )”
c JPK
11
Is the banking system safe?
• Safe = at most one person may have access to the account
• Unsafe: two persons have access to the account simultaneously
– unsafe behaviour can be characterized by bad prefix
– alternatively (in this case) by the finite automaton:
¬ (@accountL
∧ @accountR)
@accountL ∧ @accountR
• Traces(TSPet ) ∩ BadPref(Psafe ) = ∅?
– intersection, complementation and emptiness of languages . . .
c JPK
12
Problem statement
Let
• Psafe be a regular safety property over AP
• A be an NFA recognizing the bad prefixes of Psafe
– assume that ε ∈
/ L(A)
⇒ otherwise all finite words over 2AP are bad prefixes and Psafe = ∅
• TS be a finite transition system (over AP) without terminal states
How to establish whether TS |= Psafe ?
c JPK
13
Basic idea of the algorithm
TS |= Psafe
if and only if Tracesfin (TS) ∩ BadPref(Psafe ) = ∅
if and only if Tracesfin (TS) ∩ L(A) = ∅
if and only if TS ⊗ A |= “always” Φ
But . . . . . . this amounts to invariant checking on TS ⊗ A
⇒ checking regular safety properties can be done by depth-first search!
c JPK
14
Synchronous product
For transition system TS = (S, Act, →, I, AP, L) without terminal states
and A = (Q, Σ, δ, Q0, F ) an NFA with Σ = 2AP and Q0 ∩ F = ∅, let:
TS ⊗ A = (S , Act, → , I , AP, L)
where
• S = S × Q, AP = Q and L(s, q) = { q }
L(t)
α
s
−
−
→ t ∧ q −−−→ p
• → is the smallest relation defined by:
α s, q −−
→ t, p
L(s )
0
• I = { s0, q | s0 ∈ I ∧ ∃q0 ∈ Q0. q0 −−−−
→q}
without loss of generality it may be assumed that TS ⊗ A has no terminal states
c JPK
15
Example product
sr
sy
{ yellow }
∅
sg
c JPK
{ red }
∅
sry
yellow ∧ ¬red
yellow
q1
¬red ∧ ¬yellow
q0
¬yellow
red
qF
sg , q0
sry , q0
sy , q1
sr , q0
16
Verification of regular safety properties
Let TS over AP, NFA A, and P a regular safety property with L(A) = BadPref(P )
The following statements are equivalent:
(a) TS |= P
(b) Tracesfin (TS) ∩ L(A) = ∅
(c) TS ⊗ A |= Pinv (A) =
q∈F ¬ q
c JPK
17
Counterexamples
For each initial path fragment s0, q1 . . . sn, qn+1 of TS ⊗ A:
q1, . . . , qn ∈ F and qn+1 ∈ F
⇒
trace(s0 s1 . . . sn) ∈ L(A)
bad prefix for Psafe
c JPK
18
Time complexity
The time and space complexity of checking TS |= Psafe is in:
O(|TS| · |A|)
where A is an NFA with L(A) = MinBadPref(Psafe )
c JPK
19
Content of this lecture
• Automata on finite words
– refresh your memory
• Verifying regular safety properties
– product construction, counterexamples
⇒ Automata on infinite words
– (generalised) Büchi automata, ω -regular languages
• Verifying ω-regular properties
– nested depth first search
c JPK
20
Peterson’s banking system
Person Left behaves as follows:
Person Right behaves as follows:
while true {
while true {
......
......
rq :
b1 , x = true, 2;
rq :
b2 , x = true, 1;
wt :
wait until(x == 1 || ¬ b2 ) {
wt :
wait until(x == 2 || ¬ b1 ) {
. . . @accountR . . .}
cs :
. . . @accountL . . .}
}
c JPK
cs :
b1 = false;
b2 = false;
......
......
}
21
Is the banking system live?
x == 1
x == 2
b1 = 0
b2 = 0
b1 = 1
x=2
b2 = 1
b2 = 1
x=1
b2 = 1
x=1
b1 = 0
b1 = 1
x=2
x=2
b2 = 0
x=1
x == 1
b1 = 1
x == 2
If someone wants to update the account, does he ever get the opportunity to do so?
“always (reqL ⇒ eventually @accountL) ∧ always (reqR ⇒ eventually @accountR )”
c JPK
22
Is the banking system live?
• Live = when you want access to account, you eventually get it
• Not live: once you want access to the account, you never get it
– unlive behaviour can be characterized as a (set of) infinite traces
– or, equivalently, by a Büchi-automaton Live:
¬ @account
true
req
true
@account
• Checking liveness: Traces(TSPet ) ∩ Lω (Live) = ∅?
– (explicit) complementation, intersection and emptiness of Büchi automata!
c JPK
23
Syntax of ω-regular expressions
• Regular expressions denote languages of finite words
• ω-Regular expressions denote languages of infinite words
• An ω-regular expression G over Σ has the form:
ω
G = E1.Fω
1 + . . . + En .Fn
for n > 0
/ L(Fi)
where Ei, Fi are regular expressions over Σ with ε ∈
• Some examples: (A + B)∗.B ω , (B ∗.A)ω , and A∗.B ω + Aω
c JPK
25
Semantics of ω-regular expressions
• For L ⊆ Σ∗ let Lω = { w1w2w3 . . . | ∀i 0. wi ∈ L }
ω
• Let ω-regular expression G = E1.Fω
+
.
.
.
+
E
.F
n
1
n
• The semantics of G is a language L(G) ⊆ Σω :
Lω (G) = L(E1).L(F1)ω ∪ . . . ∪ L(En).L(Fn)ω
• G1 and G2 are equivalent, denoted G1 ≡ G2, if Lω (G1) = Lω (G2)
c JPK
26
ω-Regular languages
• L is ω-regular if L = Lω (G) for some ω-regular expression G
• Examples over Σ = { A, B }:
– language of all words with infinitely many As:
(B ∗.A)ω
– language of all words with finitely many As:
∗
(A + B) .B
– the empty language
ω
ω
∅
• ω-Regular languages are closed under ∪, ∩, and complementation
c JPK
27
ω-regular properties
• Definition:
LT property P over AP is ω-regular if
P is an ω-regular language over the alphabet 2AP
• Or, equivalently:
LT property P over AP is ω-regular if P is a language
accepted by a nondeterministic Büchi automaton over 2AP
c JPK
28
Example ω-regular properties
• Any invariant P is an ω-regular property
– as Φω describes P with invariant condition Φ
• Any regular safety property P is an ω-regular property
AP
ω
– as P = BadPref(P ). 2
is ω -regular
– and the fact that ω -regular languages are closed under complement
• Many liveness properties P are ω-regular properties
c JPK
29
Nondeterministic Büchi automata
• NFA (and DFA) are incapable of accepting infinite words
• Automata on infinite words
– suited for accepting ω -regular languages
– we consider nondeterministic Büchi automata (NBA)
• Accepting runs have to “check” the entire input word ⇒ are infinite
⇒ acceptance criteria for infinite runs are needed
• NBA are like NFA, but have a distinct acceptance criterion
– one of the accept states must be visited infinitely often
c JPK
30
Language of an NBA
• NBA A = (Q, Σ, δ, Q0, F ) and word σ = A0A1A2 . . . ∈ Σω
• An accepted run for σ in A is an infinite sequence q0 q1 q2 . . . such that:
A
i+1
– q0 ∈ Q0 and qi −
−−
−
→ qi+1 for all 0 i, and
– qi ∈ F for infinitely many i
• σ ∈ Σω is accepted by A if there exists an accepting run for σ
• The accepted language of A:
ω
Lω (A) = σ ∈ Σ | there exists an accepting run for σ in A
• NBA A and A are equivalent if Lω (A) = Lω (A)
c JPK
31
NBA versus NFA
A
A
A
A1
A
A
A
A2
finite equivalence ⇒ ω -equivalence
A
A1
A
A2
ω -equivalence ⇒ finite equivalence
L(A) = L(A ), but Lω (A) = Lω (A ) Lω (A) = Lω (A ), but L(A) = L(A )
c JPK
32
NBA and ω-regular languages
The class of languages accepted by NBA
agrees with the class of ω -regular languages
(1) any ω -regular language is recognized by an NBA
(2) for any NBA A, the language Lω (A) is ω -regular
c JPK
33
Checking non-emptiness
Lω (A) = ∅
if and only if
∃q0 ∈ Q0. ∃q ∈ F. ∃w ∈ Σ∗. ∃v ∈ Σ+. q ∈ δ ∗(q0, w) ∧ q ∈ δ ∗(q, v)
there is a reachable accept state on a cycle
The emptiness problem for NBA A can be solved in O(|A|)
c JPK
38
NBA are more expressive than DBA
NFA and DFA are equally expressive but NBA and DBA are not!
There is no DBA that accepts Lω ((A + B)∗Bω )
c JPK
39
An LT property requiring nondeterminism
q0
true
a
q1
a
¬a
q2
true
let { a } = AP, i.e., 2AP = {A, B} where A = {} and B = {a}
”eventually for ever a” equals (A + B)∗Bω = ({} + {a})∗ {a}ω
c JPK
40
Content of this lecture
• Automata on finite words
– refresh your memory
• Verifying regular safety properties
– product construction, counterexamples
• Automata on infinite words
– (generalised) Büchi automata, ω -regular languages
⇒ Verifying ω-regular properties
– nested depth first search
c JPK
47
ω-regular properties
• Definition:
LT property P over AP is ω-regular if
P is an ω-regular language over the alphabet 2AP
• Or, equivalently:
LT property P over AP is ω-regular if P is a language
accepted by a nondeterministic Büchi automaton over 2AP
c JPK
48
Basic idea of the algorithm
TS |= P
if and only if Traces(TS) ⊆ P
AP ω
if and only if Traces(TS) ∩ 2
\ P = ∅
if and only if Traces(TS) ∩ P = ∅
if and only if Traces(TS) ∩ Lω (A) = ∅
if and only if TS ⊗ A |= “eventually for ever” ¬F
persistence property
where A is an NBA accepting the complement property P =
c JPK
AP
2
ω
\P
49
Persistence property
AP ω
A persistence property over AP is an LT property Ppers ⊆ 2
“eventually for ever Φ” for some propositional logic formula Φ over AP:
Ppers =
ω
A0A1A2 . . . ∈ 2AP | ∃i 0. ∀j i. Aj |= Φ
Φ is called a persistence (or state) condition of Ppers
“Φ is an invariant after a while”
c JPK
50
Example persistence property
q0
true
a
q1
a
¬a
q2
true
let { a } = AP, i.e., 2AP = {A, B} where A = {} and B = {a}
”eventually for ever a” equals (A + B)∗Bω = ({} + {a})∗ {a}ω
c JPK
51
Recall synchronous product
For transition system TS = (S, Act, →, I, AP, L) without terminal states
and A = (Q, Σ, δ, Q0, F ) a non-blocking NBA with Σ = 2AP, let:
TS ⊗ A = (S , Act, → , I , AP, L)
where
• S = S × Q, AP = Q and L(s, q) = { q }
L(t)
α
s
−
−
→ t ∧ q −−−→ p
• → is the smallest relation defined by:
α s, q −−
→ t, p
L(s )
0
• I = { s0, q | s0 ∈ I ∧ ∃q0 ∈ Q0. q0 −−−−
→q}
c JPK
52
Verifying ω-regular properties
Let:
• TS be a transition system over AP
• P be an ω -regular property over AP, and
• A a non-blocking NBA such that Lω (A) = P .
The following statements are equivalent:
(a) TS |= P
(b) Traces(TS) ∩ Lω (A) = ∅
(c) TS ⊗ A |= Ppers (A)
where Ppers (A) = “eventually for ever ¬ F ”
⇒ checking ω -regular properties is reduced to persistence checking!
c JPK
53
Persistence checking and cycle detection
Let
• TS be a finite transition system without terminal states over AP
• Φ a propositional formula over AP, and
• Ppers the persistence property ”eventually for ever Φ”
TS |= Ppers
if and only if
∃s ∈ Reach(TS). s |= Φ ∧ s is on a cycle in G(TS)
c JPK
55
Infinitely often green?
{ red }
{ green }
q0
c JPK
¬green
true
¬green
q1
true
green
{ q0 }
{ q1 }
{ q2 }
s0, q0
s0, q1
s0, q2
s1, q0
s1, q1
s1, q2
{ q0 }
{ q1 }
{ q2 }
q2
56
Infinitely often green?
∅
s2
{ red }
s0
{ green }
s1
{ q0 }
{ q1 }
{ q2 }
s2, q0
s2, q1
s2, q2
s0, q0 { q0 } s0, q1 { q1 } s0, q2 { q2 }
c JPK
s1, q0
s1, q1
s1, q2
{ q0 }
{ q1 }
{ q2 }
57
Cycle detection
How to check for a reachable cycles containing a ¬Φ-state?
• Alternative 1:
–
–
–
–
compute the strongly connected components (SCCs) in G(TS)
check whether one such SCC is reachable from an initial state
. . . that contains a ¬Φ-state
“eventually for ever Φ” is refuted if and only if such SCC is found
• Alternative 2:
– use a nested depth-first search
⇒ more adequate for an on-the-fly verification algorithm
⇒ easier for generating counterexamples
c JPK
58
Nested depth-first search
• Idea: perform the two depth-first searches in an interleaved way
– the outer DFS serves to encounter all reachable ¬Φ-states
– the inner DFS seeks for backward edges leading to a ¬Φ-state
• Nested DFS
– on full expansion of ¬Φ-state s in the outer DFS, start inner DFS
– in inner DFS, visit all states reachable from s not visited in the inner DFS yet
– no backward edge found to s? continue the outer DFS (look for next ¬Φ state)
• Counterexample generation: DFS stack concatenation
– stack U for the outer DFS = path fragment from s0 ∈ I to s (in reversed order)
– stack V for the inner DFS = a cycle from state s to s (in reversed order)
c JPK
59
Correctness of nested DFS
Let:
• TS be a finite transition system over AP without terminal states and
• Ppers a persistence property
The nested DFS algorithm yields ”no” if and only if TS |= Ppers
c JPK
60
Time complexity
The worst-case time complexity of nested DFS is in
O((N +M ) + N ·| Φ |)
where N is # reachable states in TS, and M is # transitions in TS
c JPK
61
LTL Model Checking
Part #3 of Logic and Verification
Joost-Pieter Katoen
Software Modeling and Verification Group
RWTH Aachen University
MOVEP 2014, University of Nantes, July 7, 2014
c JPK
Content of this lecture
• Linear temporal logic
– syntax, semantics, specifying properties
• Equivalences and fairness
– weak until, fairness in LTL
• LTL model checking
– GNBA, from LTL to GNBA, complexity
c JPK
1
Content of this lecture
⇒ Linear temporal logic
– syntax, semantics, specifying properties
• Equivalences and fairness
– weak until, fairness in LTL
• LTL model checking
– GNBA, from LTL to GNBA, complexity
c JPK
2
LT properties
• An LT property is a set of infinite traces over AP
• Specifying such sets explicitly is often inconvenient
• Mutual exclusion is specified over AP = { c1, c2 } by
Pmutex = set of infinite words A0 A1 A2 . . . with { c1, c2 } ⊆ Ai for all 0 i
• Starvation freedom is specified over AP = { c1, w1, c2, w2 } by
Pnostarve = set of infinite words A0 A1 A2 . . . such that:
∞
∞
∞
∞
∃ j. w1 ∈ Aj ⇒ ∃ j. c1 ∈ Aj ∧ ∃ j. w2 ∈ Aj ⇒ ∃ j. c2 ∈ Aj
such properties can be specified succinctly using logic
c JPK
3
Linear Temporal Logic: Syntax
• Propositional logic
– a ∈ AP
– ¬φ and φ ∧ ψ
atomic proposition
negation and conjunction
• Temporal operators
– φ
– φUψ
neXt state fulfills φ
φ holds Until a ψ -state is reached
linear temporal logic is a logic for describing LT properties
c JPK
4
Derived operators
φ ∨ ψ
≡
¬ ( ¬ φ ∧ ¬ ψ)
φ ⇒ ψ
≡
¬φ ∨ ψ
φ⇔ψ
≡ (φ ⇒ ψ) ∧ (ψ ⇒ φ)
φ⊕ψ
≡ (φ ∧ ¬ψ) ∨ (¬φ ∧ ψ)
true ≡ φ ∨ ¬ φ
false ≡
¬ true
♦ φ ≡ true U φ
φ ≡
¬♦ ¬φ
“sometimes in the future”
“from now on for ever”
precedence order: the unary operators bind stronger than the binary ones.
¬ and bind equally strong. U takes precedence over ∧, ∨, and →
c JPK
5
Intuitive semantics
atomic prop. a
a
arbitrary
arbitrary
a
arbitrary
a ∧ ¬b
a ∧ ¬b
a ∧ ¬b
b
arbitrary
¬a
¬a
¬a
a
arbitrary
a
a
a
a
a
arbitrary
arbitrary
arbitrary
...
arbitrary
arbitrary
...
next step a
until a U b
eventually ♦a
always a
c JPK
...
...
...
6
LT properties
• Mutual exclusion is specified over AP = { c1, c2 } by
Pmutex = set of infinite words A0 A1 A2 . . . with { c1, c2 } ⊆ Ai for all 0 i
• In LTL: ¬(c1 ∧ c2)
• Starvation freedom is specified over AP = { c1, w1, c2, w2 } by
Pnostarve = set of infinite words A0 A1 A2 . . . such that:
∞
∞
∞
∞
∃ j. w1 ∈ Aj ⇒ ∃ j. c1 ∈ Aj ∧ ∃ j. w2 ∈ Aj ⇒ ∃ j. c2 ∈ Aj
• In LTL: ( ♦ w1 ⇒ ♦ c1) ∧ ( ♦ w2 ⇒ ♦ c2)
c JPK
7
Semantics over words
The LT-property induced by LTL formula ϕ over AP is:
Words(ϕ) =
ω
σ ∈ 2AP | σ |= ϕ , where |= is the smallest relation satisfying:
σ
|= true
σ
|= a
iff a ∈ A0
σ
|= ϕ1 ∧ ϕ2
iff σ |= ϕ1 and σ |= ϕ2
σ
|=
iff σ |= ϕ
σ
|= ϕ
σ
|= ϕ1 U ϕ2 iff ∃j 0. σ[j..] |= ϕ2 and σ[i..] |= ϕ1, 0 i < j
¬ϕ
(i.e., A0 |= a)
iff σ[1..] = A1A2A3 . . . |= ϕ
for σ = A0 A1 A2 . . . we have σ[i..] = Ai Ai+1 Ai+2 . . . is the suffix of σ from index i on
c JPK
8
Semantics of , ♦, ♦ and ♦
σ |= ♦ϕ
iff ∃j 0. σ[j..] |= ϕ
σ |= ϕ
iff ∀j 0. σ[j..] |= ϕ
σ |= ♦ϕ iff ∀j 0. ∃i j. σ[i . . .] |= ϕ
σ |= ♦ϕ iff ∃j 0.∀i j. σ[i . . .] |= ϕ
c JPK
9
Semantics over paths and states
Let TS = (S, Act, →, I, AP, L) and ϕ an LTL-formula over AP.
• For infinite path fragment π of TS:
π |= ϕ
iff
trace(π) |= ϕ
• For state s ∈ S:
s |= ϕ
iff
∀π ∈ Paths(s). π |= ϕ
• TS satisfies ϕ, denoted TS |= ϕ, iff Traces(TS) ⊆ Words(ϕ)
c JPK
10
Example
c JPK
s1
s2
s3
{ a, b }
{ a, b }
{a}
TS |= a
TS |= (a ∧ b)
TS |= (¬b ⇒ (a ∧ ¬b))
TS |= b U (a ∧ ¬b)
11
Practical properties in LTL
• Reachability
– simple reachability
– conditional reachability
♦ψ
φUψ
• Safety
– invariant
φ
• Liveness
(φ ⇒ ♦ ψ) and others
• Fairness
♦ φ and others
c JPK
12
Semantics of negation
For paths, it holds π |= ϕ if and only if π |= ¬ϕ since:
AP ω
Words(¬ϕ) = 2
\ Words(ϕ)
.
But: TS |= ϕ and TS |= ¬ϕ are not equivalent in general
It holds: TS |= ¬ϕ implies TS |= ϕ. Not always the reverse!
Note that:
TS |= ϕ
iff Traces(TS) ⊆ Words(ϕ)
iff Traces(TS) \ Words(ϕ) = ∅
iff Traces(TS) ∩ Words(¬ϕ) = ∅
.
TS neither satisfies ϕ nor ¬ϕ if there are
paths π1 and π2 in TS such that π1 |= ϕ and π2 |= ¬ϕ
c JPK
13
Example
s1
s0
s2
{a}
∅
∅
A transition system for which TS |= ♦a and TS |= ¬♦a
c JPK
14
Content of this lecture
• Linear temporal logic
– syntax, semantics, specifying properties
⇒ Equivalences and fairness
– weak until, fairness in LTL
• LTL model checking
– GNBA, from LTL to GNBA, complexity
c JPK
15
Equivalence
LTL formulas φ, ψ are equivalent, denoted φ ≡ ψ, if:
Words(φ) = Words(ψ)
c JPK
16
Duality and idempotence laws
Duality:
Idempotency:
c JPK
¬φ
≡
♦ ¬φ
¬♦φ
≡
¬φ
¬φ
≡
¬φ
φ
≡
φ
♦♦φ
≡
♦φ
φ U (φ U ψ)
≡
φUψ
(φ U ψ) U ψ
≡
φUψ
17
Expansion laws
Expansion:
φUψ
≡
ψ ∨ (φ ∧ (φ U ψ))
♦φ
≡
φ ∨ ♦φ
φ
≡
φ ∧ φ
proof on the black board
c JPK
20
Expansion for until
P = Words(ϕ U ψ) satisfies:
P = Words(ψ) ∪
A0A1A2 . . . ∈ Words(ϕ) | A1A2 . . . ∈ P
and is the smallest LT-property such that:
Words(ψ) ∪ A0A1A2 . . . ∈ Words(ϕ) | A1A2 . . . ∈ P
⊆ P
(∗)
smallest LT-property satisfying condition (*) means that:
P = Words(ϕ U ψ) satisfies (*) and Words(ϕ U ψ) ⊆ P for each P satisfying (*)
c JPK
21
LTL fairness constraints
Let Φ and Ψ be propositional logic formulas over AP.
1. An unconditional LTL fairness constraint is of the form:
ufair = ♦Ψ
2. A strong LTL fairness condition is of the form:
sfair = ♦Φ −→ ♦Ψ
3. A weak LTL fairness constraint is of the form:
wfair = ♦Φ −→ ♦Ψ
Φ stands for “something is enabled”; Ψ for “something is taken”
c JPK
24
LTL fairness assumption
• LTL fairness assumption = conjunction of LTL fairness constraints
– the fairness constraints are of any arbitrary type
• Strong fairness assumption: sfair =
0<ik
♦Φi −→ ♦Ψi
– compare this to an action-based strong fairness constraint over A with |A| = k
• General format: fair = ufair ∧ sfair ∧ wfair
• Rules of thumb:
– strong (or unconditional) fairness assumptions are useful for solving contentions
– weak fairness suffices for resolving nondeterminism resulting from interleaving
c JPK
25
Fair satisfaction
For state s in transition system TS (over AP) without terminal states, let
FairPathsfair (s)
=
FairTracesfair (s)
=
π ∈ Paths(s) | π |= fair
trace(π) | π ∈ FairPathsfair (s)
For LTL-formula ϕ, and LTL fairness assumption fair :
s |=fair ϕ
if and only if
∀π ∈ FairPathsfair (s). π |= ϕ and
TS |=fair ϕ
if and only if
∀s0 ∈ I. s0 |=fair ϕ
|=fair is the fair satisfaction relation for LTL; |= the standard one for LTL
c JPK
26
Randomized arbiter
noncrit1
noncrit2
unlock
req1
rel
req2
wait1
rel
rel
tail
head
enter1
crit1
wait2
enter2
enter1
lock
enter2
crit2
TS1 Arbiter TS2 |= ♦ crit1
But: TS1 Arbiter TS2 |=fair ♦crit1 ∧ ♦crit2 with fair = ♦head ∧ ♦tail
c JPK
27
Reducing |=fair to |=
For:
• transition system TS without terminal states
• LTL formula ϕ, and
• LTL fairness assumption fair
it holds:
TS |=fair ϕ
if and only if
TS |= (fair → ϕ)
verifying an LTL-formula under a fairness assumption can be done
using standard verification algorithms for LTL
c JPK
28
Content of this lecture
• Linear temporal logic
– syntax, semantics, specifying properties
• Equivalences and fairness
– weak until, fairness in LTL
⇒ LTL model checking
– GNBA, from LTL to GNBA, complexity
c JPK
29
LTL model-checking problem
The following decision problem:
Given finite transition system TS and LTL-formula ϕ:
yields “yes” if TS |= ϕ, and “no” (plus a counterexample) if TS |= ϕ
c JPK
30
NBA for LTL-formulae
c JPK
31
A first attempt
TS |= ϕ
if and only if
Traces(TS) ⊆ Words(ϕ)
Lω (Aϕ )
if and only if
Traces(TS) ∩ Lω (Aϕ) = ∅
if and only if
Traces(TS) ∩ Lω (Aϕ) = ∅
but complementation of NBA is quadratically exponential
2
if A has n states, A has cn states in worst case
c JPK
32
Observation
TS |= ϕ
if and only if
Traces(TS) ⊆ Words(ϕ)
AP ω
if and only if
Traces(TS) ∩ (2 ) \ Words(ϕ) = ∅
if and only if
Traces(TS) ∩ Words(¬ϕ) = ∅
Lω (A¬ϕ )
if and only if
TS ⊗ A¬ϕ |= ♦ ¬F
LTL model checking is thus reduced to persistence checking!
c JPK
33
Overview of LTL model checking
Negation of property
System
LTL-formula ¬ϕ
Model of system
model checker
Generalised Büchi automaton G¬ϕ
Transition system TS
Büchi automaton A¬ϕ
Product transition system
TS ⊗ A¬ϕ
TS ⊗ A¬ϕ |= Ppers (A
¬ϕ )
‘Yes’
c JPK
‘No’ (counter-example)
34
Generalized Büchi automata
• NBA are as expressive as ω-regular languages
• Variants of NBA exist that are equally expressive
– Muller, Rabin, Streett automata, and eneralized Büchi automata (GNBA)
• GNBA are like NBA, but have a distinct acceptance criterion
– a GNBA requires to visit several sets F1, . . . , Fk (k 0) infinitely often
– for k=0, all runs are accepting; for k=1 it behaves like an NBA
• GNBA are useful to relate temporal logic and automata
c JPK
35
Generalized Büchi automata
A generalized NBA (GNBA) G is a tuple (Q, Σ, δ, Q0, F) where:
• Q, Σ, δ and Q0 are as before, and
• F = { F1, . . . , Fk } is a (possibly empty) subset of 2Q
c JPK
36
Language of a GNBA
• GNBA G = (Q, Σ, δ, Q0, F) and word σ = A0A1A2 . . . ∈ Σω
• A accepted run for σ in G is an infinite sequence q0 q1 q2 . . . such that:
A
i q
– q0 ∈ Q0 and qi −−→
i+1 for all 0 i, and
– for all F ∈ F : qi ∈ F for infinitely many i
ω
• Lω (G) = σ ∈ Σ | there exists an accepting run for σ in G
c JPK
37
Example
crit2
true
q1
q0
crit1
true
q2
true
A GNBA for the property ”both processes are infinitely often in their critical section”
F = { { q1 }, { q2 } }
c JPK
38
From GNBA to NBA
For any GNBA G there exists an NBA A with:
Lω (G) = Lω (A) and |A| = O(|G| · |F |)
where F denotes the set of acceptance sets in G
Sketch of transformation GNBA (with |F| = k) into equivalent NBA:
–
–
–
–
c JPK
make k copies of the GNBA
initial states of NBA := the initial states in the first copy
final states of NBA := accept set F1 in the first copy
on visiting in i-th copy a state in Fi, then move to the (i+1)-st copy
39
Example
crit2
crit1
q1 , 1
q0 , 1
true
true
q0 , 2
crit1
c JPK
true
true
crit2
true
q1 , 2
q2 , 1
q2 , 2
true
40
From LTL to GNBA
GNBA Gϕ over 2AP for LTL-formula ϕ with Lω (Gϕ) = Words(ϕ):
• Assume ϕ only contains the operators ∧, ¬, and U
• States are elementary sets of sub-formulas in ϕ
– for σ = A0A1A2 . . . ∈ Words(ϕ), “expand” Ai ⊆ AP with sub-formulas of ϕ
– . . . to obtain σ̄ = B0B1B2 . . . such that
ψ ∈ Bi
if and only if
i
σ = Ai Ai+1 Ai+2 . . . |= ψ
– σ̄ is intended to be a run in GNBA Gϕ for σ
• Transitions are derived from semantics and expansion law for U
• Accept sets guarantee that: σ̄ is an accepting run for σ iff σ |= ϕ
c JPK
41
From LTL to GNBA: the states (example)
• Let ϕ = a U (¬a ∧ b)
and σ = { a } { a, b } { b } . . .
– Bi is a subset of { a, b, ¬a ∧ b, ϕ } ∪ { ¬a, ¬b, ¬(¬a ∧ b), ¬ϕ }
– this set of formulas is also called the closure of ϕ
• Extend A0 = { a } , A1 = { a, b }, A2 = { b }, . . . as follows:
–
–
–
–
–
extend A0 with ¬b, ¬(¬a ∧ b), and ϕ as they hold in σ 0 = σ (and no others)
extend A1 with ¬(¬a ∧ b) and ϕ as they hold in σ 1 (and no others)
extend A2 with ¬a, ¬a ∧ b and ϕ as they hold in σ 2 (and no others)
. . . and so forth
this is not effective and is performed on the automaton (not on words)
• Result:
– σ̄ = { a, ¬b, ¬(¬a ∧ b), ϕ } { a, b, ¬(¬a ∧ b), ϕ } { ¬a, b, ¬a ∧ b, ϕ } . . .
B0
c JPK
B1
B2
42
Closure
For LTL-formula ϕ, the set closure(ϕ)
consists of all sub-formulas ψ of ϕ and their negation ¬ψ
(where ψ and ¬¬ψ are identified)
for ϕ = a U (¬a ∧ b), closure(ϕ) = { a, b, ¬a, ¬b, ¬a ∧ b, ¬(¬a ∧ b), ϕ, ¬ϕ }
can we take Bi as any subset of closure(ϕ)? no! they must be elementary
c JPK
43
Elementary sets of formulae
B ⊆ closure(ϕ) is elementary if:
1. B is logically consistent if for all ϕ1 ∧ ϕ2, ψ ∈ closure(ϕ):
• ϕ1 ∧ ϕ2 ∈ B ⇔ ϕ1 ∈ B and ϕ2 ∈ B
• ψ ∈ B ⇒ ¬ψ ∈ B
• true ∈ closure(ϕ) ⇒ true ∈ B
2. B is locally consistent if for all ϕ1 U ϕ2 ∈ closure(ϕ):
• ϕ2 ∈ B ⇒ ϕ1 U ϕ2 ∈ B
• ϕ1 U ϕ2 ∈ B and ϕ2 ∈ B ⇒ ϕ1 ∈ B
3. B is maximal, i.e., for all ψ ∈ closure(ϕ):
• ψ∈
/B
c JPK
⇒ ¬ψ ∈ B
44
The GNBA of LTL-formula ϕ
For LTL-formula ϕ, let Gϕ = (Q, 2AP, δ, Q0, F) where
• Q = all elementary sets B ⊆ closure(ϕ) , Q0 = { B ∈ Q | ϕ ∈ B }
• F =
B ∈ Q | ϕ1 U ϕ2 ∈ B or ϕ2 ∈ B
| ϕ1 U ϕ2 ∈ closure(ϕ)
• The transition relation δ : Q × 2AP → 2Q is given by:
– If A = B ∩ AP then δ(B, A) = ∅
– δ(B, B ∩ AP) is the set B of all elementary sets of formulas satisfying:
(i) For every ψ ∈ closure(ϕ): ψ ∈ B ⇔ ψ ∈ B , and
(ii) For every ϕ1 U ϕ2 ∈ closure(ϕ):
ϕ1 U ϕ2 ∈ B
c JPK
⇔
ϕ2 ∈ B ∨ (ϕ1 ∈ B ∧ ϕ1 U ϕ2 ∈ B )
46
GNBA for LTL-formula a
a
B1
B2
a
{ a, a }
{ a, ¬ a }
¬a
¬a
a
a
B3
{ ¬a, a }
¬a
B4
{ ¬a, ¬ a }
¬a
Q0 = { B1 , B3 } since a ∈ B1 and a ∈ B3
δ(B2 , { a }) = { B3 , B4 } as B2 ∩ { a } = { a }, ¬ a = ¬a ∈ B2 , and ¬a ∈ B3 , B4
δ(B1 , { a }) = { B1 , B2 } as B1 ∩ { a } = { a }, a ∈ B1 and a ∈ B1 , B2
δ(B4 , { a }) = ∅ since B4 ∩ { a } = ∅ = { a }
The set F is empty, since ϕ = a does not contain an until-operator
c JPK
47
GNBA for LTL-formula a U b
B1
{ a, b, a U b }
B4
{ ¬a, ¬b, ¬(a U b) }
B3
{ a, ¬b, a U b }
B5
{ a, ¬b, ¬(a U b) }
{ ¬a, b, a U b }
B2
justification: on the black board
c JPK
48
NBA are more expressive than LTL
Corollary: every LTL-formula expresses an ω-regular property
But: there exist ω-regular properties that cannot be expressed in LTL
Example: there is no LTL formula ϕ with Words(ϕ) = P for the LT-property:
P =
A0 A1 A2 . . . ∈
{a}
2
ω
| a ∈ A2i for i 0
But there exists an NBA A with Lω (A) = P
⇒ there are ω -regular properties that cannot be expressed in LTL!
c JPK
49
Complexity for LTL to NBA
For any LTL-formula ϕ (over AP) there exists an NBA Aϕ
with Words(ϕ) = Lω (Aϕ ) and
which can be constructed in time and space in 2O(|ϕ|· log |ϕ|)
Justification complexity: next slide
c JPK
50
Time and space complexity
• States GNBA Gϕ are elementary sets of formulae in closure(ϕ)
– sets B can be represented by bit vectors with single bit per subformula ψ of ϕ
• The number of states in Gϕ is bounded by 2|subf(ϕ)|
– where subf(ϕ) denotes the set of all subformulae of ϕ
– |subf(ϕ)| 2·|ϕ|; so, the number of states in Gϕ is bounded by 2O(|ϕ|)
• The number of accepting sets of Gϕ is bounded above by O(|ϕ|)
• The number of states in NBA Aϕ is thus bounded by 2O(|ϕ)| · O(|ϕ|)
• 2O(|ϕ|) · O(|ϕ|) = 2O(|ϕ| log |ϕ|)
c JPK
qed
51
Lower bound
There exists a family of LTL formulas ϕn with |ϕn| = O(poly (n))
such that every NBA Aϕn for ϕn has at least 2n states
c JPK
52
Proof (1)
Let AP be non-empty, that is, |2AP| 2 and:
Ln =
A1 . . . An A1 . . . An σ | Ai ⊆ AP ∧ σ ∈
It follows Ln = Words(ϕn ) where ϕn =
a∈AP 0i<n
AP ω
2
,
for n 0
(i a ←→ n+i a)
ϕn is an LTL formula of polynomial length: |ϕn | ∈ O |AP| · n
However, any NBA A with Lω (A) = Ln has at least 2n states
c JPK
53
Proof (2)
Claim: any NBA A for
(i a ←→ n+i a) has at least 2n states
a∈AP 0i<n
Words of the form A1 . . . An A1 . . . An ∅ ∅ ∅ . . . are accepted by A
A thus has for every word A1 . . . An of length n, a state q(A1 . . . An), say,
which can be reached from an initial state by consuming A1 . . . An
From q(A1 . . . An), it is possible to visit an accept state infinitely often
by accepting the suffix A1 . . . An ∅ ∅ ∅ . . .
If A1 . . . An = A1 . . . An then
A1 . . . An A1 . . . An ∅ ∅ ∅ . . . ∈
/ Ln = Lω (A)
Therefore, the states q(A1 . . . An) are all pairwise different
n
2n states
Given |2AP| possible sequences A1 . . . An, NBA A has 2AP
c JPK
54
Complexity for LTL model checking
|ϕ|
The time and space complexity of LTL model checking is in O |TS|·2
c JPK
55
Theoretical complexity
The LTL model-checking problem is PSPACE-complete
c JPK
56
CTL Model Checking
Part #4 of Logic and Verification
Joost-Pieter Katoen
Software Modeling and Verification Group
RWTH Aachen University
MOVEP 2014, University of Nantes, July 7, 2014
c JPK
Content of this lecture
• Computation tree logic
– syntax, semantics, equational laws
• CTL model checking
– recursive descent, backward reachability, complexity
• Comparing LTL and CTL
– what can be expressed in CTL? what in LTL?, efficiency
• Fairness
– fair CTL semantics, model checking
c JPK
1
Content of this lecture
⇒ Computation tree logic
– syntax, semantics, equational laws
• CTL model checking
– recursive descent, backward reachability, complexity
• Comparing LTL and CTL
– what can be expressed in CTL? what in LTL?, efficiency
• Fairness
– fair CTL semantics, model checking
c JPK
2
Linear and branching temporal logic
• Linear temporal logic:
“statements about (all) paths starting in a state”
– s |= (x 20) iff for all possible paths starting in s always x 20
• Branching temporal logic:
“statements about all or some paths starting in a state”
– s |= ∀(x 20) iff for all paths starting in s always x 20
– s |= ∃(x 20) iff for some path starting in s always x 20
– nesting of path quantifiers is allowed
• Checking ∃ϕ in LTL can be done using ∀¬ϕ
– . . . but this does not work for nested formulas such as ∀∃♦a
c JPK
3
Linear versus branching temporal logic
• Semantics is based on a branching notion of time
– an infinite tree of states obtained by unfolding transition system
– one “time instant” may have several possible successor “time instants”
• Incomparable expressiveness
– there are properties that can be expressed in LTL, but not in CTL
– there are properties that can be expressed in most branching, but not in LTL
• Distinct model-checking algorithms, and their time complexities
• Distinct equivalences (pre-orders) on transition systems
– that correspond to logical equivalence in LTL and branching temporal logics
c JPK
4
Transition systems and trees
(s0 , 0)
s0
(s1 , 1)
s1 { x = 0 }
{x =
0}
s3
{ x = 1 , x = 0 }
c JPK
(s2 , 2)
s2
(s3 , 3)
{x = 0}
(s2 , 4)
(s3 , 2)
(s2 , 3)
(s3 , 3)
(s3 , 4) (s3 , 4) (s2 , 4)
(s3 , 4)
5
“behavior”
in a state s
path-based:
trace(s)
state-based:
computation tree of s
temporal
logic
LTL: path formulas ϕ
s |= ϕ iff
∀π ∈ Paths(s). π |= ϕ
CTL: state formulas
existential path quantification ∃ϕ
universal path quantification: ∀ϕ
complexity of the
model checking
PSPACE–complete
PTIME
problems
implementationrelation
c JPK
O |TS| · 2
|ϕ|
trace inclusion and the like
(proof is PSPACE-complete)
O (|TS| · |Φ|)
simulation and bisimulation
(proof in polynomial time)
6
Computation tree logic
modal logic over infinite trees [Clarke & Emerson 1981]
• Statements over states
–
–
–
–
a ∈ AP
¬ Φ and Φ ∧ Ψ
∃ϕ
∀ϕ
atomic proposition
negation and conjunction
there exists a path fulfilling ϕ
all paths fulfill ϕ
• Statements over paths
– Φ
– ΦUΨ
the next state fulfills Φ
Φ holds until a Ψ-state is reached
⇒ note that and U alternate with ∀ and ∃
c JPK
7
Derived operators
potentially Φ:
∃♦Φ
=
∃(true U Φ)
inevitably Φ:
∀♦Φ
=
∀(true U Φ)
potentially always Φ: ∃Φ
:= ¬∀♦¬Φ
invariantly Φ:
=
¬∃♦¬Φ
∃(Φ W Ψ)
=
∀(Φ W Ψ)
=
¬∀ (Φ ∧ ¬Ψ) U (¬Φ ∧ ¬Ψ)
¬∃ (Φ ∧ ¬Ψ) U (¬Φ ∧ ¬Ψ)
weak until:
∀Φ
the boolean connectives are derived as usual
c JPK
8
Visualization of semantics
∃♦red
∀♦red
c JPK
∃red
∀red
∃(yellow U red)
∀(yellow U red)
9
Semantics of CTL state-formulas
Defined by a relation |= such that
s |= Φ if and only if formula Φ holds in state s
c JPK
s |= a
iff a ∈ L(s)
s |= ¬ Φ
iff ¬ (s |= Φ)
s |= Φ ∧ Ψ
iff (s |= Φ) ∧ (s |= Ψ)
s |= ∃ϕ
iff π |= ϕ for some path π that starts in s
s |= ∀ϕ
iff π |= ϕ for all paths π that start in s
10
Semantics of CTL path-formulas
Define a relation |= such that
π |= ϕ if and only if path π satisfies ϕ
π |= Φ
iff π[1] |= Φ
π |= Φ U Ψ
iff (∃ j 0. π[j] |= Ψ ∧ (∀ 0 k < j. π[k] |= Φ))
where π[i] denotes the state si in the path π
c JPK
11
Transition system semantics
• For CTL-state-formula Φ, the satisfaction set Sat(Φ) is defined by:
Sat(Φ) = { s ∈ S | s |= Φ }
• TS satisfies CTL-formula Φ iff Φ holds in all its initial states:
TS |= Φ
if and only if
∀s0 ∈ I. s0 |= Φ
• Point of attention: TS |= Φ and TS |= ¬Φ is possible!
– because of several initial states, e.g. s0 |= ∃Φ and s0 |= ∃Φ
c JPK
12
CTL equivalence
CTL-formulas Φ and Ψ (over AP) are equivalent, denoted Φ ≡ Ψ
if and only if Sat(Φ) = Sat(Ψ) for all transition systems TS over AP
Φ ≡Ψ
c JPK
iff
(TS |= Φ
if and only if
TS |= Ψ)
13
Expansion laws
Recall in LTL: ϕ U ψ ≡ ψ ∨ (ϕ ∧ (ϕ U ψ))
In CTL:
∀(Φ U Ψ) ≡ Ψ ∨ (Φ ∧ ∀ ∀(Φ U Ψ))
∀♦Φ ≡ Φ ∨ ∀ ∀♦Φ
∀Φ ≡ Φ ∧ ∀ ∀Φ
∃(Φ U Ψ) ≡ Ψ ∨ (Φ ∧ ∃ ∃(Φ U Ψ))
∃♦Φ ≡ Φ ∨ ∃ ∃♦Φ
∃Φ ≡ Φ ∧ ∃ ∃Φ
c JPK
14
Content of this lecture
• Computation tree logic
– syntax, semantics, equational laws
⇒ CTL model checking
– recursive descent, backward reachability, complexity
• Comparing LTL and CTL
– what can be expressed in CTL? what in LTL?, efficiency
• Fairness
– fair CTL semantics, model checking
c JPK
16
Existential normal form (ENF)
The set of CTL formulas in existential normal form (ENF) is given by:
Φ ::= true a Φ1 ∧ Φ2 ¬Φ ∃Φ ∃(Φ1 U Φ2) ∃Φ
For each CTL formula, there exists an equivalent CTL formula in ENF
c JPK
17
Model checking CTL
• Convert the formula Φ into an equivalent Φ in ENF
• How to check whether TS satisfies Φ?
– compute recursively the set Sat(Φ) of states that satisfy Φ
– check whether all initial states belong to Sat(Φ)
• Recursive bottom-up computation:
–
–
–
–
–
c JPK
consider the parse-tree of Φ
start to compute Sat(a), for all leafs in the tree
then go one level up in the tree and check the formula of these nodes
then go one level up and check the formula of these nodes
and so on....... until the root of the tree (i.e., Φ) is checked
18
Example
∧
Sat(Φ)
∃ U Sat(Ψ)
Sat(Ψ) ∃
∃ Sat(Ψ)
b
a
¬
c
Φ = ∃a
∧ ∃(b U ∃¬c)
Ψ
Ψ .
Ψ
c JPK
19
Characterization of Sat (1)
For all CT L formulas Φ, Ψ over AP it holds:
Sat(true) = S
Sat(a) = { s ∈ S | a ∈ L(s) }, for any a ∈ AP
Sat(Φ ∧ Ψ) = Sat(Φ) ∩ Sat(Ψ)
Sat(¬Φ) = S \ Sat(Φ)
Sat(∃Φ) = { s ∈ S | Post(s) ∩ Sat(Φ) = ∅ }
where TS = (S, Act, →, I, AP, L) is a transition system without terminal states
c JPK
20
Characterization of Sat (2)
For all CT L formulas Φ, Ψ over AP it holds:
• Sat(∃(Φ U Ψ)) is the smallest subset T of S, such that:
(1) Sat(Ψ) ⊆ T and
(2) s ∈ Sat(Φ) and Post(s) ∩ T = ∅ implies s ∈ T
• Sat(∃Φ) is the largest subset T of S, such that:
(3) T ⊆ Sat(Φ) and
(4) s ∈ T implies Post(s) ∩ T = ∅
where TS = (S, Act, →, I, AP, L) is a transition system without terminal states
c JPK
21
Computation of Sat
switch(Φ):
a
...
∃Ψ
:
:
:
return { s ∈ S | a ∈ L(s) };
......
return { s ∈ S | Post(s) ∩ Sat(Ψ) = ∅ };
∃(Φ1 U Φ2 )
:
T := Sat(Φ2 ); (* compute the smallest fixed point *)
while Sat(Φ1 ) \ T ∩ Pre(T ) = ∅ do
let s ∈ Sat(Φ1 ) \ T ∩ Pre(T );
T := T ∪ { s };
od;
return T ;
∃Ψ
:
T := Sat(Ψ);
(* compute the greatest fixed point *)
while ∃s ∈ T. Post(s) ∩ T = ∅ do
let s ∈ { s ∈ T | Post(s) ∩ T = ∅ };
T := T \ { s };
od;
return T ;
end switch
c JPK
22
Computing Sat(∃(Φ U Ψ))
Input: finite transition system TS with state-set S and CTL-formula ∃(Φ U Ψ)
Output: Sat(∃(Φ U Ψ))
E := Sat(Ψ);
(* E administers the states s with s |= ∃(Φ U Ψ) *)
T := E ;
(* T contains the already visited states s with s |= ∃(Φ U Ψ) *)
while E = ∅ do
let s ∈ E ;
E := E \ { s };
for all s ∈ Pre(s ) do
if s ∈ Sat(Φ) \ T then E := E ∪ { s }; T := T ∪ { s }; fi
od
od
return T
c JPK
24
Example
∅
{r}
{ p, q, r }
{p}
{q}
{ q, r }
{ p, r }
{ p, q }
let’s check the CTL-formula ∃♦((p = r) ∧ (p = q))
c JPK
25
The computation in snapshots
{r}
{ p, q, r }
∅
{p}
{ p, r }
{q}
{ q, r }
c JPK
{ p, q }
(a)
(b)
(c)
(d)
26
Computing Sat(∃Φ)
(* E contains any not visited s with s | = ∃Φ *)
E := S \ Sat(Φ);
T := Sat(Φ);
(* T contains any s for which s |= ∃Φ has not yet been disproven *)
for all s ∈ Sat(Φ) do c[s] := | Post(s) |; od
while E = ∅ do
let s ∈ E ;
E := E \ { s };
for all s ∈ Pre(s ) do
if s ∈ T then
c[s] := c[s] − 1;
if c[s] = 0 then
T := T \ { s }; E := E ∪ { s };
fi
fi
od
od
return T
c JPK
(* initialize array c *)
(* loop invariant: c[s] = | Post(s) ∩ (T ∪ E) | *)
(* s |= Φ *)
(* s has been considered *)
(* update counter c[s] for predecessor s of s *)
(* s does not have any successor in T *)
27
Alternative algorithm
1. Consider only state s if s |= Φ, otherwise eliminate s
• change TS into TS[Φ] = (S , Act, → , I , AP, L) with S = Sat(Φ),
• → = → ∩ (S × Act × S ), I = I ∩ S , and L (s) = L(s) for s ∈ S ⇒ all removed states will not satisfy ∃Φ, and thus can be safely removed
2. Determine all non-trivial strongly connected components in TS[Φ]
• non-trivial SCC = maximal, connected subgraph with at least one transition
⇒ any state in such SCC satisfies ∃Φ
3. s |= ∃Φ is equivalent to “some SCC is reachable from s”
• this search can be done in a backward manner
c JPK
28
Example
{r}
{ p, q, r }
∅
{p}
{ p, r }
{q}
{ q, r }
{ p, q }
(a)
(c) SCC
c JPK
(b) K[q ]
(d)
29
Time complexity
For transition system TS with N states and K transitions,
and CTL formula Φ, the CTL model-checking problem TS |= Φ
can be determined in time O(| Φ |·(N + M ))
this applies to both algorithm for existential until-formulas
c JPK
30
Content of this lecture
• Computation tree logic
– syntax, semantics, equational laws
• CTL model checking
– recursive descent, backward reachability, complexity
⇒ Comparing LTL and CTL
– what can be expressed in CTL?, what in LTL?, efficiency
• Fairness
– fair CTL semantics, model checking
c JPK
31
Equivalence of LTL and CTL formulas
• CTL-formula Φ and LTL-formula ϕ (both over AP) are equivalent,
denoted Φ ≡ ϕ, if for any transition system TS over AP:
TS |= Φ
if and only if
TS |= ϕ
• Let Φ be a CTL-formula, and ϕ the LTL-formula that is obtained by
eliminating all path quantifiers in Φ. Then:
Φ ≡ ϕ or there does not exist any LTL-formula that is equivalent to Φ
c JPK
32
LTL and CTL are incomparable
• Some LTL-formulas cannot be expressed in CTL, e.g.,
– ♦a
– ♦(a ∧ a)
• Some CTL-formulas cannot be expressed in LTL, e.g.,
– ∀♦∀a
– ∀♦(a ∧ ∀a)
– ∀∃♦a
⇒ Cannot be expressed = there does not exist an equivalent formula
c JPK
33
Comparing LTL and CTL (1)
♦(a ∧ a) is not equivalent to ∀♦(a ∧ ∀a)
∅
s3
s2
s1
s0
∅
{a}
{a}
s4
{a}
c JPK
34
Comparing LTL and CTL (1)
♦(a ∧ a) is not equivalent to ∀♦(a ∧ ∀a)
∅
s3
s2
s1
s0
∅
{a}
{a}
s4
{a}
s0 |= ♦(a ∧ a)
but
s0 |= ∀♦(a ∧ ∀a)
since path s0 s1 (s2)ω violates ♦(a ∧ ∀a)
c JPK
35
Comparing LTL and CTL (2)
∀♦∀a is not equivalent to ♦a
s0
c JPK
s1
s2
36
Comparing LTL and CTL (2)
∀♦∀a is not equivalent to ♦a
s0
s0 |= ♦a
s2
s1
but
s0 |= ∀♦∀a
since path sω
0 violates ♦∀a
c JPK
37
Comparing LTL and CTL (3)
• No LTL-formula ϕ is equivalent to ∀∃♦a
• This is shown by contradiction: assume ϕ ≡ ∀∃♦a; let:
s
TS
∅
s
s
{a}
TS
∅
• TS |= ∀∃♦a, and thus—by assumption—TS |= ϕ
• Paths(TS) ⊆ Paths(TS), thus TS |= ϕ
• But TS |= ∀∃♦a as path sω |= ∃♦a
c JPK
38
Model-checking LTL versus CTL
• Let TS be a transition system with N states and M transitions
• Model-checking LTL-formula Φ has time-complexity O((N +M )·2| Φ |)
– linear in the state space of the system model
– exponential in the length of the formula
• Model-checking CTL-formula Φ has time-complexity O((N +M )·| Φ |)
– linear in the state space of the system model and the formula
• Is model-checking CTL more efficient?
c JPK
No!
39
Model-checking LTL versus CTL
⇒ LTL-formulae can be exponentially shorter than their equivalent in CTL
{ p0 } v1
{ p2 }
{ p1 }
{q}
v4 { p3 }
v3
v2
w
4
• Existence of Hamiltonian path in LTL: ¬ (♦p0 ∧ . . . ∧ ♦p3) ∧ q
• In CTL, all possible (= 4!) routes need to be encoded
c JPK
40
Content of this lecture
• Computation tree logic
– syntax, semantics, equational laws
• CTL model checking
– recursive descent, backward reachability, complexity
• Comparing LTL and CTL
– what can be expressed in CTL?, what in LTL?, efficiency
⇒ Fairness
– fair CTL semantics, model checking
c JPK
41
Fairness constraints in CTL
• For LTL it holds: TS |=fair ϕ
if and only if
TS |= (fair → ϕ)
• An analogous approach for CTL is not possible!
• Formulas form ∀(fair → ϕ) and ∃(fair ∧ ϕ) needed
• But: boolean combinations of path formulae are not allowed in CTL
• and: e.g., strong fairness constraints ♦b → ♦c ≡ ♦¬b ∨ ♦c
– cannot be expressed in CTL since persistence properties cannot
• Solution: change the semantics of CTL by ignoring unfair paths
c JPK
42
CTL fairness constraints
• A strong CTL fairness constraint is a formula of the form:
sfair =
(♦Φi → ♦Ψi)
0<ik
– where Φi and Ψi (for 0 < i k) are CTL-formulas over AP
– weak and unconditional CTL fairness constraints are defined analogously, e.g.
ufair =
♦Ψi and wfair =
(♦Φi → ♦Ψi)
0<ik
0<ik
– a CTL fairness assumption fair is a combination of ufair , sfair and wfair
⇒ a CTL fairness constraint is an LTL formula over CTL state formulas!
– note that s |= Φi and s |= Ψi refer to standard (unfair!) CTL semantics
c JPK
43
Semantics of fair CTL
For CTL fairness assumption fair , relation |=fair is defined by:
s |=fair a
iff a ∈ Label(s)
s |=fair ¬ Φ
iff
s |=fair Φ ∨ Ψ
iff (s |=fair Φ) ∨ (s |=fair Ψ)
s |=fair ∃ϕ
iff π |=fair ϕ for some fair path π that starts in s
s |=fair ∀ϕ
iff π |=fair ϕ for all fair paths π that start in s
¬ (s |=fair Φ)
π |=fair Φ
iff π[1] |=fair Φ
π |=fair Φ U Ψ
iff (∃ j 0. π[j] |=fair Ψ ∧ (∀ 0 k < j. π[k] |=fair Φ))
π is a fair path iff π |=LT L fair for CTL fairness assumption fair
c JPK
44
Transition system semantics
• For CTL-state-formula Φ, and fairness assumption fair:
Satfair (Φ) = { s ∈ S | s |=fair Φ }
• TS satisfies CTL-formula Φ iff Φ holds in all its initial states:
TS |=fair Φ
if and only if
∀s0 ∈ I. s0 |=fair Φ
– this is equivalent to I ⊆ Satfair (Φ)
c JPK
45
Randomized arbiter
noncrit1
noncrit2
unlock
req1
rel
req2
wait1
rel
rel
tail
head
enter1
crit1
wait2
enter2
enter1
lock
enter2
crit2
TS1 Arbiter TS2 |= (∀∀♦ crit1) ∧ (∀∀♦ crit2)
But: TS1 Arbiter TS2 |=fair ∀∀♦crit1 ∧ ∀∀♦crit2 with
fair = ♦head ∧ ♦tail
c JPK
46
Fair CTL model-checking problem
For:
• finite transition system TS without terminal states
• CTL formula Φ in ENF, and
• CTL fairness assumption fair
establish whether or not:
TS |=fair Φ
use bottom-up procedure à la CTL to determine Satfair (Φ)
using as much as possible standard CTL model-checking algorithms
c JPK
47
CTL fairness constraints
• A strong CTL fairness constraint: sfair =
0<ik
(♦Φi → ♦Ψi)
– where Φi and Ψi (for 0 < i k) are CTL-formulas over AP
• Replace the CTL state-formulas in sfair by fresh atomic propositions:
sfair :=
(♦ai → ♦bi)
0<ik
– where ai ∈ L(s) if and only if s ∈ Sat(Φi )
– . . . bi ∈ L(s) if and only if s ∈ Sat(Ψi )
– (for unconditional and weak fairness this goes similarly)
(not Satfair (Φi )!)
(not Satfair (Ψi )!)
• Note: π |= fair iff π[j..] |= fair for some j 0 iff π[j..] |= fair for all j 0
c JPK
48
Results for |=fair (1)
s |=fair ∃a if and only if ∃s ∈ Post(s) with s |= a and FairPaths(s) = ∅
s |=fair ∃(a U a) if and only if there exists a finite path fragment
s0 s1 s2 . . . sn−1sn ∈ Pathsfin (s)
with n 0
such that si |= a for 0 i < n, sn |= a, and FairPaths(sn) = ∅
c JPK
49
Results for |=fair (2)
s |=fair ∃a if and only if ∃s ∈ Post(s) with s |= a and FairPaths(s) = ∅
s |=fair ∃true
s |=fair ∃(a U a) if and only if there exists a finite path fragment
s0 s1 s2 . . . sn−1sn ∈ Pathsfin (s)
with n 0
such that si |= a for 0 i < n, sn |= a, and FairPaths(sn) = ∅
sn |=fair ∃true
c JPK
50
Basic algorithm
• Determine Satfair (∃true) = { s ∈ S | FairPaths(s) = ∅ }
• Introduce an atomic proposition afair and adjust labeling where:
– afair ∈ L(s)
if and only if s ∈ Satfair (∃true)
• Compute the sets Satfair (Ψ) for all subformulas Ψ of Φ (in ENF) by:
Satfair (a)
Satfair (¬a)
Satfair (a ∧ a )
Satfair (∃a)
Satfair (∃(a U a ))
Satfair (∃a)
=
=
=
=
=
=
{ s ∈ S | a ∈ L(s) }
S \ Satfair (a)
Satfair (a) ∩ Satfair (a )
Sat (∃(a
∧ afair )) Sat ∃(a U (a ∧ afair ))
......
• Thus: model checking CTL under fairness constraints is
– CTL model checking + algorithm for computing Satfair (∃a)!
c JPK
51
Model checking CTL with fairness
The model-checking problem for CTL with fairness can be reduced to:
(1) the model-checking problem for CTL (without fairness), and
(2) the problem of computing Satfair (∃a) for a ∈ AP
note that ∃true is a special case of ∃a
thus a single algorithm suffices for Satfair (∃a) and Satfair (∃true)
c JPK
52
Core model-checking algorithm
(* states are assumed to be labeled with ai and bi *)
compute Satfair (∃true) = { s ∈ S | FairPaths(s) = ∅ }
forall s ∈ Satfair (∃true) do L(s) := L(s) ∪ { afair } od
(* compute Satfair (Φ) *)
for all 0 < i | Φ | do
for all Ψ ∈ Sub(Φ) with | Ψ | = i do
switch(Ψ):
true
:
Satfair (Ψ) := S ;
a
:
Satfair (Ψ) := { s ∈ S | a ∈ L(s) };
a ∧ a
:
Satfair (Ψ) := { s ∈ S | a, a ∈ L(s) };
¬a
:
Satfair (Ψ) := { s ∈ S | a ∈ L(s) };
∃a
:
Satfair (Ψ) := Sat(∃(a ∧ afair ));
∃(a U a )
:
Satfair (Ψ) := Sat(∃(a U (a ∧ afair )));
∃a
:
compute Satfair (∃a)
end switch
replace all occurrences of Ψ (in Φ) by the fresh atomic proposition aΨ
forall s ∈ Satfair (Ψ) do L(s) := L(s) ∪ { aΨ } od
od
od
return I ⊆ Satfair (Φ)
c JPK
53
Characterization of Satfair (∃a)
s |=sfair ∃a where sfair =
(♦ai → ♦bi)
0<ik
iff there exists a finite path fragment s0 . . . sn and a cycle s0 . . . sr with:
1. s0 = s and sn = s0 = sr
2. si |= a, for any 0 i n, and sj |= a, for any 0 j r, and
3. Sat(ai) ∩ { s1, . . . , sr } = ∅ or Sat(bi) ∩ { s1, . . . , sr } = ∅ for 0 < i k
c JPK
54
Computing Satfair (∃a)
• Consider only state s if s |= a, otherwise eliminate s
– change TS into TS[a] = (S , Act, → , I , AP, L) with S = Sat(a),
– → = → ∩ (S × Act × S ), I = I ∩ S , and L (s) = L(s) for s ∈ S ⇒ each infinite path fragment in TS[a] satisfies a
• s |=fair ∃a iff there is a non-trivial SCC D in TS[a] reachable from s:
D ∩ Sat(ai ) = ∅
or
D ∩ Sat(bi ) = ∅ for 0 < i k
(*)
• Satsfair (∃a) = { s ∈ S | ReachTS[a](s) ∩ T = ∅ }
– T is the union of all non-trivial SCCs C that contain D satisfying (*)
how to compute the set T of SCCs?
c JPK
55
Time complexity
For transition system TS with N states and M transitions,
CTL formula Φ, and CTL fairness constraint fair with k conjuncts,
the CTL model-checking problem TS |=fair Φ
can be determined in time O(| Φ |·(N + M )·k)
c JPK
59

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz