Fixed Points

Context

We have defined the semantics of CTL formulas, M,s ⊨ f.
We want an efficient method returning all states s such that M,s ⊨ f,
for any finite-state transition system M and CTL formula f.
Next we present an algorithm for this and prove its correctness.
The algorithm SAT

SAT stands for 'satisfies'.
Input: a well-formed CTL formula f
Output: the set of states of a fixed transition system M = <S, →, l> that satisfy f

Written in Pascal-like pseudocode, using
function ... return, local_var, repeat ... until, case ... is ... end_case
The main function

function SAT(f)
begin
  case f is
    ⊤ : return S
    ⊥ : return ∅
    atomic : return { s ∈ S | f ∈ l(s) }
    ¬f1 : return S - SAT(f1)
    f1 ∧ f2 : return SAT(f1) ∩ SAT(f2)
    f1 ∨ f2 : return SAT(f1) ∪ SAT(f2)
    f1 → f2 : return SAT(¬f1 ∨ f2)
    AXf1 : return SAT(¬EX¬f1)
    EXf1 : return SAT_EX(f1)
    A[f1 U f2] : return SAT(¬(E[¬f2 U (¬f1 ∧ ¬f2)] ∨ EG¬f2))
    E[f1 U f2] : return SAT_EU(f1, f2)
    EFf1 : return SAT(E[⊤ U f1])
    AFf1 : return SAT_AF(f1)
    EGf1 : return SAT(¬AF¬f1)   /* equivalently: SAT_EG(f1) */
    AGf1 : return SAT(¬EF¬f1)
  end_case
end
The function SAT_EX

function SAT_EX(f)
local_var X, Y
begin
  X := SAT(f)
  Y := { s ∈ S | ∃ s → s' : s' ∈ X }
  return Y
end

The function SAT_AF

function SAT_AF(f)
local_var X, Y
begin
  X := S
  Y := SAT(f)
  repeat
    X := Y
    Y := Y ∪ { s ∈ S | ∀ s → s' : s' ∈ Y }
  until X = Y
  return Y
end
The function SAT_EU

function SAT_EU(f, g)
local_var W, X, Y
begin
  W := SAT(f)
  X := S
  Y := SAT(g)
  repeat
    X := Y
    Y := Y ∪ (W ∩ { s ∈ S | ∃ s → s' : s' ∈ Y })
  until X = Y
  return Y
end
The function SAT_EG

function SAT_EG(f)
local_var X, Y
begin
  X := ∅
  Y := SAT(f)
  repeat
    X := Y
    Y := Y ∩ { s ∈ S | ∃ s → s' : s' ∈ Y }
  until X = Y
  return Y
end
Does it work?

Claim: For a given model M = <S, →, l> and well-formed CTL formula f, the function SAT(f) returns the set
[[f]] = { s ∈ S | M,s ⊨ f }
Is this true?
The proof (I)

The claim is proved by induction on the structure of the formula f.
For f = ⊤, ⊥, or p the set [[f]] is computed directly.
For f = ¬f1, f1 ∧ f2, f1 ∨ f2 or f1 → f2 we apply induction and predicate logic equivalences.
Example:
SAT(f1 ∧ f2) = SAT(f1) ∩ SAT(f2)     (def. SAT)
             = [[f1]] ∩ [[f2]]         (induction)
             = [[f1 ∧ f2]]             (def. [[-]])
The proof (II)

For f = EXf1 we apply induction:
SAT(EXf1) = SAT_EX(f1)                                  (def. SAT)
          = { s ∈ S | ∃ s → s' : s' ∈ SAT(f1) }         (def. SAT_EX)
          = { s ∈ S | ∃ s → s' : s' ∈ [[f1]] }          (induction)
          = { s ∈ S | ∃ s → s' : M,s' ⊨ f1 }            (def. [[-]])
          = { s ∈ S | M,s ⊨ EXf1 }                      (definition of ⊨)
          = [[EXf1]]                                    (def. [[-]])
The proof (III)

For f = AXf1, A[f1 U f2], EFf1, or AGf1 (and EGf1, when computed as ¬AF¬f1) we rely on logical equivalences and on the correctness of SAT_EX, SAT_AF, SAT_EU, and SAT_EG.
Example:
SAT(AXf1) = SAT(¬EX¬f1)         (def. SAT)
          = S - SAT_EX(¬f1)      (def. SAT)
          = S - [[EX¬f1]]        (correctness of SAT_EX, induction)
          = [[AXf1]]             (logical equivalence AXf1 ≡ ¬EX¬f1)
But we still have to prove the correctness of SAT_AF, SAT_EU, and SAT_EG.
EG equivalence

Recall that M,s ⊨ EGf iff there exists an execution s = s0 → s1 → s2 → s3 → … such that M,si ⊨ f for all i ≥ 0.
Thus
EGf ≡ f ∧ EX EGf
Since
[[EXφ]] = { s ∈ S | ∃ s → s' : s' ∈ [[φ]] }
we obtain
[[EGf]] = [[f]] ∩ { s ∈ S | ∃ s → s' : s' ∈ [[EGf]] }
This equation is recursive in [[EGf]]: how do we compute it?
Fixed points

Let S be a set and F : Pow(S) → Pow(S) be a function.
F is monotone if X ⊆ Y implies F(X) ⊆ F(Y) for all subsets X and Y of S.
A subset X of S is a fixed point of F if F(X) = X.
A subset X of S is a least fixed point of F if F(X) = X and X ⊆ Y for all fixed points Y of F.
Dually, X is a greatest fixed point of F if F(X) = X and Y ⊆ X for all fixed points Y of F.
Examples

S = {s,t} and F : X ↦ X ∪ {s}
F is monotone.
{s} and {s,t} are all the fixed points of F.
{s} is the least fixed point of F.

S = {s,t} and G : X ↦ if X = {s} then {t} else {s}
G is not monotone: {s} ⊆ {s,t} but G({s}) = {t} ⊄ {s} = G({s,t}).
G does not have any fixed point.
Fixed points (II)

Let F^i(X) = F(F(…F(X)…)) be F applied i times, with i > 0 (thus F^1(X) = F(X)).

Theorem: Let S be a set with n+1 elements. If F : Pow(S) → Pow(S) is a monotone function then
1) F^{n+1}(∅) is the least fixed point of F
2) F^{n+1}(S) is the greatest fixed point of F

Least and greatest fixed points can therefore be computed by iteration, and the computation is guaranteed to terminate!
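To see the theorem at work, here is a small added Python example (not part of the slides) that computes F^{n+1}(∅) and F^{n+1}(S) by plain iteration, checks monotonicity by brute force over Pow(S), and enumerates all fixed points, using the two functions F and G on S = {s,t} from the examples above. The helper names (subsets, is_monotone, power, fixed_points, lfp, gfp, orbit) are this example's own.

```python
from itertools import combinations

# Constructed example from the slides: S = {s, t} and two functions on Pow(S).
S = frozenset({"s", "t"})


def F(X):
    """F : X ↦ X ∪ {s}  (monotone)."""
    return frozenset(X) | {"s"}


def G(X):
    """G : X ↦ {t} if X = {s}, else {s}  (not monotone)."""
    return frozenset({"t"}) if frozenset(X) == {"s"} else frozenset({"s"})


def subsets(S):
    """Pow(S): every subset of S as a frozenset."""
    elems = sorted(S)
    return [frozenset(c) for k in range(len(elems) + 1) for c in combinations(elems, k)]


def is_monotone(F, S):
    """Brute-force check of  X ⊆ Y  ⟹  F(X) ⊆ F(Y)  over all pairs of subsets."""
    P = subsets(S)
    return all(F(X) <= F(Y) for X in P for Y in P if X <= Y)


def power(F, X, i):
    """F^i(X): apply F exactly i times."""
    for _ in range(i):
        X = F(X)
    return X


def fixed_points(F, S):
    """All X ⊆ S with F(X) = X."""
    return {X for X in subsets(S) if F(X) == X}


def lfp(F, S):
    """F^{n+1}(∅) where |S| = n+1: the least fixed point if F is monotone."""
    return power(F, frozenset(), len(S))


def gfp(F, S):
    """F^{n+1}(S) where |S| = n+1: the greatest fixed point if F is monotone."""
    return power(F, frozenset(S), len(S))


def orbit(F, X, steps):
    """X, F(X), F^2(X), ...: exhibits the cycle a non-monotone F can fall into."""
    seq = [frozenset(X)]
    for _ in range(steps):
        seq.append(F(seq[-1]))
    return seq


if __name__ == "__main__":
    for name, fn in (("F", F), ("G", G)):
        print(name, "monotone:", is_monotone(fn, S),
              "fixed points:", [sorted(X) for X in fixed_points(fn, S)])
    print("lfp(F) =", sorted(lfp(F, S)), " gfp(F) =", sorted(gfp(F, S)))
    print("orbit of G from ∅:", [sorted(X) for X in orbit(G, frozenset(), 3)])
```

The last assertion below is the point of the monotonicity hypothesis: for G, iterating from ∅ just alternates between {s} and {t}, so F^{n+1}(∅) is not a fixed point at all.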
Computing EGf

[[EGf]] = [[f]] ∩ { s ∈ S | ∃ s → s' : s' ∈ [[EGf]] }
Consider [[EGf]] as a fixed point of the function
F(X) = [[f]] ∩ { s ∈ S | ∃ s → s' : s' ∈ X }

Theorem: Let n = |S| be the size of S and F be defined as above. We have
1) F is monotone
2) [[EGf]] is the greatest fixed point of F
3) [[EGf]] = F^{n+1}(S)
Correctness of SAT_EG

Inside the loop it always holds Y ⊆ SAT(f).
Because Y ⊆ SAT(f), we may substitute in SAT_EG
  Y := Y ∩ { s ∈ S | ∃ s → s' : s' ∈ Y }
with
  Y := SAT(f) ∩ { s ∈ S | ∃ s → s' : s' ∈ Y }
(the two agree because the values of Y are the decreasing iterates F^i(S), so F(Y) ⊆ Y).
Note that SAT_EG(f) is thus calculating the greatest fixed point (use induction!) of
F(X) = [[f]] ∩ { s ∈ S | ∃ s → s' : s' ∈ X }
It follows from the previous theorem that SAT_EG(f) terminates and computes [[EGf]].
Caveat: the initial value Y := SAT(f) equals F(S) only if every state has a successor; as in the worked examples below, the transition relation is assumed to be total.
Example: EG

[Figure: a transition system with states s0, s1, s2, s3, s4; the edges are shown only in the figure. From the labelling, q holds in s0 and s4, and p holds in s3.]

Let us compute [[EGq]]. It is the greatest fixed point of
F(X) = [[q]] ∩ { s ∈ S | ∃ s → s' : s' ∈ X }
     = {s0,s4} ∩ { s ∈ S | ∃ s → s' : s' ∈ X }

Iterating F on S until it stabilises:
F^1(S) = {s0,s4} ∩ { s ∈ S | ∃ s → s' : s' ∈ S }
       = {s0,s4} ∩ S
       = {s0,s4}
F^2(S) = F(F^1(S)) = F({s0,s4})
       = {s0,s4} ∩ { s ∈ S | ∃ s → s' : s' ∈ {s0,s4} }
       = {s0,s4}
Thus {s0,s4} is the greatest fixed point of F and equals [[EGq]].
EU equivalence

From the definition of the semantics of EU we can derive the equivalence
E[f U g] ≡ g ∨ (f ∧ EX E[f U g])
Since
[[EXφ]] = { s ∈ S | ∃ s → s' : s' ∈ [[φ]] }
we obtain
[[E[f U g]]] = [[g]] ∪ ([[f]] ∩ { s ∈ S | ∃ s → s' : s' ∈ [[E[f U g]]] })
Again the equation is recursive: how do we compute [[E[f U g]]]?
Computing E[f U ]
As before, consider [[E[f U ]]] as a fixed
point of the function
G(X) = [[]]  ([[f]]  { s  S | s  s’ : s’  X})

Theorem: Let n = |S| be the size of S and G
defined as above. We have
1) G is monotone
2) [[E[f U ]]] is the least fixed point of G
3) [[E[f U ]]] = Gn+1()
Correctness of SAT_EU

Inside the loop it always holds W = SAT(f) and Y ⊇ SAT(g).
So we may substitute in SAT_EU
  Y := Y ∪ (W ∩ { s ∈ S | ∃ s → s' : s' ∈ Y })
with
  Y := SAT(g) ∪ (SAT(f) ∩ { s ∈ S | ∃ s → s' : s' ∈ Y })
(the two agree because the values of Y are the increasing iterates G^i(∅), so Y ⊆ G(Y)).
Note that SAT_EU(f, g) is thus calculating the least fixed point of
G(X) = [[g]] ∪ ([[f]] ∩ { s ∈ S | ∃ s → s' : s' ∈ X })
It follows from the previous theorem that SAT_EU(f, g) terminates and computes [[E[f U g]]].
Example: EU

[Figure: the same transition system with states s0, s1, s2, s3, s4; q holds in s0 and s4, p holds in s3.]

Let us compute [[EFp]] = [[E[⊤ U p]]]. It is the least fixed point of
G(X) = [[p]] ∪ ([[⊤]] ∩ { s ∈ S | ∃ s → s' : s' ∈ X })
     = {s3} ∪ (S ∩ { s ∈ S | ∃ s → s' : s' ∈ X })
     = {s3} ∪ { s ∈ S | ∃ s → s' : s' ∈ X }

Iterating G on ∅ until it stabilises we have
G^1(∅) = {s3} ∪ { s ∈ S | ∃ s → s' : s' ∈ ∅ }
       = {s3} ∪ ∅ = {s3}
G^2(∅) = G(G^1(∅)) = G({s3})
       = {s3} ∪ { s ∈ S | ∃ s → s' : s' ∈ {s3} }
       = {s1,s3}
G^3(∅) = G(G^2(∅)) = G({s1,s3})
       = {s3} ∪ { s ∈ S | ∃ s → s' : s' ∈ {s1,s3} }
       = {s0,s1,s2,s3}
G^4(∅) = G(G^3(∅)) = G({s0,s1,s2,s3})
       = {s3} ∪ { s ∈ S | ∃ s → s' : s' ∈ {s0,s1,s2,s3} }
       = {s0,s1,s2,s3}

Thus [[EFp]] = [[E[⊤ U p]]] = {s0,s1,s2,s3}.
AF equivalence

From the definition of the semantics of AF we can derive the equivalence
AFf ≡ f ∨ AX AFf
Since
[[AXφ]] = { s ∈ S | ∀ s → s' : s' ∈ [[φ]] }
we obtain
[[AFf]] = [[f]] ∪ { s ∈ S | ∀ s → s' : s' ∈ [[AFf]] }
Once more the equation is recursive: how do we compute [[AFf]]?
Computing AFf

Again, consider [[AFf]] as a fixed point of the function
H(X) = [[f]] ∪ { s ∈ S | ∀ s → s' : s' ∈ X }

Theorem: Let n = |S| be the size of S and H be defined as above. We have
1) H is monotone
2) [[AFf]] is the least fixed point of H
3) [[AFf]] = H^{n+1}(∅)
Correctness of SAT_AF

Inside the loop it always holds Y ⊇ SAT(f).
So we may substitute in SAT_AF
  Y := Y ∪ { s ∈ S | ∀ s → s' : s' ∈ Y }
with
  Y := SAT(f) ∪ { s ∈ S | ∀ s → s' : s' ∈ Y }
(the two agree because the values of Y are the increasing iterates H^i(∅), so Y ⊆ H(Y)).
Note that SAT_AF(f) is thus calculating the least fixed point of
H(X) = [[f]] ∪ { s ∈ S | ∀ s → s' : s' ∈ X }
It follows from the previous theorem that SAT_AF(f) terminates and computes [[AFf]].
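The following added Python example (not code from the slides) implements the SAT algorithm of these slides, including SAT_EX, SAT_EU, SAT_AF and SAT_EG as fixed-point iterations, and replays the worked EG and EU examples above by listing the successive approximations F^i(S) and G^i(∅). The model is constructed for the example: its labels follow the worked examples ([[p]] = {s3}, [[q]] = {s0,s4}), but the edges are an assumption chosen so that the iterations come out as printed on the slides. Formulas are plain nested tuples; the function names sat, pre_E, pre_A, approximations, F_EG, G_EU and H_AF are this example's own.

```python
# Constructed model (assumption, not the figure on the slides): five states,
# a total transition relation, p only in s3, q only in s0 and s4.
S = frozenset({"s0", "s1", "s2", "s3", "s4"})
R = {"s0": {"s1", "s4"}, "s1": {"s3"}, "s2": {"s1"}, "s3": {"s2"}, "s4": {"s4"}}
L = {"s0": {"q"}, "s1": set(), "s2": set(), "s3": {"p"}, "s4": {"q"}}

# The slides rely on every state having a successor; without it pre_A(X)
# would contain dead-end states for every X, including X = ∅.
assert all(R[s] for s in S), "transition relation must be total"


def pre_E(X):
    """{ s ∈ S | ∃ s → s' : s' ∈ X }"""
    return frozenset(s for s in S if R[s] & X)


def pre_A(X):
    """{ s ∈ S | ∀ s → s' : s' ∈ X }"""
    return frozenset(s for s in S if R[s] <= X)


def approximations(step, start):
    """start, step(start), step^2(start), ... up to and including the first value
    that repeats its predecessor (the fixed point, listed twice as on the slides).
    Terminates for every monotone step on a finite S."""
    seq = [start]
    while len(seq) < 2 or seq[-1] != seq[-2]:
        seq.append(step(seq[-1]))
    return seq


# The three operators on Pow(S) whose fixed points the slides characterise.
def F_EG(f):          # F(X) = [[f]] ∩ pre_E(X)            gfp = [[EG f]]
    Sf = sat(f)
    return lambda X: Sf & pre_E(X)


def G_EU(f, g):       # G(X) = [[g]] ∪ ([[f]] ∩ pre_E(X))  lfp = [[E[f U g]]]
    W, Sg = sat(f), sat(g)
    return lambda X: Sg | (W & pre_E(X))


def H_AF(f):          # H(X) = [[f]] ∪ pre_A(X)            lfp = [[AF f]]
    Sf = sat(f)
    return lambda X: Sf | pre_A(X)


# SAT_EG / SAT_EU / SAT_AF as iteration from S (greatest) or ∅ (least).  The
# slides start one step later, from SAT(f), which is F(S) resp. G(∅), H(∅)
# when the relation is total.
def sat_eg(f):
    return approximations(F_EG(f), S)[-1]


def sat_eu(f, g):
    return approximations(G_EU(f, g), frozenset())[-1]


def sat_af(f):
    return approximations(H_AF(f), frozenset())[-1]


# Formulas: ("p",) atomic, ("T",), ("F",), ("not", f), ("and", f, g), ("or", f, g),
# ("imp", f, g), ("EX", f), ("AX", f), ("EF", f), ("AF", f), ("EG", f), ("AG", f),
# ("EU", f, g), ("AU", f, g).
def sat(f):
    """[[f]] = { s ∈ S | M,s ⊨ f }, by structural recursion as in SAT(f)."""
    op = f[0]
    if op == "T":   return S
    if op == "F":   return frozenset()
    if op == "not": return S - sat(f[1])
    if op == "and": return sat(f[1]) & sat(f[2])
    if op == "or":  return sat(f[1]) | sat(f[2])
    if op == "imp": return sat(("or", ("not", f[1]), f[2]))
    if op == "EX":  return pre_E(sat(f[1]))
    if op == "AX":  return sat(("not", ("EX", ("not", f[1]))))
    if op == "EU":  return sat_eu(f[1], f[2])
    if op == "AU":  # A[f1 U f2] = ¬( E[¬f2 U (¬f1 ∧ ¬f2)] ∨ EG¬f2 )
        f1, f2 = f[1], f[2]
        return sat(("not", ("or",
                            ("EU", ("not", f2), ("and", ("not", f1), ("not", f2))),
                            ("EG", ("not", f2)))))
    if op == "EF":  return sat(("EU", ("T",), f[1]))
    if op == "AF":  return sat_af(f[1])
    if op == "EG":  return sat_eg(f[1])
    if op == "AG":  return sat(("not", ("EF", ("not", f[1]))))
    return frozenset(s for s in S if op in L[s])      # atomic proposition


if __name__ == "__main__":
    for name, phi in [("EG q", ("EG", ("q",))), ("EF p", ("EF", ("p",))),
                      ("AF p", ("AF", ("p",))), ("A[q U p]", ("AU", ("q",), ("p",)))]:
        print(name, "=", sorted(sat(phi)))
    for i, X in enumerate(approximations(G_EU(("T",), ("p",)), frozenset())[1:], 1):
        print(f"G^{i}(∅) = {sorted(X)}")   # the slides' EU iteration
```

On this model AFp = {s1,s2,s3} while EFp = {s0,s1,s2,s3}: s0 can reach p via s1 but can also loop forever in s4, which is exactly the difference between the least fixed points of H (all successors) and G (some successor).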