CTL Model Checking
Prof. P.H. Schmitt
Institut für Theoretische Informatik
Fakultät für Informatik
Universität Karlsruhe (TH)
Formal Systems II
Prof. P.H. Schmitt
CTLMC
Summer 2009
1 / 26
Fixed Point Theory
Prof. P.H. Schmitt
CTLMC
Summer 2009
2 / 26
Fixed Points Definition
Definition
Let f : P(G) → P(G) be a set valued function and Z a subset of G.
1. Z is called a fixed point of f if f (Z) = Z .
2. Z is called the least fixed point of f is Z is a fixed point and for all
other fixed points U of f the relation Z ⊆ U is true.
3. Z is called the greatest fixed point of f is Z is a fixed point and for
all other fixed points U of f the relation U ⊆ Z is true.
Prof. P.H. Schmitt
CTLMC
Summer 2009
3 / 26
Finite Fixed Point Lemma
Let G be an arbitrary set, Let P(G) denote the power set of a set G.
A function f : P(G) → P(G) is called monotone of for all X, Y ⊆ G
X ⊆ Y ⇒ f (X) ⊆ f (Y )
Let f : P(G) → P(G) be a monotone function on a finite set G.
1. There is a least and a greatest fixed point of f .
S
2. n≥1 f n (∅) is the least fixed point of f .
T
3. n≥1 f n (G) is the greatest fixed point of f .
Prof. P.H. Schmitt
CTLMC
Summer 2009
4 / 26
Proof
of part (2) of the finite fixed point Lemma
Monotonicity of f yields
∅ ⊆ f (∅) ⊆ f 2 (∅) ⊆ . . . ⊆ f n (∅) ⊆ . . .
Since G is S
finite there must be an i such that f i (∅) = f i+1 (∅).
Then Z = n≥1 f n (∅) = f i (∅) is a fixed point of f :
f (Z) = f (f i (∅)) = f i+1 (∅) = f i (∅) = Z
Let U be another fixed point of f .
From ∅ ⊆ U be infer by monotonicity of f at first f (∅) ⊆ f (U ) = U .
By induction on n we conclude f n (∅) ⊆ U for all n.
Thus also Z = f i (∅) ⊆ U .
Prof. P.H. Schmitt
CTLMC
Summer 2009
5 / 26
Continuous Functions
Definition
A function f : P(G) → P(G) is called
1. ∪-continuous (upward continuous), if for every ascending sequence
M 1 ⊆ M 2 ⊆ . . . ⊆ Mn ⊆ . . .
[
[
f(
Mn ) =
f (Mn )
n≥1
n≥1
2. ∩-continuous (downward continuous) , if for every descending
sequence M1 ⊇ M2 ⊇ . . . ⊇ Mn ⊇ . . .
\
\
f(
Mn ) =
f (Mn )
n≥1
Prof. P.H. Schmitt
n≥1
CTLMC
Summer 2009
6 / 26
Fixed Points For Continuous Functions
Let
f : P(G) → P(G) be an upward continuous functions and
g : P(G) → P(G) a downward continuous function.
The for all M, N ∈ P(G) such that M ⊆ f (M ) and g(N ) ⊆ N the
following is true.
S
1. n≥1 f n (M ) is the least fixed point of f containing M ,
T
2. n≥1 g n (M ) is the greatest fixed point of g contained in M .
Prof. P.H. Schmitt
CTLMC
Summer 2009
7 / 26
Proof of (1)
By monotonicity we first obtain
M ⊆ f (M ) ⊆ f 2 (M ) ⊆ . . . ⊆ f n (M ) ⊆ . . .
Let P =
S
f (P ) =
=
=
=
n≥1 f
n (M ).
This immediately gives M ⊆ P . Furthermore
S
f ( n≥1 f n (M ))
S
f n+1 (M )
by continuity
Sn≥1 n
since f (M ) ⊆ f 2 (M )
n≥1 f (M )
P
Assume now that Q is another fixed point of f satisfying M ⊆ Q.
By Monotonicity and the fixed point property f (M ) ⊆ f (Q) = Q and
furthermore for every S
n ≥ 1 also f n (M ) ⊆ Q.
Thus we obtain P = n≥1 f n (M ) ⊆ Q
Prof. P.H. Schmitt
CTLMC
Summer 2009
8 / 26
Knaster-Tarski-Fixed-Points Theorem
Let f : P(G) → P(G) be a monotone function. Then
f has a least and a greatest fixed point.
Note, G need not be finite.
Prof. P.H. Schmitt
CTLMC
Summer 2009
9 / 26
Proof
Fixed Point
Let L = {S
T ⊆ G | f (S) ⊆ S}, e.g., G ∈ L.
Let U = L. Show f (U ) = U !
For all S ∈ L by the property of an intersection: U ⊆ S.
By monotonicity
T and definition of L f (U ) ⊆ f (S) ⊆ S.
Thus f (U ) ⊆ L = U and we have already established half of our claim.
By monotonicity f (U ) ⊆ U implies f (f (U )) ⊆ f (U )
which yields f (U ) ∈ L and futhermore U ⊆ f (U ).
We thus have indeed U = f (U ).
Prof. P.H. Schmitt
CTLMC
Summer 2009
10 / 26
Proof
Least Fixed Point
Now assume W is another fixed point of f ,i.e., f (W ) = W .
This T
yields W ∈ L= {S ⊆ G | f (S) ⊆ S} and
U = L ⊆ W.
Thus U is the least fixed point of f .
Following
the same line of argument one can show that
S
{S ⊆ G | S ⊆ f (S)} is the greatest fixed point of f .
Prof. P.H. Schmitt
CTLMC
Summer 2009
11 / 26
CTL Model Checking
Algorithm
Prof. P.H. Schmitt
CTLMC
Summer 2009
12 / 26
Two Auxiliary Concepts
Let T = (S, R, v) be a transition system and F an CTL formula.
The set
τ (F ) = {s ∈ S | s |= F }
is called the characteristic region of F in T .
The universal and existential next step functions
fAX , fEX : P(S) → P(S) are defined by
fAX (Z) = {s ∈ S | for all t with sRt we get t ∈ Z}
fEX (Z) = {s ∈ S | there exists a t with sRt and t ∈ Z}
Prof. P.H. Schmitt
CTLMC
Summer 2009
13 / 26
CTL Model Checking Algorithm
Let T = (S, R, v) be a transition system and F an CTL formula. τ (F ) is
computed by the following high-level recursive algorithm:
1
2
3
4
5
6
7
8
9
10
τ (p)
τ (F1 ∧ F2 )
τ (F1 ∨ F2 )
τ (¬F1 )
τ (A(F1 U F2 ))
τ (E(F1 U F2 ))
τ (AFF1 )
τ (EFF1 )
τ (EGF1 )
τ (AGF1 )
Prof. P.H. Schmitt
=
=
=
=
=
=
=
=
=
=
{s ∈ S | v(s, p) = 1}
τ (F1 ) ∩ τ )F2 )
τ (F1 ) ∪ τ (F2 )
S \ τ (F1 )
lfp[τ (F2 ) ∪ (τ (F1 ) ∩ fAX (Z))]
lfp[τ (F2 ) ∪ (τ (F1 ) ∩ fEX (Z)]
lfp[τ (F1 ) ∪ fAX (Z)]
lfp[τ (F1 ) ∪ fEX (Z)]
gfp[τ (F1 ) ∩ fEX (Z)]
gfp[τ (F1 ) ∩ fAX (Z)]
CTLMC
Summer 2009
14 / 26
Correctness Proof
Case 10 AG F1
By definition
τ (AG F1 ) = {s ∈ S | s ∈ τ (F1 ) and h ∈ τ (AG F1 ) for all h with gRh}
Using Definition of the universal next step function:
τ (AG F1 ) = τ (F1 ) ∩ fAX (τ (AG F1 ))
So, τ (AG F1 ) is a fixed point of the function τ (F1 ) ∩ fAX (Z).
It remains to see that it is the greatest fixed point.
Prof. P.H. Schmitt
CTLMC
Summer 2009
15 / 26
Correctness Proof
Case 10 AG F1 (continued)
Let H be another fixed point, i.e., H = τ (F1 ) ∩ fAX (H).
We need to show H ⊆ τ (AG F1 )).
Consider g0 ∈ H with the aim of showing that for all n ≥ 0 and all gi
satisfying gi−1 Rgi for all 1 ≤ i ≤ n we obtain gn ∈ τ (F1 ).
Observe
H = τ (F1 ) ∩ fAX (H) ⊆ τ (F1 ).
Thus it suffices to show for all n ≥ 0 that gn ∈ H.
For n = 0 that is true by assumptions.
Assume gn−1 ∈ H.
gn−1 ∈ H ⊆ fAX (H) = {g | for all h with gRh we have h ∈ H}.
Thus gn ∈ H.
Prof. P.H. Schmitt
CTLMC
Summer 2009
16 / 26
Correctness Proof
Case 6 E(F1 U F2 )
By definition
τ (E(F1 U F2 )) = {g ∈ S | s |= F2 or s |= F1 and
there exists h with gRh and h |= F2 }
Using next step function:
τ (E(F1 U F2 )) = τ (F2 ) ∪ (τ (F1 ) ∩ fEX (τ (E(F1 U F2 )))
Thus τ (E(F1 U F2 )) is a fixed point of the function
τ (F2 ) ∪ (τ (F1 ) ∩ fEX (Z)).
It remains to show that it is the least fixed point.
Prof. P.H. Schmitt
CTLMC
Summer 2009
17 / 26
Correctness Proof
Case 6 E(F1 U F2 ) (continued)
Consider H ⊆ S with H = τ (F2 ) ∪ (τ (F1 ) ∩ fEX (H)).
We need τ (E(F1 U F2 )) ⊆ H.
Fix g0 ∈ τ (E(F1 U F2 )), try to arrive at g0 ∈ H.
There is an n ∈ N and there are gi for 1 ≤ i ≤ n satisfying
1. gi Rgi+1 for all 0 ≤ i < n.
2. gn ∈ τ (F2 ).
3. gi ∈ τ (F1 ) for all 0 ≤ i < n.
We set out to prove gn ∈ H by induction on n.
n = 0 Since H = τ (F2 ) ∪ (τ (F1 ) ∩ fEX (H)) ⊇ τ (F2 ) and
g0 = gn ∈ τ (F2 ).
n − 1 Ã n By induction hypothesis we have g1 ∈ H
Since g0 ∈ τ (F1 ) and g0 Rg1 we obtain g0 ∈ (τ (F1 ) ∩ fEX (H)) ⊆ H
and thus also g0 ∈ H.
Prof. P.H. Schmitt
CTLMC
Summer 2009
18 / 26
CTL Model Checking
Example
Prof. P.H. Schmitt
CTLMC
Summer 2009
19 / 26
Transition System
s0
n1 n2
s1 t1 n2
s2 c1 n2
s4 c1 t2
Prof. P.H. Schmitt
n1 t2 s5
s3
s8
t1 t2
t1 t2
n1 c2 s6
s7 t1 c2
CTLMC
Summer 2009
20 / 26
The Task
s0
n1 n2
s1 t1 n2
s2 c1 n2
n1 t2 s5
s3
s8
t1 t2
t1 t2
s4 c1 t2
n1 c2 s6
s7 t1 c2
N1
N2
T1
T2
C1
C2
0
1
1
0
0
0
0
1
0
1
1
0
0
0
2
0
1
0
0
1
0
3
0
0
1
1
0
0
4
0
0
0
1
1
0
5
1
0
0
1
0
0
6
1
0
0
0
0
1
7
0
0
1
0
0
1
8
0
0
1
1
0
0
Check if the following the formula is true in state 1.
F = T1 → AFC1 ≡ ¬T1 ∨ AFC1
Prof. P.H. Schmitt
CTLMC
Summer 2009
21 / 26
The Set-up
Goal
1 |= T1 → AFC1
i.e. 1 |= ¬T1 ∨ AFC1
We will present the computations starting with the innermost subformulas
first, i.e., in the order
τ (T1 ), τ (C1 ), τ (¬T1 ), τ (AFC1 ), and τ (F ).
This will make it much easier to follow the algorithm, since when a
recursice call is started, we know already its result.
In the end we check 1 ∈ τ (F ).
Prof. P.H. Schmitt
CTLMC
Summer 2009
22 / 26
The First Steps
τ (T1 ) = {1, 3, 7}
(1)
τ (C1 ) = {2, 4}
(2)
τ (¬T1 ) = {0, 2, 4, 5, 6}
(3)
From which we get easily
Prof. P.H. Schmitt
CTLMC
Summer 2009
23 / 26
Fixed Point Computation
The next step is to compute τ (AFC1 )
according to the algorithm this amounts to the computation of the least
fixed point of f (Z) = τ (C1 ) ∪ fAX (Z) = fAX (Z) ∪ {2, 4}.
We thus compute f (∅), f 2 (∅), . . . f n (∅) till we reach a stationary value,
i.e. f n (∅) = f n+1 (∅).
f 1 (∅)
f 2 (∅)
f 3 (∅)
f 4 (∅)
f 5 (∅)
f 6 (∅)
=
=
=
=
=
=
{2, 4}
{2, 3, 4}
{1, 2, 3, 4}
{1, 2, 3, 4, 7}
{1, 2, 3, 4, 7, 8}
{1, 2, 3, 4, 7, 8}
Thus
τ (AFC1 ) = {1, 2, 3, 4, 7, 8}
Prof. P.H. Schmitt
CTLMC
(4)
Summer 2009
24 / 26
End of the Computation
τ (F ) = τ (¬T1 ) ∪ τ (AFC1 ) = {0, 1, 2, 3, 4, 5, 6, 7, 8} = S
(5)
Since 1 ∈ τ (F ) we conclude
s1 |= F
Prof. P.H. Schmitt
CTLMC
(6)
Summer 2009
25 / 26
THE
END
Prof. P.H. Schmitt
CTLMC
Summer 2009
26 / 26