
Temporal Model Checking

Thomas Wahl

Computing Laboratory, Oxford University

18 Feb, 2009, Thomas Wahl, Oxford University

Outline

Temporal Logics

LTL Model Checking

CTL Model Checking

Temporal Logics: Purpose

Temporal logic: a decidable logic for reasoning about program behavior along infinite timelines. Typical questions:

Is statement x executed infinitely often?

Is every request followed by a grant eventually?

Is there an execution along which always x ≥ 0?

Temporal Logics: Ingredients

All temporal logics have temporal operators, which quantify over states along a program execution path:

“in all future states”, “in some future state”, “in the next state”

Some also have branching operators, which quantify over execution paths of a program:

“for all executions”, “for some execution”

Temporal Logics: Representatives

LTL: only temporal operators; cannot distinguish different program executions.
CTL: temporal + branching operators; can explicitly specify behavior along different paths.
CTL*: strictly more expressive than LTL ∪ CTL.
µ-calculus: strictly more expressive than CTL*.

[LTL: Pnueli ’77, CTL: Emerson/Clarke ’82]

Temporal Logics: Which One to Use?

Infinite debate about which logic is “best”. . .

Criteria: ease of use, expressiveness, efficiency.

Allen Emerson: “Modalities for Model Checking: Branching Time Logic Strikes Back.” (1987)
Moshe Vardi: “Branching vs. Linear Time: Final Showdown.” (2001)


Linear Temporal Logic (LTL): Syntax

LTL formulas are built out of:

• atomic propositions: p, q, r
• Boolean operators: ∧, ¬, ...
• temporal operators:
  X p: “next time p”
  F q: “eventually q”
  G r: “always r”
  p U q: “p until q”

Again: these apply to a fixed execution path.

Linear Temporal Logic: Semantics

LTL formulas are evaluated over an infinite path $\pi = \pi_0 \pi_1 \pi_2 \ldots$. The suffix of $\pi$ starting at the $i$-th state is written $\pi^i$.

Validity is defined as follows:

$$\begin{aligned}
\pi \models p &\iff p \in L(\pi_0) \\
\pi \models \neg f &\iff \pi \not\models f \\
\pi \models g \wedge h &\iff \pi \models g \text{ and } \pi \models h \\
\pi \models X\,f &\iff \pi^1 \models f \\
\pi \models G\,f &\iff \forall i : \pi^i \models f \\
\pi \models F\,f &\iff \exists i : \pi^i \models f \\
\pi \models g\,U\,h &\iff \exists i : \big(\pi^i \models h \text{ and } \forall j < i : \pi^j \models g\big)
\end{aligned}$$
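The clauses above can be executed directly on an ultimately periodic path, which is the only kind of path a finite Kripke structure produces (and the shape of every counterexample a model checker reports). The following is an added example, not code from the lecture notes; the tuple encoding of formulas, the `Lasso` class and the sample paths are all constructed for the demonstration. The one idea beyond the slide is the finite horizon: on a lasso with prefix length n and loop length l, position i ≥ n is equivalent to n + (i − n) mod l, so ∀i / ∃i only need to range over n + l consecutive suffixes.

```python
"""LTL semantics over an ultimately periodic path (constructed example).

Formulas are nested tuples:
  "p" | ("not", f) | ("and", f, g) | ("or", f, g)
  | ("X", f) | ("F", f) | ("G", f) | ("U", g, h)
"""
from typing import FrozenSet, List, Union

Label = FrozenSet[str]
Formula = Union[str, tuple]


class Lasso:
    """π = prefix · loop^ω, given as lists of state labels L(π_i)."""

    def __init__(self, prefix: List[Label], loop: List[Label]):
        assert loop, "the loop must be non-empty: LTL paths are infinite"
        self.prefix, self.loop = prefix, loop
        self.n, self.l = len(prefix), len(loop)

    def label(self, i: int) -> Label:
        """L(π_i), folding positions past the prefix back into the loop."""
        return self.prefix[i] if i < self.n else self.loop[(i - self.n) % self.l]


def holds(pi: Lasso, f: Formula, i: int = 0) -> bool:
    """π^i |= f, clause by clause as in the semantics above.

    From position i, the suffixes π^i ... π^(i+n+l-1) contain a representative
    of every distinct suffix π^j with j >= i, so the quantifiers range over
    exactly those positions (no memoisation: exponential in formula depth).
    """
    if isinstance(f, str):
        return f in pi.label(i)
    op, *args = f
    horizon = range(i, i + pi.n + pi.l)
    if op == "not":
        return not holds(pi, args[0], i)
    if op == "and":
        return holds(pi, args[0], i) and holds(pi, args[1], i)
    if op == "or":
        return holds(pi, args[0], i) or holds(pi, args[1], i)
    if op == "X":
        return holds(pi, args[0], i + 1)
    if op == "F":
        return any(holds(pi, args[0], j) for j in horizon)
    if op == "G":
        return all(holds(pi, args[0], j) for j in horizon)
    if op == "U":
        g, h = args
        return any(holds(pi, h, j) and all(holds(pi, g, k) for k in range(i, j))
                   for j in horizon)
    raise ValueError(f"unknown operator {op!r}")


# Two of the questions from the "Purpose" slide, as formulas.
ACK_INF_OFTEN: Formula = ("G", ("F", "ack"))                           # ack occurs infinitely often
REQ_THEN_ACK: Formula = ("G", ("or", ("not", "req"), ("F", "ack")))    # every request is eventually granted

# Constructed paths.  GOOD: the request at π_1 is acknowledged at π_2 and the
# loop keeps acknowledging.  BAD: after π_1 the path shows req for ever.
GOOD = Lasso([frozenset(), frozenset({"req"})], [frozenset({"ack"}), frozenset()])
BAD = Lasso([frozenset(), frozenset({"req"})], [frozenset({"req"})])

if __name__ == "__main__":
    for name, path in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "G(req -> F ack):", holds(path, REQ_THEN_ACK),
              " GF ack:", holds(path, ACK_INF_OFTEN))
```

Note that `holds(pi, ("U", "req", "ack"), 1)` is true on `GOOD` while `holds(pi, ("U", "req", "ack"))` (position 0, where req does not yet hold) is false: U demands g at every position strictly before the one where h holds, including the starting position.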

LTL Model Checking

Given Kripke structure M := (S, R, L, s0) and LTL formula f : do all paths π through M satisfy f ?

$$M \models f \;:\iff\; \forall \pi : \big(\pi_0 = s_0 \wedge \pi \text{ is a path in } M\big) \Rightarrow \pi \models f$$

Approach:
• represent M and f in the same data structure
• the data structure should be efficiently manipulable

Solution: finite-state automata

Finite-State Automata (FSA)

. . . quite similar to a transition system like a Kripke structure:

A = (Σ, Q, δ, Q0, F) .

• Σ: finite alphabet; Q: finite state set
• Transition relation: δ ⊆ Q × Σ × Q
• Q0 ⊆ Q: initial states; F ⊆ Q: accepting states

Automaton A accepts certain “words”, which form its language L(A).

Kripke Structure and FSA

Goal: given structure M, define automaton $A_M$ such that

$$L(A_M) = \{\pi : \pi \text{ is a path in } M\}.$$

Pretty straightforward.

Technicality:
• FSAs have edge labels (“inputs”),
• M has state labels (atomic propositions).
But that can be fixed . . .

Kripke Structure and FSA (cont.)

[Figure: Kripke structure M with states s0 ({p, q}), s1 ({p}), s2 ({q}), and the automaton MA obtained by moving each state label onto the edges entering that state; initial state marked i.]

Every state of MA is accepting.

LTL Formula and FSA

Goal: given LTL formula f, define automaton $A_f$ such that

$$L(A_f) = \{\pi : \pi \models f\}.$$

Achieve this using Büchi acceptance condition:

An infinite path is accepted by an FSA if some accepting state is visited infinitely often.

In a finite automaton this means: the path eventually enters a cycle that contains an accepting state and stays in it.

LTL Formula and FSA (cont.)

[Figure: two Büchi automata over subsets of {p, q}, with edge labels drawn from ∗ (any letter), ∅, {p}, {q}, {p, q}; accepting states marked by double circles.]

(These FSAs represent which LTL formulas?)

“Tableau Construction” [GPVW 1985-95]

LTL Model Checking (cont.)

Finally: LTL model checking, by language containment:

$$M \models f \iff L(A_M) \subseteq L(A_f) \iff L(A_M) \cap \overline{L(A_f)} = \emptyset \iff L(A_M) \cap L(A_{\neg f}) = \emptyset \iff L(A_M \cap A_{\neg f}) = \emptyset.$$

Terminology in the model checker SPIN: the automaton for ¬f is a “never claim”.

Our algorithm looks for violations of f .

LTL Model Checking (cont.)

We had: $M \models f \iff L(A_M \cap A_{\neg f}) = \emptyset$.

Intersection of two FSAs: by lock-step execution (standard product constructions). Because every state of $A_M$ is accepting, the plain synchronous product suffices here, with acceptance taken from $A_{\neg f}$.

Emptiness of an FSA A with Büchi acceptance condition: $L(A) \neq \emptyset$ iff there is a reachable cycle in A that contains an accepting state.

LTL Model Checking (cont.)

Final remarks.

Counterexamples: if $L(A_M \cap A_{\neg f}) \neq \emptyset$, then $M \not\models f$. The path to and through the accepting cycle is a counterexample.

Complexity: $O(|M| \cdot 2^{|f|})$. Exponential complexity in |f| is not as big a problem in practice as it may seem: usually $|f| \ll |M|$.
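The whole pipeline, product construction plus accepting-cycle search plus counterexample extraction, in working code. This is an added example, not code from the lecture notes or from SPIN: the Kripke structure, the hand-written never claim for ¬f with f = G(req → F ack), and the cycle search (the nested depth-first search of Courcoubetis, Vardi, Wolper and Yannakakis, which is also what SPIN uses) are all constructed here. State labels of M are read by the automaton's edge guards, which is the label-moving trick from the previous slides; the tableau construction that would produce the never claim automatically is not implemented.

```python
"""LTL model checking by language emptiness, explicit-state (constructed example).

M ∩ A_{¬f} is explored lazily by a nested DFS; a non-empty product language
comes back as a lasso-shaped counterexample, None means M |= f.
"""
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

State, BState = str, str
Label = FrozenSet[str]
Guard = Callable[[Label], bool]
Kripke = Tuple[Dict[State, List[State]], Dict[State, Label], State]           # (R, L, s0)
Buchi = Tuple[Dict[BState, List[Tuple[Guard, BState]]], BState, Set[BState]]  # (delta, q0, F)
Lasso = Tuple[List[State], List[State]]   # (prefix ending at the seed, cycle back to it)

# Constructed M = (S, R, L, s0): on the run s0 s1 s3 s3 ... a request is never acknowledged.
M_BAD: Kripke = (
    {"s0": ["s1"], "s1": ["s2", "s3"], "s2": ["s0"], "s3": ["s3"]},
    {"s0": frozenset(), "s1": frozenset({"req"}), "s2": frozenset({"ack"}), "s3": frozenset({"req"})},
    "s0",
)
# Same structure with s3 repaired, so that every request is eventually acknowledged.
M_GOOD: Kripke = ({**M_BAD[0], "s3": ["s2"]}, M_BAD[1], "s0")

# Never claim for ¬f = F(req ∧ G ¬ack): guess the offending request, then check
# that ack never follows.  Guards read the label of the M-state being entered;
# q1 is the only accepting state.
NEVER_CLAIM: Buchi = (
    {"q0": [(lambda lab: True, "q0"), (lambda lab: "req" in lab and "ack" not in lab, "q1")],
     "q1": [(lambda lab: "ack" not in lab, "q1")]},
    "q0",
    {"q1"},
)


def product_successors(m: Kripke, a: Buchi, s: State, q: BState) -> List[Tuple[State, BState]]:
    """One lock-step move of M ∩ A: M steps to s', A takes an edge whose guard accepts L(s')."""
    R, L, _ = m
    delta = a[0]
    return [(s2, q2) for s2 in R[s] for guard, q2 in delta[q] if guard(L[s2])]


def model_check(m: Kripke, a: Buchi) -> Optional[Lasso]:
    """Nested DFS: the outer DFS explores the product; when it backtracks from an
    accepting product state, an inner DFS looks for a path back to that state.
    Returns a counterexample lasso over M-states, or None if L(M ∩ A) = ∅."""
    _, L, s0 = m
    delta, q0, accepting = a
    outer_seen: Set[Tuple[State, BState]] = set()
    inner_seen: Set[Tuple[State, BState]] = set()
    path: List[Tuple[State, BState]] = []   # current outer DFS stack

    def inner(seed, v):
        for w in product_successors(m, a, *v):
            if w == seed:
                return [w]
            if w not in inner_seen:
                inner_seen.add(w)
                cyc = inner(seed, w)
                if cyc is not None:
                    return [w] + cyc
        return None

    def outer(v):
        outer_seen.add(v)
        path.append(v)
        for w in product_successors(m, a, *v):
            if w not in outer_seen:
                found = outer(w)
                if found is not None:
                    return found
        if v[1] in accepting:              # post-order: start the inner search here
            inner_seen.add(v)
            cyc = inner(v, v)
            if cyc is not None:
                return ([p[0] for p in path], [c[0] for c in cyc])
        path.pop()
        return None

    # Initial product states: A reads L(s0) before M makes its first move.
    for q1 in [q2 for guard, q2 in delta[q0] if guard(L[s0])]:
        if (s0, q1) not in outer_seen:
            found = outer((s0, q1))
            if found is not None:
                return found
    return None


def is_lasso_in(m: Kripke, lasso: Lasso) -> bool:
    """Counterexample sanity check: starts at s0, follows R, and the cycle closes."""
    R, _, s0 = m
    prefix, cycle = lasso
    walk = prefix + cycle
    return (prefix[0] == s0 and cycle[-1] == prefix[-1]
            and all(b in R[x] for x, b in zip(walk, walk[1:])))


if __name__ == "__main__":
    print("M_BAD :", model_check(M_BAD, NEVER_CLAIM))    # a lasso: M_BAD does not satisfy f
    print("M_GOOD:", model_check(M_GOOD, NEVER_CLAIM))   # None: M_GOOD satisfies f
```

The inner search is launched only when the outer DFS backtracks from an accepting state, and the inner-visited set is shared across all inner searches; both are what make the nested DFS linear in the size of the product rather than quadratic. The product is never materialised, which is the "on the fly" aspect that lets SPIN stop at the first counterexample without building all of $A_M \cap A_{\neg f}$.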


Computation Tree Logic (CTL): Syntax

CTL combines branching operators
  A: “for all executions” (“futures”, “paths”)
  E: “for some execution”
and temporal operators X, F, G, U, but only in specific ways: each temporal operator is immediately preceded by exactly one branching operator:

  AX p, AF p, AG p, A(p U q), EX p, EF p, EG p, E(p U q)

and these may be nested arbitrarily:

  AG EF reset
  E(req U ack)
  EX AX false

Not allowed: AE p (makes no sense), A FG p (allowed in CTL*, not in CTL).

CTL: Intuitive Semantics

[Figure: four computation trees rooted at s0 illustrating AX p (“p imminent”: p holds in every successor of s0), EF p (“p reachable”: some path from s0 reaches a p-state), AF p (“p inevitable”: every path from s0 reaches a p-state), AG p (“p invariant”: p holds on every state of every path).]

CTL Model Checking

Input: M := (S, R, L, s0) and CTL formula f

Goal: determine whether M, s0 |= f .

We will do this by

1. computing $S_f = \{s \in S : M, s \models f\}$, and then

2. checking whether $s_0 \in S_f$ (possibly on the fly).


The Tarski-Knaster Theorem

View CTL formula as set of states satisfying it. Then observe:

$$EG\,p \;=\; p \wedge EX\,p \wedge EX\,EX\,p \wedge \ldots \;=\; p \wedge EX\big(p \wedge EX(p \wedge \ldots)\big) \;=\; p \wedge EX(EG\,p).$$


EG p is a fixpoint of the operator τ(Z) = p ∧ EX Z:
• in fact the greatest fixpoint of τ,
• computable by a series of overapproximations:

$$Z_0 = S \;\supseteq\; Z_1 = p \wedge EX\,Z_0 \;\supseteq\; Z_2 = p \wedge EX\,Z_1 \;\supseteq\; \ldots \;=\; \nu Z.\, p \wedge EX\,Z$$

Computing Fixpoints

Least fixpoint µZ.τ(Z):

  Z := ∅
  repeat
    Z̃ := Z
    Z := τ(Z)
  until Z = Z̃
  return Z

Greatest fixpoint νZ.τ(Z):

  Z := S
  repeat
    Z̃ := Z
    Z := τ(Z)
  until Z = Z̃
  return Z

Only difference: the initial value of Z.

Fixpoint Characterization of CTL

$$\begin{aligned}
EF\,h &= \mu Z.\,(h \vee EX\,Z) & AF\,h &= \mu Z.\,(h \vee AX\,Z) \\
EG\,h &= \nu Z.\,(h \wedge EX\,Z) & AG\,h &= \nu Z.\,(h \wedge AX\,Z) \\
E(g\,U\,h) &= \mu Z.\,(h \vee (g \wedge EX\,Z)) & A(g\,U\,h) &= \mu Z.\,(h \vee (g \wedge AX\,Z))
\end{aligned}$$

• F, U: least fixpoint µ, uses “∨”. Liveness properties.
• G: greatest fixpoint ν, uses “∧”. Safety properties.

CTL Model Checking: Complexity

Example AG EF p: “It is always possible to reach a p-state.”

$$AG\,EF\,p \;=\; AG(EF\,p) \;=\; \nu Z.\,(\mu Y.\, p \vee EX\,Y) \wedge AX\,Z.$$

Procedure:

1. $Y_0 := \mu Y.\, p \vee EX\,Y$  (O(|M|))

2. $Z_0 := \nu Z.\, Y_0 \wedge AX\,Z$  (O(|M|))

3. return $Z_0$

⇒ cost ≈ 2 × |M|.
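The fixpoint routines, the six characterizations and the AG EF p procedure, run on a concrete structure. This is an added example, not code from the lecture notes: sets of states are Python `frozenset`s, EX is computed as the explicit pre-image under R, and AX as ¬EX¬ (which assumes R is total, the usual convention for Kripke structures). The two Kripke structures and the formula encoding as nested tuples are constructed for the demonstration; `check` also reports how many rounds each fixpoint took, which is the quantity the O(|M|)-per-fixpoint bound talks about.

```python
"""Explicit-state CTL model checking by fixpoint iteration (constructed example).

Formulas: "p" | ("not", f) | ("and", f, g) | ("or", f, g)
          | ("EX"|"AX"|"EF"|"AF"|"EG"|"AG", f) | ("EU"|"AU", g, h)
"""
from typing import Callable, Dict, FrozenSet, List, Tuple, Union

State = str
States = FrozenSet[State]
Formula = Union[str, tuple]
Kripke = Tuple[Dict[State, List[State]], Dict[State, FrozenSet[str]], State]   # (R, L, s0)

# Constructed M: from s2 a run can fall into the sink s3, where p never holds.
M_BAD: Kripke = (
    {"s0": ["s1"], "s1": ["s2"], "s2": ["s0", "s3"], "s3": ["s3"]},
    {"s0": frozenset(), "s1": frozenset({"p"}), "s2": frozenset(), "s3": frozenset()},
    "s0",
)
# Same graph, but the sink satisfies p, so a p-state stays reachable everywhere.
M_GOOD: Kripke = (M_BAD[0], {**M_BAD[1], "s3": frozenset({"p"})}, "s0")


def ex(m: Kripke, z: States) -> States:
    """EX Z: states with some successor in Z (the pre-image of Z under R)."""
    R = m[0]
    return frozenset(s for s, succ in R.items() if any(t in z for t in succ))


def ax(m: Kripke, z: States) -> States:
    """AX Z = ¬EX ¬Z.  Assumes R is total (every state has a successor)."""
    all_states = frozenset(m[0])
    return all_states - ex(m, all_states - z)


def fixpoint(tau: Callable[[States], States], start: States, stats: List[int]) -> States:
    """Iterate Z := τ(Z) from `start` until Z stops changing (the slide's loop).

    Least fixpoint: start = ∅, the chain grows.  Greatest: start = S, it shrinks.
    Every round except the last adds or removes a state, so at most |S|+1 rounds."""
    z, rounds = start, 0
    while True:
        rounds += 1
        z_new = tau(z)
        if z_new == z:
            stats.append(rounds)
            return z
        z = z_new


def sat(m: Kripke, f: Formula, stats: List[int]) -> States:
    """S_f = {s : M, s |= f}, computed bottom-up over the formula."""
    R, L, _ = m
    S = frozenset(R)
    if isinstance(f, str):
        return frozenset(s for s in S if f in L[s])
    op, *args = f
    sub = [sat(m, g, stats) for g in args]
    if op == "not":
        return S - sub[0]
    if op == "and":
        return sub[0] & sub[1]
    if op == "or":
        return sub[0] | sub[1]
    if op == "EX":
        return ex(m, sub[0])
    if op == "AX":
        return ax(m, sub[0])
    if op == "EF":   # μZ. h ∨ EX Z
        return fixpoint(lambda z: sub[0] | ex(m, z), frozenset(), stats)
    if op == "AF":   # μZ. h ∨ AX Z
        return fixpoint(lambda z: sub[0] | ax(m, z), frozenset(), stats)
    if op == "EG":   # νZ. h ∧ EX Z
        return fixpoint(lambda z: sub[0] & ex(m, z), S, stats)
    if op == "AG":   # νZ. h ∧ AX Z
        return fixpoint(lambda z: sub[0] & ax(m, z), S, stats)
    if op == "EU":   # μZ. h ∨ (g ∧ EX Z)
        return fixpoint(lambda z: sub[1] | (sub[0] & ex(m, z)), frozenset(), stats)
    if op == "AU":   # μZ. h ∨ (g ∧ AX Z)
        return fixpoint(lambda z: sub[1] | (sub[0] & ax(m, z)), frozenset(), stats)
    raise ValueError(f"unknown operator {op!r}")


def check(m: Kripke, f: Formula) -> Tuple[bool, List[int]]:
    """M, s0 |= f ?  Also returns the number of rounds each fixpoint needed."""
    stats: List[int] = []
    return m[2] in sat(m, f, stats), stats


AG_EF_P: Formula = ("AG", ("EF", "p"))

if __name__ == "__main__":
    print("M_GOOD:", check(M_GOOD, AG_EF_P))   # (True, [rounds for EF, rounds for AG])
    print("M_BAD :", check(M_BAD, AG_EF_P))    # (False, ...): s0 can reach the p-free sink s3
```

On `M_BAD` the inner least fixpoint settles on {s0, s1, s2} in four rounds, and the outer greatest fixpoint then peels states off one per round until it reaches ∅ in five; both counts stay within |S| + 1 = 5, which is the per-fixpoint O(|M|) bound with the number of fixpoints given by the number of temporal operators in f.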

CTL Model Checking: Complexity (cont.)

Each fixpoint costs O(|M|) steps (and each step only involves EX, AX, ∧, ∨).

Number of fixpoint computations = number of temporal operators (EF, EG, AF, AG, EU, AU) that appear in f.

⇒ complexity O(|M| × |f|).

Compare: LTL model checking: $O(|M| \times 2^{|f|})$.

CTL Model Checking using BDDs

All we need to do is implement the fixpoint routines:

Set of states satisfying EF p:

  Z := ∅
  repeat
    Z̃ := Z
    Z := p ∨ EX Z
  until Z = Z̃
  return Z

Need:
• disjunction ∨
• (pre-)image EX
• termination test Z = Z̃

Termination easy with BDDs: canonicity!

Symbolic Transition Relations

Set of states: a constraint over the state variables.
Set of transitions: a constraint over two copies of the state variables. Example: the statement

  if x then y := true

as a Boolean formula over 4 (not 2) variables:

$$R(x, x', y, y') = \big((x \wedge y') \vee (\neg x \wedge (y' \leftrightarrow y))\big) \wedge (x' \leftrightarrow x)$$

Symbolic Image Operations

Pre-image (predecessors) of a set of states Z:

$$EX\,Z = \{ s : \exists z \in Z : R(s, z) \}.$$

Given:

• BDD Z over $x_1, \ldots, x_k$, and
• BDD R over $x_1, \ldots, x_k, x_1', \ldots, x_k'$.

Wanted: BDD for EX Z over $x_1, \ldots, x_k$.

Operation (result over variables):

1. $Z' := Z$ with each $x_i$ renamed to $x_i'$  (over $x_1', \ldots, x_k'$)
2. $L := Z' \wedge R$  (over $x_1, \ldots, x_k, x_1', \ldots, x_k'$)
3. result $:= \exists x_1', \ldots, x_k' : L$  (over $x_1, \ldots, x_k$)
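The three-step pre-image and the EF fixpoint built on it, executed on the transition relation from the previous slide. This is an added example, not code from the lecture notes: a BDD package is not in the Python standard library, so Boolean functions are represented here extensionally, as the set of satisfying assignments (the truth table). That representation is canonical too, so the termination test is plain equality, and it supports exactly the three operations a BDD library offers for this step: variable renaming, conjunction, and existential quantification. The only thing it does not show is the compactness of BDDs; the operations and their composition are the same.

```python
"""Symbolic pre-image EX Z = ∃x'. Z[x := x'] ∧ R(x, x')  (constructed example).

Boolean functions are truth tables: frozensets of assignments, each assignment
a sorted tuple of (variable, value) pairs.  Primed copies carry a trailing "_".
"""
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

Assignment = Tuple[Tuple[str, bool], ...]
BoolFn = FrozenSet[Assignment]


def fn(variables: Iterable[str], pred: Callable[[Dict[str, bool]], bool]) -> BoolFn:
    """Truth table of `pred` over the given variables."""
    vs = sorted(variables)
    return frozenset(tuple(zip(vs, bits))
                     for bits in product([False, True], repeat=len(vs))
                     if pred(dict(zip(vs, bits))))


def rename(f: BoolFn, mapping: Dict[str, str]) -> BoolFn:
    """Step 1: substitute variable names (here: x_i -> x_i')."""
    return frozenset(tuple(sorted((mapping.get(v, v), b) for v, b in asg)) for asg in f)


def conjoin(f: BoolFn, g: BoolFn) -> BoolFn:
    """Step 2: f ∧ g over the union of their variables (join on the shared ones)."""
    out = set()
    for a in f:
        da = dict(a)
        for b in g:
            db = dict(b)
            if all(da[v] == db[v] for v in da.keys() & db.keys()):
                out.add(tuple(sorted({**da, **db}.items())))
    return frozenset(out)


def exists(f: BoolFn, variables: Iterable[str]) -> BoolFn:
    """Step 3: ∃ variables . f, i.e. project the quantified variables away."""
    drop = set(variables)
    return frozenset(tuple((v, b) for v, b in asg if v not in drop) for asg in f)


def pre_image(z: BoolFn, r: BoolFn, state_vars: Iterable[str]) -> BoolFn:
    """EX Z following the three-step recipe: rename, conjoin with R, quantify x' out."""
    primed = {v: v + "_" for v in state_vars}
    z_primed = rename(z, primed)           # over x'
    joined = conjoin(z_primed, r)          # over x, x'
    return exists(joined, primed.values())  # over x


def ef(h: BoolFn, r: BoolFn, state_vars: Iterable[str]) -> BoolFn:
    """EF h = μZ. h ∨ EX Z; the termination test is equality of canonical forms."""
    state_vars = list(state_vars)
    z: BoolFn = frozenset()
    while True:
        z_new = h | pre_image(z, r, state_vars)
        if z_new == z:
            return z
        z = z_new


# R(x, x', y, y') = ((x ∧ y') ∨ (¬x ∧ (y' ↔ y))) ∧ (x' ↔ x), i.e. "if x then y := true".
STATE_VARS = ["x", "y"]
R = fn(["x", "x_", "y", "y_"],
       lambda v: ((v["x"] and v["y_"]) or (not v["x"] and v["y_"] == v["y"])) and v["x_"] == v["x"])


def describe(f: BoolFn) -> str:
    """Readable listing of the satisfying assignments, for the demo printout."""
    return " | ".join(",".join(f"{v}={int(b)}" for v, b in asg) for asg in sorted(f)) or "false"


if __name__ == "__main__":
    z_y = fn(STATE_VARS, lambda v: v["y"])                 # states where y holds
    print("Z   :", describe(z_y))
    print("EX Z:", describe(pre_image(z_y, R, STATE_VARS)))  # x ∨ y: x=1 sets y, x=0 keeps it
    print("EF Z:", describe(ef(z_y, R, STATE_VARS)))
```

Reading the result off the relation: from any state with x = 1 the statement sets y, and from a state with x = 0 it leaves y alone, so the predecessors of "y holds" are exactly the states satisfying x ∨ y, and EF y is already reached after the second round. The same three calls, with a BDD library's `rename`/`and`/`exists` in place of these truth-table versions, are the symbolic EX that the fixpoint routine needs.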
