CTL Model Checking

Prof. P.H. Schmitt

Institut fur¨ Theoretische Informatik Fakult¨at fur¨ Informatik Universit¨at Karlsruhe (TH)

Formal Systems II

Prof. P.H. Schmitt CTLMC Summer 2009 1 / 26 Fixed Point Theory

Prof. P.H. Schmitt CTLMC Summer 2009 2 / 26 Fixed Points Deﬁnition Deﬁnition

Let f : P(G) → P(G) be a set valued function and Z a subset of G.

1. Z is called a fixed point of f if f(Z) = Z . 2. Z is called the least fixed point of f is Z is a fixed point and for all other fixed points U of f the relation Z ⊆ U is true. 3. Z is called the greatest fixed point of f is Z is a fixed point and for all other fixed points U of f the relation U ⊆ Z is true.

Prof. P.H. Schmitt CTLMC Summer 2009 3 / 26 Finite Fixed Point Lemma

Let G be an arbitrary set, Let P(G) denote the power set of a set G. A function f : P(G) → P(G) is called monotone of for all X,Y ⊆ G

X ⊆ Y ⇒ f(X) ⊆ f(Y )

Let f : P(G) → P(G) be a monotone function on a finite set G. 1. There is a least and a greatest fixed point of f. S n 2. n≥1 f (∅) is the least fixed point of f. T n 3. n≥1 f (G) is the greatest fixed point of f.

Prof. P.H. Schmitt CTLMC Summer 2009 4 / 26 Proof of part (2) of the ﬁnite ﬁxed point Lemma

Monotonicity of f yields

∅ ⊆ f(∅) ⊆ f 2(∅) ⊆ ... ⊆ f n(∅) ⊆ ...

Since G is ﬁnite there must be an i such that f i(∅) = f i+1(∅). S n i Then Z = n≥1 f (∅) = f (∅) is a ﬁxed point of f:

f(Z) = f(f i(∅)) = f i+1(∅) = f i(∅) = Z

Let U be another ﬁxed point of f. From ∅ ⊆ U be infer by monotonicity of f at ﬁrst f(∅) ⊆ f(U) = U. By induction on n we conclude f n(∅) ⊆ U for all n. Thus also Z = f i(∅) ⊆ U.

Prof. P.H. Schmitt CTLMC Summer 2009 5 / 26 Continuous Functions Deﬁnition

A function f : P(G) → P(G) is called 1. ∪-continuous (upward continuous), if for every ascending sequence M1 ⊆ M2 ⊆ ... ⊆ Mn ⊆ ... [ [ f( Mn) = f(Mn) n≥1 n≥1

2. ∩-continuous (downward continuous) , if for every descending sequence M1 ⊇ M2 ⊇ ... ⊇ Mn ⊇ ... \ \ f( Mn) = f(Mn) n≥1 n≥1

Prof. P.H. Schmitt CTLMC Summer 2009 6 / 26 Fixed Points For Continuous Functions

Let f : P(G) → P(G) be an upward continuous functions and g : P(G) → P(G) a downward continuous function.

The for all M,N ∈ P(G) such that M ⊆ f(M) and g(N) ⊆ N the following is true. S n 1. n≥1 f (M) is the least ﬁxed point of f containing M, T n 2. n≥1 g (M) is the greatest ﬁxed point of g contained in M.

Prof. P.H. Schmitt CTLMC Summer 2009 7 / 26 Proof of (1)

By monotonicity we ﬁrst obtain

M ⊆ f(M) ⊆ f 2(M) ⊆ ... ⊆ f n(M) ⊆ ...

S n Let P = n≥1 f (M). This immediately gives M ⊆ P . Furthermore

S n f(P ) = f( n≥1 f (M)) S n+1 = n≥1 f (M) by continuity S n 2 = n≥1 f (M) since f(M) ⊆ f (M) = P

Assume now that Q is another ﬁxed point of f satisfying M ⊆ Q. By Monotonicity and the ﬁxed point property f(M) ⊆ f(Q) = Q and furthermore for every n ≥ 1 also f n(M) ⊆ Q. S n Thus we obtain P = n≥1 f (M) ⊆ Q

Prof. P.H. Schmitt CTLMC Summer 2009 8 / 26 Knaster-Tarski-Fixed-Points Theorem

Let f : P(G) → P(G) be a monotone function. Then

f has a least and a greatest ﬁxed point.

Note, G need not be ﬁnite.

Prof. P.H. Schmitt CTLMC Summer 2009 9 / 26 Proof Fixed Point

Let L = {S ⊆ G | f(S) ⊆ S}, e.g., G ∈ L. Let U = T L. Show f(U) = U!

For all S ∈ L by the property of an intersection: U ⊆ S. By monotonicity and deﬁnition of L f(U) ⊆ f(S) ⊆ S. Thus f(U) ⊆ T L = U and we have already established half of our claim.

By monotonicity f(U) ⊆ U implies f(f(U)) ⊆ f(U) which yields f(U) ∈ L and futhermore U ⊆ f(U).

We thus have indeed U = f(U).

Prof. P.H. Schmitt CTLMC Summer 2009 10 / 26 Proof Least Fixed Point

Now assume W is another ﬁxed point of f,i.e., f(W ) = W . This yields W ∈ L= {S ⊆ G | f(S) ⊆ S} and U = T L ⊆ W . Thus U is the least ﬁxed point of f.

Following the same line of argument one can show that S{S ⊆ G | S ⊆ f(S)} is the greatest ﬁxed point of f.

Prof. P.H. Schmitt CTLMC Summer 2009 11 / 26 CTL Model Checking

Algorithm

Prof. P.H. Schmitt CTLMC Summer 2009 12 / 26 Two Auxiliary Concepts

Let T = (S, R, v) be a transition system and F an CTL formula. The set τ(F ) = {s ∈ S | s |= F } is called the characteristic region of F in T .

The universal and existential next step functions fAX , fEX : P(S) → P(S) are deﬁned by

fAX (Z) = {s ∈ S | for all t with sRt we get t ∈ Z} fEX (Z) = {s ∈ S | there exists a t with sRt and t ∈ Z}

Prof. P.H. Schmitt CTLMC Summer 2009 13 / 26 CTL Model Checking Algorithm

Let T = (S, R, v) be a transition system and F an CTL formula. τ(F ) is computed by the following high-level recursive algorithm:

1 τ(p) = {s ∈ S | v(s, p) = 1} 2 τ(F1 ∧ F2) = τ(F1) ∩ τ)F2) 3 τ(F1 ∨ F2) = τ(F1) ∪ τ(F2) 4 τ(¬F1) = S \ τ(F1) 5 τ(A(F1 U F2)) = lfp[τ(F2) ∪ (τ(F1) ∩ fAX (Z))] 6 τ(E(F1 U F2)) = lfp[τ(F2) ∪ (τ(F1) ∩ fEX (Z)] 7 τ(AFF1) = lfp[τ(F1) ∪ fAX (Z)] 8 τ(EFF1) = lfp[τ(F1) ∪ fEX (Z)] 9 τ(EGF1) = gfp[τ(F1) ∩ fEX (Z)] 10 τ(AGF1) = gfp[τ(F1) ∩ fAX (Z)]

Prof. P.H. Schmitt CTLMC Summer 2009 14 / 26 Correctness Proof

Case 10 AG F1 By deﬁnition

τ(AG F1) = {s ∈ S | s ∈ τ(F1) and h ∈ τ(AG F1) for all h with gRh}

Using Deﬁnition of the universal next step function:

τ(AG F1) = τ(F1) ∩ fAX (τ(AG F1))

So, τ(AG F1) is a ﬁxed point of the function τ(F1) ∩ fAX (Z).

It remains to see that it is the greatest ﬁxed point.

Prof. P.H. Schmitt CTLMC Summer 2009 15 / 26 Correctness Proof

Case 10 AG F1 (continued)

Let H be another ﬁxed point, i.e., H = τ(F1) ∩ fAX (H). We need to show H ⊆ τ(AG F1)). Consider g0 ∈ H with the aim of showing that for all n ≥ 0 and all gi satisfying gi−1Rgi for all 1 ≤ i ≤ n we obtain gn ∈ τ(F1).

Observe H = τ(F1) ∩ fAX (H) ⊆ τ(F1).

Thus it suﬃces to show for all n ≥ 0 that gn ∈ H. For n = 0 that is true by assumptions.

Assume gn−1 ∈ H. gn−1 ∈ H ⊆ fAX (H) = {g | for all h with gRh we have h ∈ H}.

Thus gn ∈ H.

Prof. P.H. Schmitt CTLMC Summer 2009 16 / 26 Correctness Proof

Case 6 E(F1 UF2) By deﬁnition

τ(E(F1 U F2)) = {g ∈ S | s |= F2 or s |= F1 and there exists h with gRh and h |= F2}

Using next step function:

τ(E(F1 U F2)) = τ(F2) ∪ (τ(F1) ∩ fEX (τ(E(F1 U F2)))

Thus τ(E(F1 U F2)) is a ﬁxed point of the function

τ(F2) ∪ (τ(F1) ∩ fEX (Z)).

It remains to show that it is the least ﬁxed point.

Prof. P.H. Schmitt CTLMC Summer 2009 17 / 26 Correctness Proof

Case 6 E(F1 UF2) (continued)

Consider H ⊆ S with H = τ(F2) ∪ (τ(F1) ∩ fEX (H)).

We need τ(E(F1 U F2)) ⊆ H.

Fix g0 ∈ τ(E(F1 U F2)), try to arrive at g0 ∈ H.

There is an n ∈ N and there are gi for 1 ≤ i ≤ n satisfying 1. giRgi+1 for all 0 ≤ i < n. 2. gn ∈ τ(F2). 3. gi ∈ τ(F1) for all 0 ≤ i < n.

We set out to prove gn ∈ H by induction on n. n = 0 Since H = τ(F2) ∪ (τ(F1) ∩ fEX (H)) ⊇ τ(F2) and g0 = gn ∈ τ(F2). n − 1 Ã n By induction hypothesis we have g1 ∈ H Since g0 ∈ τ(F1) and g0Rg1 we obtain g0 ∈ (τ(F1) ∩ fEX (H)) ⊆ H and thus also g0 ∈ H.

Prof. P.H. Schmitt CTLMC Summer 2009 18 / 26 CTL Model Checking

Example

Prof. P.H. Schmitt CTLMC Summer 2009 19 / 26 Transition System

n1n2

s1 t1n2 n1t2 s5

s3 s8

s2 c1n2 t1t2 t1t2 n1c2 s6

s4 c1t2 s7 t1c2

Prof. P.H. Schmitt CTLMC Summer 2009 20 / 26 The Task

n1n2

s1 t1n2 n1t2 s5

s3 s8 0 1 2 3 4 5 6 7 8 s2 c1n2 t1t2 t1t2 n1c2 s6 N1 1 0 0 0 0 1 1 0 0 N2 1 1 1 0 0 0 0 0 0

s4 c1t2 s7 t1c2 T1 0 1 0 1 0 0 0 1 1 T2 0 0 0 1 1 1 0 0 1 C1 0 0 1 0 1 0 0 0 0 C2 0 0 0 0 0 0 1 1 0 Check if the following the formula is true in state 1.

F = T1 → AFC1 ≡ ¬T1 ∨ AFC1

Prof. P.H. Schmitt CTLMC Summer 2009 21 / 26 The Set-up Goal 1 |= T1 → AFC1 i.e. 1 |= ¬T1 ∨ AFC1 We will present the computations starting with the innermost subformulas ﬁrst, i.e., in the order

τ(T1), τ(C1), τ(¬T1), τ(AFC1), and τ(F ). This will make it much easier to follow the algorithm, since when a recursice call is started, we know already its result.

In the end we check 1 ∈ τ(F ).

Prof. P.H. Schmitt CTLMC Summer 2009 22 / 26 The First Steps

τ(T1) = {1, 3, 7} (1)

τ(C1) = {2, 4} (2)

From which we get easily

τ(¬T1) = {0, 2, 4, 5, 6} (3)

Prof. P.H. Schmitt CTLMC Summer 2009 23 / 26 Fixed Point Computation

The next step is to compute τ(AFC1) according to the algorithm this amounts to the computation of the least ﬁxed point of f(Z) = τ(C1) ∪ fAX (Z) = fAX (Z) ∪ {2, 4}. We thus compute f(∅), f 2(∅),... f n(∅) till we reach a stationary value, i.e. f n(∅) = f n+1(∅).

f 1(∅) = {2, 4} f 2(∅) = {2, 3, 4} f 3(∅) = {1, 2, 3, 4} f 4(∅) = {1, 2, 3, 4, 7} f 5(∅) = {1, 2, 3, 4, 7, 8} f 6(∅) = {1, 2, 3, 4, 7, 8}

Thus

τ(AFC1) = {1, 2, 3, 4, 7, 8} (4)

Prof. P.H. Schmitt CTLMC Summer 2009 24 / 26 End of the Computation

τ(F ) = τ(¬T1) ∪ τ(AFC1) = {0, 1, 2, 3, 4, 5, 6, 7, 8} = S (5)

Since 1 ∈ τ(F ) we conclude

s1 |= F (6)

Prof. P.H. Schmitt CTLMC Summer 2009 25 / 26 THE

END

Prof. P.H. Schmitt CTLMC Summer 2009 26 / 26