Temporal Logic Model Checking

Sections: Temporal Logics, LTL Model Checking, CTL Model Checking

Slide 1. Temporal Logic Model Checking
Thomas Wahl, Computing Laboratory, Oxford University, 18 Feb, 2009

Slide 2. Outline
  • Temporal Logics
  • LTL Model Checking
  • CTL Model Checking

Slide 3. Temporal Logics: Purpose
Temporal Logic: decidable logic to reason over program behavior along infinite timelines.
  • Is statement x executed infinitely often?
  • Is every request followed by a grant eventually?
  • Is there an execution along which always x ≥ 0?

Slide 4. Temporal Logics: Ingredients
All temporal logics have temporal operators, which quantify over states along a program execution path:
  • “in all future states”
  • “in some future state”
  • “in the next state”
Some also have branching operators, which quantify over execution paths of a program:
  • “for all executions”
  • “for some execution”

Slide 5. Temporal Logics: Representatives
  • LTL: only temporal operators. Cannot distinguish different program executions.
  • CTL: temporal + branching operators. Can explicitly specify behavior along different paths.
  • CTL*: LTL ∪ CTL (contains both).
  • µ-calculus: extends CTL*.
[LTL: Pnueli ’77, CTL: Emerson/Clarke ’82]

Slide 6. Temporal Logics: Which One to Use?
Infinite debate about which logic is “best”. Criteria: ease of use, expressiveness, efficiency.
  • Allen Emerson: “Modalities for Model Checking: Branching Time Logic Strikes Back.” (1987)
  • Moshe Vardi: “Branching vs. Linear Time: Final Showdown.” (2001)

Slide 7. Outline (part 2: LTL Model Checking)

Slide 8. Linear Temporal Logic (LTL): Syntax
LTL formulas are built out of:
  • atomic propositions: p, q, r
  • Boolean operators: ∧, ¬, ...
  • temporal operators:
      X p: “next time p”
      F q: “eventually q”
      G r: “always r”
      p U q: “p until q”
Again: these apply to a fixed execution path.

Slide 9. Linear Temporal Logic: Semantics
LTL formulas are evaluated over a path π = π0 π1 π2 ... The suffix of π starting at the i-th state is written π^i. Validity is defined as follows:
  π ⊨ p        iff  p ∈ L(π0)
  π ⊨ ¬f       iff  π ⊭ f
  π ⊨ g ∧ h    iff  π ⊨ g and π ⊨ h
  π ⊨ X f      iff  π^1 ⊨ f
  π ⊨ G f      iff  ∀i : π^i ⊨ f
  π ⊨ F f      iff  ∃i : π^i ⊨ f
  π ⊨ g U h    iff  ∃i : (π^i ⊨ h and ∀j < i : π^j ⊨ g)

Slide 10. LTL Model Checking
Given Kripke structure M := (S, R, L, s0) and LTL formula f: do all paths π through M satisfy f?
  M ⊨ f  :=  ∀π : π0 = s0 ∧ π path in M : π ⊨ f
Approach:
  • represent M and f in the same data structure
  • should be efficiently manipulable
Solution: finite-state automata.

Slide 11. Finite-State Automata (FSA)
Quite similar to a transition system like a Kripke structure: A = (Σ, Q, δ, Q0, F):
  • Σ, Q: finite alphabet, finite state set
  • transition relation: δ ⊆ Q × Σ × Q
  • Q0 initial states, F accepting states
Automaton A accepts certain “words”, which form its language L(A).
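As an added worked example (not part of the lecture slides), the semantics of slide 9 implemented over lasso-shaped paths: a finite prefix followed by a loop that repeats forever, which is the shape of every infinite path a finite-state model checker can actually produce. The tuple encoding of formulas, the Lasso class and the two sample paths (a served request and a starved one) are my own constructions; the operator clauses follow the slide's definition one by one.

```python
from dataclasses import dataclass

# Formulas are nested tuples: ("ap", "p"), ("not", f), ("and", g, h),
# ("X", f), ("F", f), ("G", f), ("U", g, h).  Derived operators are defined below.

@dataclass(frozen=True)
class Lasso:
    """An ultimately periodic path pi = pi_0 ... pi_{n-1} (pi_loop ... pi_{n-1})^omega.
    labels[i] is L(pi_i), the set of atomic propositions true in the i-th state."""
    labels: tuple
    loop: int

    def successor(self, i):
        """Position of the state after pi_i; the last position wraps into the loop."""
        return i + 1 if i + 1 < len(self.labels) else self.loop

    def positions_from(self, i):
        """Every position at which some suffix pi^j (j >= i) starts: the rest of the
        prefix plus the whole loop, or only the loop once i is already inside it."""
        return range(min(i, self.loop), len(self.labels))

def holds(f, pi, i=0):
    """Does the suffix pi^i satisfy f?  Mirrors the slide's clauses for the ith suffix."""
    op = f[0]
    if op == "ap":
        return f[1] in pi.labels[i]                        # pi |= p  iff  p in L(pi_0)
    if op == "not":
        return not holds(f[1], pi, i)
    if op == "and":
        return holds(f[1], pi, i) and holds(f[2], pi, i)
    if op == "X":
        return holds(f[1], pi, pi.successor(i))            # pi^1 |= f
    if op == "G":
        return all(holds(f[1], pi, j) for j in pi.positions_from(i))   # for all j
    if op == "F":
        return any(holds(f[1], pi, j) for j in pi.positions_from(i))   # exists j
    if op == "U":
        g, h = f[1], f[2]
        pos = i
        for _ in range(len(pi.labels)):    # n steps visit every position reachable from i
            if holds(h, pi, pos):
                return True                # exists j: pi^j |= h ...
            if not holds(g, pi, pos):
                return False               # ... with g holding at every earlier position
            pos = pi.successor(pos)
        return False                       # h never appears, even around the loop
    raise ValueError(f"unknown operator {op!r}")

def implies(g, h):
    return ("not", ("and", g, ("not", h)))

# The "is every request eventually followed by a grant?" question from slide 3:
REQ, GRANT = ("ap", "req"), ("ap", "grant")
RESPONSE = ("G", implies(REQ, ("F", GRANT)))

# Constructed sample paths (not from the slides).  SERVED grants its request;
# STARVED raises a request inside the loop that is never granted.
SERVED = Lasso((frozenset({"req"}), frozenset(), frozenset({"grant"}), frozenset()), loop=3)
STARVED = Lasso((frozenset({"req"}), frozenset({"grant"}), frozenset({"req"}), frozenset()), loop=3)

if __name__ == "__main__":
    print("SERVED  |= G(req -> F grant):", holds(RESPONSE, SERVED))    # True
    print("STARVED |= G(req -> F grant):", holds(RESPONSE, STARVED))   # False
```

The only place the lasso shape matters is the quantifier range: the slide quantifies over all i ≥ 0, but on a lasso every suffix beyond the prefix starts at one of finitely many positions, so G and F reduce to a finite check and U needs at most n steps before it either finds h or revisits a position.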
Slide 12. Kripke Structure and FSA
Goal: given structure M, define automaton A_M such that
  L(A_M) = {π : π is a path in M}.
Pretty straightforward. Technicality:
  • FSAs have edge labels (“inputs”),
  • M has state labels (atomic propositions).
But that can be fixed.

Slide 13. Kripke Structure and FSA
[Figure: Kripke structure M with states s0, s1, s2 labelled {p, q}, {p} and {q}, beside the automaton A_M built from it: an extra initial state i, and each edge labelled with the atomic propositions of the state it enters.]
Every state of A_M is accepting.

Slide 14. LTL Formula and FSA
Goal: given LTL formula f, define automaton A_f such that
  L(A_f) = {π : π ⊨ f}.
Achieve this using the Büchi acceptance condition: an infinite path is accepted by an FSA if some accepting state is visited infinitely often. Means: the path goes through a cycle that contains an accepting state.

Slide 15. LTL Formula and FSA
[Figure: small Büchi automata whose edges are labelled with ∗, ∅, {p}, {q} and {p, q}.] (These FSAs represent which LTL formulas?)
“Tableau Construction” [GPVW 1985-95]

Slide 16. LTL Model Checking
Finally: LTL Model Checking, by Language Containment:
  M ⊨ f  iff  L(A_M) ⊆ L(A_f)
         iff  L(A_M) ∩ ¬L(A_f) = ∅
         iff  L(A_M) ∩ L(A_¬f) = ∅
         iff  L(A_M ∩ A_¬f) = ∅.
Terminology in the model checker SPIN: ¬f is a “never claim”. Our algorithm looks for violations of f.
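The language-containment reduction above, carried through as an added example that is not from the slides: the Kripke structure becomes A_M by labelling each edge with the propositions of the state it enters (slide 13), the never claim A_¬f runs in lock step with it, and the product is checked for a reachable cycle through an accepting state. The never claim for ¬G(req → F grant), i.e. F(req ∧ G ¬grant), is written by hand here rather than by tableau construction, and the two arbiter models (one that can silently drop a request, one that cannot) are my own constructions.

```python
from collections import deque

class Kripke:
    """M = (S, R, L, s0) with an explicit successor map R and labelling L."""
    def __init__(self, init, succ, labels):
        self.init, self.succ, self.labels = init, succ, labels

class Buchi:
    """Büchi automaton for the never claim.  A transition (src, guard, dst) fires on a
    letter (the label set of the Kripke state just entered) when guard(letter) holds."""
    def __init__(self, init, accepting, delta):
        self.init, self.accepting, self.delta = init, accepting, delta

    def step(self, q, letter):
        return [dst for src, guard, dst in self.delta if src == q and guard(letter)]

def product_successors(M, A, state):
    """Lock-step execution: M moves s -> t while A reads L(t)."""
    s, q = state
    return [(t, q2) for t in M.succ[s] for q2 in A.step(q, M.labels[t])]

def reachable(roots, next_fn):
    """Breadth-first search; returns a predecessor map covering every reached state."""
    parent = {r: None for r in roots}
    queue = deque(roots)
    while queue:
        u = queue.popleft()
        for v in next_fn(u):
            if v not in parent:
                parent[v] = u
                queue.append(v)
    return parent

def unwind(parent, target):
    """Path from a root of `parent` to `target`, following predecessor links backwards."""
    path = []
    while target is not None:
        path.append(target)
        target = parent[target]
    return path[::-1]

def find_accepting_cycle(M, A):
    """Emptiness test for A_M ∩ A_¬f: None if the product language is empty (M |= f),
    otherwise a counterexample (prefix, cycle): prefix runs from the initial product
    state to an accepting state a, cycle runs from a successor of a back to a."""
    step = lambda st: product_successors(M, A, st)
    # The extra initial state of A_M feeds L(s0) to the automaton first.
    roots = [(M.init, q) for q in A.step(A.init, M.labels[M.init])]
    parent = reachable(roots, step)
    for a in parent:
        if a[1] not in A.accepting:
            continue
        back = reachable(step(a), step)      # everything reachable from a's successors
        if a in back:                        # a lies on a reachable accepting cycle
            return unwind(parent, a), unwind(back, a)
    return None

# Never claim for ¬G(req → F grant) ≡ F(req ∧ G ¬grant), written by hand.
NEVER_CLAIM = Buchi(
    init="q0", accepting={"q1"},
    delta=[
        ("q0", lambda l: True, "q0"),                             # wait for the bad request
        ("q0", lambda l: "req" in l and "grant" not in l, "q1"),  # a request is pending ...
        ("q1", lambda l: "grant" not in l, "q1"),                 # ... and no grant ever follows
    ])

# Constructed arbiter models (not from the slides).  BUGGY may drop a request by
# returning to idle; FIXED always answers a request with a grant.
LABELS = {"idle": frozenset(), "req": frozenset({"req"}), "grant": frozenset({"grant"})}
BUGGY = Kripke("idle", {"idle": ["req"], "req": ["grant", "idle"], "grant": ["idle"]}, LABELS)
FIXED = Kripke("idle", {"idle": ["req"], "req": ["grant"], "grant": ["idle"]}, LABELS)

def states_of(path):
    """Project a product path onto its Kripke states, which is what a user reads."""
    return [s for s, _ in path]

if __name__ == "__main__":
    print("FIXED:", find_accepting_cycle(FIXED, NEVER_CLAIM))   # None: property holds
    prefix, cycle = find_accepting_cycle(BUGGY, NEVER_CLAIM)
    print("BUGGY counterexample:", states_of(prefix), "then repeat", states_of(cycle))
```

The cycle search is the naive one (a second reachability search from each accepting state), which is enough to show the idea; production checkers use nested depth-first search or a strongly-connected-component pass so that the product is traversed once. Either way the counterexample is the lasso the slides describe: the path to the accepting state plus the cycle through it, here idle, req followed by (idle, req) forever for the buggy arbiter.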
Slide 17. LTL Model Checking
We had: M ⊨ f iff L(A_M ∩ A_¬f) = ∅.
  • Intersection of two FSAs: by lock-step execution (standard constructions).
  • Emptiness of an FSA A with Büchi acceptance condition: L(A) ≠ ∅ iff there is a reachable cycle through A that contains an accepting state.

Slide 18. LTL Model Checking: Final Remarks
Counterexamples: if L(A_M ∩ A_¬f) ≠ ∅, then M ⊭ f. The path to and through the accepting cycle is a counterexample.
Complexity: O(|M| · 2^|f|). Exponential complexity in |f| is not as big a problem in practice as it may seem: usually |f| ≪ |M|.

Slide 19. Outline (part 3: CTL Model Checking)

Slide 20. Computation Tree Logic (CTL): Syntax
Combines branching operators
  • A: “for all executions” (“futures”, “paths”)
  • E: “for some execution”
and temporal operators X, F, G, U, but only in specific ways: a branching operator (A or E) immediately followed by a temporal operator (X, F, G or U), applied to a formula p, and arbitrarily nested:
  AG EF reset      E(req U ack)      EX AX false
Not: AE p (makes no sense), A FG p (allowed in CTL*, not CTL).

Slide 21. CTL: Intuitive Semantics
[Figure: four computation trees rooted at s0 illustrating AX p (“p imminent”), EF p (“p reachable”), AF p (“p inevitable”) and AG p (“p invariant”).]

Slide 22. CTL Model Checking
Input: M := (S, R, L, s0) and CTL formula f.
Goal: determine whether M, s0 ⊨ f. We will do this by
  1. computing S_f = {s ∈ S : M, s ⊨ f}, and then
  2. checking whether s0 ∈ S_f, possibly on the fly.

Slides 23/24. The Tarski-Knaster Theorem
View a CTL formula as the set of states satisfying it. Then observe:
  EG p = p ∧ EX p ∧ EX EX p ∧ ...
       = p ∧ EX(p ∧ EX(p ∧ ...))
       = p ∧ EX(EG p).
EG p is a fixpoint of the operator τ(Z) = p ∧ EX Z:
  • in fact the greatest fixpoint of τ
  • computable by a series of overapproximations:
      Z0 = S ⊇ Z1 = p ∧ EX Z0 ⊇ Z2 = p ∧ EX Z1 ⊇ ... = νZ. p ∧ EX Z

Slide 25. Computing Fixpoints
Least fixpoint µZ.τ(Z):        Greatest fixpoint νZ.τ(Z):
  Z := ∅                         Z := S
  repeat                         repeat
    Z̃ := Z                        Z̃ := Z
    Z := τ(Z)                      Z := τ(Z)
  until Z = Z̃                    until Z = Z̃
  return Z                       return Z
Only difference: initial value of Z.

Slide 26. Fixpoint Characterization of CTL
  EF h     = µZ. (h ∨ EX Z)
  EG h     = νZ. (h ∧ EX Z)
  E(g U h) = µZ. (h ∨ (g ∧ EX Z))
  AF h     = µZ. (h ∨ AX Z)
  AG h     = νZ. (h ∧ AX Z)
  A(g U h) = µZ. (h ∨ (g ∧ AX Z))
  • F, U: least fixpoint µ, uses “∨”.
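The CTL procedure of slides 22 to 26 as one added example (not from the slides): S_f is computed bottom-up, EX and AX are direct set operations on the successor relation, and every other operator is the fixpoint iteration of slide 25 with the characterization of slide 26 as τ; as the slide says, only the initial value distinguishes µ from ν. The tuple encoding of formulas and the two arbiter models are my own constructions; like the slides, the code assumes a total transition relation (every state has at least one successor).

```python
class Kripke:
    """M = (S, R, L, s0) with a total successor relation (every state has a successor),
    as the slides assume; labels[s] is L(s)."""
    def __init__(self, init, succ, labels):
        self.init, self.succ, self.labels = init, succ, labels
        self.states = frozenset(succ)

# CTL formulas as tuples: ("ap", p), ("not", f), ("and", g, h), ("EX", f), ("AX", f),
# ("EF", h), ("EG", h), ("EU", g, h), ("AF", h), ("AG", h), ("AU", g, h).

def ex(M, Z):
    """States with some successor in Z."""
    return {s for s in M.states if any(t in Z for t in M.succ[s])}

def ax(M, Z):
    """States all of whose successors are in Z."""
    return {s for s in M.states if all(t in Z for t in M.succ[s])}

def fixpoint(tau, start):
    """The iteration of the 'Computing Fixpoints' slide; `start` = ∅ gives the least
    fixpoint µZ.τ(Z), `start` = S the greatest fixpoint νZ.τ(Z)."""
    Z = set(start)
    while True:
        Z_old, Z = Z, tau(Z)          # Z~ := Z; Z := τ(Z)
        if Z == Z_old:                # until Z = Z~
            return Z

def sat(M, f):
    """S_f = {s ∈ S : M, s |= f}, computed bottom-up from the subformulas."""
    op = f[0]
    if op == "ap":
        return {s for s in M.states if f[1] in M.labels[s]}
    if op == "not":
        return M.states - sat(M, f[1])
    if op == "and":
        return sat(M, f[1]) & sat(M, f[2])
    if op == "EX":
        return ex(M, sat(M, f[1]))
    if op == "AX":
        return ax(M, sat(M, f[1]))
    if op in ("EF", "EG", "AF", "AG"):
        H = sat(M, f[1])
        nxt = ex if op[0] == "E" else ax
        if op[1] == "F":                                        # µZ. h ∨ next Z
            return fixpoint(lambda Z: H | nxt(M, Z), set())
        return fixpoint(lambda Z: H & nxt(M, Z), M.states)      # νZ. h ∧ next Z
    if op in ("EU", "AU"):
        G, H = sat(M, f[1]), sat(M, f[2])
        nxt = ex if op[0] == "E" else ax
        return fixpoint(lambda Z: H | (G & nxt(M, Z)), set())  # µZ. h ∨ (g ∧ next Z)
    raise ValueError(f"unknown operator {op!r}")

def check(M, f):
    """M, s0 |= f  iff  s0 ∈ S_f."""
    return M.init in sat(M, f)

def implies(g, h):
    return ("not", ("and", g, ("not", h)))

REQ, GRANT = ("ap", "req"), ("ap", "grant")
RESPONSE = ("AG", implies(REQ, ("AF", GRANT)))   # every request is inevitably granted
STARVATION = ("EG", ("not", GRANT))              # some execution never grants

# Constructed arbiter models (not from the slides): BUGGY may drop a pending request.
LABELS = {"idle": set(), "req": {"req"}, "grant": {"grant"}}
BUGGY = Kripke("idle", {"idle": ["req"], "req": ["grant", "idle"], "grant": ["idle"]}, LABELS)
FIXED = Kripke("idle", {"idle": ["req"], "req": ["grant"], "grant": ["idle"]}, LABELS)

if __name__ == "__main__":
    for name, M in (("BUGGY", BUGGY), ("FIXED", FIXED)):
        print(name, "AG(req -> AF grant):", check(M, RESPONSE),
              " EG(not grant):", check(M, STARVATION))
```

Two points worth tracing by hand on the buggy arbiter: AF grant climbs from ∅ to {grant} and stops there, because the req state has a successor (idle) outside the set, so the response property fails at s0; and EG ¬grant, started from S and cut down, stabilizes at {idle, req}, which is exactly the starving cycle. This is the set-based view of slide 22: the whole of S_f is computed, and membership of s0 is read off at the end.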
